SUBNET_SRC=edns-subnet/edns-subnet.c edns-subnet/subnetmod.c edns-subnet/addrtree.c edns-subnet/subnet-whitelist.c
SUBNET_OBJ=@SUBNET_OBJ@
SUBNET_HEADER=@SUBNET_HEADER@
+IPSECMOD_SRC=ipsecmod/ipsecmod.c ipsecmod/ipsecmod-whitelist.c
+IPSECMOD_OBJ=@IPSECMOD_OBJ@
+IPSECMOD_HEADER=@IPSECMOD_HEADER@
COMMON_SRC=services/cache/dns.c services/cache/infra.c services/cache/rrset.c \
util/as112.c util/data/dname.c util/data/msgencode.c util/data/msgparse.c \
util/data/msgreply.c util/data/packed_rrset.c iterator/iterator.c \
edns-subnet/edns-subnet.c edns-subnet/subnetmod.c \
edns-subnet/addrtree.c edns-subnet/subnet-whitelist.c \
cachedb/cachedb.c respip/respip.c $(CHECKLOCK_SRC) \
-$(DNSTAP_SRC) $(DNSCRYPT_SRC)
+$(DNSTAP_SRC) $(DNSCRYPT_SRC) $(IPSECMOD_SRC)
COMMON_OBJ_WITHOUT_NETCALL=dns.lo infra.lo rrset.lo dname.lo msgencode.lo \
as112.lo msgparse.lo msgreply.lo packed_rrset.lo iterator.lo iter_delegpt.lo \
iter_donotq.lo iter_fwd.lo iter_hints.lo iter_priv.lo iter_resptype.lo \
slabhash.lo timehist.lo tube.lo winsock_event.lo autotrust.lo val_anchor.lo \
validator.lo val_kcache.lo val_kentry.lo val_neg.lo val_nsec3.lo val_nsec.lo \
val_secalgo.lo val_sigcrypt.lo val_utils.lo dns64.lo cachedb.lo \
-$(SUBNET_OBJ) $(PYTHONMOD_OBJ) $(CHECKLOCK_OBJ) $(DNSTAP_OBJ) $(DNSCRYPT_OBJ)
+$(SUBNET_OBJ) $(PYTHONMOD_OBJ) $(CHECKLOCK_OBJ) $(DNSTAP_OBJ) $(DNSCRYPT_OBJ) \
+$(IPSECMOD_OBJ)
COMMON_OBJ_WITHOUT_NETCALL+=respip.lo
COMMON_OBJ_WITHOUT_UB_EVENT=$(COMMON_OBJ_WITHOUT_NETCALL) netevent.lo listen_dnsport.lo \
outside_network.lo
-e 's?$$(srcdir)/dnscrypt/dnscrypt_config.h??g' \
-e 's?$$(srcdir)/pythonmod/pythonmod.h?$$(PYTHONMOD_HEADER)?g' \
-e 's?$$(srcdir)/edns-subnet/subnetmod.h $$(srcdir)/edns-subnet/subnet-whitelist.h $$(srcdir)/edns-subnet/edns-subnet.h $$(srcdir)/edns-subnet/addrtree.h?$$(SUBNET_HEADER)?g' \
+ -e 's?$$(srcdir)/ipsecmod/ipsecmod.h $$(srcdir)/ipsecmod/ipsecmod-whitelist.h?$$(IPSECMOD_HEADER)?g' \
-e 's!\(.*\)\.o[ :]*!\1.lo \1.o: !g' \
> $(DEPEND_TMP)
cp $(DEPEND_TARGET) $(DEPEND_TMP2)
/* Define to 1 to use cachedb support */
#undef USE_CACHEDB
+/* Define to 1 to use ipsecmod support */
+#undef USE_IPSECMOD
+
/* Define to 1 to enable dnscrypt support */
#undef USE_DNSCRYPT
;;
esac
+# check for ipsecmod if requested
+AC_ARG_ENABLE(ipsecmod, AC_HELP_STRING([--enable-ipsecmod], [Enable ipsecmod module that facilitates opportunistic IPsec]))
+case "$enable_ipsecmod" in
+ yes)
+ AC_DEFINE([USE_IPSECMOD], [1], [Define to 1 to use ipsecmod support.])
+ IPSECMOD_OBJ="ipsecmod.lo ipsecmod-whitelist.lo"
+ AC_SUBST(IPSECMOD_OBJ)
+ IPSECMOD_HEADER='$(srcdir)/ipsecmod/ipsecmod.h $(srcdir)/ipsecmod/ipsecmod-whitelist.h'
+ AC_SUBST(IPSECMOD_HEADER)
+ ;;
+ no|*)
+ # nothing
+ ;;
+esac
+
AC_MSG_CHECKING([if ${MAKE:-make} supports $< with implicit rule in scope])
# on openBSD, the implicit rule make $< work.
# on Solaris, it does not work ($? is changed sources, $^ lists dependencies).
#ifdef CLIENT_SUBNET
size_t subnet = 0;
#endif /* CLIENT_SUBNET */
+#ifdef USE_IPSECMOD
+ size_t ipsecmod = 0;
+#endif /* USE_IPSECMOD */
msg = slabhash_get_mem(daemon->env->msg_cache);
rrset = slabhash_get_mem(&daemon->env->rrset_cache->table);
val=0;
(&worker->env, m);
}
#endif /* CLIENT_SUBNET */
+#ifdef USE_IPSECMOD
+ m = modstack_find(&worker->env.mesh->mods, "ipsecmod");
+ if(m != -1) {
+ fptr_ok(fptr_whitelist_mod_get_mem(worker->env.mesh->
+ mods.mod[m]->get_mem));
+ ipsecmod = (*worker->env.mesh->mods.mod[m]->get_mem)
+ (&worker->env, m);
+ }
+#endif /* USE_IPSECMOD */
if(!print_longnum(ssl, "mem.cache.rrset"SQ, rrset))
return 0;
if(!print_longnum(ssl, "mem.mod.subnet"SQ, subnet))
return 0;
#endif /* CLIENT_SUBNET */
+#ifdef USE_IPSECMOD
+ if(!print_longnum(ssl, "mem.mod.ipsecmod"SQ, ipsecmod))
+ return 0;
+#endif /* USE_IPSECMOD */
return 1;
}
+16 May 2017: George
+ - Implemented opportunistic IPsec support module (ipsecmod).
+ - Some whitespace fixup.
+
16 May 2017: Wouter
- updated dependencies in the makefile.
- document trust-anchor-signaling in example config file.
# 0 blocks when ip is ratelimited, otherwise let 1/xth traffic through
# ip-ratelimit-factor: 10
+ # Specific options for ipsecmod. unbound needs to be configured with
+ # --enable-ipsecmod for these to take effect.
+ #
+ # Enable or disable ipsecmod (it still needs to be defined in
+ # module-config above). Can be used when ipsecmod needs to be
+ # enabled/disabled via remote-control(below).
+ # ipsecmod-enabled: yes
+ #
+ # Path to executable external hook. It must be defined when ipsecmod is
+ # listed in module-config (above).
+ # ipsecmod-hook: "./my_executable"
+ #
+ # When enabled unbound will reply with SERVFAIL if the return value of
+ # the ipsecmod-hook is not 0.
+ # ipsecmod-strict: no
+ #
+ # Maximum time to live (TTL) for cached A/AAAA records with IPSECKEY.
+ # ipsecmod-max-ttl: 3600
+ #
+ # Reply with A/AAAA even if the relevant IPSECKEY is bogus. Mainly used for
+ # testing.
+ # ipsecmod-ignore-bogus: no
+ #
+ # Domains for which ipsecmod will be triggered. If not defined (default)
+ # all domains are treated as being whitelisted.
+ # ipsecmod-whitelist: "example.com"
+ # ipsecmod-whitelist: "nlnetlabs.nl"
+
# Python config section. To enable:
# o use --with-pythonmodule to configure before compiling.
.B unbound.conf
is used to configure
\fIunbound\fR(8).
-The file format has attributes and values. Some attributes have attributes inside them.
+The file format has attributes and values. Some attributes have attributes
+inside them.
The notation is: attribute: value.
.P
Comments start with # and last to the end of line. Empty lines are
ignored as is whitespace at the beginning of a line.
.P
-The utility
+The utility
\fIunbound\-checkconf\fR(8)
can be used to check unbound.conf prior to usage.
.SH "EXAMPLE"
and start the server with:
.P
.nf
- $ unbound \-c /etc/unbound/unbound.conf
+ $ unbound \-c /etc/unbound/unbound.conf
.fi
.P
Most settings are the defaults. Stop the server with:
access\-control: 2001:DB8::/64 allow
.fi
.SH "FILE FORMAT"
-There must be whitespace between keywords. Attribute keywords end with a colon ':'. An attribute
-is followed by its containing attributes, or a value.
+There must be whitespace between keywords. Attribute keywords end with a colon ':'.
+An attribute is followed by its containing attributes, or a value.
.P
Files can be included using the
.B include:
Processing continues as if the text from the included file was copied into
the config file at that point. If also using chroot, using full path names
for the included files works, relative pathnames for the included names work
-if the directory where the daemon is started equals its chroot/working
+if the directory where the daemon is started equals its chroot/working
directory or is specified before the include statement with directory: dir.
Wildcards can be used to include multiple files, see \fIglob\fR(7).
.SS "Server Options"
clause.
.TP
.B verbosity: \fI<number>
-The verbosity number, level 0 means no verbosity, only errors. Level 1
+The verbosity number, level 0 means no verbosity, only errors. Level 1
gives operational information. Level 2 gives detailed operational
-information. Level 3 gives query level information, output per query.
-Level 4 gives algorithm level information. Level 5 logs client
-identification for cache misses. Default is level 1.
+information. Level 3 gives query level information, output per query.
+Level 4 gives algorithm level information. Level 5 logs client
+identification for cache misses. Default is level 1.
The verbosity can also be increased from the commandline, see \fIunbound\fR(8).
.TP
.B statistics\-interval: \fI<seconds>
The number of seconds between printing statistics to the log for every thread.
Disable with value 0 or "". Default is disabled. The histogram statistics
-are only printed if replies were sent during the statistics interval,
+are only printed if replies were sent during the statistics interval,
requestlist statistics are printed for every interval (but can be 0).
This is because the median calculation requires data to be present.
.TP
the statistics counters after logging the statistics. Default is no.
.TP
.B extended\-statistics: \fI<yes or no>
-If enabled, extended statistics are printed from \fIunbound\-control\fR(8).
+If enabled, extended statistics are printed from \fIunbound\-control\fR(8).
Default is off, because keeping track of more statistics takes time. The
counters are listed in \fIunbound\-control\fR(8).
.TP
.B interface: \fI<ip address[@port]>
Interface to use to connect to the network. This interface is listened to
for queries from clients, and answers to clients are given from it.
-Can be given multiple times to work on several interfaces. If none are
+Can be given multiple times to work on several interfaces. If none are
given the default is to listen to localhost.
The interfaces are not changed on a reload (kill \-HUP) but only on restart.
A port number can be specified with @port (without spaces between
Same as interface: (for easy of compatibility with nsd.conf).
.TP
.B interface\-automatic: \fI<yes or no>
-Detect source interface on UDP queries and copy them to replies. This
+Detect source interface on UDP queries and copy them to replies. This
feature is experimental, and needs support in your OS for particular socket
options. Default value is no.
.TP
.B outgoing\-interface: \fI<ip address or ip6 netblock>
Interface to use to connect to the network. This interface is used to send
-queries to authoritative servers and receive their replies. Can be given
-multiple times to work on several interfaces. If none are given the
-default (all) is used. You can specify the same interfaces in
+queries to authoritative servers and receive their replies. Can be given
+multiple times to work on several interfaces. If none are given the
+default (all) is used. You can specify the same interfaces in
.B interface:
and
.B outgoing\-interface:
-lines, the interfaces are then used for both purposes. Outgoing queries are
+lines, the interfaces are then used for both purposes. Outgoing queries are
sent via a random outgoing interface to counter spoofing.
.IP
If an IPv6 netblock is specified instead of an individual IPv6 address,
ip \-6 route add local mynetblock/64 dev lo
.TP
.B outgoing\-range: \fI<number>
-Number of ports to open. This number of file descriptors can be opened per
-thread. Must be at least 1. Default depends on compile options. Larger
+Number of ports to open. This number of file descriptors can be opened per
+thread. Must be at least 1. Default depends on compile options. Larger
numbers need extra resources from the operating system. For performance a
very large value is best, use libevent to make this possible.
.TP
.B outgoing\-port\-permit: \fI<port number or range>
Permit unbound to open this port or range of ports for use to send queries.
A larger number of permitted outgoing ports increases resilience against
-spoofing attempts. Make sure these ports are not needed by other daemons.
+spoofing attempts. Make sure these ports are not needed by other daemons.
By default only ports above 1024 that have not been assigned by IANA are used.
Give a port number or a range of the form "low\-high", without spaces.
.IP
-The \fBoutgoing\-port\-permit\fR and \fBoutgoing\-port\-avoid\fR statements
-are processed in the line order of the config file, adding the permitted ports
-and subtracting the avoided ports from the set of allowed ports. The
-processing starts with the non IANA allocated ports above 1024 in the set
+The \fBoutgoing\-port\-permit\fR and \fBoutgoing\-port\-avoid\fR statements
+are processed in the line order of the config file, adding the permitted ports
+and subtracting the avoided ports from the set of allowed ports. The
+processing starts with the non IANA allocated ports above 1024 in the set
of allowed ports.
.TP
.B outgoing\-port\-avoid: \fI<port number or range>
-Do not permit unbound to open this port or range of ports for use to send
+Do not permit unbound to open this port or range of ports for use to send
queries. Use this to make sure unbound does not grab a port that another
daemon needs. The port is avoided on all outgoing interfaces, both IP4 and IP6.
By default only ports above 1024 that have not been assigned by IANA are used.
.B max\-udp\-size: \fI<number>
Maximum UDP response size (not applied to TCP response). 65536 disables the
udp response size maximum, and uses the choice from the client, always.
-Suggested values are 512 to 4096. Default is 4096.
+Suggested values are 512 to 4096. Default is 4096.
.TP
.B msg\-buffer\-size: \fI<number>
Number of bytes size of the message buffers. Default is 65552 bytes, enough
for 64 Kb packets, the maximum DNS message size. No message larger than this
can be sent or received. Can be reduced to use less memory, but some requests
-for DNS data, such as for huge resource records, will result in a SERVFAIL
+for DNS data, such as for huge resource records, will result in a SERVFAIL
reply to the client.
.TP
.B msg\-cache\-size: \fI<number>
.TP
.B msg\-cache\-slabs: \fI<number>
Number of slabs in the message cache. Slabs reduce lock contention by threads.
-Must be set to a power of 2. Setting (close) to the number of cpus is a
+Must be set to a power of 2. Setting (close) to the number of cpus is a
reasonable guess.
.TP
.B num\-queries\-per\-thread: \fI<number>
.TP
.B jostle\-timeout: \fI<msec>
Timeout used when the server is very busy. Set to a value that usually
-results in one roundtrip to the authority servers. If too many queries
+results in one roundtrip to the authority servers. If too many queries
arrive, then 50% of the queries are allowed to run to completion, and
-the other 50% are replaced with the new incoming query if they have already
-spent more than their allowed time. This protects against denial of
+the other 50% are replaced with the new incoming query if they have already
+spent more than their allowed time. This protects against denial of
service by slow queries or high query rates. Default 200 milliseconds.
-The effect is that the qps for long-lasting queries is about
+The effect is that the qps for long-lasting queries is about
(numqueriesperthread / 2) / (average time for such long queries) qps.
The qps for short queries can be about (numqueriesperthread / 2)
/ (jostletimeout in whole seconds) qps per thread, about (1024/2)*5 = 2560
.TP
.B rrset\-cache\-slabs: \fI<number>
Number of slabs in the RRset cache. Slabs reduce lock contention by threads.
-Must be set to a power of 2.
+Must be set to a power of 2.
.TP
.B cache\-max\-ttl: \fI<seconds>
-Time to live maximum for RRsets and messages in the cache. Default is
-86400 seconds (1 day). If the maximum kicks in, responses to clients
-still get decrementing TTLs based on the original (larger) values.
+Time to live maximum for RRsets and messages in the cache. Default is
+86400 seconds (1 day). If the maximum kicks in, responses to clients
+still get decrementing TTLs based on the original (larger) values.
When the internal TTL expires, the cache item has expired.
Can be set lower to force the resolver to query for data often, and not
trust (very large) TTL values.
If the minimum kicks in, the data is cached for longer than the domain
owner intended, and thus less queries are made to look up the data.
Zero makes sure the data in the cache is as the domain owner intended,
-higher values, especially more than an hour or so, can lead to trouble as
+higher values, especially more than an hour or so, can lead to trouble as
the data in the cache does not match up with the actual data any more.
.TP
.B cache\-max\-negative\-ttl: \fI<seconds>
authority section that is limited in time. Default is 3600.
.TP
.B infra\-host\-ttl: \fI<seconds>
-Time to live for entries in the host cache. The host cache contains
+Time to live for entries in the host cache. The host cache contains
roundtrip timing, lameness and EDNS support information. Default is 900.
.TP
.B infra\-cache\-slabs: \fI<number>
-Number of slabs in the infrastructure cache. Slabs reduce lock contention
-by threads. Must be set to a power of 2.
+Number of slabs in the infrastructure cache. Slabs reduce lock contention
+by threads. Must be set to a power of 2.
.TP
.B infra\-cache\-numhosts: \fI<number>
Number of hosts for which information is cached. Default is 10000.
.TP
.B tcp\-mss: \fI<number>
Maximum segment size (MSS) of TCP socket on which the server responds
-to queries. Value lower than common MSS on Ethernet
+to queries. Value lower than common MSS on Ethernet
(1220 for example) will address path MTU problem.
Note that not all platform supports socket option to set MSS (TCP_MAXSEG).
Default is system default MSS determined by interface MTU and
.B ssl\-upstream: \fI<yes or no>
Enabled or disable whether the upstream queries use SSL only for transport.
Default is no. Useful in tunneling scenarios. The SSL contains plain DNS in
-TCP wireformat. The other server must support this (see \fBssl\-service\-key\fR).
+TCP wireformat. The other server must support this (see
+\fBssl\-service\-key\fR).
.TP
.B ssl\-service-key: \fI<file>
If enabled, the server provider SSL service on its TCP sockets. The clients
Default is yes.
