vendor/unbound/1.17.0

10 files changed, 236 insertions, 20 deletions

diff --git a/doc/Changelog b/doc/Changelog
index 78f6c7afcb27..727d1543ea4e 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,9 +1,116 @@
+11 October 2022: George
+	- Fix PROXYv2 header read for TCP connections when no proxied addresses
+	  are provided.
+
+7 October 2022: George
+	- Fix to stop possible loops in the tcp reuse code (write_wait list
+	  and tcp_wait list). Based on analysis and patch from Prad Seniappan
+	  and Karthik Umashankar.
+	- Fix unit test to properly test the reuse_write_wait_pop function.
+
+6 October 2022: Wouter
+	- Fix to stop responses with TC flag from resulting in partial
+	  responses. It retries to fetch the data elsewhere, or fails the
+	  query and in depth fix removes the TC flag from the cached item.
+	- Fix proxy length debug output printout typecasts.
+
+5 October 2022: Wouter
+	- Fix dnscrypt compile for proxy protocol code changes.
+
+5 October 2022: George
+	- Use DEBUG_TDIR from environment in mini_tdir.sh for debugging.
+	- Fix string comparison in mini_tdir.sh.
+	- Make ede.tdir test more predictable by using static data.
+	- Fix checkconf test for dnscrypt and proxy port.
+
+4 October 2022: George
+	- Merge #764: Leniency for target discovery when under load (for
+	  NRDelegation changes).
+
+4 October 2022: Wouter
+	- Fix static analysis report to remove dead code from the
+	  rpz_callback_from_iterator_module function.
+	- Fix to clean up after the acl_interface unit test.
+
+3 October 2022: George
+	- Merge #760: PROXYv2 downstream support. (New proxy-protocol-port
+	  configuration option).
+
+3 October 2022: Wouter
+	- Fix to remove erroneous TC flag from TCP upstream.
+	- Fix test tdir skip report printout.
+	- Fix windows compile, the identifier interface is defined in headers.
+	- Fix to close errno block in comm_point_tcp_handle_read outside of
+	  ifdef.
+
+26 September 2022: George
+	- Better output for skipped tdir tests.
+
 21 September 2022: Wouter
 	- Patch for CVE-2022-3204 Non-Responsive Delegation Attack.
+	- This patch was released in 1.16.3, the code repository continues
+	  with the previous features and fixes for 1.17.0.
+	- Fix doxygen warning in respip.h.
+
+20 September 2022: George
+	- Convert tdir tests to use the new skip_test functionality.
+	- Remove unused testcode/mini_tpkg.sh file.
+
+16 September 2022: George
+	- Merge #753: ACL per interface. (New interface-* configuration
+	  options).
+
+2 September 2022: Wouter
+	- Remove include that was there for debug purposes.
+	- Fix to check pthread_t size after pthread has been detected.
+
+1 September 2022: Wouter
+	- Fix to update config tests to fix checking if nonblocking sockets
+	  work on OpenBSD.
+	- Slow down log frequency of write wait failures.
+	- Fix to set out of file descriptor warning to operational verbosity.
+	- Fix to log a verbose message at operational notice level if a
+	  thread is not responding, to stats requests. It is logged with
+	  thread identifiers.
+
+31 August 2022: Wouter
+	- Fix to avoid process wide fcntl calls mixed with nonblocking
+	  operations after a blocked write.
+	- Patch from Vadim Fedorenko that adds MSG_DONTWAIT to receive
+	  operations, so that instruction reordering does not cause mistakenly
+	  blocking socket operations.
+	- Fix to wait for blocked write on UDP sockets, with a timeout if it
+	  takes too long the packet is dropped.
+	- Fix for wait for udp send to stop when packet is successfully sent.
+
+22 August 2022: Wouter
+	- Fix #741: systemd socket activation fails on IPv6.
+
+12 August 2022: Wouter
+	- Fix to log accept error ENFILE and EMFILE errno, but slowly, once
+	  per 10 seconds. Also log accept failures when no slow down is used.
+
+5 August 2022: Wouter
+	- Fix #734 [FR] enable unbound-checkconf to detect more (basic)
+	  errors.
+
+4 August 2022: Wouter
+	- Fix ratelimit inconsistency, for ip-ratelimits the value is the
+	  amount allowed, like for ratelimits.
+
+2 August 2022: Wouter
+	- Fix edns subnet so that scope 0 answers only match sourcemask 0
+	  queries for answers from cache if from a query with sourcemask 0.
+	- Fix unittest for edns subnet change.
+	- Merge #730 from luisdallos: Fix startup failure on Windows 8.1 due
+	  to unsupported IPV6_USER_MTU socket option being set.
 
