summaryrefslogtreecommitdiff
path: root/usr.sbin/nsd
diff options
context:
space:
mode:
Diffstat (limited to 'usr.sbin/nsd')
-rw-r--r--usr.sbin/nsd/Makefile.bsd-wrapper5
-rw-r--r--usr.sbin/nsd/Makefile.in344
-rw-r--r--usr.sbin/nsd/README.md6
-rw-r--r--usr.sbin/nsd/acx_nlnetlabs.m436
-rw-r--r--usr.sbin/nsd/answer.h6
-rw-r--r--usr.sbin/nsd/axfr.c14
-rw-r--r--usr.sbin/nsd/axfr.h6
-rw-r--r--usr.sbin/nsd/bitset.h6
-rw-r--r--usr.sbin/nsd/buffer.h6
-rw-r--r--usr.sbin/nsd/config.h.in3
-rw-r--r--usr.sbin/nsd/configlexer.lex6
-rw-r--r--usr.sbin/nsd/configparser.y18
-rw-r--r--usr.sbin/nsd/configure51
-rw-r--r--usr.sbin/nsd/configure.ac20
-rw-r--r--usr.sbin/nsd/dname.h6
-rw-r--r--usr.sbin/nsd/dns.h6
-rw-r--r--usr.sbin/nsd/dnstap/dnstap.c457
-rw-r--r--usr.sbin/nsd/dnstap/dnstap.h19
-rw-r--r--usr.sbin/nsd/dnstap/dnstap_collector.c11
-rw-r--r--usr.sbin/nsd/doc/ChangeLog83
-rw-r--r--usr.sbin/nsd/doc/README10
-rw-r--r--usr.sbin/nsd/doc/RELNOTES41
-rw-r--r--usr.sbin/nsd/edns.h6
-rw-r--r--usr.sbin/nsd/ixfr.c49
-rw-r--r--usr.sbin/nsd/ixfr.h6
-rw-r--r--usr.sbin/nsd/ixfrcreate.c4
-rw-r--r--usr.sbin/nsd/ixfrcreate.h6
-rw-r--r--usr.sbin/nsd/namedb.h6
-rw-r--r--usr.sbin/nsd/netio.h6
-rw-r--r--usr.sbin/nsd/nsd-checkconf.8.in2
-rw-r--r--usr.sbin/nsd/nsd-checkconf.c19
-rw-r--r--usr.sbin/nsd/nsd-checkzone.8.in2
-rw-r--r--usr.sbin/nsd/nsd-control.8.in2
-rw-r--r--usr.sbin/nsd/nsd-control.c67
-rw-r--r--usr.sbin/nsd/nsd.8.in4
-rw-r--r--usr.sbin/nsd/nsd.c2
-rw-r--r--usr.sbin/nsd/nsd.conf.5.in19
-rw-r--r--usr.sbin/nsd/nsd.conf.sample.in7
-rw-r--r--usr.sbin/nsd/nsd.h6
-rw-r--r--usr.sbin/nsd/options.c6
-rw-r--r--usr.sbin/nsd/options.h12
-rw-r--r--usr.sbin/nsd/packet.h6
-rw-r--r--usr.sbin/nsd/popen3.h6
-rw-r--r--usr.sbin/nsd/query.h6
-rw-r--r--usr.sbin/nsd/rbtree.h6
-rw-r--r--usr.sbin/nsd/rdata.h6
-rw-r--r--usr.sbin/nsd/region-allocator.h6
-rw-r--r--usr.sbin/nsd/remote.c66
-rw-r--r--usr.sbin/nsd/server.c19
-rw-r--r--usr.sbin/nsd/tsig-openssl.h12
-rw-r--r--usr.sbin/nsd/tsig.h25
-rw-r--r--usr.sbin/nsd/util.h6
-rw-r--r--usr.sbin/nsd/verify.c9
-rw-r--r--usr.sbin/nsd/verify.h6
-rw-r--r--usr.sbin/nsd/xfrd-disk.c12
-rw-r--r--usr.sbin/nsd/xfrd-tcp.c19
-rw-r--r--usr.sbin/nsd/xfrd.c29
-rw-r--r--usr.sbin/nsd/zonec.c8
-rw-r--r--usr.sbin/nsd/zonec.h6
59 files changed, 1229 insertions, 415 deletions
diff --git a/usr.sbin/nsd/Makefile.bsd-wrapper b/usr.sbin/nsd/Makefile.bsd-wrapper
index f5042fc31b4..bf3c46a875a 100644
--- a/usr.sbin/nsd/Makefile.bsd-wrapper
+++ b/usr.sbin/nsd/Makefile.bsd-wrapper
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile.bsd-wrapper,v 1.19 2021/06/30 11:50:22 deraadt Exp $
+# $OpenBSD: Makefile.bsd-wrapper,v 1.20 2023/06/29 19:38:49 florian Exp $
.include <bsd.own.mk>
@@ -21,8 +21,7 @@ CONFIGURE_OPTS= --prefix=/usr \
--with-xfrdir=${CHROOTDIR}/run/xfr \
--with-xfrdfile=${CHROOTDIR}/run/xfrd.state \
--with-libevent=/usr \
- --enable-ratelimit \
- --enable-root-server
+ --enable-ratelimit
PROG= nsd nsd-checkconf nsd-checkzone nsd-control
diff --git a/usr.sbin/nsd/Makefile.in b/usr.sbin/nsd/Makefile.in
index 96d0784f610..9b6c8b593a7 100644
--- a/usr.sbin/nsd/Makefile.in
+++ b/usr.sbin/nsd/Makefile.in
@@ -356,6 +356,15 @@ configlexer.c: $(srcdir)/configlexer.lex
configparser.c configparser.h: $(srcdir)/configparser.y
$(YACC) -d -p c_ -o configparser.c $(srcdir)/configparser.y
+# for build to run flex and bison before compiling code that needs the headers
+configlexer.o: configlexer.c config.h configparser.h
+configparser.o: configparser.c config.h configparser.h
+options.o: $(srcdir)/options.c config.h configparser.h
+zlexer.o: zlexer.c config.h zparser.h
+zparser.o: zparser.c config.h zparser.h
+dns.o: $(srcdir)/dns.c config.h zparser.h
+zonec.o: $(srcdir)/zonec.c config.h zparser.h
+
# dnstap
dnstap.o: $(srcdir)/dnstap/dnstap.c config.h dnstap/dnstap_config.h \
dnstap/dnstap.pb-c.c dnstap/dnstap.pb-c.h $(srcdir)/dnstap/dnstap.h \
@@ -367,7 +376,7 @@ dnstap_collector.o: $(srcdir)/dnstap/dnstap_collector.c config.h \
$(srcdir)/util.h $(srcdir)/nsd.h $(srcdir)/region-allocator.h \
$(srcdir)/buffer.h $(srcdir)/namedb.h $(srcdir)/dname.h \
$(srcdir)/dns.h $(srcdir)/radtree.h $(srcdir)/rbtree.h \
- $(srcdir)/options.h
+ $(srcdir)/options.h $(srcdir)/remote.h
dnstap/dnstap.pb-c.c dnstap/dnstap.pb-c.h: $(srcdir)/dnstap/dnstap.proto
@-if test ! -d dnstap; then $(INSTALL) -d dnstap; fi
$(PROTOC_C) --c_out=. --proto_path=$(srcdir) $(srcdir)/dnstap/dnstap.proto
@@ -414,134 +423,159 @@ depend:
rm -f $(DEPEND_TMP) $(DEPEND_TMP2)
# Dependencies
-answer.o: $(srcdir)/answer.c config.h $(srcdir)/answer.h $(srcdir)/dns.h $(srcdir)/namedb.h $(srcdir)/dname.h $(srcdir)/buffer.h \
- $(srcdir)/region-allocator.h $(srcdir)/util.h $(srcdir)/radtree.h $(srcdir)/rbtree.h $(srcdir)/packet.h $(srcdir)/query.h $(srcdir)/nsd.h \
- $(srcdir)/edns.h $(srcdir)/tsig.h
-ixfr.o: $(srcdir)/ixfr.c config.h $(srcdir)/ixfr.h $(srcdir)/query.h $(srcdir)/packet.h $(srcdir)/rdata.h $(srcdir)/axfr.h $(srcdir)/options.h $(srcdir)/rbtree.h $(srcdir)/zonec.h $(srcdir)/namedb.h $(srcdir)/nsd.h $(srcdir)/tsig.h $(srcdir)/dns.h $(srcdir)/region-allocator.h $(srcdir)/dname.h $(srcdir)/radtree.h $(srcdir)/edns.h $(srcdir)/bitset.h $(srcdir)/buffer.h $(srcdir)/util.h
-ixfrcreate.o: $(srcdir)/ixfrcreate.c config.h $(srcdir)/ixfrcreate.h $(srcdir)/namedb.h $(srcdir)/ixfr.h $(srcdir)/options.h $(srcdir)/dname.h $(srcdir)/dns.h $(srcdir)/radtree.h $(srcdir)/rbtree.h $(srcdir)/region-allocator.h $(srcdir)/buffer.h $(srcdir)/util.h
-axfr.o: $(srcdir)/axfr.c config.h $(srcdir)/axfr.h $(srcdir)/nsd.h $(srcdir)/dns.h $(srcdir)/edns.h $(srcdir)/buffer.h \
- $(srcdir)/region-allocator.h $(srcdir)/util.h $(srcdir)/query.h $(srcdir)/namedb.h $(srcdir)/dname.h $(srcdir)/radtree.h $(srcdir)/rbtree.h \
- $(srcdir)/packet.h $(srcdir)/tsig.h $(srcdir)/options.h $(srcdir)/ixfr.h
-buffer.o: $(srcdir)/buffer.c config.h $(srcdir)/buffer.h $(srcdir)/region-allocator.h $(srcdir)/util.h
+answer.o: $(srcdir)/answer.c config.h $(srcdir)/answer.h $(srcdir)/dns.h $(srcdir)/namedb.h \
+ $(srcdir)/dname.h $(srcdir)/buffer.h $(srcdir)/region-allocator.h $(srcdir)/util.h $(srcdir)/radtree.h $(srcdir)/rbtree.h $(srcdir)/packet.h \
+ $(srcdir)/query.h $(srcdir)/nsd.h $(srcdir)/edns.h $(srcdir)/bitset.h $(srcdir)/tsig.h
+axfr.o: $(srcdir)/axfr.c config.h $(srcdir)/axfr.h $(srcdir)/nsd.h $(srcdir)/dns.h $(srcdir)/edns.h \
+ $(srcdir)/buffer.h $(srcdir)/region-allocator.h $(srcdir)/util.h $(srcdir)/bitset.h $(srcdir)/query.h $(srcdir)/namedb.h $(srcdir)/dname.h \
+ $(srcdir)/radtree.h $(srcdir)/rbtree.h $(srcdir)/packet.h $(srcdir)/tsig.h $(srcdir)/options.h $(srcdir)/ixfr.h
+bitset.o: $(srcdir)/bitset.c config.h $(srcdir)/bitset.h
+buffer.o: $(srcdir)/buffer.c config.h $(srcdir)/buffer.h $(srcdir)/region-allocator.h \
+ $(srcdir)/util.h
configlexer.o: configlexer.c config.h $(srcdir)/options.h \
$(srcdir)/region-allocator.h $(srcdir)/rbtree.h configparser.h
-configparser.o: configparser.c config.h $(srcdir)/options.h $(srcdir)/region-allocator.h \
- $(srcdir)/rbtree.h $(srcdir)/util.h $(srcdir)/dname.h $(srcdir)/buffer.h $(srcdir)/tsig.h $(srcdir)/rrl.h $(srcdir)/query.h $(srcdir)/namedb.h $(srcdir)/dns.h \
- $(srcdir)/radtree.h $(srcdir)/nsd.h $(srcdir)/edns.h $(srcdir)/packet.h
-dbaccess.o: $(srcdir)/dbaccess.c config.h $(srcdir)/dns.h $(srcdir)/namedb.h $(srcdir)/dname.h $(srcdir)/buffer.h \
- $(srcdir)/region-allocator.h $(srcdir)/util.h $(srcdir)/radtree.h $(srcdir)/rbtree.h $(srcdir)/options.h $(srcdir)/rdata.h $(srcdir)/udb.h \
- $(srcdir)/udbradtree.h $(srcdir)/udbzone.h $(srcdir)/zonec.h $(srcdir)/nsec3.h $(srcdir)/difffile.h $(srcdir)/nsd.h $(srcdir)/edns.h $(srcdir)/ixfr.h $(srcdir)/ixfrcreate.h
+configparser.o: configparser.c config.h $(srcdir)/options.h \
+ $(srcdir)/region-allocator.h $(srcdir)/rbtree.h $(srcdir)/util.h $(srcdir)/dname.h $(srcdir)/buffer.h $(srcdir)/tsig.h $(srcdir)/rrl.h $(srcdir)/query.h \
+ $(srcdir)/namedb.h $(srcdir)/dns.h $(srcdir)/radtree.h $(srcdir)/nsd.h $(srcdir)/edns.h $(srcdir)/bitset.h $(srcdir)/packet.h configparser.h
+dbaccess.o: $(srcdir)/dbaccess.c config.h $(srcdir)/dns.h $(srcdir)/namedb.h $(srcdir)/dname.h \
+ $(srcdir)/buffer.h $(srcdir)/region-allocator.h $(srcdir)/util.h $(srcdir)/radtree.h $(srcdir)/rbtree.h $(srcdir)/options.h $(srcdir)/rdata.h \
+ $(srcdir)/udb.h $(srcdir)/udbradtree.h $(srcdir)/udbzone.h $(srcdir)/zonec.h $(srcdir)/nsec3.h $(srcdir)/difffile.h $(srcdir)/nsd.h $(srcdir)/edns.h \
+ $(srcdir)/bitset.h $(srcdir)/ixfr.h $(srcdir)/query.h $(srcdir)/packet.h $(srcdir)/tsig.h $(srcdir)/ixfrcreate.h
dbcreate.o: $(srcdir)/dbcreate.c config.h $(srcdir)/namedb.h $(srcdir)/dname.h $(srcdir)/buffer.h \
$(srcdir)/region-allocator.h $(srcdir)/util.h $(srcdir)/dns.h $(srcdir)/radtree.h $(srcdir)/rbtree.h $(srcdir)/udb.h $(srcdir)/udbradtree.h \
- $(srcdir)/udbzone.h $(srcdir)/options.h $(srcdir)/nsd.h $(srcdir)/edns.h $(srcdir)/ixfr.h
-difffile.o: $(srcdir)/difffile.c config.h $(srcdir)/difffile.h $(srcdir)/rbtree.h $(srcdir)/region-allocator.h \
- $(srcdir)/namedb.h $(srcdir)/dname.h $(srcdir)/buffer.h $(srcdir)/util.h $(srcdir)/dns.h $(srcdir)/radtree.h $(srcdir)/options.h $(srcdir)/udb.h \
- $(srcdir)/xfrd-disk.h $(srcdir)/packet.h $(srcdir)/rdata.h $(srcdir)/udbzone.h $(srcdir)/udbradtree.h $(srcdir)/nsec3.h $(srcdir)/nsd.h $(srcdir)/edns.h \
- $(srcdir)/rrl.h $(srcdir)/query.h $(srcdir)/tsig.h $(srcdir)/ixfr.h $(srcdir)/zonec.h
-dname.o: $(srcdir)/dname.c config.h $(srcdir)/dns.h $(srcdir)/dname.h $(srcdir)/buffer.h $(srcdir)/region-allocator.h \
- $(srcdir)/util.h $(srcdir)/query.h $(srcdir)/namedb.h $(srcdir)/radtree.h $(srcdir)/rbtree.h $(srcdir)/nsd.h $(srcdir)/edns.h $(srcdir)/packet.h $(srcdir)/tsig.h
-dns.o: $(srcdir)/dns.c config.h $(srcdir)/dns.h $(srcdir)/zonec.h $(srcdir)/namedb.h $(srcdir)/dname.h $(srcdir)/buffer.h \
- $(srcdir)/region-allocator.h $(srcdir)/util.h $(srcdir)/radtree.h $(srcdir)/rbtree.h zparser.h
-edns.o: $(srcdir)/edns.c config.h $(srcdir)/dns.h $(srcdir)/edns.h $(srcdir)/buffer.h $(srcdir)/region-allocator.h $(srcdir)/util.h \
- $(srcdir)/nsd.h $(srcdir)/query.h $(srcdir)/namedb.h $(srcdir)/dname.h $(srcdir)/radtree.h $(srcdir)/rbtree.h $(srcdir)/packet.h $(srcdir)/tsig.h
-ipc.o: $(srcdir)/ipc.c config.h $(srcdir)/ipc.h $(srcdir)/netio.h $(srcdir)/region-allocator.h $(srcdir)/buffer.h $(srcdir)/util.h \
- $(srcdir)/xfrd-tcp.h $(srcdir)/xfrd.h $(srcdir)/rbtree.h $(srcdir)/namedb.h $(srcdir)/dname.h $(srcdir)/dns.h $(srcdir)/radtree.h $(srcdir)/options.h \
- $(srcdir)/tsig.h $(srcdir)/nsd.h $(srcdir)/edns.h $(srcdir)/xfrd-notify.h $(srcdir)/difffile.h $(srcdir)/udb.h $(srcdir)/rrl.h $(srcdir)/query.h \
- $(srcdir)/packet.h
-iterated_hash.o: $(srcdir)/iterated_hash.c config.h $(srcdir)/iterated_hash.h
+ $(srcdir)/udbzone.h $(srcdir)/options.h $(srcdir)/nsd.h $(srcdir)/edns.h $(srcdir)/bitset.h $(srcdir)/ixfr.h $(srcdir)/query.h $(srcdir)/packet.h $(srcdir)/tsig.h
+difffile.o: $(srcdir)/difffile.c config.h $(srcdir)/difffile.h $(srcdir)/rbtree.h \
+ $(srcdir)/region-allocator.h $(srcdir)/namedb.h $(srcdir)/dname.h $(srcdir)/buffer.h $(srcdir)/util.h $(srcdir)/dns.h $(srcdir)/radtree.h \
+ $(srcdir)/options.h $(srcdir)/udb.h $(srcdir)/xfrd-disk.h $(srcdir)/packet.h $(srcdir)/rdata.h $(srcdir)/udbzone.h $(srcdir)/udbradtree.h \
+ $(srcdir)/nsec3.h $(srcdir)/nsd.h $(srcdir)/edns.h $(srcdir)/bitset.h $(srcdir)/rrl.h $(srcdir)/query.h $(srcdir)/tsig.h $(srcdir)/ixfr.h $(srcdir)/zonec.h
+dname.o: $(srcdir)/dname.c config.h $(srcdir)/dns.h $(srcdir)/dname.h $(srcdir)/buffer.h \
+ $(srcdir)/region-allocator.h $(srcdir)/util.h $(srcdir)/query.h $(srcdir)/namedb.h $(srcdir)/radtree.h $(srcdir)/rbtree.h $(srcdir)/nsd.h \
+ $(srcdir)/edns.h $(srcdir)/bitset.h $(srcdir)/packet.h $(srcdir)/tsig.h
+dns.o: $(srcdir)/dns.c config.h $(srcdir)/dns.h $(srcdir)/zonec.h $(srcdir)/namedb.h $(srcdir)/dname.h \
+ $(srcdir)/buffer.h $(srcdir)/region-allocator.h $(srcdir)/util.h $(srcdir)/radtree.h $(srcdir)/rbtree.h zparser.h
+edns.o: $(srcdir)/edns.c config.h $(srcdir)/dns.h $(srcdir)/edns.h $(srcdir)/buffer.h \
+ $(srcdir)/region-allocator.h $(srcdir)/util.h $(srcdir)/nsd.h $(srcdir)/bitset.h $(srcdir)/query.h $(srcdir)/namedb.h $(srcdir)/dname.h \
+ $(srcdir)/radtree.h $(srcdir)/rbtree.h $(srcdir)/packet.h $(srcdir)/tsig.h
+ipc.o: $(srcdir)/ipc.c config.h $(srcdir)/ipc.h $(srcdir)/netio.h $(srcdir)/region-allocator.h \
+ $(srcdir)/buffer.h $(srcdir)/util.h $(srcdir)/xfrd-tcp.h $(srcdir)/xfrd.h $(srcdir)/mini_event.h $(srcdir)/rbtree.h $(srcdir)/namedb.h $(srcdir)/dname.h \
+ $(srcdir)/dns.h $(srcdir)/radtree.h $(srcdir)/options.h $(srcdir)/tsig.h $(srcdir)/nsd.h $(srcdir)/edns.h $(srcdir)/bitset.h $(srcdir)/xfrd-notify.h \
+ $(srcdir)/difffile.h $(srcdir)/udb.h $(srcdir)/rrl.h $(srcdir)/query.h $(srcdir)/packet.h
+iterated_hash.o: $(srcdir)/iterated_hash.c config.h $(srcdir)/iterated_hash.h \
+ $(srcdir)/util.h
+ixfr.o: $(srcdir)/ixfr.c config.h $(srcdir)/ixfr.h $(srcdir)/query.h $(srcdir)/namedb.h $(srcdir)/dname.h \
+ $(srcdir)/buffer.h $(srcdir)/region-allocator.h $(srcdir)/util.h $(srcdir)/dns.h $(srcdir)/radtree.h $(srcdir)/rbtree.h $(srcdir)/nsd.h $(srcdir)/edns.h \
+ $(srcdir)/bitset.h $(srcdir)/packet.h $(srcdir)/tsig.h $(srcdir)/rdata.h $(srcdir)/axfr.h $(srcdir)/options.h $(srcdir)/zonec.h
+ixfrcreate.o: $(srcdir)/ixfrcreate.c config.h $(srcdir)/ixfrcreate.h $(srcdir)/dns.h \
+ $(srcdir)/namedb.h $(srcdir)/dname.h $(srcdir)/buffer.h $(srcdir)/region-allocator.h $(srcdir)/util.h $(srcdir)/radtree.h $(srcdir)/rbtree.h \
+ $(srcdir)/ixfr.h $(srcdir)/query.h $(srcdir)/nsd.h $(srcdir)/edns.h $(srcdir)/bitset.h $(srcdir)/packet.h $(srcdir)/tsig.h $(srcdir)/options.h
lookup3.o: $(srcdir)/lookup3.c config.h $(srcdir)/lookup3.h
-mini_event.o: $(srcdir)/mini_event.c config.h
-namedb.o: $(srcdir)/namedb.c config.h $(srcdir)/namedb.h $(srcdir)/dname.h $(srcdir)/buffer.h $(srcdir)/region-allocator.h \
- $(srcdir)/util.h $(srcdir)/dns.h $(srcdir)/radtree.h $(srcdir)/rbtree.h $(srcdir)/nsec3.h
-netio.o: $(srcdir)/netio.c config.h $(srcdir)/netio.h $(srcdir)/region-allocator.h $(srcdir)/util.h
-nsd.o: $(srcdir)/nsd.c config.h $(srcdir)/nsd.h $(srcdir)/dns.h $(srcdir)/edns.h $(srcdir)/buffer.h $(srcdir)/region-allocator.h \
- $(srcdir)/util.h $(srcdir)/options.h $(srcdir)/rbtree.h $(srcdir)/tsig.h $(srcdir)/dname.h $(srcdir)/remote.h $(srcdir)/xfrd-disk.h \
- $(srcdir)/dnstap/dnstap_collector.h
+mini_event.o: $(srcdir)/mini_event.c config.h $(srcdir)/mini_event.h $(srcdir)/rbtree.h \
+ $(srcdir)/region-allocator.h $(srcdir)/util.h
+namedb.o: $(srcdir)/namedb.c config.h $(srcdir)/namedb.h $(srcdir)/dname.h $(srcdir)/buffer.h \
+ $(srcdir)/region-allocator.h $(srcdir)/util.h $(srcdir)/dns.h $(srcdir)/radtree.h $(srcdir)/rbtree.h $(srcdir)/nsec3.h
+netio.o: $(srcdir)/netio.c config.h $(srcdir)/netio.h $(srcdir)/region-allocator.h \
+ $(srcdir)/util.h
+nsd.o: $(srcdir)/nsd.c config.h $(srcdir)/nsd.h $(srcdir)/dns.h $(srcdir)/edns.h $(srcdir)/buffer.h \
+ $(srcdir)/region-allocator.h $(srcdir)/util.h $(srcdir)/bitset.h $(srcdir)/options.h $(srcdir)/rbtree.h $(srcdir)/tsig.h $(srcdir)/dname.h \
