granicus.if.org Git - pdns/log
7 years ago Backport #5525
Remi Gacogne [Mon, 13 Nov 2017 17:05:34 +0000 (18:05 +0100)]
Backport #5525

7 years ago Backport #5523
Remi Gacogne [Mon, 13 Nov 2017 17:05:30 +0000 (18:05 +0100)]
Backport #5523

7 years ago Backport #5488
Remi Gacogne [Mon, 13 Nov 2017 17:05:25 +0000 (18:05 +0100)]
Backport #5488

7 years ago Backport #5406
Remi Gacogne [Mon, 13 Nov 2017 17:05:21 +0000 (18:05 +0100)]
Backport #5406

7 years ago Backport #5320
Remi Gacogne [Mon, 13 Nov 2017 17:05:16 +0000 (18:05 +0100)]
Backport #5320

7 years ago Backport #5261
Remi Gacogne [Mon, 13 Nov 2017 17:05:12 +0000 (18:05 +0100)]
Backport #5261

7 years ago Backport #5078
Remi Gacogne [Mon, 13 Nov 2017 17:05:08 +0000 (18:05 +0100)]
Backport #5078

7 years ago Backport #4960
Remi Gacogne [Mon, 13 Nov 2017 17:05:03 +0000 (18:05 +0100)]
Backport #4960

7 years ago Backport #4824
Remi Gacogne [Mon, 13 Nov 2017 17:04:59 +0000 (18:04 +0100)]
Backport #4824

7 years ago Backport #4646
Remi Gacogne [Mon, 13 Nov 2017 17:04:55 +0000 (18:04 +0100)]
Backport #4646

7 years ago Backport #4561
Remi Gacogne [Mon, 13 Nov 2017 17:04:47 +0000 (18:04 +0100)]
Backport #4561

7 years ago rec: Fix validation at the exact RRSIG inception or expiration time
Remi Gacogne [Mon, 17 Jul 2017 08:29:45 +0000 (10:29 +0200)]
rec: Fix validation at the exact RRSIG inception or expiration time

Reported by Petr Špaček of cz.nic (thanks!).

(cherry picked from commit 179b340d522e36a65e799b048dcdae85c0237fdc)

7 years ago Fix typo in two log messages
Ruben Kerkhof [Fri, 14 Jul 2017 17:55:53 +0000 (19:55 +0200)]
Fix typo in two log messages

(cherry picked from commit 59d26fc8d63fd2ff924be2fa5b3bda3699081914)

7 years ago rec: Only increase `no-packet-error` on the first read
Remi Gacogne [Mon, 3 Jul 2017 11:04:58 +0000 (13:04 +0200)]
rec: Only increase `no-packet-error` on the first read

We try to read as many messages as possible after being woken up,
but only the first read can count as a no-packet error.

(cherry picked from commit 390f1dab05bbbb5d9ba2782e89600ca62c4bec14)

7 years ago rec: Make more specific Netmask < to less specific ones
Remi Gacogne [Wed, 14 Jun 2017 16:16:26 +0000 (18:16 +0200)]
rec: Make more specific Netmask < to less specific ones

Having the most specific ones first, then the less specific ones
then the empty one makes it easier to match the most specific first.

(cherry picked from commit a009559d3bc4d648edc3b5fff062b622bbde2389)

7 years ago Together with Mukund Sivaraman we found out PowerDNS sdig does not truncate
bert hubert [Fri, 12 May 2017 19:25:16 +0000 (21:25 +0200)]
Together with Mukund Sivaraman we found out PowerDNS sdig does not truncate
trailing bits of EDNS Client Subnet mask.  So if you'd truncate something as
a /9, we'd have to use 2 bytes anyhow, but we would not zero the last 7 bits.

We do now. Thanks Mukund & ISC!

(cherry picked from commit d7da15c560946cadaadfc173b8964dd6b40932ed)

7 years ago get-remote-ring's "other" report should only have two items.
Patrick Cloke [Sun, 23 Apr 2017 13:11:12 +0000 (09:11 -0400)]
get-remote-ring's "other" report should only have two items.

