From: Willem Toorop
Date: Thu, 30 Oct 2025 08:48:57 +0000 (+0100)
Subject: Merge branch 'master' into update-with-branches/poisonlicious
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2217c9b96e70e16e5794a7b5223c3b3646c45d19;p=thirdparty%2Funbound.git
Merge branch 'master' into update-with-branches/poisonlicious
---
2217c9b96e70e16e5794a7b5223c3b3646c45d19
diff --cc doc/unbound.conf.rst
index 3c2b1781e,8f78fb31d..ed9cdef00
--- a/doc/unbound.conf.rst
+++ b/doc/unbound.conf.rst
@@@ -4978,45 -5110,9 +5134,45 @@@ answer queries with that content
:ref:`interface-tag`. Enclose list of tags in quotes (``""``) and put spaces between tags.
- If no tags are specified the policies from this clause will be applied for
+ If no tags are specified the policies from this section will be applied for
all clients.
+.. _unbound.conf.tsig-key:
+
+TSIG Key Options
+^^^^^^^^^^^^^^^^^
+
+The **tsig-key:** clauses specify the TSIG keys that are used.
+There can be multiple **tsig-key:** clauses, with each specifying a
+different key.
+Each key has a name, algorithm and secret key material.
+
+TSIG keys are shared secrets.
+Both sides of the connection share the secret information.
+Also they must both use the same name for the key, and same algorithm.
+
+With ``include: "key.conf"`` it is possible to put the declaration of the key
+or some lines of it in an external file from the main configuration file.
+It can also be used without such an include, with it the config statements
+and key material can be put in separate files.
+
+
+@@UAHL@unbound.conf.tsig-key@name@@: *""*
+ Name of the TSIG key.
+ The key name is transferred in DNS wireformat in the TSIG record, and
+ is used to reference the TSIG key from where it is configured to be used.
+
+
+@@UAHL@unbound.conf.tsig-key@algorithm@@: **
+ Name of the algorithm to use with this TSIG key.
+ This can be md5, sha1, sha224, sha256, sha384 or sha512.
+
+
+@@UAHL@unbound.conf.tsig-key@secret@@: *""*
+ The secret contents is a base64 string.
+ A way to get random base64 bytes is e.g.
+ from ``dd if=/dev/random of=/dev/stdout count=1 bs=32 | base64``
Memory Control Example
----------------------
diff --cc services/mesh.c
index a092915d5,af2172102..d3cac3204
--- a/services/mesh.c
+++ b/services/mesh.c
@@@ -1728,50 -1736,38 +1737,59 @@@ void mesh_query_done(struct mesh_state
if(mstate->reply_list && mstate->s.env->cfg->dns_error_reporting)
dns_error_reporting(&mstate->s, rep);
+ if(mstate->reply_list && rep) {
+ uint8_t data[8192];
+ struct sldns_buffer dest;
+ int i;
+
+ sldns_buffer_init_frm_data(&dest, data, sizeof(data));
+ reply_info_answer_encode(&mstate->s.qinfo, rep, 0 /* id */,
+ 0 /* qflags */, &dest, 0 /* current time */,
+ 1 /* cached */, mstate->s.env->scratch,
+ sizeof(data) /* udpsize */, NULL /* edns */,
+ 1 /* dnssec */, 0 /* secure */);
+ log_err("Answer to be send to other unbounds, size: %d",
+ (int)sldns_buffer_limit(&dest));
+ for(i = 0; i < mstate->s.env->outnet->num_dist; i++) {
+ if(mstate->s.env->outnet->dist[i] != -1)
+ send(mstate->s.env->outnet->dist[i],
+ data, sldns_buffer_limit(&dest), 0);
+ }
+
+ }
for(r = mstate->reply_list; r; r = r->next) {
- struct timeval old;
- timeval_subtract(&old, mstate->s.env->now_tv, &r->start_time);
- if(mstate->s.env->cfg->discard_timeout != 0 &&
- ((int)old.tv_sec)*1000+((int)old.tv_usec)/1000 >
- mstate->s.env->cfg->discard_timeout) {
- /* Drop the reply, it is too old */
- /* briefly set the reply_list to NULL, so that the
- * tcp req info cleanup routine that calls the mesh
- * to deregister the meshstate for it is not done
- * because the list is NULL and also accounting is not
- * done there, but instead we do that here.
*/
- struct mesh_reply* reply_list = mstate->reply_list;
- verbose(VERB_ALGO, "drop reply, it is older than discard-timeout");
- infra_wait_limit_dec(mstate->s.env->infra_cache,
- &r->query_reply, mstate->s.env->cfg);
- mstate->reply_list = NULL;
- if(r->query_reply.c->use_h2)
- http2_stream_remove_mesh_state(r->h2_stream);
- comm_point_drop_reply(&r->query_reply);
- mstate->reply_list = reply_list;
- mstate->s.env->mesh->num_queries_discard_timeout++;
- continue;
+ if(mesh_is_udp(r)) {
+ /* For UDP queries, the old replies are discarded.
+ * This stops a large volume of old replies from
+ * building up.
+ * The stream replies, are not discarded. The
+ * stream is open, the other side is waiting.
+ * Some answer is needed, even if servfail, but the
+ * real reply is ready to go, so that is given. */
+ struct timeval old;
+ timeval_subtract(&old, mstate->s.env->now_tv, &r->start_time);
+ if(mstate->s.env->cfg->discard_timeout != 0 &&
+ ((int)old.tv_sec)*1000+((int)old.tv_usec)/1000 >
+ mstate->s.env->cfg->discard_timeout) {
+ /* Drop the reply, it is too old */
+ /* briefly set the reply_list to NULL, so that the
+ * tcp req info cleanup routine that calls the mesh
+ * to deregister the meshstate for it is not done
+ * because the list is NULL and also accounting is not
+ * done there, but instead we do that here.
*/
+ struct mesh_reply* reply_list = mstate->reply_list;
+ verbose(VERB_ALGO, "drop reply, it is older than discard-timeout");
+ infra_wait_limit_dec(mstate->s.env->infra_cache,
+ &r->query_reply, mstate->s.env->cfg);
+ mstate->reply_list = NULL;
+ if(r->query_reply.c->use_h2)
+ http2_stream_remove_mesh_state(r->h2_stream);
+ comm_point_drop_reply(&r->query_reply);
+ mstate->reply_list = reply_list;
+ mstate->s.env->mesh->num_queries_discard_timeout++;
+ continue;
+ }
}
i++;
diff --cc util/configlexer.lex
index 2268e3e65,22f98e464..f01b4f59a
--- a/util/configlexer.lex
+++ b/util/configlexer.lex
@@@ -612,9 -607,7 +612,10 @@@ proxy-protocol-port{COLON} { YDVAR(1, V
iter-scrub-ns{COLON} { YDVAR(1, VAR_ITER_SCRUB_NS) }
iter-scrub-cname{COLON} { YDVAR(1, VAR_ITER_SCRUB_CNAME) }
max-global-quota{COLON} { YDVAR(1, VAR_MAX_GLOBAL_QUOTA) }
+ iter-scrub-promiscuous{COLON} { YDVAR(1, VAR_ITER_SCRUB_PROMISCUOUS) }
+tsig-key{COLON} { YDVAR(0, VAR_TSIG_KEY) }
+algorithm{COLON} { YDVAR(1, VAR_ALGORITHM) }
+secret{COLON} { YDVAR(1, VAR_SECRET) }
{NEWLINE} { LEXOUT(("NL\n")); cfg_parser->line++; }
/* Quoted strings. Strip leading and ending quotes */
diff --cc util/configparser.y
index 732212a37,bf9c196fc..cd01fbcbd
--- a/util/configparser.y
+++ b/util/configparser.y
@@@ -220,7 -216,7 +220,8 @@@ extern struct config_parser_state* cfg_
%token VAR_LOG_DESTADDR VAR_CACHEDB_CHECK_WHEN_SERVE_EXPIRED
%token VAR_COOKIE_SECRET_FILE VAR_ITER_SCRUB_NS VAR_ITER_SCRUB_CNAME
%token VAR_MAX_GLOBAL_QUOTA VAR_HARDEN_UNVERIFIED_GLUE VAR_LOG_TIME_ISO
+ %token VAR_ITER_SCRUB_PROMISCUOUS
+%token VAR_TSIG_KEY VAR_ALGORITHM VAR_SECRET
%%
toplevelvars: /* empty */ | toplevelvars toplevelvar ;
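Review bot: In the new `if(mstate->reply_list && rep)` block of mesh_query_done the result of reply_info_answer_encode() is never checked before the buffer is transmitted, and the return value of send() on each distribution socket is discarded, so a failed or truncated encoding goes out as-is and a failed or short write is invisible; the rewrite below skips the sends when encoding fails and logs send errors and short writes. The routine "Answer to be send to other unbounds" message is logged with log_err(), which will hit the error log on every answered query; `verbose(VERB_ALGO, ...)` matches the `drop reply` message later in the same hunk (and "send" should read "sent"). The `int i` declared inside the block appears to shadow the function-level `i` that the hunk's last line increments, so a distinct name such as `d` avoids a -Wshadow hit. Nothing in the hunk gates the distribution on configuration, so every answer is copied to every open `dist[]` socket whenever reply_list is non-empty; confirm that is intended rather than an experiment left enabled. mesh_query_done's body starts and ends outside the hunk.
```c
	if(mstate->reply_list && rep) {
		uint8_t data[8192];
		struct sldns_buffer dest;
		int d;

		sldns_buffer_init_frm_data(&dest, data, sizeof(data));
		if(!reply_info_answer_encode(&mstate->s.qinfo, rep, 0 /* id */,
			0 /* qflags */, &dest, 0 /* current time */,
			1 /* cached */, mstate->s.env->scratch,
			sizeof(data) /* udpsize */, NULL /* edns */,
			1 /* dnssec */, 0 /* secure */)) {
			log_err("could not encode answer for distribution");
		} else {
			verbose(VERB_ALGO, "answer to be sent to other unbounds, size: %d",
				(int)sldns_buffer_limit(&dest));
			for(d = 0; d < mstate->s.env->outnet->num_dist; d++) {
				ssize_t sent;
				if(mstate->s.env->outnet->dist[d] == -1)
					continue;
				sent = send(mstate->s.env->outnet->dist[d],
					data, sldns_buffer_limit(&dest), 0);
				if(sent == -1 || (size_t)sent != sldns_buffer_limit(&dest))
					log_err("send to distribution socket %d failed: %s",
						d, sent == -1 ? strerror(errno) : "short write");
			}
		}
	}
	/* … unchanged: reply_list loop with discard-timeout handling … */
```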