Commit 15de2de8 authored by Dag-Erling Smørgrav's avatar Dag-Erling Smørgrav
Browse files

Vendor import of Unbound 1.6.4.

parent 689b6591
This diff is collapsed.
......@@ -171,12 +171,13 @@ static int
cachedb_apply_cfg(struct cachedb_env* cachedb_env, struct config_file* cfg)
{
const char* backend_str = "testframe"; /* TODO get from cfg */
(void)cfg; /* need this until the TODO is implemented */
if(backend_str && backend_str[0]) {
cachedb_env->backend = cachedb_find_backend(backend_str);
if(!cachedb_env->backend) {
log_err("cachedb: cannot find backend name '%s",
backend_str);
return NULL;
return 0;
}
}
/* TODO see if more configuration needs to be applied or not */
......@@ -374,6 +375,36 @@ good_expiry_and_qinfo(struct module_qstate* qstate, struct sldns_buffer* buf)
return 1;
}
static void
packed_rrset_ttl_subtract(struct packed_rrset_data* data, time_t subtract)
{
size_t i;
size_t total = data->count + data->rrsig_count;
if(data->ttl > subtract)
data->ttl -= subtract;
else data->ttl = 0;
for(i=0; i<total; i++) {
if(data->rr_ttl[i] > subtract)
data->rr_ttl[i] -= subtract;
else data->rr_ttl[i] = 0;
}
}
static void
adjust_msg_ttl(struct dns_msg* msg, time_t adjust)
{
size_t i;
if(msg->rep->ttl > adjust)
msg->rep->ttl -= adjust;
else msg->rep->ttl = 0;
msg->rep->prefetch_ttl = PREFETCH_TTL_CALC(msg->rep->ttl);
for(i=0; i<msg->rep->rrset_count; i++) {
packed_rrset_ttl_subtract((struct packed_rrset_data*)msg->
rep->rrsets[i]->entry.data, adjust);
}
}
/** convert dns message in buffer to return_msg */
static int
parse_data(struct module_qstate* qstate, struct sldns_buffer* buf)
......@@ -420,24 +451,18 @@ parse_data(struct module_qstate* qstate, struct sldns_buffer* buf)
qstate->return_rcode = LDNS_RCODE_NOERROR;
/* see how much of the TTL expired, and remove it */
if(*qstate->env->now <= (time_t)timestamp) {
verbose(VERB_ALGO, "cachedb msg adjust by zero");
return 1; /* message from the future (clock skew?) */
}
adjust = *qstate->env->now - (time_t)timestamp;
if(qstate->return_msg->rep->ttl < adjust) {
verbose(VERB_ALGO, "cachedb msg expired");
return 0; /* message expired */
}
verbose(VERB_ALGO, "cachedb msg adjusted down by %d", (int)adjust);
/*adjust_msg(qstate->return_msg, adjust);*/
/* TODO:
msg->rep->ttl = r->ttl - adjust;
msg->rep->prefetch_ttl = PREFETCH_TTL_CALC(msg->rep->ttl);
for(i=0; i<d->count + d->rrsig_count; i++) {
if(d->rr_ttl[i] < adjust)
d->rr_ttl[i] = 0;
else d->rr_ttl[i] -= adjust;
}
if(d->ttl < adjust)
d->ttl = 0;
else d->ttl -= adjust;
*/
/* TODO */
return 0;
adjust_msg_ttl(qstate->return_msg, adjust);
return 1;
}
/**
......
......@@ -79,6 +79,10 @@
don't. */
#undef HAVE_DECL_INET_PTON
/* Define to 1 if you have the declaration of `NID_ED25519', and to 0 if you
don't. */
#undef HAVE_DECL_NID_ED25519
/* Define to 1 if you have the declaration of `NID_secp384r1', and to 0 if you
don't. */
#undef HAVE_DECL_NID_SECP384R1
......@@ -157,6 +161,9 @@
/* Define to 1 if you have the `EVP_cleanup' function. */
#undef HAVE_EVP_CLEANUP
/* Define to 1 if you have the `EVP_DigestVerify' function. */
#undef HAVE_EVP_DIGESTVERIFY
/* Define to 1 if you have the `EVP_dss1' function. */
#undef HAVE_EVP_DSS1
......@@ -666,6 +673,9 @@
/* Define to 1 to enable dnscrypt support */
#undef USE_DNSCRYPT
/* Define to 1 to enable dnscrypt with xchacha20 support */
#undef USE_DNSCRYPT_XCHACHA20
/* Define to 1 to enable dnstap support */
#undef USE_DNSTAP
......@@ -678,9 +688,15 @@
/* Define this to enable an EVP workaround for older openssl */
#undef USE_ECDSA_EVP_WORKAROUND
/* Define this to enable ED25519 support. */
#undef USE_ED25519
/* Define this to enable GOST support. */
#undef USE_GOST
/* Define to 1 to use ipsecmod support. */
#undef USE_IPSECMOD
/* Define if you want to use internal select based events */
#undef USE_MINI_EVENT
......
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
# Generated by GNU Autoconf 2.69 for unbound 1.6.3.
# Generated by GNU Autoconf 2.69 for unbound 1.6.4.
#
# Report bugs to <unbound-bugs@nlnetlabs.nl>.
#
......@@ -590,8 +590,8 @@ MAKEFLAGS=
# Identity of this package.
PACKAGE_NAME='unbound'
PACKAGE_TARNAME='unbound'
PACKAGE_VERSION='1.6.3'
PACKAGE_STRING='unbound 1.6.3'
PACKAGE_VERSION='1.6.4'
PACKAGE_STRING='unbound 1.6.4'
PACKAGE_BUGREPORT='unbound-bugs@nlnetlabs.nl'
PACKAGE_URL=''
 
