Vendor import of Unbound 1.9.1.vendor/unbound/1.9.1

7 files changed, 96 insertions, 38 deletions

diff --git a/services/cache/infra.c b/services/cache/infra.c
index 07c41928d67e..c2484a9f1aa8 100644
--- a/services/cache/infra.c
+++ b/services/cache/infra.c
@@ -41,6 +41,8 @@
 #include "config.h"
 #include "sldns/rrdef.h"
 #include "sldns/str2wire.h"
+#include "sldns/sbuffer.h"
+#include "sldns/wire2str.h"
 #include "services/cache/infra.h"
 #include "util/storage/slabhash.h"
 #include "util/storage/lookup3.h"
@@ -907,7 +909,8 @@ int infra_rate_max(void* data, time_t now)
 }
 
 int infra_ratelimit_inc(struct infra_cache* infra, uint8_t* name,
-	size_t namelen, time_t timenow)
+	size_t namelen, time_t timenow, struct query_info* qinfo,
+	struct comm_reply* replylist)
 {
 	int lim, max;
 	struct lruhash_entry* entry;
@@ -930,9 +933,19 @@ int infra_ratelimit_inc(struct infra_cache* infra, uint8_t* name,
 		lock_rw_unlock(&entry->lock);
 
 		if(premax < lim && max >= lim) {
-			char buf[257];
+			char buf[257], qnm[257], ts[12], cs[12], ip[128];
 			dname_str(name, buf);
-			verbose(VERB_OPS, "ratelimit exceeded %s %d", buf, lim);
+			dname_str(qinfo->qname, qnm);
+			sldns_wire2str_type_buf(qinfo->qtype, ts, sizeof(ts));
+			sldns_wire2str_class_buf(qinfo->qclass, cs, sizeof(cs));
+			ip[0]=0;
+			if(replylist) {
+				addr_to_str((struct sockaddr_storage *)&replylist->addr,
+					replylist->addrlen, ip, sizeof(ip));
+				verbose(VERB_OPS, "ratelimit exceeded %s %d query %s %s %s from %s", buf, lim, qnm, cs, ts, ip);
+			} else {
+				verbose(VERB_OPS, "ratelimit exceeded %s %d query %s %s %s", buf, lim, qnm, cs, ts);
+			}
 		}
 		return (max < lim);
 	}
@@ -991,7 +1004,7 @@ infra_get_mem(struct infra_cache* infra)
 }
 
 int infra_ip_ratelimit_inc(struct infra_cache* infra,
-  struct comm_reply* repinfo, time_t timenow)
+  struct comm_reply* repinfo, time_t timenow, struct sldns_buffer* buffer)
 {
 	int max;
 	struct lruhash_entry* entry;
@@ -1010,11 +1023,28 @@ int infra_ip_ratelimit_inc(struct infra_cache* infra,
 		lock_rw_unlock(&entry->lock);
 
