From 015b2b0daf6008615c0a6245d907b5d18cb7140b Mon Sep 17 00:00:00 2001 From: "W.C.A. Wijngaards" Date: Mon, 19 Aug 2024 15:51:47 +0200 Subject: [PATCH 01/33] - Fix #1126: unbound-control-setup hangs while testing for openssl presence starting from version 1.21.0. --- doc/Changelog | 4 ++++ smallapp/unbound-control-setup.sh.in | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/doc/Changelog b/doc/Changelog index 8b05d3186..ad0da1464 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,3 +1,7 @@ +19 August 2024: Wouter + - Fix #1126: unbound-control-setup hangs while testing for openssl + presence starting from version 1.21.0. + 9 August 2024: Wouter - Fix spelling for the cache-min-negative-ttl entry in the example.conf. diff --git a/smallapp/unbound-control-setup.sh.in b/smallapp/unbound-control-setup.sh.in index f74b0105a..91458af36 100644 --- a/smallapp/unbound-control-setup.sh.in +++ b/smallapp/unbound-control-setup.sh.in @@ -104,7 +104,7 @@ while getopts 'd:hr' arg; do done shift $((OPTIND - 1)) -if ! openssl >/dev/null 2>&1; then +if ! openssl /dev/null 2>&1; then echo "$0 requires openssl to be installed for keys/certificates generation." >&2 exit 1 fi From 3d350fa73d1424f05e9b3be560590b3dcec4b795 Mon Sep 17 00:00:00 2001 From: "W.C.A. Wijngaards" Date: Tue, 20 Aug 2024 14:08:52 +0200 Subject: [PATCH 02/33] - Add iter-scrub-ns, iter-scrub-cname and max-global-quota configuration options. --- doc/Changelog | 4 + doc/example.conf.in | 9 + doc/unbound.conf.5.in | 17 + iterator/iter_scrub.c | 14 +- iterator/iterator.c | 2 + iterator/iterator.h | 2 +- testdata/iter_max_global_quota.rpl | 2236 ++++++++++++++++++++++++++++ util/config_file.c | 10 + util/config_file.h | 6 + util/configlexer.lex | 3 + util/configparser.y | 33 +- 11 files changed, 2326 insertions(+), 10 deletions(-) create mode 100644 testdata/iter_max_global_quota.rpl diff --git a/doc/Changelog b/doc/Changelog index ad0da1464..d23ce259d 100644 --- a/doc/Changelog +++ b/doc/Changelog 
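Review bot: As rendered here, the new line `if ! openssl /dev/null 2>&1; then` has no redirection operator before `/dev/null`, so `/dev/null` would be passed to openssl as a subcommand name and the presence test would depend on openssl's error handling; a `<` or `>` redirect was probably lost in this rendering, so confirm the committed line carries explicit redirects. The hang being fixed comes from a bare `openssl` invocation dropping into its interactive prompt, and a check that does not depend on stdin at all is more robust than redirecting it: `if ! openssl version >/dev/null 2>&1; then`. Either form should keep stdout and stderr discarded so the presence check stays silent.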
@@ -1,3 +1,7 @@ +20 August 2024: Wouter + - Add iter-scrub-ns, iter-scrub-cname and max-global-quota + configuration options. + 19 August 2024: Wouter - Fix #1126: unbound-control-setup hangs while testing for openssl presence starting from version 1.21.0. diff --git a/doc/example.conf.in b/doc/example.conf.in index d314d8ef2..b7db1e7d9 100644 --- a/doc/example.conf.in +++ b/doc/example.conf.in @@ -187,6 +187,15 @@ server: # query upon encountering a CNAME record. # max-query-restarts: 11 + # Limit on number of NS records in NS RRset for incoming packets. + # iter-scrub-ns: 20 + + # Limit on number of CNAME, DNAME records for incoming packets. + # iter-scrub-cname: 11 + + # Limit on upstream queries for an incoming query and its recursion. + # max-global-quota: 128 + # msec for waiting for an unknown server to reply. Increase if you # are behind a slow satellite link, to eg. 1128. # unknown-server-time-limit: 376 diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in index d6d9c905c..15f5a6607 100644 --- a/doc/unbound.conf.5.in +++ b/doc/unbound.conf.5.in 
@@ -1957,6 +1957,23 @@ Changing this value needs caution as it can allow long CNAME chains to be accepted, where Unbound needs to verify (resolve) each link individually. Default is 11. .TP 5 +.B iter\-scrub\-ns: \fI +Limit on the number of NS records allowed in an rrset of type NS, from the +iterator scrubber. This protects the internals of the resolver from overly +large NS sets. Default is 20. +.TP 5 +.B iter\-scrub\-cname: \fI +Limit on the number of CNAME, DNAME records in an answer, from the iterator +scrubber. This protects the internals of the resolver from overly long +indirection chains. Clips off the remainder of the reply packet at that point. +Default is 11. +.TP 5 +.B max\-global\-quota: \fI +Limit on the number of upstream queries sent out for an incoming query and +its subqueries from recursion. It is not reset during the resolution. When +it is exceeded the query is failed and the lookup process stops. +Default is 128. +.TP 5 .B fast\-server\-permil: \fI Specify how many times out of 1000 to pick from the set of fastest servers. 0 turns the feature off. A value of 900 would pick from the fastest diff --git a/iterator/iter_scrub.c b/iterator/iter_scrub.c index f038ad69a..a043589fd 100644 --- a/iterator/iter_scrub.c +++ b/iterator/iter_scrub.c @@ -443,7 +443,7 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg, prev = NULL; rrset = msg->rrset_first; while(rrset && rrset->section == LDNS_SECTION_ANSWER) { - if(cname_length > 11 /* env->cfg.iter_scrub_cname */) { + if(cname_length > env->cfg->iter_scrub_cname) { /* Too many CNAMEs, or DNAMEs, from the authority * server, scrub down the length to something * shorter. This deletes everything after the limit 
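Review bot: `env->cfg->iter_scrub_cname` is used without a floor in `if(cname_length > env->cfg->iter_scrub_cname)`, so if the config parser accepts 0 (the configparser.y hunk is not in view) the condition presumably holds at the first CNAME and every CNAME answer is clipped; the same applies to `env->cfg->iter_scrub_ns` in the -562, -581, -641 and -657 hunks, where `shorten_rrset(pkt, rrset, 0)` would empty every NS RRset and break delegation. Suggest rejecting values below 1 at config-apply time rather than in the scrubber, or clamping here with `int cname_lim = env->cfg->iter_scrub_cname > 0 ? env->cfg->iter_scrub_cname : 1;` and comparing against that. scrub_normalize starts and ends outside these hunks.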
@@ -562,8 +562,8 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg, dname_pkt_compare(pkt, oldsname, rrset->dname) == 0) { if(rrset->type == LDNS_RR_TYPE_NS && - rrset->rr_count > 20 /* env->cfg->iter_scrub_ns */) { - shorten_rrset(pkt, rrset, 20 /* env->cfg->iter_scrub_ns */); + rrset->rr_count > env->cfg->iter_scrub_ns) { + shorten_rrset(pkt, rrset, env->cfg->iter_scrub_ns); } prev = rrset; rrset = rrset->rrset_all_next; @@ -581,8 +581,8 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg, } if(rrset->type == LDNS_RR_TYPE_NS && - rrset->rr_count > 20 /* env->cfg->iter_scrub_ns */) { - shorten_rrset(pkt, rrset, 20 /* env->cfg->iter_scrub_ns */); + rrset->rr_count > env->cfg->iter_scrub_ns) { + shorten_rrset(pkt, rrset, env->cfg->iter_scrub_ns); } /* Mark the additional names from relevant rrset as OK. */ @@ -641,7 +641,7 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg, "RRset:", pkt, msg, prev, &rrset); continue; } - if(rrset->rr_count > 20 /* env->cfg->iter_scrub_ns */) { + if(rrset->rr_count > env->cfg->iter_scrub_ns) { /* If this is not a referral, and the NS RRset * is signed, then remove it entirely, so * that when it becomes bogus it does not @@ -657,7 +657,7 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg, "RRset:", pkt, msg, prev, &rrset); continue; } else { - shorten_rrset(pkt, rrset, 20 /* env->cfg->iter_scrub_ns */); + shorten_rrset(pkt, rrset, env->cfg->iter_scrub_ns); } } } diff --git a/iterator/iterator.c b/iterator/iterator.c index 228f5dfae..1066eb8cd 100644 --- a/iterator/iterator.c +++ b/iterator/iterator.c @@ -70,6 +70,8 @@ #include "sldns/parseutil.h" #include "sldns/sbuffer.h" +/* number of packets */ +int MAX_GLOBAL_QUOTA = 128; /* in msec */ int UNKNOWN_SERVER_NICENESS = 376; /* in msec */ diff --git a/iterator/iterator.h b/iterator/iterator.h index 70b11df7e..46701f6ee 100644 --- a/iterator/iterator.h +++ b/iterator/iterator.h 
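Review bot: `int MAX_GLOBAL_QUOTA = 128;` turns a compile-time constant into a writable, non-static global shared by every worker thread, and nothing in this hunk says when it is written; if it is assigned from the `max-global-quota` option during config apply (that hunk is not in view), the comment should pin that contract, e.g. `/* number of packets; set once from cfg at startup, read-only afterwards */`. The comment also differs from the header's wording ("max number of upstream queries"), so aligning the two would help readers find the definition from the option name. The neighbouring `UNKNOWN_SERVER_NICENESS` uses the same pattern, so the style is consistent with the file.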
@@ -57,7 +57,7 @@ struct rbtree_type;
 #define MAX_TARGET_COUNT 64
 /** max number of upstream queries for a query and its subqueries, it is
  * never reset. */
-#define MAX_GLOBAL_QUOTA 128
+extern int MAX_GLOBAL_QUOTA;
 /** max number of target lookups per qstate, per delegation point */
 #define MAX_DP_TARGET_COUNT 16
 /** max number of nxdomains allowed for target lookups for a query and
diff --git a/testdata/iter_max_global_quota.rpl b/testdata/iter_max_global_quota.rpl
new file mode 100644
index 000000000..2dddf035a
--- /dev/null
+++ b/testdata/iter_max_global_quota.rpl
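Review bot: The doc comment above `extern int MAX_GLOBAL_QUOTA;` still reads as the description of a constant; now that the value is a runtime setting the header should say where it comes from and what the default is, e.g. `/** max number of upstream queries for a query and its subqueries, it is never reset. Set from the max-global-quota config option, default 128. */`. Callers that previously relied on a preprocessor constant (for example in array sizes or `#if` tests) would no longer compile, so it is worth confirming none exist outside this hunk.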
@@ -0,0 +1,2236 @@ +; config options +server: + target-fetch-policy: "0 0 0 0 0" + qname-minimisation: no + ; Move it down to make it exceeded. + max-global-quota: 10 + ; With this limit the resolution succeeds. + ; max-global-quota: 250 + +stub-zone: + name: "." + stub-addr: 193.0.14.129 +CONFIG_END + +SCENARIO_BEGIN Test the max-global-quota limit. +; It looks up a name with 10 CNAMEs, and every cname needs 10 delegations. + +; K.ROOT-SERVERS.NET. +RANGE_BEGIN 0 100 + ADDRESS 193.0.14.129 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +. IN NS +SECTION ANSWER +. IN NS K.ROOT-SERVERS.NET. +SECTION ADDITIONAL +K.ROOT-SERVERS.NET. IN A 193.0.14.129 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +com. IN NS +SECTION AUTHORITY +com. IN NS a.gtld-servers.net. +SECTION ADDITIONAL +a.gtld-servers.net. IN A 192.5.6.30 +ENTRY_END +RANGE_END + +; a.gtld-servers.net. +RANGE_BEGIN 0 100 + ADDRESS 192.5.6.30 +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +example.com. IN NS +SECTION AUTHORITY +example.com. IN NS ns.example.com. +SECTION ADDITIONAL +ns.example.com. IN A 1.2.3.4 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +foo.com. IN NS +SECTION AUTHORITY +foo.com. IN NS ns.foo.com. +SECTION ADDITIONAL +ns.foo.com. IN A 1.2.3.5 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +c1.com. IN NS +SECTION AUTHORITY +c1.com. IN NS ns.l1.l2.l3.l4.l5.l6.l7.l8.l9.l10c1.com. +SECTION ADDITIONAL +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +c2.com. IN NS +SECTION AUTHORITY +c2.com. IN NS ns.l1.l2.l3.l4.l5.l6.l7.l8.l9.l10c2.com. 
+SECTION ADDITIONAL +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +c3.com. IN NS +SECTION AUTHORITY +c3.com. IN NS ns.l1.l2.l3.l4.l5.l6.l7.l8.l9.l10c3.com. +SECTION ADDITIONAL +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +c4.com. IN NS +SECTION AUTHORITY +c4.com. IN NS ns.l1.l2.l3.l4.l5.l6.l7.l8.l9.l10c4.com. +SECTION ADDITIONAL +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +c5.com. IN NS +SECTION AUTHORITY +c5.com. IN NS ns.l1.l2.l3.l4.l5.l6.l7.l8.l9.l10c5.com. +SECTION ADDITIONAL +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +c6.com. IN NS +SECTION AUTHORITY +c6.com. IN NS ns.l1.l2.l3.l4.l5.l6.l7.l8.l9.l10c6.com. +SECTION ADDITIONAL +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +c7.com. IN NS +SECTION AUTHORITY +c7.com. IN NS ns.l1.l2.l3.l4.l5.l6.l7.l8.l9.l10c7.com. +SECTION ADDITIONAL +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +c8.com. IN NS +SECTION AUTHORITY +c8.com. IN NS ns.l1.l2.l3.l4.l5.l6.l7.l8.l9.l10c8.com. +SECTION ADDITIONAL +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +c9.com. IN NS +SECTION AUTHORITY +c9.com. IN NS ns.l1.l2.l3.l4.l5.l6.l7.l8.l9.l10c9.com. +SECTION ADDITIONAL +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +c10.com. IN NS +SECTION AUTHORITY +c10.com. IN NS ns.l1.l2.l3.l4.l5.l6.l7.l8.l9.l10c10.com. +SECTION ADDITIONAL +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l10c1.com. IN NS +SECTION AUTHORITY +l10c1.com. IN NS ns.l10c1.com. 
+SECTION ADDITIONAL +ns.l10c1.com. IN A 1.3.1.10 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l10c2.com. IN NS +SECTION AUTHORITY +l10c2.com. IN NS ns.l10c2.com. +SECTION ADDITIONAL +ns.l10c2.com. IN A 1.3.2.10 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l10c3.com. IN NS +SECTION AUTHORITY +l10c3.com. IN NS ns.l10c3.com. +SECTION ADDITIONAL +ns.l10c3.com. IN A 1.3.3.10 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l10c4.com. IN NS +SECTION AUTHORITY +l10c4.com. IN NS ns.l10c4.com. +SECTION ADDITIONAL +ns.l10c4.com. IN A 1.3.4.10 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l10c5.com. IN NS +SECTION AUTHORITY +l10c5.com. IN NS ns.l10c5.com. +SECTION ADDITIONAL +ns.l10c5.com. IN A 1.3.5.10 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l10c6.com. IN NS +SECTION AUTHORITY +l10c6.com. IN NS ns.l10c6.com. +SECTION ADDITIONAL +ns.l10c6.com. IN A 1.3.6.10 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l10c7.com. IN NS +SECTION AUTHORITY +l10c7.com. IN NS ns.l10c7.com. +SECTION ADDITIONAL +ns.l10c7.com. IN A 1.3.7.10 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l10c8.com. IN NS +SECTION AUTHORITY +l10c8.com. IN NS ns.l10c8.com. +SECTION ADDITIONAL +ns.l10c8.com. IN A 1.3.8.10 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l10c9.com. IN NS +SECTION AUTHORITY +l10c9.com. IN NS ns.l10c9.com. +SECTION ADDITIONAL +ns.l10c9.com. 
IN A 1.3.9.10 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l10c10.com. IN NS +SECTION AUTHORITY +l10c10.com. IN NS ns.l10c10.com. +SECTION ADDITIONAL +ns.l10c10.com. IN A 1.3.10.10 +ENTRY_END +RANGE_END + +; ns.example.com. +RANGE_BEGIN 0 100 + ADDRESS 1.2.3.4 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +www.example.com. IN A +SECTION ANSWER +www.example.com. IN CNAME www.c1.com. +ENTRY_END +RANGE_END + +; ns.foo.com. +RANGE_BEGIN 0 100 + ADDRESS 1.2.3.5 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +www.foo.com. IN A +SECTION ANSWER +www.foo.com. IN A 1.2.3.4 +ENTRY_END +RANGE_END + +; ns.l10c1.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.1.10 +$ORIGIN l10c1.com. +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l9 IN NS +SECTION AUTHORITY +l9 IN NS ns.l9 +SECTION ADDITIONAL +ns.l9 IN A 1.3.1.9 +ENTRY_END +RANGE_END + +; ns.l9.l10c1.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.1.9 +$ORIGIN l9.l10c1.com. +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l8 IN NS +SECTION AUTHORITY +l8 IN NS ns.l8 +SECTION ADDITIONAL +ns.l8 IN A 1.3.1.8 +ENTRY_END +RANGE_END + +; ns.l8.l9.l10c1.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.1.8 +$ORIGIN l8.l9.l10c1.com. +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l7 IN NS +SECTION AUTHORITY +l7 IN NS ns.l7 +SECTION ADDITIONAL +ns.l7 IN A 1.3.1.7 +ENTRY_END +RANGE_END + +; ns.l7.l8.l9.l10c1.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.1.7 +$ORIGIN l7.l8.l9.l10c1.com. +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l6 IN NS +SECTION AUTHORITY +l6 IN NS ns.l6 +SECTION ADDITIONAL +ns.l6 IN A 1.3.1.6 +ENTRY_END +RANGE_END + +; ns.l6.l7.l8.l9.l10c1.com. 
+RANGE_BEGIN 0 100 + ADDRESS 1.3.1.6 +$ORIGIN l6.l7.l8.l9.l10c1.com. +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l5 IN NS +SECTION AUTHORITY +l5 IN NS ns.l5 +SECTION ADDITIONAL +ns.l5 IN A 1.3.1.5 +ENTRY_END +RANGE_END + +; ns.l5.l6.l7.l8.l9.l10c1.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.1.5 +$ORIGIN l5.l6.l7.l8.l9.l10c1.com. +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l4 IN NS +SECTION AUTHORITY +l4 IN NS ns.l4 +SECTION ADDITIONAL +ns.l4 IN A 1.3.1.4 +ENTRY_END +RANGE_END + +; ns.l4.l5.l6.l7.l8.l9.l10c1.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.1.4 +$ORIGIN l4.l5.l6.l7.l8.l9.l10c1.com. +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l3 IN NS +SECTION AUTHORITY +l3 IN NS ns.l3 +SECTION ADDITIONAL +ns.l3 IN A 1.3.1.3 +ENTRY_END +RANGE_END + +; ns.l3.l4.l5.l6.l7.l8.l9.l10c1.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.1.3 +$ORIGIN l3.l4.l5.l6.l7.l8.l9.l10c1.com. +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l2 IN NS +SECTION AUTHORITY +l2 IN NS ns.l2 +SECTION ADDITIONAL +ns.l2 IN A 1.3.1.2 +ENTRY_END +RANGE_END + +; ns.l2.l3.l4.l5.l6.l7.l8.l9.l10c1.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.1.2 +$ORIGIN l2.l3.l4.l5.l6.l7.l8.l9.l10c1.com. +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l1 IN NS +SECTION AUTHORITY +l1 IN NS ns.l1 +SECTION ADDITIONAL +ns.l1 IN A 1.3.1.1 +ENTRY_END +RANGE_END + +; ns.l1.l2.l3.l4.l5.l6.l7.l8.l9.l10c1.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.1.1 +$ORIGIN l1.l2.l3.l4.l5.l6.l7.l8.l9.l10c1.com. 
+ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +ns IN A +SECTION ANSWER +ns IN A 1.3.1.1 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +ns IN AAAA +SECTION AUTHORITY +@ SOA ns host 2018060423 3600 300 86400 3600 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +www.c1.com. IN A +SECTION ANSWER +www.c1.com. IN CNAME www.c2.com. +ENTRY_END +RANGE_END + +; ns.l10c2.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.2.10 +$ORIGIN l10c2.com. +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l9 IN NS +SECTION AUTHORITY +l9 IN NS ns.l9 +SECTION ADDITIONAL +ns.l9 IN A 1.3.2.9 +ENTRY_END +RANGE_END + +; ns.l9.l10c2.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.2.9 +$ORIGIN l9.l10c2.com. +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l8 IN NS +SECTION AUTHORITY +l8 IN NS ns.l8 +SECTION ADDITIONAL +ns.l8 IN A 1.3.2.8 +ENTRY_END +RANGE_END + +; ns.l8.l9.l10c2.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.2.8 +$ORIGIN l8.l9.l10c2.com. +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l7 IN NS +SECTION AUTHORITY +l7 IN NS ns.l7 +SECTION ADDITIONAL +ns.l7 IN A 1.3.2.7 +ENTRY_END +RANGE_END + +; ns.l7.l8.l9.l10c2.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.2.7 +$ORIGIN l7.l8.l9.l10c2.com. +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l6 IN NS +SECTION AUTHORITY +l6 IN NS ns.l6 +SECTION ADDITIONAL +ns.l6 IN A 1.3.2.6 +ENTRY_END +RANGE_END + +; ns.l6.l7.l8.l9.l10c2.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.2.6 +$ORIGIN l6.l7.l8.l9.l10c2.com. 
+ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l5 IN NS +SECTION AUTHORITY +l5 IN NS ns.l5 +SECTION ADDITIONAL +ns.l5 IN A 1.3.2.5 +ENTRY_END +RANGE_END + +; ns.l5.l6.l7.l8.l9.l10c2.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.2.5 +$ORIGIN l5.l6.l7.l8.l9.l10c2.com. +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l4 IN NS +SECTION AUTHORITY +l4 IN NS ns.l4 +SECTION ADDITIONAL +ns.l4 IN A 1.3.2.4 +ENTRY_END +RANGE_END + +; ns.l4.l5.l6.l7.l8.l9.l10c2.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.2.4 +$ORIGIN l4.l5.l6.l7.l8.l9.l10c2.com. +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l3 IN NS +SECTION AUTHORITY +l3 IN NS ns.l3 +SECTION ADDITIONAL +ns.l3 IN A 1.3.2.3 +ENTRY_END +RANGE_END + +; ns.l3.l4.l5.l6.l7.l8.l9.l10c2.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.2.3 +$ORIGIN l3.l4.l5.l6.l7.l8.l9.l10c2.com. +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l2 IN NS +SECTION AUTHORITY +l2 IN NS ns.l2 +SECTION ADDITIONAL +ns.l2 IN A 1.3.2.2 +ENTRY_END +RANGE_END + +; ns.l2.l3.l4.l5.l6.l7.l8.l9.l10c2.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.2.2 +$ORIGIN l2.l3.l4.l5.l6.l7.l8.l9.l10c2.com. +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l1 IN NS +SECTION AUTHORITY +l1 IN NS ns.l1 +SECTION ADDITIONAL +ns.l1 IN A 1.3.2.1 +ENTRY_END +RANGE_END + +; ns.l1.l2.l3.l4.l5.l6.l7.l8.l9.l10c2.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.2.1 +$ORIGIN l1.l2.l3.l4.l5.l6.l7.l8.l9.l10c2.com. 
+ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +ns IN A +SECTION ANSWER +ns IN A 1.3.2.1 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +ns IN AAAA +SECTION AUTHORITY +@ SOA ns host 2018060423 3600 300 86400 3600 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +www.c2.com. IN A +SECTION ANSWER +www.c2.com. IN CNAME www.c3.com. +ENTRY_END +RANGE_END + +; ns.l10c3.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.3.10 +$ORIGIN l10c3.com. +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l9 IN NS +SECTION AUTHORITY +l9 IN NS ns.l9 +SECTION ADDITIONAL +ns.l9 IN A 1.3.3.9 +ENTRY_END +RANGE_END + +; ns.l9.l10c3.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.3.9 +$ORIGIN l9.l10c3.com. +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l8 IN NS +SECTION AUTHORITY +l8 IN NS ns.l8 +SECTION ADDITIONAL +ns.l8 IN A 1.3.3.8 +ENTRY_END +RANGE_END + +; ns.l8.l9.l10c3.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.3.8 +$ORIGIN l8.l9.l10c3.com. +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l7 IN NS +SECTION AUTHORITY +l7 IN NS ns.l7 +SECTION ADDITIONAL +ns.l7 IN A 1.3.3.7 +ENTRY_END +RANGE_END + +; ns.l7.l8.l9.l10c3.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.3.7 +$ORIGIN l7.l8.l9.l10c3.com. +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l6 IN NS +SECTION AUTHORITY +l6 IN NS ns.l6 +SECTION ADDITIONAL +ns.l6 IN A 1.3.3.6 +ENTRY_END +RANGE_END + +; ns.l6.l7.l8.l9.l10c3.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.3.6 +$ORIGIN l6.l7.l8.l9.l10c3.com. 
+ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l5 IN NS +SECTION AUTHORITY +l5 IN NS ns.l5 +SECTION ADDITIONAL +ns.l5 IN A 1.3.3.5 +ENTRY_END +RANGE_END + +; ns.l5.l6.l7.l8.l9.l10c3.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.3.5 +$ORIGIN l5.l6.l7.l8.l9.l10c3.com. +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l4 IN NS +SECTION AUTHORITY +l4 IN NS ns.l4 +SECTION ADDITIONAL +ns.l4 IN A 1.3.3.4 +ENTRY_END +RANGE_END + +; ns.l4.l5.l6.l7.l8.l9.l10c3.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.3.4 +$ORIGIN l4.l5.l6.l7.l8.l9.l10c3.com. +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l3 IN NS +SECTION AUTHORITY +l3 IN NS ns.l3 +SECTION ADDITIONAL +ns.l3 IN A 1.3.3.3 +ENTRY_END +RANGE_END + +; ns.l3.l4.l5.l6.l7.l8.l9.l10c3.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.3.3 +$ORIGIN l3.l4.l5.l6.l7.l8.l9.l10c3.com. +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l2 IN NS +SECTION AUTHORITY +l2 IN NS ns.l2 +SECTION ADDITIONAL +ns.l2 IN A 1.3.3.2 +ENTRY_END +RANGE_END + +; ns.l2.l3.l4.l5.l6.l7.l8.l9.l10c3.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.3.2 +$ORIGIN l2.l3.l4.l5.l6.l7.l8.l9.l10c3.com. +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l1 IN NS +SECTION AUTHORITY +l1 IN NS ns.l1 +SECTION ADDITIONAL +ns.l1 IN A 1.3.3.1 +ENTRY_END +RANGE_END + +; ns.l1.l2.l3.l4.l5.l6.l7.l8.l9.l10c3.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.3.1 +$ORIGIN l1.l2.l3.l4.l5.l6.l7.l8.l9.l10c3.com. 
+ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +ns IN A +SECTION ANSWER +ns IN A 1.3.3.1 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +ns IN AAAA +SECTION AUTHORITY +@ SOA ns host 2018060423 3600 300 86400 3600 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +www.c3.com. IN A +SECTION ANSWER +www.c3.com. IN CNAME www.c4.com. +ENTRY_END +RANGE_END +; ns.l10c4.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.4.10 +$ORIGIN l10c4.com. +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l9 IN NS +SECTION AUTHORITY +l9 IN NS ns.l9 +SECTION ADDITIONAL +ns.l9 IN A 1.3.4.9 +ENTRY_END +RANGE_END + +; ns.l9.l10c4.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.4.9 +$ORIGIN l9.l10c4.com. +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l8 IN NS +SECTION AUTHORITY +l8 IN NS ns.l8 +SECTION ADDITIONAL +ns.l8 IN A 1.3.4.8 +ENTRY_END +RANGE_END + +; ns.l8.l9.l10c4.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.4.8 +$ORIGIN l8.l9.l10c4.com. +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l7 IN NS +SECTION AUTHORITY +l7 IN NS ns.l7 +SECTION ADDITIONAL +ns.l7 IN A 1.3.4.7 +ENTRY_END +RANGE_END + +; ns.l7.l8.l9.l10c4.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.4.7 +$ORIGIN l7.l8.l9.l10c4.com. +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l6 IN NS +SECTION AUTHORITY +l6 IN NS ns.l6 +SECTION ADDITIONAL +ns.l6 IN A 1.3.4.6 +ENTRY_END +RANGE_END + +; ns.l6.l7.l8.l9.l10c4.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.4.6 +$ORIGIN l6.l7.l8.l9.l10c4.com. 
+ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l5 IN NS +SECTION AUTHORITY +l5 IN NS ns.l5 +SECTION ADDITIONAL +ns.l5 IN A 1.3.4.5 +ENTRY_END +RANGE_END + +; ns.l5.l6.l7.l8.l9.l10c4.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.4.5 +$ORIGIN l5.l6.l7.l8.l9.l10c4.com. +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l4 IN NS +SECTION AUTHORITY +l4 IN NS ns.l4 +SECTION ADDITIONAL +ns.l4 IN A 1.3.4.4 +ENTRY_END +RANGE_END + +; ns.l4.l5.l6.l7.l8.l9.l10c4.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.4.4 +$ORIGIN l4.l5.l6.l7.l8.l9.l10c4.com. +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l3 IN NS +SECTION AUTHORITY +l3 IN NS ns.l3 +SECTION ADDITIONAL +ns.l3 IN A 1.3.4.3 +ENTRY_END +RANGE_END + +; ns.l3.l4.l5.l6.l7.l8.l9.l10c4.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.4.3 +$ORIGIN l3.l4.l5.l6.l7.l8.l9.l10c4.com. +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l2 IN NS +SECTION AUTHORITY +l2 IN NS ns.l2 +SECTION ADDITIONAL +ns.l2 IN A 1.3.4.2 +ENTRY_END +RANGE_END + +; ns.l2.l3.l4.l5.l6.l7.l8.l9.l10c4.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.4.2 +$ORIGIN l2.l3.l4.l5.l6.l7.l8.l9.l10c4.com. +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l1 IN NS +SECTION AUTHORITY +l1 IN NS ns.l1 +SECTION ADDITIONAL +ns.l1 IN A 1.3.4.1 +ENTRY_END +RANGE_END + +; ns.l1.l2.l3.l4.l5.l6.l7.l8.l9.l10c4.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.4.1 +$ORIGIN l1.l2.l3.l4.l5.l6.l7.l8.l9.l10c4.com. 
+ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +ns IN A +SECTION ANSWER +ns IN A 1.3.4.1 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +ns IN AAAA +SECTION AUTHORITY +@ SOA ns host 2018060423 3600 300 86400 3600 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +www.c4.com. IN A +SECTION ANSWER +www.c4.com. IN CNAME www.c5.com. +ENTRY_END +RANGE_END +; ns.l10c5.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.5.10 +$ORIGIN l10c5.com. +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l9 IN NS +SECTION AUTHORITY +l9 IN NS ns.l9 +SECTION ADDITIONAL +ns.l9 IN A 1.3.5.9 +ENTRY_END +RANGE_END + +; ns.l9.l10c5.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.5.9 +$ORIGIN l9.l10c5.com. +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l8 IN NS +SECTION AUTHORITY +l8 IN NS ns.l8 +SECTION ADDITIONAL +ns.l8 IN A 1.3.5.8 +ENTRY_END +RANGE_END + +; ns.l8.l9.l10c5.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.5.8 +$ORIGIN l8.l9.l10c5.com. +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l7 IN NS +SECTION AUTHORITY +l7 IN NS ns.l7 +SECTION ADDITIONAL +ns.l7 IN A 1.3.5.7 +ENTRY_END +RANGE_END + +; ns.l7.l8.l9.l10c5.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.5.7 +$ORIGIN l7.l8.l9.l10c5.com. +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l6 IN NS +SECTION AUTHORITY +l6 IN NS ns.l6 +SECTION ADDITIONAL +ns.l6 IN A 1.3.5.6 +ENTRY_END +RANGE_END + +; ns.l6.l7.l8.l9.l10c5.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.5.6 +$ORIGIN l6.l7.l8.l9.l10c5.com. 
+ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l5 IN NS +SECTION AUTHORITY +l5 IN NS ns.l5 +SECTION ADDITIONAL +ns.l5 IN A 1.3.5.5 +ENTRY_END +RANGE_END + +; ns.l5.l6.l7.l8.l9.l10c5.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.5.5 +$ORIGIN l5.l6.l7.l8.l9.l10c5.com. +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l4 IN NS +SECTION AUTHORITY +l4 IN NS ns.l4 +SECTION ADDITIONAL +ns.l4 IN A 1.3.5.4 +ENTRY_END +RANGE_END + +; ns.l4.l5.l6.l7.l8.l9.l10c5.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.5.4 +$ORIGIN l4.l5.l6.l7.l8.l9.l10c5.com. +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l3 IN NS +SECTION AUTHORITY +l3 IN NS ns.l3 +SECTION ADDITIONAL +ns.l3 IN A 1.3.5.3 +ENTRY_END +RANGE_END + +; ns.l3.l4.l5.l6.l7.l8.l9.l10c5.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.5.3 +$ORIGIN l3.l4.l5.l6.l7.l8.l9.l10c5.com. +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l2 IN NS +SECTION AUTHORITY +l2 IN NS ns.l2 +SECTION ADDITIONAL +ns.l2 IN A 1.3.5.2 +ENTRY_END +RANGE_END + +; ns.l2.l3.l4.l5.l6.l7.l8.l9.l10c5.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.5.2 +$ORIGIN l2.l3.l4.l5.l6.l7.l8.l9.l10c5.com. +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l1 IN NS +SECTION AUTHORITY +l1 IN NS ns.l1 +SECTION ADDITIONAL +ns.l1 IN A 1.3.5.1 +ENTRY_END +RANGE_END + +; ns.l1.l2.l3.l4.l5.l6.l7.l8.l9.l10c5.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.5.1 +$ORIGIN l1.l2.l3.l4.l5.l6.l7.l8.l9.l10c5.com. 
+ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +ns IN A +SECTION ANSWER +ns IN A 1.3.5.1 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +ns IN AAAA +SECTION AUTHORITY +@ SOA ns host 2018060423 3600 300 86400 3600 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +www.c5.com. IN A +SECTION ANSWER +www.c5.com. IN CNAME www.c6.com. +ENTRY_END +RANGE_END +; ns.l10c6.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.6.10 +$ORIGIN l10c6.com. +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l9 IN NS +SECTION AUTHORITY +l9 IN NS ns.l9 +SECTION ADDITIONAL +ns.l9 IN A 1.3.6.9 +ENTRY_END +RANGE_END + +; ns.l9.l10c6.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.6.9 +$ORIGIN l9.l10c6.com. +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l8 IN NS +SECTION AUTHORITY +l8 IN NS ns.l8 +SECTION ADDITIONAL +ns.l8 IN A 1.3.6.8 +ENTRY_END +RANGE_END + +; ns.l8.l9.l10c6.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.6.8 +$ORIGIN l8.l9.l10c6.com. +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l7 IN NS +SECTION AUTHORITY +l7 IN NS ns.l7 +SECTION ADDITIONAL +ns.l7 IN A 1.3.6.7 +ENTRY_END +RANGE_END + +; ns.l7.l8.l9.l10c6.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.6.7 +$ORIGIN l7.l8.l9.l10c6.com. +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l6 IN NS +SECTION AUTHORITY +l6 IN NS ns.l6 +SECTION ADDITIONAL +ns.l6 IN A 1.3.6.6 +ENTRY_END +RANGE_END + +; ns.l6.l7.l8.l9.l10c6.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.6.6 +$ORIGIN l6.l7.l8.l9.l10c6.com. 
+ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l5 IN NS +SECTION AUTHORITY +l5 IN NS ns.l5 +SECTION ADDITIONAL +ns.l5 IN A 1.3.6.5 +ENTRY_END +RANGE_END + +; ns.l5.l6.l7.l8.l9.l10c6.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.6.5 +$ORIGIN l5.l6.l7.l8.l9.l10c6.com. +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l4 IN NS +SECTION AUTHORITY +l4 IN NS ns.l4 +SECTION ADDITIONAL +ns.l4 IN A 1.3.6.4 +ENTRY_END +RANGE_END + +; ns.l4.l5.l6.l7.l8.l9.l10c6.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.6.4 +$ORIGIN l4.l5.l6.l7.l8.l9.l10c6.com. +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l3 IN NS +SECTION AUTHORITY +l3 IN NS ns.l3 +SECTION ADDITIONAL +ns.l3 IN A 1.3.6.3 +ENTRY_END +RANGE_END + +; ns.l3.l4.l5.l6.l7.l8.l9.l10c6.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.6.3 +$ORIGIN l3.l4.l5.l6.l7.l8.l9.l10c6.com. +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l2 IN NS +SECTION AUTHORITY +l2 IN NS ns.l2 +SECTION ADDITIONAL +ns.l2 IN A 1.3.6.2 +ENTRY_END +RANGE_END + +; ns.l2.l3.l4.l5.l6.l7.l8.l9.l10c6.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.6.2 +$ORIGIN l2.l3.l4.l5.l6.l7.l8.l9.l10c6.com. +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l1 IN NS +SECTION AUTHORITY +l1 IN NS ns.l1 +SECTION ADDITIONAL +ns.l1 IN A 1.3.6.1 +ENTRY_END +RANGE_END + +; ns.l1.l2.l3.l4.l5.l6.l7.l8.l9.l10c6.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.6.1 +$ORIGIN l1.l2.l3.l4.l5.l6.l7.l8.l9.l10c6.com. 
+ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +ns IN A +SECTION ANSWER +ns IN A 1.3.6.1 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +ns IN AAAA +SECTION AUTHORITY +@ SOA ns host 2018060423 3600 300 86400 3600 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +www.c6.com. IN A +SECTION ANSWER +www.c6.com. IN CNAME www.c7.com. +ENTRY_END +RANGE_END +; ns.l10c7.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.7.10 +$ORIGIN l10c7.com. +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l9 IN NS +SECTION AUTHORITY +l9 IN NS ns.l9 +SECTION ADDITIONAL +ns.l9 IN A 1.3.7.9 +ENTRY_END +RANGE_END + +; ns.l9.l10c7.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.7.9 +$ORIGIN l9.l10c7.com. +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l8 IN NS +SECTION AUTHORITY +l8 IN NS ns.l8 +SECTION ADDITIONAL +ns.l8 IN A 1.3.7.8 +ENTRY_END +RANGE_END + +; ns.l8.l9.l10c7.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.7.8 +$ORIGIN l8.l9.l10c7.com. +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l7 IN NS +SECTION AUTHORITY +l7 IN NS ns.l7 +SECTION ADDITIONAL +ns.l7 IN A 1.3.7.7 +ENTRY_END +RANGE_END + +; ns.l7.l8.l9.l10c7.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.7.7 +$ORIGIN l7.l8.l9.l10c7.com. +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l6 IN NS +SECTION AUTHORITY +l6 IN NS ns.l6 +SECTION ADDITIONAL +ns.l6 IN A 1.3.7.6 +ENTRY_END +RANGE_END + +; ns.l6.l7.l8.l9.l10c7.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.7.6 +$ORIGIN l6.l7.l8.l9.l10c7.com. 
+ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l5 IN NS +SECTION AUTHORITY +l5 IN NS ns.l5 +SECTION ADDITIONAL +ns.l5 IN A 1.3.7.5 +ENTRY_END +RANGE_END + +; ns.l5.l6.l7.l8.l9.l10c7.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.7.5 +$ORIGIN l5.l6.l7.l8.l9.l10c7.com. +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l4 IN NS +SECTION AUTHORITY +l4 IN NS ns.l4 +SECTION ADDITIONAL +ns.l4 IN A 1.3.7.4 +ENTRY_END +RANGE_END + +; ns.l4.l5.l6.l7.l8.l9.l10c7.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.7.4 +$ORIGIN l4.l5.l6.l7.l8.l9.l10c7.com. +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l3 IN NS +SECTION AUTHORITY +l3 IN NS ns.l3 +SECTION ADDITIONAL +ns.l3 IN A 1.3.7.3 +ENTRY_END +RANGE_END + +; ns.l3.l4.l5.l6.l7.l8.l9.l10c7.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.7.3 +$ORIGIN l3.l4.l5.l6.l7.l8.l9.l10c7.com. +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l2 IN NS +SECTION AUTHORITY +l2 IN NS ns.l2 +SECTION ADDITIONAL +ns.l2 IN A 1.3.7.2 +ENTRY_END +RANGE_END + +; ns.l2.l3.l4.l5.l6.l7.l8.l9.l10c7.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.7.2 +$ORIGIN l2.l3.l4.l5.l6.l7.l8.l9.l10c7.com. +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l1 IN NS +SECTION AUTHORITY +l1 IN NS ns.l1 +SECTION ADDITIONAL +ns.l1 IN A 1.3.7.1 +ENTRY_END +RANGE_END + +; ns.l1.l2.l3.l4.l5.l6.l7.l8.l9.l10c7.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.7.1 +$ORIGIN l1.l2.l3.l4.l5.l6.l7.l8.l9.l10c7.com. 
+ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +ns IN A +SECTION ANSWER +ns IN A 1.3.7.1 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +ns IN AAAA +SECTION AUTHORITY +@ SOA ns host 2018060423 3600 300 86400 3600 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +www.c7.com. IN A +SECTION ANSWER +www.c7.com. IN CNAME www.c8.com. +ENTRY_END +RANGE_END +; ns.l10c8.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.8.10 +$ORIGIN l10c8.com. +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l9 IN NS +SECTION AUTHORITY +l9 IN NS ns.l9 +SECTION ADDITIONAL +ns.l9 IN A 1.3.8.9 +ENTRY_END +RANGE_END + +; ns.l9.l10c8.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.8.9 +$ORIGIN l9.l10c8.com. +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l8 IN NS +SECTION AUTHORITY +l8 IN NS ns.l8 +SECTION ADDITIONAL +ns.l8 IN A 1.3.8.8 +ENTRY_END +RANGE_END + +; ns.l8.l9.l10c8.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.8.8 +$ORIGIN l8.l9.l10c8.com. +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l7 IN NS +SECTION AUTHORITY +l7 IN NS ns.l7 +SECTION ADDITIONAL +ns.l7 IN A 1.3.8.7 +ENTRY_END +RANGE_END + +; ns.l7.l8.l9.l10c8.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.8.7 +$ORIGIN l7.l8.l9.l10c8.com. +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l6 IN NS +SECTION AUTHORITY +l6 IN NS ns.l6 +SECTION ADDITIONAL +ns.l6 IN A 1.3.8.6 +ENTRY_END +RANGE_END + +; ns.l6.l7.l8.l9.l10c8.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.8.6 +$ORIGIN l6.l7.l8.l9.l10c8.com. 
+ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l5 IN NS +SECTION AUTHORITY +l5 IN NS ns.l5 +SECTION ADDITIONAL +ns.l5 IN A 1.3.8.5 +ENTRY_END +RANGE_END + +; ns.l5.l6.l7.l8.l9.l10c8.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.8.5 +$ORIGIN l5.l6.l7.l8.l9.l10c8.com. +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l4 IN NS +SECTION AUTHORITY +l4 IN NS ns.l4 +SECTION ADDITIONAL +ns.l4 IN A 1.3.8.4 +ENTRY_END +RANGE_END + +; ns.l4.l5.l6.l7.l8.l9.l10c8.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.8.4 +$ORIGIN l4.l5.l6.l7.l8.l9.l10c8.com. +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l3 IN NS +SECTION AUTHORITY +l3 IN NS ns.l3 +SECTION ADDITIONAL +ns.l3 IN A 1.3.8.3 +ENTRY_END +RANGE_END + +; ns.l3.l4.l5.l6.l7.l8.l9.l10c8.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.8.3 +$ORIGIN l3.l4.l5.l6.l7.l8.l9.l10c8.com. +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l2 IN NS +SECTION AUTHORITY +l2 IN NS ns.l2 +SECTION ADDITIONAL +ns.l2 IN A 1.3.8.2 +ENTRY_END +RANGE_END + +; ns.l2.l3.l4.l5.l6.l7.l8.l9.l10c8.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.8.2 +$ORIGIN l2.l3.l4.l5.l6.l7.l8.l9.l10c8.com. +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l1 IN NS +SECTION AUTHORITY +l1 IN NS ns.l1 +SECTION ADDITIONAL +ns.l1 IN A 1.3.8.1 +ENTRY_END +RANGE_END + +; ns.l1.l2.l3.l4.l5.l6.l7.l8.l9.l10c8.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.8.1 +$ORIGIN l1.l2.l3.l4.l5.l6.l7.l8.l9.l10c8.com. 
+ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +ns IN A +SECTION ANSWER +ns IN A 1.3.8.1 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +ns IN AAAA +SECTION AUTHORITY +@ SOA ns host 2018060423 3600 300 86400 3600 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +www.c8.com. IN A +SECTION ANSWER +www.c8.com. IN CNAME www.c9.com. +ENTRY_END +RANGE_END +; ns.l10c9.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.9.10 +$ORIGIN l10c9.com. +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l9 IN NS +SECTION AUTHORITY +l9 IN NS ns.l9 +SECTION ADDITIONAL +ns.l9 IN A 1.3.9.9 +ENTRY_END +RANGE_END + +; ns.l9.l10c9.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.9.9 +$ORIGIN l9.l10c9.com. +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l8 IN NS +SECTION AUTHORITY +l8 IN NS ns.l8 +SECTION ADDITIONAL +ns.l8 IN A 1.3.9.8 +ENTRY_END +RANGE_END + +; ns.l8.l9.l10c9.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.9.8 +$ORIGIN l8.l9.l10c9.com. +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l7 IN NS +SECTION AUTHORITY +l7 IN NS ns.l7 +SECTION ADDITIONAL +ns.l7 IN A 1.3.9.7 +ENTRY_END +RANGE_END + +; ns.l7.l8.l9.l10c9.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.9.7 +$ORIGIN l7.l8.l9.l10c9.com. +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l6 IN NS +SECTION AUTHORITY +l6 IN NS ns.l6 +SECTION ADDITIONAL +ns.l6 IN A 1.3.9.6 +ENTRY_END +RANGE_END + +; ns.l6.l7.l8.l9.l10c9.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.9.6 +$ORIGIN l6.l7.l8.l9.l10c9.com. 
+ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l5 IN NS +SECTION AUTHORITY +l5 IN NS ns.l5 +SECTION ADDITIONAL +ns.l5 IN A 1.3.9.5 +ENTRY_END +RANGE_END + +; ns.l5.l6.l7.l8.l9.l10c9.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.9.5 +$ORIGIN l5.l6.l7.l8.l9.l10c9.com. +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l4 IN NS +SECTION AUTHORITY +l4 IN NS ns.l4 +SECTION ADDITIONAL +ns.l4 IN A 1.3.9.4 +ENTRY_END +RANGE_END + +; ns.l4.l5.l6.l7.l8.l9.l10c9.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.9.4 +$ORIGIN l4.l5.l6.l7.l8.l9.l10c9.com. +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l3 IN NS +SECTION AUTHORITY +l3 IN NS ns.l3 +SECTION ADDITIONAL +ns.l3 IN A 1.3.9.3 +ENTRY_END +RANGE_END + +; ns.l3.l4.l5.l6.l7.l8.l9.l10c9.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.9.3 +$ORIGIN l3.l4.l5.l6.l7.l8.l9.l10c9.com. +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l2 IN NS +SECTION AUTHORITY +l2 IN NS ns.l2 +SECTION ADDITIONAL +ns.l2 IN A 1.3.9.2 +ENTRY_END +RANGE_END + +; ns.l2.l3.l4.l5.l6.l7.l8.l9.l10c9.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.9.2 +$ORIGIN l2.l3.l4.l5.l6.l7.l8.l9.l10c9.com. +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l1 IN NS +SECTION AUTHORITY +l1 IN NS ns.l1 +SECTION ADDITIONAL +ns.l1 IN A 1.3.9.1 +ENTRY_END +RANGE_END + +; ns.l1.l2.l3.l4.l5.l6.l7.l8.l9.l10c9.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.9.1 +$ORIGIN l1.l2.l3.l4.l5.l6.l7.l8.l9.l10c9.com. 
+ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +ns IN A +SECTION ANSWER +ns IN A 1.3.9.1 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +ns IN AAAA +SECTION AUTHORITY +@ SOA ns host 2018060423 3600 300 86400 3600 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +www.c9.com. IN A +SECTION ANSWER +www.c9.com. IN CNAME www.c10.com. +ENTRY_END +RANGE_END +; ns.l10c10.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.10.10 +$ORIGIN l10c10.com. +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l9 IN NS +SECTION AUTHORITY +l9 IN NS ns.l9 +SECTION ADDITIONAL +ns.l9 IN A 1.3.10.9 +ENTRY_END +RANGE_END + +; ns.l9.l10c10.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.10.9 +$ORIGIN l9.l10c10.com. +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l8 IN NS +SECTION AUTHORITY +l8 IN NS ns.l8 +SECTION ADDITIONAL +ns.l8 IN A 1.3.10.8 +ENTRY_END +RANGE_END + +; ns.l8.l9.l10c10.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.10.8 +$ORIGIN l8.l9.l10c10.com. +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l7 IN NS +SECTION AUTHORITY +l7 IN NS ns.l7 +SECTION ADDITIONAL +ns.l7 IN A 1.3.10.7 +ENTRY_END +RANGE_END + +; ns.l7.l8.l9.l10c10.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.10.7 +$ORIGIN l7.l8.l9.l10c10.com. +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l6 IN NS +SECTION AUTHORITY +l6 IN NS ns.l6 +SECTION ADDITIONAL +ns.l6 IN A 1.3.10.6 +ENTRY_END +RANGE_END + +; ns.l6.l7.l8.l9.l10c10.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.10.6 +$ORIGIN l6.l7.l8.l9.l10c10.com. 
+ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l5 IN NS +SECTION AUTHORITY +l5 IN NS ns.l5 +SECTION ADDITIONAL +ns.l5 IN A 1.3.10.5 +ENTRY_END +RANGE_END + +; ns.l5.l6.l7.l8.l9.l10c10.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.10.5 +$ORIGIN l5.l6.l7.l8.l9.l10c10.com. +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l4 IN NS +SECTION AUTHORITY +l4 IN NS ns.l4 +SECTION ADDITIONAL +ns.l4 IN A 1.3.10.4 +ENTRY_END +RANGE_END + +; ns.l4.l5.l6.l7.l8.l9.l10c10.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.10.4 +$ORIGIN l4.l5.l6.l7.l8.l9.l10c10.com. +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l3 IN NS +SECTION AUTHORITY +l3 IN NS ns.l3 +SECTION ADDITIONAL +ns.l3 IN A 1.3.10.3 +ENTRY_END +RANGE_END + +; ns.l3.l4.l5.l6.l7.l8.l9.l10c10.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.10.3 +$ORIGIN l3.l4.l5.l6.l7.l8.l9.l10c10.com. +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l2 IN NS +SECTION AUTHORITY +l2 IN NS ns.l2 +SECTION ADDITIONAL +ns.l2 IN A 1.3.10.2 +ENTRY_END +RANGE_END + +; ns.l2.l3.l4.l5.l6.l7.l8.l9.l10c10.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.10.2 +$ORIGIN l2.l3.l4.l5.l6.l7.l8.l9.l10c10.com. +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +l1 IN NS +SECTION AUTHORITY +l1 IN NS ns.l1 +SECTION ADDITIONAL +ns.l1 IN A 1.3.10.1 +ENTRY_END +RANGE_END + +; ns.l1.l2.l3.l4.l5.l6.l7.l8.l9.l10c10.com. +RANGE_BEGIN 0 100 + ADDRESS 1.3.10.1 +$ORIGIN l1.l2.l3.l4.l5.l6.l7.l8.l9.l10c10.com. 
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+ns IN A
+SECTION ANSWER
+ns IN A 1.3.10.1
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+ns IN AAAA
+SECTION AUTHORITY
+@ SOA ns host 2018060423 3600 300 86400 3600
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+www.c10.com. IN A
+SECTION ANSWER
+www.c10.com. IN CNAME www.foo.com.
+ENTRY_END
+RANGE_END
+
+STEP 1 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA SERVFAIL
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+; This is the answer that is exceeding the global quota.
+; www.example.com. IN CNAME www.c1.com.
+; www.c1.com. IN CNAME www.c2.com.
+; www.c2.com. IN CNAME www.c3.com.
+; www.c3.com. IN CNAME www.c4.com.
+; www.c4.com. IN CNAME www.c5.com.
+; www.c5.com. IN CNAME www.c6.com.
+; www.c6.com. IN CNAME www.c7.com.
+; www.c7.com. IN CNAME www.c8.com.
+; www.c8.com. IN CNAME www.c9.com.
+; www.c9.com. IN CNAME www.c10.com.
+; www.c10.com. IN CNAME www.foo.com.
+; www.foo.com. IN A 1.2.3.4
+ENTRY_END
+
+STEP 20 TRAFFIC
+
+SCENARIO_END
diff --git a/util/config_file.c b/util/config_file.c
index 9a93befd3..bd6f8f40b 100644
--- a/util/config_file.c
+++ b/util/config_file.c
@@ -408,6 +408,9 @@ config_create(void)
 	cfg->ipset_name_v6 = NULL;
 #endif
 	cfg->ede = 0;
+	cfg->iter_scrub_ns = 20;
+	cfg->iter_scrub_cname = 11;
+	cfg->max_global_quota = 128;
 	return cfg;
 error_exit:
 	config_delete(cfg);
@@ -718,6 +721,9 @@ int config_set_option(struct config_file* cfg, const char* opt,
 	else S_NUMBER_OR_ZERO("serve-expired-client-timeout:", serve_expired_client_timeout)
 	else S_YNO("ede:", ede)
 	else S_YNO("ede-serve-expired:", ede_serve_expired)
+	else S_NUMBER_OR_ZERO("iter-scrub-ns:", iter_scrub_ns)
+	else S_NUMBER_OR_ZERO("iter-scrub-cname:", iter_scrub_cname)
+	else S_NUMBER_OR_ZERO("max-global-quota:", max_global_quota)
 	else S_YNO("serve-original-ttl:", serve_original_ttl)
 	else S_STR("val-nsec3-keysize-iterations:", val_nsec3_key_iterations)
 	else S_YNO("zonemd-permissive-mode:", zonemd_permissive_mode)
@@ -1186,6 +1192,9 @@ config_get_option(struct config_file* cfg, const char* opt,
 	else O_DEC(opt, "serve-expired-client-timeout", serve_expired_client_timeout)
 	else O_YNO(opt, "ede", ede)
 	else O_YNO(opt, "ede-serve-expired", ede_serve_expired)
+	else O_DEC(opt, "iter-scrub-ns", iter_scrub_ns)
+	else O_DEC(opt, "iter-scrub-cname", iter_scrub_cname)
+	else O_DEC(opt, "max-global-quota", max_global_quota)
 	else O_YNO(opt, "serve-original-ttl", serve_original_ttl)
 	else O_STR(opt, "val-nsec3-keysize-iterations",val_nsec3_key_iterations)
 	else O_YNO(opt, "zonemd-permissive-mode", zonemd_permissive_mode)
@@ -2389,6 +2398,7 @@ config_apply(struct config_file* config)
 	MINIMAL_RESPONSES = config->minimal_responses;
 	RRSET_ROUNDROBIN = config->rrset_roundrobin;
 	LOG_TAG_QUERYREPLY = config->log_tag_queryreply;
+	MAX_GLOBAL_QUOTA = config->max_global_quota;
 	UNKNOWN_SERVER_NICENESS = config->unknown_server_time_limit;
 	USEFUL_SERVER_TOP_TIMEOUT = RTT_MAX_TIMEOUT;
 	BLACKLIST_PENALTY = USEFUL_SERVER_TOP_TIMEOUT*4;
diff --git a/util/config_file.h b/util/config_file.h
index 23aacc67a..6b16efa63 100644
--- a/util/config_file.h
+++ b/util/config_file.h
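Review bot: `S_NUMBER_OR_ZERO("iter-scrub-ns:", iter_scrub_ns)` stores a signed parse into a field that the util/config_file.h hunk declares as `size_t`, so a negative value such as `-1` wraps to a huge limit and silently switches the NS scrubbing off, whereas the two `int` siblings at least keep the sign. The macro body is outside this hunk; the same signed/unsigned mismatch appears in `O_DEC(opt, "iter-scrub-ns", iter_scrub_ns)` in the config_get_option hunk below and in the `server_iter_scrub_ns` action of the configparser.y hunk, which assigns `atoi($2)` directly. Either declare `iter_scrub_ns` as `int` like its siblings, or reject negatives at both set points, e.g. in the parser action `else if(atoi($2) < 0) yyerror("number expected");` before the assignment. config_set_option's body starts and ends outside the hunk.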
@@ -760,6 +760,12 @@ struct config_file {
 #endif
 	/** respond with Extended DNS Errors (RFC8914) */
 	int ede;
+	/** limit on NS RRs in RRset for the iterator scrubber. */
+	size_t iter_scrub_ns;
+	/** limit on CNAME, DNAME RRs in answer for the iterator scrubber. */
+	int iter_scrub_cname;
+	/** limit on upstream queries for an incoming query and subqueries. */
+	int max_global_quota;
 };
 
 /** from cfg username, after daemonize setup performed */
diff --git a/util/configlexer.lex b/util/configlexer.lex
index cd5062092..9a95dc078 100644
--- a/util/configlexer.lex
+++ b/util/configlexer.lex
@@ -588,6 +588,9 @@ edns-client-string-opcode{COLON} { YDVAR(1, VAR_EDNS_CLIENT_STRING_OPCODE) }
 nsid{COLON} { YDVAR(1, VAR_NSID ) }
 ede{COLON} { YDVAR(1, VAR_EDE ) }
 proxy-protocol-port{COLON} { YDVAR(1, VAR_PROXY_PROTOCOL_PORT) }
+iter-scrub-ns{COLON} { YDVAR(1, VAR_ITER_SCRUB_NS) }
+iter-scrub-cname{COLON} { YDVAR(1, VAR_ITER_SCRUB_CNAME) }
+max-global-quota{COLON} { YDVAR(1, VAR_MAX_GLOBAL_QUOTA) }
 {NEWLINE} { LEXOUT(("NL\n")); cfg_parser->line++; }
 
 /* Quoted strings. Strip leading and ending quotes */
diff --git a/util/configparser.y b/util/configparser.y
index b650b8109..0ab15f8eb 100644
--- a/util/configparser.y
+++ b/util/configparser.y
@@ -205,7 +205,8 @@ extern struct config_parser_state* cfg_parser;
 %token VAR_PROXY_PROTOCOL_PORT VAR_STATISTICS_INHIBIT_ZERO
 %token VAR_HARDEN_UNKNOWN_ADDITIONAL VAR_DISABLE_EDNS_DO VAR_CACHEDB_NO_STORE
 %token VAR_LOG_DESTADDR VAR_CACHEDB_CHECK_WHEN_SERVE_EXPIRED
-%token VAR_COOKIE_SECRET_FILE
+%token VAR_COOKIE_SECRET_FILE VAR_ITER_SCRUB_NS VAR_ITER_SCRUB_CNAME
+%token VAR_MAX_GLOBAL_QUOTA
 
 %%
 toplevelvars: /* empty */ | toplevelvars toplevelvar ;
@@ -343,7 +344,8 @@ content_server: server_num_threads | server_verbosity | server_port | server_interface_automatic_ports | server_ede | server_proxy_protocol_port | server_statistics_inhibit_zero | server_harden_unknown_additional | server_disable_edns_do | - server_log_destaddr | server_cookie_secret_file + server_log_destaddr | server_cookie_secret_file | + server_iter_scrub_ns | server_iter_scrub_cname | server_max_global_quota ; stubstart: VAR_STUB_ZONE { @@ -4006,6 +4008,33 @@ server_cookie_secret_file: VAR_COOKIE_SECRET_FILE STRING_ARG cfg_parser->cfg->cookie_secret_file = $2; } ; +server_iter_scrub_ns: VAR_ITER_SCRUB_NS STRING_ARG + { + OUTYY(("P(server_iter_scrub_ns:%s)\n", $2)); + if(atoi($2) == 0 && strcmp($2, "0") != 0) + yyerror("number expected"); + else cfg_parser->cfg->iter_scrub_ns = atoi($2); + free($2); + } + ; +server_iter_scrub_cname: VAR_ITER_SCRUB_CNAME STRING_ARG + { + OUTYY(("P(server_iter_scrub_cname:%s)\n", $2)); + if(atoi($2) == 0 && strcmp($2, "0") != 0) + yyerror("number expected"); + else cfg_parser->cfg->iter_scrub_cname = atoi($2); + free($2); + } + ; +server_max_global_quota: VAR_MAX_GLOBAL_QUOTA STRING_ARG + { + OUTYY(("P(server_max_global_quota:%s)\n", $2)); + if(atoi($2) == 0 && strcmp($2, "0") != 0) + yyerror("number expected"); + else cfg_parser->cfg->max_global_quota = atoi($2); + free($2); + } + ; ipsetstart: VAR_IPSET { OUTYY(("\nP(ipset:)\n")); From 04e6f9e03ba7891d38d3837276f46b8bd4a50e74 Mon Sep 17 00:00:00 2001 From: "W.C.A. Wijngaards" Date: Wed, 21 Aug 2024 13:20:00 +0200 Subject: [PATCH 03/33] - Add cross platform freebsd to github ci. --- .github/workflows/analysis_ports.yml | 312 ++++++++++++++------------- doc/Changelog | 3 + 2 files changed, 171 insertions(+), 144 deletions(-) diff --git a/.github/workflows/analysis_ports.yml b/.github/workflows/analysis_ports.yml index 0dd2514e7..375aa5fac 100644 --- a/.github/workflows/analysis_ports.yml +++ b/.github/workflows/analysis_ports.yml 
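Review bot: The new actions `server_iter_scrub_ns`, `server_iter_scrub_cname` and `server_max_global_quota` deliberately admit `0` through the `strcmp($2, "0") != 0` clause, but nothing in the visible code says what a zero limit means for the iterator (disable the check, or reject every NS RRset and CNAME chain). That is the first question a reader has about a scrubbing limit, so each action should carry a comment such as `/* 0 is accepted here; what a zero limit means is decided where the iterator reads the value */`, or the man page entry for the option should state it. The code that consumes these values is outside this hunk, so I cannot confirm which behaviour applies.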
@@ -14,153 +14,162 @@ jobs: strategy: matrix: include: - - name: GCC on Linux +# - name: GCC on Linux +# os: ubuntu-latest +# config: "--enable-debug --disable-flto" +# make_test: "yes" +# - name: Clang-analyzer +# os: ubuntu-latest +# config: "CC=clang --enable-debug --disable-flto --disable-static" +# make_test: "yes" +# clang_analysis: "yes" +# - name: libevent +# os: ubuntu-latest +# install_libevent: "yes" +# config: "CC=clang --enable-debug --disable-flto --with-libevent --disable-static" +# make_test: "yes" +# clang_analysis: "yes" +# - name: OS X +# os: macos-latest +# install_expat: "yes" +# config: "--enable-debug --disable-flto --with-ssl=/opt/homebrew/opt/openssl --with-libexpat=/opt/homebrew/opt/expat" +# make_test: "yes" +# - name: Clang on OS X +# os: macos-latest +# install_expat: "yes" +# config: "CC=clang --enable-debug --disable-flto --with-ssl=/opt/homebrew/opt/openssl --with-libexpat=/opt/homebrew/opt/expat --disable-static" +# make_test: "yes" +# clang_analysis: "yes" +# - name: ubsan (gcc undefined behaviour sanitizer) +# os: ubuntu-latest +# config: 'CFLAGS="-DNDEBUG -g2 -O3 -fsanitize=undefined -fno-sanitize-recover=all" --disable-flto --disable-static' +# make_test: "yes" +# - name: asan (gcc address sanitizer) +# os: ubuntu-latest +# config: 'CFLAGS="-DNDEBUG -g2 -O3 -fsanitize=address" --disable-flto --disable-static' +# make_test: "yes" +# - name: Apple iPhone on iOS, armv7 +# os: macos-latest +# AUTOTOOLS_HOST: armv7-apple-ios +# OPENSSL_HOST: ios-cross +# IOS_SDK: iPhoneOS +# IOS_CPU: armv7s +# test_ios: "yes" +# config: "no" +# make: "no" +# - name: Apple iPhone on iOS, arm64 +# os: macos-latest +# AUTOTOOLS_HOST: aarch64-apple-ios +# OPENSSL_HOST: ios64-cross +# IOS_SDK: iPhoneOS +# IOS_CPU: arm64 +# test_ios: "yes" +# config: "no" +# make: "no" +# - name: Apple TV on iOS, arm64 +# os: macos-latest +# AUTOTOOLS_HOST: aarch64-apple-ios +# OPENSSL_HOST: ios64-cross +# IOS_SDK: AppleTVOS +# IOS_CPU: arm64 +# test_ios: "yes" +# config: 
"no" +# make: "no" +# - name: Apple Watch on iOS, armv7 +# os: macos-latest +# AUTOTOOLS_HOST: armv7-apple-ios +# OPENSSL_HOST: ios-cross +# IOS_SDK: WatchOS +# IOS_CPU: armv7k +# test_ios: "yes" +# config: "no" +# make: "no" +# - name: iPhoneSimulator on OS X, i386 +# os: macos-latest +# AUTOTOOLS_HOST: i386-apple-ios +# OPENSSL_HOST: iphoneos-cross +# IOS_SDK: iPhoneSimulator +# IOS_CPU: i386 +# test_ios: "yes" +# config: "no" +# make: "no" +# - name: iPhoneSimulator on OS X, x86_64 +# os: macos-latest +# AUTOTOOLS_HOST: x86_64-apple-ios +# OPENSSL_HOST: iphoneos-cross +# IOS_SDK: iPhoneSimulator +# IOS_CPU: x86_64 +# test_ios: "yes" +# config: "no" +# make: "no" +# - name: AppleTVSimulator on OS X, x86_64 +# os: macos-latest +# AUTOTOOLS_HOST: x86_64-apple-ios +# OPENSSL_HOST: iphoneos-cross +# IOS_SDK: AppleTVSimulator +# IOS_CPU: x86_64 +# test_ios: "yes" +# config: "no" +# make: "no" +# - name: WatchSimulator on OS X, i386 +# os: macos-latest +# AUTOTOOLS_HOST: i386-apple-ios +# OPENSSL_HOST: iphoneos-cross +# IOS_SDK: WatchSimulator +# IOS_CPU: i386 +# test_ios: "yes" +# config: "no" +# make: "no" +# - name: Android armv7a +# os: ubuntu-latest +# AUTOTOOLS_HOST: armv7a-linux-androidabi +# OPENSSL_HOST: android-arm +# ANDROID_CPU: armv7a +# ANDROID_API: 23 +# test_android: "yes" +# config: "no" +# make: "no" +# - name: Android aarch64 +# os: ubuntu-latest +# AUTOTOOLS_HOST: aarch64-linux-android +# OPENSSL_HOST: android-arm64 +# ANDROID_CPU: aarch64 +# ANDROID_API: 23 +# test_android: "yes" +# config: "no" +# make: "no" +# - name: Android x86 +# os: ubuntu-latest +# AUTOTOOLS_HOST: i686-linux-android +# OPENSSL_HOST: android-x86 +# ANDROID_CPU: x86 +# ANDROID_API: 23 +# test_android: "yes" +# config: "no" +# make: "no" +# - name: Android x86_64 +# os: ubuntu-latest +# AUTOTOOLS_HOST: x86_64-linux-android +# OPENSSL_HOST: android-x86_64 +# ANDROID_CPU: x86_64 +# ANDROID_API: 23 +# test_android: "yes" +# config: "no" +# make: "no" +# - name: Windows +# os: 
windows-latest +# test_windows: "yes" +# config: "no" +# make: "no" + - name: FreeBSD os: ubuntu-latest - config: "--enable-debug --disable-flto" - make_test: "yes" - - name: Clang-analyzer - os: ubuntu-latest - config: "CC=clang --enable-debug --disable-flto --disable-static" - make_test: "yes" - clang_analysis: "yes" - - name: libevent - os: ubuntu-latest - install_libevent: "yes" - config: "CC=clang --enable-debug --disable-flto --with-libevent --disable-static" - make_test: "yes" - clang_analysis: "yes" - - name: OS X - os: macos-latest - install_expat: "yes" - config: "--enable-debug --disable-flto --with-ssl=/opt/homebrew/opt/openssl --with-libexpat=/opt/homebrew/opt/expat" - make_test: "yes" - - name: Clang on OS X - os: macos-latest - install_expat: "yes" - config: "CC=clang --enable-debug --disable-flto --with-ssl=/opt/homebrew/opt/openssl --with-libexpat=/opt/homebrew/opt/expat --disable-static" - make_test: "yes" - clang_analysis: "yes" - - name: ubsan (gcc undefined behaviour sanitizer) - os: ubuntu-latest - config: 'CFLAGS="-DNDEBUG -g2 -O3 -fsanitize=undefined -fno-sanitize-recover=all" --disable-flto --disable-static' - make_test: "yes" - - name: asan (gcc address sanitizer) - os: ubuntu-latest - config: 'CFLAGS="-DNDEBUG -g2 -O3 -fsanitize=address" --disable-flto --disable-static' - make_test: "yes" - - name: Apple iPhone on iOS, armv7 - os: macos-latest - AUTOTOOLS_HOST: armv7-apple-ios - OPENSSL_HOST: ios-cross - IOS_SDK: iPhoneOS - IOS_CPU: armv7s - test_ios: "yes" - config: "no" - make: "no" - - name: Apple iPhone on iOS, arm64 - os: macos-latest - AUTOTOOLS_HOST: aarch64-apple-ios - OPENSSL_HOST: ios64-cross - IOS_SDK: iPhoneOS - IOS_CPU: arm64 - test_ios: "yes" - config: "no" - make: "no" - - name: Apple TV on iOS, arm64 - os: macos-latest - AUTOTOOLS_HOST: aarch64-apple-ios - OPENSSL_HOST: ios64-cross - IOS_SDK: AppleTVOS - IOS_CPU: arm64 - test_ios: "yes" - config: "no" - make: "no" - - name: Apple Watch on iOS, armv7 - os: macos-latest - 
AUTOTOOLS_HOST: armv7-apple-ios - OPENSSL_HOST: ios-cross - IOS_SDK: WatchOS - IOS_CPU: armv7k - test_ios: "yes" - config: "no" - make: "no" - - name: iPhoneSimulator on OS X, i386 - os: macos-latest - AUTOTOOLS_HOST: i386-apple-ios - OPENSSL_HOST: iphoneos-cross - IOS_SDK: iPhoneSimulator - IOS_CPU: i386 - test_ios: "yes" - config: "no" - make: "no" - - name: iPhoneSimulator on OS X, x86_64 - os: macos-latest - AUTOTOOLS_HOST: x86_64-apple-ios - OPENSSL_HOST: iphoneos-cross - IOS_SDK: iPhoneSimulator - IOS_CPU: x86_64 - test_ios: "yes" - config: "no" - make: "no" - - name: AppleTVSimulator on OS X, x86_64 - os: macos-latest - AUTOTOOLS_HOST: x86_64-apple-ios - OPENSSL_HOST: iphoneos-cross - IOS_SDK: AppleTVSimulator - IOS_CPU: x86_64 - test_ios: "yes" - config: "no" - make: "no" - - name: WatchSimulator on OS X, i386 - os: macos-latest - AUTOTOOLS_HOST: i386-apple-ios - OPENSSL_HOST: iphoneos-cross - IOS_SDK: WatchSimulator - IOS_CPU: i386 - test_ios: "yes" - config: "no" - make: "no" - - name: Android armv7a - os: ubuntu-latest - AUTOTOOLS_HOST: armv7a-linux-androidabi - OPENSSL_HOST: android-arm - ANDROID_CPU: armv7a - ANDROID_API: 23 - test_android: "yes" - config: "no" - make: "no" - - name: Android aarch64 - os: ubuntu-latest - AUTOTOOLS_HOST: aarch64-linux-android - OPENSSL_HOST: android-arm64 - ANDROID_CPU: aarch64 - ANDROID_API: 23 - test_android: "yes" - config: "no" - make: "no" - - name: Android x86 - os: ubuntu-latest - AUTOTOOLS_HOST: i686-linux-android - OPENSSL_HOST: android-x86 - ANDROID_CPU: x86 - ANDROID_API: 23 - test_android: "yes" - config: "no" - make: "no" - - name: Android x86_64 - os: ubuntu-latest - AUTOTOOLS_HOST: x86_64-linux-android - OPENSSL_HOST: android-x86_64 - ANDROID_CPU: x86_64 - ANDROID_API: 23 - test_android: "yes" - config: "no" - make: "no" - - name: Windows - os: windows-latest - test_windows: "yes" config: "no" make: "no" + with_cross_platform_action: "yes" + cross_platform_os: "freebsd" + cross_platform_arch: "x86-64" + 
cross_platform_version: "14.1" + cross_platform_config: "--enable-debug --disable-flto" steps: - uses: actions/checkout@v4 @@ -331,6 +340,21 @@ jobs: echo "::group::make install" make install echo "::endgroup::" + - name: cross-platform-action on ${{ matrix.cross_platform_os }} ${{ matrix.cross_platform_version }} + if: ${{ matrix.with_cross_platform_action == 'yes' }} + uses: cross-platform-actions/action@v0.25.0 + with: + operating_system: ${{ matrix.cross_platform_os }} + architecture: ${{ matrix.cross_platform_arch }} + version: ${{ matrix.cross_platform_version }} + shell: bash + memory: 4G + cpu_count: 2 + run: | + ASSUME_ALWAYS_YES=yes sudo pkg install openssl libevent expat + ./configure ${{ matrix.cross_platform_config }} + make + make test - name: install libevent if: ${{ matrix.install_libevent == 'yes' }} run: sudo apt-get install libevent-dev diff --git a/doc/Changelog b/doc/Changelog index d23ce259d..52302dbca 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,3 +1,6 @@ +21 August 2024: Wouter + - Add cross platform freebsd to github ci. + 20 August 2024: Wouter - Add iter-scrub-ns, iter-scrub-cname and max-global-quota configuration options. From 19d53d566359b51625e4ccf8dd13a5adb941fed6 Mon Sep 17 00:00:00 2001 From: "W.C.A. Wijngaards" Date: Wed, 21 Aug 2024 13:24:54 +0200 Subject: [PATCH 04/33] Fix for freebsd ci. --- .github/workflows/analysis_ports.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/analysis_ports.yml b/.github/workflows/analysis_ports.yml index 375aa5fac..eba981b7a 100644 --- a/.github/workflows/analysis_ports.yml +++ b/.github/workflows/analysis_ports.yml @@ -351,7 +351,7 @@ jobs: memory: 4G cpu_count: 2 run: | - ASSUME_ALWAYS_YES=yes sudo pkg install openssl libevent expat + sudo pkg install -y openssl libevent expat ./configure ${{ matrix.cross_platform_config }} make make test From 12119e2d3e6300a508b9b016becfbc3695b3afb0 Mon Sep 17 00:00:00 2001 
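Review bot: The whole existing matrix — GCC, clang-analyzer, libevent, both macOS entries, ubsan, asan, the iOS and Android cross builds and Windows — is commented out with `#` and only the new `FreeBSD` entry remains, so the sanitizer and analyzer jobs stop running on every push. If this is a deliberate temporary state while the cross-platform job is brought up, a line such as `# TODO: matrix reduced to FreeBSD while bringing up cross-platform-actions; restore before merging` at the top of the `include:` list would make it explicit; otherwise the entries should be restored in the same patch. The later patch in this series that adds OpenBSD comments out the FreeBSD entry in the same way, leaving a single job again.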
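Review bot: `uses: cross-platform-actions/action@v0.25.0` pulls a third-party action that boots a VM and runs the build, and a tag is a mutable reference, so the code executed on each run can change without any change to this repository. Pin it to the full commit id of that release and keep the tag as a comment, `uses: cross-platform-actions/action@<full-commit-sha>  # v0.25.0`; `actions/checkout@v4` in the same file uses the tag form too, but a community VM runner deserves the stricter pin. The `run:` script and the `steps:` list continue outside this hunk.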
From: "W.C.A. Wijngaards" Date: Wed, 21 Aug 2024 13:37:42 +0200 Subject: [PATCH 05/33] ci for freebsd nicer, with libevent, faster without static compile, and with grouped output, also the pkg install is conditional on the platform. --- .github/workflows/analysis_ports.yml | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/.github/workflows/analysis_ports.yml b/.github/workflows/analysis_ports.yml index eba981b7a..7ba9fd049 100644 --- a/.github/workflows/analysis_ports.yml +++ b/.github/workflows/analysis_ports.yml @@ -169,7 +169,7 @@ jobs: cross_platform_os: "freebsd" cross_platform_arch: "x86-64" cross_platform_version: "14.1" - cross_platform_config: "--enable-debug --disable-flto" + cross_platform_config: "--enable-debug --disable-flto --with-libevent --disable-static" steps: - uses: actions/checkout@v4 @@ -343,7 +343,10 @@ jobs: - name: cross-platform-action on ${{ matrix.cross_platform_os }} ${{ matrix.cross_platform_version }} if: ${{ matrix.with_cross_platform_action == 'yes' }} uses: cross-platform-actions/action@v0.25.0 + env: + CROSS_PLATFORM_OS: ${{ matrix.cross_platform_os }} with: + environment_variables: CROSS_PLATFORM_OS operating_system: ${{ matrix.cross_platform_os }} architecture: ${{ matrix.cross_platform_arch }} version: ${{ matrix.cross_platform_version }} @@ -351,10 +354,16 @@ jobs: memory: 4G cpu_count: 2 run: | - sudo pkg install -y openssl libevent expat + if test "$CROSS_PLATFORM_OS" = "freebsd"; then sudo pkg install -y openssl libevent expat; fi + echo "::group::configure" ./configure ${{ matrix.cross_platform_config }} + echo "::endgroup::" + echo "::group::make" make + echo "::endgroup::" + echo "::group::make test" make test + echo "::endgroup::" - name: install libevent if: ${{ matrix.install_libevent == 'yes' }} run: sudo apt-get install libevent-dev From 06d5031d226461961dcba792f7e256146231d69b Mon Sep 17 00:00:00 2001 
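Review bot: `cross_platform_config` is still template-expanded into the shell script with `${{ matrix.cross_platform_config }}` while `cross_platform_os` is now passed through `env:` and `environment_variables:`; passing the configure flags the same way, e.g. `CROSS_PLATFORM_CONFIG: ${{ matrix.cross_platform_config }}` under `env:`, `environment_variables: CROSS_PLATFORM_OS CROSS_PLATFORM_CONFIG`, and `./configure $CROSS_PLATFORM_CONFIG` in the script, keeps the step consistent and keeps expression expansion out of the script body. The values come from the workflow's own matrix here, so this is a point of style rather than an injection risk.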
From: "W.C.A. Wijngaards" Date: Wed, 21 Aug 2024 13:50:55 +0200 Subject: [PATCH 06/33] - Add cross platform openbsd to github ci. --- .github/workflows/analysis_ports.yml | 17 ++++++++++++++--- doc/Changelog | 1 + 2 files changed, 15 insertions(+), 3 deletions(-) diff --git a/.github/workflows/analysis_ports.yml b/.github/workflows/analysis_ports.yml index 7ba9fd049..6569d522a 100644 --- a/.github/workflows/analysis_ports.yml +++ b/.github/workflows/analysis_ports.yml @@ -161,14 +161,23 @@ jobs: # test_windows: "yes" # config: "no" # make: "no" - - name: FreeBSD +# - name: FreeBSD +# os: ubuntu-latest +# config: "no" +# make: "no" +# with_cross_platform_action: "yes" +# cross_platform_os: "freebsd" +# cross_platform_arch: "x86-64" +# cross_platform_version: "14.1" +# cross_platform_config: "--enable-debug --disable-flto --with-libevent --disable-static" + - name: OpenBSD os: ubuntu-latest config: "no" make: "no" with_cross_platform_action: "yes" - cross_platform_os: "freebsd" + cross_platform_os: "openbsd" cross_platform_arch: "x86-64" - cross_platform_version: "14.1" + cross_platform_version: "7.5" cross_platform_config: "--enable-debug --disable-flto --with-libevent --disable-static" steps: @@ -354,7 +363,9 @@ jobs: memory: 4G cpu_count: 2 run: | + set -e -x if test "$CROSS_PLATFORM_OS" = "freebsd"; then sudo pkg install -y openssl libevent expat; fi + if test "$CROSS_PLATFORM_OS" = "openbsd"; then sudo pkg_add libevent; fi echo "::group::configure" ./configure ${{ matrix.cross_platform_config }} echo "::endgroup::" diff --git a/doc/Changelog b/doc/Changelog index 52302dbca..42bce5cad 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,5 +1,6 @@ 21 August 2024: Wouter - Add cross platform freebsd to github ci. + - Add cross platform openbsd to github ci. 20 August 2024: Wouter - Add iter-scrub-ns, iter-scrub-cname and max-global-quota From 4f52461e81778e6de8c12d137106c468c36cc371 Mon Sep 17 00:00:00 2001 
From: "W.C.A. Wijngaards" Date: Wed, 21 Aug 2024 14:03:11 +0200 Subject: [PATCH 07/33] - Add cross platform netbsd to github ci. --- .github/workflows/analysis_ports.yml | 16 +++++++++++++--- doc/Changelog | 3 +-- 2 files changed, 14 insertions(+), 5 deletions(-) diff --git a/.github/workflows/analysis_ports.yml b/.github/workflows/analysis_ports.yml index 6569d522a..475ec0f40 100644 --- a/.github/workflows/analysis_ports.yml +++ b/.github/workflows/analysis_ports.yml @@ -170,14 +170,23 @@ jobs: # cross_platform_arch: "x86-64" # cross_platform_version: "14.1" # cross_platform_config: "--enable-debug --disable-flto --with-libevent --disable-static" - - name: OpenBSD +# - name: OpenBSD +# os: ubuntu-latest +# config: "no" +# make: "no" +# with_cross_platform_action: "yes" +# cross_platform_os: "openbsd" +# cross_platform_arch: "x86-64" +# cross_platform_version: "7.5" +# cross_platform_config: "--enable-debug --disable-flto --with-libevent --disable-static" + - name: NetBSD os: ubuntu-latest config: "no" make: "no" with_cross_platform_action: "yes" - cross_platform_os: "openbsd" + cross_platform_os: "netbsd" cross_platform_arch: "x86-64" - cross_platform_version: "7.5" + cross_platform_version: "10.0" cross_platform_config: "--enable-debug --disable-flto --with-libevent --disable-static" steps: @@ -366,6 +375,7 @@ jobs: set -e -x if test "$CROSS_PLATFORM_OS" = "freebsd"; then sudo pkg install -y openssl libevent expat; fi if test "$CROSS_PLATFORM_OS" = "openbsd"; then sudo pkg_add libevent; fi + if test "$CROSS_PLATFORM_OS" = "netbsd"; then sudo pkgin -y install libevent; fi echo "::group::configure" ./configure ${{ matrix.cross_platform_config }} echo "::endgroup::" diff --git a/doc/Changelog b/doc/Changelog index 42bce5cad..f1bdd3381 100644 --- a/doc/Changelog +++ b/doc/Changelog 
@@ -1,6 +1,5 @@ 21 August 2024: Wouter - - Add cross platform freebsd to github ci. - - Add cross platform openbsd to github ci. + - Add cross platform freebsd, openbsd and netbsd to github ci. 20 August 2024: Wouter - Add iter-scrub-ns, iter-scrub-cname and max-global-quota From 6b3266aaf84b18fa8c2dfd7f1cc052f13c07440e Mon Sep 17 00:00:00 2001 From: "W.C.A. Wijngaards" Date: Wed, 21 Aug 2024 14:15:23 +0200 Subject: [PATCH 08/33] - Fix for char signedness warnings on NetBSD. --- doc/Changelog | 1 + services/modstack.c | 2 +- testcode/unitzonemd.c | 2 +- util/config_file.c | 2 +- 4 files changed, 4 insertions(+), 3 deletions(-) diff --git a/doc/Changelog b/doc/Changelog index f1bdd3381..a6eb51438 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,5 +1,6 @@ 21 August 2024: Wouter - Add cross platform freebsd, openbsd and netbsd to github ci. + - Fix for char signedness warnings on NetBSD. 20 August 2024: Wouter - Add iter-scrub-ns, iter-scrub-cname and max-global-quota diff --git a/services/modstack.c b/services/modstack.c index 6c8af0505..fa68cc71d 100644 --- a/services/modstack.c +++ b/services/modstack.c @@ -265,7 +265,7 @@ modstack_call_init(struct module_stack* stack, const char* module_conf, int i, changed = 0; env->need_to_validate = 0; /* set by module init below */ for(i=0; inum; i++) { - while(*module_conf && isspace(*module_conf)) + while(*module_conf && isspace((unsigned char)*module_conf)) module_conf++; if(strncmp(stack->mod[i]->name, module_conf, strlen(stack->mod[i]->name))) { diff --git a/testcode/unitzonemd.c b/testcode/unitzonemd.c index bf130df5a..9ddf201f9 100644 --- a/testcode/unitzonemd.c +++ b/testcode/unitzonemd.c @@ -108,7 +108,7 @@ static void zonemd_generate_test(const char* zname, char* zfile, digestdup = strdup(digest); unit_assert(digestdup); for(i=0; i= VERB_ALGO) { char zname[255+1]; diff --git a/util/config_file.c b/util/config_file.c index bd6f8f40b..12df8e793 100644 --- a/util/config_file.c +++ b/util/config_file.c 
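Review bot: The `(unsigned char)` cast in the `isspace` call here, and in the unitzonemd.c and util/config_file.c hunks of this patch, is the portable fix rather than a NetBSD-only warning silencer: the `<ctype.h>` functions take an int that must hold a value representable as unsigned char or EOF, so a plain `char` carrying a negative value is undefined behaviour on every platform with signed char, whether or not the compiler warns. The patch touches only the three sites NetBSD flagged; other `<ctype.h>` call sites in the tree that still pass a plain `char` presumably have the same problem where the compiler stays quiet. A one-line comment at the first site, `/* cast: ctype takes unsigned char or EOF, a negative char is UB */`, would keep the next reader from reverting the cast as cosmetic. modstack_call_init continues outside the hunk.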
@@ -2332,7 +2332,7 @@ uint8_t* cfg_parse_nsid(const char* str, uint16_t* nsid_len)
 uint8_t *dp;
 for ( ch = str, dp = nsid
- ; isxdigit(ch[0]) && isxdigit(ch[1])
+ ; isxdigit((unsigned char)ch[0]) && isxdigit((unsigned char)ch[1])
 ; ch += 2, dp++) {
 *dp = (uint8_t)sldns_hexdigit_to_int(ch[0]) * 16;
 *dp += (uint8_t)sldns_hexdigit_to_int(ch[1]);
From 348df52e0590fb2d8bc1d61ed2e29aa732cab6de Mon Sep 17 00:00:00 2001 From: "W.C.A. Wijngaards" Date: Wed, 21 Aug 2024 14:20:04 +0200 Subject: [PATCH 09/33] Enable ci back after debug.
--- .github/workflows/analysis_ports.yml | 330 +++++++++++++-------------- 1 file changed, 165 insertions(+), 165 deletions(-)
diff --git a/.github/workflows/analysis_ports.yml b/.github/workflows/analysis_ports.yml
index 475ec0f40..0388e3cca 100644
--- a/.github/workflows/analysis_ports.yml
+++ b/.github/workflows/analysis_ports.yml
@@ -14,171 +14,171 @@ jobs: strategy: matrix: include: -# - name: GCC on Linux -# os: ubuntu-latest -# config: "--enable-debug --disable-flto" -# make_test: "yes" -# - name: Clang-analyzer -# os: ubuntu-latest -# config: "CC=clang --enable-debug --disable-flto --disable-static" -# make_test: "yes" -# clang_analysis: "yes" -# - name: libevent -# os: ubuntu-latest -# install_libevent: "yes" -# config: "CC=clang --enable-debug --disable-flto --with-libevent --disable-static" -# make_test: "yes" -# clang_analysis: "yes" -# - name: OS X -# os: macos-latest -# install_expat: "yes" -# config: "--enable-debug --disable-flto --with-ssl=/opt/homebrew/opt/openssl --with-libexpat=/opt/homebrew/opt/expat" -# make_test: "yes" -# - name: Clang on OS X -# os: macos-latest -# install_expat: "yes" -# config: "CC=clang --enable-debug --disable-flto --with-ssl=/opt/homebrew/opt/openssl --with-libexpat=/opt/homebrew/opt/expat --disable-static" -# make_test: "yes" -# clang_analysis: "yes" -# - name: ubsan (gcc undefined behaviour sanitizer) -# os: ubuntu-latest -# config: 'CFLAGS="-DNDEBUG -g2 -O3 -fsanitize=undefined -fno-sanitize-recover=all" --disable-flto --disable-static' -# make_test: "yes" -# - name: asan (gcc address sanitizer) -# os: ubuntu-latest -# config: 'CFLAGS="-DNDEBUG -g2 -O3 -fsanitize=address" --disable-flto --disable-static' -# make_test: "yes" -# - name: Apple iPhone on iOS, armv7 -# os: macos-latest -# AUTOTOOLS_HOST: armv7-apple-ios -# OPENSSL_HOST: ios-cross -# IOS_SDK: iPhoneOS -# IOS_CPU: armv7s -# test_ios: "yes" -# config: "no" -# make: "no" -# - name: Apple iPhone on iOS, arm64 -# os: macos-latest -# AUTOTOOLS_HOST: aarch64-apple-ios -# OPENSSL_HOST: ios64-cross -# IOS_SDK: iPhoneOS -# IOS_CPU: arm64 -# test_ios: "yes" -# config: "no" -# make: "no" -# - name: Apple TV on iOS, arm64 -# os: macos-latest -# AUTOTOOLS_HOST: aarch64-apple-ios -# OPENSSL_HOST: ios64-cross -# IOS_SDK: AppleTVOS -# IOS_CPU: arm64 -# test_ios: "yes" -# config: "no" -# make: "no" -# - 
name: Apple Watch on iOS, armv7 -# os: macos-latest -# AUTOTOOLS_HOST: armv7-apple-ios -# OPENSSL_HOST: ios-cross -# IOS_SDK: WatchOS -# IOS_CPU: armv7k -# test_ios: "yes" -# config: "no" -# make: "no" -# - name: iPhoneSimulator on OS X, i386 -# os: macos-latest -# AUTOTOOLS_HOST: i386-apple-ios -# OPENSSL_HOST: iphoneos-cross -# IOS_SDK: iPhoneSimulator -# IOS_CPU: i386 -# test_ios: "yes" -# config: "no" -# make: "no" -# - name: iPhoneSimulator on OS X, x86_64 -# os: macos-latest -# AUTOTOOLS_HOST: x86_64-apple-ios -# OPENSSL_HOST: iphoneos-cross -# IOS_SDK: iPhoneSimulator -# IOS_CPU: x86_64 -# test_ios: "yes" -# config: "no" -# make: "no" -# - name: AppleTVSimulator on OS X, x86_64 -# os: macos-latest -# AUTOTOOLS_HOST: x86_64-apple-ios -# OPENSSL_HOST: iphoneos-cross -# IOS_SDK: AppleTVSimulator -# IOS_CPU: x86_64 -# test_ios: "yes" -# config: "no" -# make: "no" -# - name: WatchSimulator on OS X, i386 -# os: macos-latest -# AUTOTOOLS_HOST: i386-apple-ios -# OPENSSL_HOST: iphoneos-cross -# IOS_SDK: WatchSimulator -# IOS_CPU: i386 -# test_ios: "yes" -# config: "no" -# make: "no" -# - name: Android armv7a -# os: ubuntu-latest -# AUTOTOOLS_HOST: armv7a-linux-androidabi -# OPENSSL_HOST: android-arm -# ANDROID_CPU: armv7a -# ANDROID_API: 23 -# test_android: "yes" -# config: "no" -# make: "no" -# - name: Android aarch64 -# os: ubuntu-latest -# AUTOTOOLS_HOST: aarch64-linux-android -# OPENSSL_HOST: android-arm64 -# ANDROID_CPU: aarch64 -# ANDROID_API: 23 -# test_android: "yes" -# config: "no" -# make: "no" -# - name: Android x86 -# os: ubuntu-latest -# AUTOTOOLS_HOST: i686-linux-android -# OPENSSL_HOST: android-x86 -# ANDROID_CPU: x86 -# ANDROID_API: 23 -# test_android: "yes" -# config: "no" -# make: "no" -# - name: Android x86_64 -# os: ubuntu-latest -# AUTOTOOLS_HOST: x86_64-linux-android -# OPENSSL_HOST: android-x86_64 -# ANDROID_CPU: x86_64 -# ANDROID_API: 23 -# test_android: "yes" -# config: "no" -# make: "no" -# - name: Windows -# os: windows-latest -# 
test_windows: "yes" -# config: "no" -# make: "no" -# - name: FreeBSD -# os: ubuntu-latest -# config: "no" -# make: "no" -# with_cross_platform_action: "yes" -# cross_platform_os: "freebsd" -# cross_platform_arch: "x86-64" -# cross_platform_version: "14.1" -# cross_platform_config: "--enable-debug --disable-flto --with-libevent --disable-static" -# - name: OpenBSD -# os: ubuntu-latest -# config: "no" -# make: "no" -# with_cross_platform_action: "yes" -# cross_platform_os: "openbsd" -# cross_platform_arch: "x86-64" -# cross_platform_version: "7.5" -# cross_platform_config: "--enable-debug --disable-flto --with-libevent --disable-static" + - name: GCC on Linux + os: ubuntu-latest + config: "--enable-debug --disable-flto" + make_test: "yes" + - name: Clang-analyzer + os: ubuntu-latest + config: "CC=clang --enable-debug --disable-flto --disable-static" + make_test: "yes" + clang_analysis: "yes" + - name: libevent + os: ubuntu-latest + install_libevent: "yes" + config: "CC=clang --enable-debug --disable-flto --with-libevent --disable-static" + make_test: "yes" + clang_analysis: "yes" + - name: OS X + os: macos-latest + install_expat: "yes" + config: "--enable-debug --disable-flto --with-ssl=/opt/homebrew/opt/openssl --with-libexpat=/opt/homebrew/opt/expat" + make_test: "yes" + - name: Clang on OS X + os: macos-latest + install_expat: "yes" + config: "CC=clang --enable-debug --disable-flto --with-ssl=/opt/homebrew/opt/openssl --with-libexpat=/opt/homebrew/opt/expat --disable-static" + make_test: "yes" + clang_analysis: "yes" + - name: ubsan (gcc undefined behaviour sanitizer) + os: ubuntu-latest + config: 'CFLAGS="-DNDEBUG -g2 -O3 -fsanitize=undefined -fno-sanitize-recover=all" --disable-flto --disable-static' + make_test: "yes" + - name: asan (gcc address sanitizer) + os: ubuntu-latest + config: 'CFLAGS="-DNDEBUG -g2 -O3 -fsanitize=address" --disable-flto --disable-static' + make_test: "yes" + - name: Apple iPhone on iOS, armv7 + os: macos-latest + AUTOTOOLS_HOST: 
armv7-apple-ios + OPENSSL_HOST: ios-cross + IOS_SDK: iPhoneOS + IOS_CPU: armv7s + test_ios: "yes" + config: "no" + make: "no" + - name: Apple iPhone on iOS, arm64 + os: macos-latest + AUTOTOOLS_HOST: aarch64-apple-ios + OPENSSL_HOST: ios64-cross + IOS_SDK: iPhoneOS + IOS_CPU: arm64 + test_ios: "yes" + config: "no" + make: "no" + - name: Apple TV on iOS, arm64 + os: macos-latest + AUTOTOOLS_HOST: aarch64-apple-ios + OPENSSL_HOST: ios64-cross + IOS_SDK: AppleTVOS + IOS_CPU: arm64 + test_ios: "yes" + config: "no" + make: "no" + - name: Apple Watch on iOS, armv7 + os: macos-latest + AUTOTOOLS_HOST: armv7-apple-ios + OPENSSL_HOST: ios-cross + IOS_SDK: WatchOS + IOS_CPU: armv7k + test_ios: "yes" + config: "no" + make: "no" + - name: iPhoneSimulator on OS X, i386 + os: macos-latest + AUTOTOOLS_HOST: i386-apple-ios + OPENSSL_HOST: iphoneos-cross + IOS_SDK: iPhoneSimulator + IOS_CPU: i386 + test_ios: "yes" + config: "no" + make: "no" + - name: iPhoneSimulator on OS X, x86_64 + os: macos-latest + AUTOTOOLS_HOST: x86_64-apple-ios + OPENSSL_HOST: iphoneos-cross + IOS_SDK: iPhoneSimulator + IOS_CPU: x86_64 + test_ios: "yes" + config: "no" + make: "no" + - name: AppleTVSimulator on OS X, x86_64 + os: macos-latest + AUTOTOOLS_HOST: x86_64-apple-ios + OPENSSL_HOST: iphoneos-cross + IOS_SDK: AppleTVSimulator + IOS_CPU: x86_64 + test_ios: "yes" + config: "no" + make: "no" + - name: WatchSimulator on OS X, i386 + os: macos-latest + AUTOTOOLS_HOST: i386-apple-ios + OPENSSL_HOST: iphoneos-cross + IOS_SDK: WatchSimulator + IOS_CPU: i386 + test_ios: "yes" + config: "no" + make: "no" + - name: Android armv7a + os: ubuntu-latest + AUTOTOOLS_HOST: armv7a-linux-androidabi + OPENSSL_HOST: android-arm + ANDROID_CPU: armv7a + ANDROID_API: 23 + test_android: "yes" + config: "no" + make: "no" + - name: Android aarch64 + os: ubuntu-latest + AUTOTOOLS_HOST: aarch64-linux-android + OPENSSL_HOST: android-arm64 + ANDROID_CPU: aarch64 + ANDROID_API: 23 + test_android: "yes" + config: "no" + make: "no" 
+ - name: Android x86 + os: ubuntu-latest + AUTOTOOLS_HOST: i686-linux-android + OPENSSL_HOST: android-x86 + ANDROID_CPU: x86 + ANDROID_API: 23 + test_android: "yes" + config: "no" + make: "no" + - name: Android x86_64 + os: ubuntu-latest + AUTOTOOLS_HOST: x86_64-linux-android + OPENSSL_HOST: android-x86_64 + ANDROID_CPU: x86_64 + ANDROID_API: 23 + test_android: "yes" + config: "no" + make: "no" + - name: Windows + os: windows-latest + test_windows: "yes" + config: "no" + make: "no" + - name: FreeBSD + os: ubuntu-latest + config: "no" + make: "no" + with_cross_platform_action: "yes" + cross_platform_os: "freebsd" + cross_platform_arch: "x86-64" + cross_platform_version: "14.1" + cross_platform_config: "--enable-debug --disable-flto --with-libevent --disable-static" + - name: OpenBSD + os: ubuntu-latest + config: "no" + make: "no" + with_cross_platform_action: "yes" + cross_platform_os: "openbsd" + cross_platform_arch: "x86-64" + cross_platform_version: "7.5" + cross_platform_config: "--enable-debug --disable-flto --with-libevent --disable-static" - name: NetBSD os: ubuntu-latest config: "no" From 1e0cf1e86b30c071a537af10940e1cf6f5f130e3 Mon Sep 17 00:00:00 2001 
From: "W.C.A. Wijngaards" Date: Fri, 23 Aug 2024 08:56:48 +0200 Subject: [PATCH 10/33] - Merge patch to fix for glue that is outside of zone, with `harden-unverified-glue`, from Karthik Umashankar (Microsoft). Enabling this option protects the Unbound resolver against bad glue, that is unverified out of zone glue, by resolving them. It uses the records as last resort if there is no other working glue. --- doc/Changelog | 8 + doc/example.conf.in | 3 + doc/unbound.conf.5.in | 5 + iterator/iter_scrub.c | 31 ++++ iterator/iterator.c | 17 +- pythonmod/doc/modules/config.rst | 4 + pythonmod/interface.i | 1 + services/cache/dns.c | 4 +- services/cache/dns.h | 2 +- testdata/iter_unverified_glue.rpl | 188 +++++++++++++++++++++ testdata/iter_unverified_glue_fallback.rpl | 138 +++++++++++++++ util/config_file.c | 3 + util/config_file.h | 2 + util/configlexer.lex | 1 + util/configparser.y | 15 +- util/data/packed_rrset.h | 3 + 16 files changed, 416 insertions(+), 9 deletions(-) create mode 100644 testdata/iter_unverified_glue.rpl create mode 100644 testdata/iter_unverified_glue_fallback.rpl diff --git a/doc/Changelog b/doc/Changelog index a6eb51438..f176de045 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,3 +1,11 @@ +23 August 2024: Wouter + - Merge patch to fix for glue that is outside of zone, with + `harden-unverified-glue`, from Karthik Umashankar (Microsoft). + Enabling this option protects the Unbound resolver against bad + glue, that is unverified out of zone glue, by resolving them. + It uses the records as last resort if there is no other working + glue. + 21 August 2024: Wouter - Add cross platform freebsd, openbsd and netbsd to github ci. - Fix for char signedness warnings on NetBSD. diff --git a/doc/example.conf.in b/doc/example.conf.in index b7db1e7d9..cce65c0f5 100644 --- a/doc/example.conf.in +++ b/doc/example.conf.in 
@@ -533,6 +533,9 @@ server: # Harden against out of zone rrsets, to avoid spoofing attempts. # harden-glue: yes + # Harden against unverified (outside-zone, including sibling zone) glue rrsets + # harden-unverified-glue: no + # Harden against receiving dnssec-stripped data. If you turn it # off, failing to validate dnskey data for a trustanchor will # trigger insecure mode for that zone (like without a trustanchor). diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in index 15f5a6607..d051e8850 100644 --- a/doc/unbound.conf.5.in +++ b/doc/unbound.conf.5.in @@ -1048,6 +1048,11 @@ payload is very large. .B harden\-glue: \fI Will trust glue only if it is within the servers authority. Default is yes. .TP +.B harden\-unverified\-glue: \fI +Will trust only in-zone glue. Will try to resolve all out of zone +(\fI) glue. Will fallback to the original glue if unable to resolve. +Default is no. +.TP .B harden\-dnssec\-stripped: \fI Require DNSSEC data for trust\-anchored zones, if such data is absent, the zone becomes bogus. If turned off, and no DNSSEC data is received diff --git a/iterator/iter_scrub.c b/iterator/iter_scrub.c index a043589fd..49a5f5da1 100644 --- a/iterator/iter_scrub.c +++ b/iterator/iter_scrub.c @@ -871,6 +871,7 @@ scrub_sanitize(sldns_buffer* pkt, struct msg_parse* msg, { int del_addi = 0; /* if additional-holding rrsets are deleted, we do not trust the normalized additional-A-AAAA any more */ + uint8_t* ns_rrset_dname = NULL; int added_rrlen_ede = 0; struct rrset_parse* rrset, *prev; prev = NULL; 
@@ -976,6 +977,16 @@ scrub_sanitize(sldns_buffer* pkt, struct msg_parse* msg,
 continue;
 }
 }
+ if(rrset->type == LDNS_RR_TYPE_NS &&
+ (rrset->section == LDNS_SECTION_AUTHORITY ||
+ rrset->section == LDNS_SECTION_ANSWER)) {
+ /* If the type is NS, and we're in the
+ * answer or authority section, then
+ * store the dname so we can check
+ * against the glue records
+ * further down */
+ ns_rrset_dname = rrset->dname;
+ }
 if(del_addi && rrset->section == LDNS_SECTION_ADDITIONAL) {
 remove_rrset("sanitize: removing potential "
 "poison reference RRset:", pkt, msg, prev, &rrset);
@@ -988,6 +999,26 @@ scrub_sanitize(sldns_buffer* pkt, struct msg_parse* msg,
 "RRset:", pkt, msg, prev, &rrset);
 continue;
 }
+ if(env->cfg->harden_unverified_glue && ns_rrset_dname &&
+ rrset->section == LDNS_SECTION_ADDITIONAL &&
+ (rrset->type == LDNS_RR_TYPE_A || rrset->type == LDNS_RR_TYPE_AAAA) &&
+ !pkt_strict_sub(pkt, rrset->dname, ns_rrset_dname)) {
+ /* We're in the additional section, looking
+ * at an A/AAAA rrset, have a previous
+ * delegation point and we notice that
+ * the glue records are NOT for strict
+ * subdomains of the delegation. So set a
+ * flag, recompute the hash for the rrset
+ * and write the A/AAAA record to cache.
+ * It'll be retrieved if we can't separately
+ * resolve the glue */
+ rrset->flags = PACKED_RRSET_UNVERIFIED_GLUE;
+ rrset->hash = pkt_hash_rrset(pkt, rrset->dname, rrset->type, rrset->rrset_class, rrset->flags);
+ store_rrset(pkt, msg, env, rrset);
+ remove_rrset("sanitize: storing potential "
+ "unverified glue reference RRset:", pkt, msg, prev, &rrset);
+ continue;
+ }
 prev = rrset;
 rrset = rrset->rrset_all_next;
 }
diff --git a/iterator/iterator.c b/iterator/iterator.c
index 1066eb8cd..659af34d9 100644
--- a/iterator/iterator.c
+++ b/iterator/iterator.c
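Review bot: `ns_rrset_dname` is overwritten by every NS RRset met in the answer or authority section, so a message carrying more than one (an NS answer plus an authority NS RRset for another name, for instance) has its additional-section A/AAAA records compared only against the last one in list order, and whether the additional section is always walked after those two sections is not visible here. If last-NS-wins is intended, say so at the assignment, e.g. `/* last NS RRset seen wins; additional A/AAAA are checked against it below */`; otherwise only the delegation's NS RRset should set it. scrub_sanitize continues outside the hunk.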
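Review bot: `rrset->flags = PACKED_RRSET_UNVERIFIED_GLUE;` assigns rather than ORs, and that looks deliberate but is undocumented: the hash recomputed on the next line and the `rrset_cache_lookup(..., flags, ...)` in cache_fill_missing key the cache entry on exactly this flag value, so any other flag bit left set here would make the stored RRset unreachable for the fallback, while a `|=` would look like the obvious "fix" to a later reader. A comment at the assignment, `/* must equal the lookup key cache_fill_missing uses; not OR-ed, the flags are part of the cache hash */`, would pin that. It is also worth stating there that the separate flag is what keeps this out-of-zone, response-supplied data from satisfying ordinary cache lookups. scrub_sanitize continues outside the hunk.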
@@ -254,7 +254,7 @@ error_supers(struct module_qstate* qstate, int id, struct module_qstate* super)
 } else {
 /* see if the failure did get (parent-lame) info */
 if(!cache_fill_missing(super->env, super_iq->qchase.qclass,
- super->region, super_iq->dp))
+ super->region, super_iq->dp, 0))
 log_err("out of memory adding missing");
 }
 delegpt_mark_neg(dpns, qstate->qinfo.qtype);
@@ -1571,7 +1571,7 @@ processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq,
 return error_response(qstate, id, LDNS_RCODE_SERVFAIL);
 }
 if(!cache_fill_missing(qstate->env, iq->qchase.qclass,
- qstate->region, iq->dp)) {
+ qstate->region, iq->dp, 0)) {
 errinf(qstate, "malloc failure, copy extra info into delegation point");
 return error_response(qstate, id, LDNS_RCODE_SERVFAIL);
 }
@@ -2152,6 +2152,15 @@ processLastResort(struct module_qstate* qstate, struct iter_qstate* iq,
 verbose(VERB_QUERY, "configured stub or forward servers failed -- returning SERVFAIL");
 return error_response_cache(qstate, id, LDNS_RCODE_SERVFAIL);
 }
+ if(qstate->env->cfg->harden_unverified_glue) {
+ if(!cache_fill_missing(qstate->env, iq->qchase.qclass,
+ qstate->region, iq->dp, PACKED_RRSET_UNVERIFIED_GLUE))
+ log_err("out of memory in cache_fill_missing");
+ if(iq->dp->usable_list) {
+ verbose(VERB_ALGO, "try unverified glue from cache");
+ return next_state(iq, QUERYTARGETS_STATE);
+ }
+ }
 if(!iq->dp->has_parent_side_NS && dname_is_root(iq->dp->name)) {
 struct delegpt* dp;
 int nolock = 0;
@@ -2194,7 +2203,7 @@ processLastResort(struct module_qstate* qstate, struct iter_qstate* iq,
 }
 /* see if that makes new names available */
 if(!cache_fill_missing(qstate->env, iq->qchase.qclass,
- qstate->region, iq->dp))
+ qstate->region, iq->dp, 0))
 log_err("out of memory in cache_fill_missing");
 if(iq->dp->usable_list) {
 verbose(VERB_ALGO, "try parent-side-name, w. glue from cache");
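Review bot: The new block in processLastResort returns to QUERYTARGETS_STATE whenever the flagged `cache_fill_missing` call yields a usable target, and processLastResort is entered again if those targets fail too, so termination relies on a later call not re-adding the same addresses (the `cache_lookup_count` increment in the dns.c hunk presumably backs a per-name limit, but the guard itself is outside the hunks). The block should carry a comment stating the ordering and that reliance, along the lines of `/* last resort before the root/parent-side fallbacks: try glue that scrub_sanitize stored under PACKED_RRSET_UNVERIFIED_GLUE; bounded by the cache_lookup_count limit in cache_fill_missing */`. processLastResort continues outside the hunk.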
@@ -3426,7 +3435,7 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
 old_dp->name, old_dp->namelen);
 }
 if(!cache_fill_missing(qstate->env, iq->qchase.qclass,
- qstate->region, iq->dp)) {
+ qstate->region, iq->dp, 0)) {
 errinf(qstate, "malloc failure, copy extra info into delegation point");
 return error_response(qstate, id, LDNS_RCODE_SERVFAIL);
 }
diff --git a/pythonmod/doc/modules/config.rst b/pythonmod/doc/modules/config.rst
index ac4db4c94..64480c94d 100644
--- a/pythonmod/doc/modules/config.rst
+++ b/pythonmod/doc/modules/config.rst
@@ -176,6 +176,10 @@ config_file Harden against spoofed glue (out of zone data). + .. attribute:: harden_unverified_glue + + Harden against unverified glue. + .. attribute:: harden_dnssec_stripped Harden against receiving no DNSSEC data for trust anchor.
diff --git a/pythonmod/interface.i b/pythonmod/interface.i
index c876ab072..810b1449d 100644
--- a/pythonmod/interface.i
+++ b/pythonmod/interface.i
@@ -1009,6 +1009,7 @@ struct config_file {
 int harden_short_bufsize;
 int harden_large_queries;
 int harden_glue;
+ int harden_unverified_glue;
 int harden_dnssec_stripped;
 int harden_referral_path;
 int use_caps_bits_for_id;
diff --git a/services/cache/dns.c b/services/cache/dns.c
index 5e74c3169..e79002b79 100644
--- a/services/cache/dns.c
+++ b/services/cache/dns.c
@@ -365,7 +365,7 @@ find_add_addrs(struct module_env* env, uint16_t qclass,
 /** find and add A and AAAA records for missing nameservers in delegpt */
 int
 cache_fill_missing(struct module_env* env, uint16_t qclass,
- struct regional* region, struct delegpt* dp)
+ struct regional* region, struct delegpt* dp, uint32_t flags)
 {
 struct delegpt_ns* ns;
 struct msgreply_entry* neg;
@@ -376,7 +376,7 @@ cache_fill_missing(struct module_env* env, uint16_t qclass,
 continue;
 ns->cache_lookup_count++;
 akey = rrset_cache_lookup(env->rrset_cache, ns->name,
- ns->namelen, LDNS_RR_TYPE_A, qclass, 0, now, 0);
+ ns->namelen, LDNS_RR_TYPE_A, qclass, flags, now, 0);
 if(akey) {
 if(!delegpt_add_rrset_A(dp, region, akey, ns->lame, NULL)) {
diff --git a/services/cache/dns.h b/services/cache/dns.h
index c2bf23c6d..5cb795b07 100644
--- a/services/cache/dns.h
+++ b/services/cache/dns.h
@@ -205,7 +205,7 @@ struct dns_msg* dns_cache_lookup(struct module_env* env,
 * @return false on alloc failure.
 */
 int cache_fill_missing(struct module_env* env, uint16_t qclass,
- struct regional* region, struct delegpt* dp);
+ struct regional* region, struct delegpt* dp, uint32_t flags);
 /**
 * Utility, create new, unpacked data structure for cache response.
diff --git a/testdata/iter_unverified_glue.rpl b/testdata/iter_unverified_glue.rpl
new file mode 100644
index 000000000..017f220b6
--- /dev/null
+++ b/testdata/iter_unverified_glue.rpl
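Review bot: Only the `LDNS_RR_TYPE_A` lookup is switched from `0` to `flags`; the diffstat for services/cache/dns.c (2 insertions, 2 deletions: the signature and this line) says the AAAA lookup that presumably follows below the hunk still passes `0`. When processLastResort calls with `PACKED_RRSET_UNVERIFIED_GLUE` that lookup can never match the AAAA RRsets scrub_sanitize stores under that flag, so IPv6-only unverified glue is silently unusable in the fallback; with `flags == 0` nothing changes, and both new .rpl scenarios set `do-ip6: no`, so no test exercises it. The AAAA call should pass the same argument, `ns->namelen, LDNS_RR_TYPE_AAAA, qclass, flags, now, 0);`. cache_fill_missing continues outside the hunk.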
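Review bot: The doxygen block above `cache_fill_missing` in dns.h is not updated for the new parameter, so a caller reading the header does not learn that `flags` is part of the cache key. Add ` * @param flags: rrset cache lookup flags, 0 for normal entries or PACKED_RRSET_UNVERIFIED_GLUE for glue the scrubber stored as unverified; must match the flags the entry was stored with.` above the `@return` line. The rest of the comment block is outside the hunk.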
@@ -0,0 +1,188 @@ +; config options +server: + target-fetch-policy: "0 0 0 0 0" + qname-minimisation: no + minimal-responses: no + do-ip6: no + harden-unverified-glue: yes +stub-zone: + name: "." + stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. +CONFIG_END + +SCENARIO_BEGIN Test iterative resolve with lame hints. + +; K.ROOT-SERVERS.NET. +RANGE_BEGIN 0 100 + ADDRESS 193.0.14.129 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR RA NOERROR +SECTION QUESTION +. IN NS +SECTION ANSWER +. IN NS K.ROOT-SERVERS.NET. +SECTION ADDITIONAL +K.ROOT-SERVERS.NET. IN A 193.0.14.129 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR RA NOERROR +SECTION QUESTION +a.gtld-servers.net. IN A +SECTION AUTHORITY +net. IN NS a.gtld-servers.net. +SECTION ADDITIONAL +a.gtld-servers.net. IN A 192.5.6.30 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR RA NOERROR +SECTION QUESTION +www.example.com. IN A +SECTION AUTHORITY +com. IN NS a.gtld-servers.net. +SECTION ADDITIONAL +a.gtld-servers.net. IN A 192.5.6.30 +ENTRY_END +RANGE_END + +; a.gtld-servers.net. +RANGE_BEGIN 0 100 + ADDRESS 192.5.6.30 + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +a.gtld-servers.net. IN A +SECTION ANSWER +a.gtld-servers.net. IN A 192.5.6.30 +SECTION AUTHORITY +net. IN NS a.gtld-servers.net. +SECTION ADDITIONAL +a.gtld-servers.net. IN A 192.5.6.30 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +www.example.com. IN A +SECTION AUTHORITY +example.com. IN NS ns1.examplesibling.com. +SECTION ADDITIONAL +ns1.examplesibling.com. IN A 1.2.3.4 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +com. IN NS +SECTION ANSWER +com. IN NS a.gtld-servers.net. +SECTION ADDITIONAL +a.gtld-servers.net. 
IN A 192.5.6.30 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +ns1.examplesibling.com. IN A +SECTION ANSWER +ns1.examplesibling.com. IN A 1.2.3.5 +ENTRY_END +RANGE_END + +; stale ns1.examplesibling.com. +RANGE_BEGIN 0 100 + ADDRESS 1.2.3.4 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +example.com. IN NS +SECTION ANSWER +example.com. IN NS ns1.examplesibling.com. +SECTION ADDITIONAL +ns1.examplesibling.com. IN A 1.2.3.5 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +www.example.com. IN A +SECTION ANSWER +www.example.com. IN A 10.20.30.40 +SECTION AUTHORITY +example.com. IN NS ns1.examplesibling.com. +SECTION ADDITIONAL +ns1.examplesibling.com. IN A 1.2.3.5 +ENTRY_END +RANGE_END + +; actual ns1.examplesibling.com. +RANGE_BEGIN 0 100 + ADDRESS 1.2.3.5 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +example.com. IN NS +SECTION ANSWER +example.com. IN NS ns1.examplesibling.com. +SECTION ADDITIONAL +ns1.examplesibling.com. IN A 1.2.3.5 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +www.example.com. IN A +SECTION ANSWER +www.example.com. IN A 10.20.30.50 +SECTION AUTHORITY +example.com. IN NS ns1.examplesibling.com. +SECTION ADDITIONAL +ns1.examplesibling.com. IN A 1.2.3.5 +ENTRY_END +RANGE_END + +STEP 1 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +www.example.com. IN A +ENTRY_END + +; recursion happens here. +STEP 10 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +www.example.com. IN A +SECTION ANSWER +www.example.com. IN A 10.20.30.50 +SECTION AUTHORITY +example.com. IN NS ns1.examplesibling.com. +ENTRY_END + +SCENARIO_END diff --git a/testdata/iter_unverified_glue_fallback.rpl b/testdata/iter_unverified_glue_fallback.rpl new file mode 100644 index 000000000..386186d48 
--- /dev/null +++ b/testdata/iter_unverified_glue_fallback.rpl 
@@ -0,0 +1,138 @@
+; config options
+server:
+ target-fetch-policy: "0 0 0 0 0"
+ qname-minimisation: no
+ minimal-responses: no
+ do-ip6: no
+ harden-unverified-glue: yes
+stub-zone:
+ name: "."
+ stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Test iterative resolve with lame hints.
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+ ADDRESS 193.0.14.129
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR RA NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. IN NS K.ROOT-SERVERS.NET.
+SECTION ADDITIONAL
+K.ROOT-SERVERS.NET. IN A 193.0.14.129
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR RA NOERROR
+SECTION QUESTION
+a.gtld-servers.net. IN A
+SECTION AUTHORITY
+net. IN NS a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net. IN A 192.5.6.30
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR RA NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION AUTHORITY
+com. IN NS a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net. IN A 192.5.6.30
+ENTRY_END
+RANGE_END
+
+; a.gtld-servers.net.
+RANGE_BEGIN 0 100
+ ADDRESS 192.5.6.30
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+a.gtld-servers.net. IN A
+SECTION ANSWER
+a.gtld-servers.net. IN A 192.5.6.30
+SECTION AUTHORITY
+net. IN NS a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net. IN A 192.5.6.30
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION AUTHORITY
+example.com. IN NS ns1.examplesibling.com.
+SECTION ADDITIONAL
+ns1.examplesibling.com. IN A 1.2.3.4
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+com. IN NS
+SECTION ANSWER
+com. IN NS a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net.
IN A 192.5.6.30
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NXDOMAIN
+SECTION QUESTION
+ns1.examplesibling.com. IN A
+ENTRY_END
+RANGE_END
+
+; stale ns1.examplesibling.com.
+RANGE_BEGIN 0 100
+ ADDRESS 1.2.3.4
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN A 10.20.30.40
+ENTRY_END
+RANGE_END
+
+STEP 1 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+
+; recursion happens here.
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN A 10.20.30.40
+ENTRY_END
+
+SCENARIO_END
diff --git a/util/config_file.c b/util/config_file.c
index 12df8e793..d82e4374e 100644
--- a/util/config_file.c
+++ b/util/config_file.c
@@ -237,6 +237,7 @@ config_create(void)
 cfg->harden_short_bufsize = 1;
 cfg->harden_large_queries = 0;
 cfg->harden_glue = 1;
+ cfg->harden_unverified_glue = 0;
 cfg->harden_dnssec_stripped = 1;
 cfg->harden_below_nxdomain = 1;
 cfg->harden_referral_path = 0;
@@ -675,6 +676,7 @@ int config_set_option(struct config_file* cfg, const char* opt,
 else S_STRLIST("root-hints:", root_hints)
 else S_STR("target-fetch-policy:", target_fetch_policy)
 else S_YNO("harden-glue:", harden_glue)
+ else S_YNO("harden-unverified-glue:", harden_unverified_glue)
 else S_YNO("harden-short-bufsize:", harden_short_bufsize)
 else S_YNO("harden-large-queries:", harden_large_queries)
 else S_YNO("harden-dnssec-stripped:", harden_dnssec_stripped)
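Review bot: The scenario title `SCENARIO_BEGIN Test iterative resolve with lame hints.` does not describe what this file tests, so the next person hunting a regression in the glue fallback will not find it by its name. The config turns on `harden-unverified-glue: yes`, the com. server answers NXDOMAIN for `ns1.examplesibling.com. IN A`, and the expected answer 10.20.30.40 can only come from the unverified glue address 1.2.3.4, so the scenario checks the last-resort use of unverified glue when the glue name cannot be resolved. Suggest `SCENARIO_BEGIN Test fallback to unverified glue when the glue name does not resolve.` so the title matches the steps.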
@@ -1168,6 +1170,7 @@ config_get_option(struct config_file* cfg, const char* opt,
 else O_YNO(opt, "harden-short-bufsize", harden_short_bufsize)
 else O_YNO(opt, "harden-large-queries", harden_large_queries)
 else O_YNO(opt, "harden-glue", harden_glue)
+ else O_YNO(opt, "harden-unverified-glue", harden_unverified_glue)
 else O_YNO(opt, "harden-dnssec-stripped", harden_dnssec_stripped)
 else O_YNO(opt, "harden-below-nxdomain", harden_below_nxdomain)
 else O_YNO(opt, "harden-referral-path", harden_referral_path)
diff --git a/util/config_file.h b/util/config_file.h
index 6b16efa63..ae9c9cb5b 100644
--- a/util/config_file.h
+++ b/util/config_file.h
@@ -288,6 +288,8 @@ struct config_file {
 int harden_large_queries;
 /** harden against spoofed glue (out of zone data) */
 int harden_glue;
+ /** harden against unverified glue */
+ int harden_unverified_glue;
 /** harden against receiving no DNSSEC data for trust anchor */
 int harden_dnssec_stripped;
 /** harden against queries that fall under known nxdomain names */
diff --git a/util/configlexer.lex b/util/configlexer.lex
index 9a95dc078..8b37131cf 100644
--- a/util/configlexer.lex
+++ b/util/configlexer.lex
@@ -315,6 +315,7 @@ target-fetch-policy{COLON} { YDVAR(1, VAR_TARGET_FETCH_POLICY) }
 harden-short-bufsize{COLON} { YDVAR(1, VAR_HARDEN_SHORT_BUFSIZE) }
 harden-large-queries{COLON} { YDVAR(1, VAR_HARDEN_LARGE_QUERIES) }
 harden-glue{COLON} { YDVAR(1, VAR_HARDEN_GLUE) }
+harden-unverified-glue{COLON} { YDVAR(1, VAR_HARDEN_UNVERIFIED_GLUE) }
 harden-dnssec-stripped{COLON} { YDVAR(1, VAR_HARDEN_DNSSEC_STRIPPED) }
 harden-below-nxdomain{COLON} { YDVAR(1, VAR_HARDEN_BELOW_NXDOMAIN) }
 harden-referral-path{COLON} { YDVAR(1, VAR_HARDEN_REFERRAL_PATH) }
diff --git a/util/configparser.y b/util/configparser.y
index 0ab15f8eb..8088bcfa9 100644
--- a/util/configparser.y
+++ b/util/configparser.y
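Review bot: The doc comment `/** harden against unverified glue */` on the new `harden_unverified_glue` field only restates the option name, while the neighbouring `harden_glue` comment says what is being hardened against. The Changelog text later in this series describes the behaviour: out-of-zone glue that could not be verified is resolved, and the glue records are used only as a last resort when no other glue works; `config_create` in the config_file.c hunk sets the default to 0. Suggest `/** harden against unverified (out of zone) glue: resolve the glue names first and use the unverified addresses only as a last resort; default off */` so the header is enough to understand the knob.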
@@ -206,7 +206,7 @@ extern struct config_parser_state* cfg_parser; %token VAR_HARDEN_UNKNOWN_ADDITIONAL VAR_DISABLE_EDNS_DO VAR_CACHEDB_NO_STORE %token VAR_LOG_DESTADDR VAR_CACHEDB_CHECK_WHEN_SERVE_EXPIRED %token VAR_COOKIE_SECRET_FILE VAR_ITER_SCRUB_NS VAR_ITER_SCRUB_CNAME -%token VAR_MAX_GLOBAL_QUOTA +%token VAR_MAX_GLOBAL_QUOTA VAR_HARDEN_UNVERIFIED_GLUE %% toplevelvars: /* empty */ | toplevelvars toplevelvar ; @@ -345,7 +345,8 @@ content_server: server_num_threads | server_verbosity | server_port | server_proxy_protocol_port | server_statistics_inhibit_zero | server_harden_unknown_additional | server_disable_edns_do | server_log_destaddr | server_cookie_secret_file | - server_iter_scrub_ns | server_iter_scrub_cname | server_max_global_quota + server_iter_scrub_ns | server_iter_scrub_cname | server_max_global_quota | + server_harden_unverified_glue ; stubstart: VAR_STUB_ZONE { @@ -1807,6 +1808,16 @@ server_harden_glue: VAR_HARDEN_GLUE STRING_ARG free($2); } ; +server_harden_unverified_glue: VAR_HARDEN_UNVERIFIED_GLUE STRING_ARG + { + OUTYY(("P(server_harden_unverified_glue:%s)\n", $2)); + if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) + yyerror("expected yes or no."); + else cfg_parser->cfg->harden_unverified_glue = + (strcmp($2, "yes")==0); + free($2); + } + ; server_harden_dnssec_stripped: VAR_HARDEN_DNSSEC_STRIPPED STRING_ARG { OUTYY(("P(server_harden_dnssec_stripped:%s)\n", $2)); diff --git a/util/data/packed_rrset.h b/util/data/packed_rrset.h index e1feb22bb..776e8d092 100644 --- a/util/data/packed_rrset.h +++ b/util/data/packed_rrset.h 
@@ -68,6 +68,8 @@ typedef uint64_t rrset_id_type; * actual network. But messages with these records in it can be stored in * the cache and retrieved for a reply. */ #define PACKED_RRSET_RPZ 0x8 +/** this rrset is A/AAAA and is an unverified glue record */ +#define PACKED_RRSET_UNVERIFIED_GLUE 0x10 /** number of rrs and rrsets for integer overflow protection. More than * this is not really possible (64K packet has much less RRs and RRsets) in @@ -96,6 +98,7 @@ struct packed_rrset_key { * o PACKED_RRSET_SOA_NEG * o PACKED_RRSET_FIXEDTTL (not supposed to be cached) * o PACKED_RRSET_RPZ + * o PACKED_RRSET_UNVERIFIED_GLUE */ uint32_t flags; /** the rrset type in network format */ From db1167c8b38daf2a4352ba3e4e6d54740e999d29 Mon Sep 17 00:00:00 2001 From: "W.C.A. Wijngaards" Date: Fri, 23 Aug 2024 09:22:07 +0200 Subject: [PATCH 11/33] - Fix #1127: error: "memory exhausted" when defining more than 9994 local-zones. --- doc/Changelog | 2 ++ util/configparser.y | 20 +++++++++++--------- 2 files changed, 13 insertions(+), 9 deletions(-) diff --git a/doc/Changelog b/doc/Changelog index f176de045..2f4569088 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -5,6 +5,8 @@ glue, that is unverified out of zone glue, by resolving them. It uses the records as last resort if there is no other working glue. + - Fix #1127: error: "memory exhausted" when defining more than 9994 + local-zones. 21 August 2024: Wouter - Add cross platform freebsd, openbsd and netbsd to github ci. diff --git a/util/configparser.y b/util/configparser.y index 8088bcfa9..4cd01cc3b 100644 --- a/util/configparser.y +++ b/util/configparser.y 
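Review bot: The comment on `PACKED_RRSET_UNVERIFIED_GLUE` says what is flagged but not how a flagged rrset may be used, whereas the sibling `PACKED_RRSET_FIXEDTTL` entry in the flags list records its restriction `(not supposed to be cached)`. Because the flag exists precisely because the address was never verified, a reader of `packed_rrset_key.flags` needs to know whether such an A/AAAA rrset can be cached and returned as ordinary answer data or is only usable as a last-resort delegation address; the cache_fill_missing doc fix later in this series passes rrset flags into the cache, which suggests flagged rrsets do get stored. Suggest recording the restriction next to the define, e.g. `/** this rrset is A/AAAA and is an unverified glue record; usable only as last-resort delegation address, not as answer data */`, once that matches the iterator's handling, which this hunk does not show.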
@@ -212,7 +212,7 @@ extern struct config_parser_state* cfg_parser; toplevelvars: /* empty */ | toplevelvars toplevelvar ; toplevelvar: serverstart contents_server | stubstart contents_stub | forwardstart contents_forward | pythonstart contents_py | - rcstart contents_rc | dtstart contents_dt | viewstart contents_view | + rcstart contents_rc | dtstart contents_dt | view_clause | dnscstart contents_dnsc | cachedbstart contents_cachedb | ipsetstart contents_ipset | authstart contents_auth | rpzstart contents_rpz | dynlibstart contents_dl | @@ -398,6 +398,14 @@ contents_forward: content_forward contents_forward content_forward: forward_name | forward_host | forward_addr | forward_first | forward_no_cache | forward_ssl_upstream | forward_tcp_upstream ; +view_clause: viewstart contents_view + { + /* view end */ + if(cfg_parser->cfg->views && + !cfg_parser->cfg->views->name) + yyerror("view without name"); + } + ; viewstart: VAR_VIEW { struct config_view* s; @@ -412,14 +420,8 @@ viewstart: VAR_VIEW } } ; -contents_view: content_view contents_view - | - { - /* view end */ - if(cfg_parser->cfg->views && - !cfg_parser->cfg->views->name) - yyerror("view without name"); - }; +contents_view: contents_view content_view + | ; content_view: view_name | view_local_zone | view_local_data | view_first | view_response_ip | view_response_ip_data | view_local_data_ptr ; From dc274fef9b41addec0cb96d9d9dfb2d816296c26 Mon Sep 17 00:00:00 2001 From: "W.C.A. Wijngaards" Date: Fri, 23 Aug 2024 13:19:15 +0200 Subject: [PATCH 12/33] - Fix documentation for cache_fill_missing function. --- doc/Changelog | 1 + services/cache/dns.h | 1 + 2 files changed, 2 insertions(+) diff --git a/doc/Changelog b/doc/Changelog index 2f4569088..17b683e6e 100644 --- a/doc/Changelog +++ b/doc/Changelog 
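Review bot: The switch from `contents_view: content_view contents_view` to `contents_view: contents_view content_view` is the actual fix (left recursion lets yacc reduce each item as it arrives instead of stacking every item until the closing empty production), but nothing in the new code says so, and a later tidy-up could flip it back without noticing. Suggest a comment on the new production, `/* left-recursive so a view with many local-zones does not exhaust the parser stack; see #1127 */`. The hunk header context also shows `contents_forward: content_forward contents_forward` still right-recursive, and presumably the other `contents_*` lists are written the same way, so the same limit likely applies to any section with thousands of entries and they are worth converting in the same way.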
@@ -7,6 +7,7 @@ glue. - Fix #1127: error: "memory exhausted" when defining more than 9994 local-zones. + - Fix documentation for cache_fill_missing function. 21 August 2024: Wouter - Add cross platform freebsd, openbsd and netbsd to github ci. diff --git a/services/cache/dns.h b/services/cache/dns.h index 5cb795b07..1dd537d2b 100644 --- a/services/cache/dns.h +++ b/services/cache/dns.h @@ -202,6 +202,7 @@ struct dns_msg* dns_cache_lookup(struct module_env* env, * @param qclass: which class to look in. * @param region: where to store new dp info. * @param dp: delegation point to fill missing entries. + * @param flags: rrset flags, or 0. * @return false on alloc failure. */ int cache_fill_missing(struct module_env* env, uint16_t qclass, From 6b373097055bb3f03bbc39515541d49c1676e91d Mon Sep 17 00:00:00 2001 From: "W.C.A. Wijngaards" Date: Tue, 27 Aug 2024 17:00:27 +0200 Subject: [PATCH 13/33] - Fix #1130: Loads of logs: "validation failure: key for validation . is marked as invalid because of a previous" for non-DNSSEC signed zone. --- doc/Changelog | 5 + services/rpz.c | 15 ++ testdata/rpz_val_block.rpl | 414 +++++++++++++++++++++++++++++++++++++ util/module.h | 2 + validator/validator.c | 17 ++ 5 files changed, 453 insertions(+) create mode 100644 testdata/rpz_val_block.rpl diff --git a/doc/Changelog b/doc/Changelog index 17b683e6e..ccf334038 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,3 +1,8 @@ +27 August 2024: Wouter + - Fix #1130: Loads of logs: "validation failure: key for validation + . is marked as invalid because of a previous" for + non-DNSSEC signed zone. + 23 August 2024: Wouter - Merge patch to fix for glue that is outside of zone, with `harden-unverified-glue`, from Karthik Umashankar (Microsoft). diff --git a/services/rpz.c b/services/rpz.c index d8999a8a5..1ee143f84 100644 --- a/services/rpz.c +++ b/services/rpz.c 
@@ -2288,15 +2288,18 @@ rpz_apply_nsip_trigger(struct module_qstate* ms, struct query_info* qchase, if(action == RPZ_LOCAL_DATA_ACTION && raddr->data == NULL) { verbose(VERB_ALGO, "rpz: bug: nsip local data action but no local data"); ret = rpz_synthesize_nodata(r, ms, qchase, az); + ms->rpz_applied = 1; goto done; } switch(action) { case RPZ_NXDOMAIN_ACTION: ret = rpz_synthesize_nxdomain(r, ms, qchase, az); + ms->rpz_applied = 1; break; case RPZ_NODATA_ACTION: ret = rpz_synthesize_nodata(r, ms, qchase, az); + ms->rpz_applied = 1; break; case RPZ_TCP_ONLY_ACTION: /* basically a passthru here but the tcp-only will be @@ -2306,11 +2309,13 @@ rpz_apply_nsip_trigger(struct module_qstate* ms, struct query_info* qchase, break; case RPZ_DROP_ACTION: ret = rpz_synthesize_nodata(r, ms, qchase, az); + ms->rpz_applied = 1; ms->is_drop = 1; break; case RPZ_LOCAL_DATA_ACTION: ret = rpz_synthesize_nsip_localdata(r, ms, qchase, raddr, az); if(ret == NULL) { ret = rpz_synthesize_nodata(r, ms, qchase, az); } + ms->rpz_applied = 1; break; case RPZ_PASSTHRU_ACTION: ret = NULL; @@ -2318,6 +2323,7 @@ rpz_apply_nsip_trigger(struct module_qstate* ms, struct query_info* qchase, break; case RPZ_CNAME_OVERRIDE_ACTION: ret = rpz_synthesize_cname_override_msg(r, ms, qchase); + ms->rpz_applied = 1; break; default: verbose(VERB_ALGO, "rpz: nsip: bug: unhandled or invalid action: '%s'", @@ -2352,9 +2358,11 @@ rpz_apply_nsdname_trigger(struct module_qstate* ms, struct query_info* qchase, switch(action) { case RPZ_NXDOMAIN_ACTION: ret = rpz_synthesize_nxdomain(r, ms, qchase, az); + ms->rpz_applied = 1; break; case RPZ_NODATA_ACTION: ret = rpz_synthesize_nodata(r, ms, qchase, az); + ms->rpz_applied = 1; break; case RPZ_TCP_ONLY_ACTION: /* basically a passthru here but the tcp-only will be 
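Review bot: `ms->rpz_applied = 1;` is added separately to every synthesizing case of the switch in rpz_apply_nsip_trigger, and the same per-case pattern is repeated in rpz_apply_nsdname_trigger and rpz_callback_from_iterator_cname in the following hunks; a single assignment after the switch would be easier to keep in sync when an action is added. The obvious form, `if(ret) ms->rpz_applied = 1;`, is not quite what the commit does: here the flag is set even when the synthesize call returned NULL, and in the local-data-bug path before `goto done`, so either keep the per-case form deliberately and say why, or hoist it and accept that a failed synthesis leaves the flag clear. I could not see where `rpz_applied` is reset; presumably `module_qstate` is zero-initialised when a query starts, but since the validator now branches on this field it is worth confirming. Both functions start before their hunks.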
@@ -2364,11 +2372,13 @@ rpz_apply_nsdname_trigger(struct module_qstate* ms, struct query_info* qchase,
 break;
 case RPZ_DROP_ACTION:
 ret = rpz_synthesize_nodata(r, ms, qchase, az);
+ ms->rpz_applied = 1;
 ms->is_drop = 1;
 break;
 case RPZ_LOCAL_DATA_ACTION:
 ret = rpz_synthesize_nsdname_localdata(r, ms, qchase, z, match, az);
 if(ret == NULL) { ret = rpz_synthesize_nodata(r, ms, qchase, az); }
+ ms->rpz_applied = 1;
 break;
 case RPZ_PASSTHRU_ACTION:
 ret = NULL;
@@ -2376,6 +2386,7 @@ rpz_apply_nsdname_trigger(struct module_qstate* ms, struct query_info* qchase,
 break;
 case RPZ_CNAME_OVERRIDE_ACTION:
 ret = rpz_synthesize_cname_override_msg(r, ms, qchase);
+ ms->rpz_applied = 1;
 break;
 default:
 verbose(VERB_ALGO, "rpz: nsdname: bug: unhandled or invalid action: '%s'",
@@ -2579,9 +2590,11 @@ struct dns_msg* rpz_callback_from_iterator_cname(struct module_qstate* ms,
 switch(localzone_type_to_rpz_action(lzt)) {
 case RPZ_NXDOMAIN_ACTION:
 ret = rpz_synthesize_nxdomain(r, ms, &is->qchase, a);
+ ms->rpz_applied = 1;
 break;
 case RPZ_NODATA_ACTION:
 ret = rpz_synthesize_nodata(r, ms, &is->qchase, a);
+ ms->rpz_applied = 1;
 break;
 case RPZ_TCP_ONLY_ACTION:
 /* basically a passthru here but the tcp-only will be
@@ -2591,11 +2604,13 @@ struct dns_msg* rpz_callback_from_iterator_cname(struct module_qstate* ms,
 break;
 case RPZ_DROP_ACTION:
 ret = rpz_synthesize_nodata(r, ms, &is->qchase, a);
+ ms->rpz_applied = 1;
 ms->is_drop = 1;
 break;
 case RPZ_LOCAL_DATA_ACTION:
 ret = rpz_synthesize_qname_localdata_msg(r, ms, &is->qchase, z, a);
 if(ret == NULL) { ret = rpz_synthesize_nodata(r, ms, &is->qchase, a); }
+ ms->rpz_applied = 1;
 break;
 case RPZ_PASSTHRU_ACTION:
 ret = NULL;
diff --git a/testdata/rpz_val_block.rpl b/testdata/rpz_val_block.rpl
new file mode 100644
index 000000000..45bfcce72
--- /dev/null
+++ b/testdata/rpz_val_block.rpl
@@ -0,0 +1,414 @@ +; config options +server: + module-config: "respip validator iterator" + target-fetch-policy: "0 0 0 0 0" + qname-minimisation: no + trust-anchor: "org. DS 1444 8 2 5224fb17d630a2e3efdc863a05a4032c5db415b5de3f32472ee9abed42e10146" + val-override-date: "20070916134226" + trust-anchor-signaling: no + log-servfail: yes + val-log-level: 2 + ede: yes + +stub-zone: + name: "." + stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. + +rpz: + name: "rpz.example.com." + rpz-log: yes + rpz-log-name: "rpz.example.com" + zonefile: +TEMPFILE_NAME rpz.example.com +TEMPFILE_CONTENTS rpz.example.com +$ORIGIN example.com. +rpz 3600 IN SOA ns1.rpz.example.com. hostmaster.rpz.example.com. ( + 1379078166 28800 7200 604800 7200 ) + 3600 IN NS ns1.rpz.example.com. + 3600 IN NS ns2.rpz.example.com. +$ORIGIN rpz.example.com. +foo.org CNAME . +foo2.org CNAME . +foo3.org CNAME . +TEMPFILE_END + +CONFIG_END + +SCENARIO_BEGIN Test RPZ with validator handles blocked zone. +; The DNSKEY and DS lookups are stopped. + +; K.ROOT-SERVERS.NET. +RANGE_BEGIN 0 1000 + ADDRESS 193.0.14.129 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +. IN NS +SECTION ANSWER +. IN NS K.ROOT-SERVERS.NET. +SECTION ADDITIONAL +K.ROOT-SERVERS.NET. IN A 193.0.14.129 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +org. IN NS +SECTION AUTHORITY +org. IN NS ns1.servers.org. +SECTION ADDITIONAL +ns1.servers.org. IN A 1.2.3.51 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +com. IN NS +SECTION AUTHORITY +com. IN NS ns1.servers.com. +SECTION ADDITIONAL +ns1.servers.com. IN A 1.2.3.52 +ENTRY_END +RANGE_END + +; ns1.servers.org for .org +RANGE_BEGIN 0 1000 + ADDRESS 1.2.3.51 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +org. IN NS +SECTION ANSWER +org. 3600 IN NS ns1.servers.org. +org. 
3600 IN RRSIG NS 8 1 3600 20070926134150 20070829134150 1444 org. arkVLr3b2Ip4bkWpjPTywYWzoVqay11KLB+ZygfoIWtq7mKW20SjRGI+AzIviHHWPv8iibzA8nwcTehuSmqIuRTmZXYj58hpi/AxrqqzJNiwE60swi1dKn3ti0SZKZaLMRnxrrAv7yu3PR6zGt7CD7gJgxfMfQMc6QryQJQbiyM= +SECTION ADDITIONAL +ns1.servers.org. 3600 IN A 1.2.3.51 +ns1.servers.org. 3600 IN RRSIG A 8 3 3600 20070926134150 20070829134150 1444 org. k+9JSbFm5GWSzEbVckC9bVXvzQYwbLvMbHMYmL5tIjt8RMhVhbkyqu+XER5m8xUFL0nrUqJ8ad6SKI9X/8FYGk1iSegpAjIh4bHGzea7vvM7CWw0HfTmmwDhS569IvUfxHyjH4TjSVlM1x9o/d8NGSLAa7h34b0s+NXLEEjNNbI= +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +org. IN DNSKEY +SECTION ANSWER +org. 3600 IN DNSKEY 257 3 8 AwEAAbd9WqjzE2Pynz21OG5doSf9hFzMr5dhzz2waZ3vTa+0o5r7AjTAqmA1yH/B3+aAMihUm5ucZSfVqo7+kOaRE8yFj9aivOmA1n1+JLevJq/oyvQyjxQN2Qb89LyaNUT5oKZIiL+uyyhNW3KDR3SSbQ/GBwQNDHVcZi+JDR3RC0r7 ;{id = 1444 (ksk), size = 1024b} +org. 3600 IN RRSIG DNSKEY 8 1 3600 20070926134150 20070829134150 1444 org. pJVKrXD3veTg0qOB2PSQAWdeTEyFFzSbMHJ2F9J9WyxVuMMIDj119aJrkHtkXTmLT7wdOd9RZxDfG0A1H30lQeQdvaJoymaVUgWLXfiwIAYg+4Uk7vZrP7UzHJO2BgDnGdf42h2vgBoboyP9szNMHTGGQdpUk7VkhtE6djonzwg= +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +foo.org. IN NS +SECTION AUTHORITY +foo.org. 3600 IN DS 29332 8 2 d38b124648bd7e32033a7fe9fd94ceab56e971ea9e61b3365566ccc028c15c98 +foo.org. 3600 IN RRSIG DS 8 2 3600 20070926134150 20070829134150 1444 org. BE2cR03ecUYk/nRsJNMcNfsOWnSoOfkwx4zmF9eEqwoRn/i5QzsrRBEUdorfBsFjpdKqB2R6jSu53CTQAGv392w8AE0cRANPBxcDUiWaRyFZ7CaqspKorPijOJCKEtgztEfFgC9YXab3xvRkJVUZzZRJ4nCrpmNIGzvmf7LlCTg= +foo.org. IN NS ns.foo.org. +SECTION ADDITIONAL +ns.foo.org. IN A 1.2.3.53 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +foo2.org. IN NS +SECTION AUTHORITY +foo2.org. 3600 IN NSEC foo3.org. NS RRSIG NSEC +foo2.org. 
3600 IN RRSIG NSEC 8 2 3600 20070926134150 20070829134150 1444 org. RfkRfmLeyLYtdDKrLBaXTk/KXTkUn9/4dMZtm3Kl5k5oa9/LkbPmnPb0z+zZ/3aBBKZu0QIevS7w++fdYWfIQiK+DIgG9hhp+lNxakLKp4M5SiWuh+zlTjwbRzlf4abWe/c/FR4bjesgObUdLnaIoM4h3aQUS1KsjyGFmLOCUGM= +foo2.org. IN NS ns.foo2.org. +SECTION ADDITIONAL +ns.foo2.org. IN A 1.2.3.54 +ENTRY_END + +; for this entry the org zone is suddenly resigned with NSEC3. +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +foo3.org. IN NS +SECTION AUTHORITY +; org. NSEC3PARAM 1 0 0 - +; org. -> mvnq25j8mo8ge527pikocn5rl72s2o0s. +; foo3.org. -> n3dm0vverfek5tl6klsp0k0gduj0gk92. +mvnq25j8mo8ge527pikocn5rl72s2o0s.org. IN NSEC3 1 0 0 - mvnq25j8mo8ge527pikocn5rl72s2o0t NS SOA RRSIG DNSKEY +mvnq25j8mo8ge527pikocn5rl72s2o0s.org. 3600 IN RRSIG NSEC3 8 2 3600 20070926134150 20070829134150 1444 org. MBmDCmjCeXShkwoDI/I04KK7w33FkNs7vci+SKoR5uWS24E3yt2AVgfkwFkKh42+MgqZnBUJEdRPOfATc80XDwxDhdymB3Ff4W1KAVFpJAkU42ii3bdiyYr+YPWVWdCYG2EfSpLcJiD6E21mW2DNRR7Lj9/W89WmndeUEgpjALA= +n3dm0vverfek5tl6klsp0k0gduj0gk91.org. IN NSEC3 1 0 0 - n3dm0vverfek5tl6klsp0k0gduj0gk93 NS DS RRSIG +n3dm0vverfek5tl6klsp0k0gduj0gk91.org. 3600 IN RRSIG NSEC3 8 2 3600 20070926134150 20070829134150 1444 org. H5aeeVc6k8fTSwUYDA9BW4ScHazb2b3NfvdQwRbKYj97tlJnJa+cojgOnyvP3qW9YoqO0aRT8rzUjFPJajOIRoS/6XVWCZ3ymDNQIi8oW6vT8qQYA2ldmoWDvFK9fHSgiwqJzQiKXtNGdqTfj2HEyVKVbFTv/Cgxh5jLcB6r9jM= +foo3.org. IN NS ns.foo3.org. +SECTION ADDITIONAL +ns.foo3.org. IN A 1.2.3.55 +ENTRY_END +RANGE_END + +; ns1.servers.com for .com +RANGE_BEGIN 0 1000 + ADDRESS 1.2.3.52 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +com. IN NS +SECTION ANSWER +com. IN NS ns1.servers.com. +SECTION ADDITIONAL +ns1.servers.com. IN A 1.2.3.52 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +foo.com. IN TXT +SECTION ANSWER +foo.com. IN CNAME www.foo.org. 
+ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +foo2.com. IN TXT +SECTION ANSWER +foo2.com. IN CNAME www.foo2.org. +ENTRY_END +RANGE_END + +; ns.foo.org for foo.org +RANGE_BEGIN 0 1000 + ADDRESS 1.2.3.53 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +foo.org. IN NS +SECTION ANSWER +foo.org. 3600 IN NS ns.foo.org. +foo.org. 3600 IN RRSIG NS 8 2 3600 20070926134150 20070829134150 29332 foo.org. WfSshqIf/LdScUjw5uyB10t3yoF36aOc+lkhTQsAiR7gat14Un+F1s8bQiG3gU8mnMirsu7M1aMBeQlbJncFhLu4av6ZkkI5L/qvojBAL0AF7Rj0gUWKbMc2NsAeAKY8ySzDXqF7ol9YEskHWW35aL+r5DB91u4joZVsANSqeAfLWAhm47hDGlWgzQ1us72dWOPxPqNBG0sx48xaFxiZJjowXVs/zbRQ1TyIFPeKztayc6HL2gaOPPUoOuHp/AEecySqjamXI28mqBBs8MGJoArFaJ05wIuWEdOzsfc+BcYnmuCaTVgEHUvZMbNvi2CYCY4l0jcl1UD7i4FzPhC4jQ== +SECTION ADDITIONAL +ns.foo.org. 3600 IN A 1.2.3.53 +ns.foo.org. 3600 IN RRSIG A 8 3 3600 20070926134150 20070829134150 29332 foo.org. pScBuh9fyXazJLV4yPGQsDKAnNgAGe5G5712sQ46V9CA4Rv+STTI9p6JDyqu1EWVJupLwbL7dqqypSwcSy8CpCO1nH/n/yBnT/9txduEpzvr4OtVJnRZS1LMMlpb4NrT+QPpzxXZH5Zlc+Axevbxj7FVeFIAUq9Fh2+yO6lYXffIy9BW85VOZa1S08/O/2ZyZwPh6pdxB7HRGe/KuD86TMjfjVsveYL4w7UFC+wk1XGQA+zuXOIm+9MQC+UzM/cVR38nW/7Oj1hY2iAgvevFrT75tesf+H927uaHaPrWqSVJLPRIfm4O5wT5K1bgvfYDSlpU/YLf7vaCtJ+kKSOpJw== +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +foo.org. IN DNSKEY +SECTION ANSWER +foo.org. 3600 IN DNSKEY 257 3 8 AwEAAb4WMOTBLTFvmBra5m6SK4VfViOzmvyUAU0qv861ZQXeEFvwlndqNU9rwRsMxrSWAYs5nHErKDn49usC/HyxxW1477iGFHhfgL4mjNreJm9zft2QFB1VLbRbEPYdDMLCn4co0qnG7/KG8W2i8Pym1L7f+aREwbLo+/716AS2PbaKMhfWLKLiq5wnBcUClQMNzCiwhqxDJp1oePqfkVdeUgXOtgi0dYRIKyQFhJ5VWJ22npoi/Gif0XLCADAlAwRLKc8o/yJkCxskzgpHpw5Cki1lclg0aq4ssOuPRQ+ne6IHYCz9D2mwzulblhLFamKdq7aHzNt4NlyxhpANVFiKLD8= ;{id = 29332 (ksk), size = 2048b} +foo.org. 3600 IN RRSIG DNSKEY 8 2 3600 20070926134150 20070829134150 29332 foo.org. 
qlZQpZG+prXK6vsd+zObdHj8DbPBCpjB16B7UgTwsgmVxGRX9nSBnkqUqcIrnszJMHvEwu7VPWjegPX3E8LESgz2Slepa5T8hWmcoega2vWakIzIRNtDxH9PXDy804Dmduk/fxBzMlbbFLfsSrG5+cK5PhingjjxNbEuG3V124xTjFUGHKu4NM6kMfPcHOwjTTQLt6azJ10i6CeyaUXCSYz5xGE7Z4PSLYAstlLsM64EtLTGQHAZIEr2Dq6C23u23sRrj/0qcMFo0Nv8E3rjnkfJIo+RYuqqAznFsLMqfveX42ElWBl5YVLQHSo+kFbXcvgX7gzL8X9u4Z6MJ9zUkw== +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +foo.org. IN TXT +SECTION ANSWER +foo.org. 3600 IN TXT "a.b.c." +foo.org. 3600 IN RRSIG TXT 8 2 3600 20070926134150 20070829134150 29332 foo.org. UW/T+M0crcfzQ6PVM/0o1ZtXF2o26VTm/V/9/+F873aQnDwfRLH+tzYSC+yfWZ/0niuif6fv9FYWisE8CyAIIMZ8mrxM7M4JgEZ0/vFOC2sN0qnmqSoZoZaeOEjJIAS6F2om+L6AAFtAH2Khbm0wkHc0jBWj3vK8HoXO38iLe1pPnuBK6BhE2+tyDIcUCoABFrycT0E5NBKFERQL+CzYMEzMUS/joSeWloFw1AB1X9Z94ezgmD+g2MnbW78DR6TRZXGD4DWXuxYNswRnfp4VENSOsSbhX9ixtuxwGn1fhiZeTxN84zE/ERiLK59Yo1bQ3TFjOY0cCvj+c2NulTAr9w== +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +www.foo.org. IN TXT +SECTION ANSWER +www.foo.org. 3600 IN TXT "a.b.d." +www.foo.org. 3600 IN RRSIG TXT 8 3 3600 20070926134150 20070829134150 29332 foo.org. EjFHdpJdlFFLDWabiMsMzUPE1+brzq/0ecRG39bpPuU/6MW4HCQs4rlLlZNmmJP/vj+kLTGfguSrKyLQt8n9Tf1fKbvD6NUOIOwiVUOE4kb54JghbiBhWeCnRLmUQwi7DKy0UEw8niX3SY6WwJxO/e7+leQJY7Gpg3S00vKskTAjnKeDYiHcrO69Dpyc0l/qtR1Bb98xcs4vMsh6//BBklSlPTMKBcu2uK6sK7G2ZR1lOtShoginq5UHa+EZWR6Pxn8pLkfQGOXTjGq5WaTeEdcinBlvXYBGhAPKWXHwcEtEjClkWi1ZXOnSgwHu9dRxgSk/jcfSmjBFzw2bycq2Lg== +ENTRY_END +RANGE_END + +; ns.foo2.org for foo2.org +RANGE_BEGIN 0 1000 + ADDRESS 1.2.3.54 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +foo2.org. IN NS +SECTION ANSWER +foo2.org. IN NS ns.foo2.org. +SECTION ADDITIONAL +ns.foo2.org. IN A 1.2.3.54 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +www.foo2.org. 
IN TXT +SECTION ANSWER +www.foo2.org. IN TXT "a.b.e." +ENTRY_END +RANGE_END + +; ns.foo3.org for foo3.org +RANGE_BEGIN 0 1000 + ADDRESS 1.2.3.55 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +foo3.org. IN NS +SECTION ANSWER +foo3.org. IN NS ns.foo3.org. +SECTION ADDITIONAL +ns.foo3.org. IN A 1.2.3.55 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +ns.foo3.org. IN A +SECTION ANSWER +ns.foo3.org. IN A 1.2.3.55 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +ns.foo3.org. IN AAAA +SECTION AUTHORITY +foo3.org. IN SOA ns.foo3.org. host.foo3.org. 2007090422 3600 300 604800 3600 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +www.foo3.org. IN TXT +SECTION ANSWER +www.foo3.org. IN TXT "a.b.f." +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +www2.foo3.org. IN TXT +SECTION ANSWER +www2.foo3.org. IN TXT "a.b.g." +ENTRY_END +RANGE_END + +; Test query +STEP 10 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +foo.org. IN TXT +ENTRY_END + +; It is blocked +STEP 11 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA AA NXDOMAIN +SECTION QUESTION +foo.org. IN TXT +SECTION ANSWER +ENTRY_END + +STEP 20 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +www.foo2.org. IN TXT +ENTRY_END + +STEP 21 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +www.foo2.org. IN TXT +SECTION ANSWER +www.foo2.org. IN TXT "a.b.e." +ENTRY_END + +STEP 30 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +www.foo3.org. IN TXT +ENTRY_END + +STEP 31 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +www.foo3.org. IN TXT +SECTION ANSWER +www.foo3.org. IN TXT "a.b.f." +ENTRY_END + +STEP 32 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +www2.foo3.org. 
IN TXT
+ENTRY_END
+
+STEP 33 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www2.foo3.org. IN TXT
+SECTION ANSWER
+www2.foo3.org. IN TXT "a.b.g."
+ENTRY_END
+
+; This query has a CNAME to foo.org.
+STEP 40 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+foo.com. IN TXT
+ENTRY_END
+
+STEP 41 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+foo.com. IN TXT
+SECTION ANSWER
+foo.com. IN CNAME www.foo.org.
+www.foo.org. 3600 IN TXT "a.b.d."
+ENTRY_END
+
+SCENARIO_END
diff --git a/util/module.h b/util/module.h
index 5bdb622a2..03f3eab0b 100644
--- a/util/module.h
+++ b/util/module.h
@@ -696,6 +696,8 @@ struct module_qstate {
 /** Extended result of response-ip action processing, mainly
 * for logging purposes. */
 struct respip_action_info* respip_action_info;
+ /** if the query has been modified by rpz processing. */
+ int rpz_applied;
 /** if the query is rpz passthru, no further rpz processing for it */
 int rpz_passthru;
 /* Flag tcp required. */
diff --git a/validator/validator.c b/validator/validator.c
index e6d19a2c9..194671e58 100644
--- a/validator/validator.c
+++ b/validator/validator.c
@@ -3053,6 +3053,14 @@ process_ds_response(struct module_qstate* qstate, struct val_qstate* vq,
 int ret;
 *suspend = 0;
 vq->empty_DS_name = NULL;
+ if(sub_qstate && sub_qstate->rpz_applied) {
+ verbose(VERB_ALGO, "rpz was applied to the DS lookup, "
+ "make it insecure");
+ vq->key_entry = NULL;
+ vq->state = VAL_FINISHED_STATE;
+ vq->chase_reply->security = sec_status_insecure;
+ return;
+ }
 ret = ds_response_to_ke(qstate, vq, id, rcode, msg, qinfo, &dske,
 sub_qstate);
 if(ret != 0) {
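Review bot: The eight added lines in process_ds_response are repeated verbatim, apart from one word in the log message, in process_dnskey_response in the next hunk; a small static helper would keep the two downgrade paths identical and give one place to document why an rpz-answered DS or DNSKEY lookup ends as `sec_status_insecure` rather than bogus: the sub-query was answered by local policy, not by the zone, so there is no signed data to judge and no validation failure to report. The early return is then visible in one place, and `*suspend` is already 0 when it is taken. Both enclosing functions start before their hunks.
```c
/** Finish the chase as insecure because the DS or DNSKEY sub-query was
 * answered by rpz, not by the zone: there is no zone data to validate,
 * so this is neither a validation failure nor a proof of anything.
 * @param vq: validator query state to finish.
 * @param lookup: "DS" or "DNSKEY", for the log line. */
static void
val_finish_insecure_after_rpz(struct val_qstate* vq, const char* lookup)
{
	verbose(VERB_ALGO, "rpz was applied to the %s lookup, make it insecure",
		lookup);
	vq->key_entry = NULL;
	vq->state = VAL_FINISHED_STATE;
	vq->chase_reply->security = sec_status_insecure;
}

/* … unchanged: process_ds_response up to vq->empty_DS_name = NULL; … */
	if(sub_qstate && sub_qstate->rpz_applied) {
		val_finish_insecure_after_rpz(vq, "DS");
		return;
	}
/* … unchanged: ds_response_to_ke call and the rest of the function … */
```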
@@ -3146,6 +3154,15 @@ process_dnskey_response(struct module_qstate* qstate, struct val_qstate* vq,
 char* reason = NULL;
 sldns_ede_code reason_bogus = LDNS_EDE_DNSSEC_BOGUS;
 
+ if(sub_qstate && sub_qstate->rpz_applied) {
+ verbose(VERB_ALGO, "rpz was applied to the DNSKEY lookup, "
+ "make it insecure");
+ vq->key_entry = NULL;
+ vq->state = VAL_FINISHED_STATE;
+ vq->chase_reply->security = sec_status_insecure;
+ return;
+ }
+
 if(rcode == LDNS_RCODE_NOERROR)
 dnskey = reply_find_answer_rrset(qinfo, msg->rep);
 
From b5951ce1fa30b64b4fb079e36d5d98d57fb53372 Mon Sep 17 00:00:00 2001
From: "W.C.A. Wijngaards"
Date: Wed, 28 Aug 2024 10:51:22 +0200
Subject: [PATCH 14/33] - Fix that when rpz is applied the message does not get picked up by the validator. That stops validation failures for the message.
---
 doc/Changelog | 4 +
 testdata/rpz_val_block.rpl | 231 ++++++++++++++++++++++++++++++++++++-
 validator/validator.c | 8 ++
 3 files changed, 242 insertions(+), 1 deletion(-)
diff --git a/doc/Changelog b/doc/Changelog
index ccf334038..222bcfc2c 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,7 @@
+28 August 2024: Wouter
+ - Fix that when rpz is applied the message does not get picked up by
+ the validator. That stops validation failures for the message.
+
 27 August 2024: Wouter
 - Fix #1130: Loads of logs: "validation failure: key for validation
 . is marked as invalid because of a previous" for
diff --git a/testdata/rpz_val_block.rpl b/testdata/rpz_val_block.rpl
index 45bfcce72..acde15294 100644
--- a/testdata/rpz_val_block.rpl
+++ b/testdata/rpz_val_block.rpl
@@ -30,6 +30,8 @@ $ORIGIN rpz.example.com.
 foo.org CNAME .
 foo2.org CNAME .
 foo3.org CNAME .
+bok.foo4.org A 4.0.5.5
+www.foo5.org CNAME alt.foo5.org.
 TEMPFILE_END
 
 CONFIG_END
@@ -152,6 +154,34 @@ foo3.org. IN NS ns.foo3.org. SECTION ADDITIONAL ns.foo3.org. IN A 1.2.3.55 ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +foo4.org. IN NS +SECTION AUTHORITY +foo4.org. 3600 IN DS 55567 8 2 db658962fbd0a03e81f1a68c33bb53eef3bc30e980040cb476fb191b24dfdd5a +foo4.org. 3600 IN RRSIG DS 8 2 3600 20070926134150 20070829134150 1444 org. kO2d+9du+9y0HcAUq056qnqBoXLwT+/EN82lEocJjCE7lx9qxv4YpwfNd1Sr3J9lwvZbfEm5uRPmSwtrythlI4+qmlsEWE90mfUntH+JqlXj7t2E514AZ/SZPSUd6h6AKPlB/DIhHuI/fAEKB+S263NnvVMccaHh8ScJMsY9nGI= +foo4.org. IN NS ns.foo4.org. +SECTION ADDITIONAL +ns.foo4.org. IN A 1.2.3.56 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +foo5.org. IN NS +SECTION AUTHORITY +foo5.org. 3600 IN DS 55567 8 2 4046e908302813cad9b4448cd4c243be118b7c18f8414b820bce0a1eab6f6889 +foo5.org. 3600 IN RRSIG DS 8 2 3600 20070926134150 20070829134150 1444 org. e0+FRSrwoSeQxd35dcvsEFGQIO9nz+H6p52LAwPDUTOSwFcbR+q+x4OKX+eG8dbFXK7MGztdGdpPji95HzlezXRTt/66sXqYeDM61NezxVM6N/OjPIOL3VTGeyG4nvDj4ycvBbgjJqdhmev6aWYmTQwFa0+6Nxrlsldrl5/chW4= +foo5.org. IN NS ns.foo5.org. +SECTION ADDITIONAL +ns.foo5.org. IN A 1.2.3.57 +ENTRY_END RANGE_END ; ns1.servers.com for .com @@ -188,6 +218,26 @@ foo2.com. IN TXT SECTION ANSWER foo2.com. IN CNAME www.foo2.org. ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +foo4.com. IN A +SECTION ANSWER +foo4.com. IN CNAME www.foo4.org. +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +foo5.com. IN A +SECTION ANSWER +foo5.com. IN CNAME www.foo5.org. +ENTRY_END RANGE_END ; ns.foo.org for foo.org 
@@ -323,6 +373,133 @@ www2.foo3.org. IN TXT "a.b.g." ENTRY_END RANGE_END +; ns.foo4.org for foo4.org +RANGE_BEGIN 0 1000 + ADDRESS 1.2.3.56 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +foo4.org. IN NS +SECTION ANSWER +foo4.org. 3600 IN NS ns.foo4.org. +foo4.org. 3600 IN RRSIG NS 8 2 3600 20070926134150 20070829134150 55567 foo4.org. FXwXqJ8EW2XZDzHiMSiqiUpkk6tHGsJdlH1pfuOO6yPsmAmg6sSnyE9UsIDeW1bGwanYxbZGiD4YR9ED/NzdlMUrCI0fs4c0fa0yJjcF5WY0yZCL9OZbyn/dPIcqZ3D6UWjVVMW6EhZSPqzuz5gWYEiXkBDEc1s2BEjIYSwZo4g= +SECTION ADDITIONAL +ns.foo4.org. 3600 IN A 1.2.3.56 +ns.foo4.org. 3600 IN RRSIG A 8 3 3600 20070926134150 20070829134150 55567 foo4.org. MgKROh4mE6pUyp0ik2CHTZuf7n9M4WaDvTLdI9qb+AvvpJJiwA1+7/v004A3PADvohsUytQttldYKwK6J9+c8R48lpieT+e/WzeyoCM1ieFhbP73By32Bl/akH+8cOUxfqqLD8Y+1z/oKV55LyqKP0H0DCb6vfYtSxWAYQym9PQ= +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +foo4.org. IN DNSKEY +SECTION ANSWER +foo4.org. IN DNSKEY 257 3 8 AwEAAdug/L739i0mgN2nuK/bhxu3wFn5Ud9nK2+XUmZQlPUEZUC5YZvm1rfMmEWTGBn87fFxEu/kjFZHJ55JLzqsbbpVHLbmKCTT2gYR2FV2WDKROGKuYbVkJIXdKAjJ0ONuK507NinYvlWXIoxHn22KAWOd9wKgSTNHBlmGkX+ts3hh ;{id = 55567 (ksk), size = 1024b} +foo4.org. 3600 IN RRSIG DNSKEY 8 2 3600 20070926134150 20070829134150 55567 foo4.org. Hy1tP0xBPp23e+w2YJ49e09e8AB9hLDP3ksWI/8ujNFK51Kuwo8HBx4R6zbcuOELlqWxr6IQU2w6AwB6UqClS88mc2sIgeEbw7Nm+nCDWPSPklPP4qa9pdXFh2M4txF4NxymrgRABjTTJiXK4oeWtFBNKkUu0hf6RGb9OJmdzF0= +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +www.foo4.org. IN A +SECTION ANSWER +www.foo4.org. 3600 IN CNAME bok.foo4.org. +www.foo4.org. 3600 IN RRSIG CNAME 8 3 3600 20070926134150 20070829134150 55567 foo4.org. 
ZRY/v7TPmkuKVNB739kTMiqPh84jtDO01hx2EtuPI2YwG4EnhWFV0fuz86FDMPKUD17MXRHKsi0+RUopqGUEbuZ7G9MzUFtuuTnVD8f9lNJVp2AfE2RAr1le8zZpdSvlmB1Y07HsrFPxxZAPYdBC2IY3VcpI0xaT1nHGsSpcoXc= +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +bok.foo4.org. IN A +SECTION ANSWER +bok.foo4.org. 3600 IN A 1.2.3.4 +bok.foo4.org. 3600 IN RRSIG A 8 3 3600 20070926134150 20070829134150 55567 foo4.org. xDPRNYlwWTxfQaX6kKHbYeKC/ro/U1TAQzEexUoQb/GDpx1zB1oqvYBuauivIjHyKwjrGg7f9WHyyzMxSby0G62hJLPoMJMLscLce17mwkWcG2AuojBiDwLBr5QXvJXhvT21LpOFt8xplLZuzNRyw4EsUau0ecd2nQ/5vtIz5aU= +ENTRY_END +RANGE_END + +; ns.foo5.org for foo5.org +RANGE_BEGIN 0 1000 + ADDRESS 1.2.3.57 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +foo5.org. IN NS +SECTION ANSWER +foo5.org. 3600 IN NS ns.foo5.org. +foo5.org. 3600 IN RRSIG NS 8 2 3600 20070926134150 20070829134150 55567 foo5.org. Zv/zSvsLucTxX2LL+i4IZfFw/D/5HvzNKmRcohBjmP2W+F53KddGJpRHb2FPqcBzKhvjL/Awf0x1mhHUUBCSQcHA3FZQ9q2kfXK4pzg4XbI03U/hsY5b/1M8SC/DfGE+4jN59QadXZ6N4ouV4Ka9sqRfqXiQFED1Rz9WuMyHfXY= +SECTION ADDITIONAL +ns.foo5.org. 3600 IN A 1.2.3.57 +ns.foo5.org. 3600 IN RRSIG A 8 3 3600 20070926134150 20070829134150 55567 foo5.org. TcHl2qjwwcfoM1kJ+rwje/VRmPJT62RvJvjHwri5NqJopKp9tcaKz1dYByTlhbGbB0tGihWPa271ja3s31dHuOlZsuWd8hdMr7Hq/COpyn7iVOoeU8bLRtkvReLyiD3Ju9IMmzLMyWCGNNzpuZrEBfbBwTC4ali5iL4OgPjMdhc= +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +foo5.org. IN DNSKEY +SECTION ANSWER +foo5.org. IN DNSKEY 257 3 8 AwEAAdug/L739i0mgN2nuK/bhxu3wFn5Ud9nK2+XUmZQlPUEZUC5YZvm1rfMmEWTGBn87fFxEu/kjFZHJ55JLzqsbbpVHLbmKCTT2gYR2FV2WDKROGKuYbVkJIXdKAjJ0ONuK507NinYvlWXIoxHn22KAWOd9wKgSTNHBlmGkX+ts3hh ;{id = 55567 (ksk), size = 1024b} +foo5.org. 3600 IN RRSIG DNSKEY 8 2 3600 20070926134150 20070829134150 55567 foo5.org. 
wq5nET6vQal5aXvNr6lhUI5VzGJNM52k9RVdNsntiN25GehtBKF/+O2OhrD4YoLCIkMM4dzSSlO/nbbtx/8V8Y5LlA5Kxx3DU+QWpn4iwJg01VwXhJaw8KqK20bUS+PbkG+ZwAqVD1veAdtKR7lfYI35XZojZQ1ReSMWb/vLv4s= +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qname +ADJUST copy_id copy_query +REPLY QR AA NOERROR +SECTION QUESTION +www.foo5.org. IN A +SECTION ANSWER +www.foo5.org. 3600 IN CNAME bok.foo5.org. +www.foo5.org. 3600 IN RRSIG CNAME 8 3 3600 20070926134150 20070829134150 55567 foo5.org. L/KOVafKFY401Y2k3J+QjkX0XcBTsMperFyhKfTmyQYY3lI5shvdJT0UGu6ogZ9cCWM+tLNyVr804+dfK6QL/wdYOx9hkK/fiePUhAU6lzepJBdg7wotw560Eu6J7UhhtopHKrWa5ElQFG1UFR/qjcx/m4Ms6BgCWh8yWy20N1E= +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +alt.foo5.org. IN A +SECTION ANSWER +alt.foo5.org. 3600 IN A 4.0.5.6 +alt.foo5.org. 3600 IN RRSIG A 8 3 3600 20070926134150 20070829134150 55567 foo5.org. vG+qffAmazC38iBE2QsZq5kFxNW5Mo+65epMjAA/06syLzjOKkfh8dbe++jQqvwqCqrIBb56miVFDCW1VEYOdh8vReptt9KtbQjXXMfRF39V3ccvbhEfP1xMG8Z8B7tkIBtLvfCNrsfYaccvYgq+gkPeeL1JEiK3ntOukJUbapM= +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +bok.foo5.org. IN A +SECTION ANSWER +bok.foo5.org. 3600 IN A 1.2.3.4 +bok.foo5.org. 3600 IN RRSIG A 8 3 3600 20070926134150 20070829134150 55567 foo5.org. rlBgWgq0R4yT+bK0CyuZfFJ36dCsZnpvc9/7tShcMAzDPDu4+hgbXuyMWcsnsZjX3ZfR0a4wRwOwH86ZNLLxdkXNO1/bSDq+IsLyXesoVBDmcNvtdq5PgupCNW5I/cBP4tK0DCytXDLRFtU7LOxdgPps4dFANhHU6Q6LboqW4t8= +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +alt.foo5.org. IN DS +SECTION ANSWER +SECTION AUTHORITY +foo5.org. 3600 IN SOA ns.foo5.org. host.foo5.org. 2007090422 3600 300 604800 3600 +foo5.org. 3600 IN RRSIG SOA 8 2 3600 20070926134150 20070829134150 55567 foo5.org. 
cHo00Jg0OI9sRaQV9t6WMybhkRwG6UFx6gEq87HOeOm2gPSbXFjIImyH6l1u8MPdXj8kYcGsUotWUEPuBTfA88bGb/lKfbu4aMD9GaqjB9oZF1iOCf7IdkXqHg/0iZNHOXbUNyNlCJgjkrVdZysJ1D1tAx7qmJgmzsJHerDuQzA= +alt.foo5.org. 3600 IN NSEC alt2.foo5.org. A RRSIG NSEC +alt.foo5.org. 3600 IN RRSIG NSEC 8 3 3600 20070926134150 20070829134150 55567 foo5.org. fgOxxCj+ZnRWyfVFlNCS/9UDg4n8+JaSmMjQzsqUoXk5Db9fMzOd3ScYqVxweXC/ER6Ly+XHz9RFVsAOA4I67eWGL6YJ5sA/MUJd3tB4Dk3xp0ycHH0ARvys9YedG9PLUvBY9B5qT/nhrw2N9yRtkq04z6DhjLh3uC0UJKsSiVc= +ENTRY_END +RANGE_END + ; Test query STEP 10 QUERY ENTRY_BEGIN @@ -341,6 +518,8 @@ foo.org. IN TXT SECTION ANSWER ENTRY_END +; The foo2.org domain has no DS with NSEC. The queries for foo2.org DS and +; DNSKEY are blocked. STEP 20 QUERY ENTRY_BEGIN REPLY RD @@ -358,6 +537,9 @@ SECTION ANSWER www.foo2.org. IN TXT "a.b.e." ENTRY_END +; The foo3.org domain has no DS with NSEC3. The queries for foo3.org DS and +; DNSKEY are blocked. Because it is nsec3, there is no negative cache entry, +; and a type DS query is made, that is then blocked. STEP 30 QUERY ENTRY_BEGIN REPLY RD @@ -375,6 +557,8 @@ SECTION ANSWER www.foo3.org. IN TXT "a.b.f." ENTRY_END +; This query would use a validation failure for foo3.org from the key cache, +; if it previously failed. STEP 32 QUERY ENTRY_BEGIN REPLY RD @@ -392,7 +576,8 @@ SECTION ANSWER www2.foo3.org. IN TXT "a.b.g." ENTRY_END -; This query has a CNAME to foo.org. +; This query has a CNAME to www.foo.org. It is signed, but foo.org is blocked, +; for DS and DNSKEY queries. There is a DS, but the DNSKEY query is blocked. STEP 40 QUERY ENTRY_BEGIN REPLY RD 
@@ -411,4 +596,48 @@ foo.com. IN CNAME www.foo.org.
 www.foo.org. 3600 IN TXT "a.b.d."
 ENTRY_END
+; The foo4.com query has a CNAME to a validly signed domain www.foo4.org,
+; that has a cname to bok.foo4.org. The bok.foo4.org name is RPZ filtered,
+; with a new A record in the response, that is not signed, from RPZ.
+STEP 50 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+foo4.com. IN A
+ENTRY_END
+
+STEP 51 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AA NOERROR
+SECTION QUESTION
+foo4.com. IN A
+SECTION ANSWER
+foo4.com. IN CNAME www.foo4.org.
+www.foo4.org. IN CNAME bok.foo4.org.
+bok.foo4.org IN A 4.0.5.5
+ENTRY_END
+
+; The foo5.com query has a CNAME to a signed domain www.foo5.org,
+; the www.foo5.org is filtered by RPZ with a different CNAME to another,
+; DNSSEC signed A record, alt.foo5.org, instead of bok.foo5.org.
+STEP 60 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+foo5.com. IN A
+ENTRY_END
+
+STEP 61 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+foo5.com. IN A
+SECTION ANSWER
+foo5.com. IN CNAME www.foo5.org.
+www.foo5.org. IN CNAME alt.foo5.org.
+alt.foo5.org IN A 4.0.5.6
+ENTRY_END
+
 SCENARIO_END
diff --git a/validator/validator.c b/validator/validator.c
index 194671e58..57cd3031a 100644
--- a/validator/validator.c
+++ b/validator/validator.c
@@ -2617,6 +2617,14 @@ val_operate(struct module_qstate* qstate, enum module_ev event, int id,
 qstate->ext_state[id] = module_finished;
 return;
 }
+ if(qstate->rpz_applied) {
+ verbose(VERB_ALGO, "rpz applied, mark it as insecure");
+ if(qstate->return_msg)
+ qstate->return_msg->rep->security =
+ sec_status_insecure;
+ qstate->ext_state[id] = module_finished;
+ return;
+ }
 /* qclass ANY should have validation result from spawned
 * queries. If we get here, it is bogus or an internal error */
 if(qstate->qinfo.qclass == LDNS_RR_CLASS_ANY) {
From 42d421a30564c9840916ece25c56a1c94e58b8b0 Mon Sep 17 00:00:00 2001
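Review bot: The new `rpz_applied` branch in val_operate returns module_finished without touching anything when `qstate->return_msg` is NULL, so such a query leaves the validator with no security status set; if that case is reachable it deserves a comment, otherwise the inner `if` reads as dead code. A why-comment above the branch would also help, e.g. `/* RPZ rewrote this answer, so it can never validate; mark it insecure (no AD bit) instead of reporting a validation failure. */`. The enclosing function begins before the hunk and continues after it.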
From: "W.C.A. Wijngaards"
Date: Wed, 28 Aug 2024 13:16:29 +0200
Subject: [PATCH 15/33] - Fix that stub-zone and forward-zone clauses do not exhaust memory for long content.
---
 doc/Changelog | 2 ++
 util/configparser.y | 40 ++++++++++++++++++++++------------------
 2 files changed, 24 insertions(+), 18 deletions(-)
diff --git a/doc/Changelog b/doc/Changelog
index 222bcfc2c..ef963c4d2 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,6 +1,8 @@
 28 August 2024: Wouter
 - Fix that when rpz is applied the message does not get picked up by
 the validator. That stops validation failures for the message.
+ - Fix that stub-zone and forward-zone clauses do not exhaust memory
+ for long content.
 27 August 2024: Wouter
 - Fix #1130: Loads of logs: "validation failure: key for validation
diff --git a/util/configparser.y b/util/configparser.y
index 4cd01cc3b..4dc647f82 100644
--- a/util/configparser.y
+++ b/util/configparser.y
@@ -210,8 +210,8 @@ extern struct config_parser_state* cfg_parser;
 %%
 toplevelvars: /* empty */ | toplevelvars toplevelvar ;
-toplevelvar: serverstart contents_server | stubstart contents_stub |
- forwardstart contents_forward | pythonstart contents_py |
+toplevelvar: serverstart contents_server | stub_clause |
+ forward_clause | pythonstart contents_py |
 rcstart contents_rc | dtstart contents_dt | view_clause |
 dnscstart contents_dnsc | cachedbstart contents_cachedb |
 ipsetstart contents_ipset | authstart contents_auth |
@@ -348,6 +348,14 @@ content_server: server_num_threads | server_verbosity | server_port |
 server_iter_scrub_ns | server_iter_scrub_cname | server_max_global_quota |
 server_harden_unverified_glue
 ;
+stub_clause: stubstart contents_stub
+ {
+ /* stub end */
+ if(cfg_parser->cfg->stubs &&
+ !cfg_parser->cfg->stubs->name)
+ yyerror("stub-zone without name");
+ }
+ ;
 stubstart: VAR_STUB_ZONE
 {
 struct config_stub* s;
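Review bot: The `/* stub end */` comment in the new `stub_clause` action was carried over from the old empty alternative of `contents_stub` and no longer says what the action checks; `/* end of stub-zone clause: the name attribute is mandatory */` would. The same applies to the `forward_clause` action in the next hunk. The first hunk on this line (the `toplevelvar` change) only wires the two new nonterminals in.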
@@ -362,17 +370,19 @@ stubstart: VAR_STUB_ZONE
 }
 }
 ;
-contents_stub: content_stub contents_stub
- |
- {
- /* stub end */
- if(cfg_parser->cfg->stubs &&
- !cfg_parser->cfg->stubs->name)
- yyerror("stub-zone without name");
- };
+contents_stub: contents_stub content_stub
+ | ;
 content_stub: stub_name | stub_host | stub_addr | stub_prime | stub_first | stub_no_cache | stub_ssl_upstream | stub_tcp_upstream
 ;
+forward_clause: forwardstart contents_forward
+ {
+ /* forward end */
+ if(cfg_parser->cfg->forwards &&
+ !cfg_parser->cfg->forwards->name)
+ yyerror("forward-zone without name");
+ }
+ ;
 forwardstart: VAR_FORWARD_ZONE
 {
 struct config_stub* s;
@@ -387,14 +397,8 @@ forwardstart: VAR_FORWARD_ZONE
 }
 }
 ;
-contents_forward: content_forward contents_forward
- |
- {
- /* forward end */
- if(cfg_parser->cfg->forwards &&
- !cfg_parser->cfg->forwards->name)
- yyerror("forward-zone without name");
- };
+contents_forward: contents_forward content_forward
+ | ;
 content_forward: forward_name | forward_host | forward_addr | forward_first | forward_no_cache | forward_ssl_upstream | forward_tcp_upstream
 ;
From c06d3646a9b6fd33b0167fe98e5bcdf1cc4b91cc Mon Sep 17 00:00:00 2001
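Review bot: The change of `contents_stub` from right to left recursion (and `contents_forward` in the second hunk) is the actual fix for the parser-stack growth, but neither rule says so, and the old form looks equally valid to the next maintainer. Suggest a comment on each rule: `/* left-recursive on purpose: a right-recursive list keeps every item on the parser stack until the clause ends */`. If other contents_* rules in this file are still right-recursive (they are outside these hunks), they keep the same unbounded stack growth on long clauses and deserve the same treatment.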
From: "W.C.A. Wijngaards" Date: Thu, 29 Aug 2024 10:40:31 +0200 Subject: [PATCH 16/33] - Unit test for auth zone transfer TLS, and TLS failure. --- doc/Changelog | 3 + testdata/auth_tls.tdir/auth_tls.dsc | 16 ++++++ testdata/auth_tls.tdir/auth_tls.nsd.conf | 21 +++++++ testdata/auth_tls.tdir/auth_tls.post | 14 +++++ testdata/auth_tls.tdir/auth_tls.pre | 47 ++++++++++++++++ testdata/auth_tls.tdir/auth_tls.test | 48 ++++++++++++++++ testdata/auth_tls.tdir/auth_tls.ub.conf | 22 ++++++++ testdata/auth_tls.tdir/example.com.zone | 4 ++ testdata/auth_tls.tdir/nsd_server.key | 39 +++++++++++++ testdata/auth_tls.tdir/nsd_server.pem | 22 ++++++++ testdata/auth_tls.tdir/unbound_server.key | 39 +++++++++++++ testdata/auth_tls.tdir/unbound_server.pem | 22 ++++++++ .../auth_tls_failcert.dsc | 16 ++++++ .../auth_tls_failcert.nsd.conf | 21 +++++++ .../auth_tls_failcert.post | 14 +++++ .../auth_tls_failcert.pre | 47 ++++++++++++++++ .../auth_tls_failcert.test | 56 +++++++++++++++++++ .../auth_tls_failcert.ub.conf | 23 ++++++++ .../auth_tls_failcert.tdir/example.com.zone | 4 ++ .../auth_tls_failcert.tdir/nsd_server.key | 39 +++++++++++++ .../auth_tls_failcert.tdir/nsd_server.pem | 22 ++++++++ .../auth_tls_failcert.tdir/unbound_server.key | 39 +++++++++++++ .../auth_tls_failcert.tdir/unbound_server.pem | 22 ++++++++ 23 files changed, 600 insertions(+) create mode 100644 testdata/auth_tls.tdir/auth_tls.dsc create mode 100644 testdata/auth_tls.tdir/auth_tls.nsd.conf create mode 100644 testdata/auth_tls.tdir/auth_tls.post create mode 100644 testdata/auth_tls.tdir/auth_tls.pre create mode 100644 testdata/auth_tls.tdir/auth_tls.test create mode 100644 testdata/auth_tls.tdir/auth_tls.ub.conf create mode 100644 testdata/auth_tls.tdir/example.com.zone create mode 100644 testdata/auth_tls.tdir/nsd_server.key create mode 100644 testdata/auth_tls.tdir/nsd_server.pem create mode 100644 testdata/auth_tls.tdir/unbound_server.key create mode 100644 testdata/auth_tls.tdir/unbound_server.pem create 
mode 100644 testdata/auth_tls_failcert.tdir/auth_tls_failcert.dsc create mode 100644 testdata/auth_tls_failcert.tdir/auth_tls_failcert.nsd.conf create mode 100644 testdata/auth_tls_failcert.tdir/auth_tls_failcert.post create mode 100644 testdata/auth_tls_failcert.tdir/auth_tls_failcert.pre create mode 100644 testdata/auth_tls_failcert.tdir/auth_tls_failcert.test create mode 100644 testdata/auth_tls_failcert.tdir/auth_tls_failcert.ub.conf create mode 100644 testdata/auth_tls_failcert.tdir/example.com.zone create mode 100644 testdata/auth_tls_failcert.tdir/nsd_server.key create mode 100644 testdata/auth_tls_failcert.tdir/nsd_server.pem create mode 100644 testdata/auth_tls_failcert.tdir/unbound_server.key create mode 100644 testdata/auth_tls_failcert.tdir/unbound_server.pem diff --git a/doc/Changelog b/doc/Changelog index ef963c4d2..a2802909b 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,3 +1,6 @@ +29 August 2024: Wouter + - Unit test for auth zone transfer TLS, and TLS failure. + 28 August 2024: Wouter - Fix that when rpz is applied the message does not get picked up by the validator. That stops validation failures for the message. diff --git a/testdata/auth_tls.tdir/auth_tls.dsc b/testdata/auth_tls.tdir/auth_tls.dsc new file mode 100644 index 000000000..0caf949e8 --- /dev/null +++ b/testdata/auth_tls.tdir/auth_tls.dsc @@ -0,0 +1,16 @@ +BaseName: auth_tls +Version: 1.0 +Description: Perform AXFR over tls for authority zone +CreationDate: Thu 29 Aug 09:35:40 CEST 2024 +Maintainer: dr. W.C.A. Wijngaards +Category: +Component: +CmdDepends: +Depends: +Help: +Pre: auth_tls.pre +Post: auth_tls.post +Test: auth_tls.test +AuxFiles: +Passed: +Failure: diff --git a/testdata/auth_tls.tdir/auth_tls.nsd.conf b/testdata/auth_tls.tdir/auth_tls.nsd.conf new file mode 100644 index 000000000..c20ed21df --- /dev/null +++ b/testdata/auth_tls.tdir/auth_tls.nsd.conf 
@@ -0,0 +1,21 @@ +server: + logfile: "/dev/stderr" + xfrdfile: xfrd.state + username: "" + chroot: "" + zonesdir: "" + pidfile: "nsd.pid" + zonelistfile: "zone.list" + verbosity: 5 + port: @NSD_PORT@ + interface: 127.0.0.1@@NSD_PORT@ + + tls-port: @NSD_PORT@ + tls-service-key: "nsd_server.key" + tls-service-pem: "nsd_server.pem" + +zone: + name: "example.com" + zonefile: "example.com.zone" + provide-xfr: 0.0.0.0/0 NOKEY + provide-xfr: ::0/0 NOKEY diff --git a/testdata/auth_tls.tdir/auth_tls.post b/testdata/auth_tls.tdir/auth_tls.post new file mode 100644 index 000000000..19de9f46f --- /dev/null +++ b/testdata/auth_tls.tdir/auth_tls.post @@ -0,0 +1,14 @@ +# #-- auth_tls.post --# +# source the master var file when it's there +[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master +# source the test var file when it's there +[ -f .tpkg.var.test ] && source .tpkg.var.test +# +# do your teardown here +. ../common.sh +kill_pid $NSD_PID +kill_pid $UNBOUND_PID +echo "nsd.log" +cat nsd.log +echo "unbound.log" +cat unbound.log diff --git a/testdata/auth_tls.tdir/auth_tls.pre b/testdata/auth_tls.tdir/auth_tls.pre new file mode 100644 index 000000000..ebeee24c5 --- /dev/null +++ b/testdata/auth_tls.tdir/auth_tls.pre 
@@ -0,0 +1,47 @@ +# #-- auth_tls.pre--# +# source the master var file when it's there +[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master +# use .tpkg.var.test for in test variable passing +[ -f .tpkg.var.test ] && source .tpkg.var.test + +. ../common.sh +PRE="../.." +if test -n "$NSD"; then + : +else + if `which nsd >/dev/null 2>&1`; then + # need nsd >= 4.2.0 + NSD="nsd" + else + if test -f $PRE/../nsd/nsd; then + NSD="$PRE/../nsd/nsd" + else + skip_test "need nsd" + fi + fi +fi +echo "NSD=$NSD" + +get_random_port 2 +UNBOUND_PORT=$RND_PORT +NSD_PORT=$(($RND_PORT + 1)) +echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test +echo "NSD_PORT=$NSD_PORT" >> .tpkg.var.test + +# make config file +sed -e 's/@UNBOUND_PORT\@/'$UNBOUND_PORT'/' -e 's/@NSD_PORT\@/'$NSD_PORT'/' < auth_tls.ub.conf > ub.conf +sed -e 's/@UNBOUND_PORT\@/'$UNBOUND_PORT'/' -e 's/@NSD_PORT\@/'$NSD_PORT'/' < auth_tls.nsd.conf > nsd.conf + +# start nsd +$NSD -d -c nsd.conf >nsd.log 2>&1 & +NSD_PID=$! +echo "NSD_PID=$NSD_PID" >> .tpkg.var.test + +# start unbound in the background +$PRE/unbound -d -c ub.conf >unbound.log 2>&1 & +UNBOUND_PID=$! +echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test + +cat .tpkg.var.test +wait_nsd_up nsd.log +wait_unbound_up unbound.log diff --git a/testdata/auth_tls.tdir/auth_tls.test b/testdata/auth_tls.tdir/auth_tls.test new file mode 100644 index 000000000..030212f52 --- /dev/null +++ b/testdata/auth_tls.tdir/auth_tls.test 
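Review bot: The backtick-wrapped `which nsd >/dev/null 2>&1` test used as the `if` condition in auth_tls.pre relies on the bash rule that a command line expanding to nothing takes the exit status of the last command substitution; `if which nsd >/dev/null 2>&1; then` (or `command -v nsd`) tests the same thing without that dependency. The same line appears in auth_tls_failcert.pre, presumably copied from the existing tests.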
@@ -0,0 +1,48 @@ +# #-- auth_tls.test --# +# source the master var file when it's there +[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master +# use .tpkg.var.test for in test variable passing +[ -f .tpkg.var.test ] && source .tpkg.var.test + +PRE="../.." +# do the test +echo "> dig www.example.com." +dig @127.0.0.1 -p $UNBOUND_PORT www.example.com. | tee outfile +if grep SERVFAIL outfile; then + echo "> try again" + dig @127.0.0.1 -p $UNBOUND_PORT www.example.com. | tee outfile +fi +if grep SERVFAIL outfile; then + echo "> try again" + sleep 1 + dig @127.0.0.1 -p $UNBOUND_PORT www.example.com. | tee outfile +fi +if grep SERVFAIL outfile; then + echo "> try again" + sleep 1 + dig @127.0.0.1 -p $UNBOUND_PORT www.example.com. | tee outfile +fi +if grep SERVFAIL outfile; then + echo "> try again" + sleep 1 + dig @127.0.0.1 -p $UNBOUND_PORT www.example.com. | tee outfile +fi +if grep SERVFAIL outfile; then + echo "> try again" + sleep 10 + dig @127.0.0.1 -p $UNBOUND_PORT www.example.com. | tee outfile +fi +if grep SERVFAIL outfile; then + echo "> try again" + sleep 10 + dig @127.0.0.1 -p $UNBOUND_PORT www.example.com. | tee outfile +fi +echo "> check answer" +if grep "1.2.3.4" outfile; then + echo "OK" +else + echo "Not OK" + exit 1 +fi + +exit 0 diff --git a/testdata/auth_tls.tdir/auth_tls.ub.conf b/testdata/auth_tls.tdir/auth_tls.ub.conf new file mode 100644 index 000000000..0220c60af --- /dev/null +++ b/testdata/auth_tls.tdir/auth_tls.ub.conf @@ -0,0 +1,22 @@ +server: + verbosity: 7 + # num-threads: 1 + interface: 127.0.0.1 + port: @UNBOUND_PORT@ + use-syslog: no + directory: "" + pidfile: "unbound.pid" + chroot: "" + username: "" + do-not-query-localhost: no + tls-service-key: "unbound_server.key" + tls-service-pem: "unbound_server.pem" + tls-cert-bundle: "nsd_server.pem" + +auth-zone: + name: "example.com" + for-upstream: yes + for-downstream: yes + primary: "127.0.0.1@@NSD_PORT@#nsd" + allow-notify: "127.0.0.2@@NSD_PORT@" + allow-notify: 127.0.0.1 
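Review bot: The six copied retry blocks in auth_tls.test could be one loop with the delays in a list, which keeps the total wait visible in one place; auth_tls_failcert.test has the same chain with delays `0 1 1 1 1 1`. Separately, `grep "1.2.3.4" outfile` is a regex in which each dot matches any character, so `grep -F "1.2.3.4" outfile` pins the literal address; a stray match would pass this test silently and fail auth_tls_failcert.test for the wrong reason. The nsd_server.pem fixture's validity field appears to decode to a notAfter of 2029-04-22, after which both tests fail on certificate expiry rather than on the behaviour under test, which is worth a note in the .dsc.
```shell
dig @127.0.0.1 -p $UNBOUND_PORT www.example.com. | tee outfile
for delay in 0 1 1 1 10 10; do
	grep -q SERVFAIL outfile || break
	echo "> try again"
	sleep $delay
	dig @127.0.0.1 -p $UNBOUND_PORT www.example.com. | tee outfile
done
# … unchanged: answer check …
```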
diff --git a/testdata/auth_tls.tdir/example.com.zone b/testdata/auth_tls.tdir/example.com.zone new file mode 100644 index 000000000..18b5b407e --- /dev/null +++ b/testdata/auth_tls.tdir/example.com.zone @@ -0,0 +1,4 @@ +example.com. 240 IN SOA ns.nlnetlabs.nl. hostmaster.nlnetlabs.nl. 2024082400 28800 7200 604800 240 +example.com. NS ns.example.com. +ns.example.com. IN A 192.0.2.1 +www.example.com. A 1.2.3.4 diff --git a/testdata/auth_tls.tdir/nsd_server.key b/testdata/auth_tls.tdir/nsd_server.key new file mode 100644 index 000000000..5d9f61031 --- /dev/null +++ b/testdata/auth_tls.tdir/nsd_server.key 
@@ -0,0 +1,39 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIG5QIBAAKCAYEAxLy5fFUI1OjXXbPcQ13303/K5AliTq6bCnS57edzQIbmPZj7 +XbGZ0RnU47cZ11GSAI9ptDIrSidNTsHzaqWZn431/IVjwrIkRgz95/aOWRov4fwm +cS5qvbYV60l384NZLqmF4BDDxSt2MLT2+jWxFEK2iUm2YXZewifQ8zaHmjfAWlo8 +TlK5jzt0Qc0qPv5nCC6mwtjb7OHul3N3QolW6hZOc1KZVEeBdELedoU9TyMyzhPB +vkqAXWoti/CwWj3YMTj/L7zNfQ9F1HW6n67Y+ltO8IadILPiZiiAVIrLqUh3EL2X +fq+BcJ3QvADjyL9F5TH3AaWoi6iYgMGcgdqK9k6hj+ziuMxX6OsgzfzxTEzZCHhP +Er39SX6j/fHzJP4aGQxAAHLAmv2p9P/oEZeZsvWPsBWYpULKgMZ0JDZhf26ddrB1 +mpTaqRQsG384dUZR9f/iyzTszwgc2PQ7JG6gVg723KoBhlD0g+DlC8XdxiRyaDbJ +PXzSoXgLWumx02OhAgMBAAECggGBAMS7MARriBRX7hzuYaEgE1V0oe+cjqi9o542 +EUMcQjzRaOVJ2HrdwUG+wgsgKwAMuqJCxuIBlRZm7MCH5CDODivmKohk3thviSRf +k3tlKv1g2Wby3YIqd2TT82FAK2nf+8tUi+H/AbVl+59DJwIXtMbc22m3w1/8nU8r +v5+l9L27aGcxesKbqKDZRC0Uu10YyvD8rZeEgY+EcjESrrxjV/1nZvWdMGR9yK74 +uzrri95aBVDbos7l8yz2oysf+UmUMp5U9rWwuU4M/34pFSGeo7CHjtliwbBF4FHn +uyompXaOr7Qrgeg4fc9NbZNaB4OAOV2d1sI202q6j3kEkhG4pD8LAG/RRnugCj7D +PKGJL3iZKxknjA+tAKkgq50EbMpLHHv1qSiKWy8p+bR5FyBYPSheOSkOKTywpqnd +OU+VDTi4iLDvkENt6E0TghSyhncl8yIcomYPktqepaNekCHquK5sX8NUhOzRe3WH +gX7l3e/o8JRvbwXJ8UWfQlKhPO/hvQKBwQDiLXVMf+Hjl/OoXHtF6huerNBux5CS +KYha5BLARs9W74kd9mTJ9F5IflenpzQJc1b/PnvvlcDDlniUvlgk463EA2th4qWp +50jFniq/l4rUMFk1vZBXldvuUaL6f+Ihi8WmoUAyguEVAB9G/EJ1bXqHKdJtxuz+ +/TXGBsXrF5+sZOTjfq96CgQtBmbPXMncPto0NndoMqcEB0bjsFywQXGCk6ZZZ3Ac +vwnZFqVwqro3aTwD+xllzVz+xBNK8GU+zW8CgcEA3q2EepAT7dlZAveC7VSLnFF/ +w86ziynGEuhoJly+zedDPkFIGxYje1SPaKhpMH2jOdCajyHPOGuWEeVfKMbzCrHP +GdFyiTQDk3Pq0JRXpUUJSPGPusAQnPruE68XccDb+eBiJR6y+0vXHd1J3F8B4BMQ +AloZZtlx9BkEZaaRjROxM7Ilbev4IjOcScTREb2GL8gU3vnI2FJjBMy6fI5cm4QK +XEgiLcxGniM77bAZTeoVFbpd4SSICDXVn/NM/XfvAoHBAMHbjKphAc/9MY6gldg6 +7Cl4nb4VtshQaNremWPMTXKKJNBVm9WtahJgl+jO2z8uaOalO70CchIyKm/zJcGY +lBtpguSHSs7xueIHy0QkM43jUtNJAyrO+46s0jA65Cs0jdhgZZHls944GJbTKHNV +vquTIRWOZxu3FBwDOihiOy2b3MNQlj7XzvR4hC4/rZTlGkmeVYItyBEf25bUVt2L +eisdOntuuR0qcNptGqgS7UEJJbOTyRUEjCyhCpg0q9LEaQKBwDF7N1wQ1gzdZlUt 
+cO+SAO/8gDqfnPAImVYsRLB5nYCdqiiUUxSJx9qpALEN80nuMS4wt5ekuKpd5dwW +Lx4dj3ZJ6q5fB2eLolvKv1wYCp3UCGsoGnsyIL7xV6QSHVCOvZL6FHURLE6BHM0r +FjWc+wqy0bTkFo7vNM48HOkFqYRC4vaM2JpjfCEFfO47iQW7Kq1FdbXSpZnEPPKd +F7eD3vpDzhWRhd7NbMfJJpD7t7PDl2nbnu7fska4x76iTvJoCwKBwQCcqj2yhl69 +1GfpzsOtfzh9rECrnKjAhmVbwRfKB1ivwe8G2tobgQjOUajBqkCYKpZgTy3wyhWn +0D4AdwonGu1XYLZWX+Hw/ZWhNEg/6Ju2wfiMJfFWmy5pvTSvmOlNWvYKwmH/TDjX +tEctSVj6D67xE5v6s3donTI0NFa1u7i1hwoGu4POCockbau52YN4n20R5K7enu2+ +YYpXfcUOmCi91Hpv+X1YbmY1tOo0m1ItYqupbuRFXnHVXJhKxsYXqlA= +-----END RSA PRIVATE KEY----- diff --git a/testdata/auth_tls.tdir/nsd_server.pem b/testdata/auth_tls.tdir/nsd_server.pem new file mode 100644 index 000000000..5d41ad2d6 --- /dev/null +++ b/testdata/auth_tls.tdir/nsd_server.pem 
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDozCCAgsCFCAZislHgIerlrBBkLFt/ZOkKYVZMA0GCSqGSIb3DQEBCwUAMA4x +DDAKBgNVBAMMA25zZDAeFw0xOTA0MjUxNTEzMjdaFw0yOTA0MjIxNTEzMjdaMA4x +DDAKBgNVBAMMA25zZDCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAMS8 +uXxVCNTo112z3ENd99N/yuQJYk6umwp0ue3nc0CG5j2Y+12xmdEZ1OO3GddRkgCP +abQyK0onTU7B82qlmZ+N9fyFY8KyJEYM/ef2jlkaL+H8JnEuar22FetJd/ODWS6p +heAQw8UrdjC09vo1sRRCtolJtmF2XsIn0PM2h5o3wFpaPE5SuY87dEHNKj7+Zwgu +psLY2+zh7pdzd0KJVuoWTnNSmVRHgXRC3naFPU8jMs4Twb5KgF1qLYvwsFo92DE4 +/y+8zX0PRdR1up+u2PpbTvCGnSCz4mYogFSKy6lIdxC9l36vgXCd0LwA48i/ReUx +9wGlqIuomIDBnIHaivZOoY/s4rjMV+jrIM388UxM2Qh4TxK9/Ul+o/3x8yT+GhkM +QABywJr9qfT/6BGXmbL1j7AVmKVCyoDGdCQ2YX9unXawdZqU2qkULBt/OHVGUfX/ +4ss07M8IHNj0OyRuoFYO9tyqAYZQ9IPg5QvF3cYkcmg2yT180qF4C1rpsdNjoQID +AQABMA0GCSqGSIb3DQEBCwUAA4IBgQB+WGMopDqNkv7yDAO8Ik2EWieDqxTshqR4 +bT1do9zsC9WDrIVxoVcn+dtlIpEQl8MN9U5DTKBbRgk3grOwUsg2kC0Gujv3vAyQ +bF+jxjHWd1xzrbQ+QUgz07P1OMFWxMzECL2L2078UZbawFqKqlmNv5avUk27G8nB +GrujT/pUOIpRXC+rao8e14R84dPJLZuGm9IAeEBQIIdhY9sjFRyoQdCUubyKPpkm +/fpcDMkt7PzZ4nTovj4NUxnnoUGonpXuj0pHA/RDDJkPYaRrND4OGldQXdZ9LJNM +pROL6aCZ5iog74OY8yutVzCgGge9vZLkysceVP7Lyks9/fEAtIuozmulp9TUQAeR +MVdDOcREWRd0vFNtAC9xSloRqV+66CzrFHwkSMpLo+gdgcAZ8s33rgQk+I4gfavU +jPWMZVcZHXevtWuTRnxfOpMkbwiRyr2J8m549K7OKZgr+JRhdJTev4lvXVyfFia4 +zr6UOK4exZWP6VDXb4IyZbJh+LMjmws= +-----END CERTIFICATE----- diff --git a/testdata/auth_tls.tdir/unbound_server.key b/testdata/auth_tls.tdir/unbound_server.key new file mode 100644 index 000000000..370a7bbb2 --- /dev/null +++ b/testdata/auth_tls.tdir/unbound_server.key 
@@ -0,0 +1,39 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIG5AIBAAKCAYEAvjSVSN2QMXudpzukdLCqgg/IOhCX8KYkD0FFFfWcQjgKq5wI +0x41iG32a6wbGanre4IX7VxaSPu9kkHfnGgynCk5nwDRedE/FLFhAU78PoT0+Nqq +GRS7XVQ24vLmIz9Hqc2Ozx1um1BXBTmIT0UfN2e22I0LWQ6a3seZlEDRj45gnk7Z +uh9MDgotaBdm+v1JAbupSf6Zis4VEH3JNdvVGE3O1DHEIeuuz/3BDhpf6WBDH+8K +WaBe1ca4TZHr9ThL2gEMEfAQl0wXDwRWRoi3NjNMH+mw0L1rjwThI5GXqNIee7o5 +FzUReSXZuTdFMyGe3Owcx+XoYnwi6cplSNoGsDBu4B9bKKglR9YleJVw4L4Xi8xP +q6O9UPj4+nypHk/DOoC7DIM3ufN0yxPBsFo5TVowxfhdjZXJbbftd2TZv7AH8+XL +A5UoZgRzXgzECelXSCTBFlMTnT48LfA9pMLydyjAz2UdPHs5Iv+TK5nnI+aJoeaP +7kFZSngxdy1+A/bNAgMBAAECggGBALpTOIqQwVg4CFBylL/a8K1IWJTI/I65sklf +XxYL7G7SB2HlEJ//z+E+F0+S4Vlao1vyLQ5QkgE82pAUB8FoMWvY1qF0Y8A5wtm6 +iZSGk4OLK488ZbT8Ii9i+AGKgPe2XbVxsJwj8N4k7Zooqec9hz73Up8ATEWJkRz7 +2u7oMGG4z91E0PULA64dOi3l/vOQe5w/Aa+CwVbAWtI05o7kMvQEBMDJn6C7CByo +MB5op9wueJMnz7PM7hns+U7Dy6oE4ljuolJUy51bDzFWwoM54cRoQqLFNHd8JVQj +WxldCkbfF43iyprlsEcUrTyUjtdA+ZeiG39vg/mtdmgNpGmdupHJZQvSuG8IcVlz +O+eMSeQS1QXPD6Ik8UK4SU0h+zOl8xIWtRrsxQuh4fnTN40udm/YUWl/6gOebsBI +IrVLlKGqJSfB3tMjpCRqdTzJ0dA9keVpkqm2ugZkxEf1+/efq/rFIQ2pUBLCqNTN +qpNqruK8y8FphP30I2uI4Ej2UIB8AQKBwQDd2Yptj2FyDyaXCycsyde0wYkNyzGU +dRnzdibfHnMZwjgTjwAwgIUBVIS8H0/z7ZJQKN7osJfddMrtjJtYYUk9g/dCpHXs +bNh2QSoWah3FdzNGuWd0iRf9+LFxhjAAMo/FS8zFJAJKrFsBdCGTfFUMdsLC0bjr +YjiWBuvV72uKf8XIZX5KIZruKdWBBcWukcb21R1UDyFYyXRBsly5XHaIYKZql3km +7pV7MKWO0IYgHbHIqGUqPQlzZ/lkunS1jKECgcEA23wHffD6Ou9/x3okPx2AWpTr +gh8rgqbyo6hQkBW5Y90Wz824cqaYebZDaBR/xlVx/YwjKkohv8Bde2lpH/ZxRZ1Z +5Sk2s6GJ/vU0L9RsJZgCgj4L6Coal1NMxuZtCXAlnOpiCdxSZgfqbshbTVz30KsG +ZJG361Cua1ScdAHxlZBxT52/1Sm0zRC2hnxL7h4qo7Idmtzs40LAJvYOKekR0pPN +oWeJfra7vgx/jVNvMFWoOoSLpidVO4g+ot4ery6tAoHAdW3rCic1C2zdnmH28Iw+ +s50l8Lk3mz+I5wgJd1zkzCO0DxZIoWPGA3g7cmCYr6N3KRsZMs4W9NAXgjpFGDkW +zYsG3K21BdpvkdjYcFjnPVjlOXB2RIc0vehf9Jl02wXoeCSxVUDEPcaRvWk9RJYx +ZpGOchUU7vNkxHURbIJ4yCzuAi9G8/Jp0dsu+kaV5tufF5SjG5WOrzKjaQsCbdN1 +oqaWMCHRrTvov/Z2C+xwsptFOdN5CSyZzg6hQiI4GMlBAoHAXyb6KINcOEi0YMp3 
+BFXJ23tMTnEs78tozcKeipigcsbaqORK3omS+NEnj+uzKUzJyl4CsMbKstK2tFYS +mSTCHqgE3PBtIpsZtEqhgUraR8IK9GPpzZDTTl9ynZgwFTNlWw3RyuyVXF56J+T8 +kCGJ3hEHCHqT/ZRQyX85BKIDFhA0z4tYKxWVqIFiYBNq56R0X9tMMmMs36mEnF93 +7Ht6mowxTZQRa7nU0qOgeKh/P7ki4Zus3y+WJ+T9IqahLtlRAoHBAIhqMrcxSAB8 +RpB9jukJlAnidw2jCMPgrFE8tP0khhVvGrXMldxAUsMKntDIo8dGCnG1KTcWDI0O +jepvSPHSsxVLFugL79h0eVIS5z4huW48i9xgU8VlHdgAcgEPIAOFcOw2BCu/s0Vp +O+MM/EyUOdo3NsibB3qc/GJI6iNBYS7AljYEVo6rXo5V/MZvZUF4vClen6Obzsre +MTTb+4sJjfqleWuvr1XNMeu2mBfXBQkWGZP1byBK0MvD/aQ2PWq92A== +-----END RSA PRIVATE KEY----- diff --git a/testdata/auth_tls.tdir/unbound_server.pem b/testdata/auth_tls.tdir/unbound_server.pem new file mode 100644 index 000000000..986807310 --- /dev/null +++ b/testdata/auth_tls.tdir/unbound_server.pem 
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDqzCCAhMCFBHWXeQ6ZIa9QcQbXLFfC6tj+KA+MA0GCSqGSIb3DQEBCwUAMBIx +EDAOBgNVBAMMB3VuYm91bmQwHhcNMjAwNzA4MTMzMjI5WhcNNDAwMzI1MTMzMjI5 +WjASMRAwDgYDVQQDDAd1bmJvdW5kMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIB +igKCAYEAvjSVSN2QMXudpzukdLCqgg/IOhCX8KYkD0FFFfWcQjgKq5wI0x41iG32 +a6wbGanre4IX7VxaSPu9kkHfnGgynCk5nwDRedE/FLFhAU78PoT0+NqqGRS7XVQ2 +4vLmIz9Hqc2Ozx1um1BXBTmIT0UfN2e22I0LWQ6a3seZlEDRj45gnk7Zuh9MDgot +aBdm+v1JAbupSf6Zis4VEH3JNdvVGE3O1DHEIeuuz/3BDhpf6WBDH+8KWaBe1ca4 +TZHr9ThL2gEMEfAQl0wXDwRWRoi3NjNMH+mw0L1rjwThI5GXqNIee7o5FzUReSXZ +uTdFMyGe3Owcx+XoYnwi6cplSNoGsDBu4B9bKKglR9YleJVw4L4Xi8xPq6O9UPj4 ++nypHk/DOoC7DIM3ufN0yxPBsFo5TVowxfhdjZXJbbftd2TZv7AH8+XLA5UoZgRz +XgzECelXSCTBFlMTnT48LfA9pMLydyjAz2UdPHs5Iv+TK5nnI+aJoeaP7kFZSngx +dy1+A/bNAgMBAAEwDQYJKoZIhvcNAQELBQADggGBABunf93MKaCUHiZgnoOTinsW +84/EgInrgtKzAyH+BhnKkJOhhR0kkIAx5d9BpDlaSiRTACFon9moWCgDIIsK/Ar7 +JE0Kln9cV//wiiNoFU0O4mnzyGUIMvlaEX6QHMJJQYvL05+w/3AAcf5XmMJtR5ca +fJ8FqvGC34b2WxX9lTQoyT52sRt+1KnQikiMEnEyAdKktMG+MwKsFDdOwDXyZhZg +XZhRrfX3/NVJolqB6EahjWIGXDeKuSSKZVtCyib6LskyeMzN5lcRfvubKDdlqFVF +qlD7rHBsKhQUWK/IO64mGf7y/de+CgHtED5vDvr/p2uj/9sABATfbrOQR3W/Of25 +sLBj4OEfrJ7lX8hQgFaxkMI3x6VFT3W8dTCp7xnQgb6bgROWB5fNEZ9jk/gjSRmD +yIU+r0UbKe5kBk/CmZVFXL2TyJ92V5NYEQh8V4DGy19qZ6u/XKYyNJL4ocs35GGe +CA8SBuyrmdhx38h1RHErR2Skzadi1S7MwGf1y431fQ== +-----END CERTIFICATE----- diff --git a/testdata/auth_tls_failcert.tdir/auth_tls_failcert.dsc b/testdata/auth_tls_failcert.tdir/auth_tls_failcert.dsc new file mode 100644 index 000000000..ba11e2b8c --- /dev/null +++ b/testdata/auth_tls_failcert.tdir/auth_tls_failcert.dsc 
@@ -0,0 +1,16 @@ +BaseName: auth_tls_failcert +Version: 1.0 +Description: Perform AXFR over tls for authority zone where the cert fails +CreationDate: Thu 29 Aug 10:35:40 CEST 2024 +Maintainer: dr. W.C.A. Wijngaards +Category: +Component: +CmdDepends: +Depends: +Help: +Pre: auth_tls_failcert.pre +Post: auth_tls_failcert.post +Test: auth_tls_failcert.test +AuxFiles: +Passed: +Failure: diff --git a/testdata/auth_tls_failcert.tdir/auth_tls_failcert.nsd.conf b/testdata/auth_tls_failcert.tdir/auth_tls_failcert.nsd.conf new file mode 100644 index 000000000..c20ed21df --- /dev/null +++ b/testdata/auth_tls_failcert.tdir/auth_tls_failcert.nsd.conf @@ -0,0 +1,21 @@ +server: + logfile: "/dev/stderr" + xfrdfile: xfrd.state + username: "" + chroot: "" + zonesdir: "" + pidfile: "nsd.pid" + zonelistfile: "zone.list" + verbosity: 5 + port: @NSD_PORT@ + interface: 127.0.0.1@@NSD_PORT@ + + tls-port: @NSD_PORT@ + tls-service-key: "nsd_server.key" + tls-service-pem: "nsd_server.pem" + +zone: + name: "example.com" + zonefile: "example.com.zone" + provide-xfr: 0.0.0.0/0 NOKEY + provide-xfr: ::0/0 NOKEY diff --git a/testdata/auth_tls_failcert.tdir/auth_tls_failcert.post b/testdata/auth_tls_failcert.tdir/auth_tls_failcert.post new file mode 100644 index 000000000..db103df70 --- /dev/null +++ b/testdata/auth_tls_failcert.tdir/auth_tls_failcert.post @@ -0,0 +1,14 @@ +# #-- auth_tls_failcert.post --# +# source the master var file when it's there +[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master +# source the test var file when it's there +[ -f .tpkg.var.test ] && source .tpkg.var.test +# +# do your teardown here +. ../common.sh +kill_pid $NSD_PID +kill_pid $UNBOUND_PID +echo "nsd.log" +cat nsd.log +echo "unbound.log" +cat unbound.log diff --git a/testdata/auth_tls_failcert.tdir/auth_tls_failcert.pre b/testdata/auth_tls_failcert.tdir/auth_tls_failcert.pre new file mode 100644 index 000000000..519c363db --- /dev/null +++ b/testdata/auth_tls_failcert.tdir/auth_tls_failcert.pre 
@@ -0,0 +1,47 @@ +# #-- auth_tls_failcert.pre--# +# source the master var file when it's there +[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master +# use .tpkg.var.test for in test variable passing +[ -f .tpkg.var.test ] && source .tpkg.var.test + +. ../common.sh +PRE="../.." +if test -n "$NSD"; then + : +else + if `which nsd >/dev/null 2>&1`; then + # need nsd >= 4.2.0 + NSD="nsd" + else + if test -f $PRE/../nsd/nsd; then + NSD="$PRE/../nsd/nsd" + else + skip_test "need nsd" + fi + fi +fi +echo "NSD=$NSD" + +get_random_port 2 +UNBOUND_PORT=$RND_PORT +NSD_PORT=$(($RND_PORT + 1)) +echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test +echo "NSD_PORT=$NSD_PORT" >> .tpkg.var.test + +# make config file +sed -e 's/@UNBOUND_PORT\@/'$UNBOUND_PORT'/' -e 's/@NSD_PORT\@/'$NSD_PORT'/' < auth_tls_failcert.ub.conf > ub.conf +sed -e 's/@UNBOUND_PORT\@/'$UNBOUND_PORT'/' -e 's/@NSD_PORT\@/'$NSD_PORT'/' < auth_tls_failcert.nsd.conf > nsd.conf + +# start nsd +$NSD -d -c nsd.conf >nsd.log 2>&1 & +NSD_PID=$! +echo "NSD_PID=$NSD_PID" >> .tpkg.var.test + +# start unbound in the background +$PRE/unbound -d -c ub.conf >unbound.log 2>&1 & +UNBOUND_PID=$! +echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test + +cat .tpkg.var.test +wait_nsd_up nsd.log +wait_unbound_up unbound.log diff --git a/testdata/auth_tls_failcert.tdir/auth_tls_failcert.test b/testdata/auth_tls_failcert.tdir/auth_tls_failcert.test new file mode 100644 index 000000000..1f9e8e201 --- /dev/null +++ b/testdata/auth_tls_failcert.tdir/auth_tls_failcert.test 
@@ -0,0 +1,56 @@
+# #-- auth_tls_failcert.test --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+PRE="../.."
+# do the test
+echo "> dig www.example.com."
+dig @127.0.0.1 -p $UNBOUND_PORT www.example.com. | tee outfile
+if grep SERVFAIL outfile; then
+ echo "> try again"
+ dig @127.0.0.1 -p $UNBOUND_PORT www.example.com. | tee outfile
+fi
+if grep SERVFAIL outfile; then
+ echo "> try again"
+ sleep 1
+ dig @127.0.0.1 -p $UNBOUND_PORT www.example.com. | tee outfile
+fi
+if grep SERVFAIL outfile; then
+ echo "> try again"
+ sleep 1
+ dig @127.0.0.1 -p $UNBOUND_PORT www.example.com. | tee outfile
+fi
+if grep SERVFAIL outfile; then
+ echo "> try again"
+ sleep 1
+ dig @127.0.0.1 -p $UNBOUND_PORT www.example.com. | tee outfile
+fi
+if grep SERVFAIL outfile; then
+ echo "> try again"
+ sleep 1
+ dig @127.0.0.1 -p $UNBOUND_PORT www.example.com. | tee outfile
+fi
+if grep SERVFAIL outfile; then
+ echo "> try again"
+ sleep 1
+ dig @127.0.0.1 -p $UNBOUND_PORT www.example.com. | tee outfile
+fi
+echo "> check answer"
+if grep "1.2.3.4" outfile; then
+ echo "Not OK"
+ exit 1
+else
+ echo "OK not present"
+fi
+
+# But the server should be up
+if grep "SERVFAIL" outfile; then
+ echo "OK"
+else
+ echo "Not OK"
+ exit 1
+fi
+
+exit 0
diff --git a/testdata/auth_tls_failcert.tdir/auth_tls_failcert.ub.conf b/testdata/auth_tls_failcert.tdir/auth_tls_failcert.ub.conf
new file mode 100644
index 000000000..57e3dcfcb
--- /dev/null
+++ b/testdata/auth_tls_failcert.tdir/auth_tls_failcert.ub.conf
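Review bot: The six copied `if grep SERVFAIL outfile; then ... fi` retry blocks after the first `dig` are the same statement repeated, with the only difference that the first copy has no `sleep 1`; a bounded loop states the retry policy in one place and makes the number of attempts easy to change. The rewrite below keeps six retries and the one-second spacing and adds the sleep before the first retry as well, which only lengthens the run by a second on the failing path this test expects. The two checks at the end (no `1.2.3.4` in the answer, but a `SERVFAIL` so the server is known to be up) are unchanged.
```shell
# retry while unbound still answers SERVFAIL, at most six times, 1s apart
for try in 1 2 3 4 5 6; do
	grep SERVFAIL outfile || break
	echo "> try again"
	sleep 1
	dig @127.0.0.1 -p $UNBOUND_PORT www.example.com. | tee outfile
done
# … unchanged: answer checks and exit status …
```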
@@ -0,0 +1,23 @@ +server: + verbosity: 7 + # num-threads: 1 + interface: 127.0.0.1 + port: @UNBOUND_PORT@ + use-syslog: no + directory: "" + pidfile: "unbound.pid" + chroot: "" + username: "" + do-not-query-localhost: no + tls-service-key: "unbound_server.key" + tls-service-pem: "unbound_server.pem" + tls-cert-bundle: "nsd_server.pem" + +auth-zone: + name: "example.com" + for-upstream: yes + for-downstream: yes + # actual working primary: "127.0.0.1@@NSD_PORT@#nsd" + primary: "127.0.0.1@@NSD_PORT@#wrongname" + allow-notify: "127.0.0.2@@NSD_PORT@" + allow-notify: 127.0.0.1 diff --git a/testdata/auth_tls_failcert.tdir/example.com.zone b/testdata/auth_tls_failcert.tdir/example.com.zone new file mode 100644 index 000000000..18b5b407e --- /dev/null +++ b/testdata/auth_tls_failcert.tdir/example.com.zone @@ -0,0 +1,4 @@ +example.com. 240 IN SOA ns.nlnetlabs.nl. hostmaster.nlnetlabs.nl. 2024082400 28800 7200 604800 240 +example.com. NS ns.example.com. +ns.example.com. IN A 192.0.2.1 +www.example.com. A 1.2.3.4 diff --git a/testdata/auth_tls_failcert.tdir/nsd_server.key b/testdata/auth_tls_failcert.tdir/nsd_server.key new file mode 100644 index 000000000..5d9f61031 --- /dev/null +++ b/testdata/auth_tls_failcert.tdir/nsd_server.key 
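Review bot: `tls-cert-bundle: "nsd_server.pem"` makes unbound trust the nsd server certificate directly, so the failure this test relies on can only come from the `#wrongname` authentication name on `primary:`; a comment next to it such as `# nsd's own cert is trusted; the transfer must fail on the name check only` keeps a reader from assuming an untrusted-issuer scenario. Decoding the validity fields in the bundled nsd_server.pem suggests a notAfter of 2029-04-22 (unbound_server.pem appears to run to 2040-03-25); if the companion success test in this commit uses the same nsd certificate, it will start failing at that date, which is worth a note beside the fixture so the breakage is not mistaken for a regression.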
@@ -0,0 +1,39 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIG5QIBAAKCAYEAxLy5fFUI1OjXXbPcQ13303/K5AliTq6bCnS57edzQIbmPZj7 +XbGZ0RnU47cZ11GSAI9ptDIrSidNTsHzaqWZn431/IVjwrIkRgz95/aOWRov4fwm +cS5qvbYV60l384NZLqmF4BDDxSt2MLT2+jWxFEK2iUm2YXZewifQ8zaHmjfAWlo8 +TlK5jzt0Qc0qPv5nCC6mwtjb7OHul3N3QolW6hZOc1KZVEeBdELedoU9TyMyzhPB +vkqAXWoti/CwWj3YMTj/L7zNfQ9F1HW6n67Y+ltO8IadILPiZiiAVIrLqUh3EL2X +fq+BcJ3QvADjyL9F5TH3AaWoi6iYgMGcgdqK9k6hj+ziuMxX6OsgzfzxTEzZCHhP +Er39SX6j/fHzJP4aGQxAAHLAmv2p9P/oEZeZsvWPsBWYpULKgMZ0JDZhf26ddrB1 +mpTaqRQsG384dUZR9f/iyzTszwgc2PQ7JG6gVg723KoBhlD0g+DlC8XdxiRyaDbJ +PXzSoXgLWumx02OhAgMBAAECggGBAMS7MARriBRX7hzuYaEgE1V0oe+cjqi9o542 +EUMcQjzRaOVJ2HrdwUG+wgsgKwAMuqJCxuIBlRZm7MCH5CDODivmKohk3thviSRf +k3tlKv1g2Wby3YIqd2TT82FAK2nf+8tUi+H/AbVl+59DJwIXtMbc22m3w1/8nU8r +v5+l9L27aGcxesKbqKDZRC0Uu10YyvD8rZeEgY+EcjESrrxjV/1nZvWdMGR9yK74 +uzrri95aBVDbos7l8yz2oysf+UmUMp5U9rWwuU4M/34pFSGeo7CHjtliwbBF4FHn +uyompXaOr7Qrgeg4fc9NbZNaB4OAOV2d1sI202q6j3kEkhG4pD8LAG/RRnugCj7D +PKGJL3iZKxknjA+tAKkgq50EbMpLHHv1qSiKWy8p+bR5FyBYPSheOSkOKTywpqnd +OU+VDTi4iLDvkENt6E0TghSyhncl8yIcomYPktqepaNekCHquK5sX8NUhOzRe3WH +gX7l3e/o8JRvbwXJ8UWfQlKhPO/hvQKBwQDiLXVMf+Hjl/OoXHtF6huerNBux5CS +KYha5BLARs9W74kd9mTJ9F5IflenpzQJc1b/PnvvlcDDlniUvlgk463EA2th4qWp +50jFniq/l4rUMFk1vZBXldvuUaL6f+Ihi8WmoUAyguEVAB9G/EJ1bXqHKdJtxuz+ +/TXGBsXrF5+sZOTjfq96CgQtBmbPXMncPto0NndoMqcEB0bjsFywQXGCk6ZZZ3Ac +vwnZFqVwqro3aTwD+xllzVz+xBNK8GU+zW8CgcEA3q2EepAT7dlZAveC7VSLnFF/ +w86ziynGEuhoJly+zedDPkFIGxYje1SPaKhpMH2jOdCajyHPOGuWEeVfKMbzCrHP +GdFyiTQDk3Pq0JRXpUUJSPGPusAQnPruE68XccDb+eBiJR6y+0vXHd1J3F8B4BMQ +AloZZtlx9BkEZaaRjROxM7Ilbev4IjOcScTREb2GL8gU3vnI2FJjBMy6fI5cm4QK +XEgiLcxGniM77bAZTeoVFbpd4SSICDXVn/NM/XfvAoHBAMHbjKphAc/9MY6gldg6 +7Cl4nb4VtshQaNremWPMTXKKJNBVm9WtahJgl+jO2z8uaOalO70CchIyKm/zJcGY +lBtpguSHSs7xueIHy0QkM43jUtNJAyrO+46s0jA65Cs0jdhgZZHls944GJbTKHNV +vquTIRWOZxu3FBwDOihiOy2b3MNQlj7XzvR4hC4/rZTlGkmeVYItyBEf25bUVt2L +eisdOntuuR0qcNptGqgS7UEJJbOTyRUEjCyhCpg0q9LEaQKBwDF7N1wQ1gzdZlUt 
+cO+SAO/8gDqfnPAImVYsRLB5nYCdqiiUUxSJx9qpALEN80nuMS4wt5ekuKpd5dwW +Lx4dj3ZJ6q5fB2eLolvKv1wYCp3UCGsoGnsyIL7xV6QSHVCOvZL6FHURLE6BHM0r +FjWc+wqy0bTkFo7vNM48HOkFqYRC4vaM2JpjfCEFfO47iQW7Kq1FdbXSpZnEPPKd +F7eD3vpDzhWRhd7NbMfJJpD7t7PDl2nbnu7fska4x76iTvJoCwKBwQCcqj2yhl69 +1GfpzsOtfzh9rECrnKjAhmVbwRfKB1ivwe8G2tobgQjOUajBqkCYKpZgTy3wyhWn +0D4AdwonGu1XYLZWX+Hw/ZWhNEg/6Ju2wfiMJfFWmy5pvTSvmOlNWvYKwmH/TDjX +tEctSVj6D67xE5v6s3donTI0NFa1u7i1hwoGu4POCockbau52YN4n20R5K7enu2+ +YYpXfcUOmCi91Hpv+X1YbmY1tOo0m1ItYqupbuRFXnHVXJhKxsYXqlA= +-----END RSA PRIVATE KEY----- diff --git a/testdata/auth_tls_failcert.tdir/nsd_server.pem b/testdata/auth_tls_failcert.tdir/nsd_server.pem new file mode 100644 index 000000000..5d41ad2d6 --- /dev/null +++ b/testdata/auth_tls_failcert.tdir/nsd_server.pem 
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDozCCAgsCFCAZislHgIerlrBBkLFt/ZOkKYVZMA0GCSqGSIb3DQEBCwUAMA4x +DDAKBgNVBAMMA25zZDAeFw0xOTA0MjUxNTEzMjdaFw0yOTA0MjIxNTEzMjdaMA4x +DDAKBgNVBAMMA25zZDCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAMS8 +uXxVCNTo112z3ENd99N/yuQJYk6umwp0ue3nc0CG5j2Y+12xmdEZ1OO3GddRkgCP +abQyK0onTU7B82qlmZ+N9fyFY8KyJEYM/ef2jlkaL+H8JnEuar22FetJd/ODWS6p +heAQw8UrdjC09vo1sRRCtolJtmF2XsIn0PM2h5o3wFpaPE5SuY87dEHNKj7+Zwgu +psLY2+zh7pdzd0KJVuoWTnNSmVRHgXRC3naFPU8jMs4Twb5KgF1qLYvwsFo92DE4 +/y+8zX0PRdR1up+u2PpbTvCGnSCz4mYogFSKy6lIdxC9l36vgXCd0LwA48i/ReUx +9wGlqIuomIDBnIHaivZOoY/s4rjMV+jrIM388UxM2Qh4TxK9/Ul+o/3x8yT+GhkM +QABywJr9qfT/6BGXmbL1j7AVmKVCyoDGdCQ2YX9unXawdZqU2qkULBt/OHVGUfX/ +4ss07M8IHNj0OyRuoFYO9tyqAYZQ9IPg5QvF3cYkcmg2yT180qF4C1rpsdNjoQID +AQABMA0GCSqGSIb3DQEBCwUAA4IBgQB+WGMopDqNkv7yDAO8Ik2EWieDqxTshqR4 +bT1do9zsC9WDrIVxoVcn+dtlIpEQl8MN9U5DTKBbRgk3grOwUsg2kC0Gujv3vAyQ +bF+jxjHWd1xzrbQ+QUgz07P1OMFWxMzECL2L2078UZbawFqKqlmNv5avUk27G8nB +GrujT/pUOIpRXC+rao8e14R84dPJLZuGm9IAeEBQIIdhY9sjFRyoQdCUubyKPpkm +/fpcDMkt7PzZ4nTovj4NUxnnoUGonpXuj0pHA/RDDJkPYaRrND4OGldQXdZ9LJNM +pROL6aCZ5iog74OY8yutVzCgGge9vZLkysceVP7Lyks9/fEAtIuozmulp9TUQAeR +MVdDOcREWRd0vFNtAC9xSloRqV+66CzrFHwkSMpLo+gdgcAZ8s33rgQk+I4gfavU +jPWMZVcZHXevtWuTRnxfOpMkbwiRyr2J8m549K7OKZgr+JRhdJTev4lvXVyfFia4 +zr6UOK4exZWP6VDXb4IyZbJh+LMjmws= +-----END CERTIFICATE----- diff --git a/testdata/auth_tls_failcert.tdir/unbound_server.key b/testdata/auth_tls_failcert.tdir/unbound_server.key new file mode 100644 index 000000000..370a7bbb2 --- /dev/null +++ b/testdata/auth_tls_failcert.tdir/unbound_server.key 
@@ -0,0 +1,39 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIG5AIBAAKCAYEAvjSVSN2QMXudpzukdLCqgg/IOhCX8KYkD0FFFfWcQjgKq5wI +0x41iG32a6wbGanre4IX7VxaSPu9kkHfnGgynCk5nwDRedE/FLFhAU78PoT0+Nqq +GRS7XVQ24vLmIz9Hqc2Ozx1um1BXBTmIT0UfN2e22I0LWQ6a3seZlEDRj45gnk7Z +uh9MDgotaBdm+v1JAbupSf6Zis4VEH3JNdvVGE3O1DHEIeuuz/3BDhpf6WBDH+8K +WaBe1ca4TZHr9ThL2gEMEfAQl0wXDwRWRoi3NjNMH+mw0L1rjwThI5GXqNIee7o5 +FzUReSXZuTdFMyGe3Owcx+XoYnwi6cplSNoGsDBu4B9bKKglR9YleJVw4L4Xi8xP +q6O9UPj4+nypHk/DOoC7DIM3ufN0yxPBsFo5TVowxfhdjZXJbbftd2TZv7AH8+XL +A5UoZgRzXgzECelXSCTBFlMTnT48LfA9pMLydyjAz2UdPHs5Iv+TK5nnI+aJoeaP +7kFZSngxdy1+A/bNAgMBAAECggGBALpTOIqQwVg4CFBylL/a8K1IWJTI/I65sklf +XxYL7G7SB2HlEJ//z+E+F0+S4Vlao1vyLQ5QkgE82pAUB8FoMWvY1qF0Y8A5wtm6 +iZSGk4OLK488ZbT8Ii9i+AGKgPe2XbVxsJwj8N4k7Zooqec9hz73Up8ATEWJkRz7 +2u7oMGG4z91E0PULA64dOi3l/vOQe5w/Aa+CwVbAWtI05o7kMvQEBMDJn6C7CByo +MB5op9wueJMnz7PM7hns+U7Dy6oE4ljuolJUy51bDzFWwoM54cRoQqLFNHd8JVQj +WxldCkbfF43iyprlsEcUrTyUjtdA+ZeiG39vg/mtdmgNpGmdupHJZQvSuG8IcVlz +O+eMSeQS1QXPD6Ik8UK4SU0h+zOl8xIWtRrsxQuh4fnTN40udm/YUWl/6gOebsBI +IrVLlKGqJSfB3tMjpCRqdTzJ0dA9keVpkqm2ugZkxEf1+/efq/rFIQ2pUBLCqNTN +qpNqruK8y8FphP30I2uI4Ej2UIB8AQKBwQDd2Yptj2FyDyaXCycsyde0wYkNyzGU +dRnzdibfHnMZwjgTjwAwgIUBVIS8H0/z7ZJQKN7osJfddMrtjJtYYUk9g/dCpHXs +bNh2QSoWah3FdzNGuWd0iRf9+LFxhjAAMo/FS8zFJAJKrFsBdCGTfFUMdsLC0bjr +YjiWBuvV72uKf8XIZX5KIZruKdWBBcWukcb21R1UDyFYyXRBsly5XHaIYKZql3km +7pV7MKWO0IYgHbHIqGUqPQlzZ/lkunS1jKECgcEA23wHffD6Ou9/x3okPx2AWpTr +gh8rgqbyo6hQkBW5Y90Wz824cqaYebZDaBR/xlVx/YwjKkohv8Bde2lpH/ZxRZ1Z +5Sk2s6GJ/vU0L9RsJZgCgj4L6Coal1NMxuZtCXAlnOpiCdxSZgfqbshbTVz30KsG +ZJG361Cua1ScdAHxlZBxT52/1Sm0zRC2hnxL7h4qo7Idmtzs40LAJvYOKekR0pPN +oWeJfra7vgx/jVNvMFWoOoSLpidVO4g+ot4ery6tAoHAdW3rCic1C2zdnmH28Iw+ +s50l8Lk3mz+I5wgJd1zkzCO0DxZIoWPGA3g7cmCYr6N3KRsZMs4W9NAXgjpFGDkW +zYsG3K21BdpvkdjYcFjnPVjlOXB2RIc0vehf9Jl02wXoeCSxVUDEPcaRvWk9RJYx +ZpGOchUU7vNkxHURbIJ4yCzuAi9G8/Jp0dsu+kaV5tufF5SjG5WOrzKjaQsCbdN1 +oqaWMCHRrTvov/Z2C+xwsptFOdN5CSyZzg6hQiI4GMlBAoHAXyb6KINcOEi0YMp3 
+BFXJ23tMTnEs78tozcKeipigcsbaqORK3omS+NEnj+uzKUzJyl4CsMbKstK2tFYS +mSTCHqgE3PBtIpsZtEqhgUraR8IK9GPpzZDTTl9ynZgwFTNlWw3RyuyVXF56J+T8 +kCGJ3hEHCHqT/ZRQyX85BKIDFhA0z4tYKxWVqIFiYBNq56R0X9tMMmMs36mEnF93 +7Ht6mowxTZQRa7nU0qOgeKh/P7ki4Zus3y+WJ+T9IqahLtlRAoHBAIhqMrcxSAB8 +RpB9jukJlAnidw2jCMPgrFE8tP0khhVvGrXMldxAUsMKntDIo8dGCnG1KTcWDI0O +jepvSPHSsxVLFugL79h0eVIS5z4huW48i9xgU8VlHdgAcgEPIAOFcOw2BCu/s0Vp +O+MM/EyUOdo3NsibB3qc/GJI6iNBYS7AljYEVo6rXo5V/MZvZUF4vClen6Obzsre +MTTb+4sJjfqleWuvr1XNMeu2mBfXBQkWGZP1byBK0MvD/aQ2PWq92A== +-----END RSA PRIVATE KEY----- diff --git a/testdata/auth_tls_failcert.tdir/unbound_server.pem b/testdata/auth_tls_failcert.tdir/unbound_server.pem new file mode 100644 index 000000000..986807310 --- /dev/null +++ b/testdata/auth_tls_failcert.tdir/unbound_server.pem 
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDqzCCAhMCFBHWXeQ6ZIa9QcQbXLFfC6tj+KA+MA0GCSqGSIb3DQEBCwUAMBIx +EDAOBgNVBAMMB3VuYm91bmQwHhcNMjAwNzA4MTMzMjI5WhcNNDAwMzI1MTMzMjI5 +WjASMRAwDgYDVQQDDAd1bmJvdW5kMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIB +igKCAYEAvjSVSN2QMXudpzukdLCqgg/IOhCX8KYkD0FFFfWcQjgKq5wI0x41iG32 +a6wbGanre4IX7VxaSPu9kkHfnGgynCk5nwDRedE/FLFhAU78PoT0+NqqGRS7XVQ2 +4vLmIz9Hqc2Ozx1um1BXBTmIT0UfN2e22I0LWQ6a3seZlEDRj45gnk7Zuh9MDgot +aBdm+v1JAbupSf6Zis4VEH3JNdvVGE3O1DHEIeuuz/3BDhpf6WBDH+8KWaBe1ca4 +TZHr9ThL2gEMEfAQl0wXDwRWRoi3NjNMH+mw0L1rjwThI5GXqNIee7o5FzUReSXZ +uTdFMyGe3Owcx+XoYnwi6cplSNoGsDBu4B9bKKglR9YleJVw4L4Xi8xPq6O9UPj4 ++nypHk/DOoC7DIM3ufN0yxPBsFo5TVowxfhdjZXJbbftd2TZv7AH8+XLA5UoZgRz +XgzECelXSCTBFlMTnT48LfA9pMLydyjAz2UdPHs5Iv+TK5nnI+aJoeaP7kFZSngx +dy1+A/bNAgMBAAEwDQYJKoZIhvcNAQELBQADggGBABunf93MKaCUHiZgnoOTinsW +84/EgInrgtKzAyH+BhnKkJOhhR0kkIAx5d9BpDlaSiRTACFon9moWCgDIIsK/Ar7 +JE0Kln9cV//wiiNoFU0O4mnzyGUIMvlaEX6QHMJJQYvL05+w/3AAcf5XmMJtR5ca +fJ8FqvGC34b2WxX9lTQoyT52sRt+1KnQikiMEnEyAdKktMG+MwKsFDdOwDXyZhZg +XZhRrfX3/NVJolqB6EahjWIGXDeKuSSKZVtCyib6LskyeMzN5lcRfvubKDdlqFVF +qlD7rHBsKhQUWK/IO64mGf7y/de+CgHtED5vDvr/p2uj/9sABATfbrOQR3W/Of25 +sLBj4OEfrJ7lX8hQgFaxkMI3x6VFT3W8dTCp7xnQgb6bgROWB5fNEZ9jk/gjSRmD +yIU+r0UbKe5kBk/CmZVFXL2TyJ92V5NYEQh8V4DGy19qZ6u/XKYyNJL4ocs35GGe +CA8SBuyrmdhx38h1RHErR2Skzadi1S7MwGf1y431fQ== +-----END CERTIFICATE----- From 52154e658a4e0d1943ae1e1ee1418cfb4565823e Mon Sep 17 00:00:00 2001 From: "W.C.A. Wijngaards" Date: Thu, 29 Aug 2024 13:04:03 +0200 Subject: [PATCH 17/33] - Fix to print port number in logs for auth zone transfer activities. --- doc/Changelog | 1 + services/authzone.c | 39 +++++++++++++++++++++++++++++++-------- 2 files changed, 32 insertions(+), 8 deletions(-) diff --git a/doc/Changelog b/doc/Changelog index a2802909b..40cf487d3 100644 --- a/doc/Changelog +++ b/doc/Changelog 
@@ -1,5 +1,6 @@
 29 August 2024: Wouter
 - Unit test for auth zone transfer TLS, and TLS failure.
+ - Fix to print port number in logs for auth zone transfer activities.
 
 28 August 2024: Wouter
 - Fix that when rpz is applied the message does not get picked up by
diff --git a/services/authzone.c b/services/authzone.c
index 580a681f5..4259f694e 100644
--- a/services/authzone.c
+++ b/services/authzone.c
@@ -3684,6 +3684,29 @@ auth_zone_parse_notify_serial(sldns_buffer* pkt, uint32_t *serial)
 return 1;
 }
 
+/** print addr to str, and if not 53, append @port number, for logs. */
+static void addr_port_to_str(struct sockaddr_storage* addr, socklen_t addrlen,
+ char* buf, size_t len)
+{
+ uint16_t port = 0;
+ if(addr_is_ip6(addr, addrlen)) {
+ struct sockaddr_in6* sa = (struct sockaddr_in6*)addr;
+ port = ntohs((uint16_t)sa->sin6_port);
+ } else {
+ struct sockaddr_in* sa = (struct sockaddr_in*)addr;
+ port = ntohs((uint16_t)sa->sin_port);
+ }
+ if(port == UNBOUND_DNS_PORT) {
+ /* If it is port 53, print it plainly. */
+ addr_to_str(addr, addrlen, buf, len);
+ } else {
+ char a[256];
+ a[0]=0;
+ addr_to_str(addr, addrlen, a, sizeof(a));
+ snprintf(buf, len, "%s@%d", a, (int)port);
+ }
+}
+
 /** see if addr appears in the list */
 static int
 addr_in_list(struct auth_addr* list, struct sockaddr_storage* addr,
@@ -5516,7 +5539,7 @@ xfr_transfer_init_fetch(struct auth_xfer* xfr, struct module_env* env)
 if(!xfr->task_transfer->cp) {
 char zname[255+1], as[256];
 dname_str(xfr->name, zname);
- addr_to_str(&addr, addrlen, as, sizeof(as));
+ addr_port_to_str(&addr, addrlen, as, sizeof(as));
 verbose(VERB_ALGO, "cannot create http cp "
 "connection for %s to %s", zname, as);
 return 0;
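Review bot: The two branches of addr_port_to_str treat a failing addr_to_str differently: the non-53 path clears `a[0]=0;` before the call, while the port-53 path writes straight into the caller's `buf`, which every caller in this series declares uninitialised (`char as[256]`, `char s[64]`) and then prints with `%s`; if addr_to_str can leave its buffer untouched, a `buf[0]=0;` at the top of the function makes both paths consistent, and if it cannot, the `a[0]=0;` is dead and can go. The function also truncates silently through snprintf, so the header comment should state what callers must provide, e.g. `/** buf must hold the address text plus "@65535"; 64 bytes suffice for an IPv6 literal. */` — the `char s[64]` in xfr_master_add_addrs (next hunk group) is the tightest caller and fits only because IPv6 text is at most 45 characters.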
@@ -5525,7 +5548,7 @@ xfr_transfer_init_fetch(struct auth_xfer* xfr, struct module_env* env)
 if(verbosity >= VERB_ALGO) {
 char zname[255+1], as[256];
 dname_str(xfr->name, zname);
- addr_to_str(&addr, addrlen, as, sizeof(as));
+ addr_port_to_str(&addr, addrlen, as, sizeof(as));
 verbose(VERB_ALGO, "auth zone %s transfer next HTTP fetch from %s started", zname, as);
 }
 /* Create or refresh the list of allow_notify addrs */
@@ -5548,7 +5571,7 @@ xfr_transfer_init_fetch(struct auth_xfer* xfr, struct module_env* env)
 if(!xfr->task_transfer->cp) {
 char zname[255+1], as[256];
 dname_str(xfr->name, zname);
- addr_to_str(&addr, addrlen, as, sizeof(as));
+ addr_port_to_str(&addr, addrlen, as, sizeof(as));
 verbose(VERB_ALGO, "cannot create tcp cp connection for "
 "xfr %s to %s", zname, as);
 return 0;
@@ -5557,7 +5580,7 @@ xfr_transfer_init_fetch(struct auth_xfer* xfr, struct module_env* env)
 if(verbosity >= VERB_ALGO) {
 char zname[255+1], as[256];
 dname_str(xfr->name, zname);
- addr_to_str(&addr, addrlen, as, sizeof(as));
+ addr_port_to_str(&addr, addrlen, as, sizeof(as));
 verbose(VERB_ALGO, "auth zone %s transfer next %s fetch from %s started", zname, (xfr->task_transfer->on_ixfr?"IXFR":"AXFR"), as);
 }
@@ -5660,7 +5683,7 @@ xfr_master_add_addrs(struct auth_master* m, struct ub_packed_rrset_key* rrset,
 }
 if(verbosity >= VERB_ALGO) {
 char s[64];
- addr_to_str(&a->addr, a->addrlen, s, sizeof(s));
+ addr_port_to_str(&a->addr, a->addrlen, s, sizeof(s));
 verbose(VERB_ALGO, "auth host %s lookup %s", m->host, s);
 }
@@ -6406,7 +6429,7 @@ xfr_probe_send_probe(struct auth_xfer* xfr, struct module_env* env,
 if(!xfr->task_probe->cp) {
 char zname[255+1], as[256];
 dname_str(xfr->name, zname);
- addr_to_str(&addr, addrlen, as, sizeof(as));
+ addr_port_to_str(&addr, addrlen, as, sizeof(as));
 verbose(VERB_ALGO, "cannot create udp cp for "
 "probe %s to %s", zname, as);
 return 0;
@@ -6426,7 +6449,7 @@ xfr_probe_send_probe(struct auth_xfer* xfr, struct module_env* env,
 (struct sockaddr*)&addr, addrlen, 0)) {
 char zname[255+1], as[256];
 dname_str(xfr->name, zname);
- addr_to_str(&addr, addrlen, as, sizeof(as));
+ addr_port_to_str(&addr, addrlen, as, sizeof(as));
 verbose(VERB_ALGO, "failed to send soa probe for %s to %s", zname, as);
 return 0;
@@ -6434,7 +6457,7 @@ xfr_probe_send_probe(struct auth_xfer* xfr, struct module_env* env,
 if(verbosity >= VERB_ALGO) {
 char zname[255+1], as[256];
 dname_str(xfr->name, zname);
- addr_to_str(&addr, addrlen, as, sizeof(as));
+ addr_port_to_str(&addr, addrlen, as, sizeof(as));
 verbose(VERB_ALGO, "auth zone %s soa probe sent to %s", zname, as);
 }
From 30bf996f39f8620870aa5c6f4ff84759eaece9f6 Mon Sep 17 00:00:00 2001
From: Loganaden Velvindron
Date: Fri, 30 Aug 2024 10:48:31 +0400
Subject: [PATCH 18/33] b.root renumbering (#1132)
https://b.root-servers.org/news/2023/05/16/new-addresses.html Worked together with Jaykishan Muktawoa
---
 testdata/zonemd.example_a5.zone | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/testdata/zonemd.example_a5.zone b/testdata/zonemd.example_a5.zone
index 246f5e237..114862aab 100644
--- a/testdata/zonemd.example_a5.zone
+++ b/testdata/zonemd.example_a5.zone
@@ -16,8 +16,8 @@ root-servers.net. 3600000 IN NS m.root-servers.net.
 a.root-servers.net. 3600000 IN AAAA 2001:503:ba3e::2:30
 a.root-servers.net. 3600000 IN A 198.41.0.4
 b.root-servers.net. 3600000 IN MX 20 mail.isi.edu.
-b.root-servers.net. 3600000 IN AAAA 2001:500:200::b
-b.root-servers.net. 3600000 IN A 199.9.14.201
+b.root-servers.net. 3600000 IN AAAA 2801:1b8:10::b
+b.root-servers.net. 3600000 IN A 170.247.170.2
 c.root-servers.net. 3600000 IN AAAA 2001:500:2::c
 c.root-servers.net. 3600000 IN A 192.33.4.12
 d.root-servers.net. 3600000 IN AAAA 2001:500:2d::d
From fb198b96f1c047a5533dbe2cd3a2888163d97200 Mon Sep 17 00:00:00 2001
From: "W.C.A. Wijngaards"
Date: Fri, 30 Aug 2024 08:51:56 +0200
Subject: [PATCH 19/33] Changelog note for #1132 and fix for #1132.
- Merge #1132: b.root renumbering.
- Fix for #1132, adjusted unit test for change in the test file.
---
 doc/Changelog | 4 ++++
 testcode/unitzonemd.c | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/doc/Changelog b/doc/Changelog
index 40cf487d3..e14ca5bc6 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,7 @@
+30 August 2024: Wouter
+ - Merge #1132: b.root renumbering.
+ - Fix for #1132, adjusted unit test for change in the test file.
+
 29 August 2024: Wouter
 - Unit test for auth zone transfer TLS, and TLS failure.
 - Fix to print port number in logs for auth zone transfer activities.
diff --git a/testcode/unitzonemd.c b/testcode/unitzonemd.c
index 9ddf201f9..ba745d382 100644
--- a/testcode/unitzonemd.c
+++ b/testcode/unitzonemd.c
@@ -167,7 +167,7 @@ static void zonemd_generate_tests(void)
 /* https://tools.ietf.org/html/draft-ietf-dnsop-dns-zone-digest-12
 * from section A.5 */
 zonemd_generate_test("root-servers.net", SRCDIRSTR "/testdata/zonemd.example_a5.zone",
- 1, 1, "f1ca0ccd91bd5573d9f431c00ee0101b2545c97602be0a978a3b11dbfc1c776d5b3e86ae3d973d6b5349ba7f04340f79");
+ 1, 1, "5a9521d88984ee123d9626191e2a327a43a16fd4339dd4ecc13d8672d5bae527d066d33645e35778677800005247d199");
 }
 
 /** test the zonemd check routine */
From a887284703d4505674fb03f1883d15d13170d368 Mon Sep 17 00:00:00 2001
From: "W.C.A. Wijngaards"
Date: Fri, 30 Aug 2024 08:56:00 +0200
Subject: [PATCH 20/33] - Fix for #1132, comment about adjusted copy of reference check.
---
 doc/Changelog | 1 +
 testcode/unitzonemd.c | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/doc/Changelog b/doc/Changelog
index e14ca5bc6..78f13b36a 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,6 +1,7 @@
 30 August 2024: Wouter
 - Merge #1132: b.root renumbering.
 - Fix for #1132, adjusted unit test for change in the test file.
+ - Fix for #1132, comment about adjusted copy of reference check.
 
 29 August 2024: Wouter
 - Unit test for auth zone transfer TLS, and TLS failure.
diff --git a/testcode/unitzonemd.c b/testcode/unitzonemd.c
index ba745d382..a8a168e33 100644
--- a/testcode/unitzonemd.c
+++ b/testcode/unitzonemd.c
@@ -165,7 +165,8 @@ static void zonemd_generate_tests(void)
 1, 1, "1291b78ddf7669b1a39d014d87626b709b55774c5d7d58fadc556439889a10eaf6f11d615900a4f996bd46279514e473");
 
 /* https://tools.ietf.org/html/draft-ietf-dnsop-dns-zone-digest-12
- * from section A.5 */
+ * from section A.5.
+ * Adjusted with renumbered B.root. */
 zonemd_generate_test("root-servers.net", SRCDIRSTR "/testdata/zonemd.example_a5.zone",
 1, 1, "5a9521d88984ee123d9626191e2a327a43a16fd4339dd4ecc13d8672d5bae527d066d33645e35778677800005247d199");
 }
From 9f09c36401dd17be7c698e9d9cdfb75187da05c4 Mon Sep 17 00:00:00 2001
From: Keelan Cannoo <96436249+Keelan10@users.noreply.github.com>
Date: Mon, 2 Sep 2024 11:24:55 +0400
Subject: [PATCH 21/33] Add new IANA trust anchor (#1135)
Signed-off-by: Keelan Cannoo
Co-authored-by: Keelan10
---
 libunbound/python/examples/dnssec_test.py | 1 +
 1 file changed, 1 insertion(+)
diff --git a/libunbound/python/examples/dnssec_test.py b/libunbound/python/examples/dnssec_test.py
index b76c0437e..1a125affa 100644
--- a/libunbound/python/examples/dnssec_test.py
+++ b/libunbound/python/examples/dnssec_test.py
@@ -30,6 +30,7 @@ def dnssecParse(domain, rrType=RR_TYPE_A):
 resolver = ub_ctx()
 resolver.add_ta(". IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5")
 resolver.add_ta(". IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D")
+resolver.add_ta(". IN DS 38696 8 2 683D2D0ACB8C9B712A1948B27F741219298D0A450D612C483AF444A4C0FB2B16")
 
 dnssecParse("nic.cz")
 dnssecParse("nonexistent-domain-blablabla.cz")
From 99824bc0e6dddf9a9e5f419dce1d0e10b9071950 Mon Sep 17 00:00:00 2001
From: "W.C.A. Wijngaards"
Date: Mon, 2 Sep 2024 09:25:44 +0200
Subject: [PATCH 22/33] Changelog note for #1135
- Merge #1135: Add new IANA trust anchor.
---
 doc/Changelog | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/doc/Changelog b/doc/Changelog
index 78f13b36a..2238cca45 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,6 @@
+2 September 2024: Wouter
+ - Merge #1135: Add new IANA trust anchor.
+
 30 August 2024: Wouter
 - Merge #1132: b.root renumbering.
 - Fix for #1132, adjusted unit test for change in the test file.
From 7ecff4113ca329b7796660ea171c83788f53a13c Mon Sep 17 00:00:00 2001
From: "W.C.A. Wijngaards"
Date: Thu, 5 Sep 2024 09:35:54 +0200
Subject: [PATCH 23/33] - Fix config file read for dnstap-sample-rate.
---
 doc/Changelog | 3 +++
 util/configlexer.lex | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/doc/Changelog b/doc/Changelog
index 2238cca45..e2ab5ccf8 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,6 @@
+5 September 2024: Wouter
+ - Fix config file read for dnstap-sample-rate.
+
 2 September 2024: Wouter
 - Merge #1135: Add new IANA trust anchor.
 
diff --git a/util/configlexer.lex b/util/configlexer.lex
index 8b37131cf..527d5bfb9 100644
--- a/util/configlexer.lex
+++ b/util/configlexer.lex
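Review bot: The added `resolver.add_ta(...)` for key tag 38696 sits beside the two older root DS records with nothing saying where the values come from or why all three are kept, so a reader of this example cannot judge whether the list is current; a comment above the three calls such as `# Root zone KSK trust anchors (key tags 19036, 20326, 38696); verify against https://data.iana.org/root-anchors/root-anchors.xml before reusing` documents the provenance a trust anchor deserves. Whether these statements sit inside dnssecParse or at module level is not visible in the hunk.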
@@ -514,7 +514,7 @@ dnstap-log-forwarder-query-messages{COLON} { YDVAR(1, VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES) }
 dnstap-log-forwarder-response-messages{COLON} { YDVAR(1, VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES) }
-dnstap-sample-rate { YDVAR(1, VAR_DNSTAP_SAMPLE_RATE) }
+dnstap-sample-rate{COLON} { YDVAR(1, VAR_DNSTAP_SAMPLE_RATE) }
 disable-dnssec-lame-check{COLON} { YDVAR(1, VAR_DISABLE_DNSSEC_LAME_CHECK) }
 ip-ratelimit{COLON} { YDVAR(1, VAR_IP_RATELIMIT) }
 ip-ratelimit-cookie{COLON} { YDVAR(1, VAR_IP_RATELIMIT_COOKIE) }
From c36ce2a3901c57f30e536ec5088af6165bc70f91 Mon Sep 17 00:00:00 2001
From: Yorgos Thessalonikefs
Date: Fri, 6 Sep 2024 16:01:30 +0200
Subject: [PATCH 24/33] - Fix alloc-size and calloc-transposed-args compiler warnings.
---
 doc/Changelog | 3 +++
 libunbound/context.c | 2 +-
 testcode/perf.c | 6 +++---
 testcode/testbound.c | 2 +-
 validator/validator.c | 4 ++--
 5 files changed, 10 insertions(+), 7 deletions(-)
diff --git a/doc/Changelog b/doc/Changelog
index e2ab5ccf8..6b9d799a1 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,6 @@
+6 September 2024: Yorgos
+ - Fix alloc-size and calloc-transposed-args compiler warnings.
+
 5 September 2024: Wouter
 - Fix config file read for dnstap-sample-rate.
 
diff --git a/libunbound/context.c b/libunbound/context.c
index 05f57987a..a1a4adf98 100644
--- a/libunbound/context.c
+++ b/libunbound/context.c
@@ -395,7 +395,7 @@ context_serialize_cancel(struct ctx_query* q, uint32_t* len)
 /* format of cancel:
 * o uint32 cmd
 * o uint32 async-id */
- uint8_t* p = (uint8_t*)reallocarray(NULL, sizeof(uint32_t), 2);
+ uint8_t* p = (uint8_t*)reallocarray(NULL, 2, sizeof(uint32_t));
 if(!p) return NULL;
 *len = 2*sizeof(uint32_t);
 sldns_write_uint32(p, UB_LIBCMD_CANCEL);
diff --git a/testcode/perf.c b/testcode/perf.c
index 2be86c4bf..0a4ff1726 100644
--- a/testcode/perf.c
+++ b/testcode/perf.c
@@ -220,7 +220,7 @@ perfsetup(struct perfinfo* info)
 #endif
 signal(SIGTERM, perf_sigh) == SIG_ERR)
 fatal_exit("could not bind to signal");
- info->io = (struct perfio*)calloc(sizeof(struct perfio), info->io_num);
+ info->io = (struct perfio*)calloc(info->io_num, sizeof(struct perfio));
 if(!info->io) fatal_exit("out of memory");
 #ifndef S_SPLINT_S
 FD_ZERO(&info->rset);
@@ -501,8 +501,8 @@ qlist_grow_capacity(struct perfinfo* info)
 {
 size_t newcap = (size_t)((info->qlist_capacity==0)?16:
 info->qlist_capacity*2);
- uint8_t** d = (uint8_t**)calloc(sizeof(uint8_t*), newcap);
- size_t* l = (size_t*)calloc(sizeof(size_t), newcap);
+ uint8_t** d = (uint8_t**)calloc(newcap, sizeof(uint8_t*));
+ size_t* l = (size_t*)calloc(newcap, sizeof(size_t));
 if(!d || !l) fatal_exit("out of memory");
 if(info->qlist_data && info->qlist_capacity)
 memcpy(d, info->qlist_data, sizeof(uint8_t*)*
diff --git a/testcode/testbound.c b/testcode/testbound.c
index 123fe0d4e..70feb7972 100644
--- a/testcode/testbound.c
+++ b/testcode/testbound.c
@@ -502,7 +502,7 @@ struct listen_port* daemon_remote_open_ports(struct config_file*
 
 struct daemon_remote* daemon_remote_create(struct config_file* ATTR_UNUSED(cfg))
 {
- return (struct daemon_remote*)calloc(1,1);
+ return (struct daemon_remote*)calloc(1, sizeof(struct daemon_remote));
 }
 
 void daemon_remote_delete(struct daemon_remote* rc)
diff --git a/validator/validator.c b/validator/validator.c
index 57cd3031a..da9215883 100644
--- a/validator/validator.c
+++ b/validator/validator.c
@@ -97,8 +97,8 @@ fill_nsec3_iter(struct val_env* ve, char* s, int c)
 int i;
 free(ve->nsec3_keysize);
 free(ve->nsec3_maxiter);
- ve->nsec3_keysize = (size_t*)calloc(sizeof(size_t), (size_t)c);
- ve->nsec3_maxiter = (size_t*)calloc(sizeof(size_t), (size_t)c);
+ ve->nsec3_keysize = (size_t*)calloc((size_t)c, sizeof(size_t));
+ ve->nsec3_maxiter = (size_t*)calloc((size_t)c, sizeof(size_t));
 if(!ve->nsec3_keysize || !ve->nsec3_maxiter) {
 log_err("out of memory");
 return 0;
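Review bot: Swapping the arguments to `calloc((size_t)c, sizeof(size_t))` in fill_nsec3_iter silences the warning but keeps the `(size_t)c` conversion of an `int` parameter (visible in the hunk header): a zero `c` gives a zero-length allocation that the following `if(!ve->nsec3_keysize || ...)` may or may not treat as failure depending on the allocator, and a negative `c` becomes an enormous request. The function body starts outside the hunk, so if `c` is not already guaranteed positive where it is counted, a guard before the allocations — `if(c <= 0) { log_err("nsec3 iteration list is empty"); return 0; }` — would make the contract explicit rather than relying on the caller.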
From d3fdbba87757323063ee116a9924c68d48b67b3d Mon Sep 17 00:00:00 2001
From: Yorgos Thessalonikefs
Date: Fri, 6 Sep 2024 16:03:20 +0200
Subject: [PATCH 25/33] - Fix comment to not trigger doxygen unknown command.
---
 doc/Changelog | 1 +
 services/authzone.c | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/doc/Changelog b/doc/Changelog
index 6b9d799a1..8a22e049d 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,5 +1,6 @@
 6 September 2024: Yorgos
 - Fix alloc-size and calloc-transposed-args compiler warnings.
+ - Fix comment to not trigger doxygen unknown command.
 
 5 September 2024: Wouter
 - Fix config file read for dnstap-sample-rate.
diff --git a/services/authzone.c b/services/authzone.c
index 4259f694e..6f6c55d43 100644
--- a/services/authzone.c
+++ b/services/authzone.c
@@ -3684,7 +3684,7 @@ auth_zone_parse_notify_serial(sldns_buffer* pkt, uint32_t *serial)
 return 1;
 }
 
-/** print addr to str, and if not 53, append @port number, for logs. */
+/** print addr to str, and if not 53, append "@port_number", for logs. */
 static void addr_port_to_str(struct sockaddr_storage* addr, socklen_t addrlen,
 char* buf, size_t len)
 {
From 24e0f0ab7e85995f497aa8799af52bbb12ffe042 Mon Sep 17 00:00:00 2001
From: "W.C.A. Wijngaards"
Date: Tue, 10 Sep 2024 10:13:48 +0200
Subject: [PATCH 26/33] - Fix to limit NSEC and NSEC3 TTL when aggressive nsec is enabled (RFC9077).
---
 doc/Changelog | 4 ++++
 iterator/iterator.c | 47 ++++++++++++++++++++++++++++++++++++++++++++-
 2 files changed, 50 insertions(+), 1 deletion(-)
diff --git a/doc/Changelog b/doc/Changelog
index 8a22e049d..136fd0b68 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,7 @@
+10 September 2024: Wouter
+ - Fix to limit NSEC and NSEC3 TTL when aggressive nsec is
+ enabled (RFC9077).
+
 6 September 2024: Yorgos
 - Fix alloc-size and calloc-transposed-args compiler warnings.
 - Fix comment to not trigger doxygen unknown command.
diff --git a/iterator/iterator.c b/iterator/iterator.c
index 659af34d9..d566a7998 100644
--- a/iterator/iterator.c
+++ b/iterator/iterator.c
@@ -367,6 +367,48 @@ error_response_cache(struct module_qstate* qstate, int id, int rcode)
 return error_response(qstate, id, rcode);
 }
 
+/** limit NSEC and NSEC3 TTL in response, RFC9077 */
+static void
+limit_nsec_ttl(struct dns_msg* msg)
+{
+ size_t i;
+ int found = 0;
+ time_t soa_ttl = 0;
+ /* Limit the NSEC and NSEC3 TTL values to the SOA TTL and SOA minimum
+ * TTL. That has already been applied to the SOA record ttl. */
+ for(i=0; irep->rrset_count; i++) {
+ struct ub_packed_rrset_key* s = msg->rep->rrsets[i];
+ if(ntohs(s->rk.type) == LDNS_RR_TYPE_SOA) {
+ struct packed_rrset_data* soadata = (struct packed_rrset_data*)s->entry.data;
+ found = 1;
+ soa_ttl = soadata->ttl;
+ break;
+ }
+ }
+ if(!found)
+ return;
+ for(i=0; irep->rrset_count; i++) {
+ struct ub_packed_rrset_key* s = msg->rep->rrsets[i];
+ if(ntohs(s->rk.type) == LDNS_RR_TYPE_NSEC ||
+ ntohs(s->rk.type) == LDNS_RR_TYPE_NSEC3) {
+ struct packed_rrset_data* data = (struct packed_rrset_data*)s->entry.data;
+ /* Limit the negative TTL. */
+ if(data->ttl > soa_ttl) {
+ if(verbosity >= VERB_ALGO) {
+ char buf[256];
+ snprintf(buf, sizeof(buf),
+ "limiting TTL %d of %s record to the SOA TTL of %d for",
+ (int)data->ttl, ((ntohs(s->rk.type) == LDNS_RR_TYPE_NSEC)?"NSEC":"NSEC3"), (int)soa_ttl);
+ log_nametypeclass(VERB_ALGO, buf,
+ s->rk.dname, ntohs(s->rk.type),
+ ntohs(s->rk.rrset_class));
+ }
+ data->ttl = soa_ttl;
+ }
+ }
+ }
+}
+
 /** check if prepend item is duplicate item */
 static int
 prepend_is_duplicate(struct ub_packed_rrset_key** sets, size_t to,
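Review bot: limit_nsec_ttl leaves NSEC and NSEC3 TTLs untouched whenever the message carries no SOA rrset (`if(!found) return;`), which is the normal shape of a referral whose NSEC denies a DS; since RFC 9077 keys the limit on the SOA there may be nothing better to do, but the header comment should say so, e.g. `/* Without an SOA rrset in the message the TTLs are left as-is. */`, so the gap is a documented decision rather than an apparent omission. The first SOA rrset found anywhere in the message (answer, authority or additional) is the one used, which is fine for a well-formed negative response but also worth a word in that comment. The `(int)` casts in the VERB_ALGO message narrow `time_t` values; harmless for real TTLs, but `(long long)` with `%lld` would avoid the question for both `data->ttl` and `soa_ttl`.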
@@ -4366,7 +4408,10 @@ process_response(struct module_qstate* qstate, struct iter_qstate* iq,
 if(verbosity >= VERB_ALGO)
 log_dns_msg("incoming scrubbed packet:", &iq->response->qinfo,
 iq->response->rep);
-
+
+ if(qstate->env->cfg->aggressive_nsec) {
+ limit_nsec_ttl(iq->response);
+ }
 if(event == module_event_capsfail || iq->caps_fallback) {
 if(qstate->env->cfg->qname_minimisation &&
 iq->minimisation_state != DONOT_MINIMISE_STATE) {
From 5767b0933ffdc1a1cc9e8f2e5cca4d5c89604669 Mon Sep 17 00:00:00 2001
From: "W.C.A. Wijngaards"
Date: Tue, 10 Sep 2024 10:17:31 +0200
Subject: [PATCH 27/33] - Add unit test for ttl limit for aggressive nsec.
---
 doc/Changelog | 1 +
 testdata/val_negcache_ttl.rpl | 159 ++++++++++++++++++++++++++++++++++
 2 files changed, 160 insertions(+)
 create mode 100644 testdata/val_negcache_ttl.rpl
diff --git a/doc/Changelog b/doc/Changelog
index 136fd0b68..2da0c8694 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,6 +1,7 @@
 10 September 2024: Wouter
 - Fix to limit NSEC and NSEC3 TTL when aggressive nsec is
 enabled (RFC9077).
+ - Add unit test for ttl limit for aggressive nsec.
 
 6 September 2024: Yorgos
 - Fix alloc-size and calloc-transposed-args compiler warnings.
diff --git a/testdata/val_negcache_ttl.rpl b/testdata/val_negcache_ttl.rpl
new file mode 100644
index 000000000..ef396cca1
--- /dev/null
+++ b/testdata/val_negcache_ttl.rpl
@@ -0,0 +1,159 @@ +; config options +; The island of trust is at testzone.nlnetlabs.nl +server: + trust-anchor: "testzone.nlnetlabs.nl. 3600 IN DS 1444 8 2 07633464c1c7b93abd6fc24c73f904a40f0f304b279a80667d7e33908eed43be" + val-override-date: "20180213111425" + target-fetch-policy: "0 0 0 0 0" + qname-minimisation: "no" + trust-anchor-signaling: no + aggressive-nsec: yes + +stub-zone: + name: "testzone.nlnetlabs.nl" + stub-addr: 185.49.140.60 +CONFIG_END + +SCENARIO_BEGIN Test validator with negative cache TTL (aggressive NSEC) + +; testzone.nlnetlabs.nl nameserver +RANGE_BEGIN 0 100 + ADDRESS 185.49.140.60 + +; response to DNSKEY priming query +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +testzone.nlnetlabs.nl. IN DNSKEY +SECTION ANSWER +testzone.nlnetlabs.nl. 3600 IN DNSKEY 257 3 8 AwEAAbd9WqjzE2Pynz21OG5doSf9hFzMr5dhzz2waZ3vTa+0o5r7AjTAqmA1yH/B3+aAMihUm5ucZSfVqo7+kOaRE8yFj9aivOmA1n1+JLevJq/oyvQyjxQN2Qb89LyaNUT5oKZIiL+uyyhNW3KDR3SSbQ/GBwQNDHVcZi+JDR3RC0r7 ;{id = 1444 (ksk), size = 1024b} +testzone.nlnetlabs.nl. 3600 IN RRSIG DNSKEY 8 3 3600 20180313101254 20180213101254 1444 testzone.nlnetlabs.nl. kQ2sc41aQeMxQ7KInz2HrHi4nQcUGdv1olro0GmVYgPvIJh7SqBKW3yZWYeQrbWWwdc3klBERBbBI8gnkNYbl5kX3BBa5su8w71mpTQPRGtMxDTB17daxc0SxpPUxM35CpWU9QlBuDXcu+VNyVUuLvZGGLznlqr6ku888U2Rz+c= +ENTRY_END + +; response for antelope.testzone.nlnetlabs.nl. +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NXDOMAIN +SECTION QUESTION +antelope.testzone.nlnetlabs.nl. IN TXT +SECTION ANSWER +SECTION AUTHORITY +testzone.nlnetlabs.nl. 3600 IN NSEC alligator.testzone.nlnetlabs.nl. NS SOA RRSIG NSEC DNSKEY +testzone.nlnetlabs.nl. 3600 IN RRSIG NSEC 8 3 3600 20180313101254 20180213101254 1444 testzone.nlnetlabs.nl. tcW20hZu5Ao+ikM+qjqAlRt3ujNxTKi6kZF3waWJGY7Ldyp9XyWzB1DeoQzaNJ6zflPYFO32RUhj7jWhEIUphG4+lEvm7VGJAdSteUZ2yOppN6eZvOk0Nc0nAGPFGBjLO6ul1Wh1X+jL61q7mWt3nY+IFBZHWmhsi2Qi7vM/W4E= +alligator.testzone.nlnetlabs.nl. 
3600 IN NSEC cheetah.testzone.nlnetlabs.nl. TXT RRSIG NSEC +alligator.testzone.nlnetlabs.nl. 3600 IN RRSIG NSEC 8 4 3600 20180313101254 20180213101254 1444 testzone.nlnetlabs.nl. Zfkp3kmN8heAuIF/apf6RHhZAoGyXnvZLALRYTKIH7E9XC2wtvG9dZla4WLSr3ndA4d0CFgnKOt8mSVSLyNn232D0ahx4DFAnOJitnt9odT2+2sYhJbwCx38tPKhAUWmIn2jGZGMVjbVbEVi7WyQBrJYQqyhE/lADEDSdQZBNyA= +testzone.nlnetlabs.nl. 900 IN SOA ns.nlnetlabs.nl. ralph.nlnetlabs.nl. 1 14400 3600 604800 3600 +testzone.nlnetlabs.nl. 900 IN RRSIG SOA 8 3 900 20180313101254 20180213101254 1444 testzone.nlnetlabs.nl. abG0cByo/q5NaDNMz6FPvNvehHqUDhQRwLdvG72315hMGzCavLRWuAB5gieibMCrICH2WVHVj7fisjSuY0iPwf9xZlCGts3Z+xD9D72VRiTz7QXF+JjRWKl+3Uk6c29+pvIRKXC1Ht0r9uBXGmDTaHdV7cZCveoDwIVSngY+mQ0= +SECTION ADDITIONAL +ENTRY_END + +; No answer for ant.testzone.nlnetlabs.nl + +; response for peanut.testzone.nlnetlabs.nl. AAAA +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +peanut.testzone.nlnetlabs.nl. IN AAAA +SECTION AUTHORITY +peanut.testzone.nlnetlabs.nl. IN NSEC rust.testzone.nlnetlabs.nl. A RRSIG NSEC +peanut.testzone.nlnetlabs.nl. 3600 IN RRSIG NSEC 8 4 3600 20180313101254 20180213101254 1444 testzone.nlnetlabs.nl. GhUUt3n1oVZCbU5l7XhbtE1kAhFXBRvQRvp/s3INitoHm1D54VERXWR33g+aQMcLAyCOe2TmpJMH1zDSbccf0zabvwEzqDzPmgcPt0KjXUdrN84/2XN+C4U84golbUui61lhhU+6bL8rylPuv3XtqQ4ppXy8sSe+gfsskauhMpg= +testzone.nlnetlabs.nl. 900 IN SOA ns.nlnetlabs.nl. ralph.nlnetlabs.nl. 1 14400 3600 604800 3600 +testzone.nlnetlabs.nl. 900 IN RRSIG SOA 8 3 900 20180313101254 20180213101254 1444 testzone.nlnetlabs.nl. abG0cByo/q5NaDNMz6FPvNvehHqUDhQRwLdvG72315hMGzCavLRWuAB5gieibMCrICH2WVHVj7fisjSuY0iPwf9xZlCGts3Z+xD9D72VRiTz7QXF+JjRWKl+3Uk6c29+pvIRKXC1Ht0r9uBXGmDTaHdV7cZCveoDwIVSngY+mQ0= +SECTION ADDITIONAL +ENTRY_END +RANGE_END + +; testzone.nlnetlabs.nl nameserver +RANGE_BEGIN 100 200 + ADDRESS 185.49.140.60 +ENTRY_BEGIN +REPLY QR AA NOERROR +SECTION QUESTION +ant.testzone.nlnetlabs.nl. 
IN TXT +SECTION ANSWER +ant.testzone.nlnetlabs.nl. TXT "heap" +ant.testzone.nlnetlabs.nl. 3600 IN RRSIG TXT 8 4 3600 20180313101254 20180213101254 1444 testzone.nlnetlabs.nl. Sn8dBGMSYGGKs7yGWO0CShxbm3ba5Y6ysHyE/HJyFnS8NmsKIx/KVdFPRQx/Jm7a3hektRXrjxetfhfJm0SzJ2UFeKlkE+VJ/Lj2oAETqN1oqqkNr+RDdbKLMzLApMRgrhStSAO1Yb8/8oUIflyrjNbuDbAHSMbkOE+Z49LIais= +ENTRY_END +RANGE_END + +STEP 1 QUERY +ENTRY_BEGIN +REPLY RD DO +SECTION QUESTION +antelope.testzone.nlnetlabs.nl. IN TXT +ENTRY_END + +; recursion happens here. +STEP 10 CHECK_ANSWER +ENTRY_BEGIN +MATCH all ttl +REPLY QR RD RA DO AD NXDOMAIN +SECTION QUESTION +antelope.testzone.nlnetlabs.nl. IN TXT +SECTION ANSWER +SECTION AUTHORITY +testzone.nlnetlabs.nl. 3600 IN NSEC alligator.testzone.nlnetlabs.nl. NS SOA RRSIG NSEC DNSKEY +testzone.nlnetlabs.nl. 3600 IN RRSIG NSEC 8 3 3600 20180313101254 20180213101254 1444 testzone.nlnetlabs.nl. tcW20hZu5Ao+ikM+qjqAlRt3ujNxTKi6kZF3waWJGY7Ldyp9XyWzB1DeoQzaNJ6zflPYFO32RUhj7jWhEIUphG4+lEvm7VGJAdSteUZ2yOppN6eZvOk0Nc0nAGPFGBjLO6ul1Wh1X+jL61q7mWt3nY+IFBZHWmhsi2Qi7vM/W4E= +alligator.testzone.nlnetlabs.nl. 3600 IN NSEC cheetah.testzone.nlnetlabs.nl. TXT RRSIG NSEC +alligator.testzone.nlnetlabs.nl. 3600 IN RRSIG NSEC 8 4 3600 20180313101254 20180213101254 1444 testzone.nlnetlabs.nl. Zfkp3kmN8heAuIF/apf6RHhZAoGyXnvZLALRYTKIH7E9XC2wtvG9dZla4WLSr3ndA4d0CFgnKOt8mSVSLyNn232D0ahx4DFAnOJitnt9odT2+2sYhJbwCx38tPKhAUWmIn2jGZGMVjbVbEVi7WyQBrJYQqyhE/lADEDSdQZBNyA= +testzone.nlnetlabs.nl. 900 IN SOA ns.nlnetlabs.nl. ralph.nlnetlabs.nl. 1 14400 3600 604800 3600 +testzone.nlnetlabs.nl. 900 IN RRSIG SOA 8 3 900 20180313101254 20180213101254 1444 testzone.nlnetlabs.nl. abG0cByo/q5NaDNMz6FPvNvehHqUDhQRwLdvG72315hMGzCavLRWuAB5gieibMCrICH2WVHVj7fisjSuY0iPwf9xZlCGts3Z+xD9D72VRiTz7QXF+JjRWKl+3Uk6c29+pvIRKXC1Ht0r9uBXGmDTaHdV7cZCveoDwIVSngY+mQ0= +SECTION ADDITIONAL +ENTRY_END + +; Time passes that should have removed the entry. 
+STEP 20 TIME_PASSES ELAPSE 910 + +; query something that gets the SOA record for the testzone in cache. +STEP 30 QUERY +ENTRY_BEGIN +REPLY RD DO +SECTION QUESTION +peanut.testzone.nlnetlabs.nl. IN AAAA +ENTRY_END + +STEP 40 CHECK_ANSWER +ENTRY_BEGIN +MATCH all ttl +REPLY QR RD RA AD DO NOERROR +SECTION QUESTION +peanut.testzone.nlnetlabs.nl. IN AAAA +SECTION AUTHORITY +peanut.testzone.nlnetlabs.nl. IN NSEC rust.testzone.nlnetlabs.nl. A RRSIG NSEC +peanut.testzone.nlnetlabs.nl. 3600 IN RRSIG NSEC 8 4 3600 20180313101254 20180213101254 1444 testzone.nlnetlabs.nl. GhUUt3n1oVZCbU5l7XhbtE1kAhFXBRvQRvp/s3INitoHm1D54VERXWR33g+aQMcLAyCOe2TmpJMH1zDSbccf0zabvwEzqDzPmgcPt0KjXUdrN84/2XN+C4U84golbUui61lhhU+6bL8rylPuv3XtqQ4ppXy8sSe+gfsskauhMpg= +testzone.nlnetlabs.nl. 900 IN SOA ns.nlnetlabs.nl. ralph.nlnetlabs.nl. 1 14400 3600 604800 3600 +testzone.nlnetlabs.nl. 900 IN RRSIG SOA 8 3 900 20180313101254 20180213101254 1444 testzone.nlnetlabs.nl. abG0cByo/q5NaDNMz6FPvNvehHqUDhQRwLdvG72315hMGzCavLRWuAB5gieibMCrICH2WVHVj7fisjSuY0iPwf9xZlCGts3Z+xD9D72VRiTz7QXF+JjRWKl+3Uk6c29+pvIRKXC1Ht0r9uBXGmDTaHdV7cZCveoDwIVSngY+mQ0= +ENTRY_END + +; query for ant.testzone.nlnetlabs.nl, which isn't on the testzone nameserver +STEP 110 QUERY +ENTRY_BEGIN +REPLY RD DO +SECTION QUESTION +ant.testzone.nlnetlabs.nl. IN TXT +ENTRY_END + +STEP 120 CHECK_ANSWER +ENTRY_BEGIN +MATCH all ttl +REPLY QR RD RA AD DO NOERROR +SECTION QUESTION +ant.testzone.nlnetlabs.nl. IN TXT +SECTION ANSWER +ant.testzone.nlnetlabs.nl. TXT "heap" +ant.testzone.nlnetlabs.nl. 3600 IN RRSIG TXT 8 4 3600 20180313101254 20180213101254 1444 testzone.nlnetlabs.nl. Sn8dBGMSYGGKs7yGWO0CShxbm3ba5Y6ysHyE/HJyFnS8NmsKIx/KVdFPRQx/Jm7a3hektRXrjxetfhfJm0SzJ2UFeKlkE+VJ/Lj2oAETqN1oqqkNr+RDdbKLMzLApMRgrhStSAO1Yb8/8oUIflyrjNbuDbAHSMbkOE+Z49LIais= +SECTION AUTHORITY +; This response is not returned, with NXDOMAIN +;testzone.nlnetlabs.nl. 3600 IN NSEC alligator.testzone.nlnetlabs.nl. NS SOA RRSIG NSEC DNSKEY +;testzone.nlnetlabs.nl. 
3600 IN RRSIG NSEC 8 3 3600 20180313101254 20180213101254 1444 testzone.nlnetlabs.nl. tcW20hZu5Ao+ikM+qjqAlRt3ujNxTKi6kZF3waWJGY7Ldyp9XyWzB1DeoQzaNJ6zflPYFO32RUhj7jWhEIUphG4+lEvm7VGJAdSteUZ2yOppN6eZvOk0Nc0nAGPFGBjLO6ul1Wh1X+jL61q7mWt3nY+IFBZHWmhsi2Qi7vM/W4E= +;alligator.testzone.nlnetlabs.nl. 3600 IN NSEC cheetah.testzone.nlnetlabs.nl. TXT RRSIG NSEC +;alligator.testzone.nlnetlabs.nl. 3600 IN RRSIG NSEC 8 4 3600 20180313101254 20180213101254 1444 testzone.nlnetlabs.nl. Zfkp3kmN8heAuIF/apf6RHhZAoGyXnvZLALRYTKIH7E9XC2wtvG9dZla4WLSr3ndA4d0CFgnKOt8mSVSLyNn232D0ahx4DFAnOJitnt9odT2+2sYhJbwCx38tPKhAUWmIn2jGZGMVjbVbEVi7WyQBrJYQqyhE/lADEDSdQZBNyA= +;testzone.nlnetlabs.nl. 900 IN SOA ns.nlnetlabs.nl. ralph.nlnetlabs.nl. 1 14400 3600 604800 3600 +;testzone.nlnetlabs.nl. 900 IN RRSIG SOA 8 3 900 20180313101254 20180213101254 1444 testzone.nlnetlabs.nl. abG0cByo/q5NaDNMz6FPvNvehHqUDhQRwLdvG72315hMGzCavLRWuAB5gieibMCrICH2WVHVj7fisjSuY0iPwf9xZlCGts3Z+xD9D72VRiTz7QXF+JjRWKl+3Uk6c29+pvIRKXC1Ht0r9uBXGmDTaHdV7cZCveoDwIVSngY+mQ0= +ENTRY_END + +SCENARIO_END From 6bf2b2ac568203e6119d1a64c2176e3fd03e7ffa Mon Sep 17 00:00:00 2001 From: Yorgos Thessalonikefs Date: Wed, 11 Sep 2024 12:16:02 +0200 Subject: [PATCH 28/33] - Fix and add comments in testdata/val_negcache_ttl.rpl. --- doc/Changelog | 3 ++ testdata/val_negcache_ttl.rpl | 53 +++++++++++++++++++++++++++-------- 2 files changed, 44 insertions(+), 12 deletions(-) diff --git a/doc/Changelog b/doc/Changelog index 2da0c8694..eb95e8bbb 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,3 +1,6 @@ +11 September 2024: Yorgos + - Fix and add comments in testdata/val_negcache_ttl.rpl. + 10 September 2024: Wouter - Fix to limit NSEC and NSEC3 TTL when aggressive nsec is enabled (RFC9077). diff --git a/testdata/val_negcache_ttl.rpl b/testdata/val_negcache_ttl.rpl index ef396cca1..328b9b6ec 100644 --- a/testdata/val_negcache_ttl.rpl +++ b/testdata/val_negcache_ttl.rpl 
@@ -14,6 +14,14 @@ stub-zone: CONFIG_END SCENARIO_BEGIN Test validator with negative cache TTL (aggressive NSEC) +; Scenario overview: +; - query for antelope.testzone.nlnetlabs.nl. IN TXT (NXDOMAIN) +; - answer from upstream is NXDOMAIN with NSEC records that cover ant.testzone.nlnetlabs.nl +; - the NSEC records should be cached for 900 seconds only (minimum of SOA) +; - check that ant.testzone.nlnetlabs.nl gets the synthesized NXDOMAIN from aggressive-nsec +; - let NSEC records expire +; - query for ant.testzone.nlnetlabs.nl. IN TXT which is now available on the nameserver +; - check that aggressive-nsec cannot synthesize NXDOMAIN (expired NSECs) and the query is resolved ; testzone.nlnetlabs.nl nameserver RANGE_BEGIN 0 100 @@ -32,6 +40,7 @@ testzone.nlnetlabs.nl. 3600 IN RRSIG DNSKEY 8 3 3600 20180313101254 201802131012 ENTRY_END ; response for antelope.testzone.nlnetlabs.nl. +; NSECs cover ant.testzone.nlnetlabs.nl as non-existent. ENTRY_BEGIN MATCH opcode qtype qname ADJUST copy_id @@ -49,7 +58,7 @@ testzone.nlnetlabs.nl. 900 IN RRSIG SOA 8 3 900 20180313101254 20180213101254 14 SECTION ADDITIONAL ENTRY_END -; No answer for ant.testzone.nlnetlabs.nl +; No answer for ant.testzone.nlnetlabs.nl in this range ; response for peanut.testzone.nlnetlabs.nl. AAAA ENTRY_BEGIN @@ -70,6 +79,7 @@ RANGE_END ; testzone.nlnetlabs.nl nameserver RANGE_BEGIN 100 200 ADDRESS 185.49.140.60 +; response for ant.testzone.nlnetlabs.nl ENTRY_BEGIN REPLY QR AA NOERROR SECTION QUESTION @@ -87,7 +97,7 @@ SECTION QUESTION antelope.testzone.nlnetlabs.nl. IN TXT ENTRY_END -; recursion happens here. +; recursion happens here. Expect NXDOMAIN. STEP 10 CHECK_ANSWER ENTRY_BEGIN MATCH all ttl 
@@ -105,7 +115,32 @@ testzone.nlnetlabs.nl. 900 IN RRSIG SOA 8 3 900 20180313101254 20180213101254 14 SECTION ADDITIONAL ENTRY_END -; Time passes that should have removed the entry. +; query for ant.testzone.nlnetlabs.nl (non-existent) +STEP 11 QUERY +ENTRY_BEGIN +REPLY RD DO +SECTION QUESTION +ant.testzone.nlnetlabs.nl. IN TXT +ENTRY_END + +; this is the synthesized NXDOMAIN from aggressive-nsec +STEP 12 CHECK_ANSWER +ENTRY_BEGIN +MATCH all ttl +REPLY QR RD RA AD DO NXDOMAIN +SECTION QUESTION +ant.testzone.nlnetlabs.nl. IN TXT +SECTION ANSWER +SECTION AUTHORITY +testzone.nlnetlabs.nl. 3600 IN NSEC alligator.testzone.nlnetlabs.nl. NS SOA RRSIG NSEC DNSKEY +testzone.nlnetlabs.nl. 3600 IN RRSIG NSEC 8 3 3600 20180313101254 20180213101254 1444 testzone.nlnetlabs.nl. tcW20hZu5Ao+ikM+qjqAlRt3ujNxTKi6kZF3waWJGY7Ldyp9XyWzB1DeoQzaNJ6zflPYFO32RUhj7jWhEIUphG4+lEvm7VGJAdSteUZ2yOppN6eZvOk0Nc0nAGPFGBjLO6ul1Wh1X+jL61q7mWt3nY+IFBZHWmhsi2Qi7vM/W4E= +alligator.testzone.nlnetlabs.nl. 3600 IN NSEC cheetah.testzone.nlnetlabs.nl. TXT RRSIG NSEC +alligator.testzone.nlnetlabs.nl. 3600 IN RRSIG NSEC 8 4 3600 20180313101254 20180213101254 1444 testzone.nlnetlabs.nl. Zfkp3kmN8heAuIF/apf6RHhZAoGyXnvZLALRYTKIH7E9XC2wtvG9dZla4WLSr3ndA4d0CFgnKOt8mSVSLyNn232D0ahx4DFAnOJitnt9odT2+2sYhJbwCx38tPKhAUWmIn2jGZGMVjbVbEVi7WyQBrJYQqyhE/lADEDSdQZBNyA= +testzone.nlnetlabs.nl. 900 IN SOA ns.nlnetlabs.nl. ralph.nlnetlabs.nl. 1 14400 3600 604800 3600 +testzone.nlnetlabs.nl. 900 IN RRSIG SOA 8 3 900 20180313101254 20180213101254 1444 testzone.nlnetlabs.nl. abG0cByo/q5NaDNMz6FPvNvehHqUDhQRwLdvG72315hMGzCavLRWuAB5gieibMCrICH2WVHVj7fisjSuY0iPwf9xZlCGts3Z+xD9D72VRiTz7QXF+JjRWKl+3Uk6c29+pvIRKXC1Ht0r9uBXGmDTaHdV7cZCveoDwIVSngY+mQ0= +ENTRY_END + +; Time passes and NSECs should be expired. STEP 20 TIME_PASSES ELAPSE 910 ; query something that gets the SOA record for the testzone in cache. 
@@ -129,7 +164,7 @@ testzone.nlnetlabs.nl. 900 IN SOA ns.nlnetlabs.nl. ralph.nlnetlabs. testzone.nlnetlabs.nl. 900 IN RRSIG SOA 8 3 900 20180313101254 20180213101254 1444 testzone.nlnetlabs.nl. abG0cByo/q5NaDNMz6FPvNvehHqUDhQRwLdvG72315hMGzCavLRWuAB5gieibMCrICH2WVHVj7fisjSuY0iPwf9xZlCGts3Z+xD9D72VRiTz7QXF+JjRWKl+3Uk6c29+pvIRKXC1Ht0r9uBXGmDTaHdV7cZCveoDwIVSngY+mQ0= ENTRY_END -; query for ant.testzone.nlnetlabs.nl, which isn't on the testzone nameserver +; query for ant.testzone.nlnetlabs.nl. In this range it is on the nameserver. STEP 110 QUERY ENTRY_BEGIN REPLY RD DO @@ -137,6 +172,8 @@ SECTION QUESTION ant.testzone.nlnetlabs.nl. IN TXT ENTRY_END +; Expect an answer since the 3600 TTL NSECs from STEP 10 should have been +; limited to 900 and be expired by now. STEP 120 CHECK_ANSWER ENTRY_BEGIN MATCH all ttl 
@@ -146,14 +183,6 @@ ant.testzone.nlnetlabs.nl. IN TXT SECTION ANSWER ant.testzone.nlnetlabs.nl. TXT "heap" ant.testzone.nlnetlabs.nl. 3600 IN RRSIG TXT 8 4 3600 20180313101254 20180213101254 1444 testzone.nlnetlabs.nl. Sn8dBGMSYGGKs7yGWO0CShxbm3ba5Y6ysHyE/HJyFnS8NmsKIx/KVdFPRQx/Jm7a3hektRXrjxetfhfJm0SzJ2UFeKlkE+VJ/Lj2oAETqN1oqqkNr+RDdbKLMzLApMRgrhStSAO1Yb8/8oUIflyrjNbuDbAHSMbkOE+Z49LIais= -SECTION AUTHORITY -; This response is not returned, with NXDOMAIN -;testzone.nlnetlabs.nl. 3600 IN NSEC alligator.testzone.nlnetlabs.nl. NS SOA RRSIG NSEC DNSKEY -;testzone.nlnetlabs.nl. 3600 IN RRSIG NSEC 8 3 3600 20180313101254 20180213101254 1444 testzone.nlnetlabs.nl. tcW20hZu5Ao+ikM+qjqAlRt3ujNxTKi6kZF3waWJGY7Ldyp9XyWzB1DeoQzaNJ6zflPYFO32RUhj7jWhEIUphG4+lEvm7VGJAdSteUZ2yOppN6eZvOk0Nc0nAGPFGBjLO6ul1Wh1X+jL61q7mWt3nY+IFBZHWmhsi2Qi7vM/W4E= -;alligator.testzone.nlnetlabs.nl. 3600 IN NSEC cheetah.testzone.nlnetlabs.nl. TXT RRSIG NSEC -;alligator.testzone.nlnetlabs.nl. 3600 IN RRSIG NSEC 8 4 3600 20180313101254 20180213101254 1444 testzone.nlnetlabs.nl. Zfkp3kmN8heAuIF/apf6RHhZAoGyXnvZLALRYTKIH7E9XC2wtvG9dZla4WLSr3ndA4d0CFgnKOt8mSVSLyNn232D0ahx4DFAnOJitnt9odT2+2sYhJbwCx38tPKhAUWmIn2jGZGMVjbVbEVi7WyQBrJYQqyhE/lADEDSdQZBNyA= -;testzone.nlnetlabs.nl. 900 IN SOA ns.nlnetlabs.nl. ralph.nlnetlabs.nl. 1 14400 3600 604800 3600 -;testzone.nlnetlabs.nl. 900 IN RRSIG SOA 8 3 900 20180313101254 20180213101254 1444 testzone.nlnetlabs.nl. abG0cByo/q5NaDNMz6FPvNvehHqUDhQRwLdvG72315hMGzCavLRWuAB5gieibMCrICH2WVHVj7fisjSuY0iPwf9xZlCGts3Z+xD9D72VRiTz7QXF+JjRWKl+3Uk6c29+pvIRKXC1Ht0r9uBXGmDTaHdV7cZCveoDwIVSngY+mQ0= ENTRY_END SCENARIO_END From 819764663b28d000042b52d4dfc00b942fb13ea4 Mon Sep 17 00:00:00 2001 
From: Tochus <91380691+TochusC@users.noreply.github.com> Date: Mon, 16 Sep 2024 18:14:28 +0800 Subject: [PATCH 29/33] Fix spelling mistake in comments (#1140) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit I noticed a spelling mistake in the comments. The term “chain of trust” was incorrectly written as “chainoftrust”. This change corrects the spelling to “chain of trust” which is the correct term used in English. --- validator/validator.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/validator/validator.h b/validator/validator.h index 72f44b16e..c07f9d59d 100644 --- a/validator/validator.h +++ b/validator/validator.h @@ -159,7 +159,7 @@ struct val_qstate { * The query restart count */ int restart_count; - /** The blacklist saved for chainoftrust elements */ + /** The blacklist saved for chain of trust elements */ struct sock_list* chain_blacklist; /** From 606e262fdd96fe558a1f3364a57a8ec3a0733fc7 Mon Sep 17 00:00:00 2001 From: "W.C.A. Wijngaards" Date: Mon, 16 Sep 2024 12:15:04 +0200 Subject: [PATCH 30/33] Changelog comment for #1140. - Merge #1140: Fix spelling mistake in comments. --- doc/Changelog | 3 +++ 1 file changed, 3 insertions(+) diff --git a/doc/Changelog b/doc/Changelog index eb95e8bbb..e5d778f1d 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,3 +1,6 @@ +16 September 2024: Wouter + - Merge #1140: Fix spelling mistake in comments. + 11 September 2024: Yorgos - Fix and add comments in testdata/val_negcache_ttl.rpl. From 5e9b6296b7ab586eaa956f21b98c574967ceb06e Mon Sep 17 00:00:00 2001 
From: "W.C.A. Wijngaards"
Date: Tue, 17 Sep 2024 13:10:34 +0200
Subject: [PATCH 31/33] - Add redis-command-timeout: 20 and redis-connect-timeout: 200, that can set the timeout separately for commands and the connection set up to the redis server. If they are not specified, the redis-timeout value is used.
---
 cachedb/redis.c | 29 +++++++++++++++++++++++------
 doc/Changelog | 6 ++++++
 doc/example.conf.in | 4 ++++
 doc/unbound.conf.5.in | 8 ++++++++
 util/config_file.c | 4 ++++
 util/config_file.h | 4 ++++
 util/configlexer.lex | 2 ++
 util/configparser.y | 30 +++++++++++++++++++++++++++++-
 8 files changed, 80 insertions(+), 7 deletions(-)
diff --git a/cachedb/redis.c b/cachedb/redis.c
index 6cc975901..68c033535 100644
--- a/cachedb/redis.c
+++ b/cachedb/redis.c
@@ -58,7 +58,8 @@ struct redis_moddata {
 int server_port; /* server's TCP port */
 const char* server_path; /* server's unix path, or "", NULL if unused */
 const char* server_password; /* server's AUTH password, or "", NULL if unused */
- struct timeval timeout; /* timeout for connection setup and commands */
+ struct timeval command_timeout; /* timeout for commands */
+ struct timeval connect_timeout; /* timeout for connect */
 int logical_db; /* the redis logical database to use */
 };
@@ -88,10 +89,10 @@ redis_connect(const struct redis_moddata* moddata)
 if(moddata->server_path && moddata->server_path[0]!=0) {
 ctx = redisConnectUnixWithTimeout(moddata->server_path,
- moddata->timeout);
+ moddata->connect_timeout);
 } else {
 ctx = redisConnectWithTimeout(moddata->server_host,
- moddata->server_port, moddata->timeout);
+ moddata->server_port, moddata->connect_timeout);
 }
 if(!ctx || ctx->err) {
 const char *errstr = "out of memory";
@@ -100,7 +101,7 @@ redis_connect(const struct redis_moddata* moddata)
 log_err("failed to connect to redis server: %s", errstr);
 goto fail;
 }
- if(redisSetTimeout(ctx, moddata->timeout) != REDIS_OK) {
+ if(redisSetTimeout(ctx, moddata->command_timeout) != REDIS_OK) {
 log_err("failed to set redis timeout");
 goto fail;
 }
@@ -159,8 +160,24 @@ redis_init(struct module_env* env, struct cachedb_env* cachedb_env)
 moddata->server_port = env->cfg->redis_server_port;
 moddata->server_path = env->cfg->redis_server_path;
 moddata->server_password = env->cfg->redis_server_password;
- moddata->timeout.tv_sec = env->cfg->redis_timeout / 1000;
- moddata->timeout.tv_usec = (env->cfg->redis_timeout % 1000) * 1000;
+ moddata->command_timeout.tv_sec = env->cfg->redis_timeout / 1000;
+ moddata->command_timeout.tv_usec =
+ (env->cfg->redis_timeout % 1000) * 1000;
+ moddata->connect_timeout.tv_sec = env->cfg->redis_timeout / 1000;
+ moddata->connect_timeout.tv_usec =
+ (env->cfg->redis_timeout % 1000) * 1000;
+ if(env->cfg->redis_command_timeout != 0) {
+ moddata->command_timeout.tv_sec =
+ env->cfg->redis_command_timeout / 1000;
+ moddata->command_timeout.tv_usec =
+ (env->cfg->redis_command_timeout % 1000) * 1000;
+ }
+ if(env->cfg->redis_connect_timeout != 0) {
+ moddata->connect_timeout.tv_sec =
+ env->cfg->redis_connect_timeout / 1000;
+ moddata->connect_timeout.tv_usec =
+ (env->cfg->redis_connect_timeout % 1000) * 1000;
+ }
 moddata->logical_db = env->cfg->redis_logical_db;
 for(i = 0; i < moddata->numctxs; i++) {
 redisContext* ctx = redis_connect(moddata);
diff --git a/doc/Changelog b/doc/Changelog
index e5d778f1d..ed3bc8700 100644
--- a/doc/Changelog
+++ b/doc/Changelog
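Review bot: The redis_init hunk writes the same millisecond-to-timeval arithmetic out four times and assigns each field twice (the redis_timeout fallback first, then the override), which hides the simple rule "0 means use redis-timeout" behind sixteen lines; choosing the value up front and converting it in one small static helper leaves a single place to change if the conversion is ever touched. Nothing on this path rejects a negative millisecond value, which would yield a negative `tv_sec`/`tv_usec`; that check belongs in the configparser.y rules, but a one-line comment here stating the values are assumed non-negative would make the dependency visible. redis_init starts and ends outside the hunk.
```c
/** Convert a millisecond timeout to a struct timeval. */
static void
msec_to_timeval(struct timeval* tv, int msec)
{
	tv->tv_sec = msec / 1000;
	tv->tv_usec = (msec % 1000) * 1000;
}

/* … unchanged: redis_init up to the server_password assignment … */
	/* A configured value of 0 means "not set": fall back to redis-timeout. */
	msec_to_timeval(&moddata->command_timeout,
		env->cfg->redis_command_timeout != 0 ?
		env->cfg->redis_command_timeout : env->cfg->redis_timeout);
	msec_to_timeval(&moddata->connect_timeout,
		env->cfg->redis_connect_timeout != 0 ?
		env->cfg->redis_connect_timeout : env->cfg->redis_timeout);
/* … unchanged: logical_db assignment and the connect loop … */
```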
@@ -1,3 +1,9 @@ +17 September 2024: Wouter + - Add redis-command-timeout: 20 and redis-connect-timeout: 200, + that can set the timeout separately for commands and the + connection set up to the redis server. If they are not + specified, the redis-timeout value is used. + 16 September 2024: Wouter - Merge #1140: Fix spelling mistake in comments. diff --git a/doc/example.conf.in b/doc/example.conf.in index cce65c0f5..e5bb5029f 100644 --- a/doc/example.conf.in +++ b/doc/example.conf.in @@ -1301,6 +1301,10 @@ remote-control: # # redis-server-password: "" # # timeout (in ms) for communication with the redis server # redis-timeout: 100 +# # timeout (in ms) for commands, if 0, uses redis-timeout. +# redis-command-timeout: 0 +# # timeout (in ms) for connection set up, if 0, uses redis-timeout. +# redis-connect-timeout: 0 # # set timeout on redis records based on DNS response TTL # redis-expire-records: no # # redis logical database to use, 0 is the default database. diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in index d051e8850..f4cf81778 100644 --- a/doc/unbound.conf.5.in +++ b/doc/unbound.conf.5.in @@ -2810,6 +2810,14 @@ if the Redis server does not have the requested data, and will try to re-establish a new connection later. This option defaults to 100 milliseconds. .TP +.B redis-command-timeout: \fI\fR +The timeout to use for redis commands, in milliseconds. If 0, it uses the +redis\-timeout value. The default is 0. +.TP +.B redis-connect-timeout: \fI\fR +The timeout to use for redis connection set up, in milliseconds. If 0, it +uses the redis\-timeout value. The default is 0. +.TP .B redis-expire-records: \fI If Redis record expiration is enabled. If yes, Unbound sets timeout for Redis records so that Redis can evict keys that have expired automatically. If diff --git a/util/config_file.c b/util/config_file.c index d82e4374e..ab63d3fed 100644 --- a/util/config_file.c +++ b/util/config_file.c 
@@ -399,6 +399,8 @@ config_create(void)
 cfg->redis_server_path = NULL;
 cfg->redis_server_password = NULL;
 cfg->redis_timeout = 100;
+ cfg->redis_command_timeout = 0;
+ cfg->redis_connect_timeout = 0;
 cfg->redis_server_port = 6379;
 cfg->redis_expire_records = 0;
 cfg->redis_logical_db = 0;
@@ -1364,6 +1366,8 @@ config_get_option(struct config_file* cfg, const char* opt,
 else O_STR(opt, "redis-server-path", redis_server_path)
 else O_STR(opt, "redis-server-password", redis_server_password)
 else O_DEC(opt, "redis-timeout", redis_timeout)
+ else O_DEC(opt, "redis-command-timeout", redis_command_timeout)
+ else O_DEC(opt, "redis-connect-timeout", redis_connect_timeout)
 else O_YNO(opt, "redis-expire-records", redis_expire_records)
 else O_DEC(opt, "redis-logical-db", redis_logical_db)
 #endif /* USE_REDIS */
diff --git a/util/config_file.h b/util/config_file.h
index ae9c9cb5b..29dd71620 100644
--- a/util/config_file.h
+++ b/util/config_file.h
@@ -739,6 +739,10 @@ struct config_file {
 char* redis_server_password;
 /** timeout (in ms) for communication with the redis server */
 int redis_timeout;
+ /** timeout (in ms) for redis commands */
+ int redis_command_timeout;
+ /** timeout (in ms) for redis connection set up */
+ int redis_connect_timeout;
 /** set timeout on redis records based on DNS response ttl */
 int redis_expire_records;
 /** set the redis logical database upon connection */
diff --git a/util/configlexer.lex b/util/configlexer.lex
index 527d5bfb9..b4442e913 100644
--- a/util/configlexer.lex
+++ b/util/configlexer.lex
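Review bot: The doc comments on the two new `struct config_file` fields in the config_file.h hunk do not record that 0 is the sentinel for "not configured", which is exactly what the `= 0` defaults in config_create rely on and what redis_init in cachedb/redis.c tests with `!= 0` before falling back to `redis_timeout`. Suggest `/** timeout (in ms) for redis commands, 0 uses redis_timeout */` and `/** timeout (in ms) for redis connection set up, 0 uses redis_timeout */` so a reader of the header does not need the cachedb module to learn the contract.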
@@ -574,6 +574,8 @@ redis-server-port{COLON} { YDVAR(1, VAR_CACHEDB_REDISPORT) }
 redis-server-path{COLON} { YDVAR(1, VAR_CACHEDB_REDISPATH) }
 redis-server-password{COLON} { YDVAR(1, VAR_CACHEDB_REDISPASSWORD) }
 redis-timeout{COLON} { YDVAR(1, VAR_CACHEDB_REDISTIMEOUT) }
+redis-command-timeout{COLON} { YDVAR(1, VAR_CACHEDB_REDISCOMMANDTIMEOUT) }
+redis-connect-timeout{COLON} { YDVAR(1, VAR_CACHEDB_REDISCONNECTTIMEOUT) }
 redis-expire-records{COLON} { YDVAR(1, VAR_CACHEDB_REDISEXPIRERECORDS) }
 redis-logical-db{COLON} { YDVAR(1, VAR_CACHEDB_REDISLOGICALDB) }
 ipset{COLON} { YDVAR(0, VAR_IPSET) }
diff --git a/util/configparser.y b/util/configparser.y
index 4dc647f82..dfc0c58af 100644
--- a/util/configparser.y
+++ b/util/configparser.y
@@ -182,6 +182,7 @@ extern struct config_parser_state* cfg_parser;
 %token VAR_CACHEDB_REDISHOST VAR_CACHEDB_REDISPORT VAR_CACHEDB_REDISTIMEOUT
 %token VAR_CACHEDB_REDISEXPIRERECORDS VAR_CACHEDB_REDISPATH VAR_CACHEDB_REDISPASSWORD
 %token VAR_CACHEDB_REDISLOGICALDB
+%token VAR_CACHEDB_REDISCOMMANDTIMEOUT VAR_CACHEDB_REDISCONNECTTIMEOUT
 %token VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM VAR_FOR_UPSTREAM
 %token VAR_AUTH_ZONE VAR_ZONEFILE VAR_MASTER VAR_URL VAR_FOR_DOWNSTREAM
 %token VAR_FALLBACK_ENABLED VAR_TLS_ADDITIONAL_PORT VAR_LOW_RTT VAR_LOW_RTT_PERMIL
@@ -3838,7 +3839,8 @@ contents_cachedb: contents_cachedb content_cachedb
 content_cachedb: cachedb_backend_name | cachedb_secret_seed | redis_server_host | redis_server_port | redis_timeout | redis_expire_records | redis_server_path | redis_server_password |
- cachedb_no_store | redis_logical_db | cachedb_check_when_serve_expired
+ cachedb_no_store | redis_logical_db | cachedb_check_when_serve_expired |
+ redis_command_timeout | redis_connect_timeout
 ;
 cachedb_backend_name: VAR_CACHEDB_BACKEND STRING_ARG
 {
@@ -3954,6 +3956,32 @@ redis_timeout: VAR_CACHEDB_REDISTIMEOUT STRING_ARG
 free($2);
 }
 ;
+redis_command_timeout: VAR_CACHEDB_REDISCOMMANDTIMEOUT STRING_ARG
+ {
+ #if defined(USE_CACHEDB) && defined(USE_REDIS)
+ OUTYY(("P(redis_command_timeout:%s)\n", $2));
+ if(atoi($2) == 0 && strcmp($2, "0") != 0)
+ yyerror("redis command timeout value expected");
+ else cfg_parser->cfg->redis_command_timeout = atoi($2);
+ #else
+ OUTYY(("P(Compiled without cachedb or redis, ignoring)\n"));
+ #endif
+ free($2);
+ }
+ ;
+redis_connect_timeout: VAR_CACHEDB_REDISCONNECTTIMEOUT STRING_ARG
+ {
+ #if defined(USE_CACHEDB) && defined(USE_REDIS)
+ OUTYY(("P(redis_connect_timeout:%s)\n", $2));
+ if(atoi($2) == 0 && strcmp($2, "0") != 0)
+ yyerror("redis connect timeout value expected");
+ else cfg_parser->cfg->redis_connect_timeout = atoi($2);
+ #else
+ OUTYY(("P(Compiled without cachedb or redis, ignoring)\n"));
+ #endif
+ free($2);
+ }
+ ;
 redis_expire_records: VAR_CACHEDB_REDISEXPIRERECORDS STRING_ARG
 {
 #if defined(USE_CACHEDB) && defined(USE_REDIS)
From a35a0c49da6549b7a199552d8c30d520a506d8d7 Mon Sep 17 00:00:00 2001
From: "W.C.A. Wijngaards"
Date: Mon, 23 Sep 2024 12:19:43 +0200
Subject: [PATCH 32/33] - Fix dns64 with prefetch that the prefetch is stored in cache.
---
 dns64/dns64.c | 4 +-
 doc/Changelog | 3 +
 services/cache/dns.c | 2 +-
 testdata/dns64_prefetch_cache.rpl | 195 ++++++++++++++++++++++++++++++
 4 files changed, 201 insertions(+), 3 deletions(-)
 create mode 100644 testdata/dns64_prefetch_cache.rpl
diff --git a/dns64/dns64.c b/dns64/dns64.c
index cfb6ce63e..49718e3d8 100644
--- a/dns64/dns64.c
+++ b/dns64/dns64.c
@@ -657,7 +657,7 @@ handle_event_moddone(struct module_qstate* qstate, int id)
 qstate->return_msg->rep && !dns_cache_store( qstate->env, &qstate->qinfo, qstate->return_msg->rep,
- 0, 0, 0, NULL,
+ 0, qstate->prefetch_leeway, 0, NULL,
 qstate->query_flags, qstate->qstarttime))
 log_err("out of memory");
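Review bot: The validity test in both new rules, `atoi($2) == 0 && strcmp($2, "0") != 0`, lets negative values and trailing junk through (atoi stops at the first non-digit, so a constructed input like `20ms` parses as 20, and `-5` is stored as-is) and redis_init then builds a negative `struct timeval` from it; `if(atoi($2) < 0 || (atoi($2) == 0 && strcmp($2, "0") != 0))` rejects at least the negative case, which is the one that reaches setsockopt. The same line appears in the redis_connect_timeout rule further down this hunk. The pattern looks copied from the existing redis_timeout rule above the hunk, so if the check is tightened here the older rule should get the same treatment for consistency.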
@@ -1007,7 +1007,7 @@ dns64_inform_super(struct module_qstate* qstate, int id,
 /* Store the generated response in cache. */
 if ( (!super_dq || !super_dq->started_no_cache_store) &&
 !dns_cache_store(super->env, &super->qinfo, super->return_msg->rep,
- 0, 0, 0, NULL, super->query_flags, qstate->qstarttime))
+ 0, super->prefetch_leeway, 0, NULL, super->query_flags, qstate->qstarttime))
 log_err("out of memory");
 }
diff --git a/doc/Changelog b/doc/Changelog
index ed3bc8700..d9af117a1 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,6 @@
+23 September 2024: Wouter
+ - Fix dns64 with prefetch that the prefetch is stored in cache.
+
 17 September 2024: Wouter
 - Add redis-command-timeout: 20 and redis-connect-timeout: 200,
 that can set the timeout separately for commands and the
diff --git a/services/cache/dns.c b/services/cache/dns.c
index e79002b79..dd8df4554 100644
--- a/services/cache/dns.c
+++ b/services/cache/dns.c
@@ -88,7 +88,7 @@ store_rrsets(struct module_env* env, struct reply_info* rep, time_t now,
 /* update ref if it was in the cache */
 switch(rrset_cache_update(env->rrset_cache, &rep->ref[i],
 env->alloc, ((ntohs(rep->ref[i].key->rk.type)==
- LDNS_RR_TYPE_NS && !pside)?qstarttime:now + leeway))) {
+ LDNS_RR_TYPE_NS && !pside)?qstarttime:now) + leeway)) {
 case 0: /* ref unchanged, item inserted */
 break;
 case 2: /* ref updated, cache is superior */
diff --git a/testdata/dns64_prefetch_cache.rpl b/testdata/dns64_prefetch_cache.rpl
new file mode 100644
index 000000000..a23b92f08
--- /dev/null
+++ b/testdata/dns64_prefetch_cache.rpl
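Review bot: The re-parenthesising in the services/cache/dns.c hunk changes more than the commit message states: before, an NS rrset learned from the child side (`!pside`) was stamped plain `qstarttime` and only the other rrsets got `now + leeway`; now `leeway` is added in both cases, so NS rrsets stored by a prefetch are stamped `qstarttime + leeway`. If that is the intended fix (so the prefetched set is not rejected as older by `rrset_cache_update`, cf. the `case 2: /* ref updated, cache is superior */` arm), a comment at the call such as `/* leeway also applies to the NS qstarttime, so a prefetch can replace the cached set */` would spare the next reader re-deriving it. The two dns64.c hunks in this patch (handle_event_moddone and dns64_inform_super) only start passing `prefetch_leeway`, so they rely on this precedence change to have any effect. store_rrsets starts and ends outside the hunk.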
@@ -0,0 +1,195 @@ +; config options +server: + target-fetch-policy: "0 0 0 0 0" + qname-minimisation: "no" + module-config: "dns64 iterator" + dns64-prefix: 64:ff9b::0/96 + minimal-responses: no + prefetch: yes + +stub-zone: + name: "." + stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. +CONFIG_END + +SCENARIO_BEGIN Test dns64 with prefetch and cache store. + +; K.ROOT-SERVERS.NET. +RANGE_BEGIN 0 200 + ADDRESS 193.0.14.129 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +. IN NS +SECTION ANSWER +. IN NS K.ROOT-SERVERS.NET. +SECTION ADDITIONAL +K.ROOT-SERVERS.NET. IN A 193.0.14.129 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +com. IN NS +SECTION AUTHORITY +com. IN NS a.gtld-servers.net. +SECTION ADDITIONAL +a.gtld-servers.net. IN A 192.5.6.30 +ENTRY_END +RANGE_END + +; a.gtld-servers.net. +RANGE_BEGIN 0 200 + ADDRESS 192.5.6.30 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +com. IN NS +SECTION ANSWER +com. IN NS a.gtld-servers.net. +SECTION ADDITIONAL +a.gtld-servers.net. IN A 192.5.6.30 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +example.com. IN NS +SECTION AUTHORITY +example.com. IN NS ns.example.com. +SECTION ADDITIONAL +ns.example.com. IN A 1.2.3.4 +ENTRY_END +RANGE_END + +; ns.example.com. +RANGE_BEGIN 0 100 + ADDRESS 1.2.3.4 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +example.com. IN NS +SECTION ANSWER +example.com. IN NS ns.example.com. +SECTION ADDITIONAL +ns.example.com. IN A 1.2.3.4 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +www.example.com. IN A +SECTION ANSWER +www.example.com. IN A 10.20.30.40 +SECTION AUTHORITY +example.com. IN NS ns.example.com. +SECTION ADDITIONAL +ns.example.com. 
IN A 1.2.3.4 +ENTRY_END +RANGE_END + +STEP 1 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +www.example.com. IN A +ENTRY_END + +; recursion happens here. +STEP 10 CHECK_ANSWER +ENTRY_BEGIN +MATCH all ttl +REPLY QR RD RA NOERROR +SECTION QUESTION +www.example.com. IN A +SECTION ANSWER +www.example.com. 3600 IN A 10.20.30.40 +SECTION AUTHORITY +example.com. 3600 IN NS ns.example.com. +SECTION ADDITIONAL +ns.example.com. 3600 IN A 1.2.3.4 +ENTRY_END + +STEP 20 TIME_PASSES ELAPSE 3500 + +STEP 30 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +www.example.com. IN A +ENTRY_END + +; the prefetch is started, the older cache reply is returned. +STEP 40 CHECK_ANSWER +ENTRY_BEGIN +MATCH all ttl +REPLY QR RD RA NOERROR +SECTION QUESTION +www.example.com. IN A +SECTION ANSWER +www.example.com. 100 IN A 10.20.30.40 +SECTION AUTHORITY +example.com. 100 IN NS ns.example.com. +SECTION ADDITIONAL +ns.example.com. 100 IN A 1.2.3.4 +ENTRY_END + +; check what is in the cache +STEP 42 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +www.example.com. IN A +ENTRY_END + +STEP 43 CHECK_ANSWER +ENTRY_BEGIN +MATCH all ttl +REPLY QR RD RA NOERROR +SECTION QUESTION +www.example.com. IN A +SECTION ANSWER +www.example.com. 3600 IN A 10.20.30.40 +SECTION AUTHORITY +example.com. 3600 IN NS ns.example.com. +SECTION ADDITIONAL +ns.example.com. 3600 IN A 1.2.3.4 +ENTRY_END + +STEP 50 TIME_PASSES ELAPSE 300 + +; now the upstream is offline, the prefetched answer should be in the cache. +STEP 110 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +www.example.com. IN A +ENTRY_END + +STEP 120 CHECK_ANSWER +ENTRY_BEGIN +MATCH all ttl +REPLY QR RD RA NOERROR +SECTION QUESTION +www.example.com. IN A +SECTION ANSWER +www.example.com. 3300 IN A 10.20.30.40 +SECTION AUTHORITY +example.com. 3300 IN NS ns.example.com. +SECTION ADDITIONAL +ns.example.com. 3300 IN A 1.2.3.4 +ENTRY_END + +SCENARIO_END From db719d404f542cb09d31ace5015f992d78da30af Mon Sep 17 00:00:00 2001 
From: Yorgos Thessalonikefs Date: Mon, 23 Sep 2024 15:31:32 +0200 Subject: [PATCH 33/33] - Fix doxygen warnings by commenting out CLANG_ASSISTED_PARSING, CLANG_ADD_INC_PATHS, CLANG_OPTIONS and CLANG_DATABASE_PATH; they were already disabled. --- doc/Changelog | 5 +++++ doc/unbound.doxygen | 8 ++++---- 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/doc/Changelog b/doc/Changelog index d9af117a1..75dfdc629 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,6 +1,11 @@ 23 September 2024: Wouter - Fix dns64 with prefetch that the prefetch is stored in cache. +23 September 2024: Yorgos + - Fix doxygen warnings by commenting out CLANG_ASSISTED_PARSING, + CLANG_ADD_INC_PATHS, CLANG_OPTIONS and CLANG_DATABASE_PATH; they were + already disabled. + 17 September 2024: Wouter - Add redis-command-timeout: 20 and redis-connect-timeout: 200, that can set the timeout separately for commands and the diff --git a/doc/unbound.doxygen b/doc/unbound.doxygen index 996229118..7ff24284b 100644 --- a/doc/unbound.doxygen +++ b/doc/unbound.doxygen @@ -1226,7 +1226,7 @@ VERBATIM_HEADERS = NO # generated with the -Duse_libclang=ON option for CMake. # The default value is: NO. -CLANG_ASSISTED_PARSING = NO +#CLANG_ASSISTED_PARSING = NO # If the CLANG_ASSISTED_PARSING tag is set to YES and the CLANG_ADD_INC_PATHS # tag is set to YES then doxygen will add the directory of each input to the @@ -1234,7 +1234,7 @@ CLANG_ASSISTED_PARSING = NO # The default value is: YES. # This tag requires that the tag CLANG_ASSISTED_PARSING is set to YES. -CLANG_ADD_INC_PATHS = YES +#CLANG_ADD_INC_PATHS = YES # If clang assisted parsing is enabled you can provide the compiler with command # line options that you would normally use when invoking the compiler. Note that 
@@ -1242,7 +1242,7 @@ CLANG_ADD_INC_PATHS = YES # specified with INPUT and INCLUDE_PATH. # This tag requires that the tag CLANG_ASSISTED_PARSING is set to YES. -CLANG_OPTIONS = +#CLANG_OPTIONS = # If clang assisted parsing is enabled you can provide the clang parser with the # path to the directory containing a file called compile_commands.json. This @@ -1255,7 +1255,7 @@ CLANG_OPTIONS = # Note: The availability of this option depends on whether or not doxygen was # generated with the -Duse_libclang=ON option for CMake. -CLANG_DATABASE_PATH = +#CLANG_DATABASE_PATH = #--------------------------------------------------------------------------- # Configuration options related to the alphabetical class index