+ $(srcdir)/remote.h $(srcdir)/xfrd-disk.h $(srcdir)/dnstap/dnstap_collector.h
nsd-checkconf.o: $(srcdir)/nsd-checkconf.c config.h $(srcdir)/tsig.h $(srcdir)/buffer.h \
$(srcdir)/region-allocator.h $(srcdir)/util.h $(srcdir)/dname.h $(srcdir)/options.h $(srcdir)/rbtree.h $(srcdir)/rrl.h $(srcdir)/query.h \
- $(srcdir)/namedb.h $(srcdir)/dns.h $(srcdir)/radtree.h $(srcdir)/nsd.h $(srcdir)/edns.h $(srcdir)/packet.h
-nsd-checkzone.o: $(srcdir)/nsd-checkzone.c config.h $(srcdir)/nsd.h $(srcdir)/dns.h $(srcdir)/edns.h $(srcdir)/buffer.h \
- $(srcdir)/region-allocator.h $(srcdir)/util.h $(srcdir)/bitset.h $(srcdir)/options.h $(srcdir)/rbtree.h $(srcdir)/zonec.h $(srcdir)/namedb.h $(srcdir)/dname.h \
- $(srcdir)/radtree.h $(srcdir)/ixfr.h $(srcdir)/query.h $(srcdir)/packet.h $(srcdir)/ixfrcreate.h $(srcdir)/difffile.h $(srcdir)/udb.h
-nsd-control.o: $(srcdir)/nsd-control.c config.h $(srcdir)/util.h $(srcdir)/tsig.h $(srcdir)/buffer.h \
- $(srcdir)/region-allocator.h $(srcdir)/dname.h $(srcdir)/options.h $(srcdir)/rbtree.h $(srcdir)/zonec.h
+ $(srcdir)/namedb.h $(srcdir)/dns.h $(srcdir)/radtree.h $(srcdir)/nsd.h $(srcdir)/edns.h $(srcdir)/bitset.h $(srcdir)/packet.h
+nsd-checkzone.o: $(srcdir)/nsd-checkzone.c config.h $(srcdir)/nsd.h $(srcdir)/dns.h \
+ $(srcdir)/edns.h $(srcdir)/buffer.h $(srcdir)/region-allocator.h $(srcdir)/util.h $(srcdir)/bitset.h $(srcdir)/options.h $(srcdir)/rbtree.h \
+ $(srcdir)/zonec.h $(srcdir)/namedb.h $(srcdir)/dname.h $(srcdir)/radtree.h $(srcdir)/ixfr.h $(srcdir)/query.h $(srcdir)/packet.h $(srcdir)/tsig.h \
+ $(srcdir)/ixfrcreate.h $(srcdir)/difffile.h $(srcdir)/udb.h
+nsd-control.o: $(srcdir)/nsd-control.c config.h $(srcdir)/util.h $(srcdir)/tsig.h \
+ $(srcdir)/buffer.h $(srcdir)/region-allocator.h $(srcdir)/dname.h $(srcdir)/options.h $(srcdir)/rbtree.h $(srcdir)/zonec.h $(srcdir)/namedb.h \
+ $(srcdir)/dns.h $(srcdir)/radtree.h
nsd-mem.o: $(srcdir)/nsd-mem.c config.h $(srcdir)/nsd.h $(srcdir)/dns.h $(srcdir)/edns.h $(srcdir)/buffer.h \
- $(srcdir)/region-allocator.h $(srcdir)/util.h $(srcdir)/tsig.h $(srcdir)/dname.h $(srcdir)/options.h $(srcdir)/rbtree.h $(srcdir)/namedb.h \
- $(srcdir)/radtree.h $(srcdir)/udb.h $(srcdir)/udbzone.h $(srcdir)/udbradtree.h
-nsec3.o: $(srcdir)/nsec3.c config.h $(srcdir)/nsec3.h $(srcdir)/iterated_hash.h $(srcdir)/namedb.h $(srcdir)/dname.h \
- $(srcdir)/buffer.h $(srcdir)/region-allocator.h $(srcdir)/util.h $(srcdir)/dns.h $(srcdir)/radtree.h $(srcdir)/rbtree.h $(srcdir)/nsd.h $(srcdir)/edns.h \
- $(srcdir)/answer.h $(srcdir)/packet.h $(srcdir)/query.h $(srcdir)/tsig.h $(srcdir)/udbzone.h $(srcdir)/udb.h $(srcdir)/udbradtree.h $(srcdir)/options.h
-options.o: $(srcdir)/options.c config.h $(srcdir)/options.h $(srcdir)/region-allocator.h $(srcdir)/rbtree.h \
- $(srcdir)/query.h $(srcdir)/namedb.h $(srcdir)/dname.h $(srcdir)/buffer.h $(srcdir)/util.h $(srcdir)/dns.h $(srcdir)/radtree.h $(srcdir)/nsd.h $(srcdir)/edns.h \
- $(srcdir)/packet.h $(srcdir)/tsig.h $(srcdir)/difffile.h $(srcdir)/udb.h $(srcdir)/rrl.h configparser.h
-packet.o: $(srcdir)/packet.c config.h $(srcdir)/packet.h $(srcdir)/dns.h $(srcdir)/namedb.h $(srcdir)/dname.h $(srcdir)/buffer.h \
- $(srcdir)/region-allocator.h $(srcdir)/util.h $(srcdir)/radtree.h $(srcdir)/rbtree.h $(srcdir)/query.h $(srcdir)/nsd.h $(srcdir)/edns.h $(srcdir)/tsig.h \
- $(srcdir)/rdata.h
-popen3.o: $(srcdir)/popen3.c $(srcdir)/popen3.h
-query.o: $(srcdir)/query.c config.h $(srcdir)/answer.h $(srcdir)/dns.h $(srcdir)/namedb.h $(srcdir)/dname.h $(srcdir)/buffer.h \
- $(srcdir)/region-allocator.h $(srcdir)/util.h $(srcdir)/radtree.h $(srcdir)/rbtree.h $(srcdir)/packet.h $(srcdir)/query.h $(srcdir)/nsd.h \
- $(srcdir)/edns.h $(srcdir)/tsig.h $(srcdir)/axfr.h $(srcdir)/options.h $(srcdir)/nsec3.h
-radtree.o: $(srcdir)/radtree.c config.h $(srcdir)/radtree.h $(srcdir)/util.h $(srcdir)/region-allocator.h
+ $(srcdir)/region-allocator.h $(srcdir)/util.h $(srcdir)/bitset.h $(srcdir)/tsig.h $(srcdir)/dname.h $(srcdir)/options.h $(srcdir)/rbtree.h \
+ $(srcdir)/namedb.h $(srcdir)/radtree.h $(srcdir)/udb.h $(srcdir)/udbzone.h $(srcdir)/udbradtree.h
+nsec3.o: $(srcdir)/nsec3.c config.h $(srcdir)/nsec3.h $(srcdir)/iterated_hash.h \
+ $(srcdir)/namedb.h $(srcdir)/dname.h $(srcdir)/buffer.h $(srcdir)/region-allocator.h $(srcdir)/util.h $(srcdir)/dns.h $(srcdir)/radtree.h \
+ $(srcdir)/rbtree.h $(srcdir)/nsd.h $(srcdir)/edns.h $(srcdir)/bitset.h $(srcdir)/answer.h $(srcdir)/packet.h $(srcdir)/query.h $(srcdir)/tsig.h \
+ $(srcdir)/udbzone.h $(srcdir)/udb.h $(srcdir)/udbradtree.h $(srcdir)/options.h
+options.o: $(srcdir)/options.c config.h $(srcdir)/options.h \
+ $(srcdir)/region-allocator.h $(srcdir)/rbtree.h $(srcdir)/query.h $(srcdir)/namedb.h $(srcdir)/dname.h $(srcdir)/buffer.h $(srcdir)/util.h \
+ $(srcdir)/dns.h $(srcdir)/radtree.h $(srcdir)/nsd.h $(srcdir)/edns.h $(srcdir)/bitset.h $(srcdir)/packet.h $(srcdir)/tsig.h $(srcdir)/ixfr.h $(srcdir)/difffile.h \
+ $(srcdir)/udb.h $(srcdir)/rrl.h configparser.h
+packet.o: $(srcdir)/packet.c config.h $(srcdir)/packet.h $(srcdir)/dns.h $(srcdir)/namedb.h \
+ $(srcdir)/dname.h $(srcdir)/buffer.h $(srcdir)/region-allocator.h $(srcdir)/util.h $(srcdir)/radtree.h $(srcdir)/rbtree.h $(srcdir)/query.h \
+ $(srcdir)/nsd.h $(srcdir)/edns.h $(srcdir)/bitset.h $(srcdir)/tsig.h $(srcdir)/rdata.h
+popen3.o: $(srcdir)/popen3.c config.h $(srcdir)/popen3.h
+query.o: $(srcdir)/query.c config.h $(srcdir)/answer.h $(srcdir)/dns.h $(srcdir)/namedb.h $(srcdir)/dname.h \
+ $(srcdir)/buffer.h $(srcdir)/region-allocator.h $(srcdir)/util.h $(srcdir)/radtree.h $(srcdir)/rbtree.h $(srcdir)/packet.h $(srcdir)/query.h \
+ $(srcdir)/nsd.h $(srcdir)/edns.h $(srcdir)/bitset.h $(srcdir)/tsig.h $(srcdir)/axfr.h $(srcdir)/options.h $(srcdir)/nsec3.h
+radtree.o: $(srcdir)/radtree.c config.h $(srcdir)/radtree.h $(srcdir)/util.h \
+ $(srcdir)/region-allocator.h
rbtree.o: $(srcdir)/rbtree.c config.h $(srcdir)/rbtree.h $(srcdir)/region-allocator.h
-rdata.o: $(srcdir)/rdata.c config.h $(srcdir)/rdata.h $(srcdir)/dns.h $(srcdir)/namedb.h $(srcdir)/dname.h $(srcdir)/buffer.h \
- $(srcdir)/region-allocator.h $(srcdir)/util.h $(srcdir)/radtree.h $(srcdir)/rbtree.h $(srcdir)/zonec.h
-region-allocator.o: $(srcdir)/region-allocator.c config.h $(srcdir)/region-allocator.h $(srcdir)/util.h
-remote.o: $(srcdir)/remote.c config.h $(srcdir)/remote.h $(srcdir)/util.h $(srcdir)/xfrd.h $(srcdir)/rbtree.h \
- $(srcdir)/region-allocator.h $(srcdir)/namedb.h $(srcdir)/dname.h $(srcdir)/buffer.h $(srcdir)/dns.h $(srcdir)/radtree.h $(srcdir)/options.h \
- $(srcdir)/tsig.h $(srcdir)/xfrd-notify.h $(srcdir)/xfrd-tcp.h $(srcdir)/nsd.h $(srcdir)/edns.h $(srcdir)/difffile.h $(srcdir)/udb.h $(srcdir)/ipc.h \
- $(srcdir)/netio.h
-rrl.o: $(srcdir)/rrl.c config.h $(srcdir)/rrl.h $(srcdir)/query.h $(srcdir)/namedb.h $(srcdir)/dname.h $(srcdir)/buffer.h \
- $(srcdir)/region-allocator.h $(srcdir)/util.h $(srcdir)/dns.h $(srcdir)/radtree.h $(srcdir)/rbtree.h $(srcdir)/nsd.h $(srcdir)/edns.h $(srcdir)/packet.h \
- $(srcdir)/tsig.h $(srcdir)/lookup3.h $(srcdir)/options.h
-server.o: $(srcdir)/server.c config.h $(srcdir)/axfr.h $(srcdir)/nsd.h $(srcdir)/dns.h $(srcdir)/edns.h $(srcdir)/buffer.h \
- $(srcdir)/region-allocator.h $(srcdir)/util.h $(srcdir)/query.h $(srcdir)/namedb.h $(srcdir)/dname.h $(srcdir)/radtree.h $(srcdir)/rbtree.h \
- $(srcdir)/packet.h $(srcdir)/tsig.h $(srcdir)/netio.h $(srcdir)/xfrd.h $(srcdir)/options.h $(srcdir)/xfrd-tcp.h $(srcdir)/xfrd-disk.h \
- $(srcdir)/difffile.h $(srcdir)/udb.h $(srcdir)/nsec3.h $(srcdir)/ipc.h $(srcdir)/remote.h $(srcdir)/lookup3.h $(srcdir)/dnstap/dnstap_collector.h $(srcdir)/rrl.h $(srcdir)/ixfr.h $(srcdir)/verify.h
+rdata.o: $(srcdir)/rdata.c config.h $(srcdir)/rdata.h $(srcdir)/dns.h $(srcdir)/namedb.h $(srcdir)/dname.h \
+ $(srcdir)/buffer.h $(srcdir)/region-allocator.h $(srcdir)/util.h $(srcdir)/radtree.h $(srcdir)/rbtree.h $(srcdir)/zonec.h
+region-allocator.o: $(srcdir)/region-allocator.c config.h \
+ $(srcdir)/region-allocator.h $(srcdir)/util.h
+remote.o: $(srcdir)/remote.c config.h $(srcdir)/mini_event.h $(srcdir)/rbtree.h \
+ $(srcdir)/region-allocator.h $(srcdir)/remote.h $(srcdir)/util.h $(srcdir)/xfrd.h $(srcdir)/namedb.h $(srcdir)/dname.h $(srcdir)/buffer.h \
+ $(srcdir)/dns.h $(srcdir)/radtree.h $(srcdir)/options.h $(srcdir)/tsig.h $(srcdir)/xfrd-notify.h $(srcdir)/xfrd-tcp.h $(srcdir)/nsd.h $(srcdir)/edns.h \
+ $(srcdir)/bitset.h $(srcdir)/difffile.h $(srcdir)/udb.h $(srcdir)/ipc.h $(srcdir)/netio.h
+rrl.o: $(srcdir)/rrl.c config.h $(srcdir)/rrl.h $(srcdir)/query.h $(srcdir)/namedb.h $(srcdir)/dname.h \
+ $(srcdir)/buffer.h $(srcdir)/region-allocator.h $(srcdir)/util.h $(srcdir)/dns.h $(srcdir)/radtree.h $(srcdir)/rbtree.h $(srcdir)/nsd.h $(srcdir)/edns.h \
+ $(srcdir)/bitset.h $(srcdir)/packet.h $(srcdir)/tsig.h $(srcdir)/lookup3.h $(srcdir)/options.h
+server.o: $(srcdir)/server.c config.h $(srcdir)/mini_event.h $(srcdir)/rbtree.h \
+ $(srcdir)/region-allocator.h $(srcdir)/axfr.h $(srcdir)/nsd.h $(srcdir)/dns.h $(srcdir)/edns.h $(srcdir)/buffer.h $(srcdir)/util.h $(srcdir)/bitset.h \
+ $(srcdir)/query.h $(srcdir)/namedb.h $(srcdir)/dname.h $(srcdir)/radtree.h $(srcdir)/packet.h $(srcdir)/tsig.h $(srcdir)/netio.h $(srcdir)/xfrd.h \
+ $(srcdir)/options.h $(srcdir)/xfrd-tcp.h $(srcdir)/xfrd-disk.h $(srcdir)/difffile.h $(srcdir)/udb.h $(srcdir)/nsec3.h $(srcdir)/ipc.h $(srcdir)/remote.h \
+ $(srcdir)/lookup3.h $(srcdir)/rrl.h $(srcdir)/ixfr.h $(srcdir)/dnstap/dnstap_collector.h $(srcdir)/verify.h
siphash.o: $(srcdir)/siphash.c
-tsig.o: $(srcdir)/tsig.c config.h $(srcdir)/tsig.h $(srcdir)/buffer.h $(srcdir)/region-allocator.h $(srcdir)/util.h $(srcdir)/dname.h \
- $(srcdir)/tsig-openssl.h $(srcdir)/dns.h $(srcdir)/packet.h $(srcdir)/namedb.h $(srcdir)/radtree.h $(srcdir)/rbtree.h $(srcdir)/query.h $(srcdir)/nsd.h \
- $(srcdir)/edns.h
-tsig-openssl.o: $(srcdir)/tsig-openssl.c config.h $(srcdir)/tsig-openssl.h $(srcdir)/region-allocator.h \
- $(srcdir)/tsig.h $(srcdir)/buffer.h $(srcdir)/util.h $(srcdir)/dname.h
+tsig.o: $(srcdir)/tsig.c config.h $(srcdir)/tsig.h $(srcdir)/buffer.h \
+ $(srcdir)/region-allocator.h $(srcdir)/util.h $(srcdir)/dname.h $(srcdir)/tsig-openssl.h $(srcdir)/dns.h $(srcdir)/packet.h $(srcdir)/namedb.h \
+ $(srcdir)/radtree.h $(srcdir)/rbtree.h $(srcdir)/query.h $(srcdir)/nsd.h $(srcdir)/edns.h $(srcdir)/bitset.h
+tsig-openssl.o: $(srcdir)/tsig-openssl.c config.h $(srcdir)/tsig-openssl.h \
+ $(srcdir)/region-allocator.h $(srcdir)/tsig.h $(srcdir)/buffer.h $(srcdir)/util.h $(srcdir)/dname.h
udb.o: $(srcdir)/udb.c config.h $(srcdir)/udb.h $(srcdir)/lookup3.h $(srcdir)/util.h
-udbradtree.o: $(srcdir)/udbradtree.c config.h $(srcdir)/udbradtree.h $(srcdir)/udb.h $(srcdir)/radtree.h
-udbzone.o: $(srcdir)/udbzone.c config.h $(srcdir)/udbzone.h $(srcdir)/udb.h $(srcdir)/dns.h $(srcdir)/udbradtree.h $(srcdir)/util.h \
- $(srcdir)/iterated_hash.h $(srcdir)/dname.h $(srcdir)/buffer.h $(srcdir)/region-allocator.h $(srcdir)/difffile.h $(srcdir)/rbtree.h \
- $(srcdir)/namedb.h $(srcdir)/radtree.h $(srcdir)/options.h
-util.o: $(srcdir)/util.c config.h $(srcdir)/util.h $(srcdir)/region-allocator.h $(srcdir)/dname.h $(srcdir)/buffer.h \
- $(srcdir)/namedb.h $(srcdir)/dns.h $(srcdir)/radtree.h $(srcdir)/rbtree.h $(srcdir)/rdata.h $(srcdir)/zonec.h
-bitset.o: $(srcdir)/bitset.c $(srcdir)/bitset.h
-verify.o: $(srcdir)/verify.c config.h $(srcdir)/region-allocator.h $(srcdir)/namedb.h $(srcdir)/dname.h $(srcdir)/buffer.h \
- $(srcdir)/util.h config.h $(srcdir)/dns.h $(srcdir)/rbtree.h $(srcdir)/nsd.h $(srcdir)/edns.h $(srcdir)/options.h $(srcdir)/difffile.h \
- $(srcdir)/netio.h $(srcdir)/verify.h
-xfrd.o: $(srcdir)/xfrd.c config.h $(srcdir)/xfrd.h $(srcdir)/rbtree.h $(srcdir)/region-allocator.h $(srcdir)/namedb.h \
- $(srcdir)/dname.h $(srcdir)/buffer.h $(srcdir)/util.h $(srcdir)/dns.h $(srcdir)/radtree.h $(srcdir)/options.h $(srcdir)/tsig.h $(srcdir)/xfrd-tcp.h \
- $(srcdir)/xfrd-disk.h $(srcdir)/xfrd-notify.h $(srcdir)/netio.h $(srcdir)/nsd.h $(srcdir)/edns.h $(srcdir)/packet.h $(srcdir)/rdata.h \
- $(srcdir)/difffile.h $(srcdir)/udb.h $(srcdir)/ipc.h $(srcdir)/remote.h $(srcdir)/rrl.h $(srcdir)/query.h $(srcdir)/dnstap/dnstap_collector.h
-xfrd-disk.o: $(srcdir)/xfrd-disk.c config.h $(srcdir)/xfrd-disk.h $(srcdir)/xfrd.h $(srcdir)/rbtree.h \
+udbradtree.o: $(srcdir)/udbradtree.c config.h $(srcdir)/udbradtree.h $(srcdir)/udb.h \
+ $(srcdir)/radtree.h
+udbzone.o: $(srcdir)/udbzone.c config.h $(srcdir)/udbzone.h $(srcdir)/udb.h $(srcdir)/dns.h \
+ $(srcdir)/udbradtree.h $(srcdir)/util.h $(srcdir)/iterated_hash.h $(srcdir)/dname.h $(srcdir)/buffer.h $(srcdir)/region-allocator.h \
+ $(srcdir)/difffile.h $(srcdir)/rbtree.h $(srcdir)/namedb.h $(srcdir)/radtree.h $(srcdir)/options.h
+util.o: $(srcdir)/util.c config.h $(srcdir)/util.h $(srcdir)/region-allocator.h $(srcdir)/dname.h \
+ $(srcdir)/buffer.h $(srcdir)/namedb.h $(srcdir)/dns.h $(srcdir)/radtree.h $(srcdir)/rbtree.h $(srcdir)/rdata.h $(srcdir)/zonec.h $(srcdir)/nsd.h $(srcdir)/edns.h \
+ $(srcdir)/bitset.h
+verify.o: $(srcdir)/verify.c config.h $(srcdir)/region-allocator.h $(srcdir)/namedb.h \
+ $(srcdir)/dname.h $(srcdir)/buffer.h $(srcdir)/util.h $(srcdir)/dns.h $(srcdir)/radtree.h $(srcdir)/rbtree.h $(srcdir)/nsd.h $(srcdir)/edns.h $(srcdir)/bitset.h \
+ $(srcdir)/options.h $(srcdir)/difffile.h $(srcdir)/udb.h $(srcdir)/verify.h $(srcdir)/mini_event.h $(srcdir)/popen3.h
+xfrd.o: $(srcdir)/xfrd.c config.h $(srcdir)/xfrd.h $(srcdir)/mini_event.h $(srcdir)/rbtree.h \
$(srcdir)/region-allocator.h $(srcdir)/namedb.h $(srcdir)/dname.h $(srcdir)/buffer.h $(srcdir)/util.h $(srcdir)/dns.h $(srcdir)/radtree.h \
- $(srcdir)/options.h $(srcdir)/tsig.h $(srcdir)/nsd.h $(srcdir)/edns.h
-xfrd-notify.o: $(srcdir)/xfrd-notify.c config.h $(srcdir)/xfrd-notify.h $(srcdir)/tsig.h $(srcdir)/buffer.h \
- $(srcdir)/region-allocator.h $(srcdir)/util.h $(srcdir)/dname.h $(srcdir)/rbtree.h $(srcdir)/xfrd.h $(srcdir)/namedb.h $(srcdir)/dns.h \
- $(srcdir)/radtree.h $(srcdir)/options.h $(srcdir)/xfrd-tcp.h $(srcdir)/packet.h
-xfrd-tcp.o: $(srcdir)/xfrd-tcp.c config.h $(srcdir)/nsd.h $(srcdir)/dns.h $(srcdir)/edns.h $(srcdir)/buffer.h \
- $(srcdir)/region-allocator.h $(srcdir)/util.h $(srcdir)/xfrd-tcp.h $(srcdir)/xfrd.h $(srcdir)/rbtree.h $(srcdir)/namedb.h $(srcdir)/dname.h \
- $(srcdir)/radtree.h $(srcdir)/options.h $(srcdir)/tsig.h $(srcdir)/packet.h $(srcdir)/xfrd-disk.h
-xfr-inspect.o: $(srcdir)/xfr-inspect.c config.h $(srcdir)/udbzone.h $(srcdir)/udb.h $(srcdir)/dns.h $(srcdir)/udbradtree.h \
- $(srcdir)/util.h $(srcdir)/buffer.h $(srcdir)/region-allocator.h $(srcdir)/packet.h $(srcdir)/namedb.h $(srcdir)/dname.h $(srcdir)/radtree.h \
- $(srcdir)/rbtree.h $(srcdir)/rdata.h $(srcdir)/difffile.h $(srcdir)/options.h
-zlexer.o: zlexer.c config.h $(srcdir)/zonec.h $(srcdir)/namedb.h $(srcdir)/dname.h $(srcdir)/buffer.h \
- $(srcdir)/region-allocator.h $(srcdir)/util.h $(srcdir)/dns.h $(srcdir)/radtree.h $(srcdir)/rbtree.h zparser.h
-zonec.o: $(srcdir)/zonec.c config.h $(srcdir)/zonec.h $(srcdir)/namedb.h $(srcdir)/dname.h $(srcdir)/buffer.h \
