summaryrefslogtreecommitdiff
path: root/sbin/unwind
AgeCommit message (Collapse)Author
2022-09-23Sync to libunbound 1.16.3Florian Obser
2022-08-30sync to libunbound 1.16.2; heavy lifting by sthenFlorian Obser
2022-08-29Dynamically link these /sbin daemons: dhcpleased, mountd, nfsd, pflogd,Theo de Raadt
resolvd, slaacd, unwind. The mitigation story is way better: syscalls are in a randomly located libc, and every syscall stub is randomly located inside that due to random relinking. As opposed to fixed offset inside a release binary. There is one known consequence: /usr nfs mounting must use statically configured IP addresses. ok kettenis florian, others
2022-06-18sync to libunbound 1.16.0; heavy lifting by sthenFlorian Obser
2022-06-18We were a bit too enthusiastic when we copied libunbound and some otherFlorian Obser
helper functions from unbound(8). Delete unused shared memory functions that the unbound(8) daemon uses for statistics gathering. While here get rid of daemon.h which is unused, too. With this we can remove the hack in config.h to pretend we don't have shmget to prevent linker errors which makes syncing with unbound(8) easier.
2022-03-31man pages: add missing commas between subordinate and main clausesChristian Weisgerber
jmc@ dislikes a comma before "then" in a conditional, so leave those untouched. ok jmc@
2022-03-13parse_packet() is used by unbound to parse response packets, notFlorian Obser
queries. There is no need to do all this work just to get access to the query id and flags. OK bket, sthen
2022-03-12Probe for DNS64 presence with an absolute name so that asr doesn't addFlorian Obser
search domains and retry.
2022-03-03Use LDNS_RCODE define; no functional changeFlorian Obser
2022-03-01Update to libunbound 1.15.0; heavy lifting by sthen in unbound(8).Florian Obser
Upstream renamed parse_edns_from_pkt to parse_edns_from_query_pkt and added two arguments (config_file and comm_point) that we don't use, adjust callers in frontend accordingly.
2022-03-01Upstream renamed parse_extract_edns toFlorian Obser
parse_extract_edns_from_response_msg and parse_edns_from_pkt to parse_edns_from_query_pkt in libunbound 1.14.0. Both funktions work equally well for us but it would look weird to use the "from_response_msg" function on the query so switch to parse_edns_from_pkt in preparation for the libunbound update. testing & OK sthen
2022-01-09unwind/unbound: prepare for opaque DSA and RSA.Theo Buehler
Use the OpenSSL 1.1 codepath using accessors that have been available since LibreSSL 2.7 instead of reaching into the structs. ok sthen
2021-12-18Make sure we receive what we expect over imsg.Florian Obser
Instead of repairing potential garbage ensure that we receive proper C strings. Inspired by a similar diff by deraadt@ for ldapd.
2021-12-13including sys/cdefs.h manually started as a result of netbsd trying toTheo de Raadt
macro-build a replacement for sccsid, and was done without any concern for namespace damage. Unfortunately this practice started infecting other code as others were unaware they didn't need the file. ok millert guenther
2021-11-19Sync to unbound to allow interface names as scope-id in IPv6Florian Obser
link-local addresses. With this dns proposals from slaacd with link-local addresses from slaacd(8) are wroking. Requested by & OK kn
2021-11-16Validate RTM_PROPOSAL in resolver not frontendKlemens Nanni
The resolver is the actual consumer and shouldn't trust the frontend. Fold the IPv4/IPv6 specific checks thanks to the previous commit. Idea from florian OK florian
2021-11-16Simplify address family handling, ditch inet_ntop(3)Klemens Nanni
Reduce duplicate code and use getnameinfo(3) for IPv4 as well. This commit is the equivalent of sbin/resolvd/resolvd.c revision 1.21 "Simplify address family handling, ditch inet_ntop(3)". OK florian
2021-11-16Install missing scope identifier for IPv6 link-local addressesKlemens Nanni
RTM_PROPOSAL's list of IP addresses does not contain scope IDs by design. This is not a problem as the proposal is always bound to an interface, as long as we use it... Fill in the scope ID for link-local IPs and replace inet_ntop(3) usage with getnameinfo(3) in the IPv6 case such that it actually turns up in the string representation. This is the unwind specific fix to ensure working IPv6LL; libunbound still requires another fix. This commit is the equivalent of sbin/resolvd/resolvd.c revision 1.20 "Install missing scope identifier for IPv6 link-local addresses". OK florian
2021-10-24Use braces in config examplesKlemens Nanni
We document them as explicitly required, `unwind -dnvf...' spits them out like this and the last `force' example uses them as well.
