authorStuart Henderson <sthen@cvs.openbsd.org>2022-08-29 16:05:01 +0000
committerStuart Henderson <sthen@cvs.openbsd.org>2022-08-29 16:05:01 +0000
commit49955572dabfb2fd7665863123997779f730bef5 (patch)
tree719d921b9363a68daa0f28a9cb569e41de5ece92 /usr.sbin/unbound/util
parentacbc9b082da151312d8e4b6dc46baee508810e80 (diff)
merge updates
Diffstat (limited to 'usr.sbin/unbound/util')
-rw-r--r--usr.sbin/unbound/util/config_file.c15
-rw-r--r--usr.sbin/unbound/util/config_file.h4
-rw-r--r--usr.sbin/unbound/util/configlexer.lex1
-rw-r--r--usr.sbin/unbound/util/configparser.y13
-rw-r--r--usr.sbin/unbound/util/data/msgreply.c2
-rw-r--r--usr.sbin/unbound/util/iana_ports.inc10
-rw-r--r--usr.sbin/unbound/util/module.h6
-rw-r--r--usr.sbin/unbound/util/net_help.c10
-rw-r--r--usr.sbin/unbound/util/rtt.h2
9 files changed, 52 insertions, 11 deletions
diff --git a/usr.sbin/unbound/util/config_file.c b/usr.sbin/unbound/util/config_file.c
index d7bd37a8890..cd9389a3551 100644
--- a/usr.sbin/unbound/util/config_file.c
+++ b/usr.sbin/unbound/util/config_file.c
@@ -173,6 +173,7 @@ config_create(void)
cfg->infra_cache_slabs = 4;
cfg->infra_cache_numhosts = 10000;
cfg->infra_cache_min_rtt = 50;
+ cfg->infra_cache_max_rtt = 120000;
cfg->infra_keep_probing = 0;
cfg->delay_close = 0;
cfg->udp_connect = 1;
@@ -595,8 +596,14 @@ int config_set_option(struct config_file* cfg, const char* opt,
else if(strcmp(opt, "cache-min-ttl:") == 0)
{ IS_NUMBER_OR_ZERO; cfg->min_ttl = atoi(val); MIN_TTL=(time_t)cfg->min_ttl;}
else if(strcmp(opt, "infra-cache-min-rtt:") == 0) {
- IS_NUMBER_OR_ZERO; cfg->infra_cache_min_rtt = atoi(val);
- RTT_MIN_TIMEOUT=cfg->infra_cache_min_rtt;
+ IS_NUMBER_OR_ZERO; cfg->infra_cache_min_rtt = atoi(val);
+ RTT_MIN_TIMEOUT=cfg->infra_cache_min_rtt;
+ }
+ else if(strcmp(opt, "infra-cache-max-rtt:") == 0) {
+ IS_NUMBER_OR_ZERO; cfg->infra_cache_max_rtt = atoi(val);
+ RTT_MAX_TIMEOUT=cfg->infra_cache_max_rtt;
+ USEFUL_SERVER_TOP_TIMEOUT = RTT_MAX_TIMEOUT;
+ BLACKLIST_PENALTY = USEFUL_SERVER_TOP_TIMEOUT*4;
}
else S_YNO("infra-keep-probing:", infra_keep_probing)
else S_NUMBER_OR_ZERO("infra-host-ttl:", host_ttl)
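Review bot: The new `infra-cache-max-rtt:` branch accepts any value that passes IS_NUMBER_OR_ZERO, including 0 and anything below infra-cache-min-rtt, and publishes it straight into RTT_MAX_TIMEOUT and USEFUL_SERVER_TOP_TIMEOUT, so a misordered pair (max < min) presumably inverts the retransmit clamp range at runtime. It should be rejected or clamped before the assignments, e.g. `if(cfg->infra_cache_max_rtt < cfg->infra_cache_min_rtt) cfg->infra_cache_max_rtt = cfg->infra_cache_min_rtt;` (or the error path the surrounding macros use, which is outside the hunk). `BLACKLIST_PENALTY = USEFUL_SERVER_TOP_TIMEOUT*4` is signed int arithmetic and overflows for values above INT_MAX/4, which atoi will happily produce from a long digit string, so a range check on the parsed value (an upper bound as well as the ordering) closes both. The same unchecked assignment is repeated in config_apply later in this file and in the new server_infra_cache_max_rtt rule in configparser.y, so one check at the point the value is applied would cover all three. config_set_option starts and ends outside the hunk.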
@@ -1026,6 +1033,7 @@ config_get_option(struct config_file* cfg, const char* opt,
else O_DEC(opt, "infra-host-ttl", host_ttl)
else O_DEC(opt, "infra-cache-slabs", infra_cache_slabs)
else O_DEC(opt, "infra-cache-min-rtt", infra_cache_min_rtt)
+ else O_UNS(opt, "infra-cache-max-rtt", infra_cache_max_rtt)
else O_YNO(opt, "infra-keep-probing", infra_keep_probing)
else O_MEM(opt, "infra-cache-numhosts", infra_cache_numhosts)
else O_UNS(opt, "delay-close", delay_close)
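Review bot: `infra_cache_max_rtt` is declared `int` in config_file.h in this same commit, yet the new getter line uses O_UNS while the sibling `infra-cache-min-rtt` line directly above uses O_DEC for the equally `int` min field; if O_UNS formats as unsigned, a negative value stored by the setter (which accepts any atoi result) would print as a huge number. Use the same accessor as the min field: `else O_DEC(opt, "infra-cache-max-rtt", infra_cache_max_rtt)`. config_get_option continues outside the hunk.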
@@ -2222,11 +2230,14 @@ config_apply(struct config_file* config)
SERVE_ORIGINAL_TTL = config->serve_original_ttl;
MAX_NEG_TTL = (time_t)config->max_negative_ttl;
RTT_MIN_TIMEOUT = config->infra_cache_min_rtt;
+ RTT_MAX_TIMEOUT = config->infra_cache_max_rtt;
EDNS_ADVERTISED_SIZE = (uint16_t)config->edns_buffer_size;
MINIMAL_RESPONSES = config->minimal_responses;
RRSET_ROUNDROBIN = config->rrset_roundrobin;
LOG_TAG_QUERYREPLY = config->log_tag_queryreply;
UNKNOWN_SERVER_NICENESS = config->unknown_server_time_limit;
+ USEFUL_SERVER_TOP_TIMEOUT = RTT_MAX_TIMEOUT;
+ BLACKLIST_PENALTY = USEFUL_SERVER_TOP_TIMEOUT*4;
log_set_time_asc(config->log_time_ascii);
autr_permit_small_holddown = config->permit_small_holddown;
stream_wait_max = config->stream_wait_size;
diff --git a/usr.sbin/unbound/util/config_file.h b/usr.sbin/unbound/util/config_file.h
index 0b457e3476b..ed372522dfa 100644
--- a/usr.sbin/unbound/util/config_file.h
+++ b/usr.sbin/unbound/util/config_file.h
@@ -186,8 +186,10 @@ struct config_file {
size_t infra_cache_slabs;
/** max number of hosts in the infra cache */
size_t infra_cache_numhosts;
- /** min value for infra cache rtt */
+ /** min value for infra cache rtt (min retransmit timeout) */
int infra_cache_min_rtt;
+ /** max value for infra cache rtt (max retransmit timeout) */
+ int infra_cache_max_rtt;
/** keep probing hosts that are down */
int infra_keep_probing;
/** delay close of udp-timeouted ports, if 0 no delayclose. in msec */
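Review bot: The new field comment omits the unit, while rtt.h in this commit documents RTT_MAX_TIMEOUT, which this field feeds, as milliseconds, and the neighbouring delay_close comment spells out msec. Suggest `/** max value for infra cache rtt (max retransmit timeout), in msec */` and the same addition to the min comment above it. struct config_file continues outside the hunk.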
diff --git a/usr.sbin/unbound/util/configlexer.lex b/usr.sbin/unbound/util/configlexer.lex
index 2d59fbc32e8..a46a74fb640 100644
--- a/usr.sbin/unbound/util/configlexer.lex
+++ b/usr.sbin/unbound/util/configlexer.lex
@@ -302,6 +302,7 @@ infra-cache-slabs{COLON} { YDVAR(1, VAR_INFRA_CACHE_SLABS) }
infra-cache-numhosts{COLON} { YDVAR(1, VAR_INFRA_CACHE_NUMHOSTS) }
infra-cache-lame-size{COLON} { YDVAR(1, VAR_INFRA_CACHE_LAME_SIZE) }
infra-cache-min-rtt{COLON} { YDVAR(1, VAR_INFRA_CACHE_MIN_RTT) }
+infra-cache-max-rtt{COLON} { YDVAR(1, VAR_INFRA_CACHE_MAX_RTT) }
infra-keep-probing{COLON} { YDVAR(1, VAR_INFRA_KEEP_PROBING) }
num-queries-per-thread{COLON} { YDVAR(1, VAR_NUM_QUERIES_PER_THREAD) }
jostle-timeout{COLON} { YDVAR(1, VAR_JOSTLE_TIMEOUT) }
diff --git a/usr.sbin/unbound/util/configparser.y b/usr.sbin/unbound/util/configparser.y
index c003f335839..c23534019e5 100644
--- a/usr.sbin/unbound/util/configparser.y
+++ b/usr.sbin/unbound/util/configparser.y
@@ -120,7 +120,7 @@ extern struct config_parser_state* cfg_parser;
%token VAR_STUB_FIRST VAR_MINIMAL_RESPONSES VAR_RRSET_ROUNDROBIN
%token VAR_MAX_UDP_SIZE VAR_DELAY_CLOSE VAR_UDP_CONNECT
%token VAR_UNBLOCK_LAN_ZONES VAR_INSECURE_LAN_ZONES
-%token VAR_INFRA_CACHE_MIN_RTT VAR_INFRA_KEEP_PROBING
+%token VAR_INFRA_CACHE_MIN_RTT VAR_INFRA_CACHE_MAX_RTT VAR_INFRA_KEEP_PROBING
%token VAR_DNS64_PREFIX VAR_DNS64_SYNTHALL VAR_DNS64_IGNORE_AAAA
%token VAR_DNSTAP VAR_DNSTAP_ENABLE VAR_DNSTAP_SOCKET_PATH VAR_DNSTAP_IP
%token VAR_DNSTAP_TLS VAR_DNSTAP_TLS_SERVER_NAME VAR_DNSTAP_TLS_CERT_BUNDLE
@@ -267,7 +267,7 @@ content_server: server_num_threads | server_verbosity | server_port |
server_so_reuseport | server_delay_close | server_udp_connect |
server_unblock_lan_zones | server_insecure_lan_zones |
server_dns64_prefix | server_dns64_synthall | server_dns64_ignore_aaaa |
- server_infra_cache_min_rtt | server_harden_algo_downgrade |
+ server_infra_cache_min_rtt | server_infra_cache_max_rtt | server_harden_algo_downgrade |
server_ip_transparent | server_ip_ratelimit | server_ratelimit |
server_ip_dscp | server_infra_keep_probing |
server_ip_ratelimit_slabs | server_ratelimit_slabs |
@@ -1659,6 +1659,15 @@ server_infra_cache_min_rtt: VAR_INFRA_CACHE_MIN_RTT STRING_ARG
free($2);
}
;
+server_infra_cache_max_rtt: VAR_INFRA_CACHE_MAX_RTT STRING_ARG
+ {
+ OUTYY(("P(server_infra_cache_max_rtt:%s)\n", $2));
+ if(atoi($2) == 0 && strcmp($2, "0") != 0)
+ yyerror("number expected");
+ else cfg_parser->cfg->infra_cache_max_rtt = atoi($2);
+ free($2);
+ }
+ ;
server_infra_keep_probing: VAR_INFRA_KEEP_PROBING STRING_ARG
{
OUTYY(("P(server_infra_keep_probing:%s)\n", $2));
diff --git a/usr.sbin/unbound/util/data/msgreply.c b/usr.sbin/unbound/util/data/msgreply.c
index e3ee607b154..1e6ee97040c 100644
--- a/usr.sbin/unbound/util/data/msgreply.c
+++ b/usr.sbin/unbound/util/data/msgreply.c
@@ -1015,7 +1015,7 @@ int edns_opt_list_append_ede(struct edns_option** list, struct regional* region,
prevp = list;
while(*prevp != NULL)
prevp = &((*prevp)->next);
- verbose(VERB_ALGO, "attached EDE code: %d with message: %s", code, txt);
+ verbose(VERB_ALGO, "attached EDE code: %d with message: %s", code, (txt?txt:"\"\""));
*prevp = opt;
return 1;
}
diff --git a/usr.sbin/unbound/util/iana_ports.inc b/usr.sbin/unbound/util/iana_ports.inc
index c7662dc62fe..80a8144d385 100644
--- a/usr.sbin/unbound/util/iana_ports.inc
+++ b/usr.sbin/unbound/util/iana_ports.inc
@@ -2917,6 +2917,7 @@
3297,
3298,
3299,
+3301,
3302,
3303,
3304,
@@ -3975,6 +3976,7 @@
4789,
4790,
4791,
+4792,
4800,
4801,
4802,
@@ -4342,6 +4344,13 @@
5859,
5863,
5900,
+5903,
+5904,
+5905,
+5906,
+5907,
+5908,
+5909,
5910,
5911,
5912,
@@ -4553,6 +4562,7 @@
6965,
6966,
6969,
+6980,
6997,
6998,
6999,
diff --git a/usr.sbin/unbound/util/module.h b/usr.sbin/unbound/util/module.h
index 33068a71ce6..013c65b02dc 100644
--- a/usr.sbin/unbound/util/module.h
+++ b/usr.sbin/unbound/util/module.h
@@ -665,6 +665,12 @@ struct module_qstate {
int need_refetch;
/** whether the query (or a subquery) was ratelimited */
int was_ratelimited;
+ /** time when query was started. This is when the qstate is created.
+ * This is used so that type NS data cannot be overwritten by them
+ * expiring while the lookup is in progress, using data fetched from
+ * those servers. By comparing expiry time with qstarttime for type NS.
+ */
+ time_t qstarttime;
/**
* Attributes of clients that share the qstate that may affect IP-based
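Review bot: The doc comment on the new `qstarttime` field is hard to follow ("cannot be overwritten by them expiring while the lookup is in progress") and does not say where the field is set. Suggest separating what it holds from why it exists, along the lines of `/** creation time of this qstate (time_t). Compared against the expiry time of type NS data so that NS records that expire while this lookup is in progress are not overwritten by data fetched from those same servers. */`, plus a note of the setter once it is added. struct module_qstate continues outside the hunk.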
diff --git a/usr.sbin/unbound/util/net_help.c b/usr.sbin/unbound/util/net_help.c
index 114920e3f90..8153dbdd181 100644
--- a/usr.sbin/unbound/util/net_help.c
+++ b/usr.sbin/unbound/util/net_help.c
@@ -1162,10 +1162,11 @@ add_WIN_cacerts_to_openssl_store(SSL_CTX* tls_ctx)
(const unsigned char **)&pTargetCert->pbCertEncoded,
pTargetCert->cbCertEncoded);
if (!cert1) {
+ unsigned long error = ERR_get_error();
/* return error if a cert fails */
verbose(VERB_ALGO, "%s %d:%s",
"Unable to parse certificate in memory",
- (int)ERR_get_error(), ERR_error_string(ERR_get_error(), NULL));
+ (int)error, ERR_error_string(error, NULL));
return 0;
}
else {
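Review bot: Reading ERR_get_error() once into `error` fixes the earlier double pop, but `ERR_error_string(error, NULL)` still formats into OpenSSL's internal static buffer, which its documentation marks as not thread-safe; `ERR_error_string_n(error, buf, sizeof buf)` with a local `char buf[256];` avoids that, and the same substitution applies to the second hunk in this file. The enclosing add_WIN_cacerts_to_openssl_store starts and ends outside the hunk.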
@@ -1176,10 +1177,11 @@ add_WIN_cacerts_to_openssl_store(SSL_CTX* tls_ctx)
/* Ignore error X509_R_CERT_ALREADY_IN_HASH_TABLE which means the
* certificate is already in the store. */
if(ERR_GET_LIB(error) != ERR_LIB_X509 ||
- ERR_GET_REASON(error) != X509_R_CERT_ALREADY_IN_HASH_TABLE) {
+ ERR_GET_REASON(error) != X509_R_CERT_ALREADY_IN_HASH_TABLE) {
+ error = ERR_get_error();
verbose(VERB_ALGO, "%s %d:%s\n",
- "Error adding certificate", (int)ERR_get_error(),
- ERR_error_string(ERR_get_error(), NULL));
+ "Error adding certificate", (int)error,
+ ERR_error_string(error, NULL));
X509_free(cert1);
return 0;
}
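Review bot: `error = ERR_get_error();` at the start of the non-ignored branch replaces the value that was just tested; whether this is the same queue entry depends on how `error` was obtained above the hunk (ERR_peek_error() leaves it on the queue, in which case this is fine; ERR_get_error() would already have consumed it and this call would then report the next entry, or 0 with an empty-queue message). If it was a peek, a comment saying so would save the next reader the same check, e.g. `/* error was only peeked above; pop it now for reporting */`. The function continues outside the hunk.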
diff --git a/usr.sbin/unbound/util/rtt.h b/usr.sbin/unbound/util/rtt.h
index 07e65ee1d3d..63ed8eadb9d 100644
--- a/usr.sbin/unbound/util/rtt.h
+++ b/usr.sbin/unbound/util/rtt.h
@@ -58,7 +58,7 @@ struct rtt_info {
/** min retransmit timeout value, in milliseconds */
extern int RTT_MIN_TIMEOUT;
/** max retransmit timeout value, in milliseconds */
-#define RTT_MAX_TIMEOUT 120000
+extern int RTT_MAX_TIMEOUT;
/**
* Initialize RTT estimators.
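Review bot: Turning RTT_MAX_TIMEOUT from a compile-time constant into an `extern int` means any use that needed a constant expression (array bounds, static initializers, `#if`) no longer compiles, and the file that now defines the variable is not among the util/ files in this diffstat, so the definition must come from elsewhere in the same commit; worth confirming it exists exactly once and carries the same 120000 default that config_create sets. Keeping that default in one place, e.g. `#define RTT_MAX_TIMEOUT_DEFAULT 120000` used by both the definition and config_create, would stop the two copies drifting. The rest of the header continues outside the hunk.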