Dynamically link these /sbin daemons: dhcpleased, mountd, nfsd, pflogd,
resolvd, slaacd, unwind.
The mitigation story is way better: syscalls are in a randomly located
libc, and every syscall stub is

Dynamically link these /sbin daemons: dhcpleased, mountd, nfsd, pflogd,
resolvd, slaacd, unwind.
The mitigation story is way better: syscalls are in a randomly located
libc, and every syscall stub is randomly located inside that due to
random relinking. As opposed to fixed offset inside a release binary.
There is one known consequence: /usr nfs mounting must use statically
configured IP addresses.
ok kettenis florian, others

show more ...

Implement DNS64 synthesis.
When unwind(8) learns new autoconf resolvers (from dhcp or router
advertisements) it checks if a DNS64 is present in this network
location and tries to recover the IPv6 pre

Implement DNS64 synthesis.
When unwind(8) learns new autoconf resolvers (from dhcp or router
advertisements) it checks if a DNS64 is present in this network
location and tries to recover the IPv6 prefix used according to
RFC7050.
The learned autoconf resolvers are then prevented from upgrading to
the validating state since DNS64 breaks DNSSEC.
unwind(8) can now perform its own synthesis. If a query for a AAAA
record results in no answer we re-send the query for A and if that
leads to an answer we synthesize an AAAA answer using the learned
prefixes.

Testing & OK kn

show more ...

Revert two files committed by accident

Avoid leaks by using the _buf versions of sldns_wire2str_* functions.
Also add some consistentcy checking to detect logic errors. ok @florian

Nuke http captive portal detection; something better is coming.
OK otto

Due to the way we build libunbound inside of unwind .o files collide in
the obj directory. Previously this was solved by keeping the libunbound
file name (to be able to keep in sync with upstream) an

Due to the way we build libunbound inside of unwind .o files collide in
the obj directory. Previously this was solved by keeping the libunbound
file name (to be able to keep in sync with upstream) and prefixing
the source filename of colliding .o files in unwind with uw_.

However, these files are shared through out our tree (namely parse.y,
log.c and log.h) and we try to keep them in sync.

Move files back to their original name and instead symlink colliding source
files in libunbound to unique filenames by prefixing them with the directory
they live in:
obj/sldns_parse.c -> /usr/src/sbin/unwind/libunbound/sldns/parse.c
obj/util_log.c -> /usr/src/sbin/unwind/libunbound/util/log.c

Idea to use symlinks deraadt@ via jsg@
OK benno

show more ...

Captive portal detection for unwind(8).

Switch to libunbound internals for packet parsing.

These functions / macros (from (s)ldns) are not part of the public
libunbound API so we couldn't use them before. Due to the way we use
libunbound

Switch to libunbound internals for packet parsing.

These functions / macros (from (s)ldns) are not part of the public
libunbound API so we couldn't use them before. Due to the way we use
libunbound (a local copy) we now have access.

show more ...

Import unwind(8).

unwind(8) is a hybrid validating stub & recursive resolver.

It actively observes the local net to decide how to best resolve
names. It can chose to recurse on it's own or talk to

Import unwind(8).

unwind(8) is a hybrid validating stub & recursive resolver.

It actively observes the local net to decide how to best resolve
names. It can chose to recurse on it's own or talk to dhcp
provided forwardes or statically defined forwarders in the
config file.

The intention is to be able to run it on localhost on every machine.

"toss it in man" deraadt@

show more ...