- $(srcdir)/region-allocator.h $(srcdir)/util.h $(srcdir)/dns.h $(srcdir)/radtree.h $(srcdir)/rbtree.h $(srcdir)/rdata.h zparser.h \
- $(srcdir)/options.h $(srcdir)/nsec3.h
-zparser.o: zparser.c config.h $(srcdir)/dname.h $(srcdir)/buffer.h $(srcdir)/region-allocator.h $(srcdir)/util.h \
- $(srcdir)/namedb.h $(srcdir)/dns.h $(srcdir)/radtree.h $(srcdir)/rbtree.h $(srcdir)/zonec.h
+ $(srcdir)/options.h $(srcdir)/tsig.h $(srcdir)/xfrd-tcp.h $(srcdir)/xfrd-disk.h $(srcdir)/xfrd-notify.h $(srcdir)/netio.h $(srcdir)/nsd.h \
+ $(srcdir)/edns.h $(srcdir)/bitset.h $(srcdir)/packet.h $(srcdir)/rdata.h $(srcdir)/difffile.h $(srcdir)/udb.h $(srcdir)/ipc.h $(srcdir)/remote.h $(srcdir)/rrl.h \
+ $(srcdir)/query.h $(srcdir)/dnstap/dnstap_collector.h
+xfrd-disk.o: $(srcdir)/xfrd-disk.c config.h $(srcdir)/xfrd-disk.h $(srcdir)/xfrd.h \
+ $(srcdir)/mini_event.h $(srcdir)/rbtree.h $(srcdir)/region-allocator.h $(srcdir)/namedb.h $(srcdir)/dname.h $(srcdir)/buffer.h \
+ $(srcdir)/util.h $(srcdir)/dns.h $(srcdir)/radtree.h $(srcdir)/options.h $(srcdir)/tsig.h $(srcdir)/nsd.h $(srcdir)/edns.h $(srcdir)/bitset.h
+xfrd-notify.o: $(srcdir)/xfrd-notify.c config.h $(srcdir)/xfrd-notify.h \
+ $(srcdir)/mini_event.h $(srcdir)/rbtree.h $(srcdir)/region-allocator.h $(srcdir)/tsig.h $(srcdir)/buffer.h $(srcdir)/util.h $(srcdir)/dname.h \
+ $(srcdir)/xfrd.h $(srcdir)/namedb.h $(srcdir)/dns.h $(srcdir)/radtree.h $(srcdir)/options.h $(srcdir)/xfrd-tcp.h $(srcdir)/packet.h
+xfrd-tcp.o: $(srcdir)/xfrd-tcp.c config.h $(srcdir)/nsd.h $(srcdir)/dns.h $(srcdir)/edns.h \
+ $(srcdir)/buffer.h $(srcdir)/region-allocator.h $(srcdir)/util.h $(srcdir)/bitset.h $(srcdir)/xfrd-tcp.h $(srcdir)/xfrd.h \
+ $(srcdir)/mini_event.h $(srcdir)/rbtree.h $(srcdir)/namedb.h $(srcdir)/dname.h $(srcdir)/radtree.h $(srcdir)/options.h $(srcdir)/tsig.h \
+ $(srcdir)/packet.h $(srcdir)/xfrd-disk.h
+xfr-inspect.o: $(srcdir)/xfr-inspect.c config.h $(srcdir)/udbzone.h $(srcdir)/udb.h \
+ $(srcdir)/dns.h $(srcdir)/udbradtree.h $(srcdir)/util.h $(srcdir)/buffer.h $(srcdir)/region-allocator.h $(srcdir)/packet.h $(srcdir)/namedb.h \
+ $(srcdir)/dname.h $(srcdir)/radtree.h $(srcdir)/rbtree.h $(srcdir)/rdata.h $(srcdir)/difffile.h $(srcdir)/options.h
+zlexer.o: zlexer.c config.h $(srcdir)/zonec.h $(srcdir)/namedb.h $(srcdir)/dname.h \
+ $(srcdir)/buffer.h $(srcdir)/region-allocator.h $(srcdir)/util.h $(srcdir)/dns.h $(srcdir)/radtree.h $(srcdir)/rbtree.h zparser.h
+zonec.o: $(srcdir)/zonec.c config.h $(srcdir)/zonec.h $(srcdir)/namedb.h $(srcdir)/dname.h \
+ $(srcdir)/buffer.h $(srcdir)/region-allocator.h $(srcdir)/util.h $(srcdir)/dns.h $(srcdir)/radtree.h $(srcdir)/rbtree.h $(srcdir)/rdata.h \
+ zparser.h $(srcdir)/options.h $(srcdir)/nsec3.h
+zparser.o: zparser.c config.h $(srcdir)/dname.h $(srcdir)/buffer.h \
+ $(srcdir)/region-allocator.h $(srcdir)/util.h $(srcdir)/namedb.h $(srcdir)/dns.h $(srcdir)/radtree.h $(srcdir)/rbtree.h $(srcdir)/zonec.h \
+ zparser.h
b64_ntop.o: $(srcdir)/compat/b64_ntop.c config.h
b64_pton.o: $(srcdir)/compat/b64_pton.c config.h
basename.o: $(srcdir)/compat/basename.c
-fake-rfc2553.o: $(srcdir)/compat/fake-rfc2553.c $(srcdir)/compat/fake-rfc2553.h config.h
-cpuset.o: $(srcdir)/compat/cpuset.c $(srcdir)/compat/cpuset.h config.h
+cpuset.o: $(srcdir)/compat/cpuset.c config.h
+explicit_bzero.o: $(srcdir)/compat/explicit_bzero.c config.h
+fake-rfc2553.o: $(srcdir)/compat/fake-rfc2553.c $(srcdir)/compat/fake-rfc2553.h config.h \
+
inet_aton.o: $(srcdir)/compat/inet_aton.c config.h
inet_ntop.o: $(srcdir)/compat/inet_ntop.c config.h
inet_pton.o: $(srcdir)/compat/inet_pton.c config.h
@@ -550,29 +584,39 @@ memcmp.o: $(srcdir)/compat/memcmp.c config.h
memmove.o: $(srcdir)/compat/memmove.c config.h
pselect.o: $(srcdir)/compat/pselect.c config.h
reallocarray.o: $(srcdir)/compat/reallocarray.c config.h
+setproctitle.o: $(srcdir)/compat/setproctitle.c config.h
snprintf.o: $(srcdir)/compat/snprintf.c config.h
strlcat.o: $(srcdir)/compat/strlcat.c config.h
strlcpy.o: $(srcdir)/compat/strlcpy.c config.h
strptime.o: $(srcdir)/compat/strptime.c
-setproctitle.o: $(srcdir)/compat/setproctitle.c config.h
-explicit_bzero.o: $(srcdir)/compat/explicit_bzero.c config.h
-cutest.o: $(srcdir)/tpkg/cutest/cutest.c config.h $(srcdir)/tpkg/cutest/cutest.h
-cutest_dname.o: $(srcdir)/tpkg/cutest/cutest_dname.c config.h $(srcdir)/tpkg/cutest/cutest.h \
- $(srcdir)/region-allocator.h $(srcdir)/dname.h $(srcdir)/buffer.h $(srcdir)/region-allocator.h $(srcdir)/util.h
-cutest_dns.o: $(srcdir)/tpkg/cutest/cutest_dns.c config.h $(srcdir)/tpkg/cutest/cutest.h \
- $(srcdir)/region-allocator.h $(srcdir)/dns.h
+cutest_bitset.o: $(srcdir)/tpkg/cutest/cutest_bitset.c $(srcdir)/bitset.h \
+ $(srcdir)/tpkg/cutest/cutest.h
+cutest.o: $(srcdir)/tpkg/cutest/cutest.c config.h \
+ $(srcdir)/tpkg/cutest/cutest.h
+cutest_dname.o: $(srcdir)/tpkg/cutest/cutest_dname.c config.h \
+ $(srcdir)/tpkg/cutest/cutest.h $(srcdir)/region-allocator.h $(srcdir)/dname.h $(srcdir)/buffer.h \
+ $(srcdir)/region-allocator.h $(srcdir)/util.h
+cutest_dns.o: $(srcdir)/tpkg/cutest/cutest_dns.c config.h \
+ $(srcdir)/tpkg/cutest/cutest.h $(srcdir)/region-allocator.h $(srcdir)/dns.h
+cutest_event.o: $(srcdir)/tpkg/cutest/cutest_event.c config.h \
+ $(srcdir)/mini_event.h $(srcdir)/rbtree.h $(srcdir)/region-allocator.h $(srcdir)/nsd.h $(srcdir)/dns.h $(srcdir)/edns.h $(srcdir)/buffer.h \
+ $(srcdir)/util.h $(srcdir)/bitset.h $(srcdir)/tpkg/cutest/cutest.h
cutest_iterated_hash.o: $(srcdir)/tpkg/cutest/cutest_iterated_hash.c config.h \
- $(srcdir)/tpkg/cutest/cutest.h $(srcdir)/region-allocator.h $(srcdir)/util.h $(srcdir)/iterated_hash.h $(srcdir)/dname.h \
- $(srcdir)/buffer.h $(srcdir)/region-allocator.h $(srcdir)/util.h
+ $(srcdir)/tpkg/cutest/cutest.h $(srcdir)/region-allocator.h $(srcdir)/util.h \
+ $(srcdir)/iterated_hash.h $(srcdir)/dname.h $(srcdir)/buffer.h $(srcdir)/region-allocator.h $(srcdir)/util.h
+cutest_iter.o: $(srcdir)/tpkg/cutest/cutest_iter.c config.h $(srcdir)/nsd.h \
+ $(srcdir)/dns.h $(srcdir)/edns.h $(srcdir)/buffer.h $(srcdir)/region-allocator.h $(srcdir)/util.h $(srcdir)/bitset.h $(srcdir)/options.h \
+ $(srcdir)/rbtree.h $(srcdir)/namedb.h $(srcdir)/dname.h $(srcdir)/radtree.h $(srcdir)/tpkg/cutest/cutest.h
cutest_namedb.o: $(srcdir)/tpkg/cutest/cutest_namedb.c config.h \
- $(srcdir)/tpkg/cutest/cutest.h $(srcdir)/region-allocator.h $(srcdir)/options.h config.h \
- $(srcdir)/region-allocator.h $(srcdir)/rbtree.h $(srcdir)/namedb.h $(srcdir)/dname.h $(srcdir)/buffer.h $(srcdir)/util.h $(srcdir)/dns.h \
- $(srcdir)/radtree.h $(srcdir)/nsec3.h $(srcdir)/udb.h $(srcdir)/udbzone.h $(srcdir)/udb.h $(srcdir)/udbradtree.h $(srcdir)/difffile.h $(srcdir)/namedb.h \
- $(srcdir)/options.h $(srcdir)/zonec.h $(srcdir)/nsd.h $(srcdir)/edns.h
+ $(srcdir)/tpkg/cutest/cutest.h $(srcdir)/region-allocator.h $(srcdir)/options.h $(srcdir)/region-allocator.h \
+ $(srcdir)/rbtree.h $(srcdir)/namedb.h $(srcdir)/dname.h $(srcdir)/buffer.h $(srcdir)/util.h $(srcdir)/dns.h $(srcdir)/radtree.h $(srcdir)/nsec3.h $(srcdir)/udb.h \
+ $(srcdir)/udbzone.h $(srcdir)/udb.h $(srcdir)/udbradtree.h $(srcdir)/difffile.h $(srcdir)/namedb.h $(srcdir)/options.h $(srcdir)/zonec.h $(srcdir)/nsd.h \
+ $(srcdir)/edns.h $(srcdir)/bitset.h
cutest_options.o: $(srcdir)/tpkg/cutest/cutest_options.c config.h \
- $(srcdir)/tpkg/cutest/cutest.h $(srcdir)/region-allocator.h $(srcdir)/options.h config.h \
- $(srcdir)/region-allocator.h $(srcdir)/rbtree.h $(srcdir)/util.h $(srcdir)/dname.h $(srcdir)/buffer.h $(srcdir)/util.h $(srcdir)/nsd.h $(srcdir)/dns.h \
- $(srcdir)/edns.h
+ $(srcdir)/tpkg/cutest/cutest.h $(srcdir)/region-allocator.h $(srcdir)/options.h $(srcdir)/region-allocator.h \
+ $(srcdir)/rbtree.h $(srcdir)/util.h $(srcdir)/dname.h $(srcdir)/buffer.h $(srcdir)/util.h $(srcdir)/nsd.h $(srcdir)/dns.h $(srcdir)/edns.h $(srcdir)/bitset.h
+cutest_popen3.o: $(srcdir)/tpkg/cutest/cutest_popen3.c config.h \
+ $(srcdir)/popen3.h $(srcdir)/tpkg/cutest/cutest.h
cutest_radtree.o: $(srcdir)/tpkg/cutest/cutest_radtree.c config.h \
$(srcdir)/tpkg/cutest/cutest.h $(srcdir)/radtree.h $(srcdir)/region-allocator.h $(srcdir)/util.h
cutest_rbtree.o: $(srcdir)/tpkg/cutest/cutest_rbtree.c config.h \
@@ -580,23 +624,27 @@ cutest_rbtree.o: $(srcdir)/tpkg/cutest/cutest_rbtree.c config.h \
cutest_region.o: $(srcdir)/tpkg/cutest/cutest_region.c config.h \
$(srcdir)/tpkg/cutest/cutest.h $(srcdir)/region-allocator.h $(srcdir)/util.h $(srcdir)/rbtree.h \
$(srcdir)/region-allocator.h
-cutest_rrl.o: $(srcdir)/tpkg/cutest/cutest_rrl.c config.h $(srcdir)/tpkg/cutest/cutest.h \
- $(srcdir)/rrl.h $(srcdir)/query.h $(srcdir)/namedb.h $(srcdir)/dname.h $(srcdir)/buffer.h $(srcdir)/region-allocator.h $(srcdir)/util.h $(srcdir)/dns.h \
- $(srcdir)/radtree.h $(srcdir)/rbtree.h $(srcdir)/nsd.h $(srcdir)/edns.h $(srcdir)/packet.h $(srcdir)/tsig.h
-cutest_run.o: $(srcdir)/tpkg/cutest/cutest_run.c config.h $(srcdir)/tpkg/cutest/cutest.h \
- $(srcdir)/tpkg/cutest/qtest.h $(srcdir)/buffer.h $(srcdir)/region-allocator.h $(srcdir)/util.h $(srcdir)/nsd.h $(srcdir)/dns.h \
- $(srcdir)/edns.h $(srcdir)/buffer.h
-cutest_udb.o: $(srcdir)/tpkg/cutest/cutest_udb.c config.h $(srcdir)/tpkg/cutest/cutest.h \
- $(srcdir)/udb.h
+cutest_rrl.o: $(srcdir)/tpkg/cutest/cutest_rrl.c config.h \
+ $(srcdir)/tpkg/cutest/cutest.h $(srcdir)/rrl.h $(srcdir)/query.h $(srcdir)/namedb.h $(srcdir)/dname.h $(srcdir)/buffer.h \
+ $(srcdir)/region-allocator.h $(srcdir)/util.h $(srcdir)/dns.h $(srcdir)/radtree.h $(srcdir)/rbtree.h $(srcdir)/nsd.h $(srcdir)/edns.h $(srcdir)/bitset.h \
+ $(srcdir)/packet.h $(srcdir)/tsig.h
+cutest_run.o: $(srcdir)/tpkg/cutest/cutest_run.c config.h \
+ $(srcdir)/tpkg/cutest/cutest.h $(srcdir)/tpkg/cutest/qtest.h $(srcdir)/buffer.h $(srcdir)/region-allocator.h \
+ $(srcdir)/util.h $(srcdir)/nsd.h $(srcdir)/dns.h $(srcdir)/edns.h $(srcdir)/buffer.h $(srcdir)/bitset.h
+cutest_udb.o: $(srcdir)/tpkg/cutest/cutest_udb.c config.h \
+ $(srcdir)/tpkg/cutest/cutest.h $(srcdir)/udb.h
cutest_udbrad.o: $(srcdir)/tpkg/cutest/cutest_udbrad.c config.h \
$(srcdir)/tpkg/cutest/cutest.h $(srcdir)/udbradtree.h $(srcdir)/udb.h
-cutest_util.o: $(srcdir)/tpkg/cutest/cutest_util.c config.h $(srcdir)/tpkg/cutest/cutest.h \
- $(srcdir)/region-allocator.h $(srcdir)/util.h $(srcdir)/xfrd-tcp.h
-qtest.o: $(srcdir)/tpkg/cutest/qtest.c config.h $(srcdir)/tpkg/cutest/qtest.h $(srcdir)/buffer.h \
- $(srcdir)/region-allocator.h $(srcdir)/util.h $(srcdir)/query.h $(srcdir)/namedb.h $(srcdir)/dname.h $(srcdir)/buffer.h $(srcdir)/dns.h \
- $(srcdir)/radtree.h $(srcdir)/rbtree.h $(srcdir)/nsd.h $(srcdir)/edns.h $(srcdir)/packet.h $(srcdir)/tsig.h $(srcdir)/namedb.h $(srcdir)/util.h $(srcdir)/nsec3.h \
- $(srcdir)/options.h config.h $(srcdir)/packet.h $(srcdir)/dname.h $(srcdir)/rdata.h
-udb-inspect.o: $(srcdir)/tpkg/cutest/udb-inspect.c config.h $(srcdir)/udb.h $(srcdir)/udbradtree.h \
- $(srcdir)/udb.h $(srcdir)/udbzone.h $(srcdir)/dns.h $(srcdir)/udbradtree.h $(srcdir)/util.h $(srcdir)/buffer.h $(srcdir)/region-allocator.h \
- $(srcdir)/util.h $(srcdir)/packet.h $(srcdir)/namedb.h $(srcdir)/dname.h $(srcdir)/buffer.h $(srcdir)/radtree.h $(srcdir)/rbtree.h $(srcdir)/rdata.h \
- $(srcdir)/namedb.h $(srcdir)/difffile.h $(srcdir)/options.h config.h
+cutest_util.o: $(srcdir)/tpkg/cutest/cutest_util.c config.h \
+ $(srcdir)/tpkg/cutest/cutest.h $(srcdir)/region-allocator.h $(srcdir)/util.h $(srcdir)/xfrd-tcp.h $(srcdir)/xfrd.h \
+ $(srcdir)/mini_event.h $(srcdir)/rbtree.h $(srcdir)/region-allocator.h $(srcdir)/namedb.h $(srcdir)/dname.h $(srcdir)/buffer.h \
+ $(srcdir)/util.h $(srcdir)/dns.h $(srcdir)/radtree.h $(srcdir)/options.h $(srcdir)/tsig.h
+popen3_echo.o: $(srcdir)/tpkg/cutest/popen3_echo.c
+qtest.o: $(srcdir)/tpkg/cutest/qtest.c config.h $(srcdir)/tpkg/cutest/qtest.h \
+ $(srcdir)/buffer.h $(srcdir)/region-allocator.h $(srcdir)/util.h $(srcdir)/query.h $(srcdir)/namedb.h $(srcdir)/dname.h $(srcdir)/buffer.h \
+ $(srcdir)/dns.h $(srcdir)/radtree.h $(srcdir)/rbtree.h $(srcdir)/nsd.h $(srcdir)/edns.h $(srcdir)/bitset.h $(srcdir)/packet.h $(srcdir)/tsig.h $(srcdir)/namedb.h \
+ $(srcdir)/util.h $(srcdir)/nsec3.h $(srcdir)/options.h $(srcdir)/packet.h $(srcdir)/dname.h $(srcdir)/rdata.h
+udb-inspect.o: $(srcdir)/tpkg/cutest/udb-inspect.c config.h $(srcdir)/udb.h \
+ $(srcdir)/udbradtree.h $(srcdir)/udb.h $(srcdir)/udbzone.h $(srcdir)/dns.h $(srcdir)/udbradtree.h $(srcdir)/util.h $(srcdir)/buffer.h \
+ $(srcdir)/region-allocator.h $(srcdir)/util.h $(srcdir)/packet.h $(srcdir)/namedb.h $(srcdir)/dname.h $(srcdir)/buffer.h $(srcdir)/radtree.h \
+ $(srcdir)/rbtree.h $(srcdir)/rdata.h $(srcdir)/namedb.h $(srcdir)/difffile.h $(srcdir)/options.h
diff --git a/usr.sbin/nsd/README.md b/usr.sbin/nsd/README.md
index 3fa56a21fd2..4f1dfd8a26d 100644
--- a/usr.sbin/nsd/README.md
+++ b/usr.sbin/nsd/README.md
@@ -1,9 +1,9 @@
# NSD
-[![Travis Build Status](https://travis-ci.org/NLnetLabs/nsd.svg?branch=master)](https://travis-ci.org/NLnetLabs/nsd)
-[![Cirrus Build Status](https://api.cirrus-ci.com/github/NLnetLabs/nsd.svg)](https://cirrus-ci.com/github/NLnetLabs/nsd)
+[![Cirrus Build Status](https://api.cirrus-ci.com/github/NLnetLabs/nsd.svg?branch=master)](https://cirrus-ci.com/github/NLnetLabs/nsd)
[![Packaging status](https://repology.org/badge/tiny-repos/nsd.svg)](https://repology.org/project/nsd/versions)
[![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/1462/badge)](https://bestpractices.coreinfrastructure.org/projects/1462)
+[![Mastodon Follow](https://img.shields.io/mastodon/follow/109262826617293067?domain=https%3A%2F%2Ffosstodon.org&style=social)](https://fosstodon.org/@nlnetlabs)
The NLnet Labs Name Server Daemon (NSD) is an authoritative DNS name server.
It has been developed for operations in environments where speed,
@@ -28,7 +28,7 @@ The repository does not contain `./configure`, but you can generate it like
this (note that the `./configure` is included in release tarballs so they do not have to be generated):
```
-aclocal && autoconf && autoheader
+autoreconf -fi
```
NSD can be compiled and installed using:
diff --git a/usr.sbin/nsd/acx_nlnetlabs.m4 b/usr.sbin/nsd/acx_nlnetlabs.m4
index cf436ec54bb..f27615bd8bc 100644
--- a/usr.sbin/nsd/acx_nlnetlabs.m4
+++ b/usr.sbin/nsd/acx_nlnetlabs.m4
@@ -2,7 +2,9 @@
# Copyright 2009, Wouter Wijngaards, NLnet Labs.
# BSD licensed.
#
-# Version 44
+# Version 46
+# 2023-05-04 fix to remove unused whitespace.
+# 2023-01-26 fix -Wstrict-prototypes.
# 2022-09-01 fix checking if nonblocking sockets work on OpenBSD.
# 2021-08-17 fix sed script in ssldir split handling.
# 2021-08-17 fix for openssl to detect split version, with ssldir_include
@@ -187,7 +189,7 @@ dnl cache=`echo $1 | sed 'y%.=/+- %___p__%'`
AC_CACHE_VAL(cv_prog_cc_flag_needed_$cache,
[
echo '$2' > conftest.c
-echo 'void f(){}' >>conftest.c
+echo 'void f(void){}' >>conftest.c
if test -z "`$CC $CPPFLAGS $CFLAGS $ERRFLAG -c conftest.c 2>&1`"; then
eval "cv_prog_cc_flag_needed_$cache=no"
else
@@ -233,7 +235,7 @@ dnl DEPFLAG: set to flag that generates dependencies.