(cherry picked from commit d6dcfe36c0d2bb5563322ec90167b5bd4e9efb6b)

7 years ago Throw an error when lua-conf-file can't be loaded
Pieter Lexis [Thu, 23 Feb 2017 10:08:16 +0000 (11:08 +0100)]
Throw an error when lua-conf-file can't be loaded

This ensures we cannot start up if the file is unreadable.
Closes #4939

(cherry picked from commit 0f5785a6c441b043564f3ba26a39145aee74b1c2)

7 years ago recursor: use explicit yes for default-enabled settings
Christian Hofstaedtler [Tue, 31 Jan 2017 11:13:47 +0000 (12:13 +0100)]
recursor: use explicit yes for default-enabled settings

(cherry picked from commit e498dac1aa762f2ace690e1e7a1631f9611096b6)

7 years ago Check in the detected OpenSSL/libcrypto for ECDSA
Pieter Lexis [Thu, 29 Dec 2016 17:01:30 +0000 (18:01 +0100)]
Check in the detected OpenSSL/libcrypto for ECDSA

We used to 'just' use the default includes for this detection.

Fixes #4680

(cherry picked from commit 2a4c374451d50e240872cc9907b69c2d2464f2cc)

7 years ago extract nested exception from Luawrapper
Peter van Dijk [Fri, 28 Oct 2016 13:31:53 +0000 (15:31 +0200)]
extract nested exception from Luawrapper

Before:
Oct 28 15:30:34 STL error (www.foobar.com/A from 127.0.0.1): Exception thrown by a callback function called by Lua

After:
Oct 28 15:30:34 STL error (www.foobar.com/A from 127.0.0.1): Exception thrown by a callback function called by Lua. Extra info: Found . in wrong position in DNSName www.foobar.com..internal

reported by @elad, thanks!

(cherry picked from commit 068c763422b5830dc15598089f7760e79f5bdf81)

7 years ago Update rec_control.1.md
Winfried Angele [Wed, 12 Oct 2016 12:08:02 +0000 (14:08 +0200)]
Update rec_control.1.md

(cherry picked from commit 2c04bf0c18f5e32ff498529162e71982bd3333bf)

7 years ago Merge pull request #5843 from Habbie/b-root-4.0.x
Pieter Lexis [Wed, 25 Oct 2017 13:45:34 +0000 (15:45 +0200)]
Merge pull request #5843 from Habbie/b-root-4.0.x

b.root renumbering, effective 2017-10-24

7 years ago b.root renumbering, effective 2017-10-24
Peter van Dijk [Wed, 25 Oct 2017 11:11:10 +0000 (13:11 +0200)]
b.root renumbering, effective 2017-10-24

7 years ago Merge pull request #5765 from pieterlexis/rec-40-lowercase-outgoing-all-the-things
Pieter Lexis [Mon, 16 Oct 2017 15:56:15 +0000 (17:56 +0200)]
Merge pull request #5765 from pieterlexis/rec-40-lowercase-outgoing-all-the-things

Backport #5740: Lowercase all outgoing qnames when lowercase-outgoing is set

7 years ago Merge pull request #5726 from pieterlexis/auth-406-per-cut-validation
Pieter Lexis [Mon, 16 Oct 2017 11:04:43 +0000 (13:04 +0200)]
Merge pull request #5726 from pieterlexis/auth-406-per-cut-validation

Rec 4.0.x: be more resilient with broken auths

7 years ago Merge pull request #5812 from rgacogne/rec40-travis-encrypt-channel
Remi Gacogne [Wed, 11 Oct 2017 16:11:53 +0000 (18:11 +0200)]
Merge pull request #5812 from rgacogne/rec40-travis-encrypt-channel

Backport #5802: Encrypt the IRC channel name so notifications are not sent for forks

7 years ago Encrypt the IRC channel name so notifications are not sent for forks
Remi Gacogne [Mon, 9 Oct 2017 08:46:59 +0000 (10:46 +0200)]
Encrypt the IRC channel name so notifications are not sent for forks

(cherry picked from commit f4614876f16ac3223786b26b18a4386045102f09)

7 years ago Merge pull request #5813 from rgacogne/rec40-backport-5755
Remi Gacogne [Wed, 11 Oct 2017 15:23:10 +0000 (17:23 +0200)]
Merge pull request #5813 from rgacogne/rec40-backport-5755

Backport #5755: Improve dnsbulktest experience in travis for more robustness

7 years ago we actually resolve 98% by new definition, so can afford upping threshold from 90...
bert hubert [Mon, 2 Oct 2017 07:27:03 +0000 (09:27 +0200)]
we actually resolve 98% by new definition, so can afford upping threshold from 90 to 95%.