2021-10-23unwind(8) gives the most preferred resolver strategy a bit more timeFlorian Obser
(200ms) to answer before trying the next strategy. However, we need to skip strategies that are not available. In the default configuration, without a config file unwind(8) would give DoT 200ms more time, but no DoT forwarders are known, so this is useless. OK kn
2021-10-22oops, missed unused variable in previousFlorian Obser
2021-10-22config_new_empty() should give us a completely empty config, letFlorian Obser
parse_config() handle the case of defaults. This prevents the resolver process from spinning up resolver strategies before the config has been parsed and tearing them down immediately after if they are not listed in the config files preferences section. OK kn
2021-10-22Honour enabled resolvers to keep unused forwarders actually disabledKlemens Nanni
An unwind.conf like the following would still query forwarders, both "." periodically and any explicit "example.com." queries: preference { recursor autoconf stub } forwarder { 2001:db8::1 } force accept bogus forwarder { example.com. } That's because the forwarder and resolver children processes start with the default configuration and main later sends them the effective user configuration; merging them, however, would ignore the list of enabled resolvers, i.e. those listed in the `preference {}' block and thusly cause children to always have all forwarders enabled (as is by default). Copy the resolvers list during merge to fix this and restore expected behaviour. (Noticed during tests with "forwarder" temporarily removed from `preference {}' while leaving the rest as is: my VPN interface serving that forwarder showed DNS traffic while it was supposed to be silent.) OK florian
2021-10-15Don't declare variables as "unsigned char *" that are passed toChristian Weisgerber
functions that take "char *" arguments. Where such chars are assigned to int or passed to ctype functions, explicitly cast them to unsigned char. For OpenBSD's clang, -Wpointer-sign has been disabled by default, but when the parse.y code was built elsewhere, the compiler would complain. With help from millert@ ok benno@ deraadt@
2021-08-31Adjust .Bl widthKlemens Nanni
2021-08-31Say autoconf not dhcpKlemens Nanni
Do not abuse "dhcp" to say "DHCP and SLAAC". unwind.conf(5) does so but unwindctl(8) does not; in fact, the latter already has `status autoconf' to Show nameservers learned from dhclient(8), dhcpleased(8) or slaacd(8). Adjust unwind's config manual and internal code accordingly; still accept the old keyword but do not document it. hostname.if(5) already advises for `inet[6] autoconf' instead of `dhcp' and other related daemons don't abuse the word "dhcp" like unwind does. Feedback sthen OK florian
2021-08-30INADDR_LOOPBACK check needs htonl(3) to workKlemens Nanni
Found in resolvd(8) which uses the same code.
