Merge remote-tracking branch 'nlnet/master'

* nlnet/master: (66 commits)
  - Tag for release 1.21.0, the repository continues with 1.21.1   in development.
  - Fix spelling for the cache-min-negative-ttl entry in the   example.conf.
  - Fix that for windows the module startup is called and sets up   the module-config.
  - Set version number to 1.21.0 for release.
  - Fix CacheFlush issues with limit on NS RRs. Thanks to Yehuda Afek,   Anat Bremler-Barr, Shoham Danino and Yuval Shavitt (Tel-Aviv   University and Reichman University).
  - Fix CAMP issues with global quota. Thanks to Huayi Duan, Marco   Bearzi, Jodok Vieli, and Cagin Tanir from NetSec group, ETH Zurich.
  - Fix that alloc stats for forwards and hints are printed, and when   alloc stats is enabled, the unit test for unbound control waits for   reloads to complete.
  Changelog note for NLnetLabs#1090 - Merge NLnetLabs#1090: Cookie secret file. Adds   `cookie-secret-file: "unbound_cookiesecrets.txt"` option to store   cookie secrets for EDNS COOKIE secret rollover. The remote control   add_cookie_secret, activate_cookie_secret and drop_cookie_secret   commands can be used for rollover, the command print_cookie_secrets   shows the values in use.
  Cookie secret file (NLnetLabs#1090)
  Update changelog. - Fix testbound for alloc stats strdup in util/alloc.c.
  - Fix testbound for alloc stats strdup in util/alloc.c.
  - Fix that alloc stats has strdup checks, it stops debuggers from   complaining about mismatch at free time.
  - Fix that the worker mem report with alloc stats does not attempt   to print memory use of forwards and hints if they have been   deleted already.
  - Fix dnstap test program, cleans up to have clean memory on exit,   for tap_data_free, does not delete NULL items. Also it does not try   to free the tail, specifically in the free of the list since that   picked up the next item in the list for its loop causing invalid   free. Added internal unit test to unbound-dnstap-socket for that.
  - Fix for NLnetLabs#1114: Fix that cache fill for forward-host names is   performed, so that with nonzero target-fetch-policy it fetches   forwarder addresses and uses them from cache. Also updated that   delegation point cache fill routines use CDflag for AAAA message   lookups, so that its negative lookup stops a recursion since the   cache uses the bit for disambiguation for dns64 but the recursion   uses CDflag for the AAAA target lookups, so the check correctly   stops a useless recursion by its cache lookup.
  - Fix to document parameters of auth_zone_verify_zonemd_with_key.
  - Add root key 38696 from 2024 for DNSSEC validation. It is added   to the default root keys in unbound-anchor. The content can be   inspected with `unbound-anchor -l`.
  - For NLnetLabs#935 and NLnetLabs#1104, clarify RPZ order and semantics.
  - Cleanup ede.tdir test.
  - Fix link of unbound-dnstap-socket without openssl.
  ...

Author: jedisct1

.gitignore

@@ -10,6 +10,9 @@
 /config.status
 /dnstap/dnstap_config.h
 /dnscrypt/dnscrypt_config.h
+/util/configlexer.c
+/util/configparser.c
+/util/configparser.h
 /clubsyms.def
 /doc/example.conf
 /doc/libunbound.3
@@ -55,6 +58,7 @@
 /pythonmod/unboundmodule.py
 /testdata/result.*
 /testdata/.done-*
+/testdata/.skip-*
 /testdata/.perfstats.txt
 /doc/html
 /doc/xml

