Commit Graph

262 Commits

Author SHA1 Message Date
wouter
346ff9c3ff - Fix that control-use-cert: no works for 127.0.0.1 to disable certs.
git-svn-id: https://unbound.nlnetlabs.nl/svn/tags/release-1.7.3rc2@4740 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-06-18 09:46:01 +00:00
wouter
0f9b6582fa - Fix that first control-interface determines if TLS is used. Warn
when IP address interfaces are used without TLS.


git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@4730 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-06-14 08:14:43 +00:00
wouter
ab61a40dd4 - Rename tls-additional-ports to tls-additional-port, because every
line adds one port.


git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@4721 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-06-12 08:45:57 +00:00
wouter
7ad84e32e0 - #4102 for NSD, but for Unbound. Named unix pipes do not use
certificate and key files, access can be restricted with file and
  directory permissions.  The option control-use-cert is no longer
  used, and ignored if found in unbound.conf.


git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@4718 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-06-12 07:43:52 +00:00
wouter
472d02ab51 - Rename additional-tls-port to tls-additional-ports.
The older name is accepted for backwards compatibility.


git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@4703 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-06-01 08:02:04 +00:00
wouter
4a5ccf25b0 - tls-win-cert option that adds the system certificate store for
authenticating DNS-over-TLS connections.  It can be used instead
  of the tls-cert-bundle option, or with it to add certificates.


git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@4698 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-05-28 14:15:06 +00:00
wouter
8fa54ec661 - Add routine from getdns to add windows cert store to the SSL_CTX.
git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@4697 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-05-28 13:22:10 +00:00
ralph
8b19239862 - Qname minimisation default changed to yes.
git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@4685 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-05-17 10:33:19 +00:00
wouter
e02f387278 - Fix low-rtt-pct to low-rtt-permil, as it is parts in one thousand.
git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@4683 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-05-15 07:30:53 +00:00
ralph
38b5b4c8c6 - Added root-key-sentinel support
git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@4652 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-04-24 09:03:49 +00:00
wouter
40de1a23fa - Fix #4092: libunbound: use-caps-for-id lacks colon in
config_set_option.


git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@4644 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-04-23 07:51:21 +00:00
wouter
1586971688 - For addr with #authname and no @port notation, the default is 853.
git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@4637 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-04-19 14:23:14 +00:00
wouter
329a8e105e - allow-notify: config statement for auth-zones.
git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@4628 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-04-17 13:23:35 +00:00
wouter
e0854f3847 get_option and set_option for low-rtt and low-rtt-pct.
git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@4613 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-04-09 13:39:29 +00:00
wouter
a6494a30da - low-rtt and low-rtt-pct in unbound.conf enable the server selection
of fast servers for some percentage of the time.


git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@4612 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-04-09 13:27:28 +00:00
wouter
0e69ab1789 - Accept both option names with and without colon for get_option
and set_option.


git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@4611 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-04-09 10:42:48 +00:00
ralph
8d778e3a8d - Fix unbound-control get_option aggressive-nsec
git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@4597 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-03-23 12:23:02 +00:00
wouter
c549551a6c - Create additional tls service interfaces by opening them on other
portnumbers and listing the portnumbers as additional-tls-port: nr.


git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@4588 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-03-15 14:19:02 +00:00
wouter
4d4669b2cc - tls-cert-bundle option in unbound.conf enables TLS authentication.
git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@4532 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-02-13 10:35:09 +00:00
ralph
35bc8a1ecc - Aggressive use of NSEC implementation. Use cached NSEC records to generate
NXDOMAIN, NODATA and positive wildcard answers.


