Commit e24c5f97 authored by Dag-Erling Smørgrav's avatar Dag-Erling Smørgrav
Browse files

Apply upstream r3619, r3620, r3621: add insecure-lan-zone option

parent a7af7146
......@@ -95,7 +95,7 @@ PYUNBOUND_SRC=
# libunbound_wrap.lo if python libunbound wrapper enabled.
PYUNBOUND_OBJ=@PYUNBOUND_OBJ@
COMMON_SRC=services/cache/dns.c services/cache/infra.c services/cache/rrset.c \
util/data/dname.c util/data/msgencode.c util/data/msgparse.c \
util/as112.c util/data/dname.c util/data/msgencode.c util/data/msgparse.c \
util/data/msgreply.c util/data/packed_rrset.c iterator/iterator.c \
iterator/iter_delegpt.c iterator/iter_donotq.c iterator/iter_fwd.c \
iterator/iter_hints.c iterator/iter_priv.c iterator/iter_resptype.c \
......@@ -113,7 +113,7 @@ validator/val_neg.c validator/val_nsec3.c validator/val_nsec.c \
validator/val_secalgo.c validator/val_sigcrypt.c \
validator/val_utils.c dns64/dns64.c $(CHECKLOCK_SRC) $(DNSTAP_SRC)
COMMON_OBJ_WITHOUT_NETCALL=dns.lo infra.lo rrset.lo dname.lo msgencode.lo \
msgparse.lo msgreply.lo packed_rrset.lo iterator.lo iter_delegpt.lo \
as112.lo msgparse.lo msgreply.lo packed_rrset.lo iterator.lo iter_delegpt.lo \
iter_donotq.lo iter_fwd.lo iter_hints.lo iter_priv.lo iter_resptype.lo \
iter_scrub.lo iter_utils.lo localzone.lo mesh.lo modstack.lo \
outbound_list.lo alloc.lo config_file.lo configlexer.lo configparser.lo \
......@@ -595,6 +595,7 @@ depend:
rm -f $(DEPEND_TMP) $(DEPEND_TMP2)
# Dependencies
as112.lo as112.o: $(srcdir)/util/as112.c $(srcdir)/util/as112.h
dns.lo dns.o: $(srcdir)/services/cache/dns.c config.h $(srcdir)/iterator/iter_delegpt.h $(srcdir)/util/log.h \
$(srcdir)/validator/val_nsec.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
$(srcdir)/util/locks.h $(srcdir)/services/cache/dns.h $(srcdir)/util/data/msgreply.h \
......@@ -702,7 +703,7 @@ localzone.lo localzone.o: $(srcdir)/services/localzone.c config.h $(srcdir)/serv
$(srcdir)/sldns/sbuffer.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/util/data/dname.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgencode.h \
$(srcdir)/util/net_help.h $(srcdir)/util/netevent.h $(srcdir)/util/data/msgreply.h \
$(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h
$(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/util/as112.h
mesh.lo mesh.o: $(srcdir)/services/mesh.c config.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
$(srcdir)/util/netevent.h $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
$(srcdir)/util/log.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h \
......@@ -821,7 +822,7 @@ val_anchor.lo val_anchor.o: $(srcdir)/validator/val_anchor.c config.h $(srcdir)/
$(srcdir)/util/rbtree.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/validator/val_sigcrypt.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/validator/autotrust.h \
$(srcdir)/util/data/dname.h $(srcdir)/util/net_help.h $(srcdir)/util/config_file.h $(srcdir)/sldns/sbuffer.h \
$(srcdir)/sldns/rrdef.h $(srcdir)/sldns/str2wire.h
$(srcdir)/sldns/rrdef.h $(srcdir)/sldns/str2wire.h $(srcdir)/util/as112.h
validator.lo validator.o: $(srcdir)/validator/validator.c config.h $(srcdir)/validator/validator.h \
$(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
$(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
......
