From nobody Sat Oct 01 00:39:37 2022 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4MfSsj3nyYz4dlDn; Sat, 1 Oct 2022 00:39:37 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4MfSsj3VQGz3sf0; Sat, 1 Oct 2022 00:39:37 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1664584777; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=CASztfl0jCzJwdGtC/FWP4HauI+YxuK43aE6PVspCYQ=; b=OLEPrMEt3vEZrtIG+pIv3B4WFL2RVBn/5tq446JQyPs0/KFbaG12zerwwZVoLkAfcWoWLF 2ohyztml5clQDhvazSmitDalkb1oKO2a/4N8k2x+t8SvgSmFbj1X5dS15a3EGtkCwDUI4T 8gOWXYPVp1B5CHbfOY+PXWf/JTCScm3tV+oRHvifBPtLXSDeemt2/B+4D3XdfCifUfb8Qo oo61hpuuDmoSFtWKAa4BFbBiL4bTqomwEXO5TwxD3bdL+UyT/+jECLtaaXvTj0P6WGQBd9 U4C13xZQSat7HZijYW8EIAfZXWCrUqIbTeOVQrfWRXJ4NAp1865lg4yPp/Jm/Q== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4MfSsj2XfyzM0v; Sat, 1 Oct 2022 00:39:37 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 2910dbhm081030; Sat, 1 Oct 2022 00:39:37 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 2910dbb7081029; Sat, 1 Oct 2022 00:39:37 GMT (envelope-from git) Date: Sat, 1 Oct 2022 00:39:37 GMT Message-Id: <202210010039.2910dbb7081029@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Cy Schubert Subject: git: 483a5d030309 - stable/13 - unbound: Vendor import 1.16.3 List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-src-all@freebsd.org X-BeenThere: dev-commits-src-all@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: cy X-Git-Repository: src X-Git-Refname: refs/heads/stable/13 X-Git-Reftype: branch X-Git-Commit: 483a5d0303096000d51b009068bd2623277f9b27 Auto-Submitted: auto-generated ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1664584777; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=CASztfl0jCzJwdGtC/FWP4HauI+YxuK43aE6PVspCYQ=; b=JiDg7YlaHNwr2G/G0VxSrA6hoOH+TnK+E/y5wc1t0JtuhA8UAfSyOCAN36PdJ+o2H8sXiL /c+nFq4Fyhc4OA8E5hAhrjFcfTAmLADNNK5AzjOj8Wk/Qeo/u199X0riGFh5oI2WUDpIV6 StyNOSredDmufoZwH4oaf2wrH7+7ajmni8sLv/NOUlO5J6nTyExx0k7OfrO/63qqynbkoY T6dHH7pWtHI6RqWivtD3BO0ZaiVYTkZr549qugOwGwNJiHQQrqrAcE1oSpb2Y0V3rt+idN s09e9ffx0xfrtDEPRYULRa/fQCB3Tk5tvIxz2ifwehRcoTto3LhwW4uzbLb+9A== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1664584777; a=rsa-sha256; cv=none; b=aJ2pjANlUvNeyw1vH2wVldkfAtlQkrVc2fgRjGNBmgThN1aAkXFsCLlySC5hGNRdCFyI0X uW7hAVou14yyYAfutHDtXRMqvhEsZ8A7dRsXLKnQ1/LrRHkNngHXt0XFV6mVvKFqDFpT0u Y74s1Hs5QHCKu9yKeNGc088IJLH/RaEnrxQXd8QfdjJrk8nP/9QCQgNONgIRZIQimIRyPR eGJJSSb53GzsEVJEyW4dR8VTOuykmTGE6hqBn+PtJ5j4Pijq2UgF6TcOmmWK172GepV4mZ QftEjjuTkCqcJuRor/jrmF5wWz8wLM12Vu4OjyiW+cysz/8kzdeMTjQk/z/khQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none X-ThisMailContainsUnwantedMimeParts: N The branch stable/13 has been updated by cy: URL: https://cgit.FreeBSD.org/src/commit/?id=483a5d0303096000d51b009068bd2623277f9b27 commit 483a5d0303096000d51b009068bd2623277f9b27 Author: Cy Schubert AuthorDate: 2022-09-29 14:21:04 +0000 Commit: Cy Schubert CommitDate: 2022-10-01 00:39:11 +0000 unbound: Vendor import 1.16.3 Fixes CVE-2022-3204 'Non-Responsive Delegation Attack'. Security: CVE-2022-3204 Security: https://nlnetlabs.nl/downloads/unbound/CVE-2022-3204.txt Changelog: https://nlnetlabs.nl/news/2022/Sep/21/unbound-1.16.3-released/ Merge commit '0dde6f4f8e604df8c6fbdab8b4aadb5ddf80c76f' into unbound/main (cherry picked from commit 4f5c8956cff4b18674006e6ac88bed0d04020723) --- contrib/unbound/config.guess | 4 ++-- contrib/unbound/config.sub | 4 ++-- contrib/unbound/configure | 25 +++++++++++---------- contrib/unbound/configure.ac | 5 +++-- contrib/unbound/doc/Changelog | 3 +++ contrib/unbound/doc/README | 2 +- contrib/unbound/doc/example.conf.in | 2 +- contrib/unbound/doc/libunbound.3.in | 4 ++-- contrib/unbound/doc/unbound-anchor.8.in | 2 +- contrib/unbound/doc/unbound-checkconf.8.in | 2 +- contrib/unbound/doc/unbound-control.8.in | 2 +- contrib/unbound/doc/unbound-host.1.in | 2 +- contrib/unbound/doc/unbound.8.in | 4 ++-- contrib/unbound/doc/unbound.conf.5.in | 2 +- contrib/unbound/iterator/iter_delegpt.c | 3 +++ contrib/unbound/iterator/iter_delegpt.h | 2 ++ contrib/unbound/iterator/iter_utils.c | 3 +++ contrib/unbound/iterator/iter_utils.h | 9 ++++++++ contrib/unbound/iterator/iterator.c | 36 +++++++++++++++++++++++++++++- contrib/unbound/services/cache/dns.c | 3 +++ contrib/unbound/services/mesh.c | 7 ++++++ contrib/unbound/services/mesh.h | 11 +++++++++ 22 files changed, 107 insertions(+), 30 deletions(-) diff --git a/contrib/unbound/config.guess b/contrib/unbound/config.guess index 1817bdce90dc..a419d8643b62 100755 --- a/contrib/unbound/config.guess +++ b/contrib/unbound/config.guess @@ -4,7 +4,7 @@ # shellcheck disable=SC2006,SC2268 # see below for rationale -timestamp='2022-05-25' +timestamp='2022-08-01' # This file is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by @@ -1036,7 +1036,7 @@ EOF k1om:Linux:*:*) GUESS=$UNAME_MACHINE-unknown-linux-$LIBC ;; - loongarch32:Linux:*:* | loongarch64:Linux:*:* | loongarchx32:Linux:*:*) + loongarch32:Linux:*:* | loongarch64:Linux:*:*) GUESS=$UNAME_MACHINE-unknown-linux-$LIBC ;; m32r*:Linux:*:*) diff --git a/contrib/unbound/config.sub b/contrib/unbound/config.sub index dba16e84c77c..fbaa37f2352d 100755 --- a/contrib/unbound/config.sub +++ b/contrib/unbound/config.sub @@ -4,7 +4,7 @@ # shellcheck disable=SC2006,SC2268 # see below for rationale -timestamp='2022-01-03' +timestamp='2022-08-01' # This file is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by @@ -1207,7 +1207,7 @@ case $cpu-$vendor in | k1om \ | le32 | le64 \ | lm32 \ - | loongarch32 | loongarch64 | loongarchx32 \ + | loongarch32 | loongarch64 \ | m32c | m32r | m32rle \ | m5200 | m68000 | m680[012346]0 | m68360 | m683?2 | m68k \ | m6811 | m68hc11 | m6812 | m68hc12 | m68hcs12x \ diff --git a/contrib/unbound/configure b/contrib/unbound/configure index cc44a57502af..f40187910ecc 100755 --- a/contrib/unbound/configure +++ b/contrib/unbound/configure @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for unbound 1.16.2. +# Generated by GNU Autoconf 2.69 for unbound 1.16.3. # # Report bugs to . # @@ -591,8 +591,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='unbound' PACKAGE_TARNAME='unbound' -PACKAGE_VERSION='1.16.2' -PACKAGE_STRING='unbound 