 1 August 2022: Wouter
 	- Fix the novel ghost domain issues CVE-2022-30698 and CVE-2022-30699.
 	- Tests for ghost domain fixes.
+	- Tag for 1.16.2 release. The code repo continues with 1.16.3.
+	- Fix #728: alloc_reg_obtain() core dump. Stop double
+	  alloc_reg_release when serviced_create fails.
 
 19 July 2022: George
 	- Update documentation for 'outbound-msg-retry:'.
diff --git a/doc/README b/doc/README
index 92a6e88f6624..88444a5e3c99 100644
--- a/doc/README
+++ b/doc/README
@@ -1,4 +1,4 @@
-README for Unbound 1.16.3
+README for Unbound 1.17.0
 Copyright 2007 NLnet Labs
 http://unbound.net
 
diff --git a/doc/example.conf.in b/doc/example.conf.in
index 601165f753b7..df0b2a1fb2c0 100644
--- a/doc/example.conf.in
+++ b/doc/example.conf.in
@@ -1,7 +1,7 @@
 #
 # Example configuration file.
 #
-# See unbound.conf(5) man page, version 1.16.3.
+# See unbound.conf(5) man page, version 1.17.0.
 #
 # this is a comment.
 
@@ -17,7 +17,7 @@ server:
 	# whitespace is not necessary, but looks cleaner.
 
 	# verbosity number, 0 is least verbose. 1 is default.
-	verbosity: 1
+	# verbosity: 1
 
 	# print statistics to the log (for every thread) every N seconds.
 	# Set to "" or 0 to disable. Default is disabled.
@@ -50,6 +50,7 @@ server:
 	# interface: 192.0.2.154
 	# interface: 192.0.2.154@5003
 	# interface: 2001:DB8::5
+	# interface: eth0@5003
 
 	# enable this feature to copy the source address of queries to reply.
 	# Socket options are not supported on all platforms. experimental.
@@ -217,7 +218,8 @@ server:
 	# the maximum number of hosts that are cached (roundtrip, EDNS, lame).
 	# infra-cache-numhosts: 10000
 
-	# define a number of tags here, use with local-zone, access-control.
+	# define a number of tags here, use with local-zone, access-control,
+	# interface-*.
 	# repeat the define-tag statement to add additional tags.
 	# define-tag: "tag1 tag2 tag3"
 
@@ -273,9 +275,7 @@ server:
 	# allow_snoop (recursive and nonrecursive ok)
 	# deny_non_local (drop queries unless can be answered from local-data)
 	# refuse_non_local (like deny_non_local but polite error reply).
-	# access-control: 0.0.0.0/0 refuse
 	# access-control: 127.0.0.0/8 allow
-	# access-control: ::0/0 refuse
 	# access-control: ::1 allow
 	# access-control: ::ffff:127.0.0.1 allow
 
@@ -284,7 +284,7 @@ server:
 	# are tagged with one of these tags.
 	# access-control-tag: 192.0.2.0/24 "tag2 tag3"
 
-	# set action for particular tag for given access control element
+	# set action for particular tag for given access control element.
 	# if you have multiple tag values, the tag used to lookup the action
 	# is the first tag match between access-control-tag and local-zone-tag
 	# where "first" comes from the order of the define-tag values.
@@ -296,6 +296,58 @@ server:
 	# Set view for access control element
 	# access-control-view: 192.0.2.0/24 viewname
 
