#
46ebbf29 |
| 29-Aug-2022 |
deraadt <deraadt@openbsd.org> |
Dynamically link these /sbin daemons: dhcpleased, mountd, nfsd, pflogd, resolvd, slaacd, unwind. The mitigation story is way better: syscalls are in a randomly located libc, and every syscall stub is randomly located inside that due to random relinking. As opposed to fixed offset inside a release binary. There is one known consequence: /usr nfs mounting must use statically configured IP addresses. ok kettenis florian, others
|
#
00b0420e |
| 24-Jan-2021 |
florian <florian@openbsd.org> |
Implement DNS64 synthesis. When unwind(8) learns new autoconf resolvers (from dhcp or router advertisements) it checks if a DNS64 is present in this network location and tries to recover the IPv6 prefix used according to RFC7050. The learned autoconf resolvers are then prevented from upgrading to the validating state since DNS64 breaks DNSSEC. unwind(8) can now perform its own synthesis. If a query for an AAAA record results in no answer we re-send the query for A and if that leads to an answer we synthesize an AAAA answer using the learned prefixes.
Testing & OK kn
|
#
7e27e97f |
| 13-Dec-2019 |
otto <otto@openbsd.org> |
Revert two files committed by accident
|
#
4595f84c |
| 13-Dec-2019 |
otto <otto@openbsd.org> |
Avoid leaks by using the _buf versions of sldns_wire2str_* functions. Also add some consistency checking to detect logic errors. ok @florian
|
#
f3ea9bf1 |
| 27-Nov-2019 |
florian <florian@openbsd.org> |
Nuke http captive portal detection; something better is coming. OK otto
|
#
58b5b9b8 |
| 01-Mar-2019 |
florian <florian@openbsd.org> |
Due to the way we build libunbound inside of unwind .o files collide in the obj directory. Previously this was solved by keeping the libunbound file name (to be able to keep in sync with upstream) and prefixing the source filename of colliding .o files in unwind with uw_.
However, these files are shared throughout our tree (namely parse.y, log.c and log.h) and we try to keep them in sync.
Move files back to their original name and instead symlink colliding source files in libunbound to unique filenames by prefixing them with the directory they live in:
obj/sldns_parse.c -> /usr/src/sbin/unwind/libunbound/sldns/parse.c
obj/util_log.c -> /usr/src/sbin/unwind/libunbound/util/log.c
Idea to use symlinks deraadt@ via jsg@ OK benno
|
#
b2501ead |
| 03-Feb-2019 |
florian <florian@openbsd.org> |
Captive portal detection for unwind(8).
|
#
71f565e7 |
| 24-Jan-2019 |
florian <florian@openbsd.org> |
Switch to libunbound internals for packet parsing.
These functions / macros (from (s)ldns) are not part of the public libunbound API so we couldn't use them before. Due to the way we use libunbound (a local copy) we now have access.
|
#
018cebfb |
| 23-Jan-2019 |
florian <florian@openbsd.org> |
Import unwind(8).
unwind(8) is a hybrid validating stub & recursive resolver.
It actively observes the local net to decide how to best resolve names. It can choose to recurse on its own or talk to dhcp provided forwarders or statically defined forwarders in the config file.
The intention is to be able to run it on localhost on every machine.
"toss it in man" deraadt@
|