1.16.2' +PACKAGE_VERSION='1.16.3' +PACKAGE_STRING='unbound 1.16.3' PACKAGE_BUGREPORT='unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues' PACKAGE_URL='' @@ -1477,7 +1477,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures unbound 1.16.2 to adapt to many kinds of systems. +\`configure' configures unbound 1.16.3 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1543,7 +1543,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of unbound 1.16.2:";; + short | recursive ) echo "Configuration of unbound 1.16.3:";; esac cat <<\_ACEOF @@ -1785,7 +1785,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -unbound configure 1.16.2 +unbound configure 1.16.3 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2494,7 +2494,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by unbound $as_me 1.16.2, which was +It was created by unbound $as_me 1.16.3, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -2846,11 +2846,11 @@ UNBOUND_VERSION_MAJOR=1 UNBOUND_VERSION_MINOR=16 -UNBOUND_VERSION_MICRO=2 +UNBOUND_VERSION_MICRO=3 LIBUNBOUND_CURRENT=9 -LIBUNBOUND_REVISION=18 +LIBUNBOUND_REVISION=19 LIBUNBOUND_AGE=1 # 1.0.0 had 0:12:0 # 1.0.1 had 0:13:0 @@ -2936,6 +2936,7 @@ LIBUNBOUND_AGE=1 # 1.16.0 had 9:16:1 # 1.16.1 had 9:17:1 # 1.16.2 had 9:18:1 +# 1.16.3 had 9:19:1 # Current -- the number of the binary API that we're implementing # Revision -- which iteration of the implementation of the binary @@ -22014,7 +22015,7 @@ _ACEOF -version=1.16.2 +version=1.16.3 date=`date +'%b %e, %Y'` @@ -22533,7 +22534,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by unbound $as_me 1.16.2, which was +This file was extended by unbound $as_me 1.16.3, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -22599,7 +22600,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -unbound config.status 1.16.2 +unbound config.status 1.16.3 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff --git a/contrib/unbound/configure.ac b/contrib/unbound/configure.ac index 224501b3afbe..bf8aa9d8cdb0 100644 --- a/contrib/unbound/configure.ac +++ b/contrib/unbound/configure.ac @@ -11,14 +11,14 @@ sinclude(dnscrypt/dnscrypt.m4) # must be numbers. ac_defun because of later processing m4_define([VERSION_MAJOR],[1]) m4_define([VERSION_MINOR],[16]) -m4_define([VERSION_MICRO],[2]) +m4_define([VERSION_MICRO],[3]) AC_INIT([unbound],m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]),[unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues],[unbound]) AC_SUBST(UNBOUND_VERSION_MAJOR, [VERSION_MAJOR]) AC_SUBST(UNBOUND_VERSION_MINOR, [VERSION_MINOR]) AC_SUBST(UNBOUND_VERSION_MICRO, [VERSION_MICRO]) LIBUNBOUND_CURRENT=9 -LIBUNBOUND_REVISION=18 +LIBUNBOUND_REVISION=19 LIBUNBOUND_AGE=1 # 1.0.0 had 0:12:0 # 1.0.1 had 0:13:0 @@ -104,6 +104,7 @@ LIBUNBOUND_AGE=1 # 1.16.0 had 9:16:1 # 1.16.1 had 9:17:1 # 1.16.2 had 9:18:1 +# 1.16.3 had 9:19:1 # Current -- the number of the binary API that we're implementing # Revision -- which iteration of the implementation of the binary diff --git a/contrib/unbound/doc/Changelog b/contrib/unbound/doc/Changelog index 