src - OpenBSD base system

Age	Commit message (Collapse)	Author
2019-12-17	Reject leases that do not provide a subnet mask for the address being	Kenneth R Westerback
	provided. Restores behaviour previously provided by the default dhclient.conf.
2019-12-15	Make this fit in 80 cols.	Florian Obser

2019-12-15	semarie diagnosed a what appeared to be a 'large backwards memcpy' of an	Theo de Raadt
	ipv6 address, but was actually oversize (a large union). correct access to the right subfield. ok florian semarie
2019-12-15	Allow more outgoing ports, the default 16 is pretty tight for the	Otto Moerbeek
	recursor. Also change strategy to not fetch addresses of nameservers pro-actively, it does not help a lot in typical unwind setups and consumes resources we would like to spend on actual resolving user queries. ok florian@
2019-12-14	Be less aggressive pre-allocating memory; ok florian@	Otto Moerbeek

2019-12-14	Simplify resolve_done.	Florian Obser
	- check if this is an answer to a still running query up front, if not there is nothing more to do - get rid of the retry case, we can now just inline it - reduce indent by always calculating elapsed time for DOUBT_NXDOMAIN_SEC Triggered by, input and OK otto
2019-12-14	No use to create resolvers we know are going to be dead; ok florian@	Otto Moerbeek

2019-12-13	Don't try dead resolvers; ok florian@	Otto Moerbeek

2019-12-13	print type as type and not as rcode	Otto Moerbeek

2019-12-13	Revert two files committed by accident	Otto Moerbeek

2019-12-13	Avoid leaks by using the _buf versions of sldns_wire2str_* functions.	Otto Moerbeek
	Also add some consistentcy checking to detect logic errors. ok @florian
2019-12-12	Avoid optimizing empty rulesets	kn
	All optimizations work on actual rules; if there are none, return early. While here, tell which ruleset/anchor is being optimized to make the debug message actually useful. OK mikeb
2019-12-12	Only create (and check) resolvers listed in preferences.	Florian Obser
	Unfortunately this required a fair amount of deck chair shuffling. Input & OK otto
2019-12-11	Plug leaks related to running queue maintenance. ok florian@	Otto Moerbeek

2019-12-10	If a file or directory component does not exists, realpath(3) returns	Alexander Bluhm
	ENOENT. In this case, try to open(2) the path. Then a non-existing file will be created, but a missing directory component still causes an error. This fixes isakmpd(8) IKE pcap file creation. from hshoexer@
2019-12-10	We can receive a delete and free an SA that is referenced in sa_nextr.	tobhe
	Remove references when deleting the SA, otherwise we trigger a use-after-free. ok markus@
2019-12-10	Plug two mem leaks in udp_receive() and zap unneeded allocations;	Otto Moerbeek
	ok florian@
2019-12-10	Similar to doubting NXDOMAIN when we just switched networks we also	Florian Obser
	need to doubt validation errors as we might find ourselves behind a captive portal. The hotspot at schiphol airport uses login.hotspotschiphol.nl: - it is NXDOMAIN on the public internet - hotspotschiphol.nl is signed and attests that login does not exist. - resolves to 1.1.1.5(!) when asking the dhcp nameservers - the dhcp nameservers pass DNSSEC records so validation works This resulted in unwind doing validation and answering SERVFAIL since the answer is bogus. Input & OK otto
2019-12-08	Limit advertised UDP payload size to 1232 bytes to prevent PMTU /	Florian Obser
	fragmentation issues. OK otto
2019-12-08	More compact two column format for first section of status display; use	Otto Moerbeek
	* to mark opportunistic DoT forwarders; ok florian
2019-12-08	Turn opportunistic DoT into their own strategies.	Florian Obser
	This is beneficial since we prefer strategies according to their performance. Previously name servers were upgraded to opportunistic DoT if it was available even if the round trip times went through the roof and there was no way to got back to plain udp/53 DNS. To make up a bit of space in the unwindctl status output, name servers learned via DHCP or SLAAC are printed in a new subcommand. The status output will be further improved shortly. Input & OK otto
2019-12-06	Log why an answer is bogus.	Florian Obser
	OK otto
2019-12-06	Use the middle of the histogram bar in the median computations	Otto Moerbeek
	instead of the right-hand side; ok florian@
2019-12-06	Stop fiddling with openlog / closelog in libunbound. unwind handles	Florian Obser
	this. We need to find a way to properly upstream this. OK otto
2019-12-05	be less verbose in debug logging; ok florian@	Otto Moerbeek

