From: George Thessalonikefs Date: Tue, 16 May 2017 12:39:24 +0000 (+0000) Subject: - Implemented opportunistic IPsec support module (ipsecmod). X-Git-Tag: release-1.6.4rc1~76 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=491b0a26e45aabb236d407f5892f296f44b462fe;p=thirdparty%2Funbound.git - Implemented opportunistic IPsec support module (ipsecmod). - Some whitespace fixup. git-svn-id: file:///svn/unbound/trunk@4158 be551aaa-1e26-0410-a405-d3ace91eadb9 --- diff --git a/Makefile.in b/Makefile.in index 34d6fac5a..fe33c461c 100644 --- a/Makefile.in +++ b/Makefile.in @@ -100,6 +100,9 @@ PYUNBOUND_OBJ=@PYUNBOUND_OBJ@ SUBNET_SRC=edns-subnet/edns-subnet.c edns-subnet/subnetmod.c edns-subnet/addrtree.c edns-subnet/subnet-whitelist.c SUBNET_OBJ=@SUBNET_OBJ@ SUBNET_HEADER=@SUBNET_HEADER@ +IPSECMOD_SRC=ipsecmod/ipsecmod.c ipsecmod/ipsecmod-whitelist.c +IPSECMOD_OBJ=@IPSECMOD_OBJ@ +IPSECMOD_HEADER=@IPSECMOD_HEADER@ COMMON_SRC=services/cache/dns.c services/cache/infra.c services/cache/rrset.c \ util/as112.c util/data/dname.c util/data/msgencode.c util/data/msgparse.c \ util/data/msgreply.c util/data/packed_rrset.c iterator/iterator.c \ @@ -122,7 +125,7 @@ validator/val_sigcrypt.c validator/val_utils.c dns64/dns64.c \ edns-subnet/edns-subnet.c edns-subnet/subnetmod.c \ edns-subnet/addrtree.c edns-subnet/subnet-whitelist.c \ cachedb/cachedb.c respip/respip.c $(CHECKLOCK_SRC) \ -$(DNSTAP_SRC) $(DNSCRYPT_SRC) +$(DNSTAP_SRC) $(DNSCRYPT_SRC) $(IPSECMOD_SRC) COMMON_OBJ_WITHOUT_NETCALL=dns.lo infra.lo rrset.lo dname.lo msgencode.lo \ as112.lo msgparse.lo msgreply.lo packed_rrset.lo iterator.lo iter_delegpt.lo \ iter_donotq.lo iter_fwd.lo iter_hints.lo iter_priv.lo iter_resptype.lo \ @@ -133,7 +136,8 @@ random.lo rbtree.lo regional.lo rtt.lo dnstree.lo lookup3.lo lruhash.lo \ slabhash.lo timehist.lo tube.lo winsock_event.lo autotrust.lo val_anchor.lo \ validator.lo val_kcache.lo val_kentry.lo val_neg.lo val_nsec3.lo val_nsec.lo \ val_secalgo.lo val_sigcrypt.lo val_utils.lo dns64.lo cachedb.lo \ -$(SUBNET_OBJ) $(PYTHONMOD_OBJ) $(CHECKLOCK_OBJ) $(DNSTAP_OBJ) $(DNSCRYPT_OBJ) +$(SUBNET_OBJ) $(PYTHONMOD_OBJ) $(CHECKLOCK_OBJ) $(DNSTAP_OBJ) $(DNSCRYPT_OBJ) \ +$(IPSECMOD_OBJ) COMMON_OBJ_WITHOUT_NETCALL+=respip.lo COMMON_OBJ_WITHOUT_UB_EVENT=$(COMMON_OBJ_WITHOUT_NETCALL) netevent.lo listen_dnsport.lo \ outside_network.lo @@ -605,6 +609,7 @@ depend: -e 's?$$(srcdir)/dnscrypt/dnscrypt_config.h??g' \ -e 's?$$(srcdir)/pythonmod/pythonmod.h?$$(PYTHONMOD_HEADER)?g' \ -e 's?$$(srcdir)/edns-subnet/subnetmod.h $$(srcdir)/edns-subnet/subnet-whitelist.h $$(srcdir)/edns-subnet/edns-subnet.h $$(srcdir)/edns-subnet/addrtree.h?$$(SUBNET_HEADER)?g' \ + -e 's?$$(srcdir)/ipsecmod/ipsecmod.h $$(srcdir)/ipsecmod/ipsecmod-whitelist.h?$$(IPSECMOD_HEADER)?g' \ -e 's!\(.*\)\.o[ :]*!\1.lo \1.o: !g' \ > $(DEPEND_TMP) cp $(DEPEND_TARGET) $(DEPEND_TMP2) diff --git a/config.h.in b/config.h.in index eacbc7f69..a4eae9d51 100644 --- a/config.h.in +++ b/config.h.in @@ -663,6 +663,9 @@ /* Define to 1 to use cachedb support */ #undef USE_CACHEDB +/* Define to 1 to use ipsecmod support */ +#undef USE_IPSECMOD + /* Define to 1 to enable dnscrypt support */ #undef USE_DNSCRYPT diff --git a/configure.ac b/configure.ac index c2d1213da..b76f745f8 100644 --- a/configure.ac +++ b/configure.ac @@ -1353,6 +1353,21 @@ case "$enable_cachedb" in ;; esac +# check for ipsecmod if requested +AC_ARG_ENABLE(ipsecmod, AC_HELP_STRING([--enable-ipsecmod], [Enable ipsecmod module that facilitates opportunistic IPsec])) +case "$enable_ipsecmod" in + yes) + AC_DEFINE([USE_IPSECMOD], [1], [Define to 1 to use ipsecmod support.]) + IPSECMOD_OBJ="ipsecmod.lo ipsecmod-whitelist.lo" + AC_SUBST(IPSECMOD_OBJ) + IPSECMOD_HEADER='$(srcdir)/ipsecmod/ipsecmod.h $(srcdir)/ipsecmod/ipsecmod-whitelist.h' + AC_SUBST(IPSECMOD_HEADER) + ;; + no|*) + # nothing + ;; +esac + AC_MSG_CHECKING([if ${MAKE:-make} supports $< with implicit rule in scope]) # on openBSD, the implicit rule make $< work. # on Solaris, it does not work ($? is changed sources, $^ lists dependencies). diff --git a/daemon/remote.c b/daemon/remote.c index 2c53d8b38..ac5ffbc86 100644 --- a/daemon/remote.c +++ b/daemon/remote.c @@ -871,6 +871,9 @@ print_mem(SSL* ssl, struct worker* worker, struct daemon* daemon) #ifdef CLIENT_SUBNET size_t subnet = 0; #endif /* CLIENT_SUBNET */ +#ifdef USE_IPSECMOD + size_t ipsecmod = 0; +#endif /* USE_IPSECMOD */ msg = slabhash_get_mem(daemon->env->msg_cache); rrset = slabhash_get_mem(&daemon->env->rrset_cache->table); val=0; @@ -906,6 +909,15 @@ print_mem(SSL* ssl, struct worker* worker, struct daemon* daemon) (&worker->env, m); } #endif /* CLIENT_SUBNET */ +#ifdef USE_IPSECMOD + m = modstack_find(&worker->env.mesh->mods, "ipsecmod"); + if(m != -1) { + fptr_ok(fptr_whitelist_mod_get_mem(worker->env.mesh-> + mods.mod[m]->get_mem)); + ipsecmod = (*worker->env.mesh->mods.mod[m]->get_mem) + (&worker->env, m); + } +#endif /* USE_IPSECMOD */ if(!print_longnum(ssl, "mem.cache.rrset"SQ, rrset)) return 0; @@ -921,6 +933,10 @@ print_mem(SSL* ssl, struct worker* worker, struct daemon* daemon) if(!print_longnum(ssl, "mem.mod.subnet"SQ, subnet)) return 0; #endif /* CLIENT_SUBNET */ +#ifdef USE_IPSECMOD + if(!print_longnum(ssl, "mem.mod.ipsecmod"SQ, ipsecmod)) + return 0; +#endif /* USE_IPSECMOD */ return 1; } diff --git a/doc/Changelog b/doc/Changelog index 90ebce187..40c1c4ce0 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,3 +1,7 @@ +16 May 2017: George + - Implemented opportunistic IPsec support module (ipsecmod). + - Some whitespace fixup. + 16 May 2017: Wouter - updated dependencies in the makefile. - document trust-anchor-signaling in example config file. diff --git a/doc/example.conf.in b/doc/example.conf.in index 1b52201d1..13c373f8f 100644 --- a/doc/example.conf.in +++ b/doc/example.conf.in @@ -701,6 +701,34 @@ server: # 0 blocks when ip is ratelimited, otherwise let 1/xth traffic through # ip-ratelimit-factor: 10 + # Specific options for ipsecmod. unbound needs to be configured with + # --enable-ipsecmod for these to take effect. + # + # Enable or disable ipsecmod (it still needs to be defined in + # module-config above). Can be used when ipsecmod needs to be + # enabled/disabled via remote-control(below). + # ipsecmod-enabled: yes + # + # Path to executable external hook. It must be defined when ipsecmod is + # listed in module-config (above). + # ipsecmod-hook: "./my_executable" + # + # When enabled unbound will reply with SERVFAIL if the return value of + # the ipsecmod-hook is not 0. + # ipsecmod-strict: no + # + # Maximum time to live (TTL) for cached A/AAAA records with IPSECKEY. + # ipsecmod-max-ttl: 3600 + # + # Reply with A/AAAA even if the relevant IPSECKEY is bogus. Mainly used for + # testing. + # ipsecmod-ignore-bogus: no + # + # Domains for which ipsecmod will be triggered. If not defined (default) + # all domains are treated as being whitelisted. + # ipsecmod-whitelist: "example.com" + # ipsecmod-whitelist: "nlnetlabs.nl" + # Python config section. To enable: # o use --with-pythonmodule to configure before compiling. diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in index bf24f8467..c9979d47c 100644 --- a/doc/unbound.conf.5.in +++ b/doc/unbound.conf.5.in @@ -16,13 +16,14 @@ .B unbound.conf is used to configure \fIunbound\fR(8). -The file format has attributes and values. Some attributes have attributes inside them. +The file format has attributes and values. Some attributes have attributes +inside them. The notation is: attribute: value. .P Comments start with # and last to the end of line. Empty lines are ignored as is whitespace at the beginning of a line. .P -The utility +The utility \fIunbound\-checkconf\fR(8) can be used to check unbound.conf prior to usage. .SH "EXAMPLE" @@ -30,7 +31,7 @@ An example config file is shown below. Copy this to /etc/unbound/unbound.conf and start the server with: .P .nf - $ unbound \-c /etc/unbound/unbound.conf + $ unbound \-c /etc/unbound/unbound.conf .fi .P Most settings are the defaults. Stop the server with: @@ -62,8 +63,8 @@ server: access\-control: 2001:DB8::/64 allow .fi .SH "FILE FORMAT" -There must be whitespace between keywords. Attribute keywords end with a colon ':'. An attribute -is followed by its containing attributes, or a value. +There must be whitespace between keywords. Attribute keywords end with a colon ':'. +An attribute is followed by its containing attributes, or a value. .P Files can be included using the .B include: @@ -71,7 +72,7 @@ directive. It can appear anywhere, it accepts a single file name as argument. Processing continues as if the text from the included file was copied into the config file at that point. If also using chroot, using full path names for the included files works, relative pathnames for the included names work -if the directory where the daemon is started equals its chroot/working +if the directory where the daemon is started equals its chroot/working directory or is specified before the include statement with directory: dir. Wildcards can be used to include multiple files, see \fIglob\fR(7). .SS "Server Options" @@ -80,17 +81,17 @@ These options are part of the clause. .TP .B verbosity: \fI -The verbosity number, level 0 means no verbosity, only errors. Level 1 +The verbosity number, level 0 means no verbosity, only errors. Level 1 gives operational information. Level 2 gives detailed operational -information. Level 3 gives query level information, output per query. -Level 4 gives algorithm level information. Level 5 logs client -identification for cache misses. Default is level 1. +information. Level 3 gives query level information, output per query. +Level 4 gives algorithm level information. Level 5 logs client +identification for cache misses. Default is level 1. The verbosity can also be increased from the commandline, see \fIunbound\fR(8). .TP .B statistics\-interval: \fI The number of seconds between printing statistics to the log for every thread. Disable with value 0 or "". Default is disabled. The histogram statistics -are only printed if replies were sent during the statistics interval, +are only printed if replies were sent during the statistics interval, requestlist statistics are printed for every interval (but can be 0). This is because the median calculation requires data to be present. .TP @@ -99,7 +100,7 @@ If enabled, statistics are cumulative since starting unbound, without clearing the statistics counters after logging the statistics. Default is no. .TP .B extended\-statistics: \fI -If enabled, extended statistics are printed from \fIunbound\-control\fR(8). +If enabled, extended statistics are printed from \fIunbound\-control\fR(8). Default is off, because keeping track of more statistics takes time. The counters are listed in \fIunbound\-control\fR(8). .TP @@ -112,7 +113,7 @@ The port number, default 53, on which the server responds to queries. .B interface: \fI Interface to use to connect to the network. This interface is listened to for queries from clients, and answers to clients are given from it. -Can be given multiple times to work on several interfaces. If none are +Can be given multiple times to work on several interfaces. If none are given the default is to listen to localhost. The interfaces are not changed on a reload (kill \-HUP) but only on restart. A port number can be specified with @port (without spaces between @@ -123,19 +124,19 @@ interface and port number), if not specified the default port (from Same as interface: (for easy of compatibility with nsd.conf). .TP .B interface\-automatic: \fI -Detect source interface on UDP queries and copy them to replies. This +Detect source interface on UDP queries and copy them to replies. This feature is experimental, and needs support in your OS for particular socket options. Default value is no. .TP .B outgoing\-interface: \fI Interface to use to connect to the network. This interface is used to send -queries to authoritative servers and receive their replies. Can be given -multiple times to work on several interfaces. If none are given the -default (all) is used. You can specify the same interfaces in +queries to authoritative servers and receive their replies. Can be given +multiple times to work on several interfaces. If none are given the +default (all) is used. You can specify the same interfaces in .B interface: and .B outgoing\-interface: -lines, the interfaces are then used for both purposes. Outgoing queries are +lines, the interfaces are then used for both purposes. Outgoing queries are sent via a random outgoing interface to counter spoofing. .IP If an IPv6 netblock is specified instead of an individual IPv6 address, @@ -155,26 +156,26 @@ ip \-6 addr add mynetblock/64 dev lo && ip \-6 route add local mynetblock/64 dev lo .TP .B outgoing\-range: \fI -Number of ports to open. This number of file descriptors can be opened per -thread. Must be at least 1. Default depends on compile options. Larger +Number of ports to open. This number of file descriptors can be opened per +thread. Must be at least 1. Default depends on compile options. Larger numbers need extra resources from the operating system. For performance a very large value is best, use libevent to make this possible. .TP .B outgoing\-port\-permit: \fI Permit unbound to open this port or range of ports for use to send queries. A larger number of permitted outgoing ports increases resilience against -spoofing attempts. Make sure these ports are not needed by other daemons. +spoofing attempts. Make sure these ports are not needed by other daemons. By default only ports above 1024 that have not been assigned by IANA are used. Give a port number or a range of the form "low\-high", without spaces. .IP -The \fBoutgoing\-port\-permit\fR and \fBoutgoing\-port\-avoid\fR statements -are processed in the line order of the config file, adding the permitted ports -and subtracting the avoided ports from the set of allowed ports. The -processing starts with the non IANA allocated ports above 1024 in the set +The \fBoutgoing\-port\-permit\fR and \fBoutgoing\-port\-avoid\fR statements +are processed in the line order of the config file, adding the permitted ports +and subtracting the avoided ports from the set of allowed ports. The +processing starts with the non IANA allocated ports above 1024 in the set of allowed ports. .TP .B outgoing\-port\-avoid: \fI -Do not permit unbound to open this port or range of ports for use to send +Do not permit unbound to open this port or range of ports for use to send queries. Use this to make sure unbound does not grab a port that another daemon needs. The port is avoided on all outgoing interfaces, both IP4 and IP6. By default only ports above 1024 that have not been assigned by IANA are used. @@ -204,13 +205,13 @@ consider tuning the outgoing tcp number). .B max\-udp\-size: \fI Maximum UDP response size (not applied to TCP response). 65536 disables the udp response size maximum, and uses the choice from the client, always. -Suggested values are 512 to 4096. Default is 4096. +Suggested values are 512 to 4096. Default is 4096. .TP .B msg\-buffer\-size: \fI Number of bytes size of the message buffers. Default is 65552 bytes, enough for 64 Kb packets, the maximum DNS message size. No message larger than this can be sent or received. Can be reduced to use less memory, but some requests -for DNS data, such as for huge resource records, will result in a SERVFAIL +for DNS data, such as for huge resource records, will result in a SERVFAIL reply to the client. .TP .B msg\-cache\-size: \fI @@ -220,7 +221,7 @@ or gigabytes (1024*1024 bytes in a megabyte). .TP .B msg\-cache\-slabs: \fI Number of slabs in the message cache. Slabs reduce lock contention by threads. -Must be set to a power of 2. Setting (close) to the number of cpus is a +Must be set to a power of 2. Setting (close) to the number of cpus is a reasonable guess. .TP .B num\-queries\-per\-thread: \fI @@ -232,12 +233,12 @@ the existing queries. Default depends on compile options, 512 or 1024. .TP .B jostle\-timeout: \fI Timeout used when the server is very busy. Set to a value that usually -results in one roundtrip to the authority servers. If too many queries +results in one roundtrip to the authority servers. If too many queries arrive, then 50% of the queries are allowed to run to completion, and -the other 50% are replaced with the new incoming query if they have already -spent more than their allowed time. This protects against denial of +the other 50% are replaced with the new incoming query if they have already +spent more than their allowed time. This protects against denial of service by slow queries or high query rates. Default 200 milliseconds. -The effect is that the qps for long-lasting queries is about +The effect is that the qps for long-lasting queries is about (numqueriesperthread / 2) / (average time for such long queries) qps. The qps for short queries can be about (numqueriesperthread / 2) / (jostletimeout in whole seconds) qps per thread, about (1024/2)*5 = 2560 @@ -308,12 +309,12 @@ or gigabytes (1024*1024 bytes in a megabyte). .TP .B rrset\-cache\-slabs: \fI Number of slabs in the RRset cache. Slabs reduce lock contention by threads. -Must be set to a power of 2. +Must be set to a power of 2. .TP .B cache\-max\-ttl: \fI -Time to live maximum for RRsets and messages in the cache. Default is -86400 seconds (1 day). If the maximum kicks in, responses to clients -still get decrementing TTLs based on the original (larger) values. +Time to live maximum for RRsets and messages in the cache. Default is +86400 seconds (1 day). If the