except (requests.exceptions.HTTPError, ValueError) as e:
print(e)
sys.exit(1)
- if 'name'in user_info:
+ if 'name' in user_info:
out += ' ({})'.format(user_info['name'])
else:
out += ' (@{})'.format(user_info['login'])
# 0 if daemon has been stopped
# 1 if daemon was already stopped
# 2 if daemon could not be stopped
-# other if a failure occured
+# other if a failure occurred
start-stop-daemon --stop --quiet --pidfile $PIDFILE --name $NAME
RETVAL="$?"
[ "$RETVAL" = 2 ] && return 2
DEB_HOST_ARCH_OS ?= $(shell dpkg-architecture -qDEB_HOST_ARCH_OS)
# Enable hardening features for daemons
-# Note: blhc (build log hardening check) will find these false positivies: CPPFLAGS 2 missing, LDFLAGS 1 missing
+# Note: blhc (build log hardening check) will find these false positives: CPPFLAGS 2 missing, LDFLAGS 1 missing
export DEB_BUILD_MAINT_OPTIONS=hardening=+bindnow,+pie
DPKG_EXPORT_BUILDFLAGS = 1
# Include buildflags.mk so we can append to the vars it sets.
# 0 if daemon has been stopped
# 1 if daemon was already stopped
# 2 if daemon could not be stopped
-# other if a failure occured
+# other if a failure occurred
start-stop-daemon --stop --quiet --pidfile $PIDFILE --name $NAME
RETVAL="$?"
[ "$RETVAL" = 2 ] && return 2
DEB_HOST_ARCH_OS ?= $(shell dpkg-architecture -qDEB_HOST_ARCH_OS)
# Enable hardening features for daemons
-# Note: blhc (build log hardening check) will find these false positivies: CPPFLAGS 2 missing, LDFLAGS 1 missing
+# Note: blhc (build log hardening check) will find these false positives: CPPFLAGS 2 missing, LDFLAGS 1 missing
export DEB_BUILD_MAINT_OPTIONS=hardening=+bindnow,+pie
DPKG_EXPORT_BUILDFLAGS = 1
# Include buildflags.mk so we can append to the vars it sets.
# 0 if daemon has been stopped
# 1 if daemon was already stopped
# 2 if daemon could not be stopped
-# other if a failure occured
+# other if a failure occurred
start-stop-daemon --stop --quiet --pidfile $PIDFILE --name $NAME
RETVAL="$?"
[ "$RETVAL" = 2 ] && return 2
DEB_HOST_ARCH_OS ?= $(shell dpkg-architecture -qDEB_HOST_ARCH_OS)
# Enable hardening features for daemons
-# Note: blhc (build log hardening check) will find these false positivies: CPPFLAGS 2 missing, LDFLAGS 1 missing
+# Note: blhc (build log hardening check) will find these false positives: CPPFLAGS 2 missing, LDFLAGS 1 missing
export DEB_BUILD_MAINT_OPTIONS=hardening=+bindnow,+pie
DPKG_EXPORT_BUILDFLAGS = 1
# Include buildflags.mk so we can append to the vars it sets.
fi
@ENDIF
-# mv accross layers with overlay2 is buggy in some kernel versions (results in empty dirs)
+# mv across layers with overlay2 is buggy in some kernel versions (results in empty dirs)
# See: https://github.com/moby/moby/issues/33733
#RUN mv /root/rpmbuild/RPMS/* /dist/
RUN cp -R /root/rpmbuild/RPMS/* /dist/
# First do the source builds
@INCLUDE Dockerfile.target.sdist
-# This defines the dstribution base layer
+# This defines the distribution base layer
# Put only the bare minimum of common commands here, without dev tools
FROM amazonlinux:2 as dist-base
ARG BUILDER_CACHE_BUSTER=
# First do the source builds
@INCLUDE Dockerfile.target.sdist
-# This defines the dstribution base layer
+# This defines the distribution base layer
# Put only the bare minimum of common commands here, without dev tools
FROM centos:6 as dist-base
ARG BUILDER_CACHE_BUSTER=
# First do the source builds
@INCLUDE Dockerfile.target.sdist
-# This defines the dstribution base layer
+# This defines the distribution base layer
# Put only the bare minimum of common commands here, without dev tools
FROM centos:7 as dist-base
ARG BUILDER_CACHE_BUSTER=
# First do the source builds
@INCLUDE Dockerfile.target.sdist
-# This defines the dstribution base layer
+# This defines the distribution base layer
# Put only the bare minimum of common commands here, without dev tools
FROM centos:8 as dist-base
ARG BUILDER_CACHE_BUSTER=
for master, slave and superslave operation.
When using the InnoDB storage engine, we suggest adding foreign key
-contraints to the tables in order to automate deletion of records, key
+constraints to the tables in order to automate deletion of records, key
material, and other information upon deletion of a domain from the
domains table. The following SQL does the job:
^^^^^^^^^^^^^^^^^^
.. versionadded:: 4.2.1
-Send the CLIENT_SSL capabily flag to the server. SSL suppport is announced by the server via CLIENT_SSL and is enabled if the client returns the same capability. Default: no.
+Send the CLIENT_SSL capability flag to the server. SSL support is announced by the server via CLIENT_SSL and is enabled if the client returns the same capability. Default: no.
.. _setting-gmysql-timeout:
Currently there are two options: Set ``ldap-method`` to ``strict`` to
have the code automatically derive PTR records from A and AAAA records
in the tree. Or, in ``simple`` and ``tree`` modes, create additional
-objects explictly mapping each address to a PTR record.
+objects explicitly mapping each address to a PTR record.
For ``strict`` or ``simple`` modes, first create an object with an SOA
record for the reverse-lookup zone(s) corresponding to the A and AAAA
associateddomain:1.0.1.10.in-addr.arpa
To use this kind of record, add the dnsdomain2 schema to the
-configuration of ther LDAP server.
+configuration of the LDAP server.
**CAUTION:** ``ldap-method=strict`` can not be used if zone transfers
(AXFR) are needed to other name servers. Distributing zones can only be
Default: mapasync
* ``sync``: LMDB synchronous mode. Safest option, but also slightly slower. Can also be enabled with ``lmdb-sync-mode=``
-* ``nosync``: don't flush systems buffers to disk when committing a transation.
+* ``nosync``: don't flush systems buffers to disk when committing a transaction.
This means a system crash can corrupt the database or lose the last transactions if buffers are not yet flushed to disk.
* ``nometasync``: flush system buffers to disk only once per transaction, omit the metadata flush. This maintains database integrity, but can potentially lose the last committed transaction if the operating system crashes.
* ``mapasync``: (default). Use asynchronous flushes to disk. As with nosync, a system crash can then corrupt the database or lose the last transactions.
integers 16 bits, fixes
`#5443 <https://github.com/PowerDNS/pdns/issues/5443>`__
- `#5346 <https://github.com/PowerDNS/pdns/pull/5346>`__: configure.ac:
- Corrects syntax error in test statement on existance of
+ Corrects syntax error in test statement on existence of
libcrypto\_ecdsa (shinsterneck)
- `#5440 <https://github.com/PowerDNS/pdns/pull/5440>`__: configure.ac:
Fix quoting issue fixes
Existing zone files may now be interpreted differently.
