From owner-svn-src-vendor@freebsd.org Mon Sep 10 16:30:25 2018
Message-Id: <201809101630.w8AGUI3l074987@repo.freebsd.org>
From: Dag-Erling Smørgrav
Date: Mon, 10 Sep 2018 16:30:18 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-vendor@freebsd.org
Subject: svn commit: r338562 - in vendor/unbound/dist: . compat contrib daemon doc iterator libunbound services smallapp testcode testdata testdata/02-unittest.tdir testdata/03-testbound.tdir testdata/tcp_s...
X-SVN-Group: vendor
X-SVN-Commit-Author: des
X-SVN-Commit-Paths: in vendor/unbound/dist: . compat contrib daemon doc iterator libunbound services smallapp testcode testdata testdata/02-unittest.tdir testdata/03-testbound.tdir testdata/tcp_sigpipe.tdir util winrc
X-SVN-Commit-Revision: 338562
X-SVN-Commit-Repository: base

Author: des
Date: Mon Sep 10 16:30:18 2018
New Revision: 338562
URL: https://svnweb.freebsd.org/changeset/base/338562

Log:
  Vendor import of Unbound 1.7.2.
Modified:
  vendor/unbound/dist/Makefile.in
  vendor/unbound/dist/compat/arc4random.c
  vendor/unbound/dist/config.h.in
  vendor/unbound/dist/configure
  vendor/unbound/dist/configure.ac
  vendor/unbound/dist/contrib/libunbound.pc.in
  vendor/unbound/dist/daemon/acl_list.c
  vendor/unbound/dist/daemon/acl_list.h
  vendor/unbound/dist/daemon/daemon.c
  vendor/unbound/dist/daemon/unbound.c
  vendor/unbound/dist/daemon/worker.c
  vendor/unbound/dist/doc/Changelog
  vendor/unbound/dist/doc/README
  vendor/unbound/dist/doc/example.conf.in
  vendor/unbound/dist/doc/libunbound.3.in
  vendor/unbound/dist/doc/unbound-anchor.8.in
  vendor/unbound/dist/doc/unbound-checkconf.8.in
  vendor/unbound/dist/doc/unbound-control.8.in
  vendor/unbound/dist/doc/unbound-host.1.in
  vendor/unbound/dist/doc/unbound.8.in
  vendor/unbound/dist/doc/unbound.conf.5.in
  vendor/unbound/dist/iterator/iter_utils.c
  vendor/unbound/dist/libunbound/context.c
  vendor/unbound/dist/libunbound/context.h
  vendor/unbound/dist/libunbound/libunbound.c
  vendor/unbound/dist/libunbound/libworker.c
  vendor/unbound/dist/services/authzone.c
  vendor/unbound/dist/services/listen_dnsport.c
  vendor/unbound/dist/services/mesh.c
  vendor/unbound/dist/services/outside_network.c
  vendor/unbound/dist/services/outside_network.h
  vendor/unbound/dist/smallapp/unbound-host.c
  vendor/unbound/dist/testcode/asynclook.c
  vendor/unbound/dist/testcode/fake_event.c
  vendor/unbound/dist/testcode/streamtcp.c
  vendor/unbound/dist/testcode/testbound.c
  vendor/unbound/dist/testcode/unitmain.c
  vendor/unbound/dist/testdata/02-unittest.tdir/02-unittest.test
  vendor/unbound/dist/testdata/03-testbound.tdir/03-testbound.test
  vendor/unbound/dist/testdata/auth_xfr_host.rpl
  vendor/unbound/dist/testdata/autotrust_init_failsig.rpl
  vendor/unbound/dist/testdata/autotrust_revtp_use.rpl
  vendor/unbound/dist/testdata/black_data.rpl
  vendor/unbound/dist/testdata/black_dnskey.rpl
  vendor/unbound/dist/testdata/black_ds.rpl
  vendor/unbound/dist/testdata/black_ent.rpl
  vendor/unbound/dist/testdata/black_prime.rpl
  vendor/unbound/dist/testdata/black_prime_entry.rpl
  vendor/unbound/dist/testdata/dlv_anchor.rpl
  vendor/unbound/dist/testdata/dlv_ask_higher.rpl
  vendor/unbound/dist/testdata/dlv_below_ta.rpl
  vendor/unbound/dist/testdata/dlv_delegation.rpl
  vendor/unbound/dist/testdata/dlv_ds_lookup.rpl
  vendor/unbound/dist/testdata/dlv_insecure.rpl
  vendor/unbound/dist/testdata/dlv_insecure_negcache.rpl
  vendor/unbound/dist/testdata/dlv_keyretry.rpl
  vendor/unbound/dist/testdata/dlv_negnx.rpl
  vendor/unbound/dist/testdata/dlv_optout.rpl
  vendor/unbound/dist/testdata/dlv_remove_pos.rpl
  vendor/unbound/dist/testdata/dns64_lookup.rpl
  vendor/unbound/dist/testdata/domain_insec_ds.rpl
  vendor/unbound/dist/testdata/fetch_glue.rpl
  vendor/unbound/dist/testdata/fetch_glue_cname.rpl
  vendor/unbound/dist/testdata/fwddlv_parse.rpl
  vendor/unbound/dist/testdata/ipsecmod_bogus_ipseckey.crpl
  vendor/unbound/dist/testdata/ipsecmod_enabled.crpl
  vendor/unbound/dist/testdata/ipsecmod_ignore_bogus_ipseckey.crpl
  vendor/unbound/dist/testdata/ipsecmod_max_ttl.crpl
  vendor/unbound/dist/testdata/ipsecmod_strict.crpl
  vendor/unbound/dist/testdata/ipsecmod_whitelist.crpl
  vendor/unbound/dist/testdata/iter_class_any.rpl
  vendor/unbound/dist/testdata/iter_cname_double.rpl
  vendor/unbound/dist/testdata/iter_cname_nx.rpl
  vendor/unbound/dist/testdata/iter_cname_qnamecopy.rpl
  vendor/unbound/dist/testdata/iter_cycle.rpl
  vendor/unbound/dist/testdata/iter_cycle_noh.rpl
  vendor/unbound/dist/testdata/iter_dname_insec.rpl
  vendor/unbound/dist/testdata/iter_dnsseclame_bug.rpl
  vendor/unbound/dist/testdata/iter_dnsseclame_ds.rpl
  vendor/unbound/dist/testdata/iter_dnsseclame_ds_ok.rpl
  vendor/unbound/dist/testdata/iter_dnsseclame_ta.rpl
  vendor/unbound/dist/testdata/iter_dnsseclame_ta_ok.rpl
  vendor/unbound/dist/testdata/iter_donotq127.rpl
  vendor/unbound/dist/testdata/iter_ds_locate_ns_detach.rpl
  vendor/unbound/dist/testdata/iter_emptydp.rpl
  vendor/unbound/dist/testdata/iter_emptydp_for_glue.rpl
  vendor/unbound/dist/testdata/iter_got6only.rpl
  vendor/unbound/dist/testdata/iter_hint_lame.rpl
  vendor/unbound/dist/testdata/iter_lame_noaa.rpl
  vendor/unbound/dist/testdata/iter_lamescrub.rpl
  vendor/unbound/dist/testdata/iter_mod.rpl
  vendor/unbound/dist/testdata/iter_ns_badip.rpl
  vendor/unbound/dist/testdata/iter_ns_spoof.rpl
  vendor/unbound/dist/testdata/iter_pcdirect.rpl
  vendor/unbound/dist/testdata/iter_prefetch.rpl
  vendor/unbound/dist/testdata/iter_prefetch_childns.rpl
  vendor/unbound/dist/testdata/iter_prefetch_ns.rpl
  vendor/unbound/dist/testdata/iter_primenoglue.rpl
  vendor/unbound/dist/testdata/iter_privaddr.rpl
  vendor/unbound/dist/testdata/iter_reclame_one.rpl
  vendor/unbound/dist/testdata/iter_recurse.rpl
  vendor/unbound/dist/testdata/iter_resolve.rpl
  vendor/unbound/dist/testdata/iter_resolve_minimised.rpl
  vendor/unbound/dist/testdata/iter_scrub_cname_an.rpl
  vendor/unbound/dist/testdata/iter_scrub_dname_insec.rpl
  vendor/unbound/dist/testdata/iter_scrub_dname_rev.rpl
  vendor/unbound/dist/testdata/iter_scrub_dname_sec.rpl
  vendor/unbound/dist/testdata/iter_timeout_ra_aaaa.rpl
  vendor/unbound/dist/testdata/local_ds.rpl
  vendor/unbound/dist/testdata/local_nodefault.rpl
  vendor/unbound/dist/testdata/local_typetransparent.rpl
  vendor/unbound/dist/testdata/nomem_cnametopos.rpl
  vendor/unbound/dist/testdata/stop_nxdomain.rpl
  vendor/unbound/dist/testdata/subnet_cached.crpl
  vendor/unbound/dist/testdata/subnet_derived.crpl
  vendor/unbound/dist/testdata/subnet_format_ip4.crpl
  vendor/unbound/dist/testdata/subnet_max_source.crpl
  vendor/unbound/dist/testdata/subnet_not_whitelisted.crpl
  vendor/unbound/dist/testdata/subnet_val_positive.crpl
  vendor/unbound/dist/testdata/subnet_val_positive_client.crpl
  vendor/unbound/dist/testdata/subnet_without_validator.crpl
  vendor/unbound/dist/testdata/tcp_sigpipe.tdir/tcp_sigpipe.testns
  vendor/unbound/dist/testdata/ttl_max.rpl
  vendor/unbound/dist/testdata/ttl_min.rpl
  vendor/unbound/dist/testdata/ttl_msg.rpl
  vendor/unbound/dist/testdata/val_adbit.rpl
  vendor/unbound/dist/testdata/val_adcopy.rpl
  vendor/unbound/dist/testdata/val_anchor_nx.rpl
  vendor/unbound/dist/testdata/val_anchor_nx_nosig.rpl
  vendor/unbound/dist/testdata/val_ans_dsent.rpl
  vendor/unbound/dist/testdata/val_ans_nx.rpl
  vendor/unbound/dist/testdata/val_any.rpl
  vendor/unbound/dist/testdata/val_any_cname.rpl
  vendor/unbound/dist/testdata/val_any_dname.rpl
  vendor/unbound/dist/testdata/val_cname_loop1.rpl
  vendor/unbound/dist/testdata/val_cname_loop2.rpl
  vendor/unbound/dist/testdata/val_cname_loop3.rpl
  vendor/unbound/dist/testdata/val_cnameinsectopos.rpl
  vendor/unbound/dist/testdata/val_cnamenx_dblnsec.rpl
  vendor/unbound/dist/testdata/val_cnamenx_rcodenx.rpl
  vendor/unbound/dist/testdata/val_cnameqtype.rpl
  vendor/unbound/dist/testdata/val_cnametocnamewctoposwc.rpl
  vendor/unbound/dist/testdata/val_cnametodname.rpl
  vendor/unbound/dist/testdata/val_cnametodnametocnametopos.rpl
  vendor/unbound/dist/testdata/val_cnametonodata.rpl
  vendor/unbound/dist/testdata/val_cnametonodata_nonsec.rpl
  vendor/unbound/dist/testdata/val_cnametonsec.rpl
  vendor/unbound/dist/testdata/val_cnametonx.rpl
  vendor/unbound/dist/testdata/val_cnametooptin.rpl
  vendor/unbound/dist/testdata/val_cnametopos.rpl
  vendor/unbound/dist/testdata/val_cnametoposnowc.rpl
  vendor/unbound/dist/testdata/val_cnametoposwc.rpl
  vendor/unbound/dist/testdata/val_cnamewctonodata.rpl
  vendor/unbound/dist/testdata/val_cnamewctonx.rpl
  vendor/unbound/dist/testdata/val_cnamewctoposwc.rpl
  vendor/unbound/dist/testdata/val_deleg_nons.rpl
  vendor/unbound/dist/testdata/val_dnametopos.rpl
  vendor/unbound/dist/testdata/val_dnametoposwc.rpl
  vendor/unbound/dist/testdata/val_dnamewc.rpl
  vendor/unbound/dist/testdata/val_ds_afterprime.rpl
  vendor/unbound/dist/testdata/val_ds_cname.rpl
  vendor/unbound/dist/testdata/val_ds_cnamesub.rpl
  vendor/unbound/dist/testdata/val_ds_gost.crpl
  vendor/unbound/dist/testdata/val_ds_gost_downgrade.crpl
  vendor/unbound/dist/testdata/val_ds_sha2.crpl
  vendor/unbound/dist/testdata/val_ds_sha2_downgrade.crpl
  vendor/unbound/dist/testdata/val_ds_sha2_lenient.crpl
  vendor/unbound/dist/testdata/val_entds.rpl
  vendor/unbound/dist/testdata/val_keyprefetch.rpl
  vendor/unbound/dist/testdata/val_keyprefetch_verify.rpl
  vendor/unbound/dist/testdata/val_mal_wc.rpl
  vendor/unbound/dist/testdata/val_negcache_ds.rpl
  vendor/unbound/dist/testdata/val_negcache_dssoa.rpl
  vendor/unbound/dist/testdata/val_negcache_nodata.rpl
  vendor/unbound/dist/testdata/val_negcache_nta.rpl
  vendor/unbound/dist/testdata/val_negcache_nxdomain.rpl
  vendor/unbound/dist/testdata/val_noadwhennodo.rpl
  vendor/unbound/dist/testdata/val_nodata.rpl
  vendor/unbound/dist/testdata/val_nodata_ent.rpl
  vendor/unbound/dist/testdata/val_nodata_entnx.rpl
  vendor/unbound/dist/testdata/val_nodata_entwc.rpl
  vendor/unbound/dist/testdata/val_nodata_failsig.rpl
  vendor/unbound/dist/testdata/val_nodata_failwc.rpl
  vendor/unbound/dist/testdata/val_nodata_hasdata.rpl
  vendor/unbound/dist/testdata/val_nodata_zonecut.rpl
  vendor/unbound/dist/testdata/val_nodatawc.rpl
  vendor/unbound/dist/testdata/val_nodatawc_badce.rpl
  vendor/unbound/dist/testdata/val_nodatawc_nodeny.rpl
  vendor/unbound/dist/testdata/val_nodatawc_one.rpl
  vendor/unbound/dist/testdata/val_nsec3_b1_nameerror.rpl
  vendor/unbound/dist/testdata/val_nsec3_b1_nameerror_noce.rpl
  vendor/unbound/dist/testdata/val_nsec3_b1_nameerror_nonc.rpl
  vendor/unbound/dist/testdata/val_nsec3_b1_nameerror_nowc.rpl
  vendor/unbound/dist/testdata/val_nsec3_b21_nodataent.rpl
  vendor/unbound/dist/testdata/val_nsec3_b21_nodataent_wr.rpl
  vendor/unbound/dist/testdata/val_nsec3_b2_nodata.rpl
  vendor/unbound/dist/testdata/val_nsec3_b3_optout.rpl
  vendor/unbound/dist/testdata/val_nsec3_b3_optout_negcache.rpl
  vendor/unbound/dist/testdata/val_nsec3_b3_optout_noce.rpl
  vendor/unbound/dist/testdata/val_nsec3_b3_optout_nonc.rpl
  vendor/unbound/dist/testdata/val_nsec3_b4_wild.rpl
  vendor/unbound/dist/testdata/val_nsec3_b4_wild_wr.rpl
  vendor/unbound/dist/testdata/val_nsec3_b5_wcnodata.rpl
  vendor/unbound/dist/testdata/val_nsec3_b5_wcnodata_noce.rpl
  vendor/unbound/dist/testdata/val_nsec3_b5_wcnodata_nonc.rpl
  vendor/unbound/dist/testdata/val_nsec3_b5_wcnodata_nowc.rpl
  vendor/unbound/dist/testdata/val_nsec3_cname_ds.rpl
  vendor/unbound/dist/testdata/val_nsec3_cname_par.rpl
  vendor/unbound/dist/testdata/val_nsec3_cname_sub.rpl
  vendor/unbound/dist/testdata/val_nsec3_cnametocnamewctoposwc.rpl
  vendor/unbound/dist/testdata/val_nsec3_iter_high.rpl
  vendor/unbound/dist/testdata/val_nsec3_nodatawccname.rpl
  vendor/unbound/dist/testdata/val_nsec3_nods.rpl
  vendor/unbound/dist/testdata/val_nsec3_nods_badopt.rpl
  vendor/unbound/dist/testdata/val_nsec3_nods_badsig.rpl
  vendor/unbound/dist/testdata/val_nsec3_nods_negcache.rpl
  vendor/unbound/dist/testdata/val_nsec3_optout_ad.rpl
  vendor/unbound/dist/testdata/val_nsec3_wcany.rpl
  vendor/unbound/dist/testdata/val_nsec3_wcany_nodeny.rpl
  vendor/unbound/dist/testdata/val_nx.rpl
  vendor/unbound/dist/testdata/val_nx_failwc.rpl
  vendor/unbound/dist/testdata/val_nx_nodeny.rpl
  vendor/unbound/dist/testdata/val_nx_nowc.rpl
  vendor/unbound/dist/testdata/val_nx_nsec3_collision.rpl
  vendor/unbound/dist/testdata/val_nx_nsec3_params.rpl
  vendor/unbound/dist/testdata/val_nx_overreach.rpl
  vendor/unbound/dist/testdata/val_pos_truncns.rpl
  vendor/unbound/dist/testdata/val_positive.rpl
  vendor/unbound/dist/testdata/val_positive_wc.rpl
  vendor/unbound/dist/testdata/val_positive_wc_nodeny.rpl
  vendor/unbound/dist/testdata/val_qds_badanc.rpl
  vendor/unbound/dist/testdata/val_qds_oneanc.rpl
  vendor/unbound/dist/testdata/val_qds_twoanc.rpl
  vendor/unbound/dist/testdata/val_refer_unsignadd.rpl
  vendor/unbound/dist/testdata/val_referd.rpl
  vendor/unbound/dist/testdata/val_referglue.rpl
  vendor/unbound/dist/testdata/val_rrsig.rpl
  vendor/unbound/dist/testdata/val_secds.rpl
  vendor/unbound/dist/testdata/val_spurious_ns.rpl
  vendor/unbound/dist/testdata/val_ta_algo_dnskey.rpl
  vendor/unbound/dist/testdata/val_ta_algo_dnskey_dp.rpl
vendor/unbound/dist/testdata/val_ta_algo_missing.rpl vendor/unbound/dist/testdata/val_ta_algo_missing_dp.rpl vendor/unbound/dist/testdata/val_unalgo_anchor.rpl vendor/unbound/dist/testdata/val_unalgo_dlv.rpl vendor/unbound/dist/testdata/val_unalgo_ds.rpl vendor/unbound/dist/testdata/val_unsec_cname.rpl vendor/unbound/dist/testdata/val_unsecds.rpl vendor/unbound/dist/testdata/val_unsecds_negcache.rpl vendor/unbound/dist/testdata/val_unsecds_qtypeds.rpl vendor/unbound/dist/testdata/val_wild_pos.rpl vendor/unbound/dist/testdata/views.rpl vendor/unbound/dist/util/alloc.c vendor/unbound/dist/util/alloc.h vendor/unbound/dist/util/config_file.c vendor/unbound/dist/util/config_file.h vendor/unbound/dist/util/configlexer.c vendor/unbound/dist/util/configlexer.lex vendor/unbound/dist/util/configparser.c vendor/unbound/dist/util/configparser.h vendor/unbound/dist/util/configparser.y vendor/unbound/dist/util/net_help.c vendor/unbound/dist/util/net_help.h vendor/unbound/dist/util/netevent.c vendor/unbound/dist/winrc/win_svc.c Modified: vendor/unbound/dist/Makefile.in ============================================================================== --- vendor/unbound/dist/Makefile.in Mon Sep 10 16:20:12 2018 (r338561) +++ vendor/unbound/dist/Makefile.in Mon Sep 10 16:30:18 2018 (r338562) @@ -327,7 +327,7 @@ unbound-control$(EXEEXT): $(CONTROL_OBJ_LINK) libunbou $(LINK) -o $@ $(CONTROL_OBJ_LINK) $(EXTRALINK) $(SSLLIB) $(LIBS) unbound-host$(EXEEXT): $(HOST_OBJ_LINK) libunbound.la - $(LINK) -o $@ $(HOST_OBJ_LINK) -L. -L.libs -lunbound $(LIBS) + $(LINK) -o $@ $(HOST_OBJ_LINK) -L. -L.libs -lunbound $(SSLLIB) $(LIBS) unbound-anchor$(EXEEXT): $(UBANCHOR_OBJ_LINK) libunbound.la $(LINK) -o $@ $(UBANCHOR_OBJ_LINK) -L. -L.libs -lunbound -lexpat $(SSLLIB) $(LIBS) 
@@ -360,7 +360,7 @@ memstats$(EXEEXT): $(MEMSTATS_OBJ_LINK) $(LINK) -o $@ $(MEMSTATS_OBJ_LINK) $(SSLLIB) $(LIBS) asynclook$(EXEEXT): $(ASYNCLOOK_OBJ_LINK) libunbound.la - $(LINK) -o $@ $(ASYNCLOOK_OBJ_LINK) $(LIBS) -L. -L.libs -lunbound + $(LINK) -o $@ $(ASYNCLOOK_OBJ_LINK) -L. -L.libs -lunbound $(SSLLIB) $(LIBS) streamtcp$(EXEEXT): $(STREAMTCP_OBJ_LINK) $(LINK) -o $@ $(STREAMTCP_OBJ_LINK) $(SSLLIB) $(LIBS) @@ -1463,7 +1463,7 @@ win_svc.lo win_svc.o: $(srcdir)/winrc/win_svc.c config $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h \ $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \ $(srcdir)/daemon/remote.h \ - $(srcdir)/util/config_file.h $(srcdir)/util/ub_event.h + $(srcdir)/util/config_file.h $(srcdir)/util/ub_event.h $(srcdir)/util/net_help.h w_inst.lo w_inst.o: $(srcdir)/winrc/w_inst.c config.h $(srcdir)/winrc/w_inst.h $(srcdir)/winrc/win_svc.h unbound-service-install.lo unbound-service-install.o: $(srcdir)/winrc/unbound-service-install.c config.h \ $(srcdir)/winrc/w_inst.h Modified: vendor/unbound/dist/compat/arc4random.c ============================================================================== --- vendor/unbound/dist/compat/arc4random.c Mon Sep 10 16:20:12 2018 (r338561) +++ vendor/unbound/dist/compat/arc4random.c Mon Sep 10 16:30:18 2018 (r338562) 
@@ -71,6 +71,72 @@ static struct { static inline void _rs_rekey(u_char *dat, size_t datlen); +/* + * Basic sanity checking; wish we could do better. + */ +static int +fallback_gotdata(char *buf, size_t len) +{ + char any_set = 0; + size_t i; + + for (i = 0; i < len; ++i) + any_set |= buf[i]; + if (any_set == 0) + return -1; + return 0; +} + +/* fallback for getentropy in case libc returns failure */ +static int +fallback_getentropy_urandom(void *buf, size_t len) +{ + size_t i; + int fd, flags; + int save_errno = errno; + +start: + + flags = O_RDONLY; +#ifdef O_NOFOLLOW + flags |= O_NOFOLLOW; +#endif +#ifdef O_CLOEXEC + flags |= O_CLOEXEC; +#endif + fd = open("/dev/urandom", flags, 0); + if (fd == -1) { + if (errno == EINTR) + goto start; + goto nodevrandom; + } +#ifndef O_CLOEXEC +# ifdef HAVE_FCNTL + fcntl(fd, F_SETFD, fcntl(fd, F_GETFD) | FD_CLOEXEC); +# endif +#endif + for (i = 0; i < len; ) { + size_t wanted = len - i; + ssize_t ret = read(fd, (char*)buf + i, wanted); + + if (ret == -1) { + if (errno == EAGAIN || errno == EINTR) + continue; + close(fd); + goto nodevrandom; + } + i += ret; + } + close(fd); + if (fallback_gotdata(buf, len) == 0) { + errno = save_errno; + return 0; /* satisfied */ + } +nodevrandom: + errno = EIO; + return -1; +} + static inline void _rs_init(u_char *buf, size_t n) { @@ -114,11 +180,14 @@ _rs_stir(void) u_char rnd[KEYSZ + IVSZ]; if (getentropy(rnd, sizeof rnd) == -1) { + if(errno != ENOSYS || + fallback_getentropy_urandom(rnd, sizeof rnd) == -1) { #ifdef SIGKILL - raise(SIGKILL); + raise(SIGKILL); #else - exit(9); /* windows */ + exit(9); /* windows */ #endif + } } if (!rs) Modified: vendor/unbound/dist/config.h.in ============================================================================== --- vendor/unbound/dist/config.h.in Mon Sep 10 16:20:12 2018 (r338561) +++ vendor/unbound/dist/config.h.in Mon Sep 10 16:30:18 2018 (r338562) 
@@ -30,6 +30,9 @@ internal symbols */ #undef EXPORT_ALL_SYMBOLS +/* Define to 1 if you have the `accept4' function. */ +#undef HAVE_ACCEPT4 + /* Define to 1 if you have the `arc4random' function. */ #undef HAVE_ARC4RANDOM Modified: vendor/unbound/dist/configure ============================================================================== --- vendor/unbound/dist/configure Mon Sep 10 16:20:12 2018 (r338561) +++ vendor/unbound/dist/configure Mon Sep 10 16:30:18 2018 (r338562) @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for unbound 1.7.1. +# Generated by GNU Autoconf 2.69 for unbound 1.7.2. # # Report bugs to . # @@ -590,8 +590,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='unbound' PACKAGE_TARNAME='unbound' -PACKAGE_VERSION='1.7.1' -PACKAGE_STRING='unbound 1.7.1' +PACKAGE_VERSION='1.7.2' +PACKAGE_STRING='unbound 1.7.2' PACKAGE_BUGREPORT='unbound-bugs@nlnetlabs.nl' PACKAGE_URL='' @@ -1440,7 +1440,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures unbound 1.7.1 to adapt to many kinds of systems. +\`configure' configures unbound 1.7.2 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1505,7 +1505,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of unbound 1.7.1:";; + short | recursive ) echo "Configuration of unbound 1.7.2:";; esac cat <<\_ACEOF @@ -1722,7 +1722,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -unbound configure 1.7.1 +unbound configure 1.7.2 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. 
@@ -2431,7 +2431,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by unbound $as_me 1.7.1, which was +It was created by unbound $as_me 1.7.2, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -2783,11 +2783,11 @@ UNBOUND_VERSION_MAJOR=1 UNBOUND_VERSION_MINOR=7 -UNBOUND_VERSION_MICRO=1 +UNBOUND_VERSION_MICRO=2 LIBUNBOUND_CURRENT=7 -LIBUNBOUND_REVISION=9 +LIBUNBOUND_REVISION=10 LIBUNBOUND_AGE=5 # 1.0.0 had 0:12:0 # 1.0.1 had 0:13:0 @@ -2848,6 +2848,7 @@ LIBUNBOUND_AGE=5 # 1.6.8 had 7:7:5 # 1.7.0 had 7:8:5 # 1.7.1 had 7:9:5 +# 1.7.2 had 7:10:5 # Current -- the number of the binary API that we're implementing # Revision -- which iteration of the implementation of the binary @@ -19467,7 +19468,7 @@ else WINDRES="$ac_cv_prog_WINDRES" fi - LIBS="$LIBS -liphlpapi" + LIBS="$LIBS -liphlpapi -lcrypt32" WINAPPS="unbound-service-install.exe unbound-service-remove.exe anchor-update.exe" WIN_DAEMON_SRC="winrc/win_svc.c winrc/w_inst.c" @@ -19701,7 +19702,7 @@ if test "$ac_res" != no; then : fi -for ac_func in tzset sigprocmask fcntl getpwnam endpwent getrlimit setrlimit setsid chroot kill chown sleep usleep random srandom recvmsg sendmsg writev socketpair glob initgroups strftime localtime_r setusercontext _beginthreadex endservent endprotoent fsync shmget +for ac_func in tzset sigprocmask fcntl getpwnam endpwent getrlimit setrlimit setsid chroot kill chown sleep usleep random srandom recvmsg sendmsg writev socketpair glob initgroups strftime localtime_r setusercontext _beginthreadex endservent endprotoent fsync shmget accept4 do : as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" 
@@ -20854,6 +20855,8 @@ if test "${enable_cachedb+set}" = set; then : enableval=$enable_cachedb; fi +# turn on cachedb when hiredis support is enabled. +if test "$found_libhiredis" = "yes"; then enable_cachedb="yes"; fi case "$enable_cachedb" in yes) @@ -21041,7 +21044,7 @@ _ACEOF -version=1.7.1 +version=1.7.2 date=`date +'%b %e, %Y'` @@ -21560,7 +21563,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by unbound $as_me 1.7.1, which was +This file was extended by unbound $as_me 1.7.2, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -21626,7 +21629,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -unbound config.status 1.7.1 +unbound config.status 1.7.2 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" Modified: vendor/unbound/dist/configure.ac ============================================================================== --- vendor/unbound/dist/configure.ac Mon Sep 10 16:20:12 2018 (r338561) +++ vendor/unbound/dist/configure.ac Mon Sep 10 16:30:18 2018 (r338562) @@ -11,14 +11,14 @@ sinclude(dnscrypt/dnscrypt.m4) # must be numbers. ac_defun because of later processing m4_define([VERSION_MAJOR],[1]) m4_define([VERSION_MINOR],[7]) -m4_define([VERSION_MICRO],[1]) +m4_define([VERSION_MICRO],[2]) AC_INIT(unbound, m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]), unbound-bugs@nlnetlabs.nl, unbound) AC_SUBST(UNBOUND_VERSION_MAJOR, [VERSION_MAJOR]) AC_SUBST(UNBOUND_VERSION_MINOR, [VERSION_MINOR]) AC_SUBST(UNBOUND_VERSION_MICRO, [VERSION_MICRO]) LIBUNBOUND_CURRENT=7 -LIBUNBOUND_REVISION=9 +LIBUNBOUND_REVISION=10 LIBUNBOUND_AGE=5 # 1.0.0 had 0:12:0 # 1.0.1 had 0:13:0 
@@ -79,6 +79,7 @@ LIBUNBOUND_AGE=5 # 1.6.8 had 7:7:5 # 1.7.0 had 7:8:5 # 1.7.1 had 7:9:5 +# 1.7.2 had 7:10:5 # Current -- the number of the binary API that we're implementing # Revision -- which iteration of the implementation of the binary @@ -1245,7 +1246,7 @@ if test "$USE_WINSOCK" = 1; then #include ]) AC_CHECK_TOOL(WINDRES, windres) - LIBS="$LIBS -liphlpapi" + LIBS="$LIBS -liphlpapi -lcrypt32" WINAPPS="unbound-service-install.exe unbound-service-remove.exe anchor-update.exe" AC_SUBST(WINAPPS) WIN_DAEMON_SRC="winrc/win_svc.c winrc/w_inst.c" @@ -1318,7 +1319,7 @@ AC_INCLUDES_DEFAULT #endif ]) AC_SEARCH_LIBS([setusercontext], [util]) -AC_CHECK_FUNCS([tzset sigprocmask fcntl getpwnam endpwent getrlimit setrlimit setsid chroot kill chown sleep usleep random srandom recvmsg sendmsg writev socketpair glob initgroups strftime localtime_r setusercontext _beginthreadex endservent endprotoent fsync shmget]) +AC_CHECK_FUNCS([tzset sigprocmask fcntl getpwnam endpwent getrlimit setrlimit setsid chroot kill chown sleep usleep random srandom recvmsg sendmsg writev socketpair glob initgroups strftime localtime_r setusercontext _beginthreadex endservent endprotoent fsync shmget accept4]) AC_CHECK_FUNCS([setresuid],,[AC_CHECK_FUNCS([setreuid])]) AC_CHECK_FUNCS([setresgid],,[AC_CHECK_FUNCS([setregid])]) 
@@ -1488,6 +1489,8 @@ dnsc_DNSCRYPT([ # check for cachedb if requested AC_ARG_ENABLE(cachedb, AC_HELP_STRING([--enable-cachedb], [enable cachedb module that can use external cache storage])) +# turn on cachedb when hiredis support is enabled. +if test "$found_libhiredis" = "yes"; then enable_cachedb="yes"; fi case "$enable_cachedb" in yes) AC_DEFINE([USE_CACHEDB], [1], [Define to 1 to use cachedb support]) Modified: vendor/unbound/dist/contrib/libunbound.pc.in ============================================================================== --- vendor/unbound/dist/contrib/libunbound.pc.in Mon Sep 10 16:20:12 2018 (r338561) +++ vendor/unbound/dist/contrib/libunbound.pc.in Mon Sep 10 16:30:18 2018 (r338562) @@ -7,7 +7,7 @@ Name: unbound Description: Library with validating, recursive, and caching DNS resolver URL: http://www.unbound.net Version: @PACKAGE_VERSION@ -Requires: libcrypto libssl @PC_LIBEVENT_DEPENDENCY@ @PC_PY_DEPENDENCY@ -Libs: -L${libdir} -lunbound +Requires: @PC_LIBEVENT_DEPENDENCY@ @PC_PY_DEPENDENCY@ +Libs: -L${libdir} -lunbound -lssl -lcrypto Libs.private: @SSLLIB@ @LIBS@ Cflags: -I${includedir} Modified: vendor/unbound/dist/daemon/acl_list.c ============================================================================== --- vendor/unbound/dist/daemon/acl_list.c Mon Sep 10 16:20:12 2018 (r338561) +++ vendor/unbound/dist/daemon/acl_list.c Mon Sep 10 16:30:18 2018 (r338562) @@ -111,6 +111,8 @@ acl_list_str_cfg(struct acl_list* acl, const char* str control = acl_refuse_non_local; else if(strcmp(s2, "allow_snoop") == 0) control = acl_allow_snoop; + else if(strcmp(s2, "allow_setrd") == 0) + control = acl_allow_setrd; else { log_err("access control type %s unknown", str); return 0; Modified: vendor/unbound/dist/daemon/acl_list.h ============================================================================== --- vendor/unbound/dist/daemon/acl_list.h Mon Sep 10 16:20:12 2018 (r338561) +++ vendor/unbound/dist/daemon/acl_list.h Mon Sep 10 16:30:18 2018 (r338562) 
@@ -63,7 +63,9 @@ enum acl_access { /** allow full access for recursion (+RD) queries */ acl_allow, /** allow full access for all queries, recursion and cache snooping */ - acl_allow_snoop + acl_allow_snoop, + /** allow full access for recursion queries and set RD flag regardless of request */ + acl_allow_setrd }; /** Modified: vendor/unbound/dist/daemon/daemon.c ============================================================================== --- vendor/unbound/dist/daemon/daemon.c Mon Sep 10 16:20:12 2018 (r338561) +++ vendor/unbound/dist/daemon/daemon.c Mon Sep 10 16:30:18 2018 (r338562) @@ -704,6 +704,7 @@ daemon_cleanup(struct daemon* daemon) free(daemon->workers); daemon->workers = NULL; daemon->num = 0; + alloc_clear_special(&daemon->superalloc); #ifdef USE_DNSTAP dt_delete(daemon->dtenv); daemon->dtenv = NULL; Modified: vendor/unbound/dist/daemon/unbound.c ============================================================================== --- vendor/unbound/dist/daemon/unbound.c Mon Sep 10 16:20:12 2018 (r338561) +++ vendor/unbound/dist/daemon/unbound.c Mon Sep 10 16:30:18 2018 (r338562) @@ -431,7 +431,7 @@ perform_setup(struct daemon* daemon, struct config_fil fatal_exit("could not set up listen SSL_CTX"); } if(!(daemon->connect_sslctx = connect_sslctx_create(NULL, NULL, - cfg->tls_cert_bundle))) + cfg->tls_cert_bundle, cfg->tls_win_cert))) fatal_exit("could not set up connect SSL_CTX"); #endif Modified: vendor/unbound/dist/daemon/worker.c ============================================================================== --- vendor/unbound/dist/daemon/worker.c Mon Sep 10 16:20:12 2018 (r338561) +++ vendor/unbound/dist/daemon/worker.c Mon Sep 10 16:30:18 2018 (r338562) 
@@ -1351,6 +1351,13 @@ worker_handle_request(struct comm_point* c, void* arg, } /* If this request does not have the recursion bit set, verify + * ACLs allow the recursion bit to be treated as set. */ + if(!(LDNS_RD_WIRE(sldns_buffer_begin(c->buffer))) && + acl == acl_allow_setrd ) { + LDNS_RD_SET(sldns_buffer_begin(c->buffer)); + } + + /* If this request does not have the recursion bit set, verify * ACLs allow the snooping. */ if(!(LDNS_RD_WIRE(sldns_buffer_begin(c->buffer))) && acl != acl_allow_snoop ) { Modified: vendor/unbound/dist/doc/Changelog ============================================================================== --- vendor/unbound/dist/doc/Changelog Mon Sep 10 16:20:12 2018 (r338561) +++ vendor/unbound/dist/doc/Changelog Mon Sep 10 16:30:18 2018 (r338562) 
@@ -1,8 +1,80 @@ +4 June 2018: Wouter + - Fix deadlock caused by incoming notify for auth-zone. + - tag for 1.7.2rc1 + +1 June 2018: Wouter + - Rename additional-tls-port to tls-additional-ports. + The older name is accepted for backwards compatibility. + +30 May 2018: Wouter + - Patch from Syzdek: Add ability to ignore RD bit and treat all + requests as if the RD bit is set. + +29 May 2018: Wouter + - in compat/arc4random call getentropy_urandom when getentropy fails + with ENOSYS. + - Fix that fallback for windows port. + +28 May 2018: Wouter + - Fix windows tcp and tls spin on events. + - Add routine from getdns to add windows cert store to the SSL_CTX. + - tls-win-cert option that adds the system certificate store for + authenticating DNS-over-TLS connections. It can be used instead + of the tls-cert-bundle option, or with it to add certificates. + +25 May 2018: Wouter + - For TCP and TLS connections that don't establish, perform address + update in infra cache, so future selections can exclude them. + - Fix that tcp sticky events are removed for closed fd on windows. + - Fix close events for tcp only. + +24 May 2018: Wouter + - Fix that libunbound can do DNS-over-TLS, when configured. + - Fix that windows unbound service can use DNS-over-TLS. + - unbound-host initializes ssl (for potential DNS-over-TLS usage + inside libunbound), when ssl upstream or a cert-bundle is configured. + +23 May 2018: Wouter + - Use accept4 to speed up incoming TCP (and TLS) connections, + available on Linux, FreeBSD and OpenBSD. + +17 May 2018: Ralph + - Qname minimisation default changed to yes. + +15 May 2018: Wouter + - Fix low-rtt-pct to low-rtt-permil, as it is parts in one thousand. + +11 May 2018: Wouter + - Fix contrib/libunbound.pc for libssl libcrypto references, + from https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=226914 + +7 May 2018: Wouter + - Fix windows to not have sticky TLS events for TCP. + - Fix read of DNS over TLS length and data in one read call. 
+ - Fix mesh state assertion failure due to callback removal. + +3 May 2018: Wouter + - Fix that configure --with-libhiredis also turns on cachedb. + - Fix gcc 8 buffer warning in testcode. + - Fix function type cast warning in libunbound context callback type. + +2 May 2018: Wouter + - Fix fail to reject dead peers in forward-zone, with ssl-upstream. + +1 May 2018: Wouter + - Fix that unbound-control reload frees the rrset keys and returns + the memory pages to the system. + +30 April 2018: Wouter + - Fix spelling error in man page and note defaults as no instead of + off. + 26 April 2018: Wouter - Fix for crash in daemon_cleanup with dnstap during reload, from Saksham Manchanda. - Also that for dnscrypt. - - tag for 1.7.1rc1 release. + - tag for 1.7.1rc1 release. Became 1.7.1 release on 3 May, trunk + is from here 1.7.2 in development. 25 April 2018: Ralph - Fix memory leak when caching wildcard records for aggressive NSEC use Modified: vendor/unbound/dist/doc/README ============================================================================== --- vendor/unbound/dist/doc/README Mon Sep 10 16:20:12 2018 (r338561) +++ vendor/unbound/dist/doc/README Mon Sep 10 16:30:18 2018 (r338562) @@ -1,4 +1,4 @@ -README for Unbound 1.7.1 +README for Unbound 1.7.2 Copyright 2007 NLnet Labs http://unbound.net Modified: vendor/unbound/dist/doc/example.conf.in ============================================================================== --- vendor/unbound/dist/doc/example.conf.in Mon Sep 10 16:20:12 2018 (r338561) +++ vendor/unbound/dist/doc/example.conf.in Mon Sep 10 16:30:18 2018 (r338562) @@ -1,7 +1,7 @@ # # Example configuration file. # -# See unbound.conf(5) man page, version 1.7.1. +# See unbound.conf(5) man page, version 1.7.2. # # this is a comment. 
@@ -223,7 +223,8 @@ server: # to this server. Specify classless netblocks with /size and action. # By default everything is refused, except for localhost. # Choose deny (drop message), refuse (polite error reply), - # allow (recursive ok), allow_snoop (recursive and nonrecursive ok) + # allow (recursive ok), allow_setrd (recursive ok, rd bit is forced on), + # allow_snoop (recursive and nonrecursive ok) # deny_non_local (drop queries unless can be answered from local-data) # refuse_non_local (like deny_non_local but polite error reply). # access-control: 0.0.0.0/0 refuse @@ -372,7 +373,7 @@ server: # Sent minimum amount of information to upstream servers to enhance # privacy. Only sent minimum required labels of the QNAME and set QTYPE # to A when possible. - # qname-minimisation: no + # qname-minimisation: yes # QNAME minimisation in strict mode. Do not fall-back to sending full # QNAME to potentially broken nameservers. A lot of domains will not be @@ -681,8 +682,11 @@ server: # Certificates used to authenticate connections made upstream. # tls-cert-bundle: "" + # Add system certs to the cert bundle, from the Windows Cert Store + # tls-win-cert: no + # Also serve tls on these port numbers (eg. 443, ...), by listing - # additional-tls-port: portno for each of the port numbers. + # tls-additional-ports: portno for each of the port numbers. # DNS64 prefix. Must be specified when DNS64 is use. # Enable dns64 in module-config. Used to synthesize IPv6 from IPv4. 
@@ -725,7 +729,7 @@ server: # low-rtt: 45 # select low rtt this many times out of 1000. 0 means the fast server # select is disabled. prefetches are not sped up. - # low-rtt-pct: 0 + # low-rtt-permil: 0 # Specific options for ipsecmod. unbound needs to be configured with # --enable-ipsecmod for these to take effect. Modified: vendor/unbound/dist/doc/libunbound.3.in ============================================================================== --- vendor/unbound/dist/doc/libunbound.3.in Mon Sep 10 16:20:12 2018 (r338561) +++ vendor/unbound/dist/doc/libunbound.3.in Mon Sep 10 16:30:18 2018 (r338562) @@ -1,4 +1,4 @@ -.TH "libunbound" "3" "May 3, 2018" "NLnet Labs" "unbound 1.7.1" +.TH "libunbound" "3" "Jun 11, 2018" "NLnet Labs" "unbound 1.7.2" .\" .\" libunbound.3 -- unbound library functions manual .\" @@ -43,7 +43,7 @@ .B ub_ctx_zone_remove, .B ub_ctx_data_add, .B ub_ctx_data_remove -\- Unbound DNS validating resolver 1.7.1 functions. +\- Unbound DNS validating resolver 1.7.2 functions. .SH "SYNOPSIS" .B #include .LP Modified: vendor/unbound/dist/doc/unbound-anchor.8.in ============================================================================== --- vendor/unbound/dist/doc/unbound-anchor.8.in Mon Sep 10 16:20:12 2018 (r338561) +++ vendor/unbound/dist/doc/unbound-anchor.8.in Mon Sep 10 16:30:18 2018 (r338562) @@ -1,4 +1,4 @@ -.TH "unbound-anchor" "8" "May 3, 2018" "NLnet Labs" "unbound 1.7.1" +.TH "unbound-anchor" "8" "Jun 11, 2018" "NLnet Labs" "unbound 1.7.2" .\" .\" unbound-anchor.8 -- unbound anchor maintenance utility manual .\" Modified: vendor/unbound/dist/doc/unbound-checkconf.8.in ============================================================================== --- vendor/unbound/dist/doc/unbound-checkconf.8.in Mon Sep 10 16:20:12 2018 (r338561) +++ vendor/unbound/dist/doc/unbound-checkconf.8.in Mon Sep 10 16:30:18 2018 (r338562) 
@@ -1,4 +1,4 @@ -.TH "unbound-checkconf" "8" "May 3, 2018" "NLnet Labs" "unbound 1.7.1" +.TH "unbound-checkconf" "8" "Jun 11, 2018" "NLnet Labs" "unbound 1.7.2" .\" .\" unbound-checkconf.8 -- unbound configuration checker manual .\" Modified: vendor/unbound/dist/doc/unbound-control.8.in ============================================================================== --- vendor/unbound/dist/doc/unbound-control.8.in Mon Sep 10 16:20:12 2018 (r338561) +++ vendor/unbound/dist/doc/unbound-control.8.in Mon Sep 10 16:30:18 2018 (r338562) @@ -1,4 +1,4 @@ -.TH "unbound-control" "8" "May 3, 2018" "NLnet Labs" "unbound 1.7.1" +.TH "unbound-control" "8" "Jun 11, 2018" "NLnet Labs" "unbound 1.7.2" .\" .\" unbound-control.8 -- unbound remote control manual .\" Modified: vendor/unbound/dist/doc/unbound-host.1.in ============================================================================== --- vendor/unbound/dist/doc/unbound-host.1.in Mon Sep 10 16:20:12 2018 (r338561) +++ vendor/unbound/dist/doc/unbound-host.1.in Mon Sep 10 16:30:18 2018 (r338562) @@ -1,4 +1,4 @@ -.TH "unbound\-host" "1" "May 3, 2018" "NLnet Labs" "unbound 1.7.1" +.TH "unbound\-host" "1" "Jun 11, 2018" "NLnet Labs" "unbound 1.7.2" .\" .\" unbound-host.1 -- unbound DNS lookup utility .\" Modified: vendor/unbound/dist/doc/unbound.8.in ============================================================================== --- vendor/unbound/dist/doc/unbound.8.in Mon Sep 10 16:20:12 2018 (r338561) +++ vendor/unbound/dist/doc/unbound.8.in Mon Sep 10 16:30:18 2018 (r338562) @@ -1,4 +1,4 @@ -.TH "unbound" "8" "May 3, 2018" "NLnet Labs" "unbound 1.7.1" +.TH "unbound" "8" "Jun 11, 2018" "NLnet Labs" "unbound 1.7.2" .\" .\" unbound.8 -- unbound manual .\" 
@@ -9,7 +9,7 @@ .\" .SH "NAME" .B unbound -\- Unbound DNS validating resolver 1.7.1. +\- Unbound DNS validating resolver 1.7.2. .SH "SYNOPSIS" .B unbound .RB [ \-h ] Modified: vendor/unbound/dist/doc/unbound.conf.5.in ============================================================================== --- vendor/unbound/dist/doc/unbound.conf.5.in Mon Sep 10 16:20:12 2018 (r338561) +++ vendor/unbound/dist/doc/unbound.conf.5.in Mon Sep 10 16:30:18 2018 (r338562) @@ -1,4 +1,4 @@ -.TH "unbound.conf" "5" "May 3, 2018" "NLnet Labs" "unbound 1.7.1" +.TH "unbound.conf" "5" "Jun 11, 2018" "NLnet Labs" "unbound 1.7.2" .\" .\" unbound.conf.5 -- unbound.conf manual .\" @@ -403,6 +403,8 @@ Enabled or disable whether the upstream queries use TL Default is no. Useful in tunneling scenarios. The TLS contains plain DNS in TCP wireformat. The other server must support this (see \fBtls\-service\-key\fR). +If you enable this, also configure a tls\-cert\-bundle or use tls\-win\cert to +load CA certs, otherwise the connections cannot be authenticated. .TP .B ssl\-upstream: \fI Alternate syntax for \fBtls\-upstream\fR. If both are present in the config @@ -444,8 +446,14 @@ urls, and also DNS over TLS connections. .B ssl\-cert\-bundle: \fI Alternate syntax for \fBtls\-cert\-bundle\fR. .TP -.B additional\-tls\-port: \fI -List portnumbers as additional\-tls\-port, and when interfaces are defined, +.B tls\-win\-cert: \fI +Add the system certificates to the cert bundle certificates for authentication. +If no cert bundle, it uses only these certificates. Default is no. +On windows this option uses the certificates from the cert store. Use +the tls\-cert\-bundle option on other systems. +.TP +.B tls\-additional\-ports: \fI +List portnumbers as tls\-additional\-ports, and when interfaces are defined, eg. with the @port suffix, as this port number, they provide dns over TLS service. Can list multiple, each on a new statement. .TP 
@@ -461,7 +469,8 @@ Default is yes. .B access\-control: \fI The netblock is given as an IP4 or IP6 address with /size appended for a classless network block. The action can be \fIdeny\fR, \fIrefuse\fR, -\fIallow\fR, \fIallow_snoop\fR, \fIdeny_non_local\fR or \fIrefuse_non_local\fR. +\fIallow\fR, \fIallow_setrd\fR, \fIallow_snoop\fR, \fIdeny_non_local\fR or +\fIrefuse_non_local\fR. The most specific netblock match is used, if none match \fIdeny\fR is used. .IP The action \fIdeny\fR stops queries from hosts from that netblock. @@ -480,6 +489,15 @@ in the reply. This supports normal operations where n are made for the authoritative data. For nonrecursive queries any replies from the dynamic cache are refused. .IP +The \fIallow_setrd\fR action ignores the recursion desired (RD) bit and +treats all requests as if the recursion desired bit is set. Note that this +behavior violates RFC 1034 which states that a name server should never perform +recursive service unless asked via the RD bit since this interferes with +trouble shooting of name servers and their databases. This prohibited behavior +may be useful if another DNS server must forward requests for specific +zones to a resolver DNS server, but only supports stub domains and +sends queries to the resolver DNS server with the RD bit cleared. +.IP The action \fIallow_snoop\fR gives nonrecursive access too. This give both recursive and non recursive access. The name \fIallow_snoop\fR refers to cache snooping, a technique to use nonrecursive queries to examine 
@@ -691,7 +709,7 @@ infrastructure data. Validates the replies if trust a and the zones are signed. This enforces DNSSEC validation on nameserver NS sets and the nameserver addresses that are encountered on the referral path to the answer. -Default off, because it burdens the authority servers, and it is +Default no, because it burdens the authority servers, and it is not RFC standard, and could lead to performance problems because of the extra query load that is generated. Experimental option. If you enable it consider adding more numbers after the target\-fetch\-policy @@ -722,7 +740,7 @@ Send minimum amount of information to upstream servers Only sent minimum required labels of the QNAME and set QTYPE to A when possible. Best effort approach; full QNAME and original QTYPE will be sent when upstream replies with a RCODE other than NOERROR, except when receiving -NXDOMAIN from a DNSSEC signed zone. Default is off. +NXDOMAIN from a DNSSEC signed zone. Default is yes. .TP .B qname\-minimisation\-strict: \fI QNAME minimisation in strict mode. Do not fall-back to sending full QNAME to @@ -1315,10 +1333,10 @@ factor given. .TP 5 .B low\-rtt: \fI Set the time in millisecond that is considere a low ping time for fast -server selection with the low\-rtt\-pct option, that turns this on or off. +server selection with the low\-rtt\-permil option, that turns this on or off. The default is 45 msec, a number from IPv6 quick response documents. .TP 5 -.B low\-rtt\-pct: \fI +.B low\-rtt\-permil: \fI Specify how many times out of 1000 to pick the fast server from the low rtt band. 0 turns the feature off. A value of 900 would pick the fast server when such fast servers are available 90 percent of the time, and 
@@ -1328,7 +1346,7 @@ sped up, because there is no one waiting for it, and i moment to perform server exploration. The low\-rtt option can be used to specify which servers are picked for fast server selection, servers with a ping roundtrip time below that value are considered. -The default for low\-rtt\-pct is 0. +The default for low\-rtt\-permil is 0. .SS "Remote Control Options" In the .B remote\-control: @@ -1429,7 +1447,7 @@ IP address of stub zone nameserver. Can be IP 4 or IP To use a nondefault port for DNS communication append '@' with the port number. .TP .B stub\-prime: \fI -This option is by default off. If enabled it performs NS set priming, +This option is by default no. If enabled it performs NS set priming, which is similar to root hints, where it starts using the list of nameservers currently published by the zone. Thus, if the hint list is slightly outdated, the resolver picks up a correct list online. @@ -1490,6 +1508,8 @@ The default is no. .B forward\-tls\-upstream: \fI Enabled or disable whether the queries to this forwarder use TLS for transport. Default is no. +If you enable this, also configure a tls\-cert\-bundle or use tls\-win\cert to +load CA certs, otherwise the connections cannot be authenticated. .TP .B forward\-ssl\-upstream: \fI Alternate syntax for \fBforward\-tls\-upstream\fR. 
@@ -1827,7 +1847,7 @@ If Unbound was built with on a system that has installed the hiredis C client library of Redis, then the "redis" backend can be used. This backend communicates with the specified Redis server over a TCP -connection to store and retrive cache data. +connection to store and retrieve cache data. It can be used as a persistent and/or shared cache backend. It should be noted that Unbound never removes data stored in the Redis server, even if some data have expired in terms of DNS TTL or the Redis server has Modified: vendor/unbound/dist/iterator/iter_utils.c ============================================================================== --- vendor/unbound/dist/iterator/iter_utils.c Mon Sep 10 16:20:12 2018 (r338561) +++ vendor/unbound/dist/iterator/iter_utils.c Mon Sep 10 16:30:18 2018 (r338562) @@ -329,9 +329,9 @@ iter_filter_order(struct iter_env* iter_env, struct mo return 0 to force the caller to fetch more */ } - if(env->cfg->low_rtt_pct != 0 && prefetch == 0 && + if(env->cfg->low_rtt_permil != 0 && prefetch == 0 && low_rtt < env->cfg->low_rtt && - ub_random_max(env->rnd, 1000) < env->cfg->low_rtt_pct) { + ub_random_max(env->rnd, 1000) < env->cfg->low_rtt_permil) { /* the query is not prefetch, but for a downstream client, * there is a low_rtt (fast) server. We choose that x% of the * time */ Modified: vendor/unbound/dist/libunbound/context.c ============================================================================== --- vendor/unbound/dist/libunbound/context.c Mon Sep 10 16:20:12 2018 (r338561) +++ vendor/unbound/dist/libunbound/context.c Mon Sep 10 16:30:18 2018 (r338562) @@ -130,7 +130,7 @@ find_id(struct ub_ctx* ctx, int* id) struct ctx_query* context_new(struct ub_ctx* ctx, const char* name, int rrtype, int rrclass, - ub_callback_type cb, void* cbarg) + ub_callback_type cb, ub_event_callback_type cb_event, void* cbarg) { struct ctx_query* q = (struct ctx_query*)calloc(1, sizeof(*q)); if(!q) return NULL; 
@@ -142,8 +142,9 @@ context_new(struct ub_ctx* ctx, const char* name, int } lock_basic_unlock(&ctx->cfglock); q->node.key = &q->querynum; - q->async = (cb != NULL); + q->async = (cb != NULL || cb_event != NULL); q->cb = cb; + q->cb_event = cb_event; q->cb_arg = cbarg; q->res = (struct ub_result*)calloc(1, sizeof(*q->res)); if(!q->res) { Modified: vendor/unbound/dist/libunbound/context.h ============================================================================== --- vendor/unbound/dist/libunbound/context.h Mon Sep 10 16:20:12 2018 (r338561) +++ vendor/unbound/dist/libunbound/context.h Mon Sep 10 16:30:18 2018 (r338562) @@ -45,6 +45,7 @@ #include "util/rbtree.h" #include "services/modstack.h" #include "libunbound/unbound.h" +#include "libunbound/unbound-event.h" #include "util/data/packed_rrset.h" struct libworker; struct tube; @@ -148,8 +149,10 @@ struct ctx_query { /** was this query cancelled (for bg worker) */ int cancelled; - /** for async query, the callback function */ + /** for async query, the callback function of type ub_callback_type */ ub_callback_type cb; + /** for event callbacks the type is ub_event_callback_type */ + ub_event_callback_type cb_event; /** for async query, the callback user arg */ void* cb_arg; 
@@ -238,11 +241,13 @@ void context_query_delete(struct ctx_query* q); * @param rrtype: type * @param rrclass: class * @param cb: callback for async, or NULL for sync. + * @param cb_event: event callback for async, or NULL for sync. * @param cbarg: user arg for async queries. * @return new ctx_query or NULL for malloc failure. */ struct ctx_query* context_new(struct ub_ctx* ctx, const char* name, int rrtype, - int rrclass, ub_callback_type cb, void* cbarg); + int rrclass, ub_callback_type cb, ub_event_callback_type cb_event, + void* cbarg); /** * Get a new alloc. Creates a new one or uses a cached one. Modified: vendor/unbound/dist/libunbound/libunbound.c ============================================================================== --- vendor/unbound/dist/libunbound/libunbound.c Mon Sep 10 16:20:12 2018 (r338561) +++ vendor/unbound/dist/libunbound/libunbound.c Mon Sep 10 16:30:18 2018 (r338562) @@ -690,7 +690,7 @@ ub_resolve(struct ub_ctx* ctx, const char* name, int r } /* create new ctx_query and attempt to add to the list */ lock_basic_unlock(&ctx->cfglock); - q = context_new(ctx, name, rrtype, rrclass, NULL, NULL); + q = context_new(ctx, name, rrtype, rrclass, NULL, NULL, NULL); if(!q) return UB_NOMEM; /* become a resolver thread for a bit */ @@ -747,8 +747,7 @@ ub_resolve_event(struct ub_ctx* ctx, const char* name, ub_comm_base_now(ctx->event_worker->base); /* create new ctx_query and attempt to add to the list */ - q = context_new(ctx, name, rrtype, rrclass, (ub_callback_type)callback, - mydata); + q = context_new(ctx, name, rrtype, rrclass, NULL, callback, mydata); if(!q) return UB_NOMEM; 
@@ -793,7 +792,7 @@ ub_resolve_async(struct ub_ctx* ctx, const char* name, } /* create new ctx_query and attempt to add to the list */ - q = context_new(ctx, name, rrtype, rrclass, callback, mydata); + q = context_new(ctx, name, rrtype, rrclass, callback, NULL, mydata); if(!q) return UB_NOMEM; Modified: vendor/unbound/dist/libunbound/libworker.c ============================================================================== --- vendor/unbound/dist/libunbound/libworker.c Mon Sep 10 16:20:12 2018 (r338561) +++ vendor/unbound/dist/libunbound/libworker.c Mon Sep 10 16:30:18 2018 (r338562) @@ -158,9 +158,9 @@ libworker_setup(struct ub_ctx* ctx, int is_bg, struct hints_delete(w->env->hints); w->env->hints = NULL; } - if(cfg->ssl_upstream) { + if(cfg->ssl_upstream || (cfg->tls_cert_bundle && cfg->tls_cert_bundle[0]) || cfg->tls_win_cert) { w->sslctx = connect_sslctx_create(NULL, NULL, - cfg->tls_cert_bundle); + cfg->tls_cert_bundle, cfg->tls_win_cert); if(!w->sslctx) { /* to make the setup fail after unlock */ hints_delete(w->env->hints); @@ -637,7 +637,7 @@ libworker_event_done_cb(void* arg, int rcode, sldns_bu enum sec_status s, char* why_bogus) { struct ctx_query* q = (struct ctx_query*)arg; - ub_event_callback_type cb = (ub_event_callback_type)q->cb; + ub_event_callback_type cb = q->cb_event; void* cb_arg = q->cb_arg; int cancelled = q->cancelled; Modified: vendor/unbound/dist/services/authzone.c ============================================================================== --- vendor/unbound/dist/services/authzone.c Mon Sep 10 16:20:12 2018 (r338561) +++ vendor/unbound/dist/services/authzone.c Mon Sep 10 16:30:18 2018 (r338562) 
@@ -3425,14 +3425,17 @@ xfr_process_notify(struct auth_xfer* xfr, struct modul { /* if the serial of notify is older than we have, don't fetch * a zone, we already have it */ - if(has_serial && !xfr_serial_means_update(xfr, serial)) + if(has_serial && !xfr_serial_means_update(xfr, serial)) { + lock_basic_unlock(&xfr->lock); return; + } /* start new probe with this addr src, or note serial */ if(!xfr_start_probe(xfr, env, fromhost)) { /* not started because already in progress, note the serial */ xfr_note_notify_serial(xfr, has_serial, serial); lock_basic_unlock(&xfr->lock); } + /* successful end of start_probe unlocked xfr->lock */ } int auth_zones_notify(struct auth_zones* az, struct module_env* env, Modified: vendor/unbound/dist/services/listen_dnsport.c ============================================================================== --- vendor/unbound/dist/services/listen_dnsport.c Mon Sep 10 16:20:12 2018 (r338561) +++ vendor/unbound/dist/services/listen_dnsport.c Mon Sep 10 16:30:18 2018 (r338562) @@ -1059,7 +1059,7 @@ set_recvpktinfo(int s, int family) /** see if interface is ssl, its port number == the ssl port number */ static int if_is_ssl(const char* ifname, const char* port, int ssl_port, - struct config_strlist* additional_tls_port) + struct config_strlist* tls_additional_ports) { struct config_strlist* s; char* p = strchr(ifname, '@'); @@ -1067,7 +1067,7 @@ if_is_ssl(const char* ifname, const char* port, int ss return 1; if(p && atoi(p+1) == ssl_port) return 1; - for(s = additional_tls_port; s; s = s->next) { + for(s = tls_additional_ports; s; s = s->next) { if(p && atoi(p+1) == atoi(s->str)) return 1; if(!p && atoi(port) == atoi(s->str)) 
@@ -1089,7 +1089,7 @@ if_is_ssl(const char* ifname, const char* port, int ss * @param rcv: receive buffer size for UDP * @param snd: send buffer size for UDP * @param ssl_port: ssl service port number - * @param additional_tls_port: list of additional ssl service port numbers. + * @param tls_additional_ports: list of additional ssl service port numbers. * @param reuseport: try to set SO_REUSEPORT if nonNULL and true. * set to false on exit if reuseport failed due to no kernel support. * @param transparent: set IP_TRANSPARENT socket option. @@ -1103,7 +1103,7 @@ static int ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp, struct addrinfo *hints, const char* port, struct listen_port** list, size_t rcv, size_t snd, int ssl_port, - struct config_strlist* additional_tls_port, int* reuseport, + struct config_strlist* tls_additional_ports, int* reuseport, int transparent, int tcp_mss, int freebind, int use_systemd, int dnscrypt_port) { @@ -1170,7 +1170,7 @@ ports_create_if(const char* ifname, int do_auto, int d } if(do_tcp) { int is_ssl = if_is_ssl(ifname, port, ssl_port, - additional_tls_port); + tls_additional_ports); if((s = make_sock_port(SOCK_STREAM, ifname, port, hints, 1, &noip6, 0, 0, reuseport, transparent, tcp_mss, freebind, use_systemd)) == -1) { @@ -1356,7 +1356,7 @@ listening_ports_open(struct config_file* cfg, int* reu do_auto, cfg->do_udp, do_tcp, &hints, portbuf, &list, cfg->so_rcvbuf, cfg->so_sndbuf, - cfg->ssl_port, cfg->additional_tls_port, + cfg->ssl_port, cfg->tls_additional_ports, reuseport, cfg->ip_transparent, cfg->tcp_mss, cfg->ip_freebind, cfg->use_systemd, cfg->dnscrypt_port)) { 
@@ -1370,7 +1370,7 @@ listening_ports_open(struct config_file* cfg, int* reu do_auto, cfg->do_udp, do_tcp, &hints, portbuf, &list, cfg->so_rcvbuf, cfg->so_sndbuf, - cfg->ssl_port, cfg->additional_tls_port, + cfg->ssl_port, cfg->tls_additional_ports, reuseport, cfg->ip_transparent, cfg->tcp_mss, cfg->ip_freebind, cfg->use_systemd, cfg->dnscrypt_port)) { @@ -1386,7 +1386,7 @@ listening_ports_open(struct config_file* cfg, int* reu if(!ports_create_if(cfg->ifs[i], 0, cfg->do_udp, do_tcp, &hints, portbuf, &list, cfg->so_rcvbuf, cfg->so_sndbuf, - cfg->ssl_port, cfg->additional_tls_port, + cfg->ssl_port, cfg->tls_additional_ports, reuseport, cfg->ip_transparent, cfg->tcp_mss, cfg->ip_freebind, cfg->use_systemd, cfg->dnscrypt_port)) { @@ -1400,7 +1400,7 @@ listening_ports_open(struct config_file* cfg, int* reu if(!ports_create_if(cfg->ifs[i], 0, cfg->do_udp, do_tcp, &hints, portbuf, &list, cfg->so_rcvbuf, cfg->so_sndbuf, - cfg->ssl_port, cfg->additional_tls_port, + cfg->ssl_port, cfg->tls_additional_ports, reuseport, cfg->ip_transparent, cfg->tcp_mss, cfg->ip_freebind, cfg->use_systemd, cfg->dnscrypt_port)) { Modified: vendor/unbound/dist/services/mesh.c ============================================================================== --- vendor/unbound/dist/services/mesh.c Mon Sep 10 16:20:12 2018 (r338561) +++ vendor/unbound/dist/services/mesh.c Mon Sep 10 16:30:18 2018 (r338562) 
@@ -1173,6 +1173,10 @@ void mesh_query_done(struct mesh_state* mstate) while((c = mstate->cb_list) != NULL) { /* take this cb off the list; so that the list can be * changed, eg. by adds from the callback routine */ + if(!mstate->reply_list && mstate->cb_list && !c->next) { + /* was a reply state, not anymore */ + mstate->s.env->mesh->num_reply_states--; + } mstate->cb_list = c->next; if(!mstate->reply_list && !mstate->cb_list && mstate->super_set.count == 0) Modified: vendor/unbound/dist/services/outside_network.c ============================================================================== --- vendor/unbound/dist/services/outside_network.c Mon Sep 10 16:20:12 2018 (r338561) +++ vendor/unbound/dist/services/outside_network.c Mon Sep 10 16:30:18 2018 (r338562) @@ -1301,8 +1301,8 @@ pending_tcp_query(struct serviced_query* sq, sldns_buf w->ssl_upstream = sq->ssl_upstream; w->tls_auth_name = sq->tls_auth_name; #ifndef S_SPLINT_S - tv.tv_sec = timeout; - tv.tv_usec = 0; + tv.tv_sec = timeout/1000; + tv.tv_usec = (timeout%1000)*1000; #endif comm_timer_set(w->timer, &tv); if(pend) { @@ -1812,7 +1812,12 @@ serviced_tcp_callback(struct comm_point* c, void* arg, } if(sq->tcp_upstream || sq->ssl_upstream) { struct timeval now = *sq->outnet->now_tv; - if(now.tv_sec > sq->last_sent_time.tv_sec || + if(error!=NETEVENT_NOERROR) { + if(!infra_rtt_update(sq->outnet->infra, &sq->addr, + sq->addrlen, sq->zone, sq->zonelen, sq->qtype, + -1, sq->last_rtt, (time_t)now.tv_sec)) + log_err("out of memory in TCP exponential backoff."); + } else if(now.tv_sec > sq->last_sent_time.tv_sec || (now.tv_sec == sq->last_sent_time.tv_sec && now.tv_usec > sq->last_sent_time.tv_usec)) { /* convert from microseconds to milliseconds */ *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
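Review bot: in the daemon/worker.c hunk in worker_handle_request, the snoop check that follows the new block now depends on a side effect: LDNS_RD_SET rewrites the request header in c->buffer in place, so the second `if(!(LDNS_RD_WIRE(sldns_buffer_begin(c->buffer))) && acl != acl_allow_snoop)` test passes for allow_setrd clients only because the first block already flipped the bit, and any later code that reads the header from c->buffer sees RD=1 although the client sent RD=0. Either fold the two `!(LDNS_RD_WIRE(...))` tests into one block, or extend the comment on the snoop check to say that allow_setrd is admitted by the rewrite above, so the ordering is not broken by a future reshuffle. Since the action grants exactly the recursion that allow grants, it also belongs in the same netblock-scoping advice as allow.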
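Review bot: the 29 May 2018 Changelog entry (compat/arc4random falls back to getentropy_urandom when getentropy fails with ENOSYS) is the entropy-source change in this import, but compat/arc4random lies past the truncation point of this diff, so it cannot be reviewed here; please confirm the fallback is taken for ENOSYS only and that other getentropy errors still fail hard rather than silently switching the entropy source.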
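Review bot: the 1 June 2018 Changelog entry says additional-tls-port is still accepted for backwards compatibility, but the unbound.conf.5.in hunk deletes the `.B additional\-tls\-port:` entry outright and example.conf.in only shows the new spelling. Keep a one-line entry for the old name in the style the same file already uses for aliases ("Alternate syntax for \fBtls\-upstream\fR", "Alternate syntax for \fBtls\-cert\-bundle\fR") so the spelling that the parser accepts stays documented.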
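Review bot: the 15 May 2018 Changelog entry renames low-rtt-pct to low-rtt-permil but, unlike the additional-tls-port entry, does not say whether the old keyword is still parsed, and the example.conf.in, unbound.conf.5.in and iterator/iter_utils.c hunks replace the old name everywhere. If the config parser no longer accepts low-rtt-pct, an existing unbound.conf that sets it will fail to load after this upgrade; either keep an alias as was done for the TLS port option, or state the incompatibility in the Changelog.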
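Review bot: the 17 May 2018 Changelog line "Qname minimisation default changed to yes" flips a default that alters what every upstream query looks like on the wire; the example.conf.in and unbound.conf.5.in hunks update the documented default consistently, but the Changelog should say that operators who depend on full-QNAME queries now have to set qname-minimisation: no explicitly.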
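Review bot: in the unbound.conf.5.in hunks for tls\-upstream and forward\-tls\-upstream, the added sentence "or use tls\-win\cert to load CA certs" spells the option with `\c` instead of `\-c`; `\c` is a troff escape, so the option name renders wrongly and does not match the `.B tls\-win\-cert:` entry added in the same file. Change both occurrences to `tls\-win\-cert`.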
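Review bot: in the unbound.conf.5.in access\-control hunk, "trouble shooting" should be "troubleshooting", and the allow_setrd paragraph should state plainly that the action grants the netblock the same recursive service as allow (the example.conf.in hunk puts it as "recursive ok, rd bit is forced on"), so that readers apply the same care in choosing which netblocks get it; as written, the paragraph only explains the RFC 1034 deviation and the stub-forwarder use case.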
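Review bot: the unbound.conf.5.in low\-rtt hunk edits the sentence that contains the context line "that is considere a low ping time" but leaves the typo in place; since the paragraph is being touched for the low\-rtt\-permil rename anyway, fix it to "considered" in the same change.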
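Review bot: in the libunbound/libworker.c libworker_setup hunk, w->sslctx is now created when ssl_upstream is set, tls_cert_bundle is non-empty, or tls_win_cert is set. A configuration that enables TLS only per forwarder with forward\-tls\-upstream (documented in the unbound.conf.5.in hunk of this same change) and has no global bundle matches none of those three terms, so please confirm that such a forward zone still obtains a TLS context in libunbound, or add that case to the condition. The connect_sslctx_create call also gains a tls_win_cert argument here; only this caller is visible in the truncated diff, so check that every other caller was updated.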
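Review bot: in the services/authzone.c xfr_process_notify hunk the fix itself is right (the early return previously left xfr->lock held, which is the deadlock named in the 4 June 2018 Changelog entry), but the trailing comment "successful end of start_probe unlocked xfr->lock" exposes the real hazard: xfr_start_probe releases xfr->lock on success and leaves it held on failure. That asymmetric contract is what made the early return dangerous and will be easy to get wrong again; document it on xfr_start_probe's declaration, or make the callee leave the lock state unchanged on both paths and unlock once in the caller.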
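Review bot: in the services/mesh.c mesh_query_done hunk, the new test `if(!mstate->reply_list && mstate->cb_list && !c->next)` runs inside `while((c = mstate->cb_list) != NULL)`, so `mstate->cb_list` is always non-NULL at that point and the middle term is redundant. Write it as `!mstate->reply_list && !c->next` with a comment saying this is the last callback being removed, so the intent (decrement num_reply_states exactly once, when the state stops being a reply state) is obvious to the next reader.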
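Review bot: in the services/outside_network.c pending_tcp_query hunk, the timeout is now split as `tv.tv_sec = timeout/1000; tv.tv_usec = (timeout%1000)*1000;`, i.e. interpreted as milliseconds where the old code used it as whole seconds. The unit change must be reflected in the function's doc comment and agreed by every caller; the callers are not in the visible part of the diff, so please confirm they all pass milliseconds, otherwise TCP and TLS upstream timeouts become a thousand times shorter than intended.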
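Review bot: in the serviced_tcp_callback hunk of services/outside_network.c, every `error!=NETEVENT_NOERROR` outcome now calls infra_rtt_update with a roundtrip of -1 (the 25 May 2018 Changelog item for connections that don't establish), so a connection reset or a failed TLS handshake pushes that address into backoff for the qtype the same way a timeout would. That is reasonable, but -1 is a magic value here; add a comment stating what infra_rtt_update does with it, and include the server address or zone in the "out of memory in TCP exponential backoff." log line so the affected upstream can be identified.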