Merge branch 'internetnl' into inl_1.19.1 (upstream: branch-1.19.1)

.gitignore

@@ -46,6 +46,8 @@
 /contrib/libunbound.pc
 /contrib/unbound.service
 /contrib/unbound.socket
+cscope.out
+tags
 /contrib/unbound_portable.service
 /dnstap/dnstap.pb-c.c
 /dnstap/dnstap.pb-c.h

Makefile.in

@@ -122,7 +122,7 @@ iterator/iter_delegpt.c iterator/iter_donotq.c iterator/iter_fwd.c \
 iterator/iter_hints.c iterator/iter_priv.c iterator/iter_resptype.c \
 iterator/iter_scrub.c iterator/iter_utils.c services/listen_dnsport.c \
 services/localzone.c services/mesh.c services/modstack.c services/view.c \
-services/rpz.c util/rfc_1982.c \
+services/rpz.c util/rfc_1982.c internetnl/internetnl.c \
 services/outbound_list.c services/outside_network.c util/alloc.c \
 util/config_file.c util/configlexer.c util/configparser.c \
 util/shm_side/shm_main.c services/authzone.c \
@@ -148,6 +148,7 @@ outbound_list.lo alloc.lo config_file.lo configlexer.lo configparser.lo \
 fptr_wlist.lo siphash.lo edns.lo locks.lo log.lo mini_event.lo module.lo net_help.lo \
 random.lo rbtree.lo regional.lo rtt.lo dnstree.lo lookup3.lo lruhash.lo \
 slabhash.lo tcp_conn_limit.lo timehist.lo tube.lo winsock_event.lo \
+internetnl.lo \
 autotrust.lo val_anchor.lo rpz.lo rfc_1982.lo proxy_protocol.lo \
 validator.lo val_kcache.lo val_kentry.lo val_neg.lo val_nsec3.lo val_nsec.lo \
 val_secalgo.lo val_sigcrypt.lo val_utils.lo dns64.lo $(CACHEDB_OBJ) authzone.lo \
@@ -702,6 +703,7 @@ depend:
 
 # build rules
 ipset.lo ipset.o: $(srcdir)/ipset/ipset.c
+internetnl.lo internetnl.o: $(srcdir)/internetnl/internetnl.c
 
 # Dependencies
 dns.lo dns.o: $(srcdir)/services/cache/dns.c config.h $(srcdir)/iterator/iter_delegpt.h $(srcdir)/util/log.h \
@@ -861,7 +863,8 @@ modstack.lo modstack.o: $(srcdir)/services/modstack.c config.h $(srcdir)/service
  $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h \
  $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
  $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/dns64/dns64.h $(srcdir)/iterator/iterator.h \
- $(srcdir)/services/outbound_list.h $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h
+ $(srcdir)/services/outbound_list.h $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h \
+ $(srcdir)/cachedb/cachedb.h $(srcdir)/internetnl/internetnl.h
 view.lo view.o: $(srcdir)/services/view.c config.h $(srcdir)/services/view.h $(srcdir)/util/rbtree.h \
  $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h \
  $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/data/msgreply.h \
@@ -876,6 +879,17 @@ rpz.lo rpz.o: $(srcdir)/services/rpz.c config.h $(srcdir)/services/rpz.h $(srcdi
   $(srcdir)/services/modstack.h $(srcdir)/libunbound/unbound.h \
  $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/respip/respip.h $(srcdir)/sldns/wire2str.h \
  $(srcdir)/sldns/str2wire.h $(srcdir)/util/data/dname.h $(srcdir)/util/net_help.h $(srcdir)/util/regional.h
+internetnl.lo internetnl.o: $(srcdir)/internetnl/internetnl.c config.h $(srcdir)/internetnl/internetnl.h \
+ $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
+ $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
+ $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h \
+ $(srcdir)/sldns/parseutil.h $(srcdir)/util/data/dname.h $(srcdir)/sldns/wire2str.h $(srcdir)/util/alloc.h \
+ $(srcdir)/util/net_help.h $(srcdir)/services/cache/dns.h $(srcdir)/services/localzone.h $(srcdir)/util/rbtree.h \
+ $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/str2wire.h \
+ $(srcdir)/services/mesh.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
+  $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h \
+ $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \
+ $(srcdir)/respip/respip.h
 outbound_list.lo outbound_list.o: $(srcdir)/services/outbound_list.c config.h \
  $(srcdir)/services/outbound_list.h $(srcdir)/services/outside_network.h $(srcdir)/util/rbtree.h \
  $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h  \
@@ -962,7 +976,7 @@ fptr_wlist.lo fptr_wlist.o: $(srcdir)/util/fptr_wlist.c config.h $(srcdir)/util/
  $(srcdir)/validator/val_nsec3.h $(srcdir)/validator/val_sigcrypt.h $(srcdir)/validator/val_kentry.h \
  $(srcdir)/validator/val_neg.h $(srcdir)/validator/autotrust.h $(srcdir)/libunbound/libworker.h \
  $(srcdir)/libunbound/context.h $(srcdir)/util/alloc.h $(srcdir)/libunbound/unbound-event.h \
- $(srcdir)/libunbound/worker.h
+ $(srcdir)/libunbound/worker.h $(srcdir)/cachedb/cachedb.h $(srcdir)/internetnl/internetnl.h
 locks.lo locks.o: $(srcdir)/util/locks.c config.h $(srcdir)/util/locks.h $(srcdir)/util/log.h
 log.lo log.o: $(srcdir)/util/log.c config.h $(srcdir)/util/log.h $(srcdir)/util/locks.h $(srcdir)/sldns/sbuffer.h
 mini_event.lo mini_event.o: $(srcdir)/util/mini_event.c config.h $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h \