+	# Similar to 'access-control:' but for interfaces.
+	# Control which listening interfaces are allowed to accept (recursive)
+	# queries for this server.
+	# The specified interfaces should be the same as the ones specified in
+	# 'interface:' followed by the action.
+	# The actions are the same as 'access-control:' above.
+	# By default all the interfaces configured are refused.
+	# Note: any 'access-control*:' setting overrides all 'interface-*:'
+	# settings for targeted clients.
+	# interface-action: 192.0.2.153 allow
+	# interface-action: 192.0.2.154 allow
+	# interface-action: 192.0.2.154@5003 allow
+	# interface-action: 2001:DB8::5 allow
+	# interface-action: eth0@5003 allow
+
+	# Similar to 'access-control-tag:' but for interfaces.
+	# Tag interfaces with a list of tags (in "" with spaces between).
+	# Interfaces using these tags use localzones that are tagged with one
+	# of these tags.
+	# The specified interfaces should be the same as the ones specified in
+	# 'interface:' followed by the list of tags.
+	# Note: any 'access-control*:' setting overrides all 'interface-*:'
+	# settings for targeted clients.
+	# interface-tag: eth0@5003 "tag2 tag3"
+
+	# Similar to 'access-control-tag-action:' but for interfaces.
+	# Set action for particular tag for a given interface element.
+	# If you have multiple tag values, the tag used to lookup the action
+	# is the first tag match between interface-tag and local-zone-tag
+	# where "first" comes from the order of the define-tag values.
+	# The specified interfaces should be the same as the ones specified in
+	# 'interface:' followed by the tag and action.
+	# Note: any 'access-control*:' setting overrides all 'interface-*:'
+	# settings for targeted clients.
+	# interface-tag-action: eth0@5003 tag3 refuse
+
+	# Similar to 'access-control-tag-data:' but for interfaces.
+	# Set redirect data for a particular tag for an interface element.
+	# The specified interfaces should be the same as the ones specified in
+	# 'interface:' followed by the tag and the redirect data.
+	# Note: any 'access-control*:' setting overrides all 'interface-*:'
+	# settings for targeted clients.
+	# interface-tag-data: eth0@5003 tag2 "A 127.0.0.1"
+
+	# Similar to 'access-control-view:' but for interfaces.
+	# Set view for an interface element.
+	# The specified interfaces should be the same as the ones specified in
+	# 'interface:' followed by the view name.
+	# Note: any 'access-control*:' setting overrides all 'interface-*:'
+	# settings for targeted clients.
+	# interface-view: eth0@5003 viewname
+
 	# if given, a chroot(2) is done to the given directory.
 	# i.e. you can chroot to the working directory, for example,
 	# for extra security, but make sure all files are in that directory.
@@ -850,6 +902,10 @@ server:
 	# Disable TLS for DNS-over-HTTP downstream service.
 	# http-notls-downstream: no
 
