On 2015/10/27 15:06, Stuart Henderson wrote:
> Diff is ordered as follows:
> 
> - changelog
> - code
> - lexer/parsers
> - build infrastructure/manpages
> 
> any comments, test reports, OKs?

Now with 100% less quoted-printable (triggered by utf8 in DES' name
in Changelog).

Index: doc/Changelog
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/doc/Changelog,v
retrieving revision 1.11
diff -u -p -r1.11 Changelog
--- doc/Changelog       16 Jul 2015 01:44:00 -0000      1.11
+++ doc/Changelog       27 Oct 2015 14:58:50 -0000
@@ -1,3 +1,114 @@
+15 October 2015: Wouter
+       - Fix segfault in the dns64 module in the formaterror error path.
+       - Fix sldns_wire2str_rdata_scan for malformed RRs.
+       - tag for 1.5.6rc1 release.
+
+14 October 2015: Wouter
+       - ANY responses include DNAME records if present, as per Evan Hunt's
+         remark in dnsop.
+       - Fix manpage to suggest using SIGTERM to terminate the server.
+
+9 October 2015: Wouter
+       - Default for ssl-port is port 853, the temporary port assignment
+         for secure domain name system traffic.
+         If you used to rely on the older default of port 443, you have
+         to put a clause in unbound.conf for that.  The new value is likely
+         going to be the standardised port number for this traffic.
+       - iana portlist update.
+
+6 October 2015: Wouter
+       - 1.5.5 release.
+       - trunk tracks the development of 1.5.6.
+
+28 September 2015: Wouter
+       - MAX_TARGET_COUNT increased to 64, to fix up sporadic resolution
+         failures.
+       - tag for 1.5.5rc1 release.
+       - makedist.sh: pgp sig echo commands.
+
+25 September 2015: Wouter
+       - Fix unbound-control flush that does not succeed in removing data.
+
+22 September 2015: Wouter
+       - Fix config globbed include chroot treatment, this fixes reload of
+         globs (patch from Dag-Erling Smorgrav).
+       - iana portlist update.
+       - Fix #702: New IPs for for h.root-servers.net.
+       - Remove confusion comment from canonical_compare() function.
+       - Fix #705: ub_ctx_set_fwd() return value mishandled on windows.
+       - testbound selftest also works in non-debug mode.
+       - Fix minor error in unbound.conf.5.in
+       - Fix unbound.conf(5) access-control description for precedence
+         and default.
+
+31 August 2015: Wouter
+       - changed windows setup compression to be more transparent.
+
+28 August 2015: Wouter
+       - Fix #697: Get PY_MAJOR_VERSION failure at configure for python
+         2.4 to 2.6.
+       - Feature #699: --enable-pie option to that builds PIE binary.
+       - Feature #700: --enable-relro-now option that enables full read-only
+         relocation.
+
+24 August 2015: Wouter
+       - Fix deadlock for local data add and zone add when unbound-control
+         list_local_data printout is interrupted.
+       - iana portlist update.
+       - Change default of harden-algo-downgrade to off.  This is lenient
+         for algorithm rollover.
+
+13 August 2015: Wouter
+       - 5011 implementation does not insist on all algorithms, when
+         harden-algo-downgrade is turned off.
+       - Reap the child process that libunbound spawns.
+
+11 August 2015: Wouter
+       - Fix #694: configure script does not detect LibreSSL 2.2.2
+
+4 August 2015: Wouter
+       - Document that local-zone nodefault matches exactly and transparent
+         can be used to release a subzone.
+
+3 August 2015: Wouter
+       - Document in the manual more text about configuring locally served
+         zones.
+       - Fix 5011 anchor update timer after reload.
+       - Fix mktime in unbound-anchor not using UTC.
+
+30 July 2015: Wouter
+       - please afl-gcc (llvm) for uninitialised variable warning.
+       - Added permit-small-holddown config to debug fast 5011 rollover.
+
+24 July 2015: Wouter
+       - Fix #690: Reload fails when so-reuseport is yes after changing
+         num-threads.
+       - iana portlist update.
+
+21 July 2015: Wouter
+       - Fix configure to detect SSL_CTX_set_ecdh_auto.
+       - iana portlist update.
+
+20 July 2015: Wouter
+       - Enable ECDHE for servers.  Where available, use
+         SSL_CTX_set_ecdh_auto() for TLS-wrapped server configurations to
+         enable ECDHE.  Otherwise, manually offer curve p256.
+         Client connections should automatically use ECDHE when available.
+         (thanks Daniel Kahn Gillmor)
+
+18 July 2015: Willem
+       - Allow certificate chain files to allow for intermediate certificates.
+         (thanks Daniel Kahn Gillmor)
+
+13 July 2015: Wouter
+       - makedist produces sha1 and sha256 files for created binaries too.
+
+9 July 2015: Wouter
+       - 1.5.4 release tag
+       - trunk has 1.5.5 in development.
+       - Fix #681: Setting forwarders with unbound-control forward
+         implicitly turns on forward-first.
+
 29 June 2015: Wouter
        - iana portlist update.
        - Fix alloc with log for allocation size checks.
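Review bot: two entries in this Changelog hunk are behaviour changes that existing OpenBSD installs will hit on upgrade and that deserve a line in the port's update notes rather than only here: the 9 October entry moves the ssl-port default from 443 to 853, so anyone serving TLS on the old default must now add "ssl-port: 443" to unbound.conf, and the 24 August entry turns harden-algo-downgrade off by default, relaxing DNSSEC algorithm checking for everyone who did not set it explicitly.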
Index: daemon/daemon.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/daemon/daemon.c,v
retrieving revision 1.1.1.6
diff -u -p -r1.1.1.6 daemon.c
--- daemon/daemon.c     16 Jul 2015 01:42:20 -0000      1.1.1.6
+++ daemon/daemon.c     27 Oct 2015 14:58:50 -0000
@@ -399,6 +399,12 @@ daemon_create_workers(struct daemon* dae
        verbose(VERB_ALGO, "total of %d outgoing ports available", numport);
        
        daemon->num = (daemon->cfg->num_threads?daemon->cfg->num_threads:1);
+       if(daemon->reuseport && (int)daemon->num < (int)daemon->num_ports) {
+               log_warn("cannot reduce num-threads to %d because so-reuseport "
+                       "so continuing with %d threads.", (int)daemon->num,
+                       (int)daemon->num_ports);
+               daemon->num = (int)daemon->num_ports;
+       }
        daemon->workers = (struct worker**)calloc((size_t)daemon->num, 
                sizeof(struct worker*));
        if(daemon->cfg->dnstap) {
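Review bot: the new log_warn text is missing a verb ("because so-reuseport so continuing"); suggest "cannot reduce num-threads to %d because so-reuseport is enabled; continuing with %d threads" so the operator understands that the thread count was pinned to the existing number of reuseport sockets. The clamp itself looks right: dropping num-threads below num_ports on a reload would leave listening sockets with no worker, which matches the #690 failure in the Changelog, and after the clamp the only remaining case is num greater than num_ports, which the modulo in thread_start handles.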
@@ -464,7 +470,7 @@ thread_start(void* arg)
 #endif
 #ifdef SO_REUSEPORT
        if(worker->daemon->cfg->so_reuseport)
-               port_num = worker->thread_num;
+               port_num = worker->thread_num % worker->daemon->num_ports;
        else
                port_num = 0;
 #endif
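Review bot: worker->thread_num % worker->daemon->num_ports divides by num_ports, so this relies on num_ports being non-zero whenever so_reuseport is set; the clamp in daemon_create_workers only guarantees num is at least num_ports, not that num_ports is positive. If num_ports is always populated before any worker thread starts that is fine, but a log_assert(worker->daemon->num_ports > 0) or a one-line comment would make the invariant explicit instead of implicit.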
Index: daemon/remote.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/daemon/remote.c,v
retrieving revision 1.13
diff -u -p -r1.13 remote.c
--- daemon/remote.c     27 Oct 2015 07:58:00 -0000      1.13
+++ daemon/remote.c     27 Oct 2015 14:58:50 -0000
@@ -245,9 +245,9 @@ daemon_remote_create(struct config_file*
                goto setup_error;
        }
        verbose(VERB_ALGO, "setup SSL certificates");
-       if (!SSL_CTX_use_certificate_file(rc->ctx,s_cert,SSL_FILETYPE_PEM)) {
+       if (!SSL_CTX_use_certificate_chain_file(rc->ctx,s_cert)) {
                log_err("Error for server-cert-file: %s", s_cert);
-               log_crypto_err("Error in SSL_CTX use_certificate_file");
+               log_crypto_err("Error in SSL_CTX use_certificate_chain_file");
                goto setup_error;
        }
        if(!SSL_CTX_use_PrivateKey_file(rc->ctx,s_key,SSL_FILETYPE_PEM)) {
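Review bot: SSL_CTX_use_certificate_chain_file changes what server-cert-file may contain (leaf followed by intermediates), but the same s_cert path is still handed to SSL_CTX_load_verify_locations a few lines further down, so any intermediate placed in that file also becomes a trust anchor for verifying unbound-control clients. For a self-signed control certificate this makes no difference; if the manpage now suggests putting a chain in server-cert-file it should point out that the verify side reads the same file.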
@@ -260,6 +260,23 @@ daemon_remote_create(struct config_file*
                log_crypto_err("Error in SSL_CTX check_private_key");
                goto setup_error;
        }
+#if HAVE_DECL_SSL_CTX_SET_ECDH_AUTO
+       if(!SSL_CTX_set_ecdh_auto(rc->ctx,1)) {
+               log_crypto_err("Error in SSL_CTX_ecdh_auto, not enabling 
ECDHE");
+       }
+#elif defined(USE_ECDSA)
+       if(1) {
+               EC_KEY *ecdh = EC_KEY_new_by_curve_name (NID_X9_62_prime256v1);
+               if (!ecdh) {
+                       log_crypto_err("could not find p256, not enabling 
ECDHE");
+               } else {
+                       if (1 != SSL_CTX_set_tmp_ecdh (rc->ctx, ecdh)) {
+                               log_crypto_err("Error in SSL_CTX_set_tmp_ecdh, 
not enabling ECDHE");
+                       }
+                       EC_KEY_free (ecdh);
+               }
+       }
+#endif
        if(!SSL_CTX_load_verify_locations(rc->ctx, s_cert, NULL)) {
                log_crypto_err("Error setting up SSL_CTX verify locations");
        setup_error:
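Review bot: a failure of SSL_CTX_set_ecdh_auto, or of the p256 fallback, is logged and then ignored, so the control channel silently carries on without ECDHE; that is acceptable for the control socket, but the log text "Error in SSL_CTX_ecdh_auto" should name the real function, SSL_CTX_set_ecdh_auto, so it can be found with grep. The "if(1) {" in the #elif branch exists only to open a scope for the EC_KEY declaration; a bare "{ ... }" block does the same without looking like a leftover debug switch. This whole #if block also appears verbatim in listen_sslctx_create in util/net_help.c later in the diff; a shared helper would keep the two from drifting apart.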
@@ -1244,8 +1261,6 @@ struct del_info {
        size_t len;
        /** labels */
        int labs;
-       /** now */
-       time_t now;
        /** time to invalidate to */
        time_t expired;
        /** number of rrsets removed */
@@ -1274,7 +1289,7 @@ infra_del_host(struct lruhash_entry* e, 
                d->timeout_AAAA = 0;
                d->timeout_other = 0;
                rtt_init(&d->rtt);
-               if(d->ttl >= inf->now) {
+               if(d->ttl > inf->expired) {
                        d->ttl = inf->expired;
                        inf->num_keys++;
                }
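Review bot: the change from "d->ttl >= inf->now" to "d->ttl > inf->expired" closes a 3-second hole. With expired set to now minus 3 for thread skew, an entry whose ttl fell in the window [now-3, now) was previously left alone (it is not >= now) even though a thread whose clock lags by up to that skew could still serve it, which is the "flush that does not succeed in removing data" bug from the 25 September entry. With the new test every entry any thread could still serve is pushed down to expired, and the now member removed from del_info in the hunk above is correctly dead. The same rewrite is applied to zone_del_rrset, zone_del_msg and zone_del_kcache below.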
@@ -1303,7 +1318,6 @@ do_flush_infra(SSL* ssl, struct worker* 
        inf.name = 0;
        inf.len = 0;
        inf.labs = 0;
-       inf.now = *worker->env.now;
        inf.expired = *worker->env.now;
        inf.expired -= 3; /* handle 3 seconds skew between threads */
        inf.num_rrsets = 0;
@@ -1334,7 +1348,7 @@ zone_del_rrset(struct lruhash_entry* e, 
        if(dname_subdomain_c(k->rk.dname, inf->name)) {
                struct packed_rrset_data* d = 
                        (struct packed_rrset_data*)e->data;
-               if(d->ttl >= inf->now) {
+               if(d->ttl > inf->expired) {
                        d->ttl = inf->expired;
                        inf->num_rrsets++;
                }
@@ -1350,7 +1364,7 @@ zone_del_msg(struct lruhash_entry* e, vo
        struct msgreply_entry* k = (struct msgreply_entry*)e->key;
        if(dname_subdomain_c(k->key.qname, inf->name)) {
                struct reply_info* d = (struct reply_info*)e->data;
-               if(d->ttl >= inf->now) {
+               if(d->ttl > inf->expired) {
                        d->ttl = inf->expired;
                        inf->num_msgs++;
                }
@@ -1366,7 +1380,7 @@ zone_del_kcache(struct lruhash_entry* e,
        struct key_entry_key* k = (struct key_entry_key*)e->key;
        if(dname_subdomain_c(k->name, inf->name)) {
                struct key_entry_data* d = (struct key_entry_data*)e->data;
-               if(d->ttl >= inf->now) {
+               if(d->ttl > inf->expired) {
                        d->ttl = inf->expired;
                        inf->num_keys++;
                }
@@ -1389,7 +1403,6 @@ do_flush_zone(SSL* ssl, struct worker* w
        inf.name = nm;
        inf.len = nmlen;
        inf.labs = nmlabs;
-       inf.now = *worker->env.now;
        inf.expired = *worker->env.now;
        inf.expired -= 3; /* handle 3 seconds skew between threads */
        inf.num_rrsets = 0;
@@ -1459,7 +1472,6 @@ do_flush_bogus(SSL* ssl, struct worker* 
        struct del_info inf;
        /* what we do is to set them all expired */
        inf.worker = worker;
-       inf.now = *worker->env.now;
        inf.expired = *worker->env.now;
        inf.expired -= 3; /* handle 3 seconds skew between threads */
        inf.num_rrsets = 0;
@@ -1535,7 +1547,6 @@ do_flush_negative(SSL* ssl, struct worke
        struct del_info inf;
        /* what we do is to set them all expired */
        inf.worker = worker;
-       inf.now = *worker->env.now;
        inf.expired = *worker->env.now;
        inf.expired -= 3; /* handle 3 seconds skew between threads */
        inf.num_rrsets = 0;
@@ -1685,6 +1696,7 @@ parse_delegpt(SSL* ssl, char* args, uint
                        }
                }
        }
+       dp->has_parent_side_NS = 1;
        return dp;
 }
 
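Review bot: setting dp->has_parent_side_NS on every delegation point built from unbound-control input is a behaviour change that is not mentioned anywhere in the Changelog hunk and carries no comment here; please add a one-line comment stating what the iterator does differently with the flag set and why control-supplied delegation points need it, or a Changelog reference, so the next reader does not have to reverse-engineer the intent.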
@@ -2267,11 +2279,17 @@ do_list_local_data(SSL* ssl, struct work
                                for(i=0; i<d->count + d->rrsig_count; i++) {
                                        if(!packed_rr_to_string(p->rrset, i,
                                                0, s, slen)) {
-                                               if(!ssl_printf(ssl, "BADRR\n"))
+                                               if(!ssl_printf(ssl, "BADRR\n")) 
{
+                                                       
lock_rw_unlock(&z->lock);
+                                                       
lock_rw_unlock(&zones->lock);
                                                        return;
+                                               }
                                        }
-                                       if(!ssl_printf(ssl, "%s\n", s))
+                                       if(!ssl_printf(ssl, "%s\n", s)) {
+                                               lock_rw_unlock(&z->lock);
+                                               lock_rw_unlock(&zones->lock);
                                                return;
+                                       }
                                }
                        }
                }
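Review bot: the two new early-return paths now release z->lock and zones->lock, which is the deadlock fix from the 24 August entry, but the unlock pair is written out twice in this hunk inside a deeply nested loop (the mail wrapping of the "BADRR" copy makes it harder to read still). A single label at the end of do_list_local_data that releases both locks, reached with goto from each failure point, would keep the lock discipline in one place and make it obvious that no later return can forget it.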
Index: dns64/dns64.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/dns64/dns64.c,v
retrieving revision 1.3
diff -u -p -r1.3 dns64.c
--- dns64/dns64.c       16 Jul 2015 01:44:00 -0000      1.3
+++ dns64/dns64.c       27 Oct 2015 14:58:50 -0000
@@ -618,8 +618,10 @@ dns64_synth_aaaa_data(const struct ub_pa
        dd->rr_ttl = (time_t*)&dd->rr_data[dd->count];
        for(i = 0; i < fd->count; ++i) {
                if (fd->rr_len[i] != 6 || fd->rr_data[i][0] != 0
-                   || fd->rr_data[i][1] != 4)
+                   || fd->rr_data[i][1] != 4) {
+                       *dd_out = NULL;
                        return;
+               }
                dd->rr_len[i] = 18;
                dd->rr_data[i] =
                    (uint8_t*)&dd->rr_ttl[dd->count] + 18*i;
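Review bot: setting *dd_out = NULL on the malformed-A early return is what stops the caller from dereferencing a half-built rrset data block in the formaterror path (the 15 October segfault fix), but the same assignment is now repeated at three separate exits of dns64_synth_aaaa_data. Initialising *dd_out = NULL once at function entry and assigning the real pointer only on success would cover any future early return as well and remove the need to remember it at each one.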
@@ -638,6 +640,7 @@ dns64_synth_aaaa_data(const struct ub_pa
         */
        if(!dk) {
                log_err("no key");
+               *dd_out = NULL;
                return;
        }
 
@@ -646,6 +649,7 @@ dns64_synth_aaaa_data(const struct ub_pa
 
        if(!dk->rk.dname) {
                log_err("out of memory");
+               *dd_out = NULL;
                return;
        }
 
Index: iterator/iter_hints.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/iterator/iter_hints.c,v
retrieving revision 1.6
diff -u -p -r1.6 iter_hints.c
--- iterator/iter_hints.c       16 Jul 2015 01:44:00 -0000      1.6
+++ iterator/iter_hints.c       27 Oct 2015 14:58:50 -0000
@@ -135,7 +135,7 @@ compile_time_root_prime(int do_ip4, int 
        if(!ah(dp, "E.ROOT-SERVERS.NET.", "192.203.230.10")) goto failed;
        if(!ah(dp, "F.ROOT-SERVERS.NET.", "192.5.5.241"))       goto failed;
        if(!ah(dp, "G.ROOT-SERVERS.NET.", "192.112.36.4"))      goto failed;
-       if(!ah(dp, "H.ROOT-SERVERS.NET.", "128.63.2.53"))       goto failed;
+       if(!ah(dp, "H.ROOT-SERVERS.NET.", "198.97.190.53"))     goto failed;
        if(!ah(dp, "I.ROOT-SERVERS.NET.", "192.36.148.17"))     goto failed;
        if(!ah(dp, "J.ROOT-SERVERS.NET.", "192.58.128.30"))     goto failed;
        if(!ah(dp, "K.ROOT-SERVERS.NET.", "193.0.14.129"))      goto failed;
@@ -148,7 +148,7 @@ compile_time_root_prime(int do_ip4, int 
        if(!ah(dp, "C.ROOT-SERVERS.NET.", "2001:500:2::c")) goto failed;
        if(!ah(dp, "D.ROOT-SERVERS.NET.", "2001:500:2d::d")) goto failed;
        if(!ah(dp, "F.ROOT-SERVERS.NET.", "2001:500:2f::f")) goto failed;
-       if(!ah(dp, "H.ROOT-SERVERS.NET.", "2001:500:1::803f:235")) goto failed;
+       if(!ah(dp, "H.ROOT-SERVERS.NET.", "2001:500:1::53")) goto failed;
        if(!ah(dp, "I.ROOT-SERVERS.NET.", "2001:7fe::53")) goto failed;
        if(!ah(dp, "J.ROOT-SERVERS.NET.", "2001:503:c27::2:30")) goto failed;
        if(!ah(dp, "K.ROOT-SERVERS.NET.", "2001:7fd::1")) goto failed;
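Review bot: the new H.ROOT-SERVERS.NET addresses match the #702 entry in the Changelog; please make sure any root hints file shipped or referenced by the port (the root-hints: option, where one is configured) carries the same update, since a stale hints file would keep handing out the old 128.63.2.53 and 2001:500:1::803f:235 addresses regardless of this compiled-in change.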
Index: iterator/iterator.h
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/iterator/iterator.h,v
retrieving revision 1.3
diff -u -p -r1.3 iterator.h
--- iterator/iterator.h 16 Jul 2015 01:44:00 -0000      1.3
+++ iterator/iterator.h 27 Oct 2015 14:58:50 -0000
@@ -54,7 +54,7 @@ struct iter_priv;
 struct rbtree_t;
 
 /** max number of targets spawned for a query and its subqueries */
-#define MAX_TARGET_COUNT       32
+#define MAX_TARGET_COUNT       64
 /** max number of query restarts. Determines max number of CNAME chain. */
 #define MAX_RESTART_COUNT       8
 /** max number of referrals. Makes sure resolver does not run away */
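Review bot: doubling MAX_TARGET_COUNT to 64 raises the number of nameserver targets the iterator may chase for one query and all of its subqueries; it fixes the sporadic failures noted on 28 September but also doubles the upper bound on upstream work that a single client query can trigger against a deep or badly delegated zone. It is a resource-use knob rather than a narrow bug fix, and is worth a sentence in the commit message.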
Index: libunbound/libunbound.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/libunbound/libunbound.c,v
retrieving revision 1.2
diff -u -p -r1.2 libunbound.c
--- libunbound/libunbound.c     5 Sep 2015 09:38:24 -0000       1.2
+++ libunbound/libunbound.c     27 Oct 2015 14:58:50 -0000
@@ -65,6 +65,9 @@
 #ifdef HAVE_PTHREAD
 #include <signal.h>
 #endif
+#ifdef HAVE_SYS_WAIT_H
+#include <sys/wait.h>
+#endif
 
 #if defined(UB_ON_WINDOWS) && defined (HAVE_WINDOWS_H)
 #include <windows.h>
@@ -218,6 +221,12 @@ static void ub_stop_bg(struct ub_ctx* ct
                        ub_thread_join(ctx->bg_tid);
                } else {
                        lock_basic_unlock(&ctx->cfglock);
+#ifndef UB_ON_WINDOWS
+                       if(waitpid(ctx->bg_pid, NULL, 0) == -1) {
+                               if(verbosity > 2)
+                                       log_err("waitpid: %s", strerror(errno));
+                       }
+#endif
                }
        }
        else {
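Review bot: waitpid(ctx->bg_pid, NULL, 0) blocks until the background process exits, so ub_stop_bg now reaps the forked resolver instead of leaving a zombie, as the 13 August entry says. Two things to check: that errno.h is in scope in this file for strerror(errno), and the log_err call gated on verbosity > 2, which mixes an error-level call with a debug-level condition; either log the failure unconditionally or use verbose() with the appropriate level.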
Index: services/cache/dns.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/services/cache/dns.c,v
retrieving revision 1.3
diff -u -p -r1.3 dns.c
--- services/cache/dns.c        16 Jul 2015 01:44:00 -0000      1.3
+++ services/cache/dns.c        27 Oct 2015 14:58:50 -0000
@@ -656,8 +656,9 @@ fill_any(struct module_env* env,
        time_t now = *env->now;
        struct dns_msg* msg = NULL;
        uint16_t lookup[] = {LDNS_RR_TYPE_A, LDNS_RR_TYPE_AAAA,
-               LDNS_RR_TYPE_MX, LDNS_RR_TYPE_SOA, LDNS_RR_TYPE_NS, 0};
-       int i, num=5; /* number of RR types to look up */
+               LDNS_RR_TYPE_MX, LDNS_RR_TYPE_SOA, LDNS_RR_TYPE_NS,
+               LDNS_RR_TYPE_DNAME, 0};
+       int i, num=6; /* number of RR types to look up */
        log_assert(lookup[num] == 0);
 
        for(i=0; i<num; i++) {
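Review bot: the hard-coded num=6 has to be kept in step with the lookup[] initializer by hand, and the log_assert only catches a mismatch in debug builds; deriving it as sizeof(lookup)/sizeof(lookup[0]) - 1 (excluding the trailing 0 sentinel) would make the DNAME addition and any later ones safe. Adding DNAME to the ANY synthesis is otherwise consistent with the 14 October entry.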
Index: sldns/rrdef.h
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/sldns/rrdef.h,v
retrieving revision 1.1.1.1
diff -u -p -r1.1.1.1 rrdef.h
--- sldns/rrdef.h       16 Jul 2015 01:42:20 -0000      1.1.1.1
+++ sldns/rrdef.h       27 Oct 2015 14:58:50 -0000
@@ -342,7 +342,7 @@ enum sldns_enum_rdf_type
 
         /** A <character-string> encoding of the value field as specified 
          * [RFC1035], Section 5.1., encoded as remaining rdata.
-         * For CAA.
+         * For CAA, URI.
          */
         LDNS_RDF_TYPE_LONG_STR,
 
Index: sldns/wire2str.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/sldns/wire2str.c,v
retrieving revision 1.1.1.1
diff -u -p -r1.1.1.1 wire2str.c
--- sldns/wire2str.c    16 Jul 2015 01:42:20 -0000      1.1.1.1
+++ sldns/wire2str.c    27 Oct 2015 14:58:50 -0000
@@ -697,6 +697,9 @@ int sldns_wire2str_rdata_scan(uint8_t** 
                }
                w += n;
        }
+       if(*dlen != 0) {
+               goto failed;
+       }
        return w;
 }
 
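Review bot: rejecting leftover bytes with "if(*dlen != 0) goto failed;" after the field loop turns trailing garbage in RDATA from silently ignored into a parse failure, which is the right behaviour for a wire-to-string routine; confirm that every caller of sldns_wire2str_rdata_scan treats this failed return the same way as the existing per-field failures, that is, does not print a partially written buffer, since the path is now reachable from any malformed RR received off the wire.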
Index: smallapp/unbound-anchor.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/smallapp/unbound-anchor.c,v
retrieving revision 1.1.1.5
diff -u -p -r1.1.1.5 unbound-anchor.c
--- smallapp/unbound-anchor.c   16 Jul 2015 01:42:20 -0000      1.1.1.5
+++ smallapp/unbound-anchor.c   27 Oct 2015 14:58:50 -0000
@@ -117,6 +117,7 @@
 #include "config.h"
 #include "libunbound/unbound.h"
 #include "sldns/rrdef.h"
+#include "sldns/parseutil.h"
 #include <expat.h>
 #ifndef HAVE_EXPAT_H
 #error "need libexpat to parse root-anchors.xml file."
@@ -1328,7 +1329,7 @@ xml_convertdate(const char* str)
                /* but ignore, (lenient) */
        }
 
-       t = mktime(&tm);
+       t = sldns_mktime_from_utc(&tm);
        if(t == (time_t)-1) {
                if(verb) printf("xml_convertdate mktime failure\n");
                return 0;
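Review bot: replacing mktime with sldns_mktime_from_utc is the correct fix, since mktime interprets struct tm in the local timezone and so shifted every root-anchors.xml validity window by the host's UTC offset; the remaining message "xml_convertdate mktime failure" should be updated to name sldns_mktime_from_utc so that a failure here is not mistaken for a libc mktime problem.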
Index: smallapp/unbound-control.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/smallapp/unbound-control.c,v
retrieving revision 1.2
diff -u -p -r1.2 unbound-control.c
--- smallapp/unbound-control.c  27 Oct 2015 07:58:00 -0000      1.2
+++ smallapp/unbound-control.c  27 Oct 2015 14:58:50 -0000
@@ -163,7 +163,7 @@ setup_ctx(struct config_file* cfg)
                if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)
                        != SSL_OP_NO_SSLv3)
                        ssl_err("could not set SSL_OP_NO_SSLv3");
-               if(!SSL_CTX_use_certificate_file(ctx,c_cert,SSL_FILETYPE_PEM) ||
+               if(!SSL_CTX_use_certificate_chain_file(ctx,c_cert) ||
                    !SSL_CTX_use_PrivateKey_file(ctx,c_key,SSL_FILETYPE_PEM)
                    || !SSL_CTX_check_private_key(ctx))
                        ssl_err("Error setting up SSL_CTX client key and cert");
Index: util/config_file.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/util/config_file.c,v
retrieving revision 1.6
diff -u -p -r1.6 config_file.c
--- util/config_file.c  16 Jul 2015 01:44:01 -0000      1.6
+++ util/config_file.c  27 Oct 2015 14:58:50 -0000
@@ -70,6 +70,8 @@
 uid_t cfg_uid = (uid_t)-1;
 /** from cfg username, after daemonise setup performed */
 gid_t cfg_gid = (gid_t)-1;
+/** for debug allow small timeout values for fast rollovers */
+int autr_permit_small_holddown = 0;
 
 /** global config during parsing */
 struct config_parser_state* cfg_parser = 0;
@@ -98,7 +100,7 @@ config_create(void)
        cfg->tcp_upstream = 0;
        cfg->ssl_service_key = NULL;
        cfg->ssl_service_pem = NULL;
-       cfg->ssl_port = 443;
+       cfg->ssl_port = 853;
        cfg->ssl_upstream = 0;
        cfg->use_syslog = 1;
        cfg->log_time_ascii = 0;
@@ -172,7 +174,7 @@ config_create(void)
        cfg->harden_dnssec_stripped = 1;
        cfg->harden_below_nxdomain = 0;
        cfg->harden_referral_path = 0;
-       cfg->harden_algo_downgrade = 1;
+       cfg->harden_algo_downgrade = 0;
        cfg->use_caps_bits_for_id = 0;
        cfg->caps_whitelist = NULL;
        cfg->private_address = NULL;
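Review bot: flipping the harden-algo-downgrade default from 1 to 0 is the one security-relevant default change in this diff: with it off, a DNSKEY RRset that validates with any one of the algorithms listed in the parent DS set is accepted even when signatures for the other listed algorithms are missing. That is the lenient behaviour RFC 6840 permits and it avoids breakage during algorithm rollovers, but it should be stated plainly in the port's update notes and in the unbound.conf(5) default, and operators who relied on the stricter check need "harden-algo-downgrade: yes" to keep it.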
@@ -200,6 +202,7 @@ config_create(void)
        cfg->add_holddown = 30*24*3600;
        cfg->del_holddown = 30*24*3600;
        cfg->keep_missing = 366*24*3600; /* one year plus a little leeway */
+       cfg->permit_small_holddown = 0;
        cfg->key_cache_size = 4 * 1024 * 1024;
        cfg->key_cache_slabs = 4;
        cfg->neg_cache_size = 1 * 1024 * 1024;
@@ -444,6 +447,9 @@ int config_set_option(struct config_file
        else S_UNSIGNED_OR_ZERO("add-holddown:", add_holddown)
        else S_UNSIGNED_OR_ZERO("del-holddown:", del_holddown)
        else S_UNSIGNED_OR_ZERO("keep-missing:", keep_missing)
+       else if(strcmp(opt, "permit-small-holddown:") == 0)
+       { IS_YES_OR_NO; cfg->permit_small_holddown = (strcmp(val, "yes") == 0);
+         autr_permit_small_holddown = cfg->permit_small_holddown; }
        else S_MEMSIZE("key-cache-size:", key_cache_size)
        else S_POW2("key-cache-slabs:", key_cache_slabs)
        else S_MEMSIZE("neg-cache-size:", neg_cache_size)
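Review bot: the new permit-small-holddown branch writes the global autr_permit_small_holddown directly from config_set_option, in addition to the assignment added in config_apply further down; every other option in this function only updates cfg. If config_set_option is also reached from unbound-control set_option, this toggles the autotrust timers immediately and outside config_apply. Unless that immediacy is wanted, drop the extra assignment and keep config_apply as the single place the global is set. A debug knob that lets 5011 probe intervals drop to seconds should also be documented as debug-only in unbound.conf(5), with a note that it removes the hold-down protection against rapid trust-anchor replacement.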
@@ -705,6 +711,7 @@ config_get_option(struct config_file* cf
        else O_UNS(opt, "add-holddown", add_holddown)
        else O_UNS(opt, "del-holddown", del_holddown)
        else O_UNS(opt, "keep-missing", keep_missing)
+       else O_YNO(opt, "permit-small-holddown", permit_small_holddown)
        else O_MEM(opt, "key-cache-size", key_cache_size)
        else O_DEC(opt, "key-cache-slabs", key_cache_slabs)
        else O_MEM(opt, "neg-cache-size", neg_cache_size)
@@ -1243,6 +1250,7 @@ config_apply(struct config_file* config)
        MINIMAL_RESPONSES = config->minimal_responses;
        RRSET_ROUNDROBIN = config->rrset_roundrobin;
        log_set_time_asc(config->log_time_ascii);
+       autr_permit_small_holddown = config->permit_small_holddown;
 }
 
 void config_lookup_uid(struct config_file* cfg)
Index: util/config_file.h
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/util/config_file.h,v
retrieving revision 1.3
diff -u -p -r1.3 config_file.h
--- util/config_file.h  16 Jul 2015 01:44:01 -0000      1.3
+++ util/config_file.h  27 Oct 2015 14:58:50 -0000
@@ -269,6 +269,8 @@ struct config_file {
        unsigned int del_holddown;
        /** autotrust keep_missing time, in seconds. 0 is forever. */
        unsigned int keep_missing;
+       /** permit small holddown values, allowing 5011 rollover very fast */
+       int permit_small_holddown;
 
        /** size of the key cache */
        size_t key_cache_size;
@@ -368,6 +370,8 @@ struct config_file {
 extern uid_t cfg_uid;
 /** from cfg username, after daemonise setup performed */
 extern gid_t cfg_gid;
+/** debug and enable small timeouts */
+extern int autr_permit_small_holddown;
 
 /**
  * Stub config options
Index: util/net_help.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/util/net_help.c,v
retrieving revision 1.5
diff -u -p -r1.5 net_help.c
--- util/net_help.c     27 Oct 2015 07:58:00 -0000      1.5
+++ util/net_help.c     27 Oct 2015 14:58:50 -0000
@@ -631,9 +631,9 @@ void* listen_sslctx_create(char* key, ch
                SSL_CTX_free(ctx);
                return NULL;
        }
-       if(!SSL_CTX_use_certificate_file(ctx, pem, SSL_FILETYPE_PEM)) {
+       if(!SSL_CTX_use_certificate_chain_file(ctx, pem)) {
                log_err("error for cert file: %s", pem);
-               log_crypto_err("error in SSL_CTX use_certificate_file");
+               log_crypto_err("error in SSL_CTX use_certificate_chain_file");
                SSL_CTX_free(ctx);
                return NULL;
        }
@@ -649,6 +649,23 @@ void* listen_sslctx_create(char* key, ch
                SSL_CTX_free(ctx);
                return NULL;
        }
+#if HAVE_DECL_SSL_CTX_SET_ECDH_AUTO
+       if(!SSL_CTX_set_ecdh_auto(ctx,1)) {
+               log_crypto_err("Error in SSL_CTX_ecdh_auto, not enabling 
ECDHE");
+       }
+#elif defined(USE_ECDSA)
+       if(1) {
+               EC_KEY *ecdh = EC_KEY_new_by_curve_name (NID_X9_62_prime256v1);
+               if (!ecdh) {
+                       log_crypto_err("could not find p256, not enabling 
ECDHE");
+               } else {
+                       if (1 != SSL_CTX_set_tmp_ecdh (ctx, ecdh)) {
+                               log_crypto_err("Error in SSL_CTX_set_tmp_ecdh, 
not enabling ECDHE");
+                       }
+                       EC_KEY_free (ecdh);
+               }
+       }
+#endif
 
        if(verifypem && verifypem[0]) {
                if(!SSL_CTX_load_verify_locations(ctx, verifypem, NULL)) {
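Review bot: this #if block is byte-for-byte the same as the one added to daemon_remote_create in daemon/remote.c earlier in the diff; move it into one static helper in util/net_help.c called from both listen_sslctx_create and daemon_remote_create, so that a later fix, say a different curve or a hard failure instead of a logged one, cannot land in one copy and not the other. For the DNS-over-TLS listener in particular, a failed SSL_CTX_set_ecdh_auto currently degrades to non-ECDHE ciphersuites with nothing more than a log line, which is a forward-secrecy downgrade that deserves at least an explicit comment.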
@@ -688,7 +705,7 @@ void* connect_sslctx_create(char* key, c
                return NULL;
        }
        if(key && key[0]) {
-               if(!SSL_CTX_use_certificate_file(ctx, pem, SSL_FILETYPE_PEM)) {
+               if(!SSL_CTX_use_certificate_chain_file(ctx, pem)) {
                        log_err("error in client certificate %s", pem);
                        log_crypto_err("error in certificate file");
                        SSL_CTX_free(ctx);
Index: util/data/msgencode.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/util/data/msgencode.c,v
retrieving revision 1.1.1.5
diff -u -p -r1.1.1.5 msgencode.c
--- util/data/msgencode.c       16 Jul 2015 01:42:20 -0000      1.1.1.5
+++ util/data/msgencode.c       27 Oct 2015 14:58:50 -0000
@@ -283,7 +283,7 @@ compress_owner(struct ub_packed_rrset_ke
        size_t owner_pos, uint16_t* owner_ptr, int owner_labs)
 {
        struct compress_tree_node* p;
-       struct compress_tree_node** insertpt;
+       struct compress_tree_node** insertpt = NULL;
        if(!*owner_ptr) {
                /* compress first time dname */
                if((p = compress_tree_lookup(tree, key->rk.dname, 
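Review bot: initialising insertpt to NULL quiets the afl-gcc/llvm uninitialised-variable warning from the 30 July entry, but it also converts any genuinely unassigned path from undefined behaviour into a NULL dereference; if every branch that reads insertpt is known to assign it first, a short comment saying so, or a log_assert(insertpt) before the use, would record that the warning was a false positive rather than a masked bug.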
Index: validator/autotrust.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/validator/autotrust.c,v
retrieving revision 1.1.1.7
diff -u -p -r1.1.1.7 autotrust.c
--- validator/autotrust.c       16 Jul 2015 01:42:20 -0000      1.1.1.7
+++ validator/autotrust.c       27 Oct 2015 14:58:50 -0000
@@ -1225,7 +1225,7 @@ verify_dnskey(struct module_env* env, st
 {
        char* reason = NULL;
        uint8_t sigalg[ALGO_NEEDS_MAX+1];
-       int downprot = 1;
+       int downprot = env->cfg->harden_algo_downgrade;
        enum sec_status sec = val_verify_DNSKEY_with_TA(env, ve, rrset,
                tp->ds_rrset, tp->dnskey_rrset, downprot?sigalg:NULL, &reason);
        /* sigalg is ignored, it returns algorithms signalled to exist, but
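Review bot: downprot now follows env->cfg->harden_algo_downgrade, so with the new default of off the 5011 trust-anchor path no longer insists on every algorithm in the DS/DNSKEY set validating (13 August entry). With downprot 0 the sigalg buffer is passed as NULL and left untouched, which the comment just below already allows for, so nothing else changes here; the identical change to process_dnskey_response in validator/validator.c later in the diff should be reviewed together with this one, since both must agree for the config option to mean one thing.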
@@ -1447,9 +1447,11 @@ set_tp_times(struct trust_anchor* tp, ti
        if(rrsig_exp_interval/2 < x)
                x = rrsig_exp_interval/2;
        /* MAX(1hr, x) */
-       if(x < 3600)
-               tp->autr->query_interval = 3600;
-       else    tp->autr->query_interval = x;
+       if(!autr_permit_small_holddown) {
+               if(x < 3600)
+                       tp->autr->query_interval = 3600;
+               else    tp->autr->query_interval = x;
+       }       else    tp->autr->query_interval = x;
 
        /* x= MIN(1day, ttl/10, expire/10) */
        x = 24 * 3600;
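Review bot: the "}       else    tp->autr->query_interval = x;" layout hangs the else off the closing brace and duplicates the assignment in both arms; the same shape is repeated for retry_time in the next hunk. Clearer and equivalent: "if(x < 3600 && !autr_permit_small_holddown) x = 3600;" followed by "tp->autr->query_interval = x;", which also keeps the 1-hour floor visible on a single line.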
@@ -1458,9 +1460,11 @@ set_tp_times(struct trust_anchor* tp, ti
        if(rrsig_exp_interval/10 < x)
                x = rrsig_exp_interval/10;
        /* MAX(1hr, x) */
-       if(x < 3600)
-               tp->autr->retry_time = 3600;
-       else    tp->autr->retry_time = x;
+       if(!autr_permit_small_holddown) {
+               if(x < 3600)
+                       tp->autr->retry_time = 3600;
+               else    tp->autr->retry_time = x;
+       }       else    tp->autr->retry_time = x;
 
        if(qi != tp->autr->query_interval || rt != tp->autr->retry_time) {
                *changed = 1;
@@ -1959,8 +1963,12 @@ calc_next_probe(struct module_env* env, 
 {
        /* make it random, 90-100% */
        time_t rnd, rest;
-       if(wait < 3600)
-               wait = 3600;
+       if(!autr_permit_small_holddown) {
+               if(wait < 3600)
+                       wait = 3600;
+       } else {
+               if(wait == 0) wait = 1;
+       }
        rnd = wait/10;
        rest = wait-rnd;
        rnd = (time_t)ub_random_max(env->rnd, (long int)rnd);
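Review bot: with autr_permit_small_holddown set, wait can now be as small as 1, so rnd = wait/10 is 0 and ub_random_max(env->rnd, 0) is called; make sure ub_random_max accepts a zero upper bound and returns 0 rather than dividing or taking a modulus by it, otherwise the debug mode trades a floor of 3600 for a crash on the first probe.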
@@ -2349,6 +2357,8 @@ todo_probe(struct module_env* env, time_
        if( (el=rbtree_first(&env->anchors->autr->probe)) == RBTREE_NULL) {
                /* in case of revoked anchors */
                lock_basic_unlock(&env->anchors->lock);
+               /* signal that there are no anchors to probe */
+               *next = 0;
                return NULL;
        }
        tp = (struct trust_anchor*)el->key;
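Review bot: *next = 0 is the new "nothing to probe" signal consumed in autr_probe_timer, where "if(next_probe == 0) return 0;" replaces the old num == 0 test; please extend the comment to say that 0 is reserved for "no anchors at all" and that todo_probe must always write a non-zero value when anchors exist but none is due yet, since returning 0 from the timer callback stops the probe timer and 5011 probing then silently stays off until the next restart, which is the reload bug the 3 August entry describes.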
@@ -2378,6 +2388,7 @@ autr_probe_timer(struct module_env* env)
        struct trust_anchor* tp;
        time_t next_probe = 3600;
        int num = 0;
+       if(autr_permit_small_holddown) next_probe = 1;
        verbose(VERB_ALGO, "autotrust probe timer callback");
        /* while there are still anchors to probe */
        while( (tp = todo_probe(env, &next_probe)) ) {
@@ -2386,7 +2397,7 @@ autr_probe_timer(struct module_env* env)
                num++;
        }
        regional_free_all(env->scratch);
-       if(num == 0)
+       if(next_probe == 0)
                return 0; /* no trust points to probe */
        verbose(VERB_ALGO, "autotrust probe timer %d callbacks done", num);
        return next_probe;
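Review bot: this changes when the timer stops, not just how that is detected. With `if(num == 0)` the callback returned 0 (timer not re-armed) whenever no anchor was due in this call; now only the path in todo_probe that sets `*next = 0` on an empty probe tree does that, so a callback with nothing due keeps the timer alive. That looks like the point of the change, but it deserves a sentence in the commit text, and `num` is now only used for the VERB_ALGO message.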
Index: validator/val_sigcrypt.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/validator/val_sigcrypt.c,v
retrieving revision 1.1.1.6
diff -u -p -r1.1.1.6 val_sigcrypt.c
--- validator/val_sigcrypt.c    16 Jul 2015 01:42:20 -0000      1.1.1.6
+++ validator/val_sigcrypt.c    27 Oct 2015 14:58:50 -0000
@@ -795,10 +795,6 @@ canonical_compare(struct ub_packed_rrset
 
        if(i==j)
                return 0;
-       /* in case rdata-len is to be compared for canonical order
-       c = memcmp(d->rr_data[i], d->rr_data[j], 2);
-       if(c != 0)
-               return c; */
 
        switch(type) {
                /* These RR types have only a name as RDATA. 
Index: validator/validator.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/validator/validator.c,v
retrieving revision 1.4
diff -u -p -r1.4 validator.c
--- validator/validator.c       16 Jul 2015 01:44:01 -0000      1.4
+++ validator/validator.c       27 Oct 2015 14:58:51 -0000
@@ -2769,7 +2769,7 @@ process_dnskey_response(struct module_qs
                vq->state = VAL_VALIDATE_STATE;
                return;
        }
-       downprot = 1;
+       downprot = qstate->env->cfg->harden_algo_downgrade;
        vq->key_entry = val_verify_new_DNSKEYs(qstate->region, qstate->env,
                ve, dnskey, vq->ds_rrset, downprot, &reason);
 
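Review bot: this is a security-relevant default change and should be called out prominently. `downprot` was hard-coded to 1, so every algorithm advertised in the DS had to validate; it now follows `harden_algo_downgrade`, whose documented default in this same diff flips from yes to no. After the upgrade a resolver accepts a zone validated by the weakest algorithm listed in the DS unless the operator adds `harden-algo-downgrade: yes` explicitly; the commit message should say so.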
Index: util/configlexer.lex
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/util/configlexer.lex,v
retrieving revision 1.1.1.7
diff -u -p -r1.1.1.7 configlexer.lex
--- util/configlexer.lex        16 Jul 2015 01:42:20 -0000      1.1.1.7
+++ util/configlexer.lex        27 Oct 2015 14:58:50 -0000
@@ -126,6 +126,10 @@ static void config_start_include_glob(co
 #endif
                ;
                memset(&g, 0, sizeof(g));
+               if(cfg_parser->chroot && strncmp(filename, cfg_parser->chroot,
+                       strlen(cfg_parser->chroot)) == 0) {
+                       filename += strlen(cfg_parser->chroot);
+               }
                r = glob(filename, flags, NULL, &g);
                if(r) {
                        /* some error */
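Review bot: the chroot strip is a bare prefix compare, so with `chroot: "/var/unbound"` an include glob under `/var/unbound2/...` also matches and is rewritten to `2/...`, and a chroot value ending in '/' leaves a relative path behind. Check the character after the prefix before advancing, e.g. `&& filename[strlen(cfg_parser->chroot)] == '/'`, or require that the chroot string itself end in a slash.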
@@ -306,6 +310,7 @@ val-nsec3-keysize-iterations{COLON} { 
 add-holddown{COLON}            { YDVAR(1, VAR_ADD_HOLDDOWN) }
 del-holddown{COLON}            { YDVAR(1, VAR_DEL_HOLDDOWN) }
 keep-missing{COLON}            { YDVAR(1, VAR_KEEP_MISSING) }
+permit-small-holddown{COLON}   { YDVAR(1, VAR_PERMIT_SMALL_HOLDDOWN) }
 use-syslog{COLON}              { YDVAR(1, VAR_USE_SYSLOG) }
 log-time-ascii{COLON}          { YDVAR(1, VAR_LOG_TIME_ASCII) }
 log-queries{COLON}             { YDVAR(1, VAR_LOG_QUERIES) }
Index: util/configparser.y
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/util/configparser.y,v
retrieving revision 1.1.1.7
diff -u -p -r1.1.1.7 configparser.y
--- util/configparser.y 16 Jul 2015 01:42:20 -0000      1.1.1.7
+++ util/configparser.y 27 Oct 2015 14:58:50 -0000
@@ -121,7 +121,7 @@ extern struct config_parser_state* cfg_p
 %token VAR_HARDEN_ALGO_DOWNGRADE VAR_IP_TRANSPARENT
 %token VAR_RATELIMIT VAR_RATELIMIT_SLABS VAR_RATELIMIT_SIZE
 %token VAR_RATELIMIT_FOR_DOMAIN VAR_RATELIMIT_BELOW_DOMAIN VAR_RATELIMIT_FACTOR
-%token VAR_CAPS_WHITELIST VAR_CACHE_MAX_NEGATIVE_TTL
+%token VAR_CAPS_WHITELIST VAR_CACHE_MAX_NEGATIVE_TTL VAR_PERMIT_SMALL_HOLDDOWN
 
 %%
 toplevelvars: /* empty */ | toplevelvars toplevelvar ;
@@ -185,7 +185,8 @@ content_server: server_num_threads | ser
        server_ip_transparent | server_ratelimit | server_ratelimit_slabs |
        server_ratelimit_size | server_ratelimit_for_domain |
        server_ratelimit_below_domain | server_ratelimit_factor |
-       server_caps_whitelist | server_cache_max_negative_ttl
+       server_caps_whitelist | server_cache_max_negative_ttl |
+       server_permit_small_holddown
        ;
 stubstart: VAR_STUB_ZONE
        {
@@ -1125,6 +1126,15 @@ server_keep_missing: VAR_KEEP_MISSING ST
                free($2);
        }
        ;
+server_permit_small_holddown: VAR_PERMIT_SMALL_HOLDDOWN STRING_ARG
+       {
+               OUTYY(("P(server_permit_small_holddown:%s)\n", $2));
+               if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
+                       yyerror("expected yes or no.");
+               else cfg_parser->cfg->permit_small_holddown =
+                       (strcmp($2, "yes")==0);
+               free($2);
+       }
 server_key_cache_size: VAR_KEY_CACHE_SIZE STRING_ARG
        {
                OUTYY(("P(server_key_cache_size:%s)\n", $2));
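Review bot: server_permit_small_holddown is the only rule in this hunk without a terminating `;` (compare `free($2); } ;` at the end of the preceding server_keep_missing rule); add it after the closing brace, before server_key_cache_size, so the grammar matches the rest of the file instead of relying on yacc tolerating a missing semicolon.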
Index: Makefile.in
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/Makefile.in,v
retrieving revision 1.15
diff -u -p -r1.15 Makefile.in
--- Makefile.in 16 Jul 2015 01:44:00 -0000      1.15
+++ Makefile.in 27 Oct 2015 14:58:50 -0000
@@ -168,7 +168,7 @@ HOST_OBJ=unbound-host.lo
 HOST_OBJ_LINK=$(HOST_OBJ) $(SLDNS_OBJ) $(COMPAT_OBJ_WITHOUT_CTIMEARC4) 
@WIN_HOST_OBJ_LINK@
 UBANCHOR_SRC=smallapp/unbound-anchor.c
 UBANCHOR_OBJ=unbound-anchor.lo
-UBANCHOR_OBJ_LINK=$(UBANCHOR_OBJ) \
+UBANCHOR_OBJ_LINK=$(UBANCHOR_OBJ) parseutil.lo \
 $(COMPAT_OBJ_WITHOUT_CTIME) @WIN_UBANCHOR_OBJ_LINK@
 TESTBOUND_SRC=testcode/testbound.c testcode/testpkts.c \
 daemon/worker.c daemon/acl_list.c daemon/daemon.c daemon/stats.c \
@@ -1178,7 +1178,7 @@ delayer.lo delayer.o: $(srcdir)/testcode
 unbound-control.lo unbound-control.o: $(srcdir)/smallapp/unbound-control.c 
config.h \
  $(srcdir)/util/log.h $(srcdir)/util/config_file.h $(srcdir)/util/locks.h 
$(srcdir)/util/net_help.h
 unbound-anchor.lo unbound-anchor.o: $(srcdir)/smallapp/unbound-anchor.c 
config.h $(srcdir)/libunbound/unbound.h \
- $(srcdir)/sldns/rrdef.h \
+ $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/parseutil.h \
  
 petal.lo petal.o: $(srcdir)/testcode/petal.c config.h \
  
Index: README
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/README,v
retrieving revision 1.1.1.2
diff -u -p -r1.1.1.2 README
--- README      23 Aug 2012 22:36:12 -0000      1.1.1.2
+++ README      27 Oct 2015 14:58:50 -0000
@@ -1,4 +1,4 @@
-Unbound README
+README for Unbound 1.5.6
 * ./configure && make && make install
 * You can use libevent if you want. libevent is useful when using 
   many (10000) outgoing ports. By default max 256 ports are opened at
Index: acx_nlnetlabs.m4
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/acx_nlnetlabs.m4,v
retrieving revision 1.1.1.5
diff -u -p -r1.1.1.5 acx_nlnetlabs.m4
--- acx_nlnetlabs.m4    16 Jul 2015 01:42:20 -0000      1.1.1.5
+++ acx_nlnetlabs.m4    27 Oct 2015 14:58:50 -0000
@@ -2,7 +2,8 @@
 # Copyright 2009, Wouter Wijngaards, NLnet Labs.   
 # BSD licensed.
 #
-# Version 27
+# Version 28
+# 2015-08-28 ACX_CHECK_PIE and ACX_CHECK_RELRO_NOW added.
 # 2015-03-17 AHX_CONFIG_REALLOCARRAY added
 # 2013-09-19 FLTO help text improved.
 # 2013-07-18 Enable ACX_CHECK_COMPILER_FLAG to test for -Wstrict-prototypes
@@ -94,6 +95,8 @@
 # ACX_CHECK_MEMCMP_SIGNED      - check if memcmp uses signed characters.
 # AHX_MEMCMP_BROKEN            - replace memcmp func for CHECK_MEMCMP_SIGNED.
 # ACX_CHECK_SS_FAMILY           - check for sockaddr_storage.ss_family
+# ACX_CHECK_PIE                        - add --enable-pie option and check if 
works
+# ACX_CHECK_RELRO_NOW          - add --enable-relro-now option and check it
 #
 
 dnl Escape backslashes as \\, for C:\ paths, for the C preprocessor defines.
@@ -1385,5 +1388,47 @@ AC_DEFUN([ACX_CHECK_SS_FAMILY],
 #include <arpa/inet.h>
 #endif
 ]) ])
+
+dnl Check if CC and linker support -fPIE and -pie.
+dnl If so, sets them in CFLAGS / LDFLAGS.
+AC_DEFUN([ACX_CHECK_PIE], [
+    AC_ARG_ENABLE([pie], AS_HELP_STRING([--enable-pie], [Enable 
Position-Independent Executable (eg. to fully benefit from ASLR, small 
performance penalty)]))
+    AS_IF([test "x$enable_pie" = "xyes"], [
+       AC_MSG_CHECKING([if $CC supports PIE])
+       BAKLDFLAGS="$LDFLAGS"
+       BAKCFLAGS="$CFLAGS"
+       LDFLAGS="$LDFLAGS -pie"
+       CFLAGS="$CFLAGS -fPIE"
+       AC_LINK_IFELSE([AC_LANG_PROGRAM([], [])], [
+           if $CC $CFLAGS $LDFLAGS -o conftest conftest.c 2>&1 | grep 
"warning: no debug symbols in executable" >/dev/null; then
+               LDFLAGS="$BAKLDFLAGS"
+               AC_MSG_RESULT(no)
+           else
+               AC_MSG_RESULT(yes)
+           fi
+           rm -f conftest conftest.c conftest.o
+       ], [LDFLAGS="$BAKLDFLAGS" ; CFLAGS="$BAKCFLAGS" ; AC_MSG_RESULT(no)])
+    ])
+])
+
+dnl Check if linker supports -Wl,-z,relro,-z,now.
+dnl If so, adds it to LDFLAGS.
+AC_DEFUN([ACX_CHECK_RELRO_NOW], [
+    AC_ARG_ENABLE([relro_now], AS_HELP_STRING([--enable-relro-now], [Enable 
full relocation binding at load-time (RELRO NOW, to protect GOT and .dtor 
areas)]))
+    AS_IF([test "x$enable_relro_now" = "xyes"], [
+       AC_MSG_CHECKING([if $CC supports -Wl,-z,relro,-z,now])
+       BAKLDFLAGS="$LDFLAGS"
+       LDFLAGS="$LDFLAGS -Wl,-z,relro,-z,now"
+       AC_LINK_IFELSE([AC_LANG_PROGRAM([], [])], [
+           if $CC $CFLAGS $LDFLAGS -o conftest conftest.c 2>&1 | grep 
"warning: no debug symbols in executable" >/dev/null; then
+               LDFLAGS="$BAKLDFLAGS"
+               AC_MSG_RESULT(no)
+           else
+               AC_MSG_RESULT(yes)
+           fi
+           rm -f conftest conftest.c conftest.o
+       ], [LDFLAGS="$BAKLDFLAGS" ; AC_MSG_RESULT(no)])
+    ])
+])
 
 dnl End of file
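Review bot: in ACX_CHECK_PIE the "warning: no debug symbols in executable" branch restores only LDFLAGS, so a check that fails that way leaves -fPIE in CFLAGS, while the failed-link branch right below restores both (`LDFLAGS="$BAKLDFLAGS" ; CFLAGS="$BAKCFLAGS"`); restore CFLAGS there too. In both macros the second `$CC $CFLAGS $LDFLAGS -o conftest conftest.c` compile also assumes the AC_LINK_IFELSE source is literally conftest.c rather than conftest.$ac_ext, and the linker accepting -Wl,-z,relro,-z,now does not show the output actually carries a RELRO segment; fine for an opt-in option, but a readelf/objdump look at conftest would be the stronger check.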
Index: config.h.in
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/config.h.in,v
retrieving revision 1.1.1.9
diff -u -p -r1.1.1.9 config.h.in
--- config.h.in 16 Jul 2015 01:42:20 -0000      1.1.1.9
+++ config.h.in 27 Oct 2015 14:58:50 -0000
@@ -82,6 +82,10 @@
    `SSL_COMP_get_compression_methods', and to 0 if you don't. */
 #undef HAVE_DECL_SSL_COMP_GET_COMPRESSION_METHODS
 
+/* Define to 1 if you have the declaration of `SSL_CTX_set_ecdh_auto', and to
+   0 if you don't. */
+#undef HAVE_DECL_SSL_CTX_SET_ECDH_AUTO
+
 /* Define to 1 if you have the declaration of `strlcat', and to 0 if you
    don't. */
 #undef HAVE_DECL_STRLCAT
Index: configure
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/configure,v
retrieving revision 1.14
diff -u -p -r1.14 configure
--- configure   16 Jul 2015 01:44:00 -0000      1.14
+++ configure   27 Oct 2015 14:58:50 -0000
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for unbound 1.5.4.
+# Generated by GNU Autoconf 2.69 for unbound 1.5.6.
 #
 # Report bugs to <unbound-b...@nlnetlabs.nl>.
 #
@@ -590,8 +590,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='unbound'
 PACKAGE_TARNAME='unbound'
-PACKAGE_VERSION='1.5.4'
-PACKAGE_STRING='unbound 1.5.4'
+PACKAGE_VERSION='1.5.6'
+PACKAGE_STRING='unbound 1.5.6'
 PACKAGE_BUGREPORT='unbound-b...@nlnetlabs.nl'
 PACKAGE_URL=''
 
@@ -804,6 +804,8 @@ with_username
 enable_checking
 enable_debug
 enable_flto
+enable_pie
+enable_relro_now
 enable_shared
 enable_static
 with_pic
@@ -1389,7 +1391,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures unbound 1.5.4 to adapt to many kinds of systems.
+\`configure' configures unbound 1.5.6 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1454,7 +1456,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of unbound 1.5.4:";;
+     short | recursive ) echo "Configuration of unbound 1.5.6:";;
    esac
   cat <<\_ACEOF
 
@@ -1465,6 +1467,10 @@ Optional Features:
   --enable-checking       Enable warnings, asserts, makefile-dependencies
   --enable-debug          same as enable-checking
   --disable-flto          Disable link-time optimization (gcc specific option)
+  --enable-pie            Enable Position-Independent Executable (eg. to fully
+                          benefit from ASLR, small performance penalty)
+  --enable-relro-now      Enable full relocation binding at load-time (RELRO
+                          NOW, to protect GOT and .dtor areas)
   --enable-shared[=PKGS]  build shared libraries [default=yes]
   --enable-static[=PKGS]  build static libraries [default=yes]
   --enable-fast-install[=PKGS]
@@ -1629,7 +1635,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-unbound configure 1.5.4
+unbound configure 1.5.6
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2338,7 +2344,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by unbound $as_me 1.5.4, which was
+It was created by unbound $as_me 1.5.6, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -2690,11 +2696,11 @@ UNBOUND_VERSION_MAJOR=1
 
 UNBOUND_VERSION_MINOR=5
 
-UNBOUND_VERSION_MICRO=4
+UNBOUND_VERSION_MICRO=6
 
 
 LIBUNBOUND_CURRENT=5
-LIBUNBOUND_REVISION=7
+LIBUNBOUND_REVISION=9
 LIBUNBOUND_AGE=3
 # 1.0.0 had 0:12:0
 # 1.0.1 had 0:13:0
@@ -2738,6 +2744,8 @@ LIBUNBOUND_AGE=3
 # 1.5.2 had 5:5:3
 # 1.5.3 had 5:6:3
 # 1.5.4 had 5:7:3
+# 1.5.5 had 5:8:3
+# 1.5.6 had 5:9:3
 
 #   Current  -- the number of the binary API that we're implementing
 #   Revision -- which iteration of the implementation of the binary
@@ -5879,6 +5887,96 @@ rm -f core conftest.err conftest.$ac_obj
 fi
 
 
+    # Check whether --enable-pie was given.
+if test "${enable_pie+set}" = set; then :
+  enableval=$enable_pie;
+fi
+
+    if test "x$enable_pie" = "xyes"; then :
+
+       { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports PIE" 
>&5
+$as_echo_n "checking if $CC supports PIE... " >&6; }
+       BAKLDFLAGS="$LDFLAGS"
+       BAKCFLAGS="$CFLAGS"
+       LDFLAGS="$LDFLAGS -pie"
+       CFLAGS="$CFLAGS -fPIE"
+       cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+
+           if $CC $CFLAGS $LDFLAGS -o conftest conftest.c 2>&1 | grep 
"warning: no debug symbols in executable" >/dev/null; then
+               LDFLAGS="$BAKLDFLAGS"
+               { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+           else
+               { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+           fi
+           rm -f conftest conftest.c conftest.o
+
+else
+  LDFLAGS="$BAKLDFLAGS" ; CFLAGS="$BAKCFLAGS" ; { $as_echo 
"$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+
+fi
+
+
+    # Check whether --enable-relro_now was given.
+if test "${enable_relro_now+set}" = set; then :
+  enableval=$enable_relro_now;
+fi
+
+    if test "x$enable_relro_now" = "xyes"; then :
+
+       { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports 
-Wl,-z,relro,-z,now" >&5
+$as_echo_n "checking if $CC supports -Wl,-z,relro,-z,now... " >&6; }
+       BAKLDFLAGS="$LDFLAGS"
+       LDFLAGS="$LDFLAGS -Wl,-z,relro,-z,now"
+       cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+
+           if $CC $CFLAGS $LDFLAGS -o conftest conftest.c 2>&1 | grep 
"warning: no debug symbols in executable" >/dev/null; then
+               LDFLAGS="$BAKLDFLAGS"
+               { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+           else
+               { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+           fi
+           rm -f conftest conftest.c conftest.o
+
+else
+  LDFLAGS="$BAKLDFLAGS" ; { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" 
>&5
+$as_echo "no" >&6; }
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+
+fi
+
+
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for inline" >&5
 $as_echo_n "checking for inline... " >&6; }
 if ${ac_cv_c_inline+:} false; then :
@@ -16101,7 +16199,7 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu
                as_fn_error $? "Python version >= 2.4.0 is required" "$LINENO" 5
        fi
 
-      PY_MAJOR_VERSION="`$PYTHON -c "import sys; 
print(sys.version_info.major)"`"
+      PY_MAJOR_VERSION="`$PYTHON -c \"import sys; 
print(sys.version_info[0])\"`"
 
       # Have Python
 
@@ -16684,7 +16782,7 @@ rm -f core conftest.err conftest.$ac_obj
     conftest$ac_exeext conftest.$ac_ext
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for LibreSSL" >&5
 $as_echo_n "checking for LibreSSL... " >&6; }
-if grep OPENSSL_VERSION_TEXT $ssldir/include/openssl/opensslv.h | grep 
"LibreSSL" >/dev/null; then
+if grep VERSION_TEXT $ssldir/include/openssl/opensslv.h | grep "LibreSSL" 
>/dev/null; then
        { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
 $as_echo "yes" >&6; }
 
@@ -16845,6 +16943,36 @@ fi
 cat >>confdefs.h <<_ACEOF
 #define HAVE_DECL_SK_SSL_COMP_POP_FREE $ac_have_decl
 _ACEOF
+ac_fn_c_check_decl "$LINENO" "SSL_CTX_set_ecdh_auto" 
"ac_cv_have_decl_SSL_CTX_set_ecdh_auto" "
+$ac_includes_default
+#ifdef HAVE_OPENSSL_ERR_H
+#include <openssl/err.h>
+#endif
+
+#ifdef HAVE_OPENSSL_RAND_H
+#include <openssl/rand.h>
+#endif
+
+#ifdef HAVE_OPENSSL_CONF_H
+#include <openssl/conf.h>
+#endif
+
+#ifdef HAVE_OPENSSL_ENGINE_H
+#include <openssl/engine.h>
+#endif
+#include <openssl/ssl.h>
+#include <openssl/evp.h>
+
+"
+if test "x$ac_cv_have_decl_SSL_CTX_set_ecdh_auto" = xyes; then :
+  ac_have_decl=1
+else
+  ac_have_decl=0
+fi
+
+cat >>confdefs.h <<_ACEOF
+#define HAVE_DECL_SSL_CTX_SET_ECDH_AUTO $ac_have_decl
+_ACEOF
 
 fi
 
@@ -18890,7 +19018,7 @@ _ACEOF
 
 
 
-version=1.5.4
+version=1.5.6
 
 date=`date +'%b %e, %Y'`
 
@@ -19405,7 +19533,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_wri
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by unbound $as_me 1.5.4, which was
+This file was extended by unbound $as_me 1.5.6, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -19471,7 +19599,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; 
s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-unbound config.status 1.5.4
+unbound config.status 1.5.6
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
Index: configure.ac
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/configure.ac,v
retrieving revision 1.14
diff -u -p -r1.14 configure.ac
--- configure.ac        16 Jul 2015 01:44:00 -0000      1.14
+++ configure.ac        27 Oct 2015 14:58:50 -0000
@@ -10,14 +10,14 @@ sinclude(dnstap/dnstap.m4)
 # must be numbers. ac_defun because of later processing
 m4_define([VERSION_MAJOR],[1])
 m4_define([VERSION_MINOR],[5])
-m4_define([VERSION_MICRO],[4])
+m4_define([VERSION_MICRO],[6])
 AC_INIT(unbound, 
m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]), 
unbound-b...@nlnetlabs.nl, unbound)
 AC_SUBST(UNBOUND_VERSION_MAJOR, [VERSION_MAJOR])
 AC_SUBST(UNBOUND_VERSION_MINOR, [VERSION_MINOR])
 AC_SUBST(UNBOUND_VERSION_MICRO, [VERSION_MICRO])
 
 LIBUNBOUND_CURRENT=5
-LIBUNBOUND_REVISION=7
+LIBUNBOUND_REVISION=9
 LIBUNBOUND_AGE=3
 # 1.0.0 had 0:12:0
 # 1.0.1 had 0:13:0
@@ -61,6 +61,8 @@ LIBUNBOUND_AGE=3
 # 1.5.2 had 5:5:3
 # 1.5.3 had 5:6:3
 # 1.5.4 had 5:7:3
+# 1.5.5 had 5:8:3
+# 1.5.6 had 5:9:3
 
 #   Current  -- the number of the binary API that we're implementing
 #   Revision -- which iteration of the implementation of the binary
@@ -246,6 +248,8 @@ case "$debug_enabled" in
                ;;
 esac
 ACX_CHECK_FLTO
+ACX_CHECK_PIE
+ACX_CHECK_RELRO_NOW
 
 AC_C_INLINE
 ACX_CHECK_FORMAT_ATTRIBUTE
@@ -475,7 +479,7 @@ if test x_$ub_test_python != x_no; then
                AC_ERROR([Python version >= 2.4.0 is required])
        fi
 
-      PY_MAJOR_VERSION="`$PYTHON -c "import sys; 
print(sys.version_info.major)"`"
+      [PY_MAJOR_VERSION="`$PYTHON -c \"import sys; 
print(sys.version_info[0])\"`"]
       AC_SUBST(PY_MAJOR_VERSION)
       # Have Python
       AC_DEFINE(HAVE_PYTHON,1,[Define if you have Python libraries and header 
files.])
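Review bot: good fix: `sys.version_info.major` only exists from Python 2.7 (version_info was a plain tuple before that), while the check a few lines up only requires >= 2.4, so the attribute access raised on 2.4-2.6 and `[0]` works everywhere. The m4 `[...]` quoting around the assignment is what keeps `[0]` from being eaten as an m4 quote; a one-line comment there would save the next editor from reintroducing the breakage, since the generated configure only shows the resulting `\"` escaping.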
@@ -566,7 +570,7 @@ if test $USE_NSS = "no"; then
 ACX_WITH_SSL
 ACX_LIB_SSL
 AC_MSG_CHECKING([for LibreSSL])
-if grep OPENSSL_VERSION_TEXT $ssldir/include/openssl/opensslv.h | grep 
"LibreSSL" >/dev/null; then
+if grep VERSION_TEXT $ssldir/include/openssl/opensslv.h | grep "LibreSSL" 
>/dev/null; then
        AC_MSG_RESULT([yes])
        AC_DEFINE([HAVE_LIBRESSL], [1], [Define if we have LibreSSL])
        # libressl provides these compat functions, but they may also be
@@ -578,7 +582,7 @@ fi
 AC_CHECK_HEADERS([openssl/conf.h],,, [AC_INCLUDES_DEFAULT])
 AC_CHECK_HEADERS([openssl/engine.h],,, [AC_INCLUDES_DEFAULT])
 AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode])
-AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free], [], 
[], [
+AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free,SSL_CTX_set_ecdh_auto],
 [], [], [
 AC_INCLUDES_DEFAULT
 #ifdef HAVE_OPENSSL_ERR_H
 #include <openssl/err.h>
Index: doc/example.conf.in
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/doc/example.conf.in,v
retrieving revision 1.3
diff -u -p -r1.3 example.conf.in
--- doc/example.conf.in 16 Jul 2015 01:44:00 -0000      1.3
+++ doc/example.conf.in 27 Oct 2015 14:58:50 -0000
@@ -1,7 +1,7 @@
 #
 # Example configuration file.
 #
-# See unbound.conf(5) man page, version 1.5.4.
+# See unbound.conf(5) man page, version 1.5.6.
 #
 # this is a comment.
 
@@ -294,7 +294,7 @@ server:
        # Harden against algorithm downgrade when multiple algorithms are
        # advertised in the DS record.  If no, allows the weakest algorithm
        # to validate the zone.
-       # harden-algo-downgrade: yes
+       # harden-algo-downgrade: no
 
        # Use 0x20-encoded random bits in the query to foil spoof attempts.
        # This feature is an experimental implementation of draft dns-0x20.
@@ -444,6 +444,9 @@ server:
        # If the value 0 is given, missing anchors are not removed.
        # keep-missing: 31622400 # 366 days
 
+       # debug option that allows very small holddown times for key rollover
+       # permit-small-holddown: no
+
        # the amount of memory to use for the key cache.
        # plain value in bytes or you can append k, m or G. default is "4Mb". 
        # key-cache-size: 4m
@@ -549,7 +552,7 @@ server:
        # default is "" (disabled).  requires restart to take effect.
        # ssl-service-key: "path/to/privatekeyfile.key"
        # ssl-service-pem: "path/to/publiccertfile.pem"
-       # ssl-port: 443
+       # ssl-port: 853
 
        # request upstream over SSL (with plain DNS inside the SSL stream).
        # Default is no.  Can be turned on and off with unbound-control.
@@ -623,6 +626,8 @@ remote-control:
 # nameservers by hostname or by ipaddress. If you set stub-prime to yes, 
 # the list is treated as priming hints (default is no).
 # With stub-first yes, it attempts without the stub if it fails.
+# Consider adding domain-insecure: name and local-zone: name nodefault
+# to the server: section if the stub is a locally served zone.
 # stub-zone:
 #      name: "example.com"
 #      stub-addr: 192.0.2.68
Index: doc/libunbound.3.in
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/doc/libunbound.3.in,v
retrieving revision 1.3
diff -u -p -r1.3 libunbound.3.in
--- doc/libunbound.3.in 16 Jul 2015 01:44:00 -0000      1.3
+++ doc/libunbound.3.in 27 Oct 2015 14:58:50 -0000
@@ -1,4 +1,4 @@
-.TH "libunbound" "3" "Jul  9, 2015" "NLnet Labs" "unbound 1.5.4"
+.TH "libunbound" "3" "Oct 20, 2015" "NLnet Labs" "unbound 1.5.6"
 .\"
 .\" libunbound.3 -- unbound library functions manual
 .\"
@@ -42,7 +42,7 @@
 .B ub_ctx_zone_remove,
 .B ub_ctx_data_add,
 .B ub_ctx_data_remove
-\- Unbound DNS validating resolver 1.5.4 functions.
+\- Unbound DNS validating resolver 1.5.6 functions.
 .SH "SYNOPSIS"
 .B #include <unbound.h>
 .LP
Index: doc/unbound-anchor.8.in
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/doc/unbound-anchor.8.in,v
retrieving revision 1.3
diff -u -p -r1.3 unbound-anchor.8.in
--- doc/unbound-anchor.8.in     16 Jul 2015 01:44:00 -0000      1.3
+++ doc/unbound-anchor.8.in     27 Oct 2015 14:58:50 -0000
@@ -1,4 +1,4 @@
-.TH "unbound-anchor" "8" "Jul  9, 2015" "NLnet Labs" "unbound 1.5.4"
+.TH "unbound-anchor" "8" "Oct 20, 2015" "NLnet Labs" "unbound 1.5.6"
 .\"
 .\" unbound-anchor.8 -- unbound anchor maintenance utility manual
 .\"
Index: doc/unbound-checkconf.8.in
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/doc/unbound-checkconf.8.in,v
retrieving revision 1.3
diff -u -p -r1.3 unbound-checkconf.8.in
--- doc/unbound-checkconf.8.in  16 Jul 2015 01:44:00 -0000      1.3
+++ doc/unbound-checkconf.8.in  27 Oct 2015 14:58:50 -0000
@@ -1,4 +1,4 @@
-.TH "unbound-checkconf" "8" "Jul  9, 2015" "NLnet Labs" "unbound 1.5.4"
+.TH "unbound-checkconf" "8" "Oct 20, 2015" "NLnet Labs" "unbound 1.5.6"
 .\"
 .\" unbound-checkconf.8 -- unbound configuration checker manual
 .\"
Index: doc/unbound-control.8.in
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/doc/unbound-control.8.in,v
retrieving revision 1.3
diff -u -p -r1.3 unbound-control.8.in
--- doc/unbound-control.8.in    16 Jul 2015 01:44:00 -0000      1.3
+++ doc/unbound-control.8.in    27 Oct 2015 14:58:50 -0000
@@ -1,4 +1,4 @@
-.TH "unbound-control" "8" "Jul  9, 2015" "NLnet Labs" "unbound 1.5.4"
+.TH "unbound-control" "8" "Oct 20, 2015" "NLnet Labs" "unbound 1.5.6"
 .\"
 .\" unbound-control.8 -- unbound remote control manual
 .\"
Index: doc/unbound-host.1.in
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/doc/unbound-host.1.in,v
retrieving revision 1.5
diff -u -p -r1.5 unbound-host.1.in
--- doc/unbound-host.1.in       16 Jul 2015 01:44:00 -0000      1.5
+++ doc/unbound-host.1.in       27 Oct 2015 14:58:50 -0000
@@ -1,4 +1,4 @@
-.TH "unbound\-host" "1" "Jul  9, 2015" "NLnet Labs" "unbound 1.5.4"
+.TH "unbound\-host" "1" "Oct 20, 2015" "NLnet Labs" "unbound 1.5.6"
 .\"
 .\" unbound-host.1 -- unbound DNS lookup utility
 .\"
Index: doc/unbound.8.in
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/doc/unbound.8.in,v
retrieving revision 1.6
diff -u -p -r1.6 unbound.8.in
--- doc/unbound.8.in    16 Jul 2015 01:44:00 -0000      1.6
+++ doc/unbound.8.in    27 Oct 2015 14:58:50 -0000
@@ -1,4 +1,4 @@
-.TH "unbound" "8" "Jul  9, 2015" "NLnet Labs" "unbound 1.5.4"
+.TH "unbound" "8" "Oct 20, 2015" "NLnet Labs" "unbound 1.5.6"
 .\"
 .\" unbound.8 -- unbound manual
 .\"
@@ -9,7 +9,7 @@
 .\"
 .SH "NAME"
 .B unbound
-\- Unbound DNS validating resolver 1.5.4.
+\- Unbound DNS validating resolver 1.5.6.
 .SH "SYNOPSIS"
 .B unbound
 .RB [ \-h ]
Index: doc/unbound.conf.5.in
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/doc/unbound.conf.5.in,v
retrieving revision 1.5
diff -u -p -r1.5 unbound.conf.5.in
--- doc/unbound.conf.5.in       27 Oct 2015 14:47:17 -0000      1.5
+++ doc/unbound.conf.5.in       27 Oct 2015 14:58:50 -0000
@@ -1,4 +1,4 @@
-.TH "unbound.conf" "5" "Jul  9, 2015" "NLnet Labs" "unbound 1.5.4"
+.TH "unbound.conf" "5" "Oct 20, 2015" "NLnet Labs" "unbound 1.5.6"
 .\"
 .\" unbound.conf.5 -- unbound.conf manual
 .\"
@@ -260,7 +260,7 @@ trust (very large) TTL values.
 .TP
 .B cache\-min\-ttl: \fI<seconds>
 Time to live minimum for RRsets and messages in the cache. Default is 0.
-If the the minimum kicks in, the data is cached for longer than the domain
+If the minimum kicks in, the data is cached for longer than the domain
 owner intended, and thus less queries are made to look up the data.
 Zero makes sure the data in the cache is as the domain owner intended,
 higher values, especially more than an hour or so, can lead to trouble as 
@@ -326,7 +326,7 @@ The public key certificate pem file for 
 turned off.
 .TP
 .B ssl\-port: \fI<number>
-The port number on which to provide TCP SSL service, default 443, only
+The port number on which to provide TCP SSL service, default 853, only
 interfaces configured with that port number as @number get the SSL service.
 .TP
 .B do\-daemonize: \fI<yes or no>
@@ -337,6 +337,7 @@ a daemon. Default is yes.
 The netblock is given as an IP4 or IP6 address with /size appended for a 
 classless network block. The action can be \fIdeny\fR, \fIrefuse\fR, 
 \fIallow\fR, \fIallow_snoop\fR, \fIdeny_non_local\fR or \fIrefuse_non_local\fR.
+The most specific netblock match is used, if none match \fIdeny\fR is used.
 .IP
 The action \fIdeny\fR stops queries from hosts from that netblock.
 .IP
@@ -522,7 +523,7 @@ to increase the max depth that is checke
 .B harden\-algo\-downgrade: \fI<yes or no>
 Harden against algorithm downgrade when multiple algorithms are
 advertised in the DS record.  If no, allows the weakest algorithm to
-validate the zone.  Default is yes.  Zone signers must produce zones
+validate the zone.  Default is no.  Zone signers must produce zones
 that allow this feature to work, but sometimes they do not, and turning
 this option off avoids that validation failure.
 .TP
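Review bot: with the default now "no", the closing sentence "turning this option off avoids that validation failure" describes the default rather than an action. Reword so it says that "yes" makes validation fail for zones whose signers do not sign with every algorithm advertised in the DS, and add that earlier releases behaved as if "yes" (the validator hard-coded it), so operators who want the stricter check must now set it explicitly.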
@@ -756,6 +757,10 @@ mechanism work with zones that perform r
 The default is 366 days.  The value 0 does not remove missing anchors,
 as per the RFC.
 .TP
+.B permit\-small\-holddown: \fI<yes or no>
+Debug option that allows the autotrust 5011 rollover timers to assume
+very small values.  Default is no.
+.TP
 .B key\-cache\-size: \fI<number>
 Number of bytes size of the key cache. Default is 4 megabytes.
 A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes
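Review bot: "Debug option" undersells what this switches off. The add- and del-holddown entries above are the RFC 5011 hold-down that keeps a briefly published key from being accepted; saying only that the setting "allows very small values" invites someone to turn it on to speed up a rollover. Suggest: "Debug option, for testing rollovers only. Allows the autotrust 5011 rollover timers to assume very small values, which removes the hold-down protection. Default is no."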
@@ -850,7 +855,8 @@ infected machines without answering the 
 Used to turn off default contents for AS112 zones. The other types
 also turn off default contents for the zone. The 'nodefault' option 
 has no other effect than turning off default contents for the 
-given zone.
+given zone.  Use \fInodefault\fR if you use exactly that zone, if you want to
+use a subzone, use \fItransparent\fR.
 .P
 The default zones are localhost, reverse 127.0.0.1 and ::1, and the AS112
 zones. The AS112 zones are reverse DNS zones for private use and reserved
@@ -1079,6 +1085,12 @@ bit on replies for the private zone (aut
 AD bit).  This setup makes unbound capable of answering queries for the 
 private zone, and can even set the AD bit ('authentic'), but the AA 
 ('authoritative') bit is not set on these replies. 
+.P
+Consider adding \fBserver:\fR statements for \fBdomain\-insecure:\fR and
+for \fBlocal\-zone:\fI name nodefault\fR for the zone if it is a locally
+served zone.  The insecure clause stops DNSSEC from invalidating the
+zone.  The local zone nodefault (or \fItransparent\fR) clause makes the
+(reverse\-) zone bypass unbound's filtering of RFC1918 zones.
 .TP
 .B name: \fI<domain name>
 Name of the stub zone.
Index: util/iana_ports.inc
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/util/iana_ports.inc,v
retrieving revision 1.1.1.9
diff -u -p -r1.1.1.9 iana_ports.inc
--- util/iana_ports.inc 16 Jul 2015 01:42:20 -0000      1.1.1.9
+++ util/iana_ports.inc 27 Oct 2015 14:58:50 -0000
@@ -660,6 +660,7 @@
 833,
 847,
 848,
+853,
 860,
 861,
 862,
@@ -3840,6 +3841,8 @@
 4404,
 4405,
 4406,
+4412,
+4413,
 4425,
 4426,
 4430,
@@ -4666,6 +4669,7 @@
 7725,
 7726,
 7727,
+7728,
 7734,
 7738,
 7741,
@@ -4780,6 +4784,7 @@
 8301,
 8320,
 8321,
+8322,
 8351,
 8376,
 8377,
@@ -5170,6 +5175,8 @@
 17220,
 17221,
 17222,
+17224,
+17225,
 17234,
 17235,
 17500,