......@@ -508,13 +508,17 @@ server:
# local-zone: "8.b.d.0.1.0.0.2.ip6.arpa." nodefault
# And for 64.100.in-addr.arpa. to 127.100.in-addr.arpa.
# if unbound is running service for the local host then it is useful
# If unbound is running service for the local host then it is useful
# to perform lan-wide lookups to the upstream, and unblock the
# long list of local-zones above. If this unbound is a dns server
# for a network of computers, disabled is better and stops information
# leakage of local lan information.
# unblock-lan-zones: no
# The insecure-lan-zones option disables validation for
# these zones, as if they were all listed as domain-insecure.
# insecure-lan-zones: no
# a number of locally served zones can be configured.
# local-zone: <zone> <type>
# local-data: "<resource record string>"
......
......@@ -841,6 +841,11 @@ as a (DHCP-) DNS network resolver for a group of machines, where such
lookups should be filtered (RFC compliance), this also stops potential
data leakage about the local network to the upstream DNS servers.
.TP
.B insecure\-lan\-zones: \fI<yesno>
Default is disabled. If enabled, then reverse lookups in private
address space are not validated. This is usually required whenever
\fIunblock\-lan\-zones\fR is used.
.TP
.B local\-zone: \fI<zone> <type>
Configure a local zone. The type determines the answer to give if
there is no match from local\-data. The types are deny, refuse, static,
......
......@@ -51,6 +51,7 @@
#include "util/netevent.h"
#include "util/data/msgreply.h"
#include "util/data/msgparse.h"
#include "util/as112.h"
struct local_zones*
local_zones_create(void)
......@@ -592,6 +593,7 @@ static int
lz_enter_defaults(struct local_zones* zones, struct config_file* cfg)
{
struct local_zone* z;
const char** zstr;
/* this list of zones is from RFC 6303 */
......@@ -654,110 +656,14 @@ lz_enter_defaults(struct local_zones* zones, struct config_file* cfg)
lock_rw_unlock(&z->lock);
}
/* if unblock lan-zones, then do not add the zones below.
* we do add the zones above, about 127.0.0.1, because localhost is
* not on the lan. */
if(cfg->unblock_lan_zones)
return 1;
/* block LAN level zones */
if ( !add_as112_default(zones, cfg, "10.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "16.172.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "17.172.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "18.172.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "19.172.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "20.172.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "21.172.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "22.172.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "23.172.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "24.172.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "25.172.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "26.172.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "27.172.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "28.172.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "29.172.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "30.172.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "31.172.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "168.192.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "0.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "64.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "65.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "66.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "67.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "68.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "69.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "70.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "71.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "72.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "73.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "74.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "75.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "76.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "77.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "78.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "79.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "80.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "81.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "82.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "83.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "84.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "85.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "86.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "87.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "88.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "89.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "90.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "91.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "92.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "93.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "94.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "95.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "96.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "97.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "98.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "99.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "100.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "101.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "102.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "103.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "104.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "105.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "106.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "107.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "108.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "109.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "110.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "111.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "112.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "113.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "114.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "115.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "116.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "117.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "118.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "119.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "120.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "121.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "122.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "123.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "124.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "125.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "126.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "127.100.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "254.169.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "2.0.192.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "100.51.198.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "113.0.203.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "255.255.255.255.in-addr.arpa.") ||
!add_as112_default(zones, cfg, "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa.") ||
!add_as112_default(zones, cfg, "d.f.ip6.arpa.") ||
!add_as112_default(zones, cfg, "8.e.f.ip6.arpa.") ||
!add_as112_default(zones, cfg, "9.e.f.ip6.arpa.") ||
!add_as112_default(zones, cfg, "a.e.f.ip6.arpa.") ||
!add_as112_default(zones, cfg, "b.e.f.ip6.arpa.") ||
!add_as112_default(zones, cfg, "8.b.d.0.1.0.0.2.ip6.arpa.")) {
log_err("out of memory adding default zone");
return 0;
/* block AS112 zones, unless asked not to */
if(!cfg->unblock_lan_zones) {
for(zstr = as112_zones; *zstr; zstr++) {
if(!add_as112_default(zones, cfg, *zstr)) {
log_err("out of memory adding default zone");
return 0;
}
}
}
return 1;
}
......