Specifically, where we previously used the SOA minimum field for the default
- TTL if none was set explictly, or no $TTL was set, we now use the TTL from
+ TTL if none was set explicitly, or no $TTL was set, we now use the TTL from
the previous line.
.. change::
:pullreq: 5361
:tickets: 3602
- Make requests always return to sender, for usage in multimaster slave zones. Also - made sure that the master that is questioned for updates will be selected randomly, to prevent repeatidally asking a dead master for updates.
+ Make requests always return to sender, for usage in multimaster slave zones. Also - made sure that the master that is questioned for updates will be selected randomly, to prevent repeatedly asking a dead master for updates.
.. change::
:tags: Improvements, API
- `commit 016d810 <https://github.com/PowerDNS/pdns/commit/016d810>`__:
improve postgresql detection during ./configure
- `commit dce1e90 <https://github.com/PowerDNS/pdns/commit/dce1e90>`__:
- DNAME: don't sign the synthesised CNAME
+ DNAME: don't sign the synthesized CNAME
- `commit 25e7af3 <https://github.com/PowerDNS/pdns/commit/25e7af3>`__:
send empty SERVFAIL after a backend throws a DBException, instead of
including useless content
.. note::
Actual supported algorithms depend on the crypto-libraries
- PowerDNS was compiled against. To check the supported DNSSEC algoritms
+ PowerDNS was compiled against. To check the supported DNSSEC algorithms
in your build of PowerDNS, run ``pdnsutil list-algorithms``.
{"name": "mytsigkey", "algorithm": "hmac-sha256"}
-Will yield a response similar to this (several headers ommitted):
+Will yield a response similar to this (several headers omitted):
.. code-block:: http
DNSName objects
^^^^^^^^^^^^^^^
-A :class:`DNSName` object represents a name in the DNS. It has serveral functions that can manipulate it without conversions to strings.
+A :class:`DNSName` object represents a name in the DNS. It has several functions that can manipulate it without conversions to strings.
Creating a ``DNSName`` is done with the :func:`newDN`::
myname = newDN("www.example.com")
.. method:: DNSName:canonCompare(name) -> bool
- Performs a comparaison of DNS names in canonical order.
+ Performs a comparison of DNS names in canonical order.
Returns true if the DNSName comes before ``name``.
See https://tools.ietf.org/html/rfc4034#section-6
.. method:: DNSName::equal(name) -> bool
- Perform a comparaison of the DNSName to the given ``name``.
+ Perform a comparison of the DNSName to the given ``name``.
You can also compare directly two DNSName objects using
the ``==`` operator
Returns true if ``address`` matches any of the masks in the group.
- :param ComboAddress address: The IP addres to match the netmasks against.
+ :param ComboAddress address: The IP address to match the netmasks against.
Example
-------
-``nsec3dig 8.8.8.8 53 doesntexist.isoc.nl TXT recurse``
+``nsec3dig 8.8.8.8 53 doesnotexist.isoc.nl TXT recurse``
--loglevel=<LEVEL> Set the logging level.
--config Show the currently configuration. There are three optional values:
--config=default show the default configuration.
- --config=diff show modified options in the curent configuration.
+ --config=diff show modified options in the current configuration.
--config=check parse the current configuration, with error checking.
--help To view more options that are available use this program.
OTHER TOOLS
-----------
-ipencrypt *IP-ADDRESS* passsword
+ipencrypt *IP-ADDRESS* password
Encrypt an IP address according to the 'ipcipher' standard
-ipdecrypt *IP-ADDRESS* passsword
+ipdecrypt *IP-ADDRESS* password
Encrypt an IP address according to the 'ipcipher' standard
See also
sdig ::1 53 example.com A recurse
Query to a DNS-over-HTTPS server requesting dnssec and recursion
- sdig https://dns.somesample.net/dns-query 443 example.com A dnssec recurse
+ sdig https://dns.example.net/dns-query 443 example.com A dnssec recurse
.. note::
Actual supported algorithms depend on the crypto-libraries
- PowerDNS was compiled against. To check the supported DNSSEC algoritms
+ PowerDNS was compiled against. To check the supported DNSSEC algorithms
in your build of PowerDNS, run ``pdnsutil list-algorithms``.
.. _setting-default-ksk-size:
.. note::
Actual supported algorithms depend on the crypto-libraries
- PowerDNS was compiled against. To check the supported DNSSEC algoritms
+ PowerDNS was compiled against. To check the supported DNSSEC algorithms
in your build of PowerDNS, run ``pdnsutil list-algorithms``.
.. _setting-default-zsk-size:
.. versionadded:: 4.1.0
-If this is enabled, ALIAS records are expanded (synthesised to their
+If this is enabled, ALIAS records are expanded (synthesized to their
A/AAAA).
If this is disabled (the default), ALIAS records will not be expanded and
- Boolean
- Default: no
-If this is enabled, ALIAS records are expanded (synthesised to their
+If this is enabled, ALIAS records are expanded (synthesized to their
A/AAAA) during outgoing AXFR. This means slaves will not automatically
follow changes in those A/AAAA records unless you AXFR regularly!
- String
- Default: auto
-Specify which random number generator to use. Permissible choises are:
+Specify which random number generator to use. Permissible choices are:
- auto - choose automatically
- sodium - Use libsodium ``randombytes_uniform``
- kiss - Use simple settable deterministic RNG. **FOR TESTING PURPOSES ONLY!**
.. note::
- Not all choises are available on all systems.
+ Not all choices are available on all systems.
.. _setting-security-poll-suffix:
if (pcallReturnValue != 0) {
PushedObject errorCode{state, 1};
- // an error occured during execution, either an error message or a std::exception_ptr was pushed on the stack
+ // an error occurred during execution, either an error message or a std::exception_ptr was pushed on the stack
if (pcallReturnValue == LUA_ERRMEM) {
throw std::bad_alloc{};
return false;
}
else if ( code == -2 ) {
- // Here it may be possible to retry after obtainting a fresh ticket
+ // Here it may be possible to retry after obtaining a fresh ticket
g_log<<Logger::Debug << d_logPrefix << "No TGT found, trying to acquire a new one" << std::endl;
code = updateTgt();
return drc->serialize(domain, false);
}
-std::shared_ptr<DNSRecordContent> unserializeContentZR(uint16_t qtype, const DNSName& qname, const std::string& content)
+std::shared_ptr<DNSRecordContent> deserializeContentZR(uint16_t qtype, const DNSName& qname, const std::string& content)
{
if(qtype == QType::A && content.size() == 4) {
return std::make_shared<ARecordContent>(*((uint32_t*)content.c_str()));
}
- return DNSRecordContent::unserialize(qname, qtype, content);
+ return DNSRecordContent::deserialize(qname, qtype, content);
}
rr.dr.d_name = compoundOrdername::getQName(key) + d_lookupdomain;
rr.domain_id = compoundOrdername::getDomainID(key);
rr.dr.d_ttl = drr.ttl;
- rr.dr.d_content = unserializeContentZR(rr.dr.d_type, rr.dr.d_name, drr.content);
+ rr.dr.d_content = deserializeContentZR(rr.dr.d_type, rr.dr.d_name, drr.content);
rr.auth = drr.auth;
if(d_getcursor->next(keyv, val) || keyv.get<StringView>().rfind(d_matchkey, 0) != 0) {
throw NetworkError(std::string(strerror(rd)));
arl.feed(std::string(buffer, rd));
}
- // timeout occured.
