git.ipfire.org Git - thirdparty/unbound.git/log
Yorgos Thessalonikefs [Wed, 6 Nov 2024 21:50:36 +0000 (22:50 +0100)]
- Fix text in test.
Yorgos Thessalonikefs [Wed, 6 Nov 2024 21:48:39 +0000 (22:48 +0100)]
- Add suggestion to refresh the cached norec_ttl and expired_ttl when a
response cannot update the usable expired entry.
Yorgos Thessalonikefs [Wed, 6 Nov 2024 15:19:19 +0000 (16:19 +0100)]
- Fix SERVFAIL logging.
Yorgos Thessalonikefs [Wed, 6 Nov 2024 14:59:42 +0000 (15:59 +0100)]
- Update tests for expired cache updates.
Yorgos Thessalonikefs [Wed, 6 Nov 2024 14:57:53 +0000 (15:57 +0100)]
- Explicit RRSIG queries are not expected to be validated.
Yorgos Thessalonikefs [Wed, 6 Nov 2024 14:15:38 +0000 (15:15 +0100)]
- Try to use expired answers instead of SERVFAIL if serve-expired is
enabled even without serve-expired-client-timeout.
Yorgos Thessalonikefs [Wed, 6 Nov 2024 14:08:28 +0000 (15:08 +0100)]
- Treat serve_expired_norec_ttl as a backoff timer for failed updates of expired records.
Yorgos Thessalonikefs [Tue, 5 Nov 2024 11:20:25 +0000 (12:20 +0100)]
Changelog entry for:
- Fix SETEX check during Redis (re)initialization.
Yorgos Thessalonikefs [Tue, 5 Nov 2024 11:17:38 +0000 (12:17 +0100)]
- Fix SETEX check during Redis (re)initialization.
W.C.A. Wijngaards [Tue, 5 Nov 2024 10:41:41 +0000 (11:41 +0100)]
- Fix to log redis timeout error string on failure.
W.C.A. Wijngaards [Tue, 5 Nov 2024 09:39:27 +0000 (10:39 +0100)]
- Fix for the serve expired DNSSEC information fix, it would not allow
current delegation information be updated in cache. The fix allows
current delegation and validation recursion information to be
updated, but as a consequence no longer has certain expired
information around for later dnssec valid expired responses.
W.C.A. Wijngaards [Mon, 4 Nov 2024 12:26:27 +0000 (13:26 +0100)]
Changelog note for #1167
- Merge #1167: Makefile.in: fix occasional parallel build failures
around bison rule.
Sergei Trofimovich [Mon, 4 Nov 2024 12:26:05 +0000 (12:26 +0000)]
Makefile.in: fix occasional parallel build failures around bison rule (#1167)
Without the change `make -j16 --shuffle` occasionally fails to build as:
    $ make -j16 --shuffle
    ...
    bison -y -d -o util/configparser.c ./util/configparser.y
    ...
    /libtool --tag=CC --mode=compile gcc -I. -I...-openssl-3.3.2-dev/include -I...-libevent-2.1.12-dev/include -I...-expat-2.6.3-dev/include -DSRCDIR=. -g -O2 -flto -fPIE -pthread -o configparser.lo -c util/configparser.c
    ...
    util/configparser.c:755:3: error: expected ',' or '}' at end of input
      755 | YYSYMBOL_server_low_rtt = 626, /* server_low_rtt */
          | ^
The build failure happens due to this `Makefile.in` rule:
    util/configparser.c util/configparser.h: $(srcdir)/util/configparser.y
        @-if test ! -d util; then $(INSTALL) -d util; fi
        $(YACC) -d -o util/configparser.c $(srcdir)/util/configparser.y
For GNU make that means that each of the targets will attempt the rule
execution when the file is missing: one for .c file and another for .h
file:
https://www.gnu.org/software/make/manual/html_node/Multiple-Targets.html
The workaround is to only run $(YACC) for .c target and use .c as a
pre-requisite for an .h file.
Before the change the build fails about every 10-th run.
After the change no build failures after 100 successful builds.
W.C.A. Wijngaards [Mon, 4 Nov 2024 09:14:26 +0000 (10:14 +0100)]
- Fix redis that during a reload it does not fail if the redis
server does not connect or does not respond. It still logs the
errors and if the server is up checks expiration features.
W.C.A. Wijngaards [Mon, 4 Nov 2024 09:14:13 +0000 (10:14 +0100)]
- Fix redis that during a reload it does not fail if the redis
server does not connect or does not respond. It still logs the
errors and if the server is up checks expiration features.
