CVS log: src / sbin / unwind
Default branch: MAIN
Revision 1.166, Tue May 21 05:00:48 2024 UTC by jsg
Branch: MAIN
CVS Tags: HEAD
Changes since 1.165: +1 -3 lines
Remove prototypes with no matching function and externs with no var. Partly checked by millert@
Revision 1.165, Fri May 10 15:02:26 2024 UTC by florian
Branch: MAIN
Changes since 1.164: +2 -1 lines
Keep probing upstream servers. (lib)unbound might mark many servers down in case of a network issue. This is something that can easily happen for unwind(8). Problem pointed out by Kirill A. Korinsky in unbound(8). https://github.com/NLnetLabs/unbound/issues/362 OK sthen
Revision 1.164, Sun Feb 25 10:13:09 2024 UTC by florian
Branch: MAIN
CVS Tags: OPENBSD_7_5_BASE, OPENBSD_7_5
Changes since 1.163: +15 -1 lines
Let some missing RFC 1918 reverse zones through. Problem spotted and diff from Einfach Jemand (rru.142 at gmail), thanks! OK phessler, jca
Revision 1.163, Thu Dec 14 09:59:27 2023 UTC by claudio
Branch: MAIN
Changes since 1.162: +2 -2 lines
Use imsg_get_fd() to access the fd passed with the imsg. Go ahead florian@ OK tb@
Revision 1.162, Tue Sep 12 15:38:32 2023 UTC by tb
Branch: MAIN
CVS Tags: OPENBSD_7_4_BASE, OPENBSD_7_4
Changes since 1.161: +0 -5 lines
Revert accidentally committed debugging code confirmed by florian
Revision 1.161, Mon Sep 11 06:00:23 2023 UTC by florian
Branch: MAIN
Changes since 1.160: +6 -1 lines
Improve handling of ENOBUFS by not running in a tight loop forever. This cherry-picks upstream git commit 0ee44ef384593ed0382d1ce6048d5a9c9440b45c. Issue reported by landry@, which could be traced back to a buggy WiFi driver that would constantly return ENOBUFS. This in turn led unwind(8) to enter a tight loop through poll / sendto without making any progress and burning 100% cpu. OK sthen
Revision 1.160, Tue Apr 18 09:57:51 2023 UTC by florian
Branch: MAIN
Changes since 1.159: +18 -13 lines
If rcode is SERVFAIL, there is no need to look at the packet. This pulls the check for rcode up, before we check if the answer packet has sensible length. Since we are not touching the packet at all, we don't care about the size and don't need to log if the size is wrong from a DNS perspective. With asr error reporting improved in the previous commit, this probably gets rid of all "bad packet: too short" messages. OK semarie
Revision 1.159, Tue Apr 18 09:57:08 2023 UTC by florian
Branch: MAIN
Changes since 1.158: +8 -3 lines
Improve asr error handling. When an upstream nameserver is not available asr is not synthesizing a SERVFAIL rcode (duh), but sets ar_errno. When we need SERVFAIL further down, we need to set the rcode ourselves. While here, don't complain about a too short packet when asr already told us that resolving did not work out in check_dns64_done. OK semarie
Revision 1.158, Wed Feb 8 08:01:25 2023 UTC by tb
Branch: MAIN
CVS Tags: OPENBSD_7_3_BASE, OPENBSD_7_3
Changes since 1.157: +2 -2 lines
unwind: add two missing void to function definitions. Silences -Wstrict-prototype warnings seen with clang 15 on amd64 and arm64. ok florian
Revision 1.157, Tue Feb 7 17:44:02 2023 UTC by florian
Branch: MAIN
Changes since 1.156: +11 -7 lines
home.arpa is a special-use domain, internally answered by libunbound. Let it through to forwarders like we do with AS112 domains because home.arpa might be useful in the local network. Issue reported by Ryan Kavanagh (rak at rak.ac), thanks! Input & OK tb
Revision 1.156, Tue Nov 29 11:56:32 2022 UTC by florian
Branch: MAIN
Changes since 1.155: +3 -2 lines
Ignore late check results for resolvers we no longer use. Since we no longer use that specific resolver there is also no need to re-check it. tb pointed out that prev_state might be used uninitialized in this case. OK tb
Revision 1.155, Sat Mar 12 14:35:29 2022 UTC by florian
Branch: MAIN
CVS Tags: OPENBSD_7_2_BASE, OPENBSD_7_2, OPENBSD_7_1_BASE, OPENBSD_7_1
Changes since 1.154: +2 -2 lines
Probe for DNS64 presence with an absolute name so that asr doesn't add search domains and retry.
Revision 1.154, Sat Dec 18 10:34:19 2021 UTC by florian
Branch: MAIN
Changes since 1.153: +4 -3 lines
Make sure we receive what we expect over imsg. Instead of repairing potential garbage ensure that we receive proper C strings. Inspired by a similar diff by deraadt@ for ldapd.
Revision 1.153, Tue Nov 16 16:45:23 2021 UTC by kn
Branch: MAIN
Changes since 1.152: +6 -1 lines
Validate RTM_PROPOSAL in resolver, not frontend. The resolver is the actual consumer and shouldn't trust the frontend. Fold the IPv4/IPv6 specific checks thanks to the previous commit. Idea from florian OK florian
Revision 1.152, Tue Nov 16 16:37:52 2021 UTC by kn
Branch: MAIN
Changes since 1.151: +26 -29 lines
Simplify address family handling, ditch inet_ntop(3). Reduce duplicate code and use getnameinfo(3) for IPv4 as well. This commit is the equivalent of sbin/resolvd/resolvd.c revision 1.21 "Simplify address family handling, ditch inet_ntop(3)". OK florian
Revision 1.151, Tue Nov 16 16:30:42 2021 UTC by kn
Branch: MAIN
Changes since 1.150: +19 -6 lines
Install missing scope identifier for IPv6 link-local addresses. RTM_PROPOSAL's list of IP addresses does not contain scope IDs by design. This is not a problem as the proposal is always bound to an interface, as long as we use it... Fill in the scope ID for link-local IPs and replace inet_ntop(3) usage with getnameinfo(3) in the IPv6 case such that it actually turns up in the string representation. This is the unwind specific fix to ensure working IPv6LL; libunbound still requires another fix. This commit is the equivalent of sbin/resolvd/resolvd.c revision 1.20 "Install missing scope identifier for IPv6 link-local addresses". OK florian
Revision 1.150, Sat Oct 23 07:25:20 2021 UTC by florian
Branch: MAIN
Changes since 1.149: +8 -2 lines
unwind(8) gives the most preferred resolver strategy a bit more time (200ms) to answer before trying the next strategy. However, we need to skip strategies that are not available. In the default configuration, without a config file unwind(8) would give DoT 200ms more time, but no DoT forwarders are known, so this is useless. OK kn
Revision 1.149, Tue Aug 31 20:18:03 2021 UTC by kn
Branch: MAIN
CVS Tags: OPENBSD_7_0_BASE, OPENBSD_7_0
Changes since 1.148: +25 -25 lines
Say autoconf, not dhcp. Do not abuse "dhcp" to say "DHCP and SLAAC". unwind.conf(5) does so but unwindctl(8) does not; in fact, the latter already has `status autoconf' to Show nameservers learned from dhclient(8), dhcpleased(8) or slaacd(8). Adjust unwind's config manual and internal code accordingly; still accept the old keyword but do not document it. hostname.if(5) already advises for `inet[6] autoconf' instead of `dhcp' and other related daemons don't abuse the word "dhcp" like unwind does. Feedback sthen OK florian
Revision 1.148, Mon Aug 30 11:09:58 2021 UTC by kn
Branch: MAIN
Changes since 1.147: +2 -2 lines
INADDR_LOOPBACK check needs htonl(3) to work. Found in resolvd(8) which uses the same code.
Revision 1.147, Sat Aug 14 07:40:02 2021 UTC by florian
Branch: MAIN
Changes since 1.146: +3 -2 lines
Use new val-max-restart: 0 option to stop unwind from trying different authorities when encountering a validation error. This only helps one particular case of validation errors: When authorities are out of sync and some carry old zones. In all other cases this causes a huge amount of work that will just end in a SERVFAIL because the result will still be bogus. OK sthen
Revision 1.146, Sun Jul 25 08:36:06 2021 UTC by florian
Branch: MAIN
Changes since 1.145: +4 -4 lines
Do not doubt a secure (i.e. validated) NXDOMAIN response when we just switched networks. We validated it, we can't do better than that! While here reorder the long list of conditions to make it easier to understand when we doubt a response because we might be behind a captive portal. First list all conditions when we do not doubt the response and then the two conditions when we do doubt the response. OK benno
Revision 1.145, Sun Jul 25 08:34:43 2021 UTC by florian
Branch: MAIN
Changes since 1.144: +3 -17 lines
We store a list of resolver strategies in order of their preference in the configuration struct. This is also an implicit list of enabled resolver strategies. We have also stored an explicit lookup array of enabled strategies outside of the configuration to be able to quickly answer "is this strategy enabled" without traversing the preferences list. Move this table into the configuration so that we don't need to "repair" it on config reload. This fixes a bug where on startup the preferences list and enabled lookup table were not in sync. It didn't matter in practice since we do a config reload and then pass in DNSSEC trustanchors on startup. Both actions combined repaired things. OK benno
Revision 1.144, Mon Jul 12 15:09:19 2021 UTC by beck
Branch: MAIN
Changes since 1.143: +2 -2 lines
Change the error reporting pattern throughout the tree when unveil fails to report the path that the failure occurred on. Suggested by deraadt@ after some tech discussion. Work done and verified by Ashton Fagg <ashton@fagg.id.au> ok deraadt@ semarie@ claudio@
Revision 1.143, Sun Feb 7 13:35:41 2021 UTC by florian
Branch: MAIN
CVS Tags: OPENBSD_6_9_BASE, OPENBSD_6_9
Changes since 1.142: +3 -2 lines
Only probe for DNS64 presence when we know that we can talk to the slaacd provided nameservers, i.e. the stub resolver check succeeded. Previously we would only probe DNS64 on network change but would not reschedule when it failed. Sometimes (most of the time?) this fails because our address is still tentative or a default route has not yet been installed. OK phessler
Revision 1.142, Sat Feb 6 18:01:02 2021 UTC by florian
Branch: MAIN
Changes since 1.141: +1 -3 lines
Revert delayed opening of trust anchor file. The code was somewhat ugly and the underlying problem (dhclient and unwind playing well together) should be solved differently. Final straw was jca reporting that it breaks his setup.
Revision 1.141, Sun Jan 31 16:07:27 2021 UTC by florian
Branch: MAIN
Changes since 1.140: +3 -3 lines
Make progress when stepping through rdns proposals even when skipping localhost.
Revision 1.140, Sat Jan 30 10:31:51 2021 UTC by florian
Branch: MAIN
Changes since 1.139: +3 -1 lines
Re-try to open DNSSEC trust anchor file if /var is not mounted yet. This is a step towards starting unwind earlier, before the network is up and partitions are mounted. OK kn
Revision 1.139, Fri Jan 29 17:48:58 2021 UTC by florian
Branch: MAIN
Changes since 1.138: +17 -11 lines
Some libunbound configuration changes can change the quality of a resolver so we have to schedule a re-check. OK kn
Revision 1.138, Thu Jan 28 07:34:34 2021 UTC by florian
Branch: MAIN
Changes since 1.137: +7 -3 lines
A new resolver can be created while we currently run a check with the old configuration. We will then request another check that runs in parallel to the old check. If the new check finishes earlier, the current check result will be overwritten by an outdated check result which is likely wrong. While here fix some whitespace. OK phessler
Revision 1.137, Wed Jan 27 08:30:50 2021 UTC by florian
Branch: MAIN
Changes since 1.136: +43 -8 lines
Determine available address families (and monitor when this changes) to configure libunbound accordingly. This way it no longer tries to talk to IPv6 nameservers when only IPv4 is available and vice versa. input deraadt OK kn
Revision 1.136, Tue Jan 26 12:46:46 2021 UTC by florian
Branch: MAIN
Changes since 1.135: +2 -4 lines
Some config changes require a restart of all resolvers even DEAD ones; handle them like UNKNOWN. Found the hard way by kn.
Revision 1.135, Mon Jan 25 16:56:59 2021 UTC by florian
Branch: MAIN
Changes since 1.134: +5 -4 lines
Disable logging to syslog for libunbound. We are not getting anything useful for us out of it and it can be quite noisy when we are missing IPv4 or IPv6 addresses. It is still available when logging to stderr when running with -d. OK phessler
Revision 1.134, Sun Jan 24 18:29:15 2021 UTC by florian
Branch: MAIN
Changes since 1.133: +234 -5 lines
Implement DNS64 synthesis. When unwind(8) learns new autoconf resolvers (from dhcp or router advertisements) it checks if a DNS64 is present in this network location and tries to recover the IPv6 prefix used according to RFC7050. The learned autoconf resolvers are then prevented from upgrading to the validating state since DNS64 breaks DNSSEC. unwind(8) can now perform its own synthesis. If a query for a AAAA record results in no answer we re-send the query for A and if that leads to an answer we synthesize an AAAA answer using the learned prefixes. Testing & OK kn
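The two mechanisms named in the commit above, as an added example that is not unwind(8)'s own code: RFC 6052 embedding of an IPv4 address into a Pref64::/n (what the synthesized AAAA looks like) and the RFC 7050 prefix recovery, which locates the well-known addresses 192.0.0.170 / 192.0.0.171 in the AAAA answer a DNS64 returns for ipv4only.arpa. All function names and the sample addresses are mine; the example simplifies RFC 7050 by taking the first prefix length at which a well-known address appears and does not model the ambiguous case.

```c
/*
 * Added example, not unwind(8) code.  RFC 6052 address embedding and the
 * RFC 7050 prefix discovery that DNS64 synthesis relies on:
 *  - dns64_synth() builds an AAAA from a Pref64::/n and an IPv4 address;
 *  - dns64_find_prefix() recovers Pref64::/n from the AAAA a DNS64 gives
 *    for ipv4only.arpa by locating 192.0.0.170 / 192.0.0.171 at each of
 *    the six permitted positions (first match wins; simplification).
 * Sample addresses below are constructed.
 */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static const uint8_t wka170[4] = { 192, 0, 0, 170 };
static const uint8_t wka171[4] = { 192, 0, 0, 171 };
static const int plens[] = { 32, 40, 48, 56, 64, 96 };

static char tmp[INET6_ADDRSTRLEN];	/* scratch buffer for string helpers */

static int
valid_plen(int pl)
{
	return pl % 8 == 0 && ((pl >= 32 && pl <= 64) || pl == 96);
}

/*
 * RFC 6052 section 2.2: the IPv4 bytes follow the prefix in order, but
 * byte 8 (the "u" octet) is skipped and stays zero for prefixes shorter
 * than /96.  Returns 0 on success, -1 for an invalid prefix length.
 */
int
dns64_synth(const uint8_t prefix[16], int pl, const uint8_t v4[4],
    uint8_t out[16])
{
	int idx = pl / 8, k;

	if (!valid_plen(pl))
		return -1;
	memset(out, 0, 16);
	memcpy(out, prefix, pl / 8);
	for (k = 0; k < 4; k++) {
		if (idx == 8)
			idx++;
		out[idx++] = v4[k];
	}
	return 0;
}

/* Inverse of dns64_synth() for one assumed prefix length. */
int
dns64_extract(const uint8_t a6[16], int pl, uint8_t v4[4])
{
	int idx = pl / 8, k;

	if (!valid_plen(pl))
		return -1;
	for (k = 0; k < 4; k++) {
		if (idx == 8)
			idx++;
		v4[k] = a6[idx++];
	}
	return 0;
}

/*
 * Given the AAAA a DNS64 returned for ipv4only.arpa, find the prefix
 * length at which a well-known address is embedded.  Fills prefix (zero
 * padded) and returns the length, or -1 if no WKA is found, meaning no
 * DNS64 synthesized this answer.
 */
int
dns64_find_prefix(const uint8_t a6[16], uint8_t prefix[16])
{
	uint8_t	v4[4];
	size_t	i;

	for (i = 0; i < sizeof(plens) / sizeof(plens[0]); i++) {
		dns64_extract(a6, plens[i], v4);
		if (memcmp(v4, wka170, 4) == 0 || memcmp(v4, wka171, 4) == 0) {
			memset(prefix, 0, 16);
			memcpy(prefix, a6, plens[i] / 8);
			return plens[i];
		}
	}
	return -1;
}

/* String front ends: synthesize into tmp, or recover the prefix into tmp. */
int
synth_str(const char *prefix, int pl, const char *v4)
{
	uint8_t p[16], a[4], r[16];

	if (inet_pton(AF_INET6, prefix, p) != 1 || inet_pton(AF_INET, v4, a) != 1)
		return -1;
	if (dns64_synth(p, pl, a, r) == -1)
		return -1;
	return inet_ntop(AF_INET6, r, tmp, sizeof(tmp)) == NULL ? -1 : 0;
}

int
find_prefix_str(const char *aaaa)
{
	uint8_t a6[16], p[16];
	int pl;

	if (inet_pton(AF_INET6, aaaa, a6) != 1)
		return -1;
	if ((pl = dns64_find_prefix(a6, p)) == -1)
		return -1;
	return inet_ntop(AF_INET6, p, tmp, sizeof(tmp)) == NULL ? -1 : pl;
}

int
main(void)
{
	int pl;

	if (synth_str("64:ff9b::", 96, "192.0.2.1") == 0)
		printf("64:ff9b::/96 + 192.0.2.1 -> %s\n", tmp);
	if ((pl = find_prefix_str("2001:db8:1c0:0:ab::")) != -1)
		printf("ipv4only.arpa answer reveals %s/%d\n", tmp, pl);
	return 0;
}
```

The skip over byte 8 is the whole trick of the RFC 6052 layout: every prefix length from /32 to /64 straddles the "u" octet, and an implementation that simply appends the four IPv4 bytes after the prefix produces wrong addresses for all of them except /96.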
Revision 1.133, Sat Jan 23 16:28:12 2021 UTC by florian
Branch: MAIN
Changes since 1.132: +25 -14 lines
Move resolv_conf string generation for ASR to function; makes upcoming DNS64 diff simpler.
Revision 1.132, Sat Jan 23 16:27:24 2021 UTC by florian
Branch: MAIN
Changes since 1.131: +3 -3 lines
Don't just blindly upgrade to VALIDATING if we see a SECURE answer. Let's go through the check_resolver() / new_resolver() code path which will also hook up the resolver to the shared cache. This means also one less special case for upcoming DNS64 support.
Revision 1.131, Tue Jan 19 16:52:40 2021 UTC by florian
Branch: MAIN
Changes since 1.130: +3 -3 lines
Make imsg event structs static to fix -fno-common. Follows claudio's lead in ospfd et al. Problem reported by mortimer.
Revision 1.130, Tue Jan 19 16:50:23 2021 UTC by florian
Branch: MAIN
Changes since 1.129: +3 -4 lines
No need for a global uw_process; unbreaks -fno-common. Problem reported by mortimer
Revision 1.129, Sat Dec 26 15:07:25 2020 UTC by florian
Branch: MAIN
Changes since 1.128: +9 -2 lines
Otto hit an impossible situation: an answer bigger than 64k. Log the query and answer SERVFAIL instead of exiting fatally. That way we can at least figure out where libunbound goes off the rails. OK otto
Revision 1.128, Fri Dec 11 16:37:41 2020 UTC by florian
Branch: MAIN
Changes since 1.127: +24 -18 lines
Introduce query_imsg2str() to simplify printing "qname class type". OK kn some time ago
Revision 1.127, Fri Dec 11 16:36:03 2020 UTC by florian
Branch: MAIN
Changes since 1.126: +30 -33 lines
The recent fix to handle large answers in unwind (errata #5 for 6.8) has the downside to always copy the maximum IMSG size (about 16k) between the resolver and frontend process for DNS answers because we had to keep it as simple as possible. We can now rearrange things in -current to be less wasteful. This copies only the usually small DNS answer. In the unusual case that a DNS answer is larger than the maximum IMSG size fragment the message and send multiple IMSGs.
Revision 1.123.4.1, Mon Nov 9 16:55:01 2020 UTC by tb
Branch: OPENBSD_6_7
Changes since 1.123: +28 -7 lines
Next MAIN revision: 1.124
Handle DNS answers that are larger than the maximum imsg size (about 16k) by splitting them up. Previously unwind would send meta-data about the finished query from the resolver process to the frontend process and then silently fail to send the actual answer because it was too big for imsg. When receiving the meta-data for the next query the frontend process would then exit via fatal() because it was still expecting an answer. This likely fixes rare crashes observed by Leo Unglaub. Note that even with DNSSEC signatures, answers this big are very rare. OK tb, benno
original commit: florian
This is errata/6.7/028_unwind.patch.sig
Revision 1.125.4.1, Mon Nov 9 16:54:52 2020 UTC by tb
Branch: OPENBSD_6_8
Changes since 1.125: +28 -7 lines
Next MAIN revision: 1.126
Handle DNS answers that are larger than the maximum imsg size (about 16k) by splitting them up. Previously unwind would send meta-data about the finished query from the resolver process to the frontend process and then silently fail to send the actual answer because it was too big for imsg. When receiving the meta-data for the next query the frontend process would then exit via fatal() because it was still expecting an answer. This likely fixes rare crashes observed by Leo Unglaub. Note that even with DNSSEC signatures, answers this big are very rare. OK tb, benno
original commit: florian
This is errata/6.8/005_unwind.patch.sig
Revision 1.126, Thu Nov 5 16:22:59 2020 UTC by florian
Branch: MAIN
Changes since 1.125: +28 -7 lines
Handle DNS answers that are larger than the maximum imsg size (about 16k) by splitting them up. Previously unwind would send meta-data about the finished query from the resolver process to the frontend process and then silently fail to send the actual answer because it was too big for imsg. When receiving the meta-data for the next query the frontend process would then exit via fatal() because it was still expecting an answer. This likely fixes rare crashes observed by Leo Unglaub. Note that even with DNSSEC signatures, answers this big are very rare. OK tb, benno
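The split-and-reassemble scheme that revision 1.126 (and its 6.7/6.8 errata backports above) describes, as an added example that is not unwind(8)'s code: the resolver side chops an answer into fragments that each fit under the imsg payload ceiling, and the frontend side refuses any fragment that would write outside the length it was told to expect. The constants for MAX_IMSGSIZE and the imsg header size are assumptions (16384 and 16 bytes, the values in OpenBSD's imsg.h), the per-fragment header is my own, and the answer payload is constructed.

```c
/*
 * Added example, not unwind(8) code.  Send a DNS answer that may exceed
 * the imsg payload limit from the resolver process to the frontend in
 * fragments, and reassemble it on the receiving side with bounds checks.
 * Assumptions: MAX_IMSGSIZE 16384 and a 16-byte imsg header (OpenBSD's
 * values) and a per-fragment header of three 32-bit fields.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_IMSGSIZE		16384	/* assumed, as in OpenBSD imsg.h */
#define IMSG_HEADER_SIZE	16	/* assumed sizeof(struct imsg_hdr) */

struct frag_hdr {
	uint32_t id;		/* query this fragment belongs to */
	uint32_t offset;	/* byte offset within the full answer */
	uint32_t len;		/* bytes of answer data in this fragment */
};
#define FRAG_DATA_MAX (MAX_IMSGSIZE - IMSG_HEADER_SIZE - sizeof(struct frag_hdr))

/* Receiver state, set up when the meta-data (id, total length) arrives. */
struct answer_rx {
	uint32_t id;
	uint32_t total;
	uint32_t received;
	uint8_t *buf;
};

/* Sender: split answer into fragments, passing each to emit().  Returns
 * the fragment count, or -1 if emit() refused one. */
int
answer_send(uint32_t id, const uint8_t *answer, size_t len,
    int (*emit)(const struct frag_hdr *, const uint8_t *, void *), void *arg)
{
	struct frag_hdr h;
	size_t off = 0;
	int n = 0;

	do {
		h.id = id;
		h.offset = off;
		h.len = (len - off > FRAG_DATA_MAX) ? FRAG_DATA_MAX : len - off;
		if (emit(&h, answer + off, arg) == -1)
			return -1;
		off += h.len;
		n++;
	} while (off < len);
	return n;
}

/* Receiver: copy one fragment in.  Fragments arrive in order on one
 * socket, so the offset must equal what was received so far, and the
 * length must stay inside the announced total: the frontend must not let
 * the other process' lengths drive a memcpy() past its buffer.  Returns 1
 * when the answer is complete, 0 if more is expected, -1 on a bad one. */
int
answer_recv(struct answer_rx *rx, const struct frag_hdr *h, const uint8_t *data)
{
	if (h->id != rx->id || h->len == 0 || h->len > FRAG_DATA_MAX)
		return -1;
	if (h->offset != rx->received || h->len > rx->total - h->offset)
		return -1;
	memcpy(rx->buf + h->offset, data, h->len);
	rx->received += h->len;
	return rx->received == rx->total ? 1 : 0;
}

static int
deliver(const struct frag_hdr *h, const uint8_t *data, void *arg)
{
	return answer_recv(arg, h, data) == -1 ? -1 : 0;
}

/* Round-trip a constructed answer of len bytes (len > 0).  Returns the
 * fragment count if it reassembles byte-for-byte, -1 otherwise. */
int
roundtrip(size_t len)
{
	struct answer_rx rx = { 42, (uint32_t)len, 0, NULL };
	uint8_t *answer = malloc(len);
	size_t i;
	int n = -1;

	if (answer == NULL || (rx.buf = malloc(len)) == NULL)
		goto out;
	for (i = 0; i < len; i++)
		answer[i] = (uint8_t)(i * 31 + 7);	/* constructed payload */
	n = answer_send(42, answer, len, deliver, &rx);
	if (n != -1 && (rx.received != len || memcmp(answer, rx.buf, len) != 0))
		n = -1;
out:
	free(answer);
	free(rx.buf);
	return n;
}

/* A fragment claiming more bytes than the announced total is refused
 * before any copy happens (rx.buf is deliberately NULL here). */
int
bad_fragment_rejected(void)
{
	struct answer_rx rx = { 42, 100, 0, NULL };
	struct frag_hdr h = { 42, 0, 120 };
	uint8_t junk[8] = { 0 };

	return answer_recv(&rx, &h, junk) == -1;
}

int
main(void)
{
	printf("40000-byte answer -> %d fragments\n", roundtrip(40000));
	printf("oversized fragment rejected: %d\n", bad_fragment_rejected());
	return 0;
}
```

With these constants a fragment carries at most 16356 answer bytes, so a 40000-byte answer takes three imsgs and anything up to 16356 bytes still goes in one, which is the common case the commit message notes.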
Revision 1.125, Sat Sep 12 17:01:03 2020 UTC by florian
Branch: MAIN
CVS Tags: OPENBSD_6_8_BASE
Branch point for: OPENBSD_6_8
Changes since 1.124: +8 -5 lines
When an interface disappears we need to forget the learned autoconf resolvers. OK kn
Revision 1.124, Sun May 10 06:44:07 2020 UTC by otto
Branch: MAIN
Changes since 1.123: +10 -5 lines
sockaddr_rtdns does not guarantee alignment of the buffer. So first memcpy the address into a local var before comparing it with code that reads ints using int *. at least sparc64 and landisk suffer from this. with and ok jca@
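Two of the fixes on this page concern the same loop over the addresses carried in a sockaddr_rtdns: revision 1.148's point that comparing against INADDR_LOOPBACK needs htonl(3), and revision 1.124's point, just above, that each address must be memcpy'd out of the unaligned buffer before being read as a word. The following is an added example of my own, not unwind(8)'s code, that shows both; the packed buffer, its addresses and the function names are constructed for illustration.

```c
/*
 * Added example, not unwind(8) code.  Walk a packed buffer of IPv4
 * addresses (the shape of a sockaddr_rtdns payload) that may start at an
 * unaligned offset and count how many are 127.0.0.1.  Two details matter:
 *  - copy each address out with memcpy() instead of casting the buffer to
 *    int * or struct in_addr *, since a misaligned word load faults on
 *    strict-alignment machines such as sparc64;
 *  - INADDR_LOOPBACK is a host-order constant while s_addr is in network
 *    order, so the comparison needs htonl(3).
 */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Wrong: compares a network-order address with a host-order constant.  On
 * a little-endian host 127.0.0.1 is stored as 0x0100007f and never matches. */
static int
is_loopback_buggy(struct in_addr a)
{
	return a.s_addr == INADDR_LOOPBACK;
}

/* Right: convert the constant to network order first. */
static int
is_loopback(struct in_addr a)
{
	return a.s_addr == htonl(INADDR_LOOPBACK);
}

/* Count loopback entries among n packed addresses at buf, which need not
 * be aligned.  Returns -1 if the buffer is too short for n addresses. */
static int
count_loopback(const uint8_t *buf, size_t len, size_t n)
{
	struct in_addr	a;
	size_t		i;
	int		count = 0;

	if (n > len / sizeof(a))
		return -1;
	for (i = 0; i < n; i++) {
		/* memcpy() tolerates any alignment; *(int *)(buf + 4 * i) does not */
		memcpy(&a, buf + i * sizeof(a), sizeof(a));
		if (is_loopback(a))
			count++;
	}
	return count;
}

static struct in_addr
make_addr(const char *s)
{
	struct in_addr a;

	if (inet_pton(AF_INET, s, &a) != 1)
		a.s_addr = 0;
	return a;
}

/* Constructed sample: four addresses written one byte into the buffer, so
 * every one of them sits at an odd, unaligned offset.  Two are loopback. */
static int
sample_loopback_count(void)
{
	static const char *addrs[] =
	    { "127.0.0.1", "192.0.2.53", "127.0.0.1", "198.51.100.1" };
	uint8_t		buf[1 + 4 * sizeof(struct in_addr)];
	struct in_addr	a;
	size_t		i;

	memset(buf, 0, sizeof(buf));
	for (i = 0; i < 4; i++) {
		a = make_addr(addrs[i]);
		memcpy(buf + 1 + i * sizeof(a), &a, sizeof(a));
	}
	return count_loopback(buf + 1, sizeof(buf) - 1, 4);
}

/* 1 only on big-endian hosts, where the missing htonl() is masked. */
static int
buggy_check_agrees(void)
{
	struct in_addr a = make_addr("127.0.0.1");

	return is_loopback_buggy(a) == is_loopback(a);
}

int
main(void)
{
	printf("loopback entries: %d\n", sample_loopback_count());
	printf("buggy check agrees on this host: %d\n", buggy_check_agrees());
	return 0;
}
```

The byte-order bug is silent on big-endian machines, which is why code like this can survive until it is run on amd64; the alignment bug is the mirror image, silent on amd64 and fatal on sparc64 or landisk.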
Revision 1.123, Thu Mar 19 19:27:21 2020 UTC by tobhe
Branch: MAIN
CVS Tags: OPENBSD_6_7_BASE
Branch point for: OPENBSD_6_7
Changes since 1.122: +4 -2 lines
Return when create_solver() returns NULL to prevent null pointer dereference in 'resolvers[type]->state = state'. ok florian@
Revision 1.122, Tue Jan 28 21:11:06 2020 UTC by florian
Branch: MAIN
Changes since 1.121: +4 -8 lines
We are not correctly upgrading from "UNKNOWN" to "VALIDATING" resulting in a "fatal in resolver: wrong unified cache set on resolver". I believe this happens because we are using an UNKNOWN resolving strategy to resolve queries. Disable the upgrade logic for now and always construct a fresh resolver context and set the unified context on it before any cache gets allocated. This causes a bit of memory churn on startup and when changing networks, but better than a crashing unwind. First observed by deraadt
Revision 1.121, Tue Jan 28 15:44:13 2020 UTC by bket
Branch: MAIN
Changes since 1.120: +2 -5 lines
sbin/unwind: replace TAILQ concatenation loop with TAILQ_CONCAT OK florian@. reads ok benno@
Revision 1.120, Mon Jan 20 20:41:43 2020 UTC by florian
Branch: MAIN
Changes since 1.119: +47 -14 lines
We can not share a cache between validating and resolving strategies. The resolving only strategies mess up the negative cache by claiming DNSSEC related records do not exist which confuses the validating strategies. Found the hard way by kn@ and analysed by otto@ OK kn@
Revision 1.119, Mon Dec 23 15:03:46 2019 UTC by florian
Branch: MAIN
Changes since 1.118: +1 -5 lines
Ralph Dolmans from nlnetlabs points out that libunbound uses ub_event_pluggable.c instead of ub_event.c. ( https://github.com/NLnetLabs/unbound/issues/99 ) We have been the odd one out, so switch to ub_event_pluggable, too.
Revision 1.118, Wed Dec 18 13:04:05 2019 UTC by florian
Branch: MAIN
Changes since 1.117: +6 -1 lines
Workaround unbound github issue #99. https://github.com/NLnetLabs/unbound/issues/99 ub_ctx_delete would free the passed in event_base leading to use-after-free since libunbound never allocated the memory and unwind expects to continue using the event_base.
Revision 1.117, Wed Dec 18 09:18:27 2019 UTC by florian
Branch: MAIN
Changes since 1.116: +27 -1 lines
Implement unwindctl status memory to show cache memory usage. testing by otto & pamela as part of a larger diff
Revision 1.116, Wed Dec 18 09:17:22 2019 UTC by florian
Branch: MAIN
Changes since 1.115: +82 -27 lines
Rework unified cache handling to be able to unify key and neg caches. testing by otto & pamela as part of a larger diff
Revision 1.115, Sun Dec 15 17:23:27 2019 UTC by florian
Branch: MAIN
Changes since 1.114: +5 -3 lines
Make this fit in 80 cols.
Revision 1.114, Sun Dec 15 13:49:13 2019 UTC by otto
Branch: MAIN
Changes since 1.113: +4 -2 lines
Allow more outgoing ports, the default 16 is pretty tight for the recursor. Also change strategy to not fetch addresses of nameservers pro-actively, it does not help a lot in typical unwind setups and consumes resources we would like to spend on actual resolving user queries. ok florian@
Revision 1.113, Sat Dec 14 19:56:24 2019 UTC by otto
Branch: MAIN
Changes since 1.112: +3 -1 lines
Be less aggressive pre-allocating memory; ok florian@
Revision 1.112, Sat Dec 14 17:20:40 2019 UTC by florian
Branch: MAIN
Changes since 1.111: +50 -63 lines
Simplify resolve_done.
- check if this is an answer to a still running query up front, if not there is nothing more to do
- get rid of the retry case, we can now just inline it
- reduce indent by always calculating elapsed time for DOUBT_NXDOMAIN_SEC
Triggered by, input and OK otto
Revision 1.111, Sat Dec 14 11:18:54 2019 UTC by otto
Branch: MAIN
Changes since 1.110: +7 -1 lines
No use to create resolvers we know are going to be dead; ok florian@
Revision 1.110, Fri Dec 13 16:18:54 2019 UTC by otto
Branch: MAIN
Changes since 1.109: +3 -2 lines
Don't try dead resolvers; ok florian@
Revision 1.109, Fri Dec 13 15:10:04 2019 UTC by otto
Branch: MAIN
Changes since 1.108: +2 -2 lines
print type as type and not as rcode
Revision 1.108, Fri Dec 13 14:37:03 2019 UTC by otto
Branch: MAIN
Changes since 1.107: +11 -5 lines
Avoid leaks by using the _buf versions of sldns_wire2str_* functions. Also add some consistency checking to detect logic errors. ok @florian
Revision 1.107, Thu Dec 12 09:28:58 2019 UTC by florian
Branch: MAIN
Changes since 1.106: +101 -118 lines
Only create (and check) resolvers listed in preferences. Unfortunately this required a fair amount of deck chair shuffling. Input & OK otto
Revision 1.106, Wed Dec 11 15:50:47 2019 UTC by otto
Branch: MAIN
Changes since 1.105: +28 -17 lines
Plug leaks related to running queue maintenance. ok florian@
Revision 1.105, Tue Dec 10 07:49:01 2019 UTC by florian
Branch: MAIN
Changes since 1.104: +18 -14 lines
Similar to doubting NXDOMAIN when we just switched networks we also need to doubt validation errors as we might find ourselves behind a captive portal. The hotspot at schiphol airport uses login.hotspotschiphol.nl:
- it is NXDOMAIN on the public internet
- hotspotschiphol.nl is signed and attests that login does not exist.
- resolves to 1.1.1.5(!) when asking the dhcp nameservers
- the dhcp nameservers pass DNSSEC records so validation works
This resulted in unwind doing validation and answering SERVFAIL since the answer is bogus. Input & OK otto
Revision 1.104, Sun Dec 8 21:31:16 2019 UTC by florian
Branch: MAIN
Changes since 1.103: +3 -2 lines
Limit advertised UDP payload size to 1232 bytes to prevent PMTU / fragmentation issues. OK otto
Revision 1.103, Sun Dec 8 09:47:50 2019 UTC by florian
Branch: MAIN
Changes since 1.102: +84 -116 lines
Turn opportunistic DoT into their own strategies. This is beneficial since we prefer strategies according to their performance. Previously name servers were upgraded to opportunistic DoT if it was available even if the round trip times went through the roof and there was no way to get back to plain udp/53 DNS. To make up a bit of space in the unwindctl status output, name servers learned via DHCP or SLAAC are printed in a new subcommand. The status output will be further improved shortly. Input & OK otto
Revision 1.102, Fri Dec 6 19:39:14 2019 UTC by florian
Branch: MAIN
Changes since 1.101: +4 -2 lines
Log why an answer is bogus. OK otto
Revision 1.101, Fri Dec 6 16:41:11 2019 UTC by otto
Branch: MAIN
Changes since 1.100: +7 -4 lines
Use the middle of the histogram bar in the median computations instead of the right-hand side; ok florian@
Revision 1.100, Thu Dec 5 15:50:20 2019 UTC by otto
Branch: MAIN
Changes since 1.99: +4 -4 lines
be less verbose in debug logging; ok florian@
Revision 1.99, Wed Dec 4 21:02:25 2019 UTC by florian
Branch: MAIN
Changes since 1.98: +14 -3 lines
When we detect that a resolver strategy is not validating because the time is wrong enable a timer to check it again later. ntpd might have corrected the time. input & OK otto
Revision 1.98, Wed Dec 4 13:56:09 2019 UTC by otto
Branch: MAIN
Changes since 1.97: +4 -1 lines
If we see a validated result, we can (must!) assume the resolver is validating; ok florian@
Revision 1.97, Tue Dec 3 16:17:48 2019 UTC by florian
Branch: MAIN
Changes since 1.96: +17 -11 lines
Cleanup query logging. Debug log level 1 gives us basic query progress, level 2 writes out packets. looks good to otto
Revision 1.96 / (download) - annotate - [select for diffs], Tue Dec 3 16:17:00 2019 UTC (4 years, 5 months ago) by florian
Branch: MAIN
Changes since 1.95: +16 -11 lines
Diff to previous 1.95 (colored)
Cleanup check_resolver_done() debug logging. Log answer packet only at debug level 2. looks good to otto
Revision 1.95 / (download) - annotate - [select for diffs], Tue Dec 3 16:16:25 2019 UTC (4 years, 5 months ago) by florian
Branch: MAIN
Changes since 1.94: +4 -4 lines
Diff to previous 1.94 (colored)
Add one more debug level and enable very detailed libunbound logging with this. Currently only available as a command line flag (-vvv). With this we now have two debug levels available in unwind proper, to be used shortly. looks good to otto
Revision 1.94 / (download) - annotate - [select for diffs], Tue Dec 3 16:15:41 2019 UTC (4 years, 5 months ago) by florian
Branch: MAIN
Changes since 1.93: +6 -8 lines
Diff to previous 1.93 (colored)
No need to store "why_bogus" with the resolver, we are no longer showing it in unwindctl. But log it with level warn for check_resolver so that one can find out what's wrong with a resolver strategy. looks good to otto
Revision 1.93 / (download) - annotate - [select for diffs], Tue Dec 3 16:14:31 2019 UTC (4 years, 5 months ago) by florian
Branch: MAIN
Changes since 1.92: +9 -96 lines
Diff to previous 1.92 (colored)
Remove useless log_debug() calls. Looks good to otto
Revision 1.92 / (download) - annotate - [select for diffs], Tue Dec 3 14:35:04 2019 UTC (4 years, 5 months ago) by otto
Branch: MAIN
Changes since 1.91: +19 -34 lines
Diff to previous 1.91 (colored)
No more status subcommands; ok florian@
Revision 1.91 / (download) - annotate - [select for diffs], Mon Dec 2 16:00:13 2019 UTC (4 years, 6 months ago) by otto
Branch: MAIN
Changes since 1.90: +11 -6 lines
Diff to previous 1.90 (colored)
Save the computed median to avoid having it to compute it all the time; ok florian@
Revision 1.90 / (download) - annotate - [select for diffs], Mon Dec 2 14:40:53 2019 UTC (4 years, 6 months ago) by florian
Branch: MAIN
Changes since 1.89: +60 -4 lines
Diff to previous 1.89 (colored)
Use a unified cache in all libunbound based resolvers. OK otto
Revision 1.89 / (download) - annotate - [select for diffs], Mon Dec 2 08:56:03 2019 UTC (4 years, 6 months ago) by otto
Branch: MAIN
Changes since 1.88: +2 -2 lines
Diff to previous 1.88 (colored)
increment refcount before doing the call to resolve(); ok florian@
Revision 1.88 / (download) - annotate - [select for diffs], Mon Dec 2 06:26:52 2019 UTC (4 years, 6 months ago) by otto
Branch: MAIN
Changes since 1.87: +13 -29 lines
Diff to previous 1.87 (colored)
Add an "all" mode for status and a much more compact and readable histogram display; remove the why bogus status message; ok florian@
Revision 1.87 / (download) - annotate - [select for diffs], Sun Dec 1 14:37:34 2019 UTC (4 years, 6 months ago) by otto
Branch: MAIN
Changes since 1.86: +58 -5 lines
Diff to previous 1.86 (colored)
Allow forcing specific domains to be resolved by specific resolvers; Handles typical split-horizon setups. ok florian@
Revision 1.86 / (download) - annotate - [select for diffs], Sat Nov 30 16:14:03 2019 UTC (4 years, 6 months ago) by otto
Branch: MAIN
Changes since 1.85: +10 -4 lines
Diff to previous 1.85 (colored)
make sure we only pass normalized timevals for the next resolver interval; ok florian@
Revision 1.85 / (download) - annotate - [select for diffs], Sat Nov 30 11:09:14 2019 UTC (4 years, 6 months ago) by florian
Branch: MAIN
Changes since 1.84: +6 -3 lines
Diff to previous 1.84 (colored)
Not being able to create a resolver is not a fatal condition in unwind, there might be others still working. Make sure check_resolver() handles this correctly.
Revision 1.84 / (download) - annotate - [select for diffs], Fri Nov 29 15:22:02 2019 UTC (4 years, 6 months ago) by florian
Branch: MAIN
Changes since 1.83: +9 -11 lines
Diff to previous 1.83 (colored)
While we learn how the "decaying" histogram works it's helpful to show it in unwindctl status output next to the all time histogram.
Revision 1.83 / (download) - annotate - [select for diffs], Thu Nov 28 20:28:13 2019 UTC (4 years, 6 months ago) by otto
Branch: MAIN
Changes since 1.82: +37 -6 lines
Diff to previous 1.82 (colored)
The happy eyeballs code computes a median to assess how well a resolver is doing. But circumstances can change, so decay the histogram data over time to slowly forget about that past. Uses fixed point arithmetic to avoid floating point. ok florian@
Revision 1.82 / (download) - annotate - [select for diffs], Thu Nov 28 10:40:29 2019 UTC (4 years, 6 months ago) by florian
Branch: MAIN
Changes since 1.81: +2 -1 lines
Diff to previous 1.81 (colored)
show median RTT in unwindctl status
Revision 1.81 / (download) - annotate - [select for diffs], Thu Nov 28 10:02:44 2019 UTC (4 years, 6 months ago) by florian
Branch: MAIN
Changes since 1.80: +44 -51 lines
Diff to previous 1.80 (colored)
Track all elements of a forwarder configuration individually: IP address, port and authentication name. This makes print_config less awkward and fixes a bug where an alternative port number was not printed.
Revision 1.80 / (download) - annotate - [select for diffs], Wed Nov 27 17:12:31 2019 UTC (4 years, 6 months ago) by florian
Branch: MAIN
Changes since 1.79: +349 -107 lines
Diff to previous 1.79 (colored)
Instead of only considering if a resolving strategy is dead, works or validates, measure how well it is doing. We keep track of the round trip median time of past queries and sort strategies according to this in addition to the more basic qualities of does it resolve and does it validate. If a query is not answered within the median time the next best strategy gets a chance. The most preferred strategy (either from the config file or defaults) gets an additional head start of 200ms. A response of SERVFAIL also advances to the next best strategy. This is helpful when the picked strategy can only see parts of the internet but another strategy can reach more. This alone gets us past quite a few captive portals already. Additionally we doubt NXDOMAIN from anything but the stub resolver for the first 5 minutes after a network change. This is probably as good as the http check we had previously but more tests are needed. This was inspired by RFC 8305, "Happy Eyeballs". OK otto
Revision 1.79 / (download) - annotate - [select for diffs], Wed Nov 27 17:11:00 2019 UTC (4 years, 6 months ago) by florian
Branch: MAIN
Changes since 1.78: +9 -8 lines
Diff to previous 1.78 (colored)
Move resolver preference storage to a struct which makes it easier to reuse in the future. OK otto
Revision 1.78 / (download) - annotate - [select for diffs], Wed Nov 27 17:09:12 2019 UTC (4 years, 6 months ago) by florian
Branch: MAIN
Changes since 1.77: +9 -299 lines
Diff to previous 1.77 (colored)
Nuke http captive portal detection; something better is coming. OK otto
Revision 1.77 / (download) - annotate - [select for diffs], Mon Nov 25 18:10:42 2019 UTC (4 years, 6 months ago) by otto
Branch: MAIN
Changes since 1.76: +3 -3 lines
Diff to previous 1.76 (colored)
simplify histogram code and cut off at < limit, as the histogram display in unwindctl suggests; ok florian@
Revision 1.76 / (download) - annotate - [select for diffs], Mon Nov 25 17:36:48 2019 UTC (4 years, 6 months ago) by florian
Branch: MAIN
Changes since 1.75: +2 -2 lines
Diff to previous 1.75 (colored)
Signal what happened, not what needs doing. The frontend doesn't know.
Revision 1.75 / (download) - annotate - [select for diffs], Sat Nov 23 08:57:52 2019 UTC (4 years, 6 months ago) by florian
Branch: MAIN
Changes since 1.74: +5 -3 lines
Diff to previous 1.74 (colored)
plug memory leak
Revision 1.74 / (download) - annotate - [select for diffs], Sat Nov 23 08:17:10 2019 UTC (4 years, 6 months ago) by florian
Branch: MAIN
Changes since 1.73: +16 -15 lines
Diff to previous 1.73 (colored)
An if_index of zero signals to remove all previous proposals from a daemon. Soon to be used by slaacd(8) which handles all interfaces but can't know which interfaces had been set to autoconf before a restart.
Revision 1.73 / (download) - annotate - [select for diffs], Fri Nov 22 20:09:09 2019 UTC (4 years, 6 months ago) by otto
Branch: MAIN
Changes since 1.72: +19 -8 lines
Diff to previous 1.72 (colored)
Use a table for unbound options; ok florian@
Revision 1.72 / (download) - annotate - [select for diffs], Fri Nov 22 15:31:25 2019 UTC (4 years, 6 months ago) by florian
Branch: MAIN
Changes since 1.71: +37 -159 lines
Diff to previous 1.71 (colored)
Treat DNS proposals as replacement of previous proposals from the same daemon and interface. An empty list is automatically a withdrawal. prodding deraadt@
Revision 1.71 / (download) - annotate - [select for diffs], Thu Nov 21 05:01:22 2019 UTC (4 years, 6 months ago) by florian
Branch: MAIN
Changes since 1.70: +6 -1 lines
Diff to previous 1.70 (colored)
Track on which interface nameservers have been learned. prodding deraadt@
Revision 1.70 / (download) - annotate - [select for diffs], Wed Nov 20 15:50:41 2019 UTC (4 years, 6 months ago) by florian
Branch: MAIN
Changes since 1.69: +13 -3 lines
Diff to previous 1.69 (colored)
Check for a too short answer packet in all callback functions because otherwise we try to parse an invalid packet. This can be triggered by captive_portal_resolve_done() when dhcp provided nameservers do not answer and asr hits a timeout. answer_packet is NULL and answer_len -1 in that case. Found the hard way by claudio
Revision 1.69 / (download) - annotate - [select for diffs], Tue Nov 19 14:49:36 2019 UTC (4 years, 6 months ago) by florian
Branch: MAIN
Changes since 1.68: +15 -3 lines
Diff to previous 1.68 (colored)
Print learned forwarders in unwindctl. Someone please make this pretty. Tested by deraadt as part of a larger diff.
Revision 1.68 / (download) - annotate - [select for diffs], Tue Nov 19 14:47:46 2019 UTC (4 years, 6 months ago) by florian
Branch: MAIN
Changes since 1.67: +119 -42 lines
Diff to previous 1.67 (colored)
Proposals from dhclient are sometimes replacements. slaacd should be changed as well. Tested by deraadt as part of a larger diff.
Revision 1.67 / (download) - annotate - [select for diffs], Tue Nov 19 14:46:33 2019 UTC (4 years, 6 months ago) by florian
Branch: MAIN
Changes since 1.66: +6 -70 lines
Diff to previous 1.66 (colored)
Stop dhcp lease file parsing now that dhclient sends proposals. Tested by deraadt as part of a larger diff.
Revision 1.66 / (download) - annotate - [select for diffs], Fri Nov 15 06:08:21 2019 UTC (4 years, 6 months ago) by otto
Branch: MAIN
Changes since 1.65: +7 -7 lines
Diff to previous 1.65 (colored)
Improve readability by using a typedef for the callback type; ok florian@
Revision 1.65 / (download) - annotate - [select for diffs], Thu Nov 14 08:34:17 2019 UTC (4 years, 6 months ago) by florian
Branch: MAIN
Changes since 1.64: +68 -7 lines
Diff to previous 1.64 (colored)
With the stub resolver we have had for some time we can resolve the captive portal host internally via the resolver process. deraadt and I observed weird captive portal checking hangs inside of unwind if only 127.0.0.1 was listed as a nameserver in resolv.conf with the old code.
Revision 1.64 / (download) - annotate - [select for diffs], Thu Nov 14 08:32:30 2019 UTC (4 years, 6 months ago) by florian
Branch: MAIN
Changes since 1.63: +14 -3 lines
Diff to previous 1.63 (colored)
Checking a resolver that we are already checking can lead to a self-DoS under high query rate and constant failures.
Revision 1.63 / (download) - annotate - [select for diffs], Thu Nov 14 08:30:10 2019 UTC (4 years, 6 months ago) by florian
Branch: MAIN
Changes since 1.62: +97 -119 lines
Diff to previous 1.62 (colored)
Since resolve() switched to a callback mechanism all uw_resolver objects pass through resolve() and either asr_resolve_done() or ub_resolve_done(). With that we can pull resolver_ref() and resolver_unref() into those functions to make the reference counting easier. Only check_resolver is special since it needs to refcount the to-be-checked resolver. But the resolver doing the actual work is automatically refcounted by resolve() and *_resolve_done(). One last piece of the puzzle is to track the uw_resolver object in cb_data so that the *_resolve_done() functions have access to it. This also allows us to remove the ad-hoc passing of the resolver in query_imsg. Since the callback functions all need access to the resolver that did the work we pass it in as first argument. OK otto
Revision 1.62 / (download) - annotate - [select for diffs], Tue Nov 12 20:26:36 2019 UTC (4 years, 6 months ago) by florian
Branch: MAIN
Changes since 1.61: +9 -4 lines
Diff to previous 1.61 (colored)
we might not have a best resolver at all
Revision 1.61 / (download) - annotate - [select for diffs], Tue Nov 12 20:24:51 2019 UTC (4 years, 6 months ago) by florian
Branch: MAIN
Changes since 1.60: +52 -53 lines
Diff to previous 1.60 (colored)
do not leak buf or region if either fails to allocate
Revision 1.60 / (download) - annotate - [select for diffs], Tue Nov 12 15:37:31 2019 UTC (4 years, 6 months ago) by florian
Branch: MAIN
Changes since 1.59: +13 -14 lines
Diff to previous 1.59 (colored)
we are not using was_ratelimited
Revision 1.59 / (download) - annotate - [select for diffs], Tue Nov 12 15:36:49 2019 UTC (4 years, 6 months ago) by florian
Branch: MAIN
Changes since 1.58: +54 -37 lines
Diff to previous 1.58 (colored)
Pass in a callback function to resolve() instead of a flag to distinguish between an external query and check_resolver(). Also switch trust_anchor_resolve() over which was special.
Revision 1.58 / (download) - annotate - [select for diffs], Tue Nov 12 15:35:11 2019 UTC (4 years, 6 months ago) by florian
Branch: MAIN
Changes since 1.57: +8 -9 lines
Diff to previous 1.57 (colored)
Error logging is done inside of resolve since it depends on the resolver type.
Revision 1.57 / (download) - annotate - [select for diffs], Tue Nov 12 15:34:37 2019 UTC (4 years, 6 months ago) by florian
Branch: MAIN
Changes since 1.56: +11 -12 lines
Diff to previous 1.56 (colored)
It is possible to cancel libunbound queries by tracking an id. We are not using that feature so stop tracking the value.
Revision 1.56 / (download) - annotate - [select for diffs], Mon Nov 11 05:51:06 2019 UTC (4 years, 6 months ago) by florian
Branch: MAIN
Changes since 1.55: +197 -15 lines
Diff to previous 1.55 (colored)
Implement DNS proposals to learn nameservers from network autoconfiguration daemons. Currently only slaacd is switched over so we need to keep the lease file parsing.
Revision 1.55 / (download) - annotate - [select for diffs], Sat Nov 9 16:28:10 2019 UTC (4 years, 6 months ago) by florian
Branch: MAIN
Changes since 1.54: +23 -23 lines
Diff to previous 1.54 (colored)
Mechanically change the forwarder SIMPLEQ to a TAILQ. Needed for future work to be able to easily delete elements while iterating. OK kn
Revision 1.54 / (download) - annotate - [select for diffs], Sat Nov 9 08:06:38 2019 UTC (4 years, 6 months ago) by florian
Branch: MAIN
Changes since 1.53: +6 -2 lines
Diff to previous 1.53 (colored)
failure to allocate memory is not an XXX
Revision 1.53 / (download) - annotate - [select for diffs], Wed Nov 6 16:51:11 2019 UTC (4 years, 6 months ago) by florian
Branch: MAIN
Changes since 1.52: +1 -2 lines
Diff to previous 1.52 (colored)
useless debug output
Revision 1.52 / (download) - annotate - [select for diffs], Sun Nov 3 18:15:26 2019 UTC (4 years, 6 months ago) by florian
Branch: MAIN
Changes since 1.51: +121 -1 lines
Diff to previous 1.51 (colored)
When we are talking to an upstream nameserver we should not refuse to forward queries for certain reverse zones (e.g. RFC1918 space). The local network might use them and it's the policy of the upstream nameserver what should be done with these. Of course if we are recursively resolving ourselves these should not leak to the global internet so we continue to synthesize NXDOMAIN ourselves. For now we also always synthesize NXDOMAIN for special use domains like test and onion. Pointed out by henning. Input & OK sthen
Revision 1.51 / (download) - annotate - [select for diffs], Sun Nov 3 09:46:11 2019 UTC (4 years, 6 months ago) by otto
Branch: MAIN
Changes since 1.50: +128 -27 lines
Diff to previous 1.50 (colored)
*** empty log message ***
Revision 1.50 / (download) - annotate - [select for diffs], Sat Nov 2 20:05:39 2019 UTC (4 years, 7 months ago) by florian
Branch: MAIN
Changes since 1.49: +1 -2 lines
Diff to previous 1.49 (colored)
unused global
Revision 1.49 / (download) - annotate - [select for diffs], Sat Nov 2 07:47:01 2019 UTC (4 years, 7 months ago) by florian
Branch: MAIN
Changes since 1.48: +3 -2 lines
Diff to previous 1.48 (colored)
When we are behind a captive portal we very likely need to use the asr strategy to get past it. This is also true when we don't know yet if we are behind a captive portal. However, when the nameservers dhcp hands us are unreachable (e.g. because they are down) asr is dead, we are still using it and we are now stuck. Only force to asr if we know that it is working. If we are behind a captive portal and the dhcp nameservers are dead we probably won't get past it. But if we are in a network with unreachable dhcp nameservers we will make progress. Stumbled upon by remi while blocking port 53 in pf. OK remi
Revision 1.48 / (download) - annotate - [select for diffs], Thu Oct 31 12:54:40 2019 UTC (4 years, 7 months ago) by florian
Branch: MAIN
Changes since 1.47: +4 -22 lines
Diff to previous 1.47 (colored)
With the asr fallback we can skip the service port up & down dance, unwind should now be able to work in networks with crappy middle boxes. We also need to switch to the ASR resolver, not DHCP when we are behind a captive portal. Some captive portals let through DNS queries with edns0 options but the "click here to accept the terms of service page" is not resolvable with edns0.
Revision 1.47 / (download) - annotate - [select for diffs], Thu Oct 31 12:51:43 2019 UTC (4 years, 7 months ago) by florian
Branch: MAIN
Changes since 1.46: +167 -46 lines
Diff to previous 1.46 (colored)
Add asr resolver type which completely bypasses libunbound and uses the libc asynchronous resolver directly with DHCP provided nameservers. This is a last-ditch effort when we find ourselves behind a completely broken middle-box. Input & OK otto OK benno
Revision 1.46 / (download) - annotate - [select for diffs], Sat Oct 19 17:42:21 2019 UTC (4 years, 7 months ago) by otto
Branch: MAIN
Changes since 1.45: +8 -2 lines
Diff to previous 1.45 (colored)
Plug mem leak when the list of dhcp resolvers didn't change. ok florian@
Revision 1.45 / (download) - annotate - [select for diffs], Mon Sep 30 18:07:09 2019 UTC (4 years, 8 months ago) by florian
Branch: MAIN
CVS Tags: OPENBSD_6_6_BASE,
OPENBSD_6_6
Changes since 1.44: +9 -4 lines
Diff to previous 1.44 (colored)
Introduce defines for DNSSEC validation states. This also fixes a brain fart in trust_anchor_resolve_done() which was arguably created by "sec" carrying 3 values and "true" does not mean secure. Why this does not use enum sec_status is beyond me.
Revision 1.44 / (download) - annotate - [select for diffs], Sun Sep 29 17:52:02 2019 UTC (4 years, 8 months ago) by otto
Branch: MAIN
Changes since 1.43: +6 -4 lines
Diff to previous 1.43 (colored)
Fix histogram code to do an inclusive check for the upper bound to avoid an out-of-bound write for specific values and also check for oob writes in general; with input from kettenis; ok florian@ kn@
Revision 1.43 / (download) - annotate - [select for diffs], Sun Sep 29 13:18:39 2019 UTC (4 years, 8 months ago) by florian
Branch: MAIN
Changes since 1.42: +2 -2 lines
Diff to previous 1.42 (colored)
annoying trailing whitespaces
Revision 1.42 / (download) - annotate - [select for diffs], Thu May 23 15:11:58 2019 UTC (5 years ago) by florian
Branch: MAIN
Changes since 1.41: +14 -7 lines
Diff to previous 1.41 (colored)
If we find ourselves behind a captive portal shutdown the service port. This lets us get past captive portals that
- correctly answer SOA queries for the root zone with edns0 option
- return NXDOMAIN for the captive portal redirect domain if edns0 is present
Observed by many after g2k19 in maple leaf lounges. While here improve handling of captive portal configuration removal while unwind thinks we are behind a captive portal. For example because the host we are checking is down. Previously unwind would think we are stuck behind a captive portal forever.
Revision 1.41 / (download) - annotate - [select for diffs], Thu May 23 15:09:17 2019 UTC (5 years ago) by florian
Branch: MAIN
Changes since 1.40: +3 -2 lines
Diff to previous 1.40 (colored)
typo
Revision 1.40 / (download) - annotate - [select for diffs], Tue May 14 14:51:31 2019 UTC (5 years ago) by florian
Branch: MAIN
Changes since 1.39: +2 -63 lines
Diff to previous 1.39 (colored)
Move common config passing code into a function. OK pamela
Revision 1.39 / (download) - annotate - [select for diffs], Fri May 10 14:10:38 2019 UTC (5 years ago) by florian
Branch: MAIN
Changes since 1.38: +8 -1 lines
Diff to previous 1.38 (colored)
Implement DNS block lists. If unwind is queried for a domain in the block list it answers with rcode REFUSED.
Revision 1.38 / (download) - annotate - [select for diffs], Mon May 6 17:31:25 2019 UTC (5 years ago) by florian
Branch: MAIN
Changes since 1.37: +2 -2 lines
Diff to previous 1.37 (colored)
Only try to resolve the DNSSEC trust anchor if we have a validating resolver context. Otherwise we will ignore the answer later on anyway.
Revision 1.37 / (download) - annotate - [select for diffs], Tue Apr 2 08:28:20 2019 UTC (5 years, 2 months ago) by florian
Branch: MAIN
CVS Tags: OPENBSD_6_5_BASE,
OPENBSD_6_5
Changes since 1.36: +2 -2 lines
Diff to previous 1.36 (colored)
the fiendishly that needed some extra space here didn't pan out
Revision 1.36 / (download) - annotate - [select for diffs], Tue Apr 2 08:04:13 2019 UTC (5 years, 2 months ago) by florian
Branch: MAIN
Changes since 1.35: +6 -18 lines
Diff to previous 1.35 (colored)
Simplify code; we can loop over our resolvers now.
Revision 1.35 / (download) - annotate - [select for diffs], Tue Apr 2 07:47:22 2019 UTC (5 years, 2 months ago) by florian
Branch: MAIN
Changes since 1.34: +61 -66 lines
Diff to previous 1.34 (colored)
Add a config option to specify the preference of name servers. Unfortunately the nameserver types enums needed to be renamed to not collide with yacc tokens.
Revision 1.34 / (download) - annotate - [select for diffs], Tue Apr 2 07:46:03 2019 UTC (5 years, 2 months ago) by florian
Branch: MAIN
Changes since 1.33: +3 -16 lines
Diff to previous 1.33 (colored)
Collapse case statements to a common fall through and use the passed in type to identify the resolver now that they can be addressed by index.
Revision 1.33 / (download) - annotate - [select for diffs], Tue Apr 2 07:45:11 2019 UTC (5 years, 2 months ago) by florian
Branch: MAIN
Changes since 1.32: +73 -66 lines
Diff to previous 1.32 (colored)
Introduce array of resolvers in preparation of custom ordering
Revision 1.32 / (download) - annotate - [select for diffs], Mon Apr 1 09:24:15 2019 UTC (5 years, 2 months ago) by florian
Branch: MAIN
Changes since 1.31: +21 -29 lines
Diff to previous 1.31 (colored)
Reduce code duplication and ensure that a type of resolver and its checking counterpart are created the same way.
Revision 1.31 / (download) - annotate - [select for diffs], Mon Apr 1 03:31:55 2019 UTC (5 years, 2 months ago) by florian
Branch: MAIN
Changes since 1.30: +11 -8 lines
Diff to previous 1.30 (colored)
Implement "Authentication Domain Names" configuration as per RFC 8310 section 7.1 for DoT servers. We are setting the CA cert bundle path (/etc/ssl/cert.pem) directly in libunbound so we need to loosen pledge(2) a bit and allow rpath. At the same time we unveil only /etc/ssl/cert.pem. We can drop the chroot(2) since pledge(2) and unveil(2) give us more fine grained isolation. prodding by tb@. p.s. for portable it might be necessary to pass in a file descriptor from the parent, slurp in the file and then use X509_STORE_load_mem() (pointed out by sthen) in the guts of libunbound.
Revision 1.30 / (download) - annotate - [select for diffs], Sun Mar 31 00:57:41 2019 UTC (5 years, 2 months ago) by tedu
Branch: MAIN
Changes since 1.29: +1 -43 lines
Diff to previous 1.29 (colored)
we don't need to set openssl lock callbacks. this code is not threaded. ok florian
Revision 1.29 / (download) - annotate - [select for diffs], Sat Mar 30 12:52:03 2019 UTC (5 years, 2 months ago) by florian
Branch: MAIN
Changes since 1.28: +2 -83 lines
Diff to previous 1.28 (colored)
Shuffle captive portal detection around. While we are behind a captive portal we have to ask the dhcp provided resolvers. However it is possible that those resolvers do not like to talk to unwind because of EDNS0. Unwind handles this case by closing its listening socket and hands over to asr. Except for the resolving of the captive portal host which it still tries to resolve via libunbound. Turns out there is no need for this; we can just use getaddrinfo_async from asr which then either hits unwind which does the right thing or unwind closed its listening socket and asr moves on to talk directly to the dhcp resolvers.
Revision 1.28 / (download) - annotate - [select for diffs], Sat Mar 30 02:12:45 2019 UTC (5 years, 2 months ago) by florian
Branch: MAIN
Changes since 1.27: +5 -5 lines
Diff to previous 1.27 (colored)
Do not try to print NULL with %s. Brainfart pointed out by tb
Revision 1.27 / (download) - annotate - [select for diffs], Sun Mar 24 17:56:54 2019 UTC (5 years, 2 months ago) by florian
Branch: MAIN
Changes since 1.26: +21 -25 lines
Diff to previous 1.26 (colored)
Reduce debug logging in best_resolver() to two lines, helps a bit with seeing what is going on. There is still a lot to do wrt logging but it's not a priority yet.
Revision 1.26 / (download) - annotate - [select for diffs], Sun Mar 24 17:56:25 2019 UTC (5 years, 2 months ago) by florian
Branch: MAIN
Changes since 1.25: +4 -2 lines
Diff to previous 1.25 (colored)
recheck all resolvers when we are no longer behind a captive portal
Revision 1.25 / (download) - annotate - [select for diffs], Sun Mar 24 17:55:58 2019 UTC (5 years, 2 months ago) by florian
Branch: MAIN
Changes since 1.24: +67 -6 lines
Diff to previous 1.24 (colored)
Do not check every resolver every 30 seconds as that is wasteful and pointless. Trigger a check
- on startup
- when forwarders change on config reload
- when dhcp provided forwarders change
- on network interface state change
When a check finishes and the checked resolver cannot resolve anything configure a timer to run another check in the future using an exponential backoff for the timeout.
Revision 1.24 / (download) - annotate - [select for diffs], Sun Mar 24 17:55:17 2019 UTC (5 years, 2 months ago) by florian
Branch: MAIN
Changes since 1.23: +2 -1 lines
Diff to previous 1.23 (colored)
If we can't check the resolver its state is UNKNOWN.
Revision 1.23 / (download) - annotate - [select for diffs], Sun Mar 24 17:54:52 2019 UTC (5 years, 2 months ago) by florian
Branch: MAIN
Changes since 1.22: +1 -2 lines
Diff to previous 1.22 (colored)
remove useless debug output
Revision 1.22 / (download) - annotate - [select for diffs], Fri Mar 15 16:48:37 2019 UTC (5 years, 2 months ago) by florian
Branch: MAIN
Changes since 1.21: +7 -1 lines
Diff to previous 1.21 (colored)
Correctly interlock config reload imsgs. Only accept a new config reload if it's not currently running and only accept a config reload end if one is currently running. OK pamela
Revision 1.21 / (download) - annotate - [select for diffs], Fri Mar 1 08:02:25 2019 UTC (5 years, 3 months ago) by florian
Branch: MAIN
Changes since 1.20: +2 -2 lines
Diff to previous 1.20 (colored)
Due to the way we build libunbound inside of unwind .o files collide in the obj directory. Previously this was solved by keeping the libunbound file name (to be able to keep in sync with upstream) and prefixing the source filename of colliding .o files in unwind with uw_. However, these files are shared throughout our tree (namely parse.y, log.c and log.h) and we try to keep them in sync. Move files back to their original name and instead symlink colliding source files in libunbound to unique filenames by prefixing them with the directory they live in:
obj/sldns_parse.c -> /usr/src/sbin/unwind/libunbound/sldns/parse.c
obj/util_log.c -> /usr/src/sbin/unwind/libunbound/util/log.c
Idea to use symlinks deraadt@ via jsg@ OK benno
Revision 1.20 / (download) - annotate - [select for diffs], Mon Feb 18 07:50:14 2019 UTC (5 years, 3 months ago) by florian
Branch: MAIN
Changes since 1.19: +26 -33 lines
Diff to previous 1.19 (colored)
Introduce IMSG_DATA_SIZE() macro to replace recurring math on imsg.hdr.len and shorten code. Input & OK pamela
Revision 1.19 / (download) - annotate - [select for diffs], Sun Feb 17 16:15:31 2019 UTC (5 years, 3 months ago) by florian
Branch: MAIN
Changes since 1.18: +1 -4 lines
Diff to previous 1.18 (colored)
Since we do a naive string comparison to see if the trust anchor changed we need to fix the TTL to the value we would get from the root for the ksk DNSKEY (currently 2 days). Otherwise we would interpret a lowered TTL from a cache as changed trust anchor. Use the same define everywhere. (Considering the glacial speed with which the root ksk rotates this should be fine for the foreseeable future.)
Revision 1.18 / (download) - annotate - [select for diffs], Sun Feb 17 14:52:16 2019 UTC (5 years, 3 months ago) by florian
Branch: MAIN
Changes since 1.17: +2 -1 lines
Diff to previous 1.17 (colored)
On log verbosity change we need to restart all resolvers: add missing DoT resolver.
Revision 1.17 / (download) - annotate - [select for diffs], Sun Feb 17 14:49:15 2019 UTC (5 years, 3 months ago) by florian
Branch: MAIN
Changes since 1.16: +187 -191 lines
Diff to previous 1.16 (colored)
s/unwind_/uw_/ to save screen real estate; fix style(9) issues while here
Revision 1.16 / (download) - annotate - [select for diffs], Thu Feb 7 17:20:35 2019 UTC (5 years, 3 months ago) by florian
Branch: MAIN
Changes since 1.15: +216 -31 lines
Diff to previous 1.15 (colored)
Rewrite trust anchor handling. Do not use libunbound's auto trust anchor file feature since then the resolver process needs rpath, wpath, and cpath pledges and permission on the trust anchor file. Instead configure the trust anchor as resource record strings. The parent process opens the file, passes a file descriptor to the frontend process to parse the file and then passes trust anchors to the resolver process to (re-) configure the resolver contexts. The resolver process periodically probes for new trust anchors (DNSKEY records of the root zone) and passes those to the frontend process. This in turn requests a file descriptor for writing from the parent process. Once the trust anchors have been written the parent process renames the tmp file to the final location. Also provide a built-in trust anchor for bootstrapping purposes if no file is found on disk. That way we can get rid of unbound-anchor in unwind's rc.d script.
Revision 1.15 / (download) - annotate - [select for diffs], Tue Feb 5 19:32:24 2019 UTC (5 years, 3 months ago) by florian
Branch: MAIN
Changes since 1.14: +4 -2 lines
Diff to previous 1.14 (colored)
unref resolver in error branch
Revision 1.14 / (download) - annotate - [select for diffs], Sun Feb 3 12:02:30 2019 UTC (5 years, 3 months ago) by florian
Branch: MAIN
Changes since 1.13: +336 -18 lines
Diff to previous 1.13 (colored)
Captive portal detection for unwind(8).
Revision 1.13 / (download) - annotate - [select for diffs], Tue Jan 29 19:13:01 2019 UTC (5 years, 4 months ago) by florian
Branch: MAIN
Changes since 1.12: +29 -12 lines
Diff to previous 1.12 (colored)
Make imsg processing much more paranoid. If it comes from one of our processes and the size does not match what we expect, call fatalx to crash and burn. We either hit a logic bug or something is fishy on the other end and we can't trust that process any longer. Not that we trust those processes to begin with. This also applies to receiving resources that we don't expect. For example, if we have an open UDP listen socket and get a new one passed from the main process, something is wrong and we should crash and burn. The only place where we are more lenient is on the control socket. We just ignore wrong sized messages so that users can't bring down unwind.
Revision 1.12 / (download) - annotate - [select for diffs], Tue Jan 29 15:37:29 2019 UTC (5 years, 4 months ago) by florian
Branch: MAIN
Changes since 1.11: +1 -5 lines
Diff to previous 1.11 (colored)
We don't need IMSG_SHUTDOWN, we can just close the sockets. pointed out by deraadt
Revision 1.11 / (download) - annotate - [select for diffs], Sun Jan 27 12:40:54 2019 UTC (5 years, 4 months ago) by florian
Branch: MAIN
Changes since 1.10: +60 -1 lines
Diff to previous 1.10 (colored)
Implement DNS over TLS (DoT).
Revision 1.10 / (download) - annotate - [select for diffs], Sun Jan 27 07:46:49 2019 UTC (5 years, 4 months ago) by florian
Branch: MAIN
Changes since 1.9: +4 -10 lines
Diff to previous 1.9 (colored)
unwind(8) traces its ancestry to rad(8) and inherited all of its include directives, some of them no longer necessary. Cleanup by Caspar Schutijser, thank you very much!
Revision 1.9 / (download) - annotate - [select for diffs], Fri Jan 25 17:20:45 2019 UTC (5 years, 4 months ago) by florian
Branch: MAIN
Changes since 1.8: +4 -2 lines
Diff to previous 1.8 (colored)
We are not holding on to a ref to the resolver if ub_resolve_event fails.
Revision 1.8 / (download) - annotate - [select for diffs], Fri Jan 25 11:08:03 2019 UTC (5 years, 4 months ago) by florian
Branch: MAIN
Changes since 1.7: +4 -1 lines
Diff to previous 1.7 (colored)
make sure resolver exists before sending detailed info
Revision 1.7 / (download) - annotate - [select for diffs], Fri Jan 25 10:16:13 2019 UTC (5 years, 4 months ago) by florian
Branch: MAIN
Changes since 1.6: +2 -2 lines
Diff to previous 1.6 (colored)
typo
Revision 1.6 / (download) - annotate - [select for diffs], Fri Jan 25 10:15:12 2019 UTC (5 years, 4 months ago) by florian
Branch: MAIN
Changes since 1.5: +3 -2 lines
Diff to previous 1.5 (colored)
We also need to check the rcode in the wire packet. This lets us get past the broken Dutch railway wifi that responds NXDOMAIN if an edns0 option is present.
Revision 1.5 / (download) - annotate - [select for diffs], Fri Jan 25 08:06:41 2019 UTC (5 years, 4 months ago) by florian
Branch: MAIN
Changes since 1.4: +2 -2 lines
Diff to previous 1.4 (colored)
pasto; from Caspar Schutijser, thanks!
Revision 1.4 / (download) - annotate - [select for diffs], Thu Jan 24 17:39:43 2019 UTC (5 years, 4 months ago) by florian
Branch: MAIN
Changes since 1.3: +16 -1 lines
Diff to previous 1.3 (colored)
Open and close listening sockets on localhost:53 depending on whether we can resolve at all. We come up without listening and open IPv4 and IPv6 sockets once the resolver process has determined that we can speak DNS to the outside world. Furthermore close the listening sockets when the resolver process notices that we can no longer speak DNS to the outside. This is a last-ditch effort to get out of libc resolver's way and let it speak directly to e.g. dhcp provided resolvers. With the recommended configuration of having 127.0.0.1 first in /etc/resolv.conf and the dhcp provided resolvers after that, our libc resolver will receive a port unreachable error and immediately switch to the next one if unwind is not listening on port 53. (Networks have been observed in the wild that intercept DNS packets and answer NXDOMAIN if an edns0 option is sent with the query.)
Revision 1.3 / (download) - annotate - [select for diffs], Thu Jan 24 15:33:44 2019 UTC (5 years, 4 months ago) by florian
Branch: MAIN
Changes since 1.2: +31 -22 lines
Diff to previous 1.2 (colored)
Switch to libunbound internals for packet parsing. These functions / macros (from (s)ldns) are not part of the public libunbound API so we couldn't use them before. Due to the way we use libunbound (a local copy) we now have access.
Revision 1.2 / (download) - annotate - [select for diffs], Thu Jan 24 15:32:08 2019 UTC (5 years, 4 months ago) by florian
Branch: MAIN
Changes since 1.1: +3 -5 lines
Diff to previous 1.1 (colored)
When we switched from the fork based ub_resolve_async() to ub_resolve_event() the heuristic to detect if the authoritative server is unreachable was adapted in the wrong way. Turns out when using ub_resolve_event() we get the correct rcode passed in (SERVFAIL). The rcode in the wire format answer_packet is still wrong though (NOERROR). But that doesn't matter since we can just check the passed in rcode.
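The two rcode checks described in the 1.6 and 1.2 messages above (the rcode libunbound passes to the ub_resolve_event callback decides reachability; the rcode inside the wire packet catches networks that answer NXDOMAIN to EDNS0 queries), as an added illustration that is not unwind's own code. The header layout is RFC 1035; the function names, the verdict enum and the sample packets are constructed here, and the probe is assumed to query a name that is known to exist.

```c
#include <stddef.h>
#include <stdint.h>

/* RFC 1035 header: 12 bytes, RCODE in the low four bits of byte 3. */
#define DNS_HDR_LEN    12
#define RCODE_NOERROR   0
#define RCODE_SERVFAIL  2
#define RCODE_NXDOMAIN  3

enum probe_verdict { PROBE_OK, PROBE_UNREACHABLE, PROBE_INTERCEPTED, PROBE_BROKEN };

/* Return the RCODE of a wire-format answer, or -1 if the buffer is
 * shorter than a header, so a truncated reply is never read as NOERROR. */
int wire_rcode(const uint8_t *pkt, size_t len)
{
	if (pkt == NULL || len < DNS_HDR_LEN)
		return -1;
	return pkt[3] & 0x0f;
}

/* Combine both signals (hypothetical helper, not from unwind):
 * - passed_rcode is what ub_resolve_event hands the callback; SERVFAIL
 *   there means the authoritative servers are unreachable (rev 1.2).
 * - the wire packet must be checked separately, because a captive
 *   network may return NXDOMAIN for a name that exists (rev 1.6). */
enum probe_verdict classify_probe(int passed_rcode, const uint8_t *pkt, size_t len)
{
	int wr;

	if (passed_rcode == RCODE_SERVFAIL)
		return PROBE_UNREACHABLE;
	wr = wire_rcode(pkt, len);
	if (wr < 0)
		return PROBE_BROKEN;
	if (wr == RCODE_NXDOMAIN)
		return PROBE_INTERCEPTED;	/* probe name is known to exist */
	if (passed_rcode == RCODE_NOERROR && wr == RCODE_NOERROR)
		return PROBE_OK;
	return PROBE_BROKEN;
}

/* Constructed sample headers: id 0x1234, QR|RD|RA set, one question. */
const uint8_t sample_noerror[DNS_HDR_LEN] =
    { 0x12, 0x34, 0x81, 0x80, 0, 1, 0, 1, 0, 0, 0, 0 };
const uint8_t sample_nxdomain[DNS_HDR_LEN] =
    { 0x12, 0x34, 0x81, 0x83, 0, 1, 0, 0, 0, 0, 0, 0 };
```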
Revision 1.1 / (download) - annotate - [select for diffs], Wed Jan 23 13:11:00 2019 UTC (5 years, 4 months ago) by florian
Branch: MAIN
Import unwind(8). unwind(8) is a hybrid validating stub & recursive resolver. It actively observes the local net to decide how to best resolve names. It can choose to recurse on its own or talk to dhcp provided forwarders or statically defined forwarders in the config file. The intention is to be able to run it on localhost on every machine. "toss it in man" deraadt@