......@@ -638,9 +638,12 @@ INSTALLTARGET
ALLTARGET
SOURCEFILE
SOURCEDETERMINE
IPSECMOD_HEADER
IPSECMOD_OBJ
DNSCRYPT_OBJ
DNSCRYPT_SRC
ENABLE_DNSCRYPT
ENABLE_DNSCRYPT_XCHACHA20
DNSTAP_OBJ
DNSTAP_SRC
opt_dnstap_socket_path
......@@ -755,6 +758,9 @@ UNBOUND_CHROOT_DIR
UNBOUND_RUN_DIR
ub_conf_dir
ub_conf_file
UNBOUND_LOCALSTATE_DIR
UNBOUND_SYSCONF_DIR
UNBOUND_SBIN_DIR
EGREP
GREP
CPP
......@@ -851,6 +857,7 @@ enable_subnet
enable_gost
enable_ecdsa
enable_dsa
enable_ed25519
enable_event_api
enable_tfo_client
enable_tfo_server
......@@ -867,6 +874,7 @@ with_libfstrm
enable_dnscrypt
with_libsodium
enable_cachedb
enable_ipsecmod
with_libunbound_only
'
ac_precious_vars='build_alias
......@@ -1429,7 +1437,7 @@ if test "$ac_init_help" = "long"; then
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
\`configure' configures unbound 1.6.3 to adapt to many kinds of systems.
\`configure' configures unbound 1.6.4 to adapt to many kinds of systems.
 
Usage: $0 [OPTION]... [VAR=VALUE]...
 
......@@ -1494,7 +1502,7 @@ fi
 
if test -n "$ac_init_help"; then
case $ac_init_help in
short | recursive ) echo "Configuration of unbound 1.6.3:";;
short | recursive ) echo "Configuration of unbound 1.6.4:";;
esac
cat <<\_ACEOF
 
......@@ -1531,6 +1539,7 @@ Optional Features:
--disable-gost Disable GOST support
--disable-ecdsa Disable ECDSA support
--disable-dsa Disable DSA support
--disable-ed25519 Disable ED25519 support
--enable-event-api Enable (experimental) pluggable event base
libunbound API installed to unbound-event.h
--enable-tfo-client Enable TCP Fast Open for client mode
......@@ -1547,6 +1556,8 @@ Optional Features:
--enable-dnscrypt Enable dnscrypt support (requires libsodium)
--enable-cachedb enable cachedb module that can use external cache
storage
--enable-ipsecmod Enable ipsecmod module that facilitates
opportunistic IPsec
 