AC_DEFUN([ACX_DEPFLAG],
[
AC_MSG_CHECKING([$CC dependency flag])
-echo 'void f(){}' >conftest.c
+echo 'void f(void){}' >conftest.c
if test "`$CC -MM conftest.c 2>&1`" = "conftest.o: conftest.c"; then
DEPFLAG="-MM"
else
@@ -272,7 +274,7 @@ ACX_CHECK_COMPILER_FLAG_NEEDED($C99FLAG -D__EXTENSIONS__ -D_BSD_SOURCE -D_DEFAUL
#include <getopt.h>
#endif
-int test() {
+int test(void) {
int a;
char **opts = NULL;
struct timeval tv;
@@ -309,7 +311,7 @@ ACX_CHECK_COMPILER_FLAG_NEEDED($C99FLAG -D__EXTENSIONS__ -D_BSD_SOURCE -D_DEFAUL
#include <getopt.h>
#endif
-int test() {
+int test(void) {
int a;
char **opts = NULL;
struct timeval tv;
@@ -335,7 +337,7 @@ ACX_CHECK_COMPILER_FLAG_NEEDED($C99FLAG,
[
#include <stdbool.h>
#include <ctype.h>
-int test() {
+int test(void) {
int a = 0;
return a;
}
@@ -345,7 +347,7 @@ ACX_CHECK_COMPILER_FLAG_NEEDED(-D_BSD_SOURCE -D_DEFAULT_SOURCE,
[
#include <ctype.h>
-int test() {
+int test(void) {
int a;
a = isascii(32);
return a;
@@ -356,7 +358,7 @@ ACX_CHECK_COMPILER_FLAG_NEEDED(-D_GNU_SOURCE,
[
#include <netinet/in.h>
-int test() {
+int test(void) {
struct in6_pktinfo inf;
int a = (int)sizeof(inf);
return a;
@@ -370,7 +372,7 @@ ACX_CHECK_COMPILER_FLAG_NEEDED(-D_GNU_SOURCE -D_FRSRESGID,
[
#include <unistd.h>
-int test() {
+int test(void) {
int a = setresgid(0,0,0);
a = setresuid(0,0,0);
return a;
@@ -385,7 +387,7 @@ ACX_CHECK_COMPILER_FLAG_NEEDED(-D_POSIX_C_SOURCE=200112,
#endif
#include <netdb.h>
-int test() {
+int test(void) {
int a = 0;
char *t;
time_t time = 0;
@@ -413,7 +415,7 @@ ACX_CHECK_COMPILER_FLAG_NEEDED(-D__EXTENSIONS__,
#include <getopt.h>
#endif
-int test() {
+int test(void) {
int a;
char **opts = NULL;
struct timeval tv;
@@ -475,7 +477,7 @@ fi
dnl Setup ATTR_FORMAT config.h parts.
dnl make sure you call ACX_CHECK_FORMAT_ATTRIBUTE also.
AC_DEFUN([AHX_CONFIG_FORMAT_ATTRIBUTE],
-[
+[
#ifdef HAVE_ATTR_FORMAT
# define ATTR_FORMAT(archetype, string_index, first_to_check) \
__attribute__ ((format (archetype, string_index, first_to_check)))
@@ -834,7 +836,7 @@ dnl try to see if an additional _LARGEFILE_SOURCE 1 is needed to get fseeko
ACX_CHECK_COMPILER_FLAG_NEEDED(-D_LARGEFILE_SOURCE=1,
[
#include <stdio.h>
-int test() {
+int test(void) {
int a = fseeko(stdin, 0, 0);
return a;
}
@@ -859,7 +861,7 @@ char* (*f) () = getaddrinfo;
#ifdef __cplusplus
}
#endif
-int main() {
+int main(void) {
;
return 0;
}
@@ -923,7 +925,7 @@ cache=`echo $1 | sed 'y%.=/+-%___p_%'`
AC_CACHE_VAL(cv_cc_deprecated_$cache,
[
echo '$3' >conftest.c
-echo 'void f(){ $2 }' >>conftest.c
+echo 'void f(void){ $2 }' >>conftest.c
if test -z "`$CC $CPPFLAGS $CFLAGS -c conftest.c 2>&1 | grep -e deprecated -e unavailable`"; then
eval "cv_cc_deprecated_$cache=no"
else
@@ -1317,7 +1319,7 @@ AC_DEFUN([AHX_CONFIG_W32_FD_SET_T],
#ifdef HAVE_WINSOCK2_H
#define FD_SET_T (u_int)
#else
-#define FD_SET_T
+#define FD_SET_T
#endif
])
@@ -1355,7 +1357,7 @@ dnl $3: define value, 1
AC_DEFUN([AHX_CONFIG_FLAG_OMITTED],
[#if defined($1) && !defined($2)
#define $2 $3
-[#]endif ])
+[#]endif])
dnl Wrapper for AHX_CONFIG_FLAG_OMITTED for -D style flags
dnl $1: the -DNAME or -DNAME=value string.
diff --git a/usr.sbin/nsd/answer.h b/usr.sbin/nsd/answer.h
index acb3665af11..43ae584b9b5 100644
--- a/usr.sbin/nsd/answer.h
+++ b/usr.sbin/nsd/answer.h
@@ -7,8 +7,8 @@
*
*/
-#ifndef _ANSWER_H_
-#define _ANSWER_H_
+#ifndef ANSWER_H
+#define ANSWER_H
#include <sys/types.h>
@@ -44,4 +44,4 @@ int answer_add_rrset(answer_type *answer, rr_section_type section,
domain_type *domain, rrset_type *rrset);
-#endif /* _ANSWER_H_ */
+#endif /* ANSWER_H */
diff --git a/usr.sbin/nsd/axfr.c b/usr.sbin/nsd/axfr.c
index dbf3eef914d..10f3802f1c7 100644
--- a/usr.sbin/nsd/axfr.c
+++ b/usr.sbin/nsd/axfr.c
@@ -116,11 +116,25 @@ query_axfr(struct nsd *nsd, struct query *query, int wstats)
&& query->axfr_current_rrset->zone == query->axfr_zone)
{
while (query->axfr_current_rr < query->axfr_current_rrset->rr_count) {
+ size_t oldmaxlen = query->maxlen;
+ if(total_added == 0)
+ /* RR > 16K can be first RR */
+ query->maxlen = (query->tcp?TCP_MAX_MESSAGE_LEN:UDP_MAX_MESSAGE_LEN);
added = packet_encode_rr(
query,
query->axfr_current_domain,
&query->axfr_current_rrset->rrs[query->axfr_current_rr],
query->axfr_current_rrset->rrs[query->axfr_current_rr].ttl);
+ if(total_added == 0) {
+ query->maxlen = oldmaxlen;
+ if(query_overflow(query)) {
+ if(added) {
+ ++total_added;
+ ++query->axfr_current_rr;
+ goto return_answer;
+ }
+ }
+ }
if (!added)
goto return_answer;
++total_added;
diff --git a/usr.sbin/nsd/axfr.h b/usr.sbin/nsd/axfr.h
index 105cd5362d5..7f80d1838c6 100644
--- a/usr.sbin/nsd/axfr.h
+++ b/usr.sbin/nsd/axfr.h
@@ -7,8 +7,8 @@
*
*/
-#ifndef _AXFR_H_
-#define _AXFR_H_
+#ifndef AXFR_H
+#define AXFR_H
#include "nsd.h"
#include "query.h"
@@ -22,4 +22,4 @@
query_state_type answer_axfr_ixfr(struct nsd *nsd, struct query *q);
query_state_type query_axfr(struct nsd *nsd, struct query *query, int wstats);
-#endif /* _AXFR_H_ */
+#endif /* AXFR_H */
diff --git a/usr.sbin/nsd/bitset.h b/usr.sbin/nsd/bitset.h
index 85ed3bfb16f..ddd9747656c 100644
--- a/usr.sbin/nsd/bitset.h
+++ b/usr.sbin/nsd/bitset.h
@@ -6,8 +6,8 @@
* See LICENSE for the license.
*
*/
-#ifndef _BITSET_H_
-#define _BITSET_H_
+#ifndef BITSET_H
+#define BITSET_H
#include <assert.h>
#include <limits.h>
@@ -37,4 +37,4 @@ void nsd_bitset_or(
struct nsd_bitset *srcset1,
struct nsd_bitset *srcset2);
-#endif /* _BITSET_H_ */
+#endif /* BITSET_H */
diff --git a/usr.sbin/nsd/buffer.h b/usr.sbin/nsd/buffer.h
index 9e17bc95844..9cf5321470a 100644
--- a/usr.sbin/nsd/buffer.h
+++ b/usr.sbin/nsd/buffer.h
@@ -10,8 +10,8 @@
* the java.nio.Buffer interface.
*/
-#ifndef _BUFFER_H_
-#define _BUFFER_H_
+#ifndef BUFFER_H
+#define BUFFER_H
#include <assert.h>
#include <stdarg.h>
@@ -411,4 +411,4 @@ buffer_read_u64(buffer_type *buffer)
int buffer_printf(buffer_type *buffer, const char *format, ...)
ATTR_FORMAT(printf, 2, 3);
-#endif /* _BUFFER_H_ */
+#endif /* BUFFER_H */
diff --git a/usr.sbin/nsd/config.h.in b/usr.sbin/nsd/config.h.in
index 741669c83fe..96b7fa15cad 100644
--- a/usr.sbin/nsd/config.h.in
+++ b/usr.sbin/nsd/config.h.in
@@ -592,9 +592,6 @@
safely assume C89 semantics that RETSIGTYPE is void.' */
#undef RETSIGTYPE
-/* Define this to configure as a root server. */
-#undef ROOT_SERVER
-
/* The size of `off_t', as computed by sizeof. */
#undef SIZEOF_OFF_T
diff --git a/usr.sbin/nsd/configlexer.lex b/usr.sbin/nsd/configlexer.lex
index 65b635cbca8..836dd8009dc 100644
--- a/usr.sbin/nsd/configlexer.lex
+++ b/usr.sbin/nsd/configlexer.lex
@@ -272,6 +272,12 @@ zonefiles-write{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_ZONEFILES_WRITE;
dnstap{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_DNSTAP;}
dnstap-enable{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_DNSTAP_ENABLE;}
dnstap-socket-path{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_DNSTAP_SOCKET_PATH; }
+dnstap-ip{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_DNSTAP_IP; }
+dnstap-tls{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_DNSTAP_TLS; }
+dnstap-tls-server-name{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_DNSTAP_TLS_SERVER_NAME; }
+dnstap-tls-cert-bundle{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_DNSTAP_TLS_CERT_BUNDLE; }
+dnstap-tls-client-key-file{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_DNSTAP_TLS_CLIENT_KEY_FILE; }
+dnstap-tls-client-cert-file{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_DNSTAP_TLS_CLIENT_CERT_FILE; }
dnstap-send-identity{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_DNSTAP_SEND_IDENTITY; }
dnstap-send-version{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_DNSTAP_SEND_VERSION; }
dnstap-identity{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_DNSTAP_IDENTITY; }
diff --git a/usr.sbin/nsd/configparser.y b/usr.sbin/nsd/configparser.y
index f0d165c071e..901c1ca2cc8 100644
--- a/usr.sbin/nsd/configparser.y
+++ b/usr.sbin/nsd/configparser.y
@@ -136,6 +136,12 @@ struct component {
%token VAR_DNSTAP
%token VAR_DNSTAP_ENABLE
%token VAR_DNSTAP_SOCKET_PATH
+%token VAR_DNSTAP_IP
+%token VAR_DNSTAP_TLS
+%token VAR_DNSTAP_TLS_SERVER_NAME
+%token VAR_DNSTAP_TLS_CERT_BUNDLE
+%token VAR_DNSTAP_TLS_CLIENT_KEY_FILE
+%token VAR_DNSTAP_TLS_CLIENT_CERT_FILE
%token VAR_DNSTAP_SEND_IDENTITY
%token VAR_DNSTAP_SEND_VERSION
%token VAR_DNSTAP_IDENTITY
@@ -615,6 +621,18 @@ dnstap_option:
{ cfg_parser->opt->dnstap_enable = $2; }
| VAR_DNSTAP_SOCKET_PATH STRING
{ cfg_parser->opt->dnstap_socket_path = region_strdup(cfg_parser->opt->region, $2); }
+ | VAR_DNSTAP_IP STRING
+ { cfg_parser->opt->dnstap_ip = region_strdup(cfg_parser->opt->region, $2); }
+ | VAR_DNSTAP_TLS boolean
+ { cfg_parser->opt->dnstap_tls = $2; }
+ | VAR_DNSTAP_TLS_SERVER_NAME STRING
+ { cfg_parser->opt->dnstap_tls_server_name = region_strdup(cfg_parser->opt->region, $2); }
+ | VAR_DNSTAP_TLS_CERT_BUNDLE STRING
+ { cfg_parser->opt->dnstap_tls_cert_bundle = region_strdup(cfg_parser->opt->region, $2); }
+ | VAR_DNSTAP_TLS_CLIENT_KEY_FILE STRING
+ { cfg_parser->opt->dnstap_tls_client_key_file = region_strdup(cfg_parser->opt->region, $2); }
+ | VAR_DNSTAP_TLS_CLIENT_CERT_FILE STRING
+ { cfg_parser->opt->dnstap_tls_client_cert_file = region_strdup(cfg_parser->opt->region, $2); }
| VAR_DNSTAP_SEND_IDENTITY boolean
{ cfg_parser->opt->dnstap_send_identity = $2; }
| VAR_DNSTAP_SEND_VERSION boolean
diff --git a/usr.sbin/nsd/configure b/usr.sbin/nsd/configure
index f73475c2c3f..950d5849d6a 100644
--- a/usr.sbin/nsd/configure
+++ b/usr.sbin/nsd/configure
@@ -1,6 +1,6 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for NSD 4.6.1.
+# Generated by GNU Autoconf 2.69 for NSD 4.7.0.
#
# Report bugs to <nsd-bugs@nlnetlabs.nl>.
#
@@ -580,8 +580,8 @@ MAKEFLAGS=
# Identity of this package.
PACKAGE_NAME='NSD'
PACKAGE_TARNAME='nsd'
-PACKAGE_VERSION='4.6.1'
-PACKAGE_STRING='NSD 4.6.1'
+PACKAGE_VERSION='4.7.0'
+PACKAGE_STRING='NSD 4.7.0'
PACKAGE_BUGREPORT='nsd-bugs@nlnetlabs.nl'
PACKAGE_URL=''
@@ -1328,7 +1328,7 @@ if test "$ac_init_help" = "long"; then
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures NSD 4.6.1 to adapt to many kinds of systems.
+\`configure' configures NSD 4.7.0 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1390,7 +1390,7 @@ fi
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of NSD 4.6.1:";;
+ short | recursive ) echo "Configuration of NSD 4.7.0:";;
esac
cat <<\_ACEOF
@@ -1407,7 +1407,7 @@ Optional Features:
--enable-recvmmsg Enable recvmmsg and sendmmsg compilation, faster but
some kernel versions may have implementation
problems for IPv6
- --enable-root-server Configure NSD as a root server
+ --enable-root-server Configure NSD as a root server (obsolete)
--disable-ipv6 Disables IPv6 support
--enable-bind8-stats Enables BIND8 like NSTATS & XSTATS and statistics in
nsd-control
@@ -1563,7 +1563,7 @@ fi
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
-NSD configure 4.6.1
+NSD configure 4.7.0
generated by GNU Autoconf 2.69
Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2272,7 +2272,7 @@ cat >config.log <<_ACEOF
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by NSD $as_me 4.6.1, which was
+It was created by NSD $as_me 4.7.0, which was
generated by GNU Autoconf 2.69. Invocation command line was
$ $0 $@
@@ -8057,6 +8057,9 @@ else
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
#include <sys/socket.h>
#include <errno.h>
int main(void)
@@ -8093,6 +8096,9 @@ else
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
#include <sys/socket.h>
#include <errno.h>
int main(void)
@@ -8836,17 +8842,6 @@ if test "${enable_root_server+set}" = set; then :
enableval=$enable_root_server;
fi
-case "$enable_root_server" in
- yes)
-
-cat >>confdefs.h <<_ACEOF
-#define ROOT_SERVER /**/
-_ACEOF
-
- ;;
- no|*)
- ;;
-esac
# Check whether --enable-ipv6 was given.
if test "${enable_ipv6+set}" = set; then :
@@ -8921,7 +8916,7 @@ if eval \${cv_prog_cc_flag_$cache+:} false; then :
$as_echo_n "(cached) " >&6
else
-echo 'void f(){}' >conftest.c
+echo 'void f(void){}' >conftest.c
if test -z "`$CC -W -c conftest.c 2>&1`"; then
eval "cv_prog_cc_flag_$cache=yes"
else
@@ -8952,7 +8947,7 @@ if eval \${cv_prog_cc_flag_$cache+:} false; then :
$as_echo_n "(cached) " >&6
else
-echo 'void f(){}' >conftest.c
+echo 'void f(void){}' >conftest.c
if test -z "`$CC -Wall -c conftest.c 2>&1`"; then
eval "cv_prog_cc_flag_$cache=yes"
else
@@ -8983,7 +8978,7 @@ if eval \${cv_prog_cc_flag_$cache+:} false; then :
$as_echo_n "(cached) " >&6
else
-echo 'void f(){}' >conftest.c
+echo 'void f(void){}' >conftest.c
if test -z "`$CC -Wextra -c conftest.c 2>&1`"; then
eval "cv_prog_cc_flag_$cache=yes"
else
@@ -9014,7 +9009,7 @@ if eval \${cv_prog_cc_flag_$cache+:} false; then :
$as_echo_n "(cached) " >&6
else
-echo 'void f(){}' >conftest.c
+echo 'void f(void){}' >conftest.c
if test -z "`$CC -Wdeclaration-after-statement -c conftest.c 2>&1`"; then
eval "cv_prog_cc_flag_$cache=yes"
else
@@ -9426,7 +9421,7 @@ else
echo '
#include <openssl/sha.h>
' >conftest.c
-echo 'void f(){ (void)SHA1_Init(NULL); }' >>conftest.c
+echo 'void f(void){ (void)SHA1_Init(NULL); }' >>conftest.c
if test -z "`$CC $CPPFLAGS $CFLAGS -c conftest.c 2>&1 | grep -e deprecated -e unavailable`"; then
eval "cv_cc_deprecated_$cache=no"
else
@@ -9554,7 +9549,7 @@ else
echo '
#include <openssl/ssl.h>
' >conftest.c
-echo 'void f(){ (void)ERR_load_SSL_strings(); }' >>conftest.c
+echo 'void f(void){ (void)ERR_load_SSL_strings(); }' >>conftest.c
if test -z "`$CC $CPPFLAGS $CFLAGS -c conftest.c 2>&1 | grep -e deprecated -e unavailable`"; then
eval "cv_cc_deprecated_$cache=no"
else
@@ -9585,8 +9580,6 @@ fi
LIBS="$BAKLIBS"
else
- { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: No SSL, therefore remote-control is disabled" >&5
-$as_echo "$as_me: WARNING: No SSL, therefore remote-control is disabled" >&2;}
{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: No SSL, therefore TLS is disabled" >&5
$as_echo "$as_me: WARNING: No SSL, therefore TLS is disabled" >&2;}
fi
@@ -10916,7 +10909,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
-This file was extended by NSD $as_me 4.6.1, which was
+This file was extended by NSD $as_me 4.7.0, which was
generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@@ -10978,7 +10971,7 @@ _ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
-NSD config.status 4.6.1
+NSD config.status 4.7.0
configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\"
diff --git a/usr.sbin/nsd/configure.ac b/usr.sbin/nsd/configure.ac
index 337fd1a753d..bd880566fb3 100644
--- a/usr.sbin/nsd/configure.ac
+++ b/usr.sbin/nsd/configure.ac
@@ -5,7 +5,7 @@ dnl
sinclude(acx_nlnetlabs.m4)
sinclude(dnstap/dnstap.m4)
-AC_INIT([NSD],[4.6.1],[nsd-bugs@nlnetlabs.nl])
+AC_INIT([NSD],[4.7.0],[nsd-bugs@nlnetlabs.nl])
AC_CONFIG_HEADERS([config.h])
#
@@ -296,7 +296,7 @@ AC_MSG_CHECKING(whether $CC supports -$1)
cache=`echo $1 | $SED 'y%.=/+-%___p_%'`
AC_CACHE_VAL(cv_prog_cc_flag_$cache,
[
-echo 'void f(){}' >conftest.c
+echo 'void f(void){}' >conftest.c
if test -z "`$CC -$1 -c conftest.c 2>&1`"; then
eval "cv_prog_cc_flag_$cache=yes"
else
@@ -698,6 +698,9 @@ case "$enable_recvmmsg" in
yes)
AC_CHECK_FUNC([recvmmsg], [
AC_RUN_IFELSE([AC_LANG_SOURCE([[
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
#include <sys/socket.h>
#include <errno.h>
int main(void)
@@ -714,6 +717,9 @@ AC_DEFINE([HAVE_RECVMMSG], [1], [Define if recvmmsg exists])]
)])
AC_CHECK_FUNC([sendmmsg], [
AC_RUN_IFELSE([AC_LANG_SOURCE([[
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
#include <sys/socket.h>
#include <errno.h>
int main(void)
@@ -965,14 +971,7 @@ AC_DEFINE_UNQUOTED([TCP_TIMEOUT], $tcp_timeout, [Define to the default tcp timeo
dnl
dnl Features
dnl
-AC_ARG_ENABLE(root-server, AS_HELP_STRING([--enable-root-server],[Configure NSD as a root server]))
-case "$enable_root_server" in
- yes)
- AC_DEFINE_UNQUOTED([ROOT_SERVER], [], [Define this to configure as a root server.])