Yorgos Thessalonikefs [Fri, 1 Nov 2024 15:27:06 +0000 (16:27 +0100)]
Changelog entry for #1157:
- Merge #1157 from Liang Zhu, Fix heap corruption when calling
ub_ctx_delete in Windows.
Liang Zhu [Fri, 1 Nov 2024 15:26:05 +0000 (08:26 -0700)]
Fix heap corruption when calling ub_ctx_delete in Windows (#1157)
Yorgos Thessalonikefs [Fri, 1 Nov 2024 15:12:07 +0000 (16:12 +0100)]
Changelog entry for #1170:
- Merge #1170 from Melroy van den Berg, Fix chroot manpage
description.
Melroy van den Berg [Fri, 1 Nov 2024 15:10:57 +0000 (16:10 +0100)]
Fix chroot manpage description (#1170)
Yorgos Thessalonikefs [Fri, 1 Nov 2024 14:57:52 +0000 (15:57 +0100)]
- Add test case for #1159.
- Some clean up for stat_values.test.
Yorgos Thessalonikefs [Fri, 1 Nov 2024 14:54:24 +0000 (15:54 +0100)]
- Merge #1159: Stats for discard-timeout and wait-limit.
Wouter Wijngaards [Fri, 1 Nov 2024 14:52:58 +0000 (15:52 +0100)]
Stats for discard-timeout and wait-limit (#1159)
* - Stats num.queries_discard_timeout and num.queries_wait_limit are used
instead of the mesh dropped that of requests exceeded.
Yorgos Thessalonikefs [Fri, 25 Oct 2024 19:25:16 +0000 (21:25 +0200)]
- Fix #1163: Typos in unbound.conf documentation.
W.C.A. Wijngaards [Thu, 17 Oct 2024 08:57:07 +0000 (10:57 +0200)]
Add changelog entry for tag for 1.22.0rc1.
W.C.A. Wijngaards [Thu, 17 Oct 2024 08:48:58 +0000 (10:48 +0200)]
- Tag for 1.22.0 release. This did not contain the 1154 fix
from 16 oct. The code repository continues with
version 1.22.1 in development.
W.C.A. Wijngaards [Wed, 16 Oct 2024 13:56:33 +0000 (15:56 +0200)]
- Fix #1154: Tag Incorrectly Applying for Other Interfaces
Using the Same IP. This fix is not for 1.22.0.
W.C.A. Wijngaards [Wed, 16 Oct 2024 09:52:49 +0000 (11:52 +0200)]
- Fix for dnstap with dnscrypt and dnstap without dnsoverquic.
Yorgos Thessalonikefs [Wed, 16 Oct 2024 09:02:31 +0000 (11:02 +0200)]
- Fix for dnsoverquic and dnstap to use the correct dnstap
environment.
W.C.A. Wijngaards [Mon, 14 Oct 2024 11:53:55 +0000 (13:53 +0200)]
- Fix dnsoverquic to extend the number of streams when one is closed.
W.C.A. Wijngaards [Mon, 14 Oct 2024 09:34:26 +0000 (11:34 +0200)]
- Fix to display warning if quic-port is set but dnsoverquic is not
enabled when compiled.
W.C.A. Wijngaards [Fri, 11 Oct 2024 09:42:30 +0000 (11:42 +0200)]
- Fix contrib/aaaa-filter-iterator.patch for change in call
signature for cache_fill_missing.
W.C.A. Wijngaards [Fri, 11 Oct 2024 07:03:11 +0000 (09:03 +0200)]
- Fix harden-unverified-glue for AAAA cache_fill_missing lookups.
W.C.A. Wijngaards [Fri, 11 Oct 2024 06:51:14 +0000 (08:51 +0200)]
- Fix to disable detection of quic configured ports when quic is
not compiled in.
W.C.A. Wijngaards [Thu, 10 Oct 2024 08:43:23 +0000 (10:43 +0200)]
- Fix add reallocarray to alloc stats unit test, and disable
override of strdup in unbound-host, and the result of config
get option is freed properly.
W.C.A. Wijngaards [Thu, 10 Oct 2024 07:45:48 +0000 (09:45 +0200)]
- Fix cookie_file test sporadic fails for time change during
the test.
W.C.A. Wijngaards [Wed, 9 Oct 2024 13:52:33 +0000 (15:52 +0200)]
- Fix for dnstap compile of doqclient with doq disabled.