Optional Packages:
--with-PACKAGE[=ARG] use PACKAGE [ARG=yes]
......@@ -1703,7 +1714,7 @@ fi
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
unbound configure 1.6.3
unbound configure 1.6.4
generated by GNU Autoconf 2.69
 
Copyright (C) 2012 Free Software Foundation, Inc.
......@@ -2412,7 +2423,7 @@ cat >config.log <<_ACEOF
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
 
It was created by unbound $as_me 1.6.3, which was
It was created by unbound $as_me 1.6.4, which was
generated by GNU Autoconf 2.69. Invocation command line was
 
$ $0 $@
......@@ -2764,11 +2775,11 @@ UNBOUND_VERSION_MAJOR=1
 
UNBOUND_VERSION_MINOR=6
 
UNBOUND_VERSION_MICRO=3
UNBOUND_VERSION_MICRO=4
 
 
LIBUNBOUND_CURRENT=7
LIBUNBOUND_REVISION=2
LIBUNBOUND_REVISION=3
LIBUNBOUND_AGE=5
# 1.0.0 had 0:12:0
# 1.0.1 had 0:13:0
......@@ -2822,6 +2833,7 @@ LIBUNBOUND_AGE=5
# 1.6.1 had 7:0:5 # ub_callback_t typedef renamed to ub_callback_type
# 1.6.2 had 7:1:5
# 1.6.3 had 7:2:5
# 1.6.4 had 7:3:5
 
# Current -- the number of the binary API that we're implementing
# Revision -- which iteration of the implementation of the binary
......@@ -4106,6 +4118,11 @@ case "$prefix" in
prefix="/usr/local"
;;
esac
case "$exec_prefix" in
NONE)
exec_prefix="$prefix"
;;
esac
 
# are we on MinGW?
if uname -s 2>&1 | grep MINGW32 >/dev/null; then on_mingw="yes"
......@@ -4117,6 +4134,12 @@ fi
#
# Determine configuration file
# the eval is to evaluate shell expansion twice
UNBOUND_SBIN_DIR=`eval echo "${sbindir}"`
UNBOUND_SYSCONF_DIR=`eval echo "${sysconfdir}"`
UNBOUND_LOCALSTATE_DIR=`eval echo "${localstatedir}"`
if test $on_mingw = "no"; then
ub_conf_file=`eval echo "${sysconfdir}/unbound/unbound.conf"`
else
......@@ -17598,7 +17621,7 @@ fi
 
done
 
for ac_func in OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1
for ac_func in OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify
do :
as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
......@@ -18046,6 +18069,47 @@ fi
;;
esac
 
# Check whether --enable-ed25519 was given.
if test "${enable_ed25519+set}" = set; then :
enableval=$enable_ed25519;
fi
use_ed25519="no"
case "$enable_ed25519" in
no)
;;
*)
if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
ac_fn_c_check_decl "$LINENO" "NID_ED25519" "ac_cv_have_decl_NID_ED25519" "$ac_includes_default
#include <openssl/evp.h>
"
if test "x$ac_cv_have_decl_NID_ED25519" = xyes; then :
ac_have_decl=1
else
ac_have_decl=0
fi
cat >>confdefs.h <<_ACEOF
#define HAVE_DECL_NID_ED25519 $ac_have_decl
_ACEOF
if test $ac_have_decl = 1; then :
cat >>confdefs.h <<_ACEOF
#define USE_ED25519 1
_ACEOF
use_ed25519="yes"
else
if test "x$enable_ed25519" = "xyes"; then as_fn_error $? "OpenSSL does not support ED25519 and you used --enable-ed25519." "$LINENO" 5
fi
fi
fi
;;
esac
 
# Check whether --enable-event-api was given.
if test "${enable_event_api+set}" = set; then :
......@@ -20309,6 +20373,73 @@ else
as_fn_error $? "The sodium library was not found. Please install sodium!" "$LINENO" 5
fi
 