+	# The interfaces that use these listed port numbers will support and
+	# expect PROXYv2. For UDP and TCP/TLS interfaces.
+	# proxy-protocol-port: portno for each of the port numbers.
+
 	# DNS64 prefix. Must be specified when DNS64 is use.
 	# Enable dns64 in module-config.  Used to synthesize IPv6 from IPv4.
 	# dns64-prefix: 64:ff9b::0/96
diff --git a/doc/libunbound.3.in b/doc/libunbound.3.in
index baf29219495f..b87289e0d764 100644
--- a/doc/libunbound.3.in
+++ b/doc/libunbound.3.in
@@ -1,4 +1,4 @@
-.TH "libunbound" "3" "Sep 21, 2022" "NLnet Labs" "unbound 1.16.3"
+.TH "libunbound" "3" "Oct 13, 2022" "NLnet Labs" "unbound 1.17.0"
 .\"
 .\" libunbound.3 -- unbound library functions manual
 .\"
@@ -44,7 +44,7 @@
 .B ub_ctx_zone_remove,
 .B ub_ctx_data_add,
 .B ub_ctx_data_remove
-\- Unbound DNS validating resolver 1.16.3 functions.
+\- Unbound DNS validating resolver 1.17.0 functions.
 .SH "SYNOPSIS"
 .B #include <unbound.h>
 .LP
diff --git a/doc/unbound-anchor.8.in b/doc/unbound-anchor.8.in
index 922c105177f3..dc61b72dadb4 100644
--- a/doc/unbound-anchor.8.in
+++ b/doc/unbound-anchor.8.in
@@ -1,4 +1,4 @@
-.TH "unbound-anchor" "8" "Sep 21, 2022" "NLnet Labs" "unbound 1.16.3"
+.TH "unbound-anchor" "8" "Oct 13, 2022" "NLnet Labs" "unbound 1.17.0"
 .\"
 .\" unbound-anchor.8 -- unbound anchor maintenance utility manual
 .\"
diff --git a/doc/unbound-checkconf.8.in b/doc/unbound-checkconf.8.in
index 9b56c79252e4..ba6c334c7c78 100644
--- a/doc/unbound-checkconf.8.in
+++ b/doc/unbound-checkconf.8.in
@@ -1,4 +1,4 @@
-.TH "unbound-checkconf" "8" "Sep 21, 2022" "NLnet Labs" "unbound 1.16.3"
+.TH "unbound-checkconf" "8" "Oct 13, 2022" "NLnet Labs" "unbound 1.17.0"
 .\"
 .\" unbound-checkconf.8 -- unbound configuration checker manual
 .\"
diff --git a/doc/unbound-control.8.in b/doc/unbound-control.8.in
index e42e0cd544e7..3841b9737f4e 100644
--- a/doc/unbound-control.8.in
+++ b/doc/unbound-control.8.in
@@ -1,4 +1,4 @@
-.TH "unbound-control" "8" "Sep 21, 2022" "NLnet Labs" "unbound 1.16.3"
+.TH "unbound-control" "8" "Oct 13, 2022" "NLnet Labs" "unbound 1.17.0"
 .\"
 .\" unbound-control.8 -- unbound remote control manual
 .\"
diff --git a/doc/unbound-host.1.in b/doc/unbound-host.1.in
index aae95827d92c..8371084c575b 100644
--- a/doc/unbound-host.1.in
+++ b/doc/unbound-host.1.in
@@ -1,4 +1,4 @@
-.TH "unbound\-host" "1" "Sep 21, 2022" "NLnet Labs" "unbound 1.16.3"
+.TH "unbound\-host" "1" "Oct 13, 2022" "NLnet Labs" "unbound 1.17.0"
 .\"
 .\" unbound-host.1 -- unbound DNS lookup utility
 .\"
diff --git a/doc/unbound.8.in b/doc/unbound.8.in
index 81a8f4f63f5e..ac61b0f7a10c 100644
--- a/doc/unbound.8.in
+++ b/doc/unbound.8.in
@@ -1,4 +1,4 @@
-.TH "unbound" "8" "Sep 21, 2022" "NLnet Labs" "unbound 1.16.3"
+.TH "unbound" "8" "Oct 13, 2022" "NLnet Labs" "unbound 1.17.0"
 .\"
 .\" unbound.8 -- unbound manual
 .\"
@@ -9,7 +9,7 @@
 .\"
 .SH "NAME"
 .B unbound
-\- Unbound DNS validating resolver 1.16.3.
+\- Unbound DNS validating resolver 1.17.0.
 .SH "SYNOPSIS"
 .B unbound
 .RB [ \-h ]
diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in
index 4f542eb4757e..6c021b900d89 100644
--- a/doc/unbound.conf.5.in
+++ b/doc/unbound.conf.5.in
@@ -1,4 +1,4 @@
-.TH "unbound.conf" "5" "Sep 21, 2022" "NLnet Labs" "unbound 1.16.3"
+.TH "unbound.conf" "5" "Oct 13, 2022" "NLnet Labs" "unbound 1.17.0"
 .\"
 .\" unbound.conf.5 -- unbound.conf manual
 .\"
@@ -118,7 +118,7 @@ The number of threads to create to serve clients. Use 1 for no threading.
 .B port: \fI<port number>
 The port number, default 53, on which the server responds to queries.
 .TP
-.B interface: \fI<ip address[@port]>
+.B interface: \fI<ip address or interface name [@port]>
 Interface to use to connect to the network. This interface is listened to
 for queries from clients, and answers to clients are given from it.
 Can be given multiple times to work on several interfaces. If none are
@@ -129,7 +129,7 @@ A port number can be specified with @port (without spaces between
 interface and port number), if not specified the default port (from
 \fBport\fR) is used.
 .TP
-.B ip\-address: \fI<ip address[@port]>
+.B ip\-address: \fI<ip address or interface name [@port]>
 Same as interface: (for ease of compatibility with nsd.conf).
 .TP
 .B interface\-automatic: \fI<yes or no>
@@ -656,6 +656,17 @@ Ignored if the option is not available. Default is yes.
 Disable use of TLS for the downstream DNS-over-HTTP connections.  Useful for