2021-08-14Use new val-max-restart: 0 option to stop unwind from trying differentFlorian Obser
authorities when encountering a validation error. This only helps one particular case of validation errors: When authorities are out of sync and some carry old zones. In all other cases this causes a huge amount of work that will just end in a SERVFAIL because the result will still be bogus. OK sthen
2021-08-14Fix "no previous prototype" warningFlorian Obser
OK sthen as part of a larger diff
2021-08-14sync to unbound 1.13.2Florian Obser
OK sthen
2021-07-25Do not doubt a secure (i.e. validated) NXDOMAIN response when we justFlorian Obser
switched networks. We validated it, we can't do better than that! While here reorder the long list of conditions to make it easier to understand when we doubt a response because we might be behind a captive portal. First list all conditions when we do not doubt the response and then the two conditions when we do doubt the response. OK benno
2021-07-25We store a list of resolver strategies in order of their preference inFlorian Obser
the configuration struct. This is also an implicit list of enabled resolver strategies. We have also stored an explict lookup array of enabled strategies outside of the configuration to be able to quickly answer "is this strategy enabled" without traversing the preferences list. Move this table into the configuration so that we don't need to "repair" it on config reload. This fixes a bug where on startup the preferences list and enabled lookup table were not in sync. It didn't matter in practice since we do a config reload and then pass in DNSSEC trustanchors on startup. Both actions combined repaired things. OK benno
2021-07-24Capitalise DNS response code, stub learns from SLAAC, clarify wordingkn
OK florian
2021-07-18Document dhcpleased(8) and slaacd(8) besides dhclient(8) as DNS sourcekn
Zap the obsolete dhclient.conf(5) supersede quirk while here. Feedback OK florian
2021-07-12Change the error reporting pattern throughout the tree when unveilBob Beck
fails to report the path that the failure occured on. Suggested by deraadt@ after some tech discussion. Work done and verified by Ashton Fagg <ashton@fagg.id.au> ok deraadt@ semarie@ claudio@
2021-03-16sync to unbound 1.13.1; heavy lifting by sthenFlorian Obser
2021-02-27Path #defines are traditionally prefixed with _PATH.Florian Obser
Pointed out by deraadt
2021-02-24We need to track the pid of the connecting control connection to beFlorian Obser
able to send answers back to the correct client in case two are connecting at the same time. We also need to pass the pid around to the resolver process so that it can hand it back to us. Debugged by deraadt and dlg who noticed that answers would always arrive on the first control connection. deraadt@ points out that tracking the pid is not the best choice in case one process wants to hold open two connections but at least this brings us in line with all the other privsep daemons with control tools. If we change this we should change it in all daemons.
2021-02-20zap unneccessary .Pp;Jason McIntyre
2021-02-19Add an EXAMPLES sectionsolene
rewording by jmc@ ok jmc@
2021-02-07Only probe for DNS64 presence when we know that we can talk to the slaacdFlorian Obser
provided nameservers, i.e. the stub resolver check succeeded. Previously we would only probe DNS64 on network change but would not reschedule when it failed. Sometimes (most of the time?) this failes because our address is still tentative or a default route has not yet been installed. OK phessler
2021-02-06Revert delayed opening of trust anchor file. The code was somewhatFlorian Obser
ugly and the underlying problem (dhclient and unwind playing well together) should be solved differently. Final straw was jca reporting that it breaks his setup.
2021-01-31Make progress when stepping through rdns proposals even when skippingFlorian Obser
localhost.
2021-01-30Re-try to open DNSSEC trust anchor file if /var is not mounted yet.Florian Obser
This is a step towards starting unwind earlier, before the network is up and partitions are mounted. OK kn
2021-01-29Some libunbound configuration changes can change the quality of aFlorian Obser
resolver so we have to schedule a re-check. OK kn
2021-01-29Don't filter by address family on the route socket.Florian Obser
While here also set SOCK_NONBLOCK on the frontend routesock.
2021-01-28A new resolver can be created while we currently run a check with theFlorian Obser
old configuration. We will then request another check that runs in parallel to the old check. If the new check finishes earlier, the current check result will be overwritten by an outdated check result which is likely wrong. While here fix some whitespace. OK phessler
2021-01-27Determine available address families (and monitor when this changes)Florian Obser
to configure libunbound accordingly. This way it no longer tries to talk to IPv6 nameservers when only IPv4 is available and vice versa. input deraadt OK kn
2021-01-26Some config changes require a restart of all resolvers even DEAD ones;Florian Obser
handle them like UNKNOWN. Found the hard way by kn.
2021-01-25Revert local diff now that we no longer use syslog logging inFlorian Obser
libunbound. OK phessler