Merge remote-tracking branch 'nlnet/master'

* nlnet/master: (35 commits)
  - Add unit test for validation of repeated use of a DNAME record.
  - Fix validation for repeated use of a DNAME record.
  - Fix typos for 'the the' in text.
  - Fix memory leak in setup of dsa sig.
  - Skip unbound-dnstap-socket unit test when not compiled with   --enable-debug.
  - Fix to squelch connection reset by peer errors from log. And fix   that the tcp read errors are labeled as initial for the first calls.
  - Fix memory leak on exit for unbound-dnstap-socket; creates false negatives   during testing.
  - Fix memory leak when reload_keep_cache is used and num-threads changes.
  - Enable AddressSanitizer error detection in tdir tests.
  - Fix for NLnetLabs#1079: fix RPZ taglist in iterator callback that no client   info is like no taglist intersection.
  - Fix NLnetLabs#1079: tags from tagged rpz zones are no longer honored after   upgrade from 1.19.3 to 1.20.0.
  Changelog note for NLnetLabs#1078. - Merge NLnetLabs#1078: Only check old pid if no username.
  Only check old pid if no username
  - Update patch to remove 'command' shell builtin and update error   text.
  unbound-control-setup: check openssl
  - Fix unused variable warning on compilation with no thread support.
  - Fix spelling of tcp-idle-timeout docs, from Michael Tokarev.
  - Fix to enable that SERVFAIL is cached, for a short period, for more   cases. In the cases where limits are exceeded.
  Changelog entry for NLnetLabs#1059: - Fix NLnetLabs#1059: Intermittent DNS blocking failure with local-zone and   always_nxdomain. Addition of local_zones dynamically via   unbound-control was not finding the zone's parent correctly.
  Proper parent identification for dynamically entered local zones (NLnetLabs#1076)
  ...

Author: jedisct1

cachedb/cachedb.c

@@ -322,30 +322,30 @@ error_response(struct module_qstate* qstate, int id, int rcode)
 
 /**
  * Hash the query name, type, class and dbacess-secret into lookup buffer.
- * @param qstate: query state with query info
- * 	and env->cfg with secret.
+ * @param qinfo: query info
+ * @param env: with env->cfg with secret.
  * @param buf: returned buffer with hash to lookup
  * @param len: length of the buffer.
  */
 static void
-calc_hash(struct module_qstate* qstate, char* buf, size_t len)
+calc_hash(struct query_info* qinfo, struct module_env* env, char* buf,
+	size_t len)
 {
 	uint8_t clear[1024];
 	size_t clen = 0;
 	uint8_t hash[CACHEDB_HASHSIZE/8];
 	const char* hex = "0123456789ABCDEF";
-	const char* secret = qstate->env->cfg->cachedb_secret;
+	const char* secret = env->cfg->cachedb_secret;
 	size_t i;
 
 	/* copy the hash info into the clear buffer */
-	if(clen + qstate->qinfo.qname_len < sizeof(clear)) {
-		memmove(clear+clen, qstate->qinfo.qname,
-			qstate->qinfo.qname_len);
-		clen += qstate->qinfo.qname_len;
+	if(clen + qinfo->qname_len < sizeof(clear)) {
+		memmove(clear+clen, qinfo->qname, qinfo->qname_len);
+		clen += qinfo->qname_len;
 	}
 	if(clen + 4 < sizeof(clear)) {
-		uint16_t t = htons(qstate->qinfo.qtype);
-		uint16_t c = htons(qstate->qinfo.qclass);
+		uint16_t t = htons(qinfo->qtype);
+		uint16_t c = htons(qinfo->qclass);
 		memmove(clear+clen, &t, 2);
 		memmove(clear+clen+2, &c, 2);
 		clen += 4;
@@ -645,7 +645,7 @@ cachedb_extcache_lookup(struct module_qstate* qstate, struct cachedb_env* ie,
 	int* msg_expired)
 {
 	char key[(CACHEDB_HASHSIZE/8)*2+1];
-	calc_hash(qstate, key, sizeof(key));
+	calc_hash(&qstate->qinfo, qstate->env, key, sizeof(key));
 
