author | sthen <sthen@openbsd.org> | 2015-12-11 12:28:49 +0000 |
---|---|---|
committer | sthen <sthen@openbsd.org> | 2015-12-11 12:28:49 +0000 |
commit | 3126abd5b48597586fd4a570a3b34bd2977fbe39 (patch) | |
tree | a205a29f98b6e14f4be9674271b4a55049c51c7d /usr.sbin | |
parent | Add cmdq as an argument to format_create and add a format for the (diff) | |
update to NSD 4.1.7, ok florian@
Diffstat (limited to 'usr.sbin')
-rw-r--r-- | usr.sbin/nsd/Makefile.in | 1 | ||||
-rw-r--r-- | usr.sbin/nsd/acx_nlnetlabs.m4 | 12 | ||||
-rw-r--r-- | usr.sbin/nsd/config.h.in | 9 | ||||
-rw-r--r-- | usr.sbin/nsd/configlexer.lex | 1 | ||||
-rw-r--r-- | usr.sbin/nsd/configparser.y | 10 | ||||
-rw-r--r-- | usr.sbin/nsd/configure.ac | 35 | ||||
-rw-r--r-- | usr.sbin/nsd/netio.c | 80 | ||||
-rw-r--r-- | usr.sbin/nsd/netio.h | 7 | ||||
-rw-r--r-- | usr.sbin/nsd/nsd-checkconf.8.in | 2 | ||||
-rw-r--r-- | usr.sbin/nsd/nsd-checkconf.c | 7 | ||||
-rw-r--r-- | usr.sbin/nsd/nsd-checkzone.8.in | 2 | ||||
-rw-r--r-- | usr.sbin/nsd/nsd-control.8.in | 2 | ||||
-rw-r--r-- | usr.sbin/nsd/nsd.8.in | 4 | ||||
-rw-r--r-- | usr.sbin/nsd/nsd.c | 3 | ||||
-rw-r--r-- | usr.sbin/nsd/nsd.conf.5.in | 33 | ||||
-rw-r--r-- | usr.sbin/nsd/nsd.conf.sample.in | 15 | ||||
-rw-r--r-- | usr.sbin/nsd/options.c | 14 | ||||
-rw-r--r-- | usr.sbin/nsd/options.h | 1 | ||||
-rw-r--r-- | usr.sbin/nsd/query.c | 10 | ||||
-rw-r--r-- | usr.sbin/nsd/region-allocator.c | 1 | ||||
-rw-r--r-- | usr.sbin/nsd/server.c | 5 | ||||
-rw-r--r-- | usr.sbin/nsd/tsig-openssl.c | 4 | ||||
-rw-r--r-- | usr.sbin/nsd/zonec.c | 5 |
23 files changed, 167 insertions, 96 deletions
diff --git a/usr.sbin/nsd/Makefile.in b/usr.sbin/nsd/Makefile.in index d193cc6629e..91032915ada 100644 --- a/usr.sbin/nsd/Makefile.in +++ b/usr.sbin/nsd/Makefile.in @@ -65,6 +65,7 @@ EDIT = sed \ -e 's,@zonelistfile\@,$(zonelistfile),g' \ -e 's,@nsdconfigfile\@,$(nsdconfigfile),g' \ -e 's,@shell\@,$(SHELL),g' \ + -e 's,@ratelimit_default\@,@ratelimit_default@,g' \ -e 's,@user\@,$(user),g' TARGETS=nsd nsd-checkconf nsd-checkzone nsd-control nsd.conf.sample nsd-control-setup.sh diff --git a/usr.sbin/nsd/acx_nlnetlabs.m4 b/usr.sbin/nsd/acx_nlnetlabs.m4 index c9ca7558da5..26513e4ff67 100644 --- a/usr.sbin/nsd/acx_nlnetlabs.m4 +++ b/usr.sbin/nsd/acx_nlnetlabs.m4 @@ -2,7 +2,9 @@ # Copyright 2009, Wouter Wijngaards, NLnet Labs. # BSD licensed. # -# Version 28 +# Version 30 +# 2015-11-18 spelling check fix. +# 2015-11-05 ACX_SSL_CHECKS no longer adds -ldl needlessly. # 2015-08-28 ACX_CHECK_PIE and ACX_CHECK_RELRO_NOW added. # 2015-03-17 AHX_CONFIG_REALLOCARRAY added # 2013-09-19 FLTO help text improved. @@ -24,7 +26,7 @@ # 2010-07-02 Add check for ss_family (for minix). # 2010-04-26 Fix to use CPPFLAGS for CHECK_COMPILER_FLAGS. # 2010-03-01 Fix RPATH using CONFIG_COMMANDS to run at the very end. -# 2010-02-18 WITH_SSL outputs the LIBSSL_LDFLAGS, LIBS, CPPFLAGS seperate, -ldl +# 2010-02-18 WITH_SSL outputs the LIBSSL_LDFLAGS, LIBS, CPPFLAGS separate, -ldl # 2010-02-01 added ACX_CHECK_MEMCMP_SIGNED, AHX_MEMCMP_BROKEN # 2010-01-20 added AHX_COONFIG_STRLCAT # 2009-07-14 U_CHAR detection improved for windows crosscompile. @@ -715,12 +717,6 @@ AC_DEFUN([ACX_SSL_CHECKS], [ fi AC_SUBST(HAVE_SSL) AC_SUBST(RUNTIME_PATH) - # openssl engine functionality needs dlopen(). - BAKLIBS="$LIBS" - AC_SEARCH_LIBS([dlopen], [dl]) - if test "$LIBS" != "$BAKLIBS"; then - LIBSSL_LIBS="$LIBSSL_LIBS -ldl" - fi fi AC_CHECK_HEADERS([openssl/ssl.h],,, [AC_INCLUDES_DEFAULT]) AC_CHECK_HEADERS([openssl/err.h],,, [AC_INCLUDES_DEFAULT]) 
diff --git a/usr.sbin/nsd/config.h.in b/usr.sbin/nsd/config.h.in index b2b1c3884dc..2a2e5b68655 100644 --- a/usr.sbin/nsd/config.h.in +++ b/usr.sbin/nsd/config.h.in @@ -188,6 +188,9 @@ /* Define to 1 if you have the <openssl/ssl.h> header file. */ #undef HAVE_OPENSSL_SSL_H +/* Define to 1 if you have the `ppoll' function. */ +#undef HAVE_PPOLL + /* Define to 1 if you have the `pselect' function. */ #undef HAVE_PSELECT @@ -411,12 +414,12 @@ /* Define this to enable rate limiting. */ #undef RATELIMIT +/* Define this to set ratelimit to off by default. */ +#undef RATELIMIT_DEFAULT_OFF + /* Define as the return type of signal handlers (`int' or `void'). */ #undef RETSIGTYPE -/* enable reuseport option by default. */ -#undef REUSEPORT_BY_DEFAULT - /* Define this to configure as a root server. */ #undef ROOT_SERVER diff --git a/usr.sbin/nsd/configlexer.lex b/usr.sbin/nsd/configlexer.lex index e38e952a3f1..20304b7be5b 100644 --- a/usr.sbin/nsd/configlexer.lex +++ b/usr.sbin/nsd/configlexer.lex @@ -207,6 +207,7 @@ do-ip4{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_DO_IP4;} do-ip6{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_DO_IP6;} database{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_DATABASE;} identity{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_IDENTITY;} +version{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_VERSION;} nsid{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_NSID;} logfile{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_LOGFILE;} server-count{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_SERVER_COUNT;} diff --git a/usr.sbin/nsd/configparser.y b/usr.sbin/nsd/configparser.y index 03310ca27ba..36a3dddd3b8 100644 --- a/usr.sbin/nsd/configparser.y +++ b/usr.sbin/nsd/configparser.y 
@@ -67,7 +67,7 @@ extern config_parser_state_t* cfg_parser; %token VAR_RRL_IPV4_PREFIX_LENGTH VAR_RRL_IPV6_PREFIX_LENGTH %token VAR_RRL_WHITELIST_RATELIMIT VAR_RRL_WHITELIST %token VAR_ZONEFILES_CHECK VAR_ZONEFILES_WRITE VAR_LOG_TIME_ASCII -%token VAR_ROUND_ROBIN VAR_ZONESTATS VAR_REUSEPORT +%token VAR_ROUND_ROBIN VAR_ZONESTATS VAR_REUSEPORT VAR_VERSION %% toplevelvars: /* empty */ | toplevelvars toplevelvar ; @@ -97,7 +97,7 @@ content_server: server_ip_address | server_ip_transparent | server_debug_mode | server_rrl_ipv4_prefix_length | server_rrl_ipv6_prefix_length | server_rrl_whitelist_ratelimit | server_zonefiles_check | server_do_ip4 | server_do_ip6 | server_zonefiles_write | server_log_time_ascii | server_round_robin | - server_reuseport; + server_reuseport | server_version; server_ip_address: VAR_IP_ADDRESS STRING { OUTYY(("P(server_ip_address:%s)\n", $2)); @@ -215,6 +215,12 @@ server_identity: VAR_IDENTITY STRING cfg_parser->opt->identity = region_strdup(cfg_parser->opt->region, $2); } ; +server_version: VAR_VERSION STRING + { + OUTYY(("P(server_version:%s)\n", $2)); + cfg_parser->opt->version = region_strdup(cfg_parser->opt->region, $2); + } + ; server_nsid: VAR_NSID STRING { unsigned char* nsid = 0; diff --git a/usr.sbin/nsd/configure.ac b/usr.sbin/nsd/configure.ac index d559af34d7c..c04deacc25e 100644 --- a/usr.sbin/nsd/configure.ac +++ b/usr.sbin/nsd/configure.ac @@ -4,7 +4,7 @@ dnl sinclude(acx_nlnetlabs.m4) -AC_INIT(NSD,4.1.6,nsd-bugs@nlnetlabs.nl) +AC_INIT(NSD,4.1.7,nsd-bugs@nlnetlabs.nl) AC_CONFIG_HEADER([config.h]) CFLAGS="$CFLAGS" @@ -91,7 +91,9 @@ AC_ARG_WITH([dbfile], AC_SUBST(dbfile) AC_DEFINE_UNQUOTED(DBFILE, ["`eval echo $dbfile`"], [Pathname to the NSD database]) -dbdir=`dirname $dbfile` +if test -n "$dbfile"; then + dbdir=`dirname $dbfile` +fi AC_SUBST(dbdir) piddir=`dirname $pidfile` 
@@ -336,9 +338,6 @@ AC_DEFUN([CHECK_SSL], [ if test x_$ssldir = x_/usr/sfw; then LDFLAGS="$LDFLAGS -R$ssldir/lib"; fi - AC_CHECK_LIB(crypto, HMAC_CTX_init,, [ - AC_MSG_ERROR([OpenSSL found in $ssldir, but version 0.9.7 or higher is required]) - ]) fi AC_SUBST(HAVE_SSL) fi @@ -504,12 +503,6 @@ AC_CHECK_STRPTIME_WORKS ACX_CHECK_NONBLOCKING_BROKEN ACX_MKDIR_ONE_ARG -# see if reuseport is enabled by default (also a config option). -# freebsd can compile the option, but it does not work, it works on Linux. -if test "`uname`" = "Linux"; then - AC_DEFINE([REUSEPORT_BY_DEFAULT], 1, [enable reuseport option by default.]) -fi - # set -I. and -Isrcdir if test -n "$CPPFLAGS"; then CPPFLAGS="$CPPFLAGS -I." @@ -603,7 +596,7 @@ AC_SYS_LARGEFILE AC_CHECK_SIZEOF(void*) AC_CHECK_SIZEOF(off_t) AC_CHECK_FUNCS([arc4random arc4random_uniform]) -AC_CHECK_FUNCS([tzset alarm chroot dup2 endpwent gethostname memset memcpy pwrite socket strcasecmp strchr strdup strerror strncasecmp strtol writev getaddrinfo getnameinfo freeaddrinfo gai_strerror sigaction sigprocmask strptime strftime localtime_r setusercontext glob initgroups setresuid setreuid setresgid setregid getpwnam mmap]) +AC_CHECK_FUNCS([tzset alarm chroot dup2 endpwent gethostname memset memcpy pwrite socket strcasecmp strchr strdup strerror strncasecmp strtol writev getaddrinfo getnameinfo freeaddrinfo gai_strerror sigaction sigprocmask strptime strftime localtime_r setusercontext glob initgroups setresuid setreuid setresgid setregid getpwnam mmap ppoll]) AC_ARG_ENABLE(recvmmsg, AC_HELP_STRING([--enable-recvmmsg], [Enable recvmmsg and sendmmsg compilation, faster but some kernel versions may have implementation problems])) case "$enable_recvmmsg" in 
@@ -819,10 +812,28 @@ case "$enable_ratelimit" in esac AC_SUBST(ratelimit) +AC_ARG_ENABLE(ratelimit-default-is-off, AC_HELP_STRING([--enable-ratelimit-default-is-off], [Enable this to set default of ratelimit to off (enable in nsd.conf), otherwise ratelimit is enabled by default if --enable-ratelimit is enabled])) +case "$enable_ratelimit_default_is_off" in + yes) + AC_DEFINE_UNQUOTED([RATELIMIT_DEFAULT_OFF], [], [Define this to set ratelimit to off by default.]) + ratelimit_default="off" + ;; + no|*) + ratelimit_default="on" + ;; +esac +AC_SUBST(ratelimit_default) + + # we need SSL for TSIG (and maybe also for NSEC3). CHECK_SSL if test x$HAVE_SSL = x"yes"; then ACX_LIB_SSL + if test -n "$ssldir"; then + AC_CHECK_LIB(crypto, HMAC_CTX_init,, [ + AC_MSG_ERROR([OpenSSL found in $ssldir, but version 0.9.7 or higher is required]) + ]) + fi SSL_LIBS="-lssl" AC_SUBST(SSL_LIBS) AC_CHECK_HEADERS([openssl/ssl.h],,, [AC_INCLUDES_DEFAULT]) diff --git a/usr.sbin/nsd/netio.c b/usr.sbin/nsd/netio.c index ad8ee16ee60..6c4b395babe 100644 --- a/usr.sbin/nsd/netio.c +++ b/usr.sbin/nsd/netio.c @@ -13,17 +13,12 @@ #include <sys/time.h> #include <string.h> #include <stdlib.h> +#include <poll.h> #include "netio.h" #include "util.h" - -#ifndef HAVE_PSELECT -int pselect(int n, fd_set *readfds, fd_set *writefds, fd_set *exceptfds, - const struct timespec *timeout, const sigset_t *sigmask); -#else -#include <sys/select.h> -#endif +#define MAX_NETIO_FDS 1024 netio_type * netio_create(region_type *region) @@ -65,6 +60,7 @@ netio_add_handler(netio_type *netio, netio_handler_type *handler) elt->next = netio->handlers; elt->handler = handler; + elt->handler->pfd = -1; netio->handlers = elt; } 
@@ -111,14 +107,18 @@ netio_current_time(netio_type *netio) int netio_dispatch(netio_type *netio, const struct timespec *timeout, const sigset_t *sigmask) { - fd_set readfds, writefds, exceptfds; - int max_fd; + /* static arrays to avoid allocation */ + static struct pollfd fds[MAX_NETIO_FDS]; + int numfd; int have_timeout = 0; struct timespec minimum_timeout; netio_handler_type *timeout_handler = NULL; netio_handler_list_type *elt; int rc; int result = 0; +#ifndef HAVE_PPOLL + sigset_t origmask; +#endif assert(netio); @@ -139,26 +139,24 @@ netio_dispatch(netio_type *netio, const struct timespec *timeout, const sigset_t * Initialize the fd_sets and timeout based on the handler * information. */ - max_fd = -1; - FD_ZERO(&readfds); - FD_ZERO(&writefds); - FD_ZERO(&exceptfds); + numfd = 0; for (elt = netio->handlers; elt; elt = elt->next) { netio_handler_type *handler = elt->handler; - if (handler->fd != -1 && handler->fd < (int)FD_SETSIZE) { - if (handler->fd > max_fd) { - max_fd = handler->fd; - } + if (handler->fd != -1 && numfd < MAX_NETIO_FDS) { + fds[numfd].fd = handler->fd; + fds[numfd].events = 0; + fds[numfd].revents = 0; + handler->pfd = numfd; if (handler->event_types & NETIO_EVENT_READ) { - FD_SET(handler->fd, &readfds); + fds[numfd].events |= POLLIN; } if (handler->event_types & NETIO_EVENT_WRITE) { - FD_SET(handler->fd, &writefds); - } - if (handler->event_types & NETIO_EVENT_EXCEPT) { - FD_SET(handler->fd, &exceptfds); + fds[numfd].events |= POLLOUT; } + numfd++; + } else { + handler->pfd = -1; } if (handler->timeout && (handler->event_types & NETIO_EVENT_TIMEOUT)) { struct timespec relative; @@ -180,7 +178,7 @@ netio_dispatch(netio_type *netio, const struct timespec *timeout, const sigset_t if (have_timeout && minimum_timeout.tv_sec < 0) { /* - * On negative timeout for a handler, immediatly + * On negative timeout for a handler, immediately * dispatch the timeout event without checking for * other events. */ 
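Review bot: The new `if (handler->fd != -1 && numfd < MAX_NETIO_FDS)` guard in the handler loop silently assigns `handler->pfd = -1` to every handler past the 1024th, so such a handler is never polled and never receives READ or WRITE events, with no diagnostic at all. The old `fd < FD_SETSIZE` test failed just as silently, but since the cap is now a private constant in netio.c it deserves a one-time `log_msg(LOG_ERR, "netio: more than %d handlers, some are not polled", MAX_NETIO_FDS);` in the `else` branch, or at least a comment on `#define MAX_NETIO_FDS 1024` stating that handlers beyond it are dropped. Whether the limit can be reached depends on server-count and interface configuration, which this hunk does not show. netio_dispatch continues outside the hunk.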
@@ -191,12 +189,17 @@ netio_dispatch(netio_type *netio, const struct timespec *timeout, const sigset_t } /* Check for events. */ - rc = pselect(max_fd + 1, &readfds, &writefds, &exceptfds, - have_timeout ? &minimum_timeout : NULL, - sigmask); +#ifdef HAVE_PPOLL + rc = ppoll(fds, numfd, (have_timeout?&minimum_timeout:NULL), sigmask); +#else + sigprocmask(SIG_SETMASK, sigmask, &origmask); + rc = poll(fds, numfd, (have_timeout?minimum_timeout.tv_sec*1000+ + minimum_timeout.tv_nsec/1000000:-1)); + sigprocmask(SIG_SETMASK, &origmask, NULL); +#endif /* HAVE_PPOLL */ if (rc == -1) { if(errno == EINVAL || errno == EACCES || errno == EBADF) { - log_msg(LOG_ERR, "fatal error pselect: %s.", + log_msg(LOG_ERR, "fatal error poll: %s.", strerror(errno)); exit(1); } 
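Review bot: In the `#else` fallback the `sigprocmask(SIG_SETMASK, sigmask, &origmask)` call followed by `poll()` is not atomic, so a signal delivered between the two is handled before poll blocks and cannot wake it — the lost-wakeup race that pselect/ppoll exist to close; on platforms without ppoll this can defer a shutdown or reload signal until the next descriptor event or timeout. The millisecond conversion `minimum_timeout.tv_sec*1000+minimum_timeout.tv_nsec/1000000` truncates sub-millisecond remainders to 0, which makes poll return immediately and spin until the handler's deadline really passes; `(minimum_timeout.tv_nsec+999999)/1000000` rounds up instead, and the `tv_sec*1000` product is narrowed to int for poll, so a very large timeout would wrap. A comment on the fallback such as `/* not atomic: a signal arriving between sigprocmask and poll is not seen until poll returns */` would at least record the limitation. netio_dispatch continues outside the hunk.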
@@ -225,26 +228,27 @@ netio_dispatch(netio_type *netio, const struct timespec *timeout, const sigset_t * calling the current handler! */ assert(netio->dispatch_next == NULL); + for (elt = netio->handlers; elt && rc; ) { netio_handler_type *handler = elt->handler; netio->dispatch_next = elt->next; - if (handler->fd != -1 && handler->fd < (int)FD_SETSIZE) { + if (handler->fd != -1 && handler->pfd != -1) { netio_event_types_type event_types = NETIO_EVENT_NONE; - if (FD_ISSET(handler->fd, &readfds)) { + if ((fds[handler->pfd].revents & POLLIN)) { event_types |= NETIO_EVENT_READ; - FD_CLR(handler->fd, &readfds); - rc--; } - if (FD_ISSET(handler->fd, &writefds)) { + if ((fds[handler->pfd].revents & POLLOUT)) { event_types |= NETIO_EVENT_WRITE; - FD_CLR(handler->fd, &writefds); - rc--; } - if (FD_ISSET(handler->fd, &exceptfds)) { - event_types |= NETIO_EVENT_EXCEPT; - FD_CLR(handler->fd, &exceptfds); - rc--; + if ((fds[handler->pfd].revents & + (POLLNVAL|POLLHUP|POLLERR))) { + /* closed/error: give a read event, + * or otherwise, a write event */ + if((handler->event_types&NETIO_EVENT_READ)) + event_types |= NETIO_EVENT_READ; + else if((handler->event_types&NETIO_EVENT_WRITE)) + event_types |= NETIO_EVENT_WRITE; } if (event_types & handler->event_types) { diff --git a/usr.sbin/nsd/netio.h b/usr.sbin/nsd/netio.h index c8299b97adb..a0e805e9ea5 100644 --- a/usr.sbin/nsd/netio.h +++ b/usr.sbin/nsd/netio.h @@ -16,7 +16,6 @@ * * NETIO_EVENT_READ: reading will not block. * NETIO_EVENT_WRITE: writing will not block. - * NETIO_EVENT_EXCEPT: an exception occurred. * NETIO_EVENT_TIMEOUT: the timeout expired. * * A file descriptor must be specified if the handler is interested in @@ -58,8 +57,7 @@ enum netio_event_types { NETIO_EVENT_NONE = 0, NETIO_EVENT_READ = 1, NETIO_EVENT_WRITE = 2, - NETIO_EVENT_EXCEPT = 4, - NETIO_EVENT_TIMEOUT = 8, + NETIO_EVENT_TIMEOUT = 4, }; typedef enum netio_event_types netio_event_types_type; 
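Review bot: Mapping `POLLNVAL|POLLHUP|POLLERR` to a READ (else WRITE) event means a handler whose descriptor was closed behind netio's back is invoked as if data were readable, and its read will fail with EBADF; this relies on every handler treating a read/write error as "tear down this handler" rather than retrying, which the hunk cannot show. With pselect the same condition was fatal (`EBADF` reached the `exit(1)` branch above, whereas poll reports it in `revents`), so the behaviour changed from crash to handler-dependent; a comment here such as `/* closed/error descriptor: hand it to the handler so it can tear the fd down; the read/write is expected to fail */` would make that expectation explicit. With the three `rc--` lines removed, the `elt && rc` loop condition no longer stops once all ready descriptors are consumed and `rc` only guards the zero case, so either drop it from the condition or note why it stays. netio_dispatch continues outside the hunk.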
@@ -105,6 +103,9 @@ struct netio_handler */ int fd; + /** index of the pollfd array for this handler */ + int pfd; + /* * The time when no events should be checked for and the * handler should be called with the NETIO_EVENT_TIMEOUT diff --git a/usr.sbin/nsd/nsd-checkconf.8.in b/usr.sbin/nsd/nsd-checkconf.8.in index 6cb43541ae9..9bf830647a1 100644 --- a/usr.sbin/nsd/nsd-checkconf.8.in +++ b/usr.sbin/nsd/nsd-checkconf.8.in @@ -1,4 +1,4 @@ -.TH "nsd\-checkconf" "8" "Oct 22, 2015" "NLnet Labs" "nsd 4.1.6" +.TH "nsd\-checkconf" "8" "Dec 10, 2015" "NLnet Labs" "nsd 4.1.7" .\" Copyright (c) 2001\-2008, NLnet Labs. All rights reserved. .\" See LICENSE for the license. .SH "NAME" diff --git a/usr.sbin/nsd/nsd-checkconf.c b/usr.sbin/nsd/nsd-checkconf.c index 96bc89eca89..6cbe71e55c6 100644 --- a/usr.sbin/nsd/nsd-checkconf.c +++ b/usr.sbin/nsd/nsd-checkconf.c @@ -352,6 +352,7 @@ config_print_zone(nsd_options_t* opt, const char* k, int s, const char *o, /* str */ SERV_GET_PATH(final, database, o); SERV_GET_STR(identity, o); + SERV_GET_STR(version, o); SERV_GET_STR(nsid, o); SERV_GET_PATH(final, logfile, o); SERV_GET_PATH(final, pidfile, o); @@ -447,6 +448,7 @@ config_test_print_server(nsd_options_t* opt) printf("\thide-version: %s\n", opt->hide_version?"yes":"no"); print_string_var("database:", opt->database); print_string_var("identity:", opt->identity); + print_string_var("version:", opt->version); print_string_var("nsid:", opt->nsid); print_string_var("logfile:", opt->logfile); printf("\tserver_count: %d\n", opt->server_count); @@ -587,6 +589,11 @@ additional_checks(nsd_options_t* opt, const char* filename) filename, (unsigned) strlen(opt->identity)); errors ++; } + if (opt->version && strlen(opt->version) > UCHAR_MAX) { + fprintf(stderr, "%s: server version too long (%u characters)\n", + filename, (unsigned) strlen(opt->version)); + errors ++; + } /* not done here: parsing of ip-address. parsing of username. */ 
diff --git a/usr.sbin/nsd/nsd-checkzone.8.in b/usr.sbin/nsd/nsd-checkzone.8.in index 3216c8c9ba0..f58e0daa6e1 100644 --- a/usr.sbin/nsd/nsd-checkzone.8.in +++ b/usr.sbin/nsd/nsd-checkzone.8.in @@ -1,4 +1,4 @@ -.TH "nsd\-checkzone" "8" "Oct 22, 2015" "NLnet Labs" "nsd 4.1.6" +.TH "nsd\-checkzone" "8" "Dec 10, 2015" "NLnet Labs" "nsd 4.1.7" .\" Copyright (c) 2014, NLnet Labs. All rights reserved. .\" See LICENSE for the license. .SH "NAME" diff --git a/usr.sbin/nsd/nsd-control.8.in b/usr.sbin/nsd/nsd-control.8.in index b6af80ce551..4f6a59024cd 100644 --- a/usr.sbin/nsd/nsd-control.8.in +++ b/usr.sbin/nsd/nsd-control.8.in @@ -1,4 +1,4 @@ -.TH "nsd\-control" "8" "Oct 22, 2015" "NLnet Labs" "nsd 4.1.6" +.TH "nsd\-control" "8" "Dec 10, 2015" "NLnet Labs" "nsd 4.1.7" .\" Copyright (c) 2011, NLnet Labs. All rights reserved. .\" See LICENSE for the license. .SH "NAME" diff --git a/usr.sbin/nsd/nsd.8.in b/usr.sbin/nsd/nsd.8.in index eeea5054c94..0ef0cfa09bb 100644 --- a/usr.sbin/nsd/nsd.8.in +++ b/usr.sbin/nsd/nsd.8.in @@ -1,9 +1,9 @@ -.TH "NSD" "8" "Oct 22, 2015" "NLnet Labs" "NSD 4.1.6" +.TH "NSD" "8" "Dec 10, 2015" "NLnet Labs" "NSD 4.1.7" .\" Copyright (c) 2001\-2008, NLnet Labs. All rights reserved. .\" See LICENSE for the license. .SH "NAME" .B nsd -\- Name Server Daemon (NSD) version 4.1.6. +\- Name Server Daemon (NSD) version 4.1.7. .SH "SYNOPSIS" .B nsd .RB [ \-4 ] diff --git a/usr.sbin/nsd/nsd.c b/usr.sbin/nsd/nsd.c index d2084b77ae2..3d682cd347a 100644 --- a/usr.sbin/nsd/nsd.c +++ b/usr.sbin/nsd/nsd.c @@ -662,6 +662,9 @@ main(int argc, char *argv[]) if(nsd.options->identity) nsd.identity = nsd.options->identity; } + if(nsd.options->version) { + nsd.version = nsd.options->version; + } if (nsd.options->logfile && !nsd.log_filename) { nsd.log_filename = nsd.options->logfile; } diff --git a/usr.sbin/nsd/nsd.conf.5.in b/usr.sbin/nsd/nsd.conf.5.in index 99b3544968b..2fe1bf4ddad 100644 --- a/usr.sbin/nsd/nsd.conf.5.in +++ b/usr.sbin/nsd/nsd.conf.5.in 
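Review bot: `nsd.version = nsd.options->version;` adopts the configured string with no length check; the only bound visible in this commit is the `strlen(opt->version) > UCHAR_MAX` test added to additional_checks in nsd-checkconf.c, which runs only when the operator invokes nsd-checkconf. The nsd.conf.5 text in this commit says the string is returned for CH TXT version.server/version.bind queries, and a TXT <character-string> carries a one-byte length, so confirm that the answer encoder truncates or rejects a longer string; otherwise apply the same UCHAR_MAX check here (or in the parser's server_version action) and fall back to the compiled version with a log message. main() continues outside the hunk.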
@@ -1,4 +1,4 @@ -.TH "nsd.conf" "5" "Oct 22, 2015" "NLnet Labs" "nsd 4.1.6" +.TH "nsd.conf" "5" "Dec 10, 2015" "NLnet Labs" "nsd 4.1.7" .\" Copyright (c) 2001\-2008, NLnet Labs. All rights reserved. .\" See LICENSE for the license. .SH "NAME" @@ -173,11 +173,9 @@ that it can answer immediately when the address is added. Default is no. Use the SO_REUSEPORT socket option, and create file descriptors for every server in the server\-count. This improves performance of the network stack. Only really useful if you also configure a server\-count higher -than 1 (such as, equal to the number of cpus). The default is yes on -Linux (where it works, and has been (backported) to 2.6 and 3.x kernels). -On FreeBSD it is known to fail (default is no), but you can enable it -if you think it is fixed. And a cautious default of no is used for -other systems. +than 1 (such as, equal to the number of cpus). The default is no. +It works on Linux, but does not work on FreeBSD, and likely does not +work on other systems. .TP .B debug\-mode:\fR <yes or no> Turns on debugging mode for nsd, does not fork a daemon process. @@ -216,6 +214,11 @@ Default is the name as returned by gethostname(3). Same as commandline option .BR \-i . .TP +.B version:\fR <string> +Returns the specified version string when asked for CH TXT version.server, +and version.bind queries. Default is the compiled package version. +See hide\-version to set the server to not respond to such queries. +.TP .B nsid:\fR <string> Add the specified nsid to the EDNS section of the answer when queried with an NSID EDNS enabled packet. As a sequence of hex characters or 
@@ -366,16 +369,24 @@ This option gives the size of the hashtable. Default 1000000. More buckets use more memory, and reduce the chance of hash collisions. .TP .B rrl\-ratelimit:\fR <qps> -The max qps allowed (from one query source). Default 200 qps. If set to 0 -then it is disabled (unlimited rate), also set the whilelist\-ratelimit +The max qps allowed (from one query source). Default is @ratelimit_default@ (with a suggested 200 qps). If set to 0 +then it is disabled (unlimited rate), also set the whitelist\-ratelimit to 0 to disable ratelimit processing. If you set verbosity to 2 the blocked and unblocked subnets are logged. Blocked queries are blocked -and some receive TCP fallback replies. +and some receive TCP fallback replies. Once the rate limit is reached, +NSD begins dropping responses. However, one in every "rrl\-slip" number +of responses is allowed, with the TC bit set. If slip is set to 2, the +outgoing response rate will be halved. If it's set to 3, the outgoing +response rate will be one\-third, and so on. If you set rrl\-slip to 10, +traffic is reduced to 1/10th. Ratelimit options rrl\-ratelimit, rrl\-size and +rrl\-whitelist\-ratelimit are updated when nsd\-control reconfig is done (also +the zone\-specific ratelimit options are updated). .TP .B rrl\-slip:\fR <numpackets> This option controls the number of packets discarded before we send back a SLIP response (a response with "truncated" bit set to one). 0 disables the sending of SLIP packets, -1 means every query will get a SLIP response. +1 means every query will get a SLIP response. Default is 2, cuts traffic in +half and legit users have a fair chance to get a +TC response. .TP .B rrl\-ipv4\-prefix\-length:\fR <subnet> IPv4 prefix length. Addresses are grouped by netblock. Default 24. 
@@ -385,7 +396,7 @@ IPv6 prefix length. Addresses are grouped by netblock. Default 64. .TP .B rrl\-whitelist\-ratelimit:\fR <qps> The max qps for query sorts for a source, which have been -whitelisted. Default 2000 qps. With the rrl\-whitelist option you can set +whitelisted. Default @ratelimit_default@ (with a suggested 2000 qps). With the rrl\-whitelist option you can set specific queries to receive this qps limit instead of the normal limit. With the value 0 the rate is unlimited. .\" rrlend diff --git a/usr.sbin/nsd/nsd.conf.sample.in b/usr.sbin/nsd/nsd.conf.sample.in index e3d1ff70fd8..a78548e0fc8 100644 --- a/usr.sbin/nsd/nsd.conf.sample.in +++ b/usr.sbin/nsd/nsd.conf.sample.in @@ -27,8 +27,7 @@ server: # Allow binding to non local addresses. Default no. # ip-transparent: no - # use the reuseport socket option for performance. - # The default is yes on linux, no for others. + # use the reuseport socket option for performance. Default no. # reuseport: no # enable debug mode, does not fork daemon process into the background. @@ -83,6 +82,10 @@ server: # don't answer VERSION.BIND and VERSION.SERVER CHAOS class queries # hide-version: no + # version string the server responds with for chaos queries. + # default is 'NSD x.y.z' with the server's version number. + # version: "NSD" + # identify the server (CH TXT ID.SERVER entry). # identity: "unidentified server" @@ -130,8 +133,9 @@ server: # rrl-size: 1000000 # Response Rate Limiting, maximum QPS allowed (from one query source). - # Default 200. If set to 0, ratelimiting is disabled. Also set + # If set to 0, ratelimiting is disabled. Also set # rrl-whitelist-ratelimit to 0 to disable ratelimit processing. + # Default is @ratelimit_default@. # rrl-ratelimit: 200 # Response Rate Limiting, number of packets to discard before 
@@ -139,7 +143,8 @@ server: # resolver to retry with TCP). Default is 2 (one half of the # queries will receive a SLIP response, 0 disables SLIP (all # packets are discarded), 1 means every request will get a - # SLIP response. + # SLIP response. When the ratelimit is hit the traffic is + # divided by the rrl-slip value. # rrl-slip: 2 # Response Rate Limiting, IPv4 prefix length. Addresses are @@ -151,7 +156,7 @@ server: # rrl-ipv6-prefix-length: 64 # Response Rate Limiting, maximum QPS allowed (from one query source) - # for whitelisted types. Default 2000. + # for whitelisted types. Default is @ratelimit_default@. # rrl-whitelist-ratelimit: 2000 # RRLend diff --git a/usr.sbin/nsd/options.c b/usr.sbin/nsd/options.c index f86e99bf420..88968518a86 100644 --- a/usr.sbin/nsd/options.c +++ b/usr.sbin/nsd/options.c @@ -56,6 +56,7 @@ nsd_options_create(region_type* region) opt->do_ip6 = 1; opt->database = DBFILE; opt->identity = 0; + opt->version = 0; opt->nsid = 0; opt->logfile = 0; opt->log_time_ascii = 1; @@ -69,11 +70,7 @@ nsd_options_create(region_type* region) opt->pidfile = PIDFILE; opt->port = UDP_PORT; /* deprecated? opt->port = TCP_PORT; */ -#ifdef REUSEPORT_BY_DEFAULT - opt->reuseport = 1; -#else opt->reuseport = 0; -#endif opt->statistics = 0; opt->chroot = 0; opt->username = USER; @@ -83,11 +80,16 @@ nsd_options_create(region_type* region) opt->zonelistfile = ZONELISTFILE; #ifdef RATELIMIT opt->rrl_size = RRL_BUCKETS; - opt->rrl_ratelimit = RRL_LIMIT/2; opt->rrl_slip = RRL_SLIP; opt->rrl_ipv4_prefix_length = RRL_IPV4_PREFIX_LENGTH; opt->rrl_ipv6_prefix_length = RRL_IPV6_PREFIX_LENGTH; +# ifdef RATELIMIT_DEFAULT_OFF + opt->rrl_ratelimit = 0; + opt->rrl_whitelist_ratelimit = 0; +# else + opt->rrl_ratelimit = RRL_LIMIT/2; opt->rrl_whitelist_ratelimit = RRL_WLIST_LIMIT/2; +# endif #endif opt->zonefiles_check = 1; if(opt->database == NULL || opt->database[0] == 0) 
@@ -1507,7 +1509,7 @@ acl_key_matches(acl_options_t* acl, struct query* q) } if(!acl->key_options->tsig_key) { DEBUG(DEBUG_XFRD,2, (LOG_INFO, "keymatch fail no config")); - return 0; /* key not properly configged */ + return 0; /* key not properly configured */ } if(dname_compare(q->tsig.key_name, acl->key_options->tsig_key->name) != 0) { diff --git a/usr.sbin/nsd/options.h b/usr.sbin/nsd/options.h index d2cd0c4d8ee..34ed295eb4a 100644 --- a/usr.sbin/nsd/options.h +++ b/usr.sbin/nsd/options.h @@ -67,6 +67,7 @@ struct nsd_options { int do_ip6; const char* database; const char* identity; + const char* version; const char* logfile; int server_count; int tcp_count; diff --git a/usr.sbin/nsd/query.c b/usr.sbin/nsd/query.c index 295598cbadb..4f26112adc1 100644 --- a/usr.sbin/nsd/query.c +++ b/usr.sbin/nsd/query.c @@ -309,7 +309,6 @@ process_query_section(query_type *query) &query->qtype, &query->qclass)) return 0; query->qname = dname_make(query->region, qnamebuf, 1); - query->opcode = OPCODE(query->packet); return 1; } @@ -1318,6 +1317,15 @@ query_process(query_type *q, nsd_type *nsd) return QUERY_DISCARDED; } + /* check opcode early on, because new opcodes may have different + * specification of the meaning of the rest of the packet */ + q->opcode = OPCODE(q->packet); + if(q->opcode != OPCODE_QUERY && q->opcode != OPCODE_NOTIFY) { + if(query_ratelimit_err(nsd)) + return QUERY_DISCARDED; + return query_error(q, NSD_RC_IMPL); + } + if (RCODE(q->packet) != RCODE_OK || !process_query_section(q)) { return query_formerr(q, nsd); } diff --git a/usr.sbin/nsd/region-allocator.c b/usr.sbin/nsd/region-allocator.c index 5a280d832aa..95454a66678 100644 --- a/usr.sbin/nsd/region-allocator.c +++ b/usr.sbin/nsd/region-allocator.c @@ -12,6 +12,7 @@ #include <assert.h> #include <stdlib.h> #include <string.h> +#include <limits.h> #include "region-allocator.h" #include "util.h" diff --git a/usr.sbin/nsd/server.c b/usr.sbin/nsd/server.c index 13093165098..2b3be10618f 100644 
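Review bot: Moving `q->opcode = OPCODE(q->packet);` out of process_query_section into query_process gives the right order — the opcode is checked before the question section is trusted — but any other caller of process_query_section, if one exists outside this hunk, no longer gets `opcode` set and would read whatever the query structure already held. Rejecting unknown opcodes with NSD_RC_IMPL before parsing still emits a reply, which is presumably why the `query_ratelimit_err(nsd)` check precedes it; a short comment, e.g. `/* NOTIMPL replies count against the error rate limit like other error replies */`, would record that intent. query_process continues outside the hunk.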
--- a/usr.sbin/nsd/server.c +++ b/usr.sbin/nsd/server.c @@ -760,6 +760,11 @@ server_init_ifs(struct nsd *nsd, size_t from, size_t to, int* reuseport_works) continue; } nsd->tcp[i].fam = (int)addr->ai_family; + /* turn off REUSEPORT for TCP by copying the socket fd */ + if(i >= nsd->ifs) { + nsd->tcp[i].s = nsd->tcp[i%nsd->ifs].s; + continue; + } if ((nsd->tcp[i].s = socket(addr->ai_family, addr->ai_socktype, 0)) == -1) { #if defined(INET6) if (addr->ai_family == AF_INET6 && diff --git a/usr.sbin/nsd/tsig-openssl.c b/usr.sbin/nsd/tsig-openssl.c index 40a35f50324..1088573a048 100644 --- a/usr.sbin/nsd/tsig-openssl.c +++ b/usr.sbin/nsd/tsig-openssl.c @@ -44,7 +44,9 @@ tsig_openssl_init_algorithm(region_type* region, log_msg(LOG_ERR, "cannot parse %s algorithm", wireformat); return 0; } - algorithm->maximum_digest_size = EVP_MAX_MD_SIZE; + algorithm->maximum_digest_size = EVP_MD_size(hmac_algorithm); + if(algorithm->maximum_digest_size < 20) + algorithm->maximum_digest_size = EVP_MAX_MD_SIZE; algorithm->data = hmac_algorithm; algorithm->hmac_create_context = create_context; algorithm->hmac_init_context = init_context; diff --git a/usr.sbin/nsd/zonec.c b/usr.sbin/nsd/zonec.c index a3409f7853f..666b0cc3dd7 100644 --- a/usr.sbin/nsd/zonec.c +++ b/usr.sbin/nsd/zonec.c @@ -1434,7 +1434,10 @@ process_rr(void) rr_type* o; if (rr->type != TYPE_RRSIG && rrset->rrs[0].ttl != rr->ttl) { zc_warning_prev_line( - "TTL does not match the TTL of the RRset"); + "%s TTL %u does not match the TTL %u of the %s RRset", + domain_to_string(rr->owner), (unsigned)rr->ttl, + (unsigned)rrset->rrs[0].ttl, + rrtype_to_string(rr->type)); } /* Search for possible duplicates... */ |
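Review bot: For `i >= nsd->ifs` the new code aliases the TCP socket to `nsd->tcp[i%nsd->ifs].s`, so several `nsd->tcp[]` entries now hold the same descriptor; any teardown or reload path that closes each `nsd->tcp[i].s` in turn (not visible here) would then close the same fd more than once, and a repeated close can hit an unrelated descriptor opened in the meantime. A comment next to the assignment such as `/* entries >= ifs share the fd of entry i%ifs; close it only once */` plus a matching `i < nsd->ifs` guard wherever the sockets are closed would keep that invariant visible. `i%nsd->ifs` also requires `nsd->ifs > 0`, presumably guaranteed by the caller but worth an `assert(nsd->ifs > 0);` before the loop. server_init_ifs continues outside the hunk.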
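Review bot: The threshold in `if(algorithm->maximum_digest_size < 20)` is a magic number: the code shows that digests shorter than 20 bytes keep the old `EVP_MAX_MD_SIZE` bound while longer ones use their exact `EVP_MD_size`, but not why 20 was chosen. A comment such as `/* digests shorter than 20 bytes keep the EVP_MAX_MD_SIZE bound — TODO state the reason */` would help the next reader; if `maximum_digest_size` bounds the accepted MAC length, using the exact size for the larger digests is a welcome tightening. `EVP_MD_size` returns 0 for an unrecognised digest, which this path also maps to `EVP_MAX_MD_SIZE`; confirm that is the intended fallback. tsig_openssl_init_algorithm continues outside the hunk.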