Makefile.in

@@ -439,7 +439,8 @@ unbound-control-setup:	smallapp/unbound-control-setup.sh
 dnstap.lo dnstap.o: $(srcdir)/dnstap/dnstap.c config.h dnstap/dnstap_config.h \
 	dnstap/dnstap.pb-c.c dnstap/dnstap.pb-c.h $(srcdir)/dnstap/dnstap.h \
 	$(srcdir)/util/config_file.h $(srcdir)/util/log.h \
-	$(srcdir)/util/netevent.h $(srcdir)/util/net_help.h
+	$(srcdir)/util/netevent.h $(srcdir)/util/net_help.h \
+	$(srcdir)/util/locks.h
 
 dnstap/dnstap.pb-c.c dnstap/dnstap.pb-c.h: $(srcdir)/dnstap/dnstap.proto
 	@-if test ! -d dnstap; then $(INSTALL) -d dnstap; fi
@@ -1297,7 +1298,7 @@ remote.lo remote.o: $(srcdir)/daemon/remote.c config.h $(srcdir)/daemon/remote.h
  $(srcdir)/validator/val_anchor.h $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h \
  $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h $(srcdir)/iterator/iter_delegpt.h \
  $(srcdir)/services/outside_network.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/parseutil.h \
- $(srcdir)/sldns/wire2str.h
+ $(srcdir)/sldns/wire2str.h $(srcdir)/util/edns.h
 stats.lo stats.o: $(srcdir)/daemon/stats.c config.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
  $(srcdir)/libunbound/unbound.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
  $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \

cachedb/cachedb.c

@@ -983,7 +983,7 @@ cachedb_get_mem(struct module_env* env, int id)
  */
 static struct module_func_block cachedb_block = {
 	"cachedb",
-	&cachedb_init, &cachedb_deinit, &cachedb_operate,
+	NULL, NULL, &cachedb_init, &cachedb_deinit, &cachedb_operate,
 	&cachedb_inform_super, &cachedb_clear, &cachedb_get_mem
 };
 

config.h.in

@@ -1,5 +1,8 @@
 /* config.h.in.  Generated from configure.ac by autoheader.  */
 
+/* apply the fallthrough attribute. */
+#undef ATTR_FALLTHROUGH
+
 /* apply the noreturn attribute to a function that exits the program */
 #undef ATTR_NORETURN
 
@@ -57,6 +60,9 @@
 /* Define to 1 if you have the <arpa/inet.h> header file. */
 #undef HAVE_ARPA_INET_H
 
+/* Whether the C compiler accepts the "fallthrough" attribute */
+#undef HAVE_ATTR_FALLTHROUGH
+
 /* Whether the C compiler accepts the "format" attribute */
 #undef HAVE_ATTR_FORMAT
 
@@ -406,6 +412,9 @@
 /* Define to 1 if you have the <net/if.h> header file. */
 #undef HAVE_NET_IF_H
 
+/* Define to 1 if you have the <net/pfvar.h> header file. */
+#undef HAVE_NET_PFVAR_H
+
 /* Define this to use nghttp2 client. */
 #undef HAVE_NGHTTP2
 
@@ -1487,6 +1496,7 @@ struct sockaddr_storage;
 #  define calloc(n,s) unbound_stat_calloc_log(n, s, __FILE__, __LINE__, __func__)
 #  define free(p) unbound_stat_free_log(p, __FILE__, __LINE__, __func__)
 #  define realloc(p,s) unbound_stat_realloc_log(p, s, __FILE__, __LINE__, __func__)
+#  define strdup(s) unbound_stat_strdup_log(s, __FILE__, __LINE__, __func__)
 void *unbound_stat_malloc(size_t size);
 void *unbound_stat_calloc(size_t nmemb, size_t size);
 void unbound_stat_free(void *ptr);
@@ -1499,6 +1509,8 @@ void unbound_stat_free_log(void *ptr, const char* file, int line,
 	const char* func);
 void *unbound_stat_realloc_log(void *ptr, size_t size, const char* file,
 	int line, const char* func);
+char *unbound_stat_strdup_log(const char *s, const char* file, int line,
+	const char* func);
 #elif defined(UNBOUND_ALLOC_LITE)
 #  include "util/alloc.h"
 #endif /* UNBOUND_ALLOC_LITE and UNBOUND_ALLOC_STATS */

configure

@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.71 for unbound 1.20.1.
+# Generated by GNU Autoconf 2.71 for unbound 1.21.1.
 #
 # Report bugs to <unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues>.
 #
@@ -622,8 +622,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='unbound'
 PACKAGE_TARNAME='unbound'
-PACKAGE_VERSION='1.20.1'
-PACKAGE_STRING='unbound 1.20.1'
+PACKAGE_VERSION='1.21.1'
+PACKAGE_STRING='unbound 1.21.1'
 PACKAGE_BUGREPORT='unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues'
 PACKAGE_URL=''
 