W.C.A. Wijngaards [Wed, 9 Oct 2024 13:29:23 +0000 (15:29 +0200)]
Changelog entry and unit test for fix of NSEC TTL and prefetch ttl.
- Fix to limit NSEC TTL for messages from cachedb. Fix to limit the
prefetch ttl for messages after a CNAME with short TTL.
W.C.A. Wijngaards [Wed, 9 Oct 2024 13:28:55 +0000 (15:28 +0200)]
- Fix to limit NSEC TTL for messages from cachedb. Fix to limit the
prefetch ttl for messages after a CNAME with short TTL.
W.C.A. Wijngaards [Wed, 9 Oct 2024 08:35:45 +0000 (10:35 +0200)]
Changelog note for #871
- Merge #871: DNS over QUIC. This adds `quic-port: 853` and
`quic-size: 8m` that enable dnsoverquic, and the counters
`num.query.quic` and `mem.quic` in the statistics output.
The feature needs to be enabled by compiling with libngtcp2,
with `--with-libngtcp2=path` and libngtcp2 needs openssl+quic,
pass that with `--with-ssl=path` to compile unbound as well.
Wouter Wijngaards [Wed, 9 Oct 2024 08:32:03 +0000 (10:32 +0200)]
DNSoverQUIC (#871)
* - dnsoverquic, configure --with-libngtcp2 option.
* - dnsoverquic, create comm_point for doq and receive cmsg local address.
* - dnsoverquic, less obtrusive debug.
* - dnsoverquic, log and fix local port number. Neater subroutines and ifdefs.
* - dnsoverquic, add testcode/doqclient.
* - dnsoverquic, review fixes on doqclient.
* - dnsoverquic, fix unit test testbound link.
* - dnsoverquic, parse query in doqclient.
* - dnsoverquic, link with libngtcp2_crypto_openssl and code for doqclient.
* - dnsoverquic, random routine for doqclient and fix ngaddr allocation, and
check ub_initstate return.
* - dnsoverquic, fix doqclient free of allocated ngaddr addresses.
* - dnsoverquic, enable debug output with -v for doqclient.
* - dnsoverquic, create and set TLS object and TLS context in doqclient.
* - dnsoverquic, work on quic tls context in doqclient.
* - dnsoverquic, set default dnsoverquic port to the standardized 853 port.
* - dnsoverquic, remove debug comment.
* - dnsoverquic, dns-over-quic quic-port: 853 config option.
* - dnsoverquic, log type of interface created at start of unbound.
* - dnsoverquic, log type of no tls https as https when interface is created.
* - dnsoverquic, setup client quic tls methods.
* - dnsoverquic, event work in doqclient.
* - dnsoverquic, explain in documentation that QUIC uses UDP.
* - dnsoverquic, make doqclient exit.
* - dnsoverquic, doqclient cleanup run routine.
* - dnsoverquic, doqclient code nicer.
* - dnsoverquic, doqclient read and timer.
* - dnsoverquic, doqclient write work.
* - dnsoverquic, review fixes.
* - dnsoverquic, detect openssl quic support at configure time.
* - dnsoverquic, do not allow QUIC on port 53 to stop confusion of DoQ and DNS.
* - dnsoverquic, in doqclient, when idle close is returned, drop the connection
without calling ngtcp2_conn_write_connection_close.
* - dnsoverquic, in doqclient, log callbacks.
* - dnsoverquic, in doqclient add extend_max_local_streams_bidi callback.
* - dnsoverquic, in doqclient add client query lists.
* - dnsoverquic, in doqclient, code cleaner, log text nicer.
* - dnsoverquic, in doqclient, work on write_streams.
* - dnsoverquic, in doqclient, use signed int for stream_id, work on the
ngtcp2_recv_stream_data callback.
* - dnsoverquic, in doqclient, print result and fixes for recv data.
* - dnsoverquic, in doqclient, add the event callbacks to fptr wlist.
* - dnsoverquic, in doqclient, when already expired, use zero timeout timer.
* - dnsoverquic, in doqclient, ignore unused return codes from
ngtcp2_conn_writev_stream.
* - dnsoverquic, add doqclient event functions to the unbound-dnstap-socket
test tool for linking.
* - dnsoverquic, in doqclient, fix multiple operands for the commandline.
neater dns message output.
* - dnsoverquic, in doqclient, store packet when write blocks and try later.
* - dnsoverquic, in doqclient, limit number of packets and number of bytes sent.
* - dnsoverquic, in doqclient, better size estimate for outgoing packet.