+ // timeout occurred.
if (arl.ready() == false)
throw NetworkError("timeout");
} catch (NetworkError &ne) {
DNSName wildcardname;
string content; //!< what this record points to. Example: 10.1.2.3
- // Aligned on 8-byte boundries on systems where time_t is 8 bytes and int
+ // Aligned on 8-byte boundaries on systems where time_t is 8 bytes and int
// is 4 bytes, aka modern linux on x86_64
time_t last_modified; //!< For autocalculating SOA serial numbers - the backend needs to fill this in
kiss_init(unsigned int seed)
{
kiss_seed = seed;
- kiss_jsr = 0x5eed5eed; /* simply musn't be 0 */
+ kiss_jsr = 0x5eed5eed; /* simply mustn't be 0 */
kiss_z = 1 ^ (kiss_w = kiss_jcong = seed); /* w=z=0 is bad, see Rose */
}
unsigned char nonce[DNSCRYPT_NONCE_SIZE];
static_assert(sizeof(nonce) == (2* sizeof(d_header.clientNonce)), "Nonce should be larger than clientNonce (half)");
- static_assert(sizeof(d_header.clientPK) == DNSCRYPT_PUBLIC_KEY_SIZE, "Client Publick key size is not right");
+ static_assert(sizeof(d_header.clientPK) == DNSCRYPT_PUBLIC_KEY_SIZE, "Client Public key size is not right");
static_assert(sizeof(d_pair->privateKey.key) == DNSCRYPT_PRIVATE_KEY_SIZE, "Private key size is not right");
memcpy(nonce, &d_header.clientNonce, sizeof(d_header.clientNonce));
{ "addDNSCryptBind", true, "\"127.0.0.1:8443\", \"provider name\", \"/path/to/resolver.cert\", \"/path/to/resolver.key\", {reusePort=false, tcpFastOpenQueueSize=0, interface=\"\", cpus={}}", "listen to incoming DNSCrypt queries on 127.0.0.1 port 8443, with a provider name of `provider name`, using a resolver certificate and associated key stored respectively in the `resolver.cert` and `resolver.key` files. The fifth optional parameter is a table of parameters" },
{ "addDOHLocal", true, "addr, certFile, keyFile [, urls [, vars]]", "listen to incoming DNS over HTTPS queries on the specified address using the specified certificate and key. The last two parameters are tables" },
{ "addDynBlocks", true, "addresses, message[, seconds[, action]]", "block the set of addresses with message `msg`, for `seconds` seconds (10 by default), applying `action` (default to the one set with `setDynBlocksAction()`)" },
- { "addDynBlockSMT", true, "names, msessage[, seconds [, action]]", "block the set of names with message `msg`, for `seconds` seconds (10 by default), applying `action` (default to the one set with `setDynBlocksAction()`)" },
+ { "addDynBlockSMT", true, "names, message[, seconds [, action]]", "block the set of names with message `msg`, for `seconds` seconds (10 by default), applying `action` (default to the one set with `setDynBlocksAction()`)" },
{ "addLocal", true, "addr [, {doTCP=true, reusePort=false, tcpFastOpenQueueSize=0, interface=\"\", cpus={}}]", "add `addr` to the list of addresses we listen on" },
{ "addCacheHitResponseAction", true, "DNS rule, DNS response action [, {uuid=\"UUID\"}]", "add a cache hit response rule" },
{ "addResponseAction", true, "DNS rule, DNS response action [, {uuid=\"UUID\"}]", "add a response rule" },
Modifying the ACL
-----------------
-ACLs can be modfied at runtime from the :ref:`Console`.
+ACLs can be modified at runtime from the :ref:`Console`.
To inspect the currently active :term:`ACL`, run :func:`showACL`.
To add a new network range to the existing ACL, use :func:`addACL`:
In order to provide the downstream server with the address of the real client, or at least the one talking to dnsdist, the ``useClientSubnet`` parameter can be used when creating a :func:`new server <newServer>`.
This parameter indicates whether an EDNS Client Subnet option should be added to the request.
-If the incoming request already contains an EDNS Client Subnet value, it will not be overriden unless :func:`setECSOverride` is set to ``true``.
+If the incoming request already contains an EDNS Client Subnet value, it will not be overridden unless :func:`setECSOverride` is set to ``true``.
The default source prefix-length is 24 for IPv4 and 56 for IPv6, meaning that for a query received from 192.0.2.42, the EDNS Client Subnet value sent to the backend will be 192.0.2.0.
This can be changed with :func:`setECSSourcePrefixV4` and :func:`setECSSourcePrefixV6`.
:tags: Improvements, Performance
:pullreq: 5185
- Add the possiblity to fill a :class:`NetmaskGroup` (using :meth:`NetmaskGroup:addMask`) from `exceeds*` results.
+ Add the possibility to fill a :class:`NetmaskGroup` (using :meth:`NetmaskGroup:addMask`) from `exceeds*` results.
.. change::
:tags: Improvements
Open Resolver
A recursive DNS server available for many hosts on the internet.
- Ususally without adequate rate-limiting, allowing it to be used in reflection attacks.
+ Usually without adequate rate-limiting, allowing it to be used in reflection attacks.
QPS
Queries Per Second
All exceed-functions are documented in the :ref:`Configuration Reference <exceedfuncs>`.
Dynamic blocks drop matched queries by default, but this behavior can be changed with :func:`setDynBlocksAction`.
-For example, to send a REFUSED code instead of droppping the query::
+For example, to send a REFUSED code instead of dropping the query::
setDynBlocksAction(DNSAction.Refused)
Security of the Webserver
-------------------------
-The built-in webserver serves its content from inside the binary, this means it will not and connot read from disk.
+The built-in webserver serves its content from inside the binary, this means it will not and cannot read from disk.
By default, our web server sends some security-related headers::
Use the API, this key will need to be sent to dnsdist in the ``X-API-Key`` request header.
An HTTP 401 response is returned when a wrong or no API key is received.
A 404 response is generated is the requested endpoint does not exist.
-And a 405 response is returned when the HTTP methos is not allowed.
+And a 405 response is returned when the HTTP method is not allowed.
URL Endpoints
~~~~~~~~~~~~~
==================
dnsdist only runs on UNIX-like systems and there are several ways to install dnsdist.
-The fastest way is using packages, either from your own operating system vendor or suppied by the PowerDNS project.
+The fastest way is using packages, either from your own operating system vendor or supplied by the PowerDNS project.
Building from source is also supported.
If dnsdist is available in your operating system's software repositories, install it from there.
However, the version of dnsdist in the repositories might be an older version that might not have a feature that was added in a later version.
Or you might want to be brave and try a development snapshot from the master branch.
-PowerDNS provides software respositories for the most popular distributions.
+PowerDNS provides software repositories for the most popular distributions.
Visit https://repo.powerdns.com for more information and installation instructions.
Debian
* ``interface=""``: str - Set the network interface to use.
* ``cpus={}``: table - Set the CPU affinity for this listener thread, asking the scheduler to run it on a single CPU id, or a set of CPU ids. This parameter is only available if the OS provides the pthread_setaffinity_np() function.