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing crypto_box_curve25519xchacha20poly1305_beforenm" >&5
$as_echo_n "checking for library containing crypto_box_curve25519xchacha20poly1305_beforenm... " >&6; }
if ${ac_cv_search_crypto_box_curve25519xchacha20poly1305_beforenm+:} false; then :
$as_echo_n "(cached) " >&6
else
ac_func_search_save_LIBS=$LIBS
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
/* Override any GCC internal prototype to avoid an error.
Use char because int might match the return type of a GCC
builtin and then its argument prototype would still apply. */
#ifdef __cplusplus
extern "C"
#endif
char crypto_box_curve25519xchacha20poly1305_beforenm ();
int
main ()
{
return crypto_box_curve25519xchacha20poly1305_beforenm ();
;
return 0;
}
_ACEOF
for ac_lib in '' sodium; do
if test -z "$ac_lib"; then
ac_res="none required"
else
ac_res=-l$ac_lib
LIBS="-l$ac_lib $ac_func_search_save_LIBS"
fi
if ac_fn_c_try_link "$LINENO"; then :
ac_cv_search_crypto_box_curve25519xchacha20poly1305_beforenm=$ac_res
fi
rm -f core conftest.err conftest.$ac_objext \
conftest$ac_exeext
if ${ac_cv_search_crypto_box_curve25519xchacha20poly1305_beforenm+:} false; then :
break
fi
done
if ${ac_cv_search_crypto_box_curve25519xchacha20poly1305_beforenm+:} false; then :
else
ac_cv_search_crypto_box_curve25519xchacha20poly1305_beforenm=no
fi
rm conftest.$ac_ext
LIBS=$ac_func_search_save_LIBS
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_crypto_box_curve25519xchacha20poly1305_beforenm" >&5
$as_echo "$ac_cv_search_crypto_box_curve25519xchacha20poly1305_beforenm" >&6; }
ac_res=$ac_cv_search_crypto_box_curve25519xchacha20poly1305_beforenm
if test "$ac_res" != no; then :
test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
ENABLE_DNSCRYPT_XCHACHA20=1
$as_echo "#define USE_DNSCRYPT_XCHACHA20 1" >>confdefs.h
else
ENABLE_DNSCRYPT_XCHACHA20=0
fi
 
 
$as_echo "#define USE_DNSCRYPT 1" >>confdefs.h
......@@ -20322,6 +20453,8 @@ $as_echo "#define USE_DNSCRYPT 1" >>confdefs.h
 
 
else
ENABLE_DNSCRYPT_XCHACHA20=0
 
ENABLE_DNSCRYPT=0
 
......@@ -20347,6 +20480,27 @@ $as_echo "#define USE_CACHEDB 1" >>confdefs.h
;;
esac
 
# check for ipsecmod if requested
# Check whether --enable-ipsecmod was given.
if test "${enable_ipsecmod+set}" = set; then :
enableval=$enable_ipsecmod;
fi
case "$enable_ipsecmod" in
yes)
$as_echo "#define USE_IPSECMOD 1" >>confdefs.h
IPSECMOD_OBJ="ipsecmod.lo ipsecmod-whitelist.lo"
IPSECMOD_HEADER='$(srcdir)/ipsecmod/ipsecmod.h $(srcdir)/ipsecmod/ipsecmod-whitelist.h'
;;
no|*)
# nothing
;;
esac
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if ${MAKE:-make} supports $< with implicit rule in scope" >&5
$as_echo_n "checking if ${MAKE:-make} supports $< with implicit rule in scope... " >&6; }
# on openBSD, the implicit rule make $< work.
......@@ -20488,7 +20642,7 @@ _ACEOF
 
 
 
version=1.6.3
version=1.6.4
 
date=`date +'%b %e, %Y'`
 
......@@ -21007,7 +21161,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
This file was extended by unbound $as_me 1.6.3, which was
This file was extended by unbound $as_me 1.6.4, which was
generated by GNU Autoconf 2.69. Invocation command line was
 
CONFIG_FILES = $CONFIG_FILES
......@@ -21073,7 +21227,7 @@ _ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
unbound config.status 1.6.3
unbound config.status 1.6.4
configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\"
 
