Merge remote-tracking branch 'nlnet/master'

* nlnet/master: (33 commits) - Fix doxygen warnings by commenting out CLANG_ASSISTED_PARSING, CLANG_ADD_INC_PATHS, CLANG_OPTIONS and CLANG_DATABASE_PATH; they were already disabled. - Fix dns64 with prefetch that the prefetch is stored in cache. - Add redis-command-timeout: 20 and redis-connect-timeout: 200, that can set the timeout separately for commands and the connection set up to the redis server. If they are not specified, the redis-timeout value is used. Changelog comment for NLnetLabs#1140. - Merge NLnetLabs#1140: Fix spelling mistake in comments. Fix spelling mistake in comments (NLnetLabs#1140) - Fix and add comments in testdata/val_negcache_ttl.rpl. - Add unit test for ttl limit for aggressive nsec. - Fix to limit NSEC and NSEC3 TTL when aggressive nsec is enabled (RFC9077). - Fix comment to not trigger doxygen unknown command. - Fix alloc-size and calloc-transposed-args compiler warnings. - Fix config file read for dnstap-sample-rate. Changelog note for NLnetLabs#1135 - Merge NLnetLabs#1135: Add new IANA trust anchor. Add new IANA trust anchor (NLnetLabs#1135) - Fix for NLnetLabs#1132, comment about adjusted copy of reference check. Changelog note for NLnetLabs#1132 and fix for NLnetLabs#1132. - Merge NLnetLabs#1132: b.root renumbering. - Fix for NLnetLabs#1132, adjusted unit test for change in the test file. b.root renumbering (NLnetLabs#1132) - Fix to print port number in logs for auth zone transfer activities. - Unit test for auth zone transfer TLS, and TLS failure. - Fix that stub-zone and forward-zone clauses do not exhaust memory for long content. - Fix that when rpz is applied the message does not get picked up by the validator. That stops validation failures for the message. ...
jedisct1 · Sep 23, 2024 · 90e673e · 90e673e
2 parents 3857248 + db719d4
commit 90e673e
Show file tree

Hide file tree

Showing 60 changed files with 4,736 additions and 84 deletions.
diff --git a/.github/workflows/analysis_ports.yml b/.github/workflows/analysis_ports.yml
@@ -161,6 +161,33 @@ jobs:
             test_windows: "yes"
             config: "no"
             make: "no"
+          - name: FreeBSD
+            os: ubuntu-latest
+            config: "no"
+            make: "no"
+            with_cross_platform_action: "yes"
+            cross_platform_os: "freebsd"
+            cross_platform_arch: "x86-64"
+            cross_platform_version: "14.1"
+            cross_platform_config: "--enable-debug --disable-flto --with-libevent --disable-static"
+          - name: OpenBSD
+            os: ubuntu-latest
+            config: "no"
+            make: "no"
+            with_cross_platform_action: "yes"
+            cross_platform_os: "openbsd"
+            cross_platform_arch: "x86-64"
+            cross_platform_version: "7.5"
+            cross_platform_config: "--enable-debug --disable-flto --with-libevent --disable-static"
+          - name: NetBSD
+            os: ubuntu-latest
+            config: "no"
+            make: "no"
+            with_cross_platform_action: "yes"
+            cross_platform_os: "netbsd"
+            cross_platform_arch: "x86-64"
+            cross_platform_version: "10.0"
+            cross_platform_config: "--enable-debug --disable-flto --with-libevent --disable-static"
 
     steps:
       - uses: actions/checkout@v4
@@ -331,6 +358,33 @@ jobs:
           echo "::group::make install"
           make install
           echo "::endgroup::"
+      - name: cross-platform-action on ${{ matrix.cross_platform_os }} ${{ matrix.cross_platform_version }}
+        if: ${{ matrix.with_cross_platform_action == 'yes' }}
+        uses: cross-platform-actions/[email protected]
+        env:
+          CROSS_PLATFORM_OS: ${{ matrix.cross_platform_os }}
+        with:
+          environment_variables: CROSS_PLATFORM_OS
+          operating_system: ${{ matrix.cross_platform_os }}
+          architecture: ${{ matrix.cross_platform_arch }}
+          version: ${{ matrix.cross_platform_version }}
+          shell: bash
+          memory: 4G
+          cpu_count: 2
+          run: |
+            set -e -x
+            if test "$CROSS_PLATFORM_OS" = "freebsd"; then sudo pkg install -y openssl libevent expat; fi
+            if test "$CROSS_PLATFORM_OS" = "openbsd"; then sudo pkg_add libevent; fi
+            if test "$CROSS_PLATFORM_OS" = "netbsd"; then sudo pkgin -y install libevent; fi
+            echo "::group::configure"
+            ./configure ${{ matrix.cross_platform_config }}
+            echo "::endgroup::"
+            echo "::group::make"
+            make
+            echo "::endgroup::"
+            echo "::group::make test"
+            make test
+            echo "::endgroup::"
       - name: install libevent
         if: ${{ matrix.install_libevent == 'yes' }}
         run: sudo apt-get install libevent-dev