 	/* call backend to fetch data for key into scratch buffer */
 	if( !(*ie->backend->lookup)(qstate->env, ie, key,
@@ -672,7 +672,7 @@ static void
 cachedb_extcache_store(struct module_qstate* qstate, struct cachedb_env* ie)
 {
 	char key[(CACHEDB_HASHSIZE/8)*2+1];
-	calc_hash(qstate, key, sizeof(key));
+	calc_hash(&qstate->qinfo, qstate->env, key, sizeof(key));
 
 	/* prepare data in scratch buffer */
 	if(!prep_data(qstate, qstate->env->scratch_buffer))
@@ -745,6 +745,10 @@ cachedb_intcache_store(struct module_qstate* qstate, int msg_expired)
 		 * going to be now-3 seconds. Making it expired
 		 * in the cache. */
 		set_msg_ttl(qstate->return_msg, (time_t)-3);
+		/* The expired entry does not get checked by the validator
+		 * and we need a validation value for it. */
+		if(qstate->env->cfg->cachedb_check_when_serve_expired)
+			qstate->return_msg->rep->security = sec_status_insecure;
 	}
 	(void)dns_cache_store(qstate->env, &qstate->qinfo,
 		qstate->return_msg->rep, 0, qstate->prefetch_leeway, 0,
@@ -1003,21 +1007,26 @@ cachedb_is_enabled(struct module_stack* mods, struct module_env* env)
 }
 
 void cachedb_msg_remove(struct module_qstate* qstate)
+{
+	cachedb_msg_remove_qinfo(qstate->env, &qstate->qinfo);
+}
+
+void cachedb_msg_remove_qinfo(struct module_env* env, struct query_info* qinfo)
 {
 	char key[(CACHEDB_HASHSIZE/8)*2+1];
-	int id = modstack_find(qstate->env->modstack, "cachedb");
-	struct cachedb_env* ie = (struct cachedb_env*)qstate->env->modinfo[id];
+	int id = modstack_find(env->modstack, "cachedb");
+	struct cachedb_env* ie = (struct cachedb_env*)env->modinfo[id];
 
-	log_query_info(VERB_ALGO, "cachedb msg remove", &qstate->qinfo);
-	calc_hash(qstate, key, sizeof(key));
-	sldns_buffer_clear(qstate->env->scratch_buffer);
-	sldns_buffer_write_u32(qstate->env->scratch_buffer, 0);
-	sldns_buffer_flip(qstate->env->scratch_buffer);
+	log_query_info(VERB_ALGO, "cachedb msg remove", qinfo);
+	calc_hash(qinfo, env, key, sizeof(key));
+	sldns_buffer_clear(env->scratch_buffer);
+	sldns_buffer_write_u32(env->scratch_buffer, 0);
+	sldns_buffer_flip(env->scratch_buffer);
 
 	/* call backend */
-	(*ie->backend->store)(qstate->env, ie, key,
-		sldns_buffer_begin(qstate->env->scratch_buffer),
-		sldns_buffer_limit(qstate->env->scratch_buffer),
+	(*ie->backend->store)(env, ie, key,
+		sldns_buffer_begin(env->scratch_buffer),
+		sldns_buffer_limit(env->scratch_buffer),
 		0);
 }
 #endif /* USE_CACHEDB */

cachedb/cachedb.h

@@ -126,3 +126,11 @@ int cachedb_is_enabled(struct module_stack* mods, struct module_env* env);
  * @param qstate: query state.
  */
 void cachedb_msg_remove(struct module_qstate* qstate);
+
+/**
+ * Remove message from the cachedb cache, by query info.
+ * @param env: module environment to look up cachedb state.
+ * @param qinfo: the message to remove.
+ */
+void cachedb_msg_remove_qinfo(struct module_env* env,
+	struct query_info* qinfo);

configure

@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.71 for unbound 1.20.0.
+# Generated by GNU Autoconf 2.71 for unbound 1.20.1.
 #
 # Report bugs to <unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues>.
 #
@@ -622,8 +622,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='unbound'
 PACKAGE_TARNAME='unbound'
-PACKAGE_VERSION='1.20.0'
-PACKAGE_STRING='unbound 1.20.0'
+PACKAGE_VERSION='1.20.1'
+PACKAGE_STRING='unbound 1.20.1'
 PACKAGE_BUGREPORT='unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues'
 PACKAGE_URL=''
 