......
......@@ -11,14 +11,14 @@ sinclude(dnscrypt/dnscrypt.m4)
# must be numbers. ac_defun because of later processing
m4_define([VERSION_MAJOR],[1])
m4_define([VERSION_MINOR],[6])
m4_define([VERSION_MICRO],[3])
m4_define([VERSION_MICRO],[4])
AC_INIT(unbound, m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]), unbound-bugs@nlnetlabs.nl, unbound)
AC_SUBST(UNBOUND_VERSION_MAJOR, [VERSION_MAJOR])
AC_SUBST(UNBOUND_VERSION_MINOR, [VERSION_MINOR])
AC_SUBST(UNBOUND_VERSION_MICRO, [VERSION_MICRO])
LIBUNBOUND_CURRENT=7
LIBUNBOUND_REVISION=2
LIBUNBOUND_REVISION=3
LIBUNBOUND_AGE=5
# 1.0.0 had 0:12:0
# 1.0.1 had 0:13:0
......@@ -72,6 +72,7 @@ LIBUNBOUND_AGE=5
# 1.6.1 had 7:0:5 # ub_callback_t typedef renamed to ub_callback_type
# 1.6.2 had 7:1:5
# 1.6.3 had 7:2:5
# 1.6.4 had 7:3:5
# Current -- the number of the binary API that we're implementing
# Revision -- which iteration of the implementation of the binary
......@@ -109,6 +110,11 @@ case "$prefix" in
prefix="/usr/local"
;;
esac
case "$exec_prefix" in
NONE)
exec_prefix="$prefix"
;;
esac
# are we on MinGW?
if uname -s 2>&1 | grep MINGW32 >/dev/null; then on_mingw="yes"
......@@ -120,6 +126,12 @@ fi
#
# Determine configuration file
# the eval is to evaluate shell expansion twice
UNBOUND_SBIN_DIR=`eval echo "${sbindir}"`
AC_SUBST(UNBOUND_SBIN_DIR)
UNBOUND_SYSCONF_DIR=`eval echo "${sysconfdir}"`
AC_SUBST(UNBOUND_SYSCONF_DIR)
UNBOUND_LOCALSTATE_DIR=`eval echo "${localstatedir}"`
AC_SUBST(UNBOUND_LOCALSTATE_DIR)
if test $on_mingw = "no"; then
ub_conf_file=`eval echo "${sysconfdir}/unbound/unbound.conf"`
else
......@@ -680,7 +692,7 @@ else
AC_MSG_RESULT([no])
fi
AC_CHECK_HEADERS([openssl/conf.h openssl/engine.h openssl/bn.h openssl/dh.h openssl/dsa.h openssl/rsa.h],,, [AC_INCLUDES_DEFAULT])
AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1])
AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify])
# these check_funcs need -lssl
BAKLIBS="$LIBS"
......@@ -906,6 +918,23 @@ case "$enable_dsa" in
;;
esac
AC_ARG_ENABLE(ed25519, AC_HELP_STRING([--disable-ed25519], [Disable ED25519 support]))
use_ed25519="no"
case "$enable_ed25519" in
no)
;;
*)
if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
AC_CHECK_DECLS([NID_ED25519], [
AC_DEFINE_UNQUOTED([USE_ED25519], [1], [Define this to enable ED25519 support.])
use_ed25519="yes"
], [ if test "x$enable_ed25519" = "xyes"; then AC_MSG_ERROR([OpenSSL does not support ED25519 and you used --enable-ed25519.])
fi ], [AC_INCLUDES_DEFAULT
#include <openssl/evp.h>
])
fi
;;
esac
AC_ARG_ENABLE(event-api, AC_HELP_STRING([--enable-event-api], [Enable (experimental) pluggable event base libunbound API installed to unbound-event.h]))
case "$enable_event_api" in
......@@ -1353,6 +1382,21 @@ case "$enable_cachedb" in
;;
esac
# check for ipsecmod if requested
AC_ARG_ENABLE(ipsecmod, AC_HELP_STRING([--enable-ipsecmod], [Enable ipsecmod module that facilitates opportunistic IPsec]))
case "$enable_ipsecmod" in
yes)
AC_DEFINE([USE_IPSECMOD], [1], [Define to 1 to use ipsecmod support.])
IPSECMOD_OBJ="ipsecmod.lo ipsecmod-whitelist.lo"
AC_SUBST(IPSECMOD_OBJ)
IPSECMOD_HEADER='$(srcdir)/ipsecmod/ipsecmod.h $(srcdir)/ipsecmod/ipsecmod-whitelist.h'
AC_SUBST(IPSECMOD_HEADER)
;;
no|*)
# nothing
;;
esac
AC_MSG_CHECKING([if ${MAKE:-make} supports $< with implicit rule in scope])
