nlnetlabs / ldns
LDNS is a DNS library that facilitates DNS tool programming
Home Page: https://nlnetlabs.nl/ldns
License: BSD 3-Clause "New" or "Revised" License
Contents:
    REQUIREMENTS
    INSTALLATION
    libdns
    examples
    drill
    INFORMATION FOR SPECIFIC OPERATING SYSTEMS
    Mac OS X
    Solaris
    KNOWN ISSUES
    pyldns
    Your Support

Project page: http://www.nlnetlabs.nl/ldns/
On that page you can also subscribe to the ldns mailing list.

* Development
ldns is mainly developed on Linux and FreeBSD. It is regularly tested to compile on other systems like Solaris and Mac OS X.

REQUIREMENTS
- OpenSSL (Optional, but needed for features like DNSSEC)
  - OpenSSL >= 0.9.7f for DANE support
  - OpenSSL >= 1.0.0 for ECDSA and GOST support
- libpcap (Optional, but needed for examples/ldns-dpa)
- (GNU) libtool (in OSX, that's glibtool, not libtool)
- GNU make

INSTALLATION
1. Unpack the tarball
2. cd ldns-<VERSION>
3. ./configure --with-examples --with-drill
   (optionally compile python bindings too with: --with-pyldns)
4. make
5. make install

* Building from repository
If you are building from the repository you will need to have (gnu) autotools like libtool and autoreconf installed. A list of all the commands needed to build everything can be found in README.git. Note that the actual commands may be a little bit different on your machine. Most notably, you'll need to run libtoolize (or glibtoolize). If you skip this step, you'll get an error about missing config.sub.

* Developers
ldns is developed by the ldns team at NLnet Labs. This team currently consists of:
  o Willem Toorop
  o Wouter Wijngaards

Former main developers:
  o Jelte Jansen
  o Miek Gieben
  o Matthijs Mekking

* Credits
We have received patches from the following people, thanks!
  o Bedrich Kosata
  o Erik Rozendaal
  o Håkan Olsson
  o Jakob Schlyter
  o Paul Wouters
  o Simon Vallet
  o Ondřej Surý
  o Karel Slany
  o Havard Eidnes
  o Leo Baltus
  o Dag-Erling Smørgrav
  o Felipe Gasper

INFORMATION FOR SPECIFIC OPERATING SYSTEMS

MAC OS X
For MACOSX 10.4 and later, it seems that you have to set the MACOSX_DEPLOYMENT_TARGET environment variable to 10.4 before running make. Apparently it defaults to 10.1.
This appears to be a known problem in 10.2 to 10.4, see: http://developer.apple.com/qa/qa2001/qa1233.html for more information.

SOLARIS
In Solaris multi-architecture systems (which have both 32-bit and 64-bit support), it can be a bit taxing to convince the system to compile in 64-bit mode. Jakob Schlyter has kindly contributed a build script that sets the right build and link options. You can find it in contrib/build-solaris.sh

KNOWN ISSUES
A complete list of currently known open issues can be found here: https://github.com/NLnetLabs/ldns/issues

* pyldns
Compiling pyldns produces many ``unused parameter'' warnings. Those are harmless and may safely be ignored. Also, when building with SWIG older than 2.0.4, compiling pyldns produces many ``missing initializer'' warnings. Those are harmless too.
I'm not sure what exactly is going on here, so I can only describe drill's unexpected behaviour in a (seemingly) simple situation:
Trace query for imap.fim.uni-passau.de — `drill -T -V5 imap.fim.uni-passau.de`.
Normally, it should walk through `.`, `de.`, `uni-passau.de.` and then get an authoritative answer from one of `fim.uni-passau.de.`'s authoritative nameservers.
Instead, the following exchange occurs (in chronological order, verified in Wireshark):
It looks like `drill` should have all the information it needs after the fourth query, but it sends another query and the CNAME and A record do not show up in its output:
. 518400 IN NS a.root-servers.net.
. 518400 IN NS b.root-servers.net.
. 518400 IN NS c.root-servers.net.
. 518400 IN NS d.root-servers.net.
. 518400 IN NS e.root-servers.net.
. 518400 IN NS f.root-servers.net.
. 518400 IN NS g.root-servers.net.
. 518400 IN NS h.root-servers.net.
. 518400 IN NS i.root-servers.net.
. 518400 IN NS j.root-servers.net.
. 518400 IN NS k.root-servers.net.
. 518400 IN NS l.root-servers.net.
. 518400 IN NS m.root-servers.net.
de. 172800 IN NS l.de.net.
de. 172800 IN NS f.nic.de.
de. 172800 IN NS a.nic.de.
de. 172800 IN NS n.de.net.
de. 172800 IN NS s.de.net.
de. 172800 IN NS z.nic.de.
uni-passau.de. 86400 IN NS ns.rz.uni-passau.de.
uni-passau.de. 86400 IN NS ns.fim.uni-passau.de.
uni-passau.de. 86400 IN NS ns.forwiss.uni-passau.de.
uni-passau.de. 86400 IN NS dns-1.dfn.de.
fim.uni-passau.de. 7200 IN NS ns.forwiss.uni-passau.de.
fim.uni-passau.de. 7200 IN NS ns.rz.uni-passau.de.
fim.uni-passau.de. 7200 IN NS ns.fim.uni-passau.de.
This problem occurs frequently, but not every time that I run this trace query.
I have attached the debug output from the execution shown above (somewhat polluted by the additional PTR requests for the nameservers it prints, but unfortunately -V5 reveals all queries while -V4 reveals none).
Hi Everyone,
This result was produced on a 32-bit machine. It is real 32-bit hardware from the early 2000's. You can probably reproduce it in a virtual machine.
...
./libtool --tag=CC --quiet --mode=compile gcc -I. -I. -DHAVE_CONFIG_H -DLDNS_TRUST_ANCHOR_FILE="\"/usr/local/etc/unbound/root.key\"" -Wunused-function -Wstrict-prototypes -Wwrite-strings -W -Wall -g -O2 -I/usr/local/include -c ./duration.c -o duration.lo
./duration.c: In function ‘ldns_duration2string’:
./duration.c:265:33: warning: ‘%u’ directive output may be truncated writing between 1 and 10 bytes into a region of size 6 [-Wformat-truncation=]
snprintf(num, count+2, "%uY", (unsigned int) duration->years);
^~
./duration.c:265:32: note: directive argument in the range [1, 2147483647]
snprintf(num, count+2, "%uY", (unsigned int) duration->years);
^~~~~
In file included from /usr/include/stdio.h:862:0,
from ./ldns/config.h:529,
from ./duration.c:40:
/usr/include/i386-linux-gnu/bits/stdio2.h:64:10: note: ‘__builtin___snprintf_chk’ output between 3 and 12 bytes into a destination of size 6
return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
__bos (__s), __fmt, __va_arg_pack ());
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
./duration.c:271:33: warning: ‘%u’ directive output may be truncated writing between 1 and 10 bytes into a region of size 6 [-Wformat-truncation=]
snprintf(num, count+2, "%uM", (unsigned int) duration->months);
^~
./duration.c:271:32: note: directive argument in the range [1, 2147483647]
snprintf(num, count+2, "%uM", (unsigned int) duration->months);
^~~~~
In file included from /usr/include/stdio.h:862:0,
from ./ldns/config.h:529,
from ./duration.c:40:
/usr/include/i386-linux-gnu/bits/stdio2.h:64:10: note: ‘__builtin___snprintf_chk’ output between 3 and 12 bytes into a destination of size 6
return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
__bos (__s), __fmt, __va_arg_pack ());
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
./duration.c:277:33: warning: ‘%u’ directive output may be truncated writing between 1 and 10 bytes into a region of size 6 [-Wformat-truncation=]
snprintf(num, count+2, "%uW", (unsigned int) duration->weeks);
^~
./duration.c:277:32: note: directive argument in the range [1, 2147483647]
snprintf(num, count+2, "%uW", (unsigned int) duration->weeks);
^~~~~
In file included from /usr/include/stdio.h:862:0,
from ./ldns/config.h:529,
from ./duration.c:40:
/usr/include/i386-linux-gnu/bits/stdio2.h:64:10: note: ‘__builtin___snprintf_chk’ output between 3 and 12 bytes into a destination of size 6
return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
__bos (__s), __fmt, __va_arg_pack ());
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
./duration.c:283:33: warning: ‘%u’ directive output may be truncated writing between 1 and 10 bytes into a region of size 6 [-Wformat-truncation=]
snprintf(num, count+2, "%uD", (unsigned int) duration->days);
^~
./duration.c:283:32: note: directive argument in the range [1, 2147483647]
snprintf(num, count+2, "%uD", (unsigned int) duration->days);
^~~~~
In file included from /usr/include/stdio.h:862:0,
from ./ldns/config.h:529,
from ./duration.c:40:
/usr/include/i386-linux-gnu/bits/stdio2.h:64:10: note: ‘__builtin___snprintf_chk’ output between 3 and 12 bytes into a destination of size 6
return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
__bos (__s), __fmt, __va_arg_pack ());
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
./duration.c:292:33: warning: ‘%u’ directive output may be truncated writing between 1 and 10 bytes into a region of size 6 [-Wformat-truncation=]
snprintf(num, count+2, "%uH", (unsigned int) duration->hours);
^~
./duration.c:292:32: note: directive argument in the range [1, 2147483647]
snprintf(num, count+2, "%uH", (unsigned int) duration->hours);
^~~~~
In file included from /usr/include/stdio.h:862:0,
from ./ldns/config.h:529,
from ./duration.c:40:
/usr/include/i386-linux-gnu/bits/stdio2.h:64:10: note: ‘__builtin___snprintf_chk’ output between 3 and 12 bytes into a destination of size 6
return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
__bos (__s), __fmt, __va_arg_pack ());
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
./duration.c:298:33: warning: ‘%u’ directive output may be truncated writing between 1 and 10 bytes into a region of size 6 [-Wformat-truncation=]
snprintf(num, count+2, "%uM", (unsigned int) duration->minutes);
^~
./duration.c:298:32: note: directive argument in the range [1, 2147483647]
snprintf(num, count+2, "%uM", (unsigned int) duration->minutes);
^~~~~
In file included from /usr/include/stdio.h:862:0,
from ./ldns/config.h:529,
from ./duration.c:40:
/usr/include/i386-linux-gnu/bits/stdio2.h:64:10: note: ‘__builtin___snprintf_chk’ output between 3 and 12 bytes into a destination of size 6
return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
__bos (__s), __fmt, __va_arg_pack ());
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
./duration.c:304:33: warning: ‘%u’ directive output may be truncated writing between 1 and 10 bytes into a region of size 6 [-Wformat-truncation=]
snprintf(num, count+2, "%uS", (unsigned int) duration->seconds);
^~
./duration.c:304:32: note: directive argument in the range [1, 2147483647]
snprintf(num, count+2, "%uS", (unsigned int) duration->seconds);
^~~~~
In file included from /usr/include/stdio.h:862:0,
from ./ldns/config.h:529,
from ./duration.c:40:
/usr/include/i386-linux-gnu/bits/stdio2.h:64:10: note: ‘__builtin___snprintf_chk’ output between 3 and 12 bytes into a destination of size 6
return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
__bos (__s), __fmt, __va_arg_pack ());
Björn Jacke 2015-06-10 13:24:24 CEST
something like
ldns-dane verify mail.example.com 25
doesn't work because ldns-dane wants to issue the start tls command and doesn't support start tls initiated TLS connections. It would be nice if ldns-dane would have an option to issue start tls optionally
Previously, we used ndk-r17c to build ldns for Android. In the ndk-r17c toolchain, there is a gcc tool for cross-compiling. Now we have decided to upgrade the NDK to ndk-r20b; however, there is no gcc in ndk-r20b, so I am wondering how to build ldns for Android with ndk-r20b?
ldns 1.7.1 will be released soon. `util.c` has a dirty compile with GCC 8.3. It would be nice to see it cleared before release.
./libtool --tag=CC --quiet --mode=compile gcc -I. -I. -I/var/sanitize/include -DNDEBUG -DHAVE_CONFIG_H -DLDNS_TRUST_ANCHOR_FILE="\"/var/sanitize/etc/unbound/root.key\"" -Wunused-function -Wstrict-prototypes -Wwrite-strings -W -Wall -g2 -O2 -fsanitize=address -fno-omit-frame-pointer -march=native -fPIC -pthread -I/var/sanitize/include -c ./zone.c -o zone.lo
./util.c: In function ‘ldns_b32_ntop_base’:
./util.c:550:14: warning: this statement may fall through [-Wimplicit-fallthrough=]
c = src[3] >> 7 ;
~~^~~~~~~~~~~~~~~~~~~~~~
./util.c:551:2: note: here
case 3: dst[4] = b32[(src[2] & 0x0f) << 1 | c];
^~~~
./util.c:554:7: warning: this statement may fall through [-Wimplicit-fallthrough=]
c = src[2] >> 4 ;
~~^~~~~~~~~~~~~~~~~~~~~~
./util.c:555:2: note: here
case 2: dst[3] = b32[(src[1] & 0x01) << 4 | c];
^~~~
./util.c:561:21: warning: this statement may fall through [-Wimplicit-fallthrough=]
c = src[1] >> 6 ;
~~^~~~~~~~~~~~~~~~~~~~~~
./util.c:562:2: note: here
case 1: dst[1] = b32[(src[0] & 0x07) << 2 | c];
^~~~
./util.c:571:12: warning: this statement may fall through [-Wimplicit-fallthrough=]
dst[3] = '=';
~~~~~~~^~~~~
./util.c:572:4: note: here
case 2: dst[4] = '=';
^~~~
./util.c:572:19: warning: this statement may fall through [-Wimplicit-fallthrough=]
case 2: dst[4] = '=';
~~~~~~~^~~~~
./util.c:573:4: note: here
case 3: dst[5] = '=';
^~~~
./util.c:574:12: warning: this statement may fall through [-Wimplicit-fallthrough=]
dst[6] = '=';
~~~~~~~^~~~~
./util.c:575:4: note: here
case 4: dst[7] = '=';
^~~~
./util.c: In function ‘ldns_b32_pton_base’:
./util.c:698:11: warning: this statement may fall through [-Wimplicit-fallthrough=]
dst[3] = buf[4] << 7 | buf[5] << 2 | buf[6] >> 3;
~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
./util.c:700:3: note: here
case 5: /* ........ ........ ....4444 4....... ........ */
^~~~
./util.c:702:11: warning: this statement may fall through [-Wimplicit-fallthrough=]
dst[2] = buf[3] << 4 | buf[4] >> 1;
~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~
./util.c:704:3: note: here
case 4: /* ........ .......3 3333.... ........ ........ */
^~~~
./util.c:707:11: warning: this statement may fall through [-Wimplicit-fallthrough=]
dst[1] = buf[1] << 6 | buf[2] << 1 | buf[3] >> 4;
~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
./util.c:709:3: note: here
case 2: /* .....111 11...... ........ ........ ........ */
^~~~
Fall through is OK, just mark it as such. Both GCC and Clang will recognize:
case 3: dst[4] = b32[(src[2] & 0x0f) << 1 | c];
/* fall through */
case 2: dst[3] = b32[(src[1] & 0x01) << 4 | c];
/* fall through */
...
https://github.com/matteocorti/check_ssl_cert can check if the TLSA records match the offered certificate (DANE) and can obtain the TLSA records using “dig +short” or “delv +short”. To be able to use a different resolver, like “drill -D” or “drill -DT” that uses the same output/input format, please introduce option `+short` to drill.
When the zone file is parsed, the function ldns_nsec3_salt_data places too much trust in the length value obtained from the zone file. When the memcpy is performed, 0xfe - ldns_rdf_size(salt_rdf) bytes of data can be copied, causing heap information leakage.
Vulnerability location:
w100wcrash-8f078e69e2781bbc4811a12d51df1c8674672306.txt
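The pattern this report describes, a length byte read from zone data being trusted over the real size of the field, shown beside a bounds-checked version. This is an added example, not ldns code: `struct rdf`, `salt_copy_unchecked` and `salt_copy_checked` are hypothetical names, the field layout (one length byte followed by the salt) is an assumption of the example, and the input bytes are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a parsed rdata field: bytes plus their real size.
 * Assumed layout: data[0] = declared salt length, data[1..] = salt bytes. */
struct rdf {
    const uint8_t *data;
    size_t size;
};

/* BEFORE: the length byte from the input alone decides how much is copied. */
uint8_t *salt_copy_unchecked(const struct rdf *salt, size_t *out_len)
{
    if (salt == NULL || salt->size == 0)
        return NULL;
    size_t n = salt->data[0];              /* taken straight from the input */
    uint8_t *copy = malloc(n > 0 ? n : 1);
    if (copy == NULL)
        return NULL;
    memcpy(copy, salt->data + 1, n);       /* can read past salt->size */
    *out_len = n;
    return copy;
}

/* AFTER: the declared length must fit inside the bytes that were parsed. */
uint8_t *salt_copy_checked(const struct rdf *salt, size_t *out_len)
{
    if (salt == NULL || salt->size == 0)
        return NULL;
    size_t n = salt->data[0];
    if (n > salt->size - 1)                /* declared length overruns the field */
        return NULL;
    uint8_t *copy = malloc(n > 0 ? n : 1);
    if (copy == NULL)
        return NULL;
    memcpy(copy, salt->data + 1, n);
    *out_len = n;
    return copy;
}

/* Constructed input. One array models neighbouring heap memory: the field is
 * only the first 3 bytes (length byte 0x08 plus 2 salt bytes); the bytes after
 * it belong to something else. Using a single array keeps the over-read in
 * the unchecked version defined behaviour for this demonstration. */
static const uint8_t arena[16] = {
    0x08, 0xAB, 0xCD,
    'S', 'E', 'C', 'R', 'E', 'T'
};

/* Returns 1 if the unchecked copy handed back bytes from outside the field. */
int unchecked_leaks_neighbour(void)
{
    struct rdf malformed = { arena, 3 };
    size_t len = 0;
    uint8_t *copy = salt_copy_unchecked(&malformed, &len);
    if (copy == NULL)
        return -1;
    int leaked = (len == 8 && memcmp(copy + 2, "SECRET", 6) == 0);
    free(copy);
    return leaked;
}

/* Returns 1 if the checked copy refuses the same malformed field. */
int checked_rejects_malformed(void)
{
    struct rdf malformed = { arena, 3 };
    size_t len = 0;
    return salt_copy_checked(&malformed, &len) == NULL;
}

/* Returns 1 if a well-formed field (length 2, two salt bytes) is copied intact. */
int checked_accepts_wellformed(void)
{
    static const uint8_t ok[3] = { 0x02, 0xAB, 0xCD };
    struct rdf good = { ok, sizeof ok };
    size_t len = 0;
    uint8_t *copy = salt_copy_checked(&good, &len);
    if (copy == NULL)
        return -1;
    int match = (len == 2 && copy[0] == 0xAB && copy[1] == 0xCD);
    free(copy);
    return match;
}

int main(void)
{
    printf("unchecked leaks neighbouring bytes: %d\n", unchecked_leaks_neighbour());
    printf("checked rejects malformed field:    %d\n", checked_rejects_malformed());
    printf("checked accepts well-formed field:  %d\n", checked_accepts_wellformed());
    return 0;
}
```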
The subject line says it all. It appears that the drill command, unlike its BIND counterpart (dig) fails to support the use of the -T and -x options together. The resulting output, if this is attempted, does not actually show a trace.
In contrast, BIND dig supports the use of its +trace and -x options together in one command and then produces expected output.
Relevant version information is as follows:
drill version 1.7.0 (ldns version 1.7.0)
Hi Everyone,
I was looking through some of the self test drivers and came across this comment:
CC = @CC@
CFLAGS = @CFLAGS@
CPPFLAGS = @CPPFLAGS@ @LIBSSL_CPPFLAGS@ -I../..
LDFLAGS = @LDFLAGS@ @LIBSSL_LDFLAGS@ -L../../.libs
LIBS = @LIBS@ @LIBSSL_SSL_LIBS@ -lldns
# Hmmm gcc 4.6.1 expects $(LIBS) as the last argument
COMPILE = $(CC) $(CPPFLAGS) $(CFLAGS)
LINK = $(CC) $(CFLAGS) $(LDFLAGS)
That is actually expected for single pass linkers. Single pass linkers move from left to right looking for symbols. Based on the way the makefile is written (and linker options), I believe the list should be:
LIBS = -lldns @LIBSSL_SSL_LIBS@ @LIBS@
This way, when `-lldns` needs symbols for OpenSSL, the linker will find them because OpenSSL libs follow `-lldns`. And if OpenSSL needs symbols from `-lpthread` or `-ldl`, the linker will find them because `@LIBS@` follows `@LIBSSL_SSL_LIBS@`.
Another trick you can use is to create a "group" to make the linker multi-pass. Below, the linker will visit OpenSSL libs multiple times looking for symbols. This is helpful when there are circular dependencies in libraries.
LIBS = @LIBS@ @LIBSSL_SSL_LIBS@ -lldns @LIBSSL_SSL_LIBS@ @LIBS@
Also see the `ld(1)` man page. Linux's linker actually has an option to make a list of libraries a group. See the `--start-group archives --end-group` option. (But the portable way is to list the library multiple times).
Hi Everyone, @wcawijngaards, @wtoorop,
I'm working on FreeBSD 12.1. `make test` has a small issue:
PASSED: 15 (94 %) FAILED: 1 (6 %) unknown: 0 (0 %)
--------------- Start Output: 02-lint ------------------
!! FAILED !! !! FAILED !!
DateRunEnd: 1583966993
BaseName: 02-lint
Description: Do a make lint on libdns
DateRunStart: 1583966993
--------------- Test Output ------------------
gmake[1]: Entering directory '/usr/home/jwalton/ldns'
for i in ./*.c; do \
splint +quiet -weak -warnposix -unrecog -Din_addr_t=uint32_t -Du_int=unsigned -D
u_char=uint8_t -preproc -Drlimit=rlimit64 -D__gnuc_va_list=va_list "-DBN_ULONG=
unsigned long" -Dkrb5_int32=int "-Dkrb5_ui_4=unsigned int" -DPQ_64BIT=uint64_t -
DRC4_INT=unsigned -fixedformalarray -D"ENGINE=unsigned" -D"RSA=unsigned" -D"DSA=
unsigned" -D"EVP_PKEY=unsigned" -D"EVP_MD=unsigned" -D"SSL=unsigned" -D"SSL_CTX=
unsigned" -D"X509=unsigned" -D"RC4_KEY=unsigned" -D"EVP_MD_CTX=unsigned" -D"EC_K
EY=unsigned" -D"EC_POINT=unsigned" -D"EC_GROUP=unsigned" -D"EVP_PKEY_ASN1_METHOD
=struct evp_pkey_asn1_method_st" -D"EVP_PKEY_CTX=struct evp_pkey_ctx_st" "-Dsigs
et_t=long" "-D__uint16_t=uint16_t" -D"__pure2=" -D"__wchar_t=wchar_t" -D"__packe
d=" -D"__aligned(x)=" -D"__BEGIN_DECLS=" -D"__ssize_t=ssize_t" -D"__intptr_t=int
ptr_t" -D"__nonnull(x)=" -D"__THROW=" -D"__wur=" -D"__off_t=unsigned" -D"__off64
_t=unsigned" -D"__useconds_t=unsigned" -D"__uid_t=unsigned" -D"__gid_t=unsigned"
-D"__attribute_deprecated__=" -D"__pid_t=unsigned" -D"__restrict=" -D"__END_DEC
LS=" -D"__BEGIN_NAMESPACE_STD=" -D"__END_NAMESPACE_STD=" -D"__BEGIN_NAMESPACE_C9
9=" -D"__END_NAMESPACE_C99=" -D"__socklen_t=unsigned" -D"sa_family_t=unsigned "
-D"__mode_t=unsigned" -D"u_int16_t=uint16_t" -D"u_int32_t=uint32_t" -D"u_int8_t
=uint8_t" -D"u_short=unsigned short" -D"__u16=uint16_t" -D"__u32=uint32_t" -D"__
u64=uint64_t" -D"_RuneLocale=int" -I. -I. ./$i ; \
if test $? -ne 0 ; then exit 1 ; fi ; \
done
/usr/include/pthread.h:208:27: Parse Error:
New function scope inside function. (For help on parse errors,
see splint -help parseerrors.)
*** Cannot continue.
gmake[1]: *** [Makefile:483: lint-lib] Error 1
gmake[1]: Leaving directory '/usr/home/jwalton/ldns'
exit code: 2
--------------- End Output: 02-lint ------------------
And:
$ cat -n /usr/include/pthread.h
1 /*-
2 * SPDX-License-Identifier: BSD-4-Clause
...
204 int pthread_cond_signal(pthread_cond_t *);
205 int pthread_cond_timedwait(pthread_cond_t *,
206 pthread_mutex_t * __mutex,
207 const struct timespec *)
208 __requires_exclusive(*__mutex);
209 int pthread_cond_wait(pthread_cond_t * __restrict,
210 pthread_mutex_t * __restrict __mutex)
211 __requires_exclusive(*__mutex);
...
I don't have experience with `splint` so it would probably be a good idea if someone else looked at the issue.
Related, I'd be interested in learning how well Splint performs nowadays. According to its manual, Splint is from 2010. Does Splint find things that modern GCC, Clang or Coverity does not? Is it worth the maintenance costs?
Two name servers behind aegee.org return correct NSEC records and two of the name servers return broken NSEC. For TLSA _25._tcp.mail.aegee.org `drill -TDV5` tries to obtain NS and DS records for mail.aegee.org and as this fails (sometimes), the resulting TLSA records cannot be validated. „unbound-host -v -t tlsa _25._tcp.mail.aegee.org“ also prints (insecure). I have not checked why, but I guess it is for this reason.
However https://viewdns.info/dnssec/?domain=_25._tcp.mail.aegee.org and https://dnsviz.net/d/_25._tcp.mail.aegee.org/dnssec/ validate the TLSA record always.
Can the logic of drill/unbound be changed, so that it can validate the TLSA records, even if NSEC is broken?
Copied from bugzilla
Viachaslau Khalikin 2018-08-09 17:01:33 CEST
At the moment drill interprets the Cyrillic domain as an escape sequence instead of punycode. As a result, DNS does not give the right entry.
I'm working on an iOS port of LDNS. I'm working from Master. I'm catching an error during compile:
./libtool --tag=CC --quiet --mode=compile clang -I. -I. -DHAVE_CONFIG_H -DLDNS_TRUST_ANCHOR_FILE="\"/Users
/travis/AppleTVOS-arm64/etc/unbound/root.key\"" -Wunused-function -Wstrict-prototypes -Wwrite-strings -W -Wall
-arch arm64 -mappletvos-version-min=6 --sysroot=/Applications/Xcode-10.1.app/Contents/Developer/Platforms
/AppleTVOS.platform/Developer/SDKs/AppleTVOS12.1.sdk -I/Users/travis/AppleTVOS-arm64/include -c
examples/ldns-testns.c -o examples/ldns-testns.o
./examples/ldns-testns.c:429:15: error: 'fork' is unavailable: not available on tvOS
pid_t pid = fork();
^
/Applications/Xcode-10.1.app/Contents/Developer/Platforms/AppleTVOS.platform/Developer/SDKs/AppleTVOS12.1.sdk
/usr/include/unistd.h:446:8: note: 'fork' has been explicitly marked unavailable here
pid_t fork(void) __WATCHOS_PROHIBITED __TVOS_PROHIBITED;
^
1 error generated.
make: *** [examples/ldns-testns.lo] Error 1
This will affect AppleTVOS, WatchOS, AppleTVSimulator and WatchSimulator.
I guess we will omit `--with-examples` from iOS builds. But the report was filed in case LDNS wants to do something more with it.
ldns $ grep -IR 'fork()'
examples/ldns-testns.c: log_msg("fork() not available.\n");
examples/ldns-testns.c: pid_t pid = fork();
acx_nlnetlabs.m4: if((p=fork()) == 0) {
Hi,
I noticed ldns-read-zone -czs and verify-zone taking a long time over a big zonefile. Only one core of a multicore CPU was used.
How can we speed this up by using all cores?
Thanks
With release tarball 1.7.1 I can no longer build ldns outside its source tree.
If I run this from a directory next to the unpacked tarball:
../ldns-1.7.1/configure
make
make DESTDIR=$(pwd)/test install
I get the following error message from make install:
make: *** No rule to make target 'packaging/libldns.pc.in', needed by 'packaging/libldns.pc'. Stop.
Makefile.in tries to reference it relative to the generated Makefile (i.e. as 'packaging/libldns.pc.in') instead of prefixing it with $(srcdir).
Pull request #41 seems to fix it for me.
Example of broken zone:
. 0 IN SOA . . 0 0 0 0 0
ns1.exporterapp.com 86400 IN NS ns1.exporterapp.com
ns1.exporterapp.com 86400 IN NS ns2.exporterapp.com
ns1.exporterapp.com 86400 IN NS ns3.exporterapp.com
ns1.exporterapp.com 86400 IN NS ns4.exporterapp.com
ns1.exporterapp.com 14400 IN A 5.9.101.204
ns1.exporterapp.com 14400 IN AAAA 5.9.101.204
ns2.exporterapp.com 14400 IN A 5.9.101.204
ns2.exporterapp.com 14400 IN AAAA 5.9.101.204
This zone produces output:
Syntax error, could not parse the RR's rdata at 7
7 what? I originally thought it is a file offset and only after finding the problem realized it is a line number! :-) Please rephrase it to something like `rdata at line 7` or something.
One of my systems can only access the IPv6 internet via a tunnel, so I have increased the precedence of IPv4 over IPv6 in `/etc/gai.conf`:
$ cat /etc/gai.conf
# Configuration for getaddrinfo(3).
# […]
# precedence <mask> <value>
# Add another rule to the RFC 3484 precedence table. See section 2.1
# and 10.3 in RFC 3484. The default is: […]
#
# For sites which prefer IPv4 connections change the last line to
precedence ::ffff:0:0/96 100
Most programs (including, for example, `dig`) respect this and use IPv4 to connect to dual-stack hosts (`a.iana-servers.net` in this example):
$ dig example.com @a.iana-servers.net.
;; ANSWER SECTION:
example.com. 86400 IN A 93.184.216.34
;; SERVER: 199.43.135.53#53(199.43.135.53)
drill, however, does not:
$ drill example.com @a.iana-servers.net.
;; ANSWER SECTION:
example.com. 86400 IN A 93.184.216.34
;; SERVER: 2001:500:8f::53
The same happens in trace mode (`-T`), which is where I originally discovered this behaviour.
It appears that configure.ac isn't accounting for LibreSSL, which should support ED25519.
I'm unclear of whether this is a problem with autoconf or how the checks are being done here, but wanted to bring it up regardless for visibility.
I finally got something I could test... A `git clone` provided it.
It looks like the source of `tpkg` was not provided, so it could not be built:
**********************
Testing package
**********************
if test -x "`which bash`"; then bash test/test_all.sh; else sh test/test_all.sh; fi
start the test at Wed May 15 21:52:01 EDT 2019 in /home/jwalton/Build-Scripts/ldns-master/test
test/test_all.sh: line 21: /home/jwalton/repos/tpkg/tpkg: No such file or directory
test/test_all.sh: line 22: /home/jwalton/repos/tpkg/tpkg: No such file or directory
test/test_all.sh: line 23: /home/jwalton/repos/tpkg/tpkg: No such file or directory
test/test_all.sh: line 24: /home/jwalton/repos/tpkg/tpkg: No such file or directory
test/test_all.sh: line 25: /home/jwalton/repos/tpkg/tpkg: No such file or directory
test/test_all.sh: line 26: /home/jwalton/repos/tpkg/tpkg: No such file or directory
test/test_all.sh: line 27: /home/jwalton/repos/tpkg/tpkg: No such file or directory
test/test_all.sh: line 28: /home/jwalton/repos/tpkg/tpkg: No such file or directory
which: no indent in (/usr/share/Modules/bin:/usr/local/bin:/usr/local/sbin:/bin:/sbin:/usr/bin:/usr/sbin:/opt/local/bin)
test/test_all.sh: line 29: /home/jwalton/repos/tpkg/tpkg: No such file or directory
/home/jwalton/repos/tpkg/tpkg -a ../.. exe 01-compile.tpkg
test/test_all.sh: line 35: /home/jwalton/repos/tpkg/tpkg: No such file or directory
/home/jwalton/repos/tpkg/tpkg -a ../.. exe 02-lint.tpkg
test/test_all.sh: line 35: /home/jwalton/repos/tpkg/tpkg: No such file or directory
/home/jwalton/repos/tpkg/tpkg -a ../.. exe 03-run.tpkg
test/test_all.sh: line 35: /home/jwalton/repos/tpkg/tpkg: No such file or directory
/home/jwalton/repos/tpkg/tpkg -a ../.. exe 04-run-normal.tpkg
test/test_all.sh: line 35: /home/jwalton/repos/tpkg/tpkg: No such file or directory
/home/jwalton/repos/tpkg/tpkg -a ../.. exe 05-iana-rr-types.tpkg
test/test_all.sh: line 35: /home/jwalton/repos/tpkg/tpkg: No such file or directory
/home/jwalton/repos/tpkg/tpkg -a ../.. exe 08-zonereader.tpkg
test/test_all.sh: line 35: /home/jwalton/repos/tpkg/tpkg: No such file or directory
/home/jwalton/repos/tpkg/tpkg -a ../.. exe 09-doc-check.tpkg
test/test_all.sh: line 35: /home/jwalton/repos/tpkg/tpkg: No such file or directory
/home/jwalton/repos/tpkg/tpkg -a ../.. exe 12-unit-tests-dnssec.tpkg
test/test_all.sh: line 35: /home/jwalton/repos/tpkg/tpkg: No such file or directory
/home/jwalton/repos/tpkg/tpkg -a ../.. exe 13-unit-tests-base.tpkg
test/test_all.sh: line 35: /home/jwalton/repos/tpkg/tpkg: No such file or directory
/home/jwalton/repos/tpkg/tpkg -a ../.. exe 14-read-zone.tpkg
test/test_all.sh: line 35: /home/jwalton/repos/tpkg/tpkg: No such file or directory
/home/jwalton/repos/tpkg/tpkg -a ../.. exe 15-unit-tests-rrtypes.tpkg
test/test_all.sh: line 35: /home/jwalton/repos/tpkg/tpkg: No such file or directory
/home/jwalton/repos/tpkg/tpkg -a ../.. exe 16-compile-builddir.tpkg
test/test_all.sh: line 35: /home/jwalton/repos/tpkg/tpkg: No such file or directory
/home/jwalton/repos/tpkg/tpkg -a ../.. exe 17-stub-resolver.tpkg
test/test_all.sh: line 35: /home/jwalton/repos/tpkg/tpkg: No such file or directory
/home/jwalton/repos/tpkg/tpkg -a ../.. exe 18-drill-tests1.tpkg
test/test_all.sh: line 35: /home/jwalton/repos/tpkg/tpkg: No such file or directory
/home/jwalton/repos/tpkg/tpkg -a ../.. exe 19-keygen.tpkg
test/test_all.sh: line 35: /home/jwalton/repos/tpkg/tpkg: No such file or directory
/home/jwalton/repos/tpkg/tpkg -a ../.. exe 20-sign-zone.tpkg
test/test_all.sh: line 35: /home/jwalton/repos/tpkg/tpkg: No such file or directory
/home/jwalton/repos/tpkg/tpkg -a ../.. exe 30-load-pyldns.tpkg
test/test_all.sh: line 35: /home/jwalton/repos/tpkg/tpkg: No such file or directory
/home/jwalton/repos/tpkg/tpkg -a ../.. exe 31-load-pyldnsx.tpkg
test/test_all.sh: line 35: /home/jwalton/repos/tpkg/tpkg: No such file or directory
/home/jwalton/repos/tpkg/tpkg -a ../.. exe 32-unbound-regression.tpkg
test/test_all.sh: line 35: /home/jwalton/repos/tpkg/tpkg: No such file or directory
/home/jwalton/repos/tpkg/tpkg -a ../.. exe 999-compile-nossl.tpkg
test/test_all.sh: line 35: /home/jwalton/repos/tpkg/tpkg: No such file or directory
/home/jwalton/repos/tpkg/tpkg -a ../.. exe codingstyle.tpkg
test/test_all.sh: line 35: /home/jwalton/repos/tpkg/tpkg: No such file or directory
finished the test at Wed May 15 21:52:01 EDT 2019 in /home/jwalton/Build-Scripts/ldns-master/test
test/test_all.sh: line 38: /home/jwalton/repos/tpkg/tpkg: No such file or directory
Please provide us with everything we need for testing this library.
See:
if (verbosity >= 5) {
printf("VERIFY DENIAL FROM:\n");
ldns_pkt_print(stdout, pkt);
}
for example:
VERIFY DENIAL FROM:
null[U] No data found for: csas.cz. type A
;;[S] self sig OK; [B] bogus; [T] trusted
(see the "null" above)
I have seen this for a few domains that have:
... id: 0
;; Query time: 0 msec
...
;; MSG SIZE rcvd: 0
But the verbose output doesn't show what the problem is. Maybe because no SERVER?
In output I am missing several SERVER: lines. Why is _answerfrom not defined? (Maybe this is related.)
The following tools are not supporting the $INCLUDE directive (version 1.7.1):
Isn't ldns supposed to be compliant to rfc1035? There is no error, no warning, the $INCLUDE directive gets silently ignored. Is there another tool I'm supposed to use in order to compile a zone file when signing it? (I'm using nsd for the DNS server, I did not find such a compile zonefile tool within nsd)
I'm trying to build ldns from sources. I'm still trying to test the library, so I thought I'd give `git clone` a try since the test files are present. (I performed a `git checkout release-1.7.0` after the clone).
Attempting to `autoreconf -f -i` seems to work until `configure` is run:
checking for minix/config.h... no
checking whether it is safe to define __EXTENSIONS__... yes
configure: error: cannot find install-sh, install.sh, or shtool in "." "./.." "./../.."
Failed to configure LDNS
When I open `configure.ac` and add `AM_INIT_AUTOMAKE` to install the missing files:
AC_INIT(ldns, m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]), [email protected], libdns)
AM_INIT_AUTOMAKE
AC_CONFIG_SRCDIR([packet.c])
`autoreconf -f -i` results in:
$ autoreconf -f -i
libtoolize: putting auxiliary files in '.'.
libtoolize: copying file './ltmain.sh'
libtoolize: putting macros in AC_CONFIG_MACRO_DIRS, 'm4'.
libtoolize: copying file 'm4/libtool.m4'
libtoolize: copying file 'm4/ltoptions.m4'
libtoolize: copying file 'm4/ltsugar.m4'
libtoolize: copying file 'm4/ltversion.m4'
libtoolize: copying file 'm4/lt~obsolete.m4'
libtoolize: Consider adding '-I m4' to ACLOCAL_AMFLAGS in Makefile.am.
configure.ac:34: installing './compile'
configure.ac:38: installing './config.guess'
configure.ac:38: installing './config.sub'
configure.ac:11: installing './install-sh'
configure.ac:11: installing './missing'
automake: error: no 'Makefile.am' found for any configure output
autoreconf: automake failed with exit status: 1
I'm not sure how to proceed.
Do you need help with a `Makefile.am`? Or is there something else we can do to support ldns?
I'm happy to help so `make check` runs the self tests. I've got to be able to test this library.
When I call `drill -DTtV5 TLSA _25._tcp.mail.aegee.org`, it prints some `SERVER: <ip-address>` sections and the IP address changes over time to the different name servers offered for “aegee.org”.
Does drill on purpose not reuse the TCP connection established to one of the name servers?
Hi all,
we are using ldns in our software Tstat to have log files for DNS traffic. We were using the ldns_rr2str() function, but we noticed a slow memory leak which was causing our program to saturate the memory in the long term.
We managed to use a workaround. My guess is that the leak is inside the ldns_buffer_export2str() function. Our workaround was based on the re-writing of the ldns_rr2str() as follows:
#include <stdlib.h>
#include <string.h>
#include <ldns/ldns.h>

/* MAX_STR_DNS is the poster's own constant; its definition is not shown */
static inline char * my_ldns_rr2str(ldns_rr * rr){
    ldns_buffer *tmp_buffer = ldns_buffer_new(MAX_STR_DNS);
    if (!tmp_buffer)
        return NULL;
    /* Render the RR as text into the temporary buffer */
    int ret = ldns_rr2buffer_str_fmt(tmp_buffer, ldns_output_format_default, rr);
    if (ret != LDNS_STATUS_OK ){
        ldns_buffer_free(tmp_buffer);
        return NULL;
    }
    /* Copy the rendered bytes into a NUL-terminated string; the caller must free() it */
    char * rr_str = malloc(tmp_buffer->_position + 1);
    if (!rr_str){
        ldns_buffer_free(tmp_buffer);
        return NULL;
    }
    memcpy(rr_str, tmp_buffer->_data, tmp_buffer->_position);
    rr_str[tmp_buffer->_position] = '\0';
    ldns_buffer_free(tmp_buffer);
    return rr_str;
}
In trace (-T) output show glue record returned from overlying ns if set verbose level
I did not see any convenient tool that would show the entire chain of addresses through which the request is made.
The following patch is for:
diff --git a/drill/securetrace.c b/drill/securetrace.c
index 6967265d..63259cc8 100644
--- a/drill/securetrace.c
+++ b/drill/securetrace.c
@@ -520,8 +520,8 @@ do_secure_trace(ldns_resolver *local_res, ldns_rdf *name, ldns_rr_type t,
labels[i-1]);
printf(", but valid CNAME");
} else {
- printf("[B] Unable to verify de"
- "nial of existence for ");
+ printf(BOGUS " Unable to verify "
+ "denial of existence for ");
ldns_rdf_print(stdout,
labels[i-1]);
printf(", because of BOGUS CNAME");
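Review bot: BOGUS is spliced into the printf format string by literal concatenation in the else branch (printf(BOGUS " Unable to verify " ...)), so the marker text is parsed as part of the format. Passing it as an argument instead, printf("%s Unable to verify denial of existence for ", BOGUS), keeps the marker out of the format and keeps compiling if BOGUS ever stops being a plain string literal. The same point applies to the identical replacements in the hunks at lines 644 and 748.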
@@ -644,7 +644,7 @@ do_secure_trace(ldns_resolver *local_res, ldns_rdf *name, ldns_rr_type t,
printf(";; No DS for ");
ldns_rdf_print(stdout, labels[i - 1]);
} else {
- printf("[B] Unable to verify denial of existence for ");
+ printf(BOGUS " Unable to verify denial of existence for ");
ldns_rdf_print(stdout, labels[i - 1]);
printf(" DS: %s\n", ldns_get_errorstr_by_id(status));
}
@@ -748,7 +748,7 @@ do_secure_trace(ldns_resolver *local_res, ldns_rdf *name, ldns_rr_type t,
}
printf("\n");
} else {
- printf("[B] Unable to verify denial of existence for ");
+ printf(BOGUS " Unable to verify denial of existence for ");
ldns_rdf_print(stdout, name);
printf(" type ");
if (descriptor && descriptor->_name) {
@@ -774,7 +774,7 @@ do_secure_trace(ldns_resolver *local_res, ldns_rdf *name, ldns_rr_type t,
ldns_rr_list_deep_free(ds_sig_list);
ds_sig_list = NULL;
}
- printf(";;" SELF " self sig OK; " BOGUS " bogus; " TRUST " trusted\n");
+ printf(";;" SELF " self sig OK; " BOGUS " bogus; " TRUST " trusted; " UNSIGNED " unsigned\n");
/* verbose mode?
printf("Trusted keys:\n");
ldns_rr_list_print(stdout, trusted_keys);
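Review bot: The legend line now references UNSIGNED, but no definition of that macro appears anywhere in this patch; unless it is already defined next to SELF, BOGUS and TRUST, the build breaks at this printf, so the definition belongs in the same change. The patch description only mentions showing glue records in verbose trace output, so this user-visible legend change should also be named in the commit message.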
diff --git a/host2str.c b/host2str.c
index 3ca23c20..bfa9cbc5 100644
--- a/host2str.c
+++ b/host2str.c
@@ -1984,6 +1984,8 @@ ldns_pkt2buffer_str_fmt(ldns_buffer *output,
ldns_buffer_printf(output, ";; MSG SIZE rcvd: %d\n",
(int)ldns_pkt_size(pkt));
+
+ ldns_buffer_printf(output, "\n");
} else {
return ldns_buffer_status(output);
}
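Review bot: The added ldns_buffer_printf(output, "\n") is in ldns_pkt2buffer_str_fmt in host2str.c, which is library code, so every caller that formats a packet gets an extra trailing blank line after ";; MSG SIZE rcvd", not only drill's trace output. If the goal is spacing in drill -T, print the separator in drill after it prints the packet and leave the library output unchanged; otherwise the output change needs to be documented for library users.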
The 1.7.1 RC1 code suggests that ldns-notify can now sign a NOTIFY message with more than the hmac-md5 algorithm. However, there is no mention of it in the man page.
Hi Everyone,
You may want to pick this commit up: https://github.com/noloader/ldns/commit/fd2fce1a0f9f9214 .
The commit enables GCC and Clang testing on Linux Aarch64 and PowerPC64 arches.
You can verify the build worker architecture by looking at the job details. In the attached image, notice "Arm64" architecture:
Here is the updated .travis.yml file. You can drop it in place: travis.yml.zip
Hi Everyone,
I'm testing ldns 1.7.0 from the release tarball. make builds the library OK. make test is failing after the build:
make test
...
if test -x "`which bash`"; then bash test/test_all.sh; else sh test/test_all.sh; fi
bash: test/test_all.sh: No such file or directory
gmake: *** [Makefile:461: test] Error 127
Maybe that test should be [ -f test/test_all.sh] or don't try the self tests.
drill -DT CAA bapha.be returns currently
[T] bapha.be. 86400 IN DS 40930 8 1 21030062ada4568f20ec47c85ecfb70a29798ac4
bapha.be. 86400 IN DS 40930 8 2 36adf92655d9fe7f68aed69d1afc086cb9f3a6b8a46b71ee39176b6ce45cf33b
;; Domain: bapha.be.
[T] bapha.be. 3600 IN DNSKEY 256 3 8 ;{id = 34233 (zsk), size = 2048b}
bapha.be. 3600 IN DNSKEY 257 3 8 ;{id = 40930 (ksk), size = 2048b}
[U] bapha.be. 3600 IN CAA 0 issue "letsencrypt.org"
bapha.be. 3600 IN CAA 0 iodef "mailto:[email protected]"
bapha.be. 3600 IN CAA 0 issuewild ";"
;;[S] self sig OK; [B] bogus; [T] trusted
[U]
Asan testing is producing some findings in 13-unit-tests-base.c. Also see Travis test results.
==5323==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 195 byte(s) in 11 object(s) allocated from:
#0 0x7f0df9b5db50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
#1 0x55f7923b25a2 in test_base32_decode_extended_hex 13-unit-tests-base.c:250
Direct leak of 135 byte(s) in 9 object(s) allocated from:
#0 0x7f0df9b5db50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
#1 0x55f7923b2052 in test_base32_decode 13-unit-tests-base.c:158
Direct leak of 55 byte(s) in 10 object(s) allocated from:
#0 0x7f0df9b5db50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
#1 0x55f7923b1ab0 in test_base64_decode 13-unit-tests-base.c:68
SUMMARY: AddressSanitizer: 385 byte(s) leaked in 30 allocation(s).
It looks like ed25519 support was added nearly 2 years ago. Are there any plans to release it anytime soon?
I'm specifically using ldns-signzone, and would really like to replace some of my SHA1-based signatures.
Thanks!
ldns-signzone inserts in a zone file NSEC records with TTL 170800 and the corresponding RRSIG of the NSEC have the same TTL. Where does this value come from and how can it be changed?
For getting the service records from consul (https://www.consul.io/docs/agent/dns.html#standard-lookup) normally I could do:
$ dig @10.0.0.2 -p 8600 <service>.service.consul SRV
But I can't find a way to get the records using drill
In some cases I get the warning:
;; WARNING: The answer packet was truncated; you might want to
;; query again with TCP (-t argument), or EDNS0 (-b for buffer size)
but I still can't get the records using option -t or -b
Any ideas?
I have been using as an alternative host, for example:
host -t srv consul.service.consul
Trying this in latest stable FreeBSD 12.1, drill version 1.7.0 (ldns version 1.7.0)
I am trying querying directly the consul server at port 8600 or an unbound with this configuration:
#Allow insecure queries to local resolvers
server:
    do-not-query-localhost: no
    domain-insecure: "consul"
#Add consul as a stub-zone
stub-zone:
    name: "consul"
    stub-addr: 127.0.0.1@8600
Hi Everyone,
From the low hanging fruit department... Build with -fsanitize=undefined and run the self tests:
CFLAGS="-DNDEBUG -g2 -O3 -fsanitize=undefined" ./make-master.sh
...
CFLAGS="-DNDEBUG -g2 -O3 -fsanitize=undefined" make test
...
make-master.sh just bootstraps the Autotools gear, runs configure, and then runs make. After the tests run, inspect for runtime errors:
ldns$ grep -IR 'runtime error:'
test/result.08-zonereader:util.c:298:10: runtime error: signed integer overflow: -1264526704 - 1582503583 cannot be represented in type 'int'
One finding is very good.
The code for the util.c finding is:
static int64_t
ldns_serial_arithmitics_time(int32_t time, time_t now)
{
    int32_t offset = time - (int32_t) now;
    return (int64_t) now + offset;
}
I'm guessing you will need to move to int64_t, or use an unsigned type. Unsigned types do not suffer signed overflow. Rather, unsigned types experience unsigned wrap and that is well defined per the C standards.
Trying both uint64_t and uint64_t consistently in the function results in the following failure. Both clear the undefined behavior, but both also arrive at the wrong result.
[08-zonereader] [log] Extracting...
[08-zonereader] [log] Executing test
[08-zonereader] [warning] Test executed with errors: 1.
[08-zonereader] [log] !! FAILED !!
[08-zonereader] [log] Removing temp directory 08-zonereader.s4uv7F
[08-zonereader] [log] Cleaning up
I'm going to turn this over to the experts.
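Added example, not part of the report above and not ldns code: one way to compute the 32-bit serial-arithmetic offset without signed overflow is to subtract modulo 2^32 in uint32_t and then sign-extend the difference by hand. The function names are hypothetical, now is taken as int64_t instead of time_t so the result does not depend on the platform's time_t width, and the inputs in main are the two values from the sanitizer message.

```c
#include <stdint.h>
#include <stdio.h>

/* Returns 1 when a - b does not fit in int32_t, which is the condition
 * -fsanitize=undefined reported for the subtraction in util.c. */
int sub_overflows_int32(int32_t a, int32_t b)
{
    int64_t wide = (int64_t)a - (int64_t)b;
    return wide < INT32_MIN || wide > INT32_MAX;
}

/* Map a 32-bit wire timestamp to the 64-bit time closest to `now`.
 * The subtraction is done in uint32_t, where wrap-around is defined,
 * and the difference is then interpreted as a signed 32-bit distance
 * without relying on an implementation-defined cast. */
int64_t serial_time_wrapsafe(int32_t time, int64_t now)
{
    uint32_t diff = (uint32_t)time - (uint32_t)now;   /* modulo 2^32 */
    int64_t offset = diff < 0x80000000u
        ? (int64_t)diff                    /* timestamp is ahead of now */
        : (int64_t)diff - 4294967296LL;    /* timestamp is behind now   */
    return now + offset;
}

int main(void)
{
    /* Constructed from the numbers in the runtime error quoted above */
    int32_t time = -1264526704;
    int64_t now = 1582503583LL;

    printf("int32 subtraction overflows: %d\n", sub_overflows_int32(time, (int32_t)now));
    printf("wrap-safe result: %lld\n", (long long)serial_time_wrapsafe(time, now));
    /* A timestamp 100 seconds in the past stays 100 seconds in the past */
    printf("past timestamp: %lld\n", (long long)serial_time_wrapsafe(1582503483, now));
    return 0;
}
```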
[email protected] 2014-02-04 13:51:16 CET
Drill is a great dig alternative; it would be even better if it would support +short like dig does.
When extracting the owner from an ldns packet, it seems a trailing dot is always appended. Is it possible to get the owner without trailing dot?
Possibly relevant:
Lines 46 to 50 in 2131ed5
$ dig @127.0.0.1 google.com
server
fprintf(stdout, "owner: %s\n", ldns_rdf2str(ldns_rr_owner(...)));
stdout
owner: google.com.
When a WKS record has services whose port number is over 65528, ldns_rdf2buffer_str_wks never returns.
In host2str.c:841 (in 1.7.1)
822 uint16_t current_service;
// ...
840 for (current_service = 0;
841 current_service < (ldns_rdf_size(rdf)-1)*8; current_service++) {
In this case, (ldns_rdf_size(rdf)-1)* 8 is 65536 but the variable current_service is uint16_t, so it overflows after checking port 65535 and the condition never becomes false.
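Added example, not part of the report above and not ldns code: a stand-alone model of the loop shape described in the report, next to a variant with a wider counter and a length check. The function names, the MSB-first bit order and the max_iter cap (there only so the demonstration returns) are assumptions of this example; the bitmap is constructed sample data.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed sample: 8192-byte port bitmap with ports 25 and 65535 set. */
const uint8_t *demo_bitmap(void)
{
    static uint8_t bm[8192];
    bm[25 / 8] |= (uint8_t)(0x80 >> (25 % 8));
    bm[65535 / 8] |= (uint8_t)(0x80 >> (65535 % 8));
    return bm;
}

/* Same loop shape as the quoted code: a uint16_t counter compared against
 * bitmap_len * 8. Returns the number of set bits, or -1 when max_iter
 * iterations pass without the loop condition becoming false. */
long count_services_u16(const uint8_t *bitmap, size_t bitmap_len,
                        unsigned long max_iter)
{
    long found = 0;
    unsigned long iter = 0;
    uint16_t current_service;

    for (current_service = 0; current_service < bitmap_len * 8;
         current_service++) {
        if (++iter > max_iter)
            return -1;   /* counter wrapped to 0; bound is unreachable */
        if (bitmap[current_service / 8] & (0x80 >> (current_service % 8)))
            found++;
    }
    return found;
}

/* Hardened variant: the counter is wider than the bound, and bitmaps that
 * describe more than 65536 ports are rejected (-2) before iterating. */
long count_services_wide(const uint8_t *bitmap, size_t bitmap_len)
{
    long found = 0;
    uint32_t svc;

    if (bitmap_len > 8192)
        return -2;
    for (svc = 0; svc < bitmap_len * 8; svc++) {
        if (bitmap[svc / 8] & (0x80 >> (svc % 8)))
            found++;
    }
    return found;
}

int main(void)
{
    const uint8_t *bm = demo_bitmap();
    printf("u16, 8191 bytes: %ld\n", count_services_u16(bm, 8191, 200000UL));
    printf("u16, 8192 bytes: %ld\n", count_services_u16(bm, 8192, 200000UL));
    printf("wide, 8192 bytes: %ld\n", count_services_wide(bm, 8192));
    return 0;
}
```

With 8191 bitmap bytes the bound is 65528 and the 16-bit loop still ends; the extra byte that makes the bound 65536 is what keeps it running.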
Asan testing is producing some findings in 12-unit-tests-dnssec.c. Also see Travis test results.
==5141==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 48 byte(s) in 1 object(s) allocated from:
#0 0x7f913b6fbb50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
#1 0x7f913b3cce4a in ldns_rr_new rr.c:27
Indirect leak of 48 byte(s) in 2 object(s) allocated from:
#0 0x7f913b6fbb50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
#1 0x7f913b3c5b4d in ldns_rdf_new_frm_data rdata.c:203
Indirect leak of 20 byte(s) in 2 object(s) allocated from:
#0 0x7f913b6fbb50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
#1 0x7f913b3c5b61 in ldns_rdf_new_frm_data rdata.c:207
Indirect leak of 8 byte(s) in 1 object(s) allocated from:
#0 0x7f913b6fbb50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
#1 0x7f913b3cd015 in ldns_rr_push_rdf rr.c:860
SUMMARY: AddressSanitizer: 124 byte(s) leaked in 6 allocation(s).
selfagency-macpro:~ daniel$ brew install ldns --HEAD
Updating Homebrew...
==> Downloading https://nlnetlabs.nl/downloads/ldns/ldns-1.7.0.tar.gz
Already downloaded: /Users/daniel/Library/Caches/Homebrew/downloads/95bb5b8984276f4dd8d6ce135b473e8a28545114332949a45e98d840d8f1626b--ldns-1.7.0.tar.gz
==> ./configure --prefix=/usr/local/Cellar/ldns/1.7.0_1 --with-drill --with-examples --with-ssl=/usr/local/opt/openssl --with-pyldns PYTHON_SITE_PKG=/usr/local/Cellar/ldns/1.7.0_1/lib/python2.7/site-packages --disable-dane-verify
==> make
Last 15 lines from /Users/daniel/Library/Logs/Homebrew/ldns/02.make:
./libtool --tag=CC --quiet --mode=link clang -Wunused-function -Wstrict-prototypes -Wwrite-strings -W -Wall -g -O2 -mmacosx-version-min=10.10 -isysroot /Applications/Xcode-beta.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.15.sdk -L/usr/local/opt/openssl/lib examples/ldns-dpa.lo -lpcap -lldns \
-o examples/ldns-dpa
./libtool --tag=CC --quiet --mode=link clang -Wunused-function -Wstrict-prototypes -Wwrite-strings -W -Wall -g -O2 -mmacosx-version-min=10.10 -isysroot /Applications/Xcode-beta.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.15.sdk -L/usr/local/opt/openssl/lib examples/ldns-dane.lo -lssl -lcrypto -lldns \
-o examples/ldns-dane
./libtool --tag=CC --quiet --mode=link clang -Wunused-function -Wstrict-prototypes -Wwrite-strings -W -Wall -g -O2 -mmacosx-version-min=10.10 -isysroot /Applications/Xcode-beta.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.15.sdk -L/usr/local/opt/openssl/lib examples/ldns-nsec3-hash.lo -lcrypto -lldns -o examples/ldns-nsec3-hash
./libtool --tag=CC --quiet --mode=link clang -Wunused-function -Wstrict-prototypes -Wwrite-strings -W -Wall -g -O2 -mmacosx-version-min=10.10 -isysroot /Applications/Xcode-beta.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.15.sdk -L/usr/local/opt/openssl/lib examples/ldns-revoke.lo -lcrypto -lldns -o examples/ldns-revoke
./libtool --tag=CC --quiet --mode=link clang -Wunused-function -Wstrict-prototypes -Wwrite-strings -W -Wall -g -O2 -mmacosx-version-min=10.10 -isysroot /Applications/Xcode-beta.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.15.sdk -L/usr/local/opt/openssl/lib examples/ldns-signzone.lo -lcrypto -lldns -o examples/ldns-signzone
./libtool --tag=CC --quiet --mode=link clang -Wunused-function -Wstrict-prototypes -Wwrite-strings -W -Wall -g -O2 -mmacosx-version-min=10.10 -isysroot /Applications/Xcode-beta.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.15.sdk -L/usr/local/opt/openssl/lib examples/ldns-verify-zone.lo -lcrypto -lldns -o examples/ldns-verify-zone
./libtool --tag=CC --quiet --mode=link clang -Wunused-function -Wstrict-prototypes -Wwrite-strings -W -Wall -g -O2 -mmacosx-version-min=10.10 -isysroot /Applications/Xcode-beta.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.15.sdk -L/usr/local/opt/openssl/lib linktest.lo -lcrypto -lldns -o linktest
./libtool --tag=CC --quiet --mode=compile clang -I. -I. -DHAVE_CONFIG_H -DLDNS_TRUST_ANCHOR_FILE="\"/usr/local/Cellar/ldns/1.7.0_1/etc/unbound/root.key\"" -Wunused-function -Wstrict-prototypes -Wwrite-strings -W -Wall -g -O2 -mmacosx-version-min=10.10 -isysroot /Applications/Xcode-beta.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.15.sdk -I./include/ldns -I/usr/local/opt/openssl/include -I/System/Library/Frameworks/Python.framework/Versions/2.7/include/python2.7 -Wno-unused-variable -Wno-unused-parameter -Wno-missing-field-initializers -fno-strict-aliasing -c ./contrib/python/ldns_wrapper.c -o ldns_wrapper.lo
./contrib/python/ldns_wrapper.c:37536:51: error: use of undeclared identifier 'obj1'
ldns_key_set_pubkey_owner(arg1,arg2); Py_INCREF(obj1);
^
1 error generated.
make: *** [ldns_wrapper.lo] Error 1
It looks like 60-compile-builddir has a chronic failure. I think it was introduced at Commit cdd567826405.
Hello, I am compiling from the tarball on Mac (Catalina 10.15 (19A602)).
I get the following:
Undefined symbols for architecture x86_64:
"_ldns_rr_free", referenced from:
_main in linktest.o
"_ldns_rr_new", referenced from:
_main in linktest.o
ld: symbol(s) not found for architecture x86_64
clang: error: linker command failed with exit code 1 (use -v to see invocation)
make: *** [linktest] Error 1
Hi Everyone,
I'm working on an antique PowerMac running OS X 10.5 on a PowerPC. It is one of my favorite testing platforms. The 2.0 GHz processor is fast, and it still puts Intel Atoms and Celerons to shame. It offers OS X 10.5, Bash 3.2, GCC 4.0.1, Apple cc-tools linker, and big-endian PowerPC. I like to work on it so I often need to build newer tools like cURL, Git, SSH and Wget.
It looks like ldns is having some trouble on the PowerMac:
./libtool --tag=CC --quiet --mode=compile gcc -I. -I. -I/usr/local/include -DNDEBUG -DHAVE_CONFIG_H -DLDNS_TRUST_ANCHOR_FILE="\"/usr/local/etc/unbound/root.key\"" -Wunused-function -Wstrict-prototypes -Wwrite-strings -W -Wall -g2 -O2 -fPIC -pthread -mmacosx-version-min=10.10 -isysroot /Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk -I/usr/local/include -c ./buffer.c -o buffer.lo
<built-in>:1: error: Unknown value '10.10' of -mmacosx-version-min
In file included from ./buffer.c:10:
./ldns/config.h:508:19: error: stdio.h: No such file or directory
./ldns/config.h:509:20: error: string.h: No such file or directory
./ldns/config.h:510:20: error: unistd.h: No such file or directory
./ldns/config.h:511:20: error: assert.h: No such file or directory
./ldns/config.h:530:20: error: stdlib.h: No such file or directory
./ldns/config.h:531:20: error: stddef.h: No such file or directory
./ldns/config.h:535:20: error: stdint.h: No such file or directory
./ldns/config.h:539:24: error: sys/socket.h: No such file or directory
./ldns/config.h:543:24: error: netinet/in.h: No such file or directory
./ldns/config.h:547:23: error: arpa/inet.h: No such file or directory
I believe the issue is here in configure.ac:
# check OSX deployment target, if needed
if echo $build_os | grep darwin > /dev/null; then
    sdk_p=`xcode-select -print-path`;
    sdk_v="$( /usr/bin/xcrun --show-sdk-version )";
    case $sdk_v in
        10.9|10.8) sdk_c="10.7";;
        10.11|10.10|*) sdk_c="10.10";;
    esac
    export MACOSX_DEPLOYMENT_TARGET="${sdk_c}";
    export CFLAGS="$CFLAGS -mmacosx-version-min=${sdk_c} -isysroot ${sdk_p}/Platforms/MacOSX.platform/Developer/SDKs/MacOSX${sdk_v}.sdk";
fi
I believe the version of Xcode on the PowerMac is 2.5 or 3.1. It has been a while since I checked, and xcrun does not work like expected on the early versions:
checking whether the C compiler (gcc) accepts the "format" attribute... yes
checking whether the C compiler (gcc) accepts the "unused" attribute... yes
xcrun: error: unrecognized option: --show-sdk-version
usage:
xcrun [-verbose] [-no-cache] [-sdk <sdkroot>] [-log] [-run] <utility> [argument ...]
xcrun [-verbose] [-no-cache] [-sdk <sdkroot>] -find <utility>
<tool> [tool arguments ...]
configure: Default trust anchor: /usr/local/etc/unbound/root.key
configure: Using CAfile: /usr/local/etc/unbound/icannbundle.pem
configure: Using CApath: /usr/local/etc/unbound
configure: creating ./config.status
I think I am going to delete the Xcode block from configure.ac and use the regular build tools from CC Tools. (As opposed to the Xcode toolchain that is being used above).
You are welcome to SSH access the box. I need your authorized_keys.