* ``provider``: str - The TLS library to use between GnuTLS and OpenSSL, if they were available and enabled at compilation time. Default is to use OpenSSL when available.
- * ``ciphers``: str - The TLS ciphers to use. The exact format depends on the provider used. When the OpenSSL provder is used, ciphers for TLS 1.3 must be specified via ``ciphersTLS13``.
+ * ``ciphers``: str - The TLS ciphers to use. The exact format depends on the provider used. When the OpenSSL provider is used, ciphers for TLS 1.3 must be specified via ``ciphersTLS13``.
* ``ciphersTLS13``: str - The ciphers to use for TLS 1.3, when the OpenSSL provider is used. When the GnuTLS provider is used, ``ciphers`` applies regardless of the TLS protocol and this setting is not used.
* ``numberOfTicketsKeys``: int - The maximum number of tickets keys to keep in memory at the same time, if the provider supports it (GnuTLS doesn't, OpenSSL does). Only one key is marked as active and used to encrypt new tickets while the remaining ones can still be used to decrypt existing tickets after a rotation. Default to 5.
* ``ticketKeyFile``: str - The path to a file from where TLS tickets keys should be loaded, to support RFC 5077. These keys should be rotated often and never written to persistent storage to preserve forward secrecy. The default is to generate a random key. The OpenSSL provider supports several tickets keys to be able to decrypt existing sessions after the rotation, while the GnuTLS provider only supports one key.
:param string reason: The message to show next to the blocks
:param int blockingTime: The number of seconds this block to expire
:param int action: The action to take when the dynamic block matches, see :ref:`here <DNSAction>`. (default to the one set with :func:`setDynBlocksAction`)
- :param function vistitor: The Lua function to call.
+ :param function visitor: The Lua function to call.
.. method:: DynBlockRulesGroup:setSuffixMatchRuleFFI(seconds, reason, blockingTime, action , visitor)
:param string reason: The message to show next to the blocks
:param int blockingTime: The number of seconds this block to expire
:param int action: The action to take when the dynamic block matches, see :ref:`here <DNSAction>`. (default to the one set with :func:`setDynBlocksAction`)
- :param function vistitor: The Lua FFI function to call.
+ :param function visitor: The Lua FFI function to call.
.. method:: DynBlockRulesGroup:apply()
We must, however, provide a responder's maximum payload size in this record, and we can't easily know the
maximum payload size of the actual backend so we need to provide one. The default value is 1500 and can be
-overriden using :func:`setPayloadSizeOnSelfGeneratedAnswers`.
+overridden using :func:`setPayloadSizeOnSelfGeneratedAnswers`.
.. function:: setAddEDNSToSelfGeneratedResponses(add)
DNSName objects
===============
-A :class:`DNSName` object represents a name in the DNS. It has serveral functions that can manipulate it without conversions to strings.
+A :class:`DNSName` object represents a name in the DNS. It has several functions that can manipulate it without conversions to strings.
Creating a ``DNSName`` is done with the :func:`newDNSName`::
myname = newDNSName("www.example.com")
.. deprecated:: 1.2.0
Send at most ``limit`` queries/s for this pool, letting the subsequent rules apply otherwise.
- This function has been deprecated as of 1.2.0 and removed in 1.3.0, as it is only a convience function for the following syntax::
+ This function has been deprecated as of 1.2.0 and removed in 1.3.0, as it is only a convenience function for the following syntax::
addAction("192.0.2.0/24", QPSPoolAction(15, "myPool")
Move the last response rule to the first position.
-Functions for manipulating Cache Hit Respone Rules:
+Functions for manipulating Cache Hit Response Rules:
.. function:: addCacheHitResponseAction(DNSRule, action [, options])
Send copy of query to ``remote``, keep stats on responses.
If ``addECS`` is set to true, EDNS Client Subnet information will be added to the query.
- :param string remote: An IP:PORT conbination to send the copied queries to
+ :param string remote: An IP:PORT combination to send the copied queries to
:param bool addECS: Whether or not to add ECS information. Default false
.. function:: TempFailureCacheTTLAction(ttl)
dnsdist is designed to (re)start almost instantly.
But to prevent downtime when changing configuration, the console (see :ref:`Console`) can be used for live configuration.
-Issueing :func:`delta` on the console will print the changes to the configuration that have been made since startup::
+Issuing :func:`delta` on the console will print the changes to the configuration that have been made since startup::
> delta()
-- Wed Feb 22 2017 11:31:44 CET
vector<uint8_t> d_record;
};
-shared_ptr<DNSRecordContent> DNSRecordContent::unserialize(const DNSName& qname, uint16_t qtype, const string& serialized)
+shared_ptr<DNSRecordContent> DNSRecordContent::deserialize(const DNSName& qname, uint16_t qtype, const string& serialized)
{
dnsheader dnsheader;
memset(&dnsheader, 0, sizeof(dnsheader));
uint16_t d_pos;
uint16_t d_startrecordpos; // needed for getBlob later on
uint16_t d_recordlen; // ditto
- uint16_t not_used; // Aligns the whole class on 8-byte boundries
+ uint16_t not_used; // Aligns the whole class on 8-byte boundaries
const std::string& d_content;
};
return typeid(*this)==typeid(rhs) && this->getZoneRepresentation() == rhs.getZoneRepresentation();
}
- static shared_ptr<DNSRecordContent> unserialize(const DNSName& qname, uint16_t qtype, const string& serialized);
+ static shared_ptr<DNSRecordContent> deserialize(const DNSName& qname, uint16_t qtype, const string& serialized);
void doRecordCheck(const struct DNSRecord&){}
enum Type {
// AUTH_QUERY is a DNS query message received from a resolver by an
- // authoritative name server, from the perspective of the authorative
+ // authoritative name server, from the perspective of the authoritative
// name server.
AUTH_QUERY = 1;
private:
uint16_t lookupName(const DNSName& name, uint16_t* matchlen);
vector<uint16_t> d_namepositions;
- // We declare 1 uint_16 in the public section, these 3 align on a 8-byte boundry
+ // We declare 1 uint_16 in the public section, these 3 align on a 8-byte boundary
uint16_t d_sor;
uint16_t d_rollbackmarker; // start of last complete packet, for rollback
* Simplistic test to see if an IP address listens on a certain port
* Will return a single IP address from the set of available IP addresses. If
* no IP address is available, will return a random element of the set of
- * addresses suppplied for testing.
+ * addresses supplied for testing.
*
* @example ifportup(443, { '1.2.3.4', '5.4.3.2' })"
*/
void RecursorLua4::getFeatures(Features & features) {
// Add key-values pairs below.
- // Make sure you add string values explicity converted to string.
+ // Make sure you add string values explicitly converted to string.