diff --git a/cachedb/redis.c b/cachedb/redis.c
@@ -58,7 +58,8 @@ struct redis_moddata {
 	int server_port;	 /* server's TCP port */
 	const char* server_path; /* server's unix path, or "", NULL if unused */
 	const char* server_password; /* server's AUTH password, or "", NULL if unused */
-	struct timeval timeout;	 /* timeout for connection setup and commands */
+	struct timeval command_timeout;	 /* timeout for commands */
+	struct timeval connect_timeout;	 /* timeout for connect */
 	int logical_db;		/* the redis logical database to use */
 };
 
@@ -88,10 +89,10 @@ redis_connect(const struct redis_moddata* moddata)
 
 	if(moddata->server_path && moddata->server_path[0]!=0) {
 		ctx = redisConnectUnixWithTimeout(moddata->server_path,
-			moddata->timeout);
+			moddata->connect_timeout);
 	} else {
 		ctx = redisConnectWithTimeout(moddata->server_host,
-			moddata->server_port, moddata->timeout);
+			moddata->server_port, moddata->connect_timeout);
 	}
 	if(!ctx || ctx->err) {
 		const char *errstr = "out of memory";
@@ -100,7 +101,7 @@ redis_connect(const struct redis_moddata* moddata)
 		log_err("failed to connect to redis server: %s", errstr);
 		goto fail;
 	}
-	if(redisSetTimeout(ctx, moddata->timeout) != REDIS_OK) {
+	if(redisSetTimeout(ctx, moddata->command_timeout) != REDIS_OK) {
 		log_err("failed to set redis timeout");
 		goto fail;
 	}
@@ -159,8 +160,24 @@ redis_init(struct module_env* env, struct cachedb_env* cachedb_env)
 	moddata->server_port = env->cfg->redis_server_port;
 	moddata->server_path = env->cfg->redis_server_path;
 	moddata->server_password = env->cfg->redis_server_password;
-	moddata->timeout.tv_sec = env->cfg->redis_timeout / 1000;
-	moddata->timeout.tv_usec = (env->cfg->redis_timeout % 1000) * 1000;
+	moddata->command_timeout.tv_sec = env->cfg->redis_timeout / 1000;
+	moddata->command_timeout.tv_usec =
+		(env->cfg->redis_timeout % 1000) * 1000;
+	moddata->connect_timeout.tv_sec = env->cfg->redis_timeout / 1000;
+	moddata->connect_timeout.tv_usec =
+		(env->cfg->redis_timeout % 1000) * 1000;
+	if(env->cfg->redis_command_timeout != 0) {
+		moddata->command_timeout.tv_sec =
+			env->cfg->redis_command_timeout / 1000;
+		moddata->command_timeout.tv_usec =
+			(env->cfg->redis_command_timeout % 1000) * 1000;
+	}
+	if(env->cfg->redis_connect_timeout != 0) {
+		moddata->connect_timeout.tv_sec =
+			env->cfg->redis_connect_timeout / 1000;
+		moddata->connect_timeout.tv_usec =
+			(env->cfg->redis_connect_timeout % 1000) * 1000;
+	}
 	moddata->logical_db = env->cfg->redis_logical_db;
 	for(i = 0; i < moddata->numctxs; i++) {
 		redisContext* ctx = redis_connect(moddata);

diff --git a/dns64/dns64.c b/dns64/dns64.c
@@ -657,7 +657,7 @@ handle_event_moddone(struct module_qstate* qstate, int id)
 		qstate->return_msg->rep &&
 		!dns_cache_store(
 			qstate->env, &qstate->qinfo, qstate->return_msg->rep,
-			0, 0, 0, NULL,
+			0, qstate->prefetch_leeway, 0, NULL,
 			qstate->query_flags, qstate->qstarttime))
 		log_err("out of memory");
 
