Merge remote-tracking branch 'nlnet/master'

* nlnet/master: (33 commits)
  - Fix NLnetLabs#618: enabling interface-automatic disables DNS-over-TLS.   Adds the option to list interface-automatic-ports.
  - Fix NLnetLabs#624: Unable to stop Unbound in Windows console (does not   respond to CTRL+C command).
  Release 1.15.0 on 10 feb 2022. The repository continues with version 1.15.1. And Changelog note.
  Note 1.15.0rc1 tag creation in Changelog. - Tag for 1.15.0rc1 created.
  - Fix that TCP interface does not use TLS when TLS is also configured.
  - Fix NLnetLabs#412: cache invalidation issue with CNAME+A.
  - Fix for NLnetLabs#611: Integer overflow in sldns_wire2str_pkt_scan.
  - Update contrib/aaaa-filter-iterator.patch with diff for current   software version.
  - Fix docker splint test to use more portable uname.
  - please clang analyzer for loop in test code.
  - Changelog entry clarification.
  - Fix header comment for doxygen for authextstrtoaddr.
  - Update version number in repo to 1.15.0 for upcoming release,   since it changes the aggressive-nsec default and the ratelimit change.
  - Update stream_ssl.tdir test to also use the new forward-host notation.
  - Merge PR NLnetLabs#617: Update stub/forward-host notation to accept port and   tls-auth-name.
  Don't accidentaly introduce a troff macro
  - Change aggressive-nsec default to yes.
  Changelog entry for NLnetLabs#616 - Merge PR NLnetLabs#616: Update ratelimit logic. It also introduces   ratelimit-backoff and ip-ratelimit-backoff configuration options.
  Changelog entry for NLnetLabs#532 - Merge PR NLnetLabs#532 from Shchelk: Fix: buffer overflow bug.
  Changelog note for NLnetLabs#603: - Merge PR NLnetLabs#603 from fobser: Use OpenSSL 1.1 API to access DSA and RSA   internals.
  ...

configure

@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for unbound 1.14.1.
+# Generated by GNU Autoconf 2.69 for unbound 1.15.1.
 #
 # Report bugs to <unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues>.
 #
@@ -591,8 +591,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='unbound'
 PACKAGE_TARNAME='unbound'
-PACKAGE_VERSION='1.14.1'
-PACKAGE_STRING='unbound 1.14.1'
+PACKAGE_VERSION='1.15.1'
+PACKAGE_STRING='unbound 1.15.1'
 PACKAGE_BUGREPORT='unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues'
 PACKAGE_URL=''
 
@@ -1466,7 +1466,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures unbound 1.14.1 to adapt to many kinds of systems.
+\`configure' configures unbound 1.15.1 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1531,7 +1531,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of unbound 1.14.1:";;
+     short | recursive ) echo "Configuration of unbound 1.15.1:";;
    esac
   cat <<\_ACEOF
 
@@ -1773,7 +1773,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-unbound configure 1.14.1
+unbound configure 1.15.1
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2482,7 +2482,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by unbound $as_me 1.14.1, which was
+It was created by unbound $as_me 1.15.1, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -2832,13 +2832,13 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu
 
 UNBOUND_VERSION_MAJOR=1
 
-UNBOUND_VERSION_MINOR=14
+UNBOUND_VERSION_MINOR=15
 
 UNBOUND_VERSION_MICRO=1
 
 
 LIBUNBOUND_CURRENT=9
-LIBUNBOUND_REVISION=15
+LIBUNBOUND_REVISION=16
 LIBUNBOUND_AGE=1
 # 1.0.0 had 0:12:0
 # 1.0.1 had 0:13:0
@@ -2920,7 +2920,8 @@ LIBUNBOUND_AGE=1
 # 1.13.1 had 9:12:1
 # 1.13.2 had 9:13:1
 # 1.14.0 had 9:14:1
-# 1.14.1 had 9:15:1
+# 1.15.0 had 9:15:1
+# 1.15.1 had 9:16:1
 
 #   Current  -- the number of the binary API that we're implementing
 #   Revision -- which iteration of the implementation of the binary
@@ -17941,7 +17942,7 @@ if test "`uname`" = "NetBSD"; then
 
 fi
 
-if test "`uname -o`" = "GNU/Linux"; then
+if test "`uname`" = "Linux"; then
 	# splint cannot parse modern c99 header files
 	GCC_DOCKER_LINTFLAGS='-syntax'
 
@@ -21886,7 +21887,7 @@ _ACEOF
 
 
 
-version=1.14.1
+version=1.15.1
 
 date=`date +'%b %e, %Y'`
 
@@ -22405,7 +22406,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by unbound $as_me 1.14.1, which was
+This file was extended by unbound $as_me 1.15.1, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -22471,7 +22472,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-unbound config.status 1.14.1
+unbound config.status 1.15.1
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 

configure.ac

@@ -10,15 +10,15 @@ sinclude(dnscrypt/dnscrypt.m4)
 
