| field | value | date |
|---|---|---|
| author | Dag-Erling Smørgrav <des@FreeBSD.org> | 2018-05-12 11:53:39 +0000 |
| committer | Dag-Erling Smørgrav <des@FreeBSD.org> | 2018-05-12 11:53:39 +0000 |
| commit | 6cacf549d3c2d5bddb0dcadd620e1db2897c7f26 (patch) | |
| tree | e187e7d708a063f1628697fe779e2bb101d451b8 /doc | |
| parent | fbdb9ac866a647da0919b224f05cca039afc02fa (diff) | |
Diffstat (limited to 'doc')

| mode | file | lines | size change |
|---|---|---|---|
| -rw-r--r-- | doc/CNAME-basedRedirectionDesignNotes.pdf | bin | 83264 -> 56975 bytes |
| -rw-r--r-- | doc/Changelog | 184 | |
| -rw-r--r-- | doc/IP-BasedActions.pdf | bin | 0 -> 247560 bytes |
| -rw-r--r-- | doc/README | 2 | |
| -rw-r--r-- | doc/example.conf.in | 34 | |
| -rw-r--r-- | doc/libunbound.3.in | 4 | |
| -rw-r--r-- | doc/unbound-anchor.8.in | 2 | |
| -rw-r--r-- | doc/unbound-checkconf.8.in | 2 | |
| -rw-r--r-- | doc/unbound-control.8.in | 2 | |
| -rw-r--r-- | doc/unbound-host.1.in | 2 | |
| -rw-r--r-- | doc/unbound.8.in | 4 | |
| -rw-r--r-- | doc/unbound.conf.5.in | 85 | |

12 files changed, 308 insertions, 13 deletions
diff --git a/doc/CNAME-basedRedirectionDesignNotes.pdf b/doc/CNAME-basedRedirectionDesignNotes.pdf Binary files differindex 2be2273edb97..11cea0f0f7e4 100644 --- a/doc/CNAME-basedRedirectionDesignNotes.pdf +++ b/doc/CNAME-basedRedirectionDesignNotes.pdf diff --git a/doc/Changelog b/doc/Changelog index 31c9e4627521..2a90abe3e57b 100644 --- a/doc/Changelog +++ b/doc/Changelog 
@@ -1,5 +1,187 @@ +13 April 2017: Wouter + - Fix #1250: inconsistent indentation in services/listen_dnsport.c. + - tag for 1.6.2rc1 + +12 April 2017: Wouter + - subnet mem value is available in shm, also when not enabled, + to make the struct easier to memmap by other applications, + independent of the configuration of unbound. + +12 April 2017: Ralph + - Fix #1247: unbound does not shorten source prefix length when + forwarding ECS. + - Properly check for allocation failure in local_data_find_tag_datas. + - Fix #1249: unbound doesn't return FORMERR to bogus ECS. + - Set SHM ECS memory usage to 0 when module not loaded. + +11 April 2017: Ralph + - Display ECS module memory usage. + +10 April 2017: Wouter + - harden-algo-downgrade: no also makes unbound more lenient about + digest algorithms in DS records. + +10 April 2017: Ralph + - Remove ECS option after REFUSED answer. + - Fix small memory leak in edns_opt_copy_alloc. + - Respip dereference after NULL check. + - Zero initialize addrtree allocation. + - Use correct identifier for SHM destroy. + +7 April 2017: George + - Fix pythonmod for cb changes. + - Some whitespace fixup. + +7 April 2017: Ralph + - Unlock view in respip unit test + +6 April 2017: Ralph + - Generalise inplace callback (de)registration + - (de)register inplace callbacks for module id + - No unbound-control set_option for ECS options + - Deprecated client-subnet-opcode config option + - Introduced client-subnet-always-forward config option + - Changed max-client-subnet-ipv6 default to 56 (as in RFC) + - Removed extern ECS config options + - module_restart_next now calls clear on all following modules + - Also create ECS module qstate on module_event_pass event + - remove malloc from inplace_cb_register + +6 April 2017: Wouter + - Small fixup for documentation. + - iana portlist update + - Fix respip for braces when locks arent used. + - Fix pythonmod for cb changes. 
+ +4 April 2017: Wouter + - Fix #1244: document that use of chroot requires trust anchor file to + be under chroot. + - iana portlist update + +3 April 2017: Ralph + - Do not add current time twice to TTL before ECS cache store. + - Do not touch rrset cache after ECS cache message generation. + - Use LDNS_EDNS_CLIENT_SUBNET as default ECS opcode. + +3 April 2017: Wouter + - Fix #1217: Add metrics to unbound-control interface showing + crypted, cert request, plaintext and malformed queries (from + Manu Bretelle). + - iana portlist update + +27 March 2017: Wouter + - Remove (now unused) event2 include from dnscrypt code. + +24 March 2017: George + - Fix to prevent non-referal query from being cached as referal when the + no_cache_store flag was set. + +23 March 2017: Wouter + - Fix #1239: configure fails to find python distutils if python + prints warning. + +22 March 2017: Wouter + - Fix #1238: segmentation fault when adding through the remote + interface a per-view local zone to a view with no previous + (configured) local zones. + - Fix #1229: Systemd service sandboxing, options in wrong sections. + +21 March 2017: Ralph + - Merge EDNS Client subnet implementation from feature branch into main + branch, using new EDNS processing framework. + +21 March 2017: Wouter + - Fix doxygen for dnscrypt files. + +20 March 2017: Wouter + - #1217. DNSCrypt support, with --enable-dnscrypt, libsodium and then + enabled in the config file from Manu Bretelle. + - make depend, autoconf, remove warnings about statement before var. + - lru_demote and lruhash_insert_or_retrieve functions for getdns. + - fixup for lruhash (whitespace and header file comment). + - dnscrypt tests. + +17 March 2017: Wouter + - Patch for view functionality for local-data-ptr from Björn Ketelaars. + - Fix #1237 - Wrong resolving in chain, for norec queries that get + SERVFAIL returned. + +16 March 2017: Wouter + - Fix that SHM is not inited if not enabled. 
+ - Add trustanchor.unbound CH TXT that gets a response with a number + of TXT RRs with a string like "example.com. 2345 1234" with + the trust anchors and their keytags. + - Fix that looped DNAMEs do not cause unbound to spend effort. + - trustanchor tags are sorted. reusable routine to fetch taglist. + +13 March 2017: Wouter + - testbound understands Deckard MATCH rcode question answer commands. + - Fix #1235: Fix too long DNAME expansion produces SERVFAIL instead + of YXDOMAIN + query loop, reported by Petr Spacek. + +10 March 2017: Wouter + - Fix #1234: shortening DNAME loop produces duplicate DNAME records + in ANSWER section. + +9 March 2017: Wouter + - --disable-sha1 disables SHA1 support in RRSIG, so from DNSKEY and + DS records. NSEC3 is not disabled. + - fake-sha1 test option; print warning if used. To make unit tests. + - unbound-control list local zone and data commands listed in the + help output. + +8 March 2017: Wouter + - make depend for build dependencies. + - swig version 2.0.1 required. + - fix enum conversion warnings + +7 March 2017: Wouter + - Fix #1230: swig version 2.0.0 is required for pythonmod, with + 1.3.40 it crashes when running repeatly unbound-control reload. + - Response actions based on IP address from Jinmei Tatuya (Infoblox). + +6 March 2017: Wouter + - Fix #1229: Systemd service sandboxing in contrib/unbound.service. + - iana portlist update + +28 February 2017: Ralph + - Fix testpkts.c, check if DO bit is set, not only if there is an OPT + record. + +28 February 2017: Wouter + - For #1227: if we have sha256, set the cipher list to have no + known vulns. + +27 February 2017: Wouter + - Fix #1227: Fix that Unbound control allows weak ciphersuits. + - Fix #1226: provide official 32bit binary for windows. + +24 February 2017: Wouter + - include sys/time.h for new shm code on NetBSD. + +23 February 2017: Wouter + - Fix doc/CNAME-basedRedirectionDesignNotes.pdf zone static to + redirect. 
+ - Patch from Luiz Fernando Softov for Stats Shared Memory. + - unbound-control stats_shm command prints stats using shared memory, + which uses less cpu. + - make depend, autoconf, doxygen and lint fixed up. + +22 February 2017: Wouter + - Fix #1224: Fix that defaults should not fall back to "Program Files + (x86) if Unbound is 64bit by default on windows. + +21 February 2017: Wouter + - iana portlist update + +16 February 2017: Wouter + - sldns updated for vfixed and buffer resize indication from getdns. + +15 February 2017: Wouter + - sldns has ED25519 and ED448 algorithm number and name for display. + 14 February 2017: Wouter - - tag 1.6.1rc3. + - tag 1.6.1rc3. -- which became 1.6.1 on 21feb, trunk has 1.6.2 13 February 2017: Wouter - Fix autoconf of systemd check for lack of pkg-config. diff --git a/doc/IP-BasedActions.pdf b/doc/IP-BasedActions.pdf Binary files differnew file mode 100644 index 000000000000..07cec0fa6281 --- /dev/null +++ b/doc/IP-BasedActions.pdf diff --git a/doc/README b/doc/README index acffafacc7d5..8ee9bce56dca 100644 --- a/doc/README +++ b/doc/README @@ -1,4 +1,4 @@ -README for Unbound 1.6.1 +README for Unbound 1.6.2 Copyright 2007 NLnet Labs http://unbound.net diff --git a/doc/example.conf.in b/doc/example.conf.in index 83e7c5c4c4e9..5b185e0e97e8 100644 --- a/doc/example.conf.in +++ b/doc/example.conf.in @@ -1,7 +1,7 @@ # # Example configuration file. # -# See unbound.conf(5) man page, version 1.6.1. +# See unbound.conf(5) man page, version 1.6.2. # # this is a comment. 
@@ -19,6 +19,14 @@ server: # Set to "" or 0 to disable. Default is disabled. # statistics-interval: 0 + # enable shm for stats, default no. if you enable also enable + # statistics-interval, every time it also writes stats to the + # shared memory segment keyed with shm-key. + # shm-enable: no + + # shm for stats uses this key, and key+1 for the shared mem segment. + # shm-key: 11777 + # enable cumulative statistics, without clearing them after printing. # statistics-cumulative: no @@ -308,6 +316,9 @@ server: # enable to not answer version.server and version.bind queries. # hide-version: no + + # enable to not answer trustanchor.unbound queries. + # hide-trustanchor: no # the identity to report. Leave "" or default to return hostname. # identity: "" @@ -771,7 +782,28 @@ remote-control: # name: "viewname" # local-zone: "example.com" redirect # local-data: "example.com A 192.0.2.3" +# local-data-ptr: "192.0.2.3 www.example.com" # view-first: no # view: # name: "anotherview" # local-zone: "example.com" refuse + +# DNSCrypt +# Caveats: +# 1. the keys/certs cannot be produced by unbound. You can use dnscrypt-wrapper +# for this: https://github.com/cofyc/dnscrypt-wrapper/blob/master/README.md#usage +# 2. dnscrypt channel attaches to an interface. you MUST set interfaces to +# listen on `dnscrypt-port` with the follo0wing snippet: +# server: +# interface: 0.0.0.0@443 +# interface: ::0@443 +# +# Finally, `dnscrypt` config has its own section. +# dnscrypt: +# dnscrypt-enable: yes +# dnscrypt-port: 443 +# dnscrypt-provider: 2.dnscrypt-cert.example.com. +# dnscrypt-secret-key: /path/unbound-conf/keys1/1.key +# dnscrypt-secret-key: /path/unbound-conf/keys2/1.key +# dnscrypt-provider-cert: /path/unbound-conf/keys1/1.cert +# dnscrypt-provider-cert: /path/unbound-conf/keys2/1.cert diff --git a/doc/libunbound.3.in b/doc/libunbound.3.in index 5be1d9019f57..4fa7b19e3e38 100644 --- a/doc/libunbound.3.in +++ b/doc/libunbound.3.in 
@@ -1,4 +1,4 @@ -.TH "libunbound" "3" "Feb 21, 2017" "NLnet Labs" "unbound 1.6.1" +.TH "libunbound" "3" "Apr 24, 2017" "NLnet Labs" "unbound 1.6.2" .\" .\" libunbound.3 -- unbound library functions manual .\" @@ -43,7 +43,7 @@ .B ub_ctx_zone_remove, .B ub_ctx_data_add, .B ub_ctx_data_remove -\- Unbound DNS validating resolver 1.6.1 functions. +\- Unbound DNS validating resolver 1.6.2 functions. .SH "SYNOPSIS" .B #include <unbound.h> .LP diff --git a/doc/unbound-anchor.8.in b/doc/unbound-anchor.8.in index 06b0f5c89764..1d4f18126184 100644 --- a/doc/unbound-anchor.8.in +++ b/doc/unbound-anchor.8.in @@ -1,4 +1,4 @@ -.TH "unbound-anchor" "8" "Feb 21, 2017" "NLnet Labs" "unbound 1.6.1" +.TH "unbound-anchor" "8" "Apr 24, 2017" "NLnet Labs" "unbound 1.6.2" .\" .\" unbound-anchor.8 -- unbound anchor maintenance utility manual .\" diff --git a/doc/unbound-checkconf.8.in b/doc/unbound-checkconf.8.in index ea1cf4eb89cf..e569cd73e899 100644 --- a/doc/unbound-checkconf.8.in +++ b/doc/unbound-checkconf.8.in @@ -1,4 +1,4 @@ -.TH "unbound-checkconf" "8" "Feb 21, 2017" "NLnet Labs" "unbound 1.6.1" +.TH "unbound-checkconf" "8" "Apr 24, 2017" "NLnet Labs" "unbound 1.6.2" .\" .\" unbound-checkconf.8 -- unbound configuration checker manual .\" diff --git a/doc/unbound-control.8.in b/doc/unbound-control.8.in index af574d249f7b..14c0ec3b4fcd 100644 --- a/doc/unbound-control.8.in +++ b/doc/unbound-control.8.in @@ -1,4 +1,4 @@ -.TH "unbound-control" "8" "Feb 21, 2017" "NLnet Labs" "unbound 1.6.1" +.TH "unbound-control" "8" "Apr 24, 2017" "NLnet Labs" "unbound 1.6.2" .\" .\" unbound-control.8 -- unbound remote control manual .\" diff --git a/doc/unbound-host.1.in b/doc/unbound-host.1.in index eba19e07eb21..95f79d95c83d 100644 --- a/doc/unbound-host.1.in +++ b/doc/unbound-host.1.in @@ -1,4 +1,4 @@ -.TH "unbound\-host" "1" "Feb 21, 2017" "NLnet Labs" "unbound 1.6.1" +.TH "unbound\-host" "1" "Apr 24, 2017" "NLnet Labs" "unbound 1.6.2" .\" .\" unbound-host.1 -- unbound DNS lookup utility .\" 
diff --git a/doc/unbound.8.in b/doc/unbound.8.in index 52cd85341e8d..14f819ea8fd8 100644 --- a/doc/unbound.8.in +++ b/doc/unbound.8.in @@ -1,4 +1,4 @@ -.TH "unbound" "8" "Feb 21, 2017" "NLnet Labs" "unbound 1.6.1" +.TH "unbound" "8" "Apr 24, 2017" "NLnet Labs" "unbound 1.6.2" .\" .\" unbound.8 -- unbound manual .\" @@ -9,7 +9,7 @@ .\" .SH "NAME" .B unbound -\- Unbound DNS validating resolver 1.6.1. +\- Unbound DNS validating resolver 1.6.2. .SH "SYNOPSIS" .B unbound .RB [ \-h ] diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in index 45248ac58c4f..75ecc77ed587 100644 --- a/doc/unbound.conf.5.in +++ b/doc/unbound.conf.5.in @@ -1,4 +1,4 @@ -.TH "unbound.conf" "5" "Feb 21, 2017" "NLnet Labs" "unbound 1.6.1" +.TH "unbound.conf" "5" "Apr 24, 2017" "NLnet Labs" "unbound 1.6.2" .\" .\" unbound.conf.5 -- unbound.conf manual .\" @@ -596,6 +596,9 @@ If enabled version.server and version.bind queries are refused. Set the version to report. If set to "", the default, then the package version is returned. .TP +.B hide\-trustanchor: \fI<yes or no> +If enabled trustanchor.unbound queries are refused. +.TP .B target\-fetch\-policy: \fI<"list of numbers"> Set the target fetch policy used by unbound to determine if it should fetch nameserver target addresses opportunistically. The policy is described per @@ -782,7 +785,8 @@ frequently. The initial file can be one with contents as described in \fBtrust\-anchor\-file\fR. The file is written to when the anchor is updated, so the unbound user must have write permission. Write permission to the file, but also to the directory it is in (to create a temporary file, which is -necessary to deal with filesystem full events). +necessary to deal with filesystem full events), it must also be inside the +chroot (if that is used). .TP .B trust\-anchor: \fI<"Resource Record"> A DS or DNSKEY RR for a key to use for validation. Multiple entries can be 
@@ -1403,6 +1407,10 @@ global local\-zone elements. View specific local\-data elements. Has the same behaviour as the global local\-data elements. .TP +.B local\-data\-ptr: \fI"IPaddr name" +View specific local\-data\-ptr elements. Has the same behaviour as the global +local\-data\-ptr elements. +.TP .B view\-first: \fI<yes or no> If enabled, it attempts to use the global local\-zone and local\-data if there is no match in the view specific options. 
@@ -1438,6 +1446,79 @@ It must be /96 or shorter. The default prefix is 64:ff9b::/96. .B dns64\-synthall: \fI<yes or no>\fR Debug option, default no. If enabled, synthesize all AAAA records despite the presence of actual AAAA records. +.SS "DNSCrypt Options" +.LP +The +.B dnscrypt: +clause give the settings of the dnscrypt channel. While those options are +available, they are only meaningful if unbound was compiled with +\fB\-\-enable\-dnscrypt\fR. +Currently certificate and secret/public keys cannot be generated by unbound. +You can use dnscrypt-wrapper to generate those: https://github.com/cofyc/dnscrypt-wrapper/blob/master/README.md#usage +.TP +.B dnscrypt\-enable: \fI<yes or no>\fR +Whether or not the \fBdnscrypt\fR config should be enabled. You may define +configuration but not activate it. +The default is no. +.TP +.B dnscrypt\-port: \fI<port number> +On which port should \fBdnscrypt\fR should be activated. Note that you should +have a matching \fBinterface\fR option defined in the \fBserver\fR section for +this port. +.TP +.B dnscrypt\-provider: \fI<provider name>\fR +The provider name to use to distribute certificates. This is of the form: +\fB2.dnscrypt-cert.example.com.\fR. The name \fIMUST\fR end with a dot. +.TP +.B dnscrypt\-secret\-key: \fI<path to secret key file>\fR +Path to the time limited secret key file. This option may be specified multiple +times. +.TP +.B dnscrypt\-provider\-cert: \fI<path to cert file>\fR +Path to the certificate related to the \fBdnscrypt\-secret\-key\fRs. This option +may be specified multiple times. +.SS "EDNS Client Subnet Module Options" +.LP +The ECS module must be configured in the \fBmodule\-config:\fR "subnetcache +validator iterator" directive and be compiled into the daemon to be +enabled. These settings go in the \fBserver:\fR section. +.LP +If the destination address is whitelisted with Unbound will add the EDNS0 option +to the query containing the relevant part of the client's address. 
When an +answer contains the ECS option the response and the option are placed in a +specialized cache. If the authority indicated no support, the response is stored +in the regular cache. +.LP +Additionally, when a client includes the option in its queries, Unbound will +forward the option to the authority regardless of the authorities presence in +the whitelist. In this case the lookup in the regular cache is skipped. +.LP +The maximum size of the ECS cache is controlled by 'msg-cache-size' in the +configuration file. On top of that, for each query only 100 different subnets +are allowed to be stored for each address family. Exceeding that number, older +entries will be purged from cache. +.TP +.B send\-client\-subnet: \fI<IP address>\fR +Send client source address to this authority. Append /num to indicate a +classless delegation netblock, for example like 10.2.3.4/24 or 2001::11/64. Can +be given multiple times. Authorities not listed will not receive edns-subnet +information. +.TP +.B client\-subnet\-always\-forward: \fI<yes or no>\fR +Specify whether the ECS whitelist check (configured using +\fBsend\-client\-subnet\fR) is applied for all queries, even if the triggering +query contains an ECS record, or only for queries for which the ECS record is +generated using the querier address (and therefore did not contain ECS data in +the client query). If enabled, the whitelist check is skipped when the client +query contains an ECS record. Default is no. +.TP +.B max\-client\-subnet\-ipv6: \fI<number>\fR +Specifies the maximum prefix length of the client source address we are willing +to expose to third parties for IPv6. Defaults to 56. +.TP +.B max\-client\-subnet\-ipv4: \fI<number>\fR +Specifies the maximum prefix length of the client source address we are willing +to expose to third parties for IPv4. Defaults to 24. .SH "MEMORY CONTROL EXAMPLE" In the example config settings below memory usage is reduced. 
Some service levels are lower, notable very large data and a high TCP load are no longer |
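Review bot: typo in the DNSCrypt caveat block added to doc/example.conf.in, `follo0wing` should read `following`. The same block tells the reader the `server:` interfaces MUST listen on `dnscrypt-port`, and the man page hunk repeats that a matching `interface` option is needed; since the example hardcodes 443 in three separate places, a comment saying the three values have to be kept in sync would make that dependency harder to miss when someone changes only the `dnscrypt-port` line.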
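Review bot: the new `hide\-trustanchor` entry in doc/unbound.conf.5.in documents neither its default nor what the query exposes. The Changelog in this same commit describes `trustanchor.unbound CH TXT` as answering with TXT RRs listing the configured trust anchors and their keytags, and doc/example.conf.in shows `hide-trustanchor: no`, so the man page text should say that the default is no and that the answer reveals the trust anchors and key tags, giving operators the same basis for refusing it as they have for `hide\-version`.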
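Review bot: grammar in the new "DNSCrypt Options" section of doc/unbound.conf.5.in: `clause give the settings` should be `clause gives the settings`, and `On which port should \fBdnscrypt\fR should be activated` has a doubled `should`. Also `.B dnscrypt\-port: \fI<port number>` lacks the closing `\fR` that its sibling entries carry, as do the new `hide\-trustanchor` and `local\-data\-ptr` lines; harmless at end of line, but inconsistent. `dnscrypt\-enable` states its default (no) while `dnscrypt\-port` states none; the entry should say whether a port is required once `dnscrypt\-enable` is yes.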
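Review bot: the ECS overview added to doc/unbound.conf.5.in contradicts the `client\-subnet\-always\-forward` entry that follows it. The overview says that when a client includes the option Unbound forwards it to the authority `regardless of the authorities presence in the whitelist`, whereas the option text says the whitelist check (configured with `send\-client\-subnet`) is applied to all queries unless `client\-subnet\-always\-forward` is enabled, and that the default is no. With the default, a client-supplied subnet should therefore not be sent to an unlisted authority; the overview paragraph should be qualified to say that behaviour only applies when the option is yes, because this is the text an operator reads to judge how much client address information leaves the resolver. Separately, `If the destination address is whitelisted with Unbound will add` is missing the option name after `with`, and `authorities presence` should be `authority's presence`.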
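Review bot: the chroot clause appended to the trust anchor file entry in doc/unbound.conf.5.in (matching Changelog item Fix #1244) is spliced onto the previous sentence, producing `... filesystem full events), it must also be inside the chroot (if that is used).`; make it a separate sentence so the requirement stands out, since a file outside the chroot will not be writable when the anchor is updated.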
