
ldns's Introduction

Contents: 
	REQUIREMENTS
	INSTALLATION
		libdns
		examples
		drill
	INFORMATION FOR SPECIFIC OPERATING SYSTEMS
		Mac OS X
		Solaris
	KNOWN ISSUES
		pyldns
        Your Support

Project page:
http://www.nlnetlabs.nl/ldns/
On that page you can also subscribe to the ldns mailing list.

* Development 
ldns is mainly developed on Linux and FreeBSD. It is regularly tested to
compile on other systems like Solaris and Mac OS X.

REQUIREMENTS
- OpenSSL (Optional, but needed for features like DNSSEC)
  - OpenSSL >= 0.9.7f for DANE support
  - OpenSSL >= 1.0.0  for ECDSA and GOST support
- libpcap (Optional, but needed for examples/ldns-dpa)
- (GNU) libtool (in OSX, that's glibtool, not libtool)
- GNU make

INSTALLATION
1. Unpack the tarball
2. cd ldns-<VERSION>
3. ./configure --with-examples --with-drill
   (optionally compile python bindings too with: --with-pyldns)
4. make
5. make install


* Building from repository

If you are building from the repository you will need to have (gnu)
autotools like libtool and autoreconf installed. A list of all the commands
needed to build everything can be found in README.git. Note that the actual
commands may be a little bit different on your machine. Most notably, you'll
need to run libtoolize (or glibtoolize). If you skip this step, you'll get
an error about missing config.sub.

* Developers
ldns is developed by the ldns team at NLnet Labs. This team currently
consists of:
  o Willem Toorop
  o Wouter Wijngaards

Former main developers:
  o Jelte Jansen
  o Miek Gieben
  o Matthijs Mekking

* Credits
We have received patches from the following people, thanks!
  o Bedrich Kosata
  o Erik Rozendaal
  o Håkan Olsson
  o Jakob Schlyter
  o Paul Wouters
  o Simon Vallet
  o Ondřej Surý
  o Karel Slany
  o Havard Eidnes
  o Leo Baltus
  o Dag-Erling Smørgrav
  o Felipe Gasper


INFORMATION FOR SPECIFIC OPERATING SYSTEMS

MAC OS X

For MACOSX 10.4 and later, it seems that you have to set the
MACOSX_DEPLOYMENT_TARGET environment variable to 10.4 before running
make. Apparently it defaults to 10.1.

This appears to be a known problem in 10.2 to 10.4, see:
http://developer.apple.com/qa/qa2001/qa1233.html
for more information.


SOLARIS

In Solaris multi-architecture systems (which have both 32-bit and
64-bit support), it can be a bit taxing to convince the system to
compile in 64-bit mode. Jakob Schlyter has kindly contributed a build
script that sets the right build and link options. You can find it in
contrib/build-solaris.sh

KNOWN ISSUES

A complete list of currently known open issues can be found here:
https://github.com/NLnetLabs/ldns/issues

* pyldns
Compiling pyldns produces many ``unused parameter'' warnings.  Those are
harmless and may safely be ignored.
Also, when building with SWIG older than 2.0.4, compiling
pyldns produces many ``missing initializer'' warnings. Those are harmless
too.

ldns's Issues

drill discards authoritative response

I'm not sure what exactly is going on here, so I can only describe drill's unexpected behaviour in a (seemingly) simple situation:
Trace query for imap.fim.uni-passau.de:
drill -T -V5 imap.fim.uni-passau.de.
Normally, it should walk through ., de., uni-passau.de. and then get an authoritative answer from one of fim.uni-passau.de.'s authoritative nameservers.
Instead, the following exchange occurs (in chronological order, verified in Wireshark):

  • query . @ e.root-servers.net
    response: [list of NSs: a.root-servers.net, b.root-servers.net, …], authoritative
  • query: imap.fim.uni-passau.de @ b.root-servers.net
    response: [list of NSs for de.: a.nic.de, l.de.net, …], not authoritative
  • query: imap.fim.uni-passau.de @ l.de.net
    response: [list of NSs for uni-passau.de.: ns.rz.uni-passau.de, ns.fim.uni-passau.de, ns.forwiss.uni-passau.de, dns-1.dfn.de], not authoritative
  • query: imap.fim.uni-passau.de @ ns.rz.uni-passau.de
    response: [CNAME imap.fim = maxilla.fim, A maxilla.fim = 132.231.4.25], authoritative
  • query: imap.fim.uni-passau.de @ dns-1.dfn.de
    response: [list of NSs for fim.uni-passau.de.: ns.rz.uni-passau.de, ns.fim.uni-passau.de, ns.forwiss.uni-passau.de], not authoritative

It looks like drill should have all the information it needs after the fourth query, but it sends another query and the CNAME and A record do not show up in its output:

.	518400	IN	NS	a.root-servers.net.
.	518400	IN	NS	b.root-servers.net.
.	518400	IN	NS	c.root-servers.net.
.	518400	IN	NS	d.root-servers.net.
.	518400	IN	NS	e.root-servers.net.
.	518400	IN	NS	f.root-servers.net.
.	518400	IN	NS	g.root-servers.net.
.	518400	IN	NS	h.root-servers.net.
.	518400	IN	NS	i.root-servers.net.
.	518400	IN	NS	j.root-servers.net.
.	518400	IN	NS	k.root-servers.net.
.	518400	IN	NS	l.root-servers.net.
.	518400	IN	NS	m.root-servers.net.
de.	172800	IN	NS	l.de.net.
de.	172800	IN	NS	f.nic.de.
de.	172800	IN	NS	a.nic.de.
de.	172800	IN	NS	n.de.net.
de.	172800	IN	NS	s.de.net.
de.	172800	IN	NS	z.nic.de.
uni-passau.de.	86400	IN	NS	ns.rz.uni-passau.de.
uni-passau.de.	86400	IN	NS	ns.fim.uni-passau.de.
uni-passau.de.	86400	IN	NS	ns.forwiss.uni-passau.de.
uni-passau.de.	86400	IN	NS	dns-1.dfn.de.
fim.uni-passau.de.	7200	IN	NS	ns.forwiss.uni-passau.de.
fim.uni-passau.de.	7200	IN	NS	ns.rz.uni-passau.de.
fim.uni-passau.de.	7200	IN	NS	ns.fim.uni-passau.de.

This problem occurs frequently, but not every time that I run this trace query.
I have attached the debug output from the execution shown above (somewhat polluted by the additional PTR requests for the nameservers it prints, but unfortunately -V5 reveals all queries while -V4 reveals none).

warning: ‘%u’ directive output may be truncated writing between 1 and 10 bytes into a region of size 6

Hi Everyone,

This result was produced on a 32-bit machine. It is real 32-bit hardware from the early 2000's. You can probably reproduce it in a virtual machine.

...
./libtool --tag=CC --quiet --mode=compile gcc -I. -I.  -DHAVE_CONFIG_H -DLDNS_TRUST_ANCHOR_FILE="\"/usr/local/etc/unbound/root.key\"" -Wunused-function -Wstrict-prototypes -Wwrite-strings -W -Wall -g -O2 -I/usr/local/include -c ./duration.c -o duration.lo
./duration.c: In function ‘ldns_duration2string’:
./duration.c:265:33: warning: ‘%u’ directive output may be truncated writing between 1 and 10 bytes into a region of size 6 [-Wformat-truncation=]
         snprintf(num, count+2, "%uY", (unsigned int) duration->years);
                                 ^~
./duration.c:265:32: note: directive argument in the range [1, 2147483647]
         snprintf(num, count+2, "%uY", (unsigned int) duration->years);
                                ^~~~~
In file included from /usr/include/stdio.h:862:0,
                 from ./ldns/config.h:529,
                 from ./duration.c:40:
/usr/include/i386-linux-gnu/bits/stdio2.h:64:10: note: ‘__builtin___snprintf_chk’ output between 3 and 12 bytes into a destination of size 6
   return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        __bos (__s), __fmt, __va_arg_pack ());
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
./duration.c:271:33: warning: ‘%u’ directive output may be truncated writing between 1 and 10 bytes into a region of size 6 [-Wformat-truncation=]
         snprintf(num, count+2, "%uM", (unsigned int) duration->months);
                                 ^~
./duration.c:271:32: note: directive argument in the range [1, 2147483647]
         snprintf(num, count+2, "%uM", (unsigned int) duration->months);
                                ^~~~~
In file included from /usr/include/stdio.h:862:0,
                 from ./ldns/config.h:529,
                 from ./duration.c:40:
/usr/include/i386-linux-gnu/bits/stdio2.h:64:10: note: ‘__builtin___snprintf_chk’ output between 3 and 12 bytes into a destination of size 6
   return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        __bos (__s), __fmt, __va_arg_pack ());
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
./duration.c:277:33: warning: ‘%u’ directive output may be truncated writing between 1 and 10 bytes into a region of size 6 [-Wformat-truncation=]
         snprintf(num, count+2, "%uW", (unsigned int) duration->weeks);
                                 ^~
./duration.c:277:32: note: directive argument in the range [1, 2147483647]
         snprintf(num, count+2, "%uW", (unsigned int) duration->weeks);
                                ^~~~~
In file included from /usr/include/stdio.h:862:0,
                 from ./ldns/config.h:529,
                 from ./duration.c:40:
/usr/include/i386-linux-gnu/bits/stdio2.h:64:10: note: ‘__builtin___snprintf_chk’ output between 3 and 12 bytes into a destination of size 6
   return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        __bos (__s), __fmt, __va_arg_pack ());
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
./duration.c:283:33: warning: ‘%u’ directive output may be truncated writing between 1 and 10 bytes into a region of size 6 [-Wformat-truncation=]
         snprintf(num, count+2, "%uD", (unsigned int) duration->days);
                                 ^~
./duration.c:283:32: note: directive argument in the range [1, 2147483647]
         snprintf(num, count+2, "%uD", (unsigned int) duration->days);
                                ^~~~~
In file included from /usr/include/stdio.h:862:0,
                 from ./ldns/config.h:529,
                 from ./duration.c:40:
/usr/include/i386-linux-gnu/bits/stdio2.h:64:10: note: ‘__builtin___snprintf_chk’ output between 3 and 12 bytes into a destination of size 6
   return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        __bos (__s), __fmt, __va_arg_pack ());
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
./duration.c:292:33: warning: ‘%u’ directive output may be truncated writing between 1 and 10 bytes into a region of size 6 [-Wformat-truncation=]
         snprintf(num, count+2, "%uH", (unsigned int) duration->hours);
                                 ^~
./duration.c:292:32: note: directive argument in the range [1, 2147483647]
         snprintf(num, count+2, "%uH", (unsigned int) duration->hours);
                                ^~~~~
In file included from /usr/include/stdio.h:862:0,
                 from ./ldns/config.h:529,
                 from ./duration.c:40:
/usr/include/i386-linux-gnu/bits/stdio2.h:64:10: note: ‘__builtin___snprintf_chk’ output between 3 and 12 bytes into a destination of size 6
   return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        __bos (__s), __fmt, __va_arg_pack ());
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
./duration.c:298:33: warning: ‘%u’ directive output may be truncated writing between 1 and 10 bytes into a region of size 6 [-Wformat-truncation=]
         snprintf(num, count+2, "%uM", (unsigned int) duration->minutes);
                                 ^~
./duration.c:298:32: note: directive argument in the range [1, 2147483647]
         snprintf(num, count+2, "%uM", (unsigned int) duration->minutes);
                                ^~~~~
In file included from /usr/include/stdio.h:862:0,
                 from ./ldns/config.h:529,
                 from ./duration.c:40:
/usr/include/i386-linux-gnu/bits/stdio2.h:64:10: note: ‘__builtin___snprintf_chk’ output between 3 and 12 bytes into a destination of size 6
   return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        __bos (__s), __fmt, __va_arg_pack ());
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
./duration.c:304:33: warning: ‘%u’ directive output may be truncated writing between 1 and 10 bytes into a region of size 6 [-Wformat-truncation=]
         snprintf(num, count+2, "%uS", (unsigned int) duration->seconds);
                                 ^~
./duration.c:304:32: note: directive argument in the range [1, 2147483647]
         snprintf(num, count+2, "%uS", (unsigned int) duration->seconds);
                                ^~~~~
In file included from /usr/include/stdio.h:862:0,
                 from ./ldns/config.h:529,
                 from ./duration.c:40:
/usr/include/i386-linux-gnu/bits/stdio2.h:64:10: note: ‘__builtin___snprintf_chk’ output between 3 and 12 bytes into a destination of size 6
   return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        __bos (__s), __fmt, __va_arg_pack ());
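
The warnings in the report above flag `snprintf` calls where a `%u` value of up to 10 digits goes into a 6-byte destination. The following is an added example, not code from ldns or from the report: it shows what such a call leaves in the buffer and a formatter that sizes for the worst case and checks the return value. `struct demo_duration`, `put_component`, `demo_duration2string` and `DEMO_DURATION_MAX` are hypothetical names, and a 32-bit `unsigned int` is assumed.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for the fields named in the warnings; not the ldns struct. */
struct demo_duration {
    unsigned int years, months, weeks, days, hours, minutes, seconds;
};

/* Worst case: 'P' + 'T' + 7 * (10 digits + suffix) + NUL = 80 bytes. */
#define DEMO_DURATION_MAX 80

/* The warned pattern: "%u" can need 10 digits, the destination holds 6 bytes.
 * snprintf stays in bounds, cuts the text, and returns the length it wanted. */
int demo_truncating_call(char out[6], unsigned int value)
{
    return snprintf(out, 6, "%uY", value);
}

/* Append "<value><suffix>" at dst[*used]; zero values are skipped.
 * Returns 0 on success, -1 if the text does not fit in the space left. */
static int put_component(char *dst, size_t cap, size_t *used,
                         unsigned int value, char suffix)
{
    int n;

    if (value == 0)
        return 0;
    n = snprintf(dst + *used, cap - *used, "%u%c", value, suffix);
    if (n < 0 || (size_t)n >= cap - *used) {
        dst[*used] = '\0';      /* discard the partial component */
        return -1;
    }
    *used += (size_t)n;
    return 0;
}

/* Format d as P[nY][nM][nW][nD][T[nH][nM][nS]] into dst (cap bytes).
 * Returns the string length, or -1 if dst is too small. An all-zero
 * duration yields just "P" in this demo. */
int demo_duration2string(const struct demo_duration *d, char *dst, size_t cap)
{
    size_t used = 0;

    if (cap < 2)
        return -1;
    dst[used++] = 'P';
    dst[used] = '\0';
    if (put_component(dst, cap, &used, d->years, 'Y') ||
        put_component(dst, cap, &used, d->months, 'M') ||
        put_component(dst, cap, &used, d->weeks, 'W') ||
        put_component(dst, cap, &used, d->days, 'D'))
        return -1;
    if (d->hours || d->minutes || d->seconds) {
        if (used + 1 >= cap)
            return -1;
        dst[used++] = 'T';
        dst[used] = '\0';
        if (put_component(dst, cap, &used, d->hours, 'H') ||
            put_component(dst, cap, &used, d->minutes, 'M') ||
            put_component(dst, cap, &used, d->seconds, 'S'))
            return -1;
    }
    return (int)used;
}

int main(void)
{
    /* Constructed sample values. */
    struct demo_duration d = {1, 2, 0, 3, 4, 5, 6};
    char small[6], buf[DEMO_DURATION_MAX];
    int wanted = demo_truncating_call(small, 2147483647u);

    printf("6-byte buffer holds \"%s\", snprintf wanted %d chars\n", small, wanted);
    if (demo_duration2string(&d, buf, sizeof buf) > 0)
        printf("checked formatter: %s\n", buf);
    return 0;
}
```

Comparing the return value against the remaining space is what turns a silent truncation into an error the caller can act on.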

start tls support for ldns-dane

Björn Jacke 2015-06-10 13:24:24 CEST
something like

ldns-dane verify mail.example.com 25

doesn't work because ldns-dane wants to issue the start tls command and doesn't support start tls initiated TLS connections. It would be nice if ldns-dane would have an option to issue start tls optionally

Build android ldns library with ndk-r20b

Previously, we used ndk-r17c to build ldns for Android. In the ndk-r17c toolchain, there is a gcc tool for cross-compiling. Now we have decided to upgrade the NDK to ndk-r20b; however, there is no gcc in ndk-r20b, so I am wondering how to build ldns for Android with ndk-r20b?

Dirty compile in util.c

ldns 1.7.1 will be released soon. util.c has a dirty compile with GCC 8.3. It would be nice to see it cleared before release.

./libtool --tag=CC --quiet --mode=compile gcc -I. -I. -I/var/sanitize/include -DNDEBUG -DHAVE_CONFIG_H -DLDNS_TRUST_ANCHOR_FILE="\"/var/sanitize/etc/unbound/root.key\"" -Wunused-function -Wstrict-prototypes -Wwrite-strings -W -Wall -g2 -O2 -fsanitize=address -fno-omit-frame-pointer -march=native -fPIC -pthread -I/var/sanitize/include -c ./zone.c -o zone.lo
./util.c: In function ‘ldns_b32_ntop_base’:
./util.c:550:14: warning: this statement may fall through [-Wimplicit-fallthrough=]
            c =  src[3]         >> 7 ;
            ~~^~~~~~~~~~~~~~~~~~~~~~
./util.c:551:2: note: here
  case 3: dst[4] = b32[(src[2] & 0x0f) << 1 | c];
  ^~~~
./util.c:554:7: warning: this statement may fall through [-Wimplicit-fallthrough=]
     c =  src[2]         >> 4 ;
     ~~^~~~~~~~~~~~~~~~~~~~~~
./util.c:555:2: note: here
  case 2: dst[3] = b32[(src[1] & 0x01) << 4 | c];
  ^~~~
./util.c:561:21: warning: this statement may fall through [-Wimplicit-fallthrough=]
                   c =  src[1]         >> 6 ;
                   ~~^~~~~~~~~~~~~~~~~~~~~~
./util.c:562:2: note: here
  case 1: dst[1] = b32[(src[0] & 0x07) << 2 | c];
  ^~~~
./util.c:571:12: warning: this statement may fall through [-Wimplicit-fallthrough=]
     dst[3] = '=';
     ~~~~~~~^~~~~
./util.c:572:4: note: here
    case 2: dst[4] = '=';
    ^~~~
./util.c:572:19: warning: this statement may fall through [-Wimplicit-fallthrough=]
    case 2: dst[4] = '=';
            ~~~~~~~^~~~~
./util.c:573:4: note: here
    case 3: dst[5] = '=';
    ^~~~
./util.c:574:12: warning: this statement may fall through [-Wimplicit-fallthrough=]
     dst[6] = '=';
     ~~~~~~~^~~~~
./util.c:575:4: note: here
    case 4: dst[7] = '=';
    ^~~~
./util.c: In function ‘ldns_b32_pton_base’:
./util.c:698:11: warning: this statement may fall through [-Wimplicit-fallthrough=]
    dst[3] = buf[4] << 7 | buf[5] << 2 | buf[6] >> 3;
    ~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
./util.c:700:3: note: here
   case 5: /* ........ ........ ....4444 4....... ........ */
   ^~~~
./util.c:702:11: warning: this statement may fall through [-Wimplicit-fallthrough=]
    dst[2] = buf[3] << 4 | buf[4] >> 1;
    ~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~
./util.c:704:3: note: here
   case 4: /* ........ .......3 3333.... ........ ........ */
   ^~~~
./util.c:707:11: warning: this statement may fall through [-Wimplicit-fallthrough=]
    dst[1] = buf[1] << 6 | buf[2] << 1 | buf[3] >> 4;
    ~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
./util.c:709:3: note: here
   case 2: /* .....111 11...... ........ ........ ........ */
   ^~~~

Fall through is OK, just mark it as such. Both GCC and Clang will recognize:

  case 3: dst[4] = b32[(src[2] & 0x0f) << 1 | c];
          /* fall through */
  case 2: dst[3] = b32[(src[1] & 0x01) << 4 | c];
          /* fall through */
  ...

how to run program?

Hello. I installed ldns, but I can't run it.

./configure && make

Which of them starts the ldns-walk program?

drill (1.7.0) fails to support use of both -T and -x options together

The subject line says it all. It appears that the drill command, unlike its BIND counterpart (dig) fails to support the use of the -T and -x options together. The resulting output, if this is attempted, does not actually show a trace.

In contrast, BIND dig supports the use of its +trace and -x options together in one command and then produces expected output.

Relevant version information is as follows:
drill version 1.7.0 (ldns version 1.7.0)

gcc 4.6.1 expects $(LIBS) as the last argument

Hi Everyone,

I was looking through some of the self test drivers and came across this comment:

CC = @CC@
CFLAGS = @CFLAGS@
CPPFLAGS = @CPPFLAGS@ @LIBSSL_CPPFLAGS@ -I../..
LDFLAGS = @LDFLAGS@ @LIBSSL_LDFLAGS@ -L../../.libs
LIBS = @LIBS@ @LIBSSL_SSL_LIBS@ -lldns

# Hmmm gcc 4.6.1 expects $(LIBS) as the last argument

COMPILE         = $(CC) $(CPPFLAGS) $(CFLAGS)
LINK            = $(CC) $(CFLAGS) $(LDFLAGS)

That is actually expected for single pass linkers. Single pass linkers move from left to right looking for symbols. Based on the way the makefile is written (and linker options), I believe the list should be:

LIBS = -lldns @LIBSSL_SSL_LIBS@ @LIBS@

This way, when -lldns needs symbols for OpenSSL, the linker will find them because OpenSSL libs follow -lldns. And if OpenSSL needs symbols from -lpthread or -ldl, the linker will find them because @LIBS@ follows @LIBSSL_SSL_LIBS@.

Another trick you can use is to create a "group" to make the linker multi-pass. Below, the linker will visit OpenSSL libs multiple times looking for symbols. This is helpful when there are circular dependencies in libraries.

LIBS = @LIBS@ @LIBSSL_SSL_LIBS@ -lldns @LIBSSL_SSL_LIBS@ @LIBS@

Also see the ld(1) man page. Linux's linker actually has an option to make a list of libraries a group. See the --start-group archives --end-group option. (But the portable way is to list the library multiple times).

Splint and Parse Error: New function scope inside function.

Hi Everyone, @wcawijngaards, @wtoorop,

I'm working on FreeBSD 12.1. make test has a small issue:

PASSED: 15 (94 %)	FAILED: 1 (6 %)	unknown: 0 (0 %)

--------------- Start Output: 02-lint ------------------
!! FAILED !!     !! FAILED !!
DateRunEnd: 1583966993
BaseName: 02-lint
Description: Do a make lint on libdns
DateRunStart: 1583966993 
--------------- Test Output ------------------
gmake[1]: Entering directory '/usr/home/jwalton/ldns'
for i in ./*.c; do \
splint +quiet -weak -warnposix -unrecog -Din_addr_t=uint32_t -Du_int=unsigned -D
u_char=uint8_t -preproc -Drlimit=rlimit64 -D__gnuc_va_list=va_list  "-DBN_ULONG=
unsigned long" -Dkrb5_int32=int "-Dkrb5_ui_4=unsigned int" -DPQ_64BIT=uint64_t -
DRC4_INT=unsigned -fixedformalarray -D"ENGINE=unsigned" -D"RSA=unsigned" -D"DSA=
unsigned" -D"EVP_PKEY=unsigned" -D"EVP_MD=unsigned" -D"SSL=unsigned" -D"SSL_CTX=
unsigned" -D"X509=unsigned" -D"RC4_KEY=unsigned" -D"EVP_MD_CTX=unsigned" -D"EC_K
EY=unsigned" -D"EC_POINT=unsigned" -D"EC_GROUP=unsigned" -D"EVP_PKEY_ASN1_METHOD
=struct evp_pkey_asn1_method_st" -D"EVP_PKEY_CTX=struct evp_pkey_ctx_st" "-Dsigs
et_t=long" "-D__uint16_t=uint16_t" -D"__pure2=" -D"__wchar_t=wchar_t" -D"__packe
d=" -D"__aligned(x)=" -D"__BEGIN_DECLS=" -D"__ssize_t=ssize_t" -D"__intptr_t=int
ptr_t" -D"__nonnull(x)=" -D"__THROW=" -D"__wur=" -D"__off_t=unsigned" -D"__off64
_t=unsigned" -D"__useconds_t=unsigned" -D"__uid_t=unsigned" -D"__gid_t=unsigned"
 -D"__attribute_deprecated__=" -D"__pid_t=unsigned" -D"__restrict=" -D"__END_DEC
LS=" -D"__BEGIN_NAMESPACE_STD=" -D"__END_NAMESPACE_STD=" -D"__BEGIN_NAMESPACE_C9
9=" -D"__END_NAMESPACE_C99="  -D"__socklen_t=unsigned" -D"sa_family_t=unsigned "
 -D"__mode_t=unsigned" -D"u_int16_t=uint16_t" -D"u_int32_t=uint32_t" -D"u_int8_t
=uint8_t" -D"u_short=unsigned short" -D"__u16=uint16_t" -D"__u32=uint32_t" -D"__
u64=uint64_t" -D"_RuneLocale=int" -I. -I. ./$i ; \
if test $? -ne 0 ; then exit 1 ; fi ; \
done
/usr/include/pthread.h:208:27: Parse Error:
               New function scope inside function. (For help on parse errors,
               see splint -help parseerrors.)
*** Cannot continue.
gmake[1]: *** [Makefile:483: lint-lib] Error 1
gmake[1]: Leaving directory '/usr/home/jwalton/ldns'
exit code: 2
--------------- End Output: 02-lint ------------------

And:

$ cat -n /usr/include/pthread.h
     1	/*-
     2	 * SPDX-License-Identifier: BSD-4-Clause
   ...
   204	int		pthread_cond_signal(pthread_cond_t *);
   205	int		pthread_cond_timedwait(pthread_cond_t *,
   206			    pthread_mutex_t * __mutex,
   207			    const struct timespec *)
   208			    __requires_exclusive(*__mutex);
   209	int		pthread_cond_wait(pthread_cond_t * __restrict,
   210			    pthread_mutex_t * __restrict __mutex)
   211			    __requires_exclusive(*__mutex);
   ...

I don't have experience with splint so it would probably be a good idea if someone else looked at the issue.


Related, I'd be interested in learning how well Splint performs nowadays. According to its manual, Splint is from 2010. Does Splint find things that modern GCC, Clang or Coverity does not? Is it worth the maintenance costs?

Validating TLSA records, when NSEC cannot validate the absence of NS and DS records

Two name servers behind aegee.org return correct NSEC records and two of the name servers return broken NSEC. For TLSA _25._tcp.mail.aegee.org drill -TDV5 tries to obtain NS and DS records for mail.aegee.org and as this fails (sometimes), the resulting TLSA records cannot be validated. „unbound-host -v -t tlsa _25._tcp.mail.aegee.org“ also prints (insecure). I have not checked why, but I guess it is for this reason.

However https://viewdns.info/dnssec/?domain=_25._tcp.mail.aegee.org and https://dnsviz.net/d/_25._tcp.mail.aegee.org/dnssec/ validate the TLSA record always.

Can the logic of drill/unbound be changed, so that it can validate the TLSA records, even if NSEC is broken?

Punycode support

Copied from bugzilla

Viachaslau Khalikin 2018-08-09 17:01:33 CEST
At the moment drill interprets the Cyrillic domain as an escape sequence instead of Punycode. As a result, DNS does not give the right entry.

ldns-testns.c:429:15: error: 'fork' is unavailable: not available on tvOS

I'm working on an iOS port of LDNS. I'm working from Master. I'm catching an error during compile:

./libtool --tag=CC --quiet --mode=compile clang -I. -I.  -DHAVE_CONFIG_H -DLDNS_TRUST_ANCHOR_FILE="\"/Users
/travis/AppleTVOS-arm64/etc/unbound/root.key\"" -Wunused-function -Wstrict-prototypes -Wwrite-strings -W -Wall
-arch arm64 -mappletvos-version-min=6 --sysroot=/Applications/Xcode-10.1.app/Contents/Developer/Platforms
/AppleTVOS.platform/Developer/SDKs/AppleTVOS12.1.sdk -I/Users/travis/AppleTVOS-arm64/include -c
examples/ldns-testns.c -o examples/ldns-testns.o

./examples/ldns-testns.c:429:15: error: 'fork' is unavailable: not available on tvOS
                pid_t pid = fork();
                            ^
/Applications/Xcode-10.1.app/Contents/Developer/Platforms/AppleTVOS.platform/Developer/SDKs/AppleTVOS12.1.sdk
/usr/include/unistd.h:446:8: note: 'fork' has been explicitly marked unavailable here
pid_t    fork(void) __WATCHOS_PROHIBITED __TVOS_PROHIBITED;
         ^
1 error generated.
make: *** [examples/ldns-testns.lo] Error 1

This will affect AppleTVOS, WatchOS, AppleTVSimulator and WatchSimulator.

I guess we will omit --with-examples from iOS builds. But the report was filed in case LDNS wants to do something more with it.


ldns $ grep -IR 'fork()'
examples/ldns-testns.c:         log_msg("fork() not available.\n");
examples/ldns-testns.c:         pid_t pid = fork();
acx_nlnetlabs.m4:       if((p=fork()) == 0) {

Multithreading multicore

Hi,
I noticed ldns-read-zone -czs and verify-zone taking a long time over a big zonefile. Only one core of a multicore CPU was used.

How can we speed this up by using all cores?

Thanks

Out-of-tree build no longer working with release 1.7.1

With release tarball 1.7.1 I can no longer build ldns outside its source tree.

If I run this from a directory next to the unpacked tarball:

../ldns-1.7.1/configure
make
make DESTDIR=$(pwd)/test install

I get the following error message from make install:

make: *** No rule to make target 'packaging/libldns.pc.in', needed by 'packaging/libldns.pc'. Stop.

Makefile.in tries to reference it relative to the generated Makefile (i.e. as 'packaging/libldns.pc.in') instead of prefixing it with $(srcdir).

Pull request #41 seems to fix it for me.

Unclear error message from ldns-read-zone

Example of broken zone:

. 0 IN SOA . . 0 0 0 0 0
ns1.exporterapp.com 86400 IN NS ns1.exporterapp.com
ns1.exporterapp.com 86400 IN NS ns2.exporterapp.com
ns1.exporterapp.com 86400 IN NS ns3.exporterapp.com
ns1.exporterapp.com 86400 IN NS ns4.exporterapp.com
ns1.exporterapp.com 14400 IN A 5.9.101.204
ns1.exporterapp.com 14400 IN AAAA 5.9.101.204
ns2.exporterapp.com 14400 IN A 5.9.101.204
ns2.exporterapp.com 14400 IN AAAA 5.9.101.204

This zone produces output:

Syntax error, could not parse the RR's rdata at 7

7 what? I originally thought it is a file offset and only after finding the problem realized it is a line number! :-) Please rephrase it to something like rdata at line 7 or something.
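
The zone in the report above puts an IPv4 address in an AAAA record on line 7. The following is an added example, not code from ldns or from the report: a small checker that validates A and AAAA rdata with `inet_pton` and names the line in its message. `check_zone_addresses` and its message format are hypothetical, and only fully specified `owner ttl class type rdata` lines are examined.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Zone text copied from the report above. */
static const char reported_zone[] =
    ". 0 IN SOA . . 0 0 0 0 0\n"
    "ns1.exporterapp.com 86400 IN NS ns1.exporterapp.com\n"
    "ns1.exporterapp.com 86400 IN NS ns2.exporterapp.com\n"
    "ns1.exporterapp.com 86400 IN NS ns3.exporterapp.com\n"
    "ns1.exporterapp.com 86400 IN NS ns4.exporterapp.com\n"
    "ns1.exporterapp.com 14400 IN A 5.9.101.204\n"
    "ns1.exporterapp.com 14400 IN AAAA 5.9.101.204\n"
    "ns2.exporterapp.com 14400 IN A 5.9.101.204\n"
    "ns2.exporterapp.com 14400 IN AAAA 5.9.101.204\n";

/* Scan zone text and validate the address in every A and AAAA record.
 * Returns 0 if all parse, otherwise the 1-based line number of the first
 * bad record, with a message naming the line, type, rdata and owner. */
int check_zone_addresses(const char *zone, char *msg, size_t msgsize)
{
    int lineno = 0;
    const char *p = zone;

    if (msgsize > 0)
        msg[0] = '\0';
    while (*p != '\0') {
        char line[512], owner[256], cls[16], type[16], rdata[256];
        unsigned long ttl;
        unsigned char addr[sizeof(struct in6_addr)];
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        int af = 0;

        lineno++;
        if (len >= sizeof(line)) {
            snprintf(msg, msgsize, "line %d: line too long", lineno);
            return lineno;
        }
        memcpy(line, p, len);
        line[len] = '\0';
        p += len + (eol ? 1 : 0);

        /* Comments, directives and short-form lines are outside this demo. */
        if (line[0] == ';' || line[0] == '$')
            continue;
        if (sscanf(line, "%255s %lu %15s %15s %255s",
                   owner, &ttl, cls, type, rdata) != 5)
            continue;

        if (strcmp(type, "A") == 0)
            af = AF_INET;
        else if (strcmp(type, "AAAA") == 0)
            af = AF_INET6;

        /* inet_pton returns 1 only when rdata is valid for that family. */
        if (af != 0 && inet_pton(af, rdata, addr) != 1) {
            snprintf(msg, msgsize,
                     "line %d: cannot parse %s rdata \"%s\" for %s",
                     lineno, type, rdata, owner);
            return lineno;
        }
    }
    return 0;
}

int main(void)
{
    char msg[128];

    if (check_zone_addresses(reported_zone, msg, sizeof msg) != 0)
        printf("%s\n", msg);
    return 0;
}
```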

drill does not respect IPv4/IPv6 precedence in gai.conf

One of my systems can only access the IPv6 internet via a tunnel, so I have increased the precedence of IPv4 over IPv6 in /etc/gai.conf:

$ cat /etc/gai.conf
# Configuration for getaddrinfo(3).
# […]
# precedence  <mask>   <value>
#    Add another rule to the RFC 3484 precedence table.  See section 2.1
#    and 10.3 in RFC 3484.  The default is: […]
#
#    For sites which prefer IPv4 connections change the last line to
precedence ::ffff:0:0/96  100

Most programs (including, for example, dig) respect this and use IPv4 to connect to dual-stack hosts (a.iana-servers.net in this example):

$ dig example.com @a.iana-servers.net.
;; ANSWER SECTION:
example.com.		86400	IN	A	93.184.216.34
;; SERVER: 199.43.135.53#53(199.43.135.53)

drill, however, does not:

$ drill example.com @a.iana-servers.net.
;; ANSWER SECTION:
example.com.	86400	IN	A	93.184.216.34
;; SERVER: 2001:500:8f::53

The same happens in trace mode (-T), which is where I originally discovered this behaviour.

ED25519 support with LibreSSL

It appears that configure.ac isn't accounting for LibreSSL, which should support ED25519.

I'm unclear of whether this is a problem with autoconf or how the checks are being done here, but wanted to bring it up regardless for visibility.

Missing tpkg for testing the build

I finally got something I could test... A git clone provided it.

It looks like the source of tpkg was not provided, so it could not be built:

**********************
Testing package
**********************
if test -x "`which bash`"; then bash test/test_all.sh; else sh test/test_all.sh; fi
start the test at Wed May 15 21:52:01 EDT 2019 in /home/jwalton/Build-Scripts/ldns-master/test
test/test_all.sh: line 21: /home/jwalton/repos/tpkg/tpkg: No such file or directory
test/test_all.sh: line 22: /home/jwalton/repos/tpkg/tpkg: No such file or directory
test/test_all.sh: line 23: /home/jwalton/repos/tpkg/tpkg: No such file or directory
test/test_all.sh: line 24: /home/jwalton/repos/tpkg/tpkg: No such file or directory
test/test_all.sh: line 25: /home/jwalton/repos/tpkg/tpkg: No such file or directory
test/test_all.sh: line 26: /home/jwalton/repos/tpkg/tpkg: No such file or directory
test/test_all.sh: line 27: /home/jwalton/repos/tpkg/tpkg: No such file or directory
test/test_all.sh: line 28: /home/jwalton/repos/tpkg/tpkg: No such file or directory
which: no indent in (/usr/share/Modules/bin:/usr/local/bin:/usr/local/sbin:/bin:/sbin:/usr/bin:/usr/sbin:/opt/local/bin)
test/test_all.sh: line 29: /home/jwalton/repos/tpkg/tpkg: No such file or directory
/home/jwalton/repos/tpkg/tpkg -a ../.. exe 01-compile.tpkg
test/test_all.sh: line 35: /home/jwalton/repos/tpkg/tpkg: No such file or directory
/home/jwalton/repos/tpkg/tpkg -a ../.. exe 02-lint.tpkg
test/test_all.sh: line 35: /home/jwalton/repos/tpkg/tpkg: No such file or directory
/home/jwalton/repos/tpkg/tpkg -a ../.. exe 03-run.tpkg
test/test_all.sh: line 35: /home/jwalton/repos/tpkg/tpkg: No such file or directory
/home/jwalton/repos/tpkg/tpkg -a ../.. exe 04-run-normal.tpkg
test/test_all.sh: line 35: /home/jwalton/repos/tpkg/tpkg: No such file or directory
/home/jwalton/repos/tpkg/tpkg -a ../.. exe 05-iana-rr-types.tpkg
test/test_all.sh: line 35: /home/jwalton/repos/tpkg/tpkg: No such file or directory
/home/jwalton/repos/tpkg/tpkg -a ../.. exe 08-zonereader.tpkg
test/test_all.sh: line 35: /home/jwalton/repos/tpkg/tpkg: No such file or directory
/home/jwalton/repos/tpkg/tpkg -a ../.. exe 09-doc-check.tpkg
test/test_all.sh: line 35: /home/jwalton/repos/tpkg/tpkg: No such file or directory
/home/jwalton/repos/tpkg/tpkg -a ../.. exe 12-unit-tests-dnssec.tpkg
test/test_all.sh: line 35: /home/jwalton/repos/tpkg/tpkg: No such file or directory
/home/jwalton/repos/tpkg/tpkg -a ../.. exe 13-unit-tests-base.tpkg
test/test_all.sh: line 35: /home/jwalton/repos/tpkg/tpkg: No such file or directory
/home/jwalton/repos/tpkg/tpkg -a ../.. exe 14-read-zone.tpkg
test/test_all.sh: line 35: /home/jwalton/repos/tpkg/tpkg: No such file or directory
/home/jwalton/repos/tpkg/tpkg -a ../.. exe 15-unit-tests-rrtypes.tpkg
test/test_all.sh: line 35: /home/jwalton/repos/tpkg/tpkg: No such file or directory
/home/jwalton/repos/tpkg/tpkg -a ../.. exe 16-compile-builddir.tpkg
test/test_all.sh: line 35: /home/jwalton/repos/tpkg/tpkg: No such file or directory
/home/jwalton/repos/tpkg/tpkg -a ../.. exe 17-stub-resolver.tpkg
test/test_all.sh: line 35: /home/jwalton/repos/tpkg/tpkg: No such file or directory
/home/jwalton/repos/tpkg/tpkg -a ../.. exe 18-drill-tests1.tpkg
test/test_all.sh: line 35: /home/jwalton/repos/tpkg/tpkg: No such file or directory
/home/jwalton/repos/tpkg/tpkg -a ../.. exe 19-keygen.tpkg
test/test_all.sh: line 35: /home/jwalton/repos/tpkg/tpkg: No such file or directory
/home/jwalton/repos/tpkg/tpkg -a ../.. exe 20-sign-zone.tpkg
test/test_all.sh: line 35: /home/jwalton/repos/tpkg/tpkg: No such file or directory
/home/jwalton/repos/tpkg/tpkg -a ../.. exe 30-load-pyldns.tpkg
test/test_all.sh: line 35: /home/jwalton/repos/tpkg/tpkg: No such file or directory
/home/jwalton/repos/tpkg/tpkg -a ../.. exe 31-load-pyldnsx.tpkg
test/test_all.sh: line 35: /home/jwalton/repos/tpkg/tpkg: No such file or directory
/home/jwalton/repos/tpkg/tpkg -a ../.. exe 32-unbound-regression.tpkg
test/test_all.sh: line 35: /home/jwalton/repos/tpkg/tpkg: No such file or directory
/home/jwalton/repos/tpkg/tpkg -a ../.. exe 999-compile-nossl.tpkg
test/test_all.sh: line 35: /home/jwalton/repos/tpkg/tpkg: No such file or directory
/home/jwalton/repos/tpkg/tpkg -a ../.. exe codingstyle.tpkg
test/test_all.sh: line 35: /home/jwalton/repos/tpkg/tpkg: No such file or directory
finished the test at Wed May 15 21:52:01 EDT 2019 in /home/jwalton/Build-Scripts/ldns-master/test
test/test_all.sh: line 38: /home/jwalton/repos/tpkg/tpkg: No such file or directory

Please provide us with everything we need for testing this library.

ldns_verify_denial() prints pkt even if null

See:

    if (verbosity >= 5) {
            printf("VERIFY DENIAL FROM:\n");
            ldns_pkt_print(stdout, pkt);
    }

for example:

VERIFY DENIAL FROM:
null[U] No data found for: csas.cz. type A
;;[S] self sig OK; [B] bogus; [T] trusted

(see the "null" above)

I have seen this for a few domains that have:
... id: 0
;; Query time: 0 msec
...
;; MSG SIZE rcvd: 0
But the verbose output doesn't show what the problem is. Maybe because no SERVER?

In output I am missing several SERVER: lines. Why is _answerfrom not defined? (Maybe this is related.)

ldns tools do not support $INCLUDE in zone files

The following tools do not support the $INCLUDE directive (version 1.7.1):

  • ldns-read-zone
  • ldns-gen-zone
  • ldns-signzone

Isn't ldns supposed to be compliant with rfc1035? There is no error, no warning; the $INCLUDE directive gets silently ignored. Is there another tool I'm supposed to use in order to compile a zone file when signing it? (I'm using nsd for the DNS server, and I did not find such a zone file compiling tool within nsd.)

Missing Makefile.am

I'm trying to build ldns from sources. I'm still trying to test the library, so I thought I'd give git clone a try since the test files are present. (I performed a git checkout release-1.7.0 after the clone).

Attempting to autoreconf -f -i seems to work until configure is run:

checking for minix/config.h... no
checking whether it is safe to define __EXTENSIONS__... yes
configure: error: cannot find install-sh, install.sh, or shtool in "." "./.." "./../.."
Failed to configure LDNS

When I open configure.ac and add AM_INIT_AUTOMAKE to install the missing files:

AC_INIT(ldns, m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]), [email protected], libdns)
AM_INIT_AUTOMAKE
AC_CONFIG_SRCDIR([packet.c])

autoreconf -f -i results in:

$ autoreconf -f -i
libtoolize: putting auxiliary files in '.'.
libtoolize: copying file './ltmain.sh'
libtoolize: putting macros in AC_CONFIG_MACRO_DIRS, 'm4'.
libtoolize: copying file 'm4/libtool.m4'
libtoolize: copying file 'm4/ltoptions.m4'
libtoolize: copying file 'm4/ltsugar.m4'
libtoolize: copying file 'm4/ltversion.m4'
libtoolize: copying file 'm4/lt~obsolete.m4'
libtoolize: Consider adding '-I m4' to ACLOCAL_AMFLAGS in Makefile.am.
configure.ac:34: installing './compile'
configure.ac:38: installing './config.guess'
configure.ac:38: installing './config.sub'
configure.ac:11: installing './install-sh'
configure.ac:11: installing './missing'
automake: error: no 'Makefile.am' found for any configure output
autoreconf: automake failed with exit status: 1

I'm not sure how to proceed.

Do you need help with a Makefile.am? Or is there something else we can do to support ldns?

I'm happy to help so that make check runs the self tests. I've got to be able to test this library.

drill: reuse the TCP connection

When I call drill -DTtV5 TLSA _25._tcp.mail.aegee.org, it prints some SERVER: <ip-address> sections and the IP address changes over time to the different name servers offered for “aegee.org”.

Does drill on purpose not reuse the TCP connection established to one of the name servers?

Memory Leak in ldns_rr2str

Hi all,

we are using ldns in our software Tstat to have log files for DNS traffic. We were using the ldns_rr2str() function, but we noticed a slow memory leak which was causing our program to saturate the memory in the long term.

We managed to use a workaround. My guess is that the leak is inside the ldns_buffer_export2str() function. Our workaround was based on the re-writing of the ldns_rr2str() as follows:

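#include <stdlib.h>
#include <string.h>
#include <ldns/ldns.h>

/* MAX_STR_DNS is defined elsewhere in the poster's code (not shown here). */

/* Convert an RR to a malloc'd, NUL-terminated string; the caller frees it. */
static inline char * my_ldns_rr2str(ldns_rr * rr){

  /* Scratch buffer that receives the presentation format of the RR */
  ldns_buffer *tmp_buffer = ldns_buffer_new(MAX_STR_DNS);
  if (!tmp_buffer)
    return NULL;

  ldns_status ret = ldns_rr2buffer_str_fmt(tmp_buffer, ldns_output_format_default, rr);
  if (ret != LDNS_STATUS_OK ){
    ldns_buffer_free(tmp_buffer);
    return NULL;
  }

  /* Copy exactly the bytes written so far, plus a terminator */
  char * rr_str = malloc(tmp_buffer->_position + 1);
  if (!rr_str){
    ldns_buffer_free(tmp_buffer);
    return NULL;
  }

  memcpy(rr_str, tmp_buffer->_data, tmp_buffer->_position);
  rr_str[tmp_buffer->_position] = '\0';
  /* The buffer is always freed here, instead of being exported */
  ldns_buffer_free(tmp_buffer);

  return rr_str;

}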

drill: show glue record

In trace (-T) output, show the glue record returned from the overlying ns if a verbose level is set.
I did not see any convenient tool that would show the entire chain of addresses through which the request is made.

minor drill output changes

The following patch is for:

  1. use BOGUS macro (but note this is untested by me)
  2. add UNSIGNED to the legend
  3. add a blank line at end of verbose form output (so end of one query/response is separate from the next).
diff --git a/drill/securetrace.c b/drill/securetrace.c
index 6967265d..63259cc8 100644
--- a/drill/securetrace.c
+++ b/drill/securetrace.c
@@ -520,8 +520,8 @@ do_secure_trace(ldns_resolver *local_res, ldns_rdf *name, ldns_rr_type t,
 							labels[i-1]);
 						printf(", but valid CNAME");
 					} else {
-						printf("[B] Unable to verify de"
-						       "nial of existence for ");
+						printf(BOGUS " Unable to verify "
+						       "denial of existence for ");
 						ldns_rdf_print(stdout,
 							labels[i-1]);
 						printf(", because of BOGUS CNAME");
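Review bot: the replacement of the literal "[B]" with BOGUS in this printf (and in the two hunks that follow) is described as untested, so confirm that BOGUS expands to exactly "[B]" with no padding before merging. The legend line in the last securetrace.c hunk already concatenates it as " self sig OK; " BOGUS " bogus; ", which suggests a bare string literal, but anything that parses drill's trace output depends on this prefix staying byte-identical. Re-splitting the string at "verify " / "denial" instead of "de" / "nial" is a good side effect, since the message can now be found with grep.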
@@ -644,7 +644,7 @@ do_secure_trace(ldns_resolver *local_res, ldns_rdf *name, ldns_rr_type t,
 							printf(";; No DS for ");
 							ldns_rdf_print(stdout, labels[i - 1]);
 						} else {
-							printf("[B] Unable to verify denial of existence for ");
+							printf(BOGUS " Unable to verify denial of existence for ");
 							ldns_rdf_print(stdout, labels[i - 1]);
 							printf(" DS: %s\n", ldns_get_errorstr_by_id(status));
 						}
@@ -748,7 +748,7 @@ do_secure_trace(ldns_resolver *local_res, ldns_rdf *name, ldns_rr_type t,
 						}
 						printf("\n");
 					} else {
-						printf("[B] Unable to verify denial of existence for ");
+						printf(BOGUS " Unable to verify denial of existence for ");
 						ldns_rdf_print(stdout, name);
 						printf(" type ");
 						if (descriptor && descriptor->_name) {
@@ -774,7 +774,7 @@ do_secure_trace(ldns_resolver *local_res, ldns_rdf *name, ldns_rr_type t,
 		ldns_rr_list_deep_free(ds_sig_list);
 		ds_sig_list = NULL;
 	}
-	printf(";;" SELF " self sig OK; " BOGUS " bogus; " TRUST " trusted\n");
+	printf(";;" SELF " self sig OK; " BOGUS " bogus; " TRUST " trusted; " UNSIGNED " unsigned\n");
 	/* verbose mode?
 	printf("Trusted keys:\n");
 	ldns_rr_list_print(stdout, trusted_keys);
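Review bot: UNSIGNED is used in the legend printf but nothing in this patch defines it, so the line only compiles if the macro already exists next to SELF, BOGUS and TRUST; state that in the commit message or add the #define in the same patch. The new line is also well past 80 columns. Splitting the literal after "trusted; " would match the wrapped printf style used in the first hunk.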
diff --git a/host2str.c b/host2str.c
index 3ca23c20..bfa9cbc5 100644
--- a/host2str.c
+++ b/host2str.c
@@ -1984,6 +1984,8 @@ ldns_pkt2buffer_str_fmt(ldns_buffer *output,
 
 		ldns_buffer_printf(output, ";; MSG SIZE  rcvd: %d\n",
 				(int)ldns_pkt_size(pkt));
+
+		ldns_buffer_printf(output, "\n");
 	} else {
 		return ldns_buffer_status(output);
 	}
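Review bot: the added ldns_buffer_printf(output, "\n") is in ldns_pkt2buffer_str_fmt in host2str.c, which is library code rather than drill, so every caller that converts a packet to text gets the extra trailing blank line, not only drill's verbose output as the description says. Consider printing the separator from drill after it prints a packet, or document the output change for library users. If the line stays here, it can be folded into the preceding format string as ";; MSG SIZE  rcvd: %d\n\n".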

'make test' fails due to missing test/test_all.sh

Hi Everyone,

I'm testing ldns 1.7.0 from the release tarball. make builds the library OK. make test is failing after the build:

make test
...

if test -x "`which bash`"; then bash test/test_all.sh; else sh test/test_all.sh; fi
bash: test/test_all.sh: No such file or directory
gmake: *** [Makefile:461: test] Error 127

Maybe that test should be [ -f test/test_all.sh] or don't try the self tests.

Explain [U] in the legend in the output of drill

drill -DT CAA bapha.be returns currently

[T] bapha.be. 86400 IN DS 40930 8 1 21030062ada4568f20ec47c85ecfb70a29798ac4 
bapha.be. 86400 IN DS 40930 8 2 36adf92655d9fe7f68aed69d1afc086cb9f3a6b8a46b71ee39176b6ce45cf33b 
;; Domain: bapha.be.
[T] bapha.be. 3600 IN DNSKEY 256 3 8 ;{id = 34233 (zsk), size = 2048b}
bapha.be. 3600 IN DNSKEY 257 3 8 ;{id = 40930 (ksk), size = 2048b}
[U] bapha.be.   3600    IN      CAA     0 issue "letsencrypt.org"
bapha.be.       3600    IN      CAA     0 iodef "mailto:[email protected]"
bapha.be.       3600    IN      CAA     0 issuewild ";"
;;[S] self sig OK; [B] bogus; [T] trusted
  • Add in the legend at the end the meaning of [U]

13-unit-tests-base.c:250: Direct leak of 195 byte(s) in 11 object(s)

Asan testing is producing some findings in 13-unit-tests-base.c. Also see Travis test results.

==5323==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 195 byte(s) in 11 object(s) allocated from:
    #0 0x7f0df9b5db50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
    #1 0x55f7923b25a2 in test_base32_decode_extended_hex 13-unit-tests-base.c:250

Direct leak of 135 byte(s) in 9 object(s) allocated from:
    #0 0x7f0df9b5db50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
    #1 0x55f7923b2052 in test_base32_decode 13-unit-tests-base.c:158

Direct leak of 55 byte(s) in 10 object(s) allocated from:
    #0 0x7f0df9b5db50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
    #1 0x55f7923b1ab0 in test_base64_decode 13-unit-tests-base.c:68

SUMMARY: AddressSanitizer: 385 byte(s) leaked in 30 allocation(s).

Release 1.7.1

It looks like ed25519 support was added nearly 2 years ago. Are there any plans to release it anytime soon?

I'm specifically using ldns-signzone, and would really like to replace some of my SHA1-based signatures.

Thanks!

How to query consul SRV records

For getting the service records from consul (https://www.consul.io/docs/agent/dns.html#standard-lookup) normally I could do:

$ dig @10.0.0.2 -p 8600 <service>.service.consul SRV

But I can't find a way to get the records using drill

In some cases I get the warning:

;; WARNING: The answer packet was truncated; you might want to
;; query again with TCP (-t argument), or EDNS0 (-b for buffer size)

but I still can't get the records using option -t or -b

Any ideas?

As an alternative I have been using host, for example:

host -t srv consul.service.consul

Trying this in latest stable FreeBSD 12.1, drill version 1.7.0 (ldns version 1.7.0)

I am trying to query the consul server directly at port 8600, or an unbound with this configuration:

#Allow insecure queries to local resolvers
server:
  do-not-query-localhost: no
  domain-insecure: "consul"

#Add consul as a stub-zone
stub-zone:
  name: "consul"
  stub-addr: 127.0.0.1@8600



util.c:298:10: runtime error: signed integer overflow: -1264526704 - 1582503583 cannot be represented in type 'int'

Hi Everyone,

From the low hanging fruit department... Build with -fsanitize=undefined and run the self tests:

CFLAGS="-DNDEBUG -g2 -O3 -fsanitize=undefined" ./make-master.sh
...
CFLAGS="-DNDEBUG -g2 -O3 -fsanitize=undefined" make test
...

make-master.sh just bootstraps the Autotools gear, runs configure, and then runs make. After the tests run, inspect for runtime errors:

ldns$ grep -IR 'runtime error:'
test/result.08-zonereader:util.c:298:10: runtime error: signed integer overflow: -1264526704 - 1582503583 cannot be represented in type 'int'

One finding is very good.

The code for the util.c finding is:

static int64_t
ldns_serial_arithmitics_time(int32_t time, time_t now)
{
	int32_t offset = time - (int32_t) now;
	return (int64_t) now + offset;
}

I'm guessing you will need to move to int64_t, or use an unsigned type. Unsigned types do not suffer signed overflow. Rather, unsigned types experience unsigned wrap and that is well defined per the C standards.

Trying both uint64_t and uint64_t consistently in the function results in the following failure. Both clear the undefined behavior, but both also arrive at the wrong result.

[08-zonereader]  [log] Extracting...
[08-zonereader]  [log] Executing test
[08-zonereader]  [warning] Test executed with errors: 1.
[08-zonereader]  [log] !! FAILED !!
[08-zonereader]  [log] Removing temp directory 08-zonereader.s4uv7F
[08-zonereader]  [log] Cleaning up

I'm going to turn this over to the experts.
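
An added example, not code from the post or from the ldns project: one way to keep the 32-bit wrap-around that the original subtraction relies on while avoiding signed overflow, next to a widened variant that clears the sanitizer but loses the wrap. The function names are hypothetical, and the widened variant is an assumption about how such a change can go wrong, since the post does not show the code that was tried.

```c
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Map a 32-bit pattern to its two's-complement value using only
 * well-defined operations (no out-of-range signed conversion). */
static int32_t wrap_to_int32(uint32_t u)
{
	if (u <= (uint32_t)INT32_MAX)
		return (int32_t)u;
	/* u in [2^31, 2^32 - 1] maps to [-2^31, -1] */
	return (int32_t)(u - (uint32_t)INT32_MAX - 1u) + INT32_MIN;
}

/* Hypothetical UB-free form: the difference is taken modulo 2^32 in
 * unsigned arithmetic, then read back as a signed distance from now. */
static int64_t serial_time_wrapped(int32_t t, time_t now)
{
	uint32_t diff = (uint32_t)t - (uint32_t)now;

	return (int64_t)now + wrap_to_int32(diff);
}

/* Hypothetical widened form: no overflow, but also no modulo-2^32
 * wrap, so the result collapses to t sign-extended. */
static int64_t serial_time_widened(int32_t t, time_t now)
{
	int64_t offset = (int64_t)t - (int64_t)now;

	return (int64_t)now + offset;
}

int main(void)
{
	/* Operands taken from the sanitizer message quoted above. */
	int32_t t = -1264526704;
	time_t now = (time_t)1582503583;

	printf("wrapped: %lld\n", (long long)serial_time_wrapped(t, now));
	printf("widened: %lld\n", (long long)serial_time_widened(t, now));
	return 0;
}
```

With the operands from the report, the wrapped form yields a time about 45 years after now, while the widened form yields a negative time.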

ldns build fails with SWIG 4.0.0

SWIG was updated to version 4.0.0 in Fedora Rawhide.
Then I tried to rebuild ldns with this version and it failed. I reported it upstream and they recommended a solution to me.

I created a patch which will be applied in Fedora and solves the issue.

Possible to get query owner without trailing dot?

When extracting the owner from an ldns packet, it seems a trailing dot is always appended. Is it possible to get the owner without trailing dot?

Possibly relevant:

ldns/examples/ldns-mx.c

Lines 46 to 50 in 2131ed5

/* ldns_dname_new_frm_str makes absolute dnames always!
* So deabsolutify domain.
* TODO: Create ldns_dname_new_frm_str_relative? Yuck!
*/
ldns_rdf_set_size(domain, ldns_rdf_size(domain) - 1);

query

$ dig @127.0.0.1 google.com

server

fprintf(stdout, "owner: %s\n", ldns_rdf2str(ldns_rr_owner(...)));

stdout

owner: google.com.

ldns_rdf2buffer_str_wks never returns when WKS record includes port number 65528 or higher

When a WKS record has services whose port number is over 65528, ldns_rdf2buffer_str_wks never returns.

In host2str.c:841 (in 1.7.1)

 822     uint16_t current_service;
// ...
 840     for (current_service = 0;
 841          current_service < (ldns_rdf_size(rdf)-1)*8; current_service++) {

In this case, (ldns_rdf_size(rdf)-1)*8 is 65536, but the variable current_service is uint16_t, so it overflows after checking port 65535 and the condition never becomes false.
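
An added example, not code from ldns: a loop shaped like the one quoted above, run over a constructed WKS rdata whose bitmap covers all 65536 ports, next to the same loop with a wider counter. The helper names, the iteration cap (added so the demonstration returns) and the MSB-first bit order are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WKS_FULL_SIZE 8193u /* constructed: 1 protocol byte + 8192 bitmap bytes */

/* Assumed bit order: bit 0 is the most significant bit of byte 0. */
static int bit_is_set(const uint8_t *bitmap, size_t idx)
{
	return (bitmap[idx / 8] >> (7 - idx % 8)) & 1;
}

/* Constructed sample rdata: TCP, port 53, and port 65535 if it fits. */
static void build_wks(uint8_t *rdata, size_t size)
{
	memset(rdata, 0, size);
	rdata[0] = 6;
	rdata[1 + 53 / 8] |= (uint8_t)(1u << (7 - 53 % 8));
	if ((size - 1) * 8 > 65535)
		rdata[1 + 65535 / 8] |= 1u; /* last bit of the last byte */
}

/* 16-bit counter against a bound that can reach 65536.
 * Returns 1 if the loop ended on its own, 0 if the cap was hit. */
static int scan_u16(const uint8_t *rdata, size_t size,
                    unsigned long max_iter, unsigned long *hits)
{
	uint16_t current_service;
	unsigned long iter = 0;

	*hits = 0;
	for (current_service = 0;
	     current_service < (size - 1) * 8; current_service++) {
		if (++iter > max_iter)
			return 0; /* counter wrapped to 0 and kept going */
		if (bit_is_set(rdata + 1, current_service))
			(*hits)++;
	}
	return 1;
}

/* Same scan with a counter wide enough for the bound. */
static int scan_wide(const uint8_t *rdata, size_t size, unsigned long *hits)
{
	size_t service;

	*hits = 0;
	if (size < 1)
		return 0;
	for (service = 0; service < (size - 1) * 8; service++)
		if (bit_is_set(rdata + 1, service))
			(*hits)++;
	return 1;
}

int main(void)
{
	static uint8_t rdata[WKS_FULL_SIZE];
	unsigned long hits;

	build_wks(rdata, sizeof(rdata));
	printf("u16 counter terminated: %d\n",
	       scan_u16(rdata, sizeof(rdata), 200000UL, &hits));
	printf("wide counter terminated: %d, ports set: %lu\n",
	       scan_wide(rdata, sizeof(rdata), &hits), hits);
	return 0;
}
```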

ldns_rr_new rr.c:27: Direct leak of 48 byte(s) in 1 object(s)

Asan testing is producing some findings in 12-unit-tests-dnssec.c. Also see Travis test results.

==5141==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 48 byte(s) in 1 object(s) allocated from:
    #0 0x7f913b6fbb50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
    #1 0x7f913b3cce4a in ldns_rr_new rr.c:27

Indirect leak of 48 byte(s) in 2 object(s) allocated from:
    #0 0x7f913b6fbb50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
    #1 0x7f913b3c5b4d in ldns_rdf_new_frm_data rdata.c:203

Indirect leak of 20 byte(s) in 2 object(s) allocated from:
    #0 0x7f913b6fbb50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
    #1 0x7f913b3c5b61 in ldns_rdf_new_frm_data rdata.c:207

Indirect leak of 8 byte(s) in 1 object(s) allocated from:
    #0 0x7f913b6fbb50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
    #1 0x7f913b3cd015 in ldns_rr_push_rdf rr.c:860

SUMMARY: AddressSanitizer: 124 byte(s) leaked in 6 allocation(s).

Homebrew install fails under MacOS Catalina 10.15

selfagency-macpro:~ daniel$ brew install ldns --HEAD
Updating Homebrew...

==> Downloading https://nlnetlabs.nl/downloads/ldns/ldns-1.7.0.tar.gz
Already downloaded: /Users/daniel/Library/Caches/Homebrew/downloads/95bb5b8984276f4dd8d6ce135b473e8a28545114332949a45e98d840d8f1626b--ldns-1.7.0.tar.gz
==> ./configure --prefix=/usr/local/Cellar/ldns/1.7.0_1 --with-drill --with-examples --with-ssl=/usr/local/opt/openssl --with-pyldns PYTHON_SITE_PKG=/usr/local/Cellar/ldns/1.7.0_1/lib/python2.7/site-packages --disable-dane-verify
==> make
Last 15 lines from /Users/daniel/Library/Logs/Homebrew/ldns/02.make:
./libtool --tag=CC --quiet --mode=link clang -Wunused-function -Wstrict-prototypes -Wwrite-strings -W -Wall -g -O2 -mmacosx-version-min=10.10 -isysroot /Applications/Xcode-beta.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.15.sdk  -L/usr/local/opt/openssl/lib examples/ldns-dpa.lo  -lpcap -lldns \
		 -o examples/ldns-dpa
./libtool --tag=CC --quiet --mode=link clang -Wunused-function -Wstrict-prototypes -Wwrite-strings -W -Wall -g -O2 -mmacosx-version-min=10.10 -isysroot /Applications/Xcode-beta.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.15.sdk  -L/usr/local/opt/openssl/lib examples/ldns-dane.lo  -lssl  -lcrypto -lldns \
		 -o examples/ldns-dane
./libtool --tag=CC --quiet --mode=link clang -Wunused-function -Wstrict-prototypes -Wwrite-strings -W -Wall -g -O2 -mmacosx-version-min=10.10 -isysroot /Applications/Xcode-beta.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.15.sdk  -L/usr/local/opt/openssl/lib examples/ldns-nsec3-hash.lo  -lcrypto -lldns -o examples/ldns-nsec3-hash
./libtool --tag=CC --quiet --mode=link clang -Wunused-function -Wstrict-prototypes -Wwrite-strings -W -Wall -g -O2 -mmacosx-version-min=10.10 -isysroot /Applications/Xcode-beta.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.15.sdk  -L/usr/local/opt/openssl/lib examples/ldns-revoke.lo  -lcrypto -lldns -o examples/ldns-revoke
./libtool --tag=CC --quiet --mode=link clang -Wunused-function -Wstrict-prototypes -Wwrite-strings -W -Wall -g -O2 -mmacosx-version-min=10.10 -isysroot /Applications/Xcode-beta.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.15.sdk  -L/usr/local/opt/openssl/lib examples/ldns-signzone.lo  -lcrypto -lldns -o examples/ldns-signzone
./libtool --tag=CC --quiet --mode=link clang -Wunused-function -Wstrict-prototypes -Wwrite-strings -W -Wall -g -O2 -mmacosx-version-min=10.10 -isysroot /Applications/Xcode-beta.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.15.sdk  -L/usr/local/opt/openssl/lib examples/ldns-verify-zone.lo  -lcrypto -lldns -o examples/ldns-verify-zone
./libtool --tag=CC --quiet --mode=link clang -Wunused-function -Wstrict-prototypes -Wwrite-strings -W -Wall -g -O2 -mmacosx-version-min=10.10 -isysroot /Applications/Xcode-beta.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.15.sdk  -L/usr/local/opt/openssl/lib linktest.lo  -lcrypto -lldns -o linktest
./libtool --tag=CC --quiet --mode=compile clang -I. -I.  -DHAVE_CONFIG_H -DLDNS_TRUST_ANCHOR_FILE="\"/usr/local/Cellar/ldns/1.7.0_1/etc/unbound/root.key\"" -Wunused-function -Wstrict-prototypes -Wwrite-strings -W -Wall -g -O2 -mmacosx-version-min=10.10 -isysroot /Applications/Xcode-beta.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.15.sdk -I./include/ldns -I/usr/local/opt/openssl/include -I/System/Library/Frameworks/Python.framework/Versions/2.7/include/python2.7 -Wno-unused-variable -Wno-unused-parameter -Wno-missing-field-initializers -fno-strict-aliasing -c ./contrib/python/ldns_wrapper.c -o ldns_wrapper.lo
./contrib/python/ldns_wrapper.c:37536:51: error: use of undeclared identifier 'obj1'
  ldns_key_set_pubkey_owner(arg1,arg2); Py_INCREF(obj1);
                                                  ^
1 error generated.
make: *** [ldns_wrapper.lo] Error 1

ld: symbol(s) not found for architecture x86_64

Hello, I am compiling from the tarball on Mac (Catalina 10.15 (19A602)).

I get the following:

Undefined symbols for architecture x86_64:
  "_ldns_rr_free", referenced from:
      _main in linktest.o
  "_ldns_rr_new", referenced from:
      _main in linktest.o
ld: symbol(s) not found for architecture x86_64
clang: error: linker command failed with exit code 1 (use -v to see invocation)
make: *** [linktest] Error 1

OS X and Xcode assumptions

Hi Everyone,

I'm working on an antique PowerMac running OS X 10.5 on a PowerPC. It is one of my favorite testing platforms. The 2.0 GHz processor is fast, and it still puts Intel Atoms and Celerons to shame. It offers OS X 10.5, Bash 3.2, GCC 4.0.1, Apple cc-tools linker, and big-endian PowerPC. I like to work on it so I often need to build newer tools like cURL, Git, SSH and Wget.

It looks like ldns is having some trouble on the PowerMac:

./libtool --tag=CC --quiet --mode=compile gcc -I. -I. -I/usr/local/include -DNDEBUG -DHAVE_CONFIG_H -DLDNS_TRUST_ANCHOR_FILE="\"/usr/local/etc/unbound/root.key\"" -Wunused-function -Wstrict-prototypes -Wwrite-strings -W -Wall -g2 -O2 -fPIC -pthread -mmacosx-version-min=10.10 -isysroot /Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk -I/usr/local/include -c ./buffer.c -o buffer.lo
<built-in>:1: error: Unknown value '10.10' of -mmacosx-version-min
In file included from ./buffer.c:10:
./ldns/config.h:508:19: error: stdio.h: No such file or directory
./ldns/config.h:509:20: error: string.h: No such file or directory
./ldns/config.h:510:20: error: unistd.h: No such file or directory
./ldns/config.h:511:20: error: assert.h: No such file or directory
./ldns/config.h:530:20: error: stdlib.h: No such file or directory
./ldns/config.h:531:20: error: stddef.h: No such file or directory
./ldns/config.h:535:20: error: stdint.h: No such file or directory
./ldns/config.h:539:24: error: sys/socket.h: No such file or directory
./ldns/config.h:543:24: error: netinet/in.h: No such file or directory
./ldns/config.h:547:23: error: arpa/inet.h: No such file or directory

I believe the issue is here in configure.ac:

# check OSX deployment target, if needed
if echo $build_os | grep darwin > /dev/null; then
  sdk_p=`xcode-select -print-path`;
  sdk_v="$( /usr/bin/xcrun --show-sdk-version )";
  case $sdk_v in
       10.9|10.8)   sdk_c="10.7";;
       10.11|10.10|*) sdk_c="10.10";;
  esac
  export MACOSX_DEPLOYMENT_TARGET="${sdk_c}";
  export CFLAGS="$CFLAGS -mmacosx-version-min=${sdk_c} -isysroot ${sdk_p}/Platforms/MacOSX.platform/Developer/SDKs/MacOSX${sdk_v}.sdk";
fi

I believe the version of Xcode on the PowerMac is 2.5 or 3.1. It has been a while since I checked, and xcrun does not work as expected on the early versions:

checking whether the C compiler (gcc) accepts the "format" attribute... yes
checking whether the C compiler (gcc) accepts the "unused" attribute... yes
xcrun: error: unrecognized option: --show-sdk-version

usage:
xcrun [-verbose] [-no-cache] [-sdk <sdkroot>] [-log] [-run] <utility> [argument ...]
xcrun [-verbose] [-no-cache] [-sdk <sdkroot>] -find <utility>
<tool> [tool arguments ...]
configure: Default trust anchor: /usr/local/etc/unbound/root.key
configure: Using CAfile: /usr/local/etc/unbound/icannbundle.pem
configure: Using CApath: /usr/local/etc/unbound
configure: creating ./config.status

I think I am going to delete the Xcode block from configure.ac and use the regular build tools from CC Tools. (As opposed to the Xcode toolchain that is being used above).

You are welcome to SSH access to the box. I need your authorized_keys.