README.md

@@ -1,42 +1,143 @@
-# Unbound
+# Unbound internet.nl branch
 
-[![Github Build Status](https://github.com/NLnetLabs/unbound/actions/workflows/ci.yml/badge.svg?branch=master)](https://github.com/NLnetLabs/unbound/actions)
-[![Packaging status](https://repology.org/badge/tiny-repos/unbound.svg)](https://repology.org/project/unbound/versions)
-[![Fuzzing Status](https://oss-fuzz-build-logs.storage.googleapis.com/badges/unbound.svg)](https://bugs.chromium.org/p/oss-fuzz/issues/list?sort=-opened&can=1&q=proj:unbound)
-[![Documentation Status](https://readthedocs.org/projects/unbound/badge/?version=latest)](https://unbound.readthedocs.io/en/latest/?badge=latest)
-[![Mastodon Follow](https://img.shields.io/mastodon/follow/109262826617293067?domain=https%3A%2F%2Ffosstodon.org&style=social)](https://fosstodon.org/@nlnetlabs)
+Unbound branch containing the internetnl module, used for connection test and
+interactive mail test on internet.nl.
 
-Unbound is a validating, recursive, caching DNS resolver. It is designed to be
-fast and lean and incorporates modern features based on open standards. If you
-have any feedback, we would love to hear from you. Don’t hesitate to
-[create an issue on Github](https://github.com/NLnetLabs/unbound/issues/new)
-or post a message on the [Unbound mailing list](https://lists.nlnetlabs.nl/mailman/listinfo/unbound-users).
-You can learn more about Unbound by reading our
-[documentation](https://unbound.docs.nlnetlabs.nl/).
+## HOW TO KEEP THE FORK UP-TO-DATE
 
-## Compiling
+1. Clone the repository locally and set the upstream (for syncing with upstream):
+   ```
+   git remote add upstream https://github.com/NLnetLabs/unbound.git
+   ```
 
