authorDag-Erling Smørgrav <des@FreeBSD.org>2016-02-11 17:37:02 +0000
committerDag-Erling Smørgrav <des@FreeBSD.org>2016-02-11 17:37:02 +0000
commit0de4f1bf6489bbcbd68ea4cfe2a9c63cc0a1691b (patch)
treee32c93af0661509cfead6ff7d7d1448d70832eb4 /contrib/unbound/util
parent8232a681f5bcf2f9aa6303687cf5cd89336b7399 (diff)
parente24c5f9706c7df9bbd9a49f3a6d2dddb9e80b480 (diff)
Diffstat (limited to 'contrib/unbound/util')
-rw-r--r--contrib/unbound/util/as112.c143
-rw-r--r--contrib/unbound/util/as112.h57
-rw-r--r--contrib/unbound/util/config_file.c3
-rw-r--r--contrib/unbound/util/config_file.h4
-rw-r--r--contrib/unbound/util/configlexer.lex1
-rw-r--r--contrib/unbound/util/configparser.y16
6 files changed, 221 insertions, 3 deletions
diff --git a/contrib/unbound/util/as112.c b/contrib/unbound/util/as112.c
new file mode 100644
index 000000000000..6ee69404656e
--- /dev/null
+++ b/contrib/unbound/util/as112.c
@@ -0,0 +1,143 @@
+/*
+ * util/as112.c - list of local zones.
+ *
+ * Copyright (c) 2007, NLnet Labs. All rights reserved.
+ *
+ * This software is open source.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ *
+ * Neither the name of the NLNET LABS nor the names of its contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+ * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/**
+ * \file
+ *
+ * This file provides a list of lan zones.
+ */
+
+#include "util/as112.h"
+
+static const char* as112_zone_array[] = {
+ "10.in-addr.arpa.",
+ "16.172.in-addr.arpa.",
+ "17.172.in-addr.arpa.",
+ "18.172.in-addr.arpa.",
+ "19.172.in-addr.arpa.",
+ "20.172.in-addr.arpa.",
+ "21.172.in-addr.arpa.",
+ "22.172.in-addr.arpa.",
+ "23.172.in-addr.arpa.",
+ "24.172.in-addr.arpa.",
+ "25.172.in-addr.arpa.",
+ "26.172.in-addr.arpa.",
+ "27.172.in-addr.arpa.",
+ "28.172.in-addr.arpa.",
+ "29.172.in-addr.arpa.",
+ "30.172.in-addr.arpa.",
+ "31.172.in-addr.arpa.",
+ "168.192.in-addr.arpa.",
+ "0.in-addr.arpa.",
+ "64.100.in-addr.arpa.",
+ "65.100.in-addr.arpa.",
+ "66.100.in-addr.arpa.",
+ "67.100.in-addr.arpa.",
+ "68.100.in-addr.arpa.",
+ "69.100.in-addr.arpa.",
+ "70.100.in-addr.arpa.",
+ "71.100.in-addr.arpa.",
+ "72.100.in-addr.arpa.",
+ "73.100.in-addr.arpa.",
+ "74.100.in-addr.arpa.",
+ "75.100.in-addr.arpa.",
+ "76.100.in-addr.arpa.",
+ "77.100.in-addr.arpa.",
+ "78.100.in-addr.arpa.",
+ "79.100.in-addr.arpa.",
+ "80.100.in-addr.arpa.",
+ "81.100.in-addr.arpa.",
+ "82.100.in-addr.arpa.",
+ "83.100.in-addr.arpa.",
+ "84.100.in-addr.arpa.",
+ "85.100.in-addr.arpa.",
+ "86.100.in-addr.arpa.",
+ "87.100.in-addr.arpa.",
+ "88.100.in-addr.arpa.",
+ "89.100.in-addr.arpa.",
+ "90.100.in-addr.arpa.",
+ "91.100.in-addr.arpa.",
+ "92.100.in-addr.arpa.",
+ "93.100.in-addr.arpa.",
+ "94.100.in-addr.arpa.",
+ "95.100.in-addr.arpa.",
+ "96.100.in-addr.arpa.",
+ "97.100.in-addr.arpa.",
+ "98.100.in-addr.arpa.",
+ "99.100.in-addr.arpa.",
+ "100.100.in-addr.arpa.",
+ "101.100.in-addr.arpa.",
+ "102.100.in-addr.arpa.",
+ "103.100.in-addr.arpa.",
+ "104.100.in-addr.arpa.",
+ "105.100.in-addr.arpa.",
+ "106.100.in-addr.arpa.",
+ "107.100.in-addr.arpa.",
+ "108.100.in-addr.arpa.",
+ "109.100.in-addr.arpa.",
+ "110.100.in-addr.arpa.",
+ "111.100.in-addr.arpa.",
+ "112.100.in-addr.arpa.",
+ "113.100.in-addr.arpa.",
+ "114.100.in-addr.arpa.",
+ "115.100.in-addr.arpa.",
+ "116.100.in-addr.arpa.",
+ "117.100.in-addr.arpa.",
+ "118.100.in-addr.arpa.",
+ "119.100.in-addr.arpa.",
+ "120.100.in-addr.arpa.",
+ "121.100.in-addr.arpa.",
+ "122.100.in-addr.arpa.",
+ "123.100.in-addr.arpa.",
+ "124.100.in-addr.arpa.",
+ "125.100.in-addr.arpa.",
+ "126.100.in-addr.arpa.",
+ "127.100.in-addr.arpa.",
+ "254.169.in-addr.arpa.",
+ "2.0.192.in-addr.arpa.",
+ "100.51.198.in-addr.arpa.",
+ "113.0.203.in-addr.arpa.",
+ "255.255.255.255.in-addr.arpa.",
+ "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa.",
+ "d.f.ip6.arpa.",
+ "8.e.f.ip6.arpa.",
+ "9.e.f.ip6.arpa.",
+ "a.e.f.ip6.arpa.",
+ "b.e.f.ip6.arpa.",
+ "8.b.d.0.1.0.0.2.ip6.arpa.",
+ 0
+};
+
+const char** as112_zones = as112_zone_array;
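Review bot: Both the table `as112_zone_array` and the exported pointer `as112_zones` are writable at run time, because the elements are `const char*` rather than `const char* const` and `as112_zones` is a plain non-const global. This list names the local-use zones that should not be sent on to the internet, and it presumably also backs the new insecure-lan-zones option, so an accidental write elsewhere in the process would silently change resolver policy. Consider `static const char* const as112_zone_array[] = {` and `const char* const* as112_zones = as112_zone_array;`, with the matching `extern const char* const* as112_zones;` in as112.h. Any caller that stores the pointer in a `const char**` would need the same qualifier; those callers are outside this diff.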
diff --git a/contrib/unbound/util/as112.h b/contrib/unbound/util/as112.h
new file mode 100644
index 000000000000..7d0329e82b68
--- /dev/null
+++ b/contrib/unbound/util/as112.h
@@ -0,0 +1,57 @@
+/*
+ * util/as112.c - list of local zones.
+ *
+ * Copyright (c) 2007, NLnet Labs. All rights reserved.
+ *
+ * This software is open source.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ *
+ * Neither the name of the NLNET LABS nor the names of its contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+ * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/**
+ * \file
+ *
+ * This file provides a list of lan zones
+ */
+
+#ifndef UTIL_AS112_H
+#define UTIL_AS112_H
+
+/**
+ * Array of text-format domain names of the AS112 zones.
+ * The array ends with NULL. "AS112" is a service on the internet that
+ * that this array is named after. The names in this list (or some of them)
+ * are null-routed by this service to avoid load on central servers caused by
+ * mistaken lookups for local content on the global internet.
+ *
+ * This is the list of names that unbound should not normally be sending
+ * on towards the internet, because they are local-use.
+ */
+extern const char** as112_zones;
+
+#endif
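Review bot: The file header in as112.h was copied from the source file and still reads `util/as112.c - list of local zones.`; it should name `util/as112.h`. The doc comment on `as112_zones` also doubles a word across a line break (`that` / `that this array is named after`), which could read `"AS112" is a service on the internet that this array is named after.` If this list is also what insecure-lan-zones exempts from validation, the comment should say so, since that is the security-relevant use; the code that consumes the array is not part of this diff.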
diff --git a/contrib/unbound/util/config_file.c b/contrib/unbound/util/config_file.c
index 6354e99f46a7..4d8f806bb538 100644
--- a/contrib/unbound/util/config_file.c
+++ b/contrib/unbound/util/config_file.c
@@ -210,6 +210,7 @@ config_create(void)
cfg->local_zones_nodefault = NULL;
cfg->local_data = NULL;
cfg->unblock_lan_zones = 0;
+ cfg->insecure_lan_zones = 0;
cfg->python_script = NULL;
cfg->remote_control_enable = 0;
cfg->control_ifs = NULL;
@@ -458,6 +459,7 @@ int config_set_option(struct config_file* cfg, const char* opt,
else S_YNO("rrset-roundrobin:", rrset_roundrobin)
else S_STRLIST("local-data:", local_data)
else S_YNO("unblock-lan-zones:", unblock_lan_zones)
+ else S_YNO("insecure-lan-zones:", insecure_lan_zones)
else S_YNO("control-enable:", remote_control_enable)
else S_STRLIST("control-interface:", control_ifs)
else S_NUMBER_NONZERO("control-port:", control_port)
@@ -739,6 +741,7 @@ config_get_option(struct config_file* cfg, const char* opt,
else O_YNO(opt, "minimal-responses", minimal_responses)
else O_YNO(opt, "rrset-roundrobin", rrset_roundrobin)
else O_YNO(opt, "unblock-lan-zones", unblock_lan_zones)
+ else O_YNO(opt, "insecure-lan-zones", insecure_lan_zones)
else O_DEC(opt, "max-udp-size", max_udp_size)
else O_STR(opt, "python-script", python_script)
else O_DEC(opt, "ratelimit", ratelimit)
diff --git a/contrib/unbound/util/config_file.h b/contrib/unbound/util/config_file.h
index 8fa163ed7cc9..c758d647550e 100644
--- a/contrib/unbound/util/config_file.h
+++ b/contrib/unbound/util/config_file.h
@@ -285,8 +285,10 @@ struct config_file {
struct config_strlist* local_zones_nodefault;
/** local data RRs configured */
struct config_strlist* local_data;
- /** unblock lan zones (reverse lookups for 10/8 and so on) */
+ /** unblock lan zones (reverse lookups for AS112 zones) */
int unblock_lan_zones;
+ /** insecure lan zones (don't validate AS112 zones) */
+ int insecure_lan_zones;
/** remote control section. enable toggle. */
int remote_control_enable;
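Review bot: The new field comment `/** insecure lan zones (don't validate AS112 zones) */` does not say what kind of validation is switched off or what the default is. Something like `/** insecure lan zones: if nonzero, DNSSEC validation is skipped for the AS112 zones; default 0 (validate) */` would make the trade-off visible to anyone reading the struct. The default of 0 is set in the config_create hunk of config_file.c. That the validation in question is DNSSEC is inferred from the option name, because the code that reads the flag is outside this diff. struct config_file begins and ends outside the hunk.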
diff --git a/contrib/unbound/util/configlexer.lex b/contrib/unbound/util/configlexer.lex
index a3680664e986..5b25ef537598 100644
--- a/contrib/unbound/util/configlexer.lex
+++ b/contrib/unbound/util/configlexer.lex
@@ -321,6 +321,7 @@ local-zone{COLON} { YDVAR(2, VAR_LOCAL_ZONE) }
local-data{COLON} { YDVAR(1, VAR_LOCAL_DATA) }
local-data-ptr{COLON} { YDVAR(1, VAR_LOCAL_DATA_PTR) }
unblock-lan-zones{COLON} { YDVAR(1, VAR_UNBLOCK_LAN_ZONES) }
+insecure-lan-zones{COLON} { YDVAR(1, VAR_INSECURE_LAN_ZONES) }
statistics-interval{COLON} { YDVAR(1, VAR_STATISTICS_INTERVAL) }
statistics-cumulative{COLON} { YDVAR(1, VAR_STATISTICS_CUMULATIVE) }
extended-statistics{COLON} { YDVAR(1, VAR_EXTENDED_STATISTICS) }
diff --git a/contrib/unbound/util/configparser.y b/contrib/unbound/util/configparser.y
index abc0bb0d77f8..a276faea90d3 100644
--- a/contrib/unbound/util/configparser.y
+++ b/contrib/unbound/util/configparser.y
@@ -106,7 +106,8 @@ extern struct config_parser_state* cfg_parser;
%token VAR_IGNORE_CD_FLAG VAR_LOG_QUERIES VAR_TCP_UPSTREAM VAR_SSL_UPSTREAM
%token VAR_SSL_SERVICE_KEY VAR_SSL_SERVICE_PEM VAR_SSL_PORT VAR_FORWARD_FIRST
%token VAR_STUB_FIRST VAR_MINIMAL_RESPONSES VAR_RRSET_ROUNDROBIN
-%token VAR_MAX_UDP_SIZE VAR_DELAY_CLOSE VAR_UNBLOCK_LAN_ZONES
+%token VAR_MAX_UDP_SIZE VAR_DELAY_CLOSE
+%token VAR_UNBLOCK_LAN_ZONES VAR_INSECURE_LAN_ZONES
%token VAR_INFRA_CACHE_MIN_RTT
%token VAR_DNS64_PREFIX VAR_DNS64_SYNTHALL
%token VAR_DNSTAP VAR_DNSTAP_ENABLE VAR_DNSTAP_SOCKET_PATH
@@ -180,7 +181,8 @@ content_server: server_num_threads | server_verbosity | server_port |
server_log_queries | server_tcp_upstream | server_ssl_upstream |
server_ssl_service_key | server_ssl_service_pem | server_ssl_port |
server_minimal_responses | server_rrset_roundrobin | server_max_udp_size |
- server_so_reuseport | server_delay_close | server_unblock_lan_zones |
+ server_so_reuseport | server_delay_close |
+ server_unblock_lan_zones | server_insecure_lan_zones |
server_dns64_prefix | server_dns64_synthall |
server_infra_cache_min_rtt | server_harden_algo_downgrade |
server_ip_transparent | server_ratelimit | server_ratelimit_slabs |
@@ -722,6 +724,16 @@ server_unblock_lan_zones: VAR_UNBLOCK_LAN_ZONES STRING_ARG
free($2);
}
;
+server_insecure_lan_zones: VAR_INSECURE_LAN_ZONES STRING_ARG
+ {
+ OUTYY(("P(server_insecure_lan_zones:%s)\n", $2));
+ if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
+ yyerror("expected yes or no.");
+ else cfg_parser->cfg->insecure_lan_zones =
+ (strcmp($2, "yes")==0);
+ free($2);
+ }
+ ;
server_rrset_cache_size: VAR_RRSET_CACHE_SIZE STRING_ARG
{
OUTYY(("P(server_rrset_cache_size:%s)\n", $2));