/*
* util/as112.c - list of local zones.
*
* Copyright (c) 2007, NLnet Labs. All rights reserved.
*
* This software is open source.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
*
* Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
*
* Neither the name of the NLNET LABS nor the names of its contributors may
* be used to endorse or promote products derived from this software without
* specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
* TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
/**
* \file
*
* This file provides a list of lan zones.
*/
#include "util/as112.h"
static const char* as112_zone_array[] = {
"10.in-addr.arpa.",
"16.172.in-addr.arpa.",
"17.172.in-addr.arpa.",
"18.172.in-addr.arpa.",
"19.172.in-addr.arpa.",
"20.172.in-addr.arpa.",
"21.172.in-addr.arpa.",
"22.172.in-addr.arpa.",
"23.172.in-addr.arpa.",
"24.172.in-addr.arpa.",
"25.172.in-addr.arpa.",
"26.172.in-addr.arpa.",
"27.172.in-addr.arpa.",
"28.172.in-addr.arpa.",
"29.172.in-addr.arpa.",
"30.172.in-addr.arpa.",
"31.172.in-addr.arpa.",
"168.192.in-addr.arpa.",
"0.in-addr.arpa.",
"64.100.in-addr.arpa.",
"65.100.in-addr.arpa.",
"66.100.in-addr.arpa.",
"67.100.in-addr.arpa.",
"68.100.in-addr.arpa.",
"69.100.in-addr.arpa.",
"70.100.in-addr.arpa.",
"71.100.in-addr.arpa.",
"72.100.in-addr.arpa.",
"73.100.in-addr.arpa.",
"74.100.in-addr.arpa.",
"75.100.in-addr.arpa.",
"76.100.in-addr.arpa.",
"77.100.in-addr.arpa.",
"78.100.in-addr.arpa.",
"79.100.in-addr.arpa.",
"80.100.in-addr.arpa.",
"81.100.in-addr.arpa.",
"82.100.in-addr.arpa.",
"83.100.in-addr.arpa.",
"84.100.in-addr.arpa.",
"85.100.in-addr.arpa.",
"86.100.in-addr.arpa.",
"87.100.in-addr.arpa.",
"88.100.in-addr.arpa.",
"89.100.in-addr.arpa.",
"90.100.in-addr.arpa.",
"91.100.in-addr.arpa.",
"92.100.in-addr.arpa.",
"93.100.in-addr.arpa.",
"94.100.in-addr.arpa.",
"95.100.in-addr.arpa.",
"96.100.in-addr.arpa.",
"97.100.in-addr.arpa.",
"98.100.in-addr.arpa.",
"99.100.in-addr.arpa.",
"100.100.in-addr.arpa.",
"101.100.in-addr.arpa.",
"102.100.in-addr.arpa.",
"103.100.in-addr.arpa.",
"104.100.in-addr.arpa.",
"105.100.in-addr.arpa.",
"106.100.in-addr.arpa.",
"107.100.in-addr.arpa.",
"108.100.in-addr.arpa.",
"109.100.in-addr.arpa.",
"110.100.in-addr.arpa.",
"111.100.in-addr.arpa.",
"112.100.in-addr.arpa.",
"113.100.in-addr.arpa.",
"114.100.in-addr.arpa.",
"115.100.in-addr.arpa.",
"116.100.in-addr.arpa.",
"117.100.in-addr.arpa.",
"118.100.in-addr.arpa.",
"119.100.in-addr.arpa.",
"120.100.in-addr.arpa.",
"121.100.in-addr.arpa.",
"122.100.in-addr.arpa.",
"123.100.in-addr.arpa.",
"124.100.in-addr.arpa.",
"125.100.in-addr.arpa.",
"126.100.in-addr.arpa.",
"127.100.in-addr.arpa.",
"254.169.in-addr.arpa.",
"2.0.192.in-addr.arpa.",
"100.51.198.in-addr.arpa.",
"113.0.203.in-addr.arpa.",
"255.255.255.255.in-addr.arpa.",
"0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa.",
"d.f.ip6.arpa.",
"8.e.f.ip6.arpa.",
"9.e.f.ip6.arpa.",
"a.e.f.ip6.arpa.",
"b.e.f.ip6.arpa.",
"8.b.d.0.1.0.0.2.ip6.arpa.",
0
};
const char** as112_zones = as112_zone_array;
/*
* util/as112.c - list of local zones.