* - dnsoverquic, in doqclient, fix that already written next packet is not
counted for data length to send.
* - dnsoverquic, in doqclient, early data transmission and session resumption.
* - dnsoverquic, send version negotiation packet.
* - dnsoverquic, send retry and accept the connection.
* - dnsoverquic, storage structures.
* - dnsoverquic, doq connection setup.
* - dnsoverquic, neater code layout for new conn. Fix verbosity of log print.
* - dnsoverquic, doq conn callback functions.
* - dnsoverquic, doq_fill_rand routine in header file.
* - dnsoverquic, keep track of connection ids.
* - dnsoverquic, get_new_connection_id callback.
* - dnsoverquic, create doq_conid tree.
* - dnsoverquic, settings for server connection.
* - dnsoverquic, tls context.
* - dnsoverquic, sendmsg error handling.
* - dnsoverquic, neat code.
* - dnsoverquic, track doq connection last error.
* - dnsoverquic, neater packet address parameters.
* - dnsoverquic, fix uninitialized bytes in msg control in doq sendmsg, and
fix tree cleanup of conid tree.
* - dnsoverquic, better usage text for doqclient.
* - dnsoverquic, neat code.
* - dnsoverquic, connection receive packet handling.
* - dnsoverquic, debug output.
* - dnsoverquic, debug switched meaning of scid and dcid gives
ERR_TRANSPORT_PARAM.
* - dnsoverquic, remove debug output.
* - dnsoverquic, connection delete routine and error from connection read in
more detail with less clutter.
* - dnsoverquic, write to stream, and receive stream data, log packet.
* - dnsoverquic, alpn set up.
* - dnsoverquic, connection close.
* - dnsoverquic, doq_table and locks.
* - dnsoverquic, fix tests.
* - dnsoverquic, better locking.
* - dnsoverquic, doq_stream.
* - dnsoverquic, remove compile warning.
* - dnsoverquic, doq_stream receive data.
* - dnsoverquic, fixes for locks and keep length bytes allocated.
* - dnsoverquic, lock connection on initial insertion.
* - dnsoverquic, reply information, and reply buffer.
* - dnsoverquic, reply info from cache, local-zone and recursion lookups.
* - dnsoverquic, spelling in comment about buffer storage.
* - dnsoverquic, stream write list and doqclient fixes to exit and printout.
* - dnsoverquic, doqclient -q option for short printout.
* - dnsoverquic, unit test with local data reply.
* - dnsoverquic, write connection and write event is set.
* - dnsoverquic, neater logging for write event connection stream writes.
* - dnsoverquic, log remote connection when the streams are written for it.
* - dnsoverquic, better threaded use, threads can write to doq connections at
the same time.
* - dnsoverquic, unit test for the calculation of connection size with a query.
* - dnsoverquic, use less memory per connection.
* - dnsoverquic, remove unit test output.
* - dnsoverquic, add MSG_DONTWAIT so that there is no mistakenly blocking
socket operations.
* - dnsoverquic, doqclient logs address on connection failures.
* - dnsoverquic, compat code for clock get time routine.
* - dnsoverquic, use skip_test for doq unit test.
* - dnsoverquic, fixes for proxyprotocol, use remote_addr and set proxyprotocol
disabled on the doq connection.
* - dnsoverquic, doqclient sets log identity to its name, instead of "unbound".
* - dnsoverquic, handle blocked udp packet writes.
* - dnsoverquic, fix function documentation for verbose_print_addr from
services/listen_dnsport.c.
* - dnsoverquic, fix doq_conn lock protection. The checklock allows to set
the output file name, and doqclient uses that. Print place of lock_protect.
* - dnsoverquic, neater buffer clear when write of blocked packet fails, make
sure that memory area does not overlap for blocked packet addresses when
write of blocked packet fails, and size blocked packet buffer to the pkt buf.
* - dnsoverquic, move lock check after the test to test script in doq test.
* - dnsoverquic, the doq test uses valgrind when enabled.
* - dnsoverquic, git ignore the doqclient test.
* - dnsoverquic, limit the buffer for packets to max packet size with some more.
* - dnsoverquic, spelling fix.
* - dnsoverquic, timer work, structure and adds and deletes.
* - dnsoverquic, timer_tree uses table.lock.
* - dnsoverquic, fix timer tree remove and spelling in header file comment.
* - dnsoverquic, fix testbound for timer compare function linkage.
* - dnsoverquic, timer set add debug output.
* - dnsoverquic, doq_conn_check_timer function.
* - dnsoverquic, doq_done_setup_timer_and_write function.
