diff --git a/unbound-1.6.2-permissive.patch b/unbound-1.6.2-permissive.patch
new file mode 100644
index 0000000..3c095d2
--- /dev/null
+++ b/unbound-1.6.2-permissive.patch
@@ -0,0 +1,131 @@
+diff --git a/validator/val_utils.c b/validator/val_utils.c
+index e3677e1..e4eff1b 100644
+--- a/validator/val_utils.c
++++ b/validator/val_utils.c
+@@ -54,6 +54,7 @@
+ #include "util/net_help.h"
+ #include "util/module.h"
+ #include "util/regional.h"
++#include "util/config_file.h"
+ #include "sldns/wire2str.h"
+ #include "sldns/parseutil.h"
+ 
+@@ -914,7 +915,7 @@ void val_reply_remove_auth(struct reply_info* rep, size_t index)
+ }
+ 
+ void
+-val_check_nonsecure(struct val_env* ve, struct reply_info* rep)
++val_check_nonsecure(struct module_env* env, struct reply_info* rep)
+ {
+ size_t i;
+ /* authority */
+@@ -955,7 +956,7 @@ val_check_nonsecure(struct val_env* ve, struct reply_info* rep)
+ }
+ }
+ /* additional */
+- if(!ve->clean_additional)
++ if(!env->cfg->val_clean_additional)
+ return;
+ for(i=rep->an_numrrsets+rep->ns_numrrsets; irrset_count; i++) {
+ if(((struct packed_rrset_data*)rep->rrsets[i]->entry.data)
+diff --git a/validator/val_utils.h b/validator/val_utils.h
+index 051824a..649adc2 100644
+--- a/validator/val_utils.h
++++ b/validator/val_utils.h
+@@ -306,10 +306,10 @@ void val_reply_remove_auth(struct reply_info* rep, size_t index);
+ * So that unsigned data does not get let through to clients, when we have
+ * found the data to be secure.
+ *
+- * @param ve: validator environment with cleaning options.
++ * @param env: environment with cleaning options.
+ * @param rep: reply to dump all nonsecure stuff out of.
+ */
+-void val_check_nonsecure(struct val_env* ve, struct reply_info* rep);
++void val_check_nonsecure(struct module_env* env, struct reply_info* rep);
+ 
+ /**
+ * Mark all unchecked rrset entries not below a trust anchor as indeterminate.
+diff --git a/validator/validator.c b/validator/validator.c
+index e8b6317..5f4a1eb 100644
+--- a/validator/validator.c
++++ b/validator/validator.c
+@@ -113,8 +113,6 @@ val_apply_cfg(struct module_env* env, struct val_env* val_env,
+ {
+ int c;
+ val_env->bogus_ttl = (uint32_t)cfg->bogus_ttl;
+- val_env->clean_additional = cfg->val_clean_additional;
+- val_env->permissive_mode = cfg->val_permissive_mode;
+ if(!env->anchors)
+ env->anchors = anchors_create();
+ if(!env->anchors) {
+@@ -171,7 +169,6 @@ val_init(struct module_env* env, int id)
+ }
+ env->modinfo[id] = (void*)val_env;
+ env->need_to_validate = 1;
+- val_env->permissive_mode = 0;
+ lock_basic_init(&val_env->bogus_lock);
+ lock_protect(&val_env->bogus_lock, &val_env->num_rrset_bogus,
+ sizeof(val_env->num_rrset_bogus));
+@@ -619,9 +616,11 @@ validate_msg_signatures(struct module_qstate* qstate, struct module_env* env,
+ }
+ }
+ 
+- /* attempt to validate the ADDITIONAL section rrsets */
+- if(!ve->clean_additional)
++ /* If set, the validator should clean the additional section of
++ * secure messages. */
++ if(!env->cfg->val_clean_additional)
+ return 1;
++ /* attempt to validate the ADDITIONAL section rrsets */
+ for(i=chase_reply->an_numrrsets+chase_reply->ns_numrrsets;
+ irrset_count; i++) {
+ s = chase_reply->rrsets[i];
+@@ -2129,7 +2128,7 @@ processFinished(struct module_qstate* qstate, struct val_qstate* vq,
+ * a different signer name). And drop additional rrsets
+ * that are not secure (if clean-additional option is set) */
+ /* this may cause the msg to be marked bogus */
+- val_check_nonsecure(ve, vq->orig_msg->rep);
++ val_check_nonsecure(qstate->env, vq->orig_msg->rep);
+ if(vq->orig_msg->rep->security == sec_status_secure) {
+ log_query_info(VERB_DETAIL, "validation success",
+ &qstate->qinfo);
+@@ -2170,8 +2169,14 @@ processFinished(struct module_qstate* qstate, struct val_qstate* vq,
+ free(err);
+ }
+ }
++ /*
++ * If set, the validator will not make messages bogus, instead
++ * indeterminate is issued, so that no clients receive SERVFAIL.
++ * This allows an operator to run validation 'shadow' without
++ * hurting responses to clients.
++ */
+ /* If we are in permissive mode, bogus gets indeterminate */
+- if(ve->permissive_mode)
++ if(qstate->env->cfg->val_permissive_mode)
+ vq->orig_msg->rep->security = sec_status_indeterminate;
+ }
+ 
+diff --git a/validator/validator.h b/validator/validator.h
+index 23d3072..9a59107 100644
+--- a/validator/validator.h
++++ b/validator/validator.h
+@@ -93,19 +93,6 @@ struct val_env {
+ * seconds. */
+ uint32_t bogus_ttl;
+ 
+- /** If set, the validator should clean the additional section of
+- * secure messages.
+- */
+- int clean_additional;
+- 
+- /**
+- * If set, the validator will not make messages bogus, instead
+- * indeterminate is issued, so that no clients receive SERVFAIL.
+- * This allows an operator to run validation 'shadow' without
+- * hurting responses to clients.
+- */
+- int permissive_mode;
+- 
+ /**
+ * Number of entries in the NSEC3 maximum iteration count table.
+ * Keep this table short, and sorted by size
diff --git a/unbound.spec b/unbound.spec
index 5521732..99a0874 100644
--- a/unbound.spec
+++ b/unbound.spec
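Review bot: The comment blocks moved out of the deleted `struct val_env` fields now sit directly above comments that already make the same point at both new sites in validator.c — the six-line `If set, the validator will not make messages bogus …` block above `/* If we are in permissive mode, bogus gets indeterminate */` in processFinished, and `If set, the validator should clean the additional section …` above the relocated `attempt to validate the ADDITIONAL section rrsets` in validate_msg_signatures — so one comment per site would do, e.g. `/* permissive mode is read live from cfg (unbound-control set_option); bogus becomes indeterminate */`. What that comment should also carry is the behavior the patch introduces: both flags are now read from the shared `env->cfg` on every query instead of the snapshot `val_apply_cfg` used to take, so a control-channel `set_option` is observed by the workers immediately and without any synchronization — presumably fine for a plain int flag, but flipping val-permissive-mode silently stops bogus answers from being refused, which is worth stating at the read site rather than only in the spec changelog. The val_utils.h doc for the renamed parameter could likewise say which field is consulted, `@param env: module environment; reads env->cfg->val_clean_additional.`. The loop conditions shown as `irrset_count` look like a rendering artifact of `i<…->rrset_count` rather than a change made by the patch, and every function touched here begins and ends outside its hunk.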
@@ -21,7 +21,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound Version: 1.6.2 -Release: 1%{?extra_version:.%{extra_version}}%{?dist} +Release: 2%{?extra_version:.%{extra_version}}%{?dist} License: BSD Url: http://www.nlnetlabs.nl/unbound/ Source: http://www.unbound.net/downloads/%{name}-%{version}%{?extra_version}.tar.gz @@ -43,6 +43,8 @@ Source15: unbound-anchor.timer Source16: unbound-munin.README Source17: unbound-anchor.service +Patch1: unbound-1.6.2-permissive.patch + Group: System Environment/Daemons BuildRequires: flex, openssl-devel BuildRequires: libevent-devel expat-devel @@ -135,6 +137,9 @@ Python 3 modules and extensions for unbound %prep %{?extra_version:%global pkgname %{name}-%{version}%{extra_version}}%{!?extra_version:%global pkgname %{name}-%{version}} %setup -qcn %{pkgname} +pushd %{pkgname} +%patch1 -p1 +popd %if 0%{with_python} mv %{pkgname} %{pkgname}_python2 @@ -439,6 +444,9 @@ popd %changelog +* Thu Jun 08 2017 Paul Wouters - 1.6.2-2 +- Patch for cmd: unbound-control set_option val-permissive-mode: yes + * Wed Apr 26 2017 Paul Wouters - 1.6.2-1 - Update to 1.6.2 (rhbz#1425649) - Updated unbound.conf with new options