@@ -1508,7 +1508,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures unbound 1.20.1 to adapt to many kinds of systems.
+\`configure' configures unbound 1.21.1 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1574,7 +1574,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of unbound 1.20.1:";;
+     short | recursive ) echo "Configuration of unbound 1.21.1:";;
    esac
   cat <<\_ACEOF
 
@@ -1822,7 +1822,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-unbound configure 1.20.1
+unbound configure 1.21.1
 generated by GNU Autoconf 2.71
 
 Copyright (C) 2021 Free Software Foundation, Inc.
@@ -2479,7 +2479,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by unbound $as_me 1.20.1, which was
+It was created by unbound $as_me 1.21.1, which was
 generated by GNU Autoconf 2.71.  Invocation command line was
 
   $ $0$ac_configure_args_raw
@@ -3241,13 +3241,13 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu
 
 UNBOUND_VERSION_MAJOR=1
 
-UNBOUND_VERSION_MINOR=20
+UNBOUND_VERSION_MINOR=21
 
 UNBOUND_VERSION_MICRO=1
 
 
 LIBUNBOUND_CURRENT=9
-LIBUNBOUND_REVISION=28
+LIBUNBOUND_REVISION=29
 LIBUNBOUND_AGE=1
 # 1.0.0 had 0:12:0
 # 1.0.1 had 0:13:0
@@ -3342,7 +3342,8 @@ LIBUNBOUND_AGE=1
 # 1.19.2 had 9:25:1
 # 1.19.3 had 9:26:1
 # 1.20.0 had 9:27:1
-# 1.20.1 had 9:28:1
+# 1.21.0 had 9:28:1
+# 1.21.1 had 9:29:1
 
 #   Current  -- the number of the binary API that we're implementing
 #   Revision -- which iteration of the implementation of the binary
@@ -6976,6 +6977,10 @@ printf "%s\n" "#define HAVE_ATTR_WEAK 1" >>confdefs.h
 
 printf "%s\n" "#define ATTR_WEAK __attribute__((weak))" >>confdefs.h
 
+else
+
+printf "%s\n" "#define ATTR_WEAK /**/" >>confdefs.h
+
 fi
 
 
@@ -7023,6 +7028,79 @@ printf "%s\n" "#define HAVE_ATTR_NORETURN 1" >>confdefs.h
 
 printf "%s\n" "#define ATTR_NORETURN __attribute__((__noreturn__))" >>confdefs.h
 
+else
+
+printf "%s\n" "#define ATTR_NORETURN /**/" >>confdefs.h
+
+fi
+
+
+
+
+{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether the C compiler (${CC-cc}) accepts the \"fallthrough\" attribute" >&5
+printf %s "checking whether the C compiler (${CC-cc}) accepts the \"fallthrough\" attribute... " >&6; }
+BAKCFLAGS="$CFLAGS"
+CFLAGS="$CFLAGS -Werror"
+if test ${ac_cv_c_fallthrough_attribute+y}
+then :
+  printf %s "(cached) " >&6
+else $as_nop
+  ac_cv_c_fallthrough_attribute=no
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+ #include <stdio.h>
+void f(int x) {
+	int y = 0;
+	switch(x) {
+	case 1:
+		y = 1;
+		__attribute__((fallthrough));
+		/* fallthrough */
+	case 2:
+		y++;
+		break;
+	case 3:
+		y = 3;
+		break;
+	}
+	printf("%d", y);
+}
+
+int
+main (void)
+{
+
+   f(1);
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"
+then :
+  ac_cv_c_fallthrough_attribute="yes"
+else $as_nop
+  ac_cv_c_fallthrough_attribute="no"
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext
+
+fi
+
+CFLAGS="$BAKCFLAGS"
+
+{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_fallthrough_attribute" >&5
+printf "%s\n" "$ac_cv_c_fallthrough_attribute" >&6; }
+if test $ac_cv_c_fallthrough_attribute = yes; then
+
+printf "%s\n" "#define HAVE_ATTR_FALLTHROUGH 1" >>confdefs.h
+
+
+printf "%s\n" "#define ATTR_FALLTHROUGH __attribute__((fallthrough));" >>confdefs.h
+
+else
+
+printf "%s\n" "#define ATTR_FALLTHROUGH /**/" >>confdefs.h
+
 fi
 