* - dnsoverquic, fix that doq conn is not deleted whilst editing write and timer.
* - dnsoverquic, Fix #861 make ERROR netevent.h:1073:32: error: field 'blocked_pkt_pi' has incomplete type
* - dnsoverquic, timer element has timeout setup when socket callback complete.
* - dnsoverquic, fix unit test compile.
* - dnsoverquic, timer callback routine, handle timeout and close and delete the
connection if necessary.
* - dnsoverquic, timer pickup stops at current time.
* - dnsoverquic, timer comparable with the event base time.
* - dnsoverquic, erase marked time when timer disabled.
* - dnsoverquic, fix timer to set correctly and lock popped write connection
early, before it is modified.
* - dnsoverquic, fix to unlock connection lock when it is unlinked and deleted.
* - dnsoverquic, fix to unlock connection lock when it is deleted because it is
a duplicate connection.
* - dnsoverquic, fix that doq timer is not disabled when not set.
* - dnsoverquic, quic-size: 8m maximum number of bytes for QUIC buffers.
* - dnsoverquic, flex and bison.
* - dnsoverquic, quic-size turn away new connections when full.
* - dnsoverquic, doqclient outputs stream reset information.
* - dnsoverquic, detect stream close and reset.
* - dnsoverquic, free stream buffers when data is acked and stream is closed.
* - dnsoverquic, delete stream when closed. Unlink it. Allow stream_id 4 as first.
* - dnsoverquic, stats output for mem.quic and num.query.quic.
* - dnsoverquic, review fix.
* - dnsoverquic, fix when compiled without ngtcp2.
* - dnsoverquic, fix to detect ngtcp2_crypto_quictls for openssl crypto, after
change in libngtcp2.
* - dnsoverquic, fix for newer ngtcp2 versions. detect ngtcp2_ccerr_default,
ngtcp2/ngtcp2_crypto_quictls.h, struct ngtcp2_pkt_hd.tokenlen,
struct ngtcp2_settings.tokenlen and struct ngtcp2_version_cid.
* - dnsoverquic, fix for newer ngtcp2 version, detect number of arguments for
ngtcp2_conn_shutdown_stream.
* - dnsoverquic, fix for newer ngtcp2.
* - dnsoverquic, use the functions from util/timeval_func.h.
* - dnsoverquic, fix in doqclient only write transport parameters once.
* - dnsoverquic, debug log output removed.
* - dnsoverquic, fix in doqclient to work with renamed NGTCP2_CC_ALGO_BBR_V2
from ngtcp2.
* - dnsoverquic, fix to check in doq_server_socket_create that tls-service-key
and tls-service-pem have a value.
* - dnsoverquic, fix to error when doq_server_socket_create fails.
* - dnsoverquic, improve linebreaks in configparser additions.
* - dnsoverquic, fix port from interface pickup after main branch change.
* Fix getting user data from SSL, fix calloc warning.
* Fix fwrite return value check in doqclient
* - timeval_substruct from timeval_func.h
- lock_protect also for HAVE_NGTCP2_CCERR_DEFAULT
- fix doq logging for inet_ntop failures
* - memset for consistency
- no value returned from msghdr_get_ecn when S_SPLINT_S is defined
* - dnsoverquic, rerun autoconf.
---------
Co-authored-by: Yorgos Thessalonikefs <yorgos@nlnetlabs.nl>
W.C.A. Wijngaards [Tue, 8 Oct 2024 13:29:03 +0000 (15:29 +0200)]
- Fix #1128: Cannot override tcp-upstream and tls-upstream with
forward-tcp-upstream and forward-tls-upstream.
W.C.A. Wijngaards [Tue, 8 Oct 2024 09:54:07 +0000 (11:54 +0200)]
- Fix #1149: unbound-control-setup hangs sometimes depending on
the openssl version.
Yorgos Thessalonikefs [Thu, 3 Oct 2024 16:19:01 +0000 (18:19 +0200)]
- The fix for CVE-2024-8508 was part of 1.21.1, a security point release
on 1.21.0. The code repository continues with this fix and the version
number 1.22.0.
Yorgos Thessalonikefs [Thu, 3 Oct 2024 16:14:01 +0000 (18:14 +0200)]
Merge branch 'release-1.21.1'
Yorgos Thessalonikefs [Thu, 3 Oct 2024 12:46:57 +0000 (14:46 +0200)]
- Fix CVE-2024-8508, unbounded name compression could lead to denial of
service.