13f0f11749e0..78f6c7afcb27 100644 --- a/contrib/unbound/doc/Changelog +++ b/contrib/unbound/doc/Changelog @@ -1,3 +1,6 @@ +21 September 2022: Wouter + - Patch for CVE-2022-3204 Non-Responsive Delegation Attack. + 1 August 2022: Wouter - Fix the novel ghost domain issues CVE-2022-30698 and CVE-2022-30699. - Tests for ghost domain fixes. diff --git a/contrib/unbound/doc/README b/contrib/unbound/doc/README index a6377d85c71e..92a6e88f6624 100644 --- a/contrib/unbound/doc/README +++ b/contrib/unbound/doc/README @@ -1,4 +1,4 @@ -README for Unbound 1.16.2 +README for Unbound 1.16.3 Copyright 2007 NLnet Labs http://unbound.net diff --git a/contrib/unbound/doc/example.conf.in b/contrib/unbound/doc/example.conf.in index 087e6364297f..601165f753b7 100644 --- a/contrib/unbound/doc/example.conf.in +++ b/contrib/unbound/doc/example.conf.in @@ -1,7 +1,7 @@ # # Example configuration file. # -# See unbound.conf(5) man page, version 1.16.2. +# See unbound.conf(5) man page, version 1.16.3. # # this is a comment. diff --git a/contrib/unbound/doc/libunbound.3.in b/contrib/unbound/doc/libunbound.3.in index 543e628fd22a..baf29219495f 100644 --- a/contrib/unbound/doc/libunbound.3.in +++ b/contrib/unbound/doc/libunbound.3.in @@ -1,4 +1,4 @@ -.TH "libunbound" "3" "Aug 1, 2022" "NLnet Labs" "unbound 1.16.2" +.TH "libunbound" "3" "Sep 21, 2022" "NLnet Labs" "unbound 1.16.3" .\" .\" libunbound.3 -- unbound library functions manual .\" @@ -44,7 +44,7 @@ .B ub_ctx_zone_remove, .B ub_ctx_data_add, .B ub_ctx_data_remove -\- Unbound DNS validating resolver 1.16.2 functions. +\- Unbound DNS validating resolver 1.16.3 functions. .SH "SYNOPSIS" .B #include .LP diff --git a/contrib/unbound/doc/unbound-anchor.8.in b/contrib/unbound/doc/unbound-anchor.8.in index 7fc316855320..922c105177f3 100644 --- a/contrib/unbound/doc/unbound-anchor.8.in +++ b/contrib/unbound/doc/unbound-anchor.8.in @@ -1,4 +1,4 @@ -.TH "unbound-anchor" "8" "Aug 1, 2022" "NLnet Labs" "unbound 1.16.2" +.TH "unbound-anchor" "8" "Sep 21, 2022" "NLnet Labs" "unbound 1.16.3" .\" .\" unbound-anchor.8 -- unbound anchor maintenance utility manual .\" diff --git a/contrib/unbound/doc/unbound-checkconf.8.in b/contrib/unbound/doc/unbound-checkconf.8.in index 628f841b36f4..9b56c79252e4 100644 --- a/contrib/unbound/doc/unbound-checkconf.8.in +++ b/contrib/unbound/doc/unbound-checkconf.8.in @@ -1,4 +1,4 @@ -.TH "unbound-checkconf" "8" "Aug 1, 2022" "NLnet Labs" "unbound 1.16.2" +.TH "unbound-checkconf" "8" "Sep 21, 2022" "NLnet Labs" "unbound 1.16.3" .\" .\" unbound-checkconf.8 -- unbound configuration checker manual .\" diff --git a/contrib/unbound/doc/unbound-control.8.in b/contrib/unbound/doc/unbound-control.8.in index d18a407cb5eb..e42e0cd544e7 100644 --- a/contrib/unbound/doc/unbound-control.8.in +++ b/contrib/unbound/doc/unbound-control.8.in @@ -1,4 +1,4 @@ -.TH "unbound-control" "8" "Aug 1, 2022" "NLnet Labs" "unbound 1.16.2" +.TH "unbound-control" "8" "Sep 21, 2022" "NLnet Labs" "unbound 1.16.3" .\" .\" unbound-control.8 -- unbound remote control manual .