maximum kicks in, responses to clients +still get decrementing TTLs based on the original (larger) values. When the internal TTL expires, the cache item has expired. Can be set lower to force the resolver to query for data often, and not trust (very large) TTL values. @@ -323,7 +324,7 @@ Time to live minimum for RRsets and messages in the cache. Default is 0. If the minimum kicks in, the data is cached for longer than the domain owner intended, and thus less queries are made to look up the data. Zero makes sure the data in the cache is as the domain owner intended, -higher values, especially more than an hour or so, can lead to trouble as +higher values, especially more than an hour or so, can lead to trouble as the data in the cache does not match up with the actual data any more. .TP .B cache\-max\-negative\-ttl: \fI @@ -331,12 +332,12 @@ Time to live maximum for negative responses, these have a SOA in the authority section that is limited in time. Default is 3600. .TP .B infra\-host\-ttl: \fI -Time to live for entries in the host cache. The host cache contains +Time to live for entries in the host cache. The host cache contains roundtrip timing, lameness and EDNS support information. Default is 900. .TP .B infra\-cache\-slabs: \fI -Number of slabs in the infrastructure cache. Slabs reduce lock contention -by threads. Must be set to a power of 2. +Number of slabs in the infrastructure cache. Slabs reduce lock contention +by threads. Must be set to a power of 2. .TP .B infra\-cache\-numhosts: \fI Number of hosts for which information is cached. Default is 10000. @@ -372,7 +373,7 @@ Enable or disable whether TCP queries are answered or issued. Default is yes. .TP .B tcp\-mss: \fI Maximum segment size (MSS) of TCP socket on which the server responds -to queries. Value lower than common MSS on Ethernet +to queries. Value lower than common MSS on Ethernet (1220 for example) will address path MTU problem. Note that not all platform supports socket option to set MSS (TCP_MAXSEG). Default is system default MSS determined by interface MTU and @@ -393,7 +394,8 @@ Default is no. Useful in tunneling scenarios. .B ssl\-upstream: \fI Enabled or disable whether the upstream queries use SSL only for transport. Default is no. Useful in tunneling scenarios. The SSL contains plain DNS in -TCP wireformat. The other server must support this (see \fBssl\-service\-key\fR). +TCP wireformat. The other server must support this (see +\fBssl\-service\-key\fR). .TP .B ssl\-service-key: \fI If enabled, the server provider SSL service on its TCP sockets. The clients @@ -423,37 +425,37 @@ a daemon. Set the value to \fIno\fR when unbound runs as systemd service. Default is yes. .TP .B access\-control: \fI -The netblock is given as an IP4 or IP6 address with /size appended for a -classless network block. The action can be \fIdeny\fR, \fIrefuse\fR, +The netblock is given as an IP4 or IP6 address with /size appended for a +classless network block. The action can be \fIdeny\fR, \fIrefuse\fR, \fIallow\fR, \fIallow_snoop\fR, \fIdeny_non_local\fR or \fIrefuse_non_local\fR. The most specific netblock match is used, if none match \fIdeny\fR is used. .IP The action \fIdeny\fR stops queries from hosts from that netblock. .IP -The action \fIrefuse\fR stops queries too, but sends a DNS rcode REFUSED +The action \fIrefuse\fR stops queries too, but sends a DNS rcode REFUSED error message back. .IP -The action \fIallow\fR gives access to clients from that netblock. -It gives only access for recursion clients (which is +The action \fIallow\fR gives access to clients from that netblock. +It gives only access for recursion clients (which is what almost all clients need). Nonrecursive queries are refused. .IP -The \fIallow\fR action does allow nonrecursive queries to access the +The \fIallow\fR action does allow nonrecursive queries to access the local\-data that is configured. The reason is that this does not involve -the unbound server recursive lookup algorithm, and static data is served -in the reply. This supports normal operations where nonrecursive queries -are made for the authoritative data. For nonrecursive queries any replies +the unbound server recursive lookup algorithm, and static data is served +in the reply. This supports normal operations where nonrecursive queries +are made for the authoritative data. For nonrecursive queries any replies from the dynamic cache are refused. .IP -The action \fIallow_snoop\fR gives nonrecursive access too. This give -both recursive and non recursive access. The name \fIallow_snoop\fR refers +The action \fIallow_snoop\fR gives nonrecursive access too. This give +both recursive and non recursive access. The name \fIallow_snoop\fR refers to cache snooping, a technique to use nonrecursive queries to examine -the cache contents (for malicious acts). However, nonrecursive queries can -also be a valuable debugging tool (when you want to examine the cache +the cache contents (for malicious acts). However, nonrecursive queries can +also be a valuable debugging tool (when you want to examine the cache contents). In that case use \fIallow_snoop\fR for your administration host. .IP By default only localhost is \fIallow\fRed, the rest is \fIrefuse\fRd. -The default is \fIrefuse\fRd, because that is protocol\-friendly. The DNS -protocol is not designed to handle dropped packets due to policy, and +The default is \fIrefuse\fRd, because that is protocol\-friendly. The DNS +protocol is not designed to handle dropped packets due to policy, and dropping may result in (possibly excessive) retried queries. .IP The deny_non_local and refuse_non_local settings are for hosts that are @@ -485,8 +487,8 @@ Set view for given access control element. .B chroot: \fI If chroot is enabled, you should pass the configfile (from the commandline) as a full path from the original root. After the -chroot has been performed the now defunct portion of the config -file path is removed to be able to reread the config after a reload. +chroot has been performed the now defunct portion of the config +file path is removed to be able to reread the config after a reload. .IP All other file paths (working dir, logfile, roothints, and key files) can be specified in several ways: @@ -497,22 +499,22 @@ In the last case the path is adjusted to remove the unused portion. .IP The pidfile can be either a relative path to the working directory, or an absolute path relative to the original root. It is written just prior -to chroot and dropping permissions. This allows the pidfile to be +to chroot and dropping permissions. This allows the pidfile to be /var/run/unbound.pid and the chroot to be /var/unbound, for example. .IP Additionally, unbound may need to access /dev/random (for entropy) from inside the chroot. .IP -If given a chroot is done to the given directory. The default is +If given a chroot is done to the given directory. The default is "@UNBOUND_CHROOT_DIR@". If you give "" no chroot is performed. .TP .B username: \fI If given, after binding the port the user privileges are dropped. Default is -"@UNBOUND_USERNAME@". If you give username: "" no user change is performed. +"@UNBOUND_USERNAME@". If you give username: "" no user change is performed. .IP If this user is not capable of binding the port, reloads (by signal HUP) will still retain the opened ports. -If you change the port number in the config file, and that new port number +If you change the port number in the config file, and that new port number requires privileges, then a reload will fail; a restart is needed. .TP .B directory: \fI @@ -524,17 +526,17 @@ then those includes can be relative to the working directory. .TP .B logfile: \fI If "" is given, logging goes to stderr, or nowhere once daemonized. -The logfile is appended to, in the following format: +The logfile is appended to, in the following format: .nf -[seconds since 1970] unbound[pid:tid]: type: message. +[seconds since 1970] unbound[pid:tid]: type: message. .fi If this option is given, the use\-syslog is option is set to "no". -The logfile is reopened (for append) when the config file is reread, on +The logfile is reopened (for append) when the config file is reread, on SIGHUP. .TP .B use\-syslog: \fI -Sets unbound to send log messages to the syslogd, using -\fIsyslog\fR(3). +Sets unbound to send log messages to the syslogd, using +\fIsyslog\fR(3). The log facility LOG_DAEMON is used, with identity "unbound". The logfile setting is overridden when use\-syslog is turned on. The default is to log to syslog. @@ -565,20 +567,20 @@ lines which makes the server (significantly) slower. Odd (nonprintable) characters in names are printed as '?'. .TP .B pidfile: \fI -The process id is written to the file. Default is "@UNBOUND_PIDFILE@". +The process id is written to the file. Default is "@UNBOUND_PIDFILE@". So, .nf -kill \-HUP `cat @UNBOUND_PIDFILE@` +kill \-HUP `cat @UNBOUND_PIDFILE@` .fi triggers a reload, .nf -kill \-TERM `cat @UNBOUND_PIDFILE@` +kill \-TERM `cat @UNBOUND_PIDFILE@` .fi gracefully terminates. .TP .B root\-hints: \fI Read the root hints from this file. Default is nothing, using builtin hints -for the IN class. The file has the format of zone files, with root +for the IN class. The file has the format of zone files, with root nameserver names and addresses only. The default may become outdated, when servers change, therefore it is good practice to use a root\-hints file. .TP @@ -602,22 +604,22 @@ If enabled trustanchor.unbound queries are refused. .B target\-fetch\-policy: \fI<"list of numbers"> Set the target fetch policy used by unbound to determine if it should fetch nameserver target addresses opportunistically. The policy is described per -dependency depth. +dependency depth. .IP The number of values determines the maximum dependency depth -that unbound will pursue in answering a query. +that unbound will pursue in answering a query. A value of \-1 means to fetch all targets opportunistically for that dependency depth. A value of 0 means to fetch on demand only. A positive value fetches -that many targets opportunistically. +that many targets opportunistically. .IP Enclose the list between quotes ("") and put spaces between numbers. The default is "3 2 1 0 0". Setting all zeroes, "0 0 0 0 0" gives behaviour -closer to that of BIND 9, while setting "\-1 \-1 \-1 \-1 \-1" gives behaviour +closer to that of BIND 9, while setting "\-1 \-1 \-1 \-1 \-1" gives behaviour rumoured to be closer to that of BIND 8. .TP .B harden\-short\-bufsize: \fI Very small EDNS buffer sizes from queries are ignored. Default is off, since -it is legal protocol wise to send these, and unbound tries to give very +it is legal protocol wise to send these, and unbound tries to give very small answers to these queries, where possible. .TP .B harden\-large\-queries: \fI @@ -631,11 +633,11 @@ Will trust glue only if it is within the servers authority. Default is on. .B harden\-dnssec\-stripped: \fI Require DNSSEC data for trust\-anchored zones, if such data is absent, the zone becomes bogus. If turned off, and no DNSSEC data is received -(or the DNSKEY data fails to validate), then the zone is made insecure, -this behaves like there is no trust anchor. You could turn this off if -you are sometimes behind an intrusive firewall (of some sort) that -removes DNSSEC data from packets, or a zone changes from signed to -unsigned to badly signed often. If turned off you run the risk of a +(or the DNSKEY data fails to validate), then the zone is made insecure, +this behaves like there is no trust anchor. You could turn this off if +you are sometimes behind an intrusive firewall (of some sort) that +removes DNSSEC data from packets, or a zone changes from signed to +unsigned to badly signed often. If turned off you run the risk of a downgrade attack that disables security for a zone. Default is on. .TP .B harden\-below\-nxdomain: \fI @@ -653,7 +655,7 @@ The nxdomain must be secure, this means nsec3 with optout is insufficient. Harden the referral path by performing additional queries for infrastructure data. Validates the replies if trust anchors are configured and the zones are signed. This enforces DNSSEC validation on nameserver -NS sets and the nameserver addresses that are encountered on the referral +NS sets and the nameserver addresses that are encountered on the referral path to the answer. Default off, because it burdens the authority servers, and it is not RFC standard, and could lead to performance problems because of the @@ -670,9 +672,9 @@ this option off avoids that validation failure. .TP .B use\-caps\-for\-id: \fI Use 0x20\-encoded random bits in the query to foil spoof attempts. -This perturbs the lowercase and uppercase of query names sent to -authority servers and checks if the reply still has the correct casing. -Disabled by default. +This perturbs the lowercase and uppercase of query names sent to +authority servers and checks if the reply still has the correct casing. +Disabled by default. This feature is an experimental implementation of draft dns\-0x20. .TP .B caps\-whitelist: \fI @@ -683,7 +685,7 @@ Can be given multiple times, for different domains. .TP .B qname\-minimisation: \fI Send minimum amount of information to upstream servers to enhance privacy. -Only sent minimum required labels of the QNAME and set QTYPE to NS when +Only sent minimum required labels of the QNAME and set QTYPE to NS when possible. Best effort approach; full QNAME and original QTYPE will be sent when upstream replies with a RCODE other than NOERROR, except when receiving NXDOMAIN from a DNSSEC signed zone. Default is off. @@ -715,7 +717,7 @@ stops IPv4-mapped IPv6 addresses from bypassing the filter. .TP .B private\-domain: \fI Allow this domain, and all its subdomains to contain private addresses. -Give multiple times to allow multiple domain names to contain private +Give multiple times to allow multiple domain names to contain private addresses. Default is none. .TP .B unwanted\-reply\-threshold: \fI @@ -726,7 +728,7 @@ message caches, hopefully flushing away any poison. A value of 10 million is suggested. Default is 0 (turned off). .TP .B do\-not\-query\-address: \fI -Do not query the given IP address. Can be IP4 or IP6. Append /num to +Do not query the given IP address. Can be IP4 or IP6. Append /num to indicate a classless delegation netblock, for example like 10.2.3.4/24 or 2001::11/64. .TP @@ -793,13 +795,13 @@ A DS or DNSKEY RR for a key to use for validation. Multiple entries can be given to specify multiple trusted keys, in addition to the trust\-anchor\-files. The resource record is entered in the same format as 'dig' or 'drill' prints them, the same format as in the zone file. Has to be on a single line, with -"" around it. A TTL can be specified for ease of cut and paste, but is ignored. +"" around it. A TTL can be specified for ease of cut and paste, but is ignored. A class can be specified, but class IN is default. .TP .B trusted\-keys\-file: \fI File with trusted keys for validation. Specify more than one file with several entries, one file per entry. Like \fBtrust\-anchor\-file\fR -but has a different file format. Format is BIND\-9 style format, +but has a different file format. Format is BIND\-9 style format, the trusted\-keys { name flag proto algo "key"; }; clauses are read. It is possible to use wildcards with this statement, the wildcard is expanded on start and on reload. @@ -814,9 +816,9 @@ DS records registered with the parent zone (many top level zones are signed). File with trusted keys for DLV (DNSSEC Lookaside Validation). Both DS and DNSKEY entries can be used in the file, in the same format as for \fItrust\-anchor\-file:\fR statements. Only one DLV can be configured, more -would be slow. The DLV configured is used as a root trusted DLV, this -means that it is a lookaside for the root. Default is "", or no dlv anchor file. -DLV is going to be decommissioned. Please do not use it any more. +would be slow. The DLV configured is used as a root trusted DLV, this +means that it is a lookaside for the root. Default is "", or no dlv anchor +file. DLV is going to be decommissioned. Please do not use it any more. .TP .B dlv\-anchor: \fI<"Resource Record"> Much like trust\-anchor, this is a DLV anchor with the DS or DNSKEY inline. @@ -828,17 +830,17 @@ the domain name. So a trust anchor above the domain name can not make the domain secure with a DS record, such a DS record is then ignored. Also keys from DLV are ignored for the domain. Can be given multiple times to specify multiple domains that are treated as if unsigned. If you set -trust anchors for the domain they override this setting (and the domain +trust anchors for the domain they override this setting (and the domain is secured). .IP This can be useful if you want to make sure a trust anchor for external -lookups does not affect an (unsigned) internal domain. A DS record +lookups does not affect an (unsigned) internal domain. A DS record externally can create validation failures for that internal domain. .TP .B val\-override\-date: \fI Default is "" or "0", which disables this debugging feature. If enabled by giving a RRSIG style date, that date is used for verifying RRSIG inception -and expiration dates, instead of the current date. Do not set this unless +and expiration dates, instead of the current date. Do not set this unless you are debugging signature inception and expiration. The value \-1 ignores the date altogether, useful for some special applications. .TP @@ -868,7 +870,7 @@ The time interval prevents repeated revalidation of bogus