@@ -1508,7 +1508,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures unbound 1.20.0 to adapt to many kinds of systems.
+\`configure' configures unbound 1.20.1 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1574,7 +1574,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of unbound 1.20.0:";;
+     short | recursive ) echo "Configuration of unbound 1.20.1:";;
    esac
   cat <<\_ACEOF
 
@@ -1821,7 +1821,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-unbound configure 1.20.0
+unbound configure 1.20.1
 generated by GNU Autoconf 2.71
 
 Copyright (C) 2021 Free Software Foundation, Inc.
@@ -2478,7 +2478,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by unbound $as_me 1.20.0, which was
+It was created by unbound $as_me 1.20.1, which was
 generated by GNU Autoconf 2.71.  Invocation command line was
 
   $ $0$ac_configure_args_raw
@@ -3242,11 +3242,11 @@ UNBOUND_VERSION_MAJOR=1
 
 UNBOUND_VERSION_MINOR=20
 
-UNBOUND_VERSION_MICRO=0
+UNBOUND_VERSION_MICRO=1
 
 
 LIBUNBOUND_CURRENT=9
-LIBUNBOUND_REVISION=27
+LIBUNBOUND_REVISION=28
 LIBUNBOUND_AGE=1
 # 1.0.0 had 0:12:0
 # 1.0.1 had 0:13:0
@@ -3341,6 +3341,7 @@ LIBUNBOUND_AGE=1
 # 1.19.2 had 9:25:1
 # 1.19.3 had 9:26:1
 # 1.20.0 had 9:27:1
+# 1.20.1 had 9:28:1
 
 #   Current  -- the number of the binary API that we're implementing
 #   Revision -- which iteration of the implementation of the binary
@@ -24466,7 +24467,7 @@ printf "%s\n" "#define MAXSYSLOGMSGLEN 10240" >>confdefs.h
 
 
 
-version=1.20.0
+version=1.20.1
 
 date=`date +'%b %e, %Y'`
 
@@ -24978,7 +24979,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by unbound $as_me 1.20.0, which was
+This file was extended by unbound $as_me 1.20.1, which was
 generated by GNU Autoconf 2.71.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -25046,7 +25047,7 @@ ac_cs_config_escaped=`printf "%s\n" "$ac_cs_config" | sed "s/^ //; s/'/'\\\\\\\\
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config='$ac_cs_config_escaped'
 ac_cs_version="\\
-unbound config.status 1.20.0
+unbound config.status 1.20.1
 configured by $0, generated by GNU Autoconf 2.71,
   with options \\"\$ac_cs_config\\"
 

configure.ac

@@ -11,14 +11,14 @@ sinclude(dnscrypt/dnscrypt.m4)
 # must be numbers. ac_defun because of later processing
 m4_define([VERSION_MAJOR],[1])
 m4_define([VERSION_MINOR],[20])
-m4_define([VERSION_MICRO],[0])
+m4_define([VERSION_MICRO],[1])
 AC_INIT([unbound],m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]),[unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues],[unbound])
 AC_SUBST(UNBOUND_VERSION_MAJOR, [VERSION_MAJOR])
 AC_SUBST(UNBOUND_VERSION_MINOR, [VERSION_MINOR])
 AC_SUBST(UNBOUND_VERSION_MICRO, [VERSION_MICRO])
 
 LIBUNBOUND_CURRENT=9
-LIBUNBOUND_REVISION=27
+LIBUNBOUND_REVISION=28
 LIBUNBOUND_AGE=1
 # 1.0.0 had 0:12:0
 # 1.0.1 had 0:13:0
@@ -113,6 +113,7 @@ LIBUNBOUND_AGE=1
 # 1.19.2 had 9:25:1
 # 1.19.3 had 9:26:1
 # 1.20.0 had 9:27:1
+# 1.20.1 had 9:28:1
 
 #   Current  -- the number of the binary API that we're implementing
 #   Revision -- which iteration of the implementation of the binary

daemon/daemon.c

@@ -503,7 +503,10 @@ daemon_clear_allocs(struct daemon* daemon)
 {
 	int i;
 
-	for(i=0; i<daemon->num; i++) {
+	/* daemon->num may be different during reloads (after configuration
+	 * read). Use old_num which has the correct value used to setup the
+	 * worker_allocs */
+	for(i=0; i<daemon->old_num; i++) {
 		alloc_clear(daemon->worker_allocs[i]);
 		free(daemon->worker_allocs[i]);
 	}