| author | Dag-Erling Smørgrav <des@FreeBSD.org> | 2018-05-12 11:55:17 +0000 |
|---|---|---|
| committer | Dag-Erling Smørgrav <des@FreeBSD.org> | 2018-05-12 11:55:17 +0000 |
| commit | a6c5280ea59f940be13fd6eb0f94ab8360d3d6c9 (patch) | |
| tree | cbe088761a83cf2025bbdf36e1574f38c3e988f5 | /doc |
| parent | 8c2647a7dc721c8e5349bd194b8e8e178412057e (diff) | |
Diffstat (limited to 'doc')
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | doc/Changelog | 150 |
| -rw-r--r-- | doc/README | 2 |
| -rw-r--r-- | doc/example.conf.in | 16 |
| -rw-r--r-- | doc/libunbound.3.in | 4 |
| -rw-r--r-- | doc/unbound-anchor.8.in | 2 |
| -rw-r--r-- | doc/unbound-checkconf.8.in | 2 |
| -rw-r--r-- | doc/unbound-control.8.in | 6 |
| -rw-r--r-- | doc/unbound-host.1.in | 2 |
| -rw-r--r-- | doc/unbound.8.in | 10 |
| -rw-r--r-- | doc/unbound.conf.5.in | 82 |
10 files changed, 250 insertions, 26 deletions
diff --git a/doc/Changelog b/doc/Changelog index a72f99606e13..39a3a2b7f4aa 100644 --- a/doc/Changelog +++ b/doc/Changelog 
@@ -1,8 +1,150 @@ -21 Aug 2017: Wouter +13 September 2017: Wouter + - tag 1.6.6rc2 + +12 September 2017: Wouter + - Add dns64 for client-subnet in unbound-checkconf. + +4 September 2017: Ralph + - Fix #1412: QNAME minimisation strict mode not honored + - Fix #1434: Fix windows openssl 1.1.0 linking. + +4 September 2017: Wouter + - tag 1.6.6rc1 + - makedist fix for windows binaries, with openssl 1.1.0 windres fix, + and expat 2.2.4 install target fix. + +1 September 2017: Wouter + - Recommend 1472 buffer size in unbound.conf + +31 August 2017: Wouter + - Fix #1424: cachedb:testframe is not thread safe. + - For #1417: escape ; in dnscrypt tests. + - but reverted that, tests fails with that escape. + - Fix #1417: [dnscrypt] shared secret cache counters, and works when + dnscrypt is not enabled. And cache size configuration option. + - make depend + - Fix #1418: [ip ratelimit] initialize slabhash using + ip-ratelimit-slabs. + +30 August 2017: Wouter + - updated contrib/fastrpz.patch to apply with configparser changes. + - Fix 1416: qname-minimisation breaks TLSA lookups with CNAMEs. + +29 August 2017: Wouter + - Fix #1414: fix segfault on parse failure and log_replies. + - zero qinfo in handle_request, this zeroes local_alias and also the + qname member. + - new keys and certs for dnscrypt tests. + - fixup WKS test on buildhost without servicebyname. + +28 August 2017: Wouter + - Fix #1415: patch to free dnscrypt environment on reload. + - iana portlist update + - Fix #1415: [dnscrypt] shared secret cache, patch from + Manu Bretelle. + - Small fixes for the shared secret cache patch. + - Fix WKS records on kvm autobuild host, with default protobyname + entries for udp and tcp. + +23 August 2017: Wouter + - Fix #1407: Add ECS options check to unbound-checkconf. + - make depend + - Fix to reclaim tcp handler when it is closed due to dnscrypt buffer + allocation failure. 
+ +22 August 2017: Wouter - Fix install of trust anchor when two anchors are present, makes both - valid. Checks hash of DS but not signature of new key. This fixes - installs between sep11 and oct11 2017. - - Tag 1.6.5 + valid. Checks hash of DS but not signature of new key. This fixes + the root.key file if created when unbound is installed between + sep11 and oct11 2017. + - tag 1.6.5 with pointrelease 1.6.5 (1.6.4 plus 5011 fix). + - trunk version 1.6.6 in development. + - Fix issue on macOX 10.10 where TCP fast open is detected but not + implemented causing TCP to fail. The fix allows fallback to regular + TCP in this case and is also more robust for cases where connectx() + fails for some reason. + - Fix #1402: squelch invalid argument error for fd_set_block on windows. + +10 August 2017: Wouter + - Patch to show DNSCrypt status in help output, from Carsten + Strotmann. + +8 August 2017: Wouter + - Fix #1398: make cachedb secret configurable. + - Remove spaces from Makefile. + +7 August 2017: Wouter + - Fix #1397: Recursive DS lookups for AS112 zones names should recurse. + +3 August 2017: Ralph + - Remove unused iter_env member (ip6arpa_dname) + - Do not reset rrset.bogus stats when called using stats_noreset. + - Added stats for queries that have been ratelimited by domain + recursion. + - Do not add rrset_bogus and query ratelimiting stats per thread, these + module stats are global. + +3 August 2017: Wouter + - Fix #1394: mix of serve-expired and response-ip could cause a crash. + +24 July 2017: Wouter + - upgrade aclocal(pkg.m4 0.29.1), config.guess(2016-10-02), + config.sub(2016-09-05). + - annotate case statement fallthrough for gcc 7.1.1. + - flex output from flex 2.6.1. + - snprintf of thread number does not warn about truncated string. + - squelch TCP fast open error on FreeBSD when kernel has it disabled, + unless verbosity is high. + - remove warning from windows compile. 
+ - Fix compile with libnettle + - Fix DSA configure switch (--disable dsa) for libnettle and libnss. + - Fix #1365: Add Ed25519 support using libnettle. + - iana portlist update + +17 July 2017: Wouter + - Fix #1350: make cachedb backend configurable (from JINMEI Tatuya). + - Fix #1349: allow suppression of pidfiles (from Daniel Kahn Gillmor). + With the -p option unbound does not create a pidfile. + +11 July 2017: Wouter + - Fix #1344: RFC6761-reserved domains: test. and invalid. + - Redirect all localhost names to localhost address for RFC6761. + +6 July 2017: Wouter + - Fix tests to use .tdir (from Manu Bretelle) instead of .tpkg. + - Fix svn hooks for tdir (selected if testcode/mini_tdir.sh exists).. + +4 July 2017: Wouter + - Fix 1332: Bump verbosity of failed chown'ing of the control socket. + +3 July 2017: Wouter + - Fix for unbound-checkconf, check ipsecmod-hook if ipsecmod is turned + on. + - Fix #1331: libunbound segfault in threaded mode when context is + deleted. + - Fix pythonmod link line option flag. + - Fix openssl 1.1.0 load of ssl error strings from ssl init. + +29 June 2017: Wouter + - Fix python example0 return module wait instead of error for pass. + - iana portlist update + - enhancement for hardened-tls for DNS over TLS. Removed duplicated + security settings. + +27 June 2017: Wouter + - Tag 1.6.4 is created with the 1.6.4rc2 contents. + - Trunk contains 1.6.5, with changes from 26, 27 june. + - Remove signed unsigned warning from authzone. + - Fix that infra cache host hash does not change after reconfig. + +26 June 2017: Wouter + - (for 1.6.5) + Better fixup of dnscrypt_cert_chacha test for different escapes. + - First fix for zero b64 and hex text zone format in sldns. + - unbound-control dump_infra prints port number for address if not 53. + +23 June 2017: Wouter + - (for 1.6.5): fixup of dnscrypt_cert_chacha test (from Manu Bretelle). 22 June 2017: Wouter - Tag 1.6.4rc2 
diff --git a/doc/README b/doc/README index 6c4b28537703..d0c0bf34f3fb 100644 --- a/doc/README +++ b/doc/README @@ -1,4 +1,4 @@ -README for Unbound 1.6.5 +README for Unbound 1.6.6 Copyright 2007 NLnet Labs http://unbound.net diff --git a/doc/example.conf.in b/doc/example.conf.in index 481f2e0c214b..e7978b79c898 100644 --- a/doc/example.conf.in +++ b/doc/example.conf.in @@ -1,7 +1,7 @@ # # Example configuration file. # -# See unbound.conf(5) man page, version 1.6.5. +# See unbound.conf(5) man page, version 1.6.6. # # this is a comment. @@ -116,7 +116,7 @@ server: # ip-freebind: no # EDNS reassembly buffer to advertise to UDP peers (the actual buffer - # is set with msg-buffer-size). 1480 can solve fragmentation (timeouts). + # is set with msg-buffer-size). 1472 can solve fragmentation (timeouts) # edns-buffer-size: 4096 # Maximum UDP response size (not applied to TCP response). @@ -563,6 +563,8 @@ server: # local-zone: "127.in-addr.arpa." nodefault # local-zone: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." nodefault # local-zone: "onion." nodefault + # local-zone: "test." nodefault + # local-zone: "invalid." nodefault # local-zone: "10.in-addr.arpa." nodefault # local-zone: "16.172.in-addr.arpa." nodefault # local-zone: "17.172.in-addr.arpa." nodefault @@ -838,3 +840,13 @@ remote-control: # dnscrypt-secret-key: /path/unbound-conf/keys2/1.key # dnscrypt-provider-cert: /path/unbound-conf/keys1/1.cert # dnscrypt-provider-cert: /path/unbound-conf/keys2/1.cert + +# CacheDB +# Enable external backend DB as auxiliary cache. Specify the backend name +# (default is "testframe", which has no use other than for debugging and +# testing) and backend-specific options. The 'cachedb' module must be +# included in module-config. +# cachedb: +# backend: "testframe" +# # secret seed string to calculate hashed keys +# secret-seed: "default" diff --git a/doc/libunbound.3.in b/doc/libunbound.3.in index 40f3ba20def5..fbf3cd832af6 100644 
--- a/doc/libunbound.3.in +++ b/doc/libunbound.3.in @@ -1,4 +1,4 @@ -.TH "libunbound" "3" "Aug 21, 2017" "NLnet Labs" "unbound 1.6.5" +.TH "libunbound" "3" "Sep 18, 2017" "NLnet Labs" "unbound 1.6.6" .\" .\" libunbound.3 -- unbound library functions manual .\" @@ -43,7 +43,7 @@ .B ub_ctx_zone_remove, .B ub_ctx_data_add, .B ub_ctx_data_remove -\- Unbound DNS validating resolver 1.6.5 functions. +\- Unbound DNS validating resolver 1.6.6 functions. .SH "SYNOPSIS" .B #include <unbound.h> .LP diff --git a/doc/unbound-anchor.8.in b/doc/unbound-anchor.8.in index 8436c3cd5f5e..a008e0c0e262 100644 --- a/doc/unbound-anchor.8.in +++ b/doc/unbound-anchor.8.in @@ -1,4 +1,4 @@ -.TH "unbound-anchor" "8" "Aug 21, 2017" "NLnet Labs" "unbound 1.6.5" +.TH "unbound-anchor" "8" "Sep 18, 2017" "NLnet Labs" "unbound 1.6.6" .\" .\" unbound-anchor.8 -- unbound anchor maintenance utility manual .\" diff --git a/doc/unbound-checkconf.8.in b/doc/unbound-checkconf.8.in index 9778ebddee16..2e38e76b9979 100644 --- a/doc/unbound-checkconf.8.in +++ b/doc/unbound-checkconf.8.in @@ -1,4 +1,4 @@ -.TH "unbound-checkconf" "8" "Aug 21, 2017" "NLnet Labs" "unbound 1.6.5" +.TH "unbound-checkconf" "8" "Sep 18, 2017" "NLnet Labs" "unbound 1.6.6" .\" .\" unbound-checkconf.8 -- unbound configuration checker manual .\" diff --git a/doc/unbound-control.8.in b/doc/unbound-control.8.in index 5b220d664dd0..66ea690390a0 100644 --- a/doc/unbound-control.8.in +++ b/doc/unbound-control.8.in @@ -1,4 +1,4 @@ -.TH "unbound-control" "8" "Aug 21, 2017" "NLnet Labs" "unbound 1.6.5" +.TH "unbound-control" "8" "Sep 18, 2017" "NLnet Labs" "unbound 1.6.6" .\" .\" unbound-control.8 -- unbound remote control manual .\" 
@@ -493,6 +493,10 @@ number of queries that had an EDNS OPT record present. number of queries that had an EDNS OPT record with the DO (DNSSEC OK) bit set. These queries are also included in the num.query.edns.present number. .TP +.I num.query.ratelimited +The number of queries that are turned away from being send to nameserver due to +ratelimiting. +.TP .I num.answer.rcode.NXDOMAIN The number of answers to queries, from cache or from recursion, that had the return code NXDOMAIN. Also printed for the other return codes. diff --git a/doc/unbound-host.1.in b/doc/unbound-host.1.in index 5a088b606f78..de8f0bdd052c 100644 --- a/doc/unbound-host.1.in +++ b/doc/unbound-host.1.in @@ -1,4 +1,4 @@ -.TH "unbound\-host" "1" "Aug 21, 2017" "NLnet Labs" "unbound 1.6.5" +.TH "unbound\-host" "1" "Sep 18, 2017" "NLnet Labs" "unbound 1.6.6" .\" .\" unbound-host.1 -- unbound DNS lookup utility .\" diff --git a/doc/unbound.8.in b/doc/unbound.8.in index 87f1b6ef0123..24959ba26cec 100644 --- a/doc/unbound.8.in +++ b/doc/unbound.8.in @@ -1,4 +1,4 @@ -.TH "unbound" "8" "Aug 21, 2017" "NLnet Labs" "unbound 1.6.5" +.TH "unbound" "8" "Sep 18, 2017" "NLnet Labs" "unbound 1.6.6" .\" .\" unbound.8 -- unbound manual .\" @@ -9,11 +9,12 @@ .\" .SH "NAME" .B unbound -\- Unbound DNS validating resolver 1.6.5. +\- Unbound DNS validating resolver 1.6.6. .SH "SYNOPSIS" .B unbound .RB [ \-h ] .RB [ \-d ] +.RB [ \-p ] .RB [ \-v ] .RB [ \-c .IR cfgfile ] @@ -67,6 +68,11 @@ the thread\-spawn time, so that most config and setup errors appear on stderr. If given twice or more, logging does not switch to the log file or to syslog, but the log messages are printed to stderr all the time. .TP +.B \-p +Don't use a pidfile. This argument should only be used by supervision +systems which can ensure that only one instance of unbound will run +concurrently. +.TP .B \-v Increase verbosity. If given multiple times, more information is logged. This is in addition to the verbosity (if any) from the config file. 
diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in index 2acf2622c5da..f48ef9214afa 100644 --- a/doc/unbound.conf.5.in +++ b/doc/unbound.conf.5.in @@ -1,4 +1,4 @@ -.TH "unbound.conf" "5" "Aug 21, 2017" "NLnet Labs" "unbound 1.6.5" +.TH "unbound.conf" "5" "Sep 18, 2017" "NLnet Labs" "unbound 1.6.6" .\" .\" unbound.conf.5 -- unbound.conf manual .\" @@ -197,7 +197,7 @@ This is the value put into datagrams over UDP towards peers. The actual buffer size is determined by msg\-buffer\-size (both for TCP and UDP). Do not set higher than that value. Default is 4096 which is RFC recommended. If you have fragmentation reassembly problems, usually seen as timeouts, -then a value of 1480 can fix it. Setting to 512 bypasses even the most +then a value of 1472 can fix it. Setting to 512 bypasses even the most stringent path MTU problems, but is seen as extreme, since the amount of TCP fallback generated is excessive (probably also for this resolver, consider tuning the outgoing tcp number). 
@@ -1048,19 +1048,19 @@ has no other effect than turning off default contents for the given zone. Use \fInodefault\fR if you use exactly that zone, if you want to use a subzone, use \fItransparent\fR. .P -The default zones are localhost, reverse 127.0.0.1 and ::1, the onion and -the AS112 zones. The AS112 zones are reverse DNS zones for private use and -reserved IP addresses for which the servers on the internet cannot provide -correct answers. They are configured by default to give nxdomain (no reverse -information) answers. The defaults can be turned off by specifying your -own local\-zone of that name, or using the 'nodefault' type. Below is a -list of the default zone contents. +The default zones are localhost, reverse 127.0.0.1 and ::1, the onion, test, +invalid and the AS112 zones. The AS112 zones are reverse DNS zones for +private use and reserved IP addresses for which the servers on the internet +cannot provide correct answers. They are configured by default to give +nxdomain (no reverse information) answers. The defaults can be turned off +by specifying your own local\-zone of that name, or using the 'nodefault' +type. Below is a list of the default zone contents. .TP 10 \h'5'\fIlocalhost\fR The IP4 and IP6 localhost information is given. NS and SOA records are provided for completeness and to satisfy some DNS update tools. Default content: .nf -local\-zone: "localhost." static +local\-zone: "localhost." redirect local\-data: "localhost. 10800 IN NS localhost." local\-data: "localhost. 10800 IN SOA localhost. nobody.invalid. 1 3600 1200 604800 10800" 
@@ -1104,6 +1104,24 @@ local\-data: "onion. 10800 IN SOA localhost. nobody.invalid. 1 3600 1200 604800 10800" .fi .TP 10 +\h'5'\fItest (RFC 7686)\fR +Default content: +.nf +local\-zone: "test." static +local\-data: "test. 10800 IN NS localhost." +local\-data: "test. 10800 IN + SOA localhost. nobody.invalid. 1 3600 1200 604800 10800" +.fi +.TP 10 +\h'5'\fIinvalid (RFC 7686)\fR +Default content: +.nf +local\-zone: "invalid." static +local\-data: "invalid. 10800 IN NS localhost." +local\-data: "invalid. 10800 IN + SOA localhost. nobody.invalid. 1 3600 1200 604800 10800" +.fi +.TP 10 \h'5'\fIreverse RFC1918 local use zones\fR Reverse data for zones 10.in\-addr.arpa, 16.172.in\-addr.arpa to 31.172.in\-addr.arpa, 168.192.in\-addr.arpa. @@ -1461,7 +1479,7 @@ despite the presence of actual AAAA records. .LP The .B dnscrypt: -clause give the settings of the dnscrypt channel. While those options are +clause gives the settings of the dnscrypt channel. While those options are available, they are only meaningful if unbound was compiled with \fB\-\-enable\-dnscrypt\fR. Currently certificate and secret/public keys cannot be generated by unbound. 
@@ -1489,6 +1507,17 @@ times. .B dnscrypt\-provider\-cert: \fI<path to cert file>\fR Path to the certificate related to the \fBdnscrypt\-secret\-key\fRs. This option may be specified multiple times. +.TP +.B dnscrypt\-shared\-secret\-cache\-size: \fI<memory size> +Give the size of the data structure in which the shared secret keys are kept +in. Default 4m. In bytes or use m(mega), k(kilo), g(giga). +The shared secret cache is used when a same client is making multiple queries +using the same public key. It saves a substantial amount of CPU. +.TP +.B dnscrypt\-shared\-secret\-cache\-slabs: \fI<number> +Give power of 2 number of slabs, this is used to reduce lock contention +in the dnscrypt shared secrets cache. Close to the number of cpus is +a fairly good setting. .SS "EDNS Client Subnet Module Options" .LP The ECS module must be configured in the \fBmodule\-config:\fR "subnetcache 
@@ -1603,6 +1632,37 @@ A/AAAA query will be SERVFAIL. Mainly used for testing. Defaults to no. Whitelist the domain so that the module logic will be executed. Can be given multiple times, for different domains. If the option is not specified, all domains are treated as being whitelisted (default). +.SS "Cache DB Module Options" +.LP +The Cache DB module must be configured in the \fBmodule\-config:\fR +"validator cachedb iterator" directive and be compiled into the daemon +with \fB\-\-enable\-cachedb\fR. +If this module is enabled and configured, the specified backend database +works as a second level cache: +When Unbound cannot find an answer to a query in its built-in in-memory +cache, it consults the specified backend. +If it finds a valid answer in the backend, Unbound uses it to respond +to the query without performing iterative DNS resolution. +If Unbound cannot even find an answer in the backend, it resolves the +query as usual, and stores the answer in the backend. +The +.B cachedb: +clause gives custom settings of the cache DB module. +.TP +.B backend: \fI<backend name>\fR +Specify the backend database name. +Currently, only the in-memory "testframe" backend is supported. +As the name suggests this backend is not of any practical use. +This option defaults to "testframe". +.TP +.B secret-seed: \fI<"secret string">\fR +Specify a seed to calculate a hash value from query information. +This value will be used as the key of the corresponding answer for the +backend database and can be customized if the hash should not be predictable +operationally. +If the backend database is shared by multiple Unbound instances, +all instances must use the same secret seed. +This option defaults to "default". .SH "MEMORY CONTROL EXAMPLE" In the example config settings below memory usage is reduced. Some service levels are lower, notable very large data and a high TCP load are no longer |
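Review bot: typo in the doc/Changelog hunk, 22 August 2017 entry: "macOX 10.10" should read "macOS 10.10". In the same hunk the entries "Fix 1416: qname-minimisation breaks TLSA lookups with CNAMEs." and "Fix 1332: Bump verbosity of failed chown'ing of the control socket." omit the "#" that every other issue reference in the file carries; suggest "Fix #1416" and "Fix #1332" for consistency.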
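Review bot: the edns-buffer-size hunk in doc/example.conf.in drops the sentence-ending period when changing 1480 to 1472, leaving the comment as "1472 can solve fragmentation (timeouts)" followed directly by the next comment line; restore it as "1472 can solve fragmentation (timeouts)." so the two comment sentences stay separate.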
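Review bot: the new CacheDB block at the end of doc/example.conf.in shows `secret-seed: "default"` without saying that this is the built-in default and therefore a value anyone can guess; a one-line comment telling operators to pick their own seed when the backend is shared between instances would match the unbound.conf.5.in text in this patch, which already says the hash can be customized if it should not be predictable. Also, the header reads "CacheDB" here but the new man page section is titled "Cache DB"; pick one spelling.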
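Review bot: grammar in the num.query.ratelimited hunk of doc/unbound-control.8.in: "turned away from being send to nameserver due to ratelimiting" should read "turned away from being sent to a nameserver due to ratelimiting". The 3 August 2017 Changelog entry in this same patch states that the ratelimiting stats are global rather than per thread; saying so in this description would stop operators from summing it across the per-thread output.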
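Review bot: the localhost hunk in doc/unbound.conf.5.in changes the default zone type from "static" to "redirect", which per the 11 July 2017 Changelog entry in this patch ("Redirect all localhost names to localhost address for RFC6761") means every name under localhost. now answers with the localhost data rather than only localhost. itself, yet the descriptive sentence above the example ("The IP4 and IP6 localhost information is given.") is unchanged; suggest stating that subdomains of localhost. are redirected to the same addresses, since that is the user-visible behaviour change an administrator who relied on the old static answers would need to know about.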
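Review bot: wrong RFC reference in the test/invalid hunk of doc/unbound.conf.5.in: both new headings cite "(RFC 7686)", which is the .onion registration already used for the onion zone in the context above, whereas the Changelog entry in this patch (11 July 2017, "Fix #1344: RFC6761-reserved domains: test. and invalid.") attributes these zones to RFC 6761; change both headings to "(RFC 6761)". Minor: the SOA local-data line for each of the two zones is split across two lines inside the .nf block, unlike the onion SOA line in the context above, which is kept on one line.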
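Review bot: wording in the dnscrypt-shared-secret-cache-size hunk of doc/unbound.conf.5.in: "the data structure in which the shared secret keys are kept in" doubles the preposition; "the data structure in which the shared secret keys are kept" suffices. Both new option headers in this hunk open italics with "\fI<memory size>" and "\fI<number>" but omit the closing "\fR" that the preceding dnscrypt-provider-cert entry ("\fI<path to cert file>\fR") and the rest of the file use; add it for consistency.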
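Review bot: the secret-seed description in the new Cache DB Module Options hunk says the seed "can be customized if the hash should not be predictable operationally" but leaves the consequence implicit: the hash is the key under which answers are stored in a backend that, as the next sentence says, may be shared by multiple Unbound instances, so the text should recommend plainly that deployments set a value other than "default" and keep it with the other secrets in unbound.conf. It would also help to say in the same paragraph that "testframe" is the only backend shipped, so readers do not go looking for others in the option list.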