.TP
.B access\-control: \fI<IP netblock> <action>
-The netblock is given as an IP4 or IP6 address with /size appended for a
-classless network block. The action can be \fIdeny\fR, \fIrefuse\fR,
+The netblock is given as an IP4 or IP6 address with /size appended for a
+classless network block. The action can be \fIdeny\fR, \fIrefuse\fR,
\fIallow\fR, \fIallow_snoop\fR, \fIdeny_non_local\fR or \fIrefuse_non_local\fR.
The most specific netblock match is used, if none match \fIdeny\fR is used.
.IP
The action \fIdeny\fR stops queries from hosts from that netblock.
.IP
-The action \fIrefuse\fR stops queries too, but sends a DNS rcode REFUSED
+The action \fIrefuse\fR stops queries too, but sends a DNS rcode REFUSED
error message back.
.IP
-The action \fIallow\fR gives access to clients from that netblock.
-It gives only access for recursion clients (which is
+The action \fIallow\fR gives access to clients from that netblock.
+It gives only access for recursion clients (which is
what almost all clients need). Nonrecursive queries are refused.
.IP
-The \fIallow\fR action does allow nonrecursive queries to access the
+The \fIallow\fR action does allow nonrecursive queries to access the
local\-data that is configured. The reason is that this does not involve
-the unbound server recursive lookup algorithm, and static data is served
-in the reply. This supports normal operations where nonrecursive queries
-are made for the authoritative data. For nonrecursive queries any replies
+the unbound server recursive lookup algorithm, and static data is served
+in the reply. This supports normal operations where nonrecursive queries
+are made for the authoritative data. For nonrecursive queries any replies
from the dynamic cache are refused.
.IP
-The action \fIallow_snoop\fR gives nonrecursive access too. This give
-both recursive and non recursive access. The name \fIallow_snoop\fR refers
+The action \fIallow_snoop\fR gives nonrecursive access too. This give
+both recursive and non recursive access. The name \fIallow_snoop\fR refers
to cache snooping, a technique to use nonrecursive queries to examine
-the cache contents (for malicious acts). However, nonrecursive queries can
-also be a valuable debugging tool (when you want to examine the cache
+the cache contents (for malicious acts). However, nonrecursive queries can
+also be a valuable debugging tool (when you want to examine the cache
contents). In that case use \fIallow_snoop\fR for your administration host.
.IP
By default only localhost is \fIallow\fRed, the rest is \fIrefuse\fRd.
-The default is \fIrefuse\fRd, because that is protocol\-friendly. The DNS
-protocol is not designed to handle dropped packets due to policy, and
+The default is \fIrefuse\fRd, because that is protocol\-friendly. The DNS
+protocol is not designed to handle dropped packets due to policy, and
dropping may result in (possibly excessive) retried queries.
.IP
The deny_non_local and refuse_non_local settings are for hosts that are
.B chroot: \fI<directory>
If chroot is enabled, you should pass the configfile (from the
commandline) as a full path from the original root. After the
-chroot has been performed the now defunct portion of the config
-file path is removed to be able to reread the config after a reload.
+chroot has been performed the now defunct portion of the config
+file path is removed to be able to reread the config after a reload.
.IP
All other file paths (working dir, logfile, roothints, and
key files) can be specified in several ways:
.IP
The pidfile can be either a relative path to the working directory, or
an absolute path relative to the original root. It is written just prior
-to chroot and dropping permissions. This allows the pidfile to be
+to chroot and dropping permissions. This allows the pidfile to be
/var/run/unbound.pid and the chroot to be /var/unbound, for example.
.IP
Additionally, unbound may need to access /dev/random (for entropy)
from inside the chroot.
.IP
-If given a chroot is done to the given directory. The default is
+If given a chroot is done to the given directory. The default is
"@UNBOUND_CHROOT_DIR@". If you give "" no chroot is performed.
.TP
.B username: \fI<name>
If given, after binding the port the user privileges are dropped. Default is
-"@UNBOUND_USERNAME@". If you give username: "" no user change is performed.
+"@UNBOUND_USERNAME@". If you give username: "" no user change is performed.
.IP
If this user is not capable of binding the
port, reloads (by signal HUP) will still retain the opened ports.
-If you change the port number in the config file, and that new port number
+If you change the port number in the config file, and that new port number
requires privileges, then a reload will fail; a restart is needed.
.TP
.B directory: \fI<directory>
.TP
.B logfile: \fI<filename>
If "" is given, logging goes to stderr, or nowhere once daemonized.
-The logfile is appended to, in the following format:
+The logfile is appended to, in the following format:
.nf
-[seconds since 1970] unbound[pid:tid]: type: message.
+[seconds since 1970] unbound[pid:tid]: type: message.
.fi
If this option is given, the use\-syslog is option is set to "no".
-The logfile is reopened (for append) when the config file is reread, on
+The logfile is reopened (for append) when the config file is reread, on
SIGHUP.
.TP
.B use\-syslog: \fI<yes or no>
-Sets unbound to send log messages to the syslogd, using
-\fIsyslog\fR(3).
+Sets unbound to send log messages to the syslogd, using
+\fIsyslog\fR(3).
The log facility LOG_DAEMON is used, with identity "unbound".
The logfile setting is overridden when use\-syslog is turned on.
The default is to log to syslog.
characters in names are printed as '?'.
.TP
.B pidfile: \fI<filename>
-The process id is written to the file. Default is "@UNBOUND_PIDFILE@".
+The process id is written to the file. Default is "@UNBOUND_PIDFILE@".
So,
.nf
-kill \-HUP `cat @UNBOUND_PIDFILE@`
+kill \-HUP `cat @UNBOUND_PIDFILE@`
.fi
triggers a reload,
.nf
-kill \-TERM `cat @UNBOUND_PIDFILE@`
+kill \-TERM `cat @UNBOUND_PIDFILE@`
.fi
gracefully terminates.
.TP
.B root\-hints: \fI<filename>
Read the root hints from this file. Default is nothing, using builtin hints
-for the IN class. The file has the format of zone files, with root
+for the IN class. The file has the format of zone files, with root
nameserver names and addresses only. The default may become outdated,
when servers change, therefore it is good practice to use a root\-hints file.
.TP
.B target\-fetch\-policy: \fI<"list of numbers">
Set the target fetch policy used by unbound to determine if it should fetch
nameserver target addresses opportunistically. The policy is described per
-dependency depth.
+dependency depth.
.IP
The number of values determines the maximum dependency depth
-that unbound will pursue in answering a query.
+that unbound will pursue in answering a query.
A value of \-1 means to fetch all targets opportunistically for that dependency
depth. A value of 0 means to fetch on demand only. A positive value fetches
-that many targets opportunistically.
+that many targets opportunistically.
.IP
Enclose the list between quotes ("") and put spaces between numbers.
The default is "3 2 1 0 0". Setting all zeroes, "0 0 0 0 0" gives behaviour
-closer to that of BIND 9, while setting "\-1 \-1 \-1 \-1 \-1" gives behaviour
+closer to that of BIND 9, while setting "\-1 \-1 \-1 \-1 \-1" gives behaviour
rumoured to be closer to that of BIND 8.
.TP
.B harden\-short\-bufsize: \fI<yes or no>
Very small EDNS buffer sizes from queries are ignored. Default is off, since
-it is legal protocol wise to send these, and unbound tries to give very
+it is legal protocol wise to send these, and unbound tries to give very
small answers to these queries, where possible.
.TP
.B harden\-large\-queries: \fI<yes or no>
.B harden\-dnssec\-stripped: \fI<yes or no>
Require DNSSEC data for trust\-anchored zones, if such data is absent,
the zone becomes bogus. If turned off, and no DNSSEC data is received
-(or the DNSKEY data fails to validate), then the zone is made insecure,
-this behaves like there is no trust anchor. You could turn this off if
-you are sometimes behind an intrusive firewall (of some sort) that
-removes DNSSEC data from packets, or a zone changes from signed to
-unsigned to badly signed often. If turned off you run the risk of a
+(or the DNSKEY data fails to validate), then the zone is made insecure,
+this behaves like there is no trust anchor. You could turn this off if
+you are sometimes behind an intrusive firewall (of some sort) that
+removes DNSSEC data from packets, or a zone changes from signed to
+unsigned to badly signed often. If turned off you run the risk of a
downgrade attack that disables security for a zone. Default is on.
.TP
.B harden\-below\-nxdomain: \fI<yes or no>
Harden the referral path by performing additional queries for
infrastructure data. Validates the replies if trust anchors are configured
and the zones are signed. This enforces DNSSEC validation on nameserver
-NS sets and the nameserver addresses that are encountered on the referral
+NS sets and the nameserver addresses that are encountered on the referral
path to the answer.
Default off, because it burdens the authority servers, and it is
not RFC standard, and could lead to performance problems because of the
.TP
.B use\-caps\-for\-id: \fI<yes or no>
Use 0x20\-encoded random bits in the query to foil spoof attempts.
-This perturbs the lowercase and uppercase of query names sent to
-authority servers and checks if the reply still has the correct casing.
-Disabled by default.
+This perturbs the lowercase and uppercase of query names sent to
+authority servers and checks if the reply still has the correct casing.
+Disabled by default.
This feature is an experimental implementation of draft dns\-0x20.
.TP
.B caps\-whitelist: \fI<domain>
.TP
.B qname\-minimisation: \fI<yes or no>
Send minimum amount of information to upstream servers to enhance privacy.
-Only sent minimum required labels of the QNAME and set QTYPE to NS when
+Only sent minimum required labels of the QNAME and set QTYPE to NS when
possible. Best effort approach; full QNAME and original QTYPE will be sent when
upstream replies with a RCODE other than NOERROR, except when receiving
NXDOMAIN from a DNSSEC signed zone. Default is off.
.TP
.B private\-domain: \fI<domain name>
Allow this domain, and all its subdomains to contain private addresses.
-Give multiple times to allow multiple domain names to contain private
+Give multiple times to allow multiple domain names to contain private
addresses. Default is none.
.TP
.B unwanted\-reply\-threshold: \fI<number>
is suggested. Default is 0 (turned off).
.TP
.B do\-not\-query\-address: \fI<IP address>
-Do not query the given IP address. Can be IP4 or IP6. Append /num to
+Do not query the given IP address. Can be IP4 or IP6. Append /num to
indicate a classless delegation netblock, for example like
10.2.3.4/24 or 2001::11/64.
.TP
given to specify multiple trusted keys, in addition to the trust\-anchor\-files.
The resource record is entered in the same format as 'dig' or 'drill' prints
them, the same format as in the zone file. Has to be on a single line, with
-"" around it. A TTL can be specified for ease of cut and paste, but is ignored.
+"" around it. A TTL can be specified for ease of cut and paste, but is ignored.
A class can be specified, but class IN is default.
.TP
.B trusted\-keys\-file: \fI<filename>
File with trusted keys for validation. Specify more than one file
with several entries, one file per entry. Like \fBtrust\-anchor\-file\fR
-but has a different file format. Format is BIND\-9 style format,
+but has a different file format. Format is BIND\-9 style format,
the trusted\-keys { name flag proto algo "key"; }; clauses are read.
It is possible to use wildcards with this statement, the wildcard is
expanded on start and on reload.
File with trusted keys for DLV (DNSSEC Lookaside Validation). Both DS and
DNSKEY entries can be used in the file, in the same format as for
\fItrust\-anchor\-file:\fR statements. Only one DLV can be configured, more
-would be slow. The DLV configured is used as a root trusted DLV, this
-means that it is a lookaside for the root. Default is "", or no dlv anchor file.
-DLV is going to be decommissioned. Please do not use it any more.
+would be slow. The DLV configured is used as a root trusted DLV, this
+means that it is a lookaside for the root. Default is "", or no dlv anchor
+file. DLV is going to be decommissioned. Please do not use it any more.
.TP
.B dlv\-anchor: \fI<"Resource Record">
Much like trust\-anchor, this is a DLV anchor with the DS or DNSKEY inline.
domain secure with a DS record, such a DS record is then ignored.
Also keys from DLV are ignored for the domain. Can be given multiple times
to specify multiple domains that are treated as if unsigned. If you set
-trust anchors for the domain they override this setting (and the domain
+trust anchors for the domain they override this setting (and the domain
is secured).
.IP
This can be useful if you want to make sure a trust anchor for external
-lookups does not affect an (unsigned) internal domain. A DS record
+lookups does not affect an (unsigned) internal domain. A DS record
externally can create validation failures for that internal domain.
.TP
.B val\-override\-date: \fI<rrsig\-style date spec>
Default is "" or "0", which disables this debugging feature. If enabled by
giving a RRSIG style date, that date is used for verifying RRSIG inception
-and expiration dates, instead of the current date. Do not set this unless
+and expiration dates, instead of the current date. Do not set this unless
you are debugging signature inception and expiration. The value \-1 ignores
the date altogether, useful for some special applications.
.TP
Instruct the validator to remove data from the additional section of secure
messages that are not signed properly. Messages that are insecure, bogus,
indeterminate or unchecked are not affected. Default is yes. Use this setting
-to protect the users that rely on this validator for authentication from
+to protect the users that rely on this validator for authentication from
potentially bad data in the additional section.
.TP
.B val\-log\-level: \fI<number>
.B val\-permissive\-mode: \fI<yes or no>
Instruct the validator to mark bogus messages as indeterminate. The security
checks are performed, but if the result is bogus (failed security), the
-reply is not withheld from the client with SERVFAIL as usual. The client
-receives the bogus data. For messages that are found to be secure the AD bit
+reply is not withheld from the client with SERVFAIL as usual. The client
+receives the bogus data. For messages that are found to be secure the AD bit
is set in replies. Also logging is performed as for full validation.
-The default value is "no".
+The default value is "no".
.TP
.B ignore\-cd\-flag: \fI<yes or no>
Instruct unbound to ignore the CD flag from clients and refuse to
by quotes. Default is "1024 150 2048 500 4096 2500". This determines the
maximum allowed NSEC3 iteration count before a message is simply marked
insecure instead of performing the many hashing iterations. The list must
-be in ascending order and have at least one entry. If you set it to
+be in ascending order and have at least one entry. If you set it to
"1024 65535" there is no restriction to NSEC3 iteration values.
This table must be kept short; a very long list could cause slower operation.
.TP
.TP
.B key\-cache\-slabs: \fI<number>
Number of slabs in the key cache. Slabs reduce lock contention by threads.
-Must be set to a power of 2. Setting (close) to the number of cpus is a
+Must be set to a power of 2. Setting (close) to the number of cpus is a
reasonable guess.
.TP
.B neg\-cache\-size: \fI<number>
For a negative answer a SOA is included in the answer if present
as local\-data for the zone apex domain.
.TP 10
-\h'5'\fItransparent\fR
+\h'5'\fItransparent\fR
If there is a match from local data, the query is answered.
Otherwise if the query has a different name, the query is resolved normally.
If the query is for a name given in localdata but no such type of data is
If no local\-zone is given local\-data causes a transparent zone
to be created by default.
.TP 10
-\h'5'\fItypetransparent\fR
+\h'5'\fItypetransparent\fR
If there is a match from local data, the query is answered. If the query
is for a different name, or for the same name but for a different type,
the query is resolved normally. So, similar to transparent but types
that are not listed in local data are resolved normally, so if an A record
is in the local data that does not cause a nodata reply for AAAA queries.
.TP 10
-\h'5'\fIredirect\fR
+\h'5'\fIredirect\fR
The query is answered from the local data for the zone name.
There may be no local data beneath the zone name.
This answers queries for the zone, and all subdomains of the zone
with the local data for the zone.
It can be used to redirect a domain to return a different address record
-to the end user, with
-local\-zone: "example.com." redirect and
+to the end user, with
+local\-zone: "example.com." redirect and
local\-data: "example.com. A 127.0.0.1"
queries for www.example.com and www.foo.example.com are redirected, so
that users with web browsers cannot access sites with suffix example.com.
.TP 10
-\h'5'\fIinform\fR
+\h'5'\fIinform\fR
The query is answered normally, same as transparent. The client IP
address (@portnumber) is printed to the logfile. The log message is:
timestamp, unbound-pid, info: zonename inform IP@port queryname type
class. This option can be used for normal resolution, but machines
looking up infected names are logged, eg. to run antivirus on them.
.TP 10
-\h'5'\fIinform_deny\fR
+\h'5'\fIinform_deny\fR
The query is dropped, like 'deny', and logged, like 'inform'. Ie. find
infected machines without answering the queries.
.TP 10
-\h'5'\fIalways_transparent\fR
+\h'5'\fIalways_transparent\fR
Like transparent, but ignores local data and resolves normally.
.TP 10
-\h'5'\fIalways_refuse\fR
+\h'5'\fIalways_refuse\fR
Like refuse, but ignores local data and refuses the query.
.TP 10
-\h'5'\fIalways_nxdomain\fR
+\h'5'\fIalways_nxdomain\fR
Like static, but ignores local data and returns nxdomain for the query.
.TP 10
-\h'5'\fInodefault\fR
+\h'5'\fInodefault\fR
Used to turn off default contents for AS112 zones. The other types
-also turn off default contents for the zone. The 'nodefault' option
-has no other effect than turning off default contents for the
+also turn off default contents for the zone. The 'nodefault' option
+has no other effect than turning off default contents for the
given zone. Use \fInodefault\fR if you use exactly that zone, if you want to
use a subzone, use \fItransparent\fR.
.P
reserved IP addresses for which the servers on the internet cannot provide
correct answers. They are configured by default to give nxdomain (no reverse
information) answers. The defaults can be turned off by specifying your
-own local\-zone of that name, or using the 'nodefault' type. Below is a
+own local\-zone of that name, or using the 'nodefault' type. Below is a
list of the default zone contents.
.TP 10
-\h'5'\fIlocalhost\fR
+\h'5'\fIlocalhost\fR
The IP4 and IP6 localhost information is given. NS and SOA records are provided
for completeness and to satisfy some DNS update tools. Default content:
.nf
local\-zone: "localhost." static
local\-data: "localhost. 10800 IN NS localhost."
-local\-data: "localhost. 10800 IN
+local\-data: "localhost. 10800 IN
SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
local\-data: "localhost. 10800 IN A 127.0.0.1"
local\-data: "localhost. 10800 IN AAAA ::1"
.fi
.TP 10
-\h'5'\fIreverse IPv4 loopback\fR
+\h'5'\fIreverse IPv4 loopback\fR
Default content:
.nf
local\-zone: "127.in\-addr.arpa." static
local\-data: "127.in\-addr.arpa. 10800 IN NS localhost."
