Commit graph

  • 9fc79a039a
    Merge 2533d510cf into f6931c794e Kasoo 2026-06-18 17:57:51 +0000
  • f6931c794e - Fix memory leak on DNAME 0TTL records. master Yorgos Thessalonikefs 2026-06-17 17:30:21 +0200
  • 4c5082ad05 - Fix that fast_reload does not terminate the server if random init for DNS cookies fails. The data is only random generated if cookies are enabled, and the random data is necessary. Thanks to Qifan Zhang, Palo Alto Networks, for the report. W.C.A. Wijngaards 2026-06-17 16:15:15 +0200
  • 5fb892a097 - Fix that fast_reload does not terminate the server on config read failure after malloc failure. Thanks to Qifan Zhang, Palo Alto Networks, for the report. W.C.A. Wijngaards 2026-06-17 16:10:48 +0200
  • 55e9532d16 - Fix after malloc failure for stats, then it drains the pipe so the internal messaging stays correct. Also it does not exit the server if stats pipe communication fails. Thanks to Qifan Zhang, Palo Alto Networks, for the report. W.C.A. Wijngaards 2026-06-17 16:05:45 +0200
  • fff6657cea - Fix that fast_reload does not terminate the server on malloc failure for dnstap, or if gethostname fails. Thanks to Qifan Zhang, Palo Alto Networks, for the report. W.C.A. Wijngaards 2026-06-17 16:02:21 +0200
  • 45d1e75caf - Fix to check for malloc failure in rpz response create, for nodata and nxdomain, so it does not crash later. Thanks to Qifan Zhang, Palo Alto Networks, for the report. W.C.A. Wijngaards 2026-06-17 15:59:29 +0200
  • b806f16c8b - Fix to check the return value of auth_xfer_create during fast_reload auth-zone add and change processing. Thanks to Qifan Zhang, Palo Alto Networks, for the report. W.C.A. Wijngaards 2026-06-17 15:57:30 +0200
  • 8d3348c71b - Fix that malloc failure during edns subnet addrtree insert is checked, so it does not crash later. Thanks to Qifan Zhang, Palo Alto Networks, for the report. W.C.A. Wijngaards 2026-06-17 15:55:33 +0200
  • e2cc14681e - Fix that malloc failure for rpz_strip_nsdname is checked and handled, so that it does not crash later. Thanks to Qifan Zhang, Palo Alto Networks, for the report. W.C.A. Wijngaards 2026-06-17 15:53:28 +0200
  • 5ae979bb6e - Fix that on malloc failure during accept of TCP, the socket is not left to cause a read event loop. It uses slow-accept to delay accepting new connections, if that fails it drops the new connections. When the tcp connection usage is full, it waits for 50msec, to allow existing queries to be resolved. Thanks to Qifan Zhang, Palo Alto Networks, for the report. W.C.A. Wijngaards 2026-06-17 15:37:04 +0200
  • 8f2fbd66fc - Fix that malloc failure for ngtcp2_conn_server_new cleans up reference that older ngtcp2 versions can leave. Thanks to Qifan Zhang, Palo Alto Networks, for the report. W.C.A. Wijngaards 2026-06-17 15:33:06 +0200
  • b5909d8d22 - Fix that malloc failure in doq connection setup, does not crash in doq connection delete later. Thanks to Qifan Zhang, Palo Alto Networks, for the report. W.C.A. Wijngaards 2026-06-17 15:29:48 +0200
  • fa8e94f155 - Fix that malloc failure for new_local_rrset for RPZ qname trigger RR insert does not crash. It does not link a partial RRset, and logs an error on failure, and cleans up the dname allocation. Thanks to Qifan Zhang, Palo Alto Networks, for the report. W.C.A. Wijngaards 2026-06-17 15:26:56 +0200
  • cb5683aeae - Fix that malloc failure in dns64_inform_super does not set up a half-built reply for cache store, that could lead to a crash. Thanks to Qifan Zhang, Palo Alto Networks, for the report. W.C.A. Wijngaards 2026-06-17 15:23:25 +0200
  • c9715724ec - Fix that unbound-control auth_zone_reload stops the server answering from the zone after a failure to read. Thanks to Qifan Zhang, Palo Alto Networks, for the report. W.C.A. Wijngaards 2026-06-17 15:20:22 +0200
  • 78d9cfffd8 - Fix that malloc failure in auth-zone insert rr does not create an empty node and does not cause an infinite loop. Thanks to Qifan Zhang, Palo Alto Networks, for the report. W.C.A. Wijngaards 2026-06-17 15:16:21 +0200
  • b47b1d048d - Fix that unbound-checkconf checks if an auth-zone download can overwrite another file, by filename collision. Thanks to Qifan Zhang, Palo Alto Networks, for the report. W.C.A. Wijngaards 2026-06-17 15:11:42 +0200
  • 740952fb82 - Fix to remove debug from auth_transfer_limit test. W.C.A. Wijngaards 2026-06-17 11:38:24 +0200
  • 5c550f4548 - Fix that after fast_reload the disown of the auth zone transfer task cleans the chunk list. Also fix the auth_transfer_limit test to use a forwarder for each type of failure, so the one is not blocked by the other waiting. W.C.A. Wijngaards 2026-06-17 11:37:06 +0200
  • ec924ff79b
    Merge 4436251a0c into 3d78cb8d9a Andy Warner 2026-06-16 14:49:50 +0200
  • 4d5e77d7e8
    Merge eb3f58b68c into 3d78cb8d9a Jisakiel 2026-06-16 14:49:50 +0200
  • 3d78cb8d9a - Fix for #1462: Fix that auth primary host name lookup allows CNAMEs. W.C.A. Wijngaards 2026-06-16 11:13:47 +0200
  • 1ab75c0043 - Fix after malloc failure the rrset_insert_rr in localzone processing, during RPZ qname trigger processing, the RRset retains its previous data correctly. Thanks to Qifan Zhang, Palo Alto Networks, for the report. W.C.A. Wijngaards 2026-06-16 10:59:37 +0200
  • bebc8d516b - Fix incorrect cleanup after an allocation failure for a delegation point in a region. Thanks to Qifan Zhang, Palo Alto Networks, for the report. W.C.A. Wijngaards 2026-06-16 10:56:36 +0200
  • a7debe7ff6 - Fix that after shared memory cannot be created, from shm-enable, the server does not crash. Thanks to Qifan Zhang, Palo Alto Networks, for the report. W.C.A. Wijngaards 2026-06-16 10:53:40 +0200
  • 215e3920ef - Fix that after malloc failure in find_tag_datas, the local_alias is cleaned up. Thanks to Qifan Zhang, Palo Alto Networks, for the report. W.C.A. Wijngaards 2026-06-16 10:51:49 +0200
  • aabf28aef5 - Fix incorrect cleanup after an allocation failure for a delegation point. Thanks to Qifan Zhang, Palo Alto Networks, for the report. W.C.A. Wijngaards 2026-06-16 10:49:50 +0200
  • aa09835c90 - Fix for neater solution to clear log thread id after worker init failure. Thanks to Qifan Zhang, Palo Alto Networks, for the report. W.C.A. Wijngaards 2026-06-16 10:48:17 +0200
  • 9b9e13b665 - Fix that libunbound pipe functions fail with error after an event base is set. Thanks to Qifan Zhang, Palo Alto Networks, for the report. W.C.A. Wijngaards 2026-06-16 10:44:41 +0200
  • f72e11ef5b - Fix locking in libunbound ub_ctx_set_event call. Thanks to Qifan Zhang, Palo Alto Networks, for the report. W.C.A. Wijngaards 2026-06-16 10:42:39 +0200
  • a45e54555d - Fix that dnscrypt configuration does not crash, due to inconsistency between secret and public keys. Also duplicate files are skipped. Thanks to Qifan Zhang, Palo Alto Networks, for the report. W.C.A. Wijngaards 2026-06-16 10:40:10 +0200
  • 4693c00c9f - Fix that after malloc failure in RPZ load a half built list does not crash later. The newly created RRset is linked after creation has succeeded. Thanks to Qifan Zhang, Palo Alto Networks, for the report. W.C.A. Wijngaards 2026-06-16 10:35:41 +0200
  • 8fe23e0297 - Fix that for a zonefile only zone, if that file does not exist on server start, the server continues to start with a warning log message. Thanks to Qifan Zhang, Palo Alto Networks, for the report. W.C.A. Wijngaards 2026-06-16 10:26:25 +0200
  • 8557788699 - Fix that after malloc failure a half-built local_alias does not crash the server. Thanks to Qifan Zhang, Palo Alto Networks, for the report. W.C.A. Wijngaards 2026-06-16 10:12:19 +0200
  • 81a19ebeb3 - Fix that a signed wildcard NSEC, is checked before use, so it does not allow insecure DS proofs inappropriately. Thanks to Qifan Zhang, Palo Alto Networks, for the report. W.C.A. Wijngaards 2026-06-16 10:09:00 +0200
  • 299df5ec77 - Fix that dns64 does not ignore the forward-no-cache and stub-no-cache options. Thanks to Qifan Zhang, Palo Alto Networks, for the report. W.C.A. Wijngaards 2026-06-16 09:52:46 +0200
  • 6f9b6db7be - Fix that auth-zone, and RPZ zones, do not allow out-of-zone records. These are records that are not under the zone apex. The out-of-zone records are dropped from the zone contents. Thanks to Qifan Zhang, Palo Alto Networks, for the report. W.C.A. Wijngaards 2026-06-16 09:48:10 +0200
  • 96f15b9160 - Fix that a half-written trust anchor file does not crash the server at runtime. It unlinks a wrong file from the list. Thanks to Qifan Zhang, Palo Alto Networks, for the report. W.C.A. Wijngaards 2026-06-16 09:45:10 +0200
  • 159384c2a9 - Fix that when SVCB records cannot be written out, and are written in unknown format, that the zone read allows such unknown format SVCB records. Thanks to Qifan Zhang, Palo Alto Networks, for the report. W.C.A. Wijngaards 2026-06-16 09:36:33 +0200
  • c9e5908608
    Merge d67ca6bfed into d725d94793 Wouter Wijngaards 2026-06-16 07:33:40 +0000
  • d67ca6bfed Disallow $INCLUDE for secondary zones. This matches the change in the code repository, and is meant for after merge of the simdzone change. rpz-zone-load W.C.A. Wijngaards 2026-06-16 09:32:24 +0200
  • 621fc91453 - Fix to disallow $INCLUDE for secondary zones. Start up of server continues if a secondary zone fails to load. Failed loads clear the zone data, so there is no partial zone. Thanks to Qifan Zhang, Palo Alto Networks, for the report. W.C.A. Wijngaards 2026-06-16 09:30:52 +0200
  • a04a14655c
    Merge 4b8686f1f1 into 543c49f76c TomasKorbar 2026-06-15 17:48:33 +0200
  • 543c49f76c - Fix that dns64 bypasses rpz-passthru rule during synthesis. This restricted more than necessary. Thanks to Qifan Zhang, Palo Alto Networks, for the report. W.C.A. Wijngaards 2026-06-15 16:50:42 +0200
  • d0a760a587 - Fix misconfigured ipsecmod hook causing path name similarity with other file. The ipsecmod is changed for exec of the hook. The ipsecmod hook, if a script, has to start now with a line like #!/bin/sh. Thanks to Qifan Zhang, Palo Alto Networks, for the report. W.C.A. Wijngaards 2026-06-15 16:45:53 +0200
  • f68cca4097 - Fix DNAME synthesis from cache that keeps use of 0TTL entries in a sliding window. It did not surpass RRSIG expiry. Thanks to Qifan Zhang, Palo Alto Networks, for the report. W.C.A. Wijngaards 2026-06-15 16:39:34 +0200
  • 3129357874 - Fix log of an aliased qname, to not use freed region memory. Thanks to Qifan Zhang, Palo Alto Networks, for the report. W.C.A. Wijngaards 2026-06-15 16:34:17 +0200
  • fc09352df6 - Fix that fast_reload does not terminate the server for errors in config, for key files. Thanks to Qifan Zhang, Palo Alto Networks, for the report. W.C.A. Wijngaards 2026-06-15 16:31:37 +0200
  • 06da5d45a3 - Fix integer overflow for very high values of sock-queue-timeout. Thanks to Qifan Zhang, Palo Alto Networks, for the report. W.C.A. Wijngaards 2026-06-15 16:28:30 +0200
  • 69524cadad - Fix erroneous DNS error report values after bogus AAAA query caused error information that was not cleared by a successful A subquery. Thanks to Qifan Zhang, Palo Alto Networks, for the report. W.C.A. Wijngaards 2026-06-15 16:26:35 +0200
  • 98e95d80e6 - Fix integer overflow in infra-cache-max-rtt calculation. Thanks to Qifan Zhang, Palo Alto Networks, for the report. W.C.A. Wijngaards 2026-06-15 16:22:50 +0200
  • 2f8aa8a43a - Fix for fast_reload that removes an auth zone while its lookups are in progress, for a primary name. Also after the change, it no longer picks up the old results. Thanks to Qifan Zhang, Palo Alto Networks, for the report. W.C.A. Wijngaards 2026-06-15 16:18:56 +0200
  • 56e60e37ae - Fix that fast_reload when a zonemd verification lookup is in progress with subnet loaded, deregisters the callback. Thanks to Qifan Zhang, Palo Alto Networks, for the report. W.C.A. Wijngaards 2026-06-15 16:16:50 +0200
  • 8f5348ab47 - Fix that misconfigured iter-scrub-ns: 0 causes request failures. Thanks to Qifan Zhang, Palo Alto Networks, for the report. W.C.A. Wijngaards 2026-06-15 16:04:24 +0200
  • c5d693b21c - Fix buffer overflow when configured with lower than default size and http transfer. Thanks to Qifan Zhang, Palo Alto Networks, for the report. W.C.A. Wijngaards 2026-06-15 16:01:51 +0200
  • 27e3ac55b9 - Fix assertion failure for long HTTP header that fills buffer. Thanks to Qifan Zhang, Palo Alto Networks, for the report. W.C.A. Wijngaards 2026-06-15 15:54:37 +0200
  • 7879218773 Fix comment. W.C.A. Wijngaards 2026-06-15 15:53:00 +0200
  • 1354624ba4 - Fix perform a full transfer every number of incremental transfers, to stop increasing memory usage, for auth-zone and rpz zones. Thanks to Qifan Zhang, Palo Alto Networks, for the report. W.C.A. Wijngaards 2026-06-15 15:51:03 +0200
  • 153f8d5353 - Fix to add max-transfer-size and max-transfer-time that limit auth-zone and rpz transfer amount and time taken. Default is disabled. This hardens against unbounded transfers. Thanks to Qifan Zhang, Palo Alto Networks, for the report. W.C.A. Wijngaards 2026-06-15 15:45:03 +0200
  • 3104219e24
    Merge 98b0e6f80a into a1cecf7462 张欣接 2026-06-14 10:00:12 +0000
  • ccec723bbb
    Merge e843532159 into a1cecf7462 Nikolay Shopik 2026-06-12 23:50:38 +0300
  • a1cecf7462 - Fix that for auth-zone and rpz zones the allow-notify addresses and netblocks are available from start, and fix the probe step skip. W.C.A. Wijngaards 2026-06-12 11:48:14 +0200
  • 2533d510cf Add support for nftables sets mirroring existing ipset support Jonathan Duncan 2026-05-10 22:23:07 +0100
  • e2dac8a00a - Fix compile for OpenSSL 1.0.2 and before in server cleanup. W.C.A. Wijngaards 2026-06-11 17:31:19 +0200
  • ecd41bef27 - Fix #1437: Fix compile with OpenSSL 4.0.1. W.C.A. Wijngaards 2026-06-11 17:31:01 +0200
  • 05ae713e84
    Merge f2a2d9c1e9 into fd2131687a Paul Menzel 2026-06-11 07:20:21 -0400
  • fd2131687a - Fix for #1306: configure checks if the ngtcp2_crypto_ossl header file is available, and prints an error otherwise. W.C.A. Wijngaards 2026-06-11 11:43:46 +0200
  • 316b9ab4fc - Fix for #1306: configure detects specifically the call to SSL_set_quic_tls_early_data_enabled and SSL_set_quic_early_data_enabled, so the correct one is used. W.C.A. Wijngaards 2026-06-11 11:04:50 +0200
  • fe9691f11b
    Merge d4999d418c into d45daaf313 Willem Toorop 2026-06-11 09:45:41 +0200
  • d45daaf313 - Fix warnings with gcc in compat/inet_pton.c. W.C.A. Wijngaards 2026-06-10 16:43:41 +0200
  • db1c6d6557 - Fix pythonmod script read for numeric overflow. W.C.A. Wijngaards 2026-06-10 11:24:02 +0200
  • e7a713a525 - Fix unit test for ecs to check for malloc success. W.C.A. Wijngaards 2026-06-09 16:41:37 +0200
  • 39e67508c9
    change mailing list to forum Alex Band 2026-06-08 21:48:04 +0200
  • 0942a3376e
    Merge e3263636d3 into 3eab974ca2 DavidKorczynski 2026-06-04 03:49:58 +0200
  • 22f2680ff5
    Merge bc31a34416 into 3eab974ca2 Toria 2026-06-04 03:48:51 +0200
  • 3eab974ca2 - Fix that dns64 cleans up the allocated message if the adjust routines fail, and checks if there is a reply before cache store, also unbound checks if A and AAAA are malformed for auth-zones. Thanks to Qifan Zhang, Palo Alto Networks, for the report. W.C.A. Wijngaards 2026-06-03 14:56:20 +0200