 local back end servers.  Default is no.
 .TP
+.B proxy\-protocol\-port: \fI<portnr>
+List port numbers as proxy\-protocol\-port, and when interfaces are defined,
+eg. with the @port suffix, as this port number, they support and expect PROXYv2.
+In this case the proxy address will only be used for the network communication
+and initial ACL (check if the proxy itself is denied/refused by configuration).
+The proxied address (if any) will then be used as the true client address and
+will be used where applicable for logging, ACL, DNSTAP, RPZ and IP ratelimiting.
+PROXYv2 is supported for UDP and TCP/TLS listening interfaces.
+There is no support for PROXYv2 on a DoH or DNSCrypt listening interface.
+Can list multiple, each on a new statement.
+.TP
 .B use\-systemd: \fI<yes or no>
 Enable or disable systemd socket activation.
 Default is no.
@@ -675,7 +686,7 @@ The netblock is given as an IP4 or IP6 address with /size appended for a
 classless network block. The action can be \fIdeny\fR, \fIrefuse\fR,
 \fIallow\fR, \fIallow_setrd\fR, \fIallow_snoop\fR, \fIdeny_non_local\fR or
 \fIrefuse_non_local\fR.
-The most specific netblock match is used, if none match \fIdeny\fR is used.
+The most specific netblock match is used, if none match \fIrefuse\fR is used.
 The order of the access\-control statements therefore does not matter.
 .IP
 The action \fIdeny\fR stops queries from hosts from that netblock.
@@ -741,6 +752,46 @@ Set redirect data for particular tag for given access control element.
 .B access\-control\-view: \fI<IP netblock> <view name>
 Set view for given access control element.
 .TP
+.B interface\-action: \fI<ip address or interface name [@port]> <action>
+Similar to \fBaccess\-control:\fR but for interfaces.
+.IP
+The action is the same as the ones defined under \fBaccess\-control:\fR.
+Interfaces are \fIrefuse\fRd by default.
+By default only localhost (the IP netblock, not the loopback interface) is
+\fIallow\fRed through the default \fBaccess\-control:\fR behavior.
+.IP
+Note that the interface needs to be already specified with \fBinterface:\fR
+and that any \fBaccess-control*:\fR setting overrides all \fBinterface-*:\fR
+settings for targeted clients.
+.TP
+.B interface\-tag: \fI<ip address or interface name [@port]> <"list of tags">
+Similar to \fBaccess\-control-tag:\fR but for interfaces.
+.IP
+Note that the interface needs to be already specified with \fBinterface:\fR
+and that any \fBaccess-control*:\fR setting overrides all \fBinterface-*:\fR
+settings for targeted clients.
+.TP
+.B interface\-tag\-action: \fI<ip address or interface name [@port]> <tag> <action>
+Similar to \fBaccess\-control-tag-action:\fR but for interfaces.
+.IP
+Note that the interface needs to be already specified with \fBinterface:\fR
+and that any \fBaccess-control*:\fR setting overrides all \fBinterface-*:\fR
+settings for targeted clients.
+.TP
+.B interface\-tag\-data: \fI<ip address or interface name [@port]> <tag> <"resource record string">
+Similar to \fBaccess\-control-tag-data:\fR but for interfaces.
+.IP
+Note that the interface needs to be already specified with \fBinterface:\fR
+and that any \fBaccess-control*:\fR setting overrides all \fBinterface-*:\fR
+settings for targeted clients.
+.TP
+.B interface\-view: \fI<ip address or interface name [@port]> <view name>
+Similar to \fBaccess\-control-view:\fR but for interfaces.
+.IP
+Note that the interface needs to be already specified with \fBinterface:\fR
+and that any \fBaccess-control*:\fR setting overrides all \fBinterface-*:\fR
+settings for targeted clients.
+.TP
 .B chroot: \fI<directory>
 If chroot is enabled, you should pass the configfile (from the
 commandline) as a full path from the original root. After the
@@ -1823,9 +1874,11 @@ section for options.  To setup the correct self\-signed certificates use the
 The option is used to enable remote control, default is "no".
 If turned off, the server does not listen for control commands.
 .TP 5
-.B control\-interface: \fI<ip address or path>
+.B control\-interface: \fI<ip address or interface name or path>
 Give IPv4 or IPv6 addresses or local socket path to listen on for
 control commands.
+If an interface name is used instead of an ip address, the list of ip addresses
+on that interface are used.
 By default localhost (127.0.0.1 and ::1) is listened to.
 Use 0.0.0.0 and ::0 to listen to all interfaces.
 If you change this and permissions have been dropped, you must restart