-local\-data: "127.in\-addr.arpa. 10800 IN
+local\-data: "127.in\-addr.arpa. 10800 IN
SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
-local\-data: "1.0.0.127.in\-addr.arpa. 10800 IN
+local\-data: "1.0.0.127.in\-addr.arpa. 10800 IN
PTR localhost."
.fi
.TP 10
-\h'5'\fIreverse IPv6 loopback\fR
+\h'5'\fIreverse IPv6 loopback\fR
Default content:
.nf
local\-zone: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." static
local\-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
- 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 10800 IN
+ 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 10800 IN
NS localhost."
local\-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
- 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 10800 IN
+ 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 10800 IN
SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
local\-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
- 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 10800 IN
+ 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 10800 IN
PTR localhost."
.fi
.TP 10
-\h'5'\fIonion (RFC 7686)\fR
+\h'5'\fIonion (RFC 7686)\fR
Default content:
.nf
local\-zone: "onion." static
local\-data: "onion. 10800 IN NS localhost."
-local\-data: "onion. 10800 IN
+local\-data: "onion. 10800 IN
SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
.fi
.TP 10
-\h'5'\fIreverse RFC1918 local use zones\fR
-Reverse data for zones 10.in\-addr.arpa, 16.172.in\-addr.arpa to
+\h'5'\fIreverse RFC1918 local use zones\fR
+Reverse data for zones 10.in\-addr.arpa, 16.172.in\-addr.arpa to
31.172.in\-addr.arpa, 168.192.in\-addr.arpa.
-The \fBlocal\-zone:\fR is set static and as \fBlocal\-data:\fR SOA and NS
+The \fBlocal\-zone:\fR is set static and as \fBlocal\-data:\fR SOA and NS
records are provided.
.TP 10
-\h'5'\fIreverse RFC3330 IP4 this, link\-local, testnet and broadcast\fR
-Reverse data for zones 0.in\-addr.arpa, 254.169.in\-addr.arpa,
+\h'5'\fIreverse RFC3330 IP4 this, link\-local, testnet and broadcast\fR
+Reverse data for zones 0.in\-addr.arpa, 254.169.in\-addr.arpa,
2.0.192.in\-addr.arpa (TEST NET 1), 100.51.198.in\-addr.arpa (TEST NET 2),
113.0.203.in\-addr.arpa (TEST NET 3), 255.255.255.255.in\-addr.arpa.
And from 64.100.in\-addr.arpa to 127.100.in\-addr.arpa (Shared Address Space).
.TP 10
\h'5'\fIreverse RFC4291 IP6 unspecified\fR
-Reverse data for zone
+Reverse data for zone
.nf
0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa.
.TP 5
.B local\-data: \fI"<resource record string>"
Configure local data, which is served in reply to queries for it.
-The query has to match exactly unless you configure the local\-zone as
+The query has to match exactly unless you configure the local\-zone as
redirect. If not matched exactly, the local\-zone type determines
further processing. If local\-data is configured that is not a subdomain of
-a local\-zone, a transparent local\-zone is configured.
-For record types such as TXT, use single quotes, as in
+a local\-zone, a transparent local\-zone is configured.
+For record types such as TXT, use single quotes, as in
local\-data: 'example. TXT "text"'.
.IP
If you need more complicated authoritative data, with referrals, wildcards,
tags.
.TP 5
.B local\-zone\-override: \fI<zone> <IP netblock> <type>
-Override the localzone type for queries from addresses matching netblock.
+Override the localzone type for queries from addresses matching netblock.
Use this localzone type, regardless the type configured for the local-zone
(both tagged and untagged) and regardless the type configured using
access\-control\-tag\-action.
.P
The stub zone can be used to configure authoritative data to be used
by the resolver that cannot be accessed using the public internet servers.
-This is useful for company\-local data or private zones. Setup an
-authoritative server on a different host (or different port). Enter a config
-entry for unbound with
+This is useful for company\-local data or private zones. Setup an
+authoritative server on a different host (or different port). Enter a config
+entry for unbound with
.B stub\-addr:
-<ip address of host[@port]>.
-The unbound resolver can then access the data, without referring to the
-public internet for it.
+<ip address of host[@port]>.
+The unbound resolver can then access the data, without referring to the
+public internet for it.
.P
-This setup allows DNSSEC signed zones to be served by that
+This setup allows DNSSEC signed zones to be served by that
authoritative server, in which case a trusted key entry with the public key
-can be put in config, so that unbound can validate the data and set the AD
-bit on replies for the private zone (authoritative servers do not set the
-AD bit). This setup makes unbound capable of answering queries for the
-private zone, and can even set the AD bit ('authentic'), but the AA
-('authoritative') bit is not set on these replies.
+can be put in config, so that unbound can validate the data and set the AD
+bit on replies for the private zone (authoritative servers do not set the
+AD bit). This setup makes unbound capable of answering queries for the
+private zone, and can even set the AD bit ('authentic'), but the AA
+('authoritative') bit is not set on these replies.
.P
Consider adding \fBserver:\fR statements for \fBdomain\-insecure:\fR and
for \fBlocal\-zone:\fI name nodefault\fR for the zone if it is a locally
To use a nondefault port for DNS communication append '@' with the port number.
.TP
.B stub\-prime: \fI<yes or no>
-This option is by default off. If enabled it performs NS set priming,
-which is similar to root hints, where it starts using the list of nameservers
+This option is by default off. If enabled it performs NS set priming,
+which is similar to root hints, where it starts using the list of nameservers
currently published by the zone. Thus, if the hint list is slightly outdated,
the resolver picks up a correct list online.
.TP
There may be multiple
.B view:
clauses. Each with a \fBname:\fR and zero or more \fBlocal\-zone\fR and
-\fBlocal\-data\fR elements. View can be mapped to requests by specifying the view
-name in an \fBaccess\-control\-view\fR element. Options from matching views will
-override global options. Global options will be used if no matching view
-is found.
+\fBlocal\-data\fR elements. View can be mapped to requests by specifying the
+view name in an \fBaccess\-control\-view\fR element. Options from matching
+views will override global options. Global options will be used if no matching
+view is found.
.TP
.B name: \fI<view name>
Name of the view. Must be unique. This name is used in access\-control\-view
available, they are only meaningful if unbound was compiled with
\fB\-\-enable\-dnscrypt\fR.
Currently certificate and secret/public keys cannot be generated by unbound.
-You can use dnscrypt-wrapper to generate those: https://github.com/cofyc/dnscrypt-wrapper/blob/master/README.md#usage
+You can use dnscrypt-wrapper to generate those: https://github.com/cofyc/\
+dnscrypt-wrapper/blob/master/README.md#usage
.TP
.B dnscrypt\-enable: \fI<yes or no>\fR
Whether or not the \fBdnscrypt\fR config should be enabled. You may define
times.
.TP
.B dnscrypt\-provider\-cert: \fI<path to cert file>\fR
-Path to the certificate related to the \fBdnscrypt\-secret\-key\fRs. This option
-may be specified multiple times.
+Path to the certificate related to the \fBdnscrypt\-secret\-key\fRs.
+This option may be specified multiple times.
.SS "EDNS Client Subnet Module Options"
.LP
The ECS module must be configured in the \fBmodule\-config:\fR "subnetcache
validator iterator" directive and be compiled into the daemon to be
enabled. These settings go in the \fBserver:\fR section.
.LP
-If the destination address is whitelisted with Unbound will add the EDNS0 option
-to the query containing the relevant part of the client's address. When an
-answer contains the ECS option the response and the option are placed in a
-specialized cache. If the authority indicated no support, the response is stored
-in the regular cache.
+If the destination address is whitelisted with Unbound will add the EDNS0
+option to the query containing the relevant part of the client's address. When
+an answer contains the ECS option the response and the option are placed in a
+specialized cache. If the authority indicated no support, the response is
+stored in the regular cache.
.LP
Additionally, when a client includes the option in its queries, Unbound will
forward the option to the authority if prensent in the whitelist, or
.B max\-client\-subnet\-ipv4: \fI<number>\fR
Specifies the maximum prefix length of the client source address we are willing
to expose to third parties for IPv4. Defaults to 24.
+.SS "Opportunistic IPsec Support Module Options"
+.LP
+The IPsec module must be configured in the \fBmodule\-config:\fR "ipsecmod
+validator iterator" directive and be compiled into the daemon to be
+enabled. These settings go in the \fBserver:\fR section.
+.LP
+When unbound receives an A/AAAA query that is not in the cache and finds a
+valid answer, it will withhold returning the answer and instead will generate
+an IPSECKEY subquery for the same domain name. If an answer was found, unbound
+will call an external hook passing the following arguments:
+.TP 10
+\h'5'\fIQNAME\fR
+Domain name of the A/AAAA and IPSECKEY query. In string format.
+.TP 10
+\h'5'\fIIPSECKEY TTL\fR
+TTL of the IPSECKEY RRset.
+.TP 10
+\h'5'\fIA/AAAA\fR
+String of space separated IP addresses present in the A/AAAA RRset. The IP
+addresses are in string format.
+.TP 10
+\h'5'\fIIPSECKEY\fR
+String of space separated IPSECKEY RDATA present in the IPSECKEY RRset. The
+IPSECKEY RDATA are in DNS presentation format.
+.LP
+The A/AAAA answer is then cached and returned to the client. If the external
+hook was called the TTL changes to ensure it doesn't surpass
+\fBipsecmod-max-ttl\fR.
+.LP
+The same procedure is also followed when \fBprefetch:\fR is used, but the
+A/AAAA answer is given to the client before the hook is called.
+\fBipsecmod-max-ttl\fR ensures that the A/AAAA answer given from cache is still
+relevant for opportunistic IPsec.
+.TP
+.B ipsecmod-enabled: \fI<yes or no>\fR
+Specifies whether the IPsec module is enabled or not. The IPsec module still
+needs to be defined in the \fBmodule\-config:\fR directive. This option
+facilitates turning on/off the module without restarting/reloading unbound.
+Defaults to yes.
+.TP
+.B ipsecmod\-hook: \fI<filename>\fR
+Specifies the external hook that unbound will call with \fIsystem\fR(3). The
+file can be specified as an absolute/relative path. The file needs the proper
+permissions to be able to be executed by the same user that runs unbound. It
+must be present when the IPsec module is defined in the \fBmodule\-config:\fR
+directive.
+.TP
+.B ipsecmod-strict: \fI<yes or no>\fR
+If enabled unbound requires the external hook to return a success value of 0.
+Failing to do so unbound will reply with SERVFAIL. The A/AAAA answer will also
+not be cached. Defaults to no.
+.TP
+.B ipsecmod\-max-ttl: \fI<seconds>\fR
+Time to live maximum for A/AAAA cached records after calling the external hook.
+Defaults to 3600.
+.TP
+.B ipsecmod-ignore-bogus: \fI<yes or no>\fR
+Specifies the behaviour of unbound when the IPSECKEY answer is bogus. If set
+to yes, the hook will be called and the A/AAAA answer will be returned to the
+client. If set to no, the hook will not be called and the answer to the
+A/AAAA query will be SERVFAIL. Mainly used for testing. Defaults to no.
+.TP
+.B ipsecmod\-whitelist: \fI<domain>\fR
+Whitelist the domain so that the module logic will be executed. Can
+be given multiple times, for different domains. If the option is not
+specified, all domains are treated as being whitelisted (default).
.SH "MEMORY CONTROL EXAMPLE"
In the example config settings below memory usage is reduced. Some service
levels are lower, notable very large data and a high TCP load are no longer
DNSSEC validation is enabled, just add trust anchors.
If you do not have to worry about programs using more than 3 Mb of memory,
the below example is not for you. Use the defaults to receive full service,
-which on BSD\-32bit tops out at 30\-40 Mb after heavy usage.
+which on BSD\-32bit tops out at 30\-40 Mb after heavy usage.
.P
.nf
# example settings that reduce memory usage
default unbound pidfile with process ID of the running daemon.
.TP
.I unbound.log
-unbound log file. default is to log to
-\fIsyslog\fR(3).
+unbound log file. default is to log to
+\fIsyslog\fR(3).
.SH "SEE ALSO"
-\fIunbound\fR(8),
+\fIunbound\fR(8),
\fIunbound\-checkconf\fR(8).
.SH "AUTHORS"
-.B Unbound
+.B Unbound
was written by NLnet Labs. Please see CREDITS file
in the distribution for further details.
--- /dev/null
+/*
+ * ipsecmod/ipsecmod-whitelist.h - White listed domains for the ipsecmod to
+ * operate on.
+ *
+ * Copyright (c) 2017, NLnet Labs. All rights reserved.
+ *
+ * This software is open source.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ *
+ * Neither the name of the NLNET LABS nor the names of its contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+ * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+/**
+ * \file
+ *
+ * Keep track of the white listed domains for ipsecmod.
+ */
+
+#include "config.h"
+
+#ifdef USE_IPSECMOD
+#include "ipsecmod/ipsecmod.h"
+#include "ipsecmod/ipsecmod-whitelist.h"
+#include "util/regional.h"
+#include "util/log.h"
+#include "util/config_file.h"
+#include "util/rbtree.h"
+#include "util/data/dname.h"
+#include "util/storage/dnstree.h"
+#include "sldns/str2wire.h"
+
+/** Apply ipsecmod-whitelist string. */
+static int
+whitelist_str_cfg(rbtree_type* whitelist, const char* name)
+{
+ struct name_tree_node* n;
+ size_t len;
+ uint8_t* nm = sldns_str2wire_dname(name, &len);
+ if(!nm) {
+ log_err("ipsecmod: could not parse %s for whitelist.", name);
+ return 0;
+ }
+ n = (struct name_tree_node*)calloc(1, sizeof(*n));
+ if(!n) {
+ log_err("ipsecmod: out of memory while creating whitelist.");
+ free(nm);
+ return 0;
+ }
+ n->node.key = n;
+ n->name = nm;
+ n->len = len;
+ n->labs = dname_count_labels(nm);
+ n->dclass = LDNS_RR_CLASS_IN;
+ if(!name_tree_insert(whitelist, n, nm, len, n->labs, n->dclass)) {
+ /* duplicate element ignored, idempotent */
+ free(n->name);
+ free(n);
+ }
+ return 1;
+}
+
+/** Read ipsecmod-whitelist config. */
+static int
+read_whitelist(rbtree_type* whitelist, struct config_file* cfg)
+{
+ struct config_strlist* p;
+ for(p = cfg->ipsecmod_whitelist; p; p = p->next) {
+ log_assert(p->str);
+ if(!whitelist_str_cfg(whitelist, p->str))
+ return 0;
+ }
+ return 1;
+}
+
+int
+ipsecmod_whitelist_apply_cfg(struct ipsecmod_env* ie,
+ struct config_file* cfg)
+{
+ ie->whitelist = rbtree_create(name_tree_compare);
+ if(!read_whitelist(ie->whitelist, cfg))
+ return 0;
+ name_tree_init_parents(ie->whitelist);
+ return 1;
+}
+
+/** Delete ipsecmod_env->whitelist element. */
+static void
+whitelist_free(struct rbnode_type* n, void* ATTR_UNUSED(d))
+{
+ if(n) {
+ free(((struct name_tree_node*)n)->name);
+ free(n);
+ }
+}
+
+/** Get memory usage of ipsecmod_env->whitelist element. */
+static void
+whitelist_get_mem(struct rbnode_type* n, void* arg)
+{
+ struct name_tree_node* node = (struct name_tree_node*)n;
+ size_t* size = (size_t*) arg;
+ if(node) {
+ *size += sizeof(node) + node->len;
+ }
+}
+
+void
+ipsecmod_whitelist_delete(rbtree_type* whitelist)
+{
+ if(whitelist) {
+ traverse_postorder(whitelist, whitelist_free, NULL);
+ free(whitelist);
+ }
+}
+
+int
+ipsecmod_domain_is_whitelisted(struct ipsecmod_env* ie, uint8_t* dname,
+ size_t dname_len, uint16_t qclass)
+{
+ if(!ie->whitelist) return 1; /* No whitelist, treat as whitelisted. */
+ return name_tree_lookup(ie->whitelist, dname, dname_len,
+ dname_count_labels(dname), qclass) != NULL;
+}
+
+size_t
+ipsecmod_whitelist_get_mem(rbtree_type* whitelist)
+{
+ size_t size = 0;
+ if(whitelist) {
+ traverse_postorder(whitelist, whitelist_get_mem, &size);
+ }
+ return size;
+}
+
+#endif /* USE_IPSECMOD */
--- /dev/null
+/*
+ * ipsecmod/ipsecmod-whitelist.h - White listed domains for the ipsecmod to
+ * operate on.
+ *
+ * Copyright (c) 2017, NLnet Labs. All rights reserved.
+ *
+ * This software is open source.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ *
+ * Neither the name of the NLNET LABS nor the names of its contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+ * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+/**
+ * \file
+ *
+ * Keep track of the white listed domains for ipsecmod.
+ */
+
+#ifndef IPSECMOD_WHITELIST_H
+#define IPSECMOD_WHITELIST_H
+#include "util/storage/dnstree.h"
+
+struct config_file;
+struct regional;
+
+/**
+ * Process ipsecmod_whitelist config.
+ * @param ie: ipsecmod environment.
+ * @param cfg: config options.
+ * @return 0 on error.
+ */
+int ipsecmod_whitelist_apply_cfg(struct ipsecmod_env* ie,
+ struct config_file* cfg);
+
+/**
+ * Delete the ipsecmod whitelist.
+ * @param whitelist: ipsecmod whitelist.
+ */
+void ipsecmod_whitelist_delete(rbtree_type* whitelist);
+
+/**
+ * See if a domain is whitelisted.
+ * @param ie: ipsecmod environment.
+ * @param dname: domain name to check.
+ * @param dname_len: length of domain name.
+ * @param qclass: query CLASS.
+ * @return: true if the domain is whitelisted for the ipsecmod.
+ */
+int ipsecmod_domain_is_whitelisted(struct ipsecmod_env* ie, uint8_t* dname,
+ size_t dname_len, uint16_t qclass);
+
+/**
+ * Get memory used by ipsecmod whitelist.
+ * @param whitelist: structure for domain storage.
+ * @return bytes in use.
+ */
+size_t ipsecmod_whitelist_get_mem(rbtree_type* whitelist);
+
+#endif /* IPSECMOD_WHITELIST_H */
--- /dev/null
+/*
+ * ipsecmod/ipsecmod.c - facilitate opportunistic IPsec module
+ *
+ * Copyright (c) 2017, NLnet Labs. All rights reserved.