\" diff --git a/contrib/unbound/doc/unbound-host.1.in b/contrib/unbound/doc/unbound-host.1.in index d3b701fb9e48..aae95827d92c 100644 --- a/contrib/unbound/doc/unbound-host.1.in +++ b/contrib/unbound/doc/unbound-host.1.in @@ -1,4 +1,4 @@ -.TH "unbound\-host" "1" "Aug 1, 2022" "NLnet Labs" "unbound 1.16.2" +.TH "unbound\-host" "1" "Sep 21, 2022" "NLnet Labs" "unbound 1.16.3" .\" .\" unbound-host.1 -- unbound DNS lookup utility .\" diff --git a/contrib/unbound/doc/unbound.8.in b/contrib/unbound/doc/unbound.8.in index 73b9e4b7a8d0..81a8f4f63f5e 100644 --- a/contrib/unbound/doc/unbound.8.in +++ b/contrib/unbound/doc/unbound.8.in @@ -1,4 +1,4 @@ -.TH "unbound" "8" "Aug 1, 2022" "NLnet Labs" "unbound 1.16.2" +.TH "unbound" "8" "Sep 21, 2022" "NLnet Labs" "unbound 1.16.3" .\" .\" unbound.8 -- unbound manual .\" @@ -9,7 +9,7 @@ .\" .SH "NAME" .B unbound -\- Unbound DNS validating resolver 1.16.2. +\- Unbound DNS validating resolver 1.16.3. .SH "SYNOPSIS" .B unbound .RB [ \-h ] diff --git a/contrib/unbound/doc/unbound.conf.5.in b/contrib/unbound/doc/unbound.conf.5.in index 47250e4f88f0..4f542eb4757e 100644 --- a/contrib/unbound/doc/unbound.conf.5.in +++ b/contrib/unbound/doc/unbound.conf.5.in @@ -1,4 +1,4 @@ -.TH "unbound.conf" "5" "Aug 1, 2022" "NLnet Labs" "unbound 1.16.2" +.TH "unbound.conf" "5" "Sep 21, 2022" "NLnet Labs" "unbound 1.16.3" .\" .\" unbound.conf.5 -- unbound.conf manual .\" diff --git a/contrib/unbound/iterator/iter_delegpt.c b/contrib/unbound/iterator/iter_delegpt.c index 4bffa1b3a7d5..fd07aaa13355 100644 --- a/contrib/unbound/iterator/iter_delegpt.c +++ b/contrib/unbound/iterator/iter_delegpt.c @@ -78,6 +78,7 @@ struct delegpt* delegpt_copy(struct delegpt* dp, struct regional* region) if(!delegpt_add_ns(copy, region, ns->name, ns->lame, ns->tls_auth_name, ns->port)) return NULL; + copy->nslist->cache_lookup_count = ns->cache_lookup_count; copy->nslist->resolved = ns->resolved; copy->nslist->got4 = ns->got4; copy->nslist->got6 = ns->got6; @@ -121,6 +122,7 @@ delegpt_add_ns(struct delegpt* dp, struct regional* region, uint8_t* name, ns->namelen = len; dp->nslist = ns; ns->name = regional_alloc_init(region, name, ns->namelen); + ns->cache_lookup_count = 0; ns->resolved = 0; ns->got4 = 0; ns->got6 = 0; @@ -620,6 +622,7 @@ int delegpt_add_ns_mlc(struct delegpt* dp, uint8_t* name, uint8_t lame, } ns->next = dp->nslist; dp->nslist = ns; + ns->cache_lookup_count = 0; ns->resolved = 0; ns->got4 = 0; ns->got6 = 0; diff --git a/contrib/unbound/iterator/iter_delegpt.h b/contrib/unbound/iterator/iter_delegpt.h index 62c8edc51225..586597a69a1f 100644 --- a/contrib/unbound/iterator/iter_delegpt.h +++ b/contrib/unbound/iterator/iter_delegpt.h @@ -101,6 +101,8 @@ struct delegpt_ns { uint8_t* name; /** length of name */ size_t namelen; + /** number of cache lookups for the name */ + int cache_lookup_count; /** * If the name has been resolved. false if not queried for yet. * true if the A, AAAA queries have been generated. diff --git a/contrib/unbound/iterator/iter_utils.c b/contrib/unbound/iterator/iter_utils.c index 3e13e595c63d..56b184a02fb8 100644 --- a/contrib/unbound/iterator/iter_utils.c +++ b/contrib/unbound/iterator/iter_utils.c @@ -1209,6 +1209,9 @@ int iter_lookup_parent_glue_from_cache(struct module_env* env, struct delegpt_ns* ns; size_t num = delegpt_count_targets(dp); for(ns = dp->nslist; ns; ns = ns->next) { + if(ns->cache_lookup_count > ITERATOR_NAME_CACHELOOKUP_MAX_PSIDE) + continue; + ns->cache_lookup_count++; /* get cached parentside A */ akey = rrset_cache_lookup(env->rrset_cache, ns->name, ns->namelen, LDNS_RR_TYPE_A, qinfo->qclass, diff --git a/contrib/unbound/iterator/iter_utils.h b/contrib/unbound/iterator/iter_utils.h index 8583fde58a44..850be96a6e16 100644 --- a/contrib/unbound/iterator/iter_utils.h +++ b/contrib/unbound/iterator/iter_utils.h @@ -62,6 +62,15 @@ struct ub_packed_rrset_key; struct module_stack; struct outside_network; +/* max number of lookups in the cache for target nameserver names. + * This stops, for large delegations, N*N lookups in the cache. */ +#define ITERATOR_NAME_CACHELOOKUP_MAX 3 +/* max number of lookups in the cache for parentside glue for nameserver names + * This stops, for larger delegations, N*N lookups in the cache. + * It is a little larger than the nonpside max, so it allows a couple extra + * lookups of parent side glue. */ +#define ITERATOR_NAME_CACHELOOKUP_MAX_PSIDE 5 + /** * Process config options and set iterator module state. * Sets default values if no config is found. diff --git a/contrib/unbound/iterator/iterator.c b/contrib/unbound/iterator/iterator.c index 25e5cfee4645..da9b7990c506 100644 --- a/contrib/unbound/iterator/iterator.c +++ b/contrib/unbound/iterator/iterator.c @@ -1218,6 +1218,15 @@ generate_dnskey_prefetch(struct module_qstate* qstate, (qstate->query_flags&BIT_RD) && !(qstate->query_flags&BIT_CD)){ return; } + /* we do not generate this prefetch when the query list is full, + * the query is fetched, if needed, when the validator wants it. + * At that time the validator waits for it, after spawning it. + * This means there is one state that uses cpu and a socket, the + * spawned while this one waits, and not several at the same time, + * if we had created the lookup here. And this helps to keep + * the total load down, but the query still succeeds to resolve. */ + if(mesh_jostle_exceeded(qstate->env->mesh)) + return; /* if the DNSKEY is in the cache this lookup will stop quickly */ log_nametypeclass(VERB_ALGO, "schedule dnskey prefetch", @@ -1911,6 +1920,14 @@ query_for_targets(struct module_qstate* qstate, struct iter_qstate* iq, return 0; } query_count++; + /* If the mesh query list is full, exit the loop here. + * This makes the routine spawn one query at a time, + * and this means there is no query state load + * increase, because the spawned state uses cpu and a + * socket while this state waits for that spawned + * state. Next time we can look up further targets */ + if(mesh_jostle_exceeded(qstate->env->mesh)) + break; } /* Send the A request. */ if(ie->supports_ipv4 && @@ -1925,6 +1942,9 @@ query_for_targets(struct module_qstate* qstate, struct iter_qstate* iq, return 0; } query_count++; + /* If the