data. Instruct the validator to remove data from the additional section of secure messages that are not signed properly. Messages that are insecure, bogus, indeterminate or unchecked are not affected. Default is yes. Use this setting -to protect the users that rely on this validator for authentication from +to protect the users that rely on this validator for authentication from potentially bad data in the additional section. .TP .B val\-log\-level: \fI @@ -883,10 +885,10 @@ it was wrong and which server sent the faulty data. .B val\-permissive\-mode: \fI Instruct the validator to mark bogus messages as indeterminate. The security checks are performed, but if the result is bogus (failed security), the -reply is not withheld from the client with SERVFAIL as usual. The client -receives the bogus data. For messages that are found to be secure the AD bit +reply is not withheld from the client with SERVFAIL as usual. The client +receives the bogus data. For messages that are found to be secure the AD bit is set in replies. Also logging is performed as for full validation. -The default value is "no". +The default value is "no". .TP .B ignore\-cd\-flag: \fI Instruct unbound to ignore the CD flag from clients and refuse to @@ -906,7 +908,7 @@ List of keysize and iteration count values, separated by spaces, surrounded by quotes. Default is "1024 150 2048 500 4096 2500". This determines the maximum allowed NSEC3 iteration count before a message is simply marked insecure instead of performing the many hashing iterations. The list must -be in ascending order and have at least one entry. If you set it to +be in ascending order and have at least one entry. If you set it to "1024 65535" there is no restriction to NSEC3 iteration values. This table must be kept short; a very long list could cause slower operation. .TP @@ -941,7 +943,7 @@ or gigabytes (1024*1024 bytes in a megabyte). .TP .B key\-cache\-slabs: \fI Number of slabs in the key cache. Slabs reduce lock contention by threads. -Must be set to a power of 2. Setting (close) to the number of cpus is a +Must be set to a power of 2. Setting (close) to the number of cpus is a reasonable guess. .TP .B neg\-cache\-size: \fI @@ -992,7 +994,7 @@ Otherwise, the query is answered with nodata or nxdomain. For a negative answer a SOA is included in the answer if present as local\-data for the zone apex domain. .TP 10 -\h'5'\fItransparent\fR +\h'5'\fItransparent\fR If there is a match from local data, the query is answered. Otherwise if the query has a different name, the query is resolved normally. If the query is for a name given in localdata but no such type of data is @@ -1000,49 +1002,49 @@ given in localdata, then a noerror nodata answer is returned. If no local\-zone is given local\-data causes a transparent zone to be created by default. .TP 10 -\h'5'\fItypetransparent\fR +\h'5'\fItypetransparent\fR If there is a match from local data, the query is answered. If the query is for a different name, or for the same name but for a different type, the query is resolved normally. So, similar to transparent but types that are not listed in local data are resolved normally, so if an A record is in the local data that does not cause a nodata reply for AAAA queries. .TP 10 -\h'5'\fIredirect\fR +\h'5'\fIredirect\fR The query is answered from the local data for the zone name. There may be no local data beneath the zone name. This answers queries for the zone, and all subdomains of the zone with the local data for the zone. It can be used to redirect a domain to return a different address record -to the end user, with -local\-zone: "example.com." redirect and +to the end user, with +local\-zone: "example.com." redirect and local\-data: "example.com. A 127.0.0.1" queries for www.example.com and www.foo.example.com are redirected, so that users with web browsers cannot access sites with suffix example.com. .TP 10 -\h'5'\fIinform\fR +\h'5'\fIinform\fR The query is answered normally, same as transparent. The client IP address (@portnumber) is printed to the logfile. The log message is: timestamp, unbound-pid, info: zonename inform IP@port queryname type class. This option can be used for normal resolution, but machines looking up infected names are logged, eg. to run antivirus on them. .TP 10 -\h'5'\fIinform_deny\fR +\h'5'\fIinform_deny\fR The query is dropped, like 'deny', and logged, like 'inform'. Ie. find infected machines without answering the queries. .TP 10 -\h'5'\fIalways_transparent\fR +\h'5'\fIalways_transparent\fR Like transparent, but ignores local data and resolves normally. .TP 10 -\h'5'\fIalways_refuse\fR +\h'5'\fIalways_refuse\fR Like refuse, but ignores local data and refuses the query. .TP 10 -\h'5'\fIalways_nxdomain\fR +\h'5'\fIalways_nxdomain\fR Like static, but ignores local data and returns nxdomain for the query. .TP 10 -\h'5'\fInodefault\fR +\h'5'\fInodefault\fR Used to turn off default contents for AS112 zones. The other types -also turn off default contents for the zone. The 'nodefault' option -has no other effect than turning off default contents for the +also turn off default contents for the zone. The 'nodefault' option +has no other effect than turning off default contents for the given zone. Use \fInodefault\fR if you use exactly that zone, if you want to use a subzone, use \fItransparent\fR. .P @@ -1051,71 +1053,71 @@ the AS112 zones. The AS112 zones are reverse DNS zones for private use and reserved IP addresses for which the servers on the internet cannot provide correct answers. They are configured by default to give nxdomain (no reverse information) answers. The defaults can be turned off by specifying your -own local\-zone of that name, or using the 'nodefault' type. Below is a +own local\-zone of that name, or using the 'nodefault' type. Below is a list of the default zone contents. .TP 10 -\h'5'\fIlocalhost\fR +\h'5'\fIlocalhost\fR The IP4 and IP6 localhost information is given. NS and SOA records are provided for completeness and to satisfy some DNS update tools. Default content: .nf local\-zone: "localhost." static local\-data: "localhost. 10800 IN NS localhost." -local\-data: "localhost. 10800 IN +local\-data: "localhost. 10800 IN SOA localhost. nobody.invalid. 1 3600 1200 604800 10800" local\-data: "localhost. 10800 IN A 127.0.0.1" local\-data: "localhost. 10800 IN AAAA ::1" .fi .TP 10 -\h'5'\fIreverse IPv4 loopback\fR +\h'5'\fIreverse IPv4 loopback\fR Default content: .nf local\-zone: "127.in\-addr.arpa." static local\-data: "127.in\-addr.arpa. 10800 IN NS localhost." -local\-data: "127.in\-addr.arpa. 10800 IN +local\-data: "127.in\-addr.arpa. 10800 IN SOA localhost. nobody.invalid. 1 3600 1200 604800 10800" -local\-data: "1.0.0.127.in\-addr.arpa. 10800 IN +local\-data: "1.0.0.127.in\-addr.arpa. 10800 IN PTR localhost." .fi .TP 10 -\h'5'\fIreverse IPv6 loopback\fR +\h'5'\fIreverse IPv6 loopback\fR Default content: .nf local\-zone: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0. 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." static local\-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0. - 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 10800 IN + 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 10800 IN NS localhost." local\-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0. - 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 10800 IN + 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 10800 IN SOA localhost. nobody.invalid. 1 3600 1200 604800 10800" local\-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0. - 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 10800 IN + 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 10800 IN PTR localhost." .fi .TP 10 -\h'5'\fIonion (RFC 7686)\fR +\h'5'\fIonion (RFC 7686)\fR Default content: .nf local\-zone: "onion." static local\-data: "onion. 10800 IN NS localhost." -local\-data: "onion. 10800 IN +local\-data: "onion. 10800 IN SOA localhost. nobody.invalid. 1 3600 1200 604800 10800" .fi .TP 10 -\h'5'\fIreverse RFC1918 local use zones\fR -Reverse data for zones 10.in\-addr.arpa, 16.172.in\-addr.arpa to +\h'5'\fIreverse RFC1918 local use zones\fR +Reverse data for zones 10.in\-addr.arpa, 16.172.in\-addr.arpa to 31.172.in\-addr.arpa, 168.192.in\-addr.arpa. -The \fBlocal\-zone:\fR is set static and as \fBlocal\-data:\fR SOA and NS +The \fBlocal\-zone:\fR is set static and as \fBlocal\-data:\fR SOA and NS records are provided. .TP 10 -\h'5'\fIreverse RFC3330 IP4 this, link\-local, testnet and broadcast\fR -Reverse data for zones 0.in\-addr.arpa, 254.169.in\-addr.arpa, +\h'5'\fIreverse RFC3330 IP4 this, link\-local, testnet and broadcast\fR +Reverse data for zones 0.in\-addr.arpa, 254.169.in\-addr.arpa, 2.0.192.in\-addr.arpa (TEST NET 1), 100.51.198.in\-addr.arpa (TEST NET 2), 113.0.203.in\-addr.arpa (TEST NET 3), 255.255.255.255.in\-addr.arpa. And from 64.100.in\-addr.arpa to 127.100.in\-addr.arpa (Shared Address Space). .TP 10 \h'5'\fIreverse RFC4291 IP6 unspecified\fR -Reverse data for zone +Reverse data for zone .nf 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0. 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. @@ -1140,11 +1142,11 @@ This also works with the other default zones. .TP 5 .B local\-data: \fI"" Configure local data, which is served in reply to queries for it. -The query has to match exactly unless you configure the local\-zone as +The query has to match exactly unless you configure the local\-zone as redirect. If not matched exactly, the local\-zone type determines further processing. If local\-data is configured that is not a subdomain of -a local\-zone, a transparent local\-zone is configured. -For record types such as TXT, use single quotes, as in +a local\-zone, a transparent local\-zone is configured. +For record types such as TXT, use single quotes, as in local\-data: 'example. TXT "text"'. .IP If you need more complicated authoritative data, with referrals, wildcards, @@ -1163,7 +1165,7 @@ used access-control element has a matching tag. Tags must be defined in tags. .TP 5 .B local\-zone\-override: \fI -Override the localzone type for queries from addresses matching netblock. +Override the localzone type for queries from addresses matching netblock. Use this localzone type, regardless the type configured for the local-zone (both tagged and untagged) and regardless the type configured using access\-control\-tag\-action. @@ -1309,21 +1311,21 @@ the recursive processing itself for stub zones. .P The stub zone can be used to configure authoritative data to be used by the resolver that cannot be accessed using the public internet servers. -This is useful for company\-local data or private zones. Setup an -authoritative server on a different host (or different port). Enter a config -entry for unbound with +This is useful for company\-local data or private zones. Setup an +authoritative server on a different host (or different port). Enter a config +entry for unbound with .B stub\-addr: -. -The unbound resolver can then access the data, without referring to the -public internet for it. +. +The unbound resolver can then access the data, without referring to the +public internet for it. .P -This setup allows DNSSEC signed zones to be served by that +This setup allows DNSSEC signed zones to be served by that authoritative server, in which case a trusted key entry with the public key -can be put in config, so that unbound can validate the data and set the AD -bit on replies for the private zone (authoritative servers do not set the -AD bit). This setup makes unbound capable of answering queries for the -private zone, and can even set the AD bit ('authentic'), but the AA -('authoritative') bit is not set on these replies. +can be put in config, so that unbound can validate the data and set the AD +bit on replies for the private zone (authoritative servers do not set the +AD bit). This setup makes unbound capable of answering queries for the +private zone, and can even set the AD bit ('authentic'), but the AA +('authoritative') bit is not set on these replies. .P Consider adding \fBserver:\fR statements for \fBdomain\-insecure:\fR and for \fBlocal\-zone:\fI name nodefault\fR for the zone if it is a locally @@ -1342,8 +1344,8 @@ IP address of stub zone nameserver. Can be IP 4 or IP 6. To use a nondefault port for DNS communication append '@' with the port number. .TP .B stub\-prime: \fI -This option is by default off. If enabled it performs NS set priming, -which is similar to root hints, where it starts using the list of nameservers +This option is by default off. If enabled it performs NS set priming, +which is similar to root hints, where it starts using the list of nameservers currently published by the zone. Thus, if the hint list is slightly outdated, the resolver picks up a correct list online. .TP @@ -1395,10 +1397,10 @@ Default is no. There may be multiple .B view: clauses. Each with a \fBname:\fR and zero or more \fBlocal\-zone\fR and -\fBlocal\-data\fR elements. View can be mapped to requests by specifying the view -name in an \fBaccess\-control\-view\fR element. Options from matching views will -override global options. Global options will be used if no matching view -is found. +\fBlocal\-data\fR elements. View can be mapped to requests by specifying the +view name in an \fBaccess\-control\-view\fR element. Options from matching +views will override global options. Global options will be used if no matching +view is found. .TP .B name: \fI Name of the view. Must be unique. This name is used in access\-control\-view @@ -1459,7 +1461,8 @@ clause give the settings of the dnscrypt channel. While those options are available, they are only meaningful if unbound was compiled with \fB\-\-enable\-dnscrypt\fR. Currently certificate and secret/public keys cannot be generated by unbound. -You can use dnscrypt-wrapper to generate those: https://github.com/cofyc/dnscrypt-wrapper/blob/master/README.md#usage +You can use dnscrypt-wrapper to generate those: https://github.com/cofyc/\ +dnscrypt-wrapper/blob/master/README.md#usage .TP .B dnscrypt\-enable: \fI\fR Whether or not the \fBdnscrypt\fR config should be enabled. You may define @@ -1480,19 +1483,19 @@ Path to the time limited secret key file. This option may be specified multiple times. .TP .B dnscrypt\-provider\-cert: \fI\fR -Path to the certificate related to the \fBdnscrypt\-secret\-key\fRs. This option -may be specified multiple times. +Path to the certificate related to the \fBdnscrypt\-secret\-key\fRs. +This option may be specified multiple times. .SS "EDNS Client Subnet Module Options" .LP The ECS module must be configured in the \fBmodule\-config:\fR "subnetcache validator iterator" directive and be compiled into the daemon to be enabled. These settings go in the \fBserver:\fR section. .LP -If the destination address is whitelisted with Unbound will add the EDNS0 option -to the query containing the relevant part of the client's address. When an -answer contains the ECS option the response and the option are placed in a -specialized cache. If the authority indicated no support, the response is stored -in the regular cache. +If the destination address is whitelisted with Unbound will add the EDNS0 +option to the query containing the relevant part of the client's address. When +an answer contains the ECS option the response and the option are placed in a +specialized cache. If the authority indicated no support, the response is +stored in the regular cache. .LP Additionally, when a client includes the option in its queries, Unbound will forward the option to the authority if prensent in the whitelist, or @@ -1525,6 +1528,72 @@ to expose to third parties for IPv6. Defaults to 56. .B max\-client\-subnet\-ipv4: \fI\fR Specifies the maximum prefix length of the client source address we are willing to expose to third parties for IPv4. Defaults to 24. +.SS "Opportunistic IPsec Support Module Options" +.LP +The IPsec module must be configured in the \fBmodule\-config:\fR "ipsecmod +validator iterator" directive and be compiled into the daemon to be +enabled. These settings go in the \fBserver:\fR section. +.LP +When unbound receives an A/AAAA query that is not in the cache and finds a +valid answer, it will withhold returning the answer and instead will generate +an IPSECKEY subquery for the same domain name. If an answer was found, unbound +will call an external hook passing the following arguments: +.TP 10 +\h'5'\fIQNAME\fR +Domain name of the A/AAAA and IPSECKEY query. In string format. +.TP 10 +\h'5'\fIIPSECKEY TTL\fR +TTL of the IPSECKEY RRset. +.TP 10 +\h'5'\fIA/AAAA\fR +String of space separated IP addresses present in the A/AAAA RRset. The IP +addresses are in string format. +.TP 10 +\h'5'\fIIPSECKEY\fR +String of space separated IPSECKEY RDATA present in the IPSECKEY RRset. The +IPSECKEY RDATA are in DNS presentation format. +.LP +The A/AAAA answer is then cached and returned to the client. If the external +hook was called the TTL changes to ensure it doesn't surpass +\fBipsecmod-max-ttl\fR. +.LP +The same procedure is also followed when \fBprefetch:\fR is used, but the +A/AAAA answer is given to the client before the hook is called. +\fBipsecmod-max-ttl\fR ensures that the A/AAAA answer given from cache is still +relevant for opportunistic IPsec. +.TP +.B ipsecmod-enabled: \fI\fR +Specifies whether the IPsec module is enabled or not. The IPsec module still +needs to be defined in the \fBmodule\-config:\fR directive. This option +facilitates turning on/off the module without restarting/reloading unbound. +Defaults to yes. +.TP +.B