path: root/sbin/unwind/resolver.c

Commit log. Each entry gives the commit message, followed by (author, date, files changed, lines removed/added).

* Only probe for DNS64 presence when we know that we can talk to the slaacd provided nameservers, i.e. the stub resolver check succeeded. Previously we would only probe DNS64 on network change but would not reschedule when it failed. Sometimes (most of the time?) this fails because our address is still tentative or a default route has not yet been installed. OK phessler
  (florian, 2021-02-07, 1 file, -2/+3)

* Revert delayed opening of trust anchor file. The code was somewhat ugly and the underlying problem (dhclient and unwind playing well together) should be solved differently. Final straw was jca reporting that it breaks his setup.
  (florian, 2021-02-06, 1 file, -3/+1)

* Make progress when stepping through rdns proposals even when skipping localhost.
  (florian, 2021-01-31, 1 file, -3/+3)

* Re-try to open DNSSEC trust anchor file if /var is not mounted yet. This is a step towards starting unwind earlier, before the network is up and partitions are mounted. OK kn
  (florian, 2021-01-30, 1 file, -1/+3)

* Some libunbound configuration changes can change the quality of a resolver so we have to schedule a re-check. OK kn
  (florian, 2021-01-29, 1 file, -11/+17)

* A new resolver can be created while we currently run a check with the old configuration. We will then request another check that runs in parallel to the old check. If the new check finishes earlier, the current check result will be overwritten by an outdated check result which is likely wrong. While here fix some whitespace. OK phessler
  (florian, 2021-01-28, 1 file, -3/+7)

* Determine available address families (and monitor when this changes) to configure libunbound accordingly. This way it no longer tries to talk to IPv6 nameservers when only IPv4 is available and vice versa. input deraadt OK kn
  (florian, 2021-01-27, 1 file, -8/+43)

* Some config changes require a restart of all resolvers even DEAD ones; handle them like UNKNOWN. Found the hard way by kn.
  (florian, 2021-01-26, 1 file, -4/+2)

* Disable logging to syslog for libunbound. We are not getting anything useful for us out of it and it can be quite noisy when we are missing IPv4 or IPv6 addresses. It is still available when logging to stderr when running with -d. OK phessler
  (florian, 2021-01-25, 1 file, -4/+5)

* Implement DNS64 synthesis. When unwind(8) learns new autoconf resolvers (from dhcp or router advertisements) it checks if a DNS64 is present in this network location and tries to recover the IPv6 prefix used according to RFC7050. The learned autoconf resolvers are then prevented from upgrading to the validating state since DNS64 breaks DNSSEC. unwind(8) can now perform its own synthesis. If a query for a AAAA record results in no answer we re-send the query for A and if that leads to an answer we synthesize an AAAA answer using the learned prefixes. Testing & OK kn
  (florian, 2021-01-24, 1 file, -5/+234)

* Move resolv_conf string generation for ASR to function; makes upcoming DNS64 diff simpler.
  (florian, 2021-01-23, 1 file, -14/+25)

* Don't just blindly upgrade to VALIDATING if we see a SECURE answer. Let's go through the check_resolver() / new_resolver() code path which will also hook up the resolver to the shared cache. This means also one less special case for upcoming DNS64 support.
  (florian, 2021-01-23, 1 file, -3/+3)

* Make imsg event structs static to fix -fno-common. Follows claudio's lead in ospfd et al. Problem reported by mortimer.
  (florian, 2021-01-19, 1 file, -3/+3)

* No need for a global uw_process; unbreaks -fno-common. Problem reported by mortimer
  (florian, 2021-01-19, 1 file, -4/+3)

* Otto hit an impossible situation: an answer bigger than 64k. Log the query and answer SERVFAIL instead of exiting fatally. That way we can at least figure out where libunbound goes off the rail. OK otto
  (florian, 2020-12-26, 1 file, -2/+9)

* Introduce query_imsg2str() to simplify printing "qname class type". OK kn some time ago
  (florian, 2020-12-11, 1 file, -18/+24)