mesh query list is full, exit the loop. */ + if(mesh_jostle_exceeded(qstate->env->mesh)) + break; } /* mark this target as in progress. */ @@ -2085,6 +2105,15 @@ processLastResort(struct module_qstate* qstate, struct iter_qstate* iq, } ns->done_pside6 = 1; query_count++; + if(mesh_jostle_exceeded(qstate->env->mesh)) { + /* Wait for the lookup; do not spawn multiple + * lookups at a time. */ + verbose(VERB_ALGO, "try parent-side glue lookup"); + iq->num_target_queries += query_count; + target_count_increase(iq, query_count); + qstate->ext_state[id] = module_wait_subquery; + return 0; + } } if(ie->supports_ipv4 && !ns->done_pside4) { /* Send the A request. */ @@ -2560,7 +2589,12 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq, if(iq->depth < ie->max_dependency_depth && iq->num_target_queries == 0 && (!iq->target_count || iq->target_count[TARGET_COUNT_NX]==0) - && iq->sent_count < TARGET_FETCH_STOP) { + && iq->sent_count < TARGET_FETCH_STOP + /* if the mesh query list is full, then do not waste cpu + * and sockets to fetch promiscuous targets. They can be + * looked up when needed. */ + && !mesh_jostle_exceeded(qstate->env->mesh) + ) { tf_policy = ie->target_fetch_policy[iq->depth]; } diff --git a/contrib/unbound/services/cache/dns.c b/contrib/unbound/services/cache/dns.c index 6bca8d85fadb..b6e5697349c2 100644 --- a/contrib/unbound/services/cache/dns.c +++ b/contrib/unbound/services/cache/dns.c @@ -404,6 +404,9 @@ cache_fill_missing(struct module_env* env, uint16_t qclass, struct ub_packed_rrset_key* akey; time_t now = *env->now; for(ns = dp->nslist; ns; ns = ns->next) { + if(ns->cache_lookup_count > ITERATOR_NAME_CACHELOOKUP_MAX) + continue; + ns->cache_lookup_count++; akey = rrset_cache_lookup(env->rrset_cache, ns->name, ns->namelen, LDNS_RR_TYPE_A, qclass, 0, now, 0); if(akey) { diff --git a/contrib/unbound/services/mesh.c b/contrib/unbound/services/mesh.c index 30bcf7cda155..2a411942663d 100644 --- a/contrib/unbound/services/mesh.c +++ b/contrib/unbound/services/mesh.c @@ -2240,3 +2240,10 @@ mesh_serve_expired_callback(void* arg) mesh_do_callback(mstate, LDNS_RCODE_NOERROR, msg->rep, c, &tv); } } + +int mesh_jostle_exceeded(struct mesh_area* mesh) +{ + if(mesh->all.count < mesh->max_reply_states) + return 0; + return 1; +} diff --git a/contrib/unbound/services/mesh.h b/contrib/unbound/services/mesh.h index 3be9b63faedd..25121a67b3a5 100644 --- a/contrib/unbound/services/mesh.h +++ b/contrib/unbound/services/mesh.h @@ -685,4 +685,15 @@ struct dns_msg* mesh_serve_expired_lookup(struct module_qstate* qstate, struct query_info* lookup_qinfo); +/** + * See if the mesh has space for more queries. You can allocate queries + * anyway, but this checks for the allocated space. + * @param mesh: mesh area. + * @return true if the query list is full. + * It checks the number of all queries, not just number of reply states, + * that have a client address. So that spawned queries count too, + * that were created by the iterator, or other modules. + */ +int mesh_jostle_exceeded(struct mesh_area* mesh); + #endif /* SERVICES_MESH_H */