-Make sure you have the C toolchain, OpenSSL and its include files, and libexpat
-installed.
-If building from the repository source you also need flex and bison installed.
-Unbound can be compiled and installed using:
+2. If you need to sync with upstream on a previously cloned repo run:
+   ```
+   git fetch upstream master
+   git checkout master
+   git merge upstream/master
+   git push
+   ```
+
+3. Remember to checkout the proper branch again since we don't want any changes
+   on master:
+   ```
+   git checkout internetnl
+   ```
+
+
+## Installation
+ - Make sure that `swig` >= 3.0 is installed on your system
+
+   `apt install swig3.0`
+ - Change #defines on top of internetnl/internetnl.c to match test environment
+ - `./configure --prefix=$HOME/usr/local --enable-internetnl --with-pyunbound --with-libevent --with-libhiredis`
+ - `make install`
+
+## Configuration
+Three delegations from the `<base-domain>` (default base-domain = internet.nl)
+zone are required for this module:
+  - `mail-test`, IPv6 and IPv4 glue required
+  - `test-ns-signed`, IPv6 and IPv4 glue required, and DS at parent
+  - `test-ns6-signed`, must only have IPv6 glue, and DS at parent
+
+Unsigned example zonefiles are available in the `internetnl` directory. Don't
+forget to update the DKIM, SPF, DMARC and TLSA values to match the sending MTA,
+and the IP addresses.
 
 ```
-./configure && make && make install
+server:
+	local-zone: "." refuse
+	local-zone: "mail-test.<base-domain>" transparent
+	local-zone: "test-ns-signed.<base-domain>" transparent
+	local-zone: "test-ns6-signed.<base-domain>" transparent
+	interface: 0.0.0.0
+	access-control: 0.0.0.0/0 allow_setrd
+	module-config: "internetnl iterator"
+
+auth-zone:
+	name: "mail-test.<base-domain>"
+	zonefile: "mail-test.zone"
+	fallback-enabled: no
+	for-upstream: yes
+	for-downstream: no
+
+auth-zone:
+	name: "test-ns-signed.<base-domain>"
+	zonefile: "test-ns-signed.zone.signed"
+	fallback-enabled: no
+	for-upstream: yes
+	for-downstream: no
+
+auth-zone:
+	name: "test-ns6-signed.<base-domain>"
+	zonefile: "test-ns6-signed.zone.signed"
+	fallback-enabled: no
+	for-upstream: yes
+	for-downstream: no
+cachedb:
+	redis-server-host: 127.0.0.1
+	redis-server-port: 6379
+	redis-timeout: 1000
 ```
+## zone signing
+The `test-ns-signed` and `test-ns6-signed` zones must be signed.
+
+First generate the keys for this zone (we use a combined signing key here):
+ - `ldns-keygen -k -a RSASHA256 test-ns-signed.<base-domain>`
+ - `ldns-keygen -k -a RSASHA256 test-ns6-signed.<base-domain>`
+
+Put the DS records in the <base-domain> zone, next to the delegation. The DS
+records can be found in `test-ns-signed.zone Ktest-ns-signed.<basedomain>.<keytag>.ds`
+and `Ktest-ns6-signed.<basedomain>.<keytag>.ds`
+
+Then sign the zones using a recent version of ldns-signzone:
+ - `ldns-signzone -u -n -o test-ns-signed.<base-domain> test-ns-signed.zone Ktest-ns-signed.<basedomain>.<keytag>`
+ - `ldns-signzone -u -n -o test-ns6-signed.<base-domain> test-ns6-signed.zone Ktest-ns-signed6.<basedomain>.<keytag>`
+
+Make the bogus wildcard records bogus by deleting RRSIGs:
+ - `sed -ie '/bogus.*IN\tRRSIG/d' test-ns-signed.zone.signed`
+ - `sed -ie '/bogus.*IN\tRRSIG/d' test-ns6-signed.zone.signed`
+
+After signing the zones need to be reloaded by Unbound:
+ - `~/usr/local/sbin/unbound-control auth_zone_reload test-ns-signed.internet.nl.`
+ - `~/usr/local/sbin/unbound-control auth_zone_reload test-ns6-signed.internet.nl.A`
+
+
+Signing (and making the bogus records bogus) must be done periodically to
+prevent signatures from going to expire! It is recommendable to make a simple
+script to execute the ldns-signzone and sed commands from cron.
+to run from a conjob.
+
+## Interactive mail test query handling
+Email for the interactive mail test will be send from `<testid>`.`mail-test`.`<base-domain>`.
+
+## Testing validation anti spoofing standards
+Receivers of these email messages should now query for DKIM, DMARC and SPF
+records. Queries that will be logged, and there corresponding redis keys:
+  - TXT `<testid>`.`mail-test`.`<base-domain>` -->`interactivemailtest:spf:<testid>`
+  - TXT \_dmarc.`<testid>`.`mail-test`.`<base-domain>` --> `interactivemailtest:dmarc:<testid>`
+  - TXT selector.\_domainkey.`<testid>`.`mail-test`.`<base-domain>` --> `interactivemailtest:dkim:<testid>`
+
+## Testing DANE validation
+If the receiver of the email message will reply the mx record will be requested
+and generated by the internetnl Unbound module:
+ - MX `<testid>`.`mail-test`.`<base-domain>` --> `<testid>`.`test-ns-signed`.`<base-domain>`,
+   the default signed-lab is "test-ns-signed".
 
-You can use libevent if you want. libevent is useful when using many (10000)
-outgoing ports. By default max 256 ports are opened at the same time and the
-builtin alternative is equally capable and a little faster.
+If the user's MTA will validate DANE, a query will be send and logged in redis:
+  - TLSA \_25.\_tcp.`<testid>`.`test-ns-signed`.`<base-domain>` --> `interactivemailtest:dane:<testid>`.
 
-Use the `--with-libevent` configure option to compile Unbound with libevent
-support.
+## Connection test query handling
+For queries for the connection test the address of the resolver contacting us
+will be logged.
 
-## Unbound configuration
+Connection test queries are a subdomain of:
+ - `conn`.`test-ns-signed`.`<base-domain>` 
+ - `bogus`.`conn`.`test-ns-signed`.`<base-domain>` 
+ - `conn`.`test-ns6-signed`.`<base-domain>`
+ - `bogus`.`conn`.`test-ns6-signed`.`<base-domain>`
 
-All of Unbound's configuration options are described in the man pages, which
-will be installed and are available on the Unbound
-[documentation page](https://unbound.docs.nlnetlabs.nl/).
+Queries that are subdomain of the bogus names will be answered with a DNSSEC
+bogus answer.
 