+ *
+ * This software is open source.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ *
+ * Neither the name of the NLNET LABS nor the names of its contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+ * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/**
+ * \file
+ *
+ * This file contains a module that facilitates opportunistic IPsec. It does so
+ * by also quering for the IPSECKEY for A/AAAA queries and calling a
+ * configurable hook (eg. signaling an IKE daemon) before replying.
+ */
+
+#include "config.h"
+#ifdef USE_IPSECMOD
+#include "ipsecmod/ipsecmod.h"
+#include "ipsecmod/ipsecmod-whitelist.h"
+#include "util/fptr_wlist.h"
+#include "util/regional.h"
+#include "util/net_help.h"
+#include "util/config_file.h"
+#include "services/cache/dns.h"
+#include "sldns/wire2str.h"
+
+/** Apply configuration to ipsecmod module 'global' state. */
+static int
+ipsecmod_apply_cfg(struct ipsecmod_env* ipsecmod_env, struct config_file* cfg)
+{
+ if(!cfg->ipsecmod_hook || (cfg->ipsecmod_hook && !cfg->ipsecmod_hook[0])) {
+ log_err("ipsecmod: missing ipsecmod-hook.");
+ return 0;
+ }
+ if(cfg->ipsecmod_whitelist &&
+ !ipsecmod_whitelist_apply_cfg(ipsecmod_env, cfg))
+ return 0;
+ return 1;
+}
+
+int
+ipsecmod_init(struct module_env* env, int id)
+{
+ struct ipsecmod_env* ipsecmod_env = (struct ipsecmod_env*)calloc(1,
+ sizeof(struct ipsecmod_env));
+ if(!ipsecmod_env) {
+ log_err("malloc failure");
+ return 0;
+ }
+ env->modinfo[id] = (void*)ipsecmod_env;
+ ipsecmod_env->whitelist = NULL;
+ if(!ipsecmod_apply_cfg(ipsecmod_env, env->cfg)) {
+ log_err("ipsecmod: could not apply configuration settings.");
+ return 0;
+ }
+ return 1;
+}
+
+void
+ipsecmod_deinit(struct module_env* env, int id)
+{
+ struct ipsecmod_env* ipsecmod_env;
+ if(!env || !env->modinfo[id])
+ return;
+ ipsecmod_env = (struct ipsecmod_env*)env->modinfo[id];
+ /* Free contents. */
+ ipsecmod_whitelist_delete(ipsecmod_env->whitelist);
+ free(ipsecmod_env);
+ env->modinfo[id] = NULL;
+}
+
+/** New query for ipsecmod. */
+static int
+ipsecmod_new(struct module_qstate* qstate, int id)
+{
+ struct ipsecmod_qstate* iq = (struct ipsecmod_qstate*)regional_alloc(
+ qstate->region, sizeof(struct ipsecmod_qstate));
+ memset(iq, 0, sizeof(*iq));
+ qstate->minfo[id] = iq;
+ if(!iq)
+ return 0;
+ /* Initialise it. */
+ iq->enabled = qstate->env->cfg->ipsecmod_enabled;
+ iq->is_whitelisted = ipsecmod_domain_is_whitelisted(
+ (struct ipsecmod_env*)qstate->env->modinfo[id], qstate->qinfo.qname,
+ qstate->qinfo.qname_len, qstate->qinfo.qclass);
+ iq->region = regional_create();
+ return 1;
+}
+
+/**
+ * Exit module with an error status.
+ * @param qstate: query state
+ * @param id: module id.
+ */
+static void
+ipsecmod_error(struct module_qstate* qstate, int id)
+{
+ qstate->ext_state[id] = module_error;
+ qstate->return_rcode = LDNS_RCODE_SERVFAIL;
+}
+
+/**
+ * Generate a request for the IPSECKEY.
+ *
+ * @param qstate: query state that is the parent.
+ * @param id: module id.
+ * @param name: what name to query for.
+ * @param namelen: length of name.
+ * @param qtype: query type.
+ * @param qclass: query class.
+ * @param flags: additional flags, such as the CD bit (BIT_CD), or 0.
+ * @return false on alloc failure.
+ */
+static int
+generate_request(struct module_qstate* qstate, int id, uint8_t* name,
+ size_t namelen, uint16_t qtype, uint16_t qclass, uint16_t flags)
+{
+ struct module_qstate* newq;
+ struct query_info ask;
+ ask.qname = name;
+ ask.qname_len = namelen;
+ ask.qtype = qtype;
+ ask.qclass = qclass;
+ ask.local_alias = NULL;
+ log_query_info(VERB_ALGO, "ipsecmod: generate request", &ask);
+ fptr_ok(fptr_whitelist_modenv_attach_sub(qstate->env->attach_sub));
+ if(!(*qstate->env->attach_sub)(qstate, &ask,
+ (uint16_t)(BIT_RD|flags), 0, 0, &newq)){
+ log_err("Could not generate request: out of memory");
+ return 0;
+ }
+ qstate->ext_state[id] = module_wait_subquery;
+ return 1;
+}
+
+/**
+ * Prepare the data and call the hook.
+ *
+ * @param iq: ipsecmod qstate.
+ * @param ie: ipsecmod environment.
+ * @param rrset_data: IPSECKEY rrset.
+ * @return true on success, false otherwise.
+ */
+static int
+call_hook(struct module_qstate* qstate, struct ipsecmod_qstate* iq,
+ struct ipsecmod_env* ie)
+{
+ size_t slen, tempdata_len, tempstring_len;
+ char str[65535], *s, *tempstring;
+ int i, w;
+ struct ub_packed_rrset_key* rrset_key;
+ struct packed_rrset_data* rrset_data;
+ uint8_t *tempdata;
+
+ /* Check if a shell is available */
+ if(system(NULL) == 0) {
+ log_err("ipsecmod: no shell available for ipsecmod-hook");
+ return 0;
+ }
+
+ /* Zero the buffer. */
+ s = str;
+ slen = sizeof(str);
+ memset(s, 0, slen);
+
+ /* Copy the hook into the buffer. */
+ sldns_str_print(&s, &slen, "%s", qstate->env->cfg->ipsecmod_hook);
+ /* Put space into the buffer. */
+ sldns_str_print(&s, &slen, " ");
+ /* Copy the qname into the buffer. */
+ tempstring = sldns_wire2str_dname(qstate->qinfo.qname,
+ qstate->qinfo.qname_len);
+ if(!tempstring) {
+ log_err("ipsecmod: out of memory when calling the hook");
+ return 0;
+ }
+ sldns_str_print(&s, &slen, "\"%s\"", tempstring);
+ free(tempstring);
+ /* Put space into the buffer. */
+ sldns_str_print(&s, &slen, " ");
+ /* Copy the IPSECKEY TTL into the buffer. */
+ rrset_data = (struct packed_rrset_data*)iq->ipseckey_rrset->entry.data;
+ sldns_str_print(&s, &slen, "\"%ld\"", rrset_data->ttl);
+ /* Put space into the buffer. */
+ sldns_str_print(&s, &slen, " ");
+ /* Copy the A/AAAA record(s) into the buffer. Start and end this section
+ * with a double quote. */
+ rrset_key = reply_find_answer_rrset(&qstate->return_msg->qinfo,
+ qstate->return_msg->rep);
+ rrset_data = (struct packed_rrset_data*)rrset_key->entry.data;
+ sldns_str_print(&s, &slen, "\"");
+ for(i=0; i<rrset_data->count; i++) {
+ if(i > 0) {
+ /* Put space into the buffer. */
+ sldns_str_print(&s, &slen, " ");
+ }
+ /* Ignore the first two bytes, they are the rr_data len. */
+ w = sldns_wire2str_rdata_buf(rrset_data->rr_data[i] + 2,
+ rrset_data->rr_len[i] - 2, s, slen, qstate->qinfo.qtype);
+ if(w < 0) {
+ /* Error in printout. */
+ return -1;
+ } else if((size_t)w >= slen) {
+ s = NULL; /* We do not want str to point outside of buffer. */
+ slen = 0;
+ return -1;
+ } else {
+ s += w;
+ slen -= w;
+ }
+ }
+ sldns_str_print(&s, &slen, "\"");
+ /* Put space into the buffer. */
+ sldns_str_print(&s, &slen, " ");
+ /* Copy the IPSECKEY record(s) into the buffer. Start and end this section
+ * with a double quote. */
+ sldns_str_print(&s, &slen, "\"");
+ rrset_data = (struct packed_rrset_data*)iq->ipseckey_rrset->entry.data;
+ for(i=0; i<rrset_data->count; i++) {
+ if(i > 0) {
+ /* Put space into the buffer. */
+ sldns_str_print(&s, &slen, " ");
+ }
+ /* Ignore the first two bytes, they are the rr_data len. */
+ tempdata = rrset_data->rr_data[i] + 2;
+ tempdata_len = rrset_data->rr_len[i] - 2;
+ /* Save the buffer pointers. */
+ tempstring = s; tempstring_len = slen;
+ w = sldns_wire2str_ipseckey_scan(&tempdata, &tempdata_len, &s, &slen,
+ NULL, 0);
+ /* There was an error when parsing the IPSECKEY; reset the buffer
+ * pointers to their previous values. */
+ if(w == -1){
+ s = tempstring; slen = tempstring_len;
+ }
+ }
+ sldns_str_print(&s, &slen, "\"");
+ verbose(VERB_ALGO, "ipsecmod: hook command: '%s'", str);
+ /* ipsecmod-hook should return 0 on success. */
+ if(system(str) != 0)
+ return 0;
+ return 1;
+}
+
+/**
+ * Handle an ipsecmod module event with a query
+ * @param qstate: query state (from the mesh), passed between modules.
+ * contains qstate->env module environment with global caches and so on.
+ * @param iq: query state specific for this module. per-query.
+ * @param ie: environment specific for this module. global.
+ * @param id: module id.
+ */
+static void
+ipsecmod_handle_query(struct module_qstate* qstate,
+ struct ipsecmod_qstate* iq, struct ipsecmod_env* ie, int id)
+{
+ struct ub_packed_rrset_key* rrset_key;
+ struct packed_rrset_data* rrset_data;
+ size_t i;
+ /* Pass to next module if we are not enabled and whitelisted. */
+ if(!(iq->enabled && iq->is_whitelisted)) {
+ qstate->ext_state[id] = module_wait_module;
+ return;
+ }
+ /* New query, check if the query is for an A/AAAA record and disable
+ * caching for other modules. */
+ if(!iq->ipseckey_done) {
+ if(qstate->qinfo.qtype == LDNS_RR_TYPE_A ||
+ qstate->qinfo.qtype == LDNS_RR_TYPE_AAAA) {
+ verbose(VERB_ALGO, "ipsecmod: query for %s; engaging",
+ sldns_rr_descript(qstate->qinfo.qtype)->_name);
+ qstate->no_cache_store = 1;
+ }
+ /* Pass request to next module. */
+ qstate->ext_state[id] = module_wait_module;
+ return;
+ }
+ /* IPSECKEY subquery is finished. */
+ /* We have an IPSECKEY answer. */
+ if(iq->ipseckey_rrset) {
+ rrset_data = (struct packed_rrset_data*)iq->ipseckey_rrset->entry.data;
+ if(rrset_data) {
+ /* If bogus return SERVFAIL. */
+ if(!qstate->env->cfg->ipsecmod_ignore_bogus &&
+ rrset_data->security == sec_status_bogus) {
+ log_err("ipsecmod: bogus IPSECKEY");
+ ipsecmod_error(qstate, id);
+ return;
+ }
+ /* We have a valid IPSECKEY reply, call hook. */
+ if(!call_hook(qstate, iq, ie) &&
+ qstate->env->cfg->ipsecmod_strict) {
+ log_err("ipsecmod: ipsecmod-hook failed");
+ ipsecmod_error(qstate, id);
+ return;
+ }
+ /* Make sure the A/AAAA's TTL is equal/less than the
+ * ipsecmod_max_ttl. */
+ rrset_key = reply_find_answer_rrset(&qstate->return_msg->qinfo,
+ qstate->return_msg->rep);
+ rrset_data = (struct packed_rrset_data*)rrset_key->entry.data;
+ if(rrset_data->ttl > (time_t)qstate->env->cfg->ipsecmod_max_ttl) {
+ /* Update TTL for rrset to fixed value. */
+ rrset_data->ttl = qstate->env->cfg->ipsecmod_max_ttl;
+ for(i=0; i<rrset_data->count+rrset_data->rrsig_count; i++)
+ rrset_data->rr_ttl[i] = qstate->env->cfg->ipsecmod_max_ttl;
+ /* Also update reply_info's TTL */
+ qstate->return_msg->rep->ttl =
+ qstate->env->cfg->ipsecmod_max_ttl;
+ qstate->return_msg->rep->prefetch_ttl = PREFETCH_TTL_CALC(
+ qstate->return_msg->rep->ttl);
+ }
+ }
+ }
+ /* Store A/AAAA in cache. */
+ if(!dns_cache_store(qstate->env, &qstate->qinfo,
+ qstate->return_msg->rep, 0, qstate->prefetch_leeway,
+ 0, qstate->region, qstate->query_flags)) {
+ log_err("ipsecmod: out of memory caching record");
+ }
+ qstate->ext_state[id] = module_finished;
+}
+
+/**
+ * Handle an ipsecmod module event with a response from the iterator.
+ * @param qstate: query state (from the mesh), passed between modules.
+ * contains qstate->env module environment with global caches and so on.
+ * @param iq: query state specific for this module. per-query.
+ * @param ie: environment specific for this module. global.
+ * @param id: module id.
+ */
+static void
+ipsecmod_handle_response(struct module_qstate* qstate,
+ struct ipsecmod_qstate* ATTR_UNUSED(iq), struct ipsecmod_env* ie, int id)
+{
+ /* Pass to previous module if we are not enabled and whitelisted. */
+ if(!(iq->enabled && iq->is_whitelisted)) {
+ qstate->ext_state[id] = module_finished;
+ return;
+ }
+ /* check if the response is for an A/AAAA query. */
+ if((qstate->qinfo.qtype == LDNS_RR_TYPE_A ||
+ qstate->qinfo.qtype == LDNS_RR_TYPE_AAAA) &&
+ /* check that we had an answer for the A/AAAA query. */
+ qstate->return_msg &&
+ reply_find_answer_rrset(&qstate->return_msg->qinfo,
+ qstate->return_msg->rep) &&
+ /* check that another module didn't SERVFAIL. */
+ qstate->return_rcode != LDNS_RCODE_SERVFAIL) {
+ verbose(VERB_ALGO, "ipsecmod: response for %s; generating IPSECKEY "
+ "subquery", sldns_rr_descript(qstate->qinfo.qtype)->_name);
+ /* generate an IPSECKEY query. */
+ if(!generate_request(qstate, id, qstate->qinfo.qname,
+ qstate->qinfo.qname_len, LDNS_RR_TYPE_IPSECKEY,
+ qstate->qinfo.qclass, 0)) {
+ log_err("ipsecmod: could not generate subquery.");
+ ipsecmod_error(qstate, id);
+ }
+ return;
+ }
+ /* we are done with the query. */
+ qstate->ext_state[id] = module_finished;
+}
+
+void
+ipsecmod_operate(struct module_qstate* qstate, enum module_ev event, int id,
+ struct outbound_entry* outbound)
+{
+ struct ipsecmod_env* ie = (struct ipsecmod_env*)qstate->env->modinfo[id];
+ struct ipsecmod_qstate* iq = (struct ipsecmod_qstate*)qstate->minfo[id];
+ verbose(VERB_QUERY, "ipsecmod[module %d] operate: extstate:%s event:%s",
+ id, strextstate(qstate->ext_state[id]), strmodulevent(event));
+ if(iq) log_query_info(VERB_QUERY, "ipsecmod operate: query",
+ &qstate->qinfo);
+
+ /* create ipsecmod_qstate. */
+ if((event == module_event_new || event == module_event_pass) &&
+ iq == NULL) {
+ if(!ipsecmod_new(qstate, id)) {
+ ipsecmod_error(qstate, id);
+ return;
+ }
+ iq = (struct ipsecmod_qstate*)qstate->minfo[id];
+ }
+ if(iq && (event == module_event_pass || event == module_event_new)) {
+ ipsecmod_handle_query(qstate, iq, ie, id);
+ return;
+ }
+ if(iq && (event == module_event_moddone)) {
+ ipsecmod_handle_response(qstate, iq, ie, id);
+ return;
+ }
+ if(iq && outbound) {
+ /* cachedb does not need to process responses at this time
+ * ignore it.
+ cachedb_process_response(qstate, iq, ie, id, outbound, event);
+ */
+ return;
+ }
+ if(event == module_event_error) {
+ verbose(VERB_ALGO, "got called with event error, giving up");
+ ipsecmod_error(qstate, id);
+ return;
+ }
+ if(!iq && (event == module_event_moddone)) {
+ /* during priming, module done but we never started. */
+ qstate->ext_state[id] = module_finished;
+ return;
+ }
+
+ log_err("ipsecmod: bad event %s", strmodulevent(event));
+ ipsecmod_error(qstate, id);
+ return;
+}
+
+void
+ipsecmod_inform_super(struct module_qstate* qstate, int id,
+ struct module_qstate* super)
+{
+ log_query_info(VERB_ALGO, "ipsecmod: inform_super, sub is",
+ &qstate->qinfo);
+ log_query_info(VERB_ALGO, "super is", &super->qinfo);
+ struct ipsecmod_qstate* siq = (struct ipsecmod_qstate*)super->minfo[id];
+ if(!siq) {
+ verbose(VERB_ALGO, "super has no ipsecmod state");
+ return;
+ }
+
+ if(qstate->return_msg) {
+ struct ub_packed_rrset_key* rrset_key = reply_find_answer_rrset(
+ &qstate->return_msg->qinfo, qstate->return_msg->rep);
+ if(rrset_key) {
+ /* We have an answer. */
+ /* Copy to super's region. */
+ rrset_key = packed_rrset_copy_region(rrset_key, siq->region, 0);
+ siq->ipseckey_rrset = rrset_key;
+ if(!rrset_key) {
+ log_err("ipsecmod: out of memory.");
+ }
+ }
+ }
+ /* Notify super to proceed. */
+ siq->ipseckey_done = 1;
+}
+
+void
+ipsecmod_clear(struct module_qstate* qstate, int id)
+{
+ struct ipsecmod_qstate* iq;
+ if(!qstate)
+ return;
+ iq = (struct ipsecmod_qstate*)qstate->minfo[id];
+ if(iq) {
+ /* free contents of iq. */
+ regional_destroy(iq->region);
+ }
+ qstate->minfo[id] = NULL;
+}
+
+size_t
+ipsecmod_get_mem(struct module_env* env, int id)
+{
+ struct ipsecmod_env* ie = (struct ipsecmod_env*)env->modinfo[id];
+ if(!ie)
+ return 0;
+ return sizeof(*ie) + ipsecmod_whitelist_get_mem(ie->whitelist);
+}
+
+/**
+ * The ipsecmod function block
+ */
+static struct module_func_block ipsecmod_block = {
+ "ipsecmod",
+ &ipsecmod_init, &ipsecmod_deinit, &ipsecmod_operate,
+ &ipsecmod_inform_super, &ipsecmod_clear, &ipsecmod_get_mem
+};
+
+struct module_func_block*
+ipsecmod_get_funcblock(void)
+{
+ return &ipsecmod_block;
+}
+#endif /* USE_IPSECMOD */
--- /dev/null
+/*
+ * ipsecmod/ipsecmod.h - facilitate opportunistic IPsec module
+ *
+ * Copyright (c) 2017, NLnet Labs. All rights reserved.
