| Commit message | Author | Age | Files | Lines |
| |
Pointed out by deraadt
| |
able to send answers back to the correct client in case two are
connecting at the same time. We also need to pass the pid around to
the resolver process so that it can hand it back to us.
Debugged by deraadt and dlg who noticed that answers would always
arrive on the first control connection.
deraadt@ points out that tracking the pid is not the best choice in
case one process wants to hold open two connections but at least this
brings us in line with all the other privsep daemons with control
tools. If we change this we should change it in all daemons.
| |
rewording by jmc@
ok jmc@
| |
provided nameservers, i.e. the stub resolver check succeeded.
Previously we would only probe DNS64 on network change but would not
reschedule when it failed. Sometimes (most of the time?) this fails
because our address is still tentative or a default route has
not yet been installed.
OK phessler
| |
ugly and the underlying problem (dhclient and unwind playing well
together) should be solved differently.
Final straw was jca reporting that it breaks his setup.
| |
localhost.
| |
This is a step towards starting unwind earlier, before the network is
up and partitions are mounted.
OK kn
| |
resolver so we have to schedule a re-check.
OK kn
| |
While here also set SOCK_NONBLOCK on the frontend routesock.
| |
old configuration. We will then request another check that runs in
parallel to the old check. If the new check finishes earlier, the
current check result will be overwritten by an outdated check result
which is likely wrong.
While here fix some whitespace.
OK phessler
| |
to configure libunbound accordingly. This way it no longer tries to
talk to IPv6 nameservers when only IPv4 is available and vice versa.
input deraadt
OK kn
| |
handle them like UNKNOWN.
Found the hard way by kn.
| |
libunbound.
OK phessler
| |
useful for us out of it and it can be quite noisy when we are missing
IPv4 or IPv6 addresses.
It is still available when logging to stderr when running with -d.
OK phessler
| |
When unwind(8) learns new autoconf resolvers (from dhcp or router
advertisements) it checks if a DNS64 is present in this network
location and tries to recover the IPv6 prefix used according to
RFC7050.
The learned autoconf resolvers are then prevented from upgrading to
the validating state since DNS64 breaks DNSSEC.
unwind(8) can now perform its own synthesis. If a query for an AAAA
record results in no answer we re-send the query for A and if that
leads to an answer we synthesize an AAAA answer using the learned
prefixes.
Testing & OK kn
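The discovery and synthesis steps described in this commit, as an added example in C that is not unwind's own code: dns64_discover_prefix() looks for the RFC 7050 well-known addresses 192.0.0.170/171 in the AAAA answer for ipv4only.arpa at each prefix position RFC 6052 allows and returns the prefix length, and dns64_synthesize() embeds an A record into that prefix the same way. Function names, the sample addresses in main() and the choice of the shortest prefix when the well-known address matches at more than one offset are assumptions made for this example.

```c
/*
 * Added example, not unwind's code: learn a DNS64/NAT64 prefix from the
 * AAAA answer for ipv4only.arpa (RFC 7050) and synthesize AAAA records
 * from A records with it (RFC 6052, section 2.2). Function names and the
 * sample addresses in main() are constructed for this example.
 */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Prefix lengths RFC 6052 allows for embedding an IPv4 address. */
static const int dns64_prefix_lens[] = { 32, 40, 48, 56, 64, 96 };

/*
 * Byte offset of the i-th IPv4 byte for a given prefix length. The IPv4
 * address follows the prefix, except that byte 8 (bits 64-71, the "u"
 * octet) is reserved and must be zero, so prefixes shorter than /96
 * skip over it.
 */
static int
v4_byte_pos(int plen, int i)
{
	int pos = plen / 8 + i;

	if (plen < 96 && pos >= 8)
		pos++;
	return pos;
}

/*
 * RFC 7050 discovery: look for 192.0.0.170 or 192.0.0.171 at every
 * RFC 6052 position. On success returns the prefix length and fills
 * prefix (trailing bytes zeroed); returns 0 if no well-known address is
 * found. Should the well-known address match at more than one position
 * this example simply takes the shortest prefix; resolving that
 * ambiguity is outside its scope.
 */
int
dns64_discover_prefix(const uint8_t aaaa[16], uint8_t prefix[16])
{
	static const uint8_t wka[2][4] = {
		{ 192, 0, 0, 170 }, { 192, 0, 0, 171 }
	};
	uint8_t v4[4];
	size_t n;
	int i, plen;

	for (n = 0; n < sizeof(dns64_prefix_lens) / sizeof(int); n++) {
		plen = dns64_prefix_lens[n];
		if (plen < 96 && aaaa[8] != 0)
			continue;	/* u octet must be zero */
		for (i = 0; i < 4; i++)
			v4[i] = aaaa[v4_byte_pos(plen, i)];
		if (memcmp(v4, wka[0], 4) != 0 && memcmp(v4, wka[1], 4) != 0)
			continue;
		memset(prefix, 0, 16);
		memcpy(prefix, aaaa, plen / 8);
		return plen;
	}
	return 0;
}

/* RFC 6052 synthesis: embed an A record into the learned prefix. */
uint8_t *
dns64_synthesize(const uint8_t prefix[16], int plen, const uint8_t a[4],
    uint8_t out[16])
{
	int i;

	memset(out, 0, 16);
	memcpy(out, prefix, plen / 8);
	for (i = 0; i < 4; i++)
		out[v4_byte_pos(plen, i)] = a[i];
	return out;
}

int
main(void)
{
	/* constructed: ipv4only.arpa AAAA as seen behind a 64:ff9b::/96 DNS64 */
	const uint8_t aaaa[16] = { 0x00, 0x64, 0xff, 0x9b, 0, 0, 0, 0,
	    0, 0, 0, 0, 0xc0, 0x00, 0x00, 0xaa };
	const uint8_t a[4] = { 93, 184, 216, 34 };	/* constructed A record */
	uint8_t prefix[16], out[16];
	char s[INET6_ADDRSTRLEN];
	int plen = dns64_discover_prefix(aaaa, prefix);

	if (plen == 0) {
		printf("no DNS64 prefix found\n");
		return 1;
	}
	inet_ntop(AF_INET6, prefix, s, sizeof(s));
	printf("learned prefix %s/%d\n", s, plen);
	inet_ntop(AF_INET6, dns64_synthesize(prefix, plen, a, out), s, sizeof(s));
	printf("synthesized AAAA %s\n", s);
	return 0;
}
```

The synthesized record is assembled locally and therefore carries no signature that could validate, which is the reason the commit keeps resolvers learned behind a DNS64 out of the validating state.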
| |
upcoming DNS64 diff simpler.
| |
Let's go through the check_resolver() / new_resolver() code path
which will also hook up the resolver to the shared cache.
This means also one less special case for upcoming DNS64 support.
| |
Follows claudio's lead in ospfd et al.
Problem reported by mortimer.
| |
elsewhere and unbreaks -fno-common.
Inspired by claudio
Problem reported by mortimer
| |
Problem reported by mortimer.
| |
Problem reported by mortimer.
| |
Problem reported by mortimer
| |
Since we are only serving localhost we could get away with serving
over UDP only because we have a huge MTU on lo0, but it's still
not correct behavior.
This also enables sending truncated answers with TC set if the answer
does not fit into the edns announced udp size.
Testing at least by matthieu, jca, otto, phessler
OK phessler
| |
functions.
With this we can filter out DNSSEC RRsets if the client did not ask
for them. We will also be able to send truncated answers to indicate
to the client to switch to tcp. This will be enabled in the next
commit.
Testing at least by matthieu, jca, otto, phessler
OK phessler
| |
ok florian@
| |
OK florian
| |
Log the query and answer SERVFAIL instead of exiting fatally.
That way we can at least figure out where libunbound goes off the
rail.
OK otto
| |
OK kn some time ago
| |
has the downside of always copying the maximum IMSG size (about 16k)
between the resolver and frontend process for DNS answers because
we had to keep it as simple as possible.
We can now rearrange things in -current to be less wasteful. This copies
only the usually small DNS answer.
In the unusual case that a DNS answer is larger than the maximum IMSG size
fragment the message and send multiple IMSGs.
| |
upstream.
| |
upstream.
| |
Support for channel reuse of TCP and TLS (DoT) streams should improve
latency when the DoT strategy is used in unwind.
| |
No binary change on amd64.
ok florian
| |
If the configuration contains duplicate domains in the block list
file or a force list, the nodes would leak in the frontend process
each time the config is reloaded. Also add a check when copying the
force list over imsg and fatal if a duplicate is encountered. This
should never happen.
ok florian
| |
Domains contained in the block list file were not correctly freed.
This would grow the frontend process by the size of the blocklist
file on each config reload.
ok florian
| |
16k) by splitting them up.
Previously unwind would send meta-data about the finished query from
the resolver process to the frontend process and then silently fail to
send the actual answer because it was too big for imsg.
When receiving the meta-data for the next query the frontend process
would then exit via fatal() because it was still expecting an answer.
This likely fixes rare crashes observed by Leo Unglaub.
Note that even with DNSSEC signatures, answers this big are very rare.
OK tb, benno
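The splitting this commit and the earlier one about copying only the actual DNS answer describe, as an added C example that is not unwind's own code: send_fragmented() cuts an answer into messages of at most FRAG_MAX bytes, each with a small header, and reasm_feed() puts them back together on the receiving side and rejects a fragment that is out of order, duplicated or for another answer instead of aborting the process, which is the failure the commit message describes. FRAG_MAX (16384 here, standing in for the imsg limit the messages call "about 16k"), the header layout, the function names and the in-process callback that replaces the imsg channel are assumptions of the example.

```c
/*
 * Added example, not unwind's code: send an answer larger than the message
 * limit as several fragments and reassemble it on the receiving side, as the
 * two commit messages describe. FRAG_MAX, the header layout and the callback
 * standing in for the imsg channel are assumptions made for this example.
 */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define FRAG_MAX 16384				/* assumed message limit ("about 16k") */
struct frag_hdr { uint32_t id, total, off; };	/* hypothetical: answer id, whole length, payload offset */
#define FRAG_DATA (FRAG_MAX - sizeof(struct frag_hdr))

/* Sender: emit ceil(len / FRAG_DATA) messages of at most FRAG_MAX bytes. */
int
send_fragmented(uint32_t id, const uint8_t *ans, size_t len,
    int (*send)(const void *, size_t))
{
	uint8_t msg[FRAG_MAX];
	struct frag_hdr h = { id, (uint32_t)len, 0 };
	size_t n;
	int count = 0;
	do {
		n = len - h.off < FRAG_DATA ? len - h.off : FRAG_DATA;
		memcpy(msg, &h, sizeof(h));
		memcpy(msg + sizeof(h), ans + h.off, n);
		if (send(msg, sizeof(h) + n) == -1)
			return -1;
		h.off += n;
		count++;
	} while (h.off < len);
	return count;
}

/* Receiver state for the one answer in flight; buf is NULL when idle. */
struct reasm { uint32_t id, total, got; uint8_t *buf; };

/*
 * Receiver: 1 once r->buf holds the whole answer, 0 while more fragments are
 * expected, -1 on a protocol error (bad length, wrong id or total, fragment
 * out of order or duplicated). On error the state is cleared so the next
 * answer starts clean instead of the process exiting via fatal().
 */
int
reasm_feed(struct reasm *r, const void *msg, size_t len)
{
	const uint8_t *p = msg;
	struct frag_hdr h;
	size_t n;
	if (len < sizeof(h) || len > FRAG_MAX)
		goto bad;
	memcpy(&h, p, sizeof(h));
	n = len - sizeof(h);
	if (r->buf == NULL) {			/* first fragment of a new answer */
		if (h.off != 0 || (r->buf = malloc(h.total ? h.total : 1)) == NULL)
			goto bad;
		r->id = h.id, r->total = h.total, r->got = 0;
	}
	if (h.id != r->id || h.total != r->total || h.off != r->got ||
	    n > r->total - r->got)
		goto bad;
	memcpy(r->buf + r->got, p + sizeof(h), n);
	r->got += n;
	return r->got == r->total;
bad:
	free(r->buf);
	memset(r, 0, sizeof(*r));
	return -1;
}

static struct reasm rx;			/* receiver behind the callback below */
static int rx_status, rx_dup;		/* last reasm_feed() result; deliver twice? */

/* Stand-in for the imsg channel; with rx_dup set every fragment arrives twice. */
static int
deliver(const void *m, size_t l)
{
	rx_status = reasm_feed(&rx, m, l);
	if (rx_dup)
		rx_status = reasm_feed(&rx, m, l);
	return rx_status;			/* -1 makes the sender stop */
}

/* Round-trip a constructed len-byte answer: returns the fragment count when
 * the receiver ends up with identical bytes, -1 if it rejected the stream. */
int
roundtrip(size_t len, int dup)
{
	uint8_t *ans = malloc(len ? len : 1);
	int i, frags, rc = -1;
	for (i = 0; i < (int)len; i++)
		ans[i] = (uint8_t)(i * 7 + 3);	/* constructed payload */
	rx_dup = dup;
	frags = send_fragmented(42, ans, len, deliver);
	if (rx_status == 1 && rx.got == len && memcmp(rx.buf, ans, len) == 0)
		rc = frags;
	free(rx.buf);
	memset(&rx, 0, sizeof(rx));
	free(ans);
	return rc;
}
```

roundtrip(40000, 0) needs three fragments and returns 3; roundtrip(40000, 1) delivers every fragment twice, so the receiver drops the stream and the call returns -1. The receiver only trusts a fragment whose offset equals what it has already collected, which is what stops a lost or repeated message from leaving it waiting for an answer that never completes.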
| |
done in unwind.
Inputs from jmc@ florian@
ok jmc@ florian@
| |
freeing it is a no-op.
Leak detected by my experimental malloc leak detector. ok florian@
| |
resolvers.
OK kn
| |
Lets unwind(8) run when another name server listens on the wildcard
address. Conflict with unbound(8) spotted by sthen@, ok florian@ deraadt@
| |
Reported upstream.
| |
all heavy lifting done by sthen in unbound
testing benno
| |
slaacd and unwind start very early in the boot process and syslog is
not fully available yet so these messages tend to get lost.
But they are also not particularly useful.
Prompted by a report by Jason Mader on bugs@
OK deraadt, claudio, bluhm
Note that this code has been copied around to all our privsep daemons
and also lives in usr.sbin. Leave it alone there because multiple people
said they find it useful for those daemons.
| |
memcpy the address into a local var before comparing it with code
that reads ints using int *. at least sparc64 and landisk suffer from this.
with and ok jca@
| |
Fixes a crash on landisk (strict alignment arch) reported by otto@
ok deraadt@ otto@