 # must be numbers. ac_defun because of later processing
 m4_define([VERSION_MAJOR],[1])
-m4_define([VERSION_MINOR],[14])
+m4_define([VERSION_MINOR],[15])
 m4_define([VERSION_MICRO],[1])
 AC_INIT([unbound],m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]),[unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues],[unbound])
 AC_SUBST(UNBOUND_VERSION_MAJOR, [VERSION_MAJOR])
 AC_SUBST(UNBOUND_VERSION_MINOR, [VERSION_MINOR])
 AC_SUBST(UNBOUND_VERSION_MICRO, [VERSION_MICRO])
 
 LIBUNBOUND_CURRENT=9
-LIBUNBOUND_REVISION=15
+LIBUNBOUND_REVISION=16
 LIBUNBOUND_AGE=1
 # 1.0.0 had 0:12:0
 # 1.0.1 had 0:13:0
@@ -100,7 +100,8 @@ LIBUNBOUND_AGE=1
 # 1.13.1 had 9:12:1
 # 1.13.2 had 9:13:1
 # 1.14.0 had 9:14:1
-# 1.14.1 had 9:15:1
+# 1.15.0 had 9:15:1
+# 1.15.1 had 9:16:1
 
 #   Current  -- the number of the binary API that we're implementing
 #   Revision -- which iteration of the implementation of the binary
@@ -816,7 +817,7 @@ if test "`uname`" = "NetBSD"; then
 	AC_SUBST(NETBSD_LINTFLAGS)
 fi
 
-if test "`uname -o`" = "GNU/Linux"; then
+if test "`uname`" = "Linux"; then
 	# splint cannot parse modern c99 header files
 	GCC_DOCKER_LINTFLAGS='-syntax'
 	AC_SUBST(GCC_DOCKER_LINTFLAGS)

contrib/aaaa-filter-iterator.patch

@@ -1,5 +1,5 @@
 diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in
-index 50f9224..09456f5 100644
+index 5a75e319..c6c6dbe2 100644
 --- a/doc/unbound.conf.5.in
 +++ b/doc/unbound.conf.5.in
 @@ -970,6 +970,13 @@ potentially broken nameservers. A lot of domains will not be resolvable when
@@ -17,13 +17,14 @@ index 50f9224..09456f5 100644
  Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN
  and other denials, using information from previous NXDOMAINs answers.
 diff --git a/iterator/iter_scrub.c b/iterator/iter_scrub.c
-index f093c1b..e55a224 100644
+index f093c1bf..e55a2246 100644
 --- a/iterator/iter_scrub.c
 +++ b/iterator/iter_scrub.c
-@@ -680,6 +680,32 @@ static int sanitize_nsec_is_overreach(sldns_buffer* pkt,
+@@ -679,6 +679,32 @@ static int sanitize_nsec_is_overreach(sldns_buffer* pkt,
+ 	return 0;
  }
 
- /**
++/**
 + * ASN: Lookup A records from rrset cache.
 + * @param qinfo: the question originally asked.
 + * @param env: module environment with config and cache.
@@ -49,10 +50,9 @@ index f093c1b..e55a224 100644
 +	return 0;
 +}
 +
-+/**
+ /**
   * Given a response event, remove suspect RRsets from the response.
   * "Suspect" rrsets are potentially poison. Note that this routine expects
-  * the response to be in a "normalized" state -- that is, all "irrelevant"
 @@ -698,6 +724,7 @@ scrub_sanitize(sldns_buffer* pkt, struct msg_parse* msg,
  	struct query_info* qinfo, uint8_t* zonename, struct module_env* env,
  	struct iter_env* ie)
@@ -101,7 +101,7 @@ index f093c1b..e55a224 100644
  		if( (rrset->type == LDNS_RR_TYPE_A || 
  			rrset->type == LDNS_RR_TYPE_AAAA)) {
 diff --git a/iterator/iter_utils.c b/iterator/iter_utils.c
-index 2482a1f..bd5ba24 100644
+index 2482a1f4..bd5ba243 100644
 --- a/iterator/iter_utils.c
 +++ b/iterator/iter_utils.c
 @@ -177,6 +177,7 @@ iter_apply_cfg(struct iter_env* iter_env, struct config_file* cfg)
@@ -113,10 +113,10 @@ index 2482a1f..bd5ba24 100644
  }
 
 diff --git a/iterator/iterator.c b/iterator/iterator.c
-index 48238a2..34ba249 100644
+index 54006940..768fe202 100644
 --- a/iterator/iterator.c
 +++ b/iterator/iterator.c
-@@ -2184,6 +2184,53 @@ processDSNSFind(struct module_qstate* qstate, struct iter_qstate* iq, int id)
+@@ -2155,6 +2155,53 @@ processDSNSFind(struct module_qstate* qstate, struct iter_qstate* iq, int id)
 
  	return 0;
  }
@@ -170,7 +170,7 @@ index 48238a2..34ba249 100644
 
  /** 
   * This is the request event state where the request will be sent to one of
-@@ -2243,6 +2290,13 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
+@@ -2216,6 +2263,13 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
  		return error_response(qstate, id, LDNS_RCODE_SERVFAIL);
  	}
 
