History log of /openbsd/sbin/unwind/frontend.c (Results 51 – 75 of 80)
Revision Date Author Comments
# 1e5d1cd0 12-Oct-2019 florian <florian@openbsd.org>

Carry the answer in the pending_query struct. Makes it clearer who is
responsible for freeing allocated memory.


# ad50aed9 12-Oct-2019 florian <florian@openbsd.org>

Be more strict with which queries to accept. Modeled after
worker_handle_request() in unbound(8).


# 4340e121 12-Oct-2019 florian <florian@openbsd.org>

Don't hand parse the query, libunbound has query_info_parse() for that.
This requires a switch to sldns_buffer to satisfy the API. But it will
be beneficial later on for even stricter input validation.


# 10dfa598 08-Oct-2019 florian <florian@openbsd.org>

Make sure struct pending_query is fully initialized by using calloc.

Doesn't matter currently but led to some head scratching while
working on new things.


# 8b165c1a 06-Oct-2019 florian <florian@openbsd.org>

Eek, check overflow with destination size, not source


# 096b3531 29-Sep-2019 florian <florian@openbsd.org>

annoying trailing whitespaces


# f8ebdb91 25-Sep-2019 florian <florian@openbsd.org>

Do not leak cur_ns in case of malformed lease file.
Found by llvm's scan-build.
OK deraadt, benno


# 8c2d8af6 25-Sep-2019 florian <florian@openbsd.org>

Be more robust when dealing with malformed lease files.
Do not assume that required tokens have been generated by strsep.
(toks[0] cannot be NULL but it doesn't hurt to be explicit about it.)
Found by llvm's scan-build.
OK deraadt, kn


# df69c215 28-Jun-2019 deraadt <deraadt@openbsd.org>

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


# 679647fe 14-May-2019 florian <florian@openbsd.org>

Move common config passing code into a function.
OK pamela


# 2d988276 10-May-2019 florian <florian@openbsd.org>

Implement DNS block lists. If unwind is queried for a domain
in the block list it answers with rcode REFUSED.


# 5418eea5 08-May-2019 florian <florian@openbsd.org>

When starting up use the built-in DNSSEC trust anchor as well as the
on-disk one to give us a better chance on root KSK roll. Either we
were online during the time the key rolled or we are running on a
version of unwind(8) that has the new KSK.


# 7e9ae0c5 24-Mar-2019 florian <florian@openbsd.org>

Do not check every resolver every 30 seconds as that is wasteful and
pointless.

Trigger a check
- on startup
- when forwarders change on config reload
- when dhcp provided forwarders change
- on network interface state change

When a check finishes and the checked resolver cannot resolve anything
configure a timer to run another check in the future using an
exponential backoff for the timeout.


# 580cede2 15-Mar-2019 florian <florian@openbsd.org>

Correctly interlock config reloads imsgs.
Only accept a new config reload if it's not currently running and
only accept a config reload end if one is currently running.
OK pamela


# 58b5b9b8 01-Mar-2019 florian <florian@openbsd.org>

Due to the way we build libunbound inside of unwind .o files collide in
the obj directory. Previously this was solved by keeping the libunbound
file name (to be able to keep in sync with upstream) and prefixing
the source filename of colliding .o files in unwind with uw_.

However, these files are shared throughout our tree (namely parse.y,
log.c and log.h) and we try to keep them in sync.

Move files back to their original name and instead symlink colliding source
files in libunbound to unique filenames by prefixing them with the directory
they live in:
obj/sldns_parse.c -> /usr/src/sbin/unwind/libunbound/sldns/parse.c
obj/util_log.c -> /usr/src/sbin/unwind/libunbound/util/log.c

Idea to use symlinks deraadt@ via jsg@
OK benno


# a9155f32 18-Feb-2019 florian <florian@openbsd.org>

Introduce IMSG_DATA_SIZE() macro to replace reoccurring math on
imsg.hdr.len and shorten code.
Input & OK pamela


# 6cee0ce8 17-Feb-2019 florian <florian@openbsd.org>

Since we do a naive string comparison to see if the trust anchor
changed we need to fix the TTL to the value we would get from the root
for the ksk DNSKEY (currently 2 days). Otherwise we would interpret a
lowered TTL from a cache as changed trust anchor.
Use the same define everywhere.

(Considering the glacial speed with which the root ksk rotates this should
be fine for the foreseeable future.)


# bb81f7e1 17-Feb-2019 florian <florian@openbsd.org>

s/unwind_/uw_/ to save screen real estate; fix style(9) issues while here


# d1b04a40 10-Feb-2019 florian <florian@openbsd.org>

Simplify trust anchor handling.

Open trust anchor file for reading and writing on startup and pass it
to the frontend process. The frontend process seeks and truncates the
file appropriately when writing out new trust anchors learned via DNS
but never closes the file. On error the file is truncated to zero
length.

This is in turn handled on startup by switching to the built in trust
anchor when no trust anchor can be read from disk.

This sidesteps the need for an unveil'ed directory with "c" permission
and also removes the wpath and cpath pledges from the parent process.

deraadt@ pointed out that my previous design didn't make sense and I
had confused myself along the way. (It did work, but was too
complicated for no good reason).

While here validate that we actually read a trust anchor from disk by
trying to parse it and checking that it is a DNSKEY. Unfortunately
ub_ctx_add_ta() accepts just any string as a trust anchor without any
validation.


# 296cf316 07-Feb-2019 florian <florian@openbsd.org>

Rewrite trust anchor handling.

Do not use the libunbound's auto trust anchor file feature since
then the resolver process needs rpath, wpath, and cpath pledges and
permission on the trust anchor file.

Instead configure the trust anchor as resource record strings. The
parent process opens the file, passes a file descriptor to the frontend
process to parse the file and then passes trust anchors to the
resolver process to (re-) configure the resolver contexts.

The resolver process periodically probes for new trust anchors (DNSKEY
records of the root zone) and passes those to the frontend process.
This in turn requests a file descriptor for writing from the parent
process. Once the trust anchors have been written the parent process
renames the tmp file to the final location.

Also provide a built in trust anchor for bootstrapping purposes if no
file is found on disk. That way we can get rid of unbound-anchor in
unwind's rc.d script.


# b2501ead 03-Feb-2019 florian <florian@openbsd.org>

Captive portal detection for unwind(8).


# 9c8ccd70 01-Feb-2019 florian <florian@openbsd.org>

port is in network byte order


# b953c21e 30-Jan-2019 benno <benno@openbsd.org>

fix parsing of incomplete dhclient.lease files, initialize epoch to 0.
ok florian@


# 2b821978 29-Jan-2019 florian <florian@openbsd.org>

Make imsg processing much more paranoid.

If it comes from one of our processes and the size does not match what
we expect call fatalx to crash and burn. We either hit a logic bug or
something is fishy on the other end and we can't trust that process
any longer. Not that we trust those processes to begin with.

This also applies to receiving resources that we don't expect. For
example if we have an open UDP listen socket and get a new one passed
from the main process something is wrong and we should crash and burn.

The only place where we are more lenient is on the control socket. We
just ignore wrong sized messages so that users can't bring down
unwind.


# 5472663a 29-Jan-2019 florian <florian@openbsd.org>

We don't need IMSG_SHUTDOWN, we can just close the sockets.
pointed out by deraadt