ipsecmod\-hook: \fI\fR +Specifies the external hook that unbound will call with \fIsystem\fR(3). The +file can be specified as an absolute/relative path. The file needs the proper +permissions to be able to be executed by the same user that runs unbound. It +must be present when the IPsec module is defined in the \fBmodule\-config:\fR +directive. +.TP +.B ipsecmod-strict: \fI\fR +If enabled unbound requires the external hook to return a success value of 0. +Failing to do so unbound will reply with SERVFAIL. The A/AAAA answer will also +not be cached. Defaults to no. +.TP +.B ipsecmod\-max-ttl: \fI\fR +Time to live maximum for A/AAAA cached records after calling the external hook. +Defaults to 3600. +.TP +.B ipsecmod-ignore-bogus: \fI\fR +Specifies the behaviour of unbound when the IPSECKEY answer is bogus. If set +to yes, the hook will be called and the A/AAAA answer will be returned to the +client. If set to no, the hook will not be called and the answer to the +A/AAAA query will be SERVFAIL. Mainly used for testing. Defaults to no. +.TP +.B ipsecmod\-whitelist: \fI\fR +Whitelist the domain so that the module logic will be executed. Can +be given multiple times, for different domains. If the option is not +specified, all domains are treated as being whitelisted (default). .SH "MEMORY CONTROL EXAMPLE" In the example config settings below memory usage is reduced. Some service levels are lower, notable very large data and a high TCP load are no longer @@ -1532,7 +1601,7 @@ supported. Very large data and high TCP loads are exceptional for the DNS. DNSSEC validation is enabled, just add trust anchors. If you do not have to worry about programs using more than 3 Mb of memory, the below example is not for you. Use the defaults to receive full service, -which on BSD\-32bit tops out at 30\-40 Mb after heavy usage. +which on BSD\-32bit tops out at 30\-40 Mb after heavy usage. .P .nf # example settings that reduce memory usage @@ -1573,12 +1642,12 @@ unbound configuration file. default unbound pidfile with process ID of the running daemon. .TP .I unbound.log -unbound log file. default is to log to -\fIsyslog\fR(3). +unbound log file. default is to log to +\fIsyslog\fR(3). .SH "SEE ALSO" -\fIunbound\fR(8), +\fIunbound\fR(8), \fIunbound\-checkconf\fR(8). .SH "AUTHORS" -.B Unbound +.B Unbound was written by NLnet Labs. Please see CREDITS file in the distribution for further details. diff --git a/ipsecmod/ipsecmod-whitelist.c b/ipsecmod/ipsecmod-whitelist.c new file mode 100644 index 000000000..c2b1f5d4a --- /dev/null +++ b/ipsecmod/ipsecmod-whitelist.c @@ -0,0 +1,158 @@ +/* + * ipsecmod/ipsecmod-whitelist.h - White listed domains for the ipsecmod to + * operate on. + * + * Copyright (c) 2017, NLnet Labs. All rights reserved. + * + * This software is open source. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * Neither the name of the NLNET LABS nor the names of its contributors may + * be used to endorse or promote products derived from this software without + * specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED + * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR + * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING + * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ +/** + * \file + * + * Keep track of the white listed domains for ipsecmod. + */ + +#include "config.h" + +#ifdef USE_IPSECMOD +#include "ipsecmod/ipsecmod.h" +#include "ipsecmod/ipsecmod-whitelist.h" +#include "util/regional.h" +#include "util/log.h" +#include "util/config_file.h" +#include "util/rbtree.h" +#include "util/data/dname.h" +#include "util/storage/dnstree.h" +#include "sldns/str2wire.h" + +/** Apply ipsecmod-whitelist string. */ +static int +whitelist_str_cfg(rbtree_type* whitelist, const char* name) +{ + struct name_tree_node* n; + size_t len; + uint8_t* nm = sldns_str2wire_dname(name, &len); + if(!nm) { + log_err("ipsecmod: could not parse %s for whitelist.", name); + return 0; + } + n = (struct name_tree_node*)calloc(1, sizeof(*n)); + if(!n) { + log_err("ipsecmod: out of memory while creating whitelist."); + free(nm); + return 0; + } + n->node.key = n; + n->name = nm; + n->len = len; + n->labs = dname_count_labels(nm); + n->dclass = LDNS_RR_CLASS_IN; + if(!name_tree_insert(whitelist, n, nm, len, n->labs, n->dclass)) { + /* duplicate element ignored, idempotent */ + free(n->name); + free(n); + } + return 1; +} + +/** Read ipsecmod-whitelist config. */ +static int +read_whitelist(rbtree_type* whitelist, struct config_file* cfg) +{ + struct config_strlist* p; + for(p = cfg->ipsecmod_whitelist; p; p = p->next) { + log_assert(p->str); + if(!whitelist_str_cfg(whitelist, p->str)) + return 0; + } + return 1; +} + +int +ipsecmod_whitelist_apply_cfg(struct ipsecmod_env* ie, + struct config_file* cfg) +{ + ie->whitelist = rbtree_create(name_tree_compare); + if(!read_whitelist(ie->whitelist, cfg)) + return 0; + name_tree_init_parents(ie->whitelist); + return 1; +} + +/** Delete ipsecmod_env->whitelist element. */ +static void +whitelist_free(struct rbnode_type* n, void* ATTR_UNUSED(d)) +{ + if(n) { + free(((struct name_tree_node*)n)->name); + free(n); + } +} + +/** Get memory usage of ipsecmod_env->whitelist element. */ +static void +whitelist_get_mem(struct rbnode_type* n, void* arg) +{ + struct name_tree_node* node = (struct name_tree_node*)n; + size_t* size = (size_t*) arg; + if(node) { + *size += sizeof(node) + node->len; + } +} + +void +ipsecmod_whitelist_delete(rbtree_type* whitelist) +{ + if(whitelist) { + traverse_postorder(whitelist, whitelist_free, NULL); + free(whitelist); + } +} + +int +ipsecmod_domain_is_whitelisted(struct ipsecmod_env* ie, uint8_t* dname, + size_t dname_len, uint16_t qclass) +{ + if(!ie->whitelist) return 1; /* No whitelist, treat as whitelisted. */ + return name_tree_lookup(ie->whitelist, dname, dname_len, + dname_count_labels(dname), qclass) != NULL; +} + +size_t +ipsecmod_whitelist_get_mem(rbtree_type* whitelist) +{ + size_t size = 0; + if(whitelist) { + traverse_postorder(whitelist, whitelist_get_mem, &size); + } + return size; +} + +#endif /* USE_IPSECMOD */ diff --git a/ipsecmod/ipsecmod-whitelist.h b/ipsecmod/ipsecmod-whitelist.h new file mode 100644 index 000000000..d98868814 --- /dev/null +++ b/ipsecmod/ipsecmod-whitelist.h @@ -0,0 +1,82 @@ +/* + * ipsecmod/ipsecmod-whitelist.h - White listed domains for the ipsecmod to + * operate on. + * + * Copyright (c) 2017, NLnet Labs. All rights reserved. + * + * This software is open source. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * Neither the name of the NLNET LABS nor the names of its contributors may + * be used to endorse or promote products derived from this software without + * specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED + * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR + * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING + * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ +/** + * \file + * + * Keep track of the white listed domains for ipsecmod. + */ + +#ifndef IPSECMOD_WHITELIST_H +#define IPSECMOD_WHITELIST_H +#include "util/storage/dnstree.h" + +struct config_file; +struct regional; + +/** + * Process ipsecmod_whitelist config. + * @param ie: ipsecmod environment. + * @param cfg: config options. + * @return 0 on error. + */ +int ipsecmod_whitelist_apply_cfg(struct ipsecmod_env* ie, + struct config_file* cfg); + +/** + * Delete the ipsecmod whitelist. + * @param whitelist: ipsecmod whitelist. + */ +void ipsecmod_whitelist_delete(rbtree_type* whitelist); + +/** + * See if a domain is whitelisted. + * @param ie: ipsecmod environment. + * @param dname: domain name to check. + * @param dname_len: length of domain name. + * @param qclass: query CLASS. + * @return: true if the domain is whitelisted for the ipsecmod. + */ +int ipsecmod_domain_is_whitelisted(struct ipsecmod_env* ie, uint8_t* dname, + size_t dname_len, uint16_t qclass); + +/** + * Get memory used by ipsecmod whitelist. + * @param whitelist: structure for domain storage. + * @return bytes in use. + */ +size_t ipsecmod_whitelist_get_mem(rbtree_type* whitelist); + +#endif /* IPSECMOD_WHITELIST_H */ diff --git a/ipsecmod/ipsecmod.c b/ipsecmod/ipsecmod.c new file mode 100644 index 000000000..10198ac94 --- /dev/null +++ b/ipsecmod/ipsecmod.c @@ -0,0 +1,512 @@ +/* + * ipsecmod/ipsecmod.c - facilitate opportunistic IPsec module + * + * Copyright (c) 2017, NLnet Labs. All rights reserved. + * + * This software is open source. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * Neither the name of the NLNET LABS nor the names of its contributors may + * be used to endorse or promote products derived from this software without + * specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED + * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR + * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING + * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/** + * \file + * + * This file contains a module that facilitates opportunistic IPsec. It does so + * by also quering for the IPSECKEY for A/AAAA queries and calling a + * configurable hook (eg. signaling an IKE daemon) before replying. + */ + +#include "config.h" +#ifdef USE_IPSECMOD +#include "ipsecmod/ipsecmod.h" +#include "ipsecmod/ipsecmod-whitelist.h" +#include "util/fptr_wlist.h" +#include "util/regional.h" +#include "util/net_help.h" +#include "util/config_file.h" +#include "services/cache/dns.h" +#include "sldns/wire2str.h" + +/** Apply configuration to ipsecmod module 'global' state. */ +static int +ipsecmod_apply_cfg(struct ipsecmod_env* ipsecmod_env, struct config_file* cfg) +{ + if(!cfg->ipsecmod_hook || (cfg->ipsecmod_hook && !cfg->ipsecmod_hook[0])) { + log_err("ipsecmod: missing ipsecmod-hook."); + return 0; + } + if(cfg->ipsecmod_whitelist && + !ipsecmod_whitelist_apply_cfg(ipsecmod_env, cfg)) + return 0; + return 1; +} + +int +ipsecmod_init(struct module_env* env, int id) +{ + struct ipsecmod_env* ipsecmod_env = (struct ipsecmod_env*)calloc(1, + sizeof(struct ipsecmod_env)); + if(!ipsecmod_env) { + log_err("malloc failure"); + return 0; + } + env->modinfo[id] = (void*)ipsecmod_env; + ipsecmod_env->whitelist = NULL; + if(!ipsecmod_apply_cfg(ipsecmod_env, env->cfg)) { + log_err("ipsecmod: could not apply configuration settings."); + return 0; + } + return 1; +} + +void +ipsecmod_deinit(struct module_env* env, int id) +{ + struct ipsecmod_env* ipsecmod_env; + if(!env || !env->modinfo[id]) + return; + ipsecmod_env = (struct ipsecmod_env*)env->modinfo[id]; + /* Free contents. */ + ipsecmod_whitelist_delete(ipsecmod_env->whitelist); + free(ipsecmod_env); + env->modinfo[id] = NULL; +} + +/** New query for ipsecmod. */ +static int +ipsecmod_new(struct module_qstate* qstate, int id) +{ + struct ipsecmod_qstate* iq = (struct ipsecmod_qstate*)regional_alloc( + qstate->region, sizeof(struct ipsecmod_qstate)); + memset(iq, 0, sizeof(*iq)); + qstate->minfo[id] = iq; + if(!iq) + return 0; + /* Initialise it. */ + iq->enabled = qstate->env->cfg->ipsecmod_enabled; + iq->is_whitelisted = ipsecmod_domain_is_whitelisted( + (struct ipsecmod_env*)qstate->env->modinfo[id], qstate->qinfo.qname, + qstate->qinfo.qname_len, qstate->qinfo.qclass); + iq->region = regional_create(); + return 1; +} + +/** + * Exit module with an error status. + * @param qstate: query state + * @param id: module id. + */ +static void +ipsecmod_error(struct module_qstate* qstate, int id) +{ + qstate->ext_state[id] = module_error; + qstate->return_rcode = LDNS_RCODE_SERVFAIL; +} + +/** + * Generate a request for the IPSECKEY. + * + * @param qstate: query state that is the parent. + * @param id: module id. + * @param name: what name to query for. + * @param namelen: length of name. + * @param qtype: query type. + * @param qclass: query class. + * @param flags: additional flags, such as the CD bit (BIT_CD), or 0. + * @return false on alloc failure. + */ +static int +generate_request(struct module_qstate* qstate, int id, uint8_t* name, + size_t namelen, uint16_t qtype, uint16_t qclass, uint16_t flags) +{ + struct module_qstate* newq; + struct query_info ask; + ask.qname = name; + ask.qname_len = namelen; + ask.qtype = qtype; + ask.qclass = qclass; + ask.local_alias = NULL; + log_query_info(VERB_ALGO, "ipsecmod: generate request", &ask); + fptr_ok(fptr_whitelist_modenv_attach_sub(qstate->env->attach_sub)); + if(!(*qstate->env->attach_sub)(qstate, &ask, + (uint16_t)(BIT_RD|flags), 0, 0, &newq)){ + log_err("Could not generate request: out of memory"); + return 0; + } + qstate->ext_state[id] = module_wait_subquery; + return 1; +} + +/** + * Prepare the data and call the hook. + * + * @param iq: ipsecmod qstate. + * @param ie: ipsecmod environment. + * @param rrset_data: IPSECKEY rrset. + * @return true on success, false otherwise. + */ +static int +call_hook(struct module_qstate* qstate, struct ipsecmod_qstate* iq, + struct ipsecmod_env* ie) +{ + size_t slen, tempdata_len, tempstring_len; + char str[65535], *s, *tempstring; + int i, w; + struct ub_packed_rrset_key* rrset_key; + struct packed_rrset_data* rrset_data; + uint8_t *tempdata; + + /* Check if a shell is available */ + if(system(NULL) == 0) { + log_err("ipsecmod: no shell available for ipsecmod-hook"); + return 0; + } + + /* Zero the buffer. */ + s = str; + slen = sizeof(str); + memset(s, 0, slen); + + /* Copy the hook into the buffer. */ + sldns_str_print(&s, &slen, "%s", qstate->env->cfg->ipsecmod_hook); + /* Put space into the buffer. */ + sldns_str_print(&s, &slen, " "); + /* Copy the qname into the buffer. */ + tempstring = sldns_wire2str_dname(qstate->qinfo.qname, + qstate->qinfo.qname_len); + if(!tempstring) { + log_err("ipsecmod: out of memory when calling the hook"); + return 0; + } + sldns_str_print(&s, &slen, "\"%s\"", tempstring); + free(tempstring); + /* Put space into the buffer. */ + sldns_str_print(&s, &slen, " "); + /* Copy the IPSECKEY TTL into the buffer. */ + rrset_data = (struct packed_rrset_data*)iq->ipseckey_rrset->entry.data; + sldns_str_print(&s, &slen, "\"%ld\"", rrset_data->ttl); + /* Put space into the buffer. */ + sldns_str_print(&s, &slen, " "); + /* Copy the A/AAAA record(s) into the buffer. Start and end this section + * with a double quote. */ + rrset_key = reply_find_answer_rrset(&qstate->return_msg->qinfo, + qstate->return_msg->rep); + rrset_data = (struct packed_rrset_data*)rrset_key->entry.data; + sldns_str_print(&s, &slen, "\""); + for(i=0; icount; i++) { + if(i > 0) { + /* Put space into the buffer. */ + sldns_str_print(&s, &slen, " "); + } + /* Ignore the first two bytes, they are the rr_data len. */ + w = sldns_wire2str_rdata_buf(rrset_data->rr_data[i] + 2, + rrset_data->rr_len[i] - 2, s, slen, qstate->qinfo.qtype); + if(w < 0) { + /* Error in printout. */ + return -1; + } else if((size_t)w >= slen) { + s = NULL; /* We do not want str to point outside of buffer. */ + slen = 0; + return -1; + } else { + s += w; + slen -= w; + } + } + sldns_str_print(&s, &slen, "\""); + /* Put space into the buffer. */ + sldns_str_print(&s, &slen, " "); + /* Copy the IPSECKEY record(s) into the buffer. Start and end this section + * with a double quote. */ + sldns_str_print(&s, &slen, "\""); + rrset_data = (struct packed_rrset_data*)iq->ipseckey_rrset->entry.data; + for(i=0; icount; i++) { + if(i > 0) { + /* Put space into the buffer. */ + sldns_str_print(&s, &slen, " "); + } + /* Ignore the first two bytes, they are the rr_data len. */ + tempdata = rrset_data->rr_data[i] + 2; + tempdata_len = rrset_data->rr_len[i] - 2; + /* Save the buffer pointers. */ + tempstring = s; tempstring_len = slen; + w = sldns_wire2str_ipseckey_scan(&tempdata, &tempdata_len, &s, &slen, + NULL, 0); + /* There was an error when parsing the IPSECKEY; reset the buffer + * pointers to their previous values. */ + if(w == -1){ + s = tempstring; slen = tempstring_len; + } + } + sldns_str_print(&s, &slen, "\""); + verbose(VERB_ALGO, "ipsecmod: hook command: '%s'", str); + /* ipsecmod-hook should return 0 on success. */ + if(system(str) != 0) + return 0; + return 1; +} + +/** + * Handle an ipsecmod module event with a query + * @param qstate: query state (from the mesh), passed between modules. + * contains qstate->env module environment with global caches and so on. + * @param iq: query state specific for this module. per-query. + * @param ie: environment specific for this module. global. + * @param id: module id. + */ +static void +ipsecmod_handle_query(struct module_qstate* qstate, + struct ipsecmod_qstate* iq, struct ipsecmod_env* ie, int id) +{ + struct ub_packed_rrset_key* rrset_key; + struct packed_rrset_data* rrset_data; + size_t i; + /* Pass to next module if we are not enabled and whitelisted. */ + if(!