git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@4522 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-02-08 13:16:36 +00:00
wouter
77d3988ed5 - Work on local root zone code.
git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@4376 be551aaa-1e26-0410-a405-d3ace91eadb9
2017-10-17 15:16:31 +00:00
wouter
cbb64b3ab6 - [dnscrypt] prevent dnscrypt-secret-key, dnscrypt-provider-cert
duplicates
- [dnscrypt] introduce dnscrypt-provider-cert-rotated option,
  from Manu Bretelle.
	This option allows handling multiple cert/key pairs while only
	distributing some of them.
	In order to reliably match a client magic with a given key without
	strong assumption as to how those were generated, we need both key and
	cert. Likewise, in order to know which ES version should be used.
	On the other hand, when rotating a cert, it can be desirable to only
	serve the new cert but still be able to handle clients that are still
	using the old certs's public key.
	The `dnscrypt-provider-cert-rotated` allow to instruct unbound to not
	publish the cert as part of the DNS's provider_name's TXT answer.



git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@4373 be551aaa-1e26-0410-a405-d3ace91eadb9
2017-10-17 07:34:49 +00:00
ralph
c42f53614d - Set trust-anchor-signaling default to yes
git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@4360 be551aaa-1e26-0410-a405-d3ace91eadb9
2017-10-05 10:17:25 +00:00
wouter
87a108b346 - Fix #1440: [dnscrypt] client nonce cache.
git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@4351 be551aaa-1e26-0410-a405-d3ace91eadb9
2017-09-18 08:55:08 +00:00
wouter
e2aaf5e9a7 - Fix #1435: Please allow UDP to be disabled separately upstream and
downstream.


git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@4349 be551aaa-1e26-0410-a405-d3ace91eadb9
2017-09-18 08:42:24 +00:00
wouter
39ba948040 - Spelling fixes, from Phil Porada.
git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@4344 be551aaa-1e26-0410-a405-d3ace91eadb9
2017-09-15 14:29:28 +00:00
wouter
dfb7048b28 dnscrypt cache size configuration option.
git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@4328 be551aaa-1e26-0410-a405-d3ace91eadb9
2017-08-31 11:58:29 +00:00
wouter
94f66ee00f - Fix #1398: make cachedb secret configurable.
git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@4295 be551aaa-1e26-0410-a405-d3ace91eadb9
2017-08-08 09:04:51 +00:00
wouter
fe4f8851d3 - Fix #1350: make cachedb backend configurable (from JINMEI Tatuya).
git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@4275 be551aaa-1e26-0410-a405-d3ace91eadb9
2017-07-17 08:21:19 +00:00
wouter
ec862f2591 - Fix #1279: Memory leak on reload when python module is enabled.
git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@4220 be551aaa-1e26-0410-a405-d3ace91eadb9
2017-06-13 07:10:58 +00:00
ralph
449e49f035 - Added domain name based ECS whitelist.
git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@4217 be551aaa-1e26-0410-a405-d3ace91eadb9
2017-06-08 14:44:55 +00:00
ralph
9babcab33c - Fix #1269: inconsistent use of built-in local zones with views.
- Add defaults for new local-zone trees added to views using unbound-control.


git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@4199 be551aaa-1e26-0410-a405-d3ace91eadb9
2017-05-30 13:04:19 +00:00
george
51e798d701 - Implemented opportunistic IPsec support module (ipsecmod).
- Some whitespace fixup.


git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@4158 be551aaa-1e26-0410-a405-d3ace91eadb9
2017-05-16 12:39:24 +00:00
ralph
0be5e03a03 - Implemented trust anchor signaling using key tag query.
git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@4134 be551aaa-1e26-0410-a405-d3ace91eadb9
2017-04-26 12:58:13 +00:00
wouter
0a217826f9 variables get_option and set_option also for dnscrypt.
git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@4130 be551aaa-1e26-0410-a405-d3ace91eadb9
2017-04-24 09:00:45 +00:00
wouter
9c78af8fd0 - unbound-checkconf -o allows query of dnstap config variables.
Also unbound-control get_option.