// e.g. features.push_back(make_pair("somekey", string("stringvalue"));
// Both int and double end up as a lua number type.
features.push_back(make_pair("PR8001_devicename", true));
bool doReferral = true;
if(d_dk.doesDNSSEC()) {
for(auto& loopRR: rrset) {
- // In a dnssec capable backend auth=true means, there is no delagation at
+ // In a dnssec capable backend auth=true means, there is no delegation at
// or above this qname in this zone (for DS queries). Without a delegation,
// at or above this level, it is pointless to search for refferals.
if(loopRR.auth) {
bool ret = false;
// First check the (sub)domain isn't whitelisted for NOD purposes
if (!g_nodDomainWL.check(dname)) {
- // Now check the NODDB (note this is probablistic so can have FNs/FPs)
+ // Now check the NODDB (note this is probabilistic so can have FNs/FPs)
if (t_nodDBp && t_nodDBp->isNewDomain(dname)) {
if (g_nodLog) {
// This should probably log to a dedicated log file
For years, this was a safe assumption, but containers change that: in
most (all?) container implementations, the application itself is running
as pid 1. This means that sending signals to those applications, will not
- be handled by default. Results might be "your container not responsing
+ be handled by default. Results might be "your container not responding
when asking it to stop", or "ctrl-c not working even when the app is
running in the foreground inside a container".
--]]
function preresolve (dq)
- print ("prereesolve handler called for: "..dq.remoteaddr:toString().. ", local: ".. dq.localaddr:toString()..", ".. dq.qname:toString()..", ".. dq.qtype)
+ print ("preresolve handler called for: "..dq.remoteaddr:toString().. ", local: ".. dq.localaddr:toString()..", ".. dq.qname:toString()..", ".. dq.qtype)
dq.followupFunction="udpQueryResponse"
dq.udpCallback="gotdomaindetails"
dq.udpQueryDest=newCA("127.0.0.1:5555")
The PowerDNS Recursor can log DNS query information over :doc:`Protocol Buffers <../lua-config/protobuf>`.
To enable this functionality, install the `protobuf <https://developers.google.com/protocol-buffers/>`_ library and compiler.
-The configure script will automatically detect this and bump the Boost version depencency to 1.42.
+The configure script will automatically detect this and bump the Boost version dependency to 1.42.
To disable building this functionality, use ``--without-protobuf``.
systemd notify support
^^^^^^^^^^^^^^^^^^^^^^
-During configure, ``configure`` will attempt to detect the availibility of `systemd or systemd-daemon <https://freedesktop.org/wiki/Software/systemd/>`_ headers.
+During configure, ``configure`` will attempt to detect the availability of `systemd or systemd-daemon <https://freedesktop.org/wiki/Software/systemd/>`_ headers.
To force the use of systemd (and failing configure if the headers do not exist), use ``--enable-systemd``.
To set the directory where the unit files should be installed, use ``--with-systemd=/path/to/unit/dir``.
:pullreq: 5912
Fix going Insecure on NSEC3 hashes with too many iterations, since
- we could have gone Bogus on a positive answer synthetized from a
+ we could have gone Bogus on a positive answer synthesized from a
wildcard if the corresponding NSEC3 had more iterations that we were
willing to accept, while the correct result is Insecure.
:tags: Improvements
:pullreq: 5699
- Implement dynamic cache sizeing.
+ Implement dynamic cache sizing.
.. change::
:tags: Bug Fixes, DNSSEC
:tags: Improvements
:pullreq: 8726
- Give an explicit messsage if something is wrong with socket-dir.
+ Give an explicit message if something is wrong with socket-dir.
.. changelog::
:version: 4.3.0-beta2
messages from being logged f48d7b657ec32517f8bfcada3bfe6353ca313314
- Webserver now implements CORS for the API
ea89a97e864c43c1cb03f2959ad04c4ebe7580ad, fixing ticket #1984
-- Houskeeping thread would sometimes run multiple times simultaneously,
+- Housekeeping thread would sometimes run multiple times simultaneously,
which worked, but was odd cc59bce675e62e2b9657b42614ce8be3312cae82
New features:
* ``forward-zones``, ``forward-zones-recurse`` and/or ``auth-zones``
settings must be set (possibly to the empty string) in a
- configuration file. These settings must not be overriden on the
+ configuration file. These settings must not be overridden on the
command line. Setting these options on the command line will
override what has been set in the dynamically generated
configuration files.
:param int reconnectWaitTime: How long to wait, in seconds, between two reconnection attempts
:param bool asyncConnect: When set to false (default) the first connection to the server during startup will block up to ``timeout`` seconds, otherwise the connection is done in a separate thread, after the first message has been queued..
-Protobol Buffers Definition
+Protocol Buffers Definition
---------------------------
The protocol buffers message types can be found in the `dnsmessage.proto <https://github.com/PowerDNS/pdns/blob/master/pdns/dnsmessage.proto>`_ file and is included here:
------------------
The PowerDNS Recursor's Lua engine has the notion of a :class:`DNSName`, an object that represents a name in the DNS.
It is returned by several functions and has several functions to programmatically interact with it.
-:class:`DNSNames <DNSName>` can be compared agains each other using the :meth:`:equal <DNSName:equal>` function or the ``==`` operator.
+:class:`DNSNames <DNSName>` can be compared against each other using the :meth:`:equal <DNSName:equal>` function or the ``==`` operator.
As names in the DNS are case-insensitive, ``www.powerdns.com`` is equal to ``Www.PowerDNS.cOM``.
Creating a :class:`DNSName` is done with :func:`newDN()`.
.. versionadded:: 4.3.0
- Along the ``deviceId`` value that can be returned, it was addded a ``deviceName`` field to fill the :attr:`DNSQuestion.deviceName` field.
+ Along the ``deviceId`` value that can be returned, it was added a ``deviceName`` field to fill the :attr:`DNSQuestion.deviceName` field.
The tagged packetcache can e.g. be used to answer queries from cache that have e.g. been filtered for certain IPs (this logic should be implemented in :func:`gettag`).
This ensure that queries are answered quickly compared to setting :attr:`dq.variable <DNSQuestion.variable>` to true.
Returns true if ``address`` matches any of the masks in the group.
- :param ComboAddress address: The IP addres to match the netmasks against.
+ :param ComboAddress address: The IP address to match the netmasks against.
policy-result-noaction
^^^^^^^^^^^^^^^^^^^^^^
-packets that were not actioned upon by the RPZ/filter engine
+packets that were not acted upon by the RPZ/filter engine
policy-result-drop
^^^^^^^^^^^^^^^^^^
A common security technique for detecting domains that may be suspicious or be associated with bad actors such as hosting malware, phishing or botnet command and control, is to investigate domains that haven't been seen before, i.e. are newly observed.
-Deciding whether a domain is truly a new domain would involve deterministic methods, such as maintaining a database of all domains ever seen, and comparing all domain lookups against that database. Such a mechanism would not be scalable in a recursor, and so is best suited to offline analysis. However, determining candidate domains for such an offline service is a problem that can be solved in the recursor, given that sending all domain lookups to such an offline service would still be prohibitely costly, and given that the true number of newly observed domains is likely to be relatively small in a given time period.
+Deciding whether a domain is truly a new domain would involve deterministic methods, such as maintaining a database of all domains ever seen, and comparing all domain lookups against that database. Such a mechanism would not be scalable in a recursor, and so is best suited to offline analysis. However, determining candidate domains for such an offline service is a problem that can be solved in the recursor, given that sending all domain lookups to such an offline service would still be prohibitively costly, and given that the true number of newly observed domains is likely to be relatively small in a given time period.
A simple method to determine a candidate domain would simply be to check if the domain was not in the recursor cache; indeed this is a method used by many security researchers. However, while that does produce a smaller list of candidate domains, cache misses are still relatively common, particularly in deployments where techniques such as EDNS client-subnet are used.