 
@@ -24317,7 +24395,21 @@ printf "%s\n" "#define USE_IPSET 1" >>confdefs.h
 		IPSET_OBJ="ipset.lo"
 
 
-		# mnl
+		# BSD's pf
+		       for ac_header in net/pfvar.h
+do :
+  ac_fn_c_check_header_compile "$LINENO" "net/pfvar.h" "ac_cv_header_net_pfvar_h" "
+		  #include <netinet/in.h>
+		  #include <net/if.h>
+
+"
+if test "x$ac_cv_header_net_pfvar_h" = xyes
+then :
+  printf "%s\n" "#define HAVE_NET_PFVAR_H 1" >>confdefs.h
+
+else $as_nop
+
+		    # mnl
 
 # Check whether --with-libmnl was given.
 if test ${with_libmnl+y}
@@ -24327,13 +24419,13 @@ else $as_nop
    withval="yes"
 fi
 
-		found_libmnl="no"
-		{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for libmnl" >&5
+		    found_libmnl="no"
+		    { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for libmnl" >&5
 printf %s "checking for libmnl... " >&6; }
-		if test x_$withval = x_ -o x_$withval = x_yes; then
+		    if test x_$withval = x_ -o x_$withval = x_yes; then
 			withval="/usr/local /opt/local /usr/lib /usr/pkg /usr/sfw /usr"
-		fi
-		for dir in $withval ; do
+		    fi
+		    for dir in $withval ; do
 			if test -f "$dir/include/libmnl/libmnl.h" -o -f "$dir/include/libmnl/libmnl/libmnl.h"; then
 				found_libmnl="yes"
 								extralibmnl=""
@@ -24351,10 +24443,14 @@ printf "%s\n" "found in $dir" >&6; }
 				LIBS="$LIBS -lmnl"
 				break;
 			fi
-		done
-		if test x_$found_libmnl != x_yes; then
-			as_fn_error $? "Could not find libmnl, libmnl.h" "$LINENO" 5
-		fi
+		    done
+		    if test x_$found_libmnl != x_yes; then
+			  as_fn_error $? "Could not find libmnl, libmnl.h" "$LINENO" 5
+		    fi
+
+fi
+
+done
 		;;
     no|*)
     	# nothing
@@ -24549,7 +24645,7 @@ printf "%s\n" "#define MAXSYSLOGMSGLEN 10240" >>confdefs.h
 
 
 
-version=1.20.1
+version=1.21.1
 
 date=`date +'%b %e, %Y'`
 
@@ -25061,7 +25157,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by unbound $as_me 1.20.1, which was
+This file was extended by unbound $as_me 1.21.1, which was
 generated by GNU Autoconf 2.71.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -25129,7 +25225,7 @@ ac_cs_config_escaped=`printf "%s\n" "$ac_cs_config" | sed "s/^ //; s/'/'\\\\\\\\
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config='$ac_cs_config_escaped'
 ac_cs_version="\\
-unbound config.status 1.20.1
+unbound config.status 1.21.1
 configured by $0, generated by GNU Autoconf 2.71,
   with options \\"\$ac_cs_config\\"