+ *
+ * This software is open source.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ *
+ * Neither the name of the NLNET LABS nor the names of its contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+ * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/**
+ * \file
+ *
+ * This file contains a module that facilitates opportunistic IPsec. It does so
+ * by also quering for the IPSECKEY for A/AAAA queries and calling a
+ * configurable hook (eg. signaling an IKE daemon) before replying.
+ */
+
+#ifndef IPSECMOD_H
+#define IPSECMOD_H
+#include "util/module.h"
+#include "util/rbtree.h"
+
+/**
+ * The global variable environment contents for the ipsecmod
+ * Shared between threads, this represents long term information.
+ */
+struct ipsecmod_env {
+ /** White listed domains for ipsecmod. */
+ rbtree_type* whitelist;
+};
+
+/**
+ * Per query state for the ipsecmod module.
+ */
+struct ipsecmod_qstate {
+ /** State of the IPsec module. */
+ /** NOTE: This value is copied here from the configuration so that a change
+ * with unbound-control would not complicate an already running mesh. */
+ int enabled;
+ /** If the qname is whitelisted or not. */
+ /** NOTE: No whitelist means all qnames are whitelisted. */
+ int is_whitelisted;
+ /** Region to store the IPSECKEY rrset. */
+ struct regional* region;
+ /** Pointer to IPSECKEY rrset allocated in the above region. NULL if there
+ * was no IPSECKEY reply from the subquery. */
+ struct ub_packed_rrset_key* ipseckey_rrset;
+ /** If the IPSECKEY subquery has finished. */
+ int ipseckey_done;
+};
+
+/** Init the ipsecmod module */
+int ipsecmod_init(struct module_env* env, int id);
+/** Deinit the ipsecmod module */
+void ipsecmod_deinit(struct module_env* env, int id);
+/** Operate on an event on a query (in qstate). */
+void ipsecmod_operate(struct module_qstate* qstate, enum module_ev event,
+ int id, struct outbound_entry* outbound);
+/** Subordinate query done, inform this super request of its conclusion */
+void ipsecmod_inform_super(struct module_qstate* qstate, int id,
+ struct module_qstate* super);
+/** clear the ipsecmod query-specific contents out of qstate */
+void ipsecmod_clear(struct module_qstate* qstate, int id);
+/** return memory estimate for the ipsecmod module */
+size_t ipsecmod_get_mem(struct module_env* env, int id);
+
+/**
+ * Get the function block with pointers to the ipsecmod functions
+ * @return the function block for "ipsecmod".
+ */
+struct module_func_block* ipsecmod_get_funcblock(void);
+
+#endif /* IPSECMOD_H */
* this struct is shared on a shm segment (shm-key in unbound.conf)
*/
struct ub_shm_stat_info {
+ int num_threads;
- int num_threads;
-
- struct {
+ struct {
long long now_sec, now_usec;
long long up_sec, up_usec;
long long elapsed_sec, elapsed_usec;
- } time;
-
- struct {
- long long msg;
- long long rrset;
- long long val;
- long long iter;
- long long subnet;
- } mem;
+ } time;
+
+ struct {
+ long long msg;
+ long long rrset;
+ long long val;
+ long long iter;
+ long long subnet;
+ long long ipsecmod;
+ } mem;
};
/** number of qtype that is stored for in array */
#ifdef USE_CACHEDB
#include "cachedb/cachedb.h"
#endif
+#ifdef USE_IPSECMOD
+#include "ipsecmod/ipsecmod.h"
+#endif
#ifdef CLIENT_SUBNET
#include "edns-subnet/subnetmod.h"
#endif
static const char* names[] = {
"dns64",
#ifdef WITH_PYTHONMODULE
- "python",
+ "python",
#endif
#ifdef USE_CACHEDB
"cachedb",
#endif
+#ifdef USE_IPSECMOD
+ "ipsecmod",
+#endif
#ifdef CLIENT_SUBNET
- "subnetcache",
+ "subnetcache",
#endif
"respip",
- "validator",
- "iterator",
+ "validator",
+ "iterator",
NULL};
return names;
}
static struct module_func_block* (*fb[])(void) = {
&dns64_get_funcblock,
#ifdef WITH_PYTHONMODULE
- &pythonmod_get_funcblock,
+ &pythonmod_get_funcblock,
#endif
#ifdef USE_CACHEDB
&cachedb_get_funcblock,
#endif
+#ifdef USE_IPSECMOD
+ &ipsecmod_get_funcblock,
+#endif
#ifdef CLIENT_SUBNET
- &subnetmod_get_funcblock,
+ &subnetmod_get_funcblock,
#endif
&respip_get_funcblock,
- &val_get_funcblock,
- &iter_get_funcblock,
+ &val_get_funcblock,
+ &iter_get_funcblock,
NULL};
return fb;
}
-struct
+struct
module_func_block* module_factory(const char** str)
{
int i = 0;
* Copyright (c) 2007, NLnet Labs. All rights reserved.
*
* This software is open source.
- *
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
- *
+ *
* Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
- *
+ *
* Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
- *
+ *
* Neither the name of the NLNET LABS nor the names of its contributors may
* be used to endorse or promote products derived from this software without
* specific prior written permission.
- *
+ *
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
exit(1);
}
-/**
- * Print given option to stdout
+/**
+ * Print given option to stdout
* @param cfg: config
- * @param opt: option name without trailing :.
+ * @param opt: option name without trailing :.
* This is different from config_set_option.
* @param final: if final pathname with chroot applied has to be printed.
*/
fprintf(stderr, "unbound-checkconf: warning:"
" %s %s: \"%s\" is an IP%s address, "
"and when looked up as a host name "
- "during use may not resolve.\n",
+ "during use may not resolve.\n",
s->name, typ, h->str,
addr_is_ip6(&a, alen)?"6":"4");
}
socklen_t alen;
struct config_str2list* acl;
for(acl=cfg->acls; acl; acl = acl->next) {
- if(!netblockstrtoaddr(acl->str, UNBOUND_DNS_PORT, &a, &alen,
+ if(!netblockstrtoaddr(acl->str, UNBOUND_DNS_PORT, &a, &alen,
&d)) {
fatal_exit("cannot parse access control address %s %s",
acl->str, acl->str2);
/** true if fname is a file */
static int
-is_file(const char* fname)
+is_file(const char* fname)
{
struct stat buf;
if(stat(fname, &buf) < 0) {
/** true if fname is a directory */
static int
-is_dir(const char* fname)
+is_dir(const char* fname)
{
struct stat buf;
if(stat(fname, &buf) < 0) {
fatal_exit("%s: \"%s\" does not exist in "
"chrootdir %s", desc, str, chrootdir);
else
- fatal_exit("%s: \"%s\" does not exist",
+ fatal_exit("%s: \"%s\" does not exist",
desc, str);
}
/* put in a new full path for continued checking */
struct config_strlist* p;
for(p=list; p; p=p->next) {
#ifdef HAVE_GLOB
- if(strchr(p->str, '*') || strchr(p->str, '[') ||
- strchr(p->str, '?') || strchr(p->str, '{') ||
+ if(strchr(p->str, '*') || strchr(p->str, '[') ||
+ strchr(p->str, '?') || strchr(p->str, '{') ||
strchr(p->str, '~')) {
char* s = p->str;
/* adjust whole pattern for chroot and check later */
#ifdef UB_ON_WINDOWS
w_config_adjust_directory(cfg);
#endif
- if(cfg->chrootdir && cfg->chrootdir[0] &&
+ if(cfg->chrootdir && cfg->chrootdir[0] &&
cfg->chrootdir[strlen(cfg->chrootdir)-1] == '/')
fatal_exit("chootdir %s has trailing slash '/' please remove.",
cfg->chrootdir);
- if(cfg->chrootdir && cfg->chrootdir[0] &&
+ if(cfg->chrootdir && cfg->chrootdir[0] &&
!is_dir(cfg->chrootdir)) {
fatal_exit("bad chroot directory");
}
}
}
- check_chroot_filelist("file with root-hints",
+ check_chroot_filelist("file with root-hints",
cfg->root_hints, cfg->chrootdir, cfg);
- check_chroot_filelist("trust-anchor-file",
+ check_chroot_filelist("trust-anchor-file",
cfg->trust_anchor_file_list, cfg->chrootdir, cfg);
- check_chroot_filelist("auto-trust-anchor-file",
+ check_chroot_filelist("auto-trust-anchor-file",
cfg->auto_trust_anchor_file_list, cfg->chrootdir, cfg);
- check_chroot_filelist_wild("trusted-keys-file",
+ check_chroot_filelist_wild("trusted-keys-file",
cfg->trusted_keys_file_list, cfg->chrootdir, cfg);
- check_chroot_string("dlv-anchor-file", &cfg->dlv_anchor_file,
+ check_chroot_string("dlv-anchor-file", &cfg->dlv_anchor_file,
cfg->chrootdir, cfg);
+#ifdef USE_IPSECMOD
+ check_chroot_string("ipsecmod-hook", &cfg->ipsecmod_hook, cfg->chrootdir,
+ cfg);
+#endif
/* remove chroot setting so that modules are not stripping pathnames*/
free(cfg->chrootdir);
cfg->chrootdir = NULL;
* dns64, but it's not explicitly confirmed, so the combination is
* excluded below. It's simply unknown yet for the combination of
* respip and other modules. */
- if(strcmp(cfg->module_conf, "iterator") != 0
+ if(strcmp(cfg->module_conf, "iterator") != 0
&& strcmp(cfg->module_conf, "validator iterator") != 0
&& strcmp(cfg->module_conf, "dns64 validator iterator") != 0
&& strcmp(cfg->module_conf, "dns64 iterator") != 0
&& strcmp(cfg->module_conf, "respip iterator") != 0
&& strcmp(cfg->module_conf, "respip validator iterator") != 0
#ifdef WITH_PYTHONMODULE
- && strcmp(cfg->module_conf, "python iterator") != 0
- && strcmp(cfg->module_conf, "python validator iterator") != 0
+ && strcmp(cfg->module_conf, "python iterator") != 0
+ && strcmp(cfg->module_conf, "python validator iterator") != 0
&& strcmp(cfg->module_conf, "validator python iterator") != 0
- && strcmp(cfg->module_conf, "dns64 python iterator") != 0
- && strcmp(cfg->module_conf, "dns64 python validator iterator") != 0
+ && strcmp(cfg->module_conf, "dns64 python iterator") != 0
+ && strcmp(cfg->module_conf, "dns64 python validator iterator") != 0
&& strcmp(cfg->module_conf, "dns64 validator python iterator") != 0
- && strcmp(cfg->module_conf, "python dns64 iterator") != 0
- && strcmp(cfg->module_conf, "python dns64 validator iterator") != 0
+ && strcmp(cfg->module_conf, "python dns64 iterator") != 0
+ && strcmp(cfg->module_conf, "python dns64 validator iterator") != 0
#endif
#ifdef USE_CACHEDB
&& strcmp(cfg->module_conf, "validator cachedb iterator") != 0
&& strcmp(cfg->module_conf, "validator python cachedb iterator") != 0
#endif
#ifdef CLIENT_SUBNET
- && strcmp(cfg->module_conf, "subnetcache iterator") != 0
+ && strcmp(cfg->module_conf, "subnetcache iterator") != 0
&& strcmp(cfg->module_conf, "subnetcache validator iterator") != 0
#endif
#if defined(WITH_PYTHONMODULE) && defined(CLIENT_SUBNET)
&& strcmp(cfg->module_conf, "python subnetcache iterator") != 0
- && strcmp(cfg->module_conf, "subnetcache python iterator") != 0
+ && strcmp(cfg->module_conf, "subnetcache python iterator") != 0
&& strcmp(cfg->module_conf, "subnetcache validator iterator") != 0
&& strcmp(cfg->module_conf, "python subnetcache validator iterator") != 0
&& strcmp(cfg->module_conf, "subnetcache python validator iterator") != 0
&& strcmp(cfg->module_conf, "subnetcache validator python iterator") != 0
+#endif
+#ifdef USE_IPSECMOD
+ && strcmp(cfg->module_conf, "ipsecmod iterator") != 0
+ && strcmp(cfg->module_conf, "ipsecmod validator iterator") != 0
+#endif
+#if defined(WITH_PYTHONMODULE) && defined(USE_IPSECMOD)
+ && strcmp(cfg->module_conf, "python ipsecmod iterator") != 0
+ && strcmp(cfg->module_conf, "ipsecmod python iterator") != 0
+ && strcmp(cfg->module_conf, "ipsecmod validator iterator") != 0
+ && strcmp(cfg->module_conf, "python ipsecmod validator iterator") != 0
+ && strcmp(cfg->module_conf, "ipsecmod python validator iterator") != 0
+ && strcmp(cfg->module_conf, "ipsecmod validator python iterator") != 0
#endif
) {
fatal_exit("module conf '%s' is not known to work",
printf("-g detect GOST support (exit code 0 or 1)\n");
printf("-e detect ECDSA support (exit code 0 or 1)\n");
printf("-c detect CLIENT_SUBNET support (exit code 0 or 1)\n");
+ printf("-i detect IPSECMOD support (exit code 0 or 1)\n");
printf("-s testbound self-test - unit test of testbound parts.\n");
printf("-o str unbound commandline options separated by spaces.\n");
printf("Version %s\n", PACKAGE_VERSION);
pass_argc = 1;
pass_argv[0] = "unbound";
add_opts("-d", &pass_argc, pass_argv);
- while( (c=getopt(argc, argv, "12egcho:p:s")) != -1) {
+ while( (c=getopt(argc, argv, "12egciho:p:s")) != -1) {
switch(c) {
case 's':
free(pass_argv[1]);
#else
printf("CLIENT_SUBNET not supported\n");
exit(1);
+#endif
+ break;
+ case 'i':
+#ifdef USE_IPSECMOD
+ printf("IPSECMOD supported\n");
+ exit(0);
+#else
+ printf("IPSECMOD not supported\n");
+ exit(1);
#endif
break;
case 'p':
--- /dev/null
+; Test ipsecmod with bogus IPSECKEY
+
+; config options
+; The island of trust is at example.com
+server:
+ trust-anchor: "example.com. IN DS 48069 8 2 fce2bcb0d88b828064faad58e935ca2e32ff0bbd8bd8407a8f344d8f8e8c438a"
+ val-override-date: "-1"
+ target-fetch-policy: "0 0 0 0 0"
+ # test that default value of harden-dnssec-stripped is still yes.
+ fake-sha1: yes
+ access-control: 127.0.0.1 allow_snoop
+ module-config: "ipsecmod validator iterator"
+ ; ../../ is there because the test runs from testdata/03-testbound.dir
+ ipsecmod-hook: "../../testdata/ipsecmod_hook.sh"
+ ipsecmod-strict: no
+ ipsecmod-max-ttl: 200
+
+stub-zone:
+ name: "."
+ stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Test ipsecmod with bogus IPSECKEY
+; Scenario overview:
+; - query for example.com. IN A
+; - check that query for example.com. IN IPSECKEY is generated
+; - check that we get an answer for example.com. IN A with the correct TTL
+; - check that the get the same answer from cache
+; - check that we don't get the IPSECKEY answer from cache (bogus)
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+ ADDRESS 193.0.14.129
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ . IN NS
+ SECTION ANSWER
+ . IN NS K.ROOT-SERVERS.NET.
+ SECTION ADDITIONAL
+ K.ROOT-SERVERS.NET. IN A 193.0.14.129
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR AA NOERROR
+ SECTION QUESTION
+ a.gtld-servers.net. IN AAAA
+ SECTION AUTHORITY
+ . 86400 IN SOA . . 20070304 28800 7200 604800 86400
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR AA NOERROR
+ SECTION QUESTION
+ K.ROOT-SERVERS.NET. IN AAAA
+ SECTION AUTHORITY
+ . 86400 IN SOA . . 20070304 28800 7200 604800 86400
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode subdomain
+ ADJUST copy_id copy_query
+ REPLY QR NOERROR
+ SECTION QUESTION
+ com. IN A
+ SECTION AUTHORITY
+ com. IN NS a.gtld-servers.net.
+ SECTION ADDITIONAL
+ a.gtld-servers.net. IN A 192.5.6.30
+ ENTRY_END
+RANGE_END
+
+; a.gtld-servers.net.
+RANGE_BEGIN 0 100
+ ADDRESS 192.5.6.30
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ com. IN NS
+ SECTION ANSWER
+ com. IN NS a.gtld-servers.net.
+ SECTION ADDITIONAL
+ a.gtld-servers.net. IN A 192.5.6.30
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode subdomain
+ ADJUST copy_id copy_query
+ REPLY QR NOERROR
+ SECTION QUESTION
+ example.com. IN A
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ ENTRY_END
+RANGE_END
+
+; ns.example.com.
+RANGE_BEGIN 0 100
+ ADDRESS 1.2.3.4
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ example.com. IN NS
+ SECTION ANSWER
+ example.com. IN NS ns.example.com.