(iq->enabled && iq->is_whitelisted)) { + qstate->ext_state[id] = module_wait_module; + return; + } + /* New query, check if the query is for an A/AAAA record and disable + * caching for other modules. */ + if(!iq->ipseckey_done) { + if(qstate->qinfo.qtype == LDNS_RR_TYPE_A || + qstate->qinfo.qtype == LDNS_RR_TYPE_AAAA) { + verbose(VERB_ALGO, "ipsecmod: query for %s; engaging", + sldns_rr_descript(qstate->qinfo.qtype)->_name); + qstate->no_cache_store = 1; + } + /* Pass request to next module. */ + qstate->ext_state[id] = module_wait_module; + return; + } + /* IPSECKEY subquery is finished. */ + /* We have an IPSECKEY answer. */ + if(iq->ipseckey_rrset) { + rrset_data = (struct packed_rrset_data*)iq->ipseckey_rrset->entry.data; + if(rrset_data) { + /* If bogus return SERVFAIL. */ + if(!qstate->env->cfg->ipsecmod_ignore_bogus && + rrset_data->security == sec_status_bogus) { + log_err("ipsecmod: bogus IPSECKEY"); + ipsecmod_error(qstate, id); + return; + } + /* We have a valid IPSECKEY reply, call hook. */ + if(!call_hook(qstate, iq, ie) && + qstate->env->cfg->ipsecmod_strict) { + log_err("ipsecmod: ipsecmod-hook failed"); + ipsecmod_error(qstate, id); + return; + } + /* Make sure the A/AAAA's TTL is equal/less than the + * ipsecmod_max_ttl. */ + rrset_key = reply_find_answer_rrset(&qstate->return_msg->qinfo, + qstate->return_msg->rep); + rrset_data = (struct packed_rrset_data*)rrset_key->entry.data; + if(rrset_data->ttl > (time_t)qstate->env->cfg->ipsecmod_max_ttl) { + /* Update TTL for rrset to fixed value. */ + rrset_data->ttl = qstate->env->cfg->ipsecmod_max_ttl; + for(i=0; icount+rrset_data->rrsig_count; i++) + rrset_data->rr_ttl[i] = qstate->env->cfg->ipsecmod_max_ttl; + /* Also update reply_info's TTL */ + qstate->return_msg->rep->ttl = + qstate->env->cfg->ipsecmod_max_ttl; + qstate->return_msg->rep->prefetch_ttl = PREFETCH_TTL_CALC( + qstate->return_msg->rep->ttl); + } + } + } + /* Store A/AAAA in cache. */ + if(!dns_cache_store(qstate->env, &qstate->qinfo, + qstate->return_msg->rep, 0, qstate->prefetch_leeway, + 0, qstate->region, qstate->query_flags)) { + log_err("ipsecmod: out of memory caching record"); + } + qstate->ext_state[id] = module_finished; +} + +/** + * Handle an ipsecmod module event with a response from the iterator. + * @param qstate: query state (from the mesh), passed between modules. + * contains qstate->env module environment with global caches and so on. + * @param iq: query state specific for this module. per-query. + * @param ie: environment specific for this module. global. + * @param id: module id. + */ +static void +ipsecmod_handle_response(struct module_qstate* qstate, + struct ipsecmod_qstate* ATTR_UNUSED(iq), struct ipsecmod_env* ie, int id) +{ + /* Pass to previous module if we are not enabled and whitelisted. */ + if(!(iq->enabled && iq->is_whitelisted)) { + qstate->ext_state[id] = module_finished; + return; + } + /* check if the response is for an A/AAAA query. */ + if((qstate->qinfo.qtype == LDNS_RR_TYPE_A || + qstate->qinfo.qtype == LDNS_RR_TYPE_AAAA) && + /* check that we had an answer for the A/AAAA query. */ + qstate->return_msg && + reply_find_answer_rrset(&qstate->return_msg->qinfo, + qstate->return_msg->rep) && + /* check that another module didn't SERVFAIL. */ + qstate->return_rcode != LDNS_RCODE_SERVFAIL) { + verbose(VERB_ALGO, "ipsecmod: response for %s; generating IPSECKEY " + "subquery", sldns_rr_descript(qstate->qinfo.qtype)->_name); + /* generate an IPSECKEY query. */ + if(!generate_request(qstate, id, qstate->qinfo.qname, + qstate->qinfo.qname_len, LDNS_RR_TYPE_IPSECKEY, + qstate->qinfo.qclass, 0)) { + log_err("ipsecmod: could not generate subquery."); + ipsecmod_error(qstate, id); + } + return; + } + /* we are done with the query. */ + qstate->ext_state[id] = module_finished; +} + +void +ipsecmod_operate(struct module_qstate* qstate, enum module_ev event, int id, + struct outbound_entry* outbound) +{ + struct ipsecmod_env* ie = (struct ipsecmod_env*)qstate->env->modinfo[id]; + struct ipsecmod_qstate* iq = (struct ipsecmod_qstate*)qstate->minfo[id]; + verbose(VERB_QUERY, "ipsecmod[module %d] operate: extstate:%s event:%s", + id, strextstate(qstate->ext_state[id]), strmodulevent(event)); + if(iq) log_query_info(VERB_QUERY, "ipsecmod operate: query", + &qstate->qinfo); + + /* create ipsecmod_qstate. */ + if((event == module_event_new || event == module_event_pass) && + iq == NULL) { + if(!ipsecmod_new(qstate, id)) { + ipsecmod_error(qstate, id); + return; + } + iq = (struct ipsecmod_qstate*)qstate->minfo[id]; + } + if(iq && (event == module_event_pass || event == module_event_new)) { + ipsecmod_handle_query(qstate, iq, ie, id); + return; + } + if(iq && (event == module_event_moddone)) { + ipsecmod_handle_response(qstate, iq, ie, id); + return; + } + if(iq && outbound) { + /* cachedb does not need to process responses at this time + * ignore it. + cachedb_process_response(qstate, iq, ie, id, outbound, event); + */ + return; + } + if(event == module_event_error) { + verbose(VERB_ALGO, "got called with event error, giving up"); + ipsecmod_error(qstate, id); + return; + } + if(!iq && (event == module_event_moddone)) { + /* during priming, module done but we never started. */ + qstate->ext_state[id] = module_finished; + return; + } + + log_err("ipsecmod: bad event %s", strmodulevent(event)); + ipsecmod_error(qstate, id); + return; +} + +void +ipsecmod_inform_super(struct module_qstate* qstate, int id, + struct module_qstate* super) +{ + log_query_info(VERB_ALGO, "ipsecmod: inform_super, sub is", + &qstate->qinfo); + log_query_info(VERB_ALGO, "super is", &super->qinfo); + struct ipsecmod_qstate* siq = (struct ipsecmod_qstate*)super->minfo[id]; + if(!siq) { + verbose(VERB_ALGO, "super has no ipsecmod state"); + return; + } + + if(qstate->return_msg) { + struct ub_packed_rrset_key* rrset_key = reply_find_answer_rrset( + &qstate->return_msg->qinfo, qstate->return_msg->rep); + if(rrset_key) { + /* We have an answer. */ + /* Copy to super's region. */ + rrset_key = packed_rrset_copy_region(rrset_key, siq->region, 0); + siq->ipseckey_rrset = rrset_key; + if(!rrset_key) { + log_err("ipsecmod: out of memory."); + } + } + } + /* Notify super to proceed. */ + siq->ipseckey_done = 1; +} + +void +ipsecmod_clear(struct module_qstate* qstate, int id) +{ + struct ipsecmod_qstate* iq; + if(!qstate) + return; + iq = (struct ipsecmod_qstate*)qstate->minfo[id]; + if(iq) { + /* free contents of iq. */ + regional_destroy(iq->region); + } + qstate->minfo[id] = NULL; +} + +size_t +ipsecmod_get_mem(struct module_env* env, int id) +{ + struct ipsecmod_env* ie = (struct ipsecmod_env*)env->modinfo[id]; + if(!ie) + return 0; + return sizeof(*ie) + ipsecmod_whitelist_get_mem(ie->whitelist); +} + +/** + * The ipsecmod function block + */ +static struct module_func_block ipsecmod_block = { + "ipsecmod", + &ipsecmod_init, &ipsecmod_deinit, &ipsecmod_operate, + &ipsecmod_inform_super, &ipsecmod_clear, &ipsecmod_get_mem +}; + +struct module_func_block* +ipsecmod_get_funcblock(void) +{ + return &ipsecmod_block; +} +#endif /* USE_IPSECMOD */ diff --git a/ipsecmod/ipsecmod.h b/ipsecmod/ipsecmod.h new file mode 100644 index 000000000..89323a4f7 --- /dev/null +++ b/ipsecmod/ipsecmod.h @@ -0,0 +1,99 @@ +/* + * ipsecmod/ipsecmod.h - facilitate opportunistic IPsec module + * + * Copyright (c) 2017, NLnet Labs. All rights reserved. + * + * This software is open source. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * Neither the name of the NLNET LABS nor the names of its contributors may + * be used to endorse or promote products derived from this software without + * specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED + * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR + * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING + * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/** + * \file + * + * This file contains a module that facilitates opportunistic IPsec. It does so + * by also quering for the IPSECKEY for A/AAAA queries and calling a + * configurable hook (eg. signaling an IKE daemon) before replying. + */ + +#ifndef IPSECMOD_H +#define IPSECMOD_H +#include "util/module.h" +#include "util/rbtree.h" + +/** + * The global variable environment contents for the ipsecmod + * Shared between threads, this represents long term information. + */ +struct ipsecmod_env { + /** White listed domains for ipsecmod. */ + rbtree_type* whitelist; +}; + +/** + * Per query state for the ipsecmod module. + */ +struct ipsecmod_qstate { + /** State of the IPsec module. */ + /** NOTE: This value is copied here from the configuration so that a change + * with unbound-control would not complicate an already running mesh. */ + int enabled; + /** If the qname is whitelisted or not. */ + /** NOTE: No whitelist means all qnames are whitelisted. */ + int is_whitelisted; + /** Region to store the IPSECKEY rrset. */ + struct regional* region; + /** Pointer to IPSECKEY rrset allocated in the above region. NULL if there + * was no IPSECKEY reply from the subquery. */ + struct ub_packed_rrset_key* ipseckey_rrset; + /** If the IPSECKEY subquery has finished. */ + int ipseckey_done; +}; + +/** Init the ipsecmod module */ +int ipsecmod_init(struct module_env* env, int id); +/** Deinit the ipsecmod module */ +void ipsecmod_deinit(struct module_env* env, int id); +/** Operate on an event on a query (in qstate). */ +void ipsecmod_operate(struct module_qstate* qstate, enum module_ev event, + int id, struct outbound_entry* outbound); +/** Subordinate query done, inform this super request of its conclusion */ +void ipsecmod_inform_super(struct module_qstate* qstate, int id, + struct module_qstate* super); +/** clear the ipsecmod query-specific contents out of qstate */ +void ipsecmod_clear(struct module_qstate* qstate, int id); +/** return memory estimate for the ipsecmod module */ +size_t ipsecmod_get_mem(struct module_env* env, int id); + +/** + * Get the function block with pointers to the ipsecmod functions + * @return the function block for "ipsecmod". + */ +struct module_func_block* ipsecmod_get_funcblock(void); + +#endif /* IPSECMOD_H */ diff --git a/libunbound/unbound.h b/libunbound/unbound.h index d155aa43f..bc47b5e46 100644 --- a/libunbound/unbound.h +++ b/libunbound/unbound.h @@ -606,22 +606,22 @@ const char* ub_version(void); * this struct is shared on a shm segment (shm-key in unbound.conf) */ struct ub_shm_stat_info { + int num_threads; - int num_threads; - - struct { + struct { long long now_sec, now_usec; long long up_sec, up_usec; long long elapsed_sec, elapsed_usec; - } time; - - struct { - long long msg; - long long rrset; - long long val; - long long iter; - long long subnet; - } mem; + } time; + + struct { + long long msg; + long long rrset; + long long val; + long long iter; + long long subnet; + long long ipsecmod; + } mem; }; /** number of qtype that is stored for in array */ diff --git a/services/modstack.c b/services/modstack.c index 9bebd3a56..8a8aa4e8f 100644 --- a/services/modstack.c +++ b/services/modstack.c @@ -54,6 +54,9 @@ #ifdef USE_CACHEDB #include "cachedb/cachedb.h" #endif +#ifdef USE_IPSECMOD +#include "ipsecmod/ipsecmod.h" +#endif #ifdef CLIENT_SUBNET #include "edns-subnet/subnetmod.h" #endif @@ -126,17 +129,20 @@ module_list_avail(void) static const char* names[] = { "dns64", #ifdef WITH_PYTHONMODULE - "python", + "python", #endif #ifdef USE_CACHEDB "cachedb", #endif +#ifdef USE_IPSECMOD + "ipsecmod", +#endif #ifdef CLIENT_SUBNET - "subnetcache", + "subnetcache", #endif "respip", - "validator", - "iterator", + "validator", + "iterator", NULL}; return names; } @@ -151,22 +157,25 @@ module_funcs_avail(void) static struct module_func_block* (*fb[])(void) = { &dns64_get_funcblock, #ifdef WITH_PYTHONMODULE - &pythonmod_get_funcblock, + &pythonmod_get_funcblock, #endif #ifdef USE_CACHEDB &cachedb_get_funcblock, #endif +#ifdef USE_IPSECMOD + &ipsecmod_get_funcblock, +#endif #ifdef CLIENT_SUBNET - &subnetmod_get_funcblock, + &subnetmod_get_funcblock, #endif &respip_get_funcblock, - &val_get_funcblock, - &iter_get_funcblock, + &val_get_funcblock, + &iter_get_funcblock, NULL}; return fb; } -struct +struct module_func_block* module_factory(const char** str) { int i = 0; diff --git a/smallapp/unbound-checkconf.c b/smallapp/unbound-checkconf.c index f687b6518..11df4415c 100644 --- a/smallapp/unbound-checkconf.c +++ b/smallapp/unbound-checkconf.c @@ -4,22 +4,22 @@ * Copyright (c) 2007, NLnet Labs. All rights reserved. * * This software is open source. - * + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: - * + * * Redistributions of source code must retain the above copyright notice, * this list of conditions and the following disclaimer. - * + * * Redistributions in binary form must reproduce the above copyright notice, * this list of conditions and the following disclaimer in the documentation * and/or other materials provided with the distribution. - * + * * Neither the name of the NLNET LABS nor the names of its contributors may * be used to endorse or promote products derived from this software without * specific prior written permission. - * + * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR @@ -88,10 +88,10 @@ usage(void) exit(1); } -/** - * Print given option to stdout +/** + * Print given option to stdout * @param cfg: config - * @param opt: option name without trailing :. + * @param opt: option name without trailing :. * This is different from config_set_option. * @param final: if final pathname with chroot applied has to be printed. */ @@ -178,7 +178,7 @@ warn_hosts(const char* typ, struct config_stub* list) fprintf(stderr, "unbound-checkconf: warning:" " %s %s: \"%s\" is an IP%s address, " "and when looked up as a host name " - "during use may not resolve.\n", + "during use may not resolve.\n", s->name, typ, h->str, addr_is_ip6(&a, alen)?"6":"4"); } @@ -230,7 +230,7 @@ aclchecks(struct config_file* cfg) socklen_t alen; struct config_str2list* acl; for(acl=cfg->acls; acl; acl = acl->next) { - if(!netblockstrtoaddr(acl->str, UNBOUND_DNS_PORT, &a, &alen, + if(!netblockstrtoaddr(acl->str, UNBOUND_DNS_PORT, &a, &alen, &d)) { fatal_exit("cannot parse access control address %s %s", acl->str, acl->str2); @@ -240,7 +240,7 @@ aclchecks(struct config_file* cfg) /** true if fname is a file */ static int -is_file(const char* fname) +is_file(const char* fname) { struct stat buf; if(stat(fname, &buf) < 0) { @@ -260,7 +260,7 @@ is_file(const char* fname) /** true if fname is a directory */ static int -is_dir(const char* fname) +is_dir(const char* fname) { struct stat buf; if(stat(fname, &buf) < 0) { @@ -305,7 +305,7 @@ check_chroot_string(const char* desc, char** ss, fatal_exit("%s: \"%s\" does not exist in " "chrootdir %s", desc, str, chrootdir); else - fatal_exit("%s: \"%s\" does not exist", + fatal_exit("%s: \"%s\" does not exist", desc, str); } /* put in a new full path for continued checking */ @@ -332,8 +332,8 @@ check_chroot_filelist_wild(const char* desc, struct config_strlist* list, struct config_strlist* p; for(p=list; p; p=p->next) { #ifdef HAVE_GLOB - if(strchr(p->str, '*') || strchr(p->str, '[') || - strchr(p->str, '?') || strchr(p->str, '{') || + if(strchr(p->str, '*') || strchr(p->str, '[') || + strchr(p->str, '?') || strchr(p->str, '{') || strchr(p->str, '~')) { char* s = p->str; /* adjust whole pattern for chroot and check later */ @@ -370,11 +370,11 @@ morechecks(struct config_file* cfg, const char* fname) #ifdef UB_ON_WINDOWS w_config_adjust_directory(cfg); #endif - if(cfg->chrootdir && cfg->chrootdir[0] && + if(cfg->chrootdir && cfg->chrootdir[0] && cfg->chrootdir[strlen(cfg->chrootdir)-1] == '/') fatal_exit("chootdir %s has trailing slash '/' please remove.", cfg->chrootdir); - if(cfg->chrootdir && cfg->chrootdir[0] && + if(cfg->chrootdir && cfg->chrootdir[0] && !is_dir(cfg->chrootdir)) { fatal_exit("bad chroot directory"); } @@ -416,16 +416,20 @@ morechecks(struct config_file* cfg, const char* fname) } } - check_chroot_filelist("file with root-hints", + check_chroot_filelist("file with root-hints", cfg->root_hints, cfg->chrootdir, cfg); - check_chroot_filelist("trust-anchor-file", + check_chroot_filelist("trust-anchor-file", cfg->trust_anchor_file_list, cfg->chrootdir, cfg); - check_chroot_filelist("auto-trust-anchor-file", + check_chroot_filelist("auto-trust-anchor-file", cfg->auto_trust_anchor_file_list, cfg->chrootdir, cfg); - check_chroot_filelist_wild("trusted-keys-file", + check_chroot_filelist_wild("trusted-keys-file", cfg->trusted_keys_file_list, cfg->chrootdir, cfg); - check_chroot_string("dlv-anchor-file", &cfg->dlv_anchor_file, + check_chroot_string("dlv-anchor-file", &cfg->dlv_anchor_file, cfg->chrootdir, cfg); +#ifdef USE_IPSECMOD + check_chroot_string("ipsecmod-hook", &cfg->ipsecmod_hook, cfg->chrootdir, + cfg); +#endif /* remove chroot setting so that modules are not stripping pathnames*/ free(cfg->chrootdir); cfg->chrootdir = NULL; @@ -434,21 +438,21 @@ morechecks(struct config_file* cfg, const char* fname) * dns64, but it's not explicitly confirmed, so the combination is * excluded below. It's simply unknown yet for the combination of * respip and other modules. */ - if(strcmp(cfg->module_conf, "iterator") != 0 + if(strcmp(cfg->module_conf, "iterator") != 0 && strcmp(cfg->module_conf, "validator iterator") != 0 && strcmp(cfg->module_conf, "dns64 validator iterator") != 0 && strcmp(cfg->module_conf, "dns64 iterator") != 0 && strcmp(cfg->module_conf, "respip iterator") != 0 && strcmp(cfg->module_conf, "respip validator iterator") != 0 #ifdef WITH_PYTHONMODULE - && strcmp(cfg->module_conf, "python iterator") != 0 - && strcmp(cfg->module_conf, "python validator iterator") != 0 + && strcmp(cfg->module_conf, "python iterator") != 0 + && strcmp(cfg->module_conf, "python validator iterator") != 0 && strcmp(cfg->module_conf, "validator python iterator") != 0 - && strcmp(cfg->module_conf, "dns64 python iterator") != 0 - && strcmp(cfg->module_conf, "dns64 python validator iterator") != 0 + && strcmp(cfg->module_conf, "dns64 python iterator") != 0 + && strcmp(cfg->module_conf, "dns64 python validator iterator") != 0 && strcmp(cfg->module_conf, "dns64 validator python iterator") != 0 - && strcmp(cfg->module_conf, "python dns64 iterator") != 0 - && strcmp(cfg->module_conf, "python dns64 validator iterator") != 0 + && strcmp(cfg->module_conf, "python dns64 iterator") != 0 + && strcmp(cfg->module_conf, "python dns64 validator iterator") != 0 #endif #ifdef USE_CACHEDB && strcmp(cfg->module_conf, "validator cachedb iterator") != 0 @@ -468,16 +472,28 @@ morechecks(struct config_file* cfg, const char* fname) && strcmp(cfg->module_conf, "validator python cachedb iterator") != 0 #endif #ifdef CLIENT_SUBNET - && strcmp(cfg->module_conf, "subnetcache iterator") != 0 + && strcmp(cfg->module_conf, "subnetcache iterator") != 0 && strcmp(cfg->module_conf, "subnetcache validator iterator") != 0 #endif #if defined(WITH_PYTHONMODULE) && defined(CLIENT_SUBNET) && strcmp(cfg->module_conf, "python subnetcache iterator") != 0 - && strcmp(cfg->module_conf, "subnetcache python iterator") != 0 + && strcmp(cfg->module_conf, "subnetcache python iterator") != 0 && strcmp(cfg->module_conf, "subnetcache validator iterator") != 0 && strcmp(cfg->module_conf, "python subnetcache validator iterator") != 0 && strcmp(cfg->module_conf, "subnetcache python validator iterator") != 0 && strcmp(cfg->module_conf, "subnetcache validator python iterator") != 0 +#endif +#ifdef USE_IPSECMOD + && strcmp(cfg->module_conf, "ipsecmod iterator") != 0 + && strcmp(cfg->module_conf, "ipsecmod validator iterator") != 0 +#endif +#if defined(WITH_PYTHONMODULE) && defined(USE_IPSECMOD) + && strcmp(cfg->module_conf, "python ipsecmod iterator") != 0 + && strcmp(cfg->module_conf, "ipsecmod python iterator") != 0 + && strcmp(cfg->module_conf, "ipsecmod validator iterator") != 0 + && strcmp(cfg->module_conf, "python ipsecmod validator iterator") != 0 + && strcmp(cfg->module_conf, "ipsecmod python validator iterator") != 0 + && strcmp(cfg->module_conf, "ipsecmod validator python iterator") != 0 #endif ) { fatal_exit("module conf '%s' is not known to work", diff --git a/testcode/testbound.c b/testcode/testbound.c index 052c74e82..20c99608f 100644 --- a/testcode/testbound.c +++ b/testcode/testbound.c @@ -78,6 +78,7 @@ testbound_usage(void) printf("-g detect GOST support (exit code 0 or 1)\n"); printf("-e detect ECDSA support (exit code 0 or 1)\n"); printf("-c detect CLIENT_SUBNET support (exit code 0 or 1)\n"); + printf("-i detect IPSECMOD support (exit code 0 or 1)\n"); printf("-s testbound self-test - unit test of testbound parts.