* The recent fix to handle large answers in unwind (errata #5 for 6.8) has the downside of always copying the maximum IMSG size (about 16k) between the resolver and frontend process for DNS answers because we had to keep it as simple as possible. We can now rearrange things in -current to be less wasteful. This copies only the usually small DNS answer. In the unusual case that a DNS answer is larger than the maximum IMSG size fragment the message and send multiple IMSGs.
  (florian, 2020-12-11, 1 file, -33/+30)

* Handle DNS answers that are larger than the maximum imsg size (about 16k) by splitting them up. Previously unwind would send meta-data about the finished query from the resolver process to the frontend process and then silently fail to send the actual answer because it was too big for imsg. When receiving the meta-data for the next query the frontend process would then exit via fatal() because it was still expecting an answer. This likely fixes rare crashes observed by Leo Unglaub. Note that even with DNSSEC signatures, answers this big are very rare. OK tb, benno
  (florian, 2020-11-05, 1 file, -7/+28)

* When an interface disappears we need to forget the learned autoconf resolvers. OK kn
  (florian, 2020-09-12, 1 file, -5/+8)

* sockaddr_rtdns does not guarantee alignment of the buffer. So first memcpy the address into a local var before comparing it with code that reads ints using int *. At least sparc64 and landisk suffer from this. With and ok jca@
  (otto, 2020-05-10, 1 file, -5/+10)

* Return when create_solver() returns NULL to prevent null pointer dereference in 'resolvers[type]->state = state'. ok florian@
  (tobhe, 2020-03-19, 1 file, -2/+4)

* We are not correctly upgrading from "UNKNOWN" to "VALIDATING" resulting in a "fatal in resolver: wrong unified cache set on resolver". I believe this happens because we are using an UNKNOWN resolving strategy to resolve queries. Disable the upgrade logic for now and always construct a fresh resolver context and set the unified context on it before any cache gets allocated. This causes a bit of memory churn on startup and when changing networks, but better than a crashing unwind. First observed by deraadt
  (florian, 2020-01-28, 1 file, -8/+4)

* sbin/unwind: replace TAILQ concatenation loop with TAILQ_CONCAT. OK florian@. reads ok benno@
  (bket, 2020-01-28, 1 file, -5/+2)

* We can not share a cache between validating and resolving strategies. The resolving only strategies mess up the negative cache by claiming DNSSEC related records do not exist which confuses the validating strategies. Found the hard way by kn@ and analysed by otto@ OK kn@
  (florian, 2020-01-20, 1 file, -14/+47)

* Ralph Dolmans from nlnetlabs points out that libunbound uses ub_event_pluggable.c instead of ub_event.c (https://github.com/NLnetLabs/unbound/issues/99). We have been the odd one out, so switch to ub_event_pluggable, too.
  (florian, 2019-12-23, 1 file, -5/+1)

* Workaround unbound github issue #99. https://github.com/NLnetLabs/unbound/issues/99 ub_ctx_delete would free the passed in event_base leading to use-after-free since libunbound never allocated the memory and unwind expects to continue using the event_base.
  (florian, 2019-12-18, 1 file, -1/+6)

* Implement unwindctl status memory to show cache memory usage. testing by otto & pamela as part of a larger diff
  (florian, 2019-12-18, 1 file, -1/+27)

* Rework unified cache handling to be able to unify key and neg caches. testing by otto & pamela as part of a larger diff
  (florian, 2019-12-18, 1 file, -27/+82)

* Make this fit in 80 cols.
  (florian, 2019-12-15, 1 file, -3/+5)

* Allow more outgoing ports, the default 16 is pretty tight for the recursor. Also change strategy to not fetch addresses of nameservers pro-actively, it does not help a lot in typical unwind setups and consumes resources we would like to spend on actual resolving user queries. ok florian@
  (otto, 2019-12-15, 1 file, -2/+4)

* Be less aggressive pre-allocating memory; ok florian@
  (otto, 2019-12-14, 1 file, -1/+3)

