From: Wouter Wijngaards
Date: Tue, 5 Jan 2016 14:02:45 +0000 (+0000)
Subject: - Support RFC7686: handle ".onion" Special-Use Domain. It is blocked
X-Git-Tag: release-1.5.8~45
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5cb0a1d8edfe9d6510e19ea1fbfe4d45812bc675;p=thirdparty%2Funbound.git
- Support RFC7686: handle ".onion" Special-Use Domain. It is blocked by default, and can be unblocked with "nodefault" localzone config.
git-svn-id: file:///svn/unbound/trunk@3593 be551aaa-1e26-0410-a405-d3ace91eadb9
---
diff --git a/doc/Changelog b/doc/Changelog
index c556d64ef..e8a0b1b6d 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,6 +1,8 @@
05 January 2016: Wouter - #731: tcp-mss, outgoing-tcp-mss options for unbound.conf, patch from Daisuke Higashi.
+ - Support RFC7686: handle ".onion" Special-Use Domain. It is blocked
+ by default, and can be unblocked with "nodefault" localzone config.
04 January 2016: Wouter - Define DEFAULT_SOURCE together with BSD_SOURCE when that is defined,
diff --git a/doc/example.conf.in b/doc/example.conf.in
index 68a2596ec..b9175fa63 100644
--- a/doc/example.conf.in
+++ b/doc/example.conf.in
@@ -483,6 +483,7 @@ server:
# local-zone: "localhost." nodefault
# local-zone: "127.in-addr.arpa." nodefault
# local-zone: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." nodefault
+ # local-zone: "onion." nodefault
# local-zone: "10.in-addr.arpa." nodefault
# local-zone: "16.172.in-addr.arpa." nodefault
# local-zone: "17.172.in-addr.arpa." nodefault
diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in
index 08fc5e735..f45315c2c 100644
--- a/doc/unbound.conf.5.in
+++ b/doc/unbound.conf.5.in
@@ -928,10 +928,10 @@ has no other effect than turning off default contents for the given zone. Use \fInodefault\fR if you use exactly that zone, if you want to use a subzone, use \fItransparent\fR.
.P
-The default zones are localhost, reverse 127.0.0.1 and ::1, and the AS112
-zones. The AS112 zones are reverse DNS zones for private use and reserved
-IP addresses for which the servers on the internet cannot provide correct
-answers. They are configured by default to give nxdomain (no reverse
+The default zones are localhost, reverse 127.0.0.1 and ::1, the onion and
+the AS112 zones. The AS112 zones are reverse DNS zones for private use and
+reserved IP addresses for which the servers on the internet cannot provide
+correct answers. They are configured by default to give nxdomain (no reverse
information) answers. The defaults can be turned off by specifying your own local\-zone of that name, or using the 'nodefault' type. Below is a list of the default zone contents.
@@ -975,6 +975,15 @@ local\-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0. PTR localhost."
.fi
.TP 10
+\h'5'\fIonion (RFC 7686)\fR
+Default content:
+.nf
+local\-zone: "onion." static
+local\-data: "onion. 10800 IN NS localhost."
+local\-data: "onion. 10800 IN
+ SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
+.fi
+.TP 10
\h'5'\fIreverse RFC1918 local use zones\fR Reverse data for zones 10.in\-addr.arpa, 16.172.in\-addr.arpa to 31.172.in\-addr.arpa, 168.192.in\-addr.arpa.
diff --git a/services/localzone.c b/services/localzone.c
index c50ad0f15..b3a50532b 100644
--- a/services/localzone.c
+++ b/services/localzone.c
@@ -593,9 +593,9 @@ lz_enter_defaults(struct local_zones* zones, struct config_file* cfg)
{
struct local_zone* z;
- /* this list of zones is from RFC 6303 */
+ /* this list of zones is from RFC 6303 and RFC 7686 */
- /* block localhost level zones, first, later the LAN zones */
+ /* block localhost level zones first, then onion and later the LAN zones */
/* localhost. zone */
if(!lz_exists(zones, "localhost.") &&
@@ -653,6 +653,22 @@ lz_enter_defaults(struct local_zones* zones, struct config_file* cfg)
}
lock_rw_unlock(&z->lock);
}
+ /* onion. zone (RFC 7686) */
+ if(!lz_exists(zones, "onion.") &&
+ !lz_nodefault(cfg, "onion.")) {
+ if(!(z=lz_enter_zone(zones, "onion.", "static",
+ LDNS_RR_CLASS_IN)) ||
+ !lz_enter_rr_into_zone(z,
+ "onion. 10800 IN NS localhost.") ||
+ !lz_enter_rr_into_zone(z,
+ "onion. 10800 IN SOA localhost. nobody.invalid. "
+ "1 3600 1200 604800 10800")) {
+ log_err("out of memory adding default zone");
+ if(z) { lock_rw_unlock(&z->lock); }
+ return 0;
+ }
+ lock_rw_unlock(&z->lock);
+ }
/* if unblock lan-zones, then do not add the zones below.
* we do add the zones above, about 127.0.0.1, because localhost is
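Review bot: The onion. block in the second hunk is another verbatim copy of the per-zone pattern that precedes it (lz_exists/lz_nodefault guard, lz_enter_zone plus lz_enter_rr_into_zone chain, log_err and unlock-if-z on failure), so every further default zone grows lz_enter_defaults by another sixteen lines; a static helper taking the zone name, type and a NULL-terminated array of RR strings would reduce each zone to one call, though the earlier blocks are outside this hunk and I infer their shape only from the visible tail `} lock_rw_unlock(&z->lock); }`. The failure path itself looks right: `z` is NULL when lz_enter_zone fails and otherwise holds the zone the success path unlocks, so `if(z) { lock_rw_unlock(&z->lock); }` releases exactly what was taken. The one-line comment could say why a static zone is the correct shape, e.g. `/* onion. zone: RFC 7686 section 2 asks caching resolvers not to look .onion names up and to answer NXDOMAIN; a static zone holding only NS and SOA does that locally, so the names never reach upstream */`, and that operators who resolve .onion through a Tor-aware path disable it with the nodefault local-zone the man-page hunk documents. lz_enter_defaults continues outside the hunk on both sides.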