\n"); printf("-o str unbound commandline options separated by spaces.\n"); printf("Version %s\n", PACKAGE_VERSION); @@ -281,7 +282,7 @@ main(int argc, char* argv[]) pass_argc = 1; pass_argv[0] = "unbound"; add_opts("-d", &pass_argc, pass_argv); - while( (c=getopt(argc, argv, "12egcho:p:s")) != -1) { + while( (c=getopt(argc, argv, "12egciho:p:s")) != -1) { switch(c) { case 's': free(pass_argv[1]); @@ -335,6 +336,15 @@ main(int argc, char* argv[]) #else printf("CLIENT_SUBNET not supported\n"); exit(1); +#endif + break; + case 'i': +#ifdef USE_IPSECMOD + printf("IPSECMOD supported\n"); + exit(0); +#else + printf("IPSECMOD not supported\n"); + exit(1); #endif break; case 'p': diff --git a/testdata/03-testbound.tpkg b/testdata/03-testbound.tpkg index 39e621699..5db2b7731 100644 Binary files a/testdata/03-testbound.tpkg and b/testdata/03-testbound.tpkg differ diff --git a/testdata/ipsecmod_bogus_ipseckey.crpl b/testdata/ipsecmod_bogus_ipseckey.crpl new file mode 100644 index 000000000..1e76af3b9 --- /dev/null +++ b/testdata/ipsecmod_bogus_ipseckey.crpl @@ -0,0 +1,236 @@ +; Test ipsecmod with bogus IPSECKEY + +; config options +; The island of trust is at example.com +server: + trust-anchor: "example.com. IN DS 48069 8 2 fce2bcb0d88b828064faad58e935ca2e32ff0bbd8bd8407a8f344d8f8e8c438a" + val-override-date: "-1" + target-fetch-policy: "0 0 0 0 0" + # test that default value of harden-dnssec-stripped is still yes. + fake-sha1: yes + access-control: 127.0.0.1 allow_snoop + module-config: "ipsecmod validator iterator" + ; ../../ is there because the test runs from testdata/03-testbound.dir + ipsecmod-hook: "../../testdata/ipsecmod_hook.sh" + ipsecmod-strict: no + ipsecmod-max-ttl: 200 + +stub-zone: + name: "." + stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. +CONFIG_END + +SCENARIO_BEGIN Test ipsecmod with bogus IPSECKEY +; Scenario overview: +; - query for example.com. IN A +; - check that query for example.com. IN IPSECKEY is generated +; - check that we get an answer for example.com. IN A with the correct TTL +; - check that the get the same answer from cache +; - check that we don't get the IPSECKEY answer from cache (bogus) + +; K.ROOT-SERVERS.NET. +RANGE_BEGIN 0 100 + ADDRESS 193.0.14.129 + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + . IN NS + SECTION ANSWER + . IN NS K.ROOT-SERVERS.NET. + SECTION ADDITIONAL + K.ROOT-SERVERS.NET. IN A 193.0.14.129 + ENTRY_END + + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR AA NOERROR + SECTION QUESTION + a.gtld-servers.net. IN AAAA + SECTION AUTHORITY + . 86400 IN SOA . . 20070304 28800 7200 604800 86400 + ENTRY_END + + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR AA NOERROR + SECTION QUESTION + K.ROOT-SERVERS.NET. IN AAAA + SECTION AUTHORITY + . 86400 IN SOA . . 20070304 28800 7200 604800 86400 + ENTRY_END + + ENTRY_BEGIN + MATCH opcode subdomain + ADJUST copy_id copy_query + REPLY QR NOERROR + SECTION QUESTION + com. IN A + SECTION AUTHORITY + com. IN NS a.gtld-servers.net. + SECTION ADDITIONAL + a.gtld-servers.net. IN A 192.5.6.30 + ENTRY_END +RANGE_END + +; a.gtld-servers.net. +RANGE_BEGIN 0 100 + ADDRESS 192.5.6.30 + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + com. IN NS + SECTION ANSWER + com. IN NS a.gtld-servers.net. + SECTION ADDITIONAL + a.gtld-servers.net. IN A 192.5.6.30 + ENTRY_END + + ENTRY_BEGIN + MATCH opcode subdomain + ADJUST copy_id copy_query + REPLY QR NOERROR + SECTION QUESTION + example.com. IN A + SECTION AUTHORITY + example.com. IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. IN A 1.2.3.4 + ENTRY_END +RANGE_END + +; ns.example.com. +RANGE_BEGIN 0 100 + ADDRESS 1.2.3.4 + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + example.com. IN NS + SECTION ANSWER + example.com. IN NS ns.example.com. + example.com. 3600 IN RRSIG NS 8 2 3600 20170609142855 20170512142855 48069 example.com. SYFM1dsPEly0PjdShX8EsRnpq6XTysrvUBWB+LjGaC0wn3RFd0A2TG3WhVkUxhjTzRjt9jn3rz+JUJyybrhBkYXjBeBBjLep6Le7PQSct+FFDTIuX8duixfOzEN5LSYRMUnSuAq/z0LJHUB6nqTw8XWRm6EIImdEBc6D0u1KSes= + SECTION ADDITIONAL + ns.example.com. IN A 1.2.3.4 + ns.example.com. 3600 IN RRSIG A 8 3 3600 20170609142855 20170512142855 48069 example.com. kK5LZnGi2VmVmKUXkVenYCQMHGqwhGaEOwjwVG9ScOVzvqNA+n7KWwxdLDsIVLgr/BjR9Cj9+HYB9hYMhk+LnsbHqf5ovY3+n7CV4v3MDWJBLYt7NHvXwoywbaD71w7koo0SUiBXMB/FyuxRj6BXEk4dlGh7mgHZXE+X/gCYxsM= + ENTRY_END + + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR AA NOERROR + SECTION QUESTION + ns.example.com. IN AAAA + SECTION AUTHORITY + example.com. 86400 IN SOA ns.example.com. example.com. 2002022401 10800 15 604800 10800 + example.com. 86400 IN RRSIG SOA 8 2 86400 20170609142855 20170512142855 48069 example.com. fr6oVOsRMnm3D8N01LxzPvT9lWdNDhTlmwR1co42c3H2ra1EjbbKqkLcrXQAsq7E/ddzqgL3RnYS+3USojXycI1xhjXC8YT2xsW3uH8uTY1Qvk1K75lu1OXmDiU6wvHplFowl0OX7sx76lB1itbvsau4bMPMt03sf4u8po7V35s= + ENTRY_END + + ; response to A query + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + example.com. IN A + SECTION ANSWER + example.com. 3600 IN A 5.6.7.8 + example.com. 3600 IN RRSIG A 8 2 3600 20170609142855 20170512142855 48069 example.com. Qviw6w8ReMG2WZxenvzj/YwoeM3Ln59Fnw6s1MRWGsD2yA3+y0loFdUEHZdRhrEiV0kvtQGC+kBhMuSMq/cyjprbKLw5pkS9+MMDDnVPP1PQb17LY4NIxPtq710AN1sjhBK6PVa6XN+3ciUmCcLs1ESviQkVKpgAY/QlV0TaarQ= + SECTION AUTHORITY + example.com. IN NS ns.example.com. + example.com. 3600 IN RRSIG NS 8 2 3600 20170609142855 20170512142855 48069 example.com. SYFM1dsPEly0PjdShX8EsRnpq6XTysrvUBWB+LjGaC0wn3RFd0A2TG3WhVkUxhjTzRjt9jn3rz+JUJyybrhBkYXjBeBBjLep6Le7PQSct+FFDTIuX8duixfOzEN5LSYRMUnSuAq/z0LJHUB6nqTw8XWRm6EIImdEBc6D0u1KSes= + SECTION ADDITIONAL + ns.example.com. IN A 1.2.3.4 + ns.example.com. 3600 IN RRSIG A 8 3 3600 20170609142855 20170512142855 48069 example.com. kK5LZnGi2VmVmKUXkVenYCQMHGqwhGaEOwjwVG9ScOVzvqNA+n7KWwxdLDsIVLgr/BjR9Cj9+HYB9hYMhk+LnsbHqf5ovY3+n7CV4v3MDWJBLYt7NHvXwoywbaD71w7koo0SUiBXMB/FyuxRj6BXEk4dlGh7mgHZXE+X/gCYxsM= + ENTRY_END + + ; response to IPSECKEY query + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + example.com. IN IPSECKEY + SECTION ANSWER + example.com. 3600 IN IPSECKEY 10 0 2 . AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ== + ;(correct answer) example.com. 3600 IN RRSIG IPSECKEY 8 2 3600 20170609144114 20170512144114 48069 example.com. UqRbG6P8mWQEVt16j86cS6fqEN8c+5t8qtePr9ghRqIxeuPOCkLiSqmXQYcQbOeOK4YoWQ3gD2az2JMWQMxEKeBLpxXZbgZN+2uIZ9LLEkyYjGRulr9kameKTM1feSe31A9mR9IgMNrY/ZeUkfxC+8Q7s8avOqYH2jVMFUg9raE= + ; (bogus answer) + example.com. 3600 IN RRSIG IPSECKEY 8 2 3600 20170609144114 20170512144114 48069 example.com. Bogus6P8mWQEVt16j86cS6fqEN8c+5t8qtePr9ghRqIxeuPOCkLiSqmXQYcQbOeOK4YoWQ3gD2az2JMWQMxEKeBLpxXZbgZN+2uIZ9LLEkyYjGRulr9kameKTM1feSe31A9mR9IgMNrY/ZeUkfxC+8Q7s8avOqYH2jVMFUg9raE= + SECTION AUTHORITY + example.com. IN NS ns.example.com. + example.com. 3600 IN RRSIG NS 8 2 3600 20170609142855 20170512142855 48069 example.com. SYFM1dsPEly0PjdShX8EsRnpq6XTysrvUBWB+LjGaC0wn3RFd0A2TG3WhVkUxhjTzRjt9jn3rz+JUJyybrhBkYXjBeBBjLep6Le7PQSct+FFDTIuX8duixfOzEN5LSYRMUnSuAq/z0LJHUB6nqTw8XWRm6EIImdEBc6D0u1KSes= + SECTION ADDITIONAL + ns.example.com. IN A 1.2.3.4 + ns.example.com. 3600 IN RRSIG A 8 3 3600 20170609142855 20170512142855 48069 example.com. kK5LZnGi2VmVmKUXkVenYCQMHGqwhGaEOwjwVG9ScOVzvqNA+n7KWwxdLDsIVLgr/BjR9Cj9+HYB9hYMhk+LnsbHqf5ovY3+n7CV4v3MDWJBLYt7NHvXwoywbaD71w7koo0SUiBXMB/FyuxRj6BXEk4dlGh7mgHZXE+X/gCYxsM= + ENTRY_END + +; response to DNSKEY priming query + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR AA NOERROR + SECTION QUESTION + example.com. IN DNSKEY + SECTION ANSWER + example.com. 86400 IN DNSKEY 256 3 8 AwEAAddE7q1HL4Id+gpQ7imk+RyNEhCWgtew5tstsqIR/fXq0RBn0rF4SI1H6ysbb3nfqAV1xRDJ01ddpgfGyz9zXXHQ/H/9qEpeWapqfNTQ5GHHdxBL2iST7XusThfXEyX/pouKIpvtknvtLs8tmH64dajxoJkaejU2EKXKaBaRKcYx ;{id = 48069 (zsk), size = 1024b} + example.com. 86400 IN RRSIG DNSKEY 8 2 86400 20170609144114 20170512144114 48069 example.com. mJU3LnubfYW7vhksiC1STWbrSjCe6TG1kEpnk4jRrYovues6bzOTIFSXEMjPW1mikulapnx3nMtTWdrW2InjfP9wLV/u2Wx1Vu3s9uzli/27y//3DOkZSeBa5RZdKpC1h8UB5GAxq4MRiSidgEBB1qaDIaE29sWmn9kPHEgNcgI= + SECTION AUTHORITY + example.com. IN NS ns.example.com. + example.com. 3600 IN RRSIG NS 8 2 3600 20170609142855 20170512142855 48069 example.com. SYFM1dsPEly0PjdShX8EsRnpq6XTysrvUBWB+LjGaC0wn3RFd0A2TG3WhVkUxhjTzRjt9jn3rz+JUJyybrhBkYXjBeBBjLep6Le7PQSct+FFDTIuX8duixfOzEN5LSYRMUnSuAq/z0LJHUB6nqTw8XWRm6EIImdEBc6D0u1KSes= + SECTION ADDITIONAL + ns.example.com. IN A 1.2.3.4 + ns.example.com. 3600 IN RRSIG A 8 3 3600 20170609142855 20170512142855 48069 example.com. kK5LZnGi2VmVmKUXkVenYCQMHGqwhGaEOwjwVG9ScOVzvqNA+n7KWwxdLDsIVLgr/BjR9Cj9+HYB9hYMhk+LnsbHqf5ovY3+n7CV4v3MDWJBLYt7NHvXwoywbaD71w7koo0SUiBXMB/FyuxRj6BXEk4dlGh7mgHZXE+X/gCYxsM= + ENTRY_END +RANGE_END + +STEP 1 QUERY +ENTRY_BEGIN + REPLY RD + SECTION QUESTION + example.com. IN A +ENTRY_END + +STEP 2 CHECK_OUT_QUERY +ENTRY_BEGIN + MATCH qname qtype opcode + SECTION QUESTION + example.com. IN IPSECKEY +ENTRY_END + +; recursion happens here. +STEP 10 CHECK_ANSWER + ENTRY_BEGIN + MATCH all + REPLY QR RD RA SERVFAIL + SECTION QUESTION + example.com. IN A + SECTION ANSWER +ENTRY_END + +; Query without RD, check if not cached +STEP 11 QUERY +ENTRY_BEGIN + SECTION QUESTION + example.com. IN A +ENTRY_END + +STEP 20 CHECK_ANSWER + ENTRY_BEGIN + MATCH all + REPLY QR RA NOERROR + SECTION QUESTION + example.com. IN A + SECTION ANSWER + SECTION AUTHORITY + example.com. IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. IN A 1.2.3.4 +ENTRY_END + +SCENARIO_END diff --git a/testdata/ipsecmod_enabled.crpl b/testdata/ipsecmod_enabled.crpl new file mode 100644 index 000000000..757abb967 --- /dev/null +++ b/testdata/ipsecmod_enabled.crpl @@ -0,0 +1,219 @@ +; Test ipsecmod-enabled option. + +; config options +server: + access-control: 127.0.0.1 allow_snoop + module-config: "ipsecmod validator iterator" + ; ../../ is there because the test runs from testdata/03-testbound.dir + ipsecmod-hook: "../../testdata/ipsecmod_hook.sh" + ipsecmod-strict: no + ipsecmod-max-ttl: 200 + ipsecmod-enabled: no + +stub-zone: + name: "." + stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. +CONFIG_END + +SCENARIO_BEGIN Test ipsecmod-enabled option +; Scenario overview: +; - query for example.com. IN A +; - check that we get an answer for example.com. IN A with the correct TTL +; - check that the get the same answer from cache +; - check that we don't get the IPSECKEY answer from cache + +; K.ROOT-SERVERS.NET. +RANGE_BEGIN 0 100 + ADDRESS 193.0.14.129 + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + . IN NS + SECTION ANSWER + . IN NS K.ROOT-SERVERS.NET. + SECTION ADDITIONAL + K.ROOT-SERVERS.NET. IN A 193.0.14.129 + ENTRY_END + + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR AA NOERROR + SECTION QUESTION + a.gtld-servers.net. IN AAAA + SECTION AUTHORITY + . 86400 IN SOA . . 20070304 28800 7200 604800 86400 + ENTRY_END + + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR AA NOERROR + SECTION QUESTION + K.ROOT-SERVERS.NET. IN AAAA + SECTION AUTHORITY + . 86400 IN SOA . . 20070304 28800 7200 604800 86400 + ENTRY_END + + ENTRY_BEGIN + MATCH opcode subdomain + ADJUST copy_id copy_query + REPLY QR NOERROR + SECTION QUESTION + com. IN A + SECTION AUTHORITY + com. IN NS a.gtld-servers.net. + SECTION ADDITIONAL + a.gtld-servers.net. IN A 192.5.6.30 + ENTRY_END +RANGE_END + +; a.gtld-servers.net. +RANGE_BEGIN 0 100 + ADDRESS 192.5.6.30 + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + com. IN NS + SECTION ANSWER + com. IN NS a.gtld-servers.net. + SECTION ADDITIONAL + a.gtld-servers.net. IN A 192.5.6.30 + ENTRY_END + + ENTRY_BEGIN + MATCH opcode subdomain + ADJUST copy_id copy_query + REPLY QR NOERROR + SECTION QUESTION + example.com. IN A + SECTION AUTHORITY + example.com. IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. IN A 1.2.3.4 + ENTRY_END +RANGE_END + +; ns.example.com. +RANGE_BEGIN 0 100 + ADDRESS 1.2.3.4 + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + example.com. IN NS + SECTION ANSWER + example.com. IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. IN A 1.2.3.4 + ENTRY_END + + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR AA NOERROR + SECTION QUESTION + ns.example.com. IN AAAA + SECTION AUTHORITY + example.com. 10 IN SOA . . 15 28800 7200 604800 10 + ENTRY_END + + ; response to A query + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + example.com. IN A + SECTION ANSWER + example.com. 3600 IN A 5.6.7.8 + SECTION AUTHORITY + example.com. IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. IN A 1.2.3.4 + ENTRY_END + + ; response to IPSECKEY query + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + example.com. IN IPSECKEY + SECTION ANSWER + example.com. 3600 IN IPSECKEY 10 0 2 . AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ== + SECTION AUTHORITY + example.com. IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. IN A 1.2.3.4 + ENTRY_END +RANGE_END + +; Query with RD flag +STEP 1 QUERY +ENTRY_BEGIN + REPLY RD + SECTION QUESTION + example.com. IN A +ENTRY_END + +STEP 10 CHECK_ANSWER +ENTRY_BEGIN + MATCH all ttl + REPLY QR RD RA NOERROR + SECTION QUESTION + example.com. IN A + SECTION ANSWER + example.com. 3600 IN A 5.6.7.8 + SECTION AUTHORITY + example.com. IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. IN A 1.2.3.4 +ENTRY_END + +; Query without RD, check if cached and with correct TTL +STEP 11 QUERY +ENTRY_BEGIN + SECTION QUESTION + example.com. IN A +ENTRY_END + +STEP 20 CHECK_ANSWER +ENTRY_BEGIN + MATCH all ttl + REPLY QR RA NOERROR + SECTION QUESTION + example.com. IN A + SECTION ANSWER + example.com. 3600 IN A 5.6.7.8 + SECTION AUTHORITY + example.com. IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. IN A 1.2.3.4 +ENTRY_END + +; Query without RD, check if IPSECKEY cached +STEP 21 QUERY +ENTRY_BEGIN + SECTION QUESTION + example.com. IN IPSECKEY +ENTRY_END + +STEP 30 CHECK_ANSWER +ENTRY_BEGIN + MATCH all + REPLY QR RA NOERROR + SECTION QUESTION + example.com. IN IPSECKEY + SECTION AUTHORITY + example.com. IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. IN A 1.2.3.4 +ENTRY_END + +SCENARIO_END diff --git a/testdata/ipsecmod_hook.sh b/testdata/ipsecmod_hook.sh new file mode 100755 index 000000000..a418cb591 --- /dev/null +++ b/testdata/ipsecmod_hook.sh @@ -0,0 +1,2 @@ +echo " ---[ IPsec external hook FAIL; only care if ipsecmod-strict: yes ]---" +exit 1 diff --git a/testdata/ipsecmod_ignore_bogus_ipseckey.crpl b/testdata/ipsecmod_ignore_bogus_ipseckey.crpl new file mode 100644 index 000000000..b97779085 --- /dev/null +++ b/testdata/ipsecmod_ignore_bogus_ipseckey.crpl @@ -0,0 +1,257 @@ +; Test ipsecmod-ignore-bogus option + +; config options +; The island of trust is at example.com +server: + trust-anchor: "example.com. IN DS 48069 8 2 fce2bcb0d88b828064faad58e935ca2e32ff0bbd8bd8407a8f344d8f8e8c438a" + val-override-date: "-1" + target-fetch-policy: "0 0 0 0 0" + # test that default value of harden-dnssec-stripped is still yes. + fake-sha1: yes + access-control: 127.0.0.1 allow_snoop + module-config: "ipsecmod validator iterator" + ; ../../ is there because the test runs from testdata/03-testbound.dir + ipsecmod-hook: "../../testdata/ipsecmod_hook.sh" + ipsecmod-strict: no + ipsecmod-max-ttl: 200 + ipsecmod-ignore-bogus: yes + +stub-zone: + name: "." + stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. +CONFIG_END + +SCENARIO_BEGIN Test ipsecmod-ignore-bogus option +; Scenario overview: +; - query for example.com. IN A +; - check that query for example.com. IN IPSECKEY is generated +; - check that we get an answer for example.com. IN A with the correct TTL +; - check that the get the same answer from cache +; - check that we don't get the IPSECKEY answer from cache (bogus) + +; K.ROOT-SERVERS.NET. +RANGE_BEGIN 0 100 + ADDRESS 193.0.14.129 + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + . IN NS + SECTION ANSWER + . IN NS K.ROOT-SERVERS.NET. + SECTION ADDITIONAL + K.ROOT-SERVERS.NET. IN A 193.0.14.129 + ENTRY_END + + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR AA NOERROR + SECTION QUESTION + a.gtld-servers.net. IN AAAA + SECTION AUTHORITY + . 