* Simplify resolve_done.
  - check if this is an answer to a still running query up front, if not there is nothing more to do
  - get rid of the retry case, we can now just inline it
  - reduce indent by always calculating elapsed time for DOUBT_NXDOMAIN_SEC
  Triggered by, input and OK otto
  (florian, 2019-12-14, 1 file, -62/+49)

* No use to create resolvers we know are going to be dead; ok florian@
  (otto, 2019-12-14, 1 file, -1/+7)

* Don't try dead resolvers; ok florian@
  (otto, 2019-12-13, 1 file, -2/+3)

* print type as type and not as rcode
  (otto, 2019-12-13, 1 file, -2/+2)

* Avoid leaks by using the _buf versions of sldns_wire2str_* functions. Also add some consistency checking to detect logic errors. ok @florian
  (otto, 2019-12-13, 1 file, -5/+11)

* Only create (and check) resolvers listed in preferences. Unfortunately this required a fair amount of deck chair shuffling. Input & OK otto
  (florian, 2019-12-12, 1 file, -118/+101)

* Plug leaks related to running queue maintenance. ok florian@
  (otto, 2019-12-11, 1 file, -17/+28)

* Similar to doubting NXDOMAIN when we just switched networks we also need to doubt validation errors as we might find ourselves behind a captive portal. The hotspot at schiphol airport uses login.hotspotschiphol.nl:
  - it is NXDOMAIN on the public internet
  - hotspotschiphol.nl is signed and attests that login does not exist.
  - resolves to 1.1.1.5(!) when asking the dhcp nameservers
  - the dhcp nameservers pass DNSSEC records so validation works
  This resulted in unwind doing validation and answering SERVFAIL since the answer is bogus. Input & OK otto
  (florian, 2019-12-10, 1 file, -14/+18)

* Limit advertised UDP payload size to 1232 bytes to prevent PMTU / fragmentation issues. OK otto
  (florian, 2019-12-08, 1 file, -2/+3)

* Turn opportunistic DoT into their own strategies. This is beneficial since we prefer strategies according to their performance. Previously name servers were upgraded to opportunistic DoT if it was available even if the round trip times went through the roof and there was no way to get back to plain udp/53 DNS. To make up a bit of space in the unwindctl status output, name servers learned via DHCP or SLAAC are printed in a new subcommand. The status output will be further improved shortly. Input & OK otto
  (florian, 2019-12-08, 1 file, -116/+84)

* Log why an answer is bogus. OK otto
  (florian, 2019-12-06, 1 file, -2/+4)

* Use the middle of the histogram bar in the median computations instead of the right-hand side; ok florian@
  (otto, 2019-12-06, 1 file, -4/+7)

* be less verbose in debug logging; ok florian@
  (otto, 2019-12-05, 1 file, -4/+4)

* When we detect that a resolver strategy is not validating because the time is wrong enable a timer to check it again later. ntpd might have corrected the time. input & OK otto
  (florian, 2019-12-04, 1 file, -3/+14)

* If we see a validated result, we can (must!) assume the resolver is validating; ok florian@
  (otto, 2019-12-04, 1 file, -1/+4)

* Cleanup query logging. Debug log level 1 gives us basic query progress, level 2 writes out packets. looks good to otto
  (florian, 2019-12-03, 1 file, -11/+17)

* Cleanup check_resolver_done() debug logging. Log answer packet only at debug level 2. looks good to otto
  (florian, 2019-12-03, 1 file, -11/+16)

* Add one more debug level and enable very detailed libunbound logging with this. Currently only available as a command line flag (-vvv). With this we now have two debug levels available in unwind proper, to be used shortly. looks good to otto
  (florian, 2019-12-03, 1 file, -4/+4)

* No need to store "why_bogus" with the resolver, we are no longer showing it in unwindctl. But log it with level warn for check_resolver so that one can find out what's wrong with a resolver strategy. looks good to otto
  (florian, 2019-12-03, 1 file, -8/+6)