git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@4129 be551aaa-1e26-0410-a405-d3ace91eadb9
2017-04-24 08:30:32 +00:00
wouter
059c3b9f93 - Fix #1250: inconsistent indentation in services/listen_dnsport.c.
git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@4113 be551aaa-1e26-0410-a405-d3ace91eadb9
2017-04-13 07:17:05 +00:00
ralph
4113eb0a41 - Generalise inplace callback (de)registration
- (de)register inplace callbacks for module id
- No unbound-control set_option for ECS options
- Deprecated client-subnet-opcode config option
- Introduced client-subnet-always-forward config option
- Changed max-client-subnet-ipv6 default to 56 (as in RFC)
- Removed extern ECS config options
- module_restart_next now calls clear on all following modules
- Also create ECS module qstate on module_event_pass event


git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@4092 be551aaa-1e26-0410-a405-d3ace91eadb9
2017-04-06 13:13:06 +00:00
ralph
5db6e95520 - Do not add current time twice to TTL before ECS cache store.
- Do not touch rrset cache after ECS cache message generation.
- Use LDNS_EDNS_CLIENT_SUBNET as default ECS opcode.


git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@4086 be551aaa-1e26-0410-a405-d3ace91eadb9
2017-04-03 09:36:18 +00:00
ralph
12728301d7 - Merge EDNS Client subnet implementation from feature branch into main branch,
using new EDNS processing framework.


git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@4074 be551aaa-1e26-0410-a405-d3ace91eadb9
2017-03-21 12:08:17 +00:00
wouter
a48c8c5ba0 - #1217. DNSCrypt support, with --enable-dnscrypt, libsodium and then
enabled in the config file from Manu Bretelle.


git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@4065 be551aaa-1e26-0410-a405-d3ace91eadb9
2017-03-20 14:55:31 +00:00
wouter
27d8c63674 - Add trustanchor.unbound CH TXT that gets a response with a number
of TXT RRs with a string like "example.com. 2345 1234" with
  the trust anchors and their keytags.


git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@4051 be551aaa-1e26-0410-a405-d3ace91eadb9
2017-03-16 09:17:58 +00:00
wouter
099cd16231 - Response actions based on IP address from Jinmei Tatuya (Infoblox).
git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@4035 be551aaa-1e26-0410-a405-d3ace91eadb9
2017-03-07 14:58:51 +00:00
wouter
f0a9c86a73 - Patch from Luiz Fernando Softov for Stats Shared Memory.
- unbound-control stats_shm command prints stats using shared memory,
  which uses less cpu.


git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@4020 be551aaa-1e26-0410-a405-d3ace91eadb9
2017-02-23 12:05:05 +00:00
wouter
3510c9fe88 - Fix #1185: Source IP rate limiting, patch from Larissa Feng.
git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@3981 be551aaa-1e26-0410-a405-d3ace91eadb9
2017-01-05 13:57:12 +00:00
wouter
59ef29ffc6 - Fix #1184: Log DNS replies. This includes the same logging
information that DNS queries and response code and response size,
  patch from Larissa Feng.


git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@3980 be551aaa-1e26-0410-a405-d3ace91eadb9
2017-01-05 11:39:54 +00:00
wouter
3ea720544a - configure --enable-systemd and lets unbound use systemd sockets if
you enable use-systemd: yes in unbound.conf.
  Also there are contrib/unbound.socket and contrib/unbound.service:
  systemd files for unbound, install them in /usr/lib/systemd/system.
  Contributed by Sami Kerola and Pavel Odintsov.



git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@3975 be551aaa-1e26-0410-a405-d3ace91eadb9
2017-01-03 13:43:29 +00:00
ralph
3fb4900c0e - Added stub-ssl-upstream and forward-ssl-upstream options.
git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@3923 be551aaa-1e26-0410-a405-d3ace91eadb9
2016-11-04 12:07:52 +00:00
wouter
ea515755f0 Free log_identity config string.
git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@3918 be551aaa-1e26-0410-a405-d3ace91eadb9
2016-11-03 13:19:12 +00:00
wouter
b565dd0a77 - log-identity: config option to set sys log identity, patch from
"Robin H. Johnson" <robbat2@gentoo.org>


git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@3917 be551aaa-1e26-0410-a405-d3ace91eadb9
2016-11-03 08:51:40 +00:00