+ example.com. 3600 IN RRSIG NS 8 2 3600 20170609142855 20170512142855 48069 example.com. SYFM1dsPEly0PjdShX8EsRnpq6XTysrvUBWB+LjGaC0wn3RFd0A2TG3WhVkUxhjTzRjt9jn3rz+JUJyybrhBkYXjBeBBjLep6Le7PQSct+FFDTIuX8duixfOzEN5LSYRMUnSuAq/z0LJHUB6nqTw8XWRm6EIImdEBc6D0u1KSes=
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ ns.example.com. 3600 IN RRSIG A 8 3 3600 20170609142855 20170512142855 48069 example.com. kK5LZnGi2VmVmKUXkVenYCQMHGqwhGaEOwjwVG9ScOVzvqNA+n7KWwxdLDsIVLgr/BjR9Cj9+HYB9hYMhk+LnsbHqf5ovY3+n7CV4v3MDWJBLYt7NHvXwoywbaD71w7koo0SUiBXMB/FyuxRj6BXEk4dlGh7mgHZXE+X/gCYxsM=
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR AA NOERROR
+ SECTION QUESTION
+ ns.example.com. IN AAAA
+ SECTION AUTHORITY
+ example.com. 86400 IN SOA ns.example.com. example.com. 2002022401 10800 15 604800 10800
+ example.com. 86400 IN RRSIG SOA 8 2 86400 20170609142855 20170512142855 48069 example.com. fr6oVOsRMnm3D8N01LxzPvT9lWdNDhTlmwR1co42c3H2ra1EjbbKqkLcrXQAsq7E/ddzqgL3RnYS+3USojXycI1xhjXC8YT2xsW3uH8uTY1Qvk1K75lu1OXmDiU6wvHplFowl0OX7sx76lB1itbvsau4bMPMt03sf4u8po7V35s=
+ ENTRY_END
+
+ ; response to A query
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ example.com. IN A
+ SECTION ANSWER
+ example.com. 3600 IN A 5.6.7.8
+ example.com. 3600 IN RRSIG A 8 2 3600 20170609142855 20170512142855 48069 example.com. Qviw6w8ReMG2WZxenvzj/YwoeM3Ln59Fnw6s1MRWGsD2yA3+y0loFdUEHZdRhrEiV0kvtQGC+kBhMuSMq/cyjprbKLw5pkS9+MMDDnVPP1PQb17LY4NIxPtq710AN1sjhBK6PVa6XN+3ciUmCcLs1ESviQkVKpgAY/QlV0TaarQ=
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ example.com. 3600 IN RRSIG NS 8 2 3600 20170609142855 20170512142855 48069 example.com. SYFM1dsPEly0PjdShX8EsRnpq6XTysrvUBWB+LjGaC0wn3RFd0A2TG3WhVkUxhjTzRjt9jn3rz+JUJyybrhBkYXjBeBBjLep6Le7PQSct+FFDTIuX8duixfOzEN5LSYRMUnSuAq/z0LJHUB6nqTw8XWRm6EIImdEBc6D0u1KSes=
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ ns.example.com. 3600 IN RRSIG A 8 3 3600 20170609142855 20170512142855 48069 example.com. kK5LZnGi2VmVmKUXkVenYCQMHGqwhGaEOwjwVG9ScOVzvqNA+n7KWwxdLDsIVLgr/BjR9Cj9+HYB9hYMhk+LnsbHqf5ovY3+n7CV4v3MDWJBLYt7NHvXwoywbaD71w7koo0SUiBXMB/FyuxRj6BXEk4dlGh7mgHZXE+X/gCYxsM=
+ ENTRY_END
+
+ ; response to IPSECKEY query
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ example.com. IN IPSECKEY
+ SECTION ANSWER
+ example.com. 3600 IN IPSECKEY 10 0 2 . AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ==
+ ;(correct answer) example.com. 3600 IN RRSIG IPSECKEY 8 2 3600 20170609144114 20170512144114 48069 example.com. UqRbG6P8mWQEVt16j86cS6fqEN8c+5t8qtePr9ghRqIxeuPOCkLiSqmXQYcQbOeOK4YoWQ3gD2az2JMWQMxEKeBLpxXZbgZN+2uIZ9LLEkyYjGRulr9kameKTM1feSe31A9mR9IgMNrY/ZeUkfxC+8Q7s8avOqYH2jVMFUg9raE=
+ ; (bogus answer)
+ example.com. 3600 IN RRSIG IPSECKEY 8 2 3600 20170609144114 20170512144114 48069 example.com. Bogus6P8mWQEVt16j86cS6fqEN8c+5t8qtePr9ghRqIxeuPOCkLiSqmXQYcQbOeOK4YoWQ3gD2az2JMWQMxEKeBLpxXZbgZN+2uIZ9LLEkyYjGRulr9kameKTM1feSe31A9mR9IgMNrY/ZeUkfxC+8Q7s8avOqYH2jVMFUg9raE=
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ example.com. 3600 IN RRSIG NS 8 2 3600 20170609142855 20170512142855 48069 example.com. SYFM1dsPEly0PjdShX8EsRnpq6XTysrvUBWB+LjGaC0wn3RFd0A2TG3WhVkUxhjTzRjt9jn3rz+JUJyybrhBkYXjBeBBjLep6Le7PQSct+FFDTIuX8duixfOzEN5LSYRMUnSuAq/z0LJHUB6nqTw8XWRm6EIImdEBc6D0u1KSes=
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ ns.example.com. 3600 IN RRSIG A 8 3 3600 20170609142855 20170512142855 48069 example.com. kK5LZnGi2VmVmKUXkVenYCQMHGqwhGaEOwjwVG9ScOVzvqNA+n7KWwxdLDsIVLgr/BjR9Cj9+HYB9hYMhk+LnsbHqf5ovY3+n7CV4v3MDWJBLYt7NHvXwoywbaD71w7koo0SUiBXMB/FyuxRj6BXEk4dlGh7mgHZXE+X/gCYxsM=
+ ENTRY_END
+
+; response to DNSKEY priming query
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR AA NOERROR
+ SECTION QUESTION
+ example.com. IN DNSKEY
+ SECTION ANSWER
+ example.com. 86400 IN DNSKEY 256 3 8 AwEAAddE7q1HL4Id+gpQ7imk+RyNEhCWgtew5tstsqIR/fXq0RBn0rF4SI1H6ysbb3nfqAV1xRDJ01ddpgfGyz9zXXHQ/H/9qEpeWapqfNTQ5GHHdxBL2iST7XusThfXEyX/pouKIpvtknvtLs8tmH64dajxoJkaejU2EKXKaBaRKcYx ;{id = 48069 (zsk), size = 1024b}
+ example.com. 86400 IN RRSIG DNSKEY 8 2 86400 20170609144114 20170512144114 48069 example.com. mJU3LnubfYW7vhksiC1STWbrSjCe6TG1kEpnk4jRrYovues6bzOTIFSXEMjPW1mikulapnx3nMtTWdrW2InjfP9wLV/u2Wx1Vu3s9uzli/27y//3DOkZSeBa5RZdKpC1h8UB5GAxq4MRiSidgEBB1qaDIaE29sWmn9kPHEgNcgI=
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ example.com. 3600 IN RRSIG NS 8 2 3600 20170609142855 20170512142855 48069 example.com. SYFM1dsPEly0PjdShX8EsRnpq6XTysrvUBWB+LjGaC0wn3RFd0A2TG3WhVkUxhjTzRjt9jn3rz+JUJyybrhBkYXjBeBBjLep6Le7PQSct+FFDTIuX8duixfOzEN5LSYRMUnSuAq/z0LJHUB6nqTw8XWRm6EIImdEBc6D0u1KSes=
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ ns.example.com. 3600 IN RRSIG A 8 3 3600 20170609142855 20170512142855 48069 example.com. kK5LZnGi2VmVmKUXkVenYCQMHGqwhGaEOwjwVG9ScOVzvqNA+n7KWwxdLDsIVLgr/BjR9Cj9+HYB9hYMhk+LnsbHqf5ovY3+n7CV4v3MDWJBLYt7NHvXwoywbaD71w7koo0SUiBXMB/FyuxRj6BXEk4dlGh7mgHZXE+X/gCYxsM=
+ ENTRY_END
+RANGE_END
+
+STEP 1 QUERY
+ENTRY_BEGIN
+ REPLY RD
+ SECTION QUESTION
+ example.com. IN A
+ENTRY_END
+
+STEP 2 CHECK_OUT_QUERY
+ENTRY_BEGIN
+ MATCH qname qtype opcode
+ SECTION QUESTION
+ example.com. IN IPSECKEY
+ENTRY_END
+
+; recursion happens here.
+STEP 10 CHECK_ANSWER
+ ENTRY_BEGIN
+ MATCH all
+ REPLY QR RD RA SERVFAIL
+ SECTION QUESTION
+ example.com. IN A
+ SECTION ANSWER
+ENTRY_END
+
+; Query without RD, check if not cached
+STEP 11 QUERY
+ENTRY_BEGIN
+ SECTION QUESTION
+ example.com. IN A
+ENTRY_END
+
+STEP 20 CHECK_ANSWER
+ ENTRY_BEGIN
+ MATCH all
+ REPLY QR RA NOERROR
+ SECTION QUESTION
+ example.com. IN A
+ SECTION ANSWER
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ENTRY_END
+
+SCENARIO_END
--- /dev/null
+; Test ipsecmod-enabled option.
+
+; config options
+server:
+ access-control: 127.0.0.1 allow_snoop
+ module-config: "ipsecmod validator iterator"
+ ; ../../ is there because the test runs from testdata/03-testbound.dir
+ ipsecmod-hook: "../../testdata/ipsecmod_hook.sh"
+ ipsecmod-strict: no
+ ipsecmod-max-ttl: 200
+ ipsecmod-enabled: no
+
+stub-zone:
+ name: "."
+ stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Test ipsecmod-enabled option
+; Scenario overview:
+; - query for example.com. IN A
+; - check that we get an answer for example.com. IN A with the correct TTL
+; - check that the get the same answer from cache
+; - check that we don't get the IPSECKEY answer from cache
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+ ADDRESS 193.0.14.129
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ . IN NS
+ SECTION ANSWER
+ . IN NS K.ROOT-SERVERS.NET.
+ SECTION ADDITIONAL
+ K.ROOT-SERVERS.NET. IN A 193.0.14.129
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR AA NOERROR
+ SECTION QUESTION
+ a.gtld-servers.net. IN AAAA
+ SECTION AUTHORITY
+ . 86400 IN SOA . . 20070304 28800 7200 604800 86400
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR AA NOERROR
+ SECTION QUESTION
+ K.ROOT-SERVERS.NET. IN AAAA
+ SECTION AUTHORITY
+ . 86400 IN SOA . . 20070304 28800 7200 604800 86400
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode subdomain
+ ADJUST copy_id copy_query
+ REPLY QR NOERROR
+ SECTION QUESTION
+ com. IN A
+ SECTION AUTHORITY
+ com. IN NS a.gtld-servers.net.
+ SECTION ADDITIONAL
+ a.gtld-servers.net. IN A 192.5.6.30
+ ENTRY_END
+RANGE_END
+
+; a.gtld-servers.net.
+RANGE_BEGIN 0 100
+ ADDRESS 192.5.6.30
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ com. IN NS
+ SECTION ANSWER
+ com. IN NS a.gtld-servers.net.
+ SECTION ADDITIONAL
+ a.gtld-servers.net. IN A 192.5.6.30
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode subdomain
+ ADJUST copy_id copy_query
+ REPLY QR NOERROR
+ SECTION QUESTION
+ example.com. IN A
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ ENTRY_END
+RANGE_END
+
+; ns.example.com.
+RANGE_BEGIN 0 100
+ ADDRESS 1.2.3.4
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ example.com. IN NS
+ SECTION ANSWER
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR AA NOERROR
+ SECTION QUESTION
+ ns.example.com. IN AAAA
+ SECTION AUTHORITY
+ example.com. 10 IN SOA . . 15 28800 7200 604800 10
+ ENTRY_END
+
+ ; response to A query
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ example.com. IN A
+ SECTION ANSWER
+ example.com. 3600 IN A 5.6.7.8
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ ENTRY_END
+
+ ; response to IPSECKEY query
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ example.com. IN IPSECKEY
+ SECTION ANSWER
+ example.com. 3600 IN IPSECKEY 10 0 2 . AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ==
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ ENTRY_END
+RANGE_END
+
+; Query with RD flag
+STEP 1 QUERY
+ENTRY_BEGIN
+ REPLY RD
+ SECTION QUESTION
+ example.com. IN A
+ENTRY_END
+
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+ MATCH all ttl
+ REPLY QR RD RA NOERROR
+ SECTION QUESTION
+ example.com. IN A
+ SECTION ANSWER
+ example.com. 3600 IN A 5.6.7.8
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ENTRY_END
+
+; Query without RD, check if cached and with correct TTL
+STEP 11 QUERY
+ENTRY_BEGIN
+ SECTION QUESTION
+ example.com. IN A
+ENTRY_END
+
+STEP 20 CHECK_ANSWER
+ENTRY_BEGIN
+ MATCH all ttl
+ REPLY QR RA NOERROR
+ SECTION QUESTION
+ example.com. IN A
+ SECTION ANSWER
+ example.com. 3600 IN A 5.6.7.8
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ENTRY_END
+
+; Query without RD, check if IPSECKEY cached
+STEP 21 QUERY
+ENTRY_BEGIN
+ SECTION QUESTION
+ example.com. IN IPSECKEY
+ENTRY_END
+
+STEP 30 CHECK_ANSWER
+ENTRY_BEGIN
+ MATCH all
+ REPLY QR RA NOERROR
+ SECTION QUESTION
+ example.com. IN IPSECKEY
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ENTRY_END
+
+SCENARIO_END
--- /dev/null
+echo " ---[ IPsec external hook FAIL; only care if ipsecmod-strict: yes ]---"
+exit 1
--- /dev/null
+; Test ipsecmod-ignore-bogus option
+
+; config options
+; The island of trust is at example.com
+server:
+ trust-anchor: "example.com. IN DS 48069 8 2 fce2bcb0d88b828064faad58e935ca2e32ff0bbd8bd8407a8f344d8f8e8c438a"
+ val-override-date: "-1"
+ target-fetch-policy: "0 0 0 0 0"
+ # test that default value of harden-dnssec-stripped is still yes.
+ fake-sha1: yes
+ access-control: 127.0.0.1 allow_snoop
+ module-config: "ipsecmod validator iterator"
+ ; ../../ is there because the test runs from testdata/03-testbound.dir
+ ipsecmod-hook: "../../testdata/ipsecmod_hook.sh"
+ ipsecmod-strict: no
+ ipsecmod-max-ttl: 200
+ ipsecmod-ignore-bogus: yes
+
+stub-zone:
+ name: "."
+ stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Test ipsecmod-ignore-bogus option
+; Scenario overview:
+; - query for example.com. IN A
+; - check that query for example.com. IN IPSECKEY is generated
+; - check that we get an answer for example.com. IN A with the correct TTL
+; - check that the get the same answer from cache
+; - check that we don't get the IPSECKEY answer from cache (bogus)
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+ ADDRESS 193.0.14.129
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ . IN NS
+ SECTION ANSWER
+ . IN NS K.ROOT-SERVERS.NET.
+ SECTION ADDITIONAL
+ K.ROOT-SERVERS.NET. IN A 193.0.14.129
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR AA NOERROR
+ SECTION QUESTION
+ a.gtld-servers.net. IN AAAA
+ SECTION AUTHORITY
+ . 86400 IN SOA . . 20070304 28800 7200 604800 86400
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR AA NOERROR
+ SECTION QUESTION
+ K.ROOT-SERVERS.NET. IN AAAA
+ SECTION AUTHORITY
+ . 86400 IN SOA . . 20070304 28800 7200 604800 86400
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode subdomain
+ ADJUST copy_id copy_query
+ REPLY QR NOERROR
+ SECTION QUESTION
+ com. IN A
+ SECTION AUTHORITY
+ com. IN NS a.gtld-servers.net.
+ SECTION ADDITIONAL
+ a.gtld-servers.net. IN A 192.5.6.30
+ ENTRY_END
+RANGE_END
+
+; a.gtld-servers.net.
+RANGE_BEGIN 0 100
+ ADDRESS 192.5.6.30
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ com. IN NS
+ SECTION ANSWER
+ com. IN NS a.gtld-servers.net.
+ SECTION ADDITIONAL
+ a.gtld-servers.net. IN A 192.5.6.30
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode subdomain
+ ADJUST copy_id copy_query
+ REPLY QR NOERROR
+ SECTION QUESTION
+ example.com. IN A
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ ENTRY_END
+RANGE_END
+
+; ns.example.com.
+RANGE_BEGIN 0 100
+ ADDRESS 1.2.3.4
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ example.com. IN NS
+ SECTION ANSWER
+ example.com. IN NS ns.example.com.
+ example.com. 3600 IN RRSIG NS 8 2 3600 20170609142855 20170512142855 48069 example.com. SYFM1dsPEly0PjdShX8EsRnpq6XTysrvUBWB+LjGaC0wn3RFd0A2TG3WhVkUxhjTzRjt9jn3rz+JUJyybrhBkYXjBeBBjLep6Le7PQSct+FFDTIuX8duixfOzEN5LSYRMUnSuAq/z0LJHUB6nqTw8XWRm6EIImdEBc6D0u1KSes=
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ ns.example.com. 3600 IN RRSIG A 8 3 3600 20170609142855 20170512142855 48069 example.com. kK5LZnGi2VmVmKUXkVenYCQMHGqwhGaEOwjwVG9ScOVzvqNA+n7KWwxdLDsIVLgr/BjR9Cj9+HYB9hYMhk+LnsbHqf5ovY3+n7CV4v3MDWJBLYt7NHvXwoywbaD71w7koo0SUiBXMB/FyuxRj6BXEk4dlGh7mgHZXE+X/gCYxsM=
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR AA NOERROR
+ SECTION QUESTION
+ ns.example.com. IN AAAA
+ SECTION AUTHORITY
+ example.com. 86400 IN SOA ns.example.com. example.com. 2002022401 10800 15 604800 10800
+ example.com. 86400 IN RRSIG SOA 8 2 86400 20170609142855 20170512142855 48069 example.com. fr6oVOsRMnm3D8N01LxzPvT9lWdNDhTlmwR1co42c3H2ra1EjbbKqkLcrXQAsq7E/ddzqgL3RnYS+3USojXycI1xhjXC8YT2xsW3uH8uTY1Qvk1K75lu1OXmDiU6wvHplFowl0OX7sx76lB1itbvsau4bMPMt03sf4u8po7V35s=
+ ENTRY_END
+
+ ; response to A query
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ example.com. IN A
+ SECTION ANSWER
+ example.com. 3600 IN A 5.6.7.8
+ example.com. 3600 IN RRSIG A 8 2 3600 20170609142855 20170512142855 48069 example.com. Qviw6w8ReMG2WZxenvzj/YwoeM3Ln59Fnw6s1MRWGsD2yA3+y0loFdUEHZdRhrEiV0kvtQGC+kBhMuSMq/cyjprbKLw5pkS9+MMDDnVPP1PQb17LY4NIxPtq710AN1sjhBK6PVa6XN+3ciUmCcLs1ESviQkVKpgAY/QlV0TaarQ=
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ example.com. 3600 IN RRSIG NS 8 2 3600 20170609142855 20170512142855 48069 example.com. SYFM1dsPEly0PjdShX8EsRnpq6XTysrvUBWB+LjGaC0wn3RFd0A2TG3WhVkUxhjTzRjt9jn3rz+JUJyybrhBkYXjBeBBjLep6Le7PQSct+FFDTIuX8duixfOzEN5LSYRMUnSuAq/z0LJHUB6nqTw8XWRm6EIImdEBc6D0u1KSes=
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ ns.example.com. 3600 IN RRSIG A 8 3 3600 20170609142855 20170512142855 48069 example.com. kK5LZnGi2VmVmKUXkVenYCQMHGqwhGaEOwjwVG9ScOVzvqNA+n7KWwxdLDsIVLgr/BjR9Cj9+HYB9hYMhk+LnsbHqf5ovY3+n7CV4v3MDWJBLYt7NHvXwoywbaD71w7koo0SUiBXMB/FyuxRj6BXEk4dlGh7mgHZXE+X/gCYxsM=
+ ENTRY_END
+
+ ; response to IPSECKEY query
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ example.com. IN IPSECKEY
+ SECTION ANSWER
+ example.com. 3600 IN IPSECKEY 10 0 2 . AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ==
+ ;(correct answer) example.com. 3600 IN RRSIG IPSECKEY 8 2 3600 20170609144114 20170512144114 48069 example.com. UqRbG6P8mWQEVt16j86cS6fqEN8c+5t8qtePr9ghRqIxeuPOCkLiSqmXQYcQbOeOK4YoWQ3gD2az2JMWQMxEKeBLpxXZbgZN+2uIZ9LLEkyYjGRulr9kameKTM1feSe31A9mR9IgMNrY/ZeUkfxC+8Q7s8avOqYH2jVMFUg9raE=
+ ; (bogus answer)
+ example.com. 3600 IN RRSIG IPSECKEY 8 2 3600 20170609144114 20170512144114 48069 example.com. Bogus6P8mWQEVt16j86cS6fqEN8c+5t8qtePr9ghRqIxeuPOCkLiSqmXQYcQbOeOK4YoWQ3gD2az2JMWQMxEKeBLpxXZbgZN+2uIZ9LLEkyYjGRulr9kameKTM1feSe31A9mR9IgMNrY/ZeUkfxC+8Q7s8avOqYH2jVMFUg9raE=
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ example.com. 3600 IN RRSIG NS 8 2 3600 20170609142855 20170512142855 48069 example.com. SYFM1dsPEly0PjdShX8EsRnpq6XTysrvUBWB+LjGaC0wn3RFd0A2TG3WhVkUxhjTzRjt9jn3rz+JUJyybrhBkYXjBeBBjLep6Le7PQSct+FFDTIuX8duixfOzEN5LSYRMUnSuAq/z0LJHUB6nqTw8XWRm6EIImdEBc6D0u1KSes=
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ ns.example.com. 3600 IN RRSIG A 8 3 3600 20170609142855 20170512142855 48069 example.com. kK5LZnGi2VmVmKUXkVenYCQMHGqwhGaEOwjwVG9ScOVzvqNA+n7KWwxdLDsIVLgr/BjR9Cj9+HYB9hYMhk+LnsbHqf5ovY3+n7CV4v3MDWJBLYt7NHvXwoywbaD71w7koo0SUiBXMB/FyuxRj6BXEk4dlGh7mgHZXE+X/gCYxsM=
+ ENTRY_END
+
+; response to DNSKEY priming query
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR AA NOERROR
+ SECTION QUESTION
+ example.com. IN DNSKEY
+ SECTION ANSWER
+ example.com. 86400 IN DNSKEY 256 3 8 AwEAAddE7q1HL4Id+gpQ7imk+RyNEhCWgtew5tstsqIR/fXq0RBn0rF4SI1H6ysbb3nfqAV1xRDJ01ddpgfGyz9zXXHQ/H/9qEpeWapqfNTQ5GHHdxBL2iST7XusThfXEyX/pouKIpvtknvtLs8tmH64dajxoJkaejU2EKXKaBaRKcYx ;{id = 48069 (zsk), size = 1024b}
+ example.com. 86400 IN RRSIG DNSKEY 8 2 86400 20170609144114 20170512144114 48069 example.com. mJU3LnubfYW7vhksiC1STWbrSjCe6TG1kEpnk4jRrYovues6bzOTIFSXEMjPW1mikulapnx3nMtTWdrW2InjfP9wLV/u2Wx1Vu3s9uzli/27y//3DOkZSeBa5RZdKpC1h8UB5GAxq4MRiSidgEBB1qaDIaE29sWmn9kPHEgNcgI=
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ example.com. 3600 IN RRSIG NS 8 2 3600 20170609142855 20170512142855 48069 example.com. SYFM1dsPEly0PjdShX8EsRnpq6XTysrvUBWB+LjGaC0wn3RFd0A2TG3WhVkUxhjTzRjt9jn3rz+JUJyybrhBkYXjBeBBjLep6Le7PQSct+FFDTIuX8duixfOzEN5LSYRMUnSuAq/z0LJHUB6nqTw8XWRm6EIImdEBc6D0u1KSes=
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ ns.example.com. 3600 IN RRSIG A 8 3 3600 20170609142855 20170512142855 48069 example.com. kK5LZnGi2VmVmKUXkVenYCQMHGqwhGaEOwjwVG9ScOVzvqNA+n7KWwxdLDsIVLgr/BjR9Cj9+HYB9hYMhk+LnsbHqf5ovY3+n7CV4v3MDWJBLYt7NHvXwoywbaD71w7koo0SUiBXMB/FyuxRj6BXEk4dlGh7mgHZXE+X/gCYxsM=
+ ENTRY_END
+RANGE_END
+
+STEP 1 QUERY
+ENTRY_BEGIN
+ REPLY RD
+ SECTION QUESTION
+ example.com. IN A
+ENTRY_END
+
+STEP 2 CHECK_OUT_QUERY
+ENTRY_BEGIN
+ MATCH qname qtype opcode
+ SECTION QUESTION
+ example.com. IN IPSECKEY
+ENTRY_END
+
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+ MATCH all ttl
+ REPLY QR RD RA NOERROR
+ SECTION QUESTION
+ example.com. IN A
+ SECTION ANSWER
+ example.com. 200 IN A 5.6.7.8
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ENTRY_END
+
+; Query without RD, check if cached and with correct TTL
+STEP 11 QUERY
+ENTRY_BEGIN
+ SECTION QUESTION
+ example.com. IN A
+ENTRY_END
+
+STEP 20 CHECK_ANSWER
+ENTRY_BEGIN
+ MATCH all ttl
+ REPLY QR RA NOERROR
+ SECTION QUESTION
+ example.com. IN A
+ SECTION ANSWER
+ example.com. 200 IN A 5.6.7.8
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ENTRY_END
+
+; Query without RD, check if IPSECKEY is not cached
+STEP 21 QUERY
+ENTRY_BEGIN
+ SECTION QUESTION
+ example.com. IN IPSECKEY
+ENTRY_END
+
+STEP 30 CHECK_ANSWER
+ENTRY_BEGIN
+ MATCH all
+ REPLY QR RA SERVFAIL
+ SECTION QUESTION
+ example.com. IN IPSECKEY
+ENTRY_END
+
+SCENARIO_END
--- /dev/null
+; Test ipsecmod-max-ttl option.
+
+; config options
+server:
+ access-control: 127.0.0.1 allow_snoop
+ module-config: "ipsecmod validator iterator"
+ ; ../../ is there because the test runs from testdata/03-testbound.dir
+ ipsecmod-hook: "../../testdata/ipsecmod_hook.sh"
+ ipsecmod-strict: no
+ ipsecmod-max-ttl: 200
+
+stub-zone:
+ name: "."
+ stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Test ipsecmod-max-ttl option
+; Scenario overview:
+; - query for example.com. IN A
+; - check that query for example.com. IN IPSECKEY is generated
+; - check that we get an answer for example.com. IN A with the correct TTL
+; - check that the get the same answer from cache
+; - check that we get the IPSECKEY answer from cache
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+ ADDRESS 193.0.14.129
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ . IN NS
+ SECTION ANSWER
+ . IN NS K.ROOT-SERVERS.NET.
+ SECTION ADDITIONAL
+ K.ROOT-SERVERS.NET. IN A 193.0.14.129
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR AA NOERROR
+ SECTION QUESTION
+ a.gtld-servers.net. IN AAAA
+ SECTION AUTHORITY
+ . 86400 IN SOA . . 20070304 28800 7200 604800 86400
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR AA NOERROR
+ SECTION QUESTION
+ K.ROOT-SERVERS.NET. IN AAAA
+ SECTION AUTHORITY
+ . 86400 IN SOA . . 20070304 28800 7200 604800 86400
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode subdomain
+ ADJUST copy_id copy_query
+ REPLY QR NOERROR
+ SECTION QUESTION
+ com. IN A
+ SECTION AUTHORITY
+ com. IN NS a.gtld-servers.net.
+ SECTION ADDITIONAL
+ a.gtld-servers.net. IN A 192.5.6.30
+ ENTRY_END
+RANGE_END
+
+; a.gtld-servers.net.
+RANGE_BEGIN 0 100
+ ADDRESS 192.5.6.30
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ com. IN NS
+ SECTION ANSWER
+ com. IN NS a.gtld-servers.net.
+ SECTION ADDITIONAL
+ a.gtld-servers.net. IN A 192.5.6.30
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode subdomain
+ ADJUST copy_id copy_query
+ REPLY QR NOERROR
+ SECTION QUESTION
+ example.com. IN A
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ ENTRY_END
+RANGE_END
+
+; ns.example.com.
+RANGE_BEGIN 0 100
+ ADDRESS 1.2.3.4
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ example.com. IN NS
+ SECTION ANSWER
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR AA NOERROR
+ SECTION QUESTION
+ ns.example.com. IN AAAA
+ SECTION AUTHORITY
+ example.com. 10 IN SOA . . 15 28800 7200 604800 10
+ ENTRY_END
+
+ ; response to A query
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ example.com. IN A
+ SECTION ANSWER
+ example.com. 3600 IN A 5.6.7.8
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ ENTRY_END
+
+ ; response to IPSECKEY query
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ example.com. IN IPSECKEY
+ SECTION ANSWER
+ example.com. 3600 IN IPSECKEY 10 0 2 . AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ==
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ ENTRY_END
+RANGE_END
+
+; Query with RD flag
+STEP 1 QUERY
+ENTRY_BEGIN
+ REPLY RD
+ SECTION QUESTION
+ example.com. IN A
+ENTRY_END
+
+STEP 2 CHECK_OUT_QUERY
+ENTRY_BEGIN
+ MATCH qname qtype opcode
+ SECTION QUESTION
+ example.com. IN IPSECKEY
+ENTRY_END
+
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+ MATCH all ttl
+ REPLY QR RD RA NOERROR
+ SECTION QUESTION
+ example.com. IN A
+ SECTION ANSWER
+ example.com. 200 IN A 5.6.7.8
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ENTRY_END
+
+; Query without RD, check if cached and with correct TTL
+STEP 11 QUERY
+ENTRY_BEGIN
+ SECTION QUESTION
+ example.com. IN A
+ENTRY_END
+
+STEP 20 CHECK_ANSWER
+ENTRY_BEGIN
+ MATCH all ttl
+ REPLY QR RA NOERROR
+ SECTION QUESTION
+ example.com. IN A
+ SECTION ANSWER
+ example.com. 200 IN A 5.6.7.8
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ENTRY_END
+
+; Query without RD, check if IPSECKEY cached
+STEP 21 QUERY
+ENTRY_BEGIN
+ SECTION QUESTION
+ example.com. IN IPSECKEY
+ENTRY_END
+
+STEP 30 CHECK_ANSWER
+ENTRY_BEGIN
+ MATCH all
+ REPLY QR RA NOERROR
+ SECTION QUESTION
+ example.com. IN IPSECKEY
+ SECTION ANSWER
+ example.com. 3600 IN IPSECKEY 10 0 2 . AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ==
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ENTRY_END
+
+SCENARIO_END
--- /dev/null
+; Test ipsecmod-strict option
+
+; config options
+server:
+ access-control: 127.0.0.1 allow_snoop
+ module-config: "ipsecmod validator iterator"
+ ; ../../ is there because the test runs from testdata/03-testbound.dir
+ ipsecmod-hook: "../../testdata/ipsecmod_hook.sh"
+ ipsecmod-strict: yes
+ ipsecmod-max-ttl: 200
+
+stub-zone:
+ name: "."
+ stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Test ipsecmod-strict option
+; Scenario overview:
+; - query for example.com. IN A
+; - check that query for example.com. IN IPSECKEY is generated
+; - check that we get SERVFAIL as answer (the hook failed)
+; - check that the example.com. IN A answer is not cached
+; - check that the example.com. IN IPSECKEY answer is cached
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+ ADDRESS 193.0.14.129
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ . IN NS
+ SECTION ANSWER
+ . IN NS K.ROOT-SERVERS.NET.
+ SECTION ADDITIONAL
+ K.ROOT-SERVERS.NET. IN A 193.0.14.129
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR AA NOERROR
+ SECTION QUESTION
+ a.gtld-servers.net. IN AAAA
+ SECTION AUTHORITY
+ . 86400 IN SOA . . 20070304 28800 7200 604800 86400
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR AA NOERROR
+ SECTION QUESTION
+ K.ROOT-SERVERS.NET. IN AAAA
+ SECTION AUTHORITY
+ . 86400 IN SOA . . 20070304 28800 7200 604800 86400
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode subdomain
+ ADJUST copy_id copy_query
+ REPLY QR NOERROR
+ SECTION QUESTION
+ com. IN A
+ SECTION AUTHORITY
+ com. IN NS a.gtld-servers.net.
+ SECTION ADDITIONAL
+ a.gtld-servers.net. IN A 192.5.6.30
+ ENTRY_END
+RANGE_END
+
+; a.gtld-servers.net.
+RANGE_BEGIN 0 100
+ ADDRESS 192.5.6.30
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ com. IN NS
+ SECTION ANSWER
+ com. IN NS a.gtld-servers.net.
+ SECTION ADDITIONAL
+ a.gtld-servers.net. IN A 192.5.6.30
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode subdomain
+ ADJUST copy_id copy_query
+ REPLY QR NOERROR
+ SECTION QUESTION
+ example.com. IN A
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ ENTRY_END
+RANGE_END
+
+; ns.example.com.
+RANGE_BEGIN 0 100
+ ADDRESS 1.2.3.4
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ example.com. IN NS
+ SECTION ANSWER
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR AA NOERROR
+ SECTION QUESTION
+ ns.example.com. IN AAAA
+ SECTION AUTHORITY
+ example.com. 10 IN SOA . . 15 28800 7200 604800 10
+ ENTRY_END
+
+ ; response to A query
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ example.com. IN A
+ SECTION ANSWER
+ example.com. 3600 IN A 5.6.7.8
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ ENTRY_END
+
+ ; response to IPSECKEY query
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ example.com. IN IPSECKEY
+ SECTION ANSWER
+ example.com. 3600 IN IPSECKEY 10 0 2 . AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ==
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ ENTRY_END
+RANGE_END
+
+STEP 1 QUERY
+ENTRY_BEGIN
+ REPLY RD
+ SECTION QUESTION
+ example.com. IN A
+ENTRY_END
+
+STEP 2 CHECK_OUT_QUERY
+ENTRY_BEGIN
+ MATCH qname qtype opcode
+ SECTION QUESTION
+ example.com. IN IPSECKEY
+ENTRY_END
+
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+ MATCH all
+ REPLY QR RD RA SERVFAIL
+ SECTION QUESTION
+ example.com. IN A
+ENTRY_END
+
+STEP 11 QUERY
+ENTRY_BEGIN
+ SECTION QUESTION
+ example.com. IN A
+ENTRY_END
+
+STEP 20 CHECK_ANSWER
+ENTRY_BEGIN
+ MATCH all
+ REPLY QR RA NOERROR
+ SECTION QUESTION
+ example.com. IN A
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ENTRY_END
+
+STEP 21 QUERY
+ENTRY_BEGIN
+ SECTION QUESTION
+ example.com. IN IPSECKEY
+ENTRY_END
+
+STEP 30 CHECK_ANSWER
+ENTRY_BEGIN
+ MATCH all
+ REPLY QR RA NOERROR
+ SECTION QUESTION
+ example.com. IN IPSECKEY
+ SECTION ANSWER
+ example.com. 3600 IN IPSECKEY 10 0 2 . AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ==
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ENTRY_END
+
+SCENARIO_END
--- /dev/null
+; Test ipsecmod-whitelist option.
+
+; config options
+server:
+ access-control: 127.0.0.1 allow_snoop
+ module-config: "ipsecmod validator iterator"
+ ; ../../ is there because the test runs from testdata/03-testbound.dir
+ ipsecmod-hook: "../../testdata/ipsecmod_hook.sh"
+ ipsecmod-strict: no
+ ipsecmod-max-ttl: 200
+ ipsecmod-whitelist: white.example.com
+
+stub-zone:
+ name: "."
+ stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Test ipsecmod-whitelist option
+; Scenario overview:
+; - query for black.example.com. IN A
+; - check that we get an answer for black.example.com. IN A with the correct TTL
+; - check that an answer for black.example.com. IN IPSECKEY is not cached (not given)
+; - query for white.example.com. IN A
+; - check that query for white.example.com. IN IPSECKEY is generated
+; - check that we get an answer for white.example.com. IN A with the correct TTL
+; - check that the get the same answer from cache
+; - check that we get the IPSECKEY answer from cache
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+ ADDRESS 193.0.14.129
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ . IN NS
+ SECTION ANSWER
+ . IN NS K.ROOT-SERVERS.NET.
