update unbound
This commit is contained in:
parent
7792255968
commit
93944333c5
|
@ -168,7 +168,7 @@ HOST_OBJ=unbound-host.lo
|
|||
HOST_OBJ_LINK=$(HOST_OBJ) $(SLDNS_OBJ) $(COMPAT_OBJ_WITHOUT_CTIMEARC4) @WIN_HOST_OBJ_LINK@
|
||||
UBANCHOR_SRC=smallapp/unbound-anchor.c
|
||||
UBANCHOR_OBJ=unbound-anchor.lo
|
||||
UBANCHOR_OBJ_LINK=$(UBANCHOR_OBJ) \
|
||||
UBANCHOR_OBJ_LINK=$(UBANCHOR_OBJ) parseutil.lo \
|
||||
$(COMPAT_OBJ_WITHOUT_CTIME) @WIN_UBANCHOR_OBJ_LINK@
|
||||
TESTBOUND_SRC=testcode/testbound.c testcode/testpkts.c \
|
||||
daemon/worker.c daemon/acl_list.c daemon/daemon.c daemon/stats.c \
|
||||
|
@ -1175,7 +1175,7 @@ delayer.lo delayer.o: $(srcdir)/testcode/delayer.c config.h $(srcdir)/util/net_h
|
|||
unbound-control.lo unbound-control.o: $(srcdir)/smallapp/unbound-control.c config.h \
|
||||
$(srcdir)/util/log.h $(srcdir)/util/config_file.h $(srcdir)/util/locks.h $(srcdir)/util/net_help.h
|
||||
unbound-anchor.lo unbound-anchor.o: $(srcdir)/smallapp/unbound-anchor.c config.h $(srcdir)/libunbound/unbound.h \
|
||||
$(srcdir)/sldns/rrdef.h \
|
||||
$(srcdir)/sldns/rrdef.h $(srcdir)/sldns/parseutil.h \
|
||||
|
||||
petal.lo petal.o: $(srcdir)/testcode/petal.c config.h \
|
||||
|
||||
|
|
|
@ -85,6 +85,10 @@
|
|||
`SSL_COMP_get_compression_methods', and to 0 if you don't. */
|
||||
#cmakedefine HAVE_DECL_SSL_COMP_GET_COMPRESSION_METHODS
|
||||
|
||||
/* Define to 1 if you have the declaration of `SSL_CTX_set_ecdh_auto', and to
|
||||
0 if you don't. */
|
||||
#cmakedefine HAVE_DECL_SSL_CTX_SET_ECDH_AUTO
|
||||
|
||||
/* Define to 1 if you have the declaration of `strlcat', and to 0 if you
|
||||
don't. */
|
||||
#cmakedefine HAVE_DECL_STRLCAT
|
||||
|
|
|
@ -82,6 +82,10 @@
|
|||
`SSL_COMP_get_compression_methods', and to 0 if you don't. */
|
||||
#undef HAVE_DECL_SSL_COMP_GET_COMPRESSION_METHODS
|
||||
|
||||
/* Define to 1 if you have the declaration of `SSL_CTX_set_ecdh_auto', and to
|
||||
0 if you don't. */
|
||||
#undef HAVE_DECL_SSL_CTX_SET_ECDH_AUTO
|
||||
|
||||
/* Define to 1 if you have the declaration of `strlcat', and to 0 if you
|
||||
don't. */
|
||||
#undef HAVE_DECL_STRLCAT
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
#! /bin/sh
|
||||
# Guess values for system-dependent variables and create Makefiles.
|
||||
# Generated by GNU Autoconf 2.69 for unbound 1.5.4.
|
||||
# Generated by GNU Autoconf 2.69 for unbound 1.5.5.
|
||||
#
|
||||
# Report bugs to <unbound-bugs@nlnetlabs.nl>.
|
||||
#
|
||||
|
@ -590,8 +590,8 @@ MAKEFLAGS=
|
|||
# Identity of this package.
|
||||
PACKAGE_NAME='unbound'
|
||||
PACKAGE_TARNAME='unbound'
|
||||
PACKAGE_VERSION='1.5.4'
|
||||
PACKAGE_STRING='unbound 1.5.4'
|
||||
PACKAGE_VERSION='1.5.5'
|
||||
PACKAGE_STRING='unbound 1.5.5'
|
||||
PACKAGE_BUGREPORT='unbound-bugs@nlnetlabs.nl'
|
||||
PACKAGE_URL=''
|
||||
|
||||
|
@ -1389,7 +1389,7 @@ if test "$ac_init_help" = "long"; then
|
|||
# Omit some internal or obsolete options to make the list less imposing.
|
||||
# This message is too long to be a string in the A/UX 3.1 sh.
|
||||
cat <<_ACEOF
|
||||
\`configure' configures unbound 1.5.4 to adapt to many kinds of systems.
|
||||
\`configure' configures unbound 1.5.5 to adapt to many kinds of systems.
|
||||
|
||||
Usage: $0 [OPTION]... [VAR=VALUE]...
|
||||
|
||||
|
@ -1454,7 +1454,7 @@ fi
|
|||
|
||||
if test -n "$ac_init_help"; then
|
||||
case $ac_init_help in
|
||||
short | recursive ) echo "Configuration of unbound 1.5.4:";;
|
||||
short | recursive ) echo "Configuration of unbound 1.5.5:";;
|
||||
esac
|
||||
cat <<\_ACEOF
|
||||
|
||||
|
@ -1629,7 +1629,7 @@ fi
|
|||
test -n "$ac_init_help" && exit $ac_status
|
||||
if $ac_init_version; then
|
||||
cat <<\_ACEOF
|
||||
unbound configure 1.5.4
|
||||
unbound configure 1.5.5
|
||||
generated by GNU Autoconf 2.69
|
||||
|
||||
Copyright (C) 2012 Free Software Foundation, Inc.
|
||||
|
@ -2338,7 +2338,7 @@ cat >config.log <<_ACEOF
|
|||
This file contains any messages produced by compilers while
|
||||
running configure, to aid debugging if configure makes a mistake.
|
||||
|
||||
It was created by unbound $as_me 1.5.4, which was
|
||||
It was created by unbound $as_me 1.5.5, which was
|
||||
generated by GNU Autoconf 2.69. Invocation command line was
|
||||
|
||||
$ $0 $@
|
||||
|
@ -2690,7 +2690,7 @@ UNBOUND_VERSION_MAJOR=1
|
|||
|
||||
UNBOUND_VERSION_MINOR=5
|
||||
|
||||
UNBOUND_VERSION_MICRO=4
|
||||
UNBOUND_VERSION_MICRO=5
|
||||
|
||||
|
||||
LIBUNBOUND_CURRENT=5
|
||||
|
@ -16684,7 +16684,7 @@ rm -f core conftest.err conftest.$ac_objext \
|
|||
conftest$ac_exeext conftest.$ac_ext
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for LibreSSL" >&5
|
||||
$as_echo_n "checking for LibreSSL... " >&6; }
|
||||
if grep OPENSSL_VERSION_TEXT $ssldir/include/openssl/opensslv.h | grep "LibreSSL" >/dev/null; then
|
||||
if grep VERSION_TEXT $ssldir/include/openssl/opensslv.h | grep "LibreSSL" >/dev/null; then
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
|
||||
$as_echo "yes" >&6; }
|
||||
|
||||
|
@ -16845,6 +16845,36 @@ fi
|
|||
cat >>confdefs.h <<_ACEOF
|
||||
#define HAVE_DECL_SK_SSL_COMP_POP_FREE $ac_have_decl
|
||||
_ACEOF
|
||||
ac_fn_c_check_decl "$LINENO" "SSL_CTX_set_ecdh_auto" "ac_cv_have_decl_SSL_CTX_set_ecdh_auto" "
|
||||
$ac_includes_default
|
||||
#ifdef HAVE_OPENSSL_ERR_H
|
||||
#include <openssl/err.h>
|
||||
#endif
|
||||
|
||||
#ifdef HAVE_OPENSSL_RAND_H
|
||||
#include <openssl/rand.h>
|
||||
#endif
|
||||
|
||||
#ifdef HAVE_OPENSSL_CONF_H
|
||||
#include <openssl/conf.h>
|
||||
#endif
|
||||
|
||||
#ifdef HAVE_OPENSSL_ENGINE_H
|
||||
#include <openssl/engine.h>
|
||||
#endif
|
||||
#include <openssl/ssl.h>
|
||||
#include <openssl/evp.h>
|
||||
|
||||
"
|
||||
if test "x$ac_cv_have_decl_SSL_CTX_set_ecdh_auto" = xyes; then :
|
||||
ac_have_decl=1
|
||||
else
|
||||
ac_have_decl=0
|
||||
fi
|
||||
|
||||
cat >>confdefs.h <<_ACEOF
|
||||
#define HAVE_DECL_SSL_CTX_SET_ECDH_AUTO $ac_have_decl
|
||||
_ACEOF
|
||||
|
||||
fi
|
||||
|
||||
|
@ -18150,6 +18180,8 @@ esac
|
|||
fi
|
||||
|
||||
|
||||
LIBOBJ_WITHOUT_CTIMEARC4="$LIBOBJS"
|
||||
|
||||
ac_fn_c_check_func "$LINENO" "reallocarray" "ac_cv_func_reallocarray"
|
||||
if test "x$ac_cv_func_reallocarray" = xyes; then :
|
||||
$as_echo "#define HAVE_REALLOCARRAY 1" >>confdefs.h
|
||||
|
@ -18164,8 +18196,6 @@ esac
|
|||
fi
|
||||
|
||||
|
||||
LIBOBJ_WITHOUT_CTIMEARC4="$LIBOBJS"
|
||||
|
||||
if test "$USE_NSS" = "no"; then
|
||||
ac_fn_c_check_func "$LINENO" "arc4random" "ac_cv_func_arc4random"
|
||||
if test "x$ac_cv_func_arc4random" = xyes; then :
|
||||
|
@ -18890,7 +18920,7 @@ _ACEOF
|
|||
|
||||
|
||||
|
||||
version=1.5.4
|
||||
version=1.5.5
|
||||
|
||||
date=`date +'%b %e, %Y'`
|
||||
|
||||
|
@ -19405,7 +19435,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
|
|||
# report actual input values of CONFIG_FILES etc. instead of their
|
||||
# values after options handling.
|
||||
ac_log="
|
||||
This file was extended by unbound $as_me 1.5.4, which was
|
||||
This file was extended by unbound $as_me 1.5.5, which was
|
||||
generated by GNU Autoconf 2.69. Invocation command line was
|
||||
|
||||
CONFIG_FILES = $CONFIG_FILES
|
||||
|
@ -19471,7 +19501,7 @@ _ACEOF
|
|||
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
|
||||
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
|
||||
ac_cs_version="\\
|
||||
unbound config.status 1.5.4
|
||||
unbound config.status 1.5.5
|
||||
configured by $0, generated by GNU Autoconf 2.69,
|
||||
with options \\"\$ac_cs_config\\"
|
||||
|
||||
|
|
|
@ -10,7 +10,7 @@ sinclude(dnstap/dnstap.m4)
|
|||
# must be numbers. ac_defun because of later processing
|
||||
m4_define([VERSION_MAJOR],[1])
|
||||
m4_define([VERSION_MINOR],[5])
|
||||
m4_define([VERSION_MICRO],[4])
|
||||
m4_define([VERSION_MICRO],[5])
|
||||
AC_INIT(unbound, m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]), unbound-bugs@nlnetlabs.nl, unbound)
|
||||
AC_SUBST(UNBOUND_VERSION_MAJOR, [VERSION_MAJOR])
|
||||
AC_SUBST(UNBOUND_VERSION_MINOR, [VERSION_MINOR])
|
||||
|
@ -566,7 +566,7 @@ if test $USE_NSS = "no"; then
|
|||
ACX_WITH_SSL
|
||||
ACX_LIB_SSL
|
||||
AC_MSG_CHECKING([for LibreSSL])
|
||||
if grep OPENSSL_VERSION_TEXT $ssldir/include/openssl/opensslv.h | grep "LibreSSL" >/dev/null; then
|
||||
if grep VERSION_TEXT $ssldir/include/openssl/opensslv.h | grep "LibreSSL" >/dev/null; then
|
||||
AC_MSG_RESULT([yes])
|
||||
AC_DEFINE([HAVE_LIBRESSL], [1], [Define if we have LibreSSL])
|
||||
# libressl provides these compat functions, but they may also be
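Review bot: The loosened pattern on the LibreSSL test line matches any line of opensslv.h that contains both `VERSION_TEXT` and `LibreSSL`, comments included; if the intent is to accept a renamed `LIBRESSL_VERSION_TEXT` macro alongside `OPENSSL_VERSION_TEXT`, `grep -E '(OPENSSL|LIBRESSL)_VERSION_TEXT'` expresses that without widening the match. `$ssldir` is unquoted and grep's stderr is left open, so a path with spaces or a missing header produces a stray error on the configure output rather than a clean `no`; `grep -E '(OPENSSL|LIBRESSL)_VERSION_TEXT' "$ssldir/include/openssl/opensslv.h" 2>/dev/null | grep "LibreSSL" >/dev/null` fixes both. Which of the two grep lines is the new one is not marked on this rendering; the `VERSION_TEXT` form is taken to be the addition.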
|
||||
|
@ -578,7 +578,7 @@ fi
|
|||
AC_CHECK_HEADERS([openssl/conf.h],,, [AC_INCLUDES_DEFAULT])
|
||||
AC_CHECK_HEADERS([openssl/engine.h],,, [AC_INCLUDES_DEFAULT])
|
||||
AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode])
|
||||
AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free], [], [], [
|
||||
AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free,SSL_CTX_set_ecdh_auto], [], [], [
|
||||
AC_INCLUDES_DEFAULT
|
||||
#ifdef HAVE_OPENSSL_ERR_H
|
||||
#include <openssl/err.h>
|
||||
|
@ -998,9 +998,10 @@ AC_REPLACE_FUNCS(strlcat)
|
|||
AC_REPLACE_FUNCS(strlcpy)
|
||||
AC_REPLACE_FUNCS(memmove)
|
||||
AC_REPLACE_FUNCS(gmtime_r)
|
||||
AC_REPLACE_FUNCS(reallocarray)
|
||||
dnl without CTIME, ARC4-functions and without reallocarray.
|
||||
LIBOBJ_WITHOUT_CTIMEARC4="$LIBOBJS"
|
||||
AC_SUBST(LIBOBJ_WITHOUT_CTIMEARC4)
|
||||
AC_REPLACE_FUNCS(reallocarray)
|
||||
if test "$USE_NSS" = "no"; then
|
||||
AC_REPLACE_FUNCS(arc4random)
|
||||
AC_REPLACE_FUNCS(arc4random_uniform)
|
||||
|
|
|
@ -399,6 +399,12 @@ daemon_create_workers(struct daemon* daemon)
|
|||
verbose(VERB_ALGO, "total of %d outgoing ports available", numport);
|
||||
|
||||
daemon->num = (daemon->cfg->num_threads?daemon->cfg->num_threads:1);
|
||||
if(daemon->reuseport && (int)daemon->num < (int)daemon->num_ports) {
|
||||
log_warn("cannot reduce num-threads to %d because so-reuseport "
|
||||
"so continuing with %d threads.", (int)daemon->num,
|
||||
(int)daemon->num_ports);
|
||||
daemon->num = (int)daemon->num_ports;
|
||||
}
|
||||
daemon->workers = (struct worker**)calloc((size_t)daemon->num,
|
||||
sizeof(struct worker*));
|
||||
if(daemon->cfg->dnstap) {
|
||||
|
@ -464,7 +470,7 @@ thread_start(void* arg)
|
|||
#endif
|
||||
#ifdef SO_REUSEPORT
|
||||
if(worker->daemon->cfg->so_reuseport)
|
||||
port_num = worker->thread_num;
|
||||
port_num = worker->thread_num % worker->daemon->num_ports;
|
||||
else
|
||||
port_num = 0;
|
||||
#endif
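Review bot: The modulo added to `port_num` in the second hunk will trap if `num_ports` can be zero when a worker thread starts; the first hunk only compares `num` against `num_ports` and nothing visible here guarantees a positive count, so unless an earlier check does, `port_num = worker->daemon->num_ports ? worker->thread_num % worker->daemon->num_ports : 0;` is the safer form. The warning text in the first hunk also reads oddly; `"cannot reduce num-threads to %d because so-reuseport is enabled, so continuing with %d threads."` says the same thing grammatically. Which of the two `port_num =` lines is the new one is not marked on this rendering; the modulo form is assumed to be the addition. Both `daemon_create_workers` and `thread_start` continue outside these hunks.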
|
||||
|
|
|
@ -243,9 +243,9 @@ daemon_remote_create(struct config_file* cfg)
|
|||
goto setup_error;
|
||||
}
|
||||
verbose(VERB_ALGO, "setup SSL certificates");
|
||||
if (!SSL_CTX_use_certificate_file(rc->ctx,s_cert,SSL_FILETYPE_PEM)) {
|
||||
if (!SSL_CTX_use_certificate_chain_file(rc->ctx,s_cert)) {
|
||||
log_err("Error for server-cert-file: %s", s_cert);
|
||||
log_crypto_err("Error in SSL_CTX use_certificate_file");
|
||||
log_crypto_err("Error in SSL_CTX use_certificate_chain_file");
|
||||
goto setup_error;
|
||||
}
|
||||
if(!SSL_CTX_use_PrivateKey_file(rc->ctx,s_key,SSL_FILETYPE_PEM)) {
|
||||
|
@ -258,6 +258,23 @@ daemon_remote_create(struct config_file* cfg)
|
|||
log_crypto_err("Error in SSL_CTX check_private_key");
|
||||
goto setup_error;
|
||||
}
|
||||
#if HAVE_DECL_SSL_CTX_SET_ECDH_AUTO
|
||||
if(!SSL_CTX_set_ecdh_auto(rc->ctx,1)) {
|
||||
log_crypto_err("Error in SSL_CTX_ecdh_auto, not enabling ECDHE");
|
||||
}
|
||||
#elif defined(USE_ECDSA)
|
||||
if(1) {
|
||||
EC_KEY *ecdh = EC_KEY_new_by_curve_name (NID_X9_62_prime256v1);
|
||||
if (!ecdh) {
|
||||
log_crypto_err("could not find p256, not enabling ECDHE");
|
||||
} else {
|
||||
if (1 != SSL_CTX_set_tmp_ecdh (rc->ctx, ecdh)) {
|
||||
log_crypto_err("Error in SSL_CTX_set_tmp_ecdh, not enabling ECDHE");
|
||||
}
|
||||
EC_KEY_free (ecdh);
|
||||
}
|
||||
}
|
||||
#endif
|
||||
if(!SSL_CTX_load_verify_locations(rc->ctx, s_cert, NULL)) {
|
||||
log_crypto_err("Error setting up SSL_CTX verify locations");
|
||||
setup_error:
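Review bot: `SSL_CTX_load_verify_locations(rc->ctx, s_cert, NULL)` at the end of this hunk still uses the server certificate file as the trust store for remote-control clients, and since the earlier hunk now reads that file with `SSL_CTX_use_certificate_chain_file`, every intermediate an operator appends to it will also be accepted as an issuer of client certificates; if that is intended, record it with `/* s_cert doubles as the client trust anchor: extra certs in the chain file become trusted issuers */`, otherwise load the trust store from a separate file. The failure message on the `SSL_CTX_set_ecdh_auto` branch names a function that does not exist; `log_crypto_err("Error in SSL_CTX_set_ecdh_auto, not enabling ECDHE");` matches the call. The `if(1) {` wrapper in the `USE_ECDSA` branch appears to exist only to open a scope for the `EC_KEY` declaration; a bare `{ ... }` block does that without the dummy condition. `daemon_remote_create` continues on both sides of this hunk.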
|
||||
|
@ -1683,6 +1700,7 @@ parse_delegpt(SSL* ssl, char* args, uint8_t* nm, int allow_names)
|
|||
}
|
||||
}
|
||||
}
|
||||
dp->has_parent_side_NS = 1;
|
||||
return dp;
|
||||
}
|
||||
|
||||
|
|
|
@ -568,7 +568,7 @@ answer_from_cache(struct worker* worker, struct query_info* qinfo,
|
|||
if(rep->an_numrrsets > 0 && (rep->rrsets[0]->rk.type ==
|
||||
htons(LDNS_RR_TYPE_CNAME) || rep->rrsets[0]->rk.type ==
|
||||
htons(LDNS_RR_TYPE_DNAME))) {
|
||||
if(!reply_check_cname_chain(rep)) {
|
||||
if(!reply_check_cname_chain(qinfo, rep)) {
|
||||
/* cname chain invalid, redo iterator steps */
|
||||
verbose(VERB_ALGO, "Cache reply: cname chain broken");
|
||||
bail_out:
|
||||
|
|
|
@ -1,3 +1,73 @@
|
|||
13 August 2015: Wouter
|
||||
- 5011 implementation does not insist on all algorithms, when
|
||||
harden-algo-downgrade is turned off.
|
||||
- Reap the child process that libunbound spawns.
|
||||
|
||||
11 August 2015: Wouter
|
||||
- Fix #694: configure script does not detect LibreSSL 2.2.2
|
||||
|
||||
4 August 2015: Wouter
|
||||
- Document that local-zone nodefault matches exactly and transparent
|
||||
can be used to release a subzone.
|
||||
|
||||
3 August 2015: Wouter
|
||||
- Document in the manual more text about configuring locally served
|
||||
zones.
|
||||
- Fix 5011 anchor update timer after reload.
|
||||
- Fix mktime in unbound-anchor not using UTC.
|
||||
|
||||
30 July 2015: Wouter
|
||||
- please afl-gcc (llvm) for uninitialised variable warning.
|
||||
- Added permit-small-holddown config to debug fast 5011 rollover.
|
||||
|
||||
24 July 2015: Wouter
|
||||
- Fix #690: Reload fails when so-reuseport is yes after changing
|
||||
num-threads.
|
||||
- iana portlist update.
|
||||
|
||||
21 July 2015: Wouter
|
||||
- Fix configure to detect SSL_CTX_set_ecdh_auto.
|
||||
- iana portlist update.
|
||||
|
||||
20 July 2015: Wouter
|
||||
- Enable ECDHE for servers. Where available, use
|
||||
SSL_CTX_set_ecdh_auto() for TLS-wrapped server configurations to
|
||||
enable ECDHE. Otherwise, manually offer curve p256.
|
||||
Client connections should automatically use ECDHE when available.
|
||||
(thanks Daniel Kahn Gillmor)
|
||||
|
||||
18 July 2015: Willem
|
||||
- Allow certificate chain files to allow for intermediate certificates.
|
||||
(thanks Daniel Kahn Gillmor)
|
||||
|
||||
13 July 2015: Wouter
|
||||
- makedist produces sha1 and sha256 files for created binaries too.
|
||||
|
||||
9 July 2015: Wouter
|
||||
- 1.5.4 release tag
|
||||
- trunk has 1.5.5 in development.
|
||||
- Fix #681: Setting forwarders with unbound-control forward
|
||||
implicitly turns on forward-first.
|
||||
|
||||
29 June 2015: Wouter
|
||||
- iana portlist update.
|
||||
- Fix alloc with log for allocation size checks.
|
||||
|
||||
26 June 2015: Wouter
|
||||
- Fix #677 Fix DNAME responses from cache that failed internal chain
|
||||
test.
|
||||
- iana portlist update.
|
||||
|
||||
22 June 2015: Wouter
|
||||
- Fix #677 Fix CNAME corresponding to a DNAME was checked incorrectly
|
||||
and was therefore always synthesized (thanks to Valentin Dietrich).
|
||||
|
||||
4 June 2015: Wouter
|
||||
- RFC 7553 RR type URI support, is now enabled by default.
|
||||
|
||||
2 June 2015: Wouter
|
||||
- Fix #674: Do not free pointers given by getenv.
|
||||
|
||||
29 May 2015: Wouter
|
||||
- Fix that unparseable error responses are ratelimited.
|
||||
- SOA negative TTL is capped at minimumttl in its rdata section.
|
||||
|
|
|
@ -444,6 +444,9 @@ server:
|
|||
# If the value 0 is given, missing anchors are not removed.
|
||||
# keep-missing: 31622400 # 366 days
|
||||
|
||||
# debug option that allows very small holddown times for key rollover
|
||||
# permit-small-holddown: no
|
||||
|
||||
# the amount of memory to use for the key cache.
|
||||
# plain value in bytes or you can append k, m or G. default is "4Mb".
|
||||
# key-cache-size: 4m
|
||||
|
@ -623,6 +626,8 @@ remote-control:
|
|||
# nameservers by hostname or by ipaddress. If you set stub-prime to yes,
|
||||
# the list is treated as priming hints (default is no).
|
||||
# With stub-first yes, it attempts without the stub if it fails.
|
||||
# Consider adding domain-insecure: name and local-zone: name nodefault
|
||||
# to the server: section if the stub is a locally served zone.
|
||||
# stub-zone:
|
||||
# name: "example.com"
|
||||
# stub-addr: 192.0.2.68
|
||||
|
|
|
@ -801,6 +801,10 @@ mechanism work with zones that perform regular (non\-5011) rollovers.
|
|||
The default is 366 days. The value 0 does not remove missing anchors,
|
||||
as per the RFC.
|
||||
.TP
|
||||
.B permit\-small\-holddown: \fI<yes or no>
|
||||
Debug option that allows the autotrust 5011 rollover timers to assume
|
||||
very small values. Default is no.
|
||||
.TP
|
||||
.B key\-cache\-size: \fI<number>
|
||||
Number of bytes size of the key cache. Default is 4 megabytes.
|
||||
A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes
|
||||
|
@ -895,7 +899,8 @@ infected machines without answering the queries.
|
|||
Used to turn off default contents for AS112 zones. The other types
|
||||
also turn off default contents for the zone. The 'nodefault' option
|
||||
has no other effect than turning off default contents for the
|
||||
given zone.
|
||||
given zone. Use \fInodefault\fR if you use exactly that zone, if you want to
|
||||
use a subzone, use \fItransparent\fR.
|
||||
.P
|
||||
The default zones are localhost, reverse 127.0.0.1 and ::1, and the AS112
|
||||
zones. The AS112 zones are reverse DNS zones for private use and reserved
|
||||
|
@ -1124,6 +1129,12 @@ bit on replies for the private zone (authoritative servers do not set the
|
|||
AD bit). This setup makes unbound capable of answering queries for the
|
||||
private zone, and can even set the AD bit ('authentic'), but the AA
|
||||
('authoritative') bit is not set on these replies.
|
||||
.P
|
||||
Consider adding \fBserver:\fR statements for \fBdomain\-insecure:\fR and
|
||||
for \fBlocal\-zone:\fI name nodefault\fR for the zone if it is a locally
|
||||
served zone. The insecure clause stops DNSSEC from invalidating the
|
||||
zone. The local zone nodefault (or \fItransparent\fR) clause makes the
|
||||
(reverse\-) zone bypass unbound's filtering of RFC1918 zones.
|
||||
.TP
|
||||
.B name: \fI<domain name>
|
||||
Name of the stub zone.
|
||||
|
|
|
@ -372,7 +372,7 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg,
|
|||
/* check next cname */
|
||||
uint8_t* t = NULL;
|
||||
size_t tlen = 0;
|
||||
if(!parse_get_cname_target(rrset, &t, &tlen))
|
||||
if(!parse_get_cname_target(nx, &t, &tlen))
|
||||
return 0;
|
||||
if(dname_pkt_compare(pkt, alias, t) == 0) {
|
||||
/* it's OK and better capitalized */
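Review bot: The corrected call `parse_get_cname_target(nx, &t, &tlen)` compiles exactly like the old `rrset` form, so a one-line comment explaining why `nx` is the right rrset would stop the regression from being reintroduced; something like `/* nx is the CNAME that follows the DNAME; its target, not the DNAME's, must equal the synthesized alias */`, assuming that is the relationship (the hunk does not show how `nx` and `alias` are derived). `scrub_normalize` starts and ends outside this hunk.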
|
||||
|
|
|
@ -65,6 +65,9 @@
|
|||
#ifdef HAVE_PTHREAD
|
||||
#include <signal.h>
|
||||
#endif
|
||||
#ifdef HAVE_SYS_WAIT_H
|
||||
#include <sys/wait.h>
|
||||
#endif
|
||||
|
||||
#if defined(UB_ON_WINDOWS) && defined (HAVE_WINDOWS_H)
|
||||
#include <windows.h>
|
||||
|
@ -218,6 +221,12 @@ static void ub_stop_bg(struct ub_ctx* ctx)
|
|||
ub_thread_join(ctx->bg_tid);
|
||||
} else {
|
||||
lock_basic_unlock(&ctx->cfglock);
|
||||
#ifndef UB_ON_WINDOWS
|
||||
if(waitpid(ctx->bg_pid, NULL, 0) == -1) {
|
||||
if(verbosity > 2)
|
||||
log_err("waitpid: %s", strerror(errno));
|
||||
}
|
||||
#endif
|
||||
}
|
||||
}
|
||||
else {
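Review bot: The new `waitpid` call is not retried on `EINTR`, so if the host application installs a signal handler without `SA_RESTART` the background process can be left unreaped and the branch only logs (and only at verbosity > 2) instead of completing the join; looping while `errno == EINTR` closes that gap. The call is also compiled under `#ifndef UB_ON_WINDOWS` while the `<sys/wait.h>` include in the first hunk is guarded by `HAVE_SYS_WAIT_H`, so a non-Windows build without that header would hit an implicit declaration; guarding both with the same condition avoids it. `ub_stop_bg` starts before this hunk.
```c
#if !defined(UB_ON_WINDOWS) && defined(HAVE_SYS_WAIT_H)
		/* reap the forked background process; retry if interrupted */
		while(waitpid(ctx->bg_pid, NULL, 0) == -1) {
			if(errno == EINTR)
				continue;
			if(verbosity > 2)
				log_err("waitpid: %s", strerror(errno));
			break;
		}
#endif
```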
|
||||
|
|
|
@ -136,6 +136,43 @@ create_temp_dir () {
|
|||
cd $temp_dir
|
||||
}
|
||||
|
||||
# pass filename as $1 arg.
|
||||
# creates file.sha1 and file.sha256
|
||||
storehash () {
|
||||
case $OSTYPE in
|
||||
linux*)
|
||||
sha=`sha1sum $1 | awk '{ print $1 }'`
|
||||
sha256=`sha256sum $1 | awk '{ print $1 }'`
|
||||
;;
|
||||
freebsd*)
|
||||
sha=`sha1 $1 | awk '{ print $5 }'`
|
||||
sha256=`sha256 $1 | awk '{ print $5 }'`
|
||||
;;
|
||||
*)
|
||||
# in case $OSTYPE is gone.
|
||||
case `uname` in
|
||||
Linux*)
|
||||
sha=`sha1sum $1 | awk '{ print $1 }'`
|
||||
sha256=`sha256sum $1 | awk '{ print $1 }'`
|
||||
;;
|
||||
FreeBSD*)
|
||||
sha=`sha1 $1 | awk '{ print $5 }'`
|
||||
sha256=`sha256 $1 | awk '{ print $5 }'`
|
||||
;;
|
||||
*)
|
||||
sha=`sha1sum $1 | awk '{ print $1 }'`
|
||||
sha256=`sha256sum $1 | awk '{ print $1 }'`
|
||||
;;
|
||||
esac
|
||||
;;
|
||||
esac
|
||||
echo $sha > $1.sha1
|
||||
echo $sha256 > $1.sha256
|
||||
echo "hash of $1.{sha1,sha256}"
|
||||
echo "sha1 $sha"
|
||||
echo "sha256 $sha256"
|
||||
}
|
||||
|
||||
|
||||
SNAPSHOT="no"
|
||||
RC="no"
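Review bot: `storehash` writes `$1.sha1` and `$1.sha256` even when the hashing tool is missing or fails, because `sha` and `sha256` are simply whatever the backticks captured; an empty digest file beside a release artifact is worse than none, so check before writing: `[ -n "$sha" ] && [ -n "$sha256" ] || error_cleanup "Failed to hash $1"`. `$1` should also be quoted in every `sha1sum $1`, `sha256 $1` and `echo ... > $1.sha1` so a filename with spaces does not split. A digest published next to the download does not authenticate it (whoever can replace the tarball can replace the `.sha256`), so a comment in `storehash` stating that these files complement, not replace, the release signature would help a reader; the script does not show whether signing happens elsewhere.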
|
||||
|
@ -311,6 +348,8 @@ if [ "$DOWIN" = "yes" ]; then
|
|||
mv unbound-$version.zip $cwd/.
|
||||
cleanup
|
||||
fi
|
||||
storehash unbound_setup_$version.exe
|
||||
storehash unbound-$version.zip
|
||||
ls -lG unbound_setup_$version.exe
|
||||
ls -lG unbound-$version.zip
|
||||
info "Done"
|
||||
|
@ -411,36 +450,7 @@ tar czf ../unbound-$version.tar.gz unbound-$version || error_cleanup "Failed to
|
|||
|
||||
cleanup
|
||||
|
||||
case $OSTYPE in
|
||||
linux*)
|
||||
sha=`sha1sum unbound-$version.tar.gz | awk '{ print $1 }'`
|
||||
sha256=`sha256sum unbound-$version.tar.gz | awk '{ print $1 }'`
|
||||
;;
|
||||
freebsd*)
|
||||
sha=`sha1 unbound-$version.tar.gz | awk '{ print $5 }'`
|
||||
sha256=`sha256 unbound-$version.tar.gz | awk '{ print $5 }'`
|
||||
;;
|
||||
*)
|
||||
# in case $OSTYPE is gone.
|
||||
case `uname` in
|
||||
Linux*)
|
||||
sha=`sha1sum unbound-$version.tar.gz | awk '{ print $1 }'`
|
||||
sha256=`sha256sum unbound-$version.tar.gz | awk '{ print $1 }'`
|
||||
;;
|
||||
FreeBSD*)
|
||||
sha=`sha1 unbound-$version.tar.gz | awk '{ print $5 }'`
|
||||
sha256=`sha256 unbound-$version.tar.gz | awk '{ print $5 }'`
|
||||
;;
|
||||
*)
|
||||
sha=`sha1sum unbound-$version.tar.gz | awk '{ print $1 }'`
|
||||
sha256=`sha256sum unbound-$version.tar.gz | awk '{ print $1 }'`
|
||||
;;
|
||||
esac
|
||||
;;
|
||||
esac
|
||||
echo $sha > unbound-$version.tar.gz.sha1
|
||||
echo $sha256 > unbound-$version.tar.gz.sha256
|
||||
storehash unbound-$version.tar.gz
|
||||
|
||||
info "Unbound distribution created successfully."
|
||||
info "SHA1sum: $sha"
|
||||
|
||||
|
|
|
@ -505,7 +505,7 @@ tomsg(struct module_env* env, struct query_info* q, struct reply_info* r,
|
|||
return NULL;
|
||||
if(r->an_numrrsets > 0 && (r->rrsets[0]->rk.type == htons(
|
||||
LDNS_RR_TYPE_CNAME) || r->rrsets[0]->rk.type == htons(
|
||||
LDNS_RR_TYPE_DNAME)) && !reply_check_cname_chain(r)) {
|
||||
LDNS_RR_TYPE_DNAME)) && !reply_check_cname_chain(q, r)) {
|
||||
/* cname chain is now invalid, reconstruct msg */
|
||||
rrset_array_unlock(r->ref, r->rrset_count);
|
||||
return NULL;
|
||||
|
|
|
@ -213,13 +213,11 @@ static const sldns_rdf_type type_eui48_wireformat[] = {
|
|||
static const sldns_rdf_type type_eui64_wireformat[] = {
|
||||
LDNS_RDF_TYPE_EUI64
|
||||
};
|
||||
#ifdef DRAFT_RRTYPES
|
||||
static const sldns_rdf_type type_uri_wireformat[] = {
|
||||
LDNS_RDF_TYPE_INT16,
|
||||
LDNS_RDF_TYPE_INT16,
|
||||
LDNS_RDF_TYPE_LONG_STR
|
||||
};
|
||||
#endif
|
||||
static const sldns_rdf_type type_caa_wireformat[] = {
|
||||
LDNS_RDF_TYPE_INT8,
|
||||
LDNS_RDF_TYPE_TAG,
|
||||
|
@ -590,12 +588,8 @@ static sldns_rr_descriptor rdata_field_descriptors[] = {
|
|||
/* ANY: A request for all (available) records */
|
||||
{LDNS_RR_TYPE_ANY, "ANY", 1, 1, type_0_wireformat, LDNS_RDF_TYPE_NONE, LDNS_RR_NO_COMPRESS, 0 },
|
||||
|
||||
#ifdef DRAFT_RRTYPES
|
||||
/* 256 */
|
||||
{LDNS_RR_TYPE_URI, "URI", 3, 3, type_uri_wireformat, LDNS_RDF_TYPE_NONE, LDNS_RR_NO_COMPRESS, 0 },
|
||||
#else
|
||||
{LDNS_RR_TYPE_NULL, "TYPE256", 1, 1, type_0_wireformat, LDNS_RDF_TYPE_NONE, LDNS_RR_NO_COMPRESS, 0 },
|
||||
#endif
|
||||
/* 257 */
|
||||
{LDNS_RR_TYPE_CAA, "CAA", 3, 3, type_caa_wireformat, LDNS_RDF_TYPE_NONE, LDNS_RR_NO_COMPRESS, 0 },
|
||||
|
||||
|
|
|
@ -220,8 +220,7 @@ enum sldns_enum_rr_type
|
|||
LDNS_RR_TYPE_MAILA = 254,
|
||||
/** any type (wildcard) */
|
||||
LDNS_RR_TYPE_ANY = 255,
|
||||
/** draft-faltstrom-uri-06 */
|
||||
LDNS_RR_TYPE_URI = 256,
|
||||
LDNS_RR_TYPE_URI = 256, /* RFC 7553 */
|
||||
LDNS_RR_TYPE_CAA = 257, /* RFC 6844 */
|
||||
|
||||
/** DNSSEC Trust Authorities */
|
||||
|
|
|
@ -117,6 +117,7 @@
|
|||
#include "config.h"
|
||||
#include "libunbound/unbound.h"
|
||||
#include "sldns/rrdef.h"
|
||||
#include "sldns/parseutil.h"
|
||||
#include <expat.h>
|
||||
#ifndef HAVE_EXPAT_H
|
||||
#error "need libexpat to parse root-anchors.xml file."
|
||||
|
@ -1328,7 +1329,7 @@ xml_convertdate(const char* str)
|
|||
/* but ignore, (lenient) */
|
||||
}
|
||||
|
||||
t = mktime(&tm);
|
||||
t = sldns_mktime_from_utc(&tm);
|
||||
if(t == (time_t)-1) {
|
||||
if(verb) printf("xml_convertdate mktime failure\n");
|
||||
return 0;
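Review bot: The error branch after `sldns_mktime_from_utc` still tests for `(time_t)-1` and prints `xml_convertdate mktime failure`; confirm that the replacement reports failure the same way `mktime` does, and rename the message to the function actually called, e.g. `if(verb) printf("xml_convertdate sldns_mktime_from_utc failure\n");`. `(time_t)-1` is also the legitimate timestamp one second before the epoch, so the sentinel is ambiguous if a parsed date could be that old; presumably root-anchor dates cannot be. `xml_convertdate` starts before this hunk.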
|
||||
|
|
|
@ -161,7 +161,7 @@ setup_ctx(struct config_file* cfg)
|
|||
if(cfg->remote_control_use_cert) {
|
||||
if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3))
|
||||
ssl_err("could not set SSL_OP_NO_SSLv3");
|
||||
if(!SSL_CTX_use_certificate_file(ctx,c_cert,SSL_FILETYPE_PEM) ||
|
||||
if(!SSL_CTX_use_certificate_chain_file(ctx,c_cert) ||
|
||||
!SSL_CTX_use_PrivateKey_file(ctx,c_key,SSL_FILETYPE_PEM)
|
||||
|| !SSL_CTX_check_private_key(ctx))
|
||||
ssl_err("Error setting up SSL_CTX client key and cert");
|
||||
|
|
|
@ -236,12 +236,28 @@ setup_ctx(char* key, char* cert)
|
|||
if(!ctx) print_exit("out of memory");
|
||||
(void)SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
|
||||
(void)SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3);
|
||||
if(!SSL_CTX_use_certificate_file(ctx, cert, SSL_FILETYPE_PEM))
|
||||
if(!SSL_CTX_use_certificate_chain_file(ctx, cert))
|
||||
print_exit("cannot read cert");
|
||||
if(!SSL_CTX_use_PrivateKey_file(ctx, key, SSL_FILETYPE_PEM))
|
||||
print_exit("cannot read key");
|
||||
if(!SSL_CTX_check_private_key(ctx))
|
||||
print_exit("private key is not correct");
|
||||
#if HAVE_DECL_SSL_CTX_SET_ECDH_AUTO
|
||||
if (!SSL_CTX_set_ecdh_auto(ctx,1))
|
||||
if(verb>=1) printf("failed to set_ecdh_auto, not enabling ECDHE\n");
|
||||
#elif defined(USE_ECDSA)
|
||||
if(1) {
|
||||
EC_KEY *ecdh = EC_KEY_new_by_curve_name (NID_X9_62_prime256v1);
|
||||
if (!ecdh) {
|
||||
if(verb>=1) printf("could not find p256, not enabling ECDHE\n");
|
||||
} else {
|
||||
if (1 != SSL_CTX_set_tmp_ecdh (ctx, ecdh)) {
|
||||
if(verb>=1) printf("Error in SSL_CTX_set_tmp_ecdh, not enabling ECDHE\n");
|
||||
}
|
||||
EC_KEY_free(ecdh);
|
||||
}
|
||||
}
|
||||
#endif
|
||||
if(!SSL_CTX_load_verify_locations(ctx, cert, NULL))
|
||||
print_exit("cannot load cert verify locations");
|
||||
return ctx;
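Review bot: `if (!SSL_CTX_set_ecdh_auto(ctx,1)) if(verb>=1) printf(...)` nests two unbraced `if`s, the classic dangling-if shape; brace the outer one: `if(!SSL_CTX_set_ecdh_auto(ctx, 1)) { if(verb>=1) printf("failed to set_ecdh_auto, not enabling ECDHE\n"); }`. The `if(1) {` in the `USE_ECDSA` branch only opens a scope for the `EC_KEY` declaration and could be a bare block. As in the daemon, `SSL_CTX_load_verify_locations(ctx, cert, NULL)` reuses the now chain-capable `cert` file as the client trust store, so any intermediate placed in it becomes a trusted issuer of client certificates; worth a comment if that is intended. `setup_ctx` starts before this hunk.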
|
||||
|
|
|
@ -1,161 +0,0 @@
|
|||
; This is a comment.
|
||||
; config options go here.
|
||||
forward-zone: name: "." forward-addr: 216.0.0.1
|
||||
CONFIG_END
|
||||
|
||||
SCENARIO_BEGIN Test query and cache with type ANY
|
||||
RANGE_BEGIN 0 1000
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR RD RA NOERROR
|
||||
SECTION QUESTION
|
||||
www.example.com. IN A
|
||||
SECTION ANSWER
|
||||
www.example.com. IN A 10.20.30.40
|
||||
SECTION AUTHORITY
|
||||
www.example.com. IN NS ns.example.com.
|
||||
SECTION ADDITIONAL
|
||||
ns.example.com. IN A 10.20.30.50
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR RD RA NOERROR
|
||||
SECTION QUESTION
|
||||
www.example.com. IN ANY
|
||||
SECTION ANSWER
|
||||
;; different type in this answer.
|
||||
www.example.com. IN TXT "text"
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR RD RA NOERROR
|
||||
SECTION QUESTION
|
||||
www.example.com. IN AAAA
|
||||
SECTION ANSWER
|
||||
www.example.com. IN AAAA ::5
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qname qtype
|
||||
ADJUST copy_id
|
||||
REPLY QR RD RA NOERROR
|
||||
SECTION QUESTION
|
||||
www.foo.com. IN ANY
|
||||
SECTION ANSWER
|
||||
www.foo.com. IN A 1.2.3.77
|
||||
www.foo.com. IN AAAA ::77
|
||||
ENTRY_END
|
||||
|
||||
RANGE_END
|
||||
|
||||
STEP 10 QUERY
|
||||
ENTRY_BEGIN
|
||||
REPLY RD
|
||||
SECTION QUESTION
|
||||
www.example.com. IN A
|
||||
ENTRY_END
|
||||
; unneccesary nothing steps.
|
||||
STEP 20 NOTHING
|
||||
STEP 30 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qname qtype
|
||||
SECTION QUESTION
|
||||
www.example.com. IN A
|
||||
SECTION ANSWER
|
||||
www.example.com. IN A 10.20.30.40
|
||||
ENTRY_END
|
||||
|
||||
; test cache synthesis
|
||||
STEP 40 QUERY
|
||||
ENTRY_BEGIN
|
||||
REPLY RD
|
||||
SECTION QUESTION
|
||||
www.example.com. IN ANY
|
||||
ENTRY_END
|
||||
STEP 50 NOTHING
|
||||
STEP 60 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qname qtype
|
||||
SECTION QUESTION
|
||||
www.example.com. IN ANY
|
||||
SECTION ANSWER
|
||||
www.example.com. IN A 10.20.30.40
|
||||
ENTRY_END
|
||||
|
||||
; and again
|
||||
; the synthesized result itself is not added to the cache
|
||||
STEP 62 QUERY
|
||||
ENTRY_BEGIN
|
||||
REPLY RD
|
||||
SECTION QUESTION
|
||||
www.example.com. IN ANY
|
||||
ENTRY_END
|
||||
STEP 63 NOTHING
|
||||
STEP 64 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qname qtype
|
||||
SECTION QUESTION
|
||||
www.example.com. IN ANY
|
||||
SECTION ANSWER
|
||||
www.example.com. IN A 10.20.30.40
|
||||
ENTRY_END
|
||||
|
||||
; AAAA lookup to add more data in cache
|
||||
STEP 70 QUERY
|
||||
ENTRY_BEGIN
|
||||
REPLY RD
|
||||
SECTION QUESTION
|
||||
www.example.com. IN AAAA
|
||||
ENTRY_END
|
||||
STEP 80 NOTHING
|
||||
STEP 90 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qname qtype
|
||||
SECTION QUESTION
|
||||
www.example.com. IN AAAA
|
||||
SECTION ANSWER
|
||||
www.example.com. IN AAAA ::5
|
||||
ENTRY_END
|
||||
|
||||
; test cache synthesis of AAAA, and two rrsets.
|
||||
STEP 100 QUERY
|
||||
ENTRY_BEGIN
|
||||
REPLY RD
|
||||
SECTION QUESTION
|
||||
www.example.com. IN ANY
|
||||
ENTRY_END
|
||||
STEP 110 NOTHING
|
||||
STEP 120 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qname qtype
|
||||
SECTION QUESTION
|
||||
www.example.com. IN ANY
|
||||
SECTION ANSWER
|
||||
www.example.com. IN A 10.20.30.40
|
||||
www.example.com. IN AAAA ::5
|
||||
ENTRY_END
|
||||
|
||||
; test query that is not synthesized from cache.
|
||||
STEP 130 QUERY
|
||||
ENTRY_BEGIN
|
||||
REPLY RD
|
||||
SECTION QUESTION
|
||||
www.foo.com. IN ANY
|
||||
ENTRY_END
|
||||
STEP 140 NOTHING
|
||||
STEP 150 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qname qtype
|
||||
SECTION QUESTION
|
||||
www.foo.com. IN ANY
|
||||
SECTION ANSWER
|
||||
www.foo.com. IN A 1.2.3.77
|
||||
www.foo.com. IN AAAA ::77
|
||||
ENTRY_END
|
||||
|
||||
SCENARIO_END
|
|
@ -1,273 +0,0 @@
|
|||
; config options
|
||||
server:
|
||||
target-fetch-policy: "0 0 0 0 0"
|
||||
|
||||
stub-zone:
|
||||
name: "."
|
||||
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
|
||||
CONFIG_END
|
||||
|
||||
SCENARIO_BEGIN Test resolver with a domain sale
|
||||
; and the old operator is nasty, keeps running his server with the old data.
|
||||
; and lots of lookups keep going towards the domain.
|
||||
; eventually, the NS record has to timeout.
|
||||
|
||||
; K.ROOT-SERVERS.NET.
|
||||
RANGE_BEGIN 0 100
|
||||
ADDRESS 193.0.14.129
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
. IN NS
|
||||
SECTION ANSWER
|
||||
. IN NS K.ROOT-SERVERS.NET.
|
||||
SECTION ADDITIONAL
|
||||
K.ROOT-SERVERS.NET. IN A 193.0.14.129
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode subdomain
|
||||
ADJUST copy_id copy_query
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
com. IN A
|
||||
SECTION AUTHORITY
|
||||
com. IN NS a.gtld-servers.net.
|
||||
SECTION ADDITIONAL
|
||||
a.gtld-servers.net. IN A 192.5.6.30
|
||||
ENTRY_END
|
||||
RANGE_END
|
||||
|
||||
; a.gtld-servers.net. (before sale of domain)
|
||||
RANGE_BEGIN 0 20
|
||||
ADDRESS 192.5.6.30
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
com. IN NS
|
||||
SECTION ANSWER
|
||||
com. IN NS a.gtld-servers.net.
|
||||
SECTION ADDITIONAL
|
||||
a.gtld-servers.net. IN A 192.5.6.30
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode subdomain
|
||||
ADJUST copy_id copy_query
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
example.com. IN A
|
||||
SECTION AUTHORITY
|
||||
example.com. IN NS ns.example.com.
|
||||
SECTION ADDITIONAL
|
||||
ns.example.com. IN A 1.2.3.4
|
||||
ENTRY_END
|
||||
RANGE_END
|
||||
|
||||
; a.gtld-servers.net. (after sale of domain)
|
||||
RANGE_BEGIN 30 200
|
||||
ADDRESS 192.5.6.30
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
com. IN NS
|
||||
SECTION ANSWER
|
||||
com. IN NS a.gtld-servers.net.
|
||||
SECTION ADDITIONAL
|
||||
a.gtld-servers.net. IN A 192.5.6.30
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode subdomain
|
||||
ADJUST copy_id copy_query
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
example.com. IN A
|
||||
SECTION AUTHORITY
|
||||
example.com. IN NS ns.example.com.
|
||||
SECTION ADDITIONAL
|
||||
ns.example.com. IN A 8.8.8.8
|
||||
ENTRY_END
|
||||
RANGE_END
|
||||
|
||||
; ns.example.com. first owner
|
||||
RANGE_BEGIN 0 200
|
||||
ADDRESS 1.2.3.4
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR AA NOERROR
|
||||
SECTION QUESTION
|
||||
example.com. IN NS
|
||||
SECTION ANSWER
|
||||
example.com. IN NS ns.example.com.
|
||||
SECTION ADDITIONAL
|
||||
ns.example.com. IN A 1.2.3.4
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qname
|
||||
ADJUST copy_id copy_query
|
||||
REPLY QR AA NOERROR
|
||||
SECTION QUESTION
|
||||
www.example.com. IN A
|
||||
SECTION ANSWER
|
||||
www.example.com. 3600 IN A 10.20.30.40
|
||||
SECTION AUTHORITY
|
||||
example.com. 3600 IN NS ns.example.com.
|
||||
SECTION ADDITIONAL
|
||||
ns.example.com. 3600 IN A 1.2.3.4
|
||||
ENTRY_END
|
||||
|
||||
; nxdomains for any name,type
|
||||
; last in RANGE so that it matches everything left over.
|
||||
; it includes the NS record.
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode
|
||||
ADJUST copy_id copy_query
|
||||
REPLY QR AA NXDOMAIN
|
||||
SECTION QUESTION
|
||||
www.example.com. IN A
|
||||
SECTION ANSWER
|
||||
SECTION AUTHORITY
|
||||
example.com. 3600 IN SOA a. b. 1 2 3 4 5
|
||||
example.com. 3600 IN NS ns.example.com.
|
||||
SECTION ADDITIONAL
|
||||
ns.example.com. 3600 IN A 1.2.3.4
|
||||
ENTRY_END
|
||||
RANGE_END
|
||||
|
||||
; ns.example.com. new owner
|
||||
RANGE_BEGIN 0 200
|
||||
ADDRESS 8.8.8.8
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR AA NOERROR
|
||||
SECTION QUESTION
|
||||
example.com. IN NS
|
||||
SECTION ANSWER
|
||||
example.com. IN NS ns.example.com.
|
||||
SECTION ADDITIONAL
|
||||
ns.example.com. IN A 8.8.8.8
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR AA NOERROR
|
||||
SECTION QUESTION
|
||||
www.example.com. IN A
|
||||
SECTION ANSWER
|
||||
www.example.com. 3600 IN A 88.88.88.88
|
||||
SECTION AUTHORITY
|
||||
example.com. 3600 IN NS ns.example.com.
|
||||
SECTION ADDITIONAL
|
||||
ns.example.com. 3600 IN A 8.8.8.8
|
||||
ENTRY_END
|
||||
RANGE_END
|
||||
|
||||
; Fetch the old record from the old owner.
|
||||
STEP 1 QUERY
|
||||
ENTRY_BEGIN
|
||||
REPLY RD
|
||||
SECTION QUESTION
|
||||
www.example.com. IN A
|
||||
ENTRY_END
|
||||
; recursion happens here.
|
||||
STEP 5 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH all ttl
|
||||
REPLY QR RD RA NOERROR
|
||||
SECTION QUESTION
|
||||
www.example.com. IN A
|
||||
SECTION ANSWER
|
||||
www.example.com. 3600 IN A 10.20.30.40
|
||||
SECTION AUTHORITY
|
||||
example.com. 3600 IN NS ns.example.com.
|
||||
SECTION ADDITIONAL
|
||||
ns.example.com. 3600 IN A 1.2.3.4
|
||||
ENTRY_END
|
||||
|
||||
; the domain is sold (right at this time).
|
||||
; but the information stays in the cache.
|
||||
|
||||
; after 1800 secs still the cached answer
|
||||
STEP 20 TIME_PASSES ELAPSE 1800
|
||||
|
||||
STEP 30 QUERY
|
||||
ENTRY_BEGIN
|
||||
REPLY RD
|
||||
SECTION QUESTION
|
||||
www.example.com. IN A
|
||||
ENTRY_END
|
||||
; recursion happens here.
|
||||
STEP 40 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH all ttl
|
||||
REPLY QR RD RA NOERROR
|
||||
SECTION QUESTION
|
||||
www.example.com. IN A
|
||||
SECTION ANSWER
|
||||
www.example.com. 1800 IN A 10.20.30.40
|
||||
SECTION AUTHORITY
|
||||
example.com. 1800 IN NS ns.example.com.
|
||||
SECTION ADDITIONAL
|
||||
ns.example.com. 1800 IN A 1.2.3.4
|
||||
ENTRY_END
|
||||
|
||||
; and ask another query
|
||||
STEP 50 QUERY
|
||||
ENTRY_BEGIN
|
||||
REPLY RD
|
||||
SECTION QUESTION
|
||||
nx1.example.com. IN A
|
||||
ENTRY_END
|
||||
; recursion happens here.
|
||||
STEP 60 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH all ttl
|
||||
REPLY QR RD RA NXDOMAIN
|
||||
SECTION QUESTION
|
||||
nx1.example.com. IN A
|
||||
SECTION ANSWER
|
||||
SECTION AUTHORITY
|
||||
; at TTL 5 because TTL is capped at min-ttl of 5 in rdata of SOA
|
||||
example.com. 5 IN SOA a. b. 1 2 3 4 5
|
||||
example.com. 1800 IN NS ns.example.com.
|
||||
SECTION ADDITIONAL
|
||||
ns.example.com. 1800 IN A 1.2.3.4
|
||||
ENTRY_END
|
||||
|
||||
; after another 1900 seconds the domain must have timed out.
|
||||
STEP 70 TIME_PASSES ELAPSE 1900
|
||||
|
||||
; the NS record should have timed out.
|
||||
STEP 80 QUERY
|
||||
ENTRY_BEGIN
|
||||
REPLY RD
|
||||
SECTION QUESTION
|
||||
www.example.com. IN A
|
||||
ENTRY_END
|
||||
; recursion happens here.
|
||||
STEP 90 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH all ttl
|
||||
REPLY QR RD RA NOERROR
|
||||
SECTION QUESTION
|
||||
www.example.com. IN A
|
||||
SECTION ANSWER
|
||||
www.example.com. 3600 IN A 88.88.88.88
|
||||
SECTION AUTHORITY
|
||||
example.com. 3600 IN NS ns.example.com.
|
||||
SECTION ADDITIONAL
|
||||
ns.example.com. 3600 IN A 8.8.8.8
|
||||
ENTRY_END
|
||||
|
||||
SCENARIO_END
|
|
@ -1,342 +0,0 @@
|
|||
; config options
|
||||
server:
|
||||
target-fetch-policy: "0 0 0 0 0"
|
||||
|
||||
stub-zone:
|
||||
name: "."
|
||||
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
|
||||
CONFIG_END
|
||||
|
||||
SCENARIO_BEGIN Test resolver with a domain sale and NS changes
|
||||
; and the old operator is nasty, keeps running his server with the old data.
|
||||
; and lots of lookups keep going towards the domain.
|
||||
; and the old server is changing the NS record of the old domain.
|
||||
|
||||
; K.ROOT-SERVERS.NET.
|
||||
RANGE_BEGIN 0 100
|
||||
ADDRESS 193.0.14.129
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
. IN NS
|
||||
SECTION ANSWER
|
||||
. IN NS K.ROOT-SERVERS.NET.
|
||||
SECTION ADDITIONAL
|
||||
K.ROOT-SERVERS.NET. IN A 193.0.14.129
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode subdomain
|
||||
ADJUST copy_id copy_query
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
com. IN A
|
||||
SECTION AUTHORITY
|
||||
com. IN NS a.gtld-servers.net.
|
||||
SECTION ADDITIONAL
|
||||
a.gtld-servers.net. IN A 192.5.6.30
|
||||
ENTRY_END
|
||||
RANGE_END
|
||||
|
||||
; a.gtld-servers.net. (before sale of domain)
|
||||
RANGE_BEGIN 0 20
|
||||
ADDRESS 192.5.6.30
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
com. IN NS
|
||||
SECTION ANSWER
|
||||
com. IN NS a.gtld-servers.net.
|
||||
SECTION ADDITIONAL
|
||||
a.gtld-servers.net. IN A 192.5.6.30
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode subdomain
|
||||
ADJUST copy_id copy_query
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
example.com. IN A
|
||||
SECTION AUTHORITY
|
||||
example.com. IN NS ns.example.com.
|
||||
SECTION ADDITIONAL
|
||||
ns.example.com. IN A 1.2.3.4
|
||||
ENTRY_END
|
||||
RANGE_END
|
||||
|
||||
; a.gtld-servers.net. (after sale of domain)
|
||||
RANGE_BEGIN 30 200
|
||||
ADDRESS 192.5.6.30
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
com. IN NS
|
||||
SECTION ANSWER
|
||||
com. IN NS a.gtld-servers.net.
|
||||
SECTION ADDITIONAL
|
||||
a.gtld-servers.net. IN A 192.5.6.30
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode subdomain
|
||||
ADJUST copy_id copy_query
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
example.com. IN A
|
||||
SECTION AUTHORITY
|
||||
example.com. IN NS ns.example.com.
|
||||
SECTION ADDITIONAL
|
||||
ns.example.com. IN A 8.8.8.8
|
||||
ENTRY_END
|
||||
RANGE_END
|
||||
|
||||
; ns.example.com. first owner
|
||||
RANGE_BEGIN 0 30
|
||||
ADDRESS 1.2.3.4
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR AA NOERROR
|
||||
SECTION QUESTION
|
||||
example.com. IN NS
|
||||
SECTION ANSWER
|
||||
example.com. IN NS ns.example.com.
|
||||
SECTION ADDITIONAL
|
||||
ns.example.com. IN A 1.2.3.4
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qname
|
||||
ADJUST copy_id copy_query
|
||||
REPLY QR AA NOERROR
|
||||
SECTION QUESTION
|
||||
www.example.com. IN A
|
||||
SECTION ANSWER
|
||||
www.example.com. 3600 IN A 10.20.30.40
|
||||
SECTION AUTHORITY
|
||||
example.com. 3600 IN NS ns.example.com.
|
||||
SECTION ADDITIONAL
|
||||
ns.example.com. 3600 IN A 1.2.3.4
|
||||
ENTRY_END
|
||||
|
||||
; nxdomains for any name,type
|
||||
; last in RANGE so that it matches everything left over.
|
||||
; it includes the NS record.
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode
|
||||
ADJUST copy_id copy_query
|
||||
REPLY QR AA NXDOMAIN
|
||||
SECTION QUESTION
|
||||
www.example.com. IN A
|
||||
SECTION ANSWER
|
||||
SECTION AUTHORITY
|
||||
example.com. 3600 IN SOA a. b. 1 2 3 4 5
|
||||
example.com. 3600 IN NS ns.example.com.
|
||||
SECTION ADDITIONAL
|
||||
ns.example.com. 3600 IN A 1.2.3.4
|
||||
ENTRY_END
|
||||
RANGE_END
|
||||
|
||||
; ns.example.com. first owner, NS changed
|
||||
RANGE_BEGIN 40 200
|
||||
ADDRESS 1.2.3.4
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR AA NOERROR
|
||||
SECTION QUESTION
|
||||
example.com. IN NS
|
||||
SECTION ANSWER
|
||||
example.com. IN NS nsb.example.com.
|
||||
SECTION ADDITIONAL
|
||||
nsb.example.com. IN A 1.2.3.4
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qname
|
||||
ADJUST copy_id copy_query
|
||||
REPLY QR AA NOERROR
|
||||
SECTION QUESTION
|
||||
www.example.com. IN A
|
||||
SECTION ANSWER
|
||||
www.example.com. 3600 IN A 10.20.30.40
|
||||
SECTION AUTHORITY
|
||||
example.com. 3600 IN NS nsb.example.com.
|
||||
SECTION ADDITIONAL
|
||||
nsb.example.com. 3600 IN A 1.2.3.4
|
||||
ENTRY_END
|
||||
|
||||
; nxdomains for any name,type
|
||||
; last in RANGE so that it matches everything left over.
|
||||
; it includes the NS record.
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode
|
||||
ADJUST copy_id copy_query
|
||||
REPLY QR AA NXDOMAIN
|
||||
SECTION QUESTION
|
||||
www.example.com. IN A
|
||||
SECTION ANSWER
|
||||
SECTION AUTHORITY
|
||||
example.com. 3600 IN SOA a. b. 1 2 3 4 5
|
||||
example.com. 3600 IN NS nsb.example.com.
|
||||
SECTION ADDITIONAL
|
||||
nsb.example.com. 3600 IN A 1.2.3.4
|
||||
ENTRY_END
|
||||
RANGE_END
|
||||
|
||||
; ns.example.com. new owner
|
||||
RANGE_BEGIN 0 200
|
||||
ADDRESS 8.8.8.8
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR AA NOERROR
|
||||
SECTION QUESTION
|
||||
example.com. IN NS
|
||||
SECTION ANSWER
|
||||
example.com. IN NS ns.example.com.
|
||||
SECTION ADDITIONAL
|
||||
ns.example.com. IN A 8.8.8.8
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR AA NOERROR
|
||||
SECTION QUESTION
|
||||
www.example.com. IN A
|
||||
SECTION ANSWER
|
||||
www.example.com. 3600 IN A 88.88.88.88
|
||||
SECTION AUTHORITY
|
||||
example.com. 3600 IN NS ns.example.com.
|
||||
SECTION ADDITIONAL
|
||||
ns.example.com. 3600 IN A 8.8.8.8
|
||||
ENTRY_END
|
||||
RANGE_END
|
||||
|
||||
; Fetch the old record from the old owner.
|
||||
STEP 1 QUERY
|
||||
ENTRY_BEGIN
|
||||
REPLY RD
|
||||
SECTION QUESTION
|
||||
www.example.com. IN A
|
||||
ENTRY_END
|
||||
; recursion happens here.
|
||||
STEP 5 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH all ttl
|
||||
REPLY QR RD RA NOERROR
|
||||
SECTION QUESTION
|
||||
www.example.com. IN A
|
||||
SECTION ANSWER
|
||||
www.example.com. 3600 IN A 10.20.30.40
|
||||
SECTION AUTHORITY
|
||||
example.com. 3600 IN NS ns.example.com.
|
||||
SECTION ADDITIONAL
|
||||
ns.example.com. 3600 IN A 1.2.3.4
|
||||
ENTRY_END
|
||||
|
||||
; the domain is sold (right at this time).
|
||||
; but the information stays in the cache.
|
||||
|
||||
; after 1800 secs still the cached answer
|
||||
STEP 20 TIME_PASSES ELAPSE 1800
|
||||
|
||||
STEP 30 QUERY
|
||||
ENTRY_BEGIN
|
||||
REPLY RD
|
||||
SECTION QUESTION
|
||||
www.example.com. IN A
|
||||
ENTRY_END
|
||||
; recursion happens here.
|
||||
STEP 40 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH all ttl
|
||||
REPLY QR RD RA NOERROR
|
||||
SECTION QUESTION
|
||||
www.example.com. IN A
|
||||
SECTION ANSWER
|
||||
www.example.com. 1800 IN A 10.20.30.40
|
||||
SECTION AUTHORITY
|
||||
example.com. 1800 IN NS ns.example.com.
|
||||
SECTION ADDITIONAL
|
||||
ns.example.com. 1800 IN A 1.2.3.4
|
||||
ENTRY_END
|
||||
|
||||
; and ask another query
|
||||
STEP 50 QUERY
|
||||
ENTRY_BEGIN
|
||||
REPLY RD
|
||||
SECTION QUESTION
|
||||
nx1.example.com. IN A
|
||||
ENTRY_END
|
||||
; recursion happens here.
|
||||
STEP 60 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH all ttl
|
||||
REPLY QR RD RA NXDOMAIN
|
||||
SECTION QUESTION
|
||||
nx1.example.com. IN A
|
||||
SECTION ANSWER
|
||||
SECTION AUTHORITY
|
||||
; at TTL 5 because TTL capped at ttl of minttl in rdata of SOA.
|
||||
example.com. 5 IN SOA a. b. 1 2 3 4 5
|
||||
example.com. 3600 IN NS nsb.example.com.
|
||||
SECTION ADDITIONAL
|
||||
nsb.example.com. 3600 IN A 1.2.3.4
|
||||
ENTRY_END
|
||||
|
||||
STEP 62 QUERY
|
||||
ENTRY_BEGIN
|
||||
REPLY RD
|
||||
SECTION QUESTION
|
||||
nx1.example.com. IN A
|
||||
ENTRY_END
|
||||
; recursion happens here.
|
||||
STEP 63 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH all ttl
|
||||
REPLY QR RD RA NXDOMAIN
|
||||
SECTION QUESTION
|
||||
nx1.example.com. IN A
|
||||
SECTION ANSWER
|
||||
SECTION AUTHORITY
|
||||
; at TTL 5 because TTL capped at ttl of minttl in rdata of SOA.
|
||||
example.com. 5 IN SOA a. b. 1 2 3 4 5
|
||||
example.com. 1800 IN NS nsb.example.com.
|
||||
SECTION ADDITIONAL
|
||||
nsb.example.com. 3600 IN A 1.2.3.4
|
||||
ENTRY_END
|
||||
|
||||
; after another 1900 seconds the domain must have timed out.
|
||||
STEP 70 TIME_PASSES ELAPSE 1900
|
||||
|
||||
; the NS record should have timed out.
|
||||
STEP 80 QUERY
|
||||
ENTRY_BEGIN
|
||||
REPLY RD
|
||||
SECTION QUESTION
|
||||
www.example.com. IN A
|
||||
ENTRY_END
|
||||
; recursion happens here.
|
||||
STEP 90 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH all ttl
|
||||
REPLY QR RD RA NOERROR
|
||||
SECTION QUESTION
|
||||
www.example.com. IN A
|
||||
SECTION ANSWER
|
||||
www.example.com. 3600 IN A 88.88.88.88
|
||||
SECTION AUTHORITY
|
||||
example.com. 3600 IN NS ns.example.com.
|
||||
SECTION ADDITIONAL
|
||||
ns.example.com. 3600 IN A 8.8.8.8
|
||||
ENTRY_END
|
||||
|
||||
SCENARIO_END
|
|
@ -1,151 +0,0 @@
|
|||
; config options
|
||||
; The island of trust is at example.com
|
||||
server:
|
||||
trust-anchor: "example.com. 3600 IN DS 2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
|
||||
val-override-date: "20070916134226"
|
||||
target-fetch-policy: "0 0 0 0 0"
|
||||
|
||||
stub-zone:
|
||||
name: "."
|
||||
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
|
||||
CONFIG_END
|
||||
|
||||
SCENARIO_BEGIN Test validator with spurious unsigned NS in auth section
|
||||
|
||||
; K.ROOT-SERVERS.NET.
|
||||
RANGE_BEGIN 0 100
|
||||
ADDRESS 193.0.14.129
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
. IN NS
|
||||
SECTION ANSWER
|
||||
. IN NS K.ROOT-SERVERS.NET.
|
||||
SECTION ADDITIONAL
|
||||
K.ROOT-SERVERS.NET. IN A 193.0.14.129
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
www.example.com. IN A
|
||||
SECTION AUTHORITY
|
||||
com. IN NS a.gtld-servers.net.
|
||||
SECTION ADDITIONAL
|
||||
a.gtld-servers.net. IN A 192.5.6.30
|
||||
ENTRY_END
|
||||
RANGE_END
|
||||
|
||||
; a.gtld-servers.net.
|
||||
RANGE_BEGIN 0 100
|
||||
ADDRESS 192.5.6.30
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
com. IN NS
|
||||
SECTION ANSWER
|
||||
com. IN NS a.gtld-servers.net.
|
||||
SECTION ADDITIONAL
|
||||
a.gtld-servers.net. IN A 192.5.6.30
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
www.example.com. IN A
|
||||
SECTION AUTHORITY
|
||||
example.com. IN NS ns.example.com.
|
||||
SECTION ADDITIONAL
|
||||
ns.example.com. IN A 1.2.3.4
|
||||
ENTRY_END
|
||||
RANGE_END
|
||||
|
||||
; ns.example.com.
|
||||
RANGE_BEGIN 0 100
|
||||
ADDRESS 1.2.3.4
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
example.com. IN NS
|
||||
SECTION ANSWER
|
||||
example.com. IN NS ns.example.com.
|
||||
example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
|
||||
SECTION ADDITIONAL
|
||||
ns.example.com. IN A 1.2.3.4
|
||||
ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
|
||||
ENTRY_END
|
||||
|
||||
; response to DNSKEY priming query
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
example.com. IN DNSKEY
|
||||
SECTION ANSWER
|
||||
example.com. 3600 IN DNSKEY 256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}
|
||||
example.com. 3600 IN RRSIG DNSKEY 3 2 3600 20070926134802 20070829134802 2854 example.com. MCwCFG1yhRNtTEa3Eno2zhVVuy2EJX3wAhQeLyUp6+UXcpC5qGNu9tkrTEgPUg== ;{id = 2854}
|
||||
SECTION AUTHORITY
|
||||
example.com. IN NS ns.example.com.
|
||||
example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
|
||||
SECTION ADDITIONAL
|
||||
ns.example.com. IN A 1.2.3.4
|
||||
ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
|
||||
ENTRY_END
|
||||
|
||||
; response to query of interest
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
www.example.com. IN A
|
||||
SECTION ANSWER
|
||||
www.example.com. IN A 10.20.30.40
|
||||
ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCQMyTjn7WWwpwAR1LlVeLpRgZGuQIUCcJDEkwAuzytTDRlYK7nIMwH1CM= ;{id = 2854}
|
||||
SECTION AUTHORITY
|
||||
example.com. IN NS ns.example.com.
|
||||
;example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
|
||||
SECTION ADDITIONAL
|
||||
ns.example.com. IN A 1.2.3.4
|
||||
www.example.com. 3600 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFC99iE9K5y2WNgI0gFvBWaTi9wm6AhUAoUqOpDtG5Zct+Qr9F3mSdnbc6V4= ;{id = 2854}
|
||||
ENTRY_END
|
||||
RANGE_END
|
||||
|
||||
STEP 1 QUERY
|
||||
ENTRY_BEGIN
|
||||
REPLY RD DO
|
||||
SECTION QUESTION
|
||||
www.example.com. IN A
|
||||
ENTRY_END
|
||||
|
||||
; recursion happens here.
|
||||
STEP 10 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH all
|
||||
REPLY QR RD RA AD DO NOERROR
|
||||
SECTION QUESTION
|
||||
www.example.com. IN A
|
||||
SECTION ANSWER
|
||||
www.example.com. IN A 10.20.30.40
|
||||
www.example.com. 3600 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFC99iE9K5y2WNgI0gFvBWaTi9wm6AhUAoUqOpDtG5Zct+Qr9F3mSdnbc6V4= ;{id = 2854}
|
||||
SECTION AUTHORITY
|
||||
; removed by spurious NS record removal code
|
||||
;;example.com. IN NS ns.example.com.
|
||||
;;example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
|
||||
SECTION ADDITIONAL
|
||||
ns.example.com. IN A 1.2.3.4
|
||||
ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCQMyTjn7WWwpwAR1LlVeLpRgZGuQIUCcJDEkwAuzytTDRlYK7nIMwH1CM= ;{id = 2854}
|
||||
ENTRY_END
|
||||
|
||||
SCENARIO_END
|
|
@ -1,182 +0,0 @@
|
|||
; config options
|
||||
; The island of trust is at example.com
|
||||
server:
|
||||
trust-anchor: "example.com. 3600 IN DNSKEY 256 3 3 ALXLUsWqUrY3JYER3T4TBJIIs70j+sDS/UT2QRp61SE7S3EEXopNXoFE73JLRmvpi/UrOO/Vz4Se6wXv/CYCKjGw06U4WRgRYXcpEhJROyNapmdIKSxhOzfLVE1gqA0PweZR8dtY3aNQSRn3sPpwJr6Mi/PqQKAMMrZ9ckJpf1+bQMOOvxgzz2U1GS18b3yZKcgTMEaJzd/GZYzi/BN2DzQ0MsrSwYXfsNLFOBbs8PJMW4LYIxeeOe6rUgkWOF7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}"
|
||||
trust-anchor: "example.com. 3600 IN DS 30899 5 1 d4bf9d2e10f6d76840d42ef5913022abcd0bf512"
|
||||
val-override-date: "20070916134226"
|
||||
target-fetch-policy: "0 0 0 0 0"
|
||||
harden-algo-downgrade: no
|
||||
|
||||
stub-zone:
|
||||
name: "."
|
||||
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
|
||||
CONFIG_END
|
||||
|
||||
SCENARIO_BEGIN Test validator with multiple algorithm trust anchor without harden
|
||||
|
||||
; K.ROOT-SERVERS.NET.
|
||||
RANGE_BEGIN 0 100
|
||||
ADDRESS 193.0.14.129
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
. IN NS
|
||||
SECTION ANSWER
|
||||
. IN NS K.ROOT-SERVERS.NET.
|
||||
SECTION ADDITIONAL
|
||||
K.ROOT-SERVERS.NET. IN A 193.0.14.129
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
www.example.com. IN A
|
||||
SECTION AUTHORITY
|
||||
com. IN NS a.gtld-servers.net.
|
||||
SECTION ADDITIONAL
|
||||
a.gtld-servers.net. IN A 192.5.6.30
|
||||
ENTRY_END
|
||||
RANGE_END
|
||||
|
||||
; a.gtld-servers.net.
|
||||
RANGE_BEGIN 0 100
|
||||
ADDRESS 192.5.6.30
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
com. IN NS
|
||||
SECTION ANSWER
|
||||
com. IN NS a.gtld-servers.net.
|
||||
SECTION ADDITIONAL
|
||||
a.gtld-servers.net. IN A 192.5.6.30
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
www.example.com. IN A
|
||||
SECTION AUTHORITY
|
||||
example.com. IN NS ns.example.com.
|
||||
SECTION ADDITIONAL
|
||||
ns.example.com. IN A 1.2.3.4
|
||||
ENTRY_END
|
||||
RANGE_END
|
||||
|
||||
; ns.example.com.
|
||||
RANGE_BEGIN 0 100
|
||||
ADDRESS 1.2.3.4
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
example.com. IN NS
|
||||
SECTION ANSWER
|
||||
example.com. IN NS ns.example.com.
|
||||
example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
|
||||
example.com. 3600 IN RRSIG NS 5 2 3600 20070926134150 20070829134150 30899 example.com. YTqtYba73HIOQuPr5oDyIX9pfmz1ybEBjwlD/jUgcPmFINUOZ9FeqG6ywgRKwn4AizkKTK00p1sxZYMKxl91wg== ;{id = 30899}
|
||||
SECTION ADDITIONAL
|
||||
ns.example.com. IN A 1.2.3.4
|
||||
ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
|
||||
ns.example.com. 3600 IN RRSIG A 5 3 3600 20070926134150 20070829134150 30899 example.com. Dn1ziMKrc3NdJkSv8g61Y9WNk3+BAuwCwnYzAZiHmkejkSCPViLJN7+f4Conp9l8LkTl50ZnLgoYrrUYNhMj6w== ;{id = 30899}
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR AA NOERROR
|
||||
SECTION QUESTION
|
||||
ns.example.com. IN AAAA
|
||||
SECTION ANSWER
|
||||
SECTION AUTHORITY
|
||||
example.com. IN NS ns.example.com.
|
||||
example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
|
||||
example.com. 3600 IN RRSIG NS 5 2 3600 20070926134150 20070829134150 30899 example.com. YTqtYba73HIOQuPr5oDyIX9pfmz1ybEBjwlD/jUgcPmFINUOZ9FeqG6ywgRKwn4AizkKTK00p1sxZYMKxl91wg== ;{id = 30899}
|
||||
SECTION ADDITIONAL
|
||||
ns.example.com. IN A 1.2.3.4
|
||||
ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
|
||||
ns.example.com. 3600 IN RRSIG A 5 3 3600 20070926134150 20070829134150 30899 example.com. Dn1ziMKrc3NdJkSv8g61Y9WNk3+BAuwCwnYzAZiHmkejkSCPViLJN7+f4Conp9l8LkTl50ZnLgoYrrUYNhMj6w== ;{id = 30899}
|
||||
ENTRY_END
|
||||
|
||||
|
||||
; response to DNSKEY priming query
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
example.com. IN DNSKEY
|
||||
SECTION ANSWER
|
||||
example.com. 3600 IN DNSKEY 256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}
|
||||
example.com. 3600 IN DNSKEY 256 3 3 ALXLUsWqUrY3JYER3T4TBJIIs70j+sDS/UT2QRp61SE7S3EEXopNXoFE73JLRmvpi/UrOO/Vz4Se6wXv/CYCKjGw06U4WRgRYXcpEhJROyNapmdIKSxhOzfLVE1gqA0PweZR8dtY3aNQSRn3sPpwJr6Mi/PqQKAMMrZ9ckJpf1+bQMOOvxgzz2U1GS18b3yZKcgTMEaJzd/GZYzi/BN2DzQ0MsrSwYXfsNLFOBbs8PJMW4LYIxeeOe6rUgkWOF7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 512b}
|
||||
example.com. 3600 IN RRSIG DNSKEY 3 2 3600 20070926134150 20070829134150 2854 example.com. AKIIYDOGHogglFqJK94ZtOnF7EfGikgAyloMNRSMCrQgFaFkmcOyjrc= ;{id = 2854}
|
||||
example.com. 3600 IN RRSIG DNSKEY 5 2 3600 20070926134150 20070829134150 30899 example.com. J55fsz1GGMnngc4r50xvXDUdaVMlfcLKLVsfMhwNLF+ERac5XV/lLRAc/aSER+qQdsSo0CrjYjy1wat7YQpDAA== ;{id = 30899}
|
||||
SECTION AUTHORITY
|
||||
example.com. IN NS ns.example.com.
|
||||
example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
|
||||
example.com. 3600 IN RRSIG NS 5 2 3600 20070926134150 20070829134150 30899 example.com. YTqtYba73HIOQuPr5oDyIX9pfmz1ybEBjwlD/jUgcPmFINUOZ9FeqG6ywgRKwn4AizkKTK00p1sxZYMKxl91wg== ;{id = 30899}
|
||||
SECTION ADDITIONAL
|
||||
ns.example.com. IN A 1.2.3.4
|
||||
ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
|
||||
ns.example.com. 3600 IN RRSIG A 5 3 3600 20070926134150 20070829134150 30899 example.com. Dn1ziMKrc3NdJkSv8g61Y9WNk3+BAuwCwnYzAZiHmkejkSCPViLJN7+f4Conp9l8LkTl50ZnLgoYrrUYNhMj6w== ;{id = 30899}
|
||||
ENTRY_END
|
||||
|
||||
; response to query of interest
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
www.example.com. IN A
|
||||
SECTION ANSWER
|
||||
www.example.com. IN A 10.20.30.40
|
||||
ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCQMyTjn7WWwpwAR1LlVeLpRgZGuQIUCcJDEkwAuzytTDRlYK7nIMwH1CM= ;{id = 2854}
|
||||
www.example.com. 3600 IN RRSIG A 5 3 3600 20070926134150 20070829134150 30899 example.com. JNWECShNE+nCLQwOXJJ3xpUkh2G+FCh5nk8uYAHIVQRse/BIvCMSlvRrtVyw9RnXvk5RR2bEgN0pRdLWW7ug5Q== ;{id = 30899}
|
||||
SECTION AUTHORITY
|
||||
example.com. IN NS ns.example.com.
|
||||
example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
|
||||
example.com. 3600 IN RRSIG NS 5 2 3600 20070926134150 20070829134150 30899 example.com. YTqtYba73HIOQuPr5oDyIX9pfmz1ybEBjwlD/jUgcPmFINUOZ9FeqG6ywgRKwn4AizkKTK00p1sxZYMKxl91wg== ;{id = 30899}
|
||||
SECTION ADDITIONAL
|
||||
ns.example.com. IN A 1.2.3.4
|
||||
www.example.com. 3600 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFC99iE9K5y2WNgI0gFvBWaTi9wm6AhUAoUqOpDtG5Zct+Qr9F3mSdnbc6V4= ;{id = 2854}
|
||||
ns.example.com. 3600 IN RRSIG A 5 3 3600 20070926134150 20070829134150 30899 example.com. Dn1ziMKrc3NdJkSv8g61Y9WNk3+BAuwCwnYzAZiHmkejkSCPViLJN7+f4Conp9l8LkTl50ZnLgoYrrUYNhMj6w== ;{id = 30899}
|
||||
ENTRY_END
|
||||
RANGE_END
|
||||
|
||||
STEP 1 QUERY
|
||||
ENTRY_BEGIN
|
||||
REPLY RD DO
|
||||
SECTION QUESTION
|
||||
www.example.com. IN A
|
||||
ENTRY_END
|
||||
|
||||
; recursion happens here.
|
||||
STEP 10 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH all
|
||||
REPLY QR RD RA AD DO NOERROR
|
||||
SECTION QUESTION
|
||||
www.example.com. IN A
|
||||
SECTION ANSWER
|
||||
www.example.com. IN A 10.20.30.40
|
||||
www.example.com. 3600 IN RRSIG A 5 3 3600 20070926134150 20070829134150 30899 example.com. JNWECShNE+nCLQwOXJJ3xpUkh2G+FCh5nk8uYAHIVQRse/BIvCMSlvRrtVyw9RnXvk5RR2bEgN0pRdLWW7ug5Q== ;{id = 30899}
|
||||
www.example.com. 3600 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFC99iE9K5y2WNgI0gFvBWaTi9wm6AhUAoUqOpDtG5Zct+Qr9F3mSdnbc6V4= ;{id = 2854}
|
||||
SECTION AUTHORITY
|
||||
example.com. IN NS ns.example.com.
|
||||
example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
|
||||
example.com. 3600 IN RRSIG NS 5 2 3600 20070926134150 20070829134150 30899 example.com. YTqtYba73HIOQuPr5oDyIX9pfmz1ybEBjwlD/jUgcPmFINUOZ9FeqG6ywgRKwn4AizkKTK00p1sxZYMKxl91wg== ;{id = 30899}
|
||||
SECTION ADDITIONAL
|
||||
ns.example.com. IN A 1.2.3.4
|
||||
ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCQMyTjn7WWwpwAR1LlVeLpRgZGuQIUCcJDEkwAuzytTDRlYK7nIMwH1CM= ;{id = 2854}
|
||||
ns.example.com. 3600 IN RRSIG A 5 3 3600 20070926134150 20070829134150 30899 example.com. Dn1ziMKrc3NdJkSv8g61Y9WNk3+BAuwCwnYzAZiHmkejkSCPViLJN7+f4Conp9l8LkTl50ZnLgoYrrUYNhMj6w== ;{id = 30899}
|
||||
ENTRY_END
|
||||
|
||||
SCENARIO_END
|
|
@ -1,185 +0,0 @@
|
|||
; config options
|
||||
; The island of trust is at example.com
|
||||
server:
|
||||
trust-anchor: "example.com. 3600 IN DNSKEY 256 3 3 ALXLUsWqUrY3JYER3T4TBJIIs70j+sDS/UT2QRp61SE7S3EEXopNXoFE73JLRmvpi/UrOO/Vz4Se6wXv/CYCKjGw06U4WRgRYXcpEhJROyNapmdIKSxhOzfLVE1gqA0PweZR8dtY3aNQSRn3sPpwJr6Mi/PqQKAMMrZ9ckJpf1+bQMOOvxgzz2U1GS18b3yZKcgTMEaJzd/GZYzi/BN2DzQ0MsrSwYXfsNLFOBbs8PJMW4LYIxeeOe6rUgkWOF7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}"
|
||||
trust-anchor: "example.com. 3600 IN DS 30899 5 1 d4bf9d2e10f6d76840d42ef5913022abcd0bf512"
|
||||
trust-anchor: "example.com. 3600 IN DS 30899 7 1 d4bf9d2e10f6d76840d42ef5913022abcd0bf512"
|
||||
val-override-date: "20070916134226"
|
||||
target-fetch-policy: "0 0 0 0 0"
|
||||
harden-algo-downgrade: no
|
||||
|
||||
stub-zone:
|
||||
name: "."
|
||||
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
|
||||
CONFIG_END
|
||||
|
||||
SCENARIO_BEGIN Test validator with multiple algorithm missing one
|
||||
|
||||
; K.ROOT-SERVERS.NET.
|
||||
RANGE_BEGIN 0 100
|
||||
ADDRESS 193.0.14.129
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
. IN NS
|
||||
SECTION ANSWER
|
||||
. IN NS K.ROOT-SERVERS.NET.
|
||||
SECTION ADDITIONAL
|
||||
K.ROOT-SERVERS.NET. IN A 193.0.14.129
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
www.example.com. IN A
|
||||
SECTION AUTHORITY
|
||||
com. IN NS a.gtld-servers.net.
|
||||
SECTION ADDITIONAL
|
||||
a.gtld-servers.net. IN A 192.5.6.30
|
||||
ENTRY_END
|
||||
RANGE_END
|
||||
|
||||
; a.gtld-servers.net.
|
||||
RANGE_BEGIN 0 100
|
||||
ADDRESS 192.5.6.30
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
com. IN NS
|
||||
SECTION ANSWER
|
||||
com. IN NS a.gtld-servers.net.
|
||||
SECTION ADDITIONAL
|
||||
a.gtld-servers.net. IN A 192.5.6.30
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
www.example.com. IN A
|
||||
SECTION AUTHORITY
|
||||
example.com. IN NS ns.example.com.
|
||||
SECTION ADDITIONAL
|
||||
ns.example.com. IN A 1.2.3.4
|
||||
ENTRY_END
|
||||
RANGE_END
|
||||
|
||||
; ns.example.com.
|
||||
RANGE_BEGIN 0 100
|
||||
ADDRESS 1.2.3.4
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
example.com. IN NS
|
||||
SECTION ANSWER
|
||||
example.com. IN NS ns.example.com.
|
||||
example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
|
||||
example.com. 3600 IN RRSIG NS 5 2 3600 20070926134150 20070829134150 30899 example.com. YTqtYba73HIOQuPr5oDyIX9pfmz1ybEBjwlD/jUgcPmFINUOZ9FeqG6ywgRKwn4AizkKTK00p1sxZYMKxl91wg== ;{id = 30899}
|
||||
SECTION ADDITIONAL
|
||||
ns.example.com. IN A 1.2.3.4
|
||||
ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
|
||||
ns.example.com. 3600 IN RRSIG A 5 3 3600 20070926134150 20070829134150 30899 example.com. Dn1ziMKrc3NdJkSv8g61Y9WNk3+BAuwCwnYzAZiHmkejkSCPViLJN7+f4Conp9l8LkTl50ZnLgoYrrUYNhMj6w== ;{id = 30899}
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR AA NOERROR
|
||||
SECTION QUESTION
|
||||
ns.example.com. IN AAAA
|
||||
SECTION ANSWER
|
||||
SECTION AUTHORITY
|
||||
example.com. IN NS ns.example.com.
|
||||
example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
|
||||
example.com. 3600 IN RRSIG NS 5 2 3600 20070926134150 20070829134150 30899 example.com. YTqtYba73HIOQuPr5oDyIX9pfmz1ybEBjwlD/jUgcPmFINUOZ9FeqG6ywgRKwn4AizkKTK00p1sxZYMKxl91wg== ;{id = 30899}
|
||||
SECTION ADDITIONAL
|
||||
ns.example.com. IN A 1.2.3.4
|
||||
ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
|
||||
ns.example.com. 3600 IN RRSIG A 5 3 3600 20070926134150 20070829134150 30899 example.com. Dn1ziMKrc3NdJkSv8g61Y9WNk3+BAuwCwnYzAZiHmkejkSCPViLJN7+f4Conp9l8LkTl50ZnLgoYrrUYNhMj6w== ;{id = 30899}
|
||||
ENTRY_END
|
||||
|
||||
|
||||
; response to DNSKEY priming query
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
example.com. IN DNSKEY
|
||||
SECTION ANSWER
|
||||
example.com. 3600 IN DNSKEY 256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}
|
||||
example.com. 3600 IN DNSKEY 256 3 3 ALXLUsWqUrY3JYER3T4TBJIIs70j+sDS/UT2QRp61SE7S3EEXopNXoFE73JLRmvpi/UrOO/Vz4Se6wXv/CYCKjGw06U4WRgRYXcpEhJROyNapmdIKSxhOzfLVE1gqA0PweZR8dtY3aNQSRn3sPpwJr6Mi/PqQKAMMrZ9ckJpf1+bQMOOvxgzz2U1GS18b3yZKcgTMEaJzd/GZYzi/BN2DzQ0MsrSwYXfsNLFOBbs8PJMW4LYIxeeOe6rUgkWOF7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 512b}
|
||||
example.com. 3600 IN RRSIG DNSKEY 3 2 3600 20070926134150 20070829134150 2854 example.com. AKIIYDOGHogglFqJK94ZtOnF7EfGikgAyloMNRSMCrQgFaFkmcOyjrc= ;{id = 2854}
|
||||
example.com. 3600 IN RRSIG DNSKEY 5 2 3600 20070926134150 20070829134150 30899 example.com. J55fsz1GGMnngc4r50xvXDUdaVMlfcLKLVsfMhwNLF+ERac5XV/lLRAc/aSER+qQdsSo0CrjYjy1wat7YQpDAA== ;{id = 30899}
|
||||
SECTION AUTHORITY
|
||||
example.com. IN NS ns.example.com.
|
||||
example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
|
||||
example.com. 3600 IN RRSIG NS 5 2 3600 20070926134150 20070829134150 30899 example.com. YTqtYba73HIOQuPr5oDyIX9pfmz1ybEBjwlD/jUgcPmFINUOZ9FeqG6ywgRKwn4AizkKTK00p1sxZYMKxl91wg== ;{id = 30899}
|
||||
SECTION ADDITIONAL
|
||||
ns.example.com. IN A 1.2.3.4
|
||||
ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
|
||||
ns.example.com. 3600 IN RRSIG A 5 3 3600 20070926134150 20070829134150 30899 example.com. Dn1ziMKrc3NdJkSv8g61Y9WNk3+BAuwCwnYzAZiHmkejkSCPViLJN7+f4Conp9l8LkTl50ZnLgoYrrUYNhMj6w== ;{id = 30899}
|
||||
ENTRY_END
|
||||
|
||||
; response to query of interest
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
www.example.com. IN A
|
||||
SECTION ANSWER
|
||||
www.example.com. IN A 10.20.30.40
|
||||
ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCQMyTjn7WWwpwAR1LlVeLpRgZGuQIUCcJDEkwAuzytTDRlYK7nIMwH1CM= ;{id = 2854}
|
||||
www.example.com. 3600 IN RRSIG A 5 3 3600 20070926134150 20070829134150 30899 example.com. JNWECShNE+nCLQwOXJJ3xpUkh2G+FCh5nk8uYAHIVQRse/BIvCMSlvRrtVyw9RnXvk5RR2bEgN0pRdLWW7ug5Q== ;{id = 30899}
|
||||
SECTION AUTHORITY
|
||||
example.com. IN NS ns.example.com.
|
||||
example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
|
||||
example.com. 3600 IN RRSIG NS 5 2 3600 20070926134150 20070829134150 30899 example.com. YTqtYba73HIOQuPr5oDyIX9pfmz1ybEBjwlD/jUgcPmFINUOZ9FeqG6ywgRKwn4AizkKTK00p1sxZYMKxl91wg== ;{id = 30899}
|
||||
SECTION ADDITIONAL
|
||||
ns.example.com. IN A 1.2.3.4
|
||||
www.example.com. 3600 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFC99iE9K5y2WNgI0gFvBWaTi9wm6AhUAoUqOpDtG5Zct+Qr9F3mSdnbc6V4= ;{id = 2854}
|
||||
ns.example.com. 3600 IN RRSIG A 5 3 3600 20070926134150 20070829134150 30899 example.com. Dn1ziMKrc3NdJkSv8g61Y9WNk3+BAuwCwnYzAZiHmkejkSCPViLJN7+f4Conp9l8LkTl50ZnLgoYrrUYNhMj6w== ;{id = 30899}
|
||||
ENTRY_END
|
||||
RANGE_END
|
||||
|
||||
STEP 1 QUERY
|
||||
ENTRY_BEGIN
|
||||
REPLY RD DO
|
||||
SECTION QUESTION
|
||||
www.example.com. IN A
|
||||
ENTRY_END
|
||||
|
||||
; recursion happens here.
|
||||
STEP 10 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH all
|
||||
REPLY QR RD RA AD DO NOERROR
|
||||
SECTION QUESTION
|
||||
www.example.com. IN A
|
||||
SECTION ANSWER
|
||||
www.example.com. 3600 IN A 10.20.30.40
|
||||
www.example.com. 3600 IN RRSIG A 5 3 3600 20070926134150 20070829134150 30899 example.com. JNWECShNE+nCLQwOXJJ3xpUkh2G+FCh5nk8uYAHIVQRse/BIvCMSlvRrtVyw9RnXvk5RR2bEgN0pRdLWW7ug5Q== ;{id = 30899}
|
||||
www.example.com. 3600 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFC99iE9K5y2WNgI0gFvBWaTi9wm6AhUAoUqOpDtG5Zct+Qr9F3mSdnbc6V4= ;{id = 2854}
|
||||
|
||||
SECTION AUTHORITY
|
||||
example.com. 3600 IN NS ns.example.com.
|
||||
example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
|
||||
example.com. 3600 IN RRSIG NS 5 2 3600 20070926134150 20070829134150 30899 example.com. YTqtYba73HIOQuPr5oDyIX9pfmz1ybEBjwlD/jUgcPmFINUOZ9FeqG6ywgRKwn4AizkKTK00p1sxZYMKxl91wg== ;{id = 30899}
|
||||
|
||||
SECTION ADDITIONAL
|
||||
ns.example.com. 3600 IN A 1.2.3.4
|
||||
ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCQMyTjn7WWwpwAR1LlVeLpRgZGuQIUCcJDEkwAuzytTDRlYK7nIMwH1CM= ;{id = 2854}
|
||||
ns.example.com. 3600 IN RRSIG A 5 3 3600 20070926134150 20070829134150 30899 example.com. Dn1ziMKrc3NdJkSv8g61Y9WNk3+BAuwCwnYzAZiHmkejkSCPViLJN7+f4Conp9l8LkTl50ZnLgoYrrUYNhMj6w== ;{id = 30899}
|
||||
ENTRY_END
|
||||
|
||||
SCENARIO_END
|
|
@ -364,6 +364,9 @@ void *unbound_stat_malloc(size_t size)
|
|||
#ifdef calloc
|
||||
#undef calloc
|
||||
#endif
|
||||
#ifndef INT_MAX
|
||||
#define INT_MAX (((int)-1)>>1)
|
||||
#endif
|
||||
/** calloc with stats */
|
||||
void *unbound_stat_calloc(size_t nmemb, size_t size)
|
||||
{
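Review bot: The fallback `#define INT_MAX (((int)-1)>>1)` is wrong on the common compilers: right-shifting a negative signed value is implementation-defined (C11 6.5.7p5), and gcc and clang shift arithmetically, so the macro evaluates to -1 rather than the largest int, and whatever bound check in `unbound_stat_calloc` consumes it would compare against -1. Derive it from an unsigned value instead: `#define INT_MAX ((int)(~0U >> 1))`. `<limits.h>` defines INT_MAX on every hosted implementation, so if this fallback only exists for odd toolchains, including that header is the more robust fix; the calloc body that uses the value lies outside the hunk.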
|
||||
|
|
|
@ -70,6 +70,8 @@
|
|||
uid_t cfg_uid = (uid_t)-1;
|
||||
/** from cfg username, after daemonise setup performed */
|
||||
gid_t cfg_gid = (gid_t)-1;
|
||||
/** for debug allow small timeout values for fast rollovers */
|
||||
int autr_permit_small_holddown = 0;
|
||||
|
||||
/** global config during parsing */
|
||||
struct config_parser_state* cfg_parser = 0;
|
||||
|
@ -200,6 +202,7 @@ config_create(void)
|
|||
cfg->add_holddown = 30*24*3600;
|
||||
cfg->del_holddown = 30*24*3600;
|
||||
cfg->keep_missing = 366*24*3600; /* one year plus a little leeway */
|
||||
cfg->permit_small_holddown = 0;
|
||||
cfg->key_cache_size = 4 * 1024 * 1024;
|
||||
cfg->key_cache_slabs = 4;
|
||||
cfg->neg_cache_size = 1 * 1024 * 1024;
|
||||
|
@ -444,6 +447,9 @@ int config_set_option(struct config_file* cfg, const char* opt,
|
|||
else S_UNSIGNED_OR_ZERO("add-holddown:", add_holddown)
|
||||
else S_UNSIGNED_OR_ZERO("del-holddown:", del_holddown)
|
||||
else S_UNSIGNED_OR_ZERO("keep-missing:", keep_missing)
|
||||
else if(strcmp(opt, "permit-small-holddown:") == 0)
|
||||
{ IS_YES_OR_NO; cfg->permit_small_holddown = (strcmp(val, "yes") == 0);
|
||||
autr_permit_small_holddown = cfg->permit_small_holddown; }
|
||||
else S_MEMSIZE("key-cache-size:", key_cache_size)
|
||||
else S_POW2("key-cache-slabs:", key_cache_slabs)
|
||||
else S_MEMSIZE("neg-cache-size:", neg_cache_size)
|
||||
|
@ -705,6 +711,7 @@ config_get_option(struct config_file* cfg, const char* opt,
|
|||
else O_UNS(opt, "add-holddown", add_holddown)
|
||||
else O_UNS(opt, "del-holddown", del_holddown)
|
||||
else O_UNS(opt, "keep-missing", keep_missing)
|
||||
else O_YNO(opt, "permit-small-holddown", permit_small_holddown)
|
||||
else O_MEM(opt, "key-cache-size", key_cache_size)
|
||||
else O_DEC(opt, "key-cache-slabs", key_cache_slabs)
|
||||
else O_MEM(opt, "neg-cache-size", neg_cache_size)
|
||||
|
@ -1243,6 +1250,7 @@ config_apply(struct config_file* config)
|
|||
MINIMAL_RESPONSES = config->minimal_responses;
|
||||
RRSET_ROUNDROBIN = config->rrset_roundrobin;
|
||||
log_set_time_asc(config->log_time_ascii);
|
||||
autr_permit_small_holddown = config->permit_small_holddown;
|
||||
}
|
||||
|
||||
void config_lookup_uid(struct config_file* cfg)
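Review bot: In `config_set_option` the `permit-small-holddown:` handler writes the global `autr_permit_small_holddown` directly, while every neighbouring option only sets its cfg field and relies on `config_apply` (which now also copies the flag), so a reader will wonder whether the duplicate write is deliberate. Presumably it is needed because set_option is driven at runtime without a following config_apply; say so at the site: `/* set the runtime flag too: set_option does not go through config_apply */`. If set_option can be issued from the control channel while the daemon is running, that write to a plain global read by the autotrust timer code is unsynchronised — harmless for a boolean flag, but worth noting in the same comment. config_set_option and config_apply both extend beyond their hunks.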
|
||||
|
|
|
@ -269,6 +269,8 @@ struct config_file {
|
|||
unsigned int del_holddown;
|
||||
/** autotrust keep_missing time, in seconds. 0 is forever. */
|
||||
unsigned int keep_missing;
|
||||
/** permit small holddown values, allowing 5011 rollover very fast */
|
||||
int permit_small_holddown;
|
||||
|
||||
/** size of the key cache */
|
||||
size_t key_cache_size;
|
||||
|
@ -368,6 +370,8 @@ struct config_file {
|
|||
extern uid_t cfg_uid;
|
||||
/** from cfg username, after daemonise setup performed */
|
||||
extern gid_t cfg_gid;
|
||||
/** debug and enable small timeouts */
|
||||
extern int autr_permit_small_holddown;
|
||||
|
||||
/**
|
||||
* Stub config options
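Review bot: The new field and global are documented only as `permit small holddown values, allowing 5011 rollover very fast` and `debug and enable small timeouts`, which does not tell an operator that the option removes the one-hour floor on the RFC 5011 probe and retry intervals (see the autotrust hunks) and is meant for test setups. I would write the struct comment as `/** permit small holddown values: drops the 1-hour floor on 5011 query/retry intervals so rollovers can be exercised quickly. Testing only; default no. */` and the extern's as `/** runtime copy of cfg->permit_small_holddown, read by the autotrust probe code */`. The claim about who reads it comes from this commit's autotrust changes, so keep the two in step if that moves.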
|
||||
|
|
|
@ -306,6 +306,7 @@ val-nsec3-keysize-iterations{COLON} {
|
|||
add-holddown{COLON} { YDVAR(1, VAR_ADD_HOLDDOWN) }
|
||||
del-holddown{COLON} { YDVAR(1, VAR_DEL_HOLDDOWN) }
|
||||
keep-missing{COLON} { YDVAR(1, VAR_KEEP_MISSING) }
|
||||
permit-small-holddown{COLON} { YDVAR(1, VAR_PERMIT_SMALL_HOLDDOWN) }
|
||||
use-syslog{COLON} { YDVAR(1, VAR_USE_SYSLOG) }
|
||||
log-time-ascii{COLON} { YDVAR(1, VAR_LOG_TIME_ASCII) }
|
||||
log-queries{COLON} { YDVAR(1, VAR_LOG_QUERIES) }
|
||||
|
|
|
@ -203,7 +203,8 @@ extern int yydebug;
|
|||
VAR_RATELIMIT_BELOW_DOMAIN = 412,
|
||||
VAR_RATELIMIT_FACTOR = 413,
|
||||
VAR_CAPS_WHITELIST = 414,
|
||||
VAR_CACHE_MAX_NEGATIVE_TTL = 415
|
||||
VAR_CACHE_MAX_NEGATIVE_TTL = 415,
|
||||
VAR_PERMIT_SMALL_HOLDDOWN = 416
|
||||
};
|
||||
#endif
|
||||
/* Tokens. */
|
||||
|
@ -365,6 +366,7 @@ extern int yydebug;
|
|||
#define VAR_RATELIMIT_FACTOR 413
|
||||
#define VAR_CAPS_WHITELIST 414
|
||||
#define VAR_CACHE_MAX_NEGATIVE_TTL 415
|
||||
#define VAR_PERMIT_SMALL_HOLDDOWN 416
|
||||
|
||||
|
||||
|
||||
|
@ -378,7 +380,7 @@ typedef union YYSTYPE
|
|||
|
||||
|
||||
/* Line 2058 of yacc.c */
|
||||
#line 382 "util/configparser.h"
|
||||
#line 384 "util/configparser.h"
|
||||
} YYSTYPE;
|
||||
# define YYSTYPE_IS_TRIVIAL 1
|
||||
# define yystype YYSTYPE /* obsolescent; will be withdrawn */
|
||||
|
|
|
@ -121,7 +121,7 @@ extern struct config_parser_state* cfg_parser;
|
|||
%token VAR_HARDEN_ALGO_DOWNGRADE VAR_IP_TRANSPARENT
|
||||
%token VAR_RATELIMIT VAR_RATELIMIT_SLABS VAR_RATELIMIT_SIZE
|
||||
%token VAR_RATELIMIT_FOR_DOMAIN VAR_RATELIMIT_BELOW_DOMAIN VAR_RATELIMIT_FACTOR
|
||||
%token VAR_CAPS_WHITELIST VAR_CACHE_MAX_NEGATIVE_TTL
|
||||
%token VAR_CAPS_WHITELIST VAR_CACHE_MAX_NEGATIVE_TTL VAR_PERMIT_SMALL_HOLDDOWN
|
||||
|
||||
%%
|
||||
toplevelvars: /* empty */ | toplevelvars toplevelvar ;
|
||||
|
@ -185,7 +185,8 @@ content_server: server_num_threads | server_verbosity | server_port |
|
|||
server_ip_transparent | server_ratelimit | server_ratelimit_slabs |
|
||||
server_ratelimit_size | server_ratelimit_for_domain |
|
||||
server_ratelimit_below_domain | server_ratelimit_factor |
|
||||
server_caps_whitelist | server_cache_max_negative_ttl
|
||||
server_caps_whitelist | server_cache_max_negative_ttl |
|
||||
server_permit_small_holddown
|
||||
;
|
||||
stubstart: VAR_STUB_ZONE
|
||||
{
|
||||
|
@ -1125,6 +1126,15 @@ server_keep_missing: VAR_KEEP_MISSING STRING_ARG
|
|||
free($2);
|
||||
}
|
||||
;
|
||||
server_permit_small_holddown: VAR_PERMIT_SMALL_HOLDDOWN STRING_ARG
|
||||
{
|
||||
OUTYY(("P(server_permit_small_holddown:%s)\n", $2));
|
||||
if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
|
||||
yyerror("expected yes or no.");
|
||||
else cfg_parser->cfg->permit_small_holddown =
|
||||
(strcmp($2, "yes")==0);
|
||||
free($2);
|
||||
}
|
||||
server_key_cache_size: VAR_KEY_CACHE_SIZE STRING_ARG
|
||||
{
|
||||
OUTYY(("P(server_key_cache_size:%s)\n", $2));
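Review bot: The new `server_permit_small_holddown` rule closes with `}` and no `;`, whereas the `server_keep_missing` rule just above it ends with `;`; bison tolerates the omission, but the grammar reads as if the two rules run together. Add the terminator after the closing brace — `}` followed by `;` on its own line — to match the neighbour. The action itself mirrors the other yes/no options (yyerror on anything but yes/no, then free($2)), so nothing else needs changing there.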
|
||||
|
|
|
@ -283,7 +283,7 @@ compress_owner(struct ub_packed_rrset_key* key, sldns_buffer* pkt,
|
|||
size_t owner_pos, uint16_t* owner_ptr, int owner_labs)
|
||||
{
|
||||
struct compress_tree_node* p;
|
||||
struct compress_tree_node** insertpt;
|
||||
struct compress_tree_node** insertpt = NULL;
|
||||
if(!*owner_ptr) {
|
||||
/* compress first time dname */
|
||||
if((p = compress_tree_lookup(tree, key->rk.dname,
|
||||
|
|
|
@ -822,13 +822,13 @@ log_query_info(enum verbosity_value v, const char* str,
|
|||
}
|
||||
|
||||
int
|
||||
reply_check_cname_chain(struct reply_info* rep)
|
||||
reply_check_cname_chain(struct query_info* qinfo, struct reply_info* rep)
|
||||
{
|
||||
/* check only answer section rrs for matching cname chain.
|
||||
* the cache may return changed rdata, but owner names are untouched.*/
|
||||
size_t i;
|
||||
uint8_t* sname = rep->rrsets[0]->rk.dname;
|
||||
size_t snamelen = rep->rrsets[0]->rk.dname_len;
|
||||
uint8_t* sname = qinfo->qname;
|
||||
size_t snamelen = qinfo->qname_len;
|
||||
for(i=0; i<rep->an_numrrsets; i++) {
|
||||
uint16_t t = ntohs(rep->rrsets[i]->rk.type);
|
||||
if(t == LDNS_RR_TYPE_DNAME)
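Review bot: `reply_check_cname_chain` now walks the chain from `qinfo->qname` instead of the first rrset's owner, but the comment above the loop still only says `check only answer section rrs for matching cname chain` and gives no reason for the new start point; add `/* start at the query name: a cached chain whose first owner is not the question must be rejected */` (my reading of the intent — confirm). Since `qinfo` is dereferenced unconditionally, the prototype's documentation should also state that it must be non-NULL and that `qname` is presumably compared as a wire-format dname like `rk.dname`. The loop body continues past the hunk.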
|
||||
|
|
|
@ -359,10 +359,11 @@ uint8_t* reply_find_final_cname_target(struct query_info* qinfo,
|
|||
|
||||
/**
|
||||
* Check if cname chain in cached reply is still valid.
|
||||
* @param qinfo: query info with query name.
|
||||
* @param rep: reply to check.
|
||||
* @return: true if valid, false if invalid.
|
||||
*/
|
||||
int reply_check_cname_chain(struct reply_info* rep);
|
||||
int reply_check_cname_chain(struct query_info* qinfo, struct reply_info* rep);
|
||||
|
||||
/**
|
||||
* Check security status of all RRs in the message.
|
||||
|
|
|
@ -1066,7 +1066,6 @@
|
|||
1404,
|
||||
1405,
|
||||
1406,
|
||||
1407,
|
||||
1408,
|
||||
1409,
|
||||
1410,
|
||||
|
@ -4667,6 +4666,7 @@
|
|||
7725,
|
||||
7726,
|
||||
7727,
|
||||
7728,
|
||||
7734,
|
||||
7738,
|
||||
7741,
|
||||
|
@ -4781,6 +4781,7 @@
|
|||
8301,
|
||||
8320,
|
||||
8321,
|
||||
8322,
|
||||
8351,
|
||||
8376,
|
||||
8377,
|
||||
|
@ -4788,6 +4789,7 @@
|
|||
8379,
|
||||
8380,
|
||||
8383,
|
||||
8384,
|
||||
8400,
|
||||
8401,
|
||||
8402,
|
||||
|
@ -4804,6 +4806,7 @@
|
|||
8474,
|
||||
8500,
|
||||
8501,
|
||||
8503,
|
||||
8554,
|
||||
8555,
|
||||
8567,
|
||||
|
@ -5034,6 +5037,7 @@
|
|||
10200,
|
||||
10201,
|
||||
10252,
|
||||
10253,
|
||||
10260,
|
||||
10288,
|
||||
10439,
|
||||
|
@ -5168,6 +5172,8 @@
|
|||
17220,
|
||||
17221,
|
||||
17222,
|
||||
17224,
|
||||
17225,
|
||||
17234,
|
||||
17235,
|
||||
17500,
|
||||
|
@ -5380,6 +5386,7 @@
|
|||
40843,
|
||||
40853,
|
||||
41111,
|
||||
41230,
|
||||
41794,
|
||||
41795,
|
||||
42508,
|
||||
|
|
|
@ -629,9 +629,9 @@ void* listen_sslctx_create(char* key, char* pem, char* verifypem)
|
|||
SSL_CTX_free(ctx);
|
||||
return NULL;
|
||||
}
|
||||
if(!SSL_CTX_use_certificate_file(ctx, pem, SSL_FILETYPE_PEM)) {
|
||||
if(!SSL_CTX_use_certificate_chain_file(ctx, pem)) {
|
||||
log_err("error for cert file: %s", pem);
|
||||
log_crypto_err("error in SSL_CTX use_certificate_file");
|
||||
log_crypto_err("error in SSL_CTX use_certificate_chain_file");
|
||||
SSL_CTX_free(ctx);
|
||||
return NULL;
|
||||
}
|
||||
|
@ -647,6 +647,23 @@ void* listen_sslctx_create(char* key, char* pem, char* verifypem)
|
|||
SSL_CTX_free(ctx);
|
||||
return NULL;
|
||||
}
|
||||
#if HAVE_DECL_SSL_CTX_SET_ECDH_AUTO
|
||||
if(!SSL_CTX_set_ecdh_auto(ctx,1)) {
|
||||
log_crypto_err("Error in SSL_CTX_ecdh_auto, not enabling ECDHE");
|
||||
}
|
||||
#elif defined(USE_ECDSA)
|
||||
if(1) {
|
||||
EC_KEY *ecdh = EC_KEY_new_by_curve_name (NID_X9_62_prime256v1);
|
||||
if (!ecdh) {
|
||||
log_crypto_err("could not find p256, not enabling ECDHE");
|
||||
} else {
|
||||
if (1 != SSL_CTX_set_tmp_ecdh (ctx, ecdh)) {
|
||||
log_crypto_err("Error in SSL_CTX_set_tmp_ecdh, not enabling ECDHE");
|
||||
}
|
||||
EC_KEY_free (ecdh);
|
||||
}
|
||||
}
|
||||
#endif
|
||||
|
||||
if(verifypem && verifypem[0]) {
|
||||
if(!SSL_CTX_load_verify_locations(ctx, verifypem, NULL)) {
|
||||
|
@ -684,7 +701,7 @@ void* connect_sslctx_create(char* key, char* pem, char* verifypem)
|
|||
return NULL;
|
||||
}
|
||||
if(key && key[0]) {
|
||||
if(!SSL_CTX_use_certificate_file(ctx, pem, SSL_FILETYPE_PEM)) {
|
||||
if(!SSL_CTX_use_certificate_chain_file(ctx, pem)) {
|
||||
log_err("error in client certificate %s", pem);
|
||||
log_crypto_err("error in certificate file");
|
||||
SSL_CTX_free(ctx);
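Review bot: In `listen_sslctx_create` the fallback `SSL_CTX_set_tmp_ecdh` branch installs a P-256 key without setting `SSL_OP_SINGLE_ECDH_USE`; on OpenSSL 1.0.x, as I recall it, that makes the library generate the ECDH key pair once inside set_tmp_ecdh and reuse it for every handshake, so the exchange is not actually ephemeral and forward secrecy across connections is lost. Add `SSL_CTX_set_options(ctx, SSL_OP_SINGLE_ECDH_USE);` (under `#ifdef SSL_OP_SINGLE_ECDH_USE`) before the set_tmp_ecdh call; the `SSL_CTX_set_ecdh_auto` path is, as far as I know, fine because it builds a fresh curve key per handshake. Separately, the log text `Error in SSL_CTX_ecdh_auto` misnames the function; make it `log_crypto_err("Error in SSL_CTX_set_ecdh_auto, not enabling ECDHE");`. The `if(1) {` wrapper is only a scope block and reads oddly — a bare `{` would do. Both functions extend beyond their hunks.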
|
||||
|
|
|
@ -1225,7 +1225,7 @@ verify_dnskey(struct module_env* env, struct val_env* ve,
|
|||
{
|
||||
char* reason = NULL;
|
||||
uint8_t sigalg[ALGO_NEEDS_MAX+1];
|
||||
int downprot = 1;
|
||||
int downprot = env->cfg->harden_algo_downgrade;
|
||||
enum sec_status sec = val_verify_DNSKEY_with_TA(env, ve, rrset,
|
||||
tp->ds_rrset, tp->dnskey_rrset, downprot?sigalg:NULL, &reason);
|
||||
/* sigalg is ignored, it returns algorithms signalled to exist, but
|
||||
|
@ -1447,9 +1447,11 @@ set_tp_times(struct trust_anchor* tp, time_t rrsig_exp_interval,
|
|||
if(rrsig_exp_interval/2 < x)
|
||||
x = rrsig_exp_interval/2;
|
||||
/* MAX(1hr, x) */
|
||||
if(x < 3600)
|
||||
tp->autr->query_interval = 3600;
|
||||
else tp->autr->query_interval = x;
|
||||
if(!autr_permit_small_holddown) {
|
||||
if(x < 3600)
|
||||
tp->autr->query_interval = 3600;
|
||||
else tp->autr->query_interval = x;
|
||||
} else tp->autr->query_interval = x;
|
||||
|
||||
/* x= MIN(1day, ttl/10, expire/10) */
|
||||
x = 24 * 3600;
|
||||
|
@ -1458,9 +1460,11 @@ set_tp_times(struct trust_anchor* tp, time_t rrsig_exp_interval,
|
|||
if(rrsig_exp_interval/10 < x)
|
||||
x = rrsig_exp_interval/10;
|
||||
/* MAX(1hr, x) */
|
||||
if(x < 3600)
|
||||
tp->autr->retry_time = 3600;
|
||||
else tp->autr->retry_time = x;
|
||||
if(!autr_permit_small_holddown) {
|
||||
if(x < 3600)
|
||||
tp->autr->retry_time = 3600;
|
||||
else tp->autr->retry_time = x;
|
||||
} else tp->autr->retry_time = x;
|
||||
|
||||
if(qi != tp->autr->query_interval || rt != tp->autr->retry_time) {
|
||||
*changed = 1;
|
||||
|
@ -1959,8 +1963,12 @@ calc_next_probe(struct module_env* env, time_t wait)
|
|||
{
|
||||
/* make it random, 90-100% */
|
||||
time_t rnd, rest;
|
||||
if(wait < 3600)
|
||||
wait = 3600;
|
||||
if(!autr_permit_small_holddown) {
|
||||
if(wait < 3600)
|
||||
wait = 3600;
|
||||
} else {
|
||||
if(wait == 0) wait = 1;
|
||||
}
|
||||
rnd = wait/10;
|
||||
rest = wait-rnd;
|
||||
rnd = (time_t)ub_random_max(env->rnd, (long int)rnd);
|
||||
|
@ -2349,6 +2357,8 @@ todo_probe(struct module_env* env, time_t* next)
|
|||
if( (el=rbtree_first(&env->anchors->autr->probe)) == RBTREE_NULL) {
|
||||
/* in case of revoked anchors */
|
||||
lock_basic_unlock(&env->anchors->lock);
|
||||
/* signal that there are no anchors to probe */
|
||||
*next = 0;
|
||||
return NULL;
|
||||
}
|
||||
tp = (struct trust_anchor*)el->key;
|
||||
|
@ -2378,6 +2388,7 @@ autr_probe_timer(struct module_env* env)
|
|||
struct trust_anchor* tp;
|
||||
time_t next_probe = 3600;
|
||||
int num = 0;
|
||||
if(autr_permit_small_holddown) next_probe = 1;
|
||||
verbose(VERB_ALGO, "autotrust probe timer callback");
|
||||
/* while there are still anchors to probe */
|
||||
while( (tp = todo_probe(env, &next_probe)) ) {
|
||||
|
@ -2386,7 +2397,7 @@ autr_probe_timer(struct module_env* env)
|
|||
num++;
|
||||
}
|
||||
regional_free_all(env->scratch);
|
||||
if(num == 0)
|
||||
if(next_probe == 0)
|
||||
return 0; /* no trust points to probe */
|
||||
verbose(VERB_ALGO, "autotrust probe timer %d callbacks done", num);
|
||||
return next_probe;
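Review bot: In `calc_next_probe` the new branch lets `wait` drop to 1, so for any wait below 10 `rnd = wait/10` is 0 and `ub_random_max(env->rnd, 0)` is called with an empty range; the old 3600 floor made that impossible, and whether a zero bound is safe depends on ub_random_max (a modulus-based implementation divides by zero), so guard it: `rnd = rnd ? (time_t)ub_random_max(env->rnd, (long int)rnd) : 0;`. The same flag removes the one-hour floors in `set_tp_times` and starts `autr_probe_timer` at `next_probe = 1`, which can turn the RFC 5011 probe schedule into a per-second stream of DNSKEY queries; a `/* testing only: permit-small-holddown */` comment at each of those sites would make the production risk explicit. `calc_next_probe` and `set_tp_times` continue past their hunks.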
|
||||
|
|
|
@ -2769,7 +2769,7 @@ process_dnskey_response(struct module_qstate* qstate, struct val_qstate* vq,
|
|||
vq->state = VAL_VALIDATE_STATE;
|
||||
return;
|
||||
}
|
||||
downprot = 1;
|
||||
downprot = qstate->env->cfg->harden_algo_downgrade;
|
||||
vq->key_entry = val_verify_new_DNSKEYs(qstate->region, qstate->env,
|
||||
ve, dnskey, vq->ds_rrset, downprot, &reason);
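Review bot: `downprot` now follows `harden-algo-downgrade` where it used to be hard-wired to 1, and nothing at the assignment explains what an operator gives up by turning it off; as I read the name, with protection off a DNSKEY set that verifies under any one DS-signalled algorithm is accepted, so an attacker who can break the weaker algorithm may strip the stronger signatures unnoticed. A why-comment would carry that: `/* harden-algo-downgrade: require every DS-signalled algorithm to verify; off trades that for rollover interoperability */`. The identical change in autotrust.c's `verify_dnskey` should carry the same comment. `process_dnskey_response` starts and ends outside the hunk.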
|
||||
|
||||
|
|