- ;;
- no|*)
- ;;
-esac
+AC_ARG_ENABLE(root-server, AS_HELP_STRING([--enable-root-server],[Configure NSD as a root server (obsolete)]))
AC_ARG_ENABLE(ipv6, AS_HELP_STRING([--disable-ipv6],[Disables IPv6 support]))
case "$enable_ipv6" in
@@ -1122,7 +1121,6 @@ AC_INCLUDES_DEFAULT
LIBS="$BAKLIBS"
else
- AC_MSG_WARN([No SSL, therefore remote-control is disabled])
AC_MSG_WARN([No SSL, therefore TLS is disabled])
fi
diff --git a/usr.sbin/nsd/dname.h b/usr.sbin/nsd/dname.h
index 188ade18ddd..0d5dc4ac83a 100644
--- a/usr.sbin/nsd/dname.h
+++ b/usr.sbin/nsd/dname.h
@@ -7,8 +7,8 @@
*
*/
-#ifndef _DNAME_H_
-#define _DNAME_H_
+#ifndef DNAME_H
+#define DNAME_H
#include <assert.h>
#include <stdio.h>
@@ -381,4 +381,4 @@ char* wirelabel2str(const uint8_t* label);
/** check if two uncompressed dnames of the same total length are equal */
int dname_equal_nocase(uint8_t* a, uint8_t* b, uint16_t len);
-#endif /* _DNAME_H_ */
+#endif /* DNAME_H */
diff --git a/usr.sbin/nsd/dns.h b/usr.sbin/nsd/dns.h
index 344e8cc4899..924db3de0f8 100644
--- a/usr.sbin/nsd/dns.h
+++ b/usr.sbin/nsd/dns.h
@@ -7,8 +7,8 @@
*
*/
-#ifndef _DNS_H_
-#define _DNS_H_
+#ifndef DNS_H
+#define DNS_H
enum rr_section {
QUESTION_SECTION,
@@ -305,4 +305,4 @@ operator++(rr_section_type &lhs)
}
#endif /* __cplusplus */
-#endif /* _DNS_H_ */
+#endif /* DNS_H */
diff --git a/usr.sbin/nsd/dnstap/dnstap.c b/usr.sbin/nsd/dnstap/dnstap.c
index 1f4dabff1f3..19543d755b1 100644
--- a/usr.sbin/nsd/dnstap/dnstap.c
+++ b/usr.sbin/nsd/dnstap/dnstap.c
@@ -53,6 +53,15 @@
#include "dnstap/dnstap.h"
#include "dnstap/dnstap.pb-c.h"
+#ifdef HAVE_SSL
+#ifdef HAVE_OPENSSL_SSL_H
+#include <openssl/ssl.h>
+#endif
+#ifdef HAVE_OPENSSL_ERR_H
+#include <openssl/err.h>
+#endif
+#endif
+
#define DNSTAP_CONTENT_TYPE "protobuf:dnstap.Dnstap"
#define DNSTAP_INITIAL_BUF_SIZE 256
@@ -120,6 +129,380 @@ dt_msg_init(const struct dt_env *env,
}
}
+#ifdef HAVE_SSL
+/** TLS writer object for fstrm. */
+struct dt_tls_writer {
+ /* ip address */
+ char* ip;
+ /* if connected already */
+ int connected;
+ /* file descriptor */
+ int fd;
+ /* TLS context */
+ SSL_CTX* ctx;
+ /* SSL transport */
+ SSL* ssl;
+ /* the server name to authenticate */
+ char* tls_server_name;
+};
+
+void log_crypto_err(const char* str); /* in server.c */
+
+/* Create TLS writer object for fstrm. */
+static struct dt_tls_writer*
+tls_writer_init(char* ip, char* tls_server_name, char* tls_cert_bundle,
+ char* tls_client_key_file, char* tls_client_cert_file)
+{
+ struct dt_tls_writer* dtw = (struct dt_tls_writer*)calloc(1,
+ sizeof(*dtw));
+ if(!dtw) return NULL;
+ dtw->fd = -1;
+ dtw->ip = strdup(ip);
+ if(!dtw->ip) {
+ free(dtw);
+ return NULL;
+ }
+ dtw->ctx = SSL_CTX_new(SSLv23_client_method());
+ if(!dtw->ctx) {
+ log_msg(LOG_ERR, "dnstap: SSL_CTX_new failed");
+ free(dtw->ip);
+ free(dtw);
+ return NULL;
+ }
+#if SSL_OP_NO_SSLv2 != 0
+ if((SSL_CTX_set_options(dtw->ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)
+ != SSL_OP_NO_SSLv2) {
+ log_msg(LOG_ERR, "dnstap: could not set SSL_OP_NO_SSLv2");
+ SSL_CTX_free(dtw->ctx);
+ free(dtw->ip);
+ free(dtw);
+ return NULL;
+ }
+#endif
+ if((SSL_CTX_set_options(dtw->ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)
+ != SSL_OP_NO_SSLv3) {
+ log_msg(LOG_ERR, "dnstap: could not set SSL_OP_NO_SSLv3");
+ SSL_CTX_free(dtw->ctx);
+ free(dtw->ip);
+ free(dtw);
+ return NULL;
+ }
+#if defined(SSL_OP_NO_RENEGOTIATION)
+ /* disable client renegotiation */
+ if((SSL_CTX_set_options(dtw->ctx, SSL_OP_NO_RENEGOTIATION) &
+ SSL_OP_NO_RENEGOTIATION) != SSL_OP_NO_RENEGOTIATION) {
+ log_msg(LOG_ERR, "dnstap: could not set SSL_OP_NO_RENEGOTIATION");
+ SSL_CTX_free(dtw->ctx);
+ free(dtw->ip);
+ free(dtw);
+ return NULL;
+ }
+#endif
+ if(tls_client_key_file && tls_client_key_file[0]) {
+ if(!SSL_CTX_use_certificate_chain_file(dtw->ctx,
+ tls_client_cert_file)) {
+ log_msg(LOG_ERR, "dnstap: SSL_CTX_use_certificate_chain_file failed for %s", tls_client_cert_file);
+ SSL_CTX_free(dtw->ctx);
+ free(dtw->ip);
+ free(dtw);
+ return NULL;
+ }
+ if(!SSL_CTX_use_PrivateKey_file(dtw->ctx, tls_client_key_file,
+ SSL_FILETYPE_PEM)) {
+ log_msg(LOG_ERR, "dnstap: SSL_CTX_use_PrivateKey_file failed for %s", tls_client_key_file);
+ SSL_CTX_free(dtw->ctx);
+ free(dtw->ip);
+ free(dtw);
+ return NULL;
+ }
+ if(!SSL_CTX_check_private_key(dtw->ctx)) {
+ log_msg(LOG_ERR, "dnstap: SSL_CTX_check_private_key failed for %s", tls_client_key_file);
+ SSL_CTX_free(dtw->ctx);
+ free(dtw->ip);
+ free(dtw);
+ return NULL;
+ }
+ }
+ if(tls_cert_bundle && tls_cert_bundle[0]) {
+ if(!SSL_CTX_load_verify_locations(dtw->ctx, tls_cert_bundle, NULL)) {
+ log_msg(LOG_ERR, "dnstap: SSL_CTX_load_verify_locations failed for %s", tls_cert_bundle);
+ SSL_CTX_free(dtw->ctx);
+ free(dtw->ip);
+ free(dtw);
+ return NULL;
+ }
+ if(SSL_CTX_set_default_verify_paths(dtw->ctx) != 1) {
+ log_msg(LOG_ERR, "dnstap: SSL_CTX_set_default_verify_paths failed");
+ SSL_CTX_free(dtw->ctx);
+ free(dtw->ip);
+ free(dtw);
+ return NULL;
+ }
+ SSL_CTX_set_verify(dtw->ctx, SSL_VERIFY_PEER, NULL);
+ }
+ if(tls_server_name) {
+ dtw->tls_server_name = strdup(tls_server_name);
+ if(!dtw->tls_server_name) {
+ log_msg(LOG_ERR, "dnstap: strdup failed");
+ SSL_CTX_free(dtw->ctx);
+ free(dtw->ip);
+ free(dtw);
+ return NULL;
+ }
+ }
+ return dtw;
+}
+
+/* Delete TLS writer object */
+static void
+tls_writer_delete(struct dt_tls_writer* dtw)
+{
+ if(!dtw)
+ return;
+ if(dtw->ssl)
+ SSL_shutdown(dtw->ssl);
+ SSL_free(dtw->ssl);
+ dtw->ssl = NULL;
+ SSL_CTX_free(dtw->ctx);
+ if(dtw->fd != -1) {
+ close(dtw->fd);
+ dtw->fd = -1;
+ }
+ free(dtw->ip);
+ free(dtw->tls_server_name);
+ free(dtw);
+}
+
+/* The fstrm writer destroy callback for TLS */
+static fstrm_res
+dt_tls_writer_destroy(void* obj)
+{
+ struct dt_tls_writer* dtw = (struct dt_tls_writer*)obj;
+ tls_writer_delete(dtw);
+ return fstrm_res_success;
+}
+
+/* The fstrm writer open callback for TLS */
+static fstrm_res
+dt_tls_writer_open(void* obj)
+{
+ struct sockaddr_storage addr;
+ socklen_t addrlen;
+ char* svr, *at = NULL;
+ int port = 3333;
+ int addrfamily;
+ struct dt_tls_writer* dtw = (struct dt_tls_writer*)obj;
+ X509* x;
+
+ /* skip action if already connected */
+ if(dtw->connected)
+ return fstrm_res_success;
+
+ /* figure out port number */
+ svr = dtw->ip;
+ at = strchr(svr, '@');
+ if(at != NULL) {
+ *at = 0;
+ port = atoi(at+1);
+ }
+
+ /* parse addr */
+ memset(&addr, 0, sizeof(addr));
+#ifdef INET6
+ if(strchr(svr, ':')) {
+ struct sockaddr_in6 sa;
+ addrlen = (socklen_t)sizeof(struct sockaddr_in6);
+ memset(&sa, 0, addrlen);
+ sa.sin6_family = AF_INET6;
+ sa.sin6_port = (in_port_t)htons((uint16_t)port);
+ if(inet_pton((int)sa.sin6_family, svr, &sa.sin6_addr) <= 0) {
+ log_msg(LOG_ERR, "dnstap: could not parse IP: %s", svr);
+ if(at != NULL)
+ *at = '@';
+ return fstrm_res_failure;
+ }
+ memcpy(&addr, &sa, addrlen);
+ addrfamily = AF_INET6;
+ } else
+#else
+ if(1)
+#endif
+ {
+ struct sockaddr_in sa;
+ addrlen = (socklen_t)sizeof(struct sockaddr_in);
+ memset(&sa, 0, addrlen);
+ sa.sin_family = AF_INET;
+ sa.sin_port = (in_port_t)htons((uint16_t)port);
+ if(inet_pton((int)sa.sin_family, svr, &sa.sin_addr) <= 0) {
+ log_msg(LOG_ERR, "dnstap: could not parse IP: %s", svr);
+ if(at != NULL)
+ *at = '@';
+ return fstrm_res_failure;
+ }
+ memcpy(&addr, &sa, addrlen);
+ addrfamily = AF_INET;
+ }
+ if(at != NULL)
+ *at = '@';
+
+ /* open socket */
+ dtw->fd = socket(addrfamily, SOCK_STREAM, 0);
+ if(dtw->fd == -1) {
+ log_msg(LOG_ERR, "dnstap: socket failed: %s", strerror(errno));
+ return fstrm_res_failure;
+ }
+ if(connect(dtw->fd, (struct sockaddr*)&addr, addrlen) < 0) {
+ log_msg(LOG_ERR, "dnstap: connect failed: %s", strerror(errno));
+ return fstrm_res_failure;
+ }
+ dtw->connected = 1;
+
+ /* setup SSL */
+ dtw->ssl = SSL_new(dtw->ctx);
+ if(!dtw->ssl) {
+ log_msg(LOG_ERR, "dnstap: SSL_new failed");
+ return fstrm_res_failure;
+ }
+ SSL_set_connect_state(dtw->ssl);
+ (void)SSL_set_mode(dtw->ssl, SSL_MODE_AUTO_RETRY);
+ if(!SSL_set_fd(dtw->ssl, dtw->fd)) {
+ log_msg(LOG_ERR, "dnstap: SSL_set_fd failed");
+ return fstrm_res_failure;
+ }
+ if(dtw->tls_server_name && dtw->tls_server_name[0]) {
+ if(!SSL_set1_host(dtw->ssl, dtw->tls_server_name)) {
+ log_msg(LOG_ERR, "dnstap: TLS setting of hostname %s failed to %s",
+ dtw->tls_server_name, dtw->ip);
+ return fstrm_res_failure;
+ }
+ }
+
+ /* handshake */
+ while(1) {
+ int r;
+ ERR_clear_error();
+ if( (r=SSL_do_handshake(dtw->ssl)) == 1)
+ break;
+ r = SSL_get_error(dtw->ssl, r);
+ if(r != SSL_ERROR_WANT_READ && r != SSL_ERROR_WANT_WRITE) {
+ if(r == SSL_ERROR_ZERO_RETURN) {
+ log_msg(LOG_ERR, "dnstap: EOF on SSL_do_handshake");
+ return fstrm_res_failure;
+ }
+ if(r == SSL_ERROR_SYSCALL) {
+ log_msg(LOG_ERR, "dnstap: SSL_do_handshake failed: %s", strerror(errno));
+ return fstrm_res_failure;
+ }
+ log_crypto_err("dnstap: SSL_do_handshake failed");
+ return fstrm_res_failure;
+ }
+ /* wants to be called again */
+ }
+
+ /* check authenticity of server */
+ if(SSL_get_verify_result(dtw->ssl) != X509_V_OK) {
+ log_crypto_err("SSL verification failed");
+ return fstrm_res_failure;
+ }
+ x = SSL_get_peer_certificate(dtw->ssl);
+ if(!x) {
+ log_crypto_err("Server presented no peer certificate");
+ return fstrm_res_failure;
+ }
+ X509_free(x);
+
+ return fstrm_res_success;
+}
+
+/* The fstrm writer close callback for TLS */
+static fstrm_res
+dt_tls_writer_close(void* obj)
+{
+ struct dt_tls_writer* dtw = (struct dt_tls_writer*)obj;
+ if(dtw->connected) {
+ dtw->connected = 0;
+ if(dtw->ssl)
+ SSL_shutdown(dtw->ssl);
+ SSL_free(dtw->ssl);
+ dtw->ssl = NULL;
+ if(dtw->fd != -1) {
+ close(dtw->fd);
+ dtw->fd = -1;
+ }
+ return fstrm_res_success;
+ }
+ return fstrm_res_failure;
+}
+
+/* The fstrm writer read callback for TLS */
+static fstrm_res
+dt_tls_writer_read(void* obj, void* buf, size_t nbytes)
+{
+ /* want to read nbytes of data */
+ struct dt_tls_writer* dtw = (struct dt_tls_writer*)obj;
+ size_t nread = 0;
+ if(!dtw->connected)
+ return fstrm_res_failure;
+ while(nread < nbytes) {
+ int r;
+ ERR_clear_error();
+ if((r = SSL_read(dtw->ssl, ((char*)buf)+nread, nbytes-nread)) <= 0) {
+ r = SSL_get_error(dtw->ssl, r);
+ if(r == SSL_ERROR_ZERO_RETURN) {
+ log_msg(LOG_ERR, "dnstap: EOF from %s",
+ dtw->ip);
+ return fstrm_res_failure;
+ }
+ if(r == SSL_ERROR_SYSCALL) {
+ log_msg(LOG_ERR, "dnstap: read %s: %s",
+ dtw->ip, strerror(errno));
+ return fstrm_res_failure;
+ }
+ if(r == SSL_ERROR_SSL) {
+ log_crypto_err("dnstap: could not SSL_read");
+ return fstrm_res_failure;
+ }
+ log_msg(LOG_ERR, "dnstap: SSL_read failed with err %d",
+ r);
+ return fstrm_res_failure;
+ }
+ nread += r;
+ }
+ return fstrm_res_success;
+}
+
+/* The fstrm writer write callback for TLS */
+static fstrm_res
+dt_tls_writer_write(void* obj, const struct iovec* iov, int iovcnt)
+{
+ struct dt_tls_writer* dtw = (struct dt_tls_writer*)obj;
+ int i;
+ if(!dtw->connected)
+ return fstrm_res_failure;
+ for(i=0; i<iovcnt; i++) {
+ if(SSL_write(dtw->ssl, iov[i].iov_base, (int)(iov[i].iov_len)) <= 0) {
+ log_crypto_err("dnstap: could not SSL_write");
+ return fstrm_res_failure;
+ }
+ }
+ return fstrm_res_success;
+}
+
+/* Create the fstrm writer object for TLS */
+static struct fstrm_writer*
+dt_tls_make_writer(struct fstrm_writer_options* fwopt,
+ struct dt_tls_writer* dtw)
+{
+ struct fstrm_rdwr* rdwr = fstrm_rdwr_init(dtw);
+ fstrm_rdwr_set_destroy(rdwr, dt_tls_writer_destroy);
+ fstrm_rdwr_set_open(rdwr, dt_tls_writer_open);
+ fstrm_rdwr_set_close(rdwr, dt_tls_writer_close);
+ fstrm_rdwr_set_read(rdwr, dt_tls_writer_read);
+ fstrm_rdwr_set_write(rdwr, dt_tls_writer_write);
+ return fstrm_writer_init(fwopt, &rdwr);
+}
+#endif /* HAVE_SSL */
+
/* check that the socket file can be opened and exists, print error if not */
static void
check_socket_file(const char* socket_path)
@@ -133,22 +516,30 @@ check_socket_file(const char* socket_path)
}
struct dt_env *
-dt_create(const char *socket_path, unsigned num_workers)
+dt_create(const char *socket_path, char* ip, unsigned num_workers,
+ int tls, char* tls_server_name, char* tls_cert_bundle,
+ char* tls_client_key_file, char* tls_client_cert_file)
{
#ifndef NDEBUG
fstrm_res res;
#endif
struct dt_env *env;
struct fstrm_iothr_options *fopt;
- struct fstrm_unix_writer_options *fuwopt;
+ struct fstrm_unix_writer_options *fuwopt = NULL;
+ struct fstrm_tcp_writer_options *ftwopt = NULL;
struct fstrm_writer *fw;
struct fstrm_writer_options *fwopt;
- VERBOSITY(1, (LOG_INFO, "attempting to connect to dnstap socket %s",
- socket_path));
- assert(socket_path != NULL);
assert(num_workers > 0);
- check_socket_file(socket_path);
+ if(ip == NULL || ip[0] == 0) {
+ VERBOSITY(1, (LOG_INFO, "attempting to connect to dnstap socket %s",
+ socket_path));
+ assert(socket_path != NULL);
+ check_socket_file(socket_path);
+ } else {
+ VERBOSITY(1, (LOG_INFO, "attempting to connect to dnstap %ssocket %s",
+ (tls?"tls ":""), ip));
+ }
env = (struct dt_env *) calloc(1, sizeof(struct dt_env));
if (!env)
@@ -164,10 +555,50 @@ dt_create(const char *socket_path, unsigned num_workers)
DNSTAP_CONTENT_TYPE, sizeof(DNSTAP_CONTENT_TYPE) - 1);
assert(res == fstrm_res_success);
- fuwopt = fstrm_unix_writer_options_init();
- fstrm_unix_writer_options_set_socket_path(fuwopt, socket_path);
-
- fw = fstrm_unix_writer_init(fuwopt, fwopt);
+ if(ip == NULL || ip[0] == 0) {
+ fuwopt = fstrm_unix_writer_options_init();
+ fstrm_unix_writer_options_set_socket_path(fuwopt, socket_path);
+ } else {
+ char* at = strchr(ip, '@');
+ if(!tls) {
+ ftwopt = fstrm_tcp_writer_options_init();
+ if(at == NULL) {
+ fstrm_tcp_writer_options_set_socket_address(ftwopt, ip);
+ fstrm_tcp_writer_options_set_socket_port(ftwopt, "3333");
+ } else {
+ *at = 0;
+ fstrm_tcp_writer_options_set_socket_address(ftwopt, ip);
+ fstrm_tcp_writer_options_set_socket_port(ftwopt, at+1);
+ *at = '@';
+ }
+ } else {
+#ifdef HAVE_SSL
+ env->tls_writer = tls_writer_init(ip, tls_server_name,
+ tls_cert_bundle, tls_client_key_file,
+ tls_client_cert_file);
+#else
+ (void)tls_server_name;
+ (void)tls_cert_bundle;
+ (void)tls_client_key_file;
+ (void)tls_client_cert_file;
+ log_msg(LOG_ERR, "dnstap: tls enabled but compiled without ssl.");
+#endif
+ if(!env->tls_writer) {
+ log_msg(LOG_ERR, "dt_create: tls_writer_init() failed");
+ fstrm_writer_options_destroy(&fwopt);
+ free(env);
+ return NULL;
+ }
+ }
+ }
+ if(ip == NULL || ip[0] == 0)
+ fw = fstrm_unix_writer_init(fuwopt, fwopt);
+ else if(!tls)
+ fw = fstrm_tcp_writer_init(ftwopt, fwopt);
+#ifdef HAVE_SSL
+ else
+ fw = dt_tls_make_writer(fwopt, env->tls_writer);
+#endif
assert(fw != NULL);
fopt = fstrm_iothr_options_init();
@@ -180,7 +611,11 @@ dt_create(const char *socket_path, unsigned num_workers)
env = NULL;
}
fstrm_iothr_options_destroy(&fopt);
- fstrm_unix_writer_options_destroy(&fuwopt);
+
+ if(ip == NULL || ip[0] == 0)
+ fstrm_unix_writer_options_destroy(&fuwopt);
+ else if(!tls)
+ fstrm_tcp_writer_options_destroy(&ftwopt);
fstrm_writer_options_destroy(&fwopt);
return env;
diff --git a/usr.sbin/nsd/dnstap/dnstap.h b/usr.sbin/nsd/dnstap/dnstap.h
index e5eaa2a1345..8c84928cbc5 100644
--- a/usr.sbin/nsd/dnstap/dnstap.h
+++ b/usr.sbin/nsd/dnstap/dnstap.h
@@ -42,6 +42,7 @@
struct nsd_options;
struct fstrm_io;
struct fstrm_queue;
+struct dt_tls_writer;
struct dt_env {
/** dnstap I/O thread */
@@ -66,6 +67,9 @@ struct dt_env {
unsigned log_auth_query_messages : 1;
/** whether to log Message/AUTH_RESPONSE */
unsigned log_auth_response_messages : 1;
+
+ /** tls writer object, or NULL */
+ struct dt_tls_writer* tls_writer;
};
/**
@@ -75,12 +79,23 @@ struct dt_env {
* of the structure) to ensure lock-free access to its own per-worker circular
* queue. Duplicate the environment object if more than one worker needs to
* share access to the dnstap I/O socket.
- * @param socket_path: path to dnstap logging socket, must be non-NULL.
+ * @param socket_path: path to dnstap logging socket, must be non-NULL if used.
+ * @param ip: if NULL or "" use socket path, otherwise IP or IP@port.
* @param num_workers: number of worker threads, must be > 0.
+ * @param tls: set to true to use TLS, otherwise, TCP. Used when ip is set.
+ * @param tls_server_name: name for authenticating the upstream server, or
+ * NULL or "".
+ * @param tls_cert_bundle: pem bundle to verify server with. Or NULL or "".
+ * @param tls_client_key_file: key file for client authentication. Or NULL
+ * or "".
+ * @param tls_client_cert_file: cert file for client authentication. Or NULL
+ * or "".
* @return dt_env object, NULL on failure.
*/
struct dt_env *
-dt_create(const char *socket_path, unsigned num_workers);
+dt_create(const char *socket_path, char* ip, unsigned num_workers,
+ int tls, char* tls_server_name, char* tls_cert_bundle,
+ char* tls_client_key_file, char* tls_client_cert_file);
/**
* Apply config settings.
diff --git a/usr.sbin/nsd/dnstap/dnstap_collector.c b/usr.sbin/nsd/dnstap/dnstap_collector.c
index 5ee1e5f78c6..1578bdfb00e 100644
--- a/usr.sbin/nsd/dnstap/dnstap_collector.c
+++ b/usr.sbin/nsd/dnstap/dnstap_collector.c
@@ -32,6 +32,7 @@
#include "buffer.h"
#include "namedb.h"
#include "options.h"
+#include "remote.h"
#include "udb.h"
#include "rrl.h"
@@ -279,7 +280,12 @@ static void dt_init_dnstap(struct dt_collector* dt_col, struct nsd* nsd)
nsd->options->dnstap_socket_path += l;
}
#endif
- dt_col->dt_env = dt_create(nsd->options->dnstap_socket_path, num_workers);
+ dt_col->dt_env = dt_create(nsd->options->dnstap_socket_path,
+ nsd->options->dnstap_ip, num_workers, nsd->options->dnstap_tls,
+ nsd->options->dnstap_tls_server_name,
+ nsd->options->dnstap_tls_cert_bundle,
+ nsd->options->dnstap_tls_client_key_file,
+ nsd->options->dnstap_tls_client_cert_file);
if(!dt_col->dt_env) {
log_msg(LOG_ERR, "could not create dnstap env");
return;
@@ -308,6 +314,9 @@ static void dt_collector_cleanup(struct dt_collector* dt_col, struct nsd* nsd)
free(dt_col->inputs);
}
dt_collector_destroy(dt_col, nsd);
+ daemon_remote_delete(nsd->rc); /* ssl-delete secret keys */
+ nsd_options_destroy(nsd->options);
+ region_destroy(nsd->region);
#endif
}
diff --git a/usr.sbin/nsd/doc/ChangeLog b/usr.sbin/nsd/doc/ChangeLog
index fac449dbbd0..c37f0839cac 100644
--- a/usr.sbin/nsd/doc/ChangeLog
+++ b/usr.sbin/nsd/doc/ChangeLog
@@ -1,3 +1,86 @@
+31 May 2023: Wouter
+ - Add missing items to doc/RELNOTES.
