I've already merged in most of the doc fixes etc, here are the remaining parts (mostly code/build infrastructure).
Any concerns, test reports, OKs? (See below for diff; changelog entries with inline comments first).

|FEATURES:
| - support configure --with-dbfile="" for nodb mode by default, where
| there is no binary database, but nsd reads and writes zonefiles.

-- using this; it's safer than relying on an nsd.conf setting to disable the db. this also required setting --with-zonelistfile which is based on the dir from --with-dbfile.

| - reuseport: no is the default, because the feature is not troublefree.

-- noop for us

| - configure --enable-ratelimit-default-is-off with --enable-ratelimit
| to set the default ratelimit to disabled but available in nsd.conf.

-- I haven't changed anything here (currently we use --enable-ratelimit) but it may make sense to set default-is-off and add suitable config sections to src/etc/nsd.conf. that's for another day though.

| - version: "string" option to set chaos version query reply string.
|BUG FIXES:
| - Fix zones updates from nsd parent event loop when there are a lot
| of interfaces.
| - portability fixes.
| - patch from Doug Hogan for SSL_OP_NO_SSLvx options, for the new
| defaults in the ssl libraries.

-- we already have these

| - updated contrib/nsd.spec, from Bálint Szigeti, with new configure
| options.
| - Allocate less memory for TSIG digest.
| - Fix #721: Fix wrong error code (FORMERR) returned for unknown
| opcode. NOTIMP expected.
| - Fix zonec ttl mismatch printout to include more information.
| - Fix TCP responses when REUSEPORT is in use by turning it off.
| - Document default in manpage for rrl-slip, ip4 and 6 prefixlength.
| - Explain rrl-slip better in documentation.
| - Document that ratelimit qps and slip are updated in reconfig.
| - Fix up defaults in manpage.
Index: Makefile.bsd-wrapper =================================================================== RCS file: /cvs/src/usr.sbin/nsd/Makefile.bsd-wrapper,v retrieving revision 1.12 diff -u -p -r1.12 Makefile.bsd-wrapper --- Makefile.bsd-wrapper 15 Oct 2015 21:22:11 -0000 1.12 +++ Makefile.bsd-wrapper 10 Dec 2015 14:47:14 -0000 @@ -17,7 +17,8 @@ CONFIGURE_OPTS= --prefix=/usr \ --with-configdir=${CHROOTDIR}/etc \ --with-pidfile=${CHROOTDIR}/run/nsd.pid \ --with-zonesdir=${CHROOTDIR}/zones \ - --with-dbfile=${CHROOTDIR}/db/nsd.db \ + --with-dbfile="" \ + --with-zonelistfile="${CHROOTDIR}/db/zone.list" \ --with-xfrdir=${CHROOTDIR}/run/xfr \ --with-xfrdfile=${CHROOTDIR}/run/xfrd.state \ --with-libevent=/usr \ Index: Makefile.in =================================================================== RCS file: /cvs/src/usr.sbin/nsd/Makefile.in,v retrieving revision 1.17 diff -u -p -r1.17 Makefile.in --- Makefile.in 17 Jul 2015 17:36:33 -0000 1.17 +++ Makefile.in 10 Dec 2015 14:47:14 -0000 @@ -65,6 +65,7 @@ EDIT = sed \ -e 's,@zonelistfile\@,$(zonelistfile),g' \ -e 's,@nsdconfigfile\@,$(nsdconfigfile),g' \ -e 's,@shell\@,$(SHELL),g' \ + -e 's,@ratelimit_default\@,@ratelimit_default@,g' \ -e 's,@user\@,$(user),g' TARGETS=nsd nsd-checkconf nsd-checkzone nsd-control nsd.conf.sample nsd-control-setup.sh Index: acx_nlnetlabs.m4 =================================================================== RCS file: /cvs/src/usr.sbin/nsd/acx_nlnetlabs.m4,v retrieving revision 1.1.1.10 diff -u -p -r1.1.1.10 acx_nlnetlabs.m4 --- acx_nlnetlabs.m4 5 Nov 2015 21:21:05 -0000 1.1.1.10 +++ acx_nlnetlabs.m4 10 Dec 2015 14:47:14 -0000 @@ -2,7 +2,9 @@ # Copyright 2009, Wouter Wijngaards, NLnet Labs. # BSD licensed. # -# Version 28 +# Version 30 +# 2015-11-18 spelling check fix. +# 2015-11-05 ACX_SSL_CHECKS no longer adds -ldl needlessly. # 2015-08-28 ACX_CHECK_PIE and ACX_CHECK_RELRO_NOW added. # 2015-03-17 AHX_CONFIG_REALLOCARRAY added # 2013-09-19 FLTO help text improved. 
@@ -24,7 +26,7 @@ # 2010-07-02 Add check for ss_family (for minix). # 2010-04-26 Fix to use CPPFLAGS for CHECK_COMPILER_FLAGS. # 2010-03-01 Fix RPATH using CONFIG_COMMANDS to run at the very end. -# 2010-02-18 WITH_SSL outputs the LIBSSL_LDFLAGS, LIBS, CPPFLAGS seperate, -ldl +# 2010-02-18 WITH_SSL outputs the LIBSSL_LDFLAGS, LIBS, CPPFLAGS separate, -ldl # 2010-02-01 added ACX_CHECK_MEMCMP_SIGNED, AHX_MEMCMP_BROKEN # 2010-01-20 added AHX_COONFIG_STRLCAT # 2009-07-14 U_CHAR detection improved for windows crosscompile. @@ -715,12 +717,6 @@ AC_DEFUN([ACX_SSL_CHECKS], [ fi AC_SUBST(HAVE_SSL) AC_SUBST(RUNTIME_PATH) - # openssl engine functionality needs dlopen(). - BAKLIBS="$LIBS" - AC_SEARCH_LIBS([dlopen], [dl]) - if test "$LIBS" != "$BAKLIBS"; then - LIBSSL_LIBS="$LIBSSL_LIBS -ldl" - fi fi AC_CHECK_HEADERS([openssl/ssl.h],,, [AC_INCLUDES_DEFAULT]) AC_CHECK_HEADERS([openssl/err.h],,, [AC_INCLUDES_DEFAULT]) Index: config.h.in =================================================================== RCS file: /cvs/src/usr.sbin/nsd/config.h.in,v retrieving revision 1.19 diff -u -p -r1.19 config.h.in --- config.h.in 5 Nov 2015 21:21:58 -0000 1.19 +++ config.h.in 10 Dec 2015 14:47:14 -0000 @@ -188,6 +188,9 @@ /* Define to 1 if you have the <openssl/ssl.h> header file. */ #undef HAVE_OPENSSL_SSL_H +/* Define to 1 if you have the `ppoll' function. */ +#undef HAVE_PPOLL + /* Define to 1 if you have the `pselect' function. */ #undef HAVE_PSELECT 
@@ -411,11 +414,11 @@ /* Define this to enable rate limiting. */ #undef RATELIMIT +/* Define this to set ratelimit to off by default. */ +#undef RATELIMIT_DEFAULT_OFF + /* Define as the return type of signal handlers (`int' or `void'). */ #undef RETSIGTYPE - -/* enable reuseport option by default. */ -#undef REUSEPORT_BY_DEFAULT /* Define this to configure as a root server. */ #undef ROOT_SERVER Index: configlexer.lex =================================================================== RCS file: /cvs/src/usr.sbin/nsd/configlexer.lex,v retrieving revision 1.1.1.11 diff -u -p -r1.1.1.11 configlexer.lex --- configlexer.lex 5 Nov 2015 21:21:05 -0000 1.1.1.11 +++ configlexer.lex 10 Dec 2015 14:47:14 -0000 @@ -207,6 +207,7 @@ do-ip4{COLON} { LEXOUT(("v(%s) ", yytex do-ip6{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_DO_IP6;} database{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_DATABASE;} identity{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_IDENTITY;} +version{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_VERSION;} nsid{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_NSID;} logfile{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_LOGFILE;} server-count{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_SERVER_COUNT;} Index: configparser.y =================================================================== RCS file: /cvs/src/usr.sbin/nsd/configparser.y,v retrieving revision 1.13 diff -u -p -r1.13 configparser.y --- configparser.y 5 Nov 2015 21:21:59 -0000 1.13 +++ configparser.y 10 Dec 2015 14:47:14 -0000 @@ -67,7 +67,7 @@ extern config_parser_state_t* cfg_parser %token VAR_RRL_IPV4_PREFIX_LENGTH VAR_RRL_IPV6_PREFIX_LENGTH %token VAR_RRL_WHITELIST_RATELIMIT VAR_RRL_WHITELIST %token VAR_ZONEFILES_CHECK VAR_ZONEFILES_WRITE VAR_LOG_TIME_ASCII -%token VAR_ROUND_ROBIN VAR_ZONESTATS VAR_REUSEPORT +%token VAR_ROUND_ROBIN VAR_ZONESTATS VAR_REUSEPORT VAR_VERSION %% toplevelvars: /* empty */ | toplevelvars toplevelvar ; 
@@ -97,7 +97,7 @@ content_server: server_ip_address | serv server_rrl_ipv4_prefix_length | server_rrl_ipv6_prefix_length | server_rrl_whitelist_ratelimit | server_zonefiles_check | server_do_ip4 | server_do_ip6 | server_zonefiles_write | server_log_time_ascii | server_round_robin | - server_reuseport; + server_reuseport | server_version; server_ip_address: VAR_IP_ADDRESS STRING { OUTYY(("P(server_ip_address:%s)\n", $2)); @@ -213,6 +213,12 @@ server_identity: VAR_IDENTITY STRING { OUTYY(("P(server_identity:%s)\n", $2)); cfg_parser->opt->identity = region_strdup(cfg_parser->opt->region, $2); + } + ; +server_version: VAR_VERSION STRING + { + OUTYY(("P(server_version:%s)\n", $2)); + cfg_parser->opt->version = region_strdup(cfg_parser->opt->region, $2); } ; server_nsid: VAR_NSID STRING Index: configure.ac =================================================================== RCS file: /cvs/src/usr.sbin/nsd/configure.ac,v retrieving revision 1.23 diff -u -p -r1.23 configure.ac --- configure.ac 5 Nov 2015 21:21:59 -0000 1.23 +++ configure.ac 10 Dec 2015 14:47:14 -0000 @@ -4,7 +4,7 @@ dnl sinclude(acx_nlnetlabs.m4) -AC_INIT(NSD,4.1.6,nsd-b...@nlnetlabs.nl) +AC_INIT(NSD,4.1.7,nsd-b...@nlnetlabs.nl) AC_CONFIG_HEADER([config.h]) CFLAGS="$CFLAGS" @@ -91,7 +91,9 @@ AC_ARG_WITH([dbfile], AC_SUBST(dbfile) AC_DEFINE_UNQUOTED(DBFILE, ["`eval echo $dbfile`"], [Pathname to the NSD database]) -dbdir=`dirname $dbfile` +if test -n "$dbfile"; then + dbdir=`dirname $dbfile` +fi AC_SUBST(dbdir) piddir=`dirname $pidfile` @@ -336,9 +338,6 @@ AC_DEFUN([CHECK_SSL], [ if test x_$ssldir = x_/usr/sfw; then LDFLAGS="$LDFLAGS -R$ssldir/lib"; fi - AC_CHECK_LIB(crypto, HMAC_CTX_init,, [ - AC_MSG_ERROR([OpenSSL found in $ssldir, but version 0.9.7 or higher is required]) - ]) fi AC_SUBST(HAVE_SSL) fi 
@@ -504,12 +503,6 @@ AC_CHECK_STRPTIME_WORKS ACX_CHECK_NONBLOCKING_BROKEN ACX_MKDIR_ONE_ARG -# see if reuseport is enabled by default (also a config option). -# freebsd can compile the option, but it does not work, it works on Linux. -if test "`uname`" = "Linux"; then - AC_DEFINE([REUSEPORT_BY_DEFAULT], 1, [enable reuseport option by default.]) -fi - # set -I. and -Isrcdir if test -n "$CPPFLAGS"; then CPPFLAGS="$CPPFLAGS -I." @@ -603,7 +596,7 @@ AC_SYS_LARGEFILE AC_CHECK_SIZEOF(void*) AC_CHECK_SIZEOF(off_t) AC_CHECK_FUNCS([arc4random arc4random_uniform]) -AC_CHECK_FUNCS([tzset alarm chroot dup2 endpwent gethostname memset memcpy pwrite socket strcasecmp strchr strdup strerror strncasecmp strtol writev getaddrinfo getnameinfo freeaddrinfo gai_strerror sigaction sigprocmask strptime strftime localtime_r setusercontext glob initgroups setresuid setreuid setresgid setregid getpwnam mmap]) +AC_CHECK_FUNCS([tzset alarm chroot dup2 endpwent gethostname memset memcpy pwrite socket strcasecmp strchr strdup strerror strncasecmp strtol writev getaddrinfo getnameinfo freeaddrinfo gai_strerror sigaction sigprocmask strptime strftime localtime_r setusercontext glob initgroups setresuid setreuid setresgid setregid getpwnam mmap ppoll]) AC_ARG_ENABLE(recvmmsg, AC_HELP_STRING([--enable-recvmmsg], [Enable recvmmsg and sendmmsg compilation, faster but some kernel versions may have implementation problems])) case "$enable_recvmmsg" in 
@@ -819,10 +812,28 @@ case "$enable_ratelimit" in esac AC_SUBST(ratelimit) +AC_ARG_ENABLE(ratelimit-default-is-off, AC_HELP_STRING([--enable-ratelimit-default-is-off], [Enable this to set default of ratelimit to off (enable in nsd.conf), otherwise ratelimit is enabled by default if --enable-ratelimit is enabled])) +case "$enable_ratelimit_default_is_off" in + yes) + AC_DEFINE_UNQUOTED([RATELIMIT_DEFAULT_OFF], [], [Define this to set ratelimit to off by default.]) + ratelimit_default="off" + ;; + no|*) + ratelimit_default="on" + ;; +esac +AC_SUBST(ratelimit_default) + + # we need SSL for TSIG (and maybe also for NSEC3). CHECK_SSL if test x$HAVE_SSL = x"yes"; then ACX_LIB_SSL + if test -n "$ssldir"; then + AC_CHECK_LIB(crypto, HMAC_CTX_init,, [ + AC_MSG_ERROR([OpenSSL found in $ssldir, but version 0.9.7 or higher is required]) + ]) + fi SSL_LIBS="-lssl" AC_SUBST(SSL_LIBS) AC_CHECK_HEADERS([openssl/ssl.h],,, [AC_INCLUDES_DEFAULT]) Index: netio.c =================================================================== RCS file: /cvs/src/usr.sbin/nsd/netio.c,v retrieving revision 1.1.1.5 diff -u -p -r1.1.1.5 netio.c --- netio.c 26 Nov 2013 12:50:14 -0000 1.1.1.5 +++ netio.c 10 Dec 2015 14:47:14 -0000 @@ -13,17 +13,12 @@ #include <sys/time.h> #include <string.h> #include <stdlib.h> +#include <poll.h> #include "netio.h" #include "util.h" - -#ifndef HAVE_PSELECT -int pselect(int n, fd_set *readfds, fd_set *writefds, fd_set *exceptfds, - const struct timespec *timeout, const sigset_t *sigmask); -#else -#include <sys/select.h> -#endif +#define MAX_NETIO_FDS 1024 netio_type * netio_create(region_type *region) @@ -65,6 +60,7 @@ netio_add_handler(netio_type *netio, net elt->next = netio->handlers; elt->handler = handler; + elt->handler->pfd = -1; netio->handlers = elt; } 
@@ -111,14 +107,18 @@ netio_current_time(netio_type *netio) int netio_dispatch(netio_type *netio, const struct timespec *timeout, const sigset_t *sigmask) { - fd_set readfds, writefds, exceptfds; - int max_fd; + /* static arrays to avoid allocation */ + static struct pollfd fds[MAX_NETIO_FDS]; + int numfd; int have_timeout = 0; struct timespec minimum_timeout; netio_handler_type *timeout_handler = NULL; netio_handler_list_type *elt; int rc; int result = 0; +#ifndef HAVE_PPOLL + sigset_t origmask; +#endif assert(netio); @@ -139,26 +139,24 @@ netio_dispatch(netio_type *netio, const * Initialize the fd_sets and timeout based on the handler * information. */ - max_fd = -1; - FD_ZERO(&readfds); - FD_ZERO(&writefds); - FD_ZERO(&exceptfds); + numfd = 0; for (elt = netio->handlers; elt; elt = elt->next) { netio_handler_type *handler = elt->handler; - if (handler->fd != -1 && handler->fd < (int)FD_SETSIZE) { - if (handler->fd > max_fd) { - max_fd = handler->fd; - } + if (handler->fd != -1 && numfd < MAX_NETIO_FDS) { + fds[numfd].fd = handler->fd; + fds[numfd].events = 0; + fds[numfd].revents = 0; + handler->pfd = numfd; if (handler->event_types & NETIO_EVENT_READ) { - FD_SET(handler->fd, &readfds); + fds[numfd].events |= POLLIN; } if (handler->event_types & NETIO_EVENT_WRITE) { - FD_SET(handler->fd, &writefds); - } - if (handler->event_types & NETIO_EVENT_EXCEPT) { - FD_SET(handler->fd, &exceptfds); + fds[numfd].events |= POLLOUT; } + numfd++; + } else { + handler->pfd = -1; } if (handler->timeout && (handler->event_types & NETIO_EVENT_TIMEOUT)) { struct timespec relative; @@ -180,7 +178,7 @@ netio_dispatch(netio_type *netio, const if (have_timeout && minimum_timeout.tv_sec < 0) { /* - * On negative timeout for a handler, immediatly + * On negative timeout for a handler, immediately * dispatch the timeout event without checking for * other events. */ 
@@ -191,12 +189,17 @@ netio_dispatch(netio_type *netio, const } /* Check for events. */ - rc = pselect(max_fd + 1, &readfds, &writefds, &exceptfds, - have_timeout ? &minimum_timeout : NULL, - sigmask); +#ifdef HAVE_PPOLL + rc = ppoll(fds, numfd, (have_timeout?&minimum_timeout:NULL), sigmask); +#else + sigprocmask(SIG_SETMASK, sigmask, &origmask); + rc = poll(fds, numfd, (have_timeout?minimum_timeout.tv_sec*1000+ + minimum_timeout.tv_nsec/1000000:-1)); + sigprocmask(SIG_SETMASK, &origmask, NULL); +#endif /* HAVE_PPOLL */ if (rc == -1) { if(errno == EINVAL || errno == EACCES || errno == EBADF) { - log_msg(LOG_ERR, "fatal error pselect: %s.", + log_msg(LOG_ERR, "fatal error poll: %s.", strerror(errno)); exit(1); } 
@@ -225,26 +228,27 @@ netio_dispatch(netio_type *netio, const * calling the current handler! */ assert(netio->dispatch_next == NULL); + for (elt = netio->handlers; elt && rc; ) { netio_handler_type *handler = elt->handler; netio->dispatch_next = elt->next; - if (handler->fd != -1 && handler->fd < (int)FD_SETSIZE) { + if (handler->fd != -1 && handler->pfd != -1) { netio_event_types_type event_types = NETIO_EVENT_NONE; - if (FD_ISSET(handler->fd, &readfds)) { + if ((fds[handler->pfd].revents & POLLIN)) { event_types |= NETIO_EVENT_READ; - FD_CLR(handler->fd, &readfds); - rc--; } - if (FD_ISSET(handler->fd, &writefds)) { + if ((fds[handler->pfd].revents & POLLOUT)) { event_types |= NETIO_EVENT_WRITE; - FD_CLR(handler->fd, &writefds); - rc--; } - if (FD_ISSET(handler->fd, &exceptfds)) { - event_types |= NETIO_EVENT_EXCEPT; - FD_CLR(handler->fd, &exceptfds); - rc--; + if ((fds[handler->pfd].revents & + (POLLNVAL|POLLHUP|POLLERR))) { + /* closed/error: give a read event, + * or otherwise, a write event */ + if((handler->event_types&NETIO_EVENT_READ)) + event_types |= NETIO_EVENT_READ; + else if((handler->event_types&NETIO_EVENT_WRITE)) + event_types |= NETIO_EVENT_WRITE; } if (event_types & handler->event_types) { Index: netio.h =================================================================== RCS file: /cvs/src/usr.sbin/nsd/netio.h,v retrieving revision 1.1.1.5 diff -u -p -r1.1.1.5 netio.h --- netio.h 26 Nov 2013 12:50:18 -0000 1.1.1.5 +++ netio.h 10 Dec 2015 14:47:14 -0000 @@ -16,7 +16,6 @@ * * NETIO_EVENT_READ: reading will not block. * NETIO_EVENT_WRITE: writing will not block. - * NETIO_EVENT_EXCEPT: an exception occurred. * NETIO_EVENT_TIMEOUT: the timeout expired. * * A file descriptor must be specified if the handler is interested in 
@@ -58,8 +57,7 @@ enum netio_event_types { NETIO_EVENT_NONE = 0, NETIO_EVENT_READ = 1, NETIO_EVENT_WRITE = 2, - NETIO_EVENT_EXCEPT = 4, - NETIO_EVENT_TIMEOUT = 8, + NETIO_EVENT_TIMEOUT = 4, }; typedef enum netio_event_types netio_event_types_type; @@ -104,6 +102,9 @@ struct netio_handler * checked for. */ int fd; + + /** index of the pollfd array for this handler */ + int pfd; /* * The time when no events should be checked for and the Index: nsd-checkconf.8.in =================================================================== RCS file: /cvs/src/usr.sbin/nsd/nsd-checkconf.8.in,v retrieving revision 1.17 diff -u -p -r1.17 nsd-checkconf.8.in --- nsd-checkconf.8.in 5 Nov 2015 21:21:59 -0000 1.17 +++ nsd-checkconf.8.in 10 Dec 2015 14:47:14 -0000 @@ -1,4 +1,4 @@ -.TH "nsd\-checkconf" "8" "Oct 22, 2015" "NLnet Labs" "nsd 4.1.6" +.TH "nsd\-checkconf" "8" "Dec 10, 2015" "NLnet Labs" "nsd 4.1.7" .\" Copyright (c) 2001\-2008, NLnet Labs. All rights reserved. .\" See LICENSE for the license. .SH "NAME" Index: nsd-checkconf.c =================================================================== RCS file: /cvs/src/usr.sbin/nsd/nsd-checkconf.c,v retrieving revision 1.13 diff -u -p -r1.13 nsd-checkconf.c --- nsd-checkconf.c 5 Nov 2015 21:21:59 -0000 1.13 +++ nsd-checkconf.c 10 Dec 2015 14:47:14 -0000 @@ -352,6 +352,7 @@ config_print_zone(nsd_options_t* opt, co /* str */ SERV_GET_PATH(final, database, o); SERV_GET_STR(identity, o); + SERV_GET_STR(version, o); SERV_GET_STR(nsid, o); SERV_GET_PATH(final, logfile, o); SERV_GET_PATH(final, pidfile, o); @@ -447,6 +448,7 @@ config_test_print_server(nsd_options_t* printf("\thide-version: %s\n", opt->hide_version?"yes":"no"); print_string_var("database:", opt->database); print_string_var("identity:", opt->identity); + print_string_var("version:", opt->version); print_string_var("nsid:", opt->nsid); print_string_var("logfile:", opt->logfile); printf("\tserver_count: %d\n", opt->server_count); 
@@ -585,6 +587,11 @@ additional_checks(nsd_options_t* opt, co if (opt->identity && strlen(opt->identity) > UCHAR_MAX) { fprintf(stderr, "%s: server identity too long (%u characters)\n", filename, (unsigned) strlen(opt->identity)); + errors ++; + } + if (opt->version && strlen(opt->version) > UCHAR_MAX) { + fprintf(stderr, "%s: server version too long (%u characters)\n", + filename, (unsigned) strlen(opt->version)); errors ++; } Index: nsd-checkzone.8.in =================================================================== RCS file: /cvs/src/usr.sbin/nsd/nsd-checkzone.8.in,v retrieving revision 1.1.1.4 diff -u -p -r1.1.1.4 nsd-checkzone.8.in --- nsd-checkzone.8.in 5 Nov 2015 21:21:05 -0000 1.1.1.4 +++ nsd-checkzone.8.in 10 Dec 2015 14:47:14 -0000 @@ -1,4 +1,4 @@ -.TH "nsd\-checkzone" "8" "Oct 22, 2015" "NLnet Labs" "nsd 4.1.6" +.TH "nsd\-checkzone" "8" "Dec 10, 2015" "NLnet Labs" "nsd 4.1.7" .\" Copyright (c) 2014, NLnet Labs. All rights reserved. .\" See LICENSE for the license. .SH "NAME" Index: nsd-control.8.in =================================================================== RCS file: /cvs/src/usr.sbin/nsd/nsd-control.8.in,v retrieving revision 1.5 diff -u -p -r1.5 nsd-control.8.in --- nsd-control.8.in 5 Nov 2015 21:21:59 -0000 1.5 +++ nsd-control.8.in 10 Dec 2015 14:47:14 -0000 @@ -1,4 +1,4 @@ -.TH "nsd\-control" "8" "Oct 22, 2015" "NLnet Labs" "nsd 4.1.6" +.TH "nsd\-control" "8" "Dec 10, 2015" "NLnet Labs" "nsd 4.1.7" .\" Copyright (c) 2011, NLnet Labs. All rights reserved. .\" See LICENSE for the license. .SH "NAME" Index: nsd.8.in =================================================================== RCS file: /cvs/src/usr.sbin/nsd/nsd.8.in,v retrieving revision 1.18 diff -u -p -r1.18 nsd.8.in --- nsd.8.in 5 Nov 2015 21:21:59 -0000 1.18 +++ nsd.8.in 10 Dec 2015 14:47:14 -0000 
@@ -1,9 +1,9 @@ -.TH "NSD" "8" "Oct 22, 2015" "NLnet Labs" "NSD 4.1.6" +.TH "NSD" "8" "Dec 10, 2015" "NLnet Labs" "NSD 4.1.7" .\" Copyright (c) 2001\-2008, NLnet Labs. All rights reserved. .\" See LICENSE for the license. .SH "NAME" .B nsd -\- Name Server Daemon (NSD) version 4.1.6. +\- Name Server Daemon (NSD) version 4.1.7. .SH "SYNOPSIS" .B nsd .RB [ \-4 ] Index: nsd.c =================================================================== RCS file: /cvs/src/usr.sbin/nsd/nsd.c,v retrieving revision 1.24 diff -u -p -r1.24 nsd.c --- nsd.c 21 Nov 2015 21:12:46 -0000 1.24 +++ nsd.c 10 Dec 2015 14:47:14 -0000 @@ -662,6 +662,9 @@ main(int argc, char *argv[]) if(nsd.options->identity) nsd.identity = nsd.options->identity; } + if(nsd.options->version) { + nsd.version = nsd.options->version; + } if (nsd.options->logfile && !nsd.log_filename) { nsd.log_filename = nsd.options->logfile; } Index: nsd.conf.5.in =================================================================== RCS file: /cvs/src/usr.sbin/nsd/nsd.conf.5.in,v retrieving revision 1.18 diff -u -p -r1.18 nsd.conf.5.in --- nsd.conf.5.in 9 Dec 2015 00:40:08 -0000 1.18 +++ nsd.conf.5.in 10 Dec 2015 14:47:14 -0000 @@ -1,4 +1,4 @@ -.TH "nsd.conf" "5" "Oct 22, 2015" "NLnet Labs" "nsd 4.1.6" +.TH "nsd.conf" "5" "Dec 10, 2015" "NLnet Labs" "nsd 4.1.7" .\" Copyright (c) 2001\-2008, NLnet Labs. All rights reserved. .\" See LICENSE for the license. .SH "NAME" 
@@ -173,11 +173,9 @@ that it can answer immediately when the Use the SO_REUSEPORT socket option, and create file descriptors for every server in the server\-count. This improves performance of the network stack. Only really useful if you also configure a server\-count higher -than 1 (such as, equal to the number of cpus). The default is yes on -Linux (where it works, and has been (backported) to 2.6 and 3.x kernels). -On FreeBSD it is known to fail (default is no), but you can enable it -if you think it is fixed. And a cautious default of no is used for -other systems. +than 1 (such as, equal to the number of cpus). The default is no. +It works on Linux, but does not work on FreeBSD, and likely does not +work on other systems. .TP .B debug\-mode:\fR <yes or no> Turns on debugging mode for nsd, does not fork a daemon process. @@ -216,6 +214,11 @@ Default is the name as returned by getho commandline option .BR \-i . .TP +.B version:\fR <string> +Returns the specified version string when asked for CH TXT version.server, +and version.bind queries. Default is the compiled package version. +See hide\-version to set the server to not respond to such queries. +.TP .B nsid:\fR <string> Add the specified nsid to the EDNS section of the answer when queried with an NSID EDNS enabled packet. As a sequence of hex characters or 
@@ -366,16 +369,24 @@ This option gives the size of the hashta use more memory, and reduce the chance of hash collisions. .TP .B rrl\-ratelimit:\fR <qps> -The max qps allowed (from one query source). Default 200 qps. If set to 0 -then it is disabled (unlimited rate), also set the whilelist\-ratelimit +The max qps allowed (from one query source). Default is @ratelimit_default@ (with a suggested 200 qps). If set to 0 +then it is disabled (unlimited rate), also set the whitelist\-ratelimit to 0 to disable ratelimit processing. If you set verbosity to 2 the blocked and unblocked subnets are logged. Blocked queries are blocked -and some receive TCP fallback replies. +and some receive TCP fallback replies. Once the rate limit is reached, +NSD begins dropping responses. However, one in every "rrl\-slip" number +of responses is allowed, with the TC bit set. If slip is set to 2, the +outgoing response rate will be halved. If it's set to 3, the outgoing +response rate will be one\-third, and so on. If you set rrl\-slip to 10, +traffic is reduced to 1/10th. Ratelimit options rrl\-ratelimit, rrl\-size and +rrl\-whitelist\-ratelimit are updated when nsd\-control reconfig is done (also +the zone\-specific ratelimit options are updated). .TP .B rrl\-slip:\fR <numpackets> This option controls the number of packets discarded before we send back a SLIP response (a response with "truncated" bit set to one). 0 disables the sending of SLIP packets, -1 means every query will get a SLIP response. +1 means every query will get a SLIP response. Default is 2, cuts traffic in +half and legit users have a fair chance to get a +TC response. .TP .B rrl\-ipv4\-prefix\-length:\fR <subnet> IPv4 prefix length. Addresses are grouped by netblock. Default 24. 
@@ -385,7 +396,7 @@ IPv6 prefix length. Addresses are groupe .TP .B rrl\-whitelist\-ratelimit:\fR <qps> The max qps for query sorts for a source, which have been -whitelisted. Default 2000 qps. With the rrl\-whitelist option you can set +whitelisted. Default @ratelimit_default@ (with a suggested 2000 qps). With the rrl\-whitelist option you can set specific queries to receive this qps limit instead of the normal limit. With the value 0 the rate is unlimited. .\" rrlend Index: nsd.conf.sample.in =================================================================== RCS file: /cvs/src/usr.sbin/nsd/nsd.conf.sample.in,v retrieving revision 1.1.1.12 diff -u -p -r1.1.1.12 nsd.conf.sample.in --- nsd.conf.sample.in 5 Nov 2015 21:21:04 -0000 1.1.1.12 +++ nsd.conf.sample.in 10 Dec 2015 14:47:14 -0000 @@ -27,8 +27,7 @@ server: # Allow binding to non local addresses. Default no. # ip-transparent: no - # use the reuseport socket option for performance. - # The default is yes on linux, no for others. + # use the reuseport socket option for performance. Default no. # reuseport: no # enable debug mode, does not fork daemon process into the background. @@ -83,6 +82,10 @@ server: # don't answer VERSION.BIND and VERSION.SERVER CHAOS class queries # hide-version: no + # version string the server responds with for chaos queries. + # default is 'NSD x.y.z' with the server's version number. + # version: "NSD" + # identify the server (CH TXT ID.SERVER entry). # identity: "unidentified server" @@ -130,8 +133,9 @@ server: # rrl-size: 1000000 # Response Rate Limiting, maximum QPS allowed (from one query source). - # Default 200. If set to 0, ratelimiting is disabled. Also set + # If set to 0, ratelimiting is disabled. Also set # rrl-whitelist-ratelimit to 0 to disable ratelimit processing. + # Default is @ratelimit_default@. # rrl-ratelimit: 200 # Response Rate Limiting, number of packets to discard before 
@@ -139,7 +143,8 @@ server: # resolver to retry with TCP). Default is 2 (one half of the # queries will receive a SLIP response, 0 disables SLIP (all # packets are discarded), 1 means every request will get a - # SLIP response. + # SLIP response. When the ratelimit is hit the traffic is + # divided by the rrl-slip value. # rrl-slip: 2 # Response Rate Limiting, IPv4 prefix length. Addresses are @@ -151,7 +156,7 @@ server: # rrl-ipv6-prefix-length: 64 # Response Rate Limiting, maximum QPS allowed (from one query source) - # for whitelisted types. Default 2000. + # for whitelisted types. Default is @ratelimit_default@. # rrl-whitelist-ratelimit: 2000 # RRLend Index: options.c =================================================================== RCS file: /cvs/src/usr.sbin/nsd/options.c,v retrieving revision 1.3 diff -u -p -r1.3 options.c --- options.c 5 Nov 2015 21:21:59 -0000 1.3 +++ options.c 10 Dec 2015 14:47:14 -0000 @@ -56,6 +56,7 @@ nsd_options_create(region_type* region) opt->do_ip6 = 1; opt->database = DBFILE; opt->identity = 0; + opt->version = 0; opt->nsid = 0; opt->logfile = 0; opt->log_time_ascii = 1; @@ -69,11 +70,7 @@ nsd_options_create(region_type* region) opt->pidfile = PIDFILE; opt->port = UDP_PORT; /* deprecated? opt->port = TCP_PORT; */ -#ifdef REUSEPORT_BY_DEFAULT - opt->reuseport = 1; -#else opt->reuseport = 0; -#endif opt->statistics = 0; opt->chroot = 0; opt->username = USER; 
@@ -83,11 +80,16 @@ nsd_options_create(region_type* region) opt->zonelistfile = ZONELISTFILE; #ifdef RATELIMIT opt->rrl_size = RRL_BUCKETS; - opt->rrl_ratelimit = RRL_LIMIT/2; opt->rrl_slip = RRL_SLIP; opt->rrl_ipv4_prefix_length = RRL_IPV4_PREFIX_LENGTH; opt->rrl_ipv6_prefix_length = RRL_IPV6_PREFIX_LENGTH; +# ifdef RATELIMIT_DEFAULT_OFF + opt->rrl_ratelimit = 0; + opt->rrl_whitelist_ratelimit = 0; +# else + opt->rrl_ratelimit = RRL_LIMIT/2; opt->rrl_whitelist_ratelimit = RRL_WLIST_LIMIT/2; +# endif #endif opt->zonefiles_check = 1; if(opt->database == NULL || opt->database[0] == 0) @@ -1507,7 +1509,7 @@ acl_key_matches(acl_options_t* acl, stru } if(!acl->key_options->tsig_key) { DEBUG(DEBUG_XFRD,2, (LOG_INFO, "keymatch fail no config")); - return 0; /* key not properly configged */ + return 0; /* key not properly configured */ } if(dname_compare(q->tsig.key_name, acl->key_options->tsig_key->name) != 0) { Index: options.h =================================================================== RCS file: /cvs/src/usr.sbin/nsd/options.h,v retrieving revision 1.2 diff -u -p -r1.2 options.h --- options.h 9 Dec 2015 00:36:26 -0000 1.2 +++ options.h 10 Dec 2015 14:47:14 -0000 @@ -67,6 +67,7 @@ struct nsd_options { int do_ip6; const char* database; const char* identity; + const char* version; const char* logfile; int server_count; int tcp_count; Index: query.c =================================================================== RCS file: /cvs/src/usr.sbin/nsd/query.c,v retrieving revision 1.19 diff -u -p -r1.19 query.c --- query.c 9 Dec 2015 00:36:26 -0000 1.19 +++ query.c 10 Dec 2015 14:47:14 -0000 @@ -309,7 +309,6 @@ process_query_section(query_type *query) &query->qtype, &query->qclass)) return 0; query->qname = dname_make(query->region, qnamebuf, 1); - query->opcode = OPCODE(query->packet); return 1; } 
@@ -1316,6 +1315,15 @@ query_process(query_type *q, nsd_type *n if (QR(q->packet)) { /* Not a query? Drop it on the floor. */ return QUERY_DISCARDED; + } + + /* check opcode early on, because new opcodes may have different + * specification of the meaning of the rest of the packet */ + q->opcode = OPCODE(q->packet); + if(q->opcode != OPCODE_QUERY && q->opcode != OPCODE_NOTIFY) { + if(query_ratelimit_err(nsd)) + return QUERY_DISCARDED; + return query_error(q, NSD_RC_IMPL); } if (RCODE(q->packet) != RCODE_OK || !process_query_section(q)) { Index: region-allocator.c =================================================================== RCS file: /cvs/src/usr.sbin/nsd/region-allocator.c,v retrieving revision 1.9 diff -u -p -r1.9 region-allocator.c --- region-allocator.c 17 Jul 2015 17:36:33 -0000 1.9 +++ region-allocator.c 10 Dec 2015 14:47:14 -0000 @@ -12,6 +12,7 @@ #include <assert.h> #include <stdlib.h> #include <string.h> +#include <limits.h> #include "region-allocator.h" #include "util.h" Index: server.c =================================================================== RCS file: /cvs/src/usr.sbin/nsd/server.c,v retrieving revision 1.22 diff -u -p -r1.22 server.c --- server.c 21 Nov 2015 21:12:46 -0000 1.22 +++ server.c 10 Dec 2015 14:47:14 -0000 @@ -760,6 +760,11 @@ server_init_ifs(struct nsd *nsd, size_t continue; } nsd->tcp[i].fam = (int)addr->ai_family; + /* turn off REUSEPORT for TCP by copying the socket fd */ + if(i >= nsd->ifs) { + nsd->tcp[i].s = nsd->tcp[i%nsd->ifs].s; + continue; + } if ((nsd->tcp[i].s = socket(addr->ai_family, addr->ai_socktype, 0)) == -1) { #if defined(INET6) if (addr->ai_family == AF_INET6 && Index: tsig-openssl.c =================================================================== RCS file: /cvs/src/usr.sbin/nsd/tsig-openssl.c,v retrieving revision 1.1.1.7 diff -u -p -r1.1.1.7 tsig-openssl.c --- tsig-openssl.c 17 Jul 2015 17:36:01 -0000 1.1.1.7 +++ tsig-openssl.c 10 Dec 2015 14:47:14 -0000 
@@ -44,7 +44,9 @@ tsig_openssl_init_algorithm(region_type* log_msg(LOG_ERR, "cannot parse %s algorithm", wireformat); return 0; } - algorithm->maximum_digest_size = EVP_MAX_MD_SIZE; + algorithm->maximum_digest_size = EVP_MD_size(hmac_algorithm); + if(algorithm->maximum_digest_size < 20) + algorithm->maximum_digest_size = EVP_MAX_MD_SIZE; algorithm->data = hmac_algorithm; algorithm->hmac_create_context = create_context; algorithm->hmac_init_context = init_context; Index: zonec.c =================================================================== RCS file: /cvs/src/usr.sbin/nsd/zonec.c,v retrieving revision 1.18 diff -u -p -r1.18 zonec.c --- zonec.c 9 Dec 2015 00:36:26 -0000 1.18 +++ zonec.c 10 Dec 2015 14:47:14 -0000 @@ -1434,7 +1434,10 @@ process_rr(void) rr_type* o; if (rr->type != TYPE_RRSIG && rrset->rrs[0].ttl != rr->ttl) { zc_warning_prev_line( - "TTL does not match the TTL of the RRset"); + "%s TTL %u does not match the TTL %u of the %s RRset", + domain_to_string(rr->owner), (unsigned)rr->ttl, + (unsigned)rrset->rrs[0].ttl, + rrtype_to_string(rr->type)); } /* Search for possible duplicates... */
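Review bot: in the configure.ac hunk that wraps `dbdir=\`dirname $dbfile\`` in `if test -n "$dbfile"`, an empty --with-dbfile (which the Makefile.bsd-wrapper hunk now passes) leaves $dbdir unset but still AC_SUBSTed, so any Makefile rule that expands $(dbdir), for instance to create the directory at install time, will act on an empty path. The wrapper compensates by passing --with-zonelistfile explicitly; please confirm nothing else in Makefile.in consumes $(dbdir), or else default dbdir to the directory of $zonelistfile when dbfile is empty.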
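Review bot: in the Makefile.in hunk, the new sed entry `-e 's,@ratelimit_default\@,@ratelimit_default@,g'` relies on config.status expanding the right-hand @ratelimit_default@ when Makefile is generated (AC_SUBST(ratelimit_default) in the configure.ac hunk makes that work), whereas the neighbouring entries go through Makefile variables such as $(user) and $(zonelistfile). It works, but for consistency consider a `ratelimit_default=@ratelimit_default@` assignment beside the other substituted variables and `$(ratelimit_default)` here.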
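Review bot: in the netio.c hunk that builds the pollfd array, a handler that does not fit (`numfd < MAX_NETIO_FDS` false) silently gets `handler->pfd = -1` and is never polled, which reproduces the "lots of interfaces" symptom this change fixes, only at a different threshold (1024 handlers instead of descriptor values below FD_SETSIZE). Suggest a one-time log_msg(LOG_ERR, ...) when the limit is hit, and a comment at `#define MAX_NETIO_FDS 1024` recording that the static array is a deliberate trade-off against allocation.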
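Review bot: in the netio.c hunk that replaces pselect, the `#else` path (`sigprocmask(SIG_SETMASK, sigmask, &origmask)` followed by poll) reopens the window between unmasking signals and entering the wait that pselect and ppoll exist to close, and the conversion `minimum_timeout.tv_sec*1000+minimum_timeout.tv_nsec/1000000` truncates a sub-millisecond timeout to 0, so poll returns immediately and the loop spins until the timer actually expires. OpenBSD provides ppoll(2), so with `AC_CHECK_FUNCS([... ppoll])` HAVE_PPOLL is set on our build and this branch is dead here, but a comment stating that the race and truncation are accepted for portability builds would help the next reader.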
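Review bot: in the netio.c dispatch hunk, the loop header `for (elt = netio->handlers; elt && rc; )` is kept, but all three `rc--` statements went away together with the FD_CLR calls, so rc is never decremented and `&& rc` no longer stops the walk once every ready descriptor has been handled; it now only skips the loop when rc == 0. Either drop the `&& rc` or decrement rc once per handler whose `fds[handler->pfd].revents` is non-zero, and say in a comment which behaviour is intended.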
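Review bot: in the netio.h hunk that removes NETIO_EVENT_EXCEPT and renumbers NETIO_EVENT_TIMEOUT to 4, the documentation comment above the enum still says nothing about how errors are reported, while the netio.c hunk maps POLLNVAL|POLLHUP|POLLERR to a read event, or to a write event when the handler did not ask for reads. Add a line to that comment so handler authors know a closed or failed descriptor shows up as NETIO_EVENT_READ (or WRITE), and grep the tree for remaining NETIO_EVENT_EXCEPT users, which will now fail to compile.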
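Review bot: in the query.c query_process hunk, the opcode check now runs before `process_query_section(q)` (which is also where `query->opcode = OPCODE(query->packet)` used to be set), so when `query_error(q, NSD_RC_IMPL)` is reached for an unknown opcode, q->qname has not been parsed. Please confirm that query_error and query_ratelimit_err do not read the question section, and that the NOTIMP reply and its rate-limit accounting behave sensibly without a qname.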
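Review bot: in the server.c hunk, `nsd->tcp[i].s = nsd->tcp[i%nsd->ifs].s` stores the same integer descriptor in several tcp[] slots instead of dup()ing it, so any loop that closes nsd->tcp[i].s for every i (child cleanup, shutdown, reload) will close one descriptor several times, and a later close() may hit a descriptor number that has since been reused for something else. Either dup() the socket here or make the close paths skip slots with `i >= nsd->ifs`, and note the aliasing in a comment next to the `continue`.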
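Review bot: in the tsig-openssl.c hunk, the bare constant in `if(algorithm->maximum_digest_size < 20)` needs a comment: as written, any digest shorter than 20 bytes (hmac-md5 produces 16) falls back to EVP_MAX_MD_SIZE, so the memory saving applies only to the SHA family, and a reader cannot tell whether 20 is a deliberate floor for the digest buffer or a guard against EVP_MD_size() returning a non-positive value on error (which the comparison also catches).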