diff --git a/ChangeLog b/ChangeLog index 5133ba7b..2a77898c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,4 +1,8 @@ -* 2018-12-??: Version 1.5.0 +* 2018-12-21: Version 1.5.0 + * RFE getdnsapi/stubby#121 log re-instantiating TLS + upstreams (because they reached tls_backoff_time) at + log level 4 (WARNING) + * GETDNS_RESPSTATUS_NO_NAME for NODATA answers too * ZONEMD rr-type * getdns_query queries for addresses when a query name without a type is given. diff --git a/configure.ac b/configure.ac index 2c40affb..40c94977 100644 --- a/configure.ac +++ b/configure.ac @@ -52,7 +52,7 @@ AC_SUBST([runstatedir], [$with_piddir]) # Don't forget to put a dash in front of the release candidate!!! # That is how it is done with semantic versioning! # -AC_SUBST(RELEASE_CANDIDATE, [-rc1]) +AC_SUBST(RELEASE_CANDIDATE, []) AC_SUBST(STUBBY_RELEASE_CANDIDATE, []) # Set current date from system if not set @@ -63,7 +63,7 @@ AC_ARG_WITH([current-date], [CURRENT_DATE="`date -u +%Y-%m-%dT%H:%M:%SZ`"]) AC_SUBST(GETDNS_VERSION, ["AC_PACKAGE_VERSION$RELEASE_CANDIDATE"]) -AC_SUBST(GETDNS_NUMERIC_VERSION, [0x0104ffc1]) +AC_SUBST(GETDNS_NUMERIC_VERSION, [0x01050000]) AC_SUBST(API_VERSION, ["December 2015"]) AC_SUBST(API_NUMERIC_VERSION, [0x07df0c00]) GETDNS_COMPILATION_COMMENT="AC_PACKAGE_NAME $GETDNS_VERSION configured on $CURRENT_DATE for the $API_VERSION version of the API" @@ -105,8 +105,8 @@ AC_DEFINE_UNQUOTED([STUBBY_PACKAGE_STRING], ["0.2.4$STUBBY_RELEASE_CANDIDATE"], # getdns-1.3.0 had libversion 9:0:3 # getdns-1.4.0 had libversion 10:0:0 # getdns-1.4.1 had libversion 10:1:0 -# getdns-1.4.2 has libversion 10:2:0 -# getdns-1.5.0 will have libversion 11:0:1 +# getdns-1.4.2 had libversion 10:2:0 +# getdns-1.5.0 has libversion 11:0:1 GETDNS_LIBVERSION=11:0:1 AC_SUBST(GETDNS_COMPILATION_COMMENT) diff --git a/src/anchor.c b/src/anchor.c index afdf1bf1..cefa2477 100644 --- a/src/anchor.c +++ b/src/anchor.c 
@@ -744,7 +744,7 @@ void _getdns_context_equip_with_anchor( else if (!verify_CA || !*verify_CA) _getdns_log( &context->log , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_INFO - , "Trust anchor verification explicitely " + , "Trust anchor verification explicitly " "disabled by empty verify CA\n"); else if ((r = getdns_context_get_trust_anchors_verify_email( @@ -757,7 +757,7 @@ void _getdns_context_equip_with_anchor( else if (!verify_email || !*verify_email) _getdns_log( &context->log , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_INFO - , "Trust anchor verification explicitely " + , "Trust anchor verification explicitly " "disabled by empty verify email\n"); else if (!(xml_data = _getdns_context_get_priv_file(context, @@ -1599,7 +1599,7 @@ void _getdns_start_fetching_ta( } else if (!verify_CA || !*verify_CA) { _getdns_log( &context->log , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_INFO - , "Trust anchor verification explicitely " + , "Trust anchor verification explicitly " "disabled by empty verify CA\n"); return; @@ -1614,7 +1614,7 @@ void _getdns_start_fetching_ta( } else if (!verify_email || !*verify_email) { _getdns_log( &context->log , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_INFO - , "Trust anchor verification explicitely " + , "Trust anchor verification explicitly " "disabled by empty verify email\n"); return; diff --git a/src/stub.c b/src/stub.c index d7af6eb4..55bd0628 100644 --- a/src/stub.c +++ b/src/stub.c 
@@ -1224,10 +1224,10 @@ tls_do_handshake(getdns_upstream *upstream) long verify_result = SSL_get_verify_result(upstream->tls_obj); /* In case of DANESSL use, and a tls_auth_name was given alongside a pinset, - * we need to verify auth_name explicitely (otherwise it will not be checked, + * we need to verify auth_name explicitly (otherwise it will not be checked, * because this is not required with DANE with an EE match). * This is not needed with native OpenSSL DANE, because EE name checks have - * to be disabled explicitely. + * to be disabled explicitly. */ #if defined(HAVE_X509_CHECK_HOST) && (defined(USE_DANESSL) || !defined(HAVE_SSL_HN_AUTH)) int xch; @@ -2144,7 +2144,7 @@ upstream_select_stateful(getdns_network_req *netreq, getdns_transport_list_t tra if (upstreams->upstreams[i].conn_state == GETDNS_CONN_BACKOFF && upstreams->upstreams[i].conn_retry_time < now) { upstreams->upstreams[i].conn_state = GETDNS_CONN_CLOSED; - _getdns_upstream_log(upstream, GETDNS_LOG_UPSTREAM_STATS, GETDNS_LOG_NOTICE, + _getdns_upstream_log(upstream, GETDNS_LOG_UPSTREAM_STATS, GETDNS_LOG_WARNING, "%-40s : Upstream : Re-instating %s for this upstream\n", upstreams->upstreams[i].addr_str, upstreams->upstreams[i].transport == GETDNS_TRANSPORT_TLS ? "TLS" : "TCP"); diff --git a/src/test/check_getdns_address.h b/src/test/check_getdns_address.h index 10e4b7b2..a4eaad71 100644 --- a/src/test/check_getdns_address.h +++ b/src/test/check_getdns_address.h @@ -178,7 +178,7 @@ { /* * name = "localhost" name should be resolved from host file - * expect: NOERROR/NODATA response: + * expect: NOERROR response: * status = GETDNS_RESPSTATUS_GOOD * rcode = 0 * ancount = 1 (number of records in ANSWER section) diff --git a/src/test/check_getdns_address_sync.h b/src/test/check_getdns_address_sync.h index 07f8408f..c5c4ae92 100644 --- a/src/test/check_getdns_address_sync.h +++ b/src/test/check_getdns_address_sync.h 
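Review bot: In the src/stub.c hunk at `upstream_select_stateful`, the re-instating message is logged through `upstream`, while every other reference in that branch is to `upstreams->upstreams[i]`. The message may therefore be issued against a different upstream object, or against one that has not been selected yet. The declaration and any assignment of `upstream` lie outside the hunk, so this needs confirming, but passing the entry being re-instated would be unambiguous: `_getdns_upstream_log(&upstreams->upstreams[i], GETDNS_LOG_UPSTREAM_STATS, GETDNS_LOG_WARNING,`. This line is what tells an operator that a backed-off TLS or TCP upstream is back in rotation, so it is worth making sure the raised level actually reaches the log.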
@@ -147,7 +147,7 @@ /* * name = "willem.getdnsapi.net" need to replace this with domain from unbound zone * expect: NOERROR/NODATA response: - * status = GETDNS_RESPSTATUS_GOOD + * status = GETDNS_RESPSTATUS_NO_DATA * rcode = 0 * ancount = 0 (number of records in ANSWER section) */ @@ -162,6 +162,7 @@ EXTRACT_RESPONSE; assert_noerror(&ex_response); + assert_nodata(&ex_response); //assert_soa_in_authority(&ex_response); CONTEXT_DESTROY; diff --git a/src/test/check_getdns_common.c b/src/test/check_getdns_common.c index 192ab661..9816f8ff 100644 --- a/src/test/check_getdns_common.c +++ b/src/test/check_getdns_common.c @@ -160,10 +160,15 @@ void extract_local_response(struct getdns_dict *response, struct extracted_respo void assert_noerror(struct extracted_response *ex_response) { uint32_t rcode; + uint32_t ancount = 0; - ASSERT_RC(ex_response->status, GETDNS_RESPSTATUS_GOOD, "Unexpected value for \"status\""); ASSERT_RC(getdns_dict_get_int(ex_response->header, "rcode", &rcode), GETDNS_RETURN_GOOD, "Failed to extract \"rcode\""); ck_assert_msg(rcode == 0, "Expected rcode == 0, got %d", rcode); + + ASSERT_RC(getdns_dict_get_int(ex_response->header, "ancount", &ancount), + GETDNS_RETURN_GOOD, "Failed to extract \"ancount\""); + + ASSERT_RC(ex_response->status, ((ancount > 0) ? GETDNS_RESPSTATUS_GOOD : GETDNS_RESPSTATUS_NO_NAME), "Unexpected value for \"status\""); } /* @@ -182,6 +187,8 @@ void assert_nodata(struct extracted_response *ex_response) ASSERT_RC(getdns_list_get_length(ex_response->answer, &length), GETDNS_RETURN_GOOD, "Failed to extract \"answer\" length"); ck_assert_msg(length == 0, "Expected \"answer\" length == 0, got %d", length); + + ASSERT_RC(ex_response->status, GETDNS_RESPSTATUS_NO_NAME, "Unexpected value for \"status\""); } /* diff --git a/src/test/check_getdns_general.h b/src/test/check_getdns_general.h index f073cd86..23bb7e77 100644 --- a/src/test/check_getdns_general.h +++ b/src/test/check_getdns_general.h 
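Review bot: The updated comment in the first src/test/check_getdns_address_sync.h hunk names `GETDNS_RESPSTATUS_NO_DATA`, but the `assert_nodata` call added in the second hunk checks for `GETDNS_RESPSTATUS_NO_NAME` (see the check_getdns_common.c change). The sibling comments in check_getdns_general.h and check_getdns_general_sync.h also say NO_NAME. The comment should read `* status = GETDNS_RESPSTATUS_NO_NAME` so that the documented expectation matches what the test asserts.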
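Review bot: In src/test/check_getdns_common.c, `assert_noerror` now derives the expected status from the header's `ancount`, which may not be the criterion the library uses. The util-internal.c change in this commit counts an answer only when `_getdns_rrset_answer()` finds one in the response. If the two can differ (for instance an answer section that holds records, but none for the requested type; this is inferred, not shown here), the helper would expect GOOD where the library reports NO_NAME. The helper's name still suggests a single outcome, so a comment such as `/* status is GOOD only when the answer section is non-empty; NOERROR/NODATA yields NO_NAME */` above the final `ASSERT_RC` would make the new contract explicit.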
@@ -146,7 +146,7 @@ * name = "google.com" * request_type = 0 (minimum valid RRTYPE) * expect: NOERROR/NODATA response: - * status = GETDNS_RESPSTATUS_GOOD + * status = GETDNS_RESPSTATUS_NO_NAME * rcode = 0 * ancount = 0 (number of records in ANSWER section) */ @@ -180,7 +180,7 @@ * name = "google.com" * request_type = 65279 (maximum unassigned RRTYPE) * expect: NOERROR/NODATA response: - * status = GETDNS_RESPSTATUS_GOOD + * status = GETDNS_RESPSTATUS_NO_NAME * rcode = 0 * ancount = 0 (number of records in ANSWER section) */ @@ -322,7 +322,7 @@ * name = "willem.getdnsapi.net" and unbound zone * request_type = GETDNS_RRTYPE_MX * expect: NOERROR/NODATA response: - * status = GETDNS_RESPSTATUS_GOOD + * status = GETDNS_RESPSTATUS_NO_NAME * rcode = 0 * ancount = 0 (number of records in ANSWER section) */ diff --git a/src/test/check_getdns_general_sync.h b/src/test/check_getdns_general_sync.h index 5386ff53..52eacaff 100644 --- a/src/test/check_getdns_general_sync.h +++ b/src/test/check_getdns_general_sync.h @@ -128,7 +128,7 @@ * name = "google.com" * request_type = 0 (minimum valid RRTYPE) * expect: NOERROR/NODATA response: - * status = GETDNS_RESPSTATUS_GOOD + * status = GETDNS_RESPSTATUS_NO_NAME * rcode = 0 * ancount = 0 (number of records in ANSWER section) */ @@ -155,7 +155,7 @@ * name = "google.com" * request_type = 65279 (maximum unassigned RRTYPE) * expect: NOERROR/NODATA response: - * status = GETDNS_RESPSTATUS_GOOD + * status = GETDNS_RESPSTATUS_NO_NAME * rcode = 0 * ancount = 0 (number of records in ANSWER section) */ @@ -269,7 +269,7 @@ * name = "willem.getdnsapi.net" an unbound zone (as in no MX) * request_type = GETDNS_RRTYPE_MX * expect: NOERROR/NODATA response: - * status = GETDNS_RESPSTATUS_GOOD + * status = GETDNS_RESPSTATUS_NO_NAME * rcode = 0 * ancount = 0 (number of records in ANSWER section) */ diff --git a/src/test/tpkg/290-transports.tpkg/290-transports.test b/src/test/tpkg/290-transports.tpkg/290-transports.test index eba3abc2..c66ac5c5 100644 
--- a/src/test/tpkg/290-transports.tpkg/290-transports.test +++ b/src/test/tpkg/290-transports.tpkg/290-transports.test @@ -134,7 +134,7 @@ for (( ii = 0; ii < 1; ii++)); do if [[ $HAVE_SSL_HN_AUTH = 1 ]] then - NUM_GOOD_QUERIES=9 + NUM_GOOD_QUERIES=8 GOOD_QUERIES=( "-s -A getdnsapi.net -l U @${SERVER_IP} +edns_cookies" "U" "-" "-s -A getdnsapi.net -l T @${SERVER_IP}" "T" "-" @@ -143,18 +143,18 @@ for (( ii = 0; ii < 1; ii++)); do "-s -A getdnsapi.net -l L @${TLS_SERVER_IP_NO_NAME}" "L" "N" "-s -A getdnsapi.net -l L -m @${TLS_SERVER_IP}" "L" "S" "-s -A getdnsapi.net -l L -m @${TLS_SERVER_IP_NO_NAME} -K pin-sha256=\"${TLS_SERVER_KEY}\"" "L" "S" - "-s -A getdnsapi.net -l L -m @${TLS_SERVER_IP} -K pin-sha256=\"${TLS_SERVER_KEY}\"" "L" "S" - "-s -G DNSKEY getdnsapi.net -l U @${SERVER_IP} -b 512 -D" "U" "-") + "-s -A getdnsapi.net -l L -m @${TLS_SERVER_IP} -K pin-sha256=\"${TLS_SERVER_KEY}\"" "L" "S") +# "-s -G DNSKEY getdnsapi.net -l U @${SERVER_IP} -b 512 -D" "U" "-") else - NUM_GOOD_QUERIES=7 + NUM_GOOD_QUERIES=6 GOOD_QUERIES=( "-s -A getdnsapi.net -l U @${SERVER_IP} +edns_cookies" "U" "-" "-s -A getdnsapi.net -l T @${SERVER_IP}" "T" "-" "-s -A getdnsapi.net -l U @${SERVER_IP_TSIG}${TSIG_ALG}:${TSIG_NAME}:${TSIG_SECRET}" "U" "-" "-s -A getdnsapi.net -l U @${SERVER_IP_TSIG}${TSIG_NAME}:${TSIG_SECRET}" "U" "-" "-s -A getdnsapi.net -l L @${TLS_SERVER_IP_NO_NAME}" "L" "N" - "-s -A getdnsapi.net -l L -m @${TLS_SERVER_IP_NO_NAME} -K pin-sha256=\"${TLS_SERVER_KEY}\"" "L" "S" - "-s -G DNSKEY getdnsapi.net -l U @${SERVER_IP} -b 512 -D" "U" "-") + "-s -A getdnsapi.net -l L -m @${TLS_SERVER_IP_NO_NAME} -K pin-sha256=\"${TLS_SERVER_KEY}\"" "L" "S") +# "-s -G DNSKEY getdnsapi.net -l U @${SERVER_IP} -b 512 -D" "U" "-") fi #"-s -A getdnsapi.net -l L -m @${TLS_SERVER_SS_IP_NO_NAME} -K pin-sha256=\"${TLS_SERVER_SS_KEY}\"" "L" "S" diff --git a/src/test/tpkg/run-one.sh b/src/test/tpkg/run-one.sh index 4791cb4a..d8032e04 100755 --- a/src/test/tpkg/run-one.sh 
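Review bot: The DNSKEY query with `-b 512 -D` is commented out in both branches of the `HAVE_SSL_HN_AUTH` test in 290-transports.test without a stated reason. As far as the hunk shows, it is the case in this list that combines a 512-byte UDP payload limit with the DO bit, and it silently drops out of the suite. Please add a line saying why it is disabled and what would re-enable it, e.g. `# disabled: <reason / issue reference>` above each commented entry. The hand-maintained count is also easy to get out of step with the array. Since each entry appears to occupy three elements, `NUM_GOOD_QUERIES=$(( ${#GOOD_QUERIES[@]} / 3 ))` placed after the array would remove that coupling.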
+++ b/src/test/tpkg/run-one.sh @@ -3,8 +3,9 @@ export SRCDIR=`dirname $0` . `dirname $0`/setup-env.sh -# pass a single test name as the first parameter (without .tpgk extension) -ONE_TEST=$1 +# pass a single test name as the first parameter +ONE_TEST=${1%/} +ONE_TEST=${ONE_TEST%.tpkg} shift "${TPKG}" $* exe ${SRCDIR}/${ONE_TEST}.tpkg diff --git a/src/util-internal.c b/src/util-internal.c index 45fd2fda..5b007c0b 100644 --- a/src/util-internal.c +++ b/src/util-internal.c @@ -711,7 +711,7 @@ _getdns_create_reply_dict(getdns_context *context, getdns_network_req *req, else goto error; /* other stuff - * Note that spec doesn't explicitely mention these. + * Note that spec doesn't explicitly mention these. * They are only showcased in the response dict example */ if (getdns_dict_set_int(result, "answer_type", GETDNS_NAMETYPE_DNS)) goto error; @@ -1124,6 +1124,7 @@ _getdns_create_getdns_response(getdns_dns_req *completed_request) int nsecure = 0, ninsecure = 0, nindeterminate = 0, nbogus = 0; getdns_dict *netreq_debug; _srvs srvs = { 0, 0, NULL }; + _getdns_rrset_spc answer_spc; /* info (bools) about dns_req */ int dnssec_return_status; @@ -1235,8 +1236,8 @@ _getdns_create_getdns_response(getdns_dns_req *completed_request) /* TODO: Check instead if canonical_name for request_type * is in the answer section. */ - if (GLDNS_RCODE_NOERROR == - GLDNS_RCODE_WIRE(netreq->response)) + if (_getdns_rrset_answer(&answer_spc, netreq->response + , netreq->response_len)) nanswers++; if (dnssec_return_status || diff --git a/stubby b/stubby index 919b7d91..58200cad 160000 --- a/stubby +++ b/stubby @@ -1 +1 @@ -Subproject commit 919b7d914ca618f4a843464d5825383f45809f3e +Subproject commit 58200cadec6371f95e31a7f3735225c5a46ecf75
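Review bot: In src/test/tpkg/run-one.sh the normalised `ONE_TEST` is expanded unquoted on the last line, together with `$*`. A test name or extra argument containing spaces or glob characters is therefore split or expanded before tpkg sees it. Quoting keeps the arguments intact: `"${TPKG}" "$@" exe "${SRCDIR}/${ONE_TEST}.tpkg"`. The new comment could also say that a trailing `/` and a `.tpkg` suffix are now stripped, since that is the behaviour the two parameter expansions add.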
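Review bot: In the third src/util-internal.c hunk, the `TODO` above the new condition still says to check the answer section instead, which is what `_getdns_rrset_answer(&answer_spc, netreq->response, netreq->response_len)` now appears to do, so the comment is stale. Replacing it with something like `/* Count only responses that carry an answer rrset; NOERROR/NODATA no longer counts, so status becomes NO_NAME */` would document the API-visible change recorded in the ChangeLog. Callers that need to tell NXDOMAIN from NODATA now have to inspect the rcode rather than the status, which deserves a sentence in the release notes. The function body continues outside the hunk, so how `nanswers` feeds the status is inferred from the ChangeLog entry.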