* Try to use sysctl CTL_KERN, KERN_RANDOM, RANDOM_UUID.
* sysctl is a failsafe API, so it guarantees a result. This
* should work inside a chroot, or when file descriptors are
- * exhuasted.
+ * exhausted.
*
* However this can fail if the Linux kernel removes support
* for sysctl. Starting in 2007, there have been efforts to
* Please make sure that your system defines BYTE_ORDER. If your
* architecture is little-endian, make sure it also defines
* LITTLE_ENDIAN and that the two (BYTE_ORDER and LITTLE_ENDIAN) are
- * equivilent.
+ * equivalent.
*
* If your system does not define the above, then you can do so by
* hand like this:
+ /**
* Each time a delegation point changes for a given query or a
* query times out and/or wakes up, this state is (re)visited.
- * This state is reponsible for iterating through a list of
+ * This state is responsible for iterating through a list of
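Review bot: the `+ /**` at the top of this hunk is an unpaired comment opener, not a spelling fix; neither the closing `*/` nor the text it introduces is visible here, so confirm it is intentional and belongs in this change set rather than being a stray line from another edit.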
@@ -309,6 +320,13 @@ struct iter_qstate {
*/
int refetch_glue;
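Review bot: the header `@@ -309,6 +320,13 @@ struct iter_qstate {` reports seven lines added to `struct iter_qstate`, yet only the unchanged `int refetch_glue;` context is shown, so the added lines cannot be reviewed here. A change to iterator state is functional, not cosmetic; it should be split out of a spelling-fix commit or at least called out in its description.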
- Change make/configure lines to attempt to fix -lphtread linking issue
* Thu Feb 18 2010 Paul Wouters <paul@xelerance.com> - 1.4.1-2
-- Removed dependancy for dnssec-conf
+- Removed dependency for dnssec-conf
- Added ISC DLV key (formerly in dnssec-conf)
- Fixup old DLV locations in unbound.conf file via %%post
- Fix parent child disagreement handling and no-ipv6 present [svn r1953]
- Re-enabled glob.patch
* Wed May 20 2009 Paul Wouters <paul@xelerance.com> - 1.2.1-7
-- unbound-iterator.patch was not commited
+- unbound-iterator.patch was not committed
* Wed May 20 2009 Paul Wouters <paul@xelerance.com> - 1.2.1-6
- Fix for https://bugzilla.redhat.com/show_bug.cgi?id=499793
* Wed Jan 14 2009 Paul Wouters <paul@xelerance.com - 1.2.0-1
- Updated to 1.2.0
-- Added dependancy on minimum SSL for CVE-2008-5077
-- Added dependancy on bc for unbound-munin
+- Added dependency on minimum SSL for CVE-2008-5077
+- Added dependency on bc for unbound-munin
- Added minimum requirement of libevent 1.4.5. Crashes with older versions
(note: libevent is stale in EL-4 and not in EL-5, needs fixing there)
-- Removed dependancy on selinux-policy (will get used when available)
+- Removed dependency on selinux-policy (will get used when available)
- Enable options as per draft-wijngaards-dnsext-resolver-side-mitigation-00.txt
- Enable unwanted-reply-threshold to mitigate against a Kaminsky attack
- Enable val-clean-additional to drop addition unsigned data from signed
- Build against ldns-1.3.0
* Wed May 21 2008 Paul Wouters <paul@xelerance.com> - 1.0.0-1
-- Split of -devel package, fixed dependancies, make rpmlint happy
+- Split of -devel package, fixed dependencies, make rpmlint happy
* Thu Apr 25 2008 Wouter Wijngaards <wouter@nlnetlabs.nl> - 0.12
- Using parts from ports collection entry by Jaap Akkerhuis.
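Review bot: several slips of the same kind survive in the changelog entries this hunk edits: `-lphtread` on the `Change make/configure lines ...` entry should read `-lpthread`, the author line `Paul Wouters <paul@xelerance.com - 1.2.0-1` is missing the closing `>` of the e-mail address, and `drop addition unsigned data from signed` should read `drop additional unsigned data from signed`. Rewriting historical changelog entries is debatable, but doing it halfway is the worst option; either fix these in the same pass or leave the changelog untouched.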
enum Type {
// AUTH_QUERY is a DNS query message received from a resolver by an
- // authoritative name server, from the perspective of the authorative
+ // authoritative name server, from the perspective of the authoritative
// name server.
AUTH_QUERY = 1;
18 November 2015: Wouter
- newer acx_nlnetlabs.m4.
+ - spelling fixes from Igor Sobrado Delgado.
17 November 2015: Wouter
- Fix #594. libunbound: optionally use libnettle for crypto.
existence in 4592. NSEC empty non-terminals exist and thus the
RCODE should have been NOERROR. If this occurs, and the RRsets
are secure, we set the RCODE to NOERROR and the security status
- of the reponse is also considered secure.
+ of the response is also considered secure.
14 February 2014: Wouter
- Works on Minix (3.2.1).
- Fix getaddrinfowithincludes on windows with fedora16 mingw32-gcc.
- Fix warnings with gcc 4.6 in compat/inet_ntop.c.
- Fix warning unused in compat/strptime.c.
- - Fix malloc detection and double defintion.
+ - Fix malloc detection and double definition.
2 December 2011: Wouter
- configure generated with autoconf 2.68.
- Advertise builtin select libevent alternative when no libevent
is found.
- signit can generate NSEC3 hashes, for generating tests.
- - multiple nsec3 paramaters in message test.
+ - multiple nsec3 parameters in message test.
- too high nsec3 iterations becomes insecure test.
21 September 2007: Wouter
- testbound can replay a TCP query (set MATCH TCP in the QUERY).
- DS and noDS referral validation test.
- if you configure many trust anchors, parent trust anchors can
- securely deny existance of child trust anchors, if validated.
+ securely deny existence of child trust anchors, if validated.
- not all *.name NSECs are present because a wildcard was matched,
and *.name NSECs can prove nodata for empty nonterminals.
Also, for wildcard name NSECs, check they are not from the parent
17 July 2007: Wouter
- forward zone options in config file.
- - forward per zone in iterator. takes precendence over stubs.
+ - forward per zone in iterator. takes precedence over stubs.
- fixup commithooks.
- removed forward-to and forward-to-port features, subsumed by
new forward zones.
ldns and libevent are linked statically. Default is off.
- make install and make uninstall. Works with static-exe and without.
installation of unbound binary and manual pages.
- - alignement problem fix on solaris 64.
+ - alignment problem fix on solaris 64.
- fixup address in case of TCP error.
12 June 2007: Wouter
- removed FLAG_CD from message and rrset caches. This was useful for
an agnostic forwarder, but not for a sophisticated (trust value per
rrset enabled) cache.
- - iterator reponse typing.
+ - iterator response typing.
- iterator cname handle.
- iterator prime start.
- subquery work.
- Acknowledge use of unbound-java code in iterator. Nicer readme.
- services/cache/dns.c DNS Cache. Hybrid cache uses msgcache and
rrset cache from module environment.
- - packed rrset key has type and class as easily accessable struct
+ - packed rrset key has type and class as easily accessible struct
members. They are still kept in network format for fast msg encode.
- dns cache find_delegation routine.
- iterator main functions setup.
- EDNS read from query, used to make reply smaller.
- advertised edns value constants.
- EDNS BADVERS response, if asked for too high edns version.
- - EDNS extended error reponses once the EDNS record from the query
+ - EDNS extended error responses once the EDNS record from the query
has successfully been parsed.
4 May 2007: Wouter
must be between the option and the value. Some values may not have an
effect if set this way, the new values are not written to the config file,
not all options are supported. This is different from the set_option call
-in libunbound, where all values work because unbound has not been inited.
+in libunbound, where all values work because unbound has not been initialized.
.IP
The values that work are: statistics\-interval, statistics\-cumulative,
do\-not\-query\-localhost, harden\-short\-bufsize, harden\-large\-queries,
.B private\-address: \fI<IP address or subnet>
Give IPv4 of IPv6 addresses or classless subnets. These are addresses
on your private network, and are not allowed to be returned for
-public internet names. Any occurence of such addresses are removed
+public internet names. Any occurrence of such addresses are removed
from DNS answers. Additionally, the DNSSEC validator may mark the
answers bogus. This protects against so\-called DNS Rebinding, where
a user browser is turned into a network proxy, allowing remote access
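Review bot: `Give IPv4 of IPv6 addresses` should be `Give IPv4 or IPv6 addresses`, and `Any occurrence of such addresses are removed` needs `is removed` (the subject is `occurrence`); both sit in the same hunk as the `occurence` fix. This paragraph documents the DNS rebinding defence an operator relies on, so it is worth getting the wording right in one go.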
messages that are not signed properly. Messages that are insecure, bogus,
indeterminate or unchecked are not affected. Default is yes. Use this setting
to protect the users that rely on this validator for authentication from
-protentially bad data in the additional section.
+potentially bad data in the additional section.
.TP
.B val\-log\-level: \fI<number>
Have the validator print validation failures to the log. Regardless of
exceeded. If set to another value, 1 in that number is allowed through
to complete. Default is 10, allowing 1/10 traffic to flow normally.
This can make ordinary queries complete (if repeatedly queried for),
-and enter the cache, whilst also mitigiting the traffic flow by the
+and enter the cache, whilst also mitigating the traffic flow by the
factor given.
.TP 5
.B ratelimit\-for\-domain: \fI<domain> <number qps>
* children of the originating zone. The idea here is that,
* as far as we know, the server that we contacted is ONLY
* authoritative for the originating zone. It, of course, MAY
- * be authoriative for any other zones, and of course, MAY
+ * be authoritative for any other zones, and of course, MAY
* NOT be authoritative for some subdomains of the originating
* zone. */
prev = NULL;
return -1; /* server is lame */
else if(rtt >= USEFUL_SERVER_TOP_TIMEOUT)
/* server is unresponsive,
- * we used to return TOP_TIMOUT, but fairly useless,
+ * we used to return TOP_TIMEOUT, but fairly useless,
* because if == TOP_TIMEOUT is dropped because
* blacklisted later, instead, remove it here, so
* other choices (that are not blacklisted) can be
return got_it;
}
-/** filter the addres list, putting best targets at front,
+/** filter the address list, putting best targets at front,
* returns number of best targets (or 0, no suitable targets) */
static int
iter_filter_order(struct iter_env* iter_env, struct module_env* env,
/**
* Transition an event to its final state. Final states always either return
* a result up the module chain, or reactivate a dependent event. Which
- * final state to transtion to is set in the module state for the event when
+ * final state to transition to is set in the module state for the event when
* it was created, and depends on the original purpose of the event.
*
* The response is stored in the qstate->buf buffer.
/**
* Generate a subrequest.
* Generate a local request event. Local events are tied to this module, and
- * have a correponding (first tier) event that is waiting for this event to
+ * have a corresponding (first tier) event that is waiting for this event to
* resolve to continue.
*
* @param qname The query name for this request.
help:
@echo "Please use \`make <target>' where <target> is one of"
@echo " testenv to make test environment and run bash "
- @echo " usefull in case you don't want to install unbound but want to test examples"
+ @echo " useful in case you don't want to install unbound but want to test examples"
@echo " doc to make documentation"
@echo " clean clean all"
**Testing**
-If the compilation is successfull, you can test the python LDNS extension module by::
+If the compilation is successful, you can test the python LDNS extension module by::
> cd contrib/python
> make testenv
False, if validation failed or domain queried has no security info.
It is possible to get a result with no data (havedata is false),
- and secure is true. This means that the non-existance of the data
+ and secure is true. This means that the non-existence of the data
was cryptographically proven (with signatures).
.. attribute:: bogus
ctx.debuglevel(2)
if os.path.isfile("keys"):
- ctx.add_ta_file("keys") #read public keys for DNSSEC verificatio
+ ctx.add_ta_file("keys") #read public keys for DNSSEC verification
status, result = ctx.resolve("www.nic.cz", RR_TYPE_A, RR_CLASS_IN)
if status == 0 and result.havedata:
/*
- * libounbound.i: pyUnbound module (libunbound wrapper for Python)
+ * libunbound.i: pyUnbound module (libunbound wrapper for Python)
*
* Copyright (c) 2009, Zdenek Vasicek (vasicek AT fit.vutbr.cz)
* Marek Vavrusa (xvavru00 AT stud.fit.vutbr.cz)
#_UB_CTX_METHODS#
def zone_print(self):
- """Print local zones using debougout"""
+ """Print local zones using debugout"""
_unbound.ub_ctx_print_local_zones(self)
def zone_add(self,zonename,zonetype):
{
/* however, if there is an option in the LTWRAPPER_OPTION_PREFIX
namespace, but it is not one of the ones we know about and
- have already dealt with, above (inluding dump-script), then
+ have already dealt with, above (including dump-script), then
report an error. Otherwise, targets might begin to believe
they are allowed to use options in the LTWRAPPER_OPTION_PREFIX
namespace. The first time any user complains about this, we'll
Let's define the following format od DNS queries: ``word1[.]word2[.] ... wordN[.]{en,cs}[._dict_.cz.]``.
Word lookup is done by simple ``dict`` lookup from broken DNS request.
-Query name is divided into a list of labels. This list is accesible as qname_list attribute.
+Query name is divided into a list of labels. This list is accessible as qname_list attribute.
::
aword = ' '.join(qstate.qinfo.qname_list[0:-4]) #skip last four labels
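Review bot: `format od DNS queries` on the first line of this hunk is a typo for `format of DNS queries` and is left as is while `accesible` is corrected two lines later. `lookup from broken DNS request` is also misleading, since nothing is broken; the next sentence explains that the query name is split into labels, so `lookup on the query name split into labels` would say what is meant.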
.. attribute:: local_data
- Local data RRs configged.
+ Local data RRs configured.
.. attribute:: remote_control_enable
.. data:: module_event_error
- Error occured.
+ Error occurred.
Security status
~~~~~~~~~~~~~~~~
.. method:: __init__(self, rr_name, rr_type, rr_class = RR_CLASS_IN, query_flags = 0, default_ttl = 0)
- Prepares an answer (DNS packet) from qiven information. Query flags are combination of PKT_xx contants.
+ Prepares an answer (DNS packet) from given information. Query flags are combination of PKT_xx constants.
.. method:: set_return_msg(self, qstate)
This method fills qstate return message according to the given informations.
- It takes lists of RRs in each section of answer, created necessray RRsets in wire format and store the result in :attr:`qstate.return_msg`.
+ It takes lists of RRs in each section of answer, created necessary RRsets in wire format and store the result in :attr:`qstate.return_msg`.
Returns 1 if OK.
.. attribute:: rr_name
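Review bot: `according to the given informations` should be `information` (uncountable), and `created necessary RRsets in wire format and store the result` mixes tenses; `creates the necessary RRsets in wire format and stores the result` matches the leading `It takes lists of RRs ...`. The hunk fixes `necessray` but leaves the sentence ungrammatical.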
Firewall control
----------------
-Control firewall (e.g. enable incomming SSH connection) with DNS query signed with private key.
+Control firewall (e.g. enable incoming SSH connection) with DNS query signed with private key.
So firewall can blocks every service during normal operation.
Scriptable DNS-based blacklist (DNS-BL_)
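Review bot: `So firewall can blocks every service during normal operation` on the line right after the fix is still ungrammatical; suggest `So the firewall can block every service during normal operation.`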
/**
* The function interprets time as the number of seconds since epoch
- * with respect to now using serial arithmitics (rfc1982).
+ * with respect to now using serial arithmetics (rfc1982).
* That number of seconds is then converted to broken-out time information.
* This is especially usefull when converting the inception and expiration
* fields of RRSIG records.
*
* \param[in] time number of seconds since epoch (midnight, January 1st, 1970)
- * to be intepreted as a serial arithmitics number relative to now.
+ * to be intepreted as a serial arithmetics number relative to now.
* \param[in] now number of seconds since epoch (midnight, January 1st, 1970)
* to which the time value is compared to determine the final value.
* \param[out] result the struct with the broken-out time information
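Review bot: the replacement line `to be intepreted as a serial arithmetics number` fixes one word and keeps another typo: `intepreted` should be `interpreted`. `arithmetics` is also not the RFC 1982 term; the RFC calls it serial number arithmetic, so `serial arithmetic (RFC 1982)` would be the accurate wording in both changed lines. Finally, `This is especially usefull when converting` in the unchanged context is the same misspelling this patch fixes in the unit-test headers, so it should go in the same pass.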
* signed yet; avoids attacks on system clock). The
* last-successful-RFC5011-probe (if available) has to be more than 30 days
* in the past (otherwise, RFC5011 should have worked). This keeps
- * unneccesary https traffic down. If the main certificate is expired, it
+ * unnecessary https traffic down. If the main certificate is expired, it
* fails.
*
* The dates on the keys in the xml are checked (uses the libexpat xml
* @param timedfunc: the pthread_mutex_timedlock or similar function.
* Uses absolute timeout value.
* @param arg: what to pass to tryfunc and timedlock.
- * @param exclusive: if lock must be exlusive (only one allowed).
+ * @param exclusive: if lock must be exclusive (only one allowed).
* @param getwr: if attempts to get writelock (or readlock) for rwlocks.
*/
static void
free(dp);
}
-/** perform exponential backoff on the timout */
+/** perform exponential backoff on the timeout */
static void
expon_timeout_backoff(struct replay_runtime* runtime)
{
*/
/**
* \file
- * Exits with code 1 on a failure. 0 if all unit tests are successfull.
+ * Exits with code 1 on a failure. 0 if all unit tests are successful.
*/
#include "config.h"
* @param in: file to read from. Filepos must be at the start of a new line.
* @param name: name of the file for prettier errors.
* @param pstate: file parse state with lineno, default_ttl,
- * oirigin and prev_rr name.
+ * origin and prev_rr name.
* @param skip_whitespace: skip leftside whitespace.
* @return: The entry read (malloced) or NULL if no entry could be read.
*/
static void
test_long_table(struct lruhash* table)
{
- /* assuming it all fits in the hastable, this check will work */
+ /* assuming it all fits in the hashtable, this check will work */
testdata_t* ref[HASHTESTMAX * 100];
size_t i;
memset(ref, 0, sizeof(ref));
/**
* \file
* Unit test main program. Calls all the other unit tests.
- * Exits with code 1 on a failure. 0 if all unit tests are successfull.
+ * Exits with code 1 on a failure. 0 if all unit tests are successful.
*/
#include "config.h"
static void
test_long_table(struct slabhash* table)
{
- /* assuming it all fits in the hastable, this check will work */
+ /* assuming it all fits in the hashtable, this check will work */
testdata_t* ref[HASHTESTMAX * 100];
size_t i;
memset(ref, 0, sizeof(ref));
struct config_str2list* local_zones;
/** local zones nodefault list */
struct config_strlist* local_zones_nodefault;
- /** local data RRs configged */
+ /** local data RRs configured */
struct config_strlist* local_data;
/** unblock lan zones (reverse lookups for 10/8 and so on) */
int unblock_lan_zones;
0, /* default flags, run immediately */
NULL); /* do not store thread identifier anywhere */
#else
- /* the begintheadex routine setups for the C lib; aligns stack */
+ /* the beginthreadex routine setups for the C lib; aligns stack */
*thr=(ub_thread_t)_beginthreadex(NULL, 0, (void*)func, arg, 0, NULL);
#endif
if(*thr == NULL) {
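Review bot: `the beginthreadex routine setups for the C lib` is still wrong after the fix; `setups` is a noun, the verb is `sets up`. Suggest `the _beginthreadex routine sets up the C lib; aligns stack`, which also names the function actually called on the next line.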
static void rbtree_delete_fixup(rbtree_t* rbtree, rbnode_t* child, rbnode_t* child_parent);
/*
- * Creates a new red black tree, intializes and returns a pointer to it.
+ * Creates a new red black tree, initializes and returns a pointer to it.
*
* Return NULL on failure.
*
void rtt_update(struct rtt_info* rtt, int ms);
/**
- * Update the statistics with a new timout expired observation.
+ * Update the statistics with a new timeout expired observation.
* @param rtt: round trip statistics structure.
* @param orig: original rtt time given for the query that timed out.
* Used to calculate the maximum responsible backed off time that
* rest of the string. Every machine with memory protection I've seen
* does it on word boundaries, so is OK with this. But VALGRIND will
* still catch it and complain. The masking trick does make the hash
- * noticably faster for short strings (like English words).
+ * noticeably faster for short strings (like English words).
*/
#ifndef VALGRIND
* rest of the string. Every machine with memory protection I've seen
* does it on word boundaries, so is OK with this. But VALGRIND will
* still catch it and complain. The masking trick does make the hash
- * noticably faster for short strings (like English words).
+ * noticeably faster for short strings (like English words).
*/
#ifndef VALGRIND
* rest of the string. Every machine with memory protection I've seen
* does it on word boundaries, so is OK with this. But VALGRIND will
* still catch it and complain. The masking trick does make the hash
- * noticably faster for short strings (like English words).
+ * noticeably faster for short strings (like English words).
*/
#ifndef VALGRIND
{
for (j=0; j<8; ++j) /*------------------------ for each input bit, */
{
- for (m=1; m<8; ++m) /*------------ for serveral possible initvals, */
+ for (m=1; m<8; ++m) /*------------ for several possible initvals, */
{
for (l=0; l<HASHSTATE; ++l)
e[l]=f[l]=g[l]=h[l]=x[l]=y[l]=~((uint32_t)0);
/** background write queue, commpoint to write results back */
struct comm_point* res_com;
- /** are we curently writing a result, 0 if not, else bytecount into
+ /** are we currently writing a result, 0 if not, else bytecount into
* the res_list first entry. */
size_t res_write;
/** list of outstanding results to be written back */
int stick_events;
/** true if this event is a signaling WSAEvent by the user.
- * User created and user closed WSAEvent. Only signaled/unsigneled,
+ * User created and user closed WSAEvent. Only signaled/unsignaled,
* no read/write/distinctions needed. */
int is_signal;
/** used during callbacks to see which events were just checked */
if(!verify_dnskey(env, ve, tp, dnskey_rrset)) {
verbose(VERB_ALGO, "autotrust: dnskey did not verify.");
/* only increase failure count if this is not the first prime,
- * this means there was a previous succesful probe */
+ * this means there was a previous successful probe */
if(tp->autr->last_success) {
tp->autr->query_failed += 1;
autr_write_file(env, tp);
*
* This file contains helper functions for the validator module.
* The functions help with aggressive negative caching.
- * This creates new denials of existance, and proofs for absence of types
+ * This creates new denials of existence, and proofs for absence of types
* from cached NSEC records.
*/
#include "config.h"
*
* This file contains helper functions for the validator module.
* The functions help with aggressive negative caching.
- * This creates new denials of existance, and proofs for absence of types
+ * This creates new denials of existence, and proofs for absence of types
* from cached NSEC records.
*/
/*
- * validator/val_nsec.c - validator NSEC denial of existance functions.
+ * validator/val_nsec.c - validator NSEC denial of existence functions.
*
* Copyright (c) 2007, NLnet Labs. All rights reserved.
*
*
* This file contains helper functions for the validator module.
* The functions help with NSEC checking, the different NSEC proofs
- * for denial of existance, and proofs for presence of types.
+ * for denial of existence, and proofs for presence of types.
*/
#include "config.h"
#include "validator/val_nsec.h"
return sec_status_insecure;
}
- /* NSEC proof did not conlusively point to DS or no DS */
+ /* NSEC proof did not conclusively point to DS or no DS */
return sec_status_unchecked;
}
/*
- * validator/val_nsec.h - validator NSEC denial of existance functions.
+ * validator/val_nsec.h - validator NSEC denial of existence functions.
*
* Copyright (c) 2007, NLnet Labs. All rights reserved.
*
*
* This file contains helper functions for the validator module.
* The functions help with NSEC checking, the different NSEC proofs
- * for denial of existance, and proofs for presence of types.
+ * for denial of existence, and proofs for presence of types.
*/
#ifndef VALIDATOR_VAL_NSEC_H
/**
* Check DS absence.
* There is a NODATA reply to a DS that needs checking.
- * NSECs can prove this is not a delegation point, or sucessfully prove
+ * NSECs can prove this is not a delegation point, or successfully prove
* that there is no DS. Or this fails.
*
* @param env: module env for rrsig verification routines.
/*
- * validator/val_nsec3.c - validator NSEC3 denial of existance functions.
+ * validator/val_nsec3.c - validator NSEC3 denial of existence functions.
*
* Copyright (c) 2007, NLnet Labs. All rights reserved.
*
*
* This file contains helper functions for the validator module.
* The functions help with NSEC3 checking, the different NSEC3 proofs
- * for denial of existance, and proofs for presence of types.
+ * for denial of existence, and proofs for presence of types.
*/
#include "config.h"
#include <ctype.h>
/**
* Start iterating over NSEC3 records.
* @param filter: the filter structure, must have been filter_init-ed.
- * @param rrsetnum: can be undefined on call, inited.
- * @param rrnum: can be undefined on call, inited.
+ * @param rrsetnum: can be undefined on call, initialised.
+ * @param rrnum: can be undefined on call, initialised.
* @return first rrset of an NSEC3, together with rrnum this points to
* the first RR to examine. Is NULL on empty list.
*/
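Review bot: `initialised` in the two replaced `@param` lines uses British spelling while the same patch writes `initialized` in the unbound-control text (`unbound has not been initialized`); pick one form for the whole change. The original `inited` was at least consistent with the other comments in the validator code that this patch touches.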
/*
- * validator/val_nsec3.h - validator NSEC3 denial of existance functions.
+ * validator/val_nsec3.h - validator NSEC3 denial of existence functions.
*
* Copyright (c) 2007, NLnet Labs. All rights reserved.
*
*
* This file contains helper functions for the validator module.
* The functions help with NSEC3 checking, the different NSEC3 proofs
- * for denial of existance, and proofs for presence of types.
+ * for denial of existence, and proofs for presence of types.
*
* NSEC3
* 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
* Used internally by the nsec3 proof functions in this file.
* published to enable unit testing of hash algorithms and cache.
*
- * @param table: the cache table. Must be inited at start.
+ * @param table: the cache table. Must be initialised at start.
* @param region: scratch region to use for allocation.
* This region holds the tree, if you wipe the region, reinit the tree.
* @param buf: temporary buffer.
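Review bot: `Must be initialised at start` has the same spelling inconsistency as the NSEC3 filter comments in this patch, where `inited` also becomes `initialised` while the unbound-control text uses `initialized`; use one spelling throughout.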
* Find DS denial message in cache. Saves new qstate allocation and allows
* the validator to use partial content which is not enough to construct a
* message for network (or user) consumption. Without SOA for example,
- * which is a common occurence in the unbound code since the referrals contain
+ * which is a common occurrence in the unbound code since the referrals contain
* NSEC/NSEC3 rrs without the SOA element, thus do not allow synthesis of a
* full negative reply, but do allow synthesis of sufficient proof.
* @param env: query env with caches and time.
/* Since we are here, there must be nothing in the ANSWER section to
* validate. */
/* (Note: CNAME/DNAME responses will not directly get here --
- * instead, they are chased down into indiviual CNAME validations,
+ * instead, they are chased down into individual CNAME validations,
* and at the end of the cname chain a POSITIVE, or CNAME_NOANSWER
* validation.) */
target_key_name) != 0) {
/* check if there is a cache entry : pick up an NSEC if
* there is no DS, check if that NSEC has DS-bit unset, and
- * thus can disprove the secure delagation we seek.
+ * thus can disprove the secure delegation we seek.
* We can then use that NSEC even in the absence of a SOA
* record that would be required by the iterator to supply
* a completely protocol-correct response.
* @return true if there is no DLV.
* false: processing is finished for the validator operate().
* This function may exit in three ways:
- * o no DLV (agressive cache), so insecure. (true)
+ * o no DLV (aggressive cache), so insecure. (true)
* o error - stop processing (false)
* o DLV lookup was started, stop processing (false)
*/