Yorgos Thessalonikefs [Thu, 3 Oct 2024 12:11:57 +0000 (14:11 +0200)]
- Set version to 1.21.1
W.C.A. Wijngaards [Mon, 30 Sep 2024 14:36:01 +0000 (16:36 +0200)]
- Fix unbound dnstap socket test program analyzer warnings about
unused variable assignments and variable initialization.
W.C.A. Wijngaards [Mon, 30 Sep 2024 07:25:51 +0000 (09:25 +0200)]
- Fix negative cache NSEC3 parameter compares for zero length NSEC3
salt.
W.C.A. Wijngaards [Wed, 25 Sep 2024 09:16:46 +0000 (11:16 +0200)]
- Fix #1144: [FR] log timestamps in ISO8601 format with timezone.
This adds the option `log-time-iso: yes` that logs in ISO8601
format.
Yorgos Thessalonikefs [Tue, 24 Sep 2024 14:49:34 +0000 (16:49 +0200)]
Changelog entry for #1143:
- Merge #1143: Fix cache update when serve expired is used. Expired
records are favored over resolution and validation failures when
serve-expired is used.
Yorgos Thessalonikefs [Tue, 24 Sep 2024 14:47:04 +0000 (16:47 +0200)]
Fix cache update when serve expired is used (#1143)
- Fix cache update when serve expired is used in order to not evict
still usable expired records. Modules are forbidden to update the
cache if their answer is DNSSEC unchecked or bogus and a valid
(expired) entry already exists. Bogus replies from the validator are
also discarded in favor of existing (expired) valid replies.
- serve-expired-ttl-reset should try to keep expired records in the
cache in case they are reset.
Yorgos Thessalonikefs [Tue, 24 Sep 2024 13:10:21 +0000 (15:10 +0200)]
- More clear text for prefetch and minimal-responses in the
unbound.conf man page.
Yorgos Thessalonikefs [Tue, 24 Sep 2024 10:21:03 +0000 (12:21 +0200)]
- Attempt to further fix doh_downstream_buffer_size.tdir flakiness.
Yorgos Thessalonikefs [Mon, 23 Sep 2024 13:31:32 +0000 (15:31 +0200)]
- Fix doxygen warnings by commenting out CLANG_ASSISTED_PARSING,
CLANG_ADD_INC_PATHS, CLANG_OPTIONS and CLANG_DATABASE_PATH; they were
already disabled.
W.C.A. Wijngaards [Mon, 23 Sep 2024 10:19:43 +0000 (12:19 +0200)]
- Fix dns64 with prefetch that the prefetch is stored in cache.
W.C.A. Wijngaards [Tue, 17 Sep 2024 11:10:34 +0000 (13:10 +0200)]
- Add redis-command-timeout: 20 and redis-connect-timeout: 200,
that can set the timeout separately for commands and the
connection set up to the redis server. If they are not
specified, the redis-timeout value is used.
W.C.A. Wijngaards [Mon, 16 Sep 2024 10:15:04 +0000 (12:15 +0200)]
Changelog comment for #1140.
- Merge #1140: Fix spelling mistake in comments.
Tochus [Mon, 16 Sep 2024 10:14:28 +0000 (18:14 +0800)]
Fix spelling mistake in comments (#1140)
I noticed a spelling mistake in the comments. The term “chain of trust” was incorrectly written as “chainoftrust”. This change corrects the spelling to “chain of trust” which is the correct term used in English.
Yorgos Thessalonikefs [Wed, 11 Sep 2024 10:16:02 +0000 (12:16 +0200)]
- Fix and add comments in testdata/val_negcache_ttl.rpl.
W.C.A. Wijngaards [Tue, 10 Sep 2024 08:17:31 +0000 (10:17 +0200)]
- Add unit test for ttl limit for aggressive nsec.
W.C.A. Wijngaards [Tue, 10 Sep 2024 08:13:48 +0000 (10:13 +0200)]
- Fix to limit NSEC and NSEC3 TTL when aggressive nsec is
enabled (RFC9077).
Yorgos Thessalonikefs [Fri, 6 Sep 2024 14:03:20 +0000 (16:03 +0200)]
- Fix comment to not trigger doxygen unknown command.
Yorgos Thessalonikefs [Fri, 6 Sep 2024 14:01:30 +0000 (16:01 +0200)]
- Fix alloc-size and calloc-transposed-args compiler warnings.
W.C.A. Wijngaards [Thu, 5 Sep 2024 07:35:54 +0000 (09:35 +0200)]
- Fix config file read for dnstap-sample-rate.