 		if(premax < infra_ip_ratelimit && max >= infra_ip_ratelimit) {
-			char client_ip[128];
+			char client_ip[128], qnm[LDNS_MAX_DOMAINLEN+1+12+12];
 			addr_to_str((struct sockaddr_storage *)&repinfo->addr,
 				repinfo->addrlen, client_ip, sizeof(client_ip));
-			verbose(VERB_OPS, "ip_ratelimit exceeded %s %d",
-				client_ip, infra_ip_ratelimit);
+			qnm[0]=0;
+			if(sldns_buffer_limit(buffer)>LDNS_HEADER_SIZE &&
+				LDNS_QDCOUNT(sldns_buffer_begin(buffer))!=0) {
+				(void)sldns_wire2str_rrquestion_buf(
+					sldns_buffer_at(buffer, LDNS_HEADER_SIZE),
+					sldns_buffer_limit(buffer)-LDNS_HEADER_SIZE,
+					qnm, sizeof(qnm));
+				if(strlen(qnm)>0 && qnm[strlen(qnm)-1]=='\n')
+					qnm[strlen(qnm)-1] = 0; /*remove newline*/
+				if(strchr(qnm, '\t'))
+					*strchr(qnm, '\t') = ' ';
+				if(strchr(qnm, '\t'))
+					*strchr(qnm, '\t') = ' ';
+				verbose(VERB_OPS, "ip_ratelimit exceeded %s %d %s",
+					client_ip, infra_ip_ratelimit, qnm);
+			} else {
+				verbose(VERB_OPS, "ip_ratelimit exceeded %s %d (no query name)",
+					client_ip, infra_ip_ratelimit);
+			}
 		}
 		return (max <= infra_ip_ratelimit);
 	}
diff --git a/services/cache/infra.h b/services/cache/infra.h
index 10db796bfcdd..e33f2a6c04ee 100644
--- a/services/cache/infra.h
+++ b/services/cache/infra.h
@@ -366,12 +366,15 @@ long long infra_get_host_rto(struct infra_cache* infra,
  * @param name: zone name
  * @param namelen: zone name length
  * @param timenow: what time it is now.
+ * @param qinfo: for logging, query name.
+ * @param replylist: for logging, querier's address (if any).
  * @return 1 if it could be incremented. 0 if the increment overshot the
  * ratelimit or if in the previous second the ratelimit was exceeded.
  * Failures like alloc failures are not returned (probably as 1).
  */
 int infra_ratelimit_inc(struct infra_cache* infra, uint8_t* name,
-	size_t namelen, time_t timenow);
+	size_t namelen, time_t timenow, struct query_info* qinfo,
+	struct comm_reply* replylist);
 
 /**
  * Decrement the query rate counter for a delegation point.
@@ -410,10 +413,12 @@ int infra_find_ratelimit(struct infra_cache* infra, uint8_t* name,
  *  @param infra: infra cache
  *  @param repinfo: information about client
  *  @param timenow: what time it is now.
+ *  @param buffer: with query for logging.
  *  @return 1 if it could be incremented. 0 if the increment overshot the
  *  ratelimit and the query should be dropped. */
 int infra_ip_ratelimit_inc(struct infra_cache* infra,
-	struct comm_reply* repinfo, time_t timenow);
+	struct comm_reply* repinfo, time_t timenow,
+	struct sldns_buffer* buffer);
 
 /**
  * Get memory used by the infra cache.
diff --git a/services/listen_dnsport.c b/services/listen_dnsport.c
index f86a83d96736..e74d1abcffc5 100644
--- a/services/listen_dnsport.c
+++ b/services/listen_dnsport.c
@@ -1636,10 +1636,12 @@ tcp_req_info_setup_listen(struct tcp_req_info* req)
 	
 	if(wr) {
 		req->cp->tcp_is_reading = 0;
+		comm_point_stop_listening(req->cp);
 		comm_point_start_listening(req->cp, -1,
 			req->cp->tcp_timeout_msec);
 	} else if(rd) {
 		req->cp->tcp_is_reading = 1;
+		comm_point_stop_listening(req->cp);
 		comm_point_start_listening(req->cp, -1,
 			req->cp->tcp_timeout_msec);
 		/* and also read it (from SSL stack buffers), so
@@ -1647,6 +1649,7 @@ tcp_req_info_setup_listen(struct tcp_req_info* req)
 		 * the TLS frame is sitting in the buffers. */
 		req->read_again = 1;
 	} else {
+		comm_point_stop_listening(req->cp);
 		comm_point_start_listening(req->cp, -1,
 			req->cp->tcp_timeout_msec);
 		comm_point_listen_for_rw(req->cp, 0, 0);
@@ -1759,6 +1762,7 @@ tcp_req_info_handle_readdone(struct tcp_req_info* req)
 		 * clear to write to */
 	send_it:
 		c->tcp_is_reading = 0;
+		comm_point_stop_listening(c);
 		comm_point_start_listening(c, -1, c->tcp_timeout_msec);
 		return;
 	}
@@ -1779,6 +1783,12 @@ tcp_req_info_handle_readdone(struct tcp_req_info* req)
 	/* If mesh failed(mallocfail) and called commpoint_send_reply with
 	 * something like servfail then we pick up that reply below. */
 	if(req->is_reply) {
+		/* reply from mesh is in the spool_buffer */
+		sldns_buffer_clear(c->buffer);
+		sldns_buffer_write(c->buffer,
+			sldns_buffer_begin(req->spool_buffer),
+			sldns_buffer_limit(req->spool_buffer));
+		sldns_buffer_flip(c->buffer);
 		goto send_it;
 	}
 
