v6 placeholder #2153 (Open)
PromoFaux wants to merge 2,553 commits into master from development
…iginal binary's end and the appended checksum. This ensures we do not try to verify if no checksum is there, e.g., when using a different toolset than ./build.sh with cmake Signed-off-by: DL6ER <[email protected]>
…ll location Signed-off-by: DL6ER <[email protected]>
…grained: 0 = OK (checksum matches), 1 = FAILED (binary corrupted), 2 = ERROR (e.g. cannot open the file), 3 = NO CHECKSUM FOUND (e.g. compiled using unsupported toolchain) Signed-off-by: DL6ER <[email protected]>
Fix binary verification with modern cmake
… cycled to the minimum. This is achieved by reducing the number of comparisons and avoiding duplicated calculations. We furthermore add checking for proper sorting of the array when SIGRT7 is received as this is mandatory for proper function of the algorithm and add a new macro log_lvl(priority, ...) which may be used to specify the severity (INFO, WARN, ERROR, ...) dynamically Signed-off-by: DL6ER <[email protected]>
…stem Signed-off-by: DL6ER <[email protected]>
Slightly optimize the binary search algorithm
Improve build.sh script
…l message length when requesting link information Signed-off-by: DL6ER <[email protected]>
Upstream lookups should always check for the magic byte while searching
Fix netlink message length
…ome reason Signed-off-by: DL6ER <[email protected]>
Improve error messages logged within internal name resolver
Signed-off-by: RD WebDesign <[email protected]>
Changes the `dns.domain` validation to accept an empty string as value
Make <domain> optional in dns.revServer
Ensure we close netlink sockets
…hed. This allows us to debug TCP workers as well as they won't fork Signed-off-by: DL6ER <[email protected]>
…ingdump.txt if debug.gc is true Signed-off-by: DL6ER <[email protected]>
Update embedded CivetWeb
Update dnsmasq to latest v2.91test7
If we get a duplicate answer for a query via UDP which we have either already received and started DNSSEC validation, or was truncated and we've passed to TCP, then just ignore it. The code was already in place, but had evolved wonky and only worked for error replies which would otherwise prompt a retransmit. Signed-off-by: DL6ER <[email protected]>
Avoid endless spinning in UDP->TCP path
Update SQLite3 to 3.48.0 released earlier today
Remove surplus SHM unlocking in IPv6 name resolution deceleration code
Use arm64 machines provided by GHA
If the value of CFLAGS is changed between builds, the makefile will rebuild, in the same way as for COPTS. Signed-off-by: DL6ER <[email protected]>
When dnsmasq is configured to act as an authoritative server and has an authoritative zone configured, and receives a query for that zone _as_forwarder_ it answers the query directly rather than forwarding it. This doesn't affect the answer, but it saves dnsmasq forwarding the query to the recursor upstream, which then bounces it back to dnsmasq in auth mode. The exception should be when the query is for the root of zone, for a DS RR. The answer to that has to come from the parent, via the recursor, and will typically be a proof-of-nonexistence since dnsmasq doesn't support signed zones. This patch suppresses local answers and forces forwarding to the upstream recursor for such queries. It stops breakage when a DNSSEC validating client makes queries to dnsmasq acting as forwarder for a zone for which it is authoritative. Signed-off-by: DL6ER <[email protected]>
If the client asks for DNSSEC RRs via the do bit, and we have an answer cached, we can only return the cached answer if the RR was not validated. This is because we don't have the extra info (RRSIGS, NSECs) for a complete validated answer. In that case we have to forward again. This bug was that the "is the cache entry validated" test was in an outer loop rather than an inner one. A cache hit on a different RRtype that wasn't validated would satisfy the condition to use the cache, even if the cache entry for the required RRtype didn't. The only time when there can be a mix of validated and non validated cache entries for the same domain is when most are not validated, but one is a negative cache for a DS record. This bug took a long time to find. Signed-off-by: DL6ER <[email protected]>
Let's give the poor programmers a chance. Signed-off-by: DL6ER <[email protected]>
Update embedded dnsmasq to v2.91test8
When checking that an answer is the answer to the question that we asked, compare the name in a case-sensitive manner. Clients can set the letters in a query to a random pattern of uppercase and lowercase to add more randomness as protection against cache-poisoning attacks, and we don't want to nullify that. This actually restores the status quo before commit ed6d29a78475f9ec91141120aba53490bc1dc39a since matching questions and answers using a checksum can't help but be case sensitive. This patch is a preparation for introducing DNS-0x20 in the dnsmasq query path. Signed-off-by: DL6ER <[email protected]>
This provides extra protection against reply-spoof attacks. Since DNS queries are case-insensitive, it's possible to randomly flip the case of letters in a query and still get the correct answer back. This adds an extra dimension for a cache-poisoning attacker to guess when sending replies in-the-blind since it's expected that the legitimate answer will have the same pattern of upper and lower case as the query, so any replies which don't can be ignored as malicious. The amount of extra entropy clearly depends on the number of a-z and A-Z characters in the query, and this implementation puts a hard limit of 32 bits to make resource allocation easy. This about doubles entropy over the standard random ID and random port combination. Signed-off-by: DL6ER <[email protected]>
0x20 encoding makes them look odd, otherwise. Signed-off-by: DL6ER <[email protected]>
…asq (see commit 8132969, Dec, 19, 2024) Signed-off-by: DL6ER <[email protected]>
…A-Z is 0x41..0x5A, a-z is 0x61..0x7A). The 0x20 bit does not carry any information as DNS is case-insensitive. Hence, we can use it as additional "nonce" bits. Signed-off-by: DL6ER <[email protected]>
… create new building test containers already including this package Signed-off-by: DL6ER <[email protected]>
Update dnsmasq to v2.91test9
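The DNS-0x20 commits above describe the mechanism in prose: the 0x20 bit of each letter in the query name is free, so it can carry nonce bits, capped at 32, and replies are matched case-sensitively. The following is an added illustration written for this page, not code from Pi-hole FTL or dnsmasq; the function names and the constructed names are assumptions.

```python
import secrets

# Hard limit from the commit message: only the first 32 letters carry nonce bits.
MAX_BITS = 32


def encode_0x20(name: str, nonce: int) -> str:
    """Apply the case pattern given by `nonce` to the ASCII letters of `name`.

    Bit i of `nonce` selects the case of the i-th letter (1 = lowercase).
    A-Z is 0x41..0x5A and a-z is 0x61..0x7A, so toggling 0x20 flips case
    without changing which name is being asked for.
    """
    out, i = [], 0
    for ch in name:
        if ch.isascii() and ch.isalpha() and i < MAX_BITS:
            code = ord(ch) | 0x20 if (nonce >> i) & 1 else ord(ch) & ~0x20
            out.append(chr(code))
            i += 1
        else:
            out.append(ch)  # digits, '-', '.' have no 0x20 freedom
    return "".join(out)


def entropy_bits(name: str) -> int:
    """How many nonce bits this name can carry (one per letter, capped)."""
    return min(MAX_BITS, sum(1 for ch in name if ch.isascii() and ch.isalpha()))


def new_query(name: str) -> tuple[str, int]:
    """Pick a fresh random case pattern for an outgoing query."""
    nonce = secrets.randbits(MAX_BITS)
    return encode_0x20(name, nonce), nonce


def classify_reply(sent_qname: str, reply_qname: str) -> str:
    """Decide what to do with the question name echoed in a reply.

    'match'   : exact, case-sensitive match -> accept for further processing
    'spoofed' : same name ignoring case but wrong case pattern -> drop
    'other'   : a reply to some other question -> not ours
    """
    if sent_qname == reply_qname:
        return "match"
    if sent_qname.lower() == reply_qname.lower():
        return "spoofed"
    return "other"
```

A blind spoofer that cannot see the outgoing query must now guess the case pattern in addition to the transaction ID and source port, which is the extra entropy the commit refers to.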