History log of /openbsd/sbin/unwind/frontend.c (Results 1 – 25 of 83)
Revision Date Author Comments
# 7037e34c 05-Sep-2024 florian <florian@openbsd.org>

Sync to unbound 1.21.0; heavy lifting by sthen

parse_edns_from_query_pkt() grew a parameter to handle cookies, which
we don't use.


# 10427868 09-Aug-2024 florian <florian@openbsd.org>

Add 2024 root zone trust-anchor, it is expected to be used in 2026.

The trust-anchor was copied from the upcoming unbound(8) release and
verified against https://www.iana.org/reports/2024/root-ksk-2024.pdf

While here switch the 2017 trust-anchor from DNSKEY to DS to use the
same record type as for the 2024 trust-anchor. They are functionally
equivalent. It was verified against
https://www.iana.org/reports/2017/root-ksk-2017.pdf
As well as with run-time testing, i.e. unwind would still perform
DNSSEC validation.

checked pdfs & OK phessler


# ce7279d8 21-May-2024 jsg <jsg@openbsd.org>

remove prototypes with no matching function and externs with no var
partly checked by millert@


# eeb36cc3 14-Dec-2023 claudio <claudio@openbsd.org>

Use imsg_get_fd() to access the fd passed with the imsg.
Go ahead florian@ OK tb@


# 6ced2d15 05-Sep-2023 florian <florian@openbsd.org>

Fix build.

The api changed to handle cookies and extended error codes.

Passing in NULL for config_file disables cookie handling so we do not
need to pass a valid comm_reply, NULL will do.


# cc695705 30-Apr-2023 jsg <jsg@openbsd.org>

avoid use after free
ok florian@


# c16f5ec7 08-Feb-2023 tb <tb@openbsd.org>

unwind: add two missing void to function definitions

Silences -Wstrict-prototype warnings seen with clang 15 on amd64 and arm64.

ok florian


# b9be5719 27-Nov-2022 tb <tb@openbsd.org>

Plug leak of tmp in case allocation of pq->abuf fails

ok florian


# 2de410b6 27-Nov-2022 tb <tb@openbsd.org>

KNF nit: place brace correctly

ok florian


# 69f07918 25-Nov-2022 bluhm <bluhm@openbsd.org>

Do not crash when a tcp query is larger than the length field
indicated.

Found by kn with amap.
Input bluhm.
OK deraadt, tb, otto, kn
from florian@


# dbf56da7 13-Mar-2022 florian <florian@openbsd.org>

parse_packet() is used by unbound to parse response packets, not
queries. There is no need to do all this work just to get access to
the query id and flags.

OK bket, sthen


# 1e80ba60 03-Mar-2022 florian <florian@openbsd.org>

Use LDNS_RCODE define; no functional change


# a1a7ba80 01-Mar-2022 florian <florian@openbsd.org>

Update to libunbound 1.15.0; heavy lifting by sthen in unbound(8).

Upstream renamed parse_edns_from_pkt to parse_edns_from_query_pkt and
added two arguments (config_file and comm_point) that we don't use,
adjust callers in frontend accordingly.


# a86e21da 01-Mar-2022 florian <florian@openbsd.org>

Upstream renamed parse_extract_edns to
parse_extract_edns_from_response_msg and parse_edns_from_pkt to
parse_edns_from_query_pkt in libunbound 1.14.0.
Both functions work equally well for us but it would look weird to use
the "from_response_msg" function on the query so switch to
parse_edns_from_pkt in preparation for the libunbound update.

testing & OK sthen


# 04e11352 16-Nov-2021 kn <kn@openbsd.org>

Validate RTM_PROPOSAL in resolver not frontend

The resolver is the actual consumer and shouldn't trust the frontend.
Fold the IPv4/IPv6 specific checks thanks to the previous commit.

Idea from florian
OK florian


# abb04357 06-Feb-2021 florian <florian@openbsd.org>

Revert delayed opening of trust anchor file. The code was somewhat
ugly and the underlying problem (dhclient and unwind playing well
together) should be solved differently.
Final straw was jca reporting that it breaks his setup.


# bdac6e2d 30-Jan-2021 florian <florian@openbsd.org>

Re-try to open DNSSEC trust anchor file if /var is not mounted yet.
This is a step towards starting unwind earlier, before the network is
up and partitions are mounted.
OK kn


# 5dca88ce 27-Jan-2021 florian <florian@openbsd.org>

Determine available address families (and monitor when this changes)
to configure libunbound accordingly. This way it no longer tries to
talk to IPv6 nameservers when only IPv4 is available and vice versa.
input deraadt
OK kn


# 00b0420e 24-Jan-2021 florian <florian@openbsd.org>

Implement DNS64 synthesis.
When unwind(8) learns new autoconf resolvers (from dhcp or router
advertisements) it checks if a DNS64 is present in this network
location and tries to recover the IPv6 prefix used according to
RFC7050.
The learned autoconf resolvers are then prevented from upgrading to
the validating state since DNS64 breaks DNSSEC.
unwind(8) can now perform its own synthesis. If a query for an AAAA
record results in no answer we re-send the query for A and if that
leads to an answer we synthesize an AAAA answer using the learned
prefixes.

Testing & OK kn


# d81b02e2 19-Jan-2021 florian <florian@openbsd.org>

Make imsg event structs static to fix -fno-common.
Follows claudio's lead in ospfd et al.
Problem reported by mortimer.


# 3538560b 19-Jan-2021 florian <florian@openbsd.org>

Move control_state and ctl_conns to control.c, it's not needed
elsewhere and unbreaks -fno-common.
Inspired by claudio
Problem reported by mortimer


# 7be68703 19-Jan-2021 florian <florian@openbsd.org>

Reduce scope of routesock unbreaking -fno-common.
Problem reported by mortimer.


# d223f0d9 19-Jan-2021 florian <florian@openbsd.org>

No need for a global uw_process; unbreaks -fno-common.
Problem reported by mortimer


# 297af7e1 12-Jan-2021 florian <florian@openbsd.org>

Implement listening on 53/TCP
Since we are only serving localhost we could get away with doing
serving over UDP only because we have a huge MTU on lo0, it's still
not correct behavior.
This also enables sending truncated answers with TC set if the answer
does not fit into the edns announced udp size.

Testing at least by matthieu, jca, otto, phessler
OK phessler


# a8ba344b 12-Jan-2021 florian <florian@openbsd.org>

Rewrite query parsing and answer formatting using libunbound provided
functions.
With this we can filter out DNSSEC RRsets if the client did not ask
for them. We will also be able to send truncated answers to indicate
to the client to switch to tcp. This will be enabled in the next
commit.

Testing at least by matthieu, jca, otto, phessler
OK phessler