*
* Copyright (c) 2007, NLnet Labs. All rights reserved.
*
* This software is open source.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
*
* Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
*
* Neither the name of the NLNET LABS nor the names of its contributors may
* be used to endorse or promote products derived from this software without
* specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
* TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
/**
* \file
*
* This file provides a list of lan zones
*/
#ifndef UTIL_AS112_H
#define UTIL_AS112_H
/**
* Array of text-format domain names of the AS112 zones.
* The array ends with NULL. "AS112" is a service on the internet that
* that this array is named after. The names in this list (or some of them)
* are null-routed by this service to avoid load on central servers caused by
* mistaken lookups for local content on the global internet.
*
* This is the list of names that unbound should not normally be sending
* on towards the internet, because they are local-use.
*/
extern const char** as112_zones;
#endif
......@@ -210,6 +210,7 @@ config_create(void)
cfg->local_zones_nodefault = NULL;
cfg->local_data = NULL;
cfg->unblock_lan_zones = 0;
cfg->insecure_lan_zones = 0;
cfg->python_script = NULL;
cfg->remote_control_enable = 0;
cfg->control_ifs = NULL;
......@@ -458,6 +459,7 @@ int config_set_option(struct config_file* cfg, const char* opt,
else S_YNO("rrset-roundrobin:", rrset_roundrobin)
else S_STRLIST("local-data:", local_data)
else S_YNO("unblock-lan-zones:", unblock_lan_zones)
else S_YNO("insecure-lan-zones:", insecure_lan_zones)
else S_YNO("control-enable:", remote_control_enable)
else S_STRLIST("control-interface:", control_ifs)
else S_NUMBER_NONZERO("control-port:", control_port)
......@@ -739,6 +741,7 @@ config_get_option(struct config_file* cfg, const char* opt,
else O_YNO(opt, "minimal-responses", minimal_responses)
else O_YNO(opt, "rrset-roundrobin", rrset_roundrobin)
else O_YNO(opt, "unblock-lan-zones", unblock_lan_zones)
else O_YNO(opt, "insecure-lan-zones", insecure_lan_zones)
else O_DEC(opt, "max-udp-size", max_udp_size)
else O_STR(opt, "python-script", python_script)
else O_DEC(opt, "ratelimit", ratelimit)
......
......@@ -285,8 +285,10 @@ struct config_file {
struct config_strlist* local_zones_nodefault;
/** local data RRs configured */
struct config_strlist* local_data;
/** unblock lan zones (reverse lookups for 10/8 and so on) */
/** unblock lan zones (reverse lookups for AS112 zones) */
int unblock_lan_zones;
/** insecure lan zones (don't validate AS112 zones) */
int insecure_lan_zones;
/** remote control section. enable toggle. */
int remote_control_enable;
......
......@@ -319,6 +319,7 @@ local-zone{COLON} { YDVAR(2, VAR_LOCAL_ZONE) }
local-data{COLON} { YDVAR(1, VAR_LOCAL_DATA) }
local-data-ptr{COLON} { YDVAR(1, VAR_LOCAL_DATA_PTR) }
unblock-lan-zones{COLON} { YDVAR(1, VAR_UNBLOCK_LAN_ZONES) }
insecure-lan-zones{COLON} { YDVAR(1, VAR_INSECURE_LAN_ZONES) }
statistics-interval{COLON} { YDVAR(1, VAR_STATISTICS_INTERVAL) }
statistics-cumulative{COLON} { YDVAR(1, VAR_STATISTICS_CUMULATIVE) }
extended-statistics{COLON} { YDVAR(1, VAR_EXTENDED_STATISTICS) }
......