(cherry picked from commit 9fb6940f8b1c96c735af3856976ea7a7bc92d3d8)

7 years ago Improve dnsbulktest experience in travis for more robustness
bert hubert [Fri, 29 Sep 2017 20:40:53 +0000 (22:40 +0200)]
Improve dnsbulktest experience in travis for more robustness

This commit changes our dnsbulktest source from Alexa to Cisco Umbrella, but this turned out not to be as important as we thought.
In addition, it turns out we had been installing pdns-tools incorrectly because of wrong apt-settings. We now install pdns-tools from the master repo at repo.powerdns.com.
This commit also tunes pdns_recursor to use fewer simultaneous outbound connections during testing, which appears to make Travis NAT happier, leading to fewer errors.
Finally, we use new features of dnsbulktest to extract more statistics for how well we are doing. Success is now dependent on errors and timeouts, and less on NXDOMAIN.

(cherry picked from commit 8a27076c38e2d399204d41928374e1bb9c45969c)

7 years ago Allow no-EDNS fallback when DNSSEC is needed
Pieter Lexis [Tue, 12 Sep 2017 10:28:33 +0000 (12:28 +0200)]
Allow no-EDNS fallback when DNSSEC is needed

7 years ago Stop DNSSEC processing at Insecure
Pieter Lexis [Tue, 12 Sep 2017 10:28:19 +0000 (12:28 +0200)]
Stop DNSSEC processing at Insecure

7 years ago Lowercase all outgoing qnames when lowercase-outgoing is set
Pieter Lexis [Thu, 28 Sep 2017 11:13:13 +0000 (13:13 +0200)]
Lowercase all outgoing qnames when lowercase-outgoing is set

This is a backport of #5740

7 years ago Merge pull request #5676 from aerique/feature/update-copryright-year-rec-4.0.x
aerique [Thu, 7 Sep 2017 12:52:56 +0000 (14:52 +0200)]
Merge pull request #5676 from aerique/feature/update-copryright-year-rec-4.0.x

Update copyright year in publicly visible output and files

7 years ago Update copyright year in publicly visible output and files
Pieter Lexis [Thu, 16 Feb 2017 13:08:40 +0000 (14:08 +0100)]
Update copyright year in publicly visible output and files

(cherry picked from commit ff8f70b800e8b81a6d97c2d2568483d03228df2a)

7 years ago Merge pull request #5627 from rgacogne/rec40-remove-syncres-unit-tests
Remi Gacogne [Tue, 22 Aug 2017 08:41:39 +0000 (10:41 +0200)]
Merge pull request #5627 from rgacogne/rec40-remove-syncres-unit-tests

rec: Remove the SyncRes unit tests from the 4.0 branch

7 years ago Merge pull request #5629 from rgacogne/rec40-travis-build-dir
Remi Gacogne [Mon, 21 Aug 2017 08:02:57 +0000 (10:02 +0200)]
Merge pull request #5629 from rgacogne/rec40-travis-build-dir

Backport #4986: Use `${TRAVIS_BUILD_DIR}` instead of assuming the repo is in `pdns`

7 years ago Use `${TRAVIS_BUILD_DIR}` instead of assuming the repo is in `pdns`
Remi Gacogne [Wed, 8 Feb 2017 14:33:57 +0000 (15:33 +0100)]
Use `${TRAVIS_BUILD_DIR}` instead of assuming the repo is in `pdns`

Thus avoiding issues when/if the repository is cloned with a different
name.

(cherry picked from commit 1e0253cad96199647f92ef4fa8230f614637e80c)

7 years ago rec: Remove the SyncRes unit tests from the 4.0 branch
Remi Gacogne [Fri, 18 Aug 2017 10:37:26 +0000 (12:37 +0200)]
rec: Remove the SyncRes unit tests from the 4.0 branch

test-syncres_cc.cc is not used and was added by mistake in a commit
backporting IXFR tests: c8f3468f102a4ab17ea1b5a9f408ce2bad3ddeab

7 years ago Merge pull request #5608 from rgacogne/rec40-cache-inttypes
Remi Gacogne [Mon, 14 Aug 2017 12:43:59 +0000 (14:43 +0200)]
Merge pull request #5608 from rgacogne/rec40-cache-inttypes

rec: Add missing cinttypes include for PRId64

7 years ago rec: Add missing cinttypes include for PRId64
Remi Gacogne [Mon, 14 Aug 2017 10:37:58 +0000 (12:37 +0200)]
rec: Add missing cinttypes include for PRId64

7 years ago Merge pull request #5596 from pieterlexis/rec-dump-rrsigs-from-cache
Remi Gacogne [Mon, 14 Aug 2017 08:14:11 +0000 (10:14 +0200)]
Merge pull request #5596 from pieterlexis/rec-dump-rrsigs-from-cache

Backport #5511: Dump RRSIGs on `dump-cache`

7 years ago rec: Show auth state recursor cache dump
Pieter Lexis [Mon, 17 Jul 2017 12:14:29 +0000 (14:14 +0200)]
rec: Show auth state recursor cache dump

cherry-picked from commit ea9831c08f4c54514006efc1c61990963b10080f

7 years ago rec: Dump RRSIGs from record cache
Pieter Lexis [Mon, 10 Jul 2017 11:29:49 +0000 (13:29 +0200)]
rec: Dump RRSIGs from record cache

7 years ago Merge pull request #5415 from rgacogne/rec40-ecs-fixes rec-4.0.6
Peter van Dijk [Tue, 4 Jul 2017 13:09:41 +0000 (15:09 +0200)]
Merge pull request #5415 from rgacogne/rec40-ecs-fixes

rec40: Backport ECS fixes

7 years ago rec: Use the incoming ECS for cache lookup if `use-incoming-edns-subnet` is set
Remi Gacogne [Wed, 14 Jun 2017 11:31:18 +0000 (13:31 +0200)]
rec: Use the incoming ECS for cache lookup if `use-incoming-edns-subnet` is set

Otherwise we insert into the cache based on the incoming ECS but
later do the lookup based on the query's source IP.

(cherry picked from commit 5736e55e0d2d8cd9a064b8377e87d08a540cb1b1)

7 years ago Add more tests to the Netmask unit tests
Remi Gacogne [Thu, 15 Jun 2017 14:36:52 +0000 (16:36 +0200)]
Add more tests to the Netmask unit tests

Additional tests:

 * getBits()
 * isIpv4()
 * isIPv6()
 * getNetwork()
 * getMaskedNetwork()
 * check that Netmasks constructed from ComboAddresses with different
   ports match

(cherry picked from commit 7f3e6acd659a9fee8ed027e7abe99ea77b3ee691)

7 years ago when making a netmask from a comboaddress, we neglected to zero the port. This could...
bert hubert [Thu, 15 Jun 2017 01:14:01 +0000 (03:14 +0200)]
when making a netmask from a comboaddress, we neglected to zero the port. This could lead to a proliferation of netmasks.

(cherry picked from commit 0bdabe94e6fd873455d34b88f8954d8cc6034a72)

7 years ago rec: Don't take the initial ECS source for a scope one if EDNS is off
Remi Gacogne [Fri, 2 Jun 2017 11:52:00 +0000 (13:52 +0200)]
rec: Don't take the initial ECS source for a scope one if EDNS is off

(cherry picked from commit fe61f5d87871b56a17612c5a8334a84391f0d962)

7 years ago with this, EDNS Client Subnet becomes compatible with the packet cache, using the...
bert hubert [Wed, 14 Jun 2017 06:35:53 +0000 (08:35 +0200)]
with this, EDNS Client Subnet becomes compatible with the packet cache, using the existing variable answer facility.

(cherry picked from commit 8bec43b3a28df7d31a4bb464dd043d7ec9caeab0)

7 years ago also set d_requestor without Lua: the ECS logic needs it
bert hubert [Tue, 13 Jun 2017 22:41:27 +0000 (00:41 +0200)]
also set d_requestor without Lua: the ECS logic needs it

(cherry picked from commit cd00142f8ba7a70a59095249b601eb64257e146c)

7 years ago Merge pull request #5479 from rgacogne/rec40-5476-ixfr-fix
Pieter Lexis [Mon, 3 Jul 2017 08:50:04 +0000 (10:50 +0200)]
Merge pull request #5479 from rgacogne/rec40-5476-ixfr-fix

rec: Backport #5476: Fix IXFR skipping the additions part of the last sequence

7 years ago Merge pull request #5480 from rgacogne/rec40-5416-cache-expired
Pieter Lexis [Mon, 3 Jul 2017 08:49:56 +0000 (10:49 +0200)]
Merge pull request #5480 from rgacogne/rec40-5416-cache-expired

rec: Backport #5416: Move expired cache entries to the front so they are expunged

7 years ago Remove just enough entries from the cache, not one more than asked
Remi Gacogne [Tue, 20 Jun 2017 15:09:56 +0000 (17:09 +0200)]
Remove just enough entries from the cache, not one more than asked

(cherry picked from commit f3cb7c78abe3ad639d4583880ae9302b3be99a9e)

7 years ago rec: Move expired cache entries to the front so they are expunged
Remi Gacogne [Thu, 15 Jun 2017 16:17:23 +0000 (18:17 +0200)]
rec: Move expired cache entries to the front so they are expunged

(cherry picked from commit 197d755ea3972251352170261a9d7024ca95175c)

7 years ago rec: Add IXFR unit tests
Remi Gacogne [Thu, 29 Jun 2017 13:29:40 +0000 (15:29 +0200)]
rec: Add IXFR unit tests

(cherry picked from commit e503653f7d4c7e28b594336b37bcf602c7f5119a)

7 years ago rec: Fix IXFR skipping the additions part of the last sequence
Remi Gacogne [Wed, 28 Jun 2017 16:26:33 +0000 (18:26 +0200)]
rec: Fix IXFR skipping the additions part of the last sequence

Under certain conditions, we could have skipped the additions part
of the last `IXFR` sequence, because we stopped processing records
after seeing a `SOA` record with the new serial. However, as stated
in rfc1995's "Response format" section:

"the first RR of the added RRs is the newer SOA RR"

(cherry picked from commit d67ae3b477c9cf9d2a98f0edad9977dc34a2c8bf)

7 years ago Merge pull request #5471 from pieterlexis/rec-406-b-root
bert hubert [Thu, 29 Jun 2017 18:54:58 +0000 (20:54 +0200)]
Merge pull request #5471 from pieterlexis/rec-406-b-root

Backport #4497 and #5470: Add E and B root IPv6 addresses

7 years ago rec: changed IPv6 addr of b.root-servers.net
Arsen Stasic [Tue, 27 Jun 2017 11:02:53 +0000 (13:02 +0200)]
rec: changed IPv6 addr of b.root-servers.net

http://www.internic.net/domain/db.cache
last update:    June 01, 2017
is effective since 2017-06-01

(cherry picked from commit 951ab1a12096a6cf8514282c5f5d4d7641bc87ae)

7 years ago e.root-servers.net has IPv6 now
phonedph1 [Fri, 23 Sep 2016 00:41:58 +0000 (18:41 -0600)]
e.root-servers.net has IPv6 now

(cherry picked from commit b815c62e1a4be01b4a2a7833855116b8781f86f6)

7 years ago Merge pull request #5462 from pieterlexis/rex-406-backport-5455
Pieter Lexis [Tue, 27 Jun 2017 10:05:31 +0000 (12:05 +0200)]
Merge pull request #5462 from pieterlexis/rex-406-backport-5455

Backport 5455: Travis: Use auth 4.0 for recursor tests

7 years ago Travis: Use auth 4.0 for recursor tests
Pieter Lexis [Fri, 23 Jun 2017 08:43:37 +0000 (10:43 +0200)]
Travis: Use auth 4.0 for recursor tests

(cherry picked from commit dad54543abf80aedefbe47f1d538542763794173)

7 years ago Merge pull request #5451 from rgacogne/rec40-requestor-payload-512
Peter van Dijk [Thu, 22 Jun 2017 14:07:25 +0000 (16:07 +0200)]
Merge pull request #5451 from rgacogne/rec40-requestor-payload-512

Backport #5446: rec: Treat requestor's payload size lower than 512 as equal to 512

7 years ago rec: Treat requestor's payload size lower than 512 as equal to 512
Remi Gacogne [Thu, 22 Jun 2017 08:25:47 +0000 (10:25 +0200)]
rec: Treat requestor's payload size lower than 512 as equal to 512

(cherry picked from commit 320157487ec1cd0a9c4bcfd5309d9d651c26eb72)

7 years ago Merge pull request #5447 from Habbie/rec-4.0.x-uri
Pieter Lexis [Thu, 22 Jun 2017 12:22:51 +0000 (14:22 +0200)]
Merge pull request #5447 from Habbie/rec-4.0.x-uri

rec backport: make URI integers 16 bits, fixes #5443

7 years ago Merge pull request #5448 from mind04/rec-4.0.x
Pieter Lexis [Thu, 22 Jun 2017 12:22:42 +0000 (14:22 +0200)]
Merge pull request #5448 from mind04/rec-4.0.x

Rec 4.0.x: backport decaf signer

7 years ago add ED448 to signers unit test
Kees Monshouwer [Mon, 19 Jun 2017 09:09:47 +0000 (11:09 +0200)]
add ED448 to signers unit test

7 years ago initial stab at signer testing; has one 8080 test vector for now
Peter van Dijk [Sat, 17 Jun 2017 17:01:52 +0000 (19:01 +0200)]
initial stab at signer testing; has one 8080 test vector for now

7 years ago don't use the libdecaf ed25519 signer when libsodium is enabled
Kees Monshouwer [Wed, 21 Jun 2017 12:23:34 +0000 (14:23 +0200)]
don't use the libdecaf ed25519 signer when libsodium is enabled

7 years ago hello decaf signers (ED25519 and ED448)
Kees Monshouwer [Sat, 17 Jun 2017 15:31:41 +0000 (17:31 +0200)]
hello decaf signers (ED25519 and ED448)
Testing algorithm 15: 'Decaf ED25519' ->'Decaf ED25519' -> 'Decaf ED25519' Signature & verify ok, signature 68usec, verify 93usec
Testing algorithm 16: 'Decaf ED448' ->'Decaf ED448' -> 'Decaf ED448' Signature & verify ok, signature 163usec, verify 252usec

7 years ago make URI integers 16 bits, fixes #5443
Peter van Dijk [Thu, 22 Jun 2017 08:09:01 +0000 (10:09 +0200)]
make URI integers 16 bits, fixes #5443

7 years ago Merge pull request #5411 from Habbie/4.0.x-5401
Peter van Dijk [Mon, 19 Jun 2017 15:12:00 +0000 (17:12 +0200)]
Merge pull request #5411 from Habbie/4.0.x-5401

unbreak quoting; fixes #5401

7 years ago Merge pull request #5424 from mind04/ed25519-r40
Peter van Dijk [Mon, 19 Jun 2017 14:46:21 +0000 (16:46 +0200)]
Merge pull request #5424 from mind04/ed25519-r40

Backport of #5422 do not hash the message in the ed25519 signer

7 years ago do not hash the message in the ed25519 signer
Kees Monshouwer [Fri, 16 Jun 2017 20:29:13 +0000 (22:29 +0200)]
do not hash the message in the ed25519 signer

https://www.rfc-editor.org/errata_search.php?rfc=8080

This is a Native zone
Metadata items: None
Zone has NSEC semantics
keys:
ID = 1 (CSK), flags = 257, tag = 3613, algo = 15, bits = 256      Active ( ED25519 )
CSK DNSKEY = example.com. IN DNSKEY 257 3 15 l02Woi0iS8Aa25FQkUd9RMzZHJpBoRQwAQEX1SxZJA4= ; ( ED25519 )
DS = example.com. IN DS 3613 15 1 b2c63605467c4a40942b47a953e9c0d38f81083a ; ( SHA1 digest )
DS = example.com. IN DS 3613 15 2 3aa5ab37efce57f737fc1627013fee07bdf241bd10f3b1964ab55c78e79a304b ; ( SHA256 digest )
DS = example.com. IN DS 3613 15 4 89389da437fca8372e67359dfc0dd4428fa2615df6e31bc5501677dd068514fea5c4efaf82188530a8a1645d9d3ef884 ; ( SHA-384 digest )

DNSKEY and DS match

7 years ago Merge pull request #5405 from rgacogne/rec40-disable-use-incoming-ecs
Peter van Dijk [Thu, 15 Jun 2017 12:30:59 +0000 (14:30 +0200)]
Merge pull request #5405 from rgacogne/rec40-disable-use-incoming-ecs

Backport #5402: rec: Disable use-incoming-edns-subnet by default

7 years ago unbreak quoting; fixes #5401
Peter van Dijk [Thu, 15 Jun 2017 07:36:57 +0000 (09:36 +0200)]
unbreak quoting; fixes #5401

7 years ago rec: Disable use-incoming-edns-subnet by default
Remi Gacogne [Wed, 14 Jun 2017 12:26:18 +0000 (14:26 +0200)]
rec: Disable use-incoming-edns-subnet by default

(cherry picked from commit a16c4536496ab0d3cf959bcb45e7a6cf41d02e3e)

7 years ago Merge pull request #5392 from pieterlexis/rec-405-sync-boost-m4 rec-4.0.5
Pieter Lexis [Tue, 13 Jun 2017 09:50:50 +0000 (11:50 +0200)]
Merge pull request #5392 from pieterlexis/rec-405-sync-boost-m4

Sync boost.m4 from master

7 years ago Sync boost.m4 from master
Pieter Lexis [Tue, 13 Jun 2017 08:26:54 +0000 (10:26 +0200)]
Sync boost.m4 from master

7 years ago Merge pull request #5355 from rgacogne/rec40-backport-4924-1988 rec-4.0.5-rc2
Pieter Lexis [Thu, 1 Jun 2017 09:33:28 +0000 (11:33 +0200)]
Merge pull request #5355 from rgacogne/rec40-backport-4924-1988

rec-4.0.x: Backport #4924 and #4988

7 years ago Merge pull request #5345 from shinsterneck/backport-5335-rec-4.0.x
Pieter Lexis [Thu, 1 Jun 2017 09:33:19 +0000 (11:33 +0200)]
Merge pull request #5345 from shinsterneck/backport-5335-rec-4.0.x

Backport of #5335 to rec-4.0.x: configure.ac: corrects syntax error in test statement on existence of libcrypto_ecdsa

7 years ago rec: Add `use-incoming-edns-subnet` to process and pass along ECS
Remi Gacogne [Thu, 9 Feb 2017 14:01:41 +0000 (15:01 +0100)]
rec: Add `use-incoming-edns-subnet` to process and pass along ECS

If set, the recursor will process and pass along a received EDNS
Client Subnet to authoritative servers.
The ECS information will only be sent for netmasks and domains listed
in `edns-subnet-whitelist`, and will be truncated if the received scope
exceeds `ecs-ipv4-bits` for IPv4 or `ecs-ipv6-bits` for IPv6.
An incoming ECS source prefix-length of 0 can also be used to
request that no ECS value be sent to the authoritative servers,
in accordance with RFC7871.

(cherry picked from commit b40562da39e3be0dcf193163c386eef369dcc4af)

7 years ago Correctly parse ECS with a source prefix-length value of 0
Remi Gacogne [Thu, 9 Feb 2017 13:50:11 +0000 (14:50 +0100)]
Correctly parse ECS with a source prefix-length value of 0

It means there is no address there, but the family and source
prefix-length values are still relevant. rfc7871 explicitly says
that the family SHOULD be set to the transport over which the query
is sent if source prefix-length is 0.
It also states that a source prefix-length means the client is
asking that no ECS value be sent.

(cherry picked from commit 53221eafae3fe410586daf98cca0df3d81ea344c)

7 years ago add iputils.cc to remotebackend tests
bert hubert [Wed, 18 Jan 2017 17:49:51 +0000 (18:49 +0100)]
add iputils.cc to remotebackend tests

(cherry picked from commit 4d541cb1bf211c1a707d34691ea0f3329be0bf1f)

7 years ago link in iputils.o in places that need it now for truncation of netmask
bert hubert [Wed, 18 Jan 2017 17:18:00 +0000 (18:18 +0100)]
link in iputils.o in places that need it now for truncation of netmask

(cherry picked from commit 4ba0ebc5fe17ea9263ade38d4e76b63072397296)

7 years ago add ecs-ipv4-bits and ecs-ipv6-bits tunables for EDNS Client Subnet & document them...
bert hubert [Wed, 18 Jan 2017 15:18:46 +0000 (16:18 +0100)]
add ecs-ipv4-bits and ecs-ipv6-bits tunables for EDNS Client Subnet & document them. Split out ECS code from pdns_recursor.cc.

(cherry picked from commit 35695d184316e0686d1dc2d50ef4a4420bc95157)

7 years ago make EDNS client subnet do some better logging on --trace
bert hubert [Wed, 18 Jan 2017 15:18:23 +0000 (16:18 +0100)]
make EDNS client subnet do some better logging on --trace

(cherry picked from commit 43f759413685af3cc06587c3631009eea3434396)

7 years ago ComboAddress truncate() is assumed to never throw. Enforce this.
bert hubert [Wed, 18 Jan 2017 15:17:06 +0000 (16:17 +0100)]
ComboAddress truncate() is assumed to never throw. Enforce this.