diff --git a/services/localzone.c b/services/localzone.c
index 902a29f21d48..6295b17e2fc5 100644
--- a/services/localzone.c
+++ b/services/localzone.c
@@ -464,7 +464,8 @@ lz_enter_rr_into_zone(struct local_zone* z, const char* rrstr)
 		return 0;
 	}
 	log_assert(z->dclass == rrclass);
-	if(z->type == local_zone_redirect &&
+	if((z->type == local_zone_redirect ||
+		z->type == local_zone_inform_redirect) &&
 		query_dname_compare(z->name, nm) != 0) {
 		log_err("local-data in redirect zone must reside at top of zone"
 			", not at %s", rrstr);
@@ -481,7 +482,8 @@ lz_enter_rr_into_zone(struct local_zone* z, const char* rrstr)
 
 	/* Reject it if we would end up having CNAME and other data (including
 	 * another CNAME) for a redirect zone. */
-	if(z->type == local_zone_redirect && node->rrsets) {
+	if((z->type == local_zone_redirect ||
+		z->type == local_zone_inform_redirect) && node->rrsets) {
 		const char* othertype = NULL;
 		if (rrtype == LDNS_RR_TYPE_CNAME)
 			othertype = "other";
@@ -1323,7 +1325,8 @@ local_data_answer(struct local_zone* z, struct module_env* env,
 	key.name = qinfo->qname;
 	key.namelen = qinfo->qname_len;
 	key.namelabs = labs;
-	if(lz_type == local_zone_redirect) {
+	if(lz_type == local_zone_redirect ||
+		lz_type == local_zone_inform_redirect) {
 		key.name = z->name;
 		key.namelen = z->namelen;
 		key.namelabs = z->namelabs;
@@ -1355,7 +1358,8 @@ local_data_answer(struct local_zone* z, struct module_env* env,
 		return 0;
 
 	/* Special case for alias matching.  See local_data_answer(). */
-	if(lz_type == local_zone_redirect &&
+	if((lz_type == local_zone_redirect ||
+		lz_type == local_zone_inform_redirect) &&
 		qinfo->qtype != LDNS_RR_TYPE_CNAME &&
 		lr->rrset->rk.type == htons(LDNS_RR_TYPE_CNAME)) {
 		qinfo->local_alias =
@@ -1370,7 +1374,8 @@ local_data_answer(struct local_zone* z, struct module_env* env,
 		qinfo->local_alias->rrset->rk.dname_len = qinfo->qname_len;
 		return 1;
 	}
-	if(lz_type == local_zone_redirect) {
+	if(lz_type == local_zone_redirect ||
+		lz_type == local_zone_inform_redirect) {
 		/* convert rrset name to query name; like a wildcard */
 		struct ub_packed_rrset_key r = *lr->rrset;
 		r.rk.dname = qinfo->qname;
@@ -1442,6 +1447,7 @@ lz_zone_answer(struct local_zone* z, struct module_env* env,
 		return 1;
 	} else if(lz_type == local_zone_static ||
 		lz_type == local_zone_redirect ||
+		lz_type == local_zone_inform_redirect ||
 		lz_type == local_zone_always_nxdomain) {
 		/* for static, reply nodata or nxdomain
 		 * for redirect, reply nodata */
@@ -1450,7 +1456,8 @@ lz_zone_answer(struct local_zone* z, struct module_env* env,
 		 * or using closest match for NSEC.
 		 * or using closest match for returning delegation downwards
 		 */
-		int rcode = (ld || lz_type == local_zone_redirect)?
+		int rcode = (ld || lz_type == local_zone_redirect ||
+			lz_type == local_zone_inform_redirect)?
 			LDNS_RCODE_NOERROR:LDNS_RCODE_NXDOMAIN;
 		if(z->soa)
 			return local_encode(qinfo, env, edns, repinfo, buf, temp,
@@ -1624,7 +1631,9 @@ local_zones_answer(struct local_zones* zones, struct module_env* env,
 		}
 	}
 	if((env->cfg->log_local_actions ||
-			lzt == local_zone_inform || lzt == local_zone_inform_deny)
+			lzt == local_zone_inform ||
+			lzt == local_zone_inform_deny ||
+			lzt == local_zone_inform_redirect)
 			&& repinfo)
 		lz_inform_print(z, qinfo, repinfo);
 
