Merge remote-tracking branch 'nlnet/master'

* nlnet/master: (26 commits)
  - For NLnetLabs#1175, update serve-expired tests.
  - Fix NLnetLabs#1175: serve-expired does not adhere to secure-by-default   principle. The default value of serve-expired-client-timeout   is set to 1800 as suggested by RFC8767.
  - Fix comparison to help static analyzer.
  Changelog entry for NLnetLabs#1169: - Merge NLnetLabs#1169 from Sergey Kacheev, fix: lock-free counters for   auth_zone up/down queries.
  fix: lock-free counters for auth_zone up/down queries
  - Fix for NLnetLabs#1183: release nsec3 hashes per test file.
  - Fix NLnetLabs#1183: the data being used is released in method   nsec3_hash_test_entry.
  - Complete fix for max-global-quota to 200.
  - More descriptive text for 'harden-algo-downgrade'.
  - Increase the default of max-global-quota to 200 from 128 after   operational feedback. Still keeping the possible amplification   factor (CAMP related issues) in the hundreds.
  Changelog entry for: - Fix SETEX check during Redis (re)initialization.
  - Fix SETEX check during Redis (re)initialization.
  - Fix to log redis timeout error string on failure.
  - Fix for the serve expired DNSSEC information fix, it would not allow   current delegation information be updated in cache. The fix allows   current delegation and validation recursion information to be   updated, but as a consequence no longer has certain expired   information around for later dnssec valid expired responses.
  Changelog note for NLnetLabs#1167 - Merge NLnetLabs#1167: Makefile.in: fix occasional parallel build failures   around bison rule.
  Makefile.in: fix occasional parallel build failures around bison rule (NLnetLabs#1167)
  - Fix redis that during a reload it does not fail if the redis   server does not connect or does not respond. It still logs the   errors and if the server is up checks expiration features.
  - Fix redis that during a reload it does not fail if the redis   server does not connect or does not respond. It still logs the   errors and if the server is up checks expiration features.
  Changelog entry for NLnetLabs#1157: - Merge NLnetLabs#1157 from Liang Zhu, Fix heap corruption when calling   ub_ctx_delete in Windows.
  Fix heap corruption when calling ub_ctx_delete in Windows (NLnetLabs#1157)
  ...

Makefile.in

@@ -509,10 +509,15 @@ util/configlexer.c:  $(srcdir)/util/configlexer.lex util/configparser.h
 	fi
 	@if test ! -f $@; then echo "No $@ : need flex and bison to compile from source repository"; exit 1; fi
 
-util/configparser.c util/configparser.h:  $(srcdir)/util/configparser.y
+# Builds both util/configparser.c and util/configparser.h.
+# To avoid double-building we split one target out.
+util/configparser.c:  $(srcdir)/util/configparser.y
 	@-if test ! -d util; then $(INSTALL) -d util; fi
 	$(YACC) -d -o util/configparser.c $(srcdir)/util/configparser.y
 
+util/configparser.h: util/configparser.c
+	touch $@
+
 clean:
 	rm -f *.o *.d *.lo *~ tags
 	rm -f unbound$(EXEEXT) unbound-checkconf$(EXEEXT) unbound-host$(EXEEXT) unbound-control$(EXEEXT) unbound-anchor$(EXEEXT) unbound-control-setup libunbound.la unbound.h

cachedb/cachedb.c

@@ -755,7 +755,8 @@ cachedb_intcache_store(struct module_qstate* qstate, int msg_expired)
 	}
 	(void)dns_cache_store(qstate->env, &qstate->qinfo,
 		qstate->return_msg->rep, 0, qstate->prefetch_leeway, 0,
-		qstate->region, store_flags, qstate->qstarttime);
+		qstate->region, store_flags, qstate->qstarttime,
+		qstate->is_valrec);
 	if(serve_expired && msg_expired) {
 		if(qstate->env->cfg->serve_expired_client_timeout) {
 			/* No expired response from the query state, the

cachedb/redis.c

@@ -61,6 +61,7 @@ struct redis_moddata {
 	struct timeval command_timeout;	 /* timeout for commands */
 	struct timeval connect_timeout;	 /* timeout for connect */
 	int logical_db;		/* the redis logical database to use */
+	int setex_available;    /* if the SETEX command is supported */
 };
 