2019-12-05	Tell a little bit how "preference" works these days; ok florian@	Otto Moerbeek

2019-12-05	Remove clause #3 from mrg@NetBSD license.	Martin Pieuchot
	In May 29 2008, Matthew R. Green removed it in NetBSD: github.com/IIJ-NetBSD/netbsd-src/commit/7ea20401d535da9996394136ef ok deraadt@
2019-12-04	When we detect that a resolver strategy is not validating because the	Florian Obser
	time is wrong enable a timer to check it again later. ntpd might have corrected the time. input & OK otto
2019-12-04	Use NI_MAXHOST like everywhere else instead of a wrong number.	Florian Obser

2019-12-04	If we see a validated result, we can (must!) assume the resolver is	Otto Moerbeek
	validating; ok florian@
2019-12-03	Cleanup query logging.	Florian Obser
	Debug log level 1 gives us basic query progress, level 2 writes out packages. looks good to otto
2019-12-03	Cleanup check_resolver_done() debug logging.	Florian Obser
	Log answer packet only at debug level 2. looks good to otto
2019-12-03	Add one more debug level and enable very detailed libunbound logging	Florian Obser
	with this. Currently only available as a command line flag (-vvv). With this we now have two debug levels available in unwind proper, to be used shortly. looks good to otto
2019-12-03	No need to store "why_bogus" with the resolver, we are no longer	Florian Obser
	showing it in unwindctl. But log it with level warn for check_resolver so that one can find out what's wrong with a resolver strategy. looks good to otto
2019-12-03	Remove useless log_debug() calls.	Florian Obser
	Looks good to otto
2019-12-03	No more status subcommands; ok florian@	Otto Moerbeek

2019-12-03	Correctly represent flows as traffic selectors as described in RFC 7296. This	tobhe
	allows us to deduplicate the network ranges sent in the TS payload and saves some bytes on the wire. ok patrick@
2019-12-02	Save the computed median to avoid having it to compute it all the time;	Otto Moerbeek
	ok florian@
2019-12-02	Use a unified cache in all libunbound based resolvers.	Florian Obser
	OK otto
2019-12-02	increment refcount before doing the call to resolve(); ok florian@	Otto Moerbeek

2019-12-02	Add an "all" mode for status and a much more compact and readable histogram	Otto Moerbeek
	display; remove the why bogus status message; ok florian@
2019-12-01	Add missing space between "accept" and "bogus"	kn

2019-12-01	Allow forcing specific domains to be resolved by specific resolvers;	Otto Moerbeek
	Handles typical split-horzizon setups. ok florian@
2019-12-01	Explain how ipcomp can be enabled.	tobhe
	ok reyk@
2019-11-30	make sure we only pass normalized timevals for the next resolver interval;	Otto Moerbeek
	ok florian@
2019-11-30	The message sent in config_setmode starts the handshake in the ikev2 process	tobhe
	and thus must be sent last. ok reyk@
2019-11-30	Log loaded SPIs and flows.	tobhe
	ok patrick@
2019-11-30	Not being able to create a resolver is not a fatal condition in unwind,	Florian Obser
	there might be others still working. Make sure check_resolver() handles this correctly.
2019-11-30	ifconfig(8) did silently ignore the netmask parameter for inet6 and	Alexander Bluhm
	interpreted only prefixlen. Also accept netmask for IPv6. This is consistent to our man page and the route(8) command. OK benno@
2019-11-29	Change the default security level for incoming IPsec flows from	tobhe
	isakmpd and iked to REQUIRE. Filter policy violations earlier. ok sashan@ bluhm@