Merge pull request #5 from NLnetLabs/master

bring fork up to date

.travis.yml

@@ -0,0 +1,16 @@
+sudo: false
+language: c
+compiler:
+  - gcc
+addons:
+  apt:
+    packages:
+    - libssl-dev
+    - libevent-dev
+    - libexpat-dev
+    - clang
+script:
+  - ./configure --enable-debug --disable-flto
+  - make
+  - make test
+  - (cd testdata; ../testcode/mini_tdir.sh exe clang-analysis.tdir ; if grep -e "warning:" -e "error:" result.clang-analysis ; then exit 1; else exit 0; fi)

config.h.in

@@ -86,6 +86,10 @@
    if you don't. */
 #undef HAVE_DECL_ARC4RANDOM_UNIFORM
 
+/* Define to 1 if you have the declaration of `evsignal_assign', and to 0 if
+   you don't. */
+#undef HAVE_DECL_EVSIGNAL_ASSIGN
+
 /* Define to 1 if you have the declaration of `inet_ntop', and to 0 if you
    don't. */
 #undef HAVE_DECL_INET_NTOP
@@ -166,6 +170,9 @@
 /* Define to 1 if you have the `ERR_load_crypto_strings' function. */
 #undef HAVE_ERR_LOAD_CRYPTO_STRINGS
 
+/* Define to 1 if you have the `event_assign' function. */
+#undef HAVE_EVENT_ASSIGN
+
 /* Define to 1 if you have the `event_base_free' function. */
 #undef HAVE_EVENT_BASE_FREE
 

configure

@@ -19013,6 +19013,35 @@ _ACEOF
 fi
 done
  # only in libev. (tested on 4.00)
+	for ac_func in event_assign
+do :
+  ac_fn_c_check_func "$LINENO" "event_assign" "ac_cv_func_event_assign"
+if test "x$ac_cv_func_event_assign" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_EVENT_ASSIGN 1
+_ACEOF
+
+fi
+done
+ # in libevent, for thread-safety
+	ac_fn_c_check_decl "$LINENO" "evsignal_assign" "ac_cv_have_decl_evsignal_assign" "$ac_includes_default
+#ifdef HAVE_EVENT_H
+#  include <event.h>
+#else
+#  include \"event2/event.h\"
+#endif
+
+"
+if test "x$ac_cv_have_decl_evsignal_assign" = xyes; then :
+  ac_have_decl=1
+else
+  ac_have_decl=0
+fi
+
+cat >>confdefs.h <<_ACEOF
+#define HAVE_DECL_EVSIGNAL_ASSIGN $ac_have_decl
+_ACEOF
+
         PC_LIBEVENT_DEPENDENCY="libevent"
 
 	if test -n "$BAK_LDFLAGS_SET"; then

configure.ac

@@ -1200,6 +1200,14 @@ large outgoing port ranges.  ])
 	AC_CHECK_FUNCS([event_base_get_method]) # only in libevent 1.4.3 and later
 	AC_CHECK_FUNCS([ev_loop]) # only in libev. (tested on 3.51)
 	AC_CHECK_FUNCS([ev_default_loop]) # only in libev. (tested on 4.00)
+	AC_CHECK_FUNCS([event_assign]) # in libevent, for thread-safety
+	AC_CHECK_DECLS([evsignal_assign], [], [], [AC_INCLUDES_DEFAULT
+#ifdef HAVE_EVENT_H
+#  include <event.h>
+#else
+#  include "event2/event.h"
+#endif
+	])
         PC_LIBEVENT_DEPENDENCY="libevent"
         AC_SUBST(PC_LIBEVENT_DEPENDENCY)
 	if test -n "$BAK_LDFLAGS_SET"; then

doc/Changelog

@@ -1,3 +1,47 @@
+18 April 2019: Ralph
+	- Scrub RRs from answer section when reusing NXDOMAIN message for
+	  subdomain answers.
+	- For harden-below-nxdomain: do not consider a name to be non-exitent
+	  when message contains a CNAME record.
+
+18 April 2019: Wouter
+	- travis build file.
+
+16 April 2019: Wouter
+	- Better braces in if statement in TCP fastopen code.
+	- iana portlist updated.
+
+15 April 2019: Wouter
+	- Fix tls write event for read state change to re-call SSL_write and
+	  not resume the TLS handshake.
+
+11 April 2019: George
+	- Update python documentation for init_standard().
+	- Typos.
+
+11 April 2019: Wouter
+	- Fix that auth zone uses correct network type for sockets for
+	  SOA serial probes.  This fixes that probes fail because earlier
+	  probe addresses are unreachable.
+	- Fix that auth zone fails over to next master for timeout in tcp.
+	- Squelch SSL read and write connection reset by peer and broken pipe 
+	  messages.  Verbosity 2 and higher enables them.
+
+8 April 2019: Wouter
+	- Fix to use event_assign with libevent for thread-safety.
+	- verbose information about auth zone lookup process, also lookup
+	  start, timeout and fail.
+	- Fix #17: Add python module example from Jan Janak, that is a
+	  plugin for the Unbound DNS resolver to resolve DNS records in
+	  multicast DNS [RFC 6762] via Avahi.  The plugin communicates
+	  with Avahi via DBus. The comment section at the beginning of
+	  the file contains detailed documentation.
+	- Fix to wipe ssl ticket keys from memory with explicit_bzero,
+	  if available.
+
+5 April 2019: Wouter
+	- Fix to reinit event structure for accepted TCP (and TLS) sockets.
+
 4 April 2019: Wouter
 	- Fix spelling error in log output for event method.
 

