
New upstream version 4.3.2

tags/upstream/4.3.2^0
Chris Hofstaedtler 9 months ago
parent
commit
8457dbe04a
21 changed files with 635 additions and 368 deletions
  1. +10
    -10
      configure
  2. +1
    -1
      configure.ac
  3. +145
    -56
      effective_tld_names.dat
  4. +2
    -0
      ext/yahttp/yahttp/reqresp.cpp
  5. +37
    -0
      misc.cc
  6. +2
    -0
      misc.hh
  7. +1
    -1
      pdns_recursor.1
  8. +23
    -12
      pdns_recursor.cc
  9. +59
    -6
      portsmplexer.cc
  10. +67
    -208
      pubsuffix.cc
  11. +6
    -10
      rec-carbon.cc
  12. +1
    -1
      rec_control.1
  13. +15
    -8
      rpzloader.cc
  14. +77
    -31
      syncres.cc
  15. +1
    -1
      syncres.hh
  16. +1
    -1
      test-dns_random_hh.cc
  17. +78
    -1
      test-syncres_cc1.cc
  18. +51
    -20
      test-syncres_cc2.cc
  19. +50
    -0
      test-syncres_cc6.cc
  20. +4
    -0
      ws-recursor.cc
  21. +4
    -1
      ws-recursor.hh

+ 10
- 10
configure View File

@@ -1,6 +1,6 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
# Generated by GNU Autoconf 2.69 for pdns-recursor 4.3.1.
# Generated by GNU Autoconf 2.69 for pdns-recursor 4.3.2.
#
#
# Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
@@ -587,8 +587,8 @@ MAKEFLAGS=
# Identity of this package.
PACKAGE_NAME='pdns-recursor'
PACKAGE_TARNAME='pdns-recursor'
PACKAGE_VERSION='4.3.1'
PACKAGE_STRING='pdns-recursor 4.3.1'
PACKAGE_VERSION='4.3.2'
PACKAGE_STRING='pdns-recursor 4.3.2'
PACKAGE_BUGREPORT=''
PACKAGE_URL=''

@@ -1519,7 +1519,7 @@ if test "$ac_init_help" = "long"; then
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
\`configure' configures pdns-recursor 4.3.1 to adapt to many kinds of systems.
\`configure' configures pdns-recursor 4.3.2 to adapt to many kinds of systems.

Usage: $0 [OPTION]... [VAR=VALUE]...

@@ -1590,7 +1590,7 @@ fi

if test -n "$ac_init_help"; then
case $ac_init_help in
short | recursive ) echo "Configuration of pdns-recursor 4.3.1:";;
short | recursive ) echo "Configuration of pdns-recursor 4.3.2:";;
esac
cat <<\_ACEOF

@@ -1772,7 +1772,7 @@ fi
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
pdns-recursor configure 4.3.1
pdns-recursor configure 4.3.2
generated by GNU Autoconf 2.69

Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2365,7 +2365,7 @@ cat >config.log <<_ACEOF
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.

It was created by pdns-recursor $as_me 4.3.1, which was
It was created by pdns-recursor $as_me 4.3.2, which was
generated by GNU Autoconf 2.69. Invocation command line was

$ $0 $@
@@ -3233,7 +3233,7 @@ fi

# Define the identity of the package.
PACKAGE='pdns-recursor'
VERSION='4.3.1'
VERSION='4.3.2'


cat >>confdefs.h <<_ACEOF
@@ -25391,7 +25391,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
This file was extended by pdns-recursor $as_me 4.3.1, which was
This file was extended by pdns-recursor $as_me 4.3.2, which was
generated by GNU Autoconf 2.69. Invocation command line was

CONFIG_FILES = $CONFIG_FILES
@@ -25457,7 +25457,7 @@ _ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
pdns-recursor config.status 4.3.1
pdns-recursor config.status 4.3.2
configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\"



+ 1
- 1
configure.ac View File

@@ -1,6 +1,6 @@
AC_PREREQ([2.61])

AC_INIT([pdns-recursor], [4.3.1])
AC_INIT([pdns-recursor], [4.3.2])
AC_CONFIG_AUX_DIR([build-aux])
AM_INIT_AUTOMAKE([foreign dist-bzip2 no-dist-gzip tar-ustar -Wno-portability subdir-objects parallel-tests 1.11])
AM_SILENT_RULES([yes])


+ 145
- 56
effective_tld_names.dat View File

@@ -258,7 +258,7 @@ tas.gov.au
vic.gov.au
wa.gov.au
// 4LDs
education.tas.edu.au
// education.tas.edu.au - Removed at the request of the Department of Education Tasmania
schools.nsw.edu.au

// aw : https://en.wikipedia.org/wiki/.aw
@@ -3785,7 +3785,7 @@ gov.lc
// li : https://en.wikipedia.org/wiki/.li
li

// lk : http://www.nic.lk/seclevpr.html
// lk : https://www.nic.lk/index.php/domain-registration/lk-domain-naming-structure
lk
gov.lk
sch.lk
@@ -6327,7 +6327,6 @@ cv.ua
dn.ua
dnepropetrovsk.ua
dnipropetrovsk.ua
dominic.ua
donetsk.ua
dp.ua
if.ua
@@ -6919,11 +6918,11 @@ yt
қаз

// xn--fzc2c9e2c ("Lanka", Sinhalese-Sinhala) : LK
// http://nic.lk
// https://nic.lk
ලංකා

// xn--xkc2al3hye2a ("Ilangai", Tamil) : LK
// http://nic.lk
// https://nic.lk
இலங்கை

// xn--mgbc0a9azcg ("Morocco/al-Maghrib", Arabic) : MA
@@ -7092,7 +7091,7 @@ org.zw

// newGTLDs

// List of new gTLDs imported from https://www.icann.org/resources/registries/gtlds/v2/gtlds.json on 2020-05-06T16:23:34Z
// List of new gTLDs imported from https://www.icann.org/resources/registries/gtlds/v2/gtlds.json on 2020-06-27T16:53:37Z
// This list is auto-generated, don't edit it manually.
// aaa : 2015-02-26 American Automobile Association, Inc.
aaa
@@ -7175,9 +7174,6 @@ agency
// aig : 2014-12-18 American International Group, Inc.
aig

// aigo : 2015-08-06 aigo Digital Technology Co,Ltd.
aigo

// airbus : 2015-07-30 Airbus S.A.S.
airbus

@@ -7301,7 +7297,7 @@ audi
// audible : 2015-06-25 Amazon Registry Services, Inc.
audible

// audio : 2014-03-20 Uniregistry, Corp.
// audio : 2014-03-20 UNR Corp.
audio

// auspost : 2015-08-13 Australian Postal Corporation
@@ -7439,7 +7435,7 @@ bio
// black : 2014-01-16 Afilias Limited
black

// blackfriday : 2014-01-16 Uniregistry, Corp.
// blackfriday : 2014-01-16 UNR Corp.
blackfriday

// blockbuster : 2015-07-30 Dish DBS Corporation
@@ -7679,7 +7675,7 @@ cheap
// chintai : 2015-06-11 CHINTAI Corporation
chintai

// christmas : 2013-11-21 Uniregistry, Corp.
// christmas : 2013-11-21 UNR Corp.
christmas

// chrome : 2014-07-24 Charleston Road Registry Inc.
@@ -7718,7 +7714,7 @@ claims
// cleaning : 2013-12-05 Binky Moon, LLC
cleaning

// click : 2014-06-05 Uniregistry, Corp.
// click : 2014-06-05 UNR Corp.
click

// clinic : 2014-03-20 Binky Moon, LLC
@@ -7931,7 +7927,7 @@ dhl
// diamonds : 2013-09-22 Binky Moon, LLC
diamonds

// diet : 2014-06-26 Uniregistry, Corp.
// diet : 2014-06-26 UNR Corp.
diet

// digital : 2014-03-06 Binky Moon, LLC
@@ -8054,9 +8050,6 @@ esq
// estate : 2013-08-27 Binky Moon, LLC
estate

// esurance : 2015-07-23 Esurance Insurance Company
esurance

// etisalat : 2015-09-03 Emirates Telecommunications Corporation (trading as Etisalat)
etisalat

@@ -8171,7 +8164,7 @@ fit
// fitness : 2014-03-06 Binky Moon, LLC
fitness

// flickr : 2015-04-02 Yahoo! Domain Services Inc.
// flickr : 2015-04-02 Flickr, Inc.
flickr

// flights : 2013-12-05 Binky Moon, LLC
@@ -8183,7 +8176,7 @@ flir
// florist : 2013-11-07 Binky Moon, LLC
florist

// flowers : 2014-10-09 Uniregistry, Corp.
// flowers : 2014-10-09 UNR Corp.
flowers

// fly : 2014-05-08 Charleston Road Registry Inc.
@@ -8273,7 +8266,7 @@ gallo
// gallup : 2015-02-19 Gallup, Inc.
gallup

// game : 2015-05-28 Uniregistry, Corp.
// game : 2015-05-28 UNR Corp.
game

// games : 2015-05-28 Dog Beach, LLC
@@ -8411,7 +8404,7 @@ guge
// guide : 2013-09-13 Binky Moon, LLC
guide

// guitars : 2013-11-14 Uniregistry, Corp.
// guitars : 2013-11-14 UNR Corp.
guitars

// guru : 2013-08-27 Binky Moon, LLC
@@ -8444,7 +8437,7 @@ health
// healthcare : 2014-06-12 Binky Moon, LLC
healthcare

// help : 2014-06-26 Uniregistry, Corp.
// help : 2014-06-26 UNR Corp.
help

// helsinki : 2015-02-05 City of Helsinki
@@ -8459,7 +8452,7 @@ hermes
// hgtv : 2015-07-02 Lifestyle Domain Holdings, Inc.
hgtv

// hiphop : 2014-03-06 Uniregistry, Corp.
// hiphop : 2014-03-06 UNR Corp.
hiphop

// hisamitsu : 2015-07-16 Hisamitsu Pharmaceutical Co.,Inc.
@@ -8468,7 +8461,7 @@ hisamitsu
// hitachi : 2014-10-31 Hitachi, Ltd.
hitachi

// hiv : 2014-03-13 Uniregistry, Corp.
// hiv : 2014-03-13 UNR Corp.
hiv

// hkt : 2015-05-14 PCCW-HKT DataCom Services Limited
@@ -8507,7 +8500,7 @@ hospital
// host : 2014-04-17 DotHost Inc.
host

// hosting : 2014-05-29 Uniregistry, Corp.
// hosting : 2014-05-29 UNR Corp.
hosting

// hot : 2015-08-27 Amazon Registry Services, Inc.
@@ -8681,7 +8674,7 @@ jpmorgan
// jprs : 2014-09-18 Japan Registry Services Co., Ltd.
jprs

// juegos : 2014-03-20 Uniregistry, Corp.
// juegos : 2014-03-20 UNR Corp.
juegos

// juniper : 2015-07-30 JUNIPER NETWORKS, INC.
@@ -8849,7 +8842,7 @@ lincoln
// linde : 2014-12-04 Linde Aktiengesellschaft
linde

// link : 2013-11-14 Uniregistry, Corp.
// link : 2013-11-14 UNR Corp.
link

// lipsy : 2015-06-25 Lipsy Ltd
@@ -8867,7 +8860,7 @@ lixil
// llc : 2017-12-14 Afilias Limited
llc

// llp : 2019-08-26 Dot Registry LLC
// llp : 2019-08-26 UNR Corp.
llp

// loan : 2014-11-20 dot Loan Limited
@@ -8885,7 +8878,7 @@ locus
// loft : 2015-07-30 Annco, Inc.
loft

// lol : 2015-01-30 Uniregistry, Corp.
// lol : 2015-01-30 UNR Corp.
lol

// london : 2013-11-14 Dot London Domains Limited
@@ -9047,7 +9040,7 @@ moe
// moi : 2014-12-18 Amazon Registry Services, Inc.
moi

// mom : 2015-04-16 Uniregistry, Corp.
// mom : 2015-04-16 UNR Corp.
mom

// monash : 2013-09-30 Monash University
@@ -9122,7 +9115,7 @@ netflix
// network : 2013-11-14 Binky Moon, LLC
network

// neustar : 2013-12-05 Registry Services, LLC
// neustar : 2013-12-05 NeuStar, Inc.
neustar

// new : 2014-01-30 Charleston Road Registry Inc.
@@ -9323,7 +9316,7 @@ philips
// phone : 2016-06-02 Dish DBS Corporation
phone

// photo : 2013-11-14 Uniregistry, Corp.
// photo : 2013-11-14 UNR Corp.
photo

// photography : 2013-09-20 Binky Moon, LLC
@@ -9335,7 +9328,7 @@ photos
// physio : 2014-05-01 PhysBiz Pty Ltd
physio

// pics : 2013-11-14 Uniregistry, Corp.
// pics : 2013-11-14 UNR Corp.
pics

// pictet : 2014-06-26 Pictet Europe S.A.
@@ -9422,7 +9415,7 @@ promo
// properties : 2013-12-05 Binky Moon, LLC
properties

// property : 2014-05-22 Uniregistry, Corp.
// property : 2014-05-22 UNR Corp.
property

// protection : 2015-04-23 XYZ.COM LLC
@@ -9674,9 +9667,6 @@ science
// scjohnson : 2015-07-23 Johnson Shareholdings, Inc.
scjohnson

// scor : 2014-10-31 SCOR SE
scor

// scot : 2014-01-23 Dot Scot Registry Limited
scot

@@ -9716,7 +9706,7 @@ sew
// sex : 2014-11-13 ICM Registry SX LLC
sex

// sexy : 2013-09-11 Uniregistry, Corp.
// sexy : 2013-09-11 UNR Corp.
sexy

// sfr : 2015-08-13 Societe Francaise du Radiotelephone - SFR
@@ -9947,7 +9937,7 @@ tatamotors
// tatar : 2014-04-24 Limited Liability Company "Coordination Center of Regional Domain of Tatarstan Republic"
tatar

// tattoo : 2013-08-30 Uniregistry, Corp.
// tattoo : 2013-08-30 UNR Corp.
tattoo

// tax : 2014-03-20 Binky Moon, LLC
@@ -10490,9 +10480,6 @@ xin
// xn--kcrx77d1x4a : 2014-11-07 Koninklijke Philips N.V.
飞利浦

// xn--kpu716f : 2014-12-22 Richemont DNS Inc.
手表

// xn--kput3i : 2014-02-13 Beijing RITT-Net Technology Development Co., Ltd
手机

@@ -10547,9 +10534,6 @@ xin
// xn--p1acf : 2013-12-12 Rusnames Limited
рус

// xn--pbt977c : 2014-12-22 Richemont DNS Inc.
珠宝

// xn--pssy2u : 2015-01-15 VeriSign Sarl
大拿

@@ -10666,6 +10650,9 @@ cc.ua
inf.ua
ltd.ua

// 611coin : https://611project.org/
611.to

// Adobe : https://www.adobe.com/
// Submitted by Ian Boston <boston@adobe.com>
adobeaemcloud.com
@@ -10685,6 +10672,10 @@ barsy.ca
*.compute.estate
*.alces.network

// all-inkl.com : https://all-inkl.com
// Submitted by Werner Kaltofen <wk@all-inkl.com>
kasserver.com

// Altervista: https://www.altervista.org
// Submitted by Carlo Cannas <tech_staff@altervista.it>
altervista.org
@@ -10849,8 +10840,11 @@ backplaneapp.io
balena-devices.com

// Banzai Cloud
// Submitted by Gabor Kozma <info@banzaicloud.com>
// Submitted by Janos Matyas <info@banzaicloud.com>
*.banzai.cloud
app.banzaicloud.io
*.backyards.banzaicloud.io


// BetaInABox
// Submitted by Adrian <adrian@betainabox.com>
@@ -11193,6 +11187,9 @@ drud.us
// Submitted by Richard Harper <richard@duckdns.org>
duckdns.org

// bitbridge.net : Submitted by Craig Welch, abeliidev@gmail.com
bitbridge.net

// dy.fi : http://dy.fi/
// Submitted by Heikki Hannikainen <hessu@hes.iki.fi>
dy.fi
@@ -11728,12 +11725,11 @@ global.ssl.fastly.net

// FASTVPS EESTI OU : https://fastvps.ru/
// Submitted by Likhachev Vasiliy <lihachev@fastvps.ru>
fastpanel.direct
fastvps-server.com
myfast.space
fastvps.host
myfast.host
fastvps.site
fastvps.host
myfast.space

// Featherhead : https://featherhead.xyz/
// Submitted by Simon Menke <simon@featherhead.xyz>
@@ -11772,6 +11768,12 @@ filegear-sg.me
// Submitted by Chris Raynor <chris@firebase.com>
firebaseapp.com

// fly.io: https://fly.io
// Submitted by Kurt Mackey <kurt@fly.io>
fly.dev
edgeapp.net
shw.io

// Flynn : https://flynn.io
// Submitted by Jonathan Rudenberg <jonathan@flynn.io>
flynnhosting.net
@@ -11793,6 +11795,10 @@ freeboxos.fr
// Submitted by Daniel Stone <daniel@fooishbar.org>
freedesktop.org

// FunkFeuer - Verein zur Förderung freier Netze : https://www.funkfeuer.at
// Submitted by Daniel A. Maierhofer <vorstand@funkfeuer.at>
wien.funkfeuer.at

// Futureweb OG : http://www.futureweb.at
// Submitted by Andreas Schnederle-Wagner <schnederle@futureweb.at>
*.futurecms.at
@@ -11816,6 +11822,7 @@ usercontent.jp
// Gentlent, Inc. : https://www.gentlent.com
// Submitted by Tom Klein <tom@gentlent.com>
gentapps.com
gentlentapis.com
lab.ms

// GitHub, Inc.
@@ -11827,6 +11834,10 @@ githubusercontent.com
// Submitted by Alex Hanselka <alex@gitlab.com>
gitlab.io

// Gitplac.si - https://gitplac.si
// Submitted by Aljaž Starc <me@aljaxus.eu>
gitpage.si

// Glitch, Inc : https://glitch.com
// Submitted by Mads Hartmann <mads@glitch.com>
glitch.me
@@ -12006,6 +12017,9 @@ ngo.ng
ng.school
sch.so

// HostyHosting (hostyhosting.com)
hostyhosting.io

// Häkkinen.fi
// Submitted by Eero Häkkinen <Eero+psl@Häkkinen.fi>
häkkinen.fi
@@ -12089,6 +12103,15 @@ iserv.dev
// Submitted by Yuji Minagawa <domains-admin@iodata.jp>
iobb.net

//Jelastic, Inc. : https://jelastic.com/
// Submitetd by Ihor Kolodyuk <ik@jelastic.com>
hidora.com
demo.jelastic.com
j.scaleforce.com.cy
mircloud.host
jls-sto1.elastx.net
j.layershift.co.uk

// Jino : https://www.jino.ru
// Submitted by Sergey Ulyashin <ulyashin@jino.ru>
myjino.ru
@@ -12174,7 +12197,8 @@ linkyard-cloud.ch
// Linode : https://linode.com
// Submitted by <security@linode.com>
members.linode.com
nodebalancer.linode.com
*.nodebalancer.linode.com
*.linodeobjects.com

// LiquidNet Ltd : http://www.liquidnetlimited.com/
// Submitted by Victor Velchev <admin@liquidnetlimited.com>
@@ -12313,9 +12337,7 @@ nctu.me

// Netlify : https://www.netlify.com
// Submitted by Jessica Parsons <jessica@netlify.com>
bitballoon.com
netlify.app
netlify.com

// Neustar Inc.
// Submitted by Trung Tran <Trung.Tran@neustar.biz>
@@ -12562,6 +12584,10 @@ outsystemscloud.com
ownprovider.com
own.pm

// OwO : https://whats-th.is/
// Submitted by Dean Sheather <dean@deansheather.com>
*.owo.codes

// OX : http://www.ox.rs
// Submitted by Adam Grand <webmaster@mail.ox.rs>
ox.rs
@@ -12578,6 +12604,10 @@ pgfog.com
// Submitted by Jason Kriss <jason@pagefronthq.com>
pagefrontapp.com

// PageXL : https://pagexl.com
// Submitted by Yann Guichard <yann@pagexl.com>
pagexl.com

// .pl domains (grandfathered)
art.pl
gliwice.pl
@@ -12614,6 +12644,12 @@ platter-app.com
platter-app.dev
platterp.us

// Plesk : https://www.plesk.com/
// Submitted by Anton Akhtyamov <program-managers@plesk.com>
pdns.page
plesk.page
pleskns.com

// Port53 : https://port53.io/
// Submitted by Maximilian Schieder <maxi@zeug.co>
dyn53.io
@@ -12696,6 +12732,10 @@ vaporcloud.io
rackmaze.com
rackmaze.net

// Rakuten Games, Inc : https://dev.viberplay.io
// Submitted by Joshua Zhang <public-suffix@rgames.jp>
g.vbrplsbx.io

// Rancher Labs, Inc : https://rancher.com
// Submitted by Vincent Fiduccia <domains@rancher.com>
*.on-k3s.io
@@ -12773,6 +12813,10 @@ my-firewall.org
myfirewall.org
spdns.org

// Seidat : https://www.seidat.com
// Submitted by Artem Kondratev <accounts@seidat.com>
seidat.net

// Senseering GmbH : https://www.senseering.de
// Submitted by Felix Mönckemeyer <f.moenckemeyer@senseering.de>
senseering.net
@@ -13022,6 +13066,12 @@ lib.de.us
// Submitted by Danko Aleksejevs <danko@very.lv>
2038.io

// Vercel, Inc : https://vercel.com/
// Submitted by Connor Davis <security@vercel.com>
vercel.app
vercel.dev
now.sh

// Viprinet Europe GmbH : http://www.viprinet.com
// Submitted by Simon Kissel <hostmaster@viprinet.com>
router.management
@@ -13034,6 +13084,49 @@ v-info.info
// Submitted by Nathan van Bakel <info@voorloper.com>
voorloper.cloud

// Voxel.sh DNS : https://voxel.sh/dns/
// Submitted by Mia Rehlinger <dns@voxel.sh>
neko.am
nyaa.am
be.ax
cat.ax
es.ax
eu.ax
gg.ax
mc.ax
us.ax
xy.ax
nl.ci
xx.gl
app.gp
blog.gt
de.gt
to.gt
be.gy
cc.hn
blog.kg
io.kg
jp.kg
tv.kg
uk.kg
us.kg
de.ls
at.md
de.md
jp.md
to.md
uwu.nu
indie.porn
vxl.sh
ch.tc
me.tc
we.tc
nyan.to
at.vg
blog.vu
dev.vu
me.vu

// V.UA Domain Administrator : https://domain.v.ua/
// Submitted by Serhii Rostilo <sergey@rostilo.kiev.ua>
v.ua
@@ -13125,10 +13218,6 @@ noho.st
za.net
za.org

// Zeit, Inc. : https://zeit.domains/
// Submitted by Olli Vanhoja <olli@zeit.co>
now.sh

// Zine EOOD : https://zine.bg/
// Submitted by Martin Angelov <martin@zine.bg>
bss.design


+ 2
- 0
ext/yahttp/yahttp/reqresp.cpp View File

@@ -2,6 +2,8 @@

namespace YaHTTP {

template class AsyncLoader<Request>;

bool isspace(char c) {
return std::isspace(c) != 0;
}


+ 37
- 0
misc.cc View File

@@ -57,6 +57,7 @@
#include <sys/types.h>
#include <pwd.h>
#include <grp.h>
#include <limits.h>
#ifdef __FreeBSD__
# include <pthread_np.h>
#endif
@@ -1563,3 +1564,39 @@ bool setPipeBufferSize(int fd, size_t size)
return false;
#endif /* F_SETPIPE_SZ */
}

static size_t getMaxHostNameSize()
{
#if defined(HOST_NAME_MAX)
return HOST_NAME_MAX;
#endif

#if defined(_SC_HOST_NAME_MAX)
auto tmp = sysconf(_SC_HOST_NAME_MAX);
if (tmp != -1) {
return tmp;
}
#endif

/* _POSIX_HOST_NAME_MAX */
return 255;
}

std::string getCarbonHostName()
{
std::string hostname;
hostname.resize(getMaxHostNameSize() + 1, 0);

if (gethostname(const_cast<char*>(hostname.c_str()), hostname.size()) != 0) {
throw std::runtime_error(stringerror());
}

auto pos = hostname.find(".");
if (pos != std::string::npos) {
hostname.resize(pos);
}

boost::replace_all(hostname, ".", "_");

return hostname;
}
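Review bot: getCarbonHostName returns a string that keeps the full getMaxHostNameSize()+1 length, padded with the NUL bytes written by resize(), whenever the host name contains no '.', because the string is only shortened in the `pos != npos` branch; the code this replaces in rec-carbon.cc assigned from a char buffer and therefore stopped at the terminator, so on such hosts the carbon metric prefix now carries trailing NULs. Trimming to the C string right after the gethostname check fixes it: `hostname.resize(strnlen(hostname.c_str(), hostname.size()));`. Writing through `const_cast<char*>(hostname.c_str())` works on current implementations, but `&hostname[0]` expresses the intent without the cast. In getMaxHostNameSize the `#if defined(HOST_NAME_MAX)` branch returns unconditionally, so the sysconf fallback below it is dead code on those platforms; an `#elif defined(_SC_HOST_NAME_MAX)` chain would make the precedence explicit.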

+ 2
- 0
misc.hh View File

@@ -607,3 +607,5 @@ bool isSettingThreadCPUAffinitySupported();
int mapThreadToCPUList(pthread_t tid, const std::set<int>& cpus);

std::vector<ComboAddress> getResolvers(const std::string& resolvConfPath);

std::string getCarbonHostName();
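Review bot: The new declaration `std::string getCarbonHostName();` carries no comment, and the name does not say that the result is the host name cut at its first '.' rather than the full name. A one-line comment above it, `// Local host name truncated at the first '.', for use as a carbon metric prefix; throws std::runtime_error if gethostname() fails.`, documents the contract the misc.cc definition implements.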

+ 1
- 1
pdns_recursor.1 View File

@@ -1,6 +1,6 @@
.\" Man page generated from reStructuredText.
.
.TH "PDNS_RECURSOR" "1" "May 08, 2020" "" "PowerDNS Recursor"
.TH "PDNS_RECURSOR" "1" "Jul 01, 2020" "" "PowerDNS Recursor"
.SH NAME
pdns_recursor \- The PowerDNS Recursor binary
.


+ 23
- 12
pdns_recursor.cc View File

@@ -1056,8 +1056,6 @@ static bool checkFrameStreamExport(LocalStateHolder<LuaConfigItems>& luaconfsLoc
#ifdef NOD_ENABLED
static bool nodCheckNewDomain(const DNSName& dname)
{
static const QType qt(QType::A);
static const uint16_t qc(QClass::IN);
bool ret = false;
// First check the (sub)domain isn't whitelisted for NOD purposes
if (!g_nodDomainWL.check(dname)) {
@@ -1067,19 +1065,24 @@ static bool nodCheckNewDomain(const DNSName& dname)
// This should probably log to a dedicated log file
g_log<<Logger::Notice<<"Newly observed domain nod="<<dname.toLogString()<<endl;
}
if (!(g_nodLookupDomain.isRoot())) {
// Send a DNS A query to <domain>.g_nodLookupDomain
DNSName qname = dname;
vector<DNSRecord> dummy;
qname += g_nodLookupDomain;
directResolve(qname, qt, qc, dummy);
}
ret = true;
}
}
return ret;
}

static void sendNODLookup(const DNSName& dname)
{
if (!(g_nodLookupDomain.isRoot())) {
// Send a DNS A query to <domain>.g_nodLookupDomain
static const QType qt(QType::A);
static const uint16_t qc(QClass::IN);
DNSName qname = dname + g_nodLookupDomain;
vector<DNSRecord> dummy;
directResolve(qname, qt, qc, dummy);
}
}

static bool udrCheckUniqueDNSRecord(const DNSName& dname, uint16_t qtype, const DNSRecord& record)
{
bool ret = false;
@@ -1654,8 +1657,9 @@ static void startDoResolve(void *p)
#ifdef NOD_ENABLED
bool nod = false;
if (g_nodEnabled) {
if (nodCheckNewDomain(dc->d_mdp.d_qname))
if (nodCheckNewDomain(dc->d_mdp.d_qname)) {
nod = true;
}
}
#endif /* NOD_ENABLED */
#ifdef HAVE_PROTOBUF
@@ -1805,8 +1809,9 @@ static void startDoResolve(void *p)
}
}
}

float spent=makeFloat(sr.getNow()-dc->d_now);
if(!g_quiet) {
if (!g_quiet) {
g_log<<Logger::Error<<t_id<<" ["<<MT->getTid()<<"/"<<MT->numProcesses()<<"] answer to "<<(dc->d_mdp.d_header.rd?"":"non-rd ")<<"question '"<<dc->d_mdp.d_qname<<"|"<<DNSRecordContent::NumberToType(dc->d_mdp.d_qtype);
g_log<<"': "<<ntohs(pw.getHeader()->ancount)<<" answers, "<<ntohs(pw.getHeader()->arcount)<<" additional, took "<<sr.d_outqueries<<" packets, "<<
sr.d_totUsec/1000.0<<" netw ms, "<< spent*1000.0<<" tot ms, "<<
@@ -1817,7 +1822,6 @@ static void startDoResolve(void *p)
}
g_log<<endl;

}

if (sr.d_outqueries || sr.d_authzonequeries) {
@@ -1864,6 +1868,13 @@ static void startDoResolve(void *p)
newLat=ourtime*1000; // usec
g_stats.avgLatencyOursUsec=(1-1.0/g_latencyStatSize)*g_stats.avgLatencyOursUsec + (float)newLat/g_latencyStatSize;
}

#ifdef NOD_ENABLED
if (nod) {
sendNODLookup(dc->d_mdp.d_qname);
}
#endif /* NOD_ENABLED */

// cout<<dc->d_mdp.d_qname<<"\t"<<MT->getUsec()<<"\t"<<sr.d_outqueries<<endl;
}
catch(PDNSException &ae) {
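Review bot: sendNODLookup has no comment saying why the lookup was split out of nodCheckNewDomain and is now issued from startDoResolve only after the answer logging and latency accounting, so a later refactor could fold it back into the check and reintroduce the extra resolution on the client's answer path. A header comment such as `// Issue the A query for <dname>.<nod-lookup-domain> that signals a newly observed domain; called after the client has been answered so the lookup never delays the response.` would record that. The return value of directResolve is still discarded, as before, so a failing lookup stays silent; a Logger::Debug line on a non-zero return would make that visible. startDoResolve continues outside the hunk, so whether dc is still valid at the new call site cannot be confirmed here and is worth checking against the code between the answer and this point.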


+ 59
- 6
portsmplexer.cc View File

@@ -23,11 +23,12 @@ public:
close(d_portfd);
}

virtual int run(struct timeval* tv, int timeout=500);
virtual int run(struct timeval* tv, int timeout=500) override;
virtual void getAvailableFDs(std::vector<int>& fds, int timeout) override;

virtual void addFD(callbackmap_t& cbmap, int fd, callbackfunc_t toDo, const boost::any& parameter, const struct timeval* ttd=nullptr);
virtual void removeFD(callbackmap_t& cbmap, int fd);
string getName()
virtual void addFD(callbackmap_t& cbmap, int fd, callbackfunc_t toDo, const boost::any& parameter, const struct timeval* ttd=nullptr) override;
virtual void removeFD(callbackmap_t& cbmap, int fd) override;
string getName() const override
{
return "solaris completion ports";
}
@@ -78,6 +79,58 @@ void PortsFDMultiplexer::removeFD(callbackmap_t& cbmap, int fd)
throw FDMultiplexerException("Removing fd from port set: "+stringerror());
}

void PortsFDMultiplexer::getAvailableFDs(std::vector<int>& fds, int timeout)
{
struct timespec timeoutspec;
timeoutspec.tv_sec = timeout / 1000;
timeoutspec.tv_nsec = (timeout % 1000) * 1000000;
unsigned int numevents = 1;
int ret = port_getn(d_portfd, d_pevents.get(), min(PORT_MAX_LIST, s_maxevents), &numevents, &timeoutspec);

/* port_getn has an unusual API - (ret == -1, errno == ETIME) can
mean partial success; you must check (*numevents) in this case
and process anything in there, otherwise you'll never see any
events from that object again. We don't care about pure timeouts
(ret == -1, errno == ETIME, *numevents == 0) so we don't bother
with that case. */
if (ret == -1 && errno != ETIME) {
if (errno != EINTR) {
throw FDMultiplexerException("completion port_getn returned error: " + stringerror());
}

// EINTR is not really an error
return;
}

if (numevents == 0) {
// nothing
return;
}

fds.reserve(numevents);

for (unsigned int n = 0; n < numevents; ++n) {
const auto fd = d_pevents[n].portev_object;

/* we need to re-associate the FD */
if (d_readCallbacks.count(fd)) {
if (port_associate(d_portfd, PORT_SOURCE_FD, fd, POLLIN, 0) < 0) {
throw FDMultiplexerException("Unable to add fd back to ports (read): " + stringerror());
}
}
else if (d_writeCallbacks.count(fd)) {
if (port_associate(d_portfd, PORT_SOURCE_FD, fd, POLLOUT, 0) < 0) {
throw FDMultiplexerException("Unable to add fd back to ports (write): " + stringerror());
}
} else {
/* not registered, this is unexpected */
continue;
}

fds.push_back(fd);
}
}

int PortsFDMultiplexer::run(struct timeval* now, int timeout)
{
if(d_inrun) {
@@ -85,8 +138,8 @@ int PortsFDMultiplexer::run(struct timeval* now, int timeout)
}
struct timespec timeoutspec;
timeoutspec.tv_sec = time / 1000;
timeoutspec.tv_nsec = (time % 1000) * 1000000;
timeoutspec.tv_sec = timeout / 1000;
timeoutspec.tv_nsec = (timeout % 1000) * 1000000;
unsigned int numevents=1;
int ret= port_getn(d_portfd, d_pevents.get(), min(PORT_MAX_LIST, s_maxevents), &numevents, &timeoutspec);
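Review bot: In getAvailableFDs, `const auto fd = d_pevents[n].portev_object;` deduces the uintptr_t member of port_event_t, which is then narrowed silently in `fds.push_back(fd)` into the `std::vector<int>& fds` parameter and in the callback-map lookups; `const int fd = static_cast<int>(d_pevents[n].portev_object);` makes the conversion explicit and keeps all three uses on one type. The timeout-to-timespec conversion and the port_getn call now appear twice, here and in run(), and the `time` → `timeout` fix in the last hunk shows how easily such copies drift; a small static helper taking the timeout and returning the filled timespec would keep them in sync. The EINTR early return also skips the numevents check, which is correct only if port_getn never reports partial success on EINTR, so a one-line note there, `// EINTR carries no partial results, unlike ETIME`, would record that assumption.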


+ 67
- 208
pubsuffix.cc
File diff suppressed because it is too large


+ 6
- 10
rec-carbon.cc View File

@@ -32,17 +32,13 @@ try
if(namespace_name.empty()) {
namespace_name="pdns";
}
if(hostname.empty()) {
char tmp[HOST_NAME_MAX+1];
memset(tmp, 0, sizeof(tmp));
if (gethostname(tmp, sizeof(tmp)) != 0) {
throw std::runtime_error("The 'carbon-ourname' setting has not been set and we are unable to determine the system's hostname: " + stringerror());
if (hostname.empty()) {
try {
hostname = getCarbonHostName();
}
catch(const std::exception& e) {
throw std::runtime_error(std::string("The 'carbon-ourname' setting has not been set and we are unable to determine the system's hostname: ") + e.what());
}
char *p = strchr(tmp, '.');
if(p) *p=0;

hostname=tmp;
boost::replace_all(hostname, ".", "_");
}
if(instance_name.empty()) {
instance_name="recursor";


+ 1
- 1
rec_control.1 View File

@@ -1,6 +1,6 @@
.\" Man page generated from reStructuredText.
.
.TH "REC_CONTROL" "1" "May 08, 2020" "" "PowerDNS Recursor"
.TH "REC_CONTROL" "1" "Jul 01, 2020" "" "PowerDNS Recursor"
.SH NAME
rec_control \- Command line tool to control a running Recursor
.


+ 15
- 8
rpzloader.cc View File

@@ -458,7 +458,8 @@ void RPZIXFRTracker(const std::vector<ComboAddress>& masters, boost::optional<DN
oldZone = luaconfsLocal->dfe.getZone(zoneIdx);
/* we need to make a _full copy_ of the zone we are going to work on */
std::shared_ptr<DNSFilterEngine::Zone> newZone = std::make_shared<DNSFilterEngine::Zone>(*oldZone);
std::shared_ptr<SOARecordContent> newSR{nullptr};
/* initialize the current serial to the last one */
std::shared_ptr<SOARecordContent> currentSR = sr;

int totremove=0, totadd=0;
bool fullUpdate = false;
@@ -475,11 +476,17 @@ void RPZIXFRTracker(const std::vector<ComboAddress>& masters, boost::optional<DN
continue;
if(rr.d_type == QType::SOA) {
auto oldsr = getRR<SOARecordContent>(rr);
if(oldsr && oldsr->d_st.serial == sr->d_st.serial) {
if (oldsr && oldsr->d_st.serial == currentSR->d_st.serial) {
// cout<<"Got good removal of SOA serial "<<oldsr->d_st.serial<<endl;
}
else
g_log<<Logger::Error<<"GOT WRONG SOA SERIAL REMOVAL, SHOULD TRIGGER WHOLE RELOAD"<<endl;
else {
if (!oldsr) {
throw std::runtime_error("Unable to extract serial from SOA record while processing the removal part of an update");
}
else {
throw std::runtime_error("Received an unexpected serial (" + std::to_string(oldsr->d_st.serial) + ", expecting " + std::to_string(currentSR->d_st.serial) + ") from SOA record while processing the removal part of an update");
}
}
}
else {
totremove++;
@@ -493,9 +500,9 @@ void RPZIXFRTracker(const std::vector<ComboAddress>& masters, boost::optional<DN
continue;
if(rr.d_type == QType::SOA) {
auto tempSR = getRR<SOARecordContent>(rr);
// g_log<<Logger::Info<<"New SOA serial for "<<zoneName<<": "<<newsr->d_st.serial<<endl;
// g_log<<Logger::Info<<"New SOA serial for "<<zoneName<<": "<<currentSR->d_st.serial<<endl;
if (tempSR) {
newSR = tempSR;
currentSR = tempSR;
}
}
else {
@@ -507,8 +514,8 @@ void RPZIXFRTracker(const std::vector<ComboAddress>& masters, boost::optional<DN
}

/* only update sr now that all changes have been converted */
if (newSR) {
sr = newSR;
if (currentSR) {
sr = currentSR;
}
g_log<<Logger::Info<<"Had "<<totremove<<" RPZ removal"<<addS(totremove)<<", "<<totadd<<" addition"<<addS(totadd)<<" for "<<zoneName<<" New serial: "<<sr->d_st.serial<<endl;
newZone->setSerial(sr->d_st.serial);
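Review bot: The `if (currentSR)` guard at the end of the update loop is now always true: currentSR is seeded from sr on `std::shared_ptr<SOARecordContent> currentSR = sr;` and is dereferenced without a check when the serials are compared in the removal section, so the guard expresses nothing and the comment "only update sr now that all changes have been converted" still describes the old newSR flow. Either drop the guard and write `sr = currentSR;`, or replace the comment with `/* currentSR holds the serial of the last SOA seen in the addition section */`. Throwing on an unexpected serial abandons newZone, which is safe because it is the full copy made just above it; how the surrounding loop in RPZIXFRTracker reacts to the exception is outside the hunk.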


+ 77
- 31
syncres.cc View File

@@ -671,7 +671,7 @@ int SyncRes::doResolve(const DNSName &qname, const QType &qtype, vector<DNSRecor
vector<DNSRecord> retq;
bool old = setCacheOnly(true);
bool fromCache = false;
int res = doResolveNoQNameMinimization(qname, qtype, retq, depth + 1, beenthere, state, &fromCache);
int res = doResolveNoQNameMinimization(qname, qtype, retq, depth, beenthere, state, &fromCache);
setCacheOnly(old);
if (fromCache) {
QLOG("Step0 Found in cache");
@@ -691,7 +691,7 @@ int SyncRes::doResolve(const DNSName &qname, const QType &qtype, vector<DNSRecor
for (int tries = 0; tries < 2 && bestns.empty(); ++tries) {
bool flawedNSSet = false;
set<GetBestNSAnswer> beenthereIgnored;
getBestNSFromCache(qname, qtype, bestns, &flawedNSSet, depth + 1, beenthereIgnored);
getBestNSFromCache(qname, qtype, bestns, &flawedNSSet, depth, beenthereIgnored);
}

if (bestns.size() == 0) {
@@ -719,7 +719,7 @@ int SyncRes::doResolve(const DNSName &qname, const QType &qtype, vector<DNSRecor
// Step 3 resolve
if (child == qname) {
QLOG("Step3 Going to do final resolve");
res = doResolveNoQNameMinimization(qname, qtype, ret, depth + 1, beenthere, state);
res = doResolveNoQNameMinimization(qname, qtype, ret, depth, beenthere, state);
QLOG("Step3 Final resolve: " << RCode::to_s(res) << "/" << ret.size());
return res;
}
@@ -728,7 +728,7 @@ int SyncRes::doResolve(const DNSName &qname, const QType &qtype, vector<DNSRecor
QLOG("Step4 Resolve A for child");
retq.resize(0);
StopAtDelegation stopAtDelegation = Stop;
res = doResolveNoQNameMinimization(child, QType::A, retq, depth + 1, beenthere, state, NULL, &stopAtDelegation);
res = doResolveNoQNameMinimization(child, QType::A, retq, depth, beenthere, state, NULL, &stopAtDelegation);
QLOG("Step4 Resolve A result is " << RCode::to_s(res) << "/" << retq.size() << "/" << stopAtDelegation);
if (stopAtDelegation == Stopped) {
QLOG("Delegation seen, continue at step 1");
@@ -739,7 +739,7 @@ int SyncRes::doResolve(const DNSName &qname, const QType &qtype, vector<DNSRecor
// Case 5: unexpected answer
QLOG("Step5: other rcode, last effort final resolve");
setQNameMinimization(false);
res = doResolveNoQNameMinimization(qname, qtype, ret, depth + 1, beenthere, state);
res = doResolveNoQNameMinimization(qname, qtype, ret, depth, beenthere, state);

if(res == RCode::NoError) {
s_qnameminfallbacksuccess++;
@@ -846,6 +846,7 @@ int SyncRes::doResolveNoQNameMinimization(const DNSName &qname, const QType &qty

if(!d_skipCNAMECheck && doCNAMECacheCheck(qname, qtype, ret, depth, res, state, wasAuthZone, wasForwardRecurse)) { // will reroute us if needed
d_wasOutOfBand = wasAuthZone;
// Do not set *fromCache; res does not reflect the final result in all cases
return res;
}

@@ -1165,6 +1166,18 @@ void SyncRes::updateValidationStatusInCache(const DNSName &qname, const QType& q
}
}

static bool scanForCNAMELoop(const DNSName& name, const vector<DNSRecord>& records)
{
for (const auto& record: records) {
if (record.d_type == QType::CNAME && record.d_place == DNSResourceRecord::ANSWER) {
if (name == record.d_name) {
return true;
}
}
}
return false;
}

bool SyncRes::doCNAMECacheCheck(const DNSName &qname, const QType &qtype, vector<DNSRecord>& ret, unsigned int depth, int &res, vState& state, bool wasAuthZone, bool wasForwardRecurse)
{
string prefix;
@@ -1323,6 +1336,19 @@ bool SyncRes::doCNAMECacheCheck(const DNSName &qname, const QType &qtype, vector
newTarget = cnameContent->getTarget();
}

if (qname == newTarget) {
string msg = "got a CNAME referral (from cache) to self";
LOG(prefix<<qname<<": "<<msg<<endl);
throw ImmediateServFailException(msg);
}

// Check to see if we already have seen the new target as a previous target
if (scanForCNAMELoop(newTarget, ret)) {
string msg = "got a CNAME referral (from cache) that causes a loop";
LOG(prefix<<qname<<": status="<<msg<<endl);
throw ImmediateServFailException(msg);
}

set<GetBestNSAnswer>beenthere;
vState cnameState = Indeterminate;
res = doResolve(newTarget, qtype, ret, depth+1, beenthere, cnameState);
@@ -1375,15 +1401,14 @@ static void reapRecordsFromNegCacheEntryForValidation(tcache_t& tcache, const ve
* \param ttl The new TTL for these records
* \param ret The vector of DNSRecords that should contian the records with the modified TTL
*/
static void addTTLModifiedRecords(const vector<DNSRecord>& records, const uint32_t ttl, vector<DNSRecord>& ret) {
for (const auto& rec : records) {
DNSRecord r(rec);
r.d_ttl = ttl;
ret.push_back(r);
static void addTTLModifiedRecords(vector<DNSRecord>& records, const uint32_t ttl, vector<DNSRecord>& ret) {
for (auto& rec : records) {
rec.d_ttl = ttl;
ret.push_back(std::move(rec));
}
}

void SyncRes::computeNegCacheValidationStatus(const NegCache::NegCacheEntry* ne, const DNSName& qname, const QType& qtype, const int res, vState& state, unsigned int depth)
void SyncRes::computeNegCacheValidationStatus(const NegCache::NegCacheEntry& ne, const DNSName& qname, const QType& qtype, const int res, vState& state, unsigned int depth)
{
DNSName subdomain(qname);
/* if we are retrieving a DS, we only care about the state of the parent zone */
@@ -1393,10 +1418,10 @@ void SyncRes::computeNegCacheValidationStatus(const NegCache::NegCacheEntry* ne,
computeZoneCuts(subdomain, g_rootdnsname, depth);

tcache_t tcache;
reapRecordsFromNegCacheEntryForValidation(tcache, ne->authoritySOA.records);
reapRecordsFromNegCacheEntryForValidation(tcache, ne->authoritySOA.signatures);
reapRecordsFromNegCacheEntryForValidation(tcache, ne->DNSSECRecords.records);
reapRecordsFromNegCacheEntryForValidation(tcache, ne->DNSSECRecords.signatures);
reapRecordsFromNegCacheEntryForValidation(tcache, ne.authoritySOA.records);
reapRecordsFromNegCacheEntryForValidation(tcache, ne.authoritySOA.signatures);
reapRecordsFromNegCacheEntryForValidation(tcache, ne.DNSSECRecords.records);
reapRecordsFromNegCacheEntryForValidation(tcache, ne.DNSSECRecords.signatures);

for (const auto& entry : tcache) {
// this happens when we did store signatures, but passed on the records themselves
@@ -1424,10 +1449,10 @@ void SyncRes::computeNegCacheValidationStatus(const NegCache::NegCacheEntry* ne,
}

if (state == Secure) {
vState neValidationState = ne->d_validationState;
vState neValidationState = ne.d_validationState;
dState expectedState = res == RCode::NXDomain ? NXDOMAIN : NXQTYPE;
dState denialState = getDenialValidationState(*ne, state, expectedState, false);
updateDenialValidationState(neValidationState, ne->d_name, state, denialState, expectedState, qtype == QType::DS || expectedState == NXDOMAIN);
dState denialState = getDenialValidationState(ne, state, expectedState, false);
updateDenialValidationState(neValidationState, ne.d_name, state, denialState, expectedState, qtype == QType::DS || expectedState == NXDOMAIN);
}
if (state != Indeterminate) {
/* validation succeeded, let's update the cache entry so we don't have to validate again */
@@ -1435,7 +1460,7 @@ void SyncRes::computeNegCacheValidationStatus(const NegCache::NegCacheEntry* ne,
if (state == Bogus) {
capTTD = d_now.tv_sec + s_maxbogusttl;
}
t_sstorage.negcache.updateValidationStatus(ne->d_name, ne->d_qtype, state, capTTD);
t_sstorage.negcache.updateValidationStatus(ne.d_name, ne.d_qtype, state, capTTD);
}
}

@@ -1514,9 +1539,17 @@ bool SyncRes::doCacheCheck(const DNSName &qname, const DNSName& authname, bool w

state = cachedState;

/* let's do a full copy now, since:
- we know we are going to use the records ;
- we might have to go to the network in computeNegCacheValidationStatus(),
and our pointer might get invalidated during that time.
*/
NegCache::NegCacheEntry negativeEntry = *ne;
ne = nullptr;

if (!wasAuthZone && shouldValidate() && state == Indeterminate) {
LOG(prefix<<qname<<": got Indeterminate state for records retrieved from the negative cache, validating.."<<endl);
computeNegCacheValidationStatus(ne, qname, qtype, res, state, depth);
computeNegCacheValidationStatus(negativeEntry, qname, qtype, res, state, depth);

if (state != cachedState && state == Bogus) {
sttl = std::min(sttl, s_maxbogusttl);
@@ -1524,11 +1557,11 @@ bool SyncRes::doCacheCheck(const DNSName &qname, const DNSName& authname, bool w
}

// Transplant SOA to the returned packet
addTTLModifiedRecords(ne->authoritySOA.records, sttl, ret);
addTTLModifiedRecords(negativeEntry.authoritySOA.records, sttl, ret);
if(d_doDNSSEC) {
addTTLModifiedRecords(ne->authoritySOA.signatures, sttl, ret);
addTTLModifiedRecords(ne->DNSSECRecords.records, sttl, ret);
addTTLModifiedRecords(ne->DNSSECRecords.signatures, sttl, ret);
addTTLModifiedRecords(negativeEntry.authoritySOA.signatures, sttl, ret);
addTTLModifiedRecords(negativeEntry.DNSSECRecords.records, sttl, ret);
addTTLModifiedRecords(negativeEntry.DNSSECRecords.signatures, sttl, ret);
}

LOG(prefix<<qname<<": updating validation state with negative cache content for "<<qname<<" to "<<vStates[state]<<endl);
@@ -1851,7 +1884,7 @@ vector<ComboAddress> SyncRes::retrieveAddressesForNS(const std::string& prefix,

if(!tns->first.empty()) {
LOG(prefix<<qname<<": Trying to resolve NS '"<<tns->first<< "' ("<<1+tns-rnameservers.begin()<<"/"<<(unsigned int)rnameservers.size()<<")"<<endl);
result = getAddrs(tns->first, depth+2, beenthere, cacheOnly, retrieveAddressesForNS);
result = getAddrs(tns->first, depth, beenthere, cacheOnly, retrieveAddressesForNS);
pierceDontQuery=false;
}
else {
@@ -2213,7 +2246,7 @@ void SyncRes::computeZoneCuts(const DNSName& begin, const DNSName& end, unsigned
/* temporarily mark as Indeterminate, so that we won't enter an endless loop
trying to determine that zone cut again. */
d_cutStates[qname] = newState;
bool foundCut = lookForCut(qname, depth + 1, cutState, newState);
bool foundCut = lookForCut(qname, depth, cutState, newState);
if (foundCut) {
LOG(d_prefix<<": - Found cut at "<<qname<<endl);
if (newState != Indeterminate) {
@@ -2326,8 +2359,10 @@ vState SyncRes::validateRecordsWithSigs(unsigned int depth, const DNSName& qname
if (!signer.empty() && name.isPartOf(signer)) {
if ((qtype == QType::DNSKEY || qtype == QType::DS) && signer == qname) {
/* we are already retrieving those keys, sorry */
if (qtype == QType::DS) {
/* something is very wrong */
if (qtype == QType::DS && !signer.isRoot()) {
/* Unless we are getting the DS of the root zone, we should never see a
DS (or a denial of a DS) signed by the DS itself, since we should be
requesting it from the parent zone. Something is very wrong */
LOG(d_prefix<<"The DS for "<<qname<<" is signed by itself, going Bogus"<<endl);
return Bogus;
}
@@ -2531,11 +2566,13 @@ RCode::rcodes_ SyncRes::updateCacheFromRecords(unsigned int depth, LWResult& lwr
const unsigned int labelCount = qname.countLabels();
bool isCNAMEAnswer = false;
bool isDNAMEAnswer = false;
for(const auto& rec : lwr.d_records) {
if (rec.d_class != QClass::IN) {
for (auto& rec : lwr.d_records) {
if (rec.d_type == QType::OPT || rec.d_class != QClass::IN) {
continue;
}

rec.d_ttl = min(s_maxcachettl, rec.d_ttl);

if(!isCNAMEAnswer && rec.d_place == DNSResourceRecord::ANSWER && rec.d_type == QType::CNAME && (!(qtype==QType(QType::CNAME))) && rec.d_name == qname && !isDNAMEAnswer) {
isCNAMEAnswer = true;
}
@@ -2558,7 +2595,7 @@ RCode::rcodes_ SyncRes::updateCacheFromRecords(unsigned int depth, LWResult& lwr
}
}
}
if(rec.d_type == QType::RRSIG) {
if (rec.d_type == QType::RRSIG) {
auto rrsig = getRR<RRSIGRecordContent>(rec);
if (rrsig) {
/* As illustrated in rfc4035's Appendix B.6, the RRSIG label
@@ -3347,6 +3384,7 @@ bool SyncRes::processAnswer(unsigned int depth, LWResult& lwr, const DNSName& qn
if(!newtarget.empty()) {
if(newtarget == qname) {
LOG(prefix<<qname<<": status=got a CNAME referral to self, returning SERVFAIL"<<endl);
ret.clear();
*rcode = RCode::ServFail;
return true;
}
@@ -3357,6 +3395,14 @@ bool SyncRes::processAnswer(unsigned int depth, LWResult& lwr, const DNSName& qn
return true;
}

// Check to see if we already have seen the new target as a previous target
if (scanForCNAMELoop(newtarget, ret)) {
LOG(prefix<<qname<<": status=got a CNAME referral that causes a loop, returning SERVFAIL"<<endl);
ret.clear();
*rcode = RCode::ServFail;
return true;
}

if (qtype == QType::DS) {
LOG(prefix<<qname<<": status=got a CNAME referral, but we are looking for a DS"<<endl);



+ 1
- 1
syncres.hh View File

@@ -862,7 +862,7 @@ private:
vState getDNSKeys(const DNSName& signer, skeyset_t& keys, unsigned int depth);
dState getDenialValidationState(const NegCache::NegCacheEntry& ne, const vState state, const dState expectedState, bool referralToUnsigned);
void updateDenialValidationState(vState& neValidationState, const DNSName& neName, vState& state, const dState denialState, const dState expectedState, bool allowOptOut);
void computeNegCacheValidationStatus(const NegCache::NegCacheEntry* ne, const DNSName& qname, const QType& qtype, const int res, vState& state, unsigned int depth);
void computeNegCacheValidationStatus(const NegCache::NegCacheEntry& ne, const DNSName& qname, const QType& qtype, const int res, vState& state, unsigned int depth);
vState getTA(const DNSName& zone, dsmap_t& ds);
bool haveExactValidationStatus(const DNSName& domain);
vState getValidationStatus(const DNSName& subdomain, bool allowIndeterminate=true);


+ 1
- 1
test-dns_random_hh.cc View File

@@ -123,7 +123,7 @@ BOOST_AUTO_TEST_CASE(test_dns_random_getrandom_average) {
#endif

#if defined(HAVE_ARC4RANDOM)
BOOST_AUTO_TEST_CASE(test_dns_random_getrandom_average) {
BOOST_AUTO_TEST_CASE(test_dns_random_arc4random_average) {

::arg().set("rng")="arc4random";
::arg().set("entropy-source")="/dev/urandom";


+ 78
- 1
test-syncres_cc1.cc View File

@@ -1125,8 +1125,85 @@ BOOST_AUTO_TEST_CASE(test_cname_loop)
vector<DNSRecord> ret;
int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
BOOST_CHECK_EQUAL(res, RCode::ServFail);
BOOST_CHECK_GT(ret.size(), 0U);
BOOST_CHECK_EQUAL(ret.size(), 0U);
BOOST_CHECK_EQUAL(count, 2U);

// Again to check cache
try {
res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
BOOST_CHECK(false);
}
catch (const ImmediateServFailException& ex) {
BOOST_CHECK(true);
}
}

BOOST_AUTO_TEST_CASE(test_cname_long_loop)
{
std::unique_ptr<SyncRes> sr;
initSR(sr);

primeHints();

size_t count = 0;
const DNSName target1("cname1.powerdns.com.");
const DNSName target2("cname2.powerdns.com.");
const DNSName target3("cname3.powerdns.com.");
const DNSName target4("cname4.powerdns.com.");

sr->setAsyncCallback([target1, target2, target3, target4, &count](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
count++;

if (isRootServer(ip)) {

setLWResult(res, 0, false, false, true);
addRecordToLW(res, domain, QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
addRecordToLW(res, "a.gtld-servers.net.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
return 1;
}
else if (ip == ComboAddress("192.0.2.1:53")) {

if (domain == target1) {
setLWResult(res, 0, true, false, false);
addRecordToLW(res, domain, QType::CNAME, target2.toString());
return 1;
}
else if (domain == target2) {
setLWResult(res, 0, true, false, false);
addRecordToLW(res, domain, QType::CNAME, target3.toString());
return 1;
}
else if (domain == target3) {
setLWResult(res, 0, true, false, false);
addRecordToLW(res, domain, QType::CNAME, target4.toString());
return 1;
}
else if (domain == target4) {
setLWResult(res, 0, true, false, false);
addRecordToLW(res, domain, QType::CNAME, target1.toString());
return 1;
}

return 1;
}

return 0;
});

vector<DNSRecord> ret;
int res = sr->beginResolve(target1, QType(QType::A), QClass::IN, ret);
BOOST_CHECK_EQUAL(res, RCode::ServFail);
BOOST_CHECK_EQUAL(ret.size(), 0U);
BOOST_CHECK_EQUAL(count, 8U);

// And again to check cache
try {
res = sr->beginResolve(target1, QType(QType::A), QClass::IN, ret);
BOOST_CHECK(false);
}
catch (const ImmediateServFailException& ex) {
BOOST_CHECK(true);
}
}

BOOST_AUTO_TEST_CASE(test_cname_depth)
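Review bot: The cache re-check at the end of test_cname_loop (L1476-1482) and of the new test_cname_long_loop (L1544-1550) spells "must throw" as a try/catch whose catch body is `BOOST_CHECK(true)` and whose `ex` is never read, so the success branch asserts nothing and the unused binding will warn. `BOOST_CHECK_THROW(sr->beginResolve(target, QType(QType::A), QClass::IN, ret), ImmediateServFailException);` states the expectation in one line and also reports a clean failure if some other exception type escapes instead. The test_cname_loop case starts before this hunk, so its earlier assertions are not visible here.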


+ 51
- 20
test-syncres_cc2.cc View File

@@ -5,7 +5,7 @@

BOOST_AUTO_TEST_SUITE(syncres_cc2)

BOOST_AUTO_TEST_CASE(test_referral_depth)
static void do_test_referral_depth(bool limited)
{
std::unique_ptr<SyncRes> sr;
initSR(sr);
@@ -35,36 +35,66 @@ BOOST_AUTO_TEST_CASE(test_referral_depth)
}
else if (domain == DNSName("ns3.powerdns.org.")) {
addRecordToLW(res, domain, QType::NS, "ns4.powerdns.org.", DNSResourceRecord::AUTHORITY, 172800);
}
else if (domain == DNSName("ns4.powerdns.org.")) {
addRecordToLW(res, domain, QType::NS, "ns5.powerdns.org.", DNSResourceRecord::AUTHORITY, 172800);
addRecordToLW(res, domain, QType::A, "192.0.2.1", DNSResourceRecord::AUTHORITY, 172800);
addRecordToLW(res, "ns4.powerdns.org.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
}

return 1;
}
else if (ip == ComboAddress("192.0.2.1:53")) {

setLWResult(res, 0, true, false, false);
addRecordToLW(res, domain, QType::A, "192.0.2.2");
if (domain == DNSName("www.powerdns.com.")) {
addRecordToLW(res, domain, QType::A, "192.0.2.2");
}
else {
addRecordToLW(res, domain, QType::A, "192.0.2.1");
}
return 1;
}

return 0;
});

/* Set the maximum depth low */
SyncRes::s_maxdepth = 10;

try {
vector<DNSRecord> ret;
sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
BOOST_CHECK(false);
if (limited) {
/* Set the maximum depth low */
SyncRes::s_maxdepth = 4;
try {
vector<DNSRecord> ret;
sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
BOOST_CHECK(false);
}
catch (const ImmediateServFailException& e) {
BOOST_CHECK(e.reason.find("max-recursion-depth") != string::npos);
}
}
catch (const ImmediateServFailException& e) {
else {
// Check if the setup with high limit is OK.
SyncRes::s_maxdepth = 50;
try {
vector<DNSRecord> ret;
int rcode = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
BOOST_CHECK_EQUAL(rcode, RCode::NoError);
BOOST_REQUIRE_EQUAL(ret.size(), 1U);
BOOST_CHECK_EQUAL(ret[0].d_name, target);
BOOST_REQUIRE(ret[0].d_type == QType::A);
BOOST_CHECK(getRR<ARecordContent>(ret[0])->getCA() == ComboAddress("192.0.2.2"));
}
catch (const ImmediateServFailException& e) {
BOOST_CHECK(false);
}
}
}

BOOST_AUTO_TEST_CASE(test_referral_depth)
{
// Test with limit
do_test_referral_depth(true);
}
BOOST_AUTO_TEST_CASE(test_referral_depth_ok)
{
// Test with default limit
do_test_referral_depth(false);
}

BOOST_AUTO_TEST_CASE(test_cname_qperq)
{
std::unique_ptr<SyncRes> sr;
@@ -1260,7 +1290,7 @@ BOOST_AUTO_TEST_CASE(test_completely_flawed_big_nsset)
if (isRootServer(ip) && domain == target) {
setLWResult(res, 0, false, false, true);
// 20 NS records
for (int i = 0; i < 20; i++) {
for (int i = 0; i < 20; i++) {
string n = string("pdns-public-ns") + std::to_string(i) + string(".powerdns.com.");
addRecordToLW(res, domain, QType::NS, n, DNSResourceRecord::AUTHORITY, 172800);
}
@@ -1278,10 +1308,11 @@ BOOST_AUTO_TEST_CASE(test_completely_flawed_big_nsset)
try {
sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
BOOST_CHECK(0);
} catch (const ImmediateServFailException& ex) {
BOOST_CHECK_EQUAL(ret.size(), 0U);
// one query to get NSs, then A and AAAA for each NS, 5th NS hits the limit
// limit is reduced to 5, because zone publishes many (20) NS
}
catch (const ImmediateServFailException& ex) {
BOOST_CHECK_EQUAL(ret.size(), 0U);
// one query to get NSs, then A and AAAA for each NS, 5th NS hits the limit
// limit is reduced to 5, because zone publishes many (20) NS
BOOST_CHECK_EQUAL(queriesCount, 11);
}
}
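Review bot: do_test_referral_depth assigns `SyncRes::s_maxdepth` (4 at L1607, 50 at L1620) and never restores it, so whichever of test_referral_depth and test_referral_depth_ok runs second, and every later case in this suite, inherits the last value unless initSR resets it; the pre-existing `= 10` had the same property, but the helper is now called twice with different values, which makes the ordering dependence real. Saving the value on entry, `const auto savedMaxDepth = SyncRes::s_maxdepth;`, and restoring it after the if/else, `SyncRes::s_maxdepth = savedMaxDepth;`, is enough since both branches catch the exception they expect. The comment `// Test with default limit` at L1643 also contradicts the explicit `SyncRes::s_maxdepth = 50;` the helper sets; `// Test with a limit high enough for the referral chain to resolve` would describe what actually runs.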


+ 50
- 0
test-syncres_cc6.cc View File

@@ -238,6 +238,56 @@ BOOST_AUTO_TEST_CASE(test_dnssec_ds_sign_loop)
BOOST_CHECK_EQUAL(queriesCount, 8U);
}

BOOST_AUTO_TEST_CASE(test_dnssec_ds_root)
{
std::unique_ptr<SyncRes> sr;
initSR(sr, true);

setDNSSECValidation(sr, DNSSECMode::ValidateAll);

primeHints();
const DNSName target(".");
testkeysset_t keys;

auto luaconfsCopy = g_luaconfs.getCopy();
luaconfsCopy.dsAnchors.clear();
generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::DIGEST_SHA256, keys, luaconfsCopy.dsAnchors);

g_luaconfs.setState(luaconfsCopy);

size_t queriesCount = 0;

sr->setAsyncCallback([target, &queriesCount, keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
queriesCount++;

if (type == QType::DS) {
setLWResult(res, 0, true, false, true);
addRecordToLW(res, ".", QType::SOA, "a.root-servers.net. nstld.verisign-grs.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
addRRSIG(keys, res->d_records, DNSName("."), 300);
addNSECRecordToLW(domain, DNSName("aaa."), {QType::DNSKEY, QType::SOA, QType::NS, QType::NSEC, QType::RRSIG}, 600, res->d_records);
addRRSIG(keys, res->d_records, DNSName("."), 300);
return 1;
}

return 0;
});

vector<DNSRecord> ret;
int res = sr->beginResolve(target, QType(QType::DS), QClass::IN, ret);
BOOST_CHECK_EQUAL(res, RCode::NoError);
BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
BOOST_REQUIRE_EQUAL(ret.size(), 4U);
BOOST_CHECK_EQUAL(queriesCount, 1U);

/* again, to test the cache */
ret.clear();
res = sr->beginResolve(target, QType(QType::DS), QClass::IN, ret);
BOOST_CHECK_EQUAL(res, RCode::NoError);
BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
BOOST_REQUIRE_EQUAL(ret.size(), 4U);
BOOST_CHECK_EQUAL(queriesCount, 1U);
}
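Review bot: The callback lambda at L1704 captures `target` by value but its body only reads `type`, `domain`, `res`, `keys` and `queriesCount`, so `target` should be dropped from the capture list. The test case also has no comment saying what it guards, which matters because it is the only one that queries `DNSName(".")` for a DS and expects Secure; a line such as `/* a DS query for the root can only be answered with a denial signed by the root keys themselves; that must validate as Secure, not Bogus */` above `std::unique_ptr<SyncRes> sr;` would tie it to the `!signer.isRoot()` exception added in syncres.cc in this same commit.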

BOOST_AUTO_TEST_CASE(test_dnssec_dnskey_signed_child)
{
/* check that we don't accept a signer below us */


+ 4
- 0
ws-recursor.cc View File

@@ -674,6 +674,10 @@ void AsyncServer::newConnection()

// This is an entry point from FDM, so it needs to catch everything.
void AsyncWebServer::serveConnection(std::shared_ptr<Socket> client) const {
if (!client->acl(d_acl)) {
return;
}

const string logprefix = d_logprefix + to_string(getUniqueID()) + " ";

HttpRequest req(logprefix);
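Review bot: The ACL rejection at L1748-1750 returns silently, before `logprefix` is even built, so an operator gets no record that the webserver dropped a connection from an address outside `d_acl` and cannot detect or correlate repeated rejected attempts. A single log line naming the peer address before the `return;` (at whatever level this file uses for connection events) would close that gap without changing the enforcement. Note also that the comment above the function says it "needs to catch everything", yet the new check runs outside any try block; if `Socket::acl()` can throw, which the hunk does not show, that exception would escape the FDM entry point. The body of serveConnection continues past the end of this hunk.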


+ 4
- 1
ws-recursor.hh View File

@@ -32,7 +32,10 @@ class HttpResponse;

class AsyncServer : public Server {
public:
AsyncServer(const string &localaddress, int port) : Server(localaddress, port) { };
AsyncServer(const string &localaddress, int port) : Server(localaddress, port)
{
d_server_socket.setNonBlocking();
};

friend void AsyncServerNewConnectionMT(void *p);
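Review bot: The `};` at L1769 leaves a stray semicolon after the constructor body, which is an empty declaration inside the class; the original one-liner had it too, but the rewrite into a multi-line body is the moment to drop it. It would also help to say why the listening socket is switched to non-blocking here rather than in the base class, e.g. `// accept() is driven from the event loop, so the listening socket must never block` above the call, if that is indeed the reason (the surrounding code that drives accept is not visible in this hunk).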