86400 IN SOA . . 20070304 28800 7200 604800 86400 + ENTRY_END + + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR AA NOERROR + SECTION QUESTION + K.ROOT-SERVERS.NET. IN AAAA + SECTION AUTHORITY + . 86400 IN SOA . . 20070304 28800 7200 604800 86400 + ENTRY_END + + ENTRY_BEGIN + MATCH opcode subdomain + ADJUST copy_id copy_query + REPLY QR NOERROR + SECTION QUESTION + com. IN A + SECTION AUTHORITY + com. IN NS a.gtld-servers.net. + SECTION ADDITIONAL + a.gtld-servers.net. IN A 192.5.6.30 + ENTRY_END +RANGE_END + +; a.gtld-servers.net. +RANGE_BEGIN 0 100 + ADDRESS 192.5.6.30 + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + com. IN NS + SECTION ANSWER + com. IN NS a.gtld-servers.net. + SECTION ADDITIONAL + a.gtld-servers.net. IN A 192.5.6.30 + ENTRY_END + + ENTRY_BEGIN + MATCH opcode subdomain + ADJUST copy_id copy_query + REPLY QR NOERROR + SECTION QUESTION + example.com. IN A + SECTION AUTHORITY + example.com. IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. IN A 1.2.3.4 + ENTRY_END +RANGE_END + +; ns.example.com. +RANGE_BEGIN 0 100 + ADDRESS 1.2.3.4 + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + example.com. IN NS + SECTION ANSWER + example.com. IN NS ns.example.com. + example.com. 3600 IN RRSIG NS 8 2 3600 20170609142855 20170512142855 48069 example.com. SYFM1dsPEly0PjdShX8EsRnpq6XTysrvUBWB+LjGaC0wn3RFd0A2TG3WhVkUxhjTzRjt9jn3rz+JUJyybrhBkYXjBeBBjLep6Le7PQSct+FFDTIuX8duixfOzEN5LSYRMUnSuAq/z0LJHUB6nqTw8XWRm6EIImdEBc6D0u1KSes= + SECTION ADDITIONAL + ns.example.com. IN A 1.2.3.4 + ns.example.com. 3600 IN RRSIG A 8 3 3600 20170609142855 20170512142855 48069 example.com. kK5LZnGi2VmVmKUXkVenYCQMHGqwhGaEOwjwVG9ScOVzvqNA+n7KWwxdLDsIVLgr/BjR9Cj9+HYB9hYMhk+LnsbHqf5ovY3+n7CV4v3MDWJBLYt7NHvXwoywbaD71w7koo0SUiBXMB/FyuxRj6BXEk4dlGh7mgHZXE+X/gCYxsM= + ENTRY_END + + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR AA NOERROR + SECTION QUESTION + ns.example.com. IN AAAA + SECTION AUTHORITY + example.com. 86400 IN SOA ns.example.com. example.com. 2002022401 10800 15 604800 10800 + example.com. 86400 IN RRSIG SOA 8 2 86400 20170609142855 20170512142855 48069 example.com. fr6oVOsRMnm3D8N01LxzPvT9lWdNDhTlmwR1co42c3H2ra1EjbbKqkLcrXQAsq7E/ddzqgL3RnYS+3USojXycI1xhjXC8YT2xsW3uH8uTY1Qvk1K75lu1OXmDiU6wvHplFowl0OX7sx76lB1itbvsau4bMPMt03sf4u8po7V35s= + ENTRY_END + + ; response to A query + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + example.com. IN A + SECTION ANSWER + example.com. 3600 IN A 5.6.7.8 + example.com. 3600 IN RRSIG A 8 2 3600 20170609142855 20170512142855 48069 example.com. Qviw6w8ReMG2WZxenvzj/YwoeM3Ln59Fnw6s1MRWGsD2yA3+y0loFdUEHZdRhrEiV0kvtQGC+kBhMuSMq/cyjprbKLw5pkS9+MMDDnVPP1PQb17LY4NIxPtq710AN1sjhBK6PVa6XN+3ciUmCcLs1ESviQkVKpgAY/QlV0TaarQ= + SECTION AUTHORITY + example.com. IN NS ns.example.com. + example.com. 3600 IN RRSIG NS 8 2 3600 20170609142855 20170512142855 48069 example.com. SYFM1dsPEly0PjdShX8EsRnpq6XTysrvUBWB+LjGaC0wn3RFd0A2TG3WhVkUxhjTzRjt9jn3rz+JUJyybrhBkYXjBeBBjLep6Le7PQSct+FFDTIuX8duixfOzEN5LSYRMUnSuAq/z0LJHUB6nqTw8XWRm6EIImdEBc6D0u1KSes= + SECTION ADDITIONAL + ns.example.com. IN A 1.2.3.4 + ns.example.com. 3600 IN RRSIG A 8 3 3600 20170609142855 20170512142855 48069 example.com. kK5LZnGi2VmVmKUXkVenYCQMHGqwhGaEOwjwVG9ScOVzvqNA+n7KWwxdLDsIVLgr/BjR9Cj9+HYB9hYMhk+LnsbHqf5ovY3+n7CV4v3MDWJBLYt7NHvXwoywbaD71w7koo0SUiBXMB/FyuxRj6BXEk4dlGh7mgHZXE+X/gCYxsM= + ENTRY_END + + ; response to IPSECKEY query + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + example.com. IN IPSECKEY + SECTION ANSWER + example.com. 3600 IN IPSECKEY 10 0 2 . AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ== + ;(correct answer) example.com. 3600 IN RRSIG IPSECKEY 8 2 3600 20170609144114 20170512144114 48069 example.com. UqRbG6P8mWQEVt16j86cS6fqEN8c+5t8qtePr9ghRqIxeuPOCkLiSqmXQYcQbOeOK4YoWQ3gD2az2JMWQMxEKeBLpxXZbgZN+2uIZ9LLEkyYjGRulr9kameKTM1feSe31A9mR9IgMNrY/ZeUkfxC+8Q7s8avOqYH2jVMFUg9raE= + ; (bogus answer) + example.com. 3600 IN RRSIG IPSECKEY 8 2 3600 20170609144114 20170512144114 48069 example.com. Bogus6P8mWQEVt16j86cS6fqEN8c+5t8qtePr9ghRqIxeuPOCkLiSqmXQYcQbOeOK4YoWQ3gD2az2JMWQMxEKeBLpxXZbgZN+2uIZ9LLEkyYjGRulr9kameKTM1feSe31A9mR9IgMNrY/ZeUkfxC+8Q7s8avOqYH2jVMFUg9raE= + SECTION AUTHORITY + example.com. IN NS ns.example.com. + example.com. 3600 IN RRSIG NS 8 2 3600 20170609142855 20170512142855 48069 example.com. SYFM1dsPEly0PjdShX8EsRnpq6XTysrvUBWB+LjGaC0wn3RFd0A2TG3WhVkUxhjTzRjt9jn3rz+JUJyybrhBkYXjBeBBjLep6Le7PQSct+FFDTIuX8duixfOzEN5LSYRMUnSuAq/z0LJHUB6nqTw8XWRm6EIImdEBc6D0u1KSes= + SECTION ADDITIONAL + ns.example.com. IN A 1.2.3.4 + ns.example.com. 3600 IN RRSIG A 8 3 3600 20170609142855 20170512142855 48069 example.com. kK5LZnGi2VmVmKUXkVenYCQMHGqwhGaEOwjwVG9ScOVzvqNA+n7KWwxdLDsIVLgr/BjR9Cj9+HYB9hYMhk+LnsbHqf5ovY3+n7CV4v3MDWJBLYt7NHvXwoywbaD71w7koo0SUiBXMB/FyuxRj6BXEk4dlGh7mgHZXE+X/gCYxsM= + ENTRY_END + +; response to DNSKEY priming query + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR AA NOERROR + SECTION QUESTION + example.com. IN DNSKEY + SECTION ANSWER + example.com. 86400 IN DNSKEY 256 3 8 AwEAAddE7q1HL4Id+gpQ7imk+RyNEhCWgtew5tstsqIR/fXq0RBn0rF4SI1H6ysbb3nfqAV1xRDJ01ddpgfGyz9zXXHQ/H/9qEpeWapqfNTQ5GHHdxBL2iST7XusThfXEyX/pouKIpvtknvtLs8tmH64dajxoJkaejU2EKXKaBaRKcYx ;{id = 48069 (zsk), size = 1024b} + example.com. 86400 IN RRSIG DNSKEY 8 2 86400 20170609144114 20170512144114 48069 example.com. mJU3LnubfYW7vhksiC1STWbrSjCe6TG1kEpnk4jRrYovues6bzOTIFSXEMjPW1mikulapnx3nMtTWdrW2InjfP9wLV/u2Wx1Vu3s9uzli/27y//3DOkZSeBa5RZdKpC1h8UB5GAxq4MRiSidgEBB1qaDIaE29sWmn9kPHEgNcgI= + SECTION AUTHORITY + example.com. IN NS ns.example.com. + example.com. 3600 IN RRSIG NS 8 2 3600 20170609142855 20170512142855 48069 example.com. SYFM1dsPEly0PjdShX8EsRnpq6XTysrvUBWB+LjGaC0wn3RFd0A2TG3WhVkUxhjTzRjt9jn3rz+JUJyybrhBkYXjBeBBjLep6Le7PQSct+FFDTIuX8duixfOzEN5LSYRMUnSuAq/z0LJHUB6nqTw8XWRm6EIImdEBc6D0u1KSes= + SECTION ADDITIONAL + ns.example.com. IN A 1.2.3.4 + ns.example.com. 3600 IN RRSIG A 8 3 3600 20170609142855 20170512142855 48069 example.com. kK5LZnGi2VmVmKUXkVenYCQMHGqwhGaEOwjwVG9ScOVzvqNA+n7KWwxdLDsIVLgr/BjR9Cj9+HYB9hYMhk+LnsbHqf5ovY3+n7CV4v3MDWJBLYt7NHvXwoywbaD71w7koo0SUiBXMB/FyuxRj6BXEk4dlGh7mgHZXE+X/gCYxsM= + ENTRY_END +RANGE_END + +STEP 1 QUERY +ENTRY_BEGIN + REPLY RD + SECTION QUESTION + example.com. IN A +ENTRY_END + +STEP 2 CHECK_OUT_QUERY +ENTRY_BEGIN + MATCH qname qtype opcode + SECTION QUESTION + example.com. IN IPSECKEY +ENTRY_END + +STEP 10 CHECK_ANSWER +ENTRY_BEGIN + MATCH all ttl + REPLY QR RD RA NOERROR + SECTION QUESTION + example.com. IN A + SECTION ANSWER + example.com. 200 IN A 5.6.7.8 + SECTION AUTHORITY + example.com. IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. IN A 1.2.3.4 +ENTRY_END + +; Query without RD, check if cached and with correct TTL +STEP 11 QUERY +ENTRY_BEGIN + SECTION QUESTION + example.com. IN A +ENTRY_END + +STEP 20 CHECK_ANSWER +ENTRY_BEGIN + MATCH all ttl + REPLY QR RA NOERROR + SECTION QUESTION + example.com. IN A + SECTION ANSWER + example.com. 200 IN A 5.6.7.8 + SECTION AUTHORITY + example.com. IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. IN A 1.2.3.4 +ENTRY_END + +; Query without RD, check if IPSECKEY is not cached +STEP 21 QUERY +ENTRY_BEGIN + SECTION QUESTION + example.com. IN IPSECKEY +ENTRY_END + +STEP 30 CHECK_ANSWER +ENTRY_BEGIN + MATCH all + REPLY QR RA SERVFAIL + SECTION QUESTION + example.com. IN IPSECKEY +ENTRY_END + +SCENARIO_END diff --git a/testdata/ipsecmod_max_ttl.crpl b/testdata/ipsecmod_max_ttl.crpl new file mode 100644 index 000000000..633dbe528 --- /dev/null +++ b/testdata/ipsecmod_max_ttl.crpl @@ -0,0 +1,228 @@ +; Test ipsecmod-max-ttl option. + +; config options +server: + access-control: 127.0.0.1 allow_snoop + module-config: "ipsecmod validator iterator" + ; ../../ is there because the test runs from testdata/03-testbound.dir + ipsecmod-hook: "../../testdata/ipsecmod_hook.sh" + ipsecmod-strict: no + ipsecmod-max-ttl: 200 + +stub-zone: + name: "." + stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. +CONFIG_END + +SCENARIO_BEGIN Test ipsecmod-max-ttl option +; Scenario overview: +; - query for example.com. IN A +; - check that query for example.com. IN IPSECKEY is generated +; - check that we get an answer for example.com. IN A with the correct TTL +; - check that the get the same answer from cache +; - check that we get the IPSECKEY answer from cache + +; K.ROOT-SERVERS.NET. +RANGE_BEGIN 0 100 + ADDRESS 193.0.14.129 + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + . IN NS + SECTION ANSWER + . IN NS K.ROOT-SERVERS.NET. + SECTION ADDITIONAL + K.ROOT-SERVERS.NET. IN A 193.0.14.129 + ENTRY_END + + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR AA NOERROR + SECTION QUESTION + a.gtld-servers.net. IN AAAA + SECTION AUTHORITY + . 86400 IN SOA . . 20070304 28800 7200 604800 86400 + ENTRY_END + + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR AA NOERROR + SECTION QUESTION + K.ROOT-SERVERS.NET. IN AAAA + SECTION AUTHORITY + . 86400 IN SOA . . 20070304 28800 7200 604800 86400 + ENTRY_END + + ENTRY_BEGIN + MATCH opcode subdomain + ADJUST copy_id copy_query + REPLY QR NOERROR + SECTION QUESTION + com. IN A + SECTION AUTHORITY + com. IN NS a.gtld-servers.net. + SECTION ADDITIONAL + a.gtld-servers.net. IN A 192.5.6.30 + ENTRY_END +RANGE_END + +; a.gtld-servers.net. +RANGE_BEGIN 0 100 + ADDRESS 192.5.6.30 + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + com. IN NS + SECTION ANSWER + com. IN NS a.gtld-servers.net. + SECTION ADDITIONAL + a.gtld-servers.net. IN A 192.5.6.30 + ENTRY_END + + ENTRY_BEGIN + MATCH opcode subdomain + ADJUST copy_id copy_query + REPLY QR NOERROR + SECTION QUESTION + example.com. IN A + SECTION AUTHORITY + example.com. IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. IN A 1.2.3.4 + ENTRY_END +RANGE_END + +; ns.example.com. +RANGE_BEGIN 0 100 + ADDRESS 1.2.3.4 + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + example.com. IN NS + SECTION ANSWER + example.com. IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. IN A 1.2.3.4 + ENTRY_END + + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR AA NOERROR + SECTION QUESTION + ns.example.com. IN AAAA + SECTION AUTHORITY + example.com. 10 IN SOA . . 15 28800 7200 604800 10 + ENTRY_END + + ; response to A query + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + example.com. IN A + SECTION ANSWER + example.com. 3600 IN A 5.6.7.8 + SECTION AUTHORITY + example.com. IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. IN A 1.2.3.4 + ENTRY_END + + ; response to IPSECKEY query + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + example.com. IN IPSECKEY + SECTION ANSWER + example.com. 3600 IN IPSECKEY 10 0 2 . AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ== + SECTION AUTHORITY + example.com. IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. IN A 1.2.3.4 + ENTRY_END +RANGE_END + +; Query with RD flag +STEP 1 QUERY +ENTRY_BEGIN + REPLY RD + SECTION QUESTION + example.com. IN A +ENTRY_END + +STEP 2 CHECK_OUT_QUERY +ENTRY_BEGIN + MATCH qname qtype opcode + SECTION QUESTION + example.com. IN IPSECKEY +ENTRY_END + +STEP 10 CHECK_ANSWER +ENTRY_BEGIN + MATCH all ttl + REPLY QR RD RA NOERROR + SECTION QUESTION + example.com. IN A + SECTION ANSWER + example.com. 200 IN A 5.6.7.8 + SECTION AUTHORITY + example.com. IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. IN A 1.2.3.4 +ENTRY_END + +; Query without RD, check if cached and with correct TTL +STEP 11 QUERY +ENTRY_BEGIN + SECTION QUESTION + example.com. IN A +ENTRY_END + +STEP 20 CHECK_ANSWER +ENTRY_BEGIN + MATCH all ttl + REPLY QR RA NOERROR + SECTION QUESTION + example.com. IN A + SECTION ANSWER + example.com. 200 IN A 5.6.7.8 + SECTION AUTHORITY + example.com. IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. IN A 1.2.3.4 +ENTRY_END + +; Query without RD, check if IPSECKEY cached +STEP 21 QUERY +ENTRY_BEGIN + SECTION QUESTION + example.com. IN IPSECKEY +ENTRY_END + +STEP 30 CHECK_ANSWER +ENTRY_BEGIN + MATCH all + REPLY QR RA NOERROR + SECTION QUESTION + example.com. IN IPSECKEY + SECTION ANSWER + example.com. 3600 IN IPSECKEY 10 0 2 . AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ== + SECTION AUTHORITY + example.com. IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. IN A 1.2.3.4 +ENTRY_END + +SCENARIO_END diff --git a/testdata/ipsecmod_strict.crpl b/testdata/ipsecmod_strict.crpl new file mode 100644 index 000000000..1969b3b25 --- /dev/null +++ b/testdata/ipsecmod_strict.crpl @@ -0,0 +1,217 @@ +; Test ipsecmod-strict option + +; config options +server: + access-control: 127.0.0.1 allow_snoop + module-config: "ipsecmod validator iterator" + ; ../../ is there because the test runs from testdata/03-testbound.dir + ipsecmod-hook: "../../testdata/ipsecmod_hook.sh" + ipsecmod-strict: yes + ipsecmod-max-ttl: 200 + +stub-zone: + name: "." + stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. +CONFIG_END + +SCENARIO_BEGIN Test ipsecmod-strict option +; Scenario overview: +; - query for example.com. IN A +; - check that query for example.com. IN IPSECKEY is generated +; - check that we get SERVFAIL as answer (the hook failed) +; - check that the example.com. IN A answer is not cached +; - check that the example.com. IN IPSECKEY answer is cached + +; K.ROOT-SERVERS.NET. +RANGE_BEGIN 0 100 + ADDRESS 193.0.14.129 + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + . IN NS + SECTION ANSWER + . IN NS K.ROOT-SERVERS.NET. + SECTION ADDITIONAL + K.ROOT-SERVERS.NET. IN A 193.0.14.129 + ENTRY_END + + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR AA NOERROR + SECTION QUESTION + a.gtld-servers.net. IN AAAA + SECTION AUTHORITY + . 86400 IN SOA . . 20070304 28800 7200 604800 86400 + ENTRY_END + + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR AA NOERROR + SECTION QUESTION + K.ROOT-SERVERS.NET. IN AAAA + SECTION AUTHORITY + . 86400 IN SOA . . 20070304 28800 7200 604800 86400 + ENTRY_END + + ENTRY_BEGIN + MATCH opcode subdomain + ADJUST copy_id copy_query + REPLY QR NOERROR + SECTION QUESTION + com. IN A + SECTION AUTHORITY + com. IN NS a.gtld-servers.net. + SECTION ADDITIONAL + a.gtld-servers.net. IN A 192.5.6.30 + ENTRY_END +RANGE_END + +; a.gtld-servers.net. +RANGE_BEGIN 0 100 + ADDRESS 192.5.6.30 + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + com. IN NS + SECTION ANSWER + com. IN NS a.gtld-servers.net. + SECTION ADDITIONAL + a.gtld-servers.net. IN A 192.5.6.30 + ENTRY_END + + ENTRY_BEGIN + MATCH opcode subdomain + ADJUST copy_id copy_query + REPLY QR NOERROR + SECTION QUESTION + example.com. IN A + SECTION AUTHORITY + example.com. IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. IN A 1.2.3.4 + ENTRY_END +RANGE_END + +; ns.example.com. +RANGE_BEGIN 0 100 + ADDRESS 1.2.3.4 + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + example.com. IN NS + SECTION ANSWER + example.com. IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. IN A 1.2.3.4 + ENTRY_END + + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR AA NOERROR + SECTION QUESTION + ns.example.com. IN AAAA + SECTION AUTHORITY + example.com. 10 IN SOA . . 15 28800 7200 604800 10 + ENTRY_END + + ; response to A query + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + example.com. IN A + SECTION ANSWER + example.com. 3600 IN A 5.6.7.8 + SECTION AUTHORITY + example.com. IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. IN A 1.2.3.4 + ENTRY_END + + ; response to IPSECKEY query + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + example.com. IN IPSECKEY + SECTION ANSWER + example.com. 3600 IN IPSECKEY 10 0 2 . AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ== + SECTION AUTHORITY + example.com. IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. IN A 1.2.3.4 + ENTRY_END +RANGE_END + +STEP 1 QUERY +ENTRY_BEGIN + REPLY RD + SECTION QUESTION + example.com. IN A +ENTRY_END + +STEP 2 CHECK_OUT_QUERY +ENTRY_BEGIN + MATCH qname qtype opcode + SECTION QUESTION + example.com. IN IPSECKEY +ENTRY_END + +STEP 10 CHECK_ANSWER +ENTRY_BEGIN + MATCH all + REPLY QR RD RA SERVFAIL + SECTION QUESTION + example.com. IN A +ENTRY_END + +STEP 11 QUERY +ENTRY_BEGIN + SECTION QUESTION + example.com. IN A +ENTRY_END + +STEP 20 CHECK_ANSWER +ENTRY_BEGIN + MATCH all + REPLY QR RA NOERROR + SECTION QUESTION + example.com. IN A + SECTION AUTHORITY + example.com. IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. IN A 1.2.3.4 +ENTRY_END + +STEP 21 QUERY +ENTRY_BEGIN + SECTION QUESTION + example.com. IN IPSECKEY +ENTRY_END + +STEP 30 CHECK_ANSWER +ENTRY_BEGIN + MATCH all + REPLY QR RA NOERROR + SECTION QUESTION + example.com. IN IPSECKEY + SECTION ANSWER + example.com. 3600 IN IPSECKEY 10 0 2 . AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ== + SECTION AUTHORITY + example.com. IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. IN A 1.2.3.4 +ENTRY_END + +SCENARIO_END diff --git a/testdata/ipsecmod_whitelist.crpl b/testdata/ipsecmod_whitelist.crpl new file mode 100644 index 000000000..a185295fd --- /dev/null +++ b/testdata/ipsecmod_whitelist.crpl @@ -0,0 +1,294 @@ +; Test ipsecmod-whitelist option. + +; config options +server: + access-control: 127.0.0.1 allow_snoop + module-config: "ipsecmod validator iterator" + ; ../../ is there because the test runs from testdata/03-testbound.dir + ipsecmod-hook: "../../testdata/ipsecmod_hook.sh" + ipsecmod-strict: no + ipsecmod-max-ttl: 200 + ipsecmod-whitelist: white.example.com + +stub-zone: + name: "." + stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. +CONFIG_END + +SCENARIO_BEGIN Test ipsecmod-whitelist option +; Scenario overview: +; - query for black.example.com. IN A +; - check that we get an answer for black.example.com. IN A with the correct TTL +; - check that an answer for black.example.com. IN IPSECKEY is not cached (not given) +; - query for white.example.com. IN A +; - check that query for white.example.com. IN IPSECKEY is generated +; - check that we get an answer for white.example.com. IN A with the correct TTL +; - check that the get the same answer from cache +; - check that we get the IPSECKEY answer from cache + +; K.ROOT-SERVERS.NET. +RANGE_BEGIN 0 100 + ADDRESS 193.0.14.129 + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + . IN NS + SECTION ANSWER + . IN NS K.ROOT-SERVERS.NET. + SECTION ADDITIONAL + K.ROOT-SERVERS.NET. IN A 193.0.14.129 + ENTRY_END + + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR AA NOERROR + SECTION QUESTION + a.gtld-servers.net. IN AAAA + SECTION AUTHORITY + . 