W.C.A. Wijngaards [Mon, 2 Sep 2024 07:25:44 +0000 (09:25 +0200)]
Changelog note for #1135
- Merge #1135: Add new IANA trust anchor.
Keelan Cannoo [Mon, 2 Sep 2024 07:24:55 +0000 (11:24 +0400)]
Add new IANA trust anchor (#1135)
Signed-off-by: Keelan Cannoo <keelan.cannoo@cyberstorm.mu>
Co-authored-by: Keelan10 <keelan.cannoo@cyberstorm.mu>
W.C.A. Wijngaards [Fri, 30 Aug 2024 06:56:00 +0000 (08:56 +0200)]
- Fix for #1132, comment about adjusted copy of reference check.
W.C.A. Wijngaards [Fri, 30 Aug 2024 06:51:56 +0000 (08:51 +0200)]
Changelog note for #1132 and fix for #1132.
- Merge #1132: b.root renumbering.
- Fix for #1132, adjusted unit test for change in the test file.
Loganaden Velvindron [Fri, 30 Aug 2024 06:48:31 +0000 (10:48 +0400)]
b.root renumbering (#1132)
https://b.root-servers.org/news/2023/05/16/new-addresses.html
Worked together with Jaykishan Muktawoa <jay@cyberstorm.mu>
W.C.A. Wijngaards [Thu, 29 Aug 2024 11:04:03 +0000 (13:04 +0200)]
- Fix to print port number in logs for auth zone transfer activities.
W.C.A. Wijngaards [Thu, 29 Aug 2024 08:40:31 +0000 (10:40 +0200)]
- Unit test for auth zone transfer TLS, and TLS failure.
W.C.A. Wijngaards [Wed, 28 Aug 2024 11:16:29 +0000 (13:16 +0200)]
- Fix that stub-zone and forward-zone clauses do not exhaust memory
for long content.
W.C.A. Wijngaards [Wed, 28 Aug 2024 08:51:22 +0000 (10:51 +0200)]
- Fix that when rpz is applied the message does not get picked up by
the validator. That stops validation failures for the message.
W.C.A. Wijngaards [Tue, 27 Aug 2024 15:00:27 +0000 (17:00 +0200)]
- Fix #1130: Loads of logs: "validation failure: key for validation
<domain>. is marked as invalid because of a previous" for
non-DNSSEC signed zone.
W.C.A. Wijngaards [Fri, 23 Aug 2024 11:19:15 +0000 (13:19 +0200)]
- Fix documentation for cache_fill_missing function.
W.C.A. Wijngaards [Fri, 23 Aug 2024 07:22:07 +0000 (09:22 +0200)]
- Fix #1127: error: "memory exhausted" when defining more than 9994
local-zones.
W.C.A. Wijngaards [Fri, 23 Aug 2024 06:56:48 +0000 (08:56 +0200)]
- Merge patch to fix for glue that is outside of zone, with
`harden-unverified-glue`, from Karthik Umashankar (Microsoft).
Enabling this option protects the Unbound resolver against bad
glue, that is unverified out of zone glue, by resolving them.
It uses the records as last resort if there is no other working
glue.
W.C.A. Wijngaards [Wed, 21 Aug 2024 12:20:04 +0000 (14:20 +0200)]
Enable ci back after debug.
W.C.A. Wijngaards [Wed, 21 Aug 2024 12:15:23 +0000 (14:15 +0200)]
- Fix for char signedness warnings on NetBSD.
W.C.A. Wijngaards [Wed, 21 Aug 2024 12:03:11 +0000 (14:03 +0200)]
- Add cross platform netbsd to github ci.
W.C.A. Wijngaards [Wed, 21 Aug 2024 11:50:55 +0000 (13:50 +0200)]
- Add cross platform openbsd to github ci.
W.C.A. Wijngaards [Wed, 21 Aug 2024 11:37:42 +0000 (13:37 +0200)]
ci for freebsd nicer, with libevent, faster without static compile, and
with grouped output, also the pkg install is conditional on the platform.
W.C.A. Wijngaards [Wed, 21 Aug 2024 11:24:54 +0000 (13:24 +0200)]
Fix for freebsd ci.
W.C.A. Wijngaards [Wed, 21 Aug 2024 11:20:00 +0000 (13:20 +0200)]
- Add cross platform freebsd to github ci.
W.C.A. Wijngaards [Tue, 20 Aug 2024 12:08:52 +0000 (14:08 +0200)]
- Add iter-scrub-ns, iter-scrub-cname and max-global-quota
configuration options.