@@ -1656,6 +1665,7 @@ const char* local_zone_type2str(enum localzone_type t)
 		case local_zone_nodefault: return "nodefault";
 		case local_zone_inform: return "inform";
 		case local_zone_inform_deny: return "inform_deny";
+		case local_zone_inform_redirect: return "inform_redirect";
 		case local_zone_always_transparent: return "always_transparent";
 		case local_zone_always_refuse: return "always_refuse";
 		case local_zone_always_nxdomain: return "always_nxdomain";
@@ -1682,6 +1692,8 @@ int local_zone_str2type(const char* type, enum localzone_type* t)
 		*t = local_zone_inform;
 	else if(strcmp(type, "inform_deny") == 0)
 		*t = local_zone_inform_deny;
+	else if(strcmp(type, "inform_redirect") == 0)
+		*t = local_zone_inform_redirect;
 	else if(strcmp(type, "always_transparent") == 0)
 		*t = local_zone_always_transparent;
 	else if(strcmp(type, "always_refuse") == 0)
diff --git a/services/localzone.h b/services/localzone.h
index dd7aa584c461..1d6caeff2c74 100644
--- a/services/localzone.h
+++ b/services/localzone.h
@@ -83,6 +83,8 @@ enum localzone_type {
 	local_zone_inform,
 	/** log client address, and block (drop) */
 	local_zone_inform_deny,
+	/** log client address, and direct */
+	local_zone_inform_redirect,
 	/** resolve normally, even when there is local data */	
 	local_zone_always_transparent,
 	/** answer with error, even when there is local data */	
@@ -491,6 +493,8 @@ enum respip_action {
 	respip_inform = local_zone_inform,
         /** log query source and don't answer query */
 	respip_inform_deny = local_zone_inform_deny,
+        /** log query source and redirect */
+	respip_inform_redirect = local_zone_inform_redirect,
         /** resolve normally, even when there is response-ip data */
 	respip_always_transparent = local_zone_always_transparent,
         /** answer with 'refused' response */
diff --git a/services/modstack.c b/services/modstack.c
index 136245a96838..05b949d1e330 100644
--- a/services/modstack.c
+++ b/services/modstack.c
@@ -113,8 +113,14 @@ modstack_config(struct module_stack* stack, const char* module_conf)
         for(i=0; i<stack->num; i++) {
                 stack->mod[i] = module_factory(&module_conf);
                 if(!stack->mod[i]) {
-                        log_err("Unknown value for next module: '%s'",
-                                module_conf);
+			char md[256];
+			snprintf(md, sizeof(md), "%s", module_conf);
+			if(strchr(md, ' ')) *(strchr(md, ' ')) = 0;
+			if(strchr(md, '\t')) *(strchr(md, '\t')) = 0;
+                        log_err("Unknown value in module-config, module: '%s'."
+				" This module is not present (not compiled in),"
+				" See the list of linked modules with unbound -h",
+                                md);
                         return 0;
                 }
         }
diff --git a/services/outside_network.c b/services/outside_network.c
index 8ed5de375852..16d63df4395a 100644
--- a/services/outside_network.c
+++ b/services/outside_network.c
@@ -1964,7 +1964,6 @@ serviced_udp_callback(struct comm_point* c, void* arg, int error,
 	struct serviced_query* sq = (struct serviced_query*)arg;
 	struct outside_network* outnet = sq->outnet;
 	struct timeval now = *sq->outnet->now_tv;
-	int fallback_tcp = 0;
 