@@ -1007,7 +1007,7 @@ dns64_inform_super(struct module_qstate* qstate, int id,
 	/* Store the generated response in cache. */
 	if ( (!super_dq || !super_dq->started_no_cache_store) &&
 		!dns_cache_store(super->env, &super->qinfo, super->return_msg->rep,
-		0, 0, 0, NULL, super->query_flags, qstate->qstarttime))
+		0, super->prefetch_leeway, 0, NULL, super->query_flags, qstate->qstarttime))
 		log_err("out of memory");
 }
 

diff --git a/doc/Changelog b/doc/Changelog
@@ -1,3 +1,81 @@
+23 September 2024: Wouter
+	- Fix dns64 with prefetch that the prefetch is stored in cache.
+
+23 September 2024: Yorgos
+	- Fix doxygen warnings by commenting out CLANG_ASSISTED_PARSING,
+	  CLANG_ADD_INC_PATHS, CLANG_OPTIONS and CLANG_DATABASE_PATH; they were
+	  already disabled.
+
+17 September 2024: Wouter
+	- Add redis-command-timeout: 20 and redis-connect-timeout: 200,
+	  that can set the timeout separately for commands and the
+	  connection set up to the redis server. If they are not
+	  specified, the redis-timeout value is used.
+
+16 September 2024: Wouter
+	- Merge #1140: Fix spelling mistake in comments.
+
+11 September 2024: Yorgos
+	- Fix and add comments in testdata/val_negcache_ttl.rpl.
+
+10 September 2024: Wouter
+	- Fix to limit NSEC and NSEC3 TTL when aggressive nsec is
+	  enabled (RFC9077).
+	- Add unit test for ttl limit for aggressive nsec.
+
+6 September 2024: Yorgos
+	- Fix alloc-size and calloc-transposed-args compiler warnings.
+	- Fix comment to not trigger doxygen unknown command.
+
+5 September 2024: Wouter
+	- Fix config file read for dnstap-sample-rate.
+
+2 September 2024: Wouter
+	- Merge #1135: Add new IANA trust anchor.
+
+30 August 2024: Wouter
+	- Merge #1132: b.root renumbering.
+	- Fix for #1132, adjusted unit test for change in the test file.
+	- Fix for #1132, comment about adjusted copy of reference check.
+
+29 August 2024: Wouter
+	- Unit test for auth zone transfer TLS, and TLS failure.
+	- Fix to print port number in logs for auth zone transfer activities.
+
+28 August 2024: Wouter
+	- Fix that when rpz is applied the message does not get picked up by
+	  the validator. That stops validation failures for the message.
+	- Fix that stub-zone and forward-zone clauses do not exhaust memory
+	  for long content.
+
+27 August 2024: Wouter
+	- Fix #1130: Loads of logs: "validation failure: key for validation
+	  <domain>. is marked as invalid because of a previous" for
+	  non-DNSSEC signed zone.
+
+23 August 2024: Wouter
+	- Merge patch to fix for glue that is outside of zone, with
+	  `harden-unverified-glue`, from Karthik Umashankar (Microsoft).
+	  Enabling this option protects the Unbound resolver against bad
+	  glue, that is unverified out of zone glue, by resolving them.
+	  It uses the records as last resort if there is no other working
+	  glue.
+	- Fix #1127: error: "memory exhausted" when defining more than 9994
+	  local-zones.
+	- Fix documentation for cache_fill_missing function.
+
+21 August 2024: Wouter
+	- Add cross platform freebsd, openbsd and netbsd to github ci.
+	- Fix for char signedness warnings on NetBSD.
+
+20 August 2024: Wouter
+	- Add iter-scrub-ns, iter-scrub-cname and max-global-quota
+	  configuration options.
+
+19 August 2024: Wouter
+	- Fix #1126: unbound-control-setup hangs while testing for openssl
+	  presence starting from version 1.21.0.
+
 9 August 2024: Wouter
 	- Fix spelling for the cache-min-negative-ttl entry in the
 	  example.conf.

diff --git a/doc/example.conf.in b/doc/example.conf.in
@@ -187,6 +187,15 @@ server:
 	# query upon encountering a CNAME record.
 	# max-query-restarts: 11
 
+	# Limit on number of NS records in NS RRset for incoming packets.
+	# iter-scrub-ns: 20
+
+	# Limit on number of CNAME, DNAME records for incoming packets.
+	# iter-scrub-cname: 11
+
+	# Limit on upstream queries for an incoming query and its recursion.
+	# max-global-quota: 128
+
 	# msec for waiting for an unknown server to reply.  Increase if you
 	# are behind a slow satellite link, to eg. 1128.
 	# unknown-server-time-limit: 376
@@ -524,6 +533,9 @@ server:
 	# Harden against out of zone rrsets, to avoid spoofing attempts.
 	# harden-glue: yes
 
+	# Harden against unverified (outside-zone, including sibling zone) glue rrsets
+	# harden-unverified-glue: no
+
 	# Harden against receiving dnssec-stripped data. If you turn it
 	# off, failing to validate dnskey data for a trustanchor will
 	# trigger insecure mode for that zone (like without a trustanchor).
@@ -1289,6 +1301,10 @@ remote-control:
 #     # redis-server-password: ""
 #     # timeout (in ms) for communication with the redis server
 #     redis-timeout: 100
+#     # timeout (in ms) for commands, if 0, uses redis-timeout.
+#     redis-command-timeout: 0
+#     # timeout (in ms) for connection set up, if 0, uses redis-timeout.
+#     redis-connect-timeout: 0
 #     # set timeout on redis records based on DNS response TTL
 #     redis-expire-records: no
 #     # redis logical database to use, 0 is the default database.

diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in
@@ -1048,6 +1048,11 @@ payload is very large.
 .B harden\-glue: \fI<yes or no>
 Will trust glue only if it is within the servers authority. Default is yes.
 .TP
+.B harden\-unverified\-glue: \fI<yes or no>
+Will trust only in-zone glue. Will try to resolve all out of zone
+(\fI<unverfied>) glue. Will fallback to the original glue if unable to resolve.
+Default is no.
+.TP
 .B harden\-dnssec\-stripped: \fI<yes or no>
 Require DNSSEC data for trust\-anchored zones, if such data is absent,
 the zone becomes bogus. If turned off, and no DNSSEC data is received
@@ -1957,6 +1962,23 @@ Changing this value needs caution as it can allow long CNAME chains to be
 accepted, where Unbound needs to verify (resolve) each link individually.
 Default is 11.
 .TP 5
+.B iter\-scrub\-ns: \fI<number>
+Limit on the number of NS records allowed in an rrset of type NS, from the
+iterator scrubber. This protects the internals of the resolver from overly
+large NS sets. Default is 20.
+.TP 5
+.B iter\-scrub\-cname: \fI<number>
+Limit on the number of CNAME, DNAME records in an answer, from the iterator
+scrubber. This protects the internals of the resolver from overly long
+indirection chains. Clips off the remainder of the reply packet at that point.
+Default is 11.
+.TP 5
+.B max\-global\-quota: \fI<number>
+Limit on the number of upstream queries sent out for an incoming query and
+its subqueries from recursion. It is not reset during the resolution. When
+it is exceeded the query is failed and the lookup process stops.
+Default is 128.
+.TP 5
 .B fast\-server\-permil: \fI<number>
 Specify how many times out of 1000 to pick from the set of fastest servers.
 0 turns the feature off.  A value of 900 would pick from the fastest
@@ -2788,6 +2810,14 @@ if the Redis server does not have the requested data, and will try to
 re-establish a new connection later.
 This option defaults to 100 milliseconds.
 .TP
+.B redis-command-timeout: \fI<msec>\fR
+The timeout to use for redis commands, in milliseconds. If 0, it uses the
+redis\-timeout value. The default is 0.
+.TP
+.B redis-connect-timeout: \fI<msec>\fR
+The timeout to use for redis connection set up, in milliseconds. If 0, it
+uses the redis\-timeout value. The default is 0.
+.TP
 .B redis-expire-records: \fI<yes or no>
 If Redis record expiration is enabled.  If yes, Unbound sets timeout for Redis
 records so that Redis can evict keys that have expired automatically.  If

diff --git a/doc/unbound.doxygen b/doc/unbound.doxygen
@@ -1226,23 +1226,23 @@ VERBATIM_HEADERS       = NO
 # generated with the -Duse_libclang=ON option for CMake.
 # The default value is: NO.
 
-CLANG_ASSISTED_PARSING = NO
+#CLANG_ASSISTED_PARSING = NO
 
 # If the CLANG_ASSISTED_PARSING tag is set to YES and the CLANG_ADD_INC_PATHS
 # tag is set to YES then doxygen will add the directory of each input to the
 # include path.
 # The default value is: YES.
 # This tag requires that the tag CLANG_ASSISTED_PARSING is set to YES.
 
-CLANG_ADD_INC_PATHS    = YES
+#CLANG_ADD_INC_PATHS    = YES
 
 # If clang assisted parsing is enabled you can provide the compiler with command
 # line options that you would normally use when invoking the compiler. Note that
 # the include paths will already be set by doxygen for the files and directories
 # specified with INPUT and INCLUDE_PATH.
 # This tag requires that the tag CLANG_ASSISTED_PARSING is set to YES.
 
-CLANG_OPTIONS          =
+#CLANG_OPTIONS          =
 
 # If clang assisted parsing is enabled you can provide the clang parser with the
 # path to the directory containing a file called compile_commands.json. This
@@ -1255,7 +1255,7 @@ CLANG_OPTIONS          =
 # Note: The availability of this option depends on whether or not doxygen was
 # generated with the -Duse_libclang=ON option for CMake.
 
-CLANG_DATABASE_PATH    =
+#CLANG_DATABASE_PATH    =
 
 #---------------------------------------------------------------------------
 # Configuration options related to the alphabetical class index