-Therefore, a feature has been developed for the recursor which uses probablistic data structures (specifically a Stable Bloom Filter (SBF): [http://webdocs.cs.ualberta.ca/~drafiei/papers/DupDet06Sigmod.pdf]). This recursor feature is named "Newly Observed Domain" or "NOD" for short.
+Therefore, a feature has been developed for the recursor which uses probabilistic data structures (specifically a Stable Bloom Filter (SBF): [http://webdocs.cs.ualberta.ca/~drafiei/papers/DupDet06Sigmod.pdf]). This recursor feature is named "Newly Observed Domain" or "NOD" for short.
-The use of a probablistic data structure means that the memory and CPU usage for the NOD feature is minimal, however it does mean that there can be false positives (a domain flagged as new when it is not), and false negatives (a domain that is new is not detected). The size of the SBF data structure can be tuned to reduce the FP/FN rate, although it is created with a default size (67108864 cells) that should provide a reasonably low FP/FN rate. To configure a different size use the ``new-domain-db-size`` setting to specify a higher or lower cell count. Each cell consumes 1-bit of RAM (per recursor thread) and 1-byte of disk space.
+The use of a probabilistic data structure means that the memory and CPU usage for the NOD feature is minimal, however it does mean that there can be false positives (a domain flagged as new when it is not), and false negatives (a domain that is new is not detected). The size of the SBF data structure can be tuned to reduce the FP/FN rate, although it is created with a default size (67108864 cells) that should provide a reasonably low FP/FN rate. To configure a different size use the ``new-domain-db-size`` setting to specify a higher or lower cell count. Each cell consumes 1-bit of RAM (per recursor thread) and 1-byte of disk space.
NOD is disabled by default, and must be enabled through the use of the following setting in recursor.conf:
Unique Domain Response
~~~~~~~~~~~~~~~~~~~~~~
-A similar feature to NOD is Unique Domain Response (UDR). This feature uses the same probablistic data structures as NOD to store information about unique responses for a given lookup domain. Determining if a particular response is unique for a given lookup domain is extremly useful for determining potential security issues such as:
+A similar feature to NOD is Unique Domain Response (UDR). This feature uses the same probabilistic data structures as NOD to store information about unique responses for a given lookup domain. Determining if a particular response is unique for a given lookup domain is extremely useful for determining potential security issues such as:
* Fast-Flux Domain Names
* Cache-Poisoning Attacks
When wiping cache entries, matching entries in *all* caches (packet cache, recursor cache, negative cache) are removed.
-When debugging resolving issues, it can be advantagious to have a dump of all the cache entries.
+When debugging resolving issues, it can be advantageous to have a dump of all the cache entries.
:doc:`rec_control <manpages/rec_control.1>` can write the caches of all threads to a file::
rec_control dump-cache /tmp/cache
- Default: no (disabled)
Whether to track newly observed domains, i.e. never seen before. This
-is a probablistic algorithm, using a stable bloom filter to store
+is a probabilistic algorithm, using a stable bloom filter to store
records of previously seen domains. When enabled for the first time,
all domains will appear to be newly observed, so the feature is best
left enabled for e.g. a week or longer before using the results. Note
- String
- Default: auto
-Specify which random number generator to use. Permissible choises are
+Specify which random number generator to use. Permissible choices are
- auto - choose automatically
- sodium - Use libsodium ``randombytes_uniform``
- openssl - Use libcrypto ``RAND_bytes``
- kiss - Use simple settable deterministic RNG. **FOR TESTING PURPOSES ONLY!**
.. note::
- Not all choises are available on all systems.
+ Not all choices are available on all systems.
.. _setting-root-nx-trust:
using namespace ::boost::multi_index;
-/* FIXME should become part of the normal cache (I think) and shoudl become more like
+/* FIXME should become part of the normal cache (I think) and should become more like
* struct {
* vector<DNSRecord> records;
* vector<DNSRecord> signatures;
"Number of packets dropped because of (Lua) policy decision")},
{"policy-result-noaction",
MetricDefinition(PrometheusMetricType::counter,
- "Number of packets that were not actioned upon by the RPZ/filter engine")},
+ "Number of packets that were not acted upon by the RPZ/filter engine")},
{"policy-result-drop",
MetricDefinition(PrometheusMetricType::counter,
"Number of packets that were dropped by the RPZ/filter engine")},
BOOST_CHECK(ret[2].d_type == QType::A);
BOOST_CHECK_EQUAL(ret[2].d_name, cnameTarget);
- // Check if we correctly return a synthesizd CNAME, should send out just 1 more query
+ // Check if we correctly return a synthesized CNAME, should send out just 1 more query
ret.clear();
res = sr->beginResolve(uncachedTarget, QType(QType::A), QClass::IN, ret);
return 0;
});
- /* we populate the cache with eveything we need */
+ /* we populate the cache with everything we need */
time_t now = sr->getNow().tv_sec;
std::vector<DNSRecord> records;
std::vector<shared_ptr<RRSIGRecordContent>> sigs;
closesocket(sock);
}
catch(const PDNSException& e) {
- g_log<<Logger::Error<<"Error closing master forwarding socket after a timeout occured: "<<e.reason<<endl;
+ g_log<<Logger::Error<<"Error closing master forwarding socket after a timeout occurred: "<<e.reason<<endl;
}
continue;
}
closesocket(sock);
}
catch(const PDNSException& e) {
- g_log<<Logger::Error<<"Error closing master forwarding socket after an error occured: "<<e.reason<<endl;
+ g_log<<Logger::Error<<"Error closing master forwarding socket after an error occurred: "<<e.reason<<endl;
}
continue;
}
TSIGRecordContent trc;
DNSName tsigkeyname;
dp.getTSIGDetails(&trc, &tsigkeyname);
- P->trySuperMasterSynchronous(dp, tsigkeyname); // FIXME could use some error loging
+ P->trySuperMasterSynchronous(dp, tsigkeyname); // FIXME could use some error logging
}
if(rdomains.empty()) { // if we have priority domains, check them first
B->getUnfreshSlaveInfos(&rdomains);
void StatBag::declareComboRing(const string &name, const string &help, unsigned int size)
{
- d_comborings.emplace(name, size);
- d_comborings[name].setHelp(help);
+ d_comboRings.emplace(name, size);
+ d_comboRings[name].setHelp(help);
registerRingStats(name);
}
}
vector<pair<string, unsigned int> > ret;
- if (d_comborings.count(name)) {
+ if (d_comboRings.count(name)) {
typedef pair<SComboAddress, unsigned int> stor_t;
- vector<stor_t> raw =d_comborings[name].get();
+ vector<stor_t> raw =d_comboRings[name].get();
for(const stor_t& stor : raw) {
ret.push_back(make_pair(stor.first.ca.toString(), stor.second));
}
{
if(d_rings.count(name))
d_rings[name].reset();
- if(d_comborings.count(name))
- d_comborings[name].reset();
+ if(d_comboRings.count(name))
+ d_comboRings[name].reset();
if(d_dnsnameqtyperings.count(name))
d_dnsnameqtyperings[name].reset();
}
{
if(d_rings.count(name))
d_rings[name].resize(newsize);
- if(d_comborings.count(name))