+ SECTION ADDITIONAL
+ K.ROOT-SERVERS.NET. IN A 193.0.14.129
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR AA NOERROR
+ SECTION QUESTION
+ a.gtld-servers.net. IN AAAA
+ SECTION AUTHORITY
+ . 86400 IN SOA . . 20070304 28800 7200 604800 86400
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR AA NOERROR
+ SECTION QUESTION
+ K.ROOT-SERVERS.NET. IN AAAA
+ SECTION AUTHORITY
+ . 86400 IN SOA . . 20070304 28800 7200 604800 86400
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode subdomain
+ ADJUST copy_id copy_query
+ REPLY QR NOERROR
+ SECTION QUESTION
+ com. IN A
+ SECTION AUTHORITY
+ com. IN NS a.gtld-servers.net.
+ SECTION ADDITIONAL
+ a.gtld-servers.net. IN A 192.5.6.30
+ ENTRY_END
+RANGE_END
+
+; a.gtld-servers.net.
+RANGE_BEGIN 0 100
+ ADDRESS 192.5.6.30
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ com. IN NS
+ SECTION ANSWER
+ com. IN NS a.gtld-servers.net.
+ SECTION ADDITIONAL
+ a.gtld-servers.net. IN A 192.5.6.30
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode subdomain
+ ADJUST copy_id copy_query
+ REPLY QR NOERROR
+ SECTION QUESTION
+ example.com. IN A
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ ENTRY_END
+RANGE_END
+
+; ns.example.com.
+RANGE_BEGIN 0 100
+ ADDRESS 1.2.3.4
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ example.com. IN NS
+ SECTION ANSWER
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR AA NOERROR
+ SECTION QUESTION
+ ns.example.com. IN AAAA
+ SECTION AUTHORITY
+ example.com. 10 IN SOA . . 15 28800 7200 604800 10
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ white.example.com. IN A
+ SECTION ANSWER
+ white.example.com. 3600 IN A 5.6.7.8
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ white.example.com. IN IPSECKEY
+ SECTION ANSWER
+ white.example.com. 3600 IN IPSECKEY 10 0 2 . AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ==
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ black.example.com. IN A
+ SECTION ANSWER
+ black.example.com. 3600 IN A 5.6.7.8
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ black.example.com. IN IPSECKEY
+ SECTION ANSWER
+ black.example.com. 3600 IN IPSECKEY 10 0 2 . AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ==
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ ENTRY_END
+RANGE_END
+
+STEP 1 QUERY
+ENTRY_BEGIN
+ REPLY RD
+ SECTION QUESTION
+ black.example.com. IN A
+ENTRY_END
+
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+ MATCH all ttl
+ REPLY QR RD RA NOERROR
+ SECTION QUESTION
+ black.example.com. IN A
+ SECTION ANSWER
+ black.example.com. 3600 IN A 5.6.7.8
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ENTRY_END
+
+STEP 11 QUERY
+ENTRY_BEGIN
+ SECTION QUESTION
+ black.example.com. IN IPSECKEY
+ENTRY_END
+
+STEP 12 CHECK_ANSWER
+ENTRY_BEGIN
+ MATCH all
+ REPLY QR RA NOERROR
+ SECTION QUESTION
+ black.example.com. IN IPSECKEY
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ENTRY_END
+
+STEP 20 QUERY
+ENTRY_BEGIN
+ REPLY RD
+ SECTION QUESTION
+ white.example.com. IN A
+ENTRY_END
+
+STEP 21 CHECK_OUT_QUERY
+ENTRY_BEGIN
+ MATCH qname qtype opcode
+ SECTION QUESTION
+ white.example.com. IN IPSECKEY
+ENTRY_END
+
+STEP 30 CHECK_ANSWER
+ENTRY_BEGIN
+ MATCH all ttl
+ REPLY QR RD RA NOERROR
+ SECTION QUESTION
+ white.example.com. IN A
+ SECTION ANSWER
+ white.example.com. 200 IN A 5.6.7.8
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ENTRY_END
+
+STEP 31 QUERY
+ENTRY_BEGIN
+ SECTION QUESTION
+ white.example.com. IN A
+ENTRY_END
+
+STEP 40 CHECK_ANSWER
+ENTRY_BEGIN
+ MATCH all ttl
+ REPLY QR RA NOERROR
+ SECTION QUESTION
+ white.example.com. IN A
+ SECTION ANSWER
+ white.example.com. 200 IN A 5.6.7.8
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ENTRY_END
+
+STEP 41 QUERY
+ENTRY_BEGIN
+ SECTION QUESTION
+ white.example.com. IN IPSECKEY
+ENTRY_END
+
+STEP 50 CHECK_ANSWER
+ENTRY_BEGIN
+ MATCH all
+ REPLY QR RA NOERROR
+ SECTION QUESTION
+ white.example.com. IN IPSECKEY
+ SECTION ANSWER
+ white.example.com. 3600 IN IPSECKEY 10 0 2 . AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ==
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ENTRY_END
+
+SCENARIO_END
cfg->dnscrypt_provider = NULL;
cfg->dnscrypt_provider_cert = NULL;
cfg->dnscrypt_secret_key = NULL;
+#ifdef USE_IPSECMOD
+ cfg->ipsecmod_enabled = 1;
+ cfg->ipsecmod_ignore_bogus = 0;
+ cfg->ipsecmod_hook = NULL;
+ cfg->ipsecmod_max_ttl = 3600;
+ cfg->ipsecmod_whitelist = NULL;
+ cfg->ipsecmod_strict = 0;
+#endif
return cfg;
error_exit:
config_delete(cfg);
else S_NUMBER_OR_ZERO("ratelimit-factor:", ratelimit_factor)
else S_YNO("qname-minimisation:", qname_minimisation)
else S_YNO("qname-minimisation-strict:", qname_minimisation_strict)
+#ifdef USE_IPSECMOD
+ else S_YNO("ipsecmod-enabled:", ipsecmod_enabled)
+ else S_YNO("ipsecmod-ignore-bogus:", ipsecmod_ignore_bogus)
+ else if(strcmp(opt, "ipsecmod-max-ttl:") == 0)
+ { IS_NUMBER_OR_ZERO; cfg->ipsecmod_max_ttl = atoi(val); }
+ else S_YNO("ipsecmod-strict:", ipsecmod_strict)
+#endif
else if(strcmp(opt, "define-tag:") ==0) {
return config_add_tag(cfg, val);
/* val_sig_skew_min and max are copied into val_env during init,
cfg->out_ifs = oi;
} else {
/* unknown or unsupported (from the set_option interface):
- * interface, outgoing-interface, access-control,
+ * interface, outgoing-interface, access-control,
* stub-zone, name, stub-addr, stub-host, stub-prime
* forward-first, stub-first, forward-ssl-upstream,
* stub-ssl-upstream, forward-zone,
* name, forward-addr, forward-host,
* ratelimit-for-domain, ratelimit-below-domain,
- * local-zone-tag, access-control-view
- * send-client-subnet client-subnet-always-forward
- * max-client-subnet-ipv4 max-client-subnet-ipv6 */
+ * local-zone-tag, access-control-view,
+ * send-client-subnet, client-subnet-always-forward,
+ * max-client-subnet-ipv4, max-client-subnet-ipv6, ipsecmod_hook,
+ * ipsecmod_whitelist. */
return 0;
}
return 1;
else O_LS3(opt, "access-control-tag-action", acl_tag_actions)
else O_LS3(opt, "access-control-tag-data", acl_tag_datas)
else O_LS2(opt, "access-control-view", acl_view)
+#ifdef USE_IPSECMOD
+ else O_YNO(opt, "ipsecmod-enabled", ipsecmod_enabled)
+ else O_YNO(opt, "ipsecmod-ignore-bogus", ipsecmod_ignore_bogus)
+ else O_STR(opt, "ipsecmod-hook", ipsecmod_hook)
+ else O_DEC(opt, "ipsecmod-max-ttl", ipsecmod_max_ttl)
+ else O_LST(opt, "ipsecmod-whitelist", ipsecmod_whitelist)
+ else O_YNO(opt, "ipsecmod-strict", ipsecmod_strict)
+#endif
/* not here:
* outgoing-permit, outgoing-avoid - have list of ports
* local-zone - zones and nodefault variables
free(cfg->dnstap_version);
config_deldblstrlist(cfg->ratelimit_for_domain);
config_deldblstrlist(cfg->ratelimit_below_domain);
+#ifdef USE_IPSECMOD
+ free(cfg->ipsecmod_hook);
+ config_delstrlist(cfg->ipsecmod_whitelist);
+#endif
free(cfg);
}
struct config_strlist* dnscrypt_secret_key;
/** dnscrypt provider certs 1.cert */
struct config_strlist* dnscrypt_provider_cert;
+
+ /** IPsec module */
+#ifdef USE_IPSECMOD
+ /** false to bypass the IPsec module */
+ int ipsecmod_enabled;
+ /** whitelisted domains for ipsecmod */
+ struct config_strlist* ipsecmod_whitelist;
+ /** path to external hook */
+ char* ipsecmod_hook;
+ /** true to proceed even with a bogus IPSECKEY */
+ int ipsecmod_ignore_bogus;
+ /** max TTL for the A/AAAA records that call the hook */
+ int ipsecmod_max_ttl;
+ /** false to proceed even when ipsecmod_hook fails */
+ int ipsecmod_strict;
+#endif
};
/** from cfg username, after daemonise setup performed */
dnscrypt-provider{COLON} { YDVAR(1, VAR_DNSCRYPT_PROVIDER) }
dnscrypt-secret-key{COLON} { YDVAR(1, VAR_DNSCRYPT_SECRET_KEY) }
dnscrypt-provider-cert{COLON} { YDVAR(1, VAR_DNSCRYPT_PROVIDER_CERT) }
+ipsecmod-enabled{COLON} { YDVAR(1, VAR_IPSECMOD_ENABLED) }
+ipsecmod-ignore-bogus{COLON} { YDVAR(1, VAR_IPSECMOD_IGNORE_BOGUS) }
+ipsecmod-hook{COLON} { YDVAR(1, VAR_IPSECMOD_HOOK) }
+ipsecmod-max-ttl{COLON} { YDVAR(1, VAR_IPSECMOD_MAX_TTL) }
+ipsecmod-whitelist{COLON} { YDVAR(1, VAR_IPSECMOD_WHITELIST) }
+ipsecmod-strict{COLON} { YDVAR(1, VAR_IPSECMOD_STRICT) }
<INITIAL,val>{NEWLINE} { LEXOUT(("NL\n")); cfg_parser->line++; }
/* Quoted strings. Strip leading and ending quotes */
%token VAR_USE_SYSTEMD VAR_SHM_ENABLE VAR_SHM_KEY
%token VAR_DNSCRYPT VAR_DNSCRYPT_ENABLE VAR_DNSCRYPT_PORT VAR_DNSCRYPT_PROVIDER
%token VAR_DNSCRYPT_SECRET_KEY VAR_DNSCRYPT_PROVIDER_CERT
+%token VAR_IPSECMOD_ENABLED VAR_IPSECMOD_HOOK VAR_IPSECMOD_IGNORE_BOGUS
+%token VAR_IPSECMOD_MAX_TTL VAR_IPSECMOD_WHITELIST VAR_IPSECMOD_STRICT
%%
toplevelvars: /* empty */ | toplevelvars toplevelvar ;
server_fake_dsa | server_log_identity | server_use_systemd |
server_response_ip_tag | server_response_ip | server_response_ip_data |
server_shm_enable | server_shm_key | server_fake_sha1 |
- server_hide_trustanchor | server_trust_anchor_signaling
+ server_hide_trustanchor | server_trust_anchor_signaling |
+ server_ipsecmod_enabled | server_ipsecmod_hook |
+ server_ipsecmod_ignore_bogus | server_ipsecmod_max_ttl |
+ server_ipsecmod_whitelist | server_ipsecmod_strict
;
stubstart: VAR_STUB_ZONE
{
free($2);
}
;
+server_ipsecmod_enabled: VAR_IPSECMOD_ENABLED STRING_ARG
+ {
+ #ifdef USE_IPSECMOD
+ OUTYY(("P(server_ipsecmod_enabled:%s)\n", $2));
+ if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
+ yyerror("expected yes or no.");
+ else cfg_parser->cfg->ipsecmod_enabled = (strcmp($2, "yes")==0);
+ free($2);
+ #else
+ OUTYY(("P(Compiled without IPsec module, ignoring)\n"));
+ #endif
+ }
+ ;
+server_ipsecmod_ignore_bogus: VAR_IPSECMOD_IGNORE_BOGUS STRING_ARG
+ {
+ #ifdef USE_IPSECMOD
+ OUTYY(("P(server_ipsecmod_ignore_bogus:%s)\n", $2));
+ if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
+ yyerror("expected yes or no.");
+ else cfg_parser->cfg->ipsecmod_ignore_bogus = (strcmp($2, "yes")==0);
+ free($2);
+ #else
+ OUTYY(("P(Compiled without IPsec module, ignoring)\n"));
+ #endif
+ }
+ ;
+server_ipsecmod_hook: VAR_IPSECMOD_HOOK STRING_ARG
+ {
+ #ifdef USE_IPSECMOD
+ OUTYY(("P(server_ipsecmod_hook:%s)\n", $2));
+ free(cfg_parser->cfg->ipsecmod_hook);
+ cfg_parser->cfg->ipsecmod_hook = $2;
+ #else
+ OUTYY(("P(Compiled without IPsec module, ignoring)\n"));
+ #endif
+ }
+ ;
+server_ipsecmod_max_ttl: VAR_IPSECMOD_MAX_TTL STRING_ARG
+ {
+ #ifdef USE_IPSECMOD
+ OUTYY(("P(server_ipsecmod_max_ttl:%s)\n", $2));
+ if(atoi($2) == 0 && strcmp($2, "0") != 0)
+ yyerror("number expected");
+ else cfg_parser->cfg->ipsecmod_max_ttl = atoi($2);
+ free($2);
+ #else
+ OUTYY(("P(Compiled without IPsec module, ignoring)\n"));
+ #endif
+ }
+ ;
+server_ipsecmod_whitelist: VAR_IPSECMOD_WHITELIST STRING_ARG
+ {
+ #ifdef USE_IPSECMOD
+ OUTYY(("P(server_ipsecmod_whitelist:%s)\n", $2));
+ if(!cfg_strlist_insert(&cfg_parser->cfg->ipsecmod_whitelist, $2))
+ yyerror("out of memory");
+ #else
+ OUTYY(("P(Compiled without IPsec module, ignoring)\n"));
+ #endif
+ }
+ ;
+server_ipsecmod_strict: VAR_IPSECMOD_STRICT STRING_ARG
+ {
+ #ifdef USE_IPSECMOD
+ OUTYY(("P(server_ipsecmod_strict:%s)\n", $2));
+ if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
+ yyerror("expected yes or no.");
+ else cfg_parser->cfg->ipsecmod_strict = (strcmp($2, "yes")==0);
+ free($2);
+ #else
+ OUTYY(("P(Compiled without IPsec module, ignoring)\n"));
+ #endif
+ }
+ ;
stub_name: VAR_NAME STRING_ARG
{
OUTYY(("P(name:%s)\n", $2));
#ifdef USE_CACHEDB
#include "cachedb/cachedb.h"
#endif
+#ifdef USE_IPSECMOD
+#include "ipsecmod/ipsecmod.h"
+#endif
#ifdef CLIENT_SUBNET
#include "edns-subnet/subnetmod.h"
#endif
#ifdef USE_CACHEDB
else if(fptr == &cachedb_init) return 1;
#endif
+#ifdef USE_IPSECMOD
+ else if(fptr == &ipsecmod_init) return 1;
+#endif
#ifdef CLIENT_SUBNET
else if(fptr == &subnetmod_init) return 1;
#endif
#ifdef USE_CACHEDB
else if(fptr == &cachedb_deinit) return 1;
#endif
+#ifdef USE_IPSECMOD
+ else if(fptr == &ipsecmod_deinit) return 1;
+#endif
#ifdef CLIENT_SUBNET
else if(fptr == &subnetmod_deinit) return 1;
#endif
#ifdef USE_CACHEDB
else if(fptr == &cachedb_operate) return 1;
#endif
+#ifdef USE_IPSECMOD
+ else if(fptr == &ipsecmod_operate) return 1;
+#endif
#ifdef CLIENT_SUBNET
else if(fptr == &subnetmod_operate) return 1;
#endif
#ifdef USE_CACHEDB
else if(fptr == &cachedb_inform_super) return 1;
#endif
+#ifdef USE_IPSECMOD
+ else if(fptr == &ipsecmod_inform_super) return 1;
+#endif
#ifdef CLIENT_SUBNET
else if(fptr == &subnetmod_inform_super) return 1;
#endif
#ifdef USE_CACHEDB
else if(fptr == &cachedb_clear) return 1;
#endif
+#ifdef USE_IPSECMOD
+ else if(fptr == &ipsecmod_clear) return 1;
+#endif
#ifdef CLIENT_SUBNET
else if(fptr == &subnetmod_clear) return 1;
#endif
#ifdef USE_CACHEDB
else if(fptr == &cachedb_get_mem) return 1;
#endif
+#ifdef USE_IPSECMOD
+ else if(fptr == &ipsecmod_get_mem) return 1;
+#endif
#ifdef CLIENT_SUBNET
else if(fptr == &subnetmod_get_mem) return 1;
#endif
fptr_ok(fptr_whitelist_mod_get_mem(worker->env.mesh->mods.mod[modstack]->get_mem));
shm_stat->mem.subnet = (long long)(*worker->env.mesh->mods.mod[modstack]->get_mem)(&worker->env, modstack);
}
+#endif
+ /* ipsecmod mem value is available in shm, also when not enabled,
+ * to make the struct easier to memmap by other applications,
+ * independent of the configuration of unbound */
+ shm_stat->mem.ipsecmod = 0;
+#ifdef USE_IPSECMOD
+ modstack = modstack_find(&worker->env.mesh->mods, "ipsecmod");
+ if(modstack != -1) {
+ fptr_ok(fptr_whitelist_mod_get_mem(worker->env.mesh->mods.mod[modstack]->get_mem));
+ shm_stat->mem.ipsecmod = (*worker->env.mesh->mods.mod[modstack]->get_mem)(&worker->env, modstack);
+ }
#endif
}
projects / thirdparty / unbound.git / commitdiff