W.C.A. Wijngaards [Mon, 19 Aug 2024 13:51:47 +0000 (15:51 +0200)]
- Fix #1126: unbound-control-setup hangs while testing for openssl
presence starting from version 1.21.0.
W.C.A. Wijngaards [Thu, 15 Aug 2024 09:01:41 +0000 (11:01 +0200)]
- Tag for release 1.21.0, the repository continues with 1.21.1
in development.
W.C.A. Wijngaards [Fri, 9 Aug 2024 12:04:25 +0000 (14:04 +0200)]
- Fix spelling for the cache-min-negative-ttl entry in the
example.conf.
W.C.A. Wijngaards [Thu, 8 Aug 2024 14:14:09 +0000 (16:14 +0200)]
- Fix that for windows the module startup is called and sets up
the module-config.
W.C.A. Wijngaards [Thu, 8 Aug 2024 07:30:53 +0000 (09:30 +0200)]
- Set version number to 1.21.0 for release.
W.C.A. Wijngaards [Thu, 8 Aug 2024 07:28:44 +0000 (09:28 +0200)]
- Fix CacheFlush issues with limit on NS RRs. Thanks to Yehuda Afek,
Anat Bremler-Barr, Shoham Danino and Yuval Shavitt (Tel-Aviv
University and Reichman University).
W.C.A. Wijngaards [Thu, 8 Aug 2024 07:27:45 +0000 (09:27 +0200)]
- Fix CAMP issues with global quota. Thanks to Huayi Duan, Marco
Bearzi, Jodok Vieli, and Cagin Tanir from NetSec group, ETH Zurich.
W.C.A. Wijngaards [Fri, 2 Aug 2024 13:51:40 +0000 (15:51 +0200)]
- Fix that alloc stats for forwards and hints are printed, and when
alloc stats is enabled, the unit test for unbound control waits for
reloads to complete.
W.C.A. Wijngaards [Fri, 2 Aug 2024 11:36:06 +0000 (13:36 +0200)]
Changelog note for #1090
- Merge #1090: Cookie secret file. Adds
`cookie-secret-file: "unbound_cookiesecrets.txt"` option to store
cookie secrets for EDNS COOKIE secret rollover. The remote control
add_cookie_secret, activate_cookie_secret and drop_cookie_secret
commands can be used for rollover, the command print_cookie_secrets
shows the values in use.
Wouter Wijngaards [Fri, 2 Aug 2024 11:32:08 +0000 (13:32 +0200)]
Cookie secret file (#1090)
* - cookie-secret-file, define struct.
* - cookie-secret-file, add config option, create, read and delete struct.
* - cookie-secret-file, check cookie secrets for cookie validation.
* - cookie-secret-file, unbound-control add_cookie_secret, drop_cookie_secret,
activate_cookie_secret and print_cookie_secrets.
* - cookie-secret-file, test and fix locks, renew writes a fresh cookie,
staging cookies get a fresh cookie and spelling in error message.
* - cookie-secret-file, remove unused variable from cookie file unit test.
* Remove unshare and faketime dependencies for cookie_file test; documentation nits.
---------
Co-authored-by: Yorgos Thessalonikefs <yorgos@nlnetlabs.nl>
W.C.A. Wijngaards [Fri, 2 Aug 2024 06:59:47 +0000 (08:59 +0200)]
Update changelog.
- Fix testbound for alloc stats strdup in util/alloc.c.
W.C.A. Wijngaards [Fri, 2 Aug 2024 06:58:22 +0000 (08:58 +0200)]
- Fix testbound for alloc stats strdup in util/alloc.c.
W.C.A. Wijngaards [Fri, 2 Aug 2024 06:54:54 +0000 (08:54 +0200)]
- Fix that alloc stats has strdup checks, it stops debuggers from
complaining about mismatch at free time.
W.C.A. Wijngaards [Thu, 1 Aug 2024 15:15:07 +0000 (17:15 +0200)]
- Fix that the worker mem report with alloc stats does not attempt
to print memory use of forwards and hints if they have been
deleted already.
W.C.A. Wijngaards [Thu, 1 Aug 2024 14:12:04 +0000 (16:12 +0200)]
- Fix dnstap test program, cleans up to have clean memory on exit,
for tap_data_free, does not delete NULL items. Also it does not try
to free the tail, specifically in the free of the list since that
picked up the next item in the list for its loop causing invalid
free. Added internal unit test to unbound-dnstap-socket for that.