 static redisReply* redis_command(struct module_env*, struct cachedb_env*,
@@ -102,7 +103,7 @@ redis_connect(const struct redis_moddata* moddata)
 		goto fail;
 	}
 	if(redisSetTimeout(ctx, moddata->command_timeout) != REDIS_OK) {
-		log_err("failed to set redis timeout");
+		log_err("failed to set redis timeout, %s", ctx->errstr);
 		goto fail;
 	}
 	if(moddata->server_password && moddata->server_password[0]!=0) {
@@ -182,24 +183,24 @@ redis_init(struct module_env* env, struct cachedb_env* cachedb_env)
 	for(i = 0; i < moddata->numctxs; i++) {
 		redisContext* ctx = redis_connect(moddata);
 		if(!ctx) {
-			log_err("redis_init: failed to init redis");
-			goto fail;
+			log_err("redis_init: failed to init redis "
+				"(for thread %d)", i);
+			/* And continue, the context can be established
+			 * later, just like after a disconnect. */
 		}
 		moddata->ctxs[i] = ctx;
 	}
 	cachedb_env->backend_data = moddata;
-	if(env->cfg->redis_expire_records) {
+	if(env->cfg->redis_expire_records &&
+		moddata->ctxs[env->alloc->thread_num] != NULL) {
 		redisReply* rep = NULL;
 		int redis_reply_type = 0;
 		/** check if setex command is supported */
 		rep = redis_command(env, cachedb_env,
 			"SETEX __UNBOUND_REDIS_CHECK__ 1 none", NULL, 0);
 		if(!rep) {
 			/** init failed, no response from redis server*/
-			log_err("redis_init: failed to init redis, the "
-				"redis-expire-records option requires the SETEX command "
-				"(redis >= 2.0.0)");
-			goto fail;
+			goto setex_fail;
 		}
 		redis_reply_type = rep->type;
 		freeReplyObject(rep);
@@ -208,14 +209,17 @@ redis_init(struct module_env* env, struct cachedb_env* cachedb_env)
 			break;
 		default:
 			/** init failed, setex command not supported */
-			log_err("redis_init: failed to init redis, the "
-				"redis-expire-records option requires the SETEX command "
-				"(redis >= 2.0.0)");
-			goto fail;
+			goto setex_fail;
 		}
+		moddata->setex_available = 1;
 	}
 	return 1;
 
+setex_fail:
+	log_err("redis_init: failure during redis_init, the "
+		"redis-expire-records option requires the SETEX command "
+		"(redis >= 2.0.0)");
+	return 1;
 fail:
 	moddata_clean(&moddata);
 	return 0;
@@ -346,7 +350,10 @@ redis_store(struct module_env* env, struct cachedb_env* cachedb_env,
 {
 	redisReply* rep;
 	int n;
-	int set_ttl = (env->cfg->redis_expire_records &&
+	struct redis_moddata* moddata = (struct redis_moddata*)
+		cachedb_env->backend_data;
+	int set_ttl = (moddata->setex_available &&
+		env->cfg->redis_expire_records &&
 		(!env->cfg->serve_expired || env->cfg->serve_expired_ttl > 0));
 	/* Supported commands:
 	 * - "SET " + key + " %b"

daemon/cachedump.c

@@ -692,7 +692,7 @@ load_msg(RES* ssl, sldns_buffer* buf, struct worker* worker)
 		return 1; /* skip this one, not all references satisfied */
 
 	if(!dns_cache_store(&worker->env, &qinf, &rep, 0, 0, 0, NULL, flags,
-		*worker->env.now)) {
+		*worker->env.now, 1)) {
 		log_warn("error out of memory");
 		return 0;
 	}

daemon/remote.c

@@ -707,6 +707,10 @@ print_stats(RES* ssl, const char* nm, struct ub_stats_info* s)
 		(unsigned long)s->svr.num_queries_cookie_client)) return 0;
 	if(!ssl_printf(ssl, "%s.num.queries_cookie_invalid"SQ"%lu\n", nm,
 		(unsigned long)s->svr.num_queries_cookie_invalid)) return 0;
+	if(!ssl_printf(ssl, "%s.num.queries_discard_timeout"SQ"%lu\n", nm,
+		(unsigned long)s->svr.num_queries_discard_timeout)) return 0;
+	if(!ssl_printf(ssl, "%s.num.queries_wait_limit"SQ"%lu\n", nm,
+		(unsigned long)s->svr.num_queries_wait_limit)) return 0;
 	if(!ssl_printf(ssl, "%s.num.cachehits"SQ"%lu\n", nm,
 		(unsigned long)(s->svr.num_queries
 			- s->svr.num_queries_missed_cache))) return 0;

