| author | Dag-Erling Smørgrav <des@FreeBSD.org> | 2018-05-12 11:55:57 +0000 |
|---|---|---|
| committer | Dag-Erling Smørgrav <des@FreeBSD.org> | 2018-05-12 11:55:57 +0000 |
| commit | 2bda7bda432fb0f867072224dd97e10435c8ad94 (patch) | |
| tree | 7ebfd82c2302bee4f9c05fb516c030153fb371d8 /doc | |
| parent | a6c5280ea59f940be13fd6eb0f94ab8360d3d6c9 (diff) | |
Diffstat (limited to 'doc')
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | doc/Changelog | 52 |
| -rw-r--r-- | doc/README | 2 |
| -rw-r--r-- | doc/example.conf.in | 10 |
| -rw-r--r-- | doc/libunbound.3.in | 4 |
| -rw-r--r-- | doc/requirements.txt | 2 |
| -rw-r--r-- | doc/unbound-anchor.8.in | 2 |
| -rw-r--r-- | doc/unbound-checkconf.8.in | 2 |
| -rw-r--r-- | doc/unbound-control.8.in | 54 |
| -rw-r--r-- | doc/unbound-host.1.in | 2 |
| -rw-r--r-- | doc/unbound.8.in | 4 |
| -rw-r--r-- | doc/unbound.conf.5.in | 22 |
11 files changed, 139 insertions, 17 deletions
diff --git a/doc/Changelog b/doc/Changelog index 39a3a2b7f4aa..3a03d6888810 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,5 +1,55 @@ +10 October 2017: Wouter + - tag 1.6.7 + +6 October 2017: Wouter + - Fix spelling in unbound-control man page. + +5 October 2017: Wouter + - Fix trust-anchor-signaling works in libunbound. + - Fix some more crpls in testdata for different signaling default. + - tag 1.6.7rc1 + +5 October 2017: Ralph + - Set trust-anchor-signaling default to yes + - Use RCODE from A query on DNS64 synthesized answer. + +2 October 2017: Wouter + - Fix param unused warning for windows exportsymbol compile. + +25 September 2017: Ralph + - Fix #1450: Generate again patch contrib/aaaa-filter-iterator.patch + (by Danilo G. Baio). + +21 September 2017: Ralph + - Log name of looping module + +19 September 2017: Wouter + - use a cachedb answer even if it's "expired" when serve-expired is yes + (patch from Jinmei Tatuya). + - trigger refetching of the answer in that case (this will bypass + cachedb lookup) + - allow storing a 0-TTL answer from cachedb in the in-memory message + cache when serve-expired is yes + - Fix DNSCACHE_STORE_ZEROTTL to be bigger than 0xffff. + +18 September 2017: Ralph + - Fix #1400: allowing use of global cache on ECS-forwarding unless + always-forward. + +18 September 2017: Wouter + - tag 1.6.6 (is 1.6.6rc2) + - Fix that looping modules always stop the query, and don't pass + control. + - Fix #1435: Please allow UDP to be disabled separately upstream and + downstream. + - Fix #1440: [dnscrypt] client nonce cache. + +15 September 2017: Wouter + - Fix unbound-host to report error for DNSSEC state of failed lookups. + - Spelling fixes, from Josh Soref. + 13 September 2017: Wouter - - tag 1.6.6rc2 + - tag 1.6.6rc2, became 1.6.6 on 18 sep. trunk 1.6.7 in development. 12 September 2017: Wouter - Add dns64 for client-subnet in unbound-checkconf. diff --git a/doc/README b/doc/README index d0c0bf34f3fb..6d8cc2ef8a28 100644 --- a/doc/README 
+++ b/doc/README @@ -1,4 +1,4 @@ -README for Unbound 1.6.6 +README for Unbound 1.6.7 Copyright 2007 NLnet Labs http://unbound.net diff --git a/doc/example.conf.in b/doc/example.conf.in index e7978b79c898..e636dc858201 100644 --- a/doc/example.conf.in +++ b/doc/example.conf.in @@ -1,7 +1,7 @@ # # Example configuration file. # -# See unbound.conf(5) man page, version 1.6.6. +# See unbound.conf(5) man page, version 1.6.7. # # this is a comment. @@ -199,6 +199,10 @@ server: # upstream connections use TCP only (and no UDP), "yes" or "no" # useful for tunneling scenarios, default no. # tcp-upstream: no + + # upstream connections also use UDP (even if do-udp is no). + # useful if if you want UDP upstream, but don't provide UDP downstream. + # udp-upstream-without-downstream: no # Maximum segment size (MSS) of TCP socket on which the server # responds to queries. Default is 0, system default MSS. @@ -449,7 +453,7 @@ server: # auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@" # trust anchor signaling sends a RFC8145 key tag query after priming. - # trust-anchor-signaling: no + # trust-anchor-signaling: yes # File with DLV trusted keys. Same format as trust-anchor-file. # There can be only one DLV configured, it is trusted from root down. @@ -512,7 +516,7 @@ server: # that set CD but cannot validate themselves. # ignore-cd-flag: no - # Serve expired reponses from cache, with TTL 0 in the response, + # Serve expired responses from cache, with TTL 0 in the response, # and then attempt to fetch the data afresh. # serve-expired: no diff --git a/doc/libunbound.3.in b/doc/libunbound.3.in index fbf3cd832af6..7dd8de65273b 100644 --- a/doc/libunbound.3.in +++ b/doc/libunbound.3.in @@ -1,4 +1,4 @@ -.TH "libunbound" "3" "Sep 18, 2017" "NLnet Labs" "unbound 1.6.6" +.TH "libunbound" "3" "Oct 10, 2017" "NLnet Labs" "unbound 1.6.7" .\" .\" libunbound.3 -- unbound library functions manual .\" 
@@ -43,7 +43,7 @@ .B ub_ctx_zone_remove, .B ub_ctx_data_add, .B ub_ctx_data_remove -\- Unbound DNS validating resolver 1.6.6 functions. +\- Unbound DNS validating resolver 1.6.7 functions. .SH "SYNOPSIS" .B #include <unbound.h> .LP diff --git a/doc/requirements.txt b/doc/requirements.txt index a66962d4a401..b643cec17d3b 100644 --- a/doc/requirements.txt +++ b/doc/requirements.txt @@ -81,7 +81,7 @@ o Too many Features. 5. Choices ---------- -o rfc2181 decourages duplicates RRs in RRsets. unbound does not create +o rfc2181 discourages duplicates RRs in RRsets. unbound does not create duplicates, but when presented with duplicates on the wire from the authoritative servers, does not perform duplicate removal. It does do some rrsig duplicate removal, in the msgparser, for dnssec qtype diff --git a/doc/unbound-anchor.8.in b/doc/unbound-anchor.8.in index a008e0c0e262..1e07f5e2b839 100644 --- a/doc/unbound-anchor.8.in +++ b/doc/unbound-anchor.8.in @@ -1,4 +1,4 @@ -.TH "unbound-anchor" "8" "Sep 18, 2017" "NLnet Labs" "unbound 1.6.6" +.TH "unbound-anchor" "8" "Oct 10, 2017" "NLnet Labs" "unbound 1.6.7" .\" .\" unbound-anchor.8 -- unbound anchor maintenance utility manual .\" diff --git a/doc/unbound-checkconf.8.in b/doc/unbound-checkconf.8.in index 2e38e76b9979..3a7e1e98a465 100644 --- a/doc/unbound-checkconf.8.in +++ b/doc/unbound-checkconf.8.in @@ -1,4 +1,4 @@ -.TH "unbound-checkconf" "8" "Sep 18, 2017" "NLnet Labs" "unbound 1.6.6" +.TH "unbound-checkconf" "8" "Oct 10, 2017" "NLnet Labs" "unbound 1.6.7" .\" .\" unbound-checkconf.8 -- unbound configuration checker manual .\" diff --git a/doc/unbound-control.8.in b/doc/unbound-control.8.in index 66ea690390a0..80501a7227fb 100644 --- a/doc/unbound-control.8.in +++ b/doc/unbound-control.8.in @@ -1,4 +1,4 @@ -.TH "unbound-control" "8" "Sep 18, 2017" "NLnet Labs" "unbound 1.6.6" +.TH "unbound-control" "8" "Oct 10, 2017" "NLnet Labs" "unbound 1.6.7" .\" .\" unbound-control.8 -- unbound remote control manual .\" 
@@ -337,6 +337,19 @@ number of queries that were successfully answered using a cache lookup .I threadX.num.cachemiss number of queries that needed recursive processing .TP +.I threadX.num.dnscrypt.crypted +number of queries that were encrypted and successfully decapsulated by dnscrypt. +.TP +.I threadX.num.dnscrypt.cert +number of queries that were requesting dnscrypt certificates. +.TP +.I threadX.num.dnscrypt.cleartext +number of queries received on dnscrypt port that were cleartext and not a +request for certificates. +.TP +.I threadX.num.dnscrypt.malformed +number of request that were neither cleartext, not valid dnscrypt messages. +.TP .I threadX.num.prefetch number of cache prefetches performed. This number is included in cachehits, as the original query had the unprefetched answer from cache, @@ -393,6 +406,18 @@ summed over threads. .I total.num.cachemiss summed over threads. .TP +.I total.num.dnscrypt.crypted +summed over threads. +.TP +.I total.num.dnscrypt.cert +summed over threads. +.TP +.I total.num.dnscrypt.cleartext +summed over threads. +.TP +.I total.num.dnscrypt.malformed +summed over threads. +.TP .I total.num.prefetch summed over threads. .TP @@ -439,6 +464,12 @@ Memory in bytes in use by the RRset cache. .I mem.cache.message Memory in bytes in use by the message cache. .TP +.I mem.cache.dnscrypt_shared_secret +Memory in bytes in use by the dnscrypt shared secrets cache. +.TP +.I mem.cache.dnscrypt_nonce +Memory in bytes in use by the dnscrypt nonce cache. +.TP .I mem.mod.iterator Memory in bytes in use by the iterator module. .TP 
@@ -497,6 +528,14 @@ These queries are also included in the num.query.edns.present number. The number of queries that are turned away from being send to nameserver due to ratelimiting. .TP +.I num.query.dnscrypt.shared_secret.cachemiss +The number of dnscrypt queries that did not find a shared secret in the cache. +The can be use to compute the shared secret hitrate. +.TP +.I num.query.dnscrypt.replay +The number of dnscrypt queries that found a nonce hit in the nonce cache and +hence are considered a query replay. +.TP .I num.answer.rcode.NXDOMAIN The number of answers to queries, from cache or from recursion, that had the return code NXDOMAIN. Also printed for the other return codes. @@ -546,6 +585,19 @@ timing and protocol support information. .I key.cache.count The number of items in the key cache. These are DNSSEC keys, one item per delegation point, and their validation status. +.TP +.I dnscrypt_shared_secret.cache.count +The number of items in the shared secret cache. These are precomputed shared +secrets for a given client public key/server secret key pair. Shared secrets +are CPU intensive and this cache allows unbound to avoid recomputing the +shared secret when multiple dnscrypt queries are sent from the same client. +.TP +.I dnscrypt_nonce.cache.count +The number of items in the client nonce cache. This cache is used to prevent +dnscrypt queries replay. The client nonce must be unique for each client public +key/server secret key pair. This cache should be able to host QPS * `replay +window` interval keys to prevent replay of a query during `replay window` +seconds. .SH "FILES" .TP .I @ub_conf_file@ diff --git a/doc/unbound-host.1.in b/doc/unbound-host.1.in index de8f0bdd052c..b16363c5d536 100644 --- a/doc/unbound-host.1.in +++ b/doc/unbound-host.1.in 
@@ -1,4 +1,4 @@ -.TH "unbound\-host" "1" "Sep 18, 2017" "NLnet Labs" "unbound 1.6.6" +.TH "unbound\-host" "1" "Oct 10, 2017" "NLnet Labs" "unbound 1.6.7" .\" .\" unbound-host.1 -- unbound DNS lookup utility .\" diff --git a/doc/unbound.8.in b/doc/unbound.8.in index 24959ba26cec..1f70ef6685f9 100644 --- a/doc/unbound.8.in +++ b/doc/unbound.8.in @@ -1,4 +1,4 @@ -.TH "unbound" "8" "Sep 18, 2017" "NLnet Labs" "unbound 1.6.6" +.TH "unbound" "8" "Oct 10, 2017" "NLnet Labs" "unbound 1.6.7" .\" .\" unbound.8 -- unbound manual .\" @@ -9,7 +9,7 @@ .\" .SH "NAME" .B unbound -\- Unbound DNS validating resolver 1.6.6. +\- Unbound DNS validating resolver 1.6.7. .SH "SYNOPSIS" .B unbound .RB [ \-h ] diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in index f48ef9214afa..73c4db9561d6 100644 --- a/doc/unbound.conf.5.in +++ b/doc/unbound.conf.5.in @@ -1,4 +1,4 @@ -.TH "unbound.conf" "5" "Sep 18, 2017" "NLnet Labs" "unbound 1.6.6" +.TH "unbound.conf" "5" "Oct 10, 2017" "NLnet Labs" "unbound 1.6.7" .\" .\" unbound.conf.5 -- unbound.conf manual .\" @@ -391,6 +391,11 @@ negotiation between Unbound and other servers. Enable or disable whether the upstream queries use TCP only for transport. Default is no. Useful in tunneling scenarios. .TP +.B udp\-upstream\-without\-downstream: \fI<yes or no> +Enable udp upstream even if do-udp is no. Default is no, and this does not +change anything. Useful for TLS service providers, that want no udp downstream +but use udp to fetch data upstream. +.TP .B ssl\-upstream: \fI<yes or no> Enabled or disable whether the upstream queries use SSL only for transport. Default is no. Useful in tunneling scenarios. The SSL contains plain DNS in 
@@ -807,7 +812,7 @@ It is possible to use wildcards with this statement, the wildcard is expanded on start and on reload. .TP .B trust\-anchor\-signaling: \fI<yes or no> -Send RFC8145 key tag query after trust anchor priming. Default is off. +Send RFC8145 key tag query after trust anchor priming. Default is on. .TP .B dlv\-anchor\-file: \fI<filename> This option was used during early days DNSSEC deployment when no parent-side @@ -1518,6 +1523,17 @@ using the same public key. It saves a substantial amount of CPU. Give power of 2 number of slabs, this is used to reduce lock contention in the dnscrypt shared secrets cache. Close to the number of cpus is a fairly good setting. +.TP +.B dnscrypt\-nonce\-cache\-size: \fI<memory size> +Give the size of the data structure in which the client nonces are kept in. +Default 4m. In bytes or use m(mega), k(kilo), g(giga). +The nonce cache is used to prevent dnscrypt message replaying. Client nonce +should be unique for any pair of client pk/server sk. +.TP +.B dnscrypt\-nonce\-cache\-slabs: \fI<number> +Give power of 2 number of slabs, this is used to reduce lock contention +in the dnscrypt nonce cache. Close to the number of cpus is +a fairly good setting. .SS "EDNS Client Subnet Module Options" .LP The ECS module must be configured in the \fBmodule\-config:\fR "subnetcache @@ -1531,7 +1547,7 @@ specialized cache. If the authority indicated no support, the response is stored in the regular cache. .LP Additionally, when a client includes the option in its queries, Unbound will -forward the option to the authority if prensent in the whitelist, or +forward the option to the authority if present in the whitelist, or \fBclient\-subnet\-always\-forward\fR is set to yes. In this case the lookup in the regular cache is skipped. .LP |
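Review bot: the comment added in the doc/example.conf.in hunk at @@ -199 has a doubled word, "useful if if you want UDP upstream"; drop one "if". The same comment would be clearer if it said that the option only changes behaviour when do-udp is set to no, since with do-udp at its default it has no effect.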
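Review bot: the doc/requirements.txt hunk at @@ -81 fixes "decourages" but leaves "duplicates RRs in RRsets" on the same line; make it "duplicate RRs" while touching it.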
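Review bot: in the doc/unbound-control.8.in hunk at @@ -337, the threadX.num.dnscrypt.malformed description reads "number of request that were neither cleartext, not valid dnscrypt messages."; it should be "number of requests that were neither cleartext nor valid dnscrypt messages." The threadX.num.dnscrypt.cleartext entry would also read better as "received on the dnscrypt port".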
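Review bot: in the doc/unbound-control.8.in hunk at @@ -497, "The can be use to compute the shared secret hitrate." should read "This can be used to compute the shared secret hit rate." The num.query.dnscrypt.replay entry should also tell operators what the counter means in practice: these are queries that were treated as replays and not served, so a sustained increase is a signal worth watching in monitoring rather than just a statistic.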
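Review bot: in the doc/unbound-control.8.in hunk at @@ -546, "This cache is used to prevent dnscrypt queries replay." should be "prevent dnscrypt query replay", and "Shared secrets are CPU intensive" should say that computing them is CPU intensive. The sizing rule "QPS * `replay window` interval keys" is the only place in this patch where the replay window is mentioned; the unbound.conf(5) hunk that adds dnscrypt-nonce-cache-size does not say how long that window is or how it is set, so either state it here or cross-reference the option. The backtick quoting is also not roff; use \fIreplay window\fR or plain text.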
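Review bot: in the doc/unbound.conf.5.in hunk at @@ -391, "Default is no, and this does not change anything." is confusing; say instead that with the default of no, upstream UDP use follows do-udp, and with yes upstream queries may use UDP even when do-udp is no. "Enable udp upstream" should also follow the convention of the neighbouring tcp-upstream and ssl-upstream entries ("Enable or disable whether ...") and spell "UDP" in capitals.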
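Review bot: the doc/unbound.conf.5.in hunk at @@ -807 documents the new trust-anchor-signaling default as "on" while the example.conf.in hunk in this patch writes it as "yes"; the option takes yes or no, so "Default is yes." is the consistent wording. Since the option is now enabled by default, the entry should also say to which servers the RFC8145 key tag query is sent after priming, so operators understand the extra outbound query and know they can set the option to no.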
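Review bot: in the doc/unbound.conf.5.in hunk at @@ -1518, "in which the client nonces are kept in" has a doubled "in", and "Client nonce should be unique for any pair of client pk/server sk." should match the unbound-control(8) wording in this patch, "The client nonce must be unique for each client public key/server secret key pair." The dnscrypt-nonce-cache-size entry should also carry the sizing rule that the unbound-control(8) hunk gives under dnscrypt_nonce.cache.count (QPS times the replay window), because that is where a reader choosing a size will look, and it should say that a cache too small for the query rate cannot hold the nonces for the whole window and so weakens the replay protection it exists to provide.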