+ - Tag for 4.7.0rc1.
+
+30 May 2023: Jeroen
+ - Fix #240: Prefix messages originating from verifier.
+ - Fix #275: Drop unnecessary root server checks.
+
+30 May 2023: Wouter
+ - Next version is 4.7.0, instead of 4.6.2, because of the added
+ features, like TLS for DNSTAP.
+ - Fix unused variable warning in unit test, from clang compile.
+
+24 May 2023: Wouter
+ - For #279: Note that autoreconf -fi creates the configure script
+ and also the needed auxiliary files, for autoconf 2.69 and 2.71.
+
+4 May 2023: Wouter
+ - Fix to remove unused whitespace from acx_nlnetlabs.m4 and config.h.
+
+1 May 2023: Wouter
+ - make depend.
+ - Fix for build to run flex and bison before compiling code that needs
+ the headers.
+
+13 April 2023: Wouter
+ - Fix cirrus script for submit to coverity scan to libtoolize
+ the configure script components config.guess and config.sub.
+ - Fix readme status badge links.
+
+28 March 2023: Wouter
+ - Fix #273: Large TXT record breaks AXFR.
+ - Fix ixfr create from adding too many record types.
+
+16 March 2023: Wouter
+ - Fix include brackets for ssl.h include statements, instead of quotes.
+ - Fix static analyzer warning about nsd_event_method initialization.
+
+15 March 2023: Wouter
+ - Dnstap tls code fixes.
+
+14 March 2023: Wouter
+ - Fix dnstap to not check socket path when using IP address.
+ - dnstap over TLS, default enabled. Configured with the
+ options dnstap-tls, dnstap-tls-server-name, dnstap-tls-cert-bundle,
+ dnstap-tls-client-key-file and dnstap-tls-client-cert-file.
+ - Fix to compile without ssl with dnstap-tls code.
+
+9 March 2023: Wouter
+ - Fix #271: DNSTAP over TCP, with dnstap-ip: "127.0.0.1@3333".
+ - Fix to clean more memory on exit of dnstap collector.
+
+23 February 2023: Wouter
+ - Fix #270: reserved identifier violation.
+
+20 February 2023: Wouter
+ - Merge #269 from Fale: Add systemd service unit.
+
+16 February 2023: Wouter
+ - Fix #266: Fix build with --without-ssl.
+ - Fix #267: Allow unencrypted local operation of nsd-control.
+ - Fix for #267: neater variable definitions.
+
+2 February 2023: Wouter
+ - Merge #265: Fix C99 compatibility issue.
+
+30 January 2023: Wouter
+ - Merge #263: Add bash autocompletion script for nsd-control.
+ - Fix for #262: More error logging for SSL read failures for zone
+ transfers.
+
+27 January 2023: Wouter
+ - Fix #262: Zone(s) not synchronizing properly via TLS.
+ - Fix ixfr_and_restart test to wait for processes to come to a stop.
+
+26 January 2023: Wouter
+ - Fix configure for -Wstrict-prototypes.
+
+10 November 2022: Wouter
+ - Tag for NSD 4.6.1, the repository continues with version 4.6.2.
+ - Fix #239: -Wincompatible-pointer-types warning in remote.c.
+ - Fix unit tests to succeed with --disable-bind8-stats.
+
1 November 2022: Wouter
- Fixup for non-trailing newline lexer change warnings.
- Update doc/RELNOTES for changes.
diff --git a/usr.sbin/nsd/doc/README b/usr.sbin/nsd/doc/README
index ccb54551fd5..bb737c781ad 100644
--- a/usr.sbin/nsd/doc/README
+++ b/usr.sbin/nsd/doc/README
@@ -21,7 +21,7 @@
1.0 Introduction
-This is NSD Name Server Daemon (NSD) version 4.6.1.
+This is NSD Name Server Daemon (NSD) version 4.7.0.
The NLnet Labs Name Server Daemon (NSD) is an authoritative RFC compliant
DNS nameserver. It was first conceived to allow for more genetic
@@ -57,7 +57,7 @@ and uses a simple configuration file 'nsd.conf'.
1.2 Quick build and install
-Step 1: Unpack the source with gtar -xzvf nsd-4.6.1.tar.gz
+Step 1: Unpack the source with gtar -xzvf nsd-4.7.0.tar.gz
Step 2: Create user nsd or any other unprivileged user of your
choice. In case of later make sure to use
@@ -111,9 +111,9 @@ Step 11: If desired add 'nsd-control write' to your superuser crontab to
Use your favorite combination of tar and gnu zip to unpack the source,
for example
-$ gtar -xzvf nsd-4.6.1.tar.gz
+$ gtar -xzvf nsd-4.7.0.tar.gz
-will unpack the source into the ./nsd-4.6.1 directory...
+will unpack the source into the ./nsd-4.7.0 directory...
2.2 Configuring NSD
@@ -927,4 +927,4 @@ larger and regular donations please contact us at users@NLnetLabs.nl. Also
see http://www.nlnetlabs.nl/labs/contributors/.
-$Id: README,v 1.5 2022/11/14 21:09:32 sthen Exp $
+$Id: README,v 1.6 2023/06/29 19:38:50 florian Exp $
diff --git a/usr.sbin/nsd/doc/RELNOTES b/usr.sbin/nsd/doc/RELNOTES
index c145878576e..10cfea94f1e 100644
--- a/usr.sbin/nsd/doc/RELNOTES
+++ b/usr.sbin/nsd/doc/RELNOTES
@@ -1,5 +1,46 @@
NSD RELEASE NOTES
+4.7.0
+================
+FEATURES:
+ - Merge #263: Add bash autocompletion script for nsd-control.
+ - Fix #267: Allow unencrypted local operation of nsd-control.
+ - Merge #269 from Fale: Add systemd service unit.
+ - Fix #271: DNSTAP over TCP, with dnstap-ip: "127.0.0.1@3333".
+ - dnstap over TLS, default enabled. Configured with the
+ options dnstap-tls, dnstap-tls-server-name, dnstap-tls-cert-bundle,
+ dnstap-tls-client-key-file and dnstap-tls-client-cert-file.
+BUG FIXES:
+ - Fix #239: -Wincompatible-pointer-types warning in remote.c.
+ - Fix configure for -Wstrict-prototypes.
+ - Fix #262: Zone(s) not synchronizing properly via TLS.
+ - Fix for #262: More error logging for SSL read failures for zone
+ transfers.
+ - Merge #265: Fix C99 compatibility issue.
+ - Fix #266: Fix build with --without-ssl.
+ - Fix for #267: neater variable definitions.
+ - Fix #270: reserved identifier violation.
+ - Fix to clean more memory on exit of dnstap collector.
+ - Fix dnstap to not check socket path when using IP address.
+ - Fix to compile without ssl with dnstap-tls code.
+ - Dnstap tls code fixes.
+ - Fix include brackets for ssl.h include statements, instead of quotes.
+ - Fix static analyzer warning about nsd_event_method initialization.
+ - Fix #273: Large TXT record breaks AXFR.
+ - Fix ixfr create from adding too many record types.
+ - Fix cirrus script for submit to coverity scan to libtoolize
+ the configure script components config.guess and config.sub.
+ - Fix readme status badge links.
+ - make depend.
+ - Fix for build to run flex and bison before compiling code that needs
+ the headers.
+ - Fix to remove unused whitespace from acx_nlnetlabs.m4 and config.h.
+ - For #279: Note that autoreconf -fi creates the configure script
+ and also the needed auxiliary files, for autoconf 2.69 and 2.71.
+ - Fix unused variable warning in unit test, from clang compile.
+ - Fix #240: Prefix messages originating from verifier.
+ - Fix #275: Drop unnecessary root server checks.
+
4.6.1
================
FEATURES:
diff --git a/usr.sbin/nsd/edns.h b/usr.sbin/nsd/edns.h
index 942312c036b..45d7c636173 100644
--- a/usr.sbin/nsd/edns.h
+++ b/usr.sbin/nsd/edns.h
@@ -7,8 +7,8 @@
*
*/
-#ifndef _EDNS_H_
-#define _EDNS_H_
+#ifndef EDNS_H
+#define EDNS_H
#include "buffer.h"
struct nsd;
@@ -103,4 +103,4 @@ void edns_init_nsid(edns_data_type *data, uint16_t nsid_len);
void cookie_verify(struct query *q, struct nsd* nsd, uint32_t *now_p);
void cookie_create(struct query *q, struct nsd* nsd, uint32_t *now_p);
-#endif /* _EDNS_H_ */
+#endif /* EDNS_H */
diff --git a/usr.sbin/nsd/ixfr.c b/usr.sbin/nsd/ixfr.c
index b054122b848..5a7efc0bf00 100644
--- a/usr.sbin/nsd/ixfr.c
+++ b/usr.sbin/nsd/ixfr.c
@@ -261,7 +261,8 @@ static int pktcompression_write_dname(struct buffer* packet,
/* write an RR into the packet with compression for domain names,
* return 0 and resets position if it does not fit in the packet. */
static int ixfr_write_rr_pkt(struct query* query, struct buffer* packet,
- struct pktcompression* pcomp, const uint8_t* rr, size_t rrlen)
+ struct pktcompression* pcomp, const uint8_t* rr, size_t rrlen,
+ uint16_t total_added)
{
size_t oldpos = buffer_position(packet);
size_t rdpos;
@@ -271,10 +272,21 @@ static int ixfr_write_rr_pkt(struct query* query, struct buffer* packet,
size_t i;
rrtype_descriptor_type* descriptor;
- if(buffer_position(packet) > MAX_COMPRESSION_OFFSET
- || query_overflow(query)) {
- /* we are past the maximum length */
- return 0;
+ if(total_added == 0) {
+ size_t oldmaxlen = query->maxlen;
+ /* RR > 16K can be first RR */
+ query->maxlen = (query->tcp?TCP_MAX_MESSAGE_LEN:UDP_MAX_MESSAGE_LEN);
+ if(query_overflow(query)) {
+ query->maxlen = oldmaxlen;
+ return 0;
+ }
+ query->maxlen = oldmaxlen;
+ } else {
+ if(buffer_position(packet) > MAX_COMPRESSION_OFFSET
+ || query_overflow(query)) {
+ /* we are past the maximum length */
+ return 0;
+ }
}
/* write owner */
@@ -401,10 +413,21 @@ static int ixfr_write_rr_pkt(struct query* query, struct buffer* packet,
}
/* write compressed rdata length */
buffer_write_u16_at(packet, rdpos, buffer_position(packet)-rdpos-2);
- if(query_overflow(query)) {
- /* we are past the maximum length */
- buffer_set_position(packet, oldpos);
- return 0;
+ if(total_added == 0) {
+ size_t oldmaxlen = query->maxlen;
+ query->maxlen = (query->tcp?TCP_MAX_MESSAGE_LEN:UDP_MAX_MESSAGE_LEN);
+ if(query_overflow(query)) {
+ query->maxlen = oldmaxlen;
+ buffer_set_position(packet, oldpos);
+ return 0;
+ }
+ query->maxlen = oldmaxlen;
+ } else {
+ if(query_overflow(query)) {
+ /* we are past the maximum length */
+ buffer_set_position(packet, oldpos);
+ return 0;
+ }
}
return 1;
}
@@ -658,7 +681,7 @@ static uint16_t ixfr_copy_rrs_into_packet(struct query* query,
* the final SOA of the result of the IXFR */
if(ixfr_write_rr_pkt(query, query->packet, pcomp,
query->ixfr_end_data->newsoa,
- query->ixfr_end_data->newsoa_len)) {
+ query->ixfr_end_data->newsoa_len, total_added)) {
query->ixfr_count_newsoa = query->ixfr_end_data->newsoa_len;
total_added++;
query->ixfr_pos_of_newsoa = buffer_position(query->packet);
@@ -672,7 +695,7 @@ static uint16_t ixfr_copy_rrs_into_packet(struct query* query,
if(query->ixfr_count_oldsoa < query->ixfr_data->oldsoa_len) {
if(ixfr_write_rr_pkt(query, query->packet, pcomp,
query->ixfr_data->oldsoa,
- query->ixfr_data->oldsoa_len)) {
+ query->ixfr_data->oldsoa_len, total_added)) {
query->ixfr_count_oldsoa = query->ixfr_data->oldsoa_len;
total_added++;
} else {
@@ -687,7 +710,7 @@ static uint16_t ixfr_copy_rrs_into_packet(struct query* query,
query->ixfr_data->del_len, query->ixfr_count_del);
if(rrlen && ixfr_write_rr_pkt(query, query->packet, pcomp,
query->ixfr_data->del + query->ixfr_count_del,
- rrlen)) {
+ rrlen, total_added)) {
query->ixfr_count_del += rrlen;
total_added++;
} else {
@@ -703,7 +726,7 @@ static uint16_t ixfr_copy_rrs_into_packet(struct query* query,
query->ixfr_data->add_len, query->ixfr_count_add);
if(rrlen && ixfr_write_rr_pkt(query, query->packet, pcomp,
query->ixfr_data->add + query->ixfr_count_add,
- rrlen)) {
+ rrlen, total_added)) {
query->ixfr_count_add += rrlen;
total_added++;
} else {
diff --git a/usr.sbin/nsd/ixfr.h b/usr.sbin/nsd/ixfr.h
index 0f201038bff..0920dc132f1 100644
--- a/usr.sbin/nsd/ixfr.h
+++ b/usr.sbin/nsd/ixfr.h
@@ -7,8 +7,8 @@
*
*/
-#ifndef _IXFR_H_
-#define _IXFR_H_
+#ifndef IXFR_H
+#define IXFR_H
struct nsd;
#include "query.h"
#include "rbtree.h"
@@ -265,4 +265,4 @@ int ixfr_unlink_it(const char* zname, const char* zfile, int file_num,
void ixfr_delete_superfluous_files(struct zone* zone, const char* zfile,
int dest_num_files);
-#endif /* _IXFR_H_ */
+#endif /* IXFR_H */
diff --git a/usr.sbin/nsd/ixfrcreate.c b/usr.sbin/nsd/ixfrcreate.c
index 6841f004b48..33855ebbc37 100644
--- a/usr.sbin/nsd/ixfrcreate.c
+++ b/usr.sbin/nsd/ixfrcreate.c
@@ -533,16 +533,14 @@ static int process_marktypes(struct ixfr_store* store, struct zone* zone,
/* walk through the rrsets in the zone, if it is not in the
* marktypes list, then it is new and an added RRset */
rrset_type* s;
- size_t atmarktype = 0;
qsort(marktypes, marktypes_used, sizeof(marktypes[0]), &sort_uint16);
for(s=domain->rrsets; s; s=s->next) {
uint16_t tp;
if(s->zone != zone)
continue;
tp = rrset_rrtype(s);
- if(atmarktype < marktypes_used && marktypes[atmarktype]==tp) {
+ if(bsearch(&tp, marktypes, marktypes_used, sizeof(marktypes[0]), &sort_uint16)) {
/* the item is in the marked list, skip it */
- atmarktype++;
continue;
}
if(!process_add_rrset(store, domain, s))
diff --git a/usr.sbin/nsd/ixfrcreate.h b/usr.sbin/nsd/ixfrcreate.h
index c09e0b1b745..0446d2cb050 100644
--- a/usr.sbin/nsd/ixfrcreate.h
+++ b/usr.sbin/nsd/ixfrcreate.h
@@ -7,8 +7,8 @@
*
*/
-#ifndef _IXFRCREATE_H_
-#define _IXFRCREATE_H_
+#ifndef IXFRCREATE_H
+#define IXFRCREATE_H
#include "dns.h"
struct zone;
struct nsd;
@@ -83,4 +83,4 @@ struct spool_dname_iterator {
char* file_name;
};
-#endif /* _IXFRCREATE_H_ */
+#endif /* IXFRCREATE_H */
diff --git a/usr.sbin/nsd/namedb.h b/usr.sbin/nsd/namedb.h
index e20d1cac623..3143e867d99 100644
--- a/usr.sbin/nsd/namedb.h
+++ b/usr.sbin/nsd/namedb.h
@@ -7,8 +7,8 @@
*
*/
-#ifndef _NAMEDB_H_
-#define _NAMEDB_H_
+#ifndef NAMEDB_H
+#define NAMEDB_H
#include <stdio.h>
@@ -466,4 +466,4 @@ void zone_rr_iter_init(zone_rr_iter_type *iter, zone_type *zone);
rr_type *zone_rr_iter_next(zone_rr_iter_type *iter);
-#endif /* _NAMEDB_H_ */
+#endif /* NAMEDB_H */
diff --git a/usr.sbin/nsd/netio.h b/usr.sbin/nsd/netio.h
index a0e805e9ea5..48543524820 100644
--- a/usr.sbin/nsd/netio.h
+++ b/usr.sbin/nsd/netio.h
@@ -38,8 +38,8 @@
* blocked in pselect(2).
*/
-#ifndef _NETIO_H_
-#define _NETIO_H_
+#ifndef NETIO_H
+#define NETIO_H
#ifdef HAVE_SYS_SELECT_H
#include <sys/select.h>
@@ -187,4 +187,4 @@ operator |= (netio_event_types_type &lhs, netio_event_types_type rhs) {
}
#endif /* __cplusplus */
-#endif /* _NETIO_H_ */
+#endif /* NETIO_H */
diff --git a/usr.sbin/nsd/nsd-checkconf.8.in b/usr.sbin/nsd/nsd-checkconf.8.in
index 331d896796a..ac23b1bb755 100644
--- a/usr.sbin/nsd/nsd-checkconf.8.in
+++ b/usr.sbin/nsd/nsd-checkconf.8.in
@@ -1,4 +1,4 @@
-.TH "nsd\-checkconf" "8" "Nov 10, 2022" "NLnet Labs" "nsd 4.6.1"
+.TH "nsd\-checkconf" "8" "Jun 7, 2023" "NLnet Labs" "nsd 4.7.0"
.\" Copyright (c) 2001\-2008, NLnet Labs. All rights reserved.
.\" See LICENSE for the license.
.SH "NAME"
diff --git a/usr.sbin/nsd/nsd-checkconf.c b/usr.sbin/nsd/nsd-checkconf.c
index a286b5cff86..970f4014ee3 100644
--- a/usr.sbin/nsd/nsd-checkconf.c
+++ b/usr.sbin/nsd/nsd-checkconf.c
@@ -468,6 +468,12 @@ config_print_zone(nsd_options_type* opt, const char* k, int s, const char *o,
#ifdef USE_DNSTAP
SERV_GET_BIN(dnstap_enable, o);
SERV_GET_STR(dnstap_socket_path, o);
+ SERV_GET_STR(dnstap_ip, o);
+ SERV_GET_BIN(dnstap_tls, o);
+ SERV_GET_STR(dnstap_tls_server_name, o);
+ SERV_GET_STR(dnstap_tls_cert_bundle, o);
+ SERV_GET_STR(dnstap_tls_client_key_file, o);
+ SERV_GET_STR(dnstap_tls_client_cert_file, o);
SERV_GET_BIN(dnstap_send_identity, o);
SERV_GET_BIN(dnstap_send_version, o);
SERV_GET_STR(dnstap_identity, o);
@@ -699,6 +705,12 @@ config_test_print_server(nsd_options_type* opt)
printf("\ndnstap:\n");
printf("\tdnstap-enable: %s\n", opt->dnstap_enable?"yes":"no");
print_string_var("dnstap-socket-path:", opt->dnstap_socket_path);
+ print_string_var("dnstap-ip:", opt->dnstap_ip);
+ printf("\tdnstap-tls: %s\n", opt->dnstap_tls?"yes":"no");
+ print_string_var("dnstap-tls-server-name:", opt->dnstap_tls_server_name);
+ print_string_var("dnstap-tls-cert-bundle:", opt->dnstap_tls_cert_bundle);
+ print_string_var("dnstap-tls-client-key-file:", opt->dnstap_tls_client_key_file);
+ print_string_var("dnstap-tls-client-cert-file:", opt->dnstap_tls_client_cert_file);
printf("\tdnstap-send-identity: %s\n", opt->dnstap_send_identity?"yes":"no");
printf("\tdnstap-send-version: %s\n", opt->dnstap_send_version?"yes":"no");
print_string_var("dnstap-identity:", opt->dnstap_identity);
@@ -779,13 +791,6 @@ additional_checks(nsd_options_type* opt, const char* filename)
errors ++;
continue;
}
-#ifndef ROOT_SERVER
- /* Is it a root zone? Are we a root server then? Idiot proof. */
- if(dname->label_count == 1) {
- fprintf(stderr, "%s: not configured as a root server.\n", filename);
- errors ++;
- }
-#endif
if(zone->pattern->allow_notify && !zone->pattern->request_xfr) {
fprintf(stderr, "%s: zone %s has allow-notify but no request-xfr"
" items. Where can it get a zone transfer when a notify "
diff --git a/usr.sbin/nsd/nsd-checkzone.8.in b/usr.sbin/nsd/nsd-checkzone.8.in
index e88f01b3fcd..6c7b62e3a0b 100644
--- a/usr.sbin/nsd/nsd-checkzone.8.in
+++ b/usr.sbin/nsd/nsd-checkzone.8.in
@@ -1,4 +1,4 @@
-.TH "nsd\-checkzone" "8" "Nov 10, 2022" "NLnet Labs" "nsd 4.6.1"
+.TH "nsd\-checkzone" "8" "Jun 7, 2023" "NLnet Labs" "nsd 4.7.0"
.\" Copyright (c) 2014, NLnet Labs. All rights reserved.
.\" See LICENSE for the license.
.SH "NAME"
diff --git a/usr.sbin/nsd/nsd-control.8.in b/usr.sbin/nsd/nsd-control.8.in
index e66d7b89366..76734e1b336 100644
--- a/usr.sbin/nsd/nsd-control.8.in
+++ b/usr.sbin/nsd/nsd-control.8.in
@@ -1,4 +1,4 @@
-.TH "nsd\-control" "8" "Nov 10, 2022" "NLnet Labs" "nsd 4.6.1"
+.TH "nsd\-control" "8" "Jun 7, 2023" "NLnet Labs" "nsd 4.7.0"
.\" Copyright (c) 2011, NLnet Labs. All rights reserved.
.\" See LICENSE for the license.