daemon/stats.c

@@ -281,6 +281,10 @@ server_stats_compile(struct worker* worker, struct ub_stats_info* s, int reset)
 		s->svr.rpz_action[i] += (long long)worker->env.mesh->rpz_action[i];
 	timehist_export(worker->env.mesh->histogram, s->svr.hist,
 		NUM_BUCKETS_HIST);
+	s->svr.num_queries_discard_timeout +=
+		(long long)worker->env.mesh->num_queries_discard_timeout;
+	s->svr.num_queries_wait_limit +=
+		(long long)worker->env.mesh->num_queries_wait_limit;
 	/* values from outside network */
 	s->svr.unwanted_replies = (long long)worker->back->unwanted_replies;
 	s->svr.qtcp_outgoing = (long long)worker->back->num_tcp_outgoing;
@@ -325,20 +329,8 @@ server_stats_compile(struct worker* worker, struct ub_stats_info* s, int reset)
 	s->svr.num_query_dnscrypt_replay = 0;
 #endif /* USE_DNSCRYPT */
 	if(worker->env.auth_zones) {
-		if(reset && !worker->env.cfg->stat_cumulative) {
-			lock_rw_wrlock(&worker->env.auth_zones->lock);
-		} else {
-			lock_rw_rdlock(&worker->env.auth_zones->lock);
-		}
-		s->svr.num_query_authzone_up = (long long)worker->env.
-			auth_zones->num_query_up;
-		s->svr.num_query_authzone_down = (long long)worker->env.
-			auth_zones->num_query_down;
-		if(reset && !worker->env.cfg->stat_cumulative) {
-			worker->env.auth_zones->num_query_up = 0;
-			worker->env.auth_zones->num_query_down = 0;
-		}
-		lock_rw_unlock(&worker->env.auth_zones->lock);
+		s->svr.num_query_authzone_up += (long long)worker->env.mesh->num_query_authzone_up;
+		s->svr.num_query_authzone_down += (long long)worker->env.mesh->num_query_authzone_down;
 	}
 	s->svr.mem_stream_wait =
 		(long long)tcp_req_info_get_stream_buffer_size();
@@ -451,9 +443,14 @@ void server_stats_add(struct ub_stats_info* total, struct ub_stats_info* a)
 	total->svr.num_queries_cookie_valid += a->svr.num_queries_cookie_valid;
 	total->svr.num_queries_cookie_client += a->svr.num_queries_cookie_client;
 	total->svr.num_queries_cookie_invalid += a->svr.num_queries_cookie_invalid;
+	total->svr.num_queries_discard_timeout +=
+		a->svr.num_queries_discard_timeout;
+	total->svr.num_queries_wait_limit += a->svr.num_queries_wait_limit;
 	total->svr.num_queries_missed_cache += a->svr.num_queries_missed_cache;
 	total->svr.num_queries_prefetch += a->svr.num_queries_prefetch;
 	total->svr.num_queries_timed_out += a->svr.num_queries_timed_out;
+	total->svr.num_query_authzone_up += a->svr.num_query_authzone_up;
+	total->svr.num_query_authzone_down += a->svr.num_query_authzone_down;
 	if (total->svr.max_query_time_us < a->svr.max_query_time_us)
 		total->svr.max_query_time_us = a->svr.max_query_time_us;
 	total->svr.sum_query_list_size += a->svr.sum_query_list_size;

dns64/dns64.c

@@ -658,7 +658,8 @@ handle_event_moddone(struct module_qstate* qstate, int id)
 		!dns_cache_store(
 			qstate->env, &qstate->qinfo, qstate->return_msg->rep,
 			0, qstate->prefetch_leeway, 0, NULL,
-			qstate->query_flags, qstate->qstarttime))
+			qstate->query_flags, qstate->qstarttime,
+			qstate->is_valrec))
 		log_err("out of memory");
 
 	/* do nothing */
@@ -1008,7 +1009,8 @@ dns64_inform_super(struct module_qstate* qstate, int id,
 	/* Store the generated response in cache. */
 	if ( (!super_dq || !super_dq->started_no_cache_store) &&
 		!dns_cache_store(super->env, &super->qinfo, super->return_msg->rep,
-		0, super->prefetch_leeway, 0, NULL, super->query_flags, qstate->qstarttime))
+		0, super->prefetch_leeway, 0, NULL, super->query_flags,
+		qstate->qstarttime, qstate->is_valrec))
 		log_err("out of memory");
 }
 

doc/Changelog

@@ -1,3 +1,60 @@
+22 November 2024: Yorgos
+	- Fix #1175: serve-expired does not adhere to secure-by-default
+	  principle. The default value of serve-expired-client-timeout
+	  is set to 1800 as suggested by RFC8767.
+	- For #1175, update serve-expired tests.
+
+20 November 2024: Yorgos
+	- Fix comparison to help static analyzer.
+
+19 November 2024: Yorgos
+	- Merge #1169 from Sergey Kacheev, fix: lock-free counters for
+	  auth_zone up/down queries.
+
+15 November 2024: Wouter
+	- Fix #1183: the data being used is released in method
+	  nsec3_hash_test_entry.
+	- Fix for #1183: release nsec3 hashes per test file.
+
+8 November 2024: Yorgos
+	- More descriptive text for 'harden-algo-downgrade'.
+	- Complete fix for max-global-quota to 200.
+
+6 November 2024: Yorgos
+	- Increase the default of max-global-quota to 200 from 128 after
+	  operational feedback. Still keeping the possible amplification
+	  factor (CAMP related issues) in the hundreds.
+
+5 November 2024: Wouter
+	- Fix for the serve expired DNSSEC information fix, it would not allow
+	  current delegation information be updated in cache. The fix allows
+	  current delegation and validation recursion information to be
+	  updated, but as a consequence no longer has certain expired
+	  information around for later dnssec valid expired responses.
+	- Fix to log redis timeout error string on failure.
+
+5 November 2024: Yorgos
+	- Fix SETEX check during Redis (re)initialization.
+
+4 November 2024: Wouter
+	- Fix redis that during a reload it does not fail if the redis
+	  server does not connect or does not respond. It still logs the
+	  errors and if the server is up checks expiration features.
+	- Merge #1167: Makefile.in: fix occasional parallel build failures
+	  around bison rule.
+
+1 November 2024: Yorgos
+	- Merge #1159: Stats for discard-timeout and wait-limit.
+	- Add test case for #1159.
+	- Some clean up for stat_values.test.
+	- Merge #1170 from Melroy van den Berg, Fix chroot manpage
+	  description.
+	- Merge #1157 from Liang Zhu, Fix heap corruption when calling
+	  ub_ctx_delete in Windows.
+
+25 October 2024: Yorgos
+	- Fix #1163: Typos in unbound.conf documentation.
+
 17 October 2024: Wouter
 	- Tag for 1.22.0 release. This did not contain the 1154 fix
 	  from 16 oct. The code repository continues with

doc/example.conf.in

@@ -194,7 +194,7 @@ server:
 	# iter-scrub-cname: 11
 
 	# Limit on upstream queries for an incoming query and its recursion.
-	# max-global-quota: 128
+	# max-global-quota: 200
 
 	# msec for waiting for an unknown server to reply.  Increase if you
 	# are behind a slow satellite link, to eg. 1128.
@@ -556,8 +556,9 @@ server:
 	# harden-referral-path: no
 
 	# Harden against algorithm downgrade when multiple algorithms are
-	# advertised in the DS record.  If no, allows the weakest algorithm
-	# to validate the zone.
+	# advertised in the DS record.  If no, allows any algorithm
+	# to validate the zone which is the standard behavior for validators.
+	# Check the manpage for detailed information.
 	# harden-algo-downgrade: no
 
 	# Harden against unknown records in the authority section and the
@@ -730,7 +731,8 @@ server:
 	# disable-edns-do: no
 
 	# Serve expired responses from cache, with serve-expired-reply-ttl in
-	# the response, and then attempt to fetch the data afresh.
+	# the response. By default it first tries to refresh an expired answer.
+	# Can be configured with serve-expired-client-timeout.
 	# serve-expired: no
 	#
 	# Limit serving of expired responses to configured seconds after
@@ -748,10 +750,9 @@ server:
 	#
 	# Time in milliseconds before replying to the client with expired data.
 	# This essentially enables the serve-stale behavior as specified in
-	# RFC 8767 that first tries to resolve before
-	# immediately responding with expired data.  0 disables this behavior.
-	# A recommended value is 1800.
-	# serve-expired-client-timeout: 0
+	# RFC 8767 that first tries to resolve before immediately responding
+	# with expired data.  0 disables this behavior.
+	# serve-expired-client-timeout: 1800
 
 	# Return the original TTL as received from the upstream name server rather
 	# than the decrementing TTL as stored in the cache.  Enabling this feature

doc/unbound-control.8.in

@@ -422,6 +422,12 @@ number of queries with a client part only DNS Cookie by thread
 .I threadX.num.queries_cookie_invalid
 number of queries with an invalid DNS Cookie by thread
 .TP
+.I threadX.num.queries_discard_timeout
+number of queries removed due to discard-timeout by thread
+.TP
+.I threadX.num.queries_wait_limit
+number of queries removed due to wait-limit by thread
+.TP
 .I threadX.num.cachehits
 number of queries that were successfully answered using a cache lookup
 .TP
@@ -511,6 +517,12 @@ summed over threads.
 .I total.num.queries_cookie_invalid
 summed over threads.
 .TP
+.I total.num.queries_discard_timeout
+summed over threads.
+.TP
+.I total.num.queries_wait_limit
+summed over threads.
+.TP
 .I total.num.cachehits
 summed over threads.
 .TP