- d_comborings[name].resize(newsize);
+ if(d_comboRings.count(name))
+ d_comboRings[name].resize(newsize);
if(d_dnsnameqtyperings.count(name))
return d_dnsnameqtyperings[name].resize(newsize);
}
{
if(d_rings.count(name))
return d_rings[name].getSize();
- if(d_comborings.count(name))
- return d_comborings[name].getSize();
+ if(d_comboRings.count(name))
+ return d_comboRings[name].getSize();
if(d_dnsnameqtyperings.count(name))
return d_dnsnameqtyperings[name].getSize();
return 0;
{
if(d_rings.count(name))
return d_rings[name].getEntriesCount();
- if(d_comborings.count(name))
- return d_comborings[name].getEntriesCount();
+ if(d_comboRings.count(name))
+ return d_comboRings[name].getEntriesCount();
if(d_dnsnameqtyperings.count(name))
return d_dnsnameqtyperings[name].getEntriesCount();
return 0;
{
if(d_rings.count(name))
return d_rings[name].getHelp();
- if(d_comborings.count(name))
- return d_comborings[name].getHelp();
+ if(d_comboRings.count(name))
+ return d_comboRings[name].getHelp();
if(d_dnsnameqtyperings.count(name))
return d_dnsnameqtyperings[name].getHelp();
return "";
vector<string> ret;
for(auto i=d_rings.begin();i!=d_rings.end();++i)
ret.push_back(i->first);
- for(auto i=d_comborings.begin();i!=d_comborings.end();++i)
+ for(auto i=d_comboRings.begin();i!=d_comboRings.end();++i)
ret.push_back(i->first);
for(const auto &i : d_dnsnameqtyperings)
ret.push_back(i.first);
bool StatBag::ringExists(const string &name)
{
- return d_rings.count(name) || d_comborings.count(name) || d_dnsnameqtyperings.count(name);
+ return d_rings.count(name) || d_comboRings.count(name) || d_dnsnameqtyperings.count(name);
}
void StatBag::blacklist(const string& str) {
{
public:
StatRing(unsigned int size=10000);
- // Some older C++ libs have trouble emplacing without a copy-contructor, so provide one
+ // Some older C++ libs have trouble emplacing without a copy-constructor, so provide one
StatRing(const StatRing &);
StatRing & operator=(const StatRing &) = delete;
map<string, std::unique_ptr<AtomicCounter>> d_stats;
map<string, string> d_keyDescrips;
map<string,StatRing<string, CIStringCompare> >d_rings;
- map<string,StatRing<SComboAddress> >d_comborings;
+ map<string,StatRing<SComboAddress> >d_comboRings;
map<string,StatRing<std::tuple<DNSName, QType> > >d_dnsnameqtyperings;
typedef boost::function<uint64_t(const std::string&)> func_t;
typedef map<string, func_t> funcstats_t;
void ringAccount(const char* name, const ComboAddress &item)
{
if(d_doRings) {
- if(!d_comborings.count(name))
- throw runtime_error("Attempting to account to non-existent comboring '"+std::string(name)+"'");
- d_comborings[name].account(item);
+ if(!d_comboRings.count(name))
+ throw runtime_error("Attempting to account to non-existent comboRing '"+std::string(name)+"'");
+ d_comboRings[name].account(item);
}
}
void ringAccount(const char* name, const DNSName &dnsname, const QType &qtype)
}
/*!
- * Convience function to push the records from records into ret with a new TTL
+ * Convenience function to push the records from records into ret with a new TTL
*
* \param records DNSRecords that need to go into ret
* \param ttl The new TTL for these records
- * \param ret The vector of DNSRecords that should contian the records with the modified TTL
+ * \param ret The vector of DNSRecords that should contain the records with the modified TTL
*/
static void addTTLModifiedRecords(const vector<DNSRecord>& records, const uint32_t ttl, vector<DNSRecord>& ret) {
for (const auto& rec : records) {
prefix.append(depth, ' ');
}
- // sqname and sqtype are used contain 'higher' names if we have them (e.g. powerdns.com|SOA when we find a negative entry for doesnotexists.powerdns.com|A)
+ // sqname and sqtype are used contain 'higher' names if we have them (e.g. powerdns.com|SOA when we find a negative entry for doesnotexist.powerdns.com|A)
DNSName sqname(qname);
QType sqt(qtype);
uint32_t sttl=0;
isCNAMEAnswer = false;
}
- /* if we have a positive answer synthetized from a wildcard,
+ /* if we have a positive answer synthesized from a wildcard,
we need to store the corresponding NSEC/NSEC3 records proving
that the exact name did not exist in the negative cache */
if(gatherWildcardProof) {
if (rrsig) {
/* As illustrated in rfc4035's Appendix B.6, the RRSIG label
count can be lower than the name's label count if it was
- synthetized from the wildcard. Note that the difference might
+ synthesized from the wildcard. Note that the difference might
be > 1. */
if (rec.d_name == qname && isWildcardExpanded(labelCount, rrsig)) {
gatherWildcardProof = true;
We still want to gather the corresponding NSEC/NSEC3 records
to pass them to our client in case it wants to validate by itself.
*/
- LOG(prefix<<qname<<": RRSIG indicates the name was synthetized from a wildcard, we need a wildcard proof"<<endl);
+ LOG(prefix<<qname<<": RRSIG indicates the name was synthesized from a wildcard, we need a wildcard proof"<<endl);
needWildcardProof = true;
}
else {
- LOG(prefix<<qname<<": RRSIG indicates the name was synthetized from a wildcard expanded onto itself, we need to gather wildcard proof"<<endl);
+ LOG(prefix<<qname<<": RRSIG indicates the name was synthesized from a wildcard expanded onto itself, we need to gather wildcard proof"<<endl);
}
wildcardLabelsCount = rrsig->d_labels;
}
}
}
}
- /* if we have a positive answer synthetized from a wildcard, we need to
+ /* if we have a positive answer synthesized from a wildcard, we need to
return the corresponding NSEC/NSEC3 records from the AUTHORITY section
proving that the exact name did not exist */
else if(gatherWildcardProof && (rec.d_type==QType::RRSIG || rec.d_type==QType::NSEC || rec.d_type==QType::NSEC3) && rec.d_place==DNSResourceRecord::AUTHORITY) {
done=true;
if (state == Secure && needWildcardProof) {
- /* We have a positive answer synthetized from a wildcard, we need to check that we have
+ /* We have a positive answer synthesized from a wildcard, we need to check that we have
proof that the exact name doesn't exist so the wildcard can be used,
as described in section 5.3.4 of RFC 4035 and 5.3 of RFC 7129.
*/
// CASE_L can be used where this is not the case. See LOC below for a good example why this might happen
/* (CASE_S(QType::NAME, "zone format", "line format")) */
-/* (CASE_L(QType::NAME, "zone format", "canonic zone format", "line format")) */
+/* (CASE_L(QType::NAME, "zone format", "canonical zone format", "line format")) */
#define _CASE_L(type, inval, zoneval, lineval, broken) case_t(type, BINARY(inval), BINARY(zoneval), BINARY(lineval), broken)
#define CASE_L(type, inval, zoneval, lineval) _CASE_L(type, inval, zoneval, lineval, broken_marker::WORKING)
}
recData = rec->serialize(DNSName("rec.test"));
- std::shared_ptr<DNSRecordContent> rec2 = DNSRecordContent::unserialize(DNSName("rec.test"),q.getCode(),recData);
- BOOST_CHECK_MESSAGE(rec2 != NULL, "unserialize(rec.test, " << q.getCode() << ", recData) should not return NULL");
+ std::shared_ptr<DNSRecordContent> rec2 = DNSRecordContent::deserialize(DNSName("rec.test"),q.getCode(),recData);
+ BOOST_CHECK_MESSAGE(rec2 != NULL, "deserialize(rec.test, " << q.getCode() << ", recData) should not return NULL");
if (rec2 == NULL) continue;
// now verify the zone representation (here it can be different!)
REC_CHECK_EQUAL(rec2->getZoneRepresentation(), zoneval);
- If `wantsNoDataProof` is set but a NSEC proves that the whole name does not exist, the function will return
NXQTYPE is the name is proven to be ENT and NXDOMAIN otherwise.
- If `needWildcardProof` is false, the proof that a wildcard covering this qname|qtype is not checked. It is
- useful when we have a positive answer synthetized from a wildcard and we only need to prove that the exact
+ useful when we have a positive answer synthesized from a wildcard and we only need to prove that the exact
name does not exist.
*/
dState getDenial(const cspmap_t &validrrsets, const DNSName& qname, const uint16_t qtype, bool referralToUnsigned, bool wantsNoDataProof, bool needWildcardProof, unsigned int wildcardLabelsCount)
{
bool nsec3Seen = false;
if (!needWildcardProof && wildcardLabelsCount == 0) {
- throw PDNSException("Invalid wildcard labels count for the validation of a positive answer synthetized from a wildcard");
+ throw PDNSException("Invalid wildcard labels count for the validation of a positive answer synthesized from a wildcard");
}
for(const auto& v : validrrsets) {
}
}
-/** Throws ApiException if records which violate RRset contraints are present.
+/** Throws ApiException if records which violate RRset constraints are present.
* NOTE: sorts records in-place.
*
* Constraints being checked:
"""
Try to get get a key that does not exist
"""
- name = "idontexist"
+ name = "idonotexist"
r = self.session.get(self.url(
"/api/v1/servers/localhost/tsigkeys/" + name + '.'),
headers={'accept': 'application/json'})
self.assertRcodeEqual(res, dns.rcode.NOERROR)
self.assertAnyRRsetInAnswer(res, expected)
- # the first IP should not be up so only second shoud be returned
+ # the first IP should not be up so only second should be returned
expected = [expected[1]]
res = self.sendUDPQuery(query)
self.assertRcodeEqual(res, dns.rcode.NOERROR)
def testServersIDontExist(self):
"""
- API: /api/v1/servers/idontexist (should be 404)
+ API: /api/v1/servers/idonotexist (should be 404)
"""
headers = {'x-api-key': self._webServerAPIKey}
- url = 'http://127.0.0.1:' + str(self._webServerPort) + '/api/v1/servers/idontexist'
+ url = 'http://127.0.0.1:' + str(self._webServerPort) + '/api/v1/servers/idonotexist'
r = requests.get(url, headers=headers, timeout=self._webTimeout)
self.assertEquals(r.status_code, 404)
time.sleep(self._negCacheTTL + 1)
- # we should not have cached for longer than the negativel TTL
+ # we should not have cached for longer than the negative TTL
# so it should be a miss
(receivedQuery, receivedResponse) = self.sendUDPQuery(query, response)
self.assertTrue(receivedQuery)
def testSecureCNAMEWildCardNXDOMAIN(self):
# the answer to this query reaches the UDP truncation threshold, so let's use TCP
res = self.sendQuery('something.cnamewildcardnxdomain.secure.example.', 'A', useTCP=True)
- expectedCNAME = dns.rrset.from_text('something.cnamewildcardnxdomain.secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'doesntexist.secure.example.')
+ expectedCNAME = dns.rrset.from_text('something.cnamewildcardnxdomain.secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'doesnotexist.secure.example.')
self.assertRcodeEqual(res, dns.rcode.NXDOMAIN)
self.assertMatchingRRSIGInAnswer(res, expectedCNAME)
*.cnamewildcard.secure.example. 3600 IN CNAME host1.secure.example.
-*.cnamewildcardnxdomain.secure.example. 3600 IN CNAME doesntexist.secure.example.
+*.cnamewildcardnxdomain.secure.example. 3600 IN CNAME doesnotexist.secure.example.
cname-to-formerr.secure.example. 3600 IN CNAME host1.insecure-formerr.example.
self.assertEqual(res.answer[0].ttl, 1)
def testIPFilterHeader(self):
- query = dns.message.make_query('ipfiler.luahooks.example.', 'A', 'IN')
+ query = dns.message.make_query('ipfilter.luahooks.example.', 'A', 'IN')
query.flags |= dns.flags.AD
for method in ("sendUDPQuery", "sendTCPQuery"):
super(RPZFileDefaultPolNotOverrideLocalRecursorTest, cls).generateRecursorConfig(confdir)
def testRPZ(self):
- # local data entries will not be overridden by the default polic
+ # local data entries will not be overridden by the default policy
self.checkCustom('a.example.', 'A', dns.rrset.from_text('a.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.42', '192.0.2.43'))
self.checkCustom('a.example.', 'TXT', dns.rrset.from_text('a.example.', 0, dns.rdataclass.IN, 'TXT', '"some text"'))
# will be blocked because the default policy does not override local data entries
from recursortests import RecursorTest
-class testReadTrustAnchorsFronFile(RecursorTest):
+class testReadTrustAnchorsFromFile(RecursorTest):
_confdir = 'ReadTAsFromFile'
_config_template = """dnssec=validate"""
@ SOA $SOA
@ NS ns.example.net.
-defpol-with-ttl.example.net 50 IN A 192.0.2.35 ; will be overriden by the default policy and the default TTL
+defpol-with-ttl.example.net 50 IN A 192.0.2.35 ; will be overridden by the default policy and the default TTL
EOF
@ SOA $SOA
@ NS ns.example.net.
-defpol-with-ttl-capped.example.net 100 IN A 192.0.2.35 ; will be overriden by the default policy and the default TTL (but capped by maxTTL)
+defpol-with-ttl-capped.example.net 100 IN A 192.0.2.35 ; will be overridden by the default policy and the default TTL (but capped by maxTTL)
EOF
@ SOA $SOA
@ NS ns.example.net.
-defpol-without-ttl.example.net A 192.0.2.35 ; will be overriden by the default policy, but with the zone's TTL
+defpol-without-ttl.example.net A 192.0.2.35 ; will be overridden by the default policy, but with the zone's TTL
EOF
@ SOA $SOA
@ NS ns.example.net.
-defpol-without-ttl-capped.example.net A 192.0.2.35 ; will be overriden by the default policy, but with the zone's TTL capped by maxTTL
+defpol-without-ttl-capped.example.net A 192.0.2.35 ; will be overridden by the default policy, but with the zone's TTL capped by maxTTL
EOF
-Check NSECx response for wildcards no data asnwers (mode 2)
+Check NSECx response for wildcards no data answers (mode 2)
-Check NSECx response for wildcard asnwers (mode 3)
+Check NSECx response for wildcard answers (mode 3)
projects / thirdparty / pdns.git / commitdiff