......@@ -106,7 +106,8 @@ extern struct config_parser_state* cfg_parser;
%token VAR_IGNORE_CD_FLAG VAR_LOG_QUERIES VAR_TCP_UPSTREAM VAR_SSL_UPSTREAM
%token VAR_SSL_SERVICE_KEY VAR_SSL_SERVICE_PEM VAR_SSL_PORT VAR_FORWARD_FIRST
%token VAR_STUB_FIRST VAR_MINIMAL_RESPONSES VAR_RRSET_ROUNDROBIN
%token VAR_MAX_UDP_SIZE VAR_DELAY_CLOSE VAR_UNBLOCK_LAN_ZONES
%token VAR_MAX_UDP_SIZE VAR_DELAY_CLOSE
%token VAR_UNBLOCK_LAN_ZONES VAR_INSECURE_LAN_ZONES
%token VAR_INFRA_CACHE_MIN_RTT
%token VAR_DNS64_PREFIX VAR_DNS64_SYNTHALL
%token VAR_DNSTAP VAR_DNSTAP_ENABLE VAR_DNSTAP_SOCKET_PATH
......@@ -180,7 +181,8 @@ content_server: server_num_threads | server_verbosity | server_port |
server_log_queries | server_tcp_upstream | server_ssl_upstream |
server_ssl_service_key | server_ssl_service_pem | server_ssl_port |
server_minimal_responses | server_rrset_roundrobin | server_max_udp_size |
server_so_reuseport | server_delay_close | server_unblock_lan_zones |
server_so_reuseport | server_delay_close |
server_unblock_lan_zones | server_insecure_lan_zones |
server_dns64_prefix | server_dns64_synthall |
server_infra_cache_min_rtt | server_harden_algo_downgrade |
server_ip_transparent | server_ratelimit | server_ratelimit_slabs |
......@@ -722,6 +724,16 @@ server_unblock_lan_zones: VAR_UNBLOCK_LAN_ZONES STRING_ARG
free($2);
}
;
server_insecure_lan_zones: VAR_INSECURE_LAN_ZONES STRING_ARG
{
OUTYY(("P(server_insecure_lan_zones:%s)\n", $2));
if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
yyerror("expected yes or no.");
else cfg_parser->cfg->insecure_lan_zones =
(strcmp($2, "yes")==0);
free($2);
}
;
server_rrset_cache_size: VAR_RRSET_CACHE_SIZE STRING_ARG
{
OUTYY(("P(server_rrset_cache_size:%s)\n", $2));
......
......@@ -48,6 +48,7 @@
#include "util/log.h"
#include "util/net_help.h"
#include "util/config_file.h"
#include "util/as112.h"
#include "sldns/sbuffer.h"
#include "sldns/rrdef.h"
#include "sldns/str2wire.h"
......@@ -1044,8 +1045,18 @@ int
anchors_apply_cfg(struct val_anchors* anchors, struct config_file* cfg)
{
struct config_strlist* f;
const char** zstr;
char* nm;
sldns_buffer* parsebuf = sldns_buffer_new(65535);
if(cfg->insecure_lan_zones) {
for(zstr = as112_zones; *zstr; zstr++) {
if(!anchor_insert_insecure(anchors, *zstr)) {
log_err("error in insecure-lan-zones: %s", *zstr);
sldns_buffer_free(parsebuf);
return 0;
}
}
}
for(f = cfg->domain_insecure; f; f = f->next) {
if(!f->str || f->str[0] == 0) /* empty "" */
continue;
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment