debian/0000775000000000000000000000000013306274670007200 5ustar debian/root-auto-trust-anchor-file.conf0000664000000000000000000000027612310113675015340 0ustar server: # The following line will configure unbound to perform cryptographic # DNSSEC validation using the root trust anchor. auto-trust-anchor-file: "/var/lib/unbound/root.key" debian/unbound.prerm0000664000000000000000000000004612310113675011710 0ustar #!/bin/sh set -e #DEBHELPER# exit 0 debian/compat0000664000000000000000000000000212310113675010365 0ustar 9 debian/unbound.install0000664000000000000000000000065012310113675012232 0ustar debian/unbound.conf etc/unbound debian/root-auto-trust-anchor-file.conf etc/unbound/unbound.conf.d usr/sbin/unbound-control usr/sbin usr/sbin/unbound-control-setup usr/sbin usr/sbin/unbound-checkconf usr/sbin usr/share/man/man5/unbound.conf.5 usr/share/man/man5 usr/share/man/man8/unbound-checkconf.8 usr/share/man/man8 usr/share/man/man8/unbound-control.8 usr/share/man/man8 usr/share/man/man8/unbound.8 usr/share/man/man8 debian/resolvconf0000664000000000000000000000201312310113675011266 0ustar #!/bin/sh -e PATH=/usr/sbin:/usr/bin:/sbin:/bin if [ ! -x /usr/sbin/unbound ]; then exit 0 fi if [ ! -f /etc/unbound/unbound_control.key ]; then exit 0 fi if [ ! -x /lib/resolvconf/list-records ]; then exit 1 fi RESOLVCONF_FORWARDERS=false if [ -f /etc/default/unbound ]; then . 
/etc/default/unbound case "x$RESOLVCONF_FORWARDERS" in xtrue|x1|xyes) RESOLVCONF_FORWARDERS=true ;; *) RESOLVCONF_FORWARDERS=false ;; esac fi if $RESOLVCONF_FORWARDERS; then RESOLVCONF_FILES="$(/lib/resolvconf/list-records)" if [ -n "$RESOLVCONF_FILES" ]; then NS_IPS="$(sed -rne 's/^[[:space:]]*nameserver[[:space:]]+//p' $RESOLVCONF_FILES \ | egrep -v '^(127\.|::1)' | sort -u)" else NS_IPS="" fi if [ -n "$NS_IPS" ]; then FWD="$(echo $NS_IPS | tr '\n' ' ')" unbound-control forward $FWD 1>/dev/null 2>&1 || true else unbound-control forward off 1>/dev/null 2>&1 || true fi fi debian/source/0000775000000000000000000000000012310113675010467 5ustar debian/source/options0000664000000000000000000000002412310113675012101 0ustar single-debian-patch debian/source/format0000664000000000000000000000001412310113675011675 0ustar 3.0 (quilt) debian/unbound.postrm0000664000000000000000000000056012310113675012110 0ustar #!/bin/sh -e if [ "$1" = remove ]; then rm -rf /var/lib/unbound deluser --quiet unbound >/dev/null || true fi if [ "$1" = purge ]; then rm -f /etc/unbound/unbound_control.key \ /etc/unbound/unbound_control.pem \ /etc/unbound/unbound_server.key \ /etc/unbound/unbound_server.pem rm -f /var/lib/unbound/root.key fi #DEBHELPER# debian/control0000664000000000000000000000662512453522201010600 0ustar Source: unbound Section: net Priority: optional Maintainer: Ubuntu Developers XSBC-Original-Maintainer: Robert S. 
Edmonds Build-Depends: dpkg-dev (>= 1.16.1~), debhelper (>= 9~), dh-autoreconf, doxygen, autoconf, automake, autotools-dev, libtool, flex, bison, libssl-dev, libevent-dev, libexpat1-dev, python-all-dev (>= 2.6.6-3~), swig Standards-Version: 3.9.5 Homepage: https://www.unbound.net/ Vcs-Browser: http://anonscm.debian.org/gitweb/?p=users/edmonds/unbound.git Vcs-Git: git://anonscm.debian.org/users/edmonds/unbound.git Package: unbound Architecture: any Depends: ${misc:Depends}, ${shlibs:Depends}, unbound-anchor, adduser, openssl Description: validating, recursive, caching DNS resolver Unbound is a recursive-only caching DNS server which can perform DNSSEC validation of results. It implements only a minimal amount of authoritative service to prevent leakage to the root nameservers: forward lookups for localhost, reverse for 127.0.0.1 and ::1, and NXDOMAIN for zones served by AS112. Stub and forward zones are supported. . This package contains the unbound daemon. Package: unbound-anchor Architecture: any Depends: ${misc:Depends}, ${shlibs:Depends} Replaces: unbound (<< 1.4.13-1) Breaks: unbound (<< 1.4.13-1) Description: utility to securely fetch the root DNS trust anchor unbound-anchor is a utility which securely fetches or updates the root DNS zone trust anchor. A copy of the current root anchor and root update certificate is embedded in unbound-anchor. RFC 5011 trust anchor tracking is performed, with fallback to an SSL fetch if this fails. Package: unbound-host Architecture: any Depends: ${misc:Depends}, ${shlibs:Depends} Description: reimplementation of the 'host' command This package provides the 'unbound-host' program that is bundled with the Unbound domain name server. This version differs from the one provided in the package called host, which is from NIKHEF, and bind9-host, which is from ISC, and has a similar but different set of features and options. 
Package: libunbound2 Section: libs Architecture: any Depends: ${misc:Depends}, ${shlibs:Depends} Pre-Depends: ${misc:Pre-Depends} Multi-Arch: same Description: library implementing DNS resolution and validation libunbound performs and validates DNS lookups; it can be used to convert hostnames to IP addresses and back and obtain other information from the DNS. Cryptographic validation of results is performed with DNSSEC. Package: libunbound-dev Section: libdevel Architecture: any Depends: ${misc:Depends}, libunbound2 (= ${binary:Version}) Multi-Arch: same Description: static library, header files, and docs for libunbound Static library, header files, and documentation for libunbound. . libunbound performs and validates DNS lookups; it can be used to convert hostnames to IP addresses and back and obtain other information from the DNS. Cryptographic validation of results is performed with DNSSEC. Package: python-unbound Section: python Architecture: any Depends: ${shlibs:Depends}, ${misc:Depends}, ${python:Depends} Description: library implementing DNS resolution and validation (Python bindings) Python extension module for libunbound. . libunbound performs and validates DNS lookups; it can be used to convert hostnames to IP addresses and back and obtain other information from the DNS. Cryptographic validation of results is performed with DNSSEC. debian/unbound.init0000664000000000000000000001143112310113675011526 0ustar #!/bin/sh ### BEGIN INIT INFO # Provides: unbound # Required-Start: $network $remote_fs $syslog # Required-Stop: $network $remote_fs $syslog # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 ### END INIT INFO NAME=unbound DESC="recursive DNS server" DAEMON=/usr/sbin/unbound PIDFILE="/var/run/unbound.pid" test -x $DAEMON || exit 0 test -x ${DAEMON}-checkconf || exit 0 . 
/lib/lsb/init-functions UNBOUND_ENABLE=true UNBOUND_CONF=/etc/unbound/unbound.conf UNBOUND_BASE_DIR=$(dirname $UNBOUND_CONF) CHROOT_DIR=$(awk '{if ($1 ~ "^chroot" && $2 != "\"\"") print $2}' $UNBOUND_CONF|sed -e "s#\"##g") ROOT_TRUST_ANCHOR_UPDATE=false ROOT_TRUST_ANCHOR_FILE=/var/lib/unbound/root.key RESOLVCONF=false RESOLVCONF_FORWARDERS=false if [ -f /etc/default/$NAME ]; then . /etc/default/$NAME case "x$UNBOUND_ENABLE" in xtrue|x1|xyes) UNBOUND_ENABLE=true ;; *) UNBOUND_ENABLE=false ;; esac case "x$ROOT_TRUST_ANCHOR_UPDATE" in xtrue|x1|xyes) ROOT_TRUST_ANCHOR_UPDATE=true ;; *) ROOT_TRUST_ANCHOR_UPDATE=false ;; esac case "x$RESOLVCONF" in xtrue|x1|xyes) RESOLVCONF=true ;; *) RESOLVCONF=false esac case "x$RESOLVCONF_FORWARDERS" in xtrue|x1|xyes) RESOLVCONF_FORWARDERS=true ;; *) RESOLVCONF_FORWARDERS=false esac fi do_resolvconf_start() { if $RESOLVCONF; then if [ -x /sbin/resolvconf ]; then unbound-checkconf $CHROOT_DIR/$UNBOUND_CONF -o interface | ( default=yes while read interface; do default=no if [ "x$interface" = x0.0.0.0 -o "x$interface" = x127.0.0.1 ]; then echo "nameserver 127.0.0.1" elif [ "x$interface" = x::0 -o "x$interface" = x::1 ]; then echo "nameserver ::1" fi done if [ $default = yes ]; then # unbound defaults to listening on localhost echo "nameserver 127.0.0.1" fi ) | /sbin/resolvconf -a lo.unbound fi fi } do_resolvconf_stop() { if $RESOLVCONF; then if [ -x /sbin/resolvconf ]; then /sbin/resolvconf -d lo.unbound fi fi } do_chroot_setup() { if [ -d "$CHROOT_DIR" -a "$CHROOT_DIR" != "$UNBOUND_BASE_DIR" ]; then cd / tar --overwrite -cf - $(echo $UNBOUND_BASE_DIR | sed 's#^/##') | (cd $CHROOT_DIR && tar -xf -) fi } case "$1" in start) if $UNBOUND_ENABLE; then do_chroot_setup if $ROOT_TRUST_ANCHOR_UPDATE; then unbound-anchor -a $ROOT_TRUST_ANCHOR_FILE -v 2>&1 | logger -p daemon.info -t unbound-anchor chown unbound:unbound $ROOT_TRUST_ANCHOR_FILE fi log_daemon_msg "Starting $DESC" "$NAME" if start-stop-daemon --start --quiet --oknodo --pidfile 
$PIDFILE --name $NAME --startas $DAEMON -- $DAEMON_OPTS; then do_resolvconf_start log_end_msg 0 else log_end_msg 1 fi else log_warning_msg "Not starting $DESC $NAME, disabled via /etc/default/$NAME" fi ;; stop) if $UNBOUND_ENABLE; then log_daemon_msg "Stopping $DESC" "$NAME" if start-stop-daemon --stop --quiet --oknodo --pidfile $PIDFILE --name $NAME; then do_resolvconf_stop log_end_msg 0 else log_end_msg 1 fi fi ;; restart|force-reload) if $UNBOUND_ENABLE; then log_daemon_msg "Restarting $DESC" "$NAME" start-stop-daemon --stop --quiet --pidfile $PIDFILE --name $NAME --retry 5 do_resolvconf_stop if start-stop-daemon --start --quiet --oknodo --pidfile $PIDFILE --name $NAME --startas $DAEMON -- $DAEMON_OPTS; then do_chroot_setup do_resolvconf_start log_end_msg 0 else log_end_msg 1 fi fi ;; reload) if $UNBOUND_ENABLE; then log_daemon_msg "Reloading $DESC" "$NAME" if start-stop-daemon --stop --pidfile $PIDFILE --signal 1; then do_chroot_setup log_end_msg 0 else log_end_msg 1 fi fi ;; status) status_of_proc -p $PIDFILE $DAEMON $NAME && exit 0 || exit $? ;; *) N=/etc/init.d/$NAME echo "Usage: $N {start|stop|restart|status|reload|force-reload}" >&2 exit 1 ;; esac exit 0; debian/unbound.dirs0000664000000000000000000000027412310113675011527 0ustar etc/default etc/insserv.conf.d etc/resolvconf/update.d etc/unbound etc/unbound/unbound.conf.d usr/sbin usr/share/doc/unbound/examples usr/share/man/man5 usr/share/man/man8 var/lib/unbound debian/unbound.default0000664000000000000000000000110512310113675012204 0ustar # If set, the unbound daemon will be started and stopped by the init script. UNBOUND_ENABLE=true # Whether to automatically update the root trust anchor file. ROOT_TRUST_ANCHOR_UPDATE=true # File in which to store the root trust anchor. ROOT_TRUST_ANCHOR_FILE=/var/lib/unbound/root.key # If set, the unbound init script will provide unbound's listening # IP addresses as nameservers to resolvconf. 
RESOLVCONF=true # If set, resolvconf nameservers will be configured as forwarders # to be used by unbound. RESOLVCONF_FORWARDERS=true #DAEMON_OPTS="-c /etc/unbound/unbound.conf" debian/watch0000664000000000000000000000012212310113675010213 0ustar version=3 http://www.unbound.net/download.html \ downloads/unbound-(.+)\.tar\.gz debian/unbound.conf0000664000000000000000000000051412310113675011510 0ustar # Unbound configuration file for Debian. # # See the unbound.conf(5) man page. # # See /usr/share/doc/unbound/examples/unbound.conf for a commented # reference config file. # # The following line includes additional configuration files from the # /etc/unbound/unbound.conf.d directory. include: "/etc/unbound/unbound.conf.d/*.conf" debian/patches/0000775000000000000000000000000013306274622010624 5ustar debian/patches/CVE-2017-15105.patch0000664000000000000000000011067313306274534013334 0ustar Description: vulnerability in the processing of wildcard synthesized NSEC records Origin: https://unbound.net/downloads/patch_cve_2017_15105.diff Forwarded: not-needed [Adjusted for minor type name changes in unbound 1.5.8 --sbeattie] --- testcode/unitverify.c | 4 +++- validator/autotrust.c | 23 ++++++++++++++--------- validator/autotrust.h | 5 ++++- validator/val_nsec.c | 13 ++++++++----- validator/val_nsec.h | 4 +++- validator/val_nsec3.c | 9 +++++---- validator/val_nsec3.h | 5 ++++- validator/val_sigcrypt.c | 40 +++++++++++++++++++++++++++++++--------- validator/val_sigcrypt.h | 22 ++++++++++++++++++---- validator/val_utils.c | 37 ++++++++++++++++++++++--------------- validator/val_utils.h | 29 ++++++++++++++++++++++------- validator/validator.c | 24 ++++++++++++++---------- 12 files changed, 148 insertions(+), 67 deletions(-) Index: b/testcode/unitverify.c =================================================================== --- a/testcode/unitverify.c +++ b/testcode/unitverify.c 
@@ -186,7 +186,9 @@ verifytest_rrset(struct module_env* env, ntohs(rrset->rk.rrset_class)); } setup_sigalg(dnskey, sigalg); /* check all algorithms in the dnskey */ - sec = dnskeyset_verify_rrset(env, ve, rrset, dnskey, sigalg, &reason); + /* ok to give null as qstate here, won't be used for answer section. */ + sec = dnskeyset_verify_rrset(env, ve, rrset, dnskey, sigalg, &reason, + LDNS_SECTION_ANSWER, NULL); if(vsig) { printf("verify outcome is: %s %s\n", sec_status_to_string(sec), reason?reason:""); Index: b/validator/autotrust.c =================================================================== --- a/validator/autotrust.c +++ b/validator/autotrust.c @@ -1217,17 +1217,20 @@ void autr_write_file(struct module_env* * @param ve: validator environment (with options) for verification. * @param tp: trust point to verify with * @param rrset: DNSKEY rrset to verify. + * @param qstate: qstate with region. * @return false on failure, true if verification successful. */ static int verify_dnskey(struct module_env* env, struct val_env* ve, - struct trust_anchor* tp, struct ub_packed_rrset_key* rrset) + struct trust_anchor* tp, struct ub_packed_rrset_key* rrset, + struct module_qstate* qstate) { char* reason = NULL; uint8_t sigalg[ALGO_NEEDS_MAX+1]; int downprot = 1; enum sec_status sec = val_verify_DNSKEY_with_TA(env, ve, rrset, - tp->ds_rrset, tp->dnskey_rrset, downprot?sigalg:NULL, &reason); + tp->ds_rrset, tp->dnskey_rrset, downprot?sigalg:NULL, &reason, + qstate); /* sigalg is ignored, it returns algorithms signalled to exist, but * in 5011 there are no other rrsets to check. if downprot is * enabled, then it checks that the DNSKEY is signed with all 
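Review bot: The updated unit-test call exercises only the LDNS_SECTION_ANSWER path with a NULL qstate, so the owner-name replacement this patch introduces for NSEC records in the authority section is not covered by the unit test at all. The new comment `ok to give null as qstate here, won't be used for answer section.` records a contract that is only implicit in rrset_canonical: the NULL is safe purely because the authority-section branch is never reached for an answer-section rrset. A second verifytest case that passes LDNS_SECTION_AUTHORITY with a real qstate and a wildcard-synthesized NSEC rrset would pin the fix; failing that, I would at least sharpen the comment to `/* qstate may be NULL only for non-authority sections; the authority-section branch in rrset_canonical dereferences it. */`. verifytest_rrset continues outside the hunk.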
@@ -1266,7 +1269,8 @@ min_expiry(struct module_env* env, struc /** Is rr self-signed revoked key */ static int rr_is_selfsigned_revoked(struct module_env* env, struct val_env* ve, - struct ub_packed_rrset_key* dnskey_rrset, size_t i) + struct ub_packed_rrset_key* dnskey_rrset, size_t i, + struct module_qstate* qstate) { enum sec_status sec; char* reason = NULL; @@ -1275,7 +1279,7 @@ rr_is_selfsigned_revoked(struct module_e /* no algorithm downgrade protection necessary, if it is selfsigned * revoked it can be removed. */ sec = dnskey_verify_rrset(env, ve, dnskey_rrset, dnskey_rrset, i, - &reason); + &reason, LDNS_SECTION_ANSWER, qstate); return (sec == sec_status_secure); } @@ -1487,7 +1491,7 @@ init_events(struct trust_anchor* tp) static void check_contains_revoked(struct module_env* env, struct val_env* ve, struct trust_anchor* tp, struct ub_packed_rrset_key* dnskey_rrset, - int* changed) + int* changed, struct module_qstate* qstate) { struct packed_rrset_data* dd = (struct packed_rrset_data*) dnskey_rrset->entry.data; @@ -1507,7 +1511,7 @@ check_contains_revoked(struct module_env } if(!ta) continue; /* key not found */ - if(rr_is_selfsigned_revoked(env, ve, dnskey_rrset, i)) { + if(rr_is_selfsigned_revoked(env, ve, dnskey_rrset, i, qstate)) { /* checked if there is an rrsig signed by this key. */ /* same keytag, but stored can be revoked already, so * compare keytags, with +0 or +128(REVOKE flag) */ @@ -2100,7 +2104,8 @@ autr_tp_remove(struct module_env* env, s } int autr_process_prime(struct module_env* env, struct val_env* ve, - struct trust_anchor* tp, struct ub_packed_rrset_key* dnskey_rrset) + struct trust_anchor* tp, struct ub_packed_rrset_key* dnskey_rrset, + struct module_qstate* qstate) { int changed = 0; log_assert(tp && tp->autr); 
@@ -2141,7 +2146,7 @@ int autr_process_prime(struct module_env return 1; /* trust point exists */ } /* check for revoked keys to remove immediately */ - check_contains_revoked(env, ve, tp, dnskey_rrset, &changed); + check_contains_revoked(env, ve, tp, dnskey_rrset, &changed, qstate); if(changed) { verbose(VERB_ALGO, "autotrust: revokedkeys, reassemble"); if(!autr_assemble(tp)) { @@ -2157,7 +2162,7 @@ int autr_process_prime(struct module_env } } /* verify the dnskey rrset and see if it is valid. */ - if(!verify_dnskey(env, ve, tp, dnskey_rrset)) { + if(!verify_dnskey(env, ve, tp, dnskey_rrset, qstate)) { verbose(VERB_ALGO, "autotrust: dnskey did not verify."); /* only increase failure count if this is not the first prime, * this means there was a previous succesful probe */ Index: b/validator/autotrust.h =================================================================== --- a/validator/autotrust.h +++ b/validator/autotrust.h @@ -47,6 +47,7 @@ struct val_anchors; struct trust_anchor; struct ub_packed_rrset_key; struct module_env; +struct module_qstate; struct val_env; struct sldns_buffer; @@ -188,12 +189,14 @@ void autr_point_delete(struct trust_anch * @param tp: trust anchor to process. * @param dnskey_rrset: DNSKEY rrset probed (can be NULL if bad prime result). * allocated in a region. Has not been validated yet. + * @param qstate: qstate with region. * @return false if trust anchor was revoked completely. * Otherwise logs errors to log, does not change return value. * On errors, likely the trust point has been unchanged. */ int autr_process_prime(struct module_env* env, struct val_env* ve, - struct trust_anchor* tp, struct ub_packed_rrset_key* dnskey_rrset); + struct trust_anchor* tp, struct ub_packed_rrset_key* dnskey_rrset, + struct module_qstate* qstate); /** * Debug printout of rfc5011 tracked anchors Index: b/validator/val_nsec.c =================================================================== --- a/validator/val_nsec.c +++ b/validator/val_nsec.c 
@@ -176,7 +176,7 @@ val_nsec_proves_no_ds(struct ub_packed_r static int nsec_verify_rrset(struct module_env* env, struct val_env* ve, struct ub_packed_rrset_key* nsec, struct key_entry_key* kkey, - char** reason) + char** reason, struct module_qstate* qstate) { struct packed_rrset_data* d = (struct packed_rrset_data*) nsec->entry.data; @@ -185,7 +185,8 @@ nsec_verify_rrset(struct module_env* env rrset_check_sec_status(env->rrset_cache, nsec, *env->now); if(d->security == sec_status_secure) return 1; - d->security = val_verify_rrset_entry(env, ve, nsec, kkey, reason); + d->security = val_verify_rrset_entry(env, ve, nsec, kkey, reason, + LDNS_SECTION_AUTHORITY, qstate); if(d->security == sec_status_secure) { rrset_update_sec_status(env->rrset_cache, nsec, *env->now); return 1; @@ -196,7 +197,8 @@ nsec_verify_rrset(struct module_env* env enum sec_status val_nsec_prove_nodata_dsreply(struct module_env* env, struct val_env* ve, struct query_info* qinfo, struct reply_info* rep, - struct key_entry_key* kkey, time_t* proof_ttl, char** reason) + struct key_entry_key* kkey, time_t* proof_ttl, char** reason, + struct module_qstate* qstate) { struct ub_packed_rrset_key* nsec = reply_find_rrset_section_ns( rep, qinfo->qname, qinfo->qname_len, LDNS_RR_TYPE_NSEC, @@ -213,7 +215,7 @@ val_nsec_prove_nodata_dsreply(struct mod * 1) this is a delegation point and there is no DS * 2) this is not a delegation point */ if(nsec) { - if(!nsec_verify_rrset(env, ve, nsec, kkey, reason)) { + if(!nsec_verify_rrset(env, ve, nsec, kkey, reason, qstate)) { verbose(VERB_ALGO, "NSEC RRset for the " "referral did not verify."); return sec_status_bogus; 
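Review bot: nsec_verify_rrset still returns early when rrset_check_sec_status() finds the NSEC already marked secure in the rrset cache (the two lines just above the changed val_verify_rrset_entry call), and on that path the new owner-name replacement for authority-section NSECs never runs. If an NSEC rrset can reach the cache as secure under a non-canonical owner (for instance after being validated in a different section), the proof code that follows would still see the un-canonicalised owner; I cannot confirm from the hunk whether the cache keying rules that out, so it is worth checking. A note on the early return, `/* cached-secure NSECs skip rrset_canonical, so the stored owner is used as-is -- confirm it is always the canonical one */`, would flag the assumption for the next reader. nsec_verify_rrset starts in the previous hunk.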
@@ -242,7 +244,8 @@ val_nsec_prove_nodata_dsreply(struct mod i++) { if(rep->rrsets[i]->rk.type != htons(LDNS_RR_TYPE_NSEC)) continue; - if(!nsec_verify_rrset(env, ve, rep->rrsets[i], kkey, reason)) { + if(!nsec_verify_rrset(env, ve, rep->rrsets[i], kkey, reason, + qstate)) { verbose(VERB_ALGO, "NSEC for empty non-terminal " "did not verify."); return sec_status_bogus; Index: b/validator/val_nsec.h =================================================================== --- a/validator/val_nsec.h +++ b/validator/val_nsec.h @@ -46,6 +46,7 @@ #include "util/data/packed_rrset.h" struct val_env; struct module_env; +struct module_qstate; struct ub_packed_rrset_key; struct reply_info; struct query_info; @@ -64,6 +65,7 @@ struct key_entry_key; * @param kkey: key entry to use for verification of signatures. * @param proof_ttl: if secure, the TTL of how long this proof lasts. * @param reason: string explaining why bogus. + * @param qstate: qstate with region. * @return security status. * SECURE: proved absence of DS. * INSECURE: proved that this was not a delegation point. @@ -73,7 +75,7 @@ struct key_entry_key; enum sec_status val_nsec_prove_nodata_dsreply(struct module_env* env, struct val_env* ve, struct query_info* qinfo, struct reply_info* rep, struct key_entry_key* kkey, - time_t* proof_ttl, char** reason); + time_t* proof_ttl, char** reason, struct module_qstate* qstate); /** * nsec typemap check, takes an NSEC-type bitmap as argument, checks for type. Index: b/validator/val_nsec3.c =================================================================== --- a/validator/val_nsec3.c +++ b/validator/val_nsec3.c @@ -1339,7 +1339,7 @@ nsec3_prove_wildcard(struct module_env* static int list_is_secure(struct module_env* env, struct val_env* ve, struct ub_packed_rrset_key** list, size_t num, - struct key_entry_key* kkey, char** reason) + struct key_entry_key* kkey, char** reason, struct module_qstate* qstate) { struct packed_rrset_data* d; size_t i; 
@@ -1353,7 +1353,7 @@ list_is_secure(struct module_env* env, s if(d->security == sec_status_secure) continue; d->security = val_verify_rrset_entry(env, ve, list[i], kkey, - reason); + reason, LDNS_SECTION_AUTHORITY, qstate); if(d->security != sec_status_secure) { verbose(VERB_ALGO, "NSEC3 did not verify"); return 0; @@ -1366,7 +1366,8 @@ list_is_secure(struct module_env* env, s enum sec_status nsec3_prove_nods(struct module_env* env, struct val_env* ve, struct ub_packed_rrset_key** list, size_t num, - struct query_info* qinfo, struct key_entry_key* kkey, char** reason) + struct query_info* qinfo, struct key_entry_key* kkey, char** reason, + struct module_qstate* qstate) { rbtree_t ct; struct nsec3_filter flt; @@ -1379,7 +1380,7 @@ nsec3_prove_nods(struct module_env* env, *reason = "no valid NSEC3s"; return sec_status_bogus; /* no valid NSEC3s, bogus */ } - if(!list_is_secure(env, ve, list, num, kkey, reason)) + if(!list_is_secure(env, ve, list, num, kkey, reason, qstate)) return sec_status_bogus; /* not all NSEC3 records secure */ rbtree_init(&ct, &nsec3_hash_cmp); /* init names-to-hash cache */ filter_init(&flt, list, num, qinfo); /* init RR iterator */ Index: b/validator/val_nsec3.h =================================================================== --- a/validator/val_nsec3.h +++ b/validator/val_nsec3.h @@ -71,6 +71,7 @@ struct val_env; struct regional; struct module_env; +struct module_qstate; struct ub_packed_rrset_key; struct reply_info; struct query_info; @@ -185,6 +186,7 @@ nsec3_prove_wildcard(struct module_env* * @param qinfo: query that is verified for. * @param kkey: key entry that signed the NSEC3s. * @param reason: string for bogus result. + * @param qstate: qstate with region. * @return: * sec_status SECURE of the proposition is proven by the NSEC3 RRs, * BOGUS if not, INSECURE if all of the NSEC3s could be validly ignored. 
@@ -194,7 +196,8 @@ nsec3_prove_wildcard(struct module_env* enum sec_status nsec3_prove_nods(struct module_env* env, struct val_env* ve, struct ub_packed_rrset_key** list, size_t num, - struct query_info* qinfo, struct key_entry_key* kkey, char** reason); + struct query_info* qinfo, struct key_entry_key* kkey, char** reason, + struct module_qstate* qstate); /** * Prove NXDOMAIN or NODATA. Index: b/validator/val_sigcrypt.c =================================================================== --- a/validator/val_sigcrypt.c +++ b/validator/val_sigcrypt.c @@ -479,7 +479,8 @@ int algo_needs_missing(struct algo_needs enum sec_status dnskeyset_verify_rrset(struct module_env* env, struct val_env* ve, struct ub_packed_rrset_key* rrset, struct ub_packed_rrset_key* dnskey, - uint8_t* sigalg, char** reason) + uint8_t* sigalg, char** reason, sldns_pkt_section section, + struct module_qstate* qstate) { enum sec_status sec; size_t i, num; @@ -506,7 +507,7 @@ dnskeyset_verify_rrset(struct module_env } for(i=0; inow, rrset, - dnskey, i, &sortree, reason); + dnskey, i, &sortree, reason, section, qstate); /* see which algorithm has been fixed up */ if(sec == sec_status_secure) { if(!sigalg) @@ -547,7 +548,8 @@ void algo_needs_reason(struct module_env enum sec_status dnskey_verify_rrset(struct module_env* env, struct val_env* ve, struct ub_packed_rrset_key* rrset, struct ub_packed_rrset_key* dnskey, - size_t dnskey_idx, char** reason) + size_t dnskey_idx, char** reason, sldns_pkt_section section, + struct module_qstate* qstate) { enum sec_status sec; size_t i, num, numchecked = 0; @@ -571,7 +573,8 @@ dnskey_verify_rrset(struct module_env* e buf_canon = 0; sec = dnskey_verify_rrset_sig(env->scratch, env->scratch_buffer, ve, *env->now, rrset, - dnskey, dnskey_idx, i, &sortree, &buf_canon, reason); + dnskey, dnskey_idx, i, &sortree, &buf_canon, reason, + section, qstate); if(sec == sec_status_secure) return sec; numchecked ++; 
@@ -585,7 +588,8 @@ enum sec_status dnskeyset_verify_rrset_sig(struct module_env* env, struct val_env* ve, time_t now, struct ub_packed_rrset_key* rrset, struct ub_packed_rrset_key* dnskey, size_t sig_idx, - struct rbtree_t** sortree, char** reason) + struct rbtree_t** sortree, char** reason, sldns_pkt_section section, + struct module_qstate* qstate) { /* find matching keys and check them */ enum sec_status sec = sec_status_bogus; @@ -610,7 +614,7 @@ dnskeyset_verify_rrset_sig(struct module /* see if key verifies */ sec = dnskey_verify_rrset_sig(env->scratch, env->scratch_buffer, ve, now, rrset, dnskey, i, - sig_idx, sortree, &buf_canon, reason); + sig_idx, sortree, &buf_canon, reason, section, qstate); if(sec == sec_status_secure) return sec; } @@ -1117,12 +1121,15 @@ int rrset_canonical_equal(struct regiona * signer name length. * @param sortree: if NULL is passed a new sorted rrset tree is built. * Otherwise it is reused. + * @param section: section of packet where this rrset comes from. + * @param qstate: qstate with region. * @return false on alloc error. */ static int rrset_canonical(struct regional* region, sldns_buffer* buf, struct ub_packed_rrset_key* k, uint8_t* sig, size_t siglen, - struct rbtree_t** sortree) + struct rbtree_t** sortree, sldns_pkt_section section, + struct module_qstate* qstate) { struct packed_rrset_data* d = (struct packed_rrset_data*)k->entry.data; uint8_t* can_owner = NULL; 
@@ -1169,6 +1176,20 @@ rrset_canonical(struct regional* region, canonicalize_rdata(buf, k, d->rr_len[walk->rr_idx]); } sldns_buffer_flip(buf); + + /* Replace RR owner with canonical owner for NSEC records in authority + * section, to prevent that a wildcard synthesized NSEC can be used in + * the non-existence proves. */ + if(ntohs(k->rk.type) == LDNS_RR_TYPE_NSEC && + section == LDNS_SECTION_AUTHORITY) { + k->rk.dname = regional_alloc_init(qstate->region, can_owner, + can_owner_len); + if(!k->rk.dname) + return 0; + k->rk.dname_len = can_owner_len; + } + + return 1; } @@ -1304,7 +1325,8 @@ dnskey_verify_rrset_sig(struct regional* struct val_env* ve, time_t now, struct ub_packed_rrset_key* rrset, struct ub_packed_rrset_key* dnskey, size_t dnskey_idx, size_t sig_idx, - struct rbtree_t** sortree, int* buf_canon, char** reason) + struct rbtree_t** sortree, int* buf_canon, char** reason, + sldns_pkt_section section, struct module_qstate* qstate) { enum sec_status sec; uint8_t* sig; /* RRSIG rdata */ @@ -1403,7 +1425,7 @@ dnskey_verify_rrset_sig(struct regional* /* create rrset canonical format in buffer, ready for * signature */ if(!rrset_canonical(region, buf, rrset, sig+2, - 18 + signer_len, sortree)) { + 18 + signer_len, sortree, section, qstate)) { log_err("verify: failed due to alloc error"); return sec_status_unchecked; } Index: b/validator/val_sigcrypt.h =================================================================== --- a/validator/val_sigcrypt.h +++ b/validator/val_sigcrypt.h @@ -44,8 +44,10 @@ #ifndef VALIDATOR_VAL_SIGCRYPT_H #define VALIDATOR_VAL_SIGCRYPT_H #include "util/data/packed_rrset.h" +#include "ldns/pkthdr.h" struct val_env; struct module_env; +struct module_qstate; struct ub_packed_rrset_key; struct rbtree_t; struct regional; 
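Review bot: The new authority-section branch dereferences `qstate->region` unconditionally, while the call chain explicitly permits a NULL qstate (testcode/unitverify.c passes NULL with LDNS_SECTION_ANSWER), so correctness rests on every caller that passes LDNS_SECTION_AUTHORITY also passing a non-NULL qstate, and nothing here checks it. I would add `log_assert(qstate);` at the top of the branch, or fail closed with `if(!qstate) return 0;` (the caller already maps a zero return to "failed due to alloc error" and sec_status_unchecked), so a future caller cannot turn a verification into a NULL dereference. The side effect also needs documenting in the function header updated in the previous hunk: the function now rewrites `k->rk.dname` and `k->rk.dname_len` of an NSEC rrset to the canonical owner allocated in qstate->region, which is what stops a wildcard-synthesized NSEC from being used in a non-existence proof, yet the header only lists the two new parameters. rrset_canonical begins outside this hunk.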
@@ -237,13 +239,16 @@ uint16_t dnskey_get_flags(struct ub_pack * @param sigalg: if nonNULL provide downgrade protection otherwise one * algorithm is enough. * @param reason: if bogus, a string returned, fixed or alloced in scratch. + * @param section: section of packet where this rrset comes from. + * @param qstate: qstate with region. * @return SECURE if one key in the set verifies one rrsig. * UNCHECKED on allocation errors, unsupported algorithms, malformed data, * and BOGUS on verification failures (no keys match any signatures). */ enum sec_status dnskeyset_verify_rrset(struct module_env* env, struct val_env* ve, struct ub_packed_rrset_key* rrset, - struct ub_packed_rrset_key* dnskey, uint8_t* sigalg, char** reason); + struct ub_packed_rrset_key* dnskey, uint8_t* sigalg, char** reason, + sldns_pkt_section section, struct module_qstate* qstate); /** * verify rrset against one specific dnskey (from rrset) @@ -253,12 +258,15 @@ enum sec_status dnskeyset_verify_rrset(s * @param dnskey: DNSKEY rrset, keyset. * @param dnskey_idx: which key from the rrset to try. * @param reason: if bogus, a string returned, fixed or alloced in scratch. + * @param section: section of packet where this rrset comes from. + * @param qstate: qstate with region. * @return secure if *this* key signs any of the signatures on rrset. * unchecked on error or and bogus on bad signature. */ enum sec_status dnskey_verify_rrset(struct module_env* env, struct val_env* ve, struct ub_packed_rrset_key* rrset, - struct ub_packed_rrset_key* dnskey, size_t dnskey_idx, char** reason); + struct ub_packed_rrset_key* dnskey, size_t dnskey_idx, char** reason, + sldns_pkt_section section, struct module_qstate* qstate); /** * verify rrset, with dnskey rrset, for a specific rrsig in rrset 
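Review bot: The new `@param qstate: qstate with region.` on dnskeyset_verify_rrset neither says that NULL is accepted for non-authority sections, which testcode/unitverify.c relies on, nor that verifying an authority-section NSEC rrset modifies the rrset key's owner name; both are contract details a caller must know. I would expand it to `@param qstate: qstate with region; must be non-NULL when section is LDNS_SECTION_AUTHORITY, because NSEC rrsets from that section get their owner name replaced by the canonical owner allocated in qstate->region.` and use the same wording on dnskey_verify_rrset in the next hunk and on dnskeyset_verify_rrset_sig and dnskey_verify_rrset_sig further down, which all repeat the one-line form.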
@@ -271,13 +279,16 @@ enum sec_status dnskey_verify_rrset(stru * @param sortree: reused sorted order. Stored in region. Pass NULL at start, * and for a new rrset. * @param reason: if bogus, a string returned, fixed or alloced in scratch. + * @param section: section of packet where this rrset comes from. + * @param qstate: qstate with region. * @return secure if any key signs *this* signature. bogus if no key signs it, * or unchecked on error. */ enum sec_status dnskeyset_verify_rrset_sig(struct module_env* env, struct val_env* ve, time_t now, struct ub_packed_rrset_key* rrset, struct ub_packed_rrset_key* dnskey, size_t sig_idx, - struct rbtree_t** sortree, char** reason); + struct rbtree_t** sortree, char** reason, sldns_pkt_section section, + struct module_qstate* qstate); /** * verify rrset, with specific dnskey(from set), for a specific rrsig @@ -295,6 +306,8 @@ enum sec_status dnskeyset_verify_rrset_s * pass false at start. pass old value only for same rrset and same * signature (but perhaps different key) for reuse. * @param reason: if bogus, a string returned, fixed or alloced in scratch. + * @param section: section of packet where this rrset comes from. + * @param qstate: qstate with region. * @return secure if this key signs this signature. unchecked on error or * bogus if it did not validate. */ @@ -302,7 +315,8 @@ enum sec_status dnskey_verify_rrset_sig( struct sldns_buffer* buf, struct val_env* ve, time_t now, struct ub_packed_rrset_key* rrset, struct ub_packed_rrset_key* dnskey, size_t dnskey_idx, size_t sig_idx, - struct rbtree_t** sortree, int* buf_canon, char** reason); + struct rbtree_t** sortree, int* buf_canon, char** reason, + sldns_pkt_section section, struct module_qstate* qstate); /** * canonical compare for two tree entries Index: b/validator/val_utils.c =================================================================== --- a/validator/val_utils.c +++ b/validator/val_utils.c 
@@ -309,7 +309,8 @@ rrset_get_ttl(struct ub_packed_rrset_key enum sec_status val_verify_rrset(struct module_env* env, struct val_env* ve, struct ub_packed_rrset_key* rrset, struct ub_packed_rrset_key* keys, - uint8_t* sigalg, char** reason) + uint8_t* sigalg, char** reason, sldns_pkt_section section, + struct module_qstate* qstate) { enum sec_status sec; struct packed_rrset_data* d = (struct packed_rrset_data*)rrset-> @@ -331,7 +332,8 @@ val_verify_rrset(struct module_env* env, } log_nametypeclass(VERB_ALGO, "verify rrset", rrset->rk.dname, ntohs(rrset->rk.type), ntohs(rrset->rk.rrset_class)); - sec = dnskeyset_verify_rrset(env, ve, rrset, keys, sigalg, reason); + sec = dnskeyset_verify_rrset(env, ve, rrset, keys, sigalg, reason, + section, qstate); verbose(VERB_ALGO, "verify result: %s", sec_status_to_string(sec)); regional_free_all(env->scratch); @@ -364,7 +366,7 @@ val_verify_rrset(struct module_env* env, enum sec_status val_verify_rrset_entry(struct module_env* env, struct val_env* ve, struct ub_packed_rrset_key* rrset, struct key_entry_key* kkey, - char** reason) + char** reason, sldns_pkt_section section, struct module_qstate* qstate) { /* temporary dnskey rrset-key */ struct ub_packed_rrset_key dnskey; @@ -377,7 +379,8 @@ val_verify_rrset_entry(struct module_env dnskey.rk.dname_len = kkey->namelen; dnskey.entry.key = &dnskey; dnskey.entry.data = kd->rrset_data; - sec = val_verify_rrset(env, ve, rrset, &dnskey, kd->algo, reason); + sec = val_verify_rrset(env, ve, rrset, &dnskey, kd->algo, reason, + section, qstate); return sec; } 
@@ -385,7 +388,8 @@ val_verify_rrset_entry(struct module_env static enum sec_status verify_dnskeys_with_ds_rr(struct module_env* env, struct val_env* ve, struct ub_packed_rrset_key* dnskey_rrset, - struct ub_packed_rrset_key* ds_rrset, size_t ds_idx, char** reason) + struct ub_packed_rrset_key* ds_rrset, size_t ds_idx, char** reason, + struct module_qstate* qstate) { enum sec_status sec = sec_status_bogus; size_t i, num, numchecked = 0, numhashok = 0; @@ -416,7 +420,7 @@ verify_dnskeys_with_ds_rr(struct module_ /* Otherwise, we have a match! Make sure that the DNSKEY * verifies *with this key* */ sec = dnskey_verify_rrset(env, ve, dnskey_rrset, - dnskey_rrset, i, reason); + dnskey_rrset, i, reason, LDNS_SECTION_ANSWER, qstate); if(sec == sec_status_secure) { return sec; } @@ -452,7 +456,8 @@ int val_favorite_ds_algo(struct ub_packe enum sec_status val_verify_DNSKEY_with_DS(struct module_env* env, struct val_env* ve, struct ub_packed_rrset_key* dnskey_rrset, - struct ub_packed_rrset_key* ds_rrset, uint8_t* sigalg, char** reason) + struct ub_packed_rrset_key* ds_rrset, uint8_t* sigalg, char** reason, + struct module_qstate* qstate) { /* as long as this is false, we can consider this DS rrset to be * equivalent to no DS rrset. */ @@ -489,7 +494,7 @@ val_verify_DNSKEY_with_DS(struct module_ has_useful_ds = 1; sec = verify_dnskeys_with_ds_rr(env, ve, dnskey_rrset, - ds_rrset, i, reason); + ds_rrset, i, reason, qstate); if(sec == sec_status_secure) { if(!sigalg || algo_needs_set_secure(&needs, (uint8_t)ds_get_key_algo(ds_rrset, i))) { 
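Review bot: `LDNS_SECTION_ANSWER` is hard-coded in the `dnskey_verify_rrset` call inside `verify_dnskeys_with_ds_rr`, and again on the trust-anchor path in `val_verify_DNSKEY_with_TA` in the next hunk, while every other call site in this patch passes the section the rrset was actually taken from. If a DNSKEY set verified against a DS or anchor can only ever be answer-section data, say so at the call, `/* DNSKEY sets verified against DS/TA are always answer data */`; if the callers (outside this hunk) can hand in data from elsewhere, the section should be threaded through the same way `qstate` now is. Both enclosing functions continue outside the hunk.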
@@ -522,11 +527,12 @@ val_verify_DNSKEY_with_DS(struct module_ struct key_entry_key* val_verify_new_DNSKEYs(struct regional* region, struct module_env* env, struct val_env* ve, struct ub_packed_rrset_key* dnskey_rrset, - struct ub_packed_rrset_key* ds_rrset, int downprot, char** reason) + struct ub_packed_rrset_key* ds_rrset, int downprot, char** reason, + struct module_qstate* qstate) { uint8_t sigalg[ALGO_NEEDS_MAX+1]; enum sec_status sec = val_verify_DNSKEY_with_DS(env, ve, - dnskey_rrset, ds_rrset, downprot?sigalg:NULL, reason); + dnskey_rrset, ds_rrset, downprot?sigalg:NULL, reason, qstate); if(sec == sec_status_secure) { return key_entry_create_rrset(region, @@ -548,7 +554,8 @@ enum sec_status val_verify_DNSKEY_with_TA(struct module_env* env, struct val_env* ve, struct ub_packed_rrset_key* dnskey_rrset, struct ub_packed_rrset_key* ta_ds, - struct ub_packed_rrset_key* ta_dnskey, uint8_t* sigalg, char** reason) + struct ub_packed_rrset_key* ta_dnskey, uint8_t* sigalg, char** reason, + struct module_qstate* qstate) { /* as long as this is false, we can consider this anchor to be * equivalent to no anchor. */ @@ -599,7 +606,7 @@ val_verify_DNSKEY_with_TA(struct module_ has_useful_ta = 1; sec = verify_dnskeys_with_ds_rr(env, ve, dnskey_rrset, - ta_ds, i, reason); + ta_ds, i, reason, qstate); if(sec == sec_status_secure) { if(!sigalg || algo_needs_set_secure(&needs, (uint8_t)ds_get_key_algo(ta_ds, i))) { @@ -625,7 +632,7 @@ val_verify_DNSKEY_with_TA(struct module_ has_useful_ta = 1; sec = dnskey_verify_rrset(env, ve, dnskey_rrset, - ta_dnskey, i, reason); + ta_dnskey, i, reason, LDNS_SECTION_ANSWER, qstate); if(sec == sec_status_secure) { if(!sigalg || algo_needs_set_secure(&needs, (uint8_t)dnskey_get_algo(ta_dnskey, i))) { 
@@ -659,12 +666,12 @@ val_verify_new_DNSKEYs_with_ta(struct re struct val_env* ve, struct ub_packed_rrset_key* dnskey_rrset, struct ub_packed_rrset_key* ta_ds_rrset, struct ub_packed_rrset_key* ta_dnskey_rrset, int downprot, - char** reason) + char** reason, struct module_qstate* qstate) { uint8_t sigalg[ALGO_NEEDS_MAX+1]; enum sec_status sec = val_verify_DNSKEY_with_TA(env, ve, dnskey_rrset, ta_ds_rrset, ta_dnskey_rrset, - downprot?sigalg:NULL, reason); + downprot?sigalg:NULL, reason, qstate); if(sec == sec_status_secure) { return key_entry_create_rrset(region, Index: b/validator/val_utils.h =================================================================== --- a/validator/val_utils.h +++ b/validator/val_utils.h @@ -42,10 +42,12 @@ #ifndef VALIDATOR_VAL_UTILS_H #define VALIDATOR_VAL_UTILS_H #include "util/data/packed_rrset.h" +#include "ldns/pkthdr.h" struct query_info; struct reply_info; struct val_env; struct module_env; +struct module_qstate; struct ub_packed_rrset_key; struct key_entry_key; struct regional; @@ -120,11 +122,14 @@ void val_find_signer(enum val_classifica * @param sigalg: if nonNULL provide downgrade protection otherwise one * algorithm is enough. Algo list is constructed in here. * @param reason: reason of failure. Fixed string or alloced in scratch. + * @param section: section of packet where this rrset comes from. + * @param qstate: qstate with region. * @return security status of verification. */ enum sec_status val_verify_rrset(struct module_env* env, struct val_env* ve, struct ub_packed_rrset_key* rrset, struct ub_packed_rrset_key* keys, - uint8_t* sigalg, char** reason); + uint8_t* sigalg, char** reason, sldns_pkt_section section, + struct module_qstate* qstate); /** * Verify RRset with keys from a keyset. 
@@ -133,11 +138,14 @@ enum sec_status val_verify_rrset(struct * @param rrset: what to verify * @param kkey: key_entry to verify with. * @param reason: reason of failure. Fixed string or alloced in scratch. + * @param section: section of packet where this rrset comes from. + * @param qstate: qstate with region. * @return security status of verification. */ enum sec_status val_verify_rrset_entry(struct module_env* env, struct val_env* ve, struct ub_packed_rrset_key* rrset, - struct key_entry_key* kkey, char** reason); + struct key_entry_key* kkey, char** reason, sldns_pkt_section section, + struct module_qstate* qstate); /** * Verify DNSKEYs with DS rrset. Like val_verify_new_DNSKEYs but @@ -150,13 +158,15 @@ enum sec_status val_verify_rrset_entry(s * algorithm is enough. The list of signalled algorithms is returned, * must have enough space for ALGO_NEEDS_MAX+1. * @param reason: reason of failure. Fixed string or alloced in scratch. + * @param qstate: qstate with region. * @return: sec_status_secure if a DS matches. * sec_status_insecure if end of trust (i.e., unknown algorithms). * sec_status_bogus if it fails. */ enum sec_status val_verify_DNSKEY_with_DS(struct module_env* env, struct val_env* ve, struct ub_packed_rrset_key* dnskey_rrset, - struct ub_packed_rrset_key* ds_rrset, uint8_t* sigalg, char** reason); + struct ub_packed_rrset_key* ds_rrset, uint8_t* sigalg, char** reason, + struct module_qstate* qstate); /** * Verify DNSKEYs with DS and DNSKEY rrset. Like val_verify_DNSKEY_with_DS @@ -170,6 +180,7 @@ enum sec_status val_verify_DNSKEY_with_D * algorithm is enough. The list of signalled algorithms is returned, * must have enough space for ALGO_NEEDS_MAX+1. * @param reason: reason of failure. Fixed string or alloced in scratch. + * @param qstate: qstate with region. * @return: sec_status_secure if a DS matches. * sec_status_insecure if end of trust (i.e., unknown algorithms). * sec_status_bogus if it fails. 
@@ -177,7 +188,8 @@ enum sec_status val_verify_DNSKEY_with_D enum sec_status val_verify_DNSKEY_with_TA(struct module_env* env, struct val_env* ve, struct ub_packed_rrset_key* dnskey_rrset, struct ub_packed_rrset_key* ta_ds, - struct ub_packed_rrset_key* ta_dnskey, uint8_t* sigalg, char** reason); + struct ub_packed_rrset_key* ta_dnskey, uint8_t* sigalg, char** reason, + struct module_qstate* qstate); /** * Verify new DNSKEYs with DS rrset. The DS contains hash values that should @@ -192,6 +204,7 @@ enum sec_status val_verify_DNSKEY_with_T * @param downprot: if true provide downgrade protection otherwise one * algorithm is enough. * @param reason: reason of failure. Fixed string or alloced in scratch. + * @param qstate: qstate with region. * @return a KeyEntry. This will either contain the now trusted * dnskey_rrset, a "null" key entry indicating that this DS * rrset/DNSKEY pair indicate an secure end to the island of trust @@ -205,7 +218,8 @@ enum sec_status val_verify_DNSKEY_with_T struct key_entry_key* val_verify_new_DNSKEYs(struct regional* region, struct module_env* env, struct val_env* ve, struct ub_packed_rrset_key* dnskey_rrset, - struct ub_packed_rrset_key* ds_rrset, int downprot, char** reason); + struct ub_packed_rrset_key* ds_rrset, int downprot, char** reason, + struct module_qstate* qstate); /** @@ -220,6 +234,7 @@ struct key_entry_key* val_verify_new_DNS * @param downprot: if true provide downgrade protection otherwise one * algorithm is enough. * @param reason: reason of failure. Fixed string or alloced in scratch. + * @param qstate: qstate with region. * @return a KeyEntry. This will either contain the now trusted * dnskey_rrset, a "null" key entry indicating that this DS * rrset/DNSKEY pair indicate an secure end to the island of trust 
@@ -235,7 +250,7 @@ struct key_entry_key* val_verify_new_DNS struct ub_packed_rrset_key* dnskey_rrset, struct ub_packed_rrset_key* ta_ds_rrset, struct ub_packed_rrset_key* ta_dnskey_rrset, - int downprot, char** reason); + int downprot, char** reason, struct module_qstate* qstate); /** * Determine if DS rrset is usable for validator or not. @@ -252,7 +267,7 @@ int val_dsset_isusable(struct ub_packed_ * the result of a wildcard expansion. If so, return the name of the * generating wildcard. * - * @param rrset The rrset to chedck. + * @param rrset The rrset to check. * @param wc: the wildcard name, if the rrset was synthesized from a wildcard. * unchanged if not. The wildcard name, without "*." in front, is * returned. This is a pointer into the rrset owner name. Index: b/validator/validator.c =================================================================== --- a/validator/validator.c +++ b/validator/validator.c @@ -461,7 +461,8 @@ validate_msg_signatures(struct module_qs } /* Verify the answer rrset */ - sec = val_verify_rrset_entry(env, ve, s, key_entry, &reason); + sec = val_verify_rrset_entry(env, ve, s, key_entry, &reason, + LDNS_SECTION_ANSWER, qstate); /* If the (answer) rrset failed to validate, then this * message is BAD. */ if(sec != sec_status_secure) { @@ -490,7 +491,8 @@ validate_msg_signatures(struct module_qs for(i=chase_reply->an_numrrsets; ian_numrrsets+ chase_reply->ns_numrrsets; i++) { s = chase_reply->rrsets[i]; - sec = val_verify_rrset_entry(env, ve, s, key_entry, &reason); + sec = val_verify_rrset_entry(env, ve, s, key_entry, &reason, + LDNS_SECTION_AUTHORITY, qstate); /* If anything in the authority section fails to be secure, * we have a bad message. */ if(sec != sec_status_secure) { 
@@ -516,7 +518,7 @@ validate_msg_signatures(struct module_qs val_find_rrset_signer(s, &sname, &slen); if(sname && query_dname_compare(sname, key_entry->name)==0) (void)val_verify_rrset_entry(env, ve, s, key_entry, - &reason); + &reason, LDNS_SECTION_ADDITIONAL, qstate); /* the additional section can fail to be secure, * it is optional, check signature in case we need * to clean the additional section later. */ @@ -2297,7 +2299,7 @@ primeResponseToKE(struct ub_packed_rrset /* attempt to verify with trust anchor DS and DNSKEY */ kkey = val_verify_new_DNSKEYs_with_ta(qstate->region, qstate->env, ve, dnskey_rrset, ta->ds_rrset, ta->dnskey_rrset, downprot, - &reason); + &reason, qstate); if(!kkey) { log_err("out of memory: verifying prime TA"); return NULL; @@ -2387,7 +2389,7 @@ ds_response_to_ke(struct module_qstate* /* Verify only returns BOGUS or SECURE. If the rrset is * bogus, then we are done. */ sec = val_verify_rrset_entry(qstate->env, ve, ds, - vq->key_entry, &reason); + vq->key_entry, &reason, LDNS_SECTION_ANSWER, qstate); if(sec != sec_status_secure) { verbose(VERB_DETAIL, "DS rrset in DS response did " "not verify"); @@ -2434,7 +2436,7 @@ ds_response_to_ke(struct module_qstate* /* Try to prove absence of the DS with NSEC */ sec = val_nsec_prove_nodata_dsreply( qstate->env, ve, qinfo, msg->rep, vq->key_entry, - &proof_ttl, &reason); + &proof_ttl, &reason, qstate); switch(sec) { case sec_status_secure: verbose(VERB_DETAIL, "NSEC RRset for the " @@ -2462,7 +2464,8 @@ ds_response_to_ke(struct module_qstate* sec = nsec3_prove_nods(qstate->env, ve, msg->rep->rrsets + msg->rep->an_numrrsets, - msg->rep->ns_numrrsets, qinfo, vq->key_entry, &reason); + msg->rep->ns_numrrsets, qinfo, vq->key_entry, &reason, + qstate); switch(sec) { case sec_status_insecure: /* case insecure also continues to unsigned 
@@ -2523,7 +2526,7 @@ ds_response_to_ke(struct module_qstate* goto return_bogus; } sec = val_verify_rrset_entry(qstate->env, ve, cname, - vq->key_entry, &reason); + vq->key_entry, &reason, LDNS_SECTION_ANSWER, qstate); if(sec == sec_status_secure) { verbose(VERB_ALGO, "CNAME validated, " "proof that DS does not exist"); @@ -2689,7 +2692,7 @@ process_dnskey_response(struct module_qs } downprot = 1; vq->key_entry = val_verify_new_DNSKEYs(qstate->region, qstate->env, - ve, dnskey, vq->ds_rrset, downprot, &reason); + ve, dnskey, vq->ds_rrset, downprot, &reason, qstate); if(!vq->key_entry) { log_err("out of memory in verify new DNSKEYs"); @@ -2764,7 +2767,8 @@ process_prime_response(struct module_qst ta->dclass); } if(ta->autr) { - if(!autr_process_prime(qstate->env, ve, ta, dnskey_rrset)) { + if(!autr_process_prime(qstate->env, ve, ta, dnskey_rrset, + qstate)) { /* trust anchor revoked, restart with less anchors */ vq->state = VAL_INIT_STATE; vq->trust_anchor_name = NULL; debian/patches/disable_chroot_by_default0000664000000000000000000000474612320525535015736 0ustar Description: Disable chroot by default. Author: Robert S. Edmonds --- unbound-1.4.21.orig/acx_python.m4 +++ unbound-1.4.21/acx_python.m4 @@ -90,7 +90,12 @@ $ac_distutils_result]) if test -n "${python_path}"; then python_path="-I$python_path" fi - PYTHON_CPPFLAGS=$python_path + python_multiarch_path=`$PYTHON -c "import distutils.sysconfig; \ + print distutils.sysconfig.get_python_inc(plat_specific=1);"` + if test -n "${python_multiarch_path}"; then + python_multiarch_path="-I$python_multiarch_path" + fi + PYTHON_CPPFLAGS="$python_path $python_multiarch_path" fi AC_MSG_RESULT([$PYTHON_CPPFLAGS]) AC_SUBST([PYTHON_CPPFLAGS]) --- unbound-1.4.21.orig/doc/unbound.conf.5.in +++ unbound-1.4.21/doc/unbound.conf.5.in 
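Review bot: The embedded Python in the new `python_multiarch_path` probe uses the Python 2 statement form `print distutils.sysconfig.get_python_inc(plat_specific=1);`, which is a syntax error under Python 3, so on such an interpreter the check silently yields an empty multiarch path; `print(distutils.sysconfig.get_python_inc(plat_specific=1))` is valid on both. The result is appended to `PYTHON_CPPFLAGS` without checking whether it equals `python_path`, which presumably yields a duplicated `-I` on non-multiarch systems — harmless, but worth a one-line comment. This configure change is not mentioned in the patch Description ("Disable chroot by default").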
@@ -921,7 +921,7 @@ section for options. To setup the corre \fIunbound\-control\-setup\fR(8) utility. .TP 5 .B control\-enable: \fI -The option is used to enable remote control, default is "no". +The option is used to enable remote control, default is "yes". If turned off, the server does not listen for control commands. .TP 5 .B control\-interface: --- unbound-1.4.21.orig/smallapp/unbound-control-setup.sh +++ unbound-1.4.21/smallapp/unbound-control-setup.sh @@ -157,6 +157,6 @@ chmod o-rw $SVR_BASE.pem $SVR_BASE.key $ rm -f request.cfg rm -f $CTL_BASE"_trust.pem" $SVR_BASE"_trust.pem" $SVR_BASE"_trust.srl" -echo "Setup success. Certificates created. Enable in unbound.conf file to use" +echo "Setup success. Certificates created." exit 0 --- unbound-1.4.21.orig/util/config_file.c +++ unbound-1.4.21/util/config_file.c @@ -139,7 +139,7 @@ config_create(void) init_outgoing_availports(cfg->outgoing_avail_ports, 65536); if(!(cfg->username = strdup(UB_USERNAME))) goto error_exit; #ifdef HAVE_CHROOT - if(!(cfg->chrootdir = strdup(CHROOT_DIR))) goto error_exit; + if(!(cfg->chrootdir = strdup(""))) goto error_exit; #endif if(!(cfg->directory = strdup(RUN_DIR))) goto error_exit; if(!(cfg->logfile = strdup(""))) goto error_exit; 
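Review bot: Replacing `CHROOT_DIR` with the empty string removes the filesystem confinement upstream applies by default, and the patch Description gives no rationale for giving that up. A comment at the site keeps the reason with the code, e.g. `/* Debian: no chroot by default, see debian/patches/disable_chroot_by_default */`, and the Description should state what confinement remains (the daemon still switches to `cfg->username`, as the context line shows). `config_create` continues outside the hunk.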
@@ -198,7 +198,7 @@ config_create(void) cfg->local_zones_nodefault = NULL; cfg->local_data = NULL; cfg->python_script = NULL; - cfg->remote_control_enable = 0; + cfg->remote_control_enable = 1; cfg->control_ifs = NULL; cfg->control_port = UNBOUND_CONTROL_PORT; cfg->minimal_responses = 0; debian/patches/disable_sldns_str2wire_rr_buf_tests0000664000000000000000000000213112317664160017775 0ustar Description: Disable unit tests 3 and 5 of rr_test suite. Author: Jonathan Davies --- The information above should follow the Patch Tagging Guidelines, please checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here are templates for supplementary fields that you might want to add: Origin: vendor Bug: https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=572 Bug-Ubuntu: https://bugs.launchpad.net/bugs/1302925 Last-Update: <2014-04-05> --- unbound-1.4.22.orig/testcode/unitldns.c +++ unbound-1.4.22/testcode/unitldns.c 
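Review bot: Flipping `remote_control_enable` to 1 makes the daemon accept control commands by default, yet the patch is titled "Disable chroot by default" and its Description never mentions remote control; a default that widens the listening surface deserves its own patch, or at least its own Description line. Whether the listener ends up loopback-only depends on what the daemon substitutes for the `cfg->control_ifs = NULL;` seen in the context line, which is outside this hunk, so the real exposure cannot be judged here; a comment such as `/* Debian: remote-control on by default; exposure is decided by the control_ifs default */` would at least flag the dependency.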
@@ -205,9 +205,9 @@ rr_tests(void) { rr_test_file("testdata/test_ldnsrr.1", "testdata/test_ldnsrr.c1"); rr_test_file("testdata/test_ldnsrr.2", "testdata/test_ldnsrr.c2"); - rr_test_file("testdata/test_ldnsrr.3", "testdata/test_ldnsrr.c3"); + /*rr_test_file("testdata/test_ldnsrr.3", "testdata/test_ldnsrr.c3");*/ rr_test_file("testdata/test_ldnsrr.4", "testdata/test_ldnsrr.c4"); - rr_test_file("testdata/test_ldnsrr.5", "testdata/test_ldnsrr.c5"); + /*rr_test_file("testdata/test_ldnsrr.5", "testdata/test_ldnsrr.c5");*/ } void debian/patches/series0000664000000000000000000000032413306274622012040 0ustar disable_chroot_by_default disable_sldns_str2wire_rr_buf_tests silence_open_files_limit_warning disable_remote_control_in_tests CVE-2014-8602.patch increase-max_sent_count unbound-r4302.patch CVE-2017-15105.patch debian/patches/silence_open_files_limit_warning0000664000000000000000000000077012320524157017317 0ustar Description: Silence open file limit warning Author: Jonathan Davies Bug-Ubuntu: https://bugs.launchpad.net/bugs/1303088 Last-Update: <2014-04-07> --- unbound-1.4.22.orig/daemon/unbound.c +++ unbound-1.4.22/daemon/unbound.c @@ -280,8 +280,6 @@ checkrlimits(struct config_file* cfg) "ports in config to remove this warning"); return; } - log_warn("increased limit(open files) from %u to %u", - (unsigned)avail, (unsigned)total+10); } #else (void)cfg; debian/patches/increase-max_sent_count0000664000000000000000000000157612551723657015405 0ustar Description: Change MAX_SENT_COUNT from 16 to 32 to resolve some cases easier. Origin: upstream, http://unbound.nlnetlabs.nl/svn/ revision 3127 Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/unbound/+bug/1472510 Index: unbound-1.4.22/iterator/iterator.h =================================================================== --- unbound-1.4.22.orig/iterator/iterator.h 2015-07-16 12:42:41.000000000 +0200 +++ unbound-1.4.22/iterator/iterator.h 2015-07-16 12:44:34.880857528 +0200 
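Review bot: The two `rr_test_file` calls are commented out with no pointer to why, so a later maintainer cannot tell whether the inputs or the parser are at fault; the Description's `Bug:` link belongs at the site, e.g. `/* disabled, see https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=572 */` above the two lines. The patch header also still carries the DEP-3 template text ("The information above should follow the Patch Tagging Guidelines ...") that should have been removed before the patch was committed.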
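Review bot: Deleting the `log_warn` call in `checkrlimits` removes the only record that the process raised its own open-files limit, which an operator investigating descriptor exhaustion later has no other way to learn; lowering the severity keeps the information without the startup noise, e.g. `verbose(VERB_ALGO, "increased limit(open files) from %u to %u", (unsigned)avail, (unsigned)total+10);`. If that route is taken, the Description should say the message is demoted rather than silenced. `checkrlimits` continues outside the hunk.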
@@ -59,7 +59,7 @@
 /** max number of referrals. Makes sure resolver does not run away */
 #define MAX_REFERRAL_COUNT 130
 /** max number of queries-sent-out. Make sure large NS set does not loop */
-#define MAX_SENT_COUNT 16
+#define MAX_SENT_COUNT 32
 /** at what query-sent-count to stop target fetch policy */
 #define TARGET_FETCH_STOP 3
 /** how nice is a server without further information, in msec
debian/patches/CVE-2014-8602.patch0000664000000000000000000001204412453522116013240 0ustar Description: fix denial of service via large number of referrals Origin: upstream, http://unbound.net/downloads/patch_cve_2014_8602.diff
Index: unbound-1.4.22/iterator/iterator.c
===================================================================
--- unbound-1.4.22.orig/iterator/iterator.c 2014-02-07 08:28:39.000000000 -0500
+++ unbound-1.4.22/iterator/iterator.c 2015-01-08 10:05:59.919675617 -0500
@@ -120,6 +120,7 @@
 iq->query_restart_count = 0;
 iq->referral_count = 0;
 iq->sent_count = 0;
+ iq->target_count = NULL;
 iq->wait_priming_stub = 0;
 iq->refetch_glue = 0;
 iq->dnssec_expected = 0;
@@ -445,6 +446,26 @@ return 1; } +/** create target count structure for this query */ +static void +target_count_create(struct iter_qstate* iq) +{ + if(!iq->target_count) { + iq->target_count = (int*)calloc(2, sizeof(int)); + /* if calloc fails we simply do not track this number */ + if(iq->target_count) + iq->target_count[0] = 1; + } +} + +static void +target_count_increase(struct iter_qstate* iq, int num) +{ + target_count_create(iq); + if(iq->target_count) + iq->target_count[1] += num; +} + /** * Generate a subrequest. * Generate a local request event. Local events are tied to this module, and 
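Review bot: Doubling `MAX_SENT_COUNT` doubles the number of upstream queries one client query may trigger before the iterator gives up, which is the bound on how much traffic a single resolution can generate toward authoritative servers; the comment above it only explains the loop case, so it should record the new reasoning. The CVE-2014-8602 patch further down adds the separate `MAX_TARGET_COUNT 32` for glue fetches, and a cross-reference, e.g. `/** max number of queries-sent-out; see also MAX_TARGET_COUNT for glue fetches */`, would make the two limits easier to reason about together.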
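Review bot: `target_count_create` treats `calloc` failure as "do not track", which makes the new glue-fetch limit fail open: both checks added in the following hunks have the form `iq->depth > 0 && iq->target_count && iq->target_count[1] > MAX_TARGET_COUNT`, so under memory pressure — exactly when an over-fetching query hurts most — the bound is not enforced at all. Worse, the subrequest hunk copies the parent's NULL into `subiq->target_count`, and the child's next `target_count_increase` then allocates a fresh counter for that subtree alone, so counting silently degrades from per-query to per-subquery. If the subrequest path is the only way a subquery is created (it always calls `target_count_create` on the parent first), a NULL counter at `iq->depth > 0` can only mean an allocation failure and the checks could fail closed: `if(iq->depth > 0 && (!iq->target_count || iq->target_count[1] > MAX_TARGET_COUNT))`.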
@@ -516,6 +537,10 @@ subiq = (struct iter_qstate*)subq->minfo[id]; memset(subiq, 0, sizeof(*subiq)); subiq->num_target_queries = 0; + target_count_create(iq); + subiq->target_count = iq->target_count; + if(iq->target_count) + iq->target_count[0] ++; /* extra reference */ subiq->num_current_queries = 0; subiq->depth = iq->depth+1; outbound_list_init(&subiq->outlist); @@ -1342,6 +1367,12 @@ if(iq->depth == ie->max_dependency_depth) return 0; + if(iq->depth > 0 && iq->target_count && + iq->target_count[1] > MAX_TARGET_COUNT) { + verbose(VERB_QUERY, "request has exceeded the maximum " + "number of glue fetches %d", iq->target_count[1]); + return 0; + } iter_mark_cycle_targets(qstate, iq->dp); missing = (int)delegpt_count_missing_targets(iq->dp); @@ -1524,6 +1555,7 @@ return error_response(qstate, id, LDNS_RCODE_SERVFAIL); } iq->num_target_queries += qs; + target_count_increase(iq, qs); if(qs != 0) { qstate->ext_state[id] = module_wait_subquery; return 0; /* and wait for them */ @@ -1533,6 +1565,12 @@ verbose(VERB_QUERY, "maxdepth and need more nameservers, fail"); return error_response_cache(qstate, id, LDNS_RCODE_SERVFAIL); } + if(iq->depth > 0 && iq->target_count && + iq->target_count[1] > MAX_TARGET_COUNT) { + verbose(VERB_QUERY, "request has exceeded the maximum " + "number of glue fetches %d", iq->target_count[1]); + return error_response_cache(qstate, id, LDNS_RCODE_SERVFAIL); + } /* mark cycle targets for parent-side lookups */ iter_mark_pside_cycle_targets(qstate, iq->dp); /* see if we can issue queries to get nameserver addresses */ @@ -1562,6 +1600,7 @@ if(query_count != 0) { /* suspend to await results */ verbose(VERB_ALGO, "try parent-side glue lookup"); iq->num_target_queries += query_count; + target_count_increase(iq, query_count); qstate->ext_state[id] = module_wait_subquery; return 0; } 
@@ -1717,6 +1756,7 @@ return error_response(qstate, id, LDNS_RCODE_SERVFAIL); } iq->num_target_queries += extra; + target_count_increase(iq, extra); if(iq->num_target_queries > 0) { /* wait to get all targets, we want to try em */ verbose(VERB_ALGO, "wait for all targets for fallback"); @@ -1757,6 +1797,7 @@ /* errors ignored, these targets are not strictly necessary for * this result, we do not have to reply with SERVFAIL */ iq->num_target_queries += extra; + target_count_increase(iq, extra); } /* Add the current set of unused targets to our queue. */ @@ -1802,6 +1843,7 @@ return 1; } iq->num_target_queries += qs; + target_count_increase(iq, qs); } /* Since a target query might have been made, we * need to check again. */ @@ -2894,6 +2936,8 @@ iq = (struct iter_qstate*)qstate->minfo[id]; if(iq) { outbound_list_clear(&iq->outlist); + if(iq->target_count && --iq->target_count[0] == 0) + free(iq->target_count); iq->num_current_queries = 0; } qstate->minfo[id] = NULL; Index: unbound-1.4.22/iterator/iterator.h =================================================================== --- unbound-1.4.22.orig/iterator/iterator.h 2014-02-07 08:28:39.000000000 -0500 +++ unbound-1.4.22/iterator/iterator.h 2015-01-08 10:05:59.919675617 -0500 @@ -52,6 +52,8 @@ struct iter_prep_list; struct iter_priv; +/** max number of targets spawned for a query and its subqueries */ +#define MAX_TARGET_COUNT 32 /** max number of query restarts. Determines max number of CNAME chain. */ #define MAX_RESTART_COUNT 8 /** max number of referrals. Makes sure resolver does not run away */ 
@@ -254,6 +256,10 @@ /** number of queries fired off */ int sent_count; + + /** number of target queries spawned in [1], for this query and its + * subqueries, the malloced-array is shared, [0] refcount. */ + int* target_count; /** * The query must store NS records from referrals as parentside RRs debian/patches/unbound-r4302.patch0000664000000000000000000000213513306273074014070 0ustar Description: Fix install of trust anchor when two anchors are present Origin: upstream svn commit 4302 Forwarded: not-needed - Fix install of trust anchor when two anchors are present, makes both valid. Checks hash of DS but not signature of new key. This fixes installs between sep11 and oct11 2017. [Included as a prerequisite for the CVE-2017-15105 patch --sbeattie] Index: b/validator/autotrust.c =================================================================== --- a/validator/autotrust.c (revision 4301) +++ b/validator/autotrust.c (revision 4302) @@ -1571,6 +1571,11 @@ verbose(VERB_ALGO, "DS match attempt failed"); continue; } + /* match of hash is sufficient for bootstrap of trust point */ + (void)reason; + (void)ve; + return 1; + /* no need to check RRSIG, DS hash already matched with source if(dnskey_verify_rrset(env, ve, dnskey_rrset, dnskey_rrset, key_idx, &reason) == sec_status_secure) { return 1; @@ -1578,6 +1583,7 @@ verbose(VERB_ALGO, "DS match failed because the key " "does not verify the keyset: %s", reason); } + */ } return 0; } debian/patches/disable_remote_control_in_tests0000664000000000000000000000130712320565145017174 0ustar Description: Disable remote control in tests. Debian has a patch which enables remote control by default, which breaks the testbound test suite. . This patch disables this remote control setting in the tests. Author: Jonathan Davies --- Origin: vendor Last-Update: <2014-04-07> --- unbound-1.4.22.orig/testcode/testbound.c +++ unbound-1.4.22/testcode/testbound.c 
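Review bot: Encoding a refcount and a counter as the two cells of a malloced `int*` leaves the meaning of `target_count[0]` and `target_count[1]` to this field comment, which every use site has to remember; a two-member struct (illustrative names: `{ int refcount; int spawned; }`) would make `iq->target_count[0] ++; /* extra reference */` in iterator.c self-describing and stop the indices from ever being swapped. If the array stays, the index meanings should also be named at the `calloc(2, sizeof(int))` site, not only here.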
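Review bot: The block commented out after `return 1;` keeps the old six-argument `dnskey_verify_rrset(env, ve, dnskey_rrset, dnskey_rrset, key_idx, &reason)` call, while the prototypes at the top of this page now take `section` and `qstate` as well, so the dead code no longer compiles if anyone re-enables it; delete it rather than carrying a stale `/* ... */` plus `(void)reason; (void)ve;` to silence the now-unused parameters. Returning 1 on the DS digest match alone binds the DNSKEY RDATA to the anchor's DS but no longer proves the key can sign the DNSKEY RRset, which the Description acknowledges; whether a later autotrust step verifies that RRSIG is outside this hunk, and the comment `/* match of hash is sufficient for bootstrap of trust point */` should say where that check happens. The enclosing function continues outside the hunk.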
@@ -193,6 +193,7 @@ setup_config(FILE* in, int* lineno, int* fprintf(cfg, " username: \"\"\n"); fprintf(cfg, " pidfile: \"\"\n"); fprintf(cfg, " val-log-level: 2\n"); + fprintf(cfg, "remote-control: control-enable: no\n"); while(fgets(line, MAX_LINE_LEN-1, in)) { parse = line; (*lineno)++; debian/libunbound-dev.install0000664000000000000000000000012512310113675013472 0ustar usr/include/unbound.h usr/include usr/share/man/man3/libunbound.3 usr/share/man/man3 debian/libunbound-dev.dirs0000664000000000000000000000003712310113675012767 0ustar usr/include usr/share/man/man3 debian/libunbound2.symbols0000664000000000000000000000161312310113675013025 0ustar libunbound.so.2 libunbound2 #MINVER# ub_cancel@Base 1.4.1 ub_ctx_add_ta@Base 1.4.1 ub_ctx_add_ta_file@Base 1.4.1 ub_ctx_async@Base 1.4.1 ub_ctx_config@Base 1.4.1 ub_ctx_create@Base 1.4.1 ub_ctx_create_event@Base 1.4.22 ub_ctx_data_add@Base 1.4.1 ub_ctx_data_remove@Base 1.4.1 ub_ctx_debuglevel@Base 1.4.1 ub_ctx_debugout@Base 1.4.1 ub_ctx_delete@Base 1.4.1 ub_ctx_get_option@Base 1.4.2 ub_ctx_hosts@Base 1.4.1 ub_ctx_print_local_zones@Base 1.4.1 ub_ctx_resolvconf@Base 1.4.1 ub_ctx_set_event@Base 1.4.22 ub_ctx_set_fwd@Base 1.4.1 ub_ctx_set_option@Base 1.4.1 ub_ctx_trustedkeys@Base 1.4.1 ub_ctx_zone_add@Base 1.4.1 ub_ctx_zone_remove@Base 1.4.1 ub_fd@Base 1.4.1 ub_poll@Base 1.4.1 ub_process@Base 1.4.1 ub_resolve@Base 1.4.1 ub_resolve_async@Base 1.4.1 ub_resolve_event@Base 1.4.22 ub_resolve_free@Base 1.4.1 ub_strerror@Base 1.4.1 ub_version@Base 1.4.16 ub_wait@Base 1.4.1 debian/copyright0000664000000000000000000002472112310113675011130 0ustar This package was debianized by Robert S. Edmonds on Wed, 21 May 2008 14:13:28 -0400. It was downloaded from http://unbound.net/download.html Upstream Author: Wouter Wijngaards, NLnet Labs Copyright: Copyright (C) 2008 Wouter Wijngaards Copyright (C) 2008 NLnet Labs License: This software is open source. 
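Review bot: The new `fprintf(cfg, "remote-control: control-enable: no\n");` opens a new top-level clause directly after the `server:` attributes, so whatever the following `while(fgets(...))` loop copies from the test input is parsed under `remote-control:` unless the input itself re-opens `server:`; whether every test file does so cannot be seen from here. A comment on the line, `/* opens a new clause: config copied from the test input below must begin with its own server: */`, records that dependency. It is also the only generated line without the leading indentation its sibling `fprintf` strings carry, which is cosmetic but worth aligning. `setup_config`'s body continues outside the hunk.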
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. Neither the name of the NLNET LABS nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. The Debian packaging is: Copyright (C) 2008-2011 Robert S. Edmonds and is licensed under the GPL version 3, see `/usr/share/common-licenses/GPL-3'. Files: compat/fake-rfc2553.c, compat/fake-rfc2553.h Copyright: 2000-2003 Damien Miller, 1999 WIDE Project License: BSD-3 Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. 
Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. Neither the name of the project nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. . THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Files: compat/inet_aton.c Copyright: 1983, 1990, 1993 The Regents of the University of California License: BSD-3 Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. . 
THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Files: compat/inet_aton.c Copyright: 1993 Digital Equipment Corporation License: other Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies, and that the name of Digital Equipment Corporation not be used in advertising or publicity pertaining to distribution of the document or software without specific, written prior permission. . THE SOFTWARE IS PROVIDED "AS IS" AND DIGITAL EQUIPMENT CORP. DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL DIGITAL EQUIPMENT CORPORATION BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 
Files: compat/inet_ntop.c, compat/inet_pton.c Copyright: 1996 Internet Software Consortium License: ISC Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies. . THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. Files: compat/strlcpy.c Copyright: 1998 Todd C. Miller License: ISC Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies. . THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. Files: acx_pthread.m4 Copyright: 2006 Steven G. Johnson License: GPL-2+ | other This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. . 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. . As a special exception, the respective Autoconf Macro's copyright owner gives unlimited permission to copy, distribute and modify the configure scripts that are the output of Autoconf when processing the Macro. You need not follow the terms of the GNU General Public License when using or distributing such scripts, even though portions of the text of the Macro appear in them. The GNU General Public License (GPL) does govern all other use of the material that constitutes the Autoconf Macro. . This special exception to the GPL applies to versions of the Autoconf Macro released by the Autoconf Macro Archive. When you make and distribute a modified version of the Autoconf Macro, you may extend this special exception to the GPL to apply to your modified version as well. Files: util/configparser.h, util/configparser.c Copyright: (C) 1984, 1989, 1990, 2000, 2001, 2002, 2003, 2004, 2005, 2006 Free Software Foundation, Inc. License: GPL-3+ This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . 
*/ /* As a special exception, you may create a larger work that contains part or all of the Bison parser skeleton and distribute that work under terms of your choice, so long as that work isn't itself a parser generator using the skeleton or a modified version thereof as a parser skeleton. Alternatively, if you modify or redistribute the parser skeleton itself, you may (at your option) remove this special exception, which will cause the skeleton and the resulting Bison output files to be licensed under the GNU General Public License without this special exception. This special exception was added by the Free Software Foundation in version 2.2 of Bison. */ debian/rules0000775000000000000000000000560612320562467010266 0ustar #!/usr/bin/make -f #export DH_VERBOSE=1 include /usr/share/dpkg/architecture.mk ifneq ($(DEB_HOST_ARCH), amd64) CONFIGURE_ARGS = --disable-flto endif LIBRARY = libunbound2 export DEB_BUILD_MAINT_OPTIONS = hardening=+all DPKG_EXPORT_BUILDFLAGS = 1 include /usr/share/dpkg/buildflags.mk override_dh_auto_clean: dh_autoreconf_clean dh_auto_clean clean: dh clean build: build-arch: build-indep: autoreconf: autoreconf -f -i cp -f /usr/share/misc/config.guess /usr/share/misc/config.sub . 
binary-arch: build dh_testdir dh_autoreconf debian/rules -- autoreconf # first build -- build unbound daemon CFLAGS="$(CFLAGS)" CPPFLAGS="$(CPPFLAGS)" LDFLAGS="$(LDFLAGS)" ./configure \ --prefix=/usr \ --sysconfdir=/etc \ --disable-rpath \ --with-pidfile=/var/run/unbound.pid \ --with-libevent \ --with-pythonmodule \ --with-pyunbound \ $(CONFIGURE_ARGS) $(MAKE) unbound install -D -m 0755 unbound debian/unbound/usr/sbin/unbound # XXX gross hack to prevent python module from linking against everything rm -f _unbound.la sed -i -e 's/^dependency_libs=.*/dependency_libs=''/' libunbound.la make _unbound.la LIBS="" install -D -m 0644 .libs/_unbound.so.2.*.* \ debian/python-unbound/usr/lib/$(shell pyversions -d)/dist-packages/_unbound.so install -m 0644 \ pythonmod/unboundmodule.py \ libunbound/python/unbound.py \ debian/python-unbound/usr/lib/$(shell pyversions -d)/dist-packages $(MAKE) clean # second build -- build libunbound and utilities, without extra dependencies CFLAGS="$(CFLAGS)" CPPFLAGS="$(CPPFLAGS)" LDFLAGS="$(LDFLAGS)" ./configure \ --prefix=/usr \ --sysconfdir=/etc \ --disable-rpath \ --without-libevent \ --without-pythonmodule \ --without-pyunbound \ --libdir=/usr/lib/$(DEB_HOST_MULTIARCH) $(MAKE) $(MAKE) test $(MAKE) install DESTDIR="$(CURDIR)/debian/tmp" dh_installdirs dh_installinit --error-handler=true --restart-after-upgrade echo '$$named unbound' > debian/unbound/etc/insserv.conf.d/unbound install -m 0755 debian/resolvconf debian/unbound/etc/resolvconf/update.d/unbound install -m 0644 doc/example.conf debian/unbound/usr/share/doc/unbound/examples/unbound.conf mkdir -p debian/libunbound-dev/usr/lib/$(DEB_HOST_MULTIARCH) mv \ debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH)/libunbound.a \ debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH)/libunbound.so \ debian/libunbound-dev/usr/lib/$(DEB_HOST_MULTIARCH) mkdir -p debian/$(LIBRARY)/usr/lib/$(DEB_HOST_MULTIARCH) mv \ debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH)/*.so.* \ debian/$(LIBRARY)/usr/lib/$(DEB_HOST_MULTIARCH) chmod 0644 
debian/$(LIBRARY)/usr/lib/$(DEB_HOST_MULTIARCH)/* dh_install dh_installchangelogs dh_installdocs dh_installman dh_python2 --no-guessing-versions dh_strip dh_compress -Xusr/share/doc/unbound/examples/unbound.conf dh_fixperms dh_makeshlibs dh_installdeb dh_shlibdeps dh_gencontrol dh_md5sums dh_builddeb binary-indep: binary: binary-arch binary-indep debian/unbound-host.install0000664000000000000000000000012312310113675013200 0ustar usr/sbin/unbound-host usr/bin usr/share/man/man1/unbound-host.1 usr/share/man/man1 debian/unbound-host.dirs0000664000000000000000000000003312310113675012473 0ustar usr/bin usr/share/man/man1 debian/changelog0000664000000000000000000003163513306273473011062 0ustar unbound (1.4.22-1ubuntu4.14.04.3) trusty-security; urgency=medium * SECURITY UPDATE: vulnerability in the processing of wildcard synthesized NSEC records (LP: #1773720) - debian/patches/CVE-2017-15105.patch - CVE-2017-15105 * Fix install of trust anchor when two anchors are present - debian/patches/unbound-r4302.patch -- Steve Beattie Thu, 07 Jun 2018 11:19:28 -0700 unbound (1.4.22-1ubuntu4.14.04.2) trusty; urgency=medium * Make some lookups on a dual stacked (IPv4 and IPv6) host work. - debian/patches/increase-max_sent_count: Increase MAX_SENT_COUNT to 32, backported from Unbound 1.5.0 (LP: #1472510). - Can be verified with: # unbound-host -f /var/lib/unbound/root.key a.root-servers.net -- Patrik Lundin Thu, 16 Jul 2015 12:45:58 +0200 unbound (1.4.22-1ubuntu4.14.04.1) trusty-security; urgency=medium * SECURITY UPDATE: denial of service via large number of referrals - debian/patches/CVE-2014-8602.patch: limit number of targets in iterator/iterator.h, iterator/iterator.c. - CVE-2014-8602 -- Marc Deslauriers Thu, 08 Jan 2015 10:37:56 -0500 unbound (1.4.22-1ubuntu4) trusty; urgency=medium * debian/rules: Enable full testsuite. * debian/patches/disable_remote_control_in_tests: Disable remote control in testbound suite so tests succeed. 
-- Jonathan Davies Mon, 07 Apr 2014 13:45:15 +0000 unbound (1.4.22-1ubuntu3) trusty; urgency=low * debian/patches/disable_chroot_by_default: Readded disable-chroot-by-default functionality (LP: #1303088). * debian/patches/silence_open_files_limit_warning: Readded patch. -- Jonathan Davies Mon, 07 Apr 2014 13:02:09 +0000 unbound (1.4.22-1ubuntu2) trusty; urgency=medium * debian/rules: Set to run unittests. * debian/patches/debian-changes: Removed lingering changes from 1.4.22-1 upload. * debian/patches/disable_sldns_str2wire_rr_buf_tests: Disable test files 3 and 5 (issue reported upstream #572). -- Jonathan Davies Fri, 04 Apr 2014 23:21:00 +0000 unbound (1.4.22-1ubuntu1) trusty; urgency=low * Bring back dh-autoreconf stuff from upload 1.4.21-1ubuntu1. -- Jonathan Davies Fri, 04 Apr 2014 19:37:52 +0000 unbound (1.4.22-1) unstable; urgency=medium * New upstream release. * Drop Build-Dependency on libldns-dev. Unbound no longer relies on libldns. -- Robert S. Edmonds Wed, 12 Mar 2014 13:21:58 -0400 unbound (1.4.21-1) unstable; urgency=low * New upstream release. * Don't compress the example config file in /usr/share/doc/unbound; closes: #722708. * Fully enable hardening options; closes: #709837. (Patch from Simon Deziel.) * Add support for .d style configuration in /etc/unbound/unbound.conf.d; closes: #656549. * Move auto-trust-anchor-file configuration for the root into the new /etc/unbound/unbound.conf.d directory. -- Robert S. Edmonds Thu, 19 Sep 2013 21:45:39 -0400 unbound (1.4.20-1) unstable; urgency=low * New upstream release. - Updates IPv4 address hint for D.ROOT-SERVERS.NET; closes: #697351. * Correct exit code for "/etc/init.d/unbound status"; closes: #685052. (Patch from micah anderson.) * Finish dh_python2 conversion; closes: #697575. (Patch from Micah Gersten.) * Check for multiarch Python headers; closes: #697576. (Patch from Micah Gersten.) * Automatically set up the chroot directory if enabled; closes: #579622. (Patch from Simon Deziel.) -- Robert S. 
Edmonds Sat, 13 Apr 2013 15:34:47 -0400 unbound (1.4.19-1) unstable; urgency=low * New upstream release. -- Robert S. Edmonds Fri, 14 Dec 2012 21:33:42 -0500 unbound (1.4.18-1) unstable; urgency=low * New upstream release. -- Robert S. Edmonds Sun, 05 Aug 2012 21:54:05 -0400 unbound (1.4.17-2) unstable; urgency=low * Build-depend on libldns-dev (>= 1.6.13~) for ECDSA support. -- Robert S. Edmonds Mon, 28 May 2012 14:19:57 -0400 unbound (1.4.17-1) unstable; urgency=low * New upstream release; closes: #674434. * Implement 'status' command in init script; closes: #666388. * Fix build system bug that negated fully hardening the build; closes: #658021. (Patch from Simon Ruderich.) * Disable ECDSA support (for now) as this requires a newer ldns than is in the archive. -- Robert S. Edmonds Sun, 27 May 2012 16:41:41 -0400 unbound (1.4.16-2) unstable; urgency=low * Enable hardened build flags; closes: #658021. -- Robert S. Edmonds Sat, 21 Apr 2012 15:35:16 -0400 unbound (1.4.16-1) unstable; urgency=low * New upstream release. -- Robert S. Edmonds Sun, 05 Feb 2012 20:02:24 -0500 unbound (1.4.14-2) unstable; urgency=high * Work around gcc bugs by disabling link time optimization on build architectures that are not i386/amd64. -- Robert S. Edmonds Wed, 21 Dec 2011 15:52:17 -0500 unbound (1.4.14-1) unstable; urgency=high * New upstream release. - CVE-2011-4528. * Call dh_python2 in debian/rules; closes: #652294. -- Robert S. Edmonds Mon, 19 Dec 2011 11:00:46 -0500 unbound (1.4.13-2) unstable; urgency=low * Reduce the run-time dependencies of libunbound and the unbound-* utilities. -- Robert S. Edmonds Sat, 29 Oct 2011 16:16:19 -0400 unbound (1.4.13-1) unstable; urgency=low * New upstream release. * Only install forwarders learned from resolvconf into unbound if RESOLVCONF_FORWARDERS is enabled in /etc/default/unbound; closes: #637198. * Split unbound-anchor utility into separate binary package. * Support multi-arch. * Fix FTBFS with dpkg-dev 1.16.1. -- Robert S. 
Edmonds Sun, 23 Oct 2011 16:55:45 -0400 unbound (1.4.12-1) unstable; urgency=medium * New upstream release. -- Robert S. Edmonds Mon, 18 Jul 2011 15:56:42 -0400 unbound (1.4.11-1) unstable; urgency=low * New upstream release. * Fix FTBFS with default python >> 2.6; closes: #625520. -- Robert S. Edmonds Sun, 03 Jul 2011 16:32:49 -0400 unbound (1.4.10-1) unstable; urgency=low * New upstream release: - CVE-2011-1922. -- Robert S. Edmonds Wed, 25 May 2011 15:48:34 -0700 unbound (1.4.9-2) unstable; urgency=low * Build-depend on libldns-dev (>= 1.6.9-2~) for GOST support. * Configure without --disable-gost. -- Robert S. Edmonds Sun, 03 Apr 2011 14:31:40 -0400 unbound (1.4.9-1) unstable; urgency=low * New upstream release. * Convert packaging to git. * Configure with --with-pythonmodule. * Configure with --with-pyunbound. * Build new python-unbound package; closes: #542094. * Automatically create and remove remote control key material on package configuration and package purge. * Set default remote control port to 53953 to avoid conflicting with the bind9 package's default use of port 953 for rndc. * Securely fetch or update the root trust anchor at postinst and before starting the unbound daemon if ROOT_TRUST_ANCHOR_UPDATE is set in /etc/default/unbound; closes: #594911. * If unbound is listening on a loopback address, provide this address as a nameserver to resolvconf if RESOLVCONF is enabled in /etc/default/unbound; closes: #562031. * Configure resolvconf discovered nameservers as forwarders if RESOLVCONF_FORWARDERS is enabled in /etc/default/unbound; closes: #567879. * Don't exit from the init script with an error if UNBOUND_ENABLE is not true; default UNBOUND_ENABLE to true if the default file is missing entirely; closes: #618815. * Support /etc/init.d/unbound reload; closes: #620256. -- Robert S. Edmonds Sat, 02 Apr 2011 22:52:16 -0400 unbound (1.4.8-2) unstable; urgency=low * Add build-dependency on libexpat1-dev; closes: #612261. 
* Install unbound-anchor utility in unbound package. -- Robert S. Edmonds Mon, 07 Feb 2011 16:06:00 -0500 unbound (1.4.8-1) unstable; urgency=low * New upstream release; closes: #611527. * Add /etc/insserv.conf.d/unbound file declaring unbound to be a name daemon; closes: #596488, #600118. -- Robert S. Edmonds Sun, 06 Feb 2011 23:33:04 -0500 unbound (1.4.6-1) unstable; urgency=low * New upstream release. -- Robert S. Edmonds Sun, 15 Aug 2010 18:26:43 -0400 unbound (1.4.5-1) unstable; urgency=low * New upstream release. * Add dependency on openssl to the unbound binary package; closes: #585808. -- Robert S. Edmonds Sun, 20 Jun 2010 16:50:42 -0400 unbound (1.4.4-1) unstable; urgency=low * New upstream release. -- Robert S. Edmonds Thu, 22 Apr 2010 15:24:06 -0400 unbound (1.4.3-1) unstable; urgency=low * New upstream release. -- Robert S. Edmonds Thu, 11 Mar 2010 15:55:33 -0500 unbound (1.4.2-1) unstable; urgency=low * New upstream release. -- Robert S. Edmonds Tue, 09 Mar 2010 14:13:31 -0500 unbound (1.4.1-2) unstable; urgency=low * Invoke dh_installinit with --restart-after-upgrade; closes: #563033. -- Robert S. Edmonds Tue, 29 Dec 2009 21:54:26 -0500 unbound (1.4.1-1) unstable; urgency=low * New upstream release. * Document copyright status of util/configparser.c, util/configparser.h; closes: #552066. * Enable libev support; closes: #552424. -- Robert S. Edmonds Sat, 26 Dec 2009 17:19:10 -0500 unbound (1.4.0-1) unstable; urgency=low * New upstream release. -- Robert S. Edmonds Fri, 04 Dec 2009 20:32:52 -0800 unbound (1.3.4-1) unstable; urgency=low * New upstream release. -- Robert S. Edmonds Wed, 07 Oct 2009 12:59:21 -0400 unbound (1.3.3-1) unstable; urgency=low * New upstream release. * Drop .la file from libunbound-dev; closes: #541640. -- Robert S. Edmonds Sun, 23 Aug 2009 13:25:53 -0400 unbound (1.3.2-1) unstable; urgency=low * New upstream release. -- Robert S. 
Edmonds Mon, 13 Jul 2009 05:50:47 -0400 unbound (1.3.0-1) unstable; urgency=low * New upstream release; closes: #533613. * Move pid file to /var/run; closes: #533611. * Use "unbound-checkconf -o pidfile" in init script to determine pid file location (thanks Michael Tokarev). -- Robert S. Edmonds Mon, 29 Jun 2009 01:10:00 -0400 unbound (1.2.1-2) unstable; urgency=low * Closes: #527753, #509535. -- Robert S. Edmonds Sat, 09 May 2009 16:46:32 -0400 unbound (1.2.1-1) unstable; urgency=low * New upstream release. * Remove init script chroot setup. -- Robert S. Edmonds Sat, 28 Feb 2009 19:46:09 -0500 unbound (1.0.2-1.2) unstable; urgency=low * Enable unbound by default (Closes: #508884) * Call dh_installinit with --error-handler=true (Closes: #500176) -- Ondřej Surý Tue, 16 Dec 2008 11:54:15 +0100 unbound (1.0.2-1.1) unstable; urgency=low [ Hideki Yamane (Debian-JP) ] * debian/{unbound.init,unbound.default} + set not start by default, to avoid that port 53 blocking by other name servers will cause install problems * debian/unbound.prerm + fix lintian "unbound: maintainer-script-hides-init-failure prerm:5" error [ Ondřej Surý ] * Non-maintainer upload. * Minor tweaks to patched init.d file to make it work. -- Ondřej Surý Mon, 15 Dec 2008 19:54:44 +0100 unbound (1.0.2-1) unstable; urgency=low * New upstream release; + stricter filtering of DNS messages to combat cache poisoning -- Robert S. Edmonds Mon, 25 Aug 2008 01:03:59 -0400 unbound (1.0.1-2) unstable; urgency=low * unbound tries too hard to chroot(); ship a default config that doesn't fail to start on new installs; closes: #492243. -- Robert S. Edmonds Sat, 02 Aug 2008 17:46:24 -0400 unbound (1.0.1-1) unstable; urgency=low * New upstream release. * Drop 'return' from init script; closes: #488650. -- Robert S. Edmonds Wed, 16 Jul 2008 12:38:55 -0400 unbound (1.0.0-3) unstable; urgency=low * Lintian clean; closes: #485438. * Don't chroot by default; note manual syslog configuration in README.Debian; closes: #486303. 
* Update to policy 3.8.0.0. -- Robert S. Edmonds Sun, 15 Jun 2008 17:25:04 -0400 unbound (1.0.0-2) unstable; urgency=low * Fix Build-Deps. * Split unbound-host into a separate package. -- Robert S. Edmonds Sun, 25 May 2008 16:12:21 -0400 unbound (1.0.0-1) unstable; urgency=low * Initial release; closes: #482277. -- Robert S. Edmonds Wed, 21 May 2008 14:13:28 -0400 debian/unbound-anchor.install0000664000000000000000000000013012310113675013473 0ustar usr/sbin/unbound-anchor usr/sbin usr/share/man/man8/unbound-anchor.8 usr/share/man/man8 debian/unbound-anchor.dirs0000664000000000000000000000003412310113675012771 0ustar usr/sbin usr/share/man/man8 debian/unbound.doc0000664000000000000000000000005512310113675011330 0ustar doc/CREDITS doc/FEATURES doc/README doc/TODO debian/unbound.postinst0000664000000000000000000000156512310113675012455 0ustar #!/bin/sh -e ROOT_TRUST_ANCHOR_UPDATE=false ROOT_TRUST_ANCHOR_FILE=/var/lib/unbound/root.key if [ -f /etc/default/unbound ]; then . /etc/default/unbound fi if [ "$1" = configure ]; then if ! getent passwd unbound >/dev/null; then adduser --quiet --system --group --no-create-home --home /var/lib/unbound unbound chown unbound:unbound /var/lib/unbound fi if [ -f /etc/default/unbound ]; then . /etc/default/unbound case "x$ROOT_TRUST_ANCHOR_UPDATE" in xtrue|x1|xyes) unbound-anchor -a "$ROOT_TRUST_ANCHOR_FILE" -v 2>&1 | logger -p daemon.info -t unbound-anchor chown unbound:unbound "$ROOT_TRUST_ANCHOR_FILE" || true ;; esac fi if [ ! -f /etc/unbound/unbound_control.key ]; then unbound-control-setup 1>/dev/null 2>&1 || true fi fi #DEBHELPER# debian/gbp.conf0000664000000000000000000000010512310113675010602 0ustar [buildpackage] pristine-tar = True [import-orig] pristine-tar = True