 	sq->pending = NULL; /* removed after callback */
 	if(error == NETEVENT_TIMEOUT) {
@@ -1996,14 +1995,8 @@ serviced_udp_callback(struct comm_point* c, void* arg, int error,
 			}
 			return 0;
 		}
-		if(rto >= RTT_MAX_TIMEOUT) {
-			/* fallback_tcp = 1; */
-			/* UDP does not work, fallback to TCP below */
-		} else {
-			serviced_callbacks(sq, NETEVENT_TIMEOUT, c, rep);
-			return 0;
-		}
-	} else if(error != NETEVENT_NOERROR) {
+	}
+	if(error != NETEVENT_NOERROR) {
 		/* udp returns error (due to no ID or interface available) */
 		serviced_callbacks(sq, error, c, rep);
 		return 0;
@@ -2016,9 +2009,8 @@ serviced_udp_callback(struct comm_point* c, void* arg, int error,
 		sq->zone, sq->zonelen, sq->qbuf, sq->qbuflen,
 		&sq->last_sent_time, sq->outnet->now_tv, c->buffer);
 #endif
-	if(!fallback_tcp) {
-	    if( (sq->status == serviced_query_UDP_EDNS 
-	        ||sq->status == serviced_query_UDP_EDNS_FRAG)
+	if( (sq->status == serviced_query_UDP_EDNS 
+		||sq->status == serviced_query_UDP_EDNS_FRAG)
 		&& (LDNS_RCODE_WIRE(sldns_buffer_begin(c->buffer)) 
 			== LDNS_RCODE_FORMERR || LDNS_RCODE_WIRE(
 			sldns_buffer_begin(c->buffer)) == LDNS_RCODE_NOTIMPL
@@ -2032,7 +2024,7 @@ serviced_udp_callback(struct comm_point* c, void* arg, int error,
 			serviced_callbacks(sq, NETEVENT_CLOSED, c, rep);
 		}
 		return 0;
-	    } else if(sq->status == serviced_query_UDP_EDNS && 
+	} else if(sq->status == serviced_query_UDP_EDNS && 
 		!sq->edns_lame_known) {
 		/* now we know that edns queries received answers store that */
 		log_addr(VERB_ALGO, "serviced query: EDNS works for",
@@ -2042,7 +2034,7 @@ serviced_udp_callback(struct comm_point* c, void* arg, int error,
 			log_err("Out of memory caching edns works");
 		}
 		sq->edns_lame_known = 1;
-	    } else if(sq->status == serviced_query_UDP_EDNS_fallback &&
+	} else if(sq->status == serviced_query_UDP_EDNS_fallback &&
 		!sq->edns_lame_known && (LDNS_RCODE_WIRE(
 		sldns_buffer_begin(c->buffer)) == LDNS_RCODE_NOERROR || 
 		LDNS_RCODE_WIRE(sldns_buffer_begin(c->buffer)) == 
@@ -2060,12 +2052,12 @@ serviced_udp_callback(struct comm_point* c, void* arg, int error,
 		  }
 		} else {
 		  log_addr(VERB_ALGO, "serviced query: EDNS fails, but "
-		  	"not stored because need DNSSEC for", &sq->addr,
+			"not stored because need DNSSEC for", &sq->addr,
 			sq->addrlen);
 		}
 		sq->status = serviced_query_UDP;
-	    }
-	    if(now.tv_sec > sq->last_sent_time.tv_sec ||
+	}
+	if(now.tv_sec > sq->last_sent_time.tv_sec ||
 		(now.tv_sec == sq->last_sent_time.tv_sec &&
 		now.tv_usec > sq->last_sent_time.tv_usec)) {
 		/* convert from microseconds to milliseconds */
@@ -2081,11 +2073,10 @@ serviced_udp_callback(struct comm_point* c, void* arg, int error,
 			sq->last_rtt, (time_t)now.tv_sec))
 			log_err("out of memory noting rtt.");
 		}
-	    }
-	} /* end of if_!fallback_tcp */
+	}
 	/* perform TC flag check and TCP fallback after updating our
 	 * cache entries for EDNS status and RTT times */
-	if(LDNS_TC_WIRE(sldns_buffer_begin(c->buffer)) || fallback_tcp) {
+	if(LDNS_TC_WIRE(sldns_buffer_begin(c->buffer))) {
 		/* fallback to TCP */
 		/* this discards partial UDP contents */
 		if(sq->status == serviced_query_UDP_EDNS ||