(cherry picked from commit 5b6099b2397c1b5a4789235ad5c06ac83ecfa818)

7 years ago EDNS Client Subnet parser delivered 'over precise' netmasks, like 1.2.3.4/16. This...
bert hubert [Wed, 18 Jan 2017 15:16:19 +0000 (16:16 +0100)]
EDNS Client Subnet parser delivered 'over precise' netmasks, like 1.2.3.4/16. This might have caused problems, but at the very least looks odd. We truncate now.

(cherry picked from commit b85f49a0aa392d40f00e134708c2e12aa1231870)

7 years ago corrects syntax error in test statement on existence of libcrypto_ecdsa
Shin Sterneck [Tue, 23 May 2017 00:12:26 +0000 (09:12 +0900)]
corrects syntax error in test statement on existence of libcrypto_ecdsa

(cherry picked from commit 8189c881e5ebaa13f5f14d9345335d656bd34e43)

7 years ago Use un-annotated tags for determining version rec-4.0.5-rc1
Pieter Lexis [Thu, 18 May 2017 09:08:55 +0000 (11:08 +0200)]
Use un-annotated tags for determining version

7 years ago Merge pull request #5304 from pieterlexis/rec-405-backports
Pieter Lexis [Thu, 18 May 2017 08:23:33 +0000 (10:23 +0200)]
Merge pull request #5304 from pieterlexis/rec-405-backports

Recursor backports

7 years ago Recursor 4.0.5: Backport #5319
Pieter Lexis [Wed, 17 May 2017 19:22:41 +0000 (21:22 +0200)]
Recursor 4.0.5: Backport #5319

7 years ago rec: Only check the netmask for subnet specific cache entries
Remi Gacogne [Fri, 12 May 2017 12:12:10 +0000 (14:12 +0200)]
rec: Only check the netmask for subnet specific cache entries

We used to check the netmask for all entries for a qname
if at least one of them was a subnet specific one. Since an empty
`Netmask` doesn't match anything, we would effectively ignore all
non subnet specific entries if we had at least one subnet specific
one.
This caused a very hard to reproduce issue with for example
f.root-servers.net that includes an EDNS Client Subnet option in its
answer for `NS .` if the query has an EDNS Client Subnet option.
This caused the recursor to cache a subnet specific entry for `NS .`.
When that entry expired, we retrieved and cached a non subnet specific
one, but that new one was ignored as long as the subnet specific
was not expunged from the cache.
Under certain circumstances that could cause a root refresh loop
using a lot of stack memory.

(cherry picked from commit 65fdd185f4930f685b87340d29535f40d8b52fb3)

7 years ago Merge pull request #5324 from rgacogne/rec40-yahttp-backports
Pieter Lexis [Wed, 17 May 2017 08:04:34 +0000 (10:04 +0200)]
Merge pull request #5324 from rgacogne/rec40-yahttp-backports

rec-4.0.x: YaHTTP: Sync with upstream changes

7 years ago YaHTTP: Sync with upstream changes
Remi Gacogne [Mon, 15 May 2017 10:50:24 +0000 (12:50 +0200)]
YaHTTP: Sync with upstream changes

Backport changes from upstream up to c5b83288a4c2f8ec07cb8cb7bd150f2210db67b6
"Add missing `YaHTTP::isdigit()`, fix locale-enabled versions"

7 years ago Recursor 4.0.5: Backport #5318
Pieter Lexis [Sat, 13 May 2017 09:42:32 +0000 (11:42 +0200)]
Recursor 4.0.5: Backport #5318

7 years ago when (re)priming the root, we do so with auth=0. We'll only set auth=1 after we have...
bert hubert [Fri, 12 May 2017 10:34:44 +0000 (12:34 +0200)]
when (re)priming the root, we do so with auth=0. We'll only set auth=1 after we have an answer from the roots. This however opens up a small race condition in which the root is expired (ttl=0), but still auth=1 in the cache. Our attempt to replace it with auth=0 data fails at that point. This is probably due to some fencepost error somewhere. To not be subtle about this, explicitly nuke the root when we reprime.

(cherry picked from commit 0d032a66afe508cc86a25eef26fc9be0867a117e)

7 years ago Recursor 4.0.5: Backport #5304
Pieter Lexis [Sat, 13 May 2017 08:16:37 +0000 (10:16 +0200)]
Recursor 4.0.5: Backport #5304