-An example configuration file is located in
-[doc/example.conf](https://github.com/NLnetLabs/unbound/blob/master/doc/example.conf.in).
+Addresses will be logged in a redis set, with as key "ns\_`<qname>`"

config.h.in

@@ -860,6 +860,9 @@
 /* Define to 1 to use cachedb support */
 #undef USE_CACHEDB
 
+/* Define to 1 to use internetnl support */
+#undef USE_INTERNETNL
+
 /* Define to 1 to enable dnscrypt support */
 #undef USE_DNSCRYPT
 

configure

@@ -900,6 +900,7 @@ with_protobuf_c
 enable_dnscrypt
 with_libsodium
 enable_cachedb
+enable_internetnl
 enable_ipsecmod
 enable_ipset
 with_libmnl
@@ -1602,6 +1603,7 @@ Optional Features:
   --enable-dnscrypt       Enable dnscrypt support (requires libsodium)
   --enable-cachedb        enable cachedb module that can use external cache
                           storage
+  --enable-internetnl     enable internetnl module
   --enable-ipsecmod       Enable ipsecmod module that facilitates
                           opportunistic IPsec
   --enable-ipset          enable ipset module
@@ -15548,7 +15550,7 @@ else
     We can't simply define LARGE_OFF_T to be 9223372036854775807,
     since some C++ compilers masquerading as C compilers
     incorrectly reject 9223372036854775807.  */
-#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62))
+#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31))
   int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721
 		       && LARGE_OFF_T % 2147483647 == 1)
 		      ? 1 : -1];
@@ -15594,7 +15596,7 @@ else
     We can't simply define LARGE_OFF_T to be 9223372036854775807,
     since some C++ compilers masquerading as C compilers
     incorrectly reject 9223372036854775807.  */
-#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62))
+#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31))
   int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721
 		       && LARGE_OFF_T % 2147483647 == 1)
 		      ? 1 : -1];
@@ -15618,7 +15620,7 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
     We can't simply define LARGE_OFF_T to be 9223372036854775807,
     since some C++ compilers masquerading as C compilers
     incorrectly reject 9223372036854775807.  */
-#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62))
+#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31))
   int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721
 		       && LARGE_OFF_T % 2147483647 == 1)
 		      ? 1 : -1];
@@ -15663,7 +15665,7 @@ else
     We can't simply define LARGE_OFF_T to be 9223372036854775807,
     since some C++ compilers masquerading as C compilers
     incorrectly reject 9223372036854775807.  */
-#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62))
+#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31))
   int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721
 		       && LARGE_OFF_T % 2147483647 == 1)
 		      ? 1 : -1];
@@ -15687,7 +15689,7 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
     We can't simply define LARGE_OFF_T to be 9223372036854775807,
     since some C++ compilers masquerading as C compilers
     incorrectly reject 9223372036854775807.  */
-#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62))
+#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31))
   int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721
 		       && LARGE_OFF_T % 2147483647 == 1)
 		      ? 1 : -1];
@@ -21628,6 +21630,23 @@ $as_echo "#define USE_CACHEDB 1" >>confdefs.h
     	;;
 esac
 
+# check for internetnl if requested
+# Check whether --enable-internetnl was given.
+if test "${enable_internetnl+set}" = set; then :
+  enableval=$enable_internetnl;
+fi
+
+case "$enable_internetnl" in
+    yes)
+
+$as_echo "#define USE_INTERNETNL 1" >>confdefs.h
+
+    	;;
+    no|*)
+    	# nothing
+    	;;
+esac
+
 # check for ipsecmod if requested
 # Check whether --enable-ipsecmod was given.
 if test "${enable_ipsecmod+set}" = set; then :

configure.ac

@@ -1878,6 +1878,17 @@ case "$enable_cachedb" in
     	;;
 esac
 
+# check for internetnl if requested
+AC_ARG_ENABLE(internetnl, AC_HELP_STRING([--enable-internetnl], [enable internetnl module]))
+case "$enable_internetnl" in
+    yes)
+    	AC_DEFINE([USE_INTERNETNL], [1], [Define to 1 to use internetnl support])
+    	;;
+    no|*)
+    	# nothing
+    	;;
+esac
+
 # check for ipsecmod if requested
 AC_ARG_ENABLE(ipsecmod, AS_HELP_STRING([--enable-ipsecmod],[Enable ipsecmod module that facilitates opportunistic IPsec]))
 case "$enable_ipsecmod" in