.SH "NAME"
diff --git a/usr.sbin/nsd/nsd-control.c b/usr.sbin/nsd/nsd-control.c
index c58eff6fc53..ddd380d0832 100644
--- a/usr.sbin/nsd/nsd-control.c
+++ b/usr.sbin/nsd/nsd-control.c
@@ -44,10 +44,24 @@
#include "config.h"
#include <stdio.h>
#include <stdlib.h>
-#ifdef HAVE_SSL
+
+struct region;
+struct domain_table;
+struct zone;
+struct domain;
+int zonec_parse_string(struct region* ATTR_UNUSED(region),
+ struct domain_table* ATTR_UNUSED(domains),
+ struct zone* ATTR_UNUSED(zone), char* ATTR_UNUSED(str),
+ struct domain** ATTR_UNUSED(parsed), int* ATTR_UNUSED(num_rrs))
+{
+ return 0;
+}
+
#include <sys/types.h>
#include <unistd.h>
#include <string.h>
+#include <errno.h>
+#ifdef HAVE_SSL
#ifdef HAVE_OPENSSL_SSL_H
#include <openssl/ssl.h>
#endif
@@ -57,6 +71,7 @@
#ifdef HAVE_OPENSSL_RAND_H
#include <openssl/rand.h>
#endif
+#endif /* HAVE_SSL */
#ifdef HAVE_SYS_UN_H
#include <sys/un.h>
#endif
@@ -70,20 +85,17 @@
#include "zonec.h"
static void usage(void) ATTR_NORETURN;
+#ifdef HAVE_SSL
static void ssl_err(const char* s) ATTR_NORETURN;
static void ssl_path_err(const char* s, const char *path) ATTR_NORETURN;
+#else
+/* define SSL to use as a boolean to turn it off in function calls. */
+#define SSL int
+#endif
/** timeout to wait for connection over stream, in msec */
#define NSD_CONTROL_CONNECT_TIMEOUT 5000
-int zonec_parse_string(region_type* ATTR_UNUSED(region),
- domain_table_type* ATTR_UNUSED(domains), zone_type* ATTR_UNUSED(zone),
- char* ATTR_UNUSED(str), domain_type** ATTR_UNUSED(parsed),
- int* ATTR_UNUSED(num_rrs))
-{
- return 0;
-}
-
/** Give nsd-control usage, and exit (1). */
static void
usage()
@@ -130,6 +142,7 @@ usage()
exit(1);
}
+#ifdef HAVE_SSL
/** exit with ssl error */
static void ssl_err(const char* s)
{
@@ -203,6 +216,7 @@ setup_ctx(struct nsd_options* cfg)
return ctx;
}
+#endif /* HAVE_SSL */
/** check connect error */
static void
@@ -355,6 +369,7 @@ contact_server(const char* svr, struct nsd_options* cfg, int statuscmd)
return fd;
}
+#ifdef HAVE_SSL
/** setup SSL on the connection */
static SSL*
setup_ssl(SSL_CTX* ctx, int fd)
@@ -390,12 +405,14 @@ setup_ssl(SSL_CTX* ctx, int fd)
X509_free(x);
return ssl;
}
+#endif /* HAVE_SSL */
/** read from ssl or fd, fatalexit on error, 0 EOF, 1 success */
static int
remote_read(SSL* ssl, int fd, char* buf, size_t len)
{
if(ssl) {
+#ifdef HAVE_SSL
int r;
ERR_clear_error();
if((r = SSL_read(ssl, buf, (int)len-1)) <= 0) {
@@ -406,6 +423,7 @@ remote_read(SSL* ssl, int fd, char* buf, size_t len)
ssl_err("could not SSL_read");
}
buf[r] = 0;
+#endif /* HAVE_SSL */
} else {
ssize_t rr = read(fd, buf, len-1);
if(rr <= 0) {
@@ -427,8 +445,10 @@ static void
remote_write(SSL* ssl, int fd, const char* buf, size_t len)
{
if(ssl) {
+#ifdef HAVE_SSL
if(SSL_write(ssl, buf, (int)len) <= 0)
ssl_err("could not SSL_write");
+#endif /* HAVE_SSL */
} else {
if(write(fd, buf, len) < (ssize_t)len) {
fprintf(stderr, "could not write: %s\n",
@@ -492,8 +512,10 @@ go(const char* cfgfile, char* svr, int argc, char* argv[])
{
struct nsd_options* opt;
int fd, ret;
- SSL_CTX* ctx;
- SSL* ssl;
+#ifdef HAVE_SSL
+ SSL_CTX* ctx = NULL;
+#endif
+ SSL* ssl = NULL;
/* read config */
if(!(opt = nsd_options_create(region_create(xalloc, free)))) {
@@ -508,18 +530,31 @@ go(const char* cfgfile, char* svr, int argc, char* argv[])
if(!opt->control_enable)
fprintf(stderr, "warning: control-enable is 'no' in the config file.\n");
resolve_interface_names(opt);
+#ifdef HAVE_SSL
ctx = setup_ctx(opt);
+#else
+ if(options_remote_is_address(opt)) {
+ fprintf(stderr, "error: NSD was compiled without SSL.\n");
+ exit(1);
+ }
+#endif /* HAVE_SSL */
/* contact server */
fd = contact_server(svr, opt, argc>0&&strcmp(argv[0],"status")==0);
+#ifdef HAVE_SSL
ssl = setup_ssl(ctx, fd);
+#endif
/* send command */
ret = go_cmd(ssl, fd, argc, argv);
+#ifdef HAVE_SSL
if(ssl) SSL_free(ssl);
+#endif
close(fd);
+#ifdef HAVE_SSL
if(ctx) SSL_CTX_free(ctx);
+#endif
region_destroy(opt->region);
return ret;
}
@@ -537,6 +572,7 @@ int main(int argc, char* argv[])
char* svr = NULL;
log_init("nsd-control");
+#ifdef HAVE_SSL
#ifdef HAVE_ERR_LOAD_CRYPTO_STRINGS
ERR_load_crypto_strings();
#endif
@@ -569,6 +605,7 @@ int main(int argc, char* argv[])
RAND_seed(buf, 256);
fprintf(stderr, "warning: no entropy, seeding openssl PRNG with time\n");
}
+#endif /* HAVE_SSL */
/* parse the options */
while( (c=getopt(argc, argv, "c:s:h")) != -1) {
@@ -603,11 +640,3 @@ int main(int argc, char* argv[])
return go(cfgfile, svr, argc, argv);
}
-
-#else /* HAVE_SSL */
-int main(void)
-{
- printf("error: NSD was compiled without SSL.\n");
- return 1;
-}
-#endif /* HAVE_SSL */
diff --git a/usr.sbin/nsd/nsd.8.in b/usr.sbin/nsd/nsd.8.in
index c7705a8dd12..38b36e64800 100644
--- a/usr.sbin/nsd/nsd.8.in
+++ b/usr.sbin/nsd/nsd.8.in
@@ -1,9 +1,9 @@
-.TH "NSD" "8" "Nov 10, 2022" "NLnet Labs" "NSD 4.6.1"
+.TH "NSD" "8" "Jun 7, 2023" "NLnet Labs" "NSD 4.7.0"
.\" Copyright (c) 2001\-2008, NLnet Labs. All rights reserved.
.\" See LICENSE for the license.
.SH "NAME"
.B nsd
-\- Name Server Daemon (NSD) version 4.6.1.
+\- Name Server Daemon (NSD) version 4.7.0.
.SH "SYNOPSIS"
.B nsd
.RB [ \-4 ]
diff --git a/usr.sbin/nsd/nsd.c b/usr.sbin/nsd/nsd.c
index abf658a6297..81dfe2e85a6 100644
--- a/usr.sbin/nsd/nsd.c
+++ b/usr.sbin/nsd/nsd.c
@@ -1556,11 +1556,13 @@ main(int argc, char *argv[])
if(nsd.options->control_enable || (nsd.options->tls_service_key && nsd.options->tls_service_key[0])) {
perform_openssl_init();
}
+#endif /* HAVE_SSL */
if(nsd.options->control_enable) {
/* read ssl keys while superuser and outside chroot */
if(!(nsd.rc = daemon_remote_create(nsd.options)))
error("could not perform remote control setup");
}
+#if defined(HAVE_SSL)
if(nsd.options->tls_service_key && nsd.options->tls_service_key[0]
&& nsd.options->tls_service_pem && nsd.options->tls_service_pem[0]) {
if(!(nsd.tls_ctx = server_tls_ctx_create(&nsd, NULL,
diff --git a/usr.sbin/nsd/nsd.conf.5.in b/usr.sbin/nsd/nsd.conf.5.in
index f8c5987e914..6780ea7e849 100644
--- a/usr.sbin/nsd/nsd.conf.5.in
+++ b/usr.sbin/nsd/nsd.conf.5.in
@@ -1,4 +1,4 @@
-.TH "nsd.conf" "5" "Nov 10, 2022" "NLnet Labs" "nsd 4.6.1"
+.TH "nsd.conf" "5" "Jun 7, 2023" "NLnet Labs" "nsd 4.7.0"
.\" Copyright (c) 2001\-2008, NLnet Labs. All rights reserved.
.\" See LICENSE for the license.
.SH "NAME"
@@ -1071,6 +1071,23 @@ for those messages to the server.
Sets the unix socket file name for connecting to the server that is
listening on that socket. Default is "@dnstap_socket_path@".
.TP
+.B dnstap-ip:\fR <"" or addr[@port]>
+If disabled with "", the socket path is used. With a value, like address or
+address@port, like "127.0.0.1@3333" TCP or TLS is used. Default is "".
+.TP
+.B dnstap-tls:\fR <yes or no>
+If enabled, TLS is used to the address specified in \fBdnstap-ip\fR. Otherwise,
+TCP is used. Default is yes.
+.TP
+.B dnstap-tls-server-name:\fR <string>
+The name for authenticating the upstream server. With "" disabled.
+.TP
+.B dnstap-tls-client-key-file:\fR <file name>
+The key file for client authentication, or "" disabled.
+.TP
+.B dnstap-tls-client-cert-file:\fR <file name>
+The cert file for client authentication, or "" disabled.
+.TP
.B dnstap-send-identity:\fR <yes or no>
If enabled, the server identity is included in the log messages.
Default is no.
diff --git a/usr.sbin/nsd/nsd.conf.sample.in b/usr.sbin/nsd/nsd.conf.sample.in
index 93bc80bdec8..67fdf4cb1d1 100644
--- a/usr.sbin/nsd/nsd.conf.sample.in
+++ b/usr.sbin/nsd/nsd.conf.sample.in
@@ -301,6 +301,13 @@ verify:
# set this to yes and set one or more of dnstap-log-..-messages to yes.
# dnstap-enable: no
# dnstap-socket-path: "@dnstap_socket_path@"
+ # for dnstap-ip, "" is disabled, use TCP or TLS with like 127.0.0.1@3333
+ # dnstap-ip: ""
+ # dnstap-tls: yes
+ # dnstap-tls-server-name: ""
+ # dnstap-tls-cert-bundle: "path/to/bundle.pem"
+ # dnstap-tls-client-key-file: ""
+ # dnstap-tls-client-cert-file: ""
# dnstap-send-identity: no
# dnstap-send-version: no
# dnstap-identity: ""
diff --git a/usr.sbin/nsd/nsd.h b/usr.sbin/nsd/nsd.h
index f7cd53817b0..8fea49d6ddc 100644
--- a/usr.sbin/nsd/nsd.h
+++ b/usr.sbin/nsd/nsd.h
@@ -7,8 +7,8 @@
*
*/
-#ifndef _NSD_H_
-#define _NSD_H_
+#ifndef NSD_H
+#define NSD_H
#include <signal.h>
#include <net/if.h>
@@ -407,4 +407,4 @@ void perform_openssl_init(void);
#endif
ssize_t block_read(struct nsd* nsd, int s, void* p, ssize_t sz, int timeout);
-#endif /* _NSD_H_ */
+#endif /* NSD_H */
diff --git a/usr.sbin/nsd/options.c b/usr.sbin/nsd/options.c
index b3d2d530436..7f435adcbe9 100644
--- a/usr.sbin/nsd/options.c
+++ b/usr.sbin/nsd/options.c
@@ -117,6 +117,12 @@ nsd_options_create(region_type* region)
#ifdef USE_DNSTAP
opt->dnstap_enable = 0;
opt->dnstap_socket_path = DNSTAP_SOCKET_PATH;
+ opt->dnstap_ip = "";
+ opt->dnstap_tls = 1;
+ opt->dnstap_tls_server_name = NULL;
+ opt->dnstap_tls_cert_bundle = NULL;
+ opt->dnstap_tls_client_key_file = NULL;
+ opt->dnstap_tls_client_cert_file = NULL;
opt->dnstap_send_identity = 0;
opt->dnstap_send_version = 0;
opt->dnstap_identity = NULL;
diff --git a/usr.sbin/nsd/options.h b/usr.sbin/nsd/options.h
index b447b401b88..a9540911109 100644
--- a/usr.sbin/nsd/options.h
+++ b/usr.sbin/nsd/options.h
@@ -164,6 +164,18 @@ struct nsd_options {
int dnstap_enable;
/** dnstap socket path */
char* dnstap_socket_path;
+ /** dnstap IP, if "", it uses socket path. */
+ char* dnstap_ip;
+ /** dnstap TLS enable */
+ int dnstap_tls;
+ /** dnstap tls server authentication name */
+ char* dnstap_tls_server_name;
+ /** dnstap server cert bundle */
+ char* dnstap_tls_cert_bundle;
+ /** dnstap client key for client authentication */
+ char* dnstap_tls_client_key_file;
+ /** dnstap client cert for client authentication */
+ char* dnstap_tls_client_cert_file;
/** true to send "identity" via dnstap */
int dnstap_send_identity;
/** true to send "version" via dnstap */
diff --git a/usr.sbin/nsd/packet.h b/usr.sbin/nsd/packet.h
index ed08dfae1d6..9b4a524cde8 100644
--- a/usr.sbin/nsd/packet.h
+++ b/usr.sbin/nsd/packet.h
@@ -7,8 +7,8 @@
*
*/
-#ifndef _PACKET_H_
-#define _PACKET_H_
+#ifndef PACKET_H
+#define PACKET_H
#include <sys/types.h>
@@ -202,4 +202,4 @@ int packet_read_query_section(buffer_type *packet,
* returns false on no-serial found or parse failure. */
int packet_find_notify_serial(buffer_type *packet, uint32_t* serial);
-#endif /* _PACKET_H_ */
+#endif /* PACKET_H */
diff --git a/usr.sbin/nsd/popen3.h b/usr.sbin/nsd/popen3.h
index ed95b500fdd..82d84d87884 100644
--- a/usr.sbin/nsd/popen3.h
+++ b/usr.sbin/nsd/popen3.h
@@ -6,8 +6,8 @@
* See LICENSE for the license.
*
*/
-#ifndef _POPEN3_H_
-#define _POPEN3_H_
+#ifndef POPEN3_H
+#define POPEN3_H
#include <stdio.h>
#include <sys/types.h>
@@ -24,4 +24,4 @@ pid_t popen3(char *const *command,
int *fdoutptr,
int *fderrptr);
-#endif /* _POPEN3_H_ */
+#endif /* POPEN3_H */
diff --git a/usr.sbin/nsd/query.h b/usr.sbin/nsd/query.h
index 2f47c9371b1..e6822901918 100644
--- a/usr.sbin/nsd/query.h
+++ b/usr.sbin/nsd/query.h
@@ -7,8 +7,8 @@
*
*/
-#ifndef _QUERY_H_
-#define _QUERY_H_
+#ifndef QUERY_H
+#define QUERY_H
#include <assert.h>
#include <string.h>
@@ -230,4 +230,4 @@ query_overflow(query_type *q)
{
return buffer_position(q->packet) > (q->maxlen - q->reserved_space);
}
-#endif /* _QUERY_H_ */
+#endif /* QUERY_H */
diff --git a/usr.sbin/nsd/rbtree.h b/usr.sbin/nsd/rbtree.h
index eb9b3941245..0dea2097c86 100644
--- a/usr.sbin/nsd/rbtree.h
+++ b/usr.sbin/nsd/rbtree.h
@@ -7,8 +7,8 @@
*
*/
-#ifndef _RBTREE_H_
-#define _RBTREE_H_
+#ifndef RBTREE_H
+#define RBTREE_H
#include "region-allocator.h"
@@ -73,4 +73,4 @@ rbnode_type *rbtree_previous(rbnode_type *rbtree);
(rbnode_type*)node != RBTREE_NULL; \
node = (type)rbtree_next((rbnode_type*)node))
-#endif /* _RBTREE_H_ */
+#endif /* RBTREE_H */
diff --git a/usr.sbin/nsd/rdata.h b/usr.sbin/nsd/rdata.h
index 457d940eca0..deaa6eff7e8 100644
--- a/usr.sbin/nsd/rdata.h
+++ b/usr.sbin/nsd/rdata.h
@@ -7,8 +7,8 @@
*
*/
-#ifndef _RDATA_H_
-#define _RDATA_H_
+#ifndef RDATA_H
+#define RDATA_H
#include "dns.h"
#include "namedb.h"
@@ -58,4 +58,4 @@ int rdata_atoms_to_unknown_string(buffer_type *out,
int print_rdata(buffer_type *output, rrtype_descriptor_type *descriptor,
rr_type *record);
-#endif /* _DNS_H_ */
+#endif /* RDATA_H */
diff --git a/usr.sbin/nsd/region-allocator.h b/usr.sbin/nsd/region-allocator.h
index b305f1c9bde..99af23350e6 100644
--- a/usr.sbin/nsd/region-allocator.h
+++ b/usr.sbin/nsd/region-allocator.h
@@ -7,8 +7,8 @@
*
*/
-#ifndef _REGION_ALLOCATOR_H_
-#define _REGION_ALLOCATOR_H_
+#ifndef REGION_ALLOCATOR_H
+#define REGION_ALLOCATOR_H
#include <stdio.h>
@@ -150,4 +150,4 @@ size_t region_get_mem_unused(region_type* region);
/* Debug print REGION statistics to LOG. */
void region_log_stats(region_type *region);
-#endif /* _REGION_ALLOCATOR_H_ */
+#endif /* REGION_ALLOCATOR_H */
diff --git a/usr.sbin/nsd/remote.c b/usr.sbin/nsd/remote.c
index 2b2064aa681..5cdee68db2b 100644
--- a/usr.sbin/nsd/remote.c
+++ b/usr.sbin/nsd/remote.c
@@ -43,10 +43,10 @@
* Both the server and the client(control tool) have their own keys.
*/
#include "config.h"
-#ifdef HAVE_SSL
+#ifdef HAVE_SSL
#ifdef HAVE_OPENSSL_SSL_H
-#include "openssl/ssl.h"
+#include <openssl/ssl.h>
#endif
#ifdef HAVE_OPENSSL_ERR_H
#include <openssl/err.h>
@@ -54,10 +54,12 @@
#ifdef HAVE_OPENSSL_RAND_H
#include <openssl/rand.h>
#endif
+#endif /* HAVE_SSL */
#include <ctype.h>
#include <unistd.h>
#include <assert.h>
#include <fcntl.h>
+#include <errno.h>
#ifndef USE_MINI_EVENT
# ifdef HAVE_EVENT_H
# include <event.h>
@@ -121,8 +123,10 @@ struct rc_state {
struct timeval tval;
/** in the handshake part */
enum { rc_none, rc_hs_read, rc_hs_write } shake_state;
+#ifdef HAVE_SSL
/** the ssl state */
SSL* ssl;
+#endif
/** file descriptor */
int fd;
/** the rc this is part of */
@@ -165,16 +169,20 @@ struct daemon_remote {
struct rc_state* stats_list;
/** last time stats was reported */
struct timeval stats_time, boot_time;
+#ifdef HAVE_SSL
/** the SSL context for creating new SSL streams */
SSL_CTX* ctx;
+#endif
};
/**
* Connection to print to, either SSL or plain over fd
*/
struct remote_stream {
+#ifdef HAVE_SSL
/** SSL structure, nonNULL if using SSL */
SSL* ssl;
+#endif
/** file descriptor for plain transfer */
int fd;
};
@@ -218,7 +226,7 @@ remote_control_callback(int fd, short event, void* arg);
/** ---- end of private defines ---- **/
-
+#ifdef HAVE_SSL
/** log ssl crypto err */
static void
log_crypto_err(const char* str)
@@ -233,6 +241,7 @@ log_crypto_err(const char* str)
log_msg(LOG_ERR, "and additionally crypto %s", buf);
}
}
+#endif /* HAVE_SSL */
#ifdef BIND8_STATS
/** subtract timers and the values do not overflow or become negative */
@@ -252,6 +261,7 @@ timeval_subtract(struct timeval* d, const struct timeval* end,
}
#endif /* BIND8_STATS */
+#ifdef HAVE_SSL
static int
remote_setup_ctx(struct daemon_remote* rc, struct nsd_options* cfg)
{
@@ -264,6 +274,7 @@ remote_setup_ctx(struct daemon_remote* rc, struct nsd_options* cfg)
}
return 1;
}
+#endif /* HAVE_SSL */
struct daemon_remote*
daemon_remote_create(struct nsd_options* cfg)
@@ -274,14 +285,20 @@ daemon_remote_create(struct nsd_options* cfg)
assert(cfg->control_enable);
if(options_remote_is_address(cfg)) {
+#ifdef HAVE_SSL
if(!remote_setup_ctx(rc, cfg)) {
daemon_remote_delete(rc);
return NULL;
}
rc->use_cert = 1;
+#else
+ log_msg(LOG_ERR, "Could not setup remote control: NSD was compiled without SSL.");
+#endif /* HAVE_SSL */
} else {
struct ip_address_option* o;
+#ifdef HAVE_SSL
rc->ctx = NULL;
+#endif
rc->use_cert = 0;
for(o = cfg->control_interface; o; o = o->next) {
if(o->address && o->address[0] != '/')
@@ -328,8 +345,10 @@ void daemon_remote_close(struct daemon_remote* rc)
np = p->next;
if(p->event_added)
event_del(&p->c);
+#ifdef HAVE_SSL
if(p->ssl)
SSL_free(p->ssl);
+#endif
close(p->c.ev_fd);
free(p);
p = np;
@@ -342,9 +361,11 @@ void daemon_remote_delete(struct daemon_remote* rc)
{
if(!rc) return;
daemon_remote_close(rc);
+#ifdef HAVE_SSL
if(rc->ctx) {
SSL_CTX_free(rc->ctx);
}
+#endif
free(rc);
}
@@ -639,6 +660,7 @@ remote_accept_callback(int fd, short event, void* arg)
}
}
+#ifdef HAVE_SSL
if(rc->ctx) {
n->shake_state = rc_hs_read;
n->ssl = SSL_new(rc->ctx);
@@ -660,6 +682,7 @@ remote_accept_callback(int fd, short event, void* arg)
} else {
n->ssl = NULL;
}
+#endif /* HAVE_SSL */
n->rc = rc;
n->stats_next = NULL;
@@ -717,10 +740,12 @@ clean_point(struct daemon_remote* rc, struct rc_state* s)
rc->active --;
if(s->event_added)
event_del(&s->c);
+#ifdef HAVE_SSL
if(s->ssl) {
SSL_shutdown(s->ssl);
SSL_free(s->ssl);
}
+#endif /* HAVE_SSL */
close(s->c.ev_fd);
free(s);
}
@@ -728,10 +753,11 @@ clean_point(struct daemon_remote* rc, struct rc_state* s)
static int
ssl_print_text(RES* res, const char* text)
{
- int r;
if(!res)
return 0;
+#ifdef HAVE_SSL
if(res->ssl) {
+ int r;
ERR_clear_error();
if((r=SSL_write(res->ssl, text, (int)strlen(text))) <= 0) {
if(SSL_get_error(res->ssl, r) == SSL_ERROR_ZERO_RETURN) {
@@ -743,12 +769,15 @@ ssl_print_text(RES* res, const char* text)
return 0;
}
} else {
+#endif /* HAVE_SSL */
if(write_socket(res->fd, text, strlen(text)) <= 0) {
log_msg(LOG_ERR, "could not write: %s",
strerror(errno));
return 0;
}
+#ifdef HAVE_SSL
}
+#endif /* HAVE_SSL */
return 1;
}
@@ -776,14 +805,15 @@ ssl_printf(RES* ssl, const char* format, ...)