# on openBSD, the implicit rule make $< work.
# on Solaris, it does not work ($? is changed sources, $^ lists dependencies).
......
......@@ -31,3 +31,6 @@ distribution but may be helpful.
Contributed by Yuri Voinov.
* unbound.socket and unbound.service: systemd files for unbound, install them
in /usr/lib/systemd/system. Contributed by Sami Kerola and Pavel Odintsov.
* redirect-bogus.patch: Return configured address for bogus A and AAAA answers,
instead of SERVFAIL. Contributed by SIDN.
* fastrpz.patch: fastrpz support from Farsight Security.
This diff is collapsed.
Index: daemon/worker.c
===================================================================
--- daemon/worker.c (revision 4191)
+++ daemon/worker.c (working copy)
@@ -663,8 +663,21 @@
if(!inplace_cb_reply_servfail_call(&worker->env, qinfo, NULL, rep,
LDNS_RCODE_SERVFAIL, edns, worker->scratchpad))
goto bail_out;
- error_encode(repinfo->c->buffer, LDNS_RCODE_SERVFAIL,
- qinfo, id, flags, edns);
+ if (qinfo->qtype == LDNS_RR_TYPE_A &&
+ worker->env.cfg->redirect_bogus_ipv4) {
+ /* BAD cached */
+ fixed_address_encode(repinfo->c->buffer,
+ LDNS_RCODE_NOERROR, qinfo, id, flags, edns,
+ worker->env.cfg->redirect_bogus_ipv4);
+ } else if (qinfo->qtype == LDNS_RR_TYPE_AAAA &&
+ worker->env.cfg->redirect_bogus_ipv6) {
+ fixed_address_encode(repinfo->c->buffer,
+ LDNS_RCODE_NOERROR, qinfo, id, flags, edns,
+ worker->env.cfg->redirect_bogus_ipv6);
+ } else {
+ error_encode(repinfo->c->buffer, LDNS_RCODE_SERVFAIL,
+ qinfo, id, flags, edns);
+ }
rrset_array_unlock_touch(worker->env.rrset_cache,
worker->scratchpad, rep->ref, rep->rrset_count);
if(worker->stats.extended) {
Index: doc/unbound.conf.5.in
===================================================================
--- doc/unbound.conf.5.in (revision 4191)
+++ doc/unbound.conf.5.in (working copy)
@@ -1244,6 +1244,18 @@
This can make ordinary queries complete (if repeatedly queried for),
and enter the cache, whilst also mitigating the traffic flow by the
factor given.
+.TP 5
+.B redirect-bogus-ipv4: \fI<IPv4 address>
+Set a fixed address for DNSSEC failures that are cached
+Instead of responding to A queries with SERVFAIL, respond
+with NOERROR and the address specified here
+The TTL of the response will be 5 seconds
+.TP 5
+.B redirect-bogus-ipv6: \fI<IPv4 address>
+Set a fixed address for DNSSEC failures that are cached
+Instead of responding to AAAA queries with SERVFAIL, respond
+with NOERROR and the address specified here
+The TTL of the response will be 5 seconds
.SS "Remote Control Options"
In the
.B remote\-control:
Index: services/mesh.c
===================================================================
--- services/mesh.c (revision 4191)
+++ services/mesh.c (working copy)
@@ -1006,6 +1006,7 @@
struct timeval end_time;
struct timeval duration;
int secure;
+ int bogus_override = 0;
/* Copy the client's EDNS for later restore, to make sure the edns
* compare is with the correct edns options. */
struct edns_data edns_bak = r->edns;
@@ -1016,6 +1017,7 @@
rcode = LDNS_RCODE_SERVFAIL;
if(m->s.env->cfg->stat_extended)
m->s.env->mesh->ans_bogus++;
+ bogus_override = 1;
}
if(rep && rep->security == sec_status_secure)
secure = 1;
@@ -1047,17 +1049,34 @@
} else if(rcode) {
m->s.qinfo.qname = r->qname;