update unbound
This commit is contained in:
parent
7792255968
commit
93944333c5
|
@ -168,7 +168,7 @@ HOST_OBJ=unbound-host.lo
|
||||||
HOST_OBJ_LINK=$(HOST_OBJ) $(SLDNS_OBJ) $(COMPAT_OBJ_WITHOUT_CTIMEARC4) @WIN_HOST_OBJ_LINK@
|
HOST_OBJ_LINK=$(HOST_OBJ) $(SLDNS_OBJ) $(COMPAT_OBJ_WITHOUT_CTIMEARC4) @WIN_HOST_OBJ_LINK@
|
||||||
UBANCHOR_SRC=smallapp/unbound-anchor.c
|
UBANCHOR_SRC=smallapp/unbound-anchor.c
|
||||||
UBANCHOR_OBJ=unbound-anchor.lo
|
UBANCHOR_OBJ=unbound-anchor.lo
|
||||||
UBANCHOR_OBJ_LINK=$(UBANCHOR_OBJ) \
|
UBANCHOR_OBJ_LINK=$(UBANCHOR_OBJ) parseutil.lo \
|
||||||
$(COMPAT_OBJ_WITHOUT_CTIME) @WIN_UBANCHOR_OBJ_LINK@
|
$(COMPAT_OBJ_WITHOUT_CTIME) @WIN_UBANCHOR_OBJ_LINK@
|
||||||
TESTBOUND_SRC=testcode/testbound.c testcode/testpkts.c \
|
TESTBOUND_SRC=testcode/testbound.c testcode/testpkts.c \
|
||||||
daemon/worker.c daemon/acl_list.c daemon/daemon.c daemon/stats.c \
|
daemon/worker.c daemon/acl_list.c daemon/daemon.c daemon/stats.c \
|
||||||
|
@ -1175,7 +1175,7 @@ delayer.lo delayer.o: $(srcdir)/testcode/delayer.c config.h $(srcdir)/util/net_h
|
||||||
unbound-control.lo unbound-control.o: $(srcdir)/smallapp/unbound-control.c config.h \
|
unbound-control.lo unbound-control.o: $(srcdir)/smallapp/unbound-control.c config.h \
|
||||||
$(srcdir)/util/log.h $(srcdir)/util/config_file.h $(srcdir)/util/locks.h $(srcdir)/util/net_help.h
|
$(srcdir)/util/log.h $(srcdir)/util/config_file.h $(srcdir)/util/locks.h $(srcdir)/util/net_help.h
|
||||||
unbound-anchor.lo unbound-anchor.o: $(srcdir)/smallapp/unbound-anchor.c config.h $(srcdir)/libunbound/unbound.h \
|
unbound-anchor.lo unbound-anchor.o: $(srcdir)/smallapp/unbound-anchor.c config.h $(srcdir)/libunbound/unbound.h \
|
||||||
$(srcdir)/sldns/rrdef.h \
|
$(srcdir)/sldns/rrdef.h $(srcdir)/sldns/parseutil.h \
|
||||||
|
|
||||||
petal.lo petal.o: $(srcdir)/testcode/petal.c config.h \
|
petal.lo petal.o: $(srcdir)/testcode/petal.c config.h \
|
||||||
|
|
||||||
|
|
|
@ -85,6 +85,10 @@
|
||||||
`SSL_COMP_get_compression_methods', and to 0 if you don't. */
|
`SSL_COMP_get_compression_methods', and to 0 if you don't. */
|
||||||
#cmakedefine HAVE_DECL_SSL_COMP_GET_COMPRESSION_METHODS
|
#cmakedefine HAVE_DECL_SSL_COMP_GET_COMPRESSION_METHODS
|
||||||
|
|
||||||
|
/* Define to 1 if you have the declaration of `SSL_CTX_set_ecdh_auto', and to
|
||||||
|
0 if you don't. */
|
||||||
|
#cmakedefine HAVE_DECL_SSL_CTX_SET_ECDH_AUTO
|
||||||
|
|
||||||
/* Define to 1 if you have the declaration of `strlcat', and to 0 if you
|
/* Define to 1 if you have the declaration of `strlcat', and to 0 if you
|
||||||
don't. */
|
don't. */
|
||||||
#cmakedefine HAVE_DECL_STRLCAT
|
#cmakedefine HAVE_DECL_STRLCAT
|
||||||
|
|
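Review bot: The new `#cmakedefine HAVE_DECL_SSL_CTX_SET_ECDH_AUTO` line yields a bare `#define HAVE_DECL_SSL_CTX_SET_ECDH_AUTO` with no value when the CMake variable is set, and the consumer added in this commit (the `#if HAVE_DECL_SSL_CTX_SET_ECDH_AUTO` block in daemon/remote.c) needs a 0/1 value, so an empty expansion would make that `#if` fail to preprocess. The autoconf side (`AC_CHECK_DECLS`, and the `#undef` template in config.h.in) always produces 0 or 1; `#cmakedefine01 HAVE_DECL_SSL_CTX_SET_ECDH_AUTO` would give the CMake build the same contract. This is inferred from the line as shown here, since the CMake logic that sets the variable is not visible in this commit.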
|
@ -82,6 +82,10 @@
|
||||||
`SSL_COMP_get_compression_methods', and to 0 if you don't. */
|
`SSL_COMP_get_compression_methods', and to 0 if you don't. */
|
||||||
#undef HAVE_DECL_SSL_COMP_GET_COMPRESSION_METHODS
|
#undef HAVE_DECL_SSL_COMP_GET_COMPRESSION_METHODS
|
||||||
|
|
||||||
|
/* Define to 1 if you have the declaration of `SSL_CTX_set_ecdh_auto', and to
|
||||||
|
0 if you don't. */
|
||||||
|
#undef HAVE_DECL_SSL_CTX_SET_ECDH_AUTO
|
||||||
|
|
||||||
/* Define to 1 if you have the declaration of `strlcat', and to 0 if you
|
/* Define to 1 if you have the declaration of `strlcat', and to 0 if you
|
||||||
don't. */
|
don't. */
|
||||||
#undef HAVE_DECL_STRLCAT
|
#undef HAVE_DECL_STRLCAT
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
#! /bin/sh
|
#! /bin/sh
|
||||||
# Guess values for system-dependent variables and create Makefiles.
|
# Guess values for system-dependent variables and create Makefiles.
|
||||||
# Generated by GNU Autoconf 2.69 for unbound 1.5.4.
|
# Generated by GNU Autoconf 2.69 for unbound 1.5.5.
|
||||||
#
|
#
|
||||||
# Report bugs to <unbound-bugs@nlnetlabs.nl>.
|
# Report bugs to <unbound-bugs@nlnetlabs.nl>.
|
||||||
#
|
#
|
||||||
|
@ -590,8 +590,8 @@ MAKEFLAGS=
|
||||||
# Identity of this package.
|
# Identity of this package.
|
||||||
PACKAGE_NAME='unbound'
|
PACKAGE_NAME='unbound'
|
||||||
PACKAGE_TARNAME='unbound'
|
PACKAGE_TARNAME='unbound'
|
||||||
PACKAGE_VERSION='1.5.4'
|
PACKAGE_VERSION='1.5.5'
|
||||||
PACKAGE_STRING='unbound 1.5.4'
|
PACKAGE_STRING='unbound 1.5.5'
|
||||||
PACKAGE_BUGREPORT='unbound-bugs@nlnetlabs.nl'
|
PACKAGE_BUGREPORT='unbound-bugs@nlnetlabs.nl'
|
||||||
PACKAGE_URL=''
|
PACKAGE_URL=''
|
||||||
|
|
||||||
|
@ -1389,7 +1389,7 @@ if test "$ac_init_help" = "long"; then
|
||||||
# Omit some internal or obsolete options to make the list less imposing.
|
# Omit some internal or obsolete options to make the list less imposing.
|
||||||
# This message is too long to be a string in the A/UX 3.1 sh.
|
# This message is too long to be a string in the A/UX 3.1 sh.
|
||||||
cat <<_ACEOF
|
cat <<_ACEOF
|
||||||
\`configure' configures unbound 1.5.4 to adapt to many kinds of systems.
|
\`configure' configures unbound 1.5.5 to adapt to many kinds of systems.
|
||||||
|
|
||||||
Usage: $0 [OPTION]... [VAR=VALUE]...
|
Usage: $0 [OPTION]... [VAR=VALUE]...
|
||||||
|
|
||||||
|
@ -1454,7 +1454,7 @@ fi
|
||||||
|
|
||||||
if test -n "$ac_init_help"; then
|
if test -n "$ac_init_help"; then
|
||||||
case $ac_init_help in
|
case $ac_init_help in
|
||||||
short | recursive ) echo "Configuration of unbound 1.5.4:";;
|
short | recursive ) echo "Configuration of unbound 1.5.5:";;
|
||||||
esac
|
esac
|
||||||
cat <<\_ACEOF
|
cat <<\_ACEOF
|
||||||
|
|
||||||
|
@ -1629,7 +1629,7 @@ fi
|
||||||
test -n "$ac_init_help" && exit $ac_status
|
test -n "$ac_init_help" && exit $ac_status
|
||||||
if $ac_init_version; then
|
if $ac_init_version; then
|
||||||
cat <<\_ACEOF
|
cat <<\_ACEOF
|
||||||
unbound configure 1.5.4
|
unbound configure 1.5.5
|
||||||
generated by GNU Autoconf 2.69
|
generated by GNU Autoconf 2.69
|
||||||
|
|
||||||
Copyright (C) 2012 Free Software Foundation, Inc.
|
Copyright (C) 2012 Free Software Foundation, Inc.
|
||||||
|
@ -2338,7 +2338,7 @@ cat >config.log <<_ACEOF
|
||||||
This file contains any messages produced by compilers while
|
This file contains any messages produced by compilers while
|
||||||
running configure, to aid debugging if configure makes a mistake.
|
running configure, to aid debugging if configure makes a mistake.
|
||||||
|
|
||||||
It was created by unbound $as_me 1.5.4, which was
|
It was created by unbound $as_me 1.5.5, which was
|
||||||
generated by GNU Autoconf 2.69. Invocation command line was
|
generated by GNU Autoconf 2.69. Invocation command line was
|
||||||
|
|
||||||
$ $0 $@
|
$ $0 $@
|
||||||
|
@ -2690,7 +2690,7 @@ UNBOUND_VERSION_MAJOR=1
|
||||||
|
|
||||||
UNBOUND_VERSION_MINOR=5
|
UNBOUND_VERSION_MINOR=5
|
||||||
|
|
||||||
UNBOUND_VERSION_MICRO=4
|
UNBOUND_VERSION_MICRO=5
|
||||||
|
|
||||||
|
|
||||||
LIBUNBOUND_CURRENT=5
|
LIBUNBOUND_CURRENT=5
|
||||||
|
@ -16684,7 +16684,7 @@ rm -f core conftest.err conftest.$ac_objext \
|
||||||
conftest$ac_exeext conftest.$ac_ext
|
conftest$ac_exeext conftest.$ac_ext
|
||||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for LibreSSL" >&5
|
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for LibreSSL" >&5
|
||||||
$as_echo_n "checking for LibreSSL... " >&6; }
|
$as_echo_n "checking for LibreSSL... " >&6; }
|
||||||
if grep OPENSSL_VERSION_TEXT $ssldir/include/openssl/opensslv.h | grep "LibreSSL" >/dev/null; then
|
if grep VERSION_TEXT $ssldir/include/openssl/opensslv.h | grep "LibreSSL" >/dev/null; then
|
||||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
|
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
|
||||||
$as_echo "yes" >&6; }
|
$as_echo "yes" >&6; }
|
||||||
|
|
||||||
|
@ -16845,6 +16845,36 @@ fi
|
||||||
cat >>confdefs.h <<_ACEOF
|
cat >>confdefs.h <<_ACEOF
|
||||||
#define HAVE_DECL_SK_SSL_COMP_POP_FREE $ac_have_decl
|
#define HAVE_DECL_SK_SSL_COMP_POP_FREE $ac_have_decl
|
||||||
_ACEOF
|
_ACEOF
|
||||||
|
ac_fn_c_check_decl "$LINENO" "SSL_CTX_set_ecdh_auto" "ac_cv_have_decl_SSL_CTX_set_ecdh_auto" "
|
||||||
|
$ac_includes_default
|
||||||
|
#ifdef HAVE_OPENSSL_ERR_H
|
||||||
|
#include <openssl/err.h>
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#ifdef HAVE_OPENSSL_RAND_H
|
||||||
|
#include <openssl/rand.h>
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#ifdef HAVE_OPENSSL_CONF_H
|
||||||
|
#include <openssl/conf.h>
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#ifdef HAVE_OPENSSL_ENGINE_H
|
||||||
|
#include <openssl/engine.h>
|
||||||
|
#endif
|
||||||
|
#include <openssl/ssl.h>
|
||||||
|
#include <openssl/evp.h>
|
||||||
|
|
||||||
|
"
|
||||||
|
if test "x$ac_cv_have_decl_SSL_CTX_set_ecdh_auto" = xyes; then :
|
||||||
|
ac_have_decl=1
|
||||||
|
else
|
||||||
|
ac_have_decl=0
|
||||||
|
fi
|
||||||
|
|
||||||
|
cat >>confdefs.h <<_ACEOF
|
||||||
|
#define HAVE_DECL_SSL_CTX_SET_ECDH_AUTO $ac_have_decl
|
||||||
|
_ACEOF
|
||||||
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
@ -18150,6 +18180,8 @@ esac
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
||||||
|
LIBOBJ_WITHOUT_CTIMEARC4="$LIBOBJS"
|
||||||
|
|
||||||
ac_fn_c_check_func "$LINENO" "reallocarray" "ac_cv_func_reallocarray"
|
ac_fn_c_check_func "$LINENO" "reallocarray" "ac_cv_func_reallocarray"
|
||||||
if test "x$ac_cv_func_reallocarray" = xyes; then :
|
if test "x$ac_cv_func_reallocarray" = xyes; then :
|
||||||
$as_echo "#define HAVE_REALLOCARRAY 1" >>confdefs.h
|
$as_echo "#define HAVE_REALLOCARRAY 1" >>confdefs.h
|
||||||
|
@ -18164,8 +18196,6 @@ esac
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
||||||
LIBOBJ_WITHOUT_CTIMEARC4="$LIBOBJS"
|
|
||||||
|
|
||||||
if test "$USE_NSS" = "no"; then
|
if test "$USE_NSS" = "no"; then
|
||||||
ac_fn_c_check_func "$LINENO" "arc4random" "ac_cv_func_arc4random"
|
ac_fn_c_check_func "$LINENO" "arc4random" "ac_cv_func_arc4random"
|
||||||
if test "x$ac_cv_func_arc4random" = xyes; then :
|
if test "x$ac_cv_func_arc4random" = xyes; then :
|
||||||
|
@ -18890,7 +18920,7 @@ _ACEOF
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
version=1.5.4
|
version=1.5.5
|
||||||
|
|
||||||
date=`date +'%b %e, %Y'`
|
date=`date +'%b %e, %Y'`
|
||||||
|
|
||||||
|
@ -19405,7 +19435,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
|
||||||
# report actual input values of CONFIG_FILES etc. instead of their
|
# report actual input values of CONFIG_FILES etc. instead of their
|
||||||
# values after options handling.
|
# values after options handling.
|
||||||
ac_log="
|
ac_log="
|
||||||
This file was extended by unbound $as_me 1.5.4, which was
|
This file was extended by unbound $as_me 1.5.5, which was
|
||||||
generated by GNU Autoconf 2.69. Invocation command line was
|
generated by GNU Autoconf 2.69. Invocation command line was
|
||||||
|
|
||||||
CONFIG_FILES = $CONFIG_FILES
|
CONFIG_FILES = $CONFIG_FILES
|
||||||
|
@ -19471,7 +19501,7 @@ _ACEOF
|
||||||
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
|
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
|
||||||
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
|
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
|
||||||
ac_cs_version="\\
|
ac_cs_version="\\
|
||||||
unbound config.status 1.5.4
|
unbound config.status 1.5.5
|
||||||
configured by $0, generated by GNU Autoconf 2.69,
|
configured by $0, generated by GNU Autoconf 2.69,
|
||||||
with options \\"\$ac_cs_config\\"
|
with options \\"\$ac_cs_config\\"
|
||||||
|
|
||||||
|
|
|
@ -10,7 +10,7 @@ sinclude(dnstap/dnstap.m4)
|
||||||
# must be numbers. ac_defun because of later processing
|
# must be numbers. ac_defun because of later processing
|
||||||
m4_define([VERSION_MAJOR],[1])
|
m4_define([VERSION_MAJOR],[1])
|
||||||
m4_define([VERSION_MINOR],[5])
|
m4_define([VERSION_MINOR],[5])
|
||||||
m4_define([VERSION_MICRO],[4])
|
m4_define([VERSION_MICRO],[5])
|
||||||
AC_INIT(unbound, m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]), unbound-bugs@nlnetlabs.nl, unbound)
|
AC_INIT(unbound, m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]), unbound-bugs@nlnetlabs.nl, unbound)
|
||||||
AC_SUBST(UNBOUND_VERSION_MAJOR, [VERSION_MAJOR])
|
AC_SUBST(UNBOUND_VERSION_MAJOR, [VERSION_MAJOR])
|
||||||
AC_SUBST(UNBOUND_VERSION_MINOR, [VERSION_MINOR])
|
AC_SUBST(UNBOUND_VERSION_MINOR, [VERSION_MINOR])
|
||||||
|
@ -566,7 +566,7 @@ if test $USE_NSS = "no"; then
|
||||||
ACX_WITH_SSL
|
ACX_WITH_SSL
|
||||||
ACX_LIB_SSL
|
ACX_LIB_SSL
|
||||||
AC_MSG_CHECKING([for LibreSSL])
|
AC_MSG_CHECKING([for LibreSSL])
|
||||||
if grep OPENSSL_VERSION_TEXT $ssldir/include/openssl/opensslv.h | grep "LibreSSL" >/dev/null; then
|
if grep VERSION_TEXT $ssldir/include/openssl/opensslv.h | grep "LibreSSL" >/dev/null; then
|
||||||
AC_MSG_RESULT([yes])
|
AC_MSG_RESULT([yes])
|
||||||
AC_DEFINE([HAVE_LIBRESSL], [1], [Define if we have LibreSSL])
|
AC_DEFINE([HAVE_LIBRESSL], [1], [Define if we have LibreSSL])
|
||||||
# libressl provides these compat functions, but they may also be
|
# libressl provides these compat functions, but they may also be
|
||||||
|
@ -578,7 +578,7 @@ fi
|
||||||
AC_CHECK_HEADERS([openssl/conf.h],,, [AC_INCLUDES_DEFAULT])
|
AC_CHECK_HEADERS([openssl/conf.h],,, [AC_INCLUDES_DEFAULT])
|
||||||
AC_CHECK_HEADERS([openssl/engine.h],,, [AC_INCLUDES_DEFAULT])
|
AC_CHECK_HEADERS([openssl/engine.h],,, [AC_INCLUDES_DEFAULT])
|
||||||
AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode])
|
AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode])
|
||||||
AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free], [], [], [
|
AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free,SSL_CTX_set_ecdh_auto], [], [], [
|
||||||
AC_INCLUDES_DEFAULT
|
AC_INCLUDES_DEFAULT
|
||||||
#ifdef HAVE_OPENSSL_ERR_H
|
#ifdef HAVE_OPENSSL_ERR_H
|
||||||
#include <openssl/err.h>
|
#include <openssl/err.h>
|
||||||
|
@ -998,9 +998,10 @@ AC_REPLACE_FUNCS(strlcat)
|
||||||
AC_REPLACE_FUNCS(strlcpy)
|
AC_REPLACE_FUNCS(strlcpy)
|
||||||
AC_REPLACE_FUNCS(memmove)
|
AC_REPLACE_FUNCS(memmove)
|
||||||
AC_REPLACE_FUNCS(gmtime_r)
|
AC_REPLACE_FUNCS(gmtime_r)
|
||||||
AC_REPLACE_FUNCS(reallocarray)
|
dnl without CTIME, ARC4-functions and without reallocarray.
|
||||||
LIBOBJ_WITHOUT_CTIMEARC4="$LIBOBJS"
|
LIBOBJ_WITHOUT_CTIMEARC4="$LIBOBJS"
|
||||||
AC_SUBST(LIBOBJ_WITHOUT_CTIMEARC4)
|
AC_SUBST(LIBOBJ_WITHOUT_CTIMEARC4)
|
||||||
|
AC_REPLACE_FUNCS(reallocarray)
|
||||||
if test "$USE_NSS" = "no"; then
|
if test "$USE_NSS" = "no"; then
|
||||||
AC_REPLACE_FUNCS(arc4random)
|
AC_REPLACE_FUNCS(arc4random)
|
||||||
AC_REPLACE_FUNCS(arc4random_uniform)
|
AC_REPLACE_FUNCS(arc4random_uniform)
|
||||||
|
|
|
@ -399,6 +399,12 @@ daemon_create_workers(struct daemon* daemon)
|
||||||
verbose(VERB_ALGO, "total of %d outgoing ports available", numport);
|
verbose(VERB_ALGO, "total of %d outgoing ports available", numport);
|
||||||
|
|
||||||
daemon->num = (daemon->cfg->num_threads?daemon->cfg->num_threads:1);
|
daemon->num = (daemon->cfg->num_threads?daemon->cfg->num_threads:1);
|
||||||
|
if(daemon->reuseport && (int)daemon->num < (int)daemon->num_ports) {
|
||||||
|
log_warn("cannot reduce num-threads to %d because so-reuseport "
|
||||||
|
"so continuing with %d threads.", (int)daemon->num,
|
||||||
|
(int)daemon->num_ports);
|
||||||
|
daemon->num = (int)daemon->num_ports;
|
||||||
|
}
|
||||||
daemon->workers = (struct worker**)calloc((size_t)daemon->num,
|
daemon->workers = (struct worker**)calloc((size_t)daemon->num,
|
||||||
sizeof(struct worker*));
|
sizeof(struct worker*));
|
||||||
if(daemon->cfg->dnstap) {
|
if(daemon->cfg->dnstap) {
|
||||||
|
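Review bot: The warning added to daemon_create_workers is missing the clause between `because so-reuseport ` and `so continuing`, so the emitted log line reads "because so-reuseport so continuing with N threads"; suggest `"cannot reduce num-threads to %d because so-reuseport is yes, "` followed by `"so continuing with %d threads.", (int)daemon->num,`. The cap sets `daemon->num` to `num_ports`, and the companion hunk in thread_start switches to `worker->thread_num % worker->daemon->num_ports`, which presumably is what lets num-threads grow on reload; if `num_ports` can still be 0 when so-reuseport is on (whether daemon_open_shared_ports always sets it is not visible here), that modulo is undefined, so a `log_assert(daemon->num_ports > 0)` or equivalent guard next to the new check would document the invariant. daemon_create_workers continues outside the hunk.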
@ -464,7 +470,7 @@ thread_start(void* arg)
|
||||||
#endif
|
#endif
|
||||||
#ifdef SO_REUSEPORT
|
#ifdef SO_REUSEPORT
|
||||||
if(worker->daemon->cfg->so_reuseport)
|
if(worker->daemon->cfg->so_reuseport)
|
||||||
port_num = worker->thread_num;
|
port_num = worker->thread_num % worker->daemon->num_ports;
|
||||||
else
|
else
|
||||||
port_num = 0;
|
port_num = 0;
|
||||||
#endif
|
#endif
|
||||||
|
|
|
@ -243,9 +243,9 @@ daemon_remote_create(struct config_file* cfg)
|
||||||
goto setup_error;
|
goto setup_error;
|
||||||
}
|
}
|
||||||
verbose(VERB_ALGO, "setup SSL certificates");
|
verbose(VERB_ALGO, "setup SSL certificates");
|
||||||
if (!SSL_CTX_use_certificate_file(rc->ctx,s_cert,SSL_FILETYPE_PEM)) {
|
if (!SSL_CTX_use_certificate_chain_file(rc->ctx,s_cert)) {
|
||||||
log_err("Error for server-cert-file: %s", s_cert);
|
log_err("Error for server-cert-file: %s", s_cert);
|
||||||
log_crypto_err("Error in SSL_CTX use_certificate_file");
|
log_crypto_err("Error in SSL_CTX use_certificate_chain_file");
|
||||||
goto setup_error;
|
goto setup_error;
|
||||||
}
|
}
|
||||||
if(!SSL_CTX_use_PrivateKey_file(rc->ctx,s_key,SSL_FILETYPE_PEM)) {
|
if(!SSL_CTX_use_PrivateKey_file(rc->ctx,s_key,SSL_FILETYPE_PEM)) {
|
||||||
|
@ -258,6 +258,23 @@ daemon_remote_create(struct config_file* cfg)
|
||||||
log_crypto_err("Error in SSL_CTX check_private_key");
|
log_crypto_err("Error in SSL_CTX check_private_key");
|
||||||
goto setup_error;
|
goto setup_error;
|
||||||
}
|
}
|
||||||
|
#if HAVE_DECL_SSL_CTX_SET_ECDH_AUTO
|
||||||
|
if(!SSL_CTX_set_ecdh_auto(rc->ctx,1)) {
|
||||||
|
log_crypto_err("Error in SSL_CTX_ecdh_auto, not enabling ECDHE");
|
||||||
|
}
|
||||||
|
#elif defined(USE_ECDSA)
|
||||||
|
if(1) {
|
||||||
|
EC_KEY *ecdh = EC_KEY_new_by_curve_name (NID_X9_62_prime256v1);
|
||||||
|
if (!ecdh) {
|
||||||
|
log_crypto_err("could not find p256, not enabling ECDHE");
|
||||||
|
} else {
|
||||||
|
if (1 != SSL_CTX_set_tmp_ecdh (rc->ctx, ecdh)) {
|
||||||
|
log_crypto_err("Error in SSL_CTX_set_tmp_ecdh, not enabling ECDHE");
|
||||||
|
}
|
||||||
|
EC_KEY_free (ecdh);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
#endif
|
||||||
if(!SSL_CTX_load_verify_locations(rc->ctx, s_cert, NULL)) {
|
if(!SSL_CTX_load_verify_locations(rc->ctx, s_cert, NULL)) {
|
||||||
log_crypto_err("Error setting up SSL_CTX verify locations");
|
log_crypto_err("Error setting up SSL_CTX verify locations");
|
||||||
setup_error:
|
setup_error:
|
||||||
|
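Review bot: The failure message in the new ECDH block names `SSL_CTX_ecdh_auto`, while the call on the line above is `SSL_CTX_set_ecdh_auto`, so the log text does not match the API name an operator would search for; suggest `log_crypto_err("Error in SSL_CTX_set_ecdh_auto, not enabling ECDHE");`. As a point of style, the `if(1) {` in the `USE_ECDSA` branch exists only to open a declaration scope for `ecdh` and would read more plainly as a bare `{` block with a one-line comment such as `/* block scope so the EC_KEY declaration stays at block start */`. Both branches log and continue on failure, which matches the changelog's "not enabling ECDHE" intent; daemon_remote_create starts and ends outside the hunk.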
@ -1683,6 +1700,7 @@ parse_delegpt(SSL* ssl, char* args, uint8_t* nm, int allow_names)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
dp->has_parent_side_NS = 1;
|
||||||
return dp;
|
return dp;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -568,7 +568,7 @@ answer_from_cache(struct worker* worker, struct query_info* qinfo,
|
||||||
if(rep->an_numrrsets > 0 && (rep->rrsets[0]->rk.type ==
|
if(rep->an_numrrsets > 0 && (rep->rrsets[0]->rk.type ==
|
||||||
htons(LDNS_RR_TYPE_CNAME) || rep->rrsets[0]->rk.type ==
|
htons(LDNS_RR_TYPE_CNAME) || rep->rrsets[0]->rk.type ==
|
||||||
htons(LDNS_RR_TYPE_DNAME))) {
|
htons(LDNS_RR_TYPE_DNAME))) {
|
||||||
if(!reply_check_cname_chain(rep)) {
|
if(!reply_check_cname_chain(qinfo, rep)) {
|
||||||
/* cname chain invalid, redo iterator steps */
|
/* cname chain invalid, redo iterator steps */
|
||||||
verbose(VERB_ALGO, "Cache reply: cname chain broken");
|
verbose(VERB_ALGO, "Cache reply: cname chain broken");
|
||||||
bail_out:
|
bail_out:
|
||||||
|
|
|
@ -1,3 +1,73 @@
|
||||||
|
13 August 2015: Wouter
|
||||||
|
- 5011 implementation does not insist on all algorithms, when
|
||||||
|
harden-algo-downgrade is turned off.
|
||||||
|
- Reap the child process that libunbound spawns.
|
||||||
|
|
||||||
|
11 August 2015: Wouter
|
||||||
|
- Fix #694: configure script does not detect LibreSSL 2.2.2
|
||||||
|
|
||||||
|
4 August 2015: Wouter
|
||||||
|
- Document that local-zone nodefault matches exactly and transparent
|
||||||
|
can be used to release a subzone.
|
||||||
|
|
||||||
|
3 August 2015: Wouter
|
||||||
|
- Document in the manual more text about configuring locally served
|
||||||
|
zones.
|
||||||
|
- Fix 5011 anchor update timer after reload.
|
||||||
|
- Fix mktime in unbound-anchor not using UTC.
|
||||||
|
|
||||||
|
30 July 2015: Wouter
|
||||||
|
- please afl-gcc (llvm) for uninitialised variable warning.
|
||||||
|
- Added permit-small-holddown config to debug fast 5011 rollover.
|
||||||
|
|
||||||
|
24 July 2015: Wouter
|
||||||
|
- Fix #690: Reload fails when so-reuseport is yes after changing
|
||||||
|
num-threads.
|
||||||
|
- iana portlist update.
|
||||||
|
|
||||||
|
21 July 2015: Wouter
|
||||||
|
- Fix configure to detect SSL_CTX_set_ecdh_auto.
|
||||||
|
- iana portlist update.
|
||||||
|
|
||||||
|
20 July 2015: Wouter
|
||||||
|
- Enable ECDHE for servers. Where available, use
|
||||||
|
SSL_CTX_set_ecdh_auto() for TLS-wrapped server configurations to
|
||||||
|
enable ECDHE. Otherwise, manually offer curve p256.
|
||||||
|
Client connections should automatically use ECDHE when available.
|
||||||
|
(thanks Daniel Kahn Gillmor)
|
||||||
|
|
||||||
|
18 July 2015: Willem
|
||||||
|
- Allow certificate chain files to allow for intermediate certificates.
|
||||||
|
(thanks Daniel Kahn Gillmor)
|
||||||
|
|
||||||
|
13 July 2015: Wouter
|
||||||
|
- makedist produces sha1 and sha256 files for created binaries too.
|
||||||
|
|
||||||
|
9 July 2015: Wouter
|
||||||
|
- 1.5.4 release tag
|
||||||
|
- trunk has 1.5.5 in development.
|
||||||
|
- Fix #681: Setting forwarders with unbound-control forward
|
||||||
|
implicitly turns on forward-first.
|
||||||
|
|
||||||
|
29 June 2015: Wouter
|
||||||
|
- iana portlist update.
|
||||||
|
- Fix alloc with log for allocation size checks.
|
||||||
|
|
||||||
|
26 June 2015: Wouter
|
||||||
|
- Fix #677 Fix DNAME responses from cache that failed internal chain
|
||||||
|
test.
|
||||||
|
- iana portlist update.
|
||||||
|
|
||||||
|
22 June 2015: Wouter
|
||||||
|
- Fix #677 Fix CNAME corresponding to a DNAME was checked incorrectly
|
||||||
|
and was therefore always synthesized (thanks to Valentin Dietrich).
|
||||||
|
|
||||||
|
4 June 2015: Wouter
|
||||||
|
- RFC 7553 RR type URI support, is now enabled by default.
|
||||||
|
|
||||||
|
2 June 2015: Wouter
|
||||||
|
- Fix #674: Do not free pointers given by getenv.
|
||||||
|
|
||||||
29 May 2015: Wouter
|
29 May 2015: Wouter
|
||||||
- Fix that unparseable error responses are ratelimited.
|
- Fix that unparseable error responses are ratelimited.
|
||||||
- SOA negative TTL is capped at minimumttl in its rdata section.
|
- SOA negative TTL is capped at minimumttl in its rdata section.
|
||||||
|
|
|
@ -444,6 +444,9 @@ server:
|
||||||
# If the value 0 is given, missing anchors are not removed.
|
# If the value 0 is given, missing anchors are not removed.
|
||||||
# keep-missing: 31622400 # 366 days
|
# keep-missing: 31622400 # 366 days
|
||||||
|
|
||||||
|
# debug option that allows very small holddown times for key rollover
|
||||||
|
# permit-small-holddown: no
|
||||||
|
|
||||||
# the amount of memory to use for the key cache.
|
# the amount of memory to use for the key cache.
|
||||||
# plain value in bytes or you can append k, m or G. default is "4Mb".
|
# plain value in bytes or you can append k, m or G. default is "4Mb".
|
||||||
# key-cache-size: 4m
|
# key-cache-size: 4m
|
||||||
|
@ -623,6 +626,8 @@ remote-control:
|
||||||
# nameservers by hostname or by ipaddress. If you set stub-prime to yes,
|
# nameservers by hostname or by ipaddress. If you set stub-prime to yes,
|
||||||
# the list is treated as priming hints (default is no).
|
# the list is treated as priming hints (default is no).
|
||||||
# With stub-first yes, it attempts without the stub if it fails.
|
# With stub-first yes, it attempts without the stub if it fails.
|
||||||
|
# Consider adding domain-insecure: name and local-zone: name nodefault
|
||||||
|
# to the server: section if the stub is a locally served zone.
|
||||||
# stub-zone:
|
# stub-zone:
|
||||||
# name: "example.com"
|
# name: "example.com"
|
||||||
# stub-addr: 192.0.2.68
|
# stub-addr: 192.0.2.68
|
||||||
|
|
|
@ -801,6 +801,10 @@ mechanism work with zones that perform regular (non\-5011) rollovers.
|
||||||
The default is 366 days. The value 0 does not remove missing anchors,
|
The default is 366 days. The value 0 does not remove missing anchors,
|
||||||
as per the RFC.
|
as per the RFC.
|
||||||
.TP
|
.TP
|
||||||
|
.B permit\-small\-holddown: \fI<yes or no>
|
||||||
|
Debug option that allows the autotrust 5011 rollover timers to assume
|
||||||
|
very small values. Default is no.
|
||||||
|
.TP
|
||||||
.B key\-cache\-size: \fI<number>
|
.B key\-cache\-size: \fI<number>
|
||||||
Number of bytes size of the key cache. Default is 4 megabytes.
|
Number of bytes size of the key cache. Default is 4 megabytes.
|
||||||
A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes
|
A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes
|
||||||
|
@ -895,7 +899,8 @@ infected machines without answering the queries.
|
||||||
Used to turn off default contents for AS112 zones. The other types
|
Used to turn off default contents for AS112 zones. The other types
|
||||||
also turn off default contents for the zone. The 'nodefault' option
|
also turn off default contents for the zone. The 'nodefault' option
|
||||||
has no other effect than turning off default contents for the
|
has no other effect than turning off default contents for the
|
||||||
given zone.
|
given zone. Use \fInodefault\fR if you use exactly that zone, if you want to
|
||||||
|
use a subzone, use \fItransparent\fR.
|
||||||
.P
|
.P
|
||||||
The default zones are localhost, reverse 127.0.0.1 and ::1, and the AS112
|
The default zones are localhost, reverse 127.0.0.1 and ::1, and the AS112
|
||||||
zones. The AS112 zones are reverse DNS zones for private use and reserved
|
zones. The AS112 zones are reverse DNS zones for private use and reserved
|
||||||
|
@ -1124,6 +1129,12 @@ bit on replies for the private zone (authoritative servers do not set the
|
||||||
AD bit). This setup makes unbound capable of answering queries for the
|
AD bit). This setup makes unbound capable of answering queries for the
|
||||||
private zone, and can even set the AD bit ('authentic'), but the AA
|
private zone, and can even set the AD bit ('authentic'), but the AA
|
||||||
('authoritative') bit is not set on these replies.
|
('authoritative') bit is not set on these replies.
|
||||||
|
.P
|
||||||
|
Consider adding \fBserver:\fR statements for \fBdomain\-insecure:\fR and
|
||||||
|
for \fBlocal\-zone:\fI name nodefault\fR for the zone if it is a locally
|
||||||
|
served zone. The insecure clause stops DNSSEC from invalidating the
|
||||||
|
zone. The local zone nodefault (or \fItransparent\fR) clause makes the
|
||||||
|
(reverse\-) zone bypass unbound's filtering of RFC1918 zones.
|
||||||
.TP
|
.TP
|
||||||
.B name: \fI<domain name>
|
.B name: \fI<domain name>
|
||||||
Name of the stub zone.
|
Name of the stub zone.
|
||||||
|
|
|
@ -372,7 +372,7 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg,
|
||||||
/* check next cname */
|
/* check next cname */
|
||||||
uint8_t* t = NULL;
|
uint8_t* t = NULL;
|
||||||
size_t tlen = 0;
|
size_t tlen = 0;
|
||||||
if(!parse_get_cname_target(rrset, &t, &tlen))
|
if(!parse_get_cname_target(nx, &t, &tlen))
|
||||||
return 0;
|
return 0;
|
||||||
if(dname_pkt_compare(pkt, alias, t) == 0) {
|
if(dname_pkt_compare(pkt, alias, t) == 0) {
|
||||||
/* it's OK and better capitalized */
|
/* it's OK and better capitalized */
|
||||||
|
|
|
@ -65,6 +65,9 @@
|
||||||
#ifdef HAVE_PTHREAD
|
#ifdef HAVE_PTHREAD
|
||||||
#include <signal.h>
|
#include <signal.h>
|
||||||
#endif
|
#endif
|
||||||
|
#ifdef HAVE_SYS_WAIT_H
|
||||||
|
#include <sys/wait.h>
|
||||||
|
#endif
|
||||||
|
|
||||||
#if defined(UB_ON_WINDOWS) && defined (HAVE_WINDOWS_H)
|
#if defined(UB_ON_WINDOWS) && defined (HAVE_WINDOWS_H)
|
||||||
#include <windows.h>
|
#include <windows.h>
|
||||||
|
@ -218,6 +221,12 @@ static void ub_stop_bg(struct ub_ctx* ctx)
|
||||||
ub_thread_join(ctx->bg_tid);
|
ub_thread_join(ctx->bg_tid);
|
||||||
} else {
|
} else {
|
||||||
lock_basic_unlock(&ctx->cfglock);
|
lock_basic_unlock(&ctx->cfglock);
|
||||||
|
#ifndef UB_ON_WINDOWS
|
||||||
|
if(waitpid(ctx->bg_pid, NULL, 0) == -1) {
|
||||||
|
if(verbosity > 2)
|
||||||
|
log_err("waitpid: %s", strerror(errno));
|
||||||
|
}
|
||||||
|
#endif
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
|
|
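Review bot: The new `waitpid(ctx->bg_pid, NULL, 0)` in ub_stop_bg treats every -1 as a final failure, but waitpid returns -1 with errno EINTR when a signal arrives during the wait, and in that case the child is not reaped, which is the leak this change is meant to close; a retry on EINTR is the usual shape. The error is only logged at verbosity > 2, which is fine for a best-effort reap, but the retry should happen regardless of verbosity. The code reads `errno` and calls `strerror`, so the file presumably already has `<errno.h>` and `<string.h>` in scope via config.h; worth confirming since only `<sys/wait.h>` is added in this commit. ub_stop_bg starts and ends outside the hunk.

```c
		lock_basic_unlock(&ctx->cfglock);
#ifndef UB_ON_WINDOWS
		{
			int r;
			/* retry when interrupted by a signal, the child is
			 * still unreaped in that case */
			do {
				r = waitpid(ctx->bg_pid, NULL, 0);
			} while(r == -1 && errno == EINTR);
			if(r == -1 && verbosity > 2)
				log_err("waitpid: %s", strerror(errno));
		}
#endif
		/* … unchanged: closing braces of the else branch … */
```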
|
@ -136,6 +136,43 @@ create_temp_dir () {
|
||||||
cd $temp_dir
|
cd $temp_dir
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# pass filename as $1 arg.
|
||||||
|
# creates file.sha1 and file.sha256
|
||||||
|
storehash () {
|
||||||
|
case $OSTYPE in
|
||||||
|
linux*)
|
||||||
|
sha=`sha1sum $1 | awk '{ print $1 }'`
|
||||||
|
sha256=`sha256sum $1 | awk '{ print $1 }'`
|
||||||
|
;;
|
||||||
|
freebsd*)
|
||||||
|
sha=`sha1 $1 | awk '{ print $5 }'`
|
||||||
|
sha256=`sha256 $1 | awk '{ print $5 }'`
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
# in case $OSTYPE is gone.
|
||||||
|
case `uname` in
|
||||||
|
Linux*)
|
||||||
|
sha=`sha1sum $1 | awk '{ print $1 }'`
|
||||||
|
sha256=`sha256sum $1 | awk '{ print $1 }'`
|
||||||
|
;;
|
||||||
|
FreeBSD*)
|
||||||
|
sha=`sha1 $1 | awk '{ print $5 }'`
|
||||||
|
sha256=`sha256 $1 | awk '{ print $5 }'`
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
sha=`sha1sum $1 | awk '{ print $1 }'`
|
||||||
|
sha256=`sha256sum $1 | awk '{ print $1 }'`
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
echo $sha > $1.sha1
|
||||||
|
echo $sha256 > $1.sha256
|
||||||
|
echo "hash of $1.{sha1,sha256}"
|
||||||
|
echo "sha1 $sha"
|
||||||
|
echo "sha256 $sha256"
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
SNAPSHOT="no"
|
SNAPSHOT="no"
|
||||||
RC="no"
|
RC="no"
|
||||||
|
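Review bot: In the new storehash function `$1` is expanded unquoted in every command (`sha1sum $1`, `echo $sha > $1.sha1`, and the BSD variants), so a file name containing whitespace or glob characters is split or expanded before the hash tool sees it; quoting it as `sha1sum "$1"` and `echo "$sha" > "$1.sha1"` throughout keeps the function safe for arbitrary names. The function also relies on `$OSTYPE`, which is a bash variable rather than a POSIX one, so the `uname` fallback is the path taken under plain /bin/sh; a comment such as `# $OSTYPE is bash-specific; the uname case handles other shells` above the outer case would make that explicit. The removed inline version had the same quoting, so this is a point about the new function rather than a regression.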
@ -311,6 +348,8 @@ if [ "$DOWIN" = "yes" ]; then
|
||||||
mv unbound-$version.zip $cwd/.
|
mv unbound-$version.zip $cwd/.
|
||||||
cleanup
|
cleanup
|
||||||
fi
|
fi
|
||||||
|
storehash unbound_setup_$version.exe
|
||||||
|
storehash unbound-$version.zip
|
||||||
ls -lG unbound_setup_$version.exe
|
ls -lG unbound_setup_$version.exe
|
||||||
ls -lG unbound-$version.zip
|
ls -lG unbound-$version.zip
|
||||||
info "Done"
|
info "Done"
|
||||||
|
@ -411,36 +450,7 @@ tar czf ../unbound-$version.tar.gz unbound-$version || error_cleanup "Failed to
|
||||||
|
|
||||||
cleanup
|
cleanup
|
||||||
|
|
||||||
case $OSTYPE in
|
storehash unbound-$version.tar.gz
|
||||||
linux*)
|
|
||||||
sha=`sha1sum unbound-$version.tar.gz | awk '{ print $1 }'`
|
|
||||||
sha256=`sha256sum unbound-$version.tar.gz | awk '{ print $1 }'`
|
|
||||||
;;
|
|
||||||
freebsd*)
|
|
||||||
sha=`sha1 unbound-$version.tar.gz | awk '{ print $5 }'`
|
|
||||||
sha256=`sha256 unbound-$version.tar.gz | awk '{ print $5 }'`
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
# in case $OSTYPE is gone.
|
|
||||||
case `uname` in
|
|
||||||
Linux*)
|
|
||||||
sha=`sha1sum unbound-$version.tar.gz | awk '{ print $1 }'`
|
|
||||||
sha256=`sha256sum unbound-$version.tar.gz | awk '{ print $1 }'`
|
|
||||||
;;
|
|
||||||
FreeBSD*)
|
|
||||||
sha=`sha1 unbound-$version.tar.gz | awk '{ print $5 }'`
|
|
||||||
sha256=`sha256 unbound-$version.tar.gz | awk '{ print $5 }'`
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
sha=`sha1sum unbound-$version.tar.gz | awk '{ print $1 }'`
|
|
||||||
sha256=`sha256sum unbound-$version.tar.gz | awk '{ print $1 }'`
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
echo $sha > unbound-$version.tar.gz.sha1
|
|
||||||
echo $sha256 > unbound-$version.tar.gz.sha256
|
|
||||||
|
|
||||||
info "Unbound distribution created successfully."
|
info "Unbound distribution created successfully."
|
||||||
info "SHA1sum: $sha"
|
|
||||||
|
|
||||||
|
|
|
@ -505,7 +505,7 @@ tomsg(struct module_env* env, struct query_info* q, struct reply_info* r,
|
||||||
return NULL;
|
return NULL;
|
||||||
if(r->an_numrrsets > 0 && (r->rrsets[0]->rk.type == htons(
|
if(r->an_numrrsets > 0 && (r->rrsets[0]->rk.type == htons(
|
||||||
LDNS_RR_TYPE_CNAME) || r->rrsets[0]->rk.type == htons(
|
LDNS_RR_TYPE_CNAME) || r->rrsets[0]->rk.type == htons(
|
||||||
LDNS_RR_TYPE_DNAME)) && !reply_check_cname_chain(r)) {
|
LDNS_RR_TYPE_DNAME)) && !reply_check_cname_chain(q, r)) {
|
||||||
/* cname chain is now invalid, reconstruct msg */
|
/* cname chain is now invalid, reconstruct msg */
|
||||||
rrset_array_unlock(r->ref, r->rrset_count);
|
rrset_array_unlock(r->ref, r->rrset_count);
|
||||||
return NULL;
|
return NULL;
|
||||||
|
|
|
@ -213,13 +213,11 @@ static const sldns_rdf_type type_eui48_wireformat[] = {
|
||||||
static const sldns_rdf_type type_eui64_wireformat[] = {
|
static const sldns_rdf_type type_eui64_wireformat[] = {
|
||||||
LDNS_RDF_TYPE_EUI64
|
LDNS_RDF_TYPE_EUI64
|
||||||
};
|
};
|
||||||
#ifdef DRAFT_RRTYPES
|
|
||||||
static const sldns_rdf_type type_uri_wireformat[] = {
|
static const sldns_rdf_type type_uri_wireformat[] = {
|
||||||
LDNS_RDF_TYPE_INT16,
|
LDNS_RDF_TYPE_INT16,
|
||||||
LDNS_RDF_TYPE_INT16,
|
LDNS_RDF_TYPE_INT16,
|
||||||
LDNS_RDF_TYPE_LONG_STR
|
LDNS_RDF_TYPE_LONG_STR
|
||||||
};
|
};
|
||||||
#endif
|
|
||||||
static const sldns_rdf_type type_caa_wireformat[] = {
|
static const sldns_rdf_type type_caa_wireformat[] = {
|
||||||
LDNS_RDF_TYPE_INT8,
|
LDNS_RDF_TYPE_INT8,
|
||||||
LDNS_RDF_TYPE_TAG,
|
LDNS_RDF_TYPE_TAG,
|
||||||
|
@ -590,12 +588,8 @@ static sldns_rr_descriptor rdata_field_descriptors[] = {
|
||||||
/* ANY: A request for all (available) records */
|
/* ANY: A request for all (available) records */
|
||||||
{LDNS_RR_TYPE_ANY, "ANY", 1, 1, type_0_wireformat, LDNS_RDF_TYPE_NONE, LDNS_RR_NO_COMPRESS, 0 },
|
{LDNS_RR_TYPE_ANY, "ANY", 1, 1, type_0_wireformat, LDNS_RDF_TYPE_NONE, LDNS_RR_NO_COMPRESS, 0 },
|
||||||
|
|
||||||
#ifdef DRAFT_RRTYPES
|
|
||||||
/* 256 */
|
/* 256 */
|
||||||
{LDNS_RR_TYPE_URI, "URI", 3, 3, type_uri_wireformat, LDNS_RDF_TYPE_NONE, LDNS_RR_NO_COMPRESS, 0 },
|
{LDNS_RR_TYPE_URI, "URI", 3, 3, type_uri_wireformat, LDNS_RDF_TYPE_NONE, LDNS_RR_NO_COMPRESS, 0 },
|
||||||
#else
|
|
||||||
{LDNS_RR_TYPE_NULL, "TYPE256", 1, 1, type_0_wireformat, LDNS_RDF_TYPE_NONE, LDNS_RR_NO_COMPRESS, 0 },
|
|
||||||
#endif
|
|
||||||
/* 257 */
|
/* 257 */
|
||||||
{LDNS_RR_TYPE_CAA, "CAA", 3, 3, type_caa_wireformat, LDNS_RDF_TYPE_NONE, LDNS_RR_NO_COMPRESS, 0 },
|
{LDNS_RR_TYPE_CAA, "CAA", 3, 3, type_caa_wireformat, LDNS_RDF_TYPE_NONE, LDNS_RR_NO_COMPRESS, 0 },
|
||||||
|
|
||||||
|
|
|
@ -220,8 +220,7 @@ enum sldns_enum_rr_type
|
||||||
LDNS_RR_TYPE_MAILA = 254,
|
LDNS_RR_TYPE_MAILA = 254,
|
||||||
/** any type (wildcard) */
|
/** any type (wildcard) */
|
||||||
LDNS_RR_TYPE_ANY = 255,
|
LDNS_RR_TYPE_ANY = 255,
|
||||||
/** draft-faltstrom-uri-06 */
|
LDNS_RR_TYPE_URI = 256, /* RFC 7553 */
|
||||||
LDNS_RR_TYPE_URI = 256,
|
|
||||||
LDNS_RR_TYPE_CAA = 257, /* RFC 6844 */
|
LDNS_RR_TYPE_CAA = 257, /* RFC 6844 */
|
||||||
|
|
||||||
/** DNSSEC Trust Authorities */
|
/** DNSSEC Trust Authorities */
|
||||||
|
|
|
@ -117,6 +117,7 @@
|
||||||
#include "config.h"
|
#include "config.h"
|
||||||
#include "libunbound/unbound.h"
|
#include "libunbound/unbound.h"
|
||||||
#include "sldns/rrdef.h"
|
#include "sldns/rrdef.h"
|
||||||
|
#include "sldns/parseutil.h"
|
||||||
#include <expat.h>
|
#include <expat.h>
|
||||||
#ifndef HAVE_EXPAT_H
|
#ifndef HAVE_EXPAT_H
|
||||||
#error "need libexpat to parse root-anchors.xml file."
|
#error "need libexpat to parse root-anchors.xml file."
|
||||||
|
@ -1328,7 +1329,7 @@ xml_convertdate(const char* str)
|
||||||
/* but ignore, (lenient) */
|
/* but ignore, (lenient) */
|
||||||
}
|
}
|
||||||
|
|
||||||
t = mktime(&tm);
|
t = sldns_mktime_from_utc(&tm);
|
||||||
if(t == (time_t)-1) {
|
if(t == (time_t)-1) {
|
||||||
if(verb) printf("xml_convertdate mktime failure\n");
|
if(verb) printf("xml_convertdate mktime failure\n");
|
||||||
return 0;
|
return 0;
|
||||||
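Review bot: The failure message on the line after the changed call still says `xml_convertdate mktime failure` although the call is now `sldns_mktime_from_utc`, so a log line from this path names the wrong function; change it to `if(verb) printf("xml_convertdate sldns_mktime_from_utc failure\n");`. The switch itself is the substantive fix: `mktime` interprets `tm` as local time, so the dates parsed from root-anchors.xml were offset by the host's timezone, which near a validity boundary could make an anchor look valid or expired at the wrong moment — a comment such as `/* XML dates are UTC; mktime() would apply the local timezone */` above the call would keep that reasoning with the code. The `@ -117` hunk only adds the matching include. xml_convertdate's body starts and ends outside the hunk.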
|
|
|
@ -161,7 +161,7 @@ setup_ctx(struct config_file* cfg)
|
||||||
if(cfg->remote_control_use_cert) {
|
if(cfg->remote_control_use_cert) {
|
||||||
if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3))
|
if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3))
|
||||||
ssl_err("could not set SSL_OP_NO_SSLv3");
|
ssl_err("could not set SSL_OP_NO_SSLv3");
|
||||||
if(!SSL_CTX_use_certificate_file(ctx,c_cert,SSL_FILETYPE_PEM) ||
|
if(!SSL_CTX_use_certificate_chain_file(ctx,c_cert) ||
|
||||||
!SSL_CTX_use_PrivateKey_file(ctx,c_key,SSL_FILETYPE_PEM)
|
!SSL_CTX_use_PrivateKey_file(ctx,c_key,SSL_FILETYPE_PEM)
|
||||||
|| !SSL_CTX_check_private_key(ctx))
|
|| !SSL_CTX_check_private_key(ctx))
|
||||||
ssl_err("Error setting up SSL_CTX client key and cert");
|
ssl_err("Error setting up SSL_CTX client key and cert");
|
||||||
|
|
|
@ -236,12 +236,28 @@ setup_ctx(char* key, char* cert)
|
||||||
if(!ctx) print_exit("out of memory");
|
if(!ctx) print_exit("out of memory");
|
||||||
(void)SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
|
(void)SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
|
||||||
(void)SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3);
|
(void)SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3);
|
||||||
if(!SSL_CTX_use_certificate_file(ctx, cert, SSL_FILETYPE_PEM))
|
if(!SSL_CTX_use_certificate_chain_file(ctx, cert))
|
||||||
print_exit("cannot read cert");
|
print_exit("cannot read cert");
|
||||||
if(!SSL_CTX_use_PrivateKey_file(ctx, key, SSL_FILETYPE_PEM))
|
if(!SSL_CTX_use_PrivateKey_file(ctx, key, SSL_FILETYPE_PEM))
|
||||||
print_exit("cannot read key");
|
print_exit("cannot read key");
|
||||||
if(!SSL_CTX_check_private_key(ctx))
|
if(!SSL_CTX_check_private_key(ctx))
|
||||||
print_exit("private key is not correct");
|
print_exit("private key is not correct");
|
||||||
|
#if HAVE_DECL_SSL_CTX_SET_ECDH_AUTO
|
||||||
|
if (!SSL_CTX_set_ecdh_auto(ctx,1))
|
||||||
|
if(verb>=1) printf("failed to set_ecdh_auto, not enabling ECDHE\n");
|
||||||
|
#elif defined(USE_ECDSA)
|
||||||
|
if(1) {
|
||||||
|
EC_KEY *ecdh = EC_KEY_new_by_curve_name (NID_X9_62_prime256v1);
|
||||||
|
if (!ecdh) {
|
||||||
|
if(verb>=1) printf("could not find p256, not enabling ECDHE\n");
|
||||||
|
} else {
|
||||||
|
if (1 != SSL_CTX_set_tmp_ecdh (ctx, ecdh)) {
|
||||||
|
if(verb>=1) printf("Error in SSL_CTX_set_tmp_ecdh, not enabling ECDHE\n");
|
||||||
|
}
|
||||||
|
EC_KEY_free(ecdh);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
#endif
|
||||||
if(!SSL_CTX_load_verify_locations(ctx, cert, NULL))
|
if(!SSL_CTX_load_verify_locations(ctx, cert, NULL))
|
||||||
print_exit("cannot load cert verify locations");
|
print_exit("cannot load cert verify locations");
|
||||||
return ctx;
|
return ctx;
|
||||||
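Review bot: The `if(1) {` opening the `USE_ECDSA` branch exists only to create a scope for the `EC_KEY *ecdh` declaration and reads like a leftover debug switch; a bare block `{` does the same, and the new lines also use `if (` and `EC_KEY_new_by_curve_name (` spacing where the rest of the function writes `if(` and `fn(`. In both branches a failure to enable ECDHE is reported only when `verb>=1` and the context is then used as-is, so at default verbosity the server continues silently without forward-secret suites; for test tooling that may be intended, but a comment such as `/* ECDHE is best-effort; on failure the remaining cipher suites are used */` would make it explicit. `EC_KEY_free(ecdh)` after `SSL_CTX_set_tmp_ecdh` looks correct since OpenSSL keeps its own copy of the key. setup_ctx's body starts outside the hunk and its closing brace lies beyond it.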
|
|
|
@ -1,161 +0,0 @@
|
||||||
; This is a comment.
|
|
||||||
; config options go here.
|
|
||||||
forward-zone: name: "." forward-addr: 216.0.0.1
|
|
||||||
CONFIG_END
|
|
||||||
|
|
||||||
SCENARIO_BEGIN Test query and cache with type ANY
|
|
||||||
RANGE_BEGIN 0 1000
|
|
||||||
ENTRY_BEGIN
|
|
||||||
MATCH opcode qtype qname
|
|
||||||
ADJUST copy_id
|
|
||||||
REPLY QR RD RA NOERROR
|
|
||||||
SECTION QUESTION
|
|
||||||
www.example.com. IN A
|
|
||||||
SECTION ANSWER
|
|
||||||
www.example.com. IN A 10.20.30.40
|
|
||||||
SECTION AUTHORITY
|
|
||||||
www.example.com. IN NS ns.example.com.
|
|
||||||
SECTION ADDITIONAL
|
|
||||||
ns.example.com. IN A 10.20.30.50
|
|
||||||
ENTRY_END
|
|
||||||
|
|
||||||
ENTRY_BEGIN
|
|
||||||
MATCH opcode qtype qname
|
|
||||||
ADJUST copy_id
|
|
||||||
REPLY QR RD RA NOERROR
|
|
||||||
SECTION QUESTION
|
|
||||||
www.example.com. IN ANY
|
|
||||||
SECTION ANSWER
|
|
||||||
;; different type in this answer.
|
|
||||||
www.example.com. IN TXT "text"
|
|
||||||
ENTRY_END
|
|
||||||
|
|
||||||
ENTRY_BEGIN
|
|
||||||
MATCH opcode qtype qname
|
|
||||||
ADJUST copy_id
|
|
||||||
REPLY QR RD RA NOERROR
|
|
||||||
SECTION QUESTION
|
|
||||||
www.example.com. IN AAAA
|
|
||||||
SECTION ANSWER
|
|
||||||
www.example.com. IN AAAA ::5
|
|
||||||
ENTRY_END
|
|
||||||
|
|
||||||
ENTRY_BEGIN
|
|
||||||
MATCH opcode qname qtype
|
|
||||||
ADJUST copy_id
|
|
||||||
REPLY QR RD RA NOERROR
|
|
||||||
SECTION QUESTION
|
|
||||||
www.foo.com. IN ANY
|
|
||||||
SECTION ANSWER
|
|
||||||
www.foo.com. IN A 1.2.3.77
|
|
||||||
www.foo.com. IN AAAA ::77
|
|
||||||
ENTRY_END
|
|
||||||
|
|
||||||
RANGE_END
|
|
||||||
|
|
||||||
STEP 10 QUERY
|
|
||||||
ENTRY_BEGIN
|
|
||||||
REPLY RD
|
|
||||||
SECTION QUESTION
|
|
||||||
www.example.com. IN A
|
|
||||||
ENTRY_END
|
|
||||||
; unneccesary nothing steps.
|
|
||||||
STEP 20 NOTHING
|
|
||||||
STEP 30 CHECK_ANSWER
|
|
||||||
ENTRY_BEGIN
|
|
||||||
MATCH opcode qname qtype
|
|
||||||
SECTION QUESTION
|
|
||||||
www.example.com. IN A
|
|
||||||
SECTION ANSWER
|
|
||||||
www.example.com. IN A 10.20.30.40
|
|
||||||
ENTRY_END
|
|
||||||
|
|
||||||
; test cache synthesis
|
|
||||||
STEP 40 QUERY
|
|
||||||
ENTRY_BEGIN
|
|
||||||
REPLY RD
|
|
||||||
SECTION QUESTION
|
|
||||||
www.example.com. IN ANY
|
|
||||||
ENTRY_END
|
|
||||||
STEP 50 NOTHING
|
|
||||||
STEP 60 CHECK_ANSWER
|
|
||||||
ENTRY_BEGIN
|
|
||||||
MATCH opcode qname qtype
|
|
||||||
SECTION QUESTION
|
|
||||||
www.example.com. IN ANY
|
|
||||||
SECTION ANSWER
|
|
||||||
www.example.com. IN A 10.20.30.40
|
|
||||||
ENTRY_END
|
|
||||||
|
|
||||||
; and again
|
|
||||||
; the synthesized result itself is not added to the cache
|
|
||||||
STEP 62 QUERY
|
|
||||||
ENTRY_BEGIN
|
|
||||||
REPLY RD
|
|
||||||
SECTION QUESTION
|
|
||||||
www.example.com. IN ANY
|
|
||||||
ENTRY_END
|
|
||||||
STEP 63 NOTHING
|
|
||||||
STEP 64 CHECK_ANSWER
|
|
||||||
ENTRY_BEGIN
|
|
||||||
MATCH opcode qname qtype
|
|
||||||
SECTION QUESTION
|
|
||||||
www.example.com. IN ANY
|
|
||||||
SECTION ANSWER
|
|
||||||
www.example.com. IN A 10.20.30.40
|
|
||||||
ENTRY_END
|
|
||||||
|
|
||||||
; AAAA lookup to add more data in cache
|
|
||||||
STEP 70 QUERY
|
|
||||||
ENTRY_BEGIN
|
|
||||||
REPLY RD
|
|
||||||
SECTION QUESTION
|
|
||||||
www.example.com. IN AAAA
|
|
||||||
ENTRY_END
|
|
||||||
STEP 80 NOTHING
|
|
||||||
STEP 90 CHECK_ANSWER
|
|
||||||
ENTRY_BEGIN
|
|
||||||
MATCH opcode qname qtype
|
|
||||||
SECTION QUESTION
|
|
||||||
www.example.com. IN AAAA
|
|
||||||
SECTION ANSWER
|
|
||||||
www.example.com. IN AAAA ::5
|
|
||||||
ENTRY_END
|
|
||||||
|
|
||||||
; test cache synthesis of AAAA, and two rrsets.
|
|
||||||
STEP 100 QUERY
|
|
||||||
ENTRY_BEGIN
|
|
||||||
REPLY RD
|
|
||||||
SECTION QUESTION
|
|
||||||
www.example.com. IN ANY
|
|
||||||
ENTRY_END
|
|
||||||
STEP 110 NOTHING
|
|
||||||
STEP 120 CHECK_ANSWER
|
|
||||||
ENTRY_BEGIN
|
|
||||||
MATCH opcode qname qtype
|
|
||||||
SECTION QUESTION
|
|
||||||
www.example.com. IN ANY
|
|
||||||
SECTION ANSWER
|
|
||||||
www.example.com. IN A 10.20.30.40
|
|
||||||
www.example.com. IN AAAA ::5
|
|
||||||
ENTRY_END
|
|
||||||
|
|
||||||
; test query that is not synthesized from cache.
|
|
||||||
STEP 130 QUERY
|
|
||||||
ENTRY_BEGIN
|
|
||||||
REPLY RD
|
|
||||||
SECTION QUESTION
|
|
||||||
www.foo.com. IN ANY
|
|
||||||
ENTRY_END
|
|
||||||
STEP 140 NOTHING
|
|
||||||
STEP 150 CHECK_ANSWER
|
|
||||||
ENTRY_BEGIN
|
|
||||||
MATCH opcode qname qtype
|
|
||||||
SECTION QUESTION
|
|
||||||
www.foo.com. IN ANY
|
|
||||||
SECTION ANSWER
|
|
||||||
www.foo.com. IN A 1.2.3.77
|
|
||||||
www.foo.com. IN AAAA ::77
|
|
||||||
ENTRY_END
|
|
||||||
|
|
||||||
SCENARIO_END
|
|
|
@ -1,273 +0,0 @@
|
||||||
; config options
|
|
||||||
server:
|
|
||||||
target-fetch-policy: "0 0 0 0 0"
|
|
||||||
|
|
||||||
stub-zone:
|
|
||||||
name: "."
|
|
||||||
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
|
|
||||||
CONFIG_END
|
|
||||||
|
|
||||||
SCENARIO_BEGIN Test resolver with a domain sale
|
|
||||||
; and the old operator is nasty, keeps running his server with the old data.
|
|
||||||
; and lots of lookups keep going towards the domain.
|
|
||||||
; eventually, the NS record has to timeout.
|
|
||||||
|
|
||||||
; K.ROOT-SERVERS.NET.
|
|
||||||
RANGE_BEGIN 0 100
|
|
||||||
ADDRESS 193.0.14.129
|
|
||||||
ENTRY_BEGIN
|
|
||||||
MATCH opcode qtype qname
|
|
||||||
ADJUST copy_id
|
|
||||||
REPLY QR NOERROR
|
|
||||||
SECTION QUESTION
|
|
||||||
. IN NS
|
|
||||||
SECTION ANSWER
|
|
||||||
. IN NS K.ROOT-SERVERS.NET.
|
|
||||||
SECTION ADDITIONAL
|
|
||||||
K.ROOT-SERVERS.NET. IN A 193.0.14.129
|
|
||||||
ENTRY_END
|
|
||||||
|
|
||||||
ENTRY_BEGIN
|
|
||||||
MATCH opcode subdomain
|
|
||||||
ADJUST copy_id copy_query
|
|
||||||
REPLY QR NOERROR
|
|
||||||
SECTION QUESTION
|
|
||||||
com. IN A
|
|
||||||
SECTION AUTHORITY
|
|
||||||
com. IN NS a.gtld-servers.net.
|
|
||||||
SECTION ADDITIONAL
|
|
||||||
a.gtld-servers.net. IN A 192.5.6.30
|
|
||||||
ENTRY_END
|
|
||||||
RANGE_END
|
|
||||||
|
|
||||||
; a.gtld-servers.net. (before sale of domain)
|
|
||||||
RANGE_BEGIN 0 20
|
|
||||||
ADDRESS 192.5.6.30
|
|
||||||
ENTRY_BEGIN
|
|
||||||
MATCH opcode qtype qname
|
|
||||||
ADJUST copy_id
|
|
||||||
REPLY QR NOERROR
|
|
||||||
SECTION QUESTION
|
|
||||||
com. IN NS
|
|
||||||
SECTION ANSWER
|
|
||||||
com. IN NS a.gtld-servers.net.
|
|
||||||
SECTION ADDITIONAL
|
|
||||||
a.gtld-servers.net. IN A 192.5.6.30
|
|
||||||
ENTRY_END
|
|
||||||
|
|
||||||
ENTRY_BEGIN
|
|
||||||
MATCH opcode subdomain
|
|
||||||
ADJUST copy_id copy_query
|
|
||||||
REPLY QR NOERROR
|
|
||||||
SECTION QUESTION
|
|
||||||
example.com. IN A
|
|
||||||
SECTION AUTHORITY
|
|
||||||
example.com. IN NS ns.example.com.
|
|
||||||
SECTION ADDITIONAL
|
|
||||||
ns.example.com. IN A 1.2.3.4
|
|
||||||
ENTRY_END
|
|
||||||
RANGE_END
|
|
||||||
|
|
||||||
; a.gtld-servers.net. (after sale of domain)
|
|
||||||
RANGE_BEGIN 30 200
|
|
||||||
ADDRESS 192.5.6.30
|
|
||||||
ENTRY_BEGIN
|
|
||||||
MATCH opcode qtype qname
|
|
||||||
ADJUST copy_id
|
|
||||||
REPLY QR NOERROR
|
|
||||||
SECTION QUESTION
|
|
||||||
com. IN NS
|
|
||||||
SECTION ANSWER
|
|
||||||
com. IN NS a.gtld-servers.net.
|
|
||||||
SECTION ADDITIONAL
|
|
||||||
a.gtld-servers.net. IN A 192.5.6.30
|
|
||||||
ENTRY_END
|
|
||||||
|
|
||||||
ENTRY_BEGIN
|
|
||||||
MATCH opcode subdomain
|
|
||||||
ADJUST copy_id copy_query
|
|
||||||
REPLY QR NOERROR
|
|
||||||
SECTION QUESTION
|
|
||||||
example.com. IN A
|
|
||||||
SECTION AUTHORITY
|
|
||||||
example.com. IN NS ns.example.com.
|
|
||||||
SECTION ADDITIONAL
|
|
||||||
ns.example.com. IN A 8.8.8.8
|
|
||||||
ENTRY_END
|
|
||||||
RANGE_END
|
|
||||||
|
|
||||||
; ns.example.com. first owner
|
|
||||||
RANGE_BEGIN 0 200
|
|
||||||
ADDRESS 1.2.3.4
|
|
||||||
ENTRY_BEGIN
|
|
||||||
MATCH opcode qtype qname
|
|
||||||
ADJUST copy_id
|
|
||||||
REPLY QR AA NOERROR
|
|
||||||
SECTION QUESTION
|
|
||||||
example.com. IN NS
|
|
||||||
SECTION ANSWER
|
|
||||||
example.com. IN NS ns.example.com.
|
|
||||||
SECTION ADDITIONAL
|
|
||||||
ns.example.com. IN A 1.2.3.4
|
|
||||||
ENTRY_END
|
|
||||||
|
|
||||||
ENTRY_BEGIN
|
|
||||||
MATCH opcode qname
|
|
||||||
ADJUST copy_id copy_query
|
|
||||||
REPLY QR AA NOERROR
|
|
||||||
SECTION QUESTION
|
|
||||||
www.example.com. IN A
|
|
||||||
SECTION ANSWER
|
|
||||||
www.example.com. 3600 IN A 10.20.30.40
|
|
||||||
SECTION AUTHORITY
|
|
||||||
example.com. 3600 IN NS ns.example.com.
|
|
||||||
SECTION ADDITIONAL
|
|
||||||
ns.example.com. 3600 IN A 1.2.3.4
|
|
||||||
ENTRY_END
|
|
||||||
|
|
||||||
; nxdomains for any name,type
|
|
||||||
; last in RANGE so that it matches everything left over.
|
|
||||||
; it includes the NS record.
|
|
||||||
ENTRY_BEGIN
|
|
||||||
MATCH opcode
|
|
||||||
ADJUST copy_id copy_query
|
|
||||||
REPLY QR AA NXDOMAIN
|
|
||||||
SECTION QUESTION
|
|
||||||
www.example.com. IN A
|
|
||||||
SECTION ANSWER
|
|
||||||
SECTION AUTHORITY
|
|
||||||
example.com. 3600 IN SOA a. b. 1 2 3 4 5
|
|
||||||
example.com. 3600 IN NS ns.example.com.
|
|
||||||
SECTION ADDITIONAL
|
|
||||||
ns.example.com. 3600 IN A 1.2.3.4
|
|
||||||
ENTRY_END
|
|
||||||
RANGE_END
|
|
||||||
|
|
||||||
; ns.example.com. new owner
|
|
||||||
RANGE_BEGIN 0 200
|
|
||||||
ADDRESS 8.8.8.8
|
|
||||||
ENTRY_BEGIN
|
|
||||||
MATCH opcode qtype qname
|
|
||||||
ADJUST copy_id
|
|
||||||
REPLY QR AA NOERROR
|
|
||||||
SECTION QUESTION
|
|
||||||
example.com. IN NS
|
|
||||||
SECTION ANSWER
|
|
||||||
example.com. IN NS ns.example.com.
|
|
||||||
SECTION ADDITIONAL
|
|
||||||
ns.example.com. IN A 8.8.8.8
|
|
||||||
ENTRY_END
|
|
||||||
|
|
||||||
ENTRY_BEGIN
|
|
||||||
MATCH opcode qtype qname
|
|
||||||
ADJUST copy_id
|
|
||||||
REPLY QR AA NOERROR
|
|
||||||
SECTION QUESTION
|
|
||||||
www.example.com. IN A
|
|
||||||
SECTION ANSWER
|
|
||||||
www.example.com. 3600 IN A 88.88.88.88
|
|
||||||
SECTION AUTHORITY
|
|
||||||
example.com. 3600 IN NS ns.example.com.
|
|
||||||
SECTION ADDITIONAL
|
|
||||||
ns.example.com. 3600 IN A 8.8.8.8
|
|
||||||
ENTRY_END
|
|
||||||
RANGE_END
|
|
||||||
|
|
||||||
; Fetch the old record from the old owner.
|
|
||||||
STEP 1 QUERY
|
|
||||||
ENTRY_BEGIN
|
|
||||||
REPLY RD
|
|
||||||
SECTION QUESTION
|
|
||||||
www.example.com. IN A
|
|
||||||
ENTRY_END
|
|
||||||
; recursion happens here.
|
|
||||||
STEP 5 CHECK_ANSWER
|
|
||||||
ENTRY_BEGIN
|
|
||||||
MATCH all ttl
|
|
||||||
REPLY QR RD RA NOERROR
|
|
||||||
SECTION QUESTION
|
|
||||||
www.example.com. IN A
|
|
||||||
SECTION ANSWER
|
|
||||||
www.example.com. 3600 IN A 10.20.30.40
|
|
||||||
SECTION AUTHORITY
|
|
||||||
example.com. 3600 IN NS ns.example.com.
|
|
||||||
SECTION ADDITIONAL
|
|
||||||
ns.example.com. 3600 IN A 1.2.3.4
|
|
||||||
ENTRY_END
|
|
||||||
|
|
||||||
; the domain is sold (right at this time).
|
|
||||||
; but the information stays in the cache.
|
|
||||||
|
|
||||||
; after 1800 secs still the cached answer
|
|
||||||
STEP 20 TIME_PASSES ELAPSE 1800
|
|
||||||
|
|
||||||
STEP 30 QUERY
|
|
||||||
ENTRY_BEGIN
|
|
||||||
REPLY RD
|
|
||||||
SECTION QUESTION
|
|
||||||
www.example.com. IN A
|
|
||||||
ENTRY_END
|
|
||||||
; recursion happens here.
|
|
||||||
STEP 40 CHECK_ANSWER
|
|
||||||
ENTRY_BEGIN
|
|
||||||
MATCH all ttl
|
|
||||||
REPLY QR RD RA NOERROR
|
|
||||||
SECTION QUESTION
|
|
||||||
www.example.com. IN A
|
|
||||||
SECTION ANSWER
|
|
||||||
www.example.com. 1800 IN A 10.20.30.40
|
|
||||||
SECTION AUTHORITY
|
|
||||||
example.com. 1800 IN NS ns.example.com.
|
|
||||||
SECTION ADDITIONAL
|
|
||||||
ns.example.com. 1800 IN A 1.2.3.4
|
|
||||||
ENTRY_END
|
|
||||||
|
|
||||||
; and ask another query
|
|
||||||
STEP 50 QUERY
|
|
||||||
ENTRY_BEGIN
|
|
||||||
REPLY RD
|
|
||||||
SECTION QUESTION
|
|
||||||
nx1.example.com. IN A
|
|
||||||
ENTRY_END
|
|
||||||
; recursion happens here.
|
|
||||||
STEP 60 CHECK_ANSWER
|
|
||||||
ENTRY_BEGIN
|
|
||||||
MATCH all ttl
|
|
||||||
REPLY QR RD RA NXDOMAIN
|
|
||||||
SECTION QUESTION
|
|
||||||
nx1.example.com. IN A
|
|
||||||
SECTION ANSWER
|
|
||||||
SECTION AUTHORITY
|
|
||||||
; at TTL 5 because TTL is capped at min-ttl of 5 in rdata of SOA
|
|
||||||
example.com. 5 IN SOA a. b. 1 2 3 4 5
|
|
||||||
example.com. 1800 IN NS ns.example.com.
|
|
||||||
SECTION ADDITIONAL
|
|
||||||
ns.example.com. 1800 IN A 1.2.3.4
|
|
||||||
ENTRY_END
|
|
||||||
|
|
||||||
; after another 1900 seconds the domain must have timed out.
|
|
||||||
STEP 70 TIME_PASSES ELAPSE 1900
|
|
||||||
|
|
||||||
; the NS record should have timed out.
|
|
||||||
STEP 80 QUERY
|
|
||||||
ENTRY_BEGIN
|
|
||||||
REPLY RD
|
|
||||||
SECTION QUESTION
|
|
||||||
www.example.com. IN A
|
|
||||||
ENTRY_END
|
|
||||||
; recursion happens here.
|
|
||||||
STEP 90 CHECK_ANSWER
|
|
||||||
ENTRY_BEGIN
|
|
||||||
MATCH all ttl
|
|
||||||
REPLY QR RD RA NOERROR
|
|
||||||
SECTION QUESTION
|
|
||||||
www.example.com. IN A
|
|
||||||
SECTION ANSWER
|
|
||||||
www.example.com. 3600 IN A 88.88.88.88
|
|
||||||
SECTION AUTHORITY
|
|
||||||
example.com. 3600 IN NS ns.example.com.
|
|
||||||
SECTION ADDITIONAL
|
|
||||||
ns.example.com. 3600 IN A 8.8.8.8
|
|
||||||
ENTRY_END
|
|
||||||
|
|
||||||
SCENARIO_END
|
|
|
@ -1,342 +0,0 @@
|
||||||
; config options
|
|
||||||
server:
|
|
||||||
target-fetch-policy: "0 0 0 0 0"
|
|
||||||
|
|
||||||
stub-zone:
|
|
||||||
name: "."
|
|
||||||
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
|
|
||||||
CONFIG_END
|
|
||||||
|
|
||||||
SCENARIO_BEGIN Test resolver with a domain sale and NS changes
|
|
||||||
; and the old operator is nasty, keeps running his server with the old data.
|
|
||||||
; and lots of lookups keep going towards the domain.
|
|
||||||
; and the old server is changing the NS record of the old domain.
|
|
||||||
|
|
||||||
; K.ROOT-SERVERS.NET.
|
|
||||||
RANGE_BEGIN 0 100
|
|
||||||
ADDRESS 193.0.14.129
|
|
||||||
ENTRY_BEGIN
|
|
||||||
MATCH opcode qtype qname
|
|
||||||
ADJUST copy_id
|
|
||||||
REPLY QR NOERROR
|
|
||||||
SECTION QUESTION
|
|
||||||
. IN NS
|
|
||||||
SECTION ANSWER
|
|
||||||
. IN NS K.ROOT-SERVERS.NET.
|
|
||||||
SECTION ADDITIONAL
|
|
||||||
K.ROOT-SERVERS.NET. IN A 193.0.14.129
|
|
||||||
ENTRY_END
|
|
||||||
|
|
||||||
ENTRY_BEGIN
|
|
||||||
MATCH opcode subdomain
|
|
||||||
ADJUST copy_id copy_query
|
|
||||||
REPLY QR NOERROR
|
|
||||||
SECTION QUESTION
|
|
||||||
com. IN A
|
|
||||||
SECTION AUTHORITY
|
|
||||||
com. IN NS a.gtld-servers.net.
|
|
||||||
SECTION ADDITIONAL
|
|
||||||
a.gtld-servers.net. IN A 192.5.6.30
|
|
||||||
ENTRY_END
|
|
||||||
RANGE_END
|
|
||||||
|
|
||||||
; a.gtld-servers.net. (before sale of domain)
|
|
||||||
RANGE_BEGIN 0 20
|
|
||||||
ADDRESS 192.5.6.30
|
|
||||||
ENTRY_BEGIN
|
|
||||||
MATCH opcode qtype qname
|
|
||||||
ADJUST copy_id
|
|
||||||
REPLY QR NOERROR
|
|
||||||
SECTION QUESTION
|
|
||||||
com. IN NS
|
|
||||||
SECTION ANSWER
|
|
||||||
com. IN NS a.gtld-servers.net.
|
|
||||||
SECTION ADDITIONAL
|
|
||||||
a.gtld-servers.net. IN A 192.5.6.30
|
|
||||||
ENTRY_END
|
|
||||||
|
|
||||||
ENTRY_BEGIN
|
|
||||||
MATCH opcode subdomain
|
|
||||||
ADJUST copy_id copy_query
|
|
||||||
REPLY QR NOERROR
|
|
||||||
SECTION QUESTION
|
|
||||||
example.com. IN A
|
|
||||||
SECTION AUTHORITY
|
|
||||||
example.com. IN NS ns.example.com.
|
|
||||||
SECTION ADDITIONAL
|
|
||||||
ns.example.com. IN A 1.2.3.4
|
|
||||||
ENTRY_END
|
|
||||||
RANGE_END
|
|
||||||
|
|
||||||
; a.gtld-servers.net. (after sale of domain)
|
|
||||||
RANGE_BEGIN 30 200
|
|
||||||
ADDRESS 192.5.6.30
|
|
||||||
ENTRY_BEGIN
|
|
||||||
MATCH opcode qtype qname
|
|
||||||
ADJUST copy_id
|
|
||||||
REPLY QR NOERROR
|
|
||||||
SECTION QUESTION
|
|
||||||
com. IN NS
|
|
||||||
SECTION ANSWER
|
|
||||||
com. IN NS a.gtld-servers.net.
|
|
||||||
SECTION ADDITIONAL
|
|
||||||
a.gtld-servers.net. IN A 192.5.6.30
|
|
||||||
ENTRY_END
|
|
||||||
|
|
||||||
ENTRY_BEGIN
|
|
||||||
MATCH opcode subdomain
|
|
||||||
ADJUST copy_id copy_query
|
|
||||||
REPLY QR NOERROR
|
|
||||||
SECTION QUESTION
|
|
||||||
example.com. IN A
|
|
||||||
SECTION AUTHORITY
|
|
||||||
example.com. IN NS ns.example.com.
|
|
||||||
SECTION ADDITIONAL
|
|
||||||
ns.example.com. IN A 8.8.8.8
|
|
||||||
ENTRY_END
|
|
||||||
RANGE_END
|
|
||||||
|
|
||||||
; ns.example.com. first owner
|
|
||||||
RANGE_BEGIN 0 30
|
|
||||||
ADDRESS 1.2.3.4
|
|
||||||
ENTRY_BEGIN
|
|
||||||
MATCH opcode qtype qname
|
|
||||||
ADJUST copy_id
|
|
||||||
REPLY QR AA NOERROR
|
|
||||||
SECTION QUESTION
|
|
||||||
example.com. IN NS
|
|
||||||
SECTION ANSWER
|
|
||||||
example.com. IN NS ns.example.com.
|
|
||||||
SECTION ADDITIONAL
|
|
||||||
ns.example.com. IN A 1.2.3.4
|
|
||||||
ENTRY_END
|
|
||||||
|
|
||||||
ENTRY_BEGIN
|
|
||||||
MATCH opcode qname
|
|
||||||
ADJUST copy_id copy_query
|
|
||||||
REPLY QR AA NOERROR
|
|
||||||
SECTION QUESTION
|
|
||||||
www.example.com. IN A
|
|
||||||
SECTION ANSWER
|
|
||||||
www.example.com. 3600 IN A 10.20.30.40
|
|
||||||
SECTION AUTHORITY
|
|
||||||
example.com. 3600 IN NS ns.example.com.
|
|
||||||
SECTION ADDITIONAL
|
|
||||||
ns.example.com. 3600 IN A 1.2.3.4
|
|
||||||
ENTRY_END
|
|
||||||
|
|
||||||
; nxdomains for any name,type
|
|
||||||
; last in RANGE so that it matches everything left over.
|
|
||||||
; it includes the NS record.
|
|
||||||
ENTRY_BEGIN
|
|
||||||
MATCH opcode
|
|
||||||
ADJUST copy_id copy_query
|
|
||||||
REPLY QR AA NXDOMAIN
|
|
||||||
SECTION QUESTION
|
|
||||||
www.example.com. IN A
|
|
||||||
SECTION ANSWER
|
|
||||||
SECTION AUTHORITY
|
|
||||||
example.com. 3600 IN SOA a. b. 1 2 3 4 5
|
|
||||||
example.com. 3600 IN NS ns.example.com.
|
|
||||||
SECTION ADDITIONAL
|
|
||||||
ns.example.com. 3600 IN A 1.2.3.4
|
|
||||||
ENTRY_END
|
|
||||||
RANGE_END
|
|
||||||
|
|
||||||
; ns.example.com. first owner, NS changed
|
|
||||||
RANGE_BEGIN 40 200
|
|
||||||
ADDRESS 1.2.3.4
|
|
||||||
ENTRY_BEGIN
|
|
||||||
MATCH opcode qtype qname
|
|
||||||
ADJUST copy_id
|
|
||||||
REPLY QR AA NOERROR
|
|
||||||
SECTION QUESTION
|
|
||||||
example.com. IN NS
|
|
||||||
SECTION ANSWER
|
|
||||||
example.com. IN NS nsb.example.com.
|
|
||||||
SECTION ADDITIONAL
|
|
||||||
nsb.example.com. IN A 1.2.3.4
|
|
||||||
ENTRY_END
|
|
||||||
|
|
||||||
ENTRY_BEGIN
|
|
||||||
MATCH opcode qname
|
|
||||||
ADJUST copy_id copy_query
|
|
||||||
REPLY QR AA NOERROR
|
|
||||||
SECTION QUESTION
|
|
||||||
www.example.com. IN A
|
|
||||||
SECTION ANSWER
|
|
||||||
www.example.com. 3600 IN A 10.20.30.40
|
|
||||||
SECTION AUTHORITY
|
|
||||||
example.com. 3600 IN NS nsb.example.com.
|
|
||||||
SECTION ADDITIONAL
|
|
||||||
nsb.example.com. 3600 IN A 1.2.3.4
|
|
||||||
ENTRY_END
|
|
||||||
|
|
||||||
; nxdomains for any name,type
|
|
||||||
; last in RANGE so that it matches everything left over.
|
|
||||||
; it includes the NS record.
|
|
||||||
ENTRY_BEGIN
|
|
||||||
MATCH opcode
|
|
||||||
ADJUST copy_id copy_query
|
|
||||||
REPLY QR AA NXDOMAIN
|
|
||||||
SECTION QUESTION
|
|
||||||
www.example.com. IN A
|
|
||||||
SECTION ANSWER
|
|
||||||
SECTION AUTHORITY
|
|
||||||
example.com. 3600 IN SOA a. b. 1 2 3 4 5
|
|
||||||
example.com. 3600 IN NS nsb.example.com.
|
|
||||||
SECTION ADDITIONAL
|
|
||||||
nsb.example.com. 3600 IN A 1.2.3.4
|
|
||||||
ENTRY_END
|
|
||||||
RANGE_END
|
|
||||||
|
|
||||||
; ns.example.com. new owner
|
|
||||||
RANGE_BEGIN 0 200
|
|
||||||
ADDRESS 8.8.8.8
|
|
||||||
ENTRY_BEGIN
|
|
||||||
MATCH opcode qtype qname
|
|
||||||
ADJUST copy_id
|
|
||||||
REPLY QR AA NOERROR
|
|
||||||
SECTION QUESTION
|
|
||||||
example.com. IN NS
|
|
||||||
SECTION ANSWER
|
|
||||||
example.com. IN NS ns.example.com.
|
|
||||||
SECTION ADDITIONAL
|
|
||||||
ns.example.com. IN A 8.8.8.8
|
|
||||||
ENTRY_END
|
|
||||||
|
|
||||||
ENTRY_BEGIN
|
|
||||||
MATCH opcode qtype qname
|
|
||||||
ADJUST copy_id
|
|
||||||
REPLY QR AA NOERROR
|
|
||||||
SECTION QUESTION
|
|
||||||
www.example.com. IN A
|
|
||||||
SECTION ANSWER
|
|
||||||
www.example.com. 3600 IN A 88.88.88.88
|
|
||||||
SECTION AUTHORITY
|
|
||||||
example.com. 3600 IN NS ns.example.com.
|
|
||||||
SECTION ADDITIONAL
|
|
||||||
ns.example.com. 3600 IN A 8.8.8.8
|
|
||||||
ENTRY_END
|
|
||||||
RANGE_END
|
|
||||||
|
|
||||||
; Fetch the old record from the old owner.
|
|
||||||
STEP 1 QUERY
|
|
||||||
ENTRY_BEGIN
|
|
||||||
REPLY RD
|
|
||||||
SECTION QUESTION
|
|
||||||
www.example.com. IN A
|
|
||||||
ENTRY_END
|
|
||||||
; recursion happens here.
|
|
||||||
STEP 5 CHECK_ANSWER
|
|
||||||
ENTRY_BEGIN
|
|
||||||
MATCH all ttl
|
|
||||||
REPLY QR RD RA NOERROR
|
|
||||||
SECTION QUESTION
|
|
||||||
www.example.com. IN A
|
|
||||||
SECTION ANSWER
|
|
||||||
www.example.com. 3600 IN A 10.20.30.40
|
|
||||||
SECTION AUTHORITY
|
|
||||||
example.com. 3600 IN NS ns.example.com.
|
|
||||||
SECTION ADDITIONAL
|
|
||||||
ns.example.com. 3600 IN A 1.2.3.4
|
|
||||||
ENTRY_END
|
|
||||||
|
|
||||||
; the domain is sold (right at this time).
|
|
||||||
; but the information stays in the cache.
|
|
||||||
|
|
||||||
; after 1800 secs still the cached answer
|
|
||||||
STEP 20 TIME_PASSES ELAPSE 1800
|
|
||||||
|
|
||||||
STEP 30 QUERY
|
|
||||||
ENTRY_BEGIN
|
|
||||||
REPLY RD
|
|
||||||
SECTION QUESTION
|
|
||||||
www.example.com. IN A
|
|
||||||
ENTRY_END
|
|
||||||
; recursion happens here.
|
|
||||||
STEP 40 CHECK_ANSWER
|
|
||||||
ENTRY_BEGIN
|
|
||||||
MATCH all ttl
|
|
||||||
REPLY QR RD RA NOERROR
|
|
||||||
SECTION QUESTION
|
|
||||||
www.example.com. IN A
|
|
||||||
SECTION ANSWER
|
|
||||||
www.example.com. 1800 IN A 10.20.30.40
|
|
||||||
SECTION AUTHORITY
|
|
||||||
example.com. 1800 IN NS ns.example.com.
|
|
||||||
SECTION ADDITIONAL
|
|
||||||
ns.example.com. 1800 IN A 1.2.3.4
|
|
||||||
ENTRY_END
|
|
||||||
|
|
||||||
; and ask another query
|
|
||||||
STEP 50 QUERY
|
|
||||||
ENTRY_BEGIN
|
|
||||||
REPLY RD
|
|
||||||
SECTION QUESTION
|
|
||||||
nx1.example.com. IN A
|
|
||||||
ENTRY_END
|
|
||||||
; recursion happens here.
|
|
||||||
STEP 60 CHECK_ANSWER
|
|
||||||
ENTRY_BEGIN
|
|
||||||
MATCH all ttl
|
|
||||||
REPLY QR RD RA NXDOMAIN
|
|
||||||
SECTION QUESTION
|
|
||||||
nx1.example.com. IN A
|
|
||||||
SECTION ANSWER
|
|
||||||
SECTION AUTHORITY
|
|
||||||
; at TTL 5 because TTL capped at ttl of minttl in rdata of SOA.
|
|
||||||
example.com. 5 IN SOA a. b. 1 2 3 4 5
|
|
||||||
example.com. 3600 IN NS nsb.example.com.
|
|
||||||
SECTION ADDITIONAL
|
|
||||||
nsb.example.com. 3600 IN A 1.2.3.4
|
|
||||||
ENTRY_END
|
|
||||||
|
|
||||||
STEP 62 QUERY
|
|
||||||
ENTRY_BEGIN
|
|
||||||
REPLY RD
|
|
||||||
SECTION QUESTION
|
|
||||||
nx1.example.com. IN A
|
|
||||||
ENTRY_END
|
|
||||||
; recursion happens here.
|
|
||||||
STEP 63 CHECK_ANSWER
|
|
||||||
ENTRY_BEGIN
|
|
||||||
MATCH all ttl
|
|
||||||
REPLY QR RD RA NXDOMAIN
|
|
||||||
SECTION QUESTION
|
|
||||||
nx1.example.com. IN A
|
|
||||||
SECTION ANSWER
|
|
||||||
SECTION AUTHORITY
|
|
||||||
; at TTL 5 because TTL capped at ttl of minttl in rdata of SOA.
|
|
||||||
example.com. 5 IN SOA a. b. 1 2 3 4 5
|
|
||||||
example.com. 1800 IN NS nsb.example.com.
|
|
||||||
SECTION ADDITIONAL
|
|
||||||
nsb.example.com. 3600 IN A 1.2.3.4
|
|
||||||
ENTRY_END
|
|
||||||
|
|
||||||
; after another 1900 seconds the domain must have timed out.
|
|
||||||
STEP 70 TIME_PASSES ELAPSE 1900
|
|
||||||
|
|
||||||
; the NS record should have timed out.
|
|
||||||
STEP 80 QUERY
|
|
||||||
ENTRY_BEGIN
|
|
||||||
REPLY RD
|
|
||||||
SECTION QUESTION
|
|
||||||
www.example.com. IN A
|
|
||||||
ENTRY_END
|
|
||||||
; recursion happens here.
|
|
||||||
STEP 90 CHECK_ANSWER
|
|
||||||
ENTRY_BEGIN
|
|
||||||
MATCH all ttl
|
|
||||||
REPLY QR RD RA NOERROR
|
|
||||||
SECTION QUESTION
|
|
||||||
www.example.com. IN A
|
|
||||||
SECTION ANSWER
|
|
||||||
www.example.com. 3600 IN A 88.88.88.88
|
|
||||||
SECTION AUTHORITY
|
|
||||||
example.com. 3600 IN NS ns.example.com.
|
|
||||||
SECTION ADDITIONAL
|
|
||||||
ns.example.com. 3600 IN A 8.8.8.8
|
|
||||||
ENTRY_END
|
|
||||||
|
|
||||||
SCENARIO_END
|
|
Binary file not shown.
|
@ -1,151 +0,0 @@
|
||||||
; config options
|
|
||||||
; The island of trust is at example.com
|
|
||||||
server:
|
|
||||||
trust-anchor: "example.com. 3600 IN DS 2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
|
|
||||||
val-override-date: "20070916134226"
|
|
||||||
target-fetch-policy: "0 0 0 0 0"
|
|
||||||
|
|
||||||
stub-zone:
|
|
||||||
name: "."
|
|
||||||
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
|
|
||||||
CONFIG_END
|
|
||||||
|
|
||||||
SCENARIO_BEGIN Test validator with spurious unsigned NS in auth section
|
|
||||||
|
|
||||||
; K.ROOT-SERVERS.NET.
|
|
||||||
RANGE_BEGIN 0 100
|
|
||||||
ADDRESS 193.0.14.129
|
|
||||||
ENTRY_BEGIN
|
|
||||||
MATCH opcode qtype qname
|
|
||||||
ADJUST copy_id
|
|
||||||
REPLY QR NOERROR
|
|
||||||
SECTION QUESTION
|
|
||||||
. IN NS
|
|
||||||
SECTION ANSWER
|
|
||||||
. IN NS K.ROOT-SERVERS.NET.
|
|
||||||
SECTION ADDITIONAL
|
|
||||||
K.ROOT-SERVERS.NET. IN A 193.0.14.129
|
|
||||||
ENTRY_END
|
|
||||||
|
|
||||||
ENTRY_BEGIN
|
|
||||||
MATCH opcode qtype qname
|
|
||||||
ADJUST copy_id
|
|
||||||
REPLY QR NOERROR
|
|
||||||
SECTION QUESTION
|
|
||||||
www.example.com. IN A
|
|
||||||
SECTION AUTHORITY
|
|
||||||
com. IN NS a.gtld-servers.net.
|
|
||||||
SECTION ADDITIONAL
|
|
||||||
a.gtld-servers.net. IN A 192.5.6.30
|
|
||||||
ENTRY_END
|
|
||||||
RANGE_END
|
|
||||||
|
|
||||||
; a.gtld-servers.net.
|
|
||||||
RANGE_BEGIN 0 100
|
|
||||||
ADDRESS 192.5.6.30
|
|
||||||
ENTRY_BEGIN
|
|
||||||
MATCH opcode qtype qname
|
|
||||||
ADJUST copy_id
|
|
||||||
REPLY QR NOERROR
|
|
||||||
SECTION QUESTION
|
|
||||||
com. IN NS
|
|
||||||
SECTION ANSWER
|
|
||||||
com. IN NS a.gtld-servers.net.
|
|
||||||
SECTION ADDITIONAL
|
|
||||||
a.gtld-servers.net. IN A 192.5.6.30
|
|
||||||
ENTRY_END
|
|
||||||
|
|
||||||
ENTRY_BEGIN
|
|
||||||
MATCH opcode qtype qname
|
|
||||||
ADJUST copy_id
|
|
||||||
REPLY QR NOERROR
|
|
||||||
SECTION QUESTION
|
|
||||||
www.example.com. IN A
|
|
||||||
SECTION AUTHORITY
|
|
||||||
example.com. IN NS ns.example.com.
|
|
||||||
SECTION ADDITIONAL
|
|
||||||
ns.example.com. IN A 1.2.3.4
|
|
||||||
ENTRY_END
|
|
||||||
RANGE_END
|
|
||||||
|
|
||||||
; ns.example.com.
|
|
||||||
RANGE_BEGIN 0 100
|
|
||||||
ADDRESS 1.2.3.4
|
|
||||||
ENTRY_BEGIN
|
|
||||||
MATCH opcode qtype qname
|
|
||||||
ADJUST copy_id
|
|
||||||
REPLY QR NOERROR
|
|
||||||
SECTION QUESTION
|
|
||||||
example.com. IN NS
|
|
||||||
SECTION ANSWER
|
|
||||||
example.com. IN NS ns.example.com.
|
|
||||||
example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
|
|
||||||
SECTION ADDITIONAL
|
|
||||||
ns.example.com. IN A 1.2.3.4
|
|
||||||
ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
|
|
||||||
ENTRY_END
|
|
||||||
|
|
||||||
; response to DNSKEY priming query
|
|
||||||
ENTRY_BEGIN
|
|
||||||
MATCH opcode qtype qname
|
|
||||||
ADJUST copy_id
|
|
||||||
REPLY QR NOERROR
|
|
||||||
SECTION QUESTION
|
|
||||||
example.com. IN DNSKEY
|
|
||||||
SECTION ANSWER
|
|
||||||
example.com. 3600 IN DNSKEY 256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}
|
|
||||||
example.com. 3600 IN RRSIG DNSKEY 3 2 3600 20070926134802 20070829134802 2854 example.com. MCwCFG1yhRNtTEa3Eno2zhVVuy2EJX3wAhQeLyUp6+UXcpC5qGNu9tkrTEgPUg== ;{id = 2854}
|
|
||||||
SECTION AUTHORITY
|
|
||||||
example.com. IN NS ns.example.com.
|
|
||||||
example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
|
|
||||||
SECTION ADDITIONAL
|
|
||||||
ns.example.com. IN A 1.2.3.4
|
|
||||||
ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
|
|
||||||
ENTRY_END
|
|
||||||
|
|
||||||
; response to query of interest
|
|
||||||
ENTRY_BEGIN
|
|
||||||
MATCH opcode qtype qname
|
|
||||||
ADJUST copy_id
|
|
||||||
REPLY QR NOERROR
|
|
||||||
SECTION QUESTION
|
|
||||||
www.example.com. IN A
|
|
||||||
SECTION ANSWER
|
|
||||||
www.example.com. IN A 10.20.30.40
|
|
||||||
ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCQMyTjn7WWwpwAR1LlVeLpRgZGuQIUCcJDEkwAuzytTDRlYK7nIMwH1CM= ;{id = 2854}
|
|
||||||
SECTION AUTHORITY
|
|
||||||
example.com. IN NS ns.example.com.
|
|
||||||
;example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
|
|
||||||
SECTION ADDITIONAL
|
|
||||||
ns.example.com. IN A 1.2.3.4
|
|
||||||
www.example.com. 3600 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFC99iE9K5y2WNgI0gFvBWaTi9wm6AhUAoUqOpDtG5Zct+Qr9F3mSdnbc6V4= ;{id = 2854}
|
|
||||||
ENTRY_END
|
|
||||||
RANGE_END
|
|
||||||
|
|
||||||
STEP 1 QUERY
|
|
||||||
ENTRY_BEGIN
|
|
||||||
REPLY RD DO
|
|
||||||
SECTION QUESTION
|
|
||||||
www.example.com. IN A
|
|
||||||
ENTRY_END
|
|
||||||
|
|
||||||
; recursion happens here.
|
|
||||||
STEP 10 CHECK_ANSWER
|
|
||||||
ENTRY_BEGIN
|
|
||||||
MATCH all
|
|
||||||
REPLY QR RD RA AD DO NOERROR
|
|
||||||
SECTION QUESTION
|
|
||||||
www.example.com. IN A
|
|
||||||
SECTION ANSWER
|
|
||||||
www.example.com. IN A 10.20.30.40
|
|
||||||
www.example.com. 3600 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFC99iE9K5y2WNgI0gFvBWaTi9wm6AhUAoUqOpDtG5Zct+Qr9F3mSdnbc6V4= ;{id = 2854}
|
|
||||||
SECTION AUTHORITY
|
|
||||||
; removed by spurious NS record removal code
|
|
||||||
;;example.com. IN NS ns.example.com.
|
|
||||||
;;example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
|
|
||||||
SECTION ADDITIONAL
|
|
||||||
ns.example.com. IN A 1.2.3.4
|
|
||||||
ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCQMyTjn7WWwpwAR1LlVeLpRgZGuQIUCcJDEkwAuzytTDRlYK7nIMwH1CM= ;{id = 2854}
|
|
||||||
ENTRY_END
|
|
||||||
|
|
||||||
SCENARIO_END
|
|
|
@ -1,182 +0,0 @@
|
||||||
; config options
|
|
||||||
; The island of trust is at example.com
|
|
||||||
server:
|
|
||||||
trust-anchor: "example.com. 3600 IN DNSKEY 256 3 3 ALXLUsWqUrY3JYER3T4TBJIIs70j+sDS/UT2QRp61SE7S3EEXopNXoFE73JLRmvpi/UrOO/Vz4Se6wXv/CYCKjGw06U4WRgRYXcpEhJROyNapmdIKSxhOzfLVE1gqA0PweZR8dtY3aNQSRn3sPpwJr6Mi/PqQKAMMrZ9ckJpf1+bQMOOvxgzz2U1GS18b3yZKcgTMEaJzd/GZYzi/BN2DzQ0MsrSwYXfsNLFOBbs8PJMW4LYIxeeOe6rUgkWOF7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}"
|
|
||||||
trust-anchor: "example.com. 3600 IN DS 30899 5 1 d4bf9d2e10f6d76840d42ef5913022abcd0bf512"
|
|
||||||
val-override-date: "20070916134226"
|
|
||||||
target-fetch-policy: "0 0 0 0 0"
|
|
||||||
harden-algo-downgrade: no
|
|
||||||
|
|
||||||
stub-zone:
|
|
||||||
name: "."
|
|
||||||
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
|
|
||||||
CONFIG_END
|
|
||||||
|
|
||||||
SCENARIO_BEGIN Test validator with multiple algorithm trust anchor without harden
|
|
||||||
|
|
||||||
; K.ROOT-SERVERS.NET.
|
|
||||||
RANGE_BEGIN 0 100
|
|
||||||
ADDRESS 193.0.14.129
|
|
||||||
ENTRY_BEGIN
|
|
||||||
MATCH opcode qtype qname
|
|
||||||
ADJUST copy_id
|
|
||||||
REPLY QR NOERROR
|
|
||||||
SECTION QUESTION
|
|
||||||
. IN NS
|
|
||||||
SECTION ANSWER
|
|
||||||
. IN NS K.ROOT-SERVERS.NET.
|
|
||||||
SECTION ADDITIONAL
|
|
||||||
K.ROOT-SERVERS.NET. IN A 193.0.14.129
|
|
||||||
ENTRY_END
|
|
||||||
|
|
||||||
ENTRY_BEGIN
|
|
||||||
MATCH opcode qtype qname
|
|
||||||
ADJUST copy_id
|
|
||||||
REPLY QR NOERROR
|
|
||||||
SECTION QUESTION
|
|
||||||
www.example.com. IN A
|
|
||||||
SECTION AUTHORITY
|
|
||||||
com. IN NS a.gtld-servers.net.
|
|
||||||
SECTION ADDITIONAL
|
|
||||||
a.gtld-servers.net. IN A 192.5.6.30
|
|
||||||
ENTRY_END
|
|
||||||
RANGE_END
|
|
||||||
|
|
||||||
; a.gtld-servers.net.
|
|
||||||
RANGE_BEGIN 0 100
|
|
||||||
ADDRESS 192.5.6.30
|
|
||||||
ENTRY_BEGIN
|
|
||||||
MATCH opcode qtype qname
|
|
||||||
ADJUST copy_id
|
|
||||||
REPLY QR NOERROR
|
|
||||||
SECTION QUESTION
|
|
||||||
com. IN NS
|
|
||||||
SECTION ANSWER
|
|
||||||
com. IN NS a.gtld-servers.net.
|
|
||||||
SECTION ADDITIONAL
|
|
||||||
a.gtld-servers.net. IN A 192.5.6.30
|
|
||||||
ENTRY_END
|
|
||||||
|
|
||||||
ENTRY_BEGIN
|
|
||||||
MATCH opcode qtype qname
|
|
||||||
ADJUST copy_id
|
|
||||||
REPLY QR NOERROR
|
|
||||||
SECTION QUESTION
|
|
||||||
www.example.com. IN A
|
|
||||||
SECTION AUTHORITY
|
|
||||||
example.com. IN NS ns.example.com.
|
|
||||||
SECTION ADDITIONAL
|
|
||||||
ns.example.com. IN A 1.2.3.4
|
|
||||||
ENTRY_END
|
|
||||||
RANGE_END
|
|
||||||
|
|
||||||
; ns.example.com.
|
|
||||||
RANGE_BEGIN 0 100
|
|
||||||
ADDRESS 1.2.3.4
|
|
||||||
ENTRY_BEGIN
|
|
||||||
MATCH opcode qtype qname
|
|
||||||
ADJUST copy_id
|
|
||||||
REPLY QR NOERROR
|
|
||||||
SECTION QUESTION
|
|
||||||
example.com. IN NS
|
|
||||||
SECTION ANSWER
|
|
||||||
example.com. IN NS ns.example.com.
|
|
||||||
example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
|
|
||||||
example.com. 3600 IN RRSIG NS 5 2 3600 20070926134150 20070829134150 30899 example.com. YTqtYba73HIOQuPr5oDyIX9pfmz1ybEBjwlD/jUgcPmFINUOZ9FeqG6ywgRKwn4AizkKTK00p1sxZYMKxl91wg== ;{id = 30899}
|
|
||||||
SECTION ADDITIONAL
|
|
||||||
ns.example.com. IN A 1.2.3.4
|
|
||||||
ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
|
|
||||||
ns.example.com. 3600 IN RRSIG A 5 3 3600 20070926134150 20070829134150 30899 example.com. Dn1ziMKrc3NdJkSv8g61Y9WNk3+BAuwCwnYzAZiHmkejkSCPViLJN7+f4Conp9l8LkTl50ZnLgoYrrUYNhMj6w== ;{id = 30899}
|
|
||||||
ENTRY_END
|
|
||||||
|
|
||||||
ENTRY_BEGIN
|
|
||||||
MATCH opcode qtype qname
|
|
||||||
ADJUST copy_id
|
|
||||||
REPLY QR AA NOERROR
|
|
||||||
SECTION QUESTION
|
|
||||||
ns.example.com. IN AAAA
|
|
||||||
SECTION ANSWER
|
|
||||||
SECTION AUTHORITY
|
|
||||||
example.com. IN NS ns.example.com.
|
|
||||||
example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
|
|
||||||
example.com. 3600 IN RRSIG NS 5 2 3600 20070926134150 20070829134150 30899 example.com. YTqtYba73HIOQuPr5oDyIX9pfmz1ybEBjwlD/jUgcPmFINUOZ9FeqG6ywgRKwn4AizkKTK00p1sxZYMKxl91wg== ;{id = 30899}
|
|
||||||
SECTION ADDITIONAL
|
|
||||||
ns.example.com. IN A 1.2.3.4
|
|
||||||
ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
|
|
||||||
ns.example.com. 3600 IN RRSIG A 5 3 3600 20070926134150 20070829134150 30899 example.com. Dn1ziMKrc3NdJkSv8g61Y9WNk3+BAuwCwnYzAZiHmkejkSCPViLJN7+f4Conp9l8LkTl50ZnLgoYrrUYNhMj6w== ;{id = 30899}
|
|
||||||
ENTRY_END
|
|
||||||
|
|
||||||
|
|
||||||
; response to DNSKEY priming query
|
|
||||||
ENTRY_BEGIN
|
|
||||||
MATCH opcode qtype qname
|
|
||||||
ADJUST copy_id
|
|
||||||
REPLY QR NOERROR
|
|
||||||
SECTION QUESTION
|
|
||||||
example.com. IN DNSKEY
|
|
||||||
SECTION ANSWER
|
|
||||||
example.com. 3600 IN DNSKEY 256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}
|
|
||||||
example.com. 3600 IN DNSKEY 256 3 3 ALXLUsWqUrY3JYER3T4TBJIIs70j+sDS/UT2QRp61SE7S3EEXopNXoFE73JLRmvpi/UrOO/Vz4Se6wXv/CYCKjGw06U4WRgRYXcpEhJROyNapmdIKSxhOzfLVE1gqA0PweZR8dtY3aNQSRn3sPpwJr6Mi/PqQKAMMrZ9ckJpf1+bQMOOvxgzz2U1GS18b3yZKcgTMEaJzd/GZYzi/BN2DzQ0MsrSwYXfsNLFOBbs8PJMW4LYIxeeOe6rUgkWOF7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 512b}
|
|
||||||
example.com. 3600 IN RRSIG DNSKEY 3 2 3600 20070926134150 20070829134150 2854 example.com. AKIIYDOGHogglFqJK94ZtOnF7EfGikgAyloMNRSMCrQgFaFkmcOyjrc= ;{id = 2854}
|
|
||||||
example.com. 3600 IN RRSIG DNSKEY 5 2 3600 20070926134150 20070829134150 30899 example.com. J55fsz1GGMnngc4r50xvXDUdaVMlfcLKLVsfMhwNLF+ERac5XV/lLRAc/aSER+qQdsSo0CrjYjy1wat7YQpDAA== ;{id = 30899}
|
|
||||||
SECTION AUTHORITY
|
|
||||||
example.com. IN NS ns.example.com.
|
|
||||||
example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
|
|
||||||
example.com. 3600 IN RRSIG NS 5 2 3600 20070926134150 20070829134150 30899 example.com. YTqtYba73HIOQuPr5oDyIX9pfmz1ybEBjwlD/jUgcPmFINUOZ9FeqG6ywgRKwn4AizkKTK00p1sxZYMKxl91wg== ;{id = 30899}
|
|
||||||
SECTION ADDITIONAL
|
|
||||||
ns.example.com. IN A 1.2.3.4
|
|
||||||
ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
|
|
||||||
ns.example.com. 3600 IN RRSIG A 5 3 3600 20070926134150 20070829134150 30899 example.com. Dn1ziMKrc3NdJkSv8g61Y9WNk3+BAuwCwnYzAZiHmkejkSCPViLJN7+f4Conp9l8LkTl50ZnLgoYrrUYNhMj6w== ;{id = 30899}
|
|
||||||
ENTRY_END
|
|
||||||
|
|
||||||
; response to query of interest
|
|
||||||
ENTRY_BEGIN
|
|
||||||
MATCH opcode qtype qname
|
|
||||||
ADJUST copy_id
|
|
||||||
REPLY QR NOERROR
|
|
||||||
SECTION QUESTION
|
|
||||||
www.example.com. IN A
|
|
||||||
SECTION ANSWER
|
|
||||||
www.example.com. IN A 10.20.30.40
|
|
||||||
ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCQMyTjn7WWwpwAR1LlVeLpRgZGuQIUCcJDEkwAuzytTDRlYK7nIMwH1CM= ;{id = 2854}
|
|
||||||
www.example.com. 3600 IN RRSIG A 5 3 3600 20070926134150 20070829134150 30899 example.com. JNWECShNE+nCLQwOXJJ3xpUkh2G+FCh5nk8uYAHIVQRse/BIvCMSlvRrtVyw9RnXvk5RR2bEgN0pRdLWW7ug5Q== ;{id = 30899}
|
|
||||||
SECTION AUTHORITY
|
|
||||||
example.com. IN NS ns.example.com.
|
|
||||||
example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
|
|
||||||
example.com. 3600 IN RRSIG NS 5 2 3600 20070926134150 20070829134150 30899 example.com. YTqtYba73HIOQuPr5oDyIX9pfmz1ybEBjwlD/jUgcPmFINUOZ9FeqG6ywgRKwn4AizkKTK00p1sxZYMKxl91wg== ;{id = 30899}
|
|
||||||
SECTION ADDITIONAL
|
|
||||||
ns.example.com. IN A 1.2.3.4
|
|
||||||
www.example.com. 3600 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFC99iE9K5y2WNgI0gFvBWaTi9wm6AhUAoUqOpDtG5Zct+Qr9F3mSdnbc6V4= ;{id = 2854}
|
|
||||||
ns.example.com. 3600 IN RRSIG A 5 3 3600 20070926134150 20070829134150 30899 example.com. Dn1ziMKrc3NdJkSv8g61Y9WNk3+BAuwCwnYzAZiHmkejkSCPViLJN7+f4Conp9l8LkTl50ZnLgoYrrUYNhMj6w== ;{id = 30899}
|
|
||||||
ENTRY_END
|
|
||||||
RANGE_END
|
|
||||||
|
|
||||||
STEP 1 QUERY
|
|
||||||
ENTRY_BEGIN
|
|
||||||
REPLY RD DO
|
|
||||||
SECTION QUESTION
|
|
||||||
www.example.com. IN A
|
|
||||||
ENTRY_END
|
|
||||||
|
|
||||||
; recursion happens here.
|
|
||||||
STEP 10 CHECK_ANSWER
|
|
||||||
ENTRY_BEGIN
|
|
||||||
MATCH all
|
|
||||||
REPLY QR RD RA AD DO NOERROR
|
|
||||||
SECTION QUESTION
|
|
||||||
www.example.com. IN A
|
|
||||||
SECTION ANSWER
|
|
||||||
www.example.com. IN A 10.20.30.40
|
|
||||||
www.example.com. 3600 IN RRSIG A 5 3 3600 20070926134150 20070829134150 30899 example.com. JNWECShNE+nCLQwOXJJ3xpUkh2G+FCh5nk8uYAHIVQRse/BIvCMSlvRrtVyw9RnXvk5RR2bEgN0pRdLWW7ug5Q== ;{id = 30899}
|
|
||||||
www.example.com. 3600 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFC99iE9K5y2WNgI0gFvBWaTi9wm6AhUAoUqOpDtG5Zct+Qr9F3mSdnbc6V4= ;{id = 2854}
|
|
||||||
SECTION AUTHORITY
|
|
||||||
example.com. IN NS ns.example.com.
|
|
||||||
example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
|
|
||||||
example.com. 3600 IN RRSIG NS 5 2 3600 20070926134150 20070829134150 30899 example.com. YTqtYba73HIOQuPr5oDyIX9pfmz1ybEBjwlD/jUgcPmFINUOZ9FeqG6ywgRKwn4AizkKTK00p1sxZYMKxl91wg== ;{id = 30899}
|
|
||||||
SECTION ADDITIONAL
|
|
||||||
ns.example.com. IN A 1.2.3.4
|
|
||||||
ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCQMyTjn7WWwpwAR1LlVeLpRgZGuQIUCcJDEkwAuzytTDRlYK7nIMwH1CM= ;{id = 2854}
|
|
||||||
ns.example.com. 3600 IN RRSIG A 5 3 3600 20070926134150 20070829134150 30899 example.com. Dn1ziMKrc3NdJkSv8g61Y9WNk3+BAuwCwnYzAZiHmkejkSCPViLJN7+f4Conp9l8LkTl50ZnLgoYrrUYNhMj6w== ;{id = 30899}
|
|
||||||
ENTRY_END
|
|
||||||
|
|
||||||
SCENARIO_END
|
|
|
@ -1,185 +0,0 @@
|
||||||
; config options
|
|
||||||
; The island of trust is at example.com
|
|
||||||
server:
|
|
||||||
trust-anchor: "example.com. 3600 IN DNSKEY 256 3 3 ALXLUsWqUrY3JYER3T4TBJIIs70j+sDS/UT2QRp61SE7S3EEXopNXoFE73JLRmvpi/UrOO/Vz4Se6wXv/CYCKjGw06U4WRgRYXcpEhJROyNapmdIKSxhOzfLVE1gqA0PweZR8dtY3aNQSRn3sPpwJr6Mi/PqQKAMMrZ9ckJpf1+bQMOOvxgzz2U1GS18b3yZKcgTMEaJzd/GZYzi/BN2DzQ0MsrSwYXfsNLFOBbs8PJMW4LYIxeeOe6rUgkWOF7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}"
|
|
||||||
trust-anchor: "example.com. 3600 IN DS 30899 5 1 d4bf9d2e10f6d76840d42ef5913022abcd0bf512"
|
|
||||||
trust-anchor: "example.com. 3600 IN DS 30899 7 1 d4bf9d2e10f6d76840d42ef5913022abcd0bf512"
|
|
||||||
val-override-date: "20070916134226"
|
|
||||||
target-fetch-policy: "0 0 0 0 0"
|
|
||||||
harden-algo-downgrade: no
|
|
||||||
|
|
||||||
stub-zone:
|
|
||||||
name: "."
|
|
||||||
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
|
|
||||||
CONFIG_END
|
|
||||||
|
|
||||||
SCENARIO_BEGIN Test validator with multiple algorithm missing one
|
|
||||||
|
|
||||||
; K.ROOT-SERVERS.NET.
|
|
||||||
RANGE_BEGIN 0 100
|
|
||||||
ADDRESS 193.0.14.129
|
|
||||||
ENTRY_BEGIN
|
|
||||||
MATCH opcode qtype qname
|
|
||||||
ADJUST copy_id
|
|
||||||
REPLY QR NOERROR
|
|
||||||
SECTION QUESTION
|
|
||||||
. IN NS
|
|
||||||
SECTION ANSWER
|
|
||||||
. IN NS K.ROOT-SERVERS.NET.
|
|
||||||
SECTION ADDITIONAL
|
|
||||||
K.ROOT-SERVERS.NET. IN A 193.0.14.129
|
|
||||||
ENTRY_END
|
|
||||||
|
|
||||||
ENTRY_BEGIN
|
|
||||||
MATCH opcode qtype qname
|
|
||||||
ADJUST copy_id
|
|
||||||
REPLY QR NOERROR
|
|
||||||
SECTION QUESTION
|
|
||||||
www.example.com. IN A
|
|
||||||
SECTION AUTHORITY
|
|
||||||
com. IN NS a.gtld-servers.net.
|
|
||||||
SECTION ADDITIONAL
|
|
||||||
a.gtld-servers.net. IN A 192.5.6.30
|
|
||||||
ENTRY_END
|
|
||||||
RANGE_END
|
|
||||||
|
|
||||||
; a.gtld-servers.net.
|
|
||||||
RANGE_BEGIN 0 100
|
|
||||||
ADDRESS 192.5.6.30
|
|
||||||
ENTRY_BEGIN
|
|
||||||
MATCH opcode qtype qname
|
|
||||||
ADJUST copy_id
|
|
||||||
REPLY QR NOERROR
|
|
||||||
SECTION QUESTION
|
|
||||||
com. IN NS
|
|
||||||
SECTION ANSWER
|
|
||||||
com. IN NS a.gtld-servers.net.
|
|
||||||
SECTION ADDITIONAL
|
|
||||||
a.gtld-servers.net. IN A 192.5.6.30
|
|
||||||
ENTRY_END
|
|
||||||
|
|
||||||
ENTRY_BEGIN
|
|
||||||
MATCH opcode qtype qname
|
|
||||||
ADJUST copy_id
|
|
||||||
REPLY QR NOERROR
|
|
||||||
SECTION QUESTION
|
|
||||||
www.example.com. IN A
|
|
||||||
SECTION AUTHORITY
|
|
||||||
example.com. IN NS ns.example.com.
|
|
||||||
SECTION ADDITIONAL
|
|
||||||
ns.example.com. IN A 1.2.3.4
|
|
||||||
ENTRY_END
|
|
||||||
RANGE_END
|
|
||||||
|
|
||||||
; ns.example.com.
|
|
||||||
RANGE_BEGIN 0 100
|
|
||||||
ADDRESS 1.2.3.4
|
|
||||||
ENTRY_BEGIN
|
|
||||||
MATCH opcode qtype qname
|
|
||||||
ADJUST copy_id
|
|
||||||
REPLY QR NOERROR
|
|
||||||
SECTION QUESTION
|
|
||||||
example.com. IN NS
|
|
||||||
SECTION ANSWER
|
|
||||||
example.com. IN NS ns.example.com.
|
|
||||||
example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
|
|
||||||
example.com. 3600 IN RRSIG NS 5 2 3600 20070926134150 20070829134150 30899 example.com. YTqtYba73HIOQuPr5oDyIX9pfmz1ybEBjwlD/jUgcPmFINUOZ9FeqG6ywgRKwn4AizkKTK00p1sxZYMKxl91wg== ;{id = 30899}
|
|
||||||
SECTION ADDITIONAL
|
|
||||||
ns.example.com. IN A 1.2.3.4
|
|
||||||
ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
|
|
||||||
ns.example.com. 3600 IN RRSIG A 5 3 3600 20070926134150 20070829134150 30899 example.com. Dn1ziMKrc3NdJkSv8g61Y9WNk3+BAuwCwnYzAZiHmkejkSCPViLJN7+f4Conp9l8LkTl50ZnLgoYrrUYNhMj6w== ;{id = 30899}
|
|
||||||
ENTRY_END
|
|
||||||
|
|
||||||
ENTRY_BEGIN
|
|
||||||
MATCH opcode qtype qname
|
|
||||||
ADJUST copy_id
|
|
||||||
REPLY QR AA NOERROR
|
|
||||||
SECTION QUESTION
|
|
||||||
ns.example.com. IN AAAA
|
|
||||||
SECTION ANSWER
|
|
||||||
SECTION AUTHORITY
|
|
||||||
example.com. IN NS ns.example.com.
|
|
||||||
example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
|
|
||||||
example.com. 3600 IN RRSIG NS 5 2 3600 20070926134150 20070829134150 30899 example.com. YTqtYba73HIOQuPr5oDyIX9pfmz1ybEBjwlD/jUgcPmFINUOZ9FeqG6ywgRKwn4AizkKTK00p1sxZYMKxl91wg== ;{id = 30899}
|
|
||||||
SECTION ADDITIONAL
|
|
||||||
ns.example.com. IN A 1.2.3.4
|
|
||||||
ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
|
|
||||||
ns.example.com. 3600 IN RRSIG A 5 3 3600 20070926134150 20070829134150 30899 example.com. Dn1ziMKrc3NdJkSv8g61Y9WNk3+BAuwCwnYzAZiHmkejkSCPViLJN7+f4Conp9l8LkTl50ZnLgoYrrUYNhMj6w== ;{id = 30899}
|
|
||||||
ENTRY_END
|
|
||||||
|
|
||||||
|
|
||||||
; response to DNSKEY priming query
|
|
||||||
ENTRY_BEGIN
|
|
||||||
MATCH opcode qtype qname
|
|
||||||
ADJUST copy_id
|
|
||||||
REPLY QR NOERROR
|
|
||||||
SECTION QUESTION
|
|
||||||
example.com. IN DNSKEY
|
|
||||||
SECTION ANSWER
|
|
||||||
example.com. 3600 IN DNSKEY 256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}
|
|
||||||
example.com. 3600 IN DNSKEY 256 3 3 ALXLUsWqUrY3JYER3T4TBJIIs70j+sDS/UT2QRp61SE7S3EEXopNXoFE73JLRmvpi/UrOO/Vz4Se6wXv/CYCKjGw06U4WRgRYXcpEhJROyNapmdIKSxhOzfLVE1gqA0PweZR8dtY3aNQSRn3sPpwJr6Mi/PqQKAMMrZ9ckJpf1+bQMOOvxgzz2U1GS18b3yZKcgTMEaJzd/GZYzi/BN2DzQ0MsrSwYXfsNLFOBbs8PJMW4LYIxeeOe6rUgkWOF7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 512b}
|
|
||||||
example.com. 3600 IN RRSIG DNSKEY 3 2 3600 20070926134150 20070829134150 2854 example.com. AKIIYDOGHogglFqJK94ZtOnF7EfGikgAyloMNRSMCrQgFaFkmcOyjrc= ;{id = 2854}
|
|
||||||
example.com. 3600 IN RRSIG DNSKEY 5 2 3600 20070926134150 20070829134150 30899 example.com. J55fsz1GGMnngc4r50xvXDUdaVMlfcLKLVsfMhwNLF+ERac5XV/lLRAc/aSER+qQdsSo0CrjYjy1wat7YQpDAA== ;{id = 30899}
|
|
||||||
SECTION AUTHORITY
|
|
||||||
example.com. IN NS ns.example.com.
|
|
||||||
example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
|
|
||||||
example.com. 3600 IN RRSIG NS 5 2 3600 20070926134150 20070829134150 30899 example.com. YTqtYba73HIOQuPr5oDyIX9pfmz1ybEBjwlD/jUgcPmFINUOZ9FeqG6ywgRKwn4AizkKTK00p1sxZYMKxl91wg== ;{id = 30899}
|
|
||||||
SECTION ADDITIONAL
|
|
||||||
ns.example.com. IN A 1.2.3.4
|
|
||||||
ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
|
|
||||||
ns.example.com. 3600 IN RRSIG A 5 3 3600 20070926134150 20070829134150 30899 example.com. Dn1ziMKrc3NdJkSv8g61Y9WNk3+BAuwCwnYzAZiHmkejkSCPViLJN7+f4Conp9l8LkTl50ZnLgoYrrUYNhMj6w== ;{id = 30899}
|
|
||||||
ENTRY_END
|
|
||||||
|
|
||||||
; response to query of interest
|
|
||||||
ENTRY_BEGIN
|
|
||||||
MATCH opcode qtype qname
|
|
||||||
ADJUST copy_id
|
|
||||||
REPLY QR NOERROR
|
|
||||||
SECTION QUESTION
|
|
||||||
www.example.com. IN A
|
|
||||||
SECTION ANSWER
|
|
||||||
www.example.com. IN A 10.20.30.40
|
|
||||||
ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCQMyTjn7WWwpwAR1LlVeLpRgZGuQIUCcJDEkwAuzytTDRlYK7nIMwH1CM= ;{id = 2854}
|
|
||||||
www.example.com. 3600 IN RRSIG A 5 3 3600 20070926134150 20070829134150 30899 example.com. JNWECShNE+nCLQwOXJJ3xpUkh2G+FCh5nk8uYAHIVQRse/BIvCMSlvRrtVyw9RnXvk5RR2bEgN0pRdLWW7ug5Q== ;{id = 30899}
|
|
||||||
SECTION AUTHORITY
|
|
||||||
example.com. IN NS ns.example.com.
|
|
||||||
example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
|
|
||||||
example.com. 3600 IN RRSIG NS 5 2 3600 20070926134150 20070829134150 30899 example.com. YTqtYba73HIOQuPr5oDyIX9pfmz1ybEBjwlD/jUgcPmFINUOZ9FeqG6ywgRKwn4AizkKTK00p1sxZYMKxl91wg== ;{id = 30899}
|
|
||||||
SECTION ADDITIONAL
|
|
||||||
ns.example.com. IN A 1.2.3.4
|
|
||||||
www.example.com. 3600 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFC99iE9K5y2WNgI0gFvBWaTi9wm6AhUAoUqOpDtG5Zct+Qr9F3mSdnbc6V4= ;{id = 2854}
|
|
||||||
ns.example.com. 3600 IN RRSIG A 5 3 3600 20070926134150 20070829134150 30899 example.com. Dn1ziMKrc3NdJkSv8g61Y9WNk3+BAuwCwnYzAZiHmkejkSCPViLJN7+f4Conp9l8LkTl50ZnLgoYrrUYNhMj6w== ;{id = 30899}
|
|
||||||
ENTRY_END
|
|
||||||
RANGE_END
|
|
||||||
|
|
||||||
STEP 1 QUERY
|
|
||||||
ENTRY_BEGIN
|
|
||||||
REPLY RD DO
|
|
||||||
SECTION QUESTION
|
|
||||||
www.example.com. IN A
|
|
||||||
ENTRY_END
|
|
||||||
|
|
||||||
; recursion happens here.
|
|
||||||
STEP 10 CHECK_ANSWER
|
|
||||||
ENTRY_BEGIN
|
|
||||||
MATCH all
|
|
||||||
REPLY QR RD RA AD DO NOERROR
|
|
||||||
SECTION QUESTION
|
|
||||||
www.example.com. IN A
|
|
||||||
SECTION ANSWER
|
|
||||||
www.example.com. 3600 IN A 10.20.30.40
|
|
||||||
www.example.com. 3600 IN RRSIG A 5 3 3600 20070926134150 20070829134150 30899 example.com. JNWECShNE+nCLQwOXJJ3xpUkh2G+FCh5nk8uYAHIVQRse/BIvCMSlvRrtVyw9RnXvk5RR2bEgN0pRdLWW7ug5Q== ;{id = 30899}
|
|
||||||
www.example.com. 3600 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFC99iE9K5y2WNgI0gFvBWaTi9wm6AhUAoUqOpDtG5Zct+Qr9F3mSdnbc6V4= ;{id = 2854}
|
|
||||||
|
|
||||||
SECTION AUTHORITY
|
|
||||||
example.com. 3600 IN NS ns.example.com.
|
|
||||||
example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
|
|
||||||
example.com. 3600 IN RRSIG NS 5 2 3600 20070926134150 20070829134150 30899 example.com. YTqtYba73HIOQuPr5oDyIX9pfmz1ybEBjwlD/jUgcPmFINUOZ9FeqG6ywgRKwn4AizkKTK00p1sxZYMKxl91wg== ;{id = 30899}
|
|
||||||
|
|
||||||
SECTION ADDITIONAL
|
|
||||||
ns.example.com. 3600 IN A 1.2.3.4
|
|
||||||
ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCQMyTjn7WWwpwAR1LlVeLpRgZGuQIUCcJDEkwAuzytTDRlYK7nIMwH1CM= ;{id = 2854}
|
|
||||||
ns.example.com. 3600 IN RRSIG A 5 3 3600 20070926134150 20070829134150 30899 example.com. Dn1ziMKrc3NdJkSv8g61Y9WNk3+BAuwCwnYzAZiHmkejkSCPViLJN7+f4Conp9l8LkTl50ZnLgoYrrUYNhMj6w== ;{id = 30899}
|
|
||||||
ENTRY_END
|
|
||||||
|
|
||||||
SCENARIO_END
|
|
|
@ -364,6 +364,9 @@ void *unbound_stat_malloc(size_t size)
|
||||||
#ifdef calloc
|
#ifdef calloc
|
||||||
#undef calloc
|
#undef calloc
|
||||||
#endif
|
#endif
|
||||||
|
#ifndef INT_MAX
|
||||||
|
#define INT_MAX (((int)-1)>>1)
|
||||||
|
#endif
|
||||||
/** calloc with stats */
|
/** calloc with stats */
|
||||||
void *unbound_stat_calloc(size_t nmemb, size_t size)
|
void *unbound_stat_calloc(size_t nmemb, size_t size)
|
||||||
{
|
{
|
||||||
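Review bot: The fallback `#define INT_MAX (((int)-1)>>1)` evaluates to -1 on the usual arithmetic-shift implementations, because right-shifting a negative signed value is implementation-defined in C and GCC/Clang sign-extend it, so the fallback is wrong exactly where it would be used. `<limits.h>` is standard C and provides INT_MAX, so `#include <limits.h>` near the top of the file (that part is outside the hunk, so it may already be there) is the straightforward fix; if a fallback must stay, `#define INT_MAX ((int)(~0u >> 1))` yields the maximum on two's-complement targets. The body of unbound_stat_calloc, where the value is presumably used to bound nmemb*size, continues outside the hunk.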
|
|
|
@ -70,6 +70,8 @@
|
||||||
uid_t cfg_uid = (uid_t)-1;
|
uid_t cfg_uid = (uid_t)-1;
|
||||||
/** from cfg username, after daemonise setup performed */
|
/** from cfg username, after daemonise setup performed */
|
||||||
gid_t cfg_gid = (gid_t)-1;
|
gid_t cfg_gid = (gid_t)-1;
|
||||||
|
/** for debug allow small timeout values for fast rollovers */
|
||||||
|
int autr_permit_small_holddown = 0;
|
||||||
|
|
||||||
/** global config during parsing */
|
/** global config during parsing */
|
||||||
struct config_parser_state* cfg_parser = 0;
|
struct config_parser_state* cfg_parser = 0;
|
||||||
|
@ -200,6 +202,7 @@ config_create(void)
|
||||||
cfg->add_holddown = 30*24*3600;
|
cfg->add_holddown = 30*24*3600;
|
||||||
cfg->del_holddown = 30*24*3600;
|
cfg->del_holddown = 30*24*3600;
|
||||||
cfg->keep_missing = 366*24*3600; /* one year plus a little leeway */
|
cfg->keep_missing = 366*24*3600; /* one year plus a little leeway */
|
||||||
|
cfg->permit_small_holddown = 0;
|
||||||
cfg->key_cache_size = 4 * 1024 * 1024;
|
cfg->key_cache_size = 4 * 1024 * 1024;
|
||||||
cfg->key_cache_slabs = 4;
|
cfg->key_cache_slabs = 4;
|
||||||
cfg->neg_cache_size = 1 * 1024 * 1024;
|
cfg->neg_cache_size = 1 * 1024 * 1024;
|
||||||
|
@ -444,6 +447,9 @@ int config_set_option(struct config_file* cfg, const char* opt,
|
||||||
else S_UNSIGNED_OR_ZERO("add-holddown:", add_holddown)
|
else S_UNSIGNED_OR_ZERO("add-holddown:", add_holddown)
|
||||||
else S_UNSIGNED_OR_ZERO("del-holddown:", del_holddown)
|
else S_UNSIGNED_OR_ZERO("del-holddown:", del_holddown)
|
||||||
else S_UNSIGNED_OR_ZERO("keep-missing:", keep_missing)
|
else S_UNSIGNED_OR_ZERO("keep-missing:", keep_missing)
|
||||||
|
else if(strcmp(opt, "permit-small-holddown:") == 0)
|
||||||
|
{ IS_YES_OR_NO; cfg->permit_small_holddown = (strcmp(val, "yes") == 0);
|
||||||
|
autr_permit_small_holddown = cfg->permit_small_holddown; }
|
||||||
else S_MEMSIZE("key-cache-size:", key_cache_size)
|
else S_MEMSIZE("key-cache-size:", key_cache_size)
|
||||||
else S_POW2("key-cache-slabs:", key_cache_slabs)
|
else S_POW2("key-cache-slabs:", key_cache_slabs)
|
||||||
else S_MEMSIZE("neg-cache-size:", neg_cache_size)
|
else S_MEMSIZE("neg-cache-size:", neg_cache_size)
|
||||||
|
@ -705,6 +711,7 @@ config_get_option(struct config_file* cfg, const char* opt,
|
||||||
else O_UNS(opt, "add-holddown", add_holddown)
|
else O_UNS(opt, "add-holddown", add_holddown)
|
||||||
else O_UNS(opt, "del-holddown", del_holddown)
|
else O_UNS(opt, "del-holddown", del_holddown)
|
||||||
else O_UNS(opt, "keep-missing", keep_missing)
|
else O_UNS(opt, "keep-missing", keep_missing)
|
||||||
|
else O_YNO(opt, "permit-small-holddown", permit_small_holddown)
|
||||||
else O_MEM(opt, "key-cache-size", key_cache_size)
|
else O_MEM(opt, "key-cache-size", key_cache_size)
|
||||||
else O_DEC(opt, "key-cache-slabs", key_cache_slabs)
|
else O_DEC(opt, "key-cache-slabs", key_cache_slabs)
|
||||||
else O_MEM(opt, "neg-cache-size", neg_cache_size)
|
else O_MEM(opt, "neg-cache-size", neg_cache_size)
|
||||||
|
@ -1243,6 +1250,7 @@ config_apply(struct config_file* config)
|
||||||
MINIMAL_RESPONSES = config->minimal_responses;
|
MINIMAL_RESPONSES = config->minimal_responses;
|
||||||
RRSET_ROUNDROBIN = config->rrset_roundrobin;
|
RRSET_ROUNDROBIN = config->rrset_roundrobin;
|
||||||
log_set_time_asc(config->log_time_ascii);
|
log_set_time_asc(config->log_time_ascii);
|
||||||
|
autr_permit_small_holddown = config->permit_small_holddown;
|
||||||
}
|
}
|
||||||
|
|
||||||
void config_lookup_uid(struct config_file* cfg)
|
void config_lookup_uid(struct config_file* cfg)
|
||||||
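Review bot: The new permit-small-holddown branch in config_set_option writes the process-wide `autr_permit_small_holddown` global directly, while the config_apply hunk in the same commit (`autr_permit_small_holddown = config->permit_small_holddown;`) already pushes the parsed value into that global; keeping the global write only in config_apply keeps this option on the same parse-then-apply path as the other options. If the direct write is intentional, for instance so that a set_option issued at runtime takes effect without a config_apply, that should be stated where it happens, e.g. `/* also set the global here: runtime set_option does not go through config_apply */`. Because the option shortens the RFC 5011 holddown that gives an operator time to notice an unexpected key rollover, a log line when it is switched on at runtime would make the change visible in the audit trail. config_set_option's body starts and ends outside the hunk.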
|
|
|
@ -269,6 +269,8 @@ struct config_file {
|
||||||
unsigned int del_holddown;
|
unsigned int del_holddown;
|
||||||
/** autotrust keep_missing time, in seconds. 0 is forever. */
|
/** autotrust keep_missing time, in seconds. 0 is forever. */
|
||||||
unsigned int keep_missing;
|
unsigned int keep_missing;
|
||||||
|
/** permit small holddown values, allowing 5011 rollover very fast */
|
||||||
|
int permit_small_holddown;
|
||||||
|
|
||||||
/** size of the key cache */
|
/** size of the key cache */
|
||||||
size_t key_cache_size;
|
size_t key_cache_size;
|
||||||
|
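Review bot: The new field's comment `/** permit small holddown values, allowing 5011 rollover very fast */` describes the effect but not that it is a test/debug knob, while the matching extern in this header is labelled "debug". Suggest `/** permit small holddown values, allowing 5011 rollover very fast; for testing only: removes the 1hr minimum on autotrust probe and hold-down times */` so the option is not mistaken for a tuning parameter.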
@ -368,6 +370,8 @@ struct config_file {
|
||||||
extern uid_t cfg_uid;
|
extern uid_t cfg_uid;
|
||||||
/** from cfg username, after daemonise setup performed */
|
/** from cfg username, after daemonise setup performed */
|
||||||
extern gid_t cfg_gid;
|
extern gid_t cfg_gid;
|
||||||
|
/** debug and enable small timeouts */
|
||||||
|
extern int autr_permit_small_holddown;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Stub config options
|
* Stub config options
|
||||||
|
|
|
@ -306,6 +306,7 @@ val-nsec3-keysize-iterations{COLON} {
|
||||||
add-holddown{COLON} { YDVAR(1, VAR_ADD_HOLDDOWN) }
|
add-holddown{COLON} { YDVAR(1, VAR_ADD_HOLDDOWN) }
|
||||||
del-holddown{COLON} { YDVAR(1, VAR_DEL_HOLDDOWN) }
|
del-holddown{COLON} { YDVAR(1, VAR_DEL_HOLDDOWN) }
|
||||||
keep-missing{COLON} { YDVAR(1, VAR_KEEP_MISSING) }
|
keep-missing{COLON} { YDVAR(1, VAR_KEEP_MISSING) }
|
||||||
|
permit-small-holddown{COLON} { YDVAR(1, VAR_PERMIT_SMALL_HOLDDOWN) }
|
||||||
use-syslog{COLON} { YDVAR(1, VAR_USE_SYSLOG) }
|
use-syslog{COLON} { YDVAR(1, VAR_USE_SYSLOG) }
|
||||||
log-time-ascii{COLON} { YDVAR(1, VAR_LOG_TIME_ASCII) }
|
log-time-ascii{COLON} { YDVAR(1, VAR_LOG_TIME_ASCII) }
|
||||||
log-queries{COLON} { YDVAR(1, VAR_LOG_QUERIES) }
|
log-queries{COLON} { YDVAR(1, VAR_LOG_QUERIES) }
|
||||||
|
|
|
@ -203,7 +203,8 @@ extern int yydebug;
|
||||||
VAR_RATELIMIT_BELOW_DOMAIN = 412,
|
VAR_RATELIMIT_BELOW_DOMAIN = 412,
|
||||||
VAR_RATELIMIT_FACTOR = 413,
|
VAR_RATELIMIT_FACTOR = 413,
|
||||||
VAR_CAPS_WHITELIST = 414,
|
VAR_CAPS_WHITELIST = 414,
|
||||||
VAR_CACHE_MAX_NEGATIVE_TTL = 415
|
VAR_CACHE_MAX_NEGATIVE_TTL = 415,
|
||||||
|
VAR_PERMIT_SMALL_HOLDDOWN = 416
|
||||||
};
|
};
|
||||||
#endif
|
#endif
|
||||||
/* Tokens. */
|
/* Tokens. */
|
||||||
|
@ -365,6 +366,7 @@ extern int yydebug;
|
||||||
#define VAR_RATELIMIT_FACTOR 413
|
#define VAR_RATELIMIT_FACTOR 413
|
||||||
#define VAR_CAPS_WHITELIST 414
|
#define VAR_CAPS_WHITELIST 414
|
||||||
#define VAR_CACHE_MAX_NEGATIVE_TTL 415
|
#define VAR_CACHE_MAX_NEGATIVE_TTL 415
|
||||||
|
#define VAR_PERMIT_SMALL_HOLDDOWN 416
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
@ -378,7 +380,7 @@ typedef union YYSTYPE
|
||||||
|
|
||||||
|
|
||||||
/* Line 2058 of yacc.c */
|
/* Line 2058 of yacc.c */
|
||||||
#line 382 "util/configparser.h"
|
#line 384 "util/configparser.h"
|
||||||
} YYSTYPE;
|
} YYSTYPE;
|
||||||
# define YYSTYPE_IS_TRIVIAL 1
|
# define YYSTYPE_IS_TRIVIAL 1
|
||||||
# define yystype YYSTYPE /* obsolescent; will be withdrawn */
|
# define yystype YYSTYPE /* obsolescent; will be withdrawn */
|
||||||
|
|
|
@ -121,7 +121,7 @@ extern struct config_parser_state* cfg_parser;
|
||||||
%token VAR_HARDEN_ALGO_DOWNGRADE VAR_IP_TRANSPARENT
|
%token VAR_HARDEN_ALGO_DOWNGRADE VAR_IP_TRANSPARENT
|
||||||
%token VAR_RATELIMIT VAR_RATELIMIT_SLABS VAR_RATELIMIT_SIZE
|
%token VAR_RATELIMIT VAR_RATELIMIT_SLABS VAR_RATELIMIT_SIZE
|
||||||
%token VAR_RATELIMIT_FOR_DOMAIN VAR_RATELIMIT_BELOW_DOMAIN VAR_RATELIMIT_FACTOR
|
%token VAR_RATELIMIT_FOR_DOMAIN VAR_RATELIMIT_BELOW_DOMAIN VAR_RATELIMIT_FACTOR
|
||||||
%token VAR_CAPS_WHITELIST VAR_CACHE_MAX_NEGATIVE_TTL
|
%token VAR_CAPS_WHITELIST VAR_CACHE_MAX_NEGATIVE_TTL VAR_PERMIT_SMALL_HOLDDOWN
|
||||||
|
|
||||||
%%
|
%%
|
||||||
toplevelvars: /* empty */ | toplevelvars toplevelvar ;
|
toplevelvars: /* empty */ | toplevelvars toplevelvar ;
|
||||||
|
@ -185,7 +185,8 @@ content_server: server_num_threads | server_verbosity | server_port |
|
||||||
server_ip_transparent | server_ratelimit | server_ratelimit_slabs |
|
server_ip_transparent | server_ratelimit | server_ratelimit_slabs |
|
||||||
server_ratelimit_size | server_ratelimit_for_domain |
|
server_ratelimit_size | server_ratelimit_for_domain |
|
||||||
server_ratelimit_below_domain | server_ratelimit_factor |
|
server_ratelimit_below_domain | server_ratelimit_factor |
|
||||||
server_caps_whitelist | server_cache_max_negative_ttl
|
server_caps_whitelist | server_cache_max_negative_ttl |
|
||||||
|
server_permit_small_holddown
|
||||||
;
|
;
|
||||||
stubstart: VAR_STUB_ZONE
|
stubstart: VAR_STUB_ZONE
|
||||||
{
|
{
|
||||||
|
@ -1125,6 +1126,15 @@ server_keep_missing: VAR_KEEP_MISSING STRING_ARG
|
||||||
free($2);
|
free($2);
|
||||||
}
|
}
|
||||||
;
|
;
|
||||||
|
server_permit_small_holddown: VAR_PERMIT_SMALL_HOLDDOWN STRING_ARG
|
||||||
|
{
|
||||||
|
OUTYY(("P(server_permit_small_holddown:%s)\n", $2));
|
||||||
|
if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
|
||||||
|
yyerror("expected yes or no.");
|
||||||
|
else cfg_parser->cfg->permit_small_holddown =
|
||||||
|
(strcmp($2, "yes")==0);
|
||||||
|
free($2);
|
||||||
|
}
|
||||||
server_key_cache_size: VAR_KEY_CACHE_SIZE STRING_ARG
|
server_key_cache_size: VAR_KEY_CACHE_SIZE STRING_ARG
|
||||||
{
|
{
|
||||||
OUTYY(("P(server_key_cache_size:%s)\n", $2));
|
OUTYY(("P(server_key_cache_size:%s)\n", $2));
|
||||||
|
|
|
@ -283,7 +283,7 @@ compress_owner(struct ub_packed_rrset_key* key, sldns_buffer* pkt,
|
||||||
size_t owner_pos, uint16_t* owner_ptr, int owner_labs)
|
size_t owner_pos, uint16_t* owner_ptr, int owner_labs)
|
||||||
{
|
{
|
||||||
struct compress_tree_node* p;
|
struct compress_tree_node* p;
|
||||||
struct compress_tree_node** insertpt;
|
struct compress_tree_node** insertpt = NULL;
|
||||||
if(!*owner_ptr) {
|
if(!*owner_ptr) {
|
||||||
/* compress first time dname */
|
/* compress first time dname */
|
||||||
if((p = compress_tree_lookup(tree, key->rk.dname,
|
if((p = compress_tree_lookup(tree, key->rk.dname,
|
||||||
|
|
|
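Review bot: Initialising `insertpt` to NULL silences an uninitialised-variable warning, but if any path below the hunk hands `insertpt` to the tree insertion (presumably a compress_tree_store call) without compress_tree_lookup having set it, the read becomes a NULL dereference instead of an uninitialised read, and the initialiser hides the warning that pointed at it. If compress_tree_lookup is guaranteed to set `*insertpt` whenever it returns NULL (a miss), say so at the declaration, e.g. `struct compress_tree_node** insertpt = NULL; /* set by compress_tree_lookup on a miss */`; otherwise add an explicit `if(!insertpt)` check before the store. The rest of compress_owner is outside the hunk.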
@ -822,13 +822,13 @@ log_query_info(enum verbosity_value v, const char* str,
|
||||||
}
|
}
|
||||||
|
|
||||||
int
|
int
|
||||||
reply_check_cname_chain(struct reply_info* rep)
|
reply_check_cname_chain(struct query_info* qinfo, struct reply_info* rep)
|
||||||
{
|
{
|
||||||
/* check only answer section rrs for matching cname chain.
|
/* check only answer section rrs for matching cname chain.
|
||||||
* the cache may return changed rdata, but owner names are untouched.*/
|
* the cache may return changed rdata, but owner names are untouched.*/
|
||||||
size_t i;
|
size_t i;
|
||||||
uint8_t* sname = rep->rrsets[0]->rk.dname;
|
uint8_t* sname = qinfo->qname;
|
||||||
size_t snamelen = rep->rrsets[0]->rk.dname_len;
|
size_t snamelen = qinfo->qname_len;
|
||||||
for(i=0; i<rep->an_numrrsets; i++) {
|
for(i=0; i<rep->an_numrrsets; i++) {
|
||||||
uint16_t t = ntohs(rep->rrsets[i]->rk.type);
|
uint16_t t = ntohs(rep->rrsets[i]->rk.type);
|
||||||
if(t == LDNS_RR_TYPE_DNAME)
|
if(t == LDNS_RR_TYPE_DNAME)
|
||||||
|
|
|
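Review bot: Starting the chain from `qinfo->qname` instead of the owner of `rep->rrsets[0]` is the right anchor, since a cached reply whose first RRset owner is not the query name could previously satisfy the check, but the comparison of `sname` against each `rk.dname` below the hunk (not visible) must then be case-insensitive: the client's qname keeps the client's case while the cached owner keeps whatever the upstream sent, so `query_dname_compare` is fine and a plain `memcmp` is not. The new code also no longer touches `rep->rrsets[0]`, so an empty answer section is safe here; worth stating in the comment, e.g. `/* start from the query name, not the first rrset owner, so a cached reply for another name cannot pass */`. Every caller must now pass qinfo; none of them is visible in this hunk.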
@ -359,10 +359,11 @@ uint8_t* reply_find_final_cname_target(struct query_info* qinfo,
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Check if cname chain in cached reply is still valid.
|
* Check if cname chain in cached reply is still valid.
|
||||||
|
* @param qinfo: query info with query name.
|
||||||
* @param rep: reply to check.
|
* @param rep: reply to check.
|
||||||
* @return: true if valid, false if invalid.
|
* @return: true if valid, false if invalid.
|
||||||
*/
|
*/
|
||||||
int reply_check_cname_chain(struct reply_info* rep);
|
int reply_check_cname_chain(struct query_info* qinfo, struct reply_info* rep);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Check security status of all RRs in the message.
|
* Check security status of all RRs in the message.
|
||||||
|
|
|
@ -1066,7 +1066,6 @@
|
||||||
1404,
|
1404,
|
||||||
1405,
|
1405,
|
||||||
1406,
|
1406,
|
||||||
1407,
|
|
||||||
1408,
|
1408,
|
||||||
1409,
|
1409,
|
||||||
1410,
|
1410,
|
||||||
|
@ -4667,6 +4666,7 @@
|
||||||
7725,
|
7725,
|
||||||
7726,
|
7726,
|
||||||
7727,
|
7727,
|
||||||
|
7728,
|
||||||
7734,
|
7734,
|
||||||
7738,
|
7738,
|
||||||
7741,
|
7741,
|
||||||
|
@ -4781,6 +4781,7 @@
|
||||||
8301,
|
8301,
|
||||||
8320,
|
8320,
|
||||||
8321,
|
8321,
|
||||||
|
8322,
|
||||||
8351,
|
8351,
|
||||||
8376,
|
8376,
|
||||||
8377,
|
8377,
|
||||||
|
@ -4788,6 +4789,7 @@
|
||||||
8379,
|
8379,
|
||||||
8380,
|
8380,
|
||||||
8383,
|
8383,
|
||||||
|
8384,
|
||||||
8400,
|
8400,
|
||||||
8401,
|
8401,
|
||||||
8402,
|
8402,
|
||||||
|
@ -4804,6 +4806,7 @@
|
||||||
8474,
|
8474,
|
||||||
8500,
|
8500,
|
||||||
8501,
|
8501,
|
||||||
|
8503,
|
||||||
8554,
|
8554,
|
||||||
8555,
|
8555,
|
||||||
8567,
|
8567,
|
||||||
|
@ -5034,6 +5037,7 @@
|
||||||
10200,
|
10200,
|
||||||
10201,
|
10201,
|
||||||
10252,
|
10252,
|
||||||
|
10253,
|
||||||
10260,
|
10260,
|
||||||
10288,
|
10288,
|
||||||
10439,
|
10439,
|
||||||
|
@ -5168,6 +5172,8 @@
|
||||||
17220,
|
17220,
|
||||||
17221,
|
17221,
|
||||||
17222,
|
17222,
|
||||||
|
17224,
|
||||||
|
17225,
|
||||||
17234,
|
17234,
|
||||||
17235,
|
17235,
|
||||||
17500,
|
17500,
|
||||||
|
@ -5380,6 +5386,7 @@
|
||||||
40843,
|
40843,
|
||||||
40853,
|
40853,
|
||||||
41111,
|
41111,
|
||||||
|
41230,
|
||||||
41794,
|
41794,
|
||||||
41795,
|
41795,
|
||||||
42508,
|
42508,
|
||||||
|
|
|
@ -629,9 +629,9 @@ void* listen_sslctx_create(char* key, char* pem, char* verifypem)
|
||||||
SSL_CTX_free(ctx);
|
SSL_CTX_free(ctx);
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
if(!SSL_CTX_use_certificate_file(ctx, pem, SSL_FILETYPE_PEM)) {
|
if(!SSL_CTX_use_certificate_chain_file(ctx, pem)) {
|
||||||
log_err("error for cert file: %s", pem);
|
log_err("error for cert file: %s", pem);
|
||||||
log_crypto_err("error in SSL_CTX use_certificate_file");
|
log_crypto_err("error in SSL_CTX use_certificate_chain_file");
|
||||||
SSL_CTX_free(ctx);
|
SSL_CTX_free(ctx);
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
|
@ -647,6 +647,23 @@ void* listen_sslctx_create(char* key, char* pem, char* verifypem)
|
||||||
SSL_CTX_free(ctx);
|
SSL_CTX_free(ctx);
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
|
#if HAVE_DECL_SSL_CTX_SET_ECDH_AUTO
|
||||||
|
if(!SSL_CTX_set_ecdh_auto(ctx,1)) {
|
||||||
|
log_crypto_err("Error in SSL_CTX_ecdh_auto, not enabling ECDHE");
|
||||||
|
}
|
||||||
|
#elif defined(USE_ECDSA)
|
||||||
|
if(1) {
|
||||||
|
EC_KEY *ecdh = EC_KEY_new_by_curve_name (NID_X9_62_prime256v1);
|
||||||
|
if (!ecdh) {
|
||||||
|
log_crypto_err("could not find p256, not enabling ECDHE");
|
||||||
|
} else {
|
||||||
|
if (1 != SSL_CTX_set_tmp_ecdh (ctx, ecdh)) {
|
||||||
|
log_crypto_err("Error in SSL_CTX_set_tmp_ecdh, not enabling ECDHE");
|
||||||
|
}
|
||||||
|
EC_KEY_free (ecdh);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
if(verifypem && verifypem[0]) {
|
if(verifypem && verifypem[0]) {
|
||||||
if(!SSL_CTX_load_verify_locations(ctx, verifypem, NULL)) {
|
if(!SSL_CTX_load_verify_locations(ctx, verifypem, NULL)) {
|
||||||
|
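Review bot: A failure of `SSL_CTX_set_ecdh_auto` or `SSL_CTX_set_tmp_ecdh` is only logged and the listener carries on; unless DH parameters are configured somewhere outside this hunk, the context then offers no (EC)DHE suites and falls back to RSA key transport with no forward secrecy, which is a silent downgrade for a TLS listener. Consider handling that failure like the certificate errors above it (`SSL_CTX_free(ctx); return NULL;`), or at least logging the consequence at warning level. The `#elif defined(USE_ECDSA)` fallback also ties TLS ECDHE to the DNSSEC ECDSA build flag, so a build with ECDSA validation disabled but an EC-capable OpenSSL loses ECDHE entirely; `#elif !defined(OPENSSL_NO_EC)` is the guard that matches what the code actually needs. `if(1) {` exists only to open a scope for the `EC_KEY *ecdh` declaration and reads oddly; a bare block `{ ... }` does the same in C89.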
@ -684,7 +701,7 @@ void* connect_sslctx_create(char* key, char* pem, char* verifypem)
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
if(key && key[0]) {
|
if(key && key[0]) {
|
||||||
if(!SSL_CTX_use_certificate_file(ctx, pem, SSL_FILETYPE_PEM)) {
|
if(!SSL_CTX_use_certificate_chain_file(ctx, pem)) {
|
||||||
log_err("error in client certificate %s", pem);
|
log_err("error in client certificate %s", pem);
|
||||||
log_crypto_err("error in certificate file");
|
log_crypto_err("error in certificate file");
|
||||||
SSL_CTX_free(ctx);
|
SSL_CTX_free(ctx);
|
||||||
|
|
|
@ -1225,7 +1225,7 @@ verify_dnskey(struct module_env* env, struct val_env* ve,
|
||||||
{
|
{
|
||||||
char* reason = NULL;
|
char* reason = NULL;
|
||||||
uint8_t sigalg[ALGO_NEEDS_MAX+1];
|
uint8_t sigalg[ALGO_NEEDS_MAX+1];
|
||||||
int downprot = 1;
|
int downprot = env->cfg->harden_algo_downgrade;
|
||||||
enum sec_status sec = val_verify_DNSKEY_with_TA(env, ve, rrset,
|
enum sec_status sec = val_verify_DNSKEY_with_TA(env, ve, rrset,
|
||||||
tp->ds_rrset, tp->dnskey_rrset, downprot?sigalg:NULL, &reason);
|
tp->ds_rrset, tp->dnskey_rrset, downprot?sigalg:NULL, &reason);
|
||||||
/* sigalg is ignored, it returns algorithms signalled to exist, but
|
/* sigalg is ignored, it returns algorithms signalled to exist, but
|
||||||
|
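Review bot: `int downprot = env->cfg->harden_algo_downgrade;` makes trust-anchor DNSKEY verification depend on an option whose documented default is, as far as I recall, "no", so the algorithm-downgrade protection that was unconditional here (`downprot = 1`) becomes opt-in; that is a policy change and should be called out in the changelog and in the unbound.conf text for harden-algo-downgrade. A comment on the line would stop the next reader from "fixing" it back, e.g. `/* 0: accept the weakest algorithm signalled in the DS at the trust anchor */`. The rest of verify_dnskey is outside the hunk.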
@ -1447,9 +1447,11 @@ set_tp_times(struct trust_anchor* tp, time_t rrsig_exp_interval,
|
||||||
if(rrsig_exp_interval/2 < x)
|
if(rrsig_exp_interval/2 < x)
|
||||||
x = rrsig_exp_interval/2;
|
x = rrsig_exp_interval/2;
|
||||||
/* MAX(1hr, x) */
|
/* MAX(1hr, x) */
|
||||||
if(x < 3600)
|
if(!autr_permit_small_holddown) {
|
||||||
tp->autr->query_interval = 3600;
|
if(x < 3600)
|
||||||
else tp->autr->query_interval = x;
|
tp->autr->query_interval = 3600;
|
||||||
|
else tp->autr->query_interval = x;
|
||||||
|
} else tp->autr->query_interval = x;
|
||||||
|
|
||||||
/* x= MIN(1day, ttl/10, expire/10) */
|
/* x= MIN(1day, ttl/10, expire/10) */
|
||||||
x = 24 * 3600;
|
x = 24 * 3600;
|
||||||
|
@ -1458,9 +1460,11 @@ set_tp_times(struct trust_anchor* tp, time_t rrsig_exp_interval,
|
||||||
if(rrsig_exp_interval/10 < x)
|
if(rrsig_exp_interval/10 < x)
|
||||||
x = rrsig_exp_interval/10;
|
x = rrsig_exp_interval/10;
|
||||||
/* MAX(1hr, x) */
|
/* MAX(1hr, x) */
|
||||||
if(x < 3600)
|
if(!autr_permit_small_holddown) {
|
||||||
tp->autr->retry_time = 3600;
|
if(x < 3600)
|
||||||
else tp->autr->retry_time = x;
|
tp->autr->retry_time = 3600;
|
||||||
|
else tp->autr->retry_time = x;
|
||||||
|
} else tp->autr->retry_time = x;
|
||||||
|
|
||||||
if(qi != tp->autr->query_interval || rt != tp->autr->retry_time) {
|
if(qi != tp->autr->query_interval || rt != tp->autr->retry_time) {
|
||||||
*changed = 1;
|
*changed = 1;
|
||||||
|
@ -1959,8 +1963,12 @@ calc_next_probe(struct module_env* env, time_t wait)
|
||||||
{
|
{
|
||||||
/* make it random, 90-100% */
|
/* make it random, 90-100% */
|
||||||
time_t rnd, rest;
|
time_t rnd, rest;
|
||||||
if(wait < 3600)
|
if(!autr_permit_small_holddown) {
|
||||||
wait = 3600;
|
if(wait < 3600)
|
||||||
|
wait = 3600;
|
||||||
|
} else {
|
||||||
|
if(wait == 0) wait = 1;
|
||||||
|
}
|
||||||
rnd = wait/10;
|
rnd = wait/10;
|
||||||
rest = wait-rnd;
|
rest = wait-rnd;
|
||||||
rnd = (time_t)ub_random_max(env->rnd, (long int)rnd);
|
rnd = (time_t)ub_random_max(env->rnd, (long int)rnd);
|
||||||
|
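Review bot: With `autr_permit_small_holddown` set, `wait` may be as small as 1, so for any wait below 10 the jitter `rnd = wait/10` is 0 and `ub_random_max(env->rnd, 0)` is called with an upper bound of 0; that is harmless if ub_random_max returns 0 for x == 0 (arc4random_uniform-style implementations do) but is a division by zero in an implementation that computes `v % x`, and it is cheap to avoid: `rnd = rnd ? (time_t)ub_random_max(env->rnd, (long int)rnd) : 0;`. The `wait == 0` floor to 1 also means a trust point whose set_tp_times produced 0 will be probed every second, which is presumably the intended test behaviour and deserves a comment, e.g. `/* debug mode: no 1hr floor, but never schedule a zero wait */`. The tail of calc_next_probe is outside the hunk.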
@ -2349,6 +2357,8 @@ todo_probe(struct module_env* env, time_t* next)
|
||||||
if( (el=rbtree_first(&env->anchors->autr->probe)) == RBTREE_NULL) {
|
if( (el=rbtree_first(&env->anchors->autr->probe)) == RBTREE_NULL) {
|
||||||
/* in case of revoked anchors */
|
/* in case of revoked anchors */
|
||||||
lock_basic_unlock(&env->anchors->lock);
|
lock_basic_unlock(&env->anchors->lock);
|
||||||
|
/* signal that there are no anchors to probe */
|
||||||
|
*next = 0;
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
tp = (struct trust_anchor*)el->key;
|
tp = (struct trust_anchor*)el->key;
|
||||||
|
@ -2378,6 +2388,7 @@ autr_probe_timer(struct module_env* env)
|
||||||
struct trust_anchor* tp;
|
struct trust_anchor* tp;
|
||||||
time_t next_probe = 3600;
|
time_t next_probe = 3600;
|
||||||
int num = 0;
|
int num = 0;
|
||||||
|
if(autr_permit_small_holddown) next_probe = 1;
|
||||||
verbose(VERB_ALGO, "autotrust probe timer callback");
|
verbose(VERB_ALGO, "autotrust probe timer callback");
|
||||||
/* while there are still anchors to probe */
|
/* while there are still anchors to probe */
|
||||||
while( (tp = todo_probe(env, &next_probe)) ) {
|
while( (tp = todo_probe(env, &next_probe)) ) {
|
||||||
|
@ -2386,7 +2397,7 @@ autr_probe_timer(struct module_env* env)
|
||||||
num++;
|
num++;
|
||||||
}
|
}
|
||||||
regional_free_all(env->scratch);
|
regional_free_all(env->scratch);
|
||||||
if(num == 0)
|
if(next_probe == 0)
|
||||||
return 0; /* no trust points to probe */
|
return 0; /* no trust points to probe */
|
||||||
verbose(VERB_ALGO, "autotrust probe timer %d callbacks done", num);
|
verbose(VERB_ALGO, "autotrust probe timer %d callbacks done", num);
|
||||||
return next_probe;
|
return next_probe;
|
||||||
|
|
|
@ -2769,7 +2769,7 @@ process_dnskey_response(struct module_qstate* qstate, struct val_qstate* vq,
|
||||||
vq->state = VAL_VALIDATE_STATE;
|
vq->state = VAL_VALIDATE_STATE;
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
downprot = 1;
|
downprot = qstate->env->cfg->harden_algo_downgrade;
|
||||||
vq->key_entry = val_verify_new_DNSKEYs(qstate->region, qstate->env,
|
vq->key_entry = val_verify_new_DNSKEYs(qstate->region, qstate->env,
|
||||||
ve, dnskey, vq->ds_rrset, downprot, &reason);
|
ve, dnskey, vq->ds_rrset, downprot, &reason);
|
||||||
|
|
||||||
|
|
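Review bot: `downprot = qstate->env->cfg->harden_algo_downgrade;` replaces an unconditional `downprot = 1`, so val_verify_new_DNSKEYs only enforces that every algorithm signalled in the DS RRset validates when the operator has enabled harden-algo-downgrade; if that option's default is "no" as the man page states (to my recollection), a default configuration will from this commit accept the weakest DS-signalled algorithm. That deserves an explicit changelog and man-page note, and a short comment here, e.g. `/* downgrade protection is opt-in via harden-algo-downgrade */`. The rest of process_dnskey_response is outside the hunk.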