static int
ssl_read_line(RES* res, char* buf, size_t max)
{
- int r;
size_t len = 0;
if(!res)
return 0;
while(len < max) {
buf[len] = 0; /* terminate for safety and please checkers */
/* this byte is written if we read a byte from the input */
+#ifdef HAVE_SSL
if(res->ssl) {
+ int r;
ERR_clear_error();
if((r=SSL_read(res->ssl, buf+len, 1)) <= 0) {
if(SSL_get_error(res->ssl, r) == SSL_ERROR_ZERO_RETURN) {
@@ -794,6 +824,7 @@ ssl_read_line(RES* res, char* buf, size_t max)
return 0;
}
} else {
+#endif /* HAVE_SSL */
while(1) {
ssize_t rr = read(res->fd, buf+len, 1);
if(rr <= 0) {
@@ -809,7 +840,9 @@ ssl_read_line(RES* res, char* buf, size_t max)
}
break;
}
+#ifdef HAVE_SSL
}
+#endif /* HAVE_SSL */
if(buf[len] == '\n') {
/* return string without \n */
buf[len] = 0;
@@ -1212,8 +1245,11 @@ do_stats(struct daemon_remote* rc, int peek, struct rc_state* rs)
/* force a reload */
xfrd_set_reload_now(xfrd);
#else
+ RES res;
+ res.ssl = rs->ssl;
+ res.fd = rs->fd;
(void)rc; (void)peek;
- (void)ssl_printf(rs->ssl, "error no stats enabled at compile time\n");
+ (void)ssl_printf(&res, "error no stats enabled at compile time\n");
#endif /* BIND8_STATS */
}
@@ -2403,6 +2439,7 @@ handle_req(struct daemon_remote* rc, struct rc_state* s, RES* res)
}
/* try to read magic UBCT[version]_space_ string */
+#ifdef HAVE_SSL
if(res->ssl) {
ERR_clear_error();
if((r=SSL_read(res->ssl, magic, (int)sizeof(magic)-1)) <= 0) {
@@ -2412,6 +2449,7 @@ handle_req(struct daemon_remote* rc, struct rc_state* s, RES* res)
return;
}
} else {
+#endif /* HAVE_SSL */
while(1) {
ssize_t rr = read(res->fd, magic, sizeof(magic)-1);
if(rr <= 0) {
@@ -2424,7 +2462,9 @@ handle_req(struct daemon_remote* rc, struct rc_state* s, RES* res)
r = (int)rr;
break;
}
+#ifdef HAVE_SSL
}
+#endif /* HAVE_SSL */
magic[7] = 0;
if( r != 7 || strncmp(magic, "NSDCT", 5) != 0) {
VERBOSITY(2, (LOG_INFO, "control connection has bad header"));
@@ -2450,6 +2490,7 @@ handle_req(struct daemon_remote* rc, struct rc_state* s, RES* res)
execute_cmd(rc, res, buf, s);
}
+#ifdef HAVE_SSL
/** handle SSL_do_handshake changes to the file descriptor to wait for later */
static void
remote_handshake_later(struct daemon_remote* rc, struct rc_state* s, int fd,
@@ -2492,6 +2533,7 @@ remote_handshake_later(struct daemon_remote* rc, struct rc_state* s, int fd,
clean_point(rc, s);
}
}
+#endif /* HAVE_SSL */
static void
remote_control_callback(int fd, short event, void* arg)
@@ -2499,14 +2541,15 @@ remote_control_callback(int fd, short event, void* arg)
RES res;
struct rc_state* s = (struct rc_state*)arg;
struct daemon_remote* rc = s->rc;
- int r;
if( (event&EV_TIMEOUT) ) {
log_msg(LOG_ERR, "remote control timed out");
clean_point(rc, s);
return;
}
+#ifdef HAVE_SSL
if(s->ssl) {
/* (continue to) setup the SSL connection */
+ int r;
ERR_clear_error();
r = SSL_do_handshake(s->ssl);
if(r != 1) {
@@ -2516,10 +2559,12 @@ remote_control_callback(int fd, short event, void* arg)
}
s->shake_state = rc_none;
}
+#endif /* HAVE_SSL */
/* once handshake has completed, check authentication */
if (!rc->use_cert) {
VERBOSITY(3, (LOG_INFO, "unauthenticated remote control connection"));
+#ifdef HAVE_SSL
} else if(SSL_get_verify_result(s->ssl) == X509_V_OK) {
X509* x = SSL_get_peer_certificate(s->ssl);
if(!x) {
@@ -2530,6 +2575,7 @@ remote_control_callback(int fd, short event, void* arg)
}
VERBOSITY(3, (LOG_INFO, "remote control connection authenticated"));
X509_free(x);
+#endif /* HAVE_SSL */
} else {
VERBOSITY(2, (LOG_INFO, "remote control connection failed to "
"authenticate with client certificate"));
@@ -2538,7 +2584,9 @@ remote_control_callback(int fd, short event, void* arg)
}
/* if OK start to actually handle the request */
+#ifdef HAVE_SSL
res.ssl = s->ssl;
+#endif /* HAVE_SSL */
res.fd = fd;
handle_req(rc, s, &res);
@@ -2833,7 +2881,9 @@ daemon_remote_process_stats(struct daemon_remote* rc)
/* pop one and give it stats */
while((s = rc->stats_list)) {
assert(s->in_stats_list);
+#ifdef HAVE_SSL
res.ssl = s->ssl;
+#endif
res.fd = s->fd;
print_stats(&res, rc->xfrd, &now, (s->in_stats_list == 1));
if(s->in_stats_list == 1) {
@@ -2908,5 +2958,3 @@ err:
return -1;
#endif
}
-
-#endif /* HAVE_SSL */
diff --git a/usr.sbin/nsd/server.c b/usr.sbin/nsd/server.c
index 18fc6d4c0ec..529edcf404f 100644
--- a/usr.sbin/nsd/server.c
+++ b/usr.sbin/nsd/server.c
@@ -1532,8 +1532,8 @@ server_shutdown(struct nsd *nsd)
}
tsig_finalize();
-#ifdef HAVE_SSL
daemon_remote_delete(nsd->rc); /* ssl-delete secret keys */
+#ifdef HAVE_SSL
if (nsd->tls_ctx)
SSL_CTX_free(nsd->tls_ctx);
#endif
@@ -1709,9 +1709,7 @@ server_send_soa_xfrd(struct nsd* nsd, int shortsoa)
log_msg(LOG_WARNING, "signal received, shutting down...");
server_close_all_sockets(nsd->udp, nsd->ifs);
server_close_all_sockets(nsd->tcp, nsd->ifs);
-#ifdef HAVE_SSL
daemon_remote_close(nsd->rc);
-#endif
/* Unlink it if possible... */
unlinkpid(nsd->pidfile);
unlink(nsd->task[0]->fname);
@@ -2810,9 +2808,7 @@ server_main(struct nsd *nsd)
/* close opened ports to avoid race with restart of nsd */
server_close_all_sockets(nsd->udp, nsd->ifs);
server_close_all_sockets(nsd->tcp, nsd->ifs);
-#ifdef HAVE_SSL
daemon_remote_close(nsd->rc);
-#endif
send_children_quit_and_wait(nsd);
/* Unlink it if possible... */
@@ -2926,11 +2922,13 @@ nsd_event_method(void)
return "select";
#else
struct event_base* b = nsd_child_event_base();
- const char* m = "?";
+ const char* m;
# ifdef EV_FEATURE_BACKENDS
m = ub_ev_backend2str(ev_backend((struct ev_loop*)b));
# elif defined(HAVE_EVENT_BASE_GET_METHOD)
m = event_base_get_method(b);
+# else
+ m = "?";
# endif
# ifdef MEMCLEAN
event_base_free(b);
@@ -3040,7 +3038,11 @@ void server_verify(struct nsd *nsd, int cmdsocket)
nsd->verifier_count = 0;
nsd->verifier_limit = nsd->options->verifier_count;
size = sizeof(struct verifier) * nsd->verifier_limit;
- pipe(nsd->verifier_pipe);
+ if(pipe(nsd->verifier_pipe) == -1) {
+ log_msg(LOG_ERR, "verify: could not create pipe: %s",
+ strerror(errno));
+ goto fail_pipe;
+ }
fcntl(nsd->verifier_pipe[0], F_SETFD, FD_CLOEXEC);
fcntl(nsd->verifier_pipe[1], F_SETFD, FD_CLOEXEC);
nsd->verifiers = region_alloc_zero(nsd->server_region, size);
@@ -3130,9 +3132,10 @@ void server_verify(struct nsd *nsd, int cmdsocket)
assert(nsd->next_zone_to_verify == NULL || nsd->mode == NSD_QUIT);
assert(nsd->verifier_count == 0 || nsd->mode == NSD_QUIT);
fail:
- event_base_free(nsd->event_base);
close(nsd->verifier_pipe[0]);
close(nsd->verifier_pipe[1]);
+fail_pipe:
+ event_base_free(nsd->event_base);
region_destroy(nsd->server_region);
nsd->event_base = NULL;
diff --git a/usr.sbin/nsd/tsig-openssl.h b/usr.sbin/nsd/tsig-openssl.h
index 30345b6596f..13824a5e63b 100644
--- a/usr.sbin/nsd/tsig-openssl.h
+++ b/usr.sbin/nsd/tsig-openssl.h
@@ -7,10 +7,10 @@
*
*/
-#ifndef _TSIG_OPENSSL_H_
-#define _TSIG_OPENSSL_H_
+#ifndef TSIG_OPENSSL_H
+#define TSIG_OPENSSL_H
-#if defined(TSIG) && defined(HAVE_SSL)
+#if defined(HAVE_SSL)
#include "region-allocator.h"
@@ -22,8 +22,8 @@
*/
int tsig_openssl_init(region_type *region);
-void tsig_openssl_finalize();
+void tsig_openssl_finalize(void);
-#endif /* defined(TSIG) && defined(HAVE_SSL) */
+#endif /* defined(HAVE_SSL) */
-#endif /* _TSIG_H_ */
+#endif /* TSIG_OPENSSL_H */
diff --git a/usr.sbin/nsd/tsig.h b/usr.sbin/nsd/tsig.h
index 7af8dfe5886..4f74dd276dd 100644
--- a/usr.sbin/nsd/tsig.h
+++ b/usr.sbin/nsd/tsig.h
@@ -7,8 +7,8 @@
*
*/
-#ifndef _TSIG_H_
-#define _TSIG_H_
+#ifndef TSIG_H
+#define TSIG_H
#include <sys/types.h>
#include <sys/socket.h>
@@ -22,10 +22,6 @@
#define TSIG_ERROR_BADKEY 17
#define TSIG_ERROR_BADTIME 18
-#define TSIG_HMAC_MD5 157
-#define TSIG_HMAC_SHA1 158
-#define TSIG_HMAC_SHA256 159
-
typedef struct tsig_algorithm tsig_algorithm_type;
typedef struct tsig_key tsig_key_type;
typedef struct tsig_record tsig_record_type;
@@ -103,7 +99,7 @@ struct tsig_key
{
const dname_type *name;
size_t size;
- const uint8_t *data;
+ uint8_t *data;
};
struct tsig_record
@@ -144,6 +140,7 @@ int tsig_init(region_type *region);
* Add the specified key to the TSIG key table.
*/
void tsig_add_key(tsig_key_type *key);
+void tsig_del_key(tsig_key_type *key);
/*
* Add the specified algorithm to the TSIG algorithm table.
@@ -156,11 +153,6 @@ void tsig_add_algorithm(tsig_algorithm_type *algorithm);
tsig_algorithm_type *tsig_get_algorithm_by_name(const char *name);
/*
- * Find an HMAC algorithm based on its identifier.
- */
-tsig_algorithm_type *tsig_get_algorithm_by_id(uint8_t alg);
-
-/*
* Return a descriptive error message based on the TSIG error code.
*/
const char *tsig_error(int error_code);
@@ -177,6 +169,7 @@ void tsig_create_record(tsig_record_type* tsig,
/*
* Like tsig_create_record, with custom region settings.
* The size params are used to customise the rr_region and context_region.
+ * If region is NULL, no cleanup is attached to it.
*/
void tsig_create_record_custom(tsig_record_type* tsig,
region_type* region,
@@ -185,6 +178,12 @@ void tsig_create_record_custom(tsig_record_type* tsig,
size_t initial_cleanup_size);
/*
+ * Destroy tsig record internals (the main ptr is user alloced).
+ * if region is nonNULL, removes cleanup.
+ */
+void tsig_delete_record(tsig_record_type* tsig, region_type* region);
+
+/*
* Call this before starting to analyze or signing a sequence of
* packets.
*
@@ -290,4 +289,4 @@ int tsig_strlowercmp(const char* str1, const char* str2);
*/
void tsig_finalize(void);
-#endif /* _TSIG_H_ */
+#endif /* TSIG_H */
diff --git a/usr.sbin/nsd/util.h b/usr.sbin/nsd/util.h
index 332d5d30d56..97b7ba0cfca 100644
--- a/usr.sbin/nsd/util.h
+++ b/usr.sbin/nsd/util.h
@@ -7,8 +7,8 @@
*
*/
-#ifndef _UTIL_H_
-#define _UTIL_H_
+#ifndef UTIL_H
+#define UTIL_H
#include <sys/time.h>
#include <stdarg.h>
@@ -451,4 +451,4 @@ void activate_cookie_secret(struct nsd* nsd);
/* Drop a cookie secret. Drops the staging secret. An active secret will not
* be dropped. */
void drop_cookie_secret(struct nsd* nsd);
-#endif /* _UTIL_H_ */
+#endif /* UTIL_H */
diff --git a/usr.sbin/nsd/verify.c b/usr.sbin/nsd/verify.c
index 06d72d30e0e..df9b8e80e4d 100644
--- a/usr.sbin/nsd/verify.c
+++ b/usr.sbin/nsd/verify.c
@@ -112,11 +112,11 @@ static inline size_t print_line(struct verifier_stream *stream, int eof)
return 0;
if (len > LOGLINELEN) {
- fmt = stream->cut ? ".. %.*s .." : "%.*s ..";
+ fmt = stream->cut ? "verifier: .. %.*s .." : "verifier: %.*s ..";
len = LOGLINELEN; // remainder printed next iteration
stream->cut = 1;
} else {
- fmt = stream->cut ? ".. %.*s" : "%.*s";
+ fmt = stream->cut ? "verifier: .. %.*s" : "verifier: %.*s";
stream->cut = 0;
}
log_msg(stream->priority, fmt, len, stream->buf + stream->off);
@@ -274,7 +274,10 @@ void verify_handle_signal(int sig, short event, void *arg)
assert(arg != NULL);
nsd = (struct nsd *)arg;
- (void)write(nsd->verifier_pipe[1], buf, sizeof(buf));
+ if(write(nsd->verifier_pipe[1], buf, sizeof(buf)) == -1) {
+ log_msg(LOG_ERR, "verify_handle_signal: write failed: %s",
+ strerror(errno));
+ }
}
/*
diff --git a/usr.sbin/nsd/verify.h b/usr.sbin/nsd/verify.h
index 7333b91888d..1d50f622f67 100644
--- a/usr.sbin/nsd/verify.h
+++ b/usr.sbin/nsd/verify.h
@@ -5,8 +5,8 @@
*
* See LICENSE for the license.
*/
-#ifndef _VERIFY_H_
-#define _VERIFY_H_
+#ifndef VERIFY_H
+#define VERIFY_H
#ifndef USE_MINI_EVENT
# ifdef HAVE_EVENT_H
@@ -77,4 +77,4 @@ void verify_handle_exit(int fd, short event, void *arg);
void verify_handle_command(int fd, short event, void *arg);
-#endif /* _VERIFY_H_ */
+#endif /* VERIFY_H */
diff --git a/usr.sbin/nsd/xfrd-disk.c b/usr.sbin/nsd/xfrd-disk.c
index 325405d812e..274d5a2ddc7 100644
--- a/usr.sbin/nsd/xfrd-disk.c
+++ b/usr.sbin/nsd/xfrd-disk.c
@@ -329,13 +329,13 @@ xfrd_read_state(struct xfrd_state* xfrd)
incoming_soa = zone->soa_nsd;
incoming_acquired = zone->soa_nsd_acquired;
zone->soa_nsd = soa_nsd_read;
- zone->soa_disk = soa_disk_read;
- zone->soa_notified = soa_notified_read;
zone->soa_nsd_acquired = soa_nsd_acquired_read;
- /* we had better use what we got from starting NSD, not
- * what we store in this file, because the actual zone
- * contents trumps the contents of this cache */
- /* zone->soa_disk_acquired = soa_disk_acquired_read; */
+ /* use soa and soa_acquired from starting NSD, not what is stored in
+ * the state file, because the actual zone contents trumps the contents
+ * of this cache */
+ zone->soa_disk = incoming_soa;
+ zone->soa_disk_acquired = incoming_acquired;
+ zone->soa_notified = soa_notified_read;
zone->soa_notified_acquired = soa_notified_acquired_read;
if (zone->state == xfrd_zone_expired)
{
diff --git a/usr.sbin/nsd/xfrd-tcp.c b/usr.sbin/nsd/xfrd-tcp.c
index b5910b33e70..5b1d80bb514 100644
--- a/usr.sbin/nsd/xfrd-tcp.c
+++ b/usr.sbin/nsd/xfrd-tcp.c
@@ -1268,9 +1268,12 @@ conn_read_ssl(struct xfrd_tcp* tcp, SSL* ssl)
}
if(err == SSL_ERROR_ZERO_RETURN) {
/* EOF */
- return 0;
+ return -1;
}
- log_msg(LOG_ERR, "ssl_read returned error %d with received %zd", err, received);
+ if(err == SSL_ERROR_SYSCALL)
+ log_msg(LOG_ERR, "ssl_read returned error SSL_ERROR_SYSCALL with received %zd: %s", received, strerror(errno));
+ else
+ log_msg(LOG_ERR, "ssl_read returned error %d with received %zd", err, received);
}
if(received == -1) {
if(errno == EAGAIN || errno == EINTR) {
@@ -1317,9 +1320,12 @@ conn_read_ssl(struct xfrd_tcp* tcp, SSL* ssl)
int err = SSL_get_error(ssl, received);
if(err == SSL_ERROR_ZERO_RETURN) {
/* EOF */
- return 0;
+ return -1;
}
- log_msg(LOG_ERR, "ssl_read returned error %d with received %zd", err, received);
+ if(err == SSL_ERROR_SYSCALL)
+ log_msg(LOG_ERR, "ssl_read returned error SSL_ERROR_SYSCALL with received %zd: %s", received, strerror(errno));
+ else
+ log_msg(LOG_ERR, "ssl_read returned error %d with received %zd", err, received);
}
if(received == -1) {
if(errno == EAGAIN || errno == EINTR) {
@@ -1462,7 +1468,10 @@ xfrd_tcp_read(struct xfrd_tcp_pipeline* tp)
#endif
ret = conn_read(tcp);
if(ret == -1) {
- log_msg(LOG_ERR, "xfrd: failed reading tcp %s", strerror(errno));
+ if(errno != 0)
+ log_msg(LOG_ERR, "xfrd: failed reading tcp %s", strerror(errno));
+ else
+ log_msg(LOG_ERR, "xfrd: failed reading tcp: closed");
xfrd_tcp_pipe_stop(tp);
return;
}
diff --git a/usr.sbin/nsd/xfrd.c b/usr.sbin/nsd/xfrd.c
index f2a29169acd..b7e1628c725 100644
--- a/usr.sbin/nsd/xfrd.c
+++ b/usr.sbin/nsd/xfrd.c
@@ -15,6 +15,7 @@
#include <errno.h>
#include <sys/types.h>
#include <sys/wait.h>
+#include <inttypes.h>
#include "xfrd.h"
#include "xfrd-tcp.h"
#include "xfrd-disk.h"
@@ -196,9 +197,7 @@ xfrd_init(int socket, struct nsd* nsd, int shortsoa, int reload_active,
xfrd->notify_waiting_last = NULL;
xfrd->notify_udp_num = 0;
-#ifdef HAVE_SSL
daemon_remote_attach(xfrd->nsd->rc, xfrd);
-#endif
xfrd->tcp_set = xfrd_tcp_set_create(xfrd->region, nsd->options->tls_cert_bundle, nsd->options->xfrd_tcp_max, nsd->options->xfrd_tcp_pipeline);
xfrd->tcp_set->tcp_timeout = nsd->tcp_timeout;
@@ -357,9 +356,7 @@ xfrd_shutdown()
if(xfrd->nsd->options->zonefiles_write) {
event_del(&xfrd->write_timer);
}
-#ifdef HAVE_SSL
daemon_remote_close(xfrd->nsd->rc); /* close sockets of rc */
-#endif
/* close sockets */
RBTREE_FOR(zone, xfrd_zone_type*, xfrd->zones)
{
@@ -406,8 +403,8 @@ xfrd_shutdown()
/* unlink xfr files in not-yet-done task file */
xfrd_clean_pending_tasks(xfrd->nsd, xfrd->nsd->task[xfrd->nsd->mytask]);
xfrd_del_tempdir(xfrd->nsd);
-#ifdef HAVE_SSL
daemon_remote_delete(xfrd->nsd->rc); /* ssl-delete secret keys */
+#ifdef HAVE_SSL
if (xfrd->nsd->tls_ctx)
SSL_CTX_free(xfrd->nsd->tls_ctx);
# ifdef HAVE_TLS_1_3
@@ -1300,7 +1297,7 @@ xfrd_handle_incoming_soa(xfrd_zone_type* zone,
return;
if(zone->soa_disk_acquired) {
- int cmp = compare_serial(soa->serial, zone->soa_disk.serial);
+ int cmp = compare_serial(ntohl(soa->serial), ntohl(zone->soa_disk.serial));
/* soa is from an update if serial equals soa_disk.serial or
serial is less than soa_disk.serial and the acquired time is
@@ -1317,9 +1314,17 @@ xfrd_handle_incoming_soa(xfrd_zone_type* zone,
}
/* soa in disk has been loaded in memory */
- log_msg(LOG_INFO, "zone %s serial %u is updated to %u",
- zone->apex_str, (unsigned)ntohl(zone->soa_nsd.serial),
- (unsigned)ntohl(soa->serial));
+ {
+ uint32_t soa_serial, soa_nsd_serial;
+ soa_serial = ntohl(soa->serial);
+ soa_nsd_serial = ntohl(zone->soa_nsd.serial);
+ if (compare_serial(soa_serial, soa_nsd_serial) > 0)
+ log_msg(LOG_INFO, "zone %s serial %"PRIu32" is updated to %"PRIu32,
+ zone->apex_str, soa_nsd_serial, soa_serial);
+ else
+ log_msg(LOG_INFO, "zone %s serial is updated to %"PRIu32,
+ zone->apex_str, soa_serial);
+ }
zone->soa_nsd = *soa;
zone->soa_nsd_acquired = acquired;
xfrd->write_zonefile_needed = 1;
@@ -2356,8 +2361,8 @@ xfrd_handle_received_xfr_packet(xfrd_zone_type* zone, buffer_type* packet)
zone->soa_disk = soa;
if(zone->soa_notified_acquired && (
zone->soa_notified.serial == 0 ||
- compare_serial(htonl(zone->soa_disk.serial),
- htonl(zone->soa_notified.serial)) >= 0))
+ compare_serial(ntohl(zone->soa_disk.serial),
+ ntohl(zone->soa_notified.serial)) >= 0))
{
zone->soa_notified_acquired = 0;
}
@@ -2691,9 +2696,7 @@ xfrd_process_stat_info_task(xfrd_state_type* xfrd, struct task_list_d* task)
xfrd->nsd->children[i].query_count += *p++;
}
/* got total, now see if users are interested in these statistics */
-#ifdef HAVE_SSL
daemon_remote_process_stats(xfrd->nsd->rc);
-#endif
}
#endif /* BIND8_STATS */
diff --git a/usr.sbin/nsd/zonec.c b/usr.sbin/nsd/zonec.c
index d9090ff8698..c01fc51b3b6 100644
--- a/usr.sbin/nsd/zonec.c
+++ b/usr.sbin/nsd/zonec.c
@@ -2209,14 +2209,6 @@ zonec_read(const char* name, const char* zonefile, zone_type* zone)
return 1;
}
-#ifndef ROOT_SERVER
- /* Is it a root zone? Are we a root server then? Idiot proof. */
- if (dname->label_count == 1) {
- zc_error("not configured as a root server");
- return 1;
- }
-#endif
-
/* Open the zone file */
if (!zone_open(zonefile, 3600, CLASS_IN, dname)) {
zc_error("cannot open '%s': %s", zonefile, strerror(errno));
diff --git a/usr.sbin/nsd/zonec.h b/usr.sbin/nsd/zonec.h
index e1b1fdd5484..d4db32e0f79 100644
--- a/usr.sbin/nsd/zonec.h
+++ b/usr.sbin/nsd/zonec.h
@@ -7,8 +7,8 @@
*
*/
-#ifndef _ZONEC_H_
-#define _ZONEC_H_
+#ifndef ZONEC_H
+#define ZONEC_H
#include "namedb.h"
@@ -150,4 +150,4 @@ void check_sshfp(void);
void apex_rrset_checks(struct namedb* db, rrset_type* rrset,
domain_type* domain);
-#endif /* _ZONEC_H_ */
+#endif /* ZONEC_H */