doc/unbound.conf.5.in

@@ -828,7 +828,7 @@ Can be given multiple times, for different domains.
 .TP
 .B qname\-minimisation: \fI<yes or no>
 Send minimum amount of information to upstream servers to enhance privacy.
-Only sent minimum required labels of the QNAME and set QTYPE to A when
+Only send minimum required labels of the QNAME and set QTYPE to A when
 possible. Best effort approach; full QNAME and original QTYPE will be sent when
 upstream replies with a RCODE other than NOERROR, except when receiving
 NXDOMAIN from a DNSSEC signed zone. Default is yes.

iterator/iter_utils.c

@@ -1211,6 +1211,19 @@ iter_scrub_ds(struct dns_msg* msg, struct ub_packed_rrset_key* ns, uint8_t* z)
 	}
 }
 
+void
+iter_scrub_nxdomain(struct dns_msg* msg)
+{
+	if(msg->rep->an_numrrsets == 0)
+		return;
+
+	memmove(msg->rep->rrsets, msg->rep->rrsets+msg->rep->an_numrrsets,
+		sizeof(struct ub_packed_rrset_key*) *
+		(msg->rep->rrset_count-msg->rep->an_numrrsets));
+	msg->rep->rrset_count -= msg->rep->an_numrrsets;
+	msg->rep->an_numrrsets = 0;
+}
+
 void iter_dec_attempts(struct delegpt* dp, int d)
 {
 	struct delegpt_addr* a;

iterator/iter_utils.h

@@ -334,6 +334,13 @@ int iter_get_next_root(struct iter_hints* hints, struct iter_forwards* fwd,
 void iter_scrub_ds(struct dns_msg* msg, struct ub_packed_rrset_key* ns,
 	uint8_t* z);
 
+/**
+ * Prepare an NXDOMAIN message to be used for a subdomain answer by removing all
+ * RRs from the ANSWER section.
+ * @param msg: the response to scrub.
+ */
+void iter_scrub_nxdomain(struct dns_msg* msg);
+
 /**
  * Remove query attempts from all available ips. For 0x20.
  * @param dp: delegpt.

iterator/iterator.c

@@ -2718,8 +2718,15 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
 			&& !(iq->chase_flags & BIT_RD)) {
 			if(FLAGS_GET_RCODE(iq->response->rep->flags) != 
 				LDNS_RCODE_NOERROR) {
-				if(qstate->env->cfg->qname_minimisation_strict)
-					return final_state(iq);
+				if(qstate->env->cfg->qname_minimisation_strict) {
+					if(FLAGS_GET_RCODE(iq->response->rep->flags) ==
+						LDNS_RCODE_NXDOMAIN) {
+						iter_scrub_nxdomain(iq->response);
+						return final_state(iq);
+					}
+					return error_response(qstate, id,
+						LDNS_RCODE_SERVFAIL);
+				}
 				/* Best effort qname-minimisation. 
 				 * Stop minimising and send full query when
 				 * RCODE is not NOERROR. */

pythonmod/doc/examples/example0-1.py

@@ -1,8 +1,11 @@
-
 def init(id, cfg):
    log_info("pythonmod: init called, module id is %d port: %d script: %s" % (id, cfg.port, cfg.python_script))
    return True
 
+def init_standard(id, env):
+   log_info("pythonmod: init called, module id is %d port: %d script: %s" % (id, env.cfg.port, env.cfg.python_script))
+   return True
+
 def deinit(id):
    log_info("pythonmod: deinit called, module id is %d" % id)
    return True

pythonmod/doc/examples/example0.rst

@@ -54,6 +54,25 @@ Script file must contain four compulsory functions:
       return True
 
 
+.. function:: init_standard(id, env)
+
+   Initialize module internals, like database etc.
+   Called just once on module load.
+
+   *Preferred* over the init() function above as this function's signature is the
+   same as the C counterpart and allows for extra functionality during init.
+   The previously accessible configuration options can now be found in env.cfg.
+
+   :param id: module identifier (integer)
+   :param env: :class:`module_env` module environment
+
+::
+
+    def init_standard(id, env):
+       log_info("pythonmod: init called, module id is %d port: %d script: %s" % (id, env.cfg.port, env.cfg.python_script))
+       return True
+
+
 .. function:: deinit(id)
 
    Deinitialize module internals.