  • b1d1dcb3b6 - Fix that dump_cache has a larger buffer for records, and it checks that an owner name does not collide with BADRR on the input, and changes verbosity on the log of failure in rrset to string. Thanks to Qifan Zhang, Palo Alto Networks, for the report. W.C.A. Wijngaards 2026-06-03 14:51:16 +0200
  • 10cb62aca2 - Fix that validation canonicalization of domain names in rdata checks for buffer bounds. Thanks to Qifan Zhang, Palo Alto Networks, for the report. W.C.A. Wijngaards 2026-06-03 14:48:06 +0200
  • 6da73aba38 - Fix fast_reload for when a ZONEMD lookup is in progress. Thanks to Qifan Zhang, Palo Alto Networks, for the report. W.C.A. Wijngaards 2026-06-03 14:42:47 +0200
  • 1b1b9626ee - Fix negative cache NSEC3 nodata proof, to use the correct message size. Thanks to Qifan Zhang, Palo Alto Networks, for the report. W.C.A. Wijngaards 2026-06-03 14:40:17 +0200
  • 8bc074043a - Fix PROXYv2 header read and consume, it checks the header size. Thanks to Qifan Zhang, Palo Alto Networks for the report. W.C.A. Wijngaards 2026-06-03 14:37:37 +0200
  • 04a6322aa4 - Fix ipset module to use larger domain name buffers, and check buffer lengths. Thanks to Qifan Zhang, Palo Alto Networks for the report. W.C.A. Wijngaards 2026-06-03 14:35:06 +0200
  • 5748f518d1 - Fix that quotation and escaping works the same in auth-zone url content, as in the zonefile read. Thanks to Qifan Zhang, Palo Alto Networks for the report. W.C.A. Wijngaards 2026-06-03 14:32:14 +0200
  • d05eff4d54 - Fix parse of svcbparam ech, it had incorrect length. Thanks to Qifan Zhang, Palo Alto Networks for the report. W.C.A. Wijngaards 2026-06-03 14:05:48 +0200
  • 4544eaa4cc - Fix const as reported by newest compiler warnings. Yorgos Thessalonikefs 2026-06-03 14:00:04 +0200
  • 5d0770d0ad - Fix negative cache to work with NSEC3 records without salt. Thanks to Xin Wang, Jiapeng Li, and Jiajia Liu, Northwestern Polytechnical University, for the report. W.C.A. Wijngaards 2026-06-03 13:56:31 +0200
  • 7f4beb846e - Fix that the processing of class responses does not have a heap use-after-free. That could happen if at least two distinct classes are configured for resolution. Thanks to Qifan Zhang, Palo Alto Networks for the report. In addition, thanks to Xin Wang, Jiapeng Li, and Jiajia Liu, Northwestern Polytechnical University, for also reporting this. W.C.A. Wijngaards 2026-06-03 12:14:30 +0200
  • e843532159 doc: revert Changelog and fix man-page whitespace regressions Nikolay Shopik 2026-05-31 10:02:37 +0300
  • f99f5ecb20 doc: trim client-wait-timeout man page entry to operator altitude Nikolay Shopik 2026-05-31 01:01:38 +0300
  • 26491da097 Changelog: add client-wait-timeout Nikolay Shopik 2026-05-30 23:58:33 +0300
  • e698495f51 doc: document client-wait-timeout in example.conf and man page Nikolay Shopik 2026-05-30 23:58:05 +0300
  • f52b7e2bc0 checkconf: reject negative client-wait-timeout and warn when it pre-empts serve-expired Nikolay Shopik 2026-05-30 23:53:33 +0300
  • 598ed97093 test: add serve-expired interaction tests for client-wait-timeout Nikolay Shopik 2026-05-30 23:47:39 +0300
  • 69f39aaf13 test: add client-wait-timeout fairness (staggered) and TCP timeout replay tests Nikolay Shopik 2026-05-30 23:38:31 +0300
  • b7f979297e test: add client_wait_timeout_basic.rpl — SERVFAIL+EDE22 on timeout Nikolay Shopik 2026-05-30 23:30:42 +0300
  • f6c70499a1 mesh: implement client-wait-timeout timer, callback, and SERVFAIL+EDE22 emission Nikolay Shopik 2026-05-30 23:20:42 +0300
  • 9614631dd9 stats: wire num_queries_client_wait_timeout through stats, remote, control, and fast-reload copy Nikolay Shopik 2026-05-30 23:04:10 +0300
  • 3e05a92dab mesh: add client_wait_data, mesh_cb.start_time, and num_queries_client_wait_timeout counter Nikolay Shopik 2026-05-30 22:59:19 +0300
  • bd3b3296d8 config: add client-wait-timeout keyword (default 0, disabled) Nikolay Shopik 2026-05-30 22:54:12 +0300