author    Dag-Erling Smørgrav <des@FreeBSD.org>  2018-05-12 11:49:30 +0000
committer Dag-Erling Smørgrav <des@FreeBSD.org>  2018-05-12 11:49:30 +0000
commit    fbdb9ac866a647da0919b224f05cca039afc02fa (patch)
tree      a4ddb15b51a795c9f985e693a04d992a94f4f455 /doc
parent    31f8d531e1359c7acd82cff9ab798cdeac277adc (diff)
Diffstat (limited to 'doc')
-rw-r--r--  doc/Changelog               98
-rw-r--r--  doc/README                   2
-rw-r--r--  doc/example.conf.in         24
-rw-r--r--  doc/libunbound.3.in          8
-rw-r--r--  doc/unbound-anchor.8.in      2
-rw-r--r--  doc/unbound-checkconf.8.in   2
-rw-r--r--  doc/unbound-control.8.in    16
-rw-r--r--  doc/unbound-host.1.in        2
-rw-r--r--  doc/unbound.8.in             4
-rw-r--r--  doc/unbound.conf.5.in       52
10 files changed, 194 insertions, 16 deletions
diff --git a/doc/Changelog b/doc/Changelog
index 57a13c8c537d..31c9e4627521 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,5 +1,103 @@
+14 February 2017: Wouter
+ - tag 1.6.1rc3.
+
+13 February 2017: Wouter
+ - Fix autoconf of systemd check for lack of pkg-config.
+
+10 February 2017: Wouter
+ - Fix pythonmod for typedef changes.
+ - Fix dnstap for warning of set but not used.
+ - tag 1.6.1rc2.
+
+9 February 2017: Wouter
+ - tag 1.6.1rc1.
+
+8 February 2017: Wouter
+ - Fix for type name change and fix warning on windows compile.
+
+7 February 2017: Wouter
+ - Include root trust anchor id 20326 in unbound-anchor.
+
+6 February 2017: Wouter
+ - Fix compile on solaris of the fix to use $host detect.
+
+4 February 2017: Wouter
+ - fix root_anchor test for updated icannbundle.pem lower certificates.
+
+26 January 2017: Wouter
+ - Fix 1211: Fix can't enable interface-automatic if no IPv6 with
+ more helpful error message.
+
+20 January 2017: Wouter
+ - Increase MAX_MODULE to 16.
+
+19 January 2017: Wouter
+ - Fix to Rename ub_callback_t to ub_callback_type, because POSIX
+ reserves _t typedefs.
+ - Fix to rename internally used types from _t to _type, because _t
+ type names are reserved by POSIX.
+ - iana portlist update
+
+12 January 2017: Wouter
+ - Fix to also block meta types 128 through to 248 with formerr.
+ - Fix #1206: Some view-related commands are missing from 'unbound-control -h'
+
+9 January 2017: Wouter
+ - Fix #1202: Fix code comment that packed_rrset_data is not always
+ 'packed'.
+
+6 January 2017: Wouter
+ - Fix #1201: Fix missing unlock in answer_from_cache error condition.
+
+5 January 2017: Wouter
+ - Fix to return formerr for queries for meta-types, to avoid
+ packet amplification if this meta-type is sent on to upstream.
+ - Fix #1184: Log DNS replies. This includes the same logging
+ information that DNS queries and response code and response size,
+ patch from Larissa Feng.
+ - Fix #1185: Source IP rate limiting, patch from Larissa Feng.
+
+3 January 2017: Wouter
+ - configure --enable-systemd and lets unbound use systemd sockets if
+ you enable use-systemd: yes in unbound.conf.
+ Also there are contrib/unbound.socket and contrib/unbound.service:
+ systemd files for unbound, install them in /usr/lib/systemd/system.
+ Contributed by Sami Kerola and Pavel Odintsov.
+ - Fix reload chdir failure when also chrooted to that directory.
+
+2 January 2017: Wouter
+ - Fix #1194: Cross build fails when $host isn't `uname` for getentropy.
+
+23 December 2016: Ralph
+ - Fix #1190: Do not echo back EDNS options in local-zone error response.
+ - iana portlist update
+
+21 December 2016: Ralph
+ - Fix #1188: Unresolved symbol 'fake_dsa' in libunbound.so when built
+ with Nettle
+
+19 December 2016: Ralph
+ - Fix #1191: remove comment about view deletion.
+
+15 December 2016: Wouter
+ - iana portlist update
+ - 64bit is default for windows builds.
+ - Fix inet_ntop and inet_pton warnings in windows compile.
+
+14 December 2016: Wouter
+ - Fix #1178: attempt to fix setup error at end, pop result values
+ at end of install.
+
+13 December 2016: Wouter
+ - Fix #1182: Fix Resource leak (socket), at startup.
+ - Fix unbound-control and ipv6 only.
+
+9 December 2016: Wouter
+ - Fix #1176: stack size too small for Alpine Linux.
+
8 December 2016: Wouter
- Fix downcast warnings from visual studio in sldns code.
+ - tag 1.6.0rc1 which became 1.6.0 on 15 dec, and trunk is 1.6.1.
7 December 2016: Ralph
- Add DSA support for OpenSSL 1.1.0
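Review bot: this import carries no commit message on the page, and the Changelog hunk is the only place that says what the update is; the log entry should state that this is the Unbound 1.6.1 documentation update and call out the operator-visible items listed in this hunk, namely the root trust anchor id 20326 now included in unbound-anchor (7 February 2017), the new source IP rate limiting (Fix #1185), the FORMERR answer for meta-type queries added to avoid packet amplification (5 January 2017), and the public rename of ub_callback_t to ub_callback_type (19 January 2017), so that readers of the vendor-branch history do not have to open the Changelog to find them.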
diff --git a/doc/README b/doc/README
index 661adcbdf236..acffafacc7d5 100644
--- a/doc/README
+++ b/doc/README
@@ -1,4 +1,4 @@
-README for Unbound 1.6.0
+README for Unbound 1.6.1
Copyright 2007 NLnet Labs
http://unbound.net
diff --git a/doc/example.conf.in b/doc/example.conf.in
index 55bbc32e616f..83e7c5c4c4e9 100644
--- a/doc/example.conf.in
+++ b/doc/example.conf.in
@@ -1,7 +1,7 @@
#
# Example configuration file.
#
-# See unbound.conf(5) man page, version 1.6.0.
+# See unbound.conf(5) man page, version 1.6.1.
#
# this is a comment.
@@ -200,7 +200,11 @@ server:
# Default is 0, system default MSS.
# outgoing-tcp-mss: 0
+ # Use systemd socket activation for UDP, TCP, and control sockets.
+ # use-systemd: no
+
# Detach from the terminal, run in background, "yes" or "no".
+ # Set the value to "no" when unbound runs as systemd service.
# do-daemonize: yes
# control which clients are allowed to make (recursive) queries
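Review bot: the new comment above `# use-systemd: no` does not say that the option only has effect in a build configured with --enable-systemd, which the 3 January 2017 Changelog entry in this commit states; an operator who enables it on a build without systemd support gets no hint from the example file. Suggest extending the comment to something like `# Use systemd socket activation for UDP, TCP, and control sockets (requires a build with --enable-systemd).` The added `# Set the value to "no" when unbound runs as systemd service.` line under do-daemonize is helpful and matches the unbound.conf(5) hunk below.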
@@ -288,6 +292,10 @@ server:
# print one line with time, IP, name, type, class for every query.
# log-queries: no
+ # print one line per reply, with time, IP, name, type, class, rcode,
+ # timetoresolve, fromcache and responsesize.
+ # log-replies: no
+
# the pid file. Can be an absolute path outside of chroot/work dir.
# pidfile: "@UNBOUND_PIDFILE@"
@@ -666,6 +674,20 @@ server:
# can give this multiple times, the name closest to the zone is used.
# ratelimit-below-domain: com 1000
+ # global query ratelimit for all ip addresses.
+ # feature is experimental.
+ # if 0(default) it is disabled, otherwise states qps allowed per ip address
+ # ip-ratelimit: 0
+
+ # ip ratelimits are tracked in a cache, size in bytes of cache (or k,m).
+ # ip-ratelimit-size: 4m
+ # ip ratelimit cache slabs, reduces lock contention if equal to cpucount.
+ # ip-ratelimit-slabs: 4
+
+ # 0 blocks when ip is ratelimited, otherwise let 1/xth traffic through
+ # ip-ratelimit-factor: 10
+
+
# Python config section. To enable:
# o use --with-pythonmodule to configure before compiling.
# o list python in the module-config string (above) to enable.
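Review bot: the comment for `# ip-ratelimit-slabs: 4` says only "reduces lock contention if equal to cpucount", while the unbound.conf(5) hunk in this commit says the value is a power of 2 number of slabs; the example comment should carry that constraint too (for instance `# ip ratelimit cache slabs, power of 2; close to cpucount reduces lock contention.`), since a reader who copies a cpucount such as 6 or 12 from this comment is not following the man page. Minor style point: the two consecutive blank lines before the Python config section can be collapsed to one, matching the rest of the file.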
diff --git a/doc/libunbound.3.in b/doc/libunbound.3.in
index 37d63a5d2452..5be1d9019f57 100644
--- a/doc/libunbound.3.in
+++ b/doc/libunbound.3.in
@@ -1,4 +1,4 @@
-.TH "libunbound" "3" "Dec 15, 2016" "NLnet Labs" "unbound 1.6.0"
+.TH "libunbound" "3" "Feb 21, 2017" "NLnet Labs" "unbound 1.6.1"
.\"
.\" libunbound.3 -- unbound library functions manual
.\"
@@ -12,7 +12,7 @@
.B unbound.h,
.B ub_ctx,
.B ub_result,
-.B ub_callback_t,
+.B ub_callback_type,
.B ub_ctx_create,
.B ub_ctx_delete,
.B ub_ctx_set_option,
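Review bot: `ub_callback_t` is replaced by `ub_callback_type` in the NAME list of a public library manual, which is a source-visible change for callers of ub_resolve_async that spell out the callback type; nothing in this hunk, nor in the @@ -120 hunk that updates the ub_resolve_async synopsis, says whether the old name remains available for compatibility. The Changelog gives the reason (POSIX reserves _t typedefs); the manual should add one sentence on the compatibility status of the old name so that downstream consumers in the tree can be checked against it.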
@@ -43,7 +43,7 @@
.B ub_ctx_zone_remove,
.B ub_ctx_data_add,
.B ub_ctx_data_remove
-\- Unbound DNS validating resolver 1.6.0 functions.
+\- Unbound DNS validating resolver 1.6.1 functions.
.SH "SYNOPSIS"
.B #include <unbound.h>
.LP
@@ -120,7 +120,7 @@
.br
\fIint\fR rrtype, \fIint\fR rrclass, \fIvoid*\fR mydata,
.br
- \fIub_callback_t\fR callback, \fIint*\fR async_id);
+ \fIub_callback_type\fR callback, \fIint*\fR async_id);
.LP
\fIint\fR
\fBub_cancel\fR(\fIstruct ub_ctx*\fR ctx, \fIint\fR async_id);
diff --git a/doc/unbound-anchor.8.in b/doc/unbound-anchor.8.in
index 31a48c26e1e5..06b0f5c89764 100644
--- a/doc/unbound-anchor.8.in
+++ b/doc/unbound-anchor.8.in
@@ -1,4 +1,4 @@
-.TH "unbound-anchor" "8" "Dec 15, 2016" "NLnet Labs" "unbound 1.6.0"
+.TH "unbound-anchor" "8" "Feb 21, 2017" "NLnet Labs" "unbound 1.6.1"
.\"
.\" unbound-anchor.8 -- unbound anchor maintenance utility manual
.\"
diff --git a/doc/unbound-checkconf.8.in b/doc/unbound-checkconf.8.in
index d9a5b03aea1a..ea1cf4eb89cf 100644
--- a/doc/unbound-checkconf.8.in
+++ b/doc/unbound-checkconf.8.in
@@ -1,4 +1,4 @@
-.TH "unbound-checkconf" "8" "Dec 15, 2016" "NLnet Labs" "unbound 1.6.0"
+.TH "unbound-checkconf" "8" "Feb 21, 2017" "NLnet Labs" "unbound 1.6.1"
.\"
.\" unbound-checkconf.8 -- unbound configuration checker manual
.\"
diff --git a/doc/unbound-control.8.in b/doc/unbound-control.8.in
index aa801c4bda71..af574d249f7b 100644
--- a/doc/unbound-control.8.in
+++ b/doc/unbound-control.8.in
@@ -1,4 +1,4 @@
-.TH "unbound-control" "8" "Dec 15, 2016" "NLnet Labs" "unbound 1.6.0"
+.TH "unbound-control" "8" "Feb 21, 2017" "NLnet Labs" "unbound 1.6.1"
.\"
.\" unbound-control.8 -- unbound remote control manual
.\"
@@ -194,7 +194,7 @@ harden\-referral\-path, prefetch, prefetch\-key, log\-queries,
hide\-identity, hide\-version, identity, version, val\-log\-level,
val\-log\-squelch, ignore\-cd\-flag, add\-holddown, del\-holddown,
keep\-missing, tcp\-upstream, ssl\-upstream, max\-udp\-size, ratelimit,
-cache\-max\-ttl, cache\-min\-ttl, cache\-max\-negative\-ttl.
+ip\-ratelimit, cache\-max\-ttl, cache\-min\-ttl, cache\-max\-negative\-ttl.
.TP
.B get_option \fIopt
Get the value of the option. Give the option name without a trailing ':'.
@@ -280,6 +280,12 @@ just the ratelimited domains, with their estimated qps. The ratelimited
domains return an error for uncached (new) queries, but cached queries work
as normal.
.TP
+.B ip_ratelimit_list \fR[\fI+a\fR]
+List the ip addresses that are ratelimited. Printed one per line with current
+estimated qps and qps limit from config. With +a it prints all ips, not
+just the ratelimited ips, with their estimated qps. The ratelimited
+ips are dropped before checking the cache.
+.TP
.B view_list_local_zones \fIview\fR
\fIlist_local_zones\fR for given view.
.TP
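Review bot: the sentence "The ratelimited ips are dropped before checking the cache." in the new ip_ratelimit_list entry does not match the ip-ratelimit-factor description in the unbound.conf(5) hunk of this commit, where by default 1 in 10 queries from an address over its limit is still allowed through to complete; as written an operator reading this entry would expect every query from a listed address to be dropped. Suggest "Queries from the ratelimited ips are dropped (subject to ip\-ratelimit\-factor) before the cache is checked."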
@@ -289,6 +295,9 @@ as normal.
.B view_local_zone_remove \fIview\fR \fIname
\fIlocal_zone_remove\fR for given view.
.TP
+.B view_list_local_data \fIview\fR
+\fIlist_local_data\fR for given view.
+.TP
.B view_local_data \fIview\fR \fIRR data...
\fIlocal_data\fR for given view.
.TP
@@ -319,6 +328,9 @@ The \fIstats\fR command shows a number of statistic counters.
.I threadX.num.queries
number of queries received by thread
.TP
+.I threadX.num.queries_ip_ratelimited
+number of queries rate limited by thread
+.TP
.I threadX.num.cachehits
number of queries that were successfully answered using a cache lookup
.TP
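Review bot: "number of queries rate limited by thread" for the new `threadX.num.queries_ip_ratelimited` counter is ambiguous given ip-ratelimit-factor: it should say whether the counter counts only the queries that were actually dropped or every query from an address that is over its limit, including the 1-in-factor fraction let through. Operators who alert on this counter from `unbound-control stats` need to know which, and the existing entries around it (num.queries, num.cachehits) each state exactly what is counted.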
diff --git a/doc/unbound-host.1.in b/doc/unbound-host.1.in
index b7fe345cbe27..eba19e07eb21 100644
--- a/doc/unbound-host.1.in
+++ b/doc/unbound-host.1.in
@@ -1,4 +1,4 @@
-.TH "unbound\-host" "1" "Dec 15, 2016" "NLnet Labs" "unbound 1.6.0"
+.TH "unbound\-host" "1" "Feb 21, 2017" "NLnet Labs" "unbound 1.6.1"
.\"
.\" unbound-host.1 -- unbound DNS lookup utility
.\"
diff --git a/doc/unbound.8.in b/doc/unbound.8.in
index af2ac111b73e..52cd85341e8d 100644
--- a/doc/unbound.8.in
+++ b/doc/unbound.8.in
@@ -1,4 +1,4 @@
-.TH "unbound" "8" "Dec 15, 2016" "NLnet Labs" "unbound 1.6.0"
+.TH "unbound" "8" "Feb 21, 2017" "NLnet Labs" "unbound 1.6.1"
.\"
.\" unbound.8 -- unbound manual
.\"
@@ -9,7 +9,7 @@
.\"
.SH "NAME"
.B unbound
-\- Unbound DNS validating resolver 1.6.0.
+\- Unbound DNS validating resolver 1.6.1.
.SH "SYNOPSIS"
.B unbound
.RB [ \-h ]
diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in
index 39ce95c57993..45248ac58c4f 100644
--- a/doc/unbound.conf.5.in
+++ b/doc/unbound.conf.5.in
@@ -1,4 +1,4 @@
-.TH "unbound.conf" "5" "Dec 15, 2016" "NLnet Labs" "unbound 1.6.0"
+.TH "unbound.conf" "5" "Feb 21, 2017" "NLnet Labs" "unbound 1.6.1"
.\"
.\" unbound.conf.5 -- unbound.conf manual
.\"
@@ -413,9 +413,14 @@ turned off.
The port number on which to provide TCP SSL service, default 853, only
interfaces configured with that port number as @number get the SSL service.
.TP
+.B use\-systemd: \fI<yes or no>
+Enable or disable systemd socket activation.
+Default is no.
+.TP
.B do\-daemonize: \fI<yes or no>
Enable or disable whether the unbound server forks into the background as
-a daemon. Default is yes.
+a daemon. Set the value to \fIno\fR when unbound runs as systemd service.
+Default is yes.
.TP
.B access\-control: \fI<IP netblock> <action>
The netblock is given as an IP4 or IP6 address with /size appended for a
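Review bot: the new `use\-systemd` entry says only "Enable or disable systemd socket activation. Default is no.", which is thinner than the other entries in this section and thinner than the example.conf.in hunk in the same commit, which names the sockets covered (UDP, TCP and control); the Changelog also says the build must be configured with --enable-systemd. Suggest: "Enable or disable systemd socket activation for the UDP, TCP and remote\-control sockets. Requires a build configured with \-\-enable\-systemd. Default is no." The do\-daemonize addition is consistent with the example file and can stay as is.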
@@ -552,6 +557,13 @@ name, type and class. Default is no. Note that it takes time to print these
lines which makes the server (significantly) slower. Odd (nonprintable)
characters in names are printed as '?'.
.TP
+.B log\-replies: \fI<yes or no>
+Prints one line per reply to the log, with the log timestamp and IP address,
+name, type, class, return code, time to resolve, from cache and response size.
+Default is no. Note that it takes time to print these
+lines which makes the server (significantly) slower. Odd (nonprintable)
+characters in names are printed as '?'.
+.TP
.B pidfile: \fI<filename>
The process id is written to the file. Default is "@UNBOUND_PIDFILE@".
So,
@@ -1193,6 +1205,34 @@ in different parts of the namespace. The closest matching suffix is used
to determine the qps limit. The rate for the exact matching domain name
is not changed, use ratelimit\-for\-domain to set that, you might want
to use different settings for a top\-level\-domain and subdomains.
+.TP 5
+.B ip\-ratelimit: \fI<number or 0>
+Enable global ratelimiting of queries accepted per ip address.
+If 0, the default, it is disabled. This option is experimental at this time.
+The ratelimit is in queries per second that are allowed. More queries are
+completely dropped and will not receive a reply, SERVFAIL or otherwise.
+IP ratelimiting happens before looking in the cache. This may be useful for
+mitigating amplification attacks.
+.TP 5
+.B ip\-ratelimit\-size: \fI<memory size>
+Give the size of the data structure in which the current ongoing rates are
+kept track in. Default 4m. In bytes or use m(mega), k(kilo), g(giga).
+The ip ratelimit structure is small, so this data structure likely does
+not need to be large.
+.TP 5
+.B ip\-ratelimit\-slabs: \fI<number>
+Give power of 2 number of slabs, this is used to reduce lock contention
+in the ip ratelimit tracking data structure. Close to the number of cpus is
+a fairly good setting.
+.TP 5
+.B ip\-ratelimit\-factor: \fI<number>
+Set the amount of queries to rate limit when the limit is exceeded.
+If set to 0, all queries are dropped for addresses where the limit is
+exceeded. If set to another value, 1 in that number is allowed through
+to complete. Default is 10, allowing 1/10 traffic to flow normally.
+This can make ordinary queries complete (if repeatedly queried for),
+and enter the cache, whilst also mitigating the traffic flow by the
+factor given.
.SS "Remote Control Options"
In the
.B remote\-control:
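Review bot: the `ip\-ratelimit` entry states that queries over the limit "are completely dropped and will not receive a reply, SERVFAIL or otherwise", but the `ip\-ratelimit\-factor` entry four paragraphs later says that with the default of 10, 1 in 10 such queries is allowed through to complete; the first entry should refer to ip\-ratelimit\-factor so that the "completely dropped" reading is understood to apply only when the factor is 0. Two smaller points in the same hunk: `ip\-ratelimit\-slabs` gives no default, whereas every other new entry here does and the example.conf.in hunk shows 4, so "Default 4." should be added; and "Give power of 2 number of slabs" reads better as "Give the number of slabs, which must be a power of 2".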
@@ -1376,9 +1416,15 @@ acts like the iterator and validator modules do, on queries and answers.
To enable the script module it has to be compiled into the daemon,
and the word "python" has to be put in the \fBmodule\-config:\fR option
(usually first, or between the validator and iterator).
+.LP
+If the \fBchroot:\fR option is enabled, you should make sure Python's
+library directory structure is bind mounted in the new root environment, see
+\fImount\fR(8). Also the \fBpython\-script:\fR path should be specified as an
+absolute path relative to the new root, or as a relative path to the working
+directory.
.TP
.B python\-script: \fI<python file>\fR
-The script file to load.
+The script file to load.
.SS "DNS64 Module Options"
.LP
The dns64 module must be configured in the \fBmodule\-config:\fR "dns64
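Review bot: the last pair of lines in this hunk (`-The script file to load.` / `+The script file to load.`) are textually identical, so the change is whitespace only; if it removes trailing whitespace that is fine, otherwise it is noise in a vendor import and worth a look. In the new chroot paragraph, "specified as an absolute path relative to the new root" is self-contradictory as phrased; suggest "specified as a path that is absolute inside the new root, or as a path relative to the working directory", which is what the surrounding sentence about bind mounting the Python library directory implies.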