86400 IN SOA . . 20070304 28800 7200 604800 86400 + ENTRY_END + + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR AA NOERROR + SECTION QUESTION + K.ROOT-SERVERS.NET. IN AAAA + SECTION AUTHORITY + . 86400 IN SOA . . 20070304 28800 7200 604800 86400 + ENTRY_END + + ENTRY_BEGIN + MATCH opcode subdomain + ADJUST copy_id copy_query + REPLY QR NOERROR + SECTION QUESTION + com. IN A + SECTION AUTHORITY + com. IN NS a.gtld-servers.net. + SECTION ADDITIONAL + a.gtld-servers.net. IN A 192.5.6.30 + ENTRY_END +RANGE_END + +; a.gtld-servers.net. +RANGE_BEGIN 0 100 + ADDRESS 192.5.6.30 + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + com. IN NS + SECTION ANSWER + com. IN NS a.gtld-servers.net. + SECTION ADDITIONAL + a.gtld-servers.net. IN A 192.5.6.30 + ENTRY_END + + ENTRY_BEGIN + MATCH opcode subdomain + ADJUST copy_id copy_query + REPLY QR NOERROR + SECTION QUESTION + example.com. IN A + SECTION AUTHORITY + example.com. IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. IN A 1.2.3.4 + ENTRY_END +RANGE_END + +; ns.example.com. +RANGE_BEGIN 0 100 + ADDRESS 1.2.3.4 + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + example.com. IN NS + SECTION ANSWER + example.com. IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. IN A 1.2.3.4 + ENTRY_END + + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR AA NOERROR + SECTION QUESTION + ns.example.com. IN AAAA + SECTION AUTHORITY + example.com. 10 IN SOA . . 15 28800 7200 604800 10 + ENTRY_END + + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + white.example.com. IN A + SECTION ANSWER + white.example.com. 3600 IN A 5.6.7.8 + SECTION AUTHORITY + example.com. IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. IN A 1.2.3.4 + ENTRY_END + + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + white.example.com. IN IPSECKEY + SECTION ANSWER + white.example.com. 3600 IN IPSECKEY 10 0 2 . AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ== + SECTION AUTHORITY + example.com. IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. IN A 1.2.3.4 + ENTRY_END + + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + black.example.com. IN A + SECTION ANSWER + black.example.com. 3600 IN A 5.6.7.8 + SECTION AUTHORITY + example.com. IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. IN A 1.2.3.4 + ENTRY_END + + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + black.example.com. IN IPSECKEY + SECTION ANSWER + black.example.com. 3600 IN IPSECKEY 10 0 2 . AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ== + SECTION AUTHORITY + example.com. IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. IN A 1.2.3.4 + ENTRY_END +RANGE_END + +STEP 1 QUERY +ENTRY_BEGIN + REPLY RD + SECTION QUESTION + black.example.com. IN A +ENTRY_END + +STEP 10 CHECK_ANSWER +ENTRY_BEGIN + MATCH all ttl + REPLY QR RD RA NOERROR + SECTION QUESTION + black.example.com. IN A + SECTION ANSWER + black.example.com. 3600 IN A 5.6.7.8 + SECTION AUTHORITY + example.com. IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. IN A 1.2.3.4 +ENTRY_END + +STEP 11 QUERY +ENTRY_BEGIN + SECTION QUESTION + black.example.com. IN IPSECKEY +ENTRY_END + +STEP 12 CHECK_ANSWER +ENTRY_BEGIN + MATCH all + REPLY QR RA NOERROR + SECTION QUESTION + black.example.com. IN IPSECKEY + SECTION AUTHORITY + example.com. IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. IN A 1.2.3.4 +ENTRY_END + +STEP 20 QUERY +ENTRY_BEGIN + REPLY RD + SECTION QUESTION + white.example.com. IN A +ENTRY_END + +STEP 21 CHECK_OUT_QUERY +ENTRY_BEGIN + MATCH qname qtype opcode + SECTION QUESTION + white.example.com. IN IPSECKEY +ENTRY_END + +STEP 30 CHECK_ANSWER +ENTRY_BEGIN + MATCH all ttl + REPLY QR RD RA NOERROR + SECTION QUESTION + white.example.com. IN A + SECTION ANSWER + white.example.com. 200 IN A 5.6.7.8 + SECTION AUTHORITY + example.com. IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. IN A 1.2.3.4 +ENTRY_END + +STEP 31 QUERY +ENTRY_BEGIN + SECTION QUESTION + white.example.com. IN A +ENTRY_END + +STEP 40 CHECK_ANSWER +ENTRY_BEGIN + MATCH all ttl + REPLY QR RA NOERROR + SECTION QUESTION + white.example.com. IN A + SECTION ANSWER + white.example.com. 200 IN A 5.6.7.8 + SECTION AUTHORITY + example.com. IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. IN A 1.2.3.4 +ENTRY_END + +STEP 41 QUERY +ENTRY_BEGIN + SECTION QUESTION + white.example.com. IN IPSECKEY +ENTRY_END + +STEP 50 CHECK_ANSWER +ENTRY_BEGIN + MATCH all + REPLY QR RA NOERROR + SECTION QUESTION + white.example.com. IN IPSECKEY + SECTION ANSWER + white.example.com. 3600 IN IPSECKEY 10 0 2 . AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ== + SECTION AUTHORITY + example.com. IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. IN A 1.2.3.4 +ENTRY_END + +SCENARIO_END diff --git a/util/config_file.c b/util/config_file.c index a7d680154..0904b4089 100644 --- a/util/config_file.c +++ b/util/config_file.c @@ -280,6 +280,14 @@ config_create(void) cfg->dnscrypt_provider = NULL; cfg->dnscrypt_provider_cert = NULL; cfg->dnscrypt_secret_key = NULL; +#ifdef USE_IPSECMOD + cfg->ipsecmod_enabled = 1; + cfg->ipsecmod_ignore_bogus = 0; + cfg->ipsecmod_hook = NULL; + cfg->ipsecmod_max_ttl = 3600; + cfg->ipsecmod_whitelist = NULL; + cfg->ipsecmod_strict = 0; +#endif return cfg; error_exit: config_delete(cfg); @@ -568,6 +576,13 @@ int config_set_option(struct config_file* cfg, const char* opt, else S_NUMBER_OR_ZERO("ratelimit-factor:", ratelimit_factor) else S_YNO("qname-minimisation:", qname_minimisation) else S_YNO("qname-minimisation-strict:", qname_minimisation_strict) +#ifdef USE_IPSECMOD + else S_YNO("ipsecmod-enabled:", ipsecmod_enabled) + else S_YNO("ipsecmod-ignore-bogus:", ipsecmod_ignore_bogus) + else if(strcmp(opt, "ipsecmod-max-ttl:") == 0) + { IS_NUMBER_OR_ZERO; cfg->ipsecmod_max_ttl = atoi(val); } + else S_YNO("ipsecmod-strict:", ipsecmod_strict) +#endif else if(strcmp(opt, "define-tag:") ==0) { return config_add_tag(cfg, val); /* val_sig_skew_min and max are copied into val_env during init, @@ -589,15 +604,16 @@ int config_set_option(struct config_file* cfg, const char* opt, cfg->out_ifs = oi; } else { /* unknown or unsupported (from the set_option interface): - * interface, outgoing-interface, access-control, + * interface, outgoing-interface, access-control, * stub-zone, name, stub-addr, stub-host, stub-prime * forward-first, stub-first, forward-ssl-upstream, * stub-ssl-upstream, forward-zone, * name, forward-addr, forward-host, * ratelimit-for-domain, ratelimit-below-domain, - * local-zone-tag, access-control-view - * send-client-subnet client-subnet-always-forward - * max-client-subnet-ipv4 max-client-subnet-ipv6 */ + * local-zone-tag, access-control-view, + * send-client-subnet, client-subnet-always-forward, + * max-client-subnet-ipv4, max-client-subnet-ipv6, ipsecmod_hook, + * ipsecmod_whitelist. */ return 0; } return 1; @@ -931,6 +947,14 @@ config_get_option(struct config_file* cfg, const char* opt, else O_LS3(opt, "access-control-tag-action", acl_tag_actions) else O_LS3(opt, "access-control-tag-data", acl_tag_datas) else O_LS2(opt, "access-control-view", acl_view) +#ifdef USE_IPSECMOD + else O_YNO(opt, "ipsecmod-enabled", ipsecmod_enabled) + else O_YNO(opt, "ipsecmod-ignore-bogus", ipsecmod_ignore_bogus) + else O_STR(opt, "ipsecmod-hook", ipsecmod_hook) + else O_DEC(opt, "ipsecmod-max-ttl", ipsecmod_max_ttl) + else O_LST(opt, "ipsecmod-whitelist", ipsecmod_whitelist) + else O_YNO(opt, "ipsecmod-strict", ipsecmod_strict) +#endif /* not here: * outgoing-permit, outgoing-avoid - have list of ports * local-zone - zones and nodefault variables @@ -1226,6 +1250,10 @@ config_delete(struct config_file* cfg) free(cfg->dnstap_version); config_deldblstrlist(cfg->ratelimit_for_domain); config_deldblstrlist(cfg->ratelimit_below_domain); +#ifdef USE_IPSECMOD + free(cfg->ipsecmod_hook); + config_delstrlist(cfg->ipsecmod_whitelist); +#endif free(cfg); } diff --git a/util/config_file.h b/util/config_file.h index 6795fda48..9ccd6f117 100644 --- a/util/config_file.h +++ b/util/config_file.h @@ -460,6 +460,22 @@ struct config_file { struct config_strlist* dnscrypt_secret_key; /** dnscrypt provider certs 1.cert */ struct config_strlist* dnscrypt_provider_cert; + + /** IPsec module */ +#ifdef USE_IPSECMOD + /** false to bypass the IPsec module */ + int ipsecmod_enabled; + /** whitelisted domains for ipsecmod */ + struct config_strlist* ipsecmod_whitelist; + /** path to external hook */ + char* ipsecmod_hook; + /** true to proceed even with a bogus IPSECKEY */ + int ipsecmod_ignore_bogus; + /** max TTL for the A/AAAA records that call the hook */ + int ipsecmod_max_ttl; + /** false to proceed even when ipsecmod_hook fails */ + int ipsecmod_strict; +#endif }; /** from cfg username, after daemonise setup performed */ diff --git a/util/configlexer.lex b/util/configlexer.lex index ecb9b4c56..701df8ba4 100644 --- a/util/configlexer.lex +++ b/util/configlexer.lex @@ -416,6 +416,12 @@ dnscrypt-port{COLON} { YDVAR(1, VAR_DNSCRYPT_PORT) } dnscrypt-provider{COLON} { YDVAR(1, VAR_DNSCRYPT_PROVIDER) } dnscrypt-secret-key{COLON} { YDVAR(1, VAR_DNSCRYPT_SECRET_KEY) } dnscrypt-provider-cert{COLON} { YDVAR(1, VAR_DNSCRYPT_PROVIDER_CERT) } +ipsecmod-enabled{COLON} { YDVAR(1, VAR_IPSECMOD_ENABLED) } +ipsecmod-ignore-bogus{COLON} { YDVAR(1, VAR_IPSECMOD_IGNORE_BOGUS) } +ipsecmod-hook{COLON} { YDVAR(1, VAR_IPSECMOD_HOOK) } +ipsecmod-max-ttl{COLON} { YDVAR(1, VAR_IPSECMOD_MAX_TTL) } +ipsecmod-whitelist{COLON} { YDVAR(1, VAR_IPSECMOD_WHITELIST) } +ipsecmod-strict{COLON} { YDVAR(1, VAR_IPSECMOD_STRICT) } {NEWLINE} { LEXOUT(("NL\n")); cfg_parser->line++; } /* Quoted strings. Strip leading and ending quotes */ diff --git a/util/configparser.y b/util/configparser.y index 1be2bc876..98ce2f4fb 100644 --- a/util/configparser.y +++ b/util/configparser.y @@ -144,6 +144,8 @@ extern struct config_parser_state* cfg_parser; %token VAR_USE_SYSTEMD VAR_SHM_ENABLE VAR_SHM_KEY %token VAR_DNSCRYPT VAR_DNSCRYPT_ENABLE VAR_DNSCRYPT_PORT VAR_DNSCRYPT_PROVIDER %token VAR_DNSCRYPT_SECRET_KEY VAR_DNSCRYPT_PROVIDER_CERT +%token VAR_IPSECMOD_ENABLED VAR_IPSECMOD_HOOK VAR_IPSECMOD_IGNORE_BOGUS +%token VAR_IPSECMOD_MAX_TTL VAR_IPSECMOD_WHITELIST VAR_IPSECMOD_STRICT %% toplevelvars: /* empty */ | toplevelvars toplevelvar ; @@ -228,7 +230,10 @@ content_server: server_num_threads | server_verbosity | server_port | server_fake_dsa | server_log_identity | server_use_systemd | server_response_ip_tag | server_response_ip | server_response_ip_data | server_shm_enable | server_shm_key | server_fake_sha1 | - server_hide_trustanchor | server_trust_anchor_signaling + server_hide_trustanchor | server_trust_anchor_signaling | + server_ipsecmod_enabled | server_ipsecmod_hook | + server_ipsecmod_ignore_bogus | server_ipsecmod_max_ttl | + server_ipsecmod_whitelist | server_ipsecmod_strict ; stubstart: VAR_STUB_ZONE { @@ -1794,6 +1799,80 @@ server_qname_minimisation_strict: VAR_QNAME_MINIMISATION_STRICT STRING_ARG free($2); } ; +server_ipsecmod_enabled: VAR_IPSECMOD_ENABLED STRING_ARG + { + #ifdef USE_IPSECMOD + OUTYY(("P(server_ipsecmod_enabled:%s)\n", $2)); + if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) + yyerror("expected yes or no."); + else cfg_parser->cfg->ipsecmod_enabled = (strcmp($2, "yes")==0); + free($2); + #else + OUTYY(("P(Compiled without IPsec module, ignoring)\n")); + #endif + } + ; +server_ipsecmod_ignore_bogus: VAR_IPSECMOD_IGNORE_BOGUS STRING_ARG + { + #ifdef USE_IPSECMOD + OUTYY(("P(server_ipsecmod_ignore_bogus:%s)\n", $2)); + if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) + yyerror("expected yes or no."); + else cfg_parser->cfg->ipsecmod_ignore_bogus = (strcmp($2, "yes")==0); + free($2); + #else + OUTYY(("P(Compiled without IPsec module, ignoring)\n")); + #endif + } + ; +server_ipsecmod_hook: VAR_IPSECMOD_HOOK STRING_ARG + { + #ifdef USE_IPSECMOD + OUTYY(("P(server_ipsecmod_hook:%s)\n", $2)); + free(cfg_parser->cfg->ipsecmod_hook); + cfg_parser->cfg->ipsecmod_hook = $2; + #else + OUTYY(("P(Compiled without IPsec module, ignoring)\n")); + #endif + } + ; +server_ipsecmod_max_ttl: VAR_IPSECMOD_MAX_TTL STRING_ARG + { + #ifdef USE_IPSECMOD + OUTYY(("P(server_ipsecmod_max_ttl:%s)\n", $2)); + if(atoi($2) == 0 && strcmp($2, "0") != 0) + yyerror("number expected"); + else cfg_parser->cfg->ipsecmod_max_ttl = atoi($2); + free($2); + #else + OUTYY(("P(Compiled without IPsec module, ignoring)\n")); + #endif + } + ; +server_ipsecmod_whitelist: VAR_IPSECMOD_WHITELIST STRING_ARG + { + #ifdef USE_IPSECMOD + OUTYY(("P(server_ipsecmod_whitelist:%s)\n", $2)); + if(!cfg_strlist_insert(&cfg_parser->cfg->ipsecmod_whitelist, $2)) + yyerror("out of memory"); + #else + OUTYY(("P(Compiled without IPsec module, ignoring)\n")); + #endif + } + ; +server_ipsecmod_strict: VAR_IPSECMOD_STRICT STRING_ARG + { + #ifdef USE_IPSECMOD + OUTYY(("P(server_ipsecmod_strict:%s)\n", $2)); + if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) + yyerror("expected yes or no."); + else cfg_parser->cfg->ipsecmod_strict = (strcmp($2, "yes")==0); + free($2); + #else + OUTYY(("P(Compiled without IPsec module, ignoring)\n")); + #endif + } + ; stub_name: VAR_NAME STRING_ARG { OUTYY(("P(name:%s)\n", $2)); diff --git a/util/fptr_wlist.c b/util/fptr_wlist.c index 7c0b0bfcd..14efa3f88 100644 --- a/util/fptr_wlist.c +++ b/util/fptr_wlist.c @@ -83,6 +83,9 @@ #ifdef USE_CACHEDB #include "cachedb/cachedb.h" #endif +#ifdef USE_IPSECMOD +#include "ipsecmod/ipsecmod.h" +#endif #ifdef CLIENT_SUBNET #include "edns-subnet/subnetmod.h" #endif @@ -345,6 +348,9 @@ fptr_whitelist_mod_init(int (*fptr)(struct module_env* env, int id)) #ifdef USE_CACHEDB else if(fptr == &cachedb_init) return 1; #endif +#ifdef USE_IPSECMOD + else if(fptr == &ipsecmod_init) return 1; +#endif #ifdef CLIENT_SUBNET else if(fptr == &subnetmod_init) return 1; #endif @@ -364,6 +370,9 @@ fptr_whitelist_mod_deinit(void (*fptr)(struct module_env* env, int id)) #ifdef USE_CACHEDB else if(fptr == &cachedb_deinit) return 1; #endif +#ifdef USE_IPSECMOD + else if(fptr == &ipsecmod_deinit) return 1; +#endif #ifdef CLIENT_SUBNET else if(fptr == &subnetmod_deinit) return 1; #endif @@ -384,6 +393,9 @@ fptr_whitelist_mod_operate(void (*fptr)(struct module_qstate* qstate, #ifdef USE_CACHEDB else if(fptr == &cachedb_operate) return 1; #endif +#ifdef USE_IPSECMOD + else if(fptr == &ipsecmod_operate) return 1; +#endif #ifdef CLIENT_SUBNET else if(fptr == &subnetmod_operate) return 1; #endif @@ -404,6 +416,9 @@ fptr_whitelist_mod_inform_super(void (*fptr)( #ifdef USE_CACHEDB else if(fptr == &cachedb_inform_super) return 1; #endif +#ifdef USE_IPSECMOD + else if(fptr == &ipsecmod_inform_super) return 1; +#endif #ifdef CLIENT_SUBNET else if(fptr == &subnetmod_inform_super) return 1; #endif @@ -424,6 +439,9 @@ fptr_whitelist_mod_clear(void (*fptr)(struct module_qstate* qstate, #ifdef USE_CACHEDB else if(fptr == &cachedb_clear) return 1; #endif +#ifdef USE_IPSECMOD + else if(fptr == &ipsecmod_clear) return 1; +#endif #ifdef CLIENT_SUBNET else if(fptr == &subnetmod_clear) return 1; #endif @@ -443,6 +461,9 @@ fptr_whitelist_mod_get_mem(size_t (*fptr)(struct module_env* env, int id)) #ifdef USE_CACHEDB else if(fptr == &cachedb_get_mem) return 1; #endif +#ifdef USE_IPSECMOD + else if(fptr == &ipsecmod_get_mem) return 1; +#endif #ifdef CLIENT_SUBNET else if(fptr == &subnetmod_get_mem) return 1; #endif diff --git a/util/shm_side/shm_main.c b/util/shm_side/shm_main.c index 84e0c4db4..55b96e5c0 100644 --- a/util/shm_side/shm_main.c +++ b/util/shm_side/shm_main.c @@ -273,6 +273,17 @@ void shm_main_run(struct worker *worker) fptr_ok(fptr_whitelist_mod_get_mem(worker->env.mesh->mods.mod[modstack]->get_mem)); shm_stat->mem.subnet = (long long)(*worker->env.mesh->mods.mod[modstack]->get_mem)(&worker->env, modstack); } +#endif + /* ipsecmod mem value is available in shm, also when not enabled, + * to make the struct easier to memmap by other applications, + * independent of the configuration of unbound */ + shm_stat->mem.ipsecmod = 0; +#ifdef USE_IPSECMOD + modstack = modstack_find(&worker->env.mesh->mods, "ipsecmod"); + if(modstack != -1) { + fptr_ok(fptr_whitelist_mod_get_mem(worker->env.mesh->mods.mod[modstack]->get_mem)); + shm_stat->mem.ipsecmod = (*worker->env.mesh->mods.mod[modstack]->get_mem)(&worker->env, modstack); + } #endif }