@@ -184,7 +184,7 @@ index 48238a2..34ba249 100644
  	/* Make sure we have a delegation point, otherwise priming failed
  	 * or another failure occurred */
  	if(!iq->dp) {
-@@ -3688,6 +3742,61 @@ processFinished(struct module_qstate* qstate, struct iter_qstate* iq,
+@@ -3648,6 +3702,61 @@ processFinished(struct module_qstate* qstate, struct iter_qstate* iq,
  	return 0;
  }
 
@@ -246,7 +246,7 @@ index 48238a2..34ba249 100644
  /*
   * Return priming query results to interested super querystates.
   * 
-@@ -3707,6 +3816,9 @@ iter_inform_super(struct module_qstate* qstate, int id,
+@@ -3667,6 +3776,9 @@ iter_inform_super(struct module_qstate* qstate, int id,
  	else if(super->qinfo.qtype == LDNS_RR_TYPE_DS && ((struct iter_qstate*)
  		super->minfo[id])->state == DSNS_FIND_STATE)
  		processDSNSResponse(qstate, id, super);
@@ -256,7 +256,7 @@ index 48238a2..34ba249 100644
  	else if(qstate->return_rcode != LDNS_RCODE_NOERROR)
  		error_supers(qstate, id, super);
  	else if(qstate->is_priming)
-@@ -3744,6 +3856,9 @@ iter_handle(struct module_qstate* qstate, struct iter_qstate* iq,
+@@ -3704,6 +3816,9 @@ iter_handle(struct module_qstate* qstate, struct iter_qstate* iq,
  			case INIT_REQUEST_3_STATE:
  				cont = processInitRequest3(qstate, iq, id);
  				break;
@@ -266,7 +266,7 @@ index 48238a2..34ba249 100644
  			case QUERYTARGETS_STATE:
  				cont = processQueryTargets(qstate, iq, ie, id);
  				break;
-@@ -4080,6 +4195,8 @@ iter_state_to_string(enum iter_state state)
+@@ -4040,6 +4155,8 @@ iter_state_to_string(enum iter_state state)
  		return "INIT REQUEST STATE (stage 2)";
  	case INIT_REQUEST_3_STATE:
  		return "INIT REQUEST STATE (stage 3)";
@@ -275,7 +275,7 @@ index 48238a2..34ba249 100644
  	case QUERYTARGETS_STATE :
  		return "QUERY TARGETS STATE";
  	case PRIME_RESP_STATE :
-@@ -4104,6 +4221,7 @@ iter_state_is_responsestate(enum iter_state s)
+@@ -4064,6 +4181,7 @@ iter_state_is_responsestate(enum iter_state s)
  		case INIT_REQUEST_STATE :
  		case INIT_REQUEST_2_STATE :
  		case INIT_REQUEST_3_STATE :
@@ -284,7 +284,7 @@ index 48238a2..34ba249 100644
  		case COLLECT_CLASS_STATE :
  			return 0;
 diff --git a/iterator/iterator.h b/iterator/iterator.h
-index a9e5856..ace68c6 100644
+index 8b840528..a61c4195 100644
 --- a/iterator/iterator.h
 +++ b/iterator/iterator.h
 @@ -133,6 +133,9 @@ struct iter_env {
@@ -297,21 +297,21 @@ index a9e5856..ace68c6 100644
  	/** lock on ratelimit counter */
  	lock_basic_type queries_ratelimit_lock;
  	/** number of queries that have been ratelimited */
-@@ -188,6 +191,14 @@ enum iter_state {
+@@ -187,6 +190,14 @@ enum iter_state {
+ 	 */
  	INIT_REQUEST_3_STATE,
 
- 	/**
++	/**
 +	 * This state is responsible for intercepting AAAA queries,
 +	 * and launch a A subquery on the same target, to populate the
 +	 * cache with A records, so the AAAA filter scrubbing logic can
 +	 * work.
 +	 */
 +	ASN_FETCH_A_FOR_AAAA_STATE,
 +
-+	/**
+ 	/**
  	 * Each time a delegation point changes for a given query or a 
  	 * query times out and/or wakes up, this state is (re)visited. 
- 	 * This state is responsible for iterating through a list of 
 @@ -376,6 +387,13 @@ struct iter_qstate {
  	 */
  	int refetch_glue;
@@ -327,10 +327,10 @@ index a9e5856..ace68c6 100644
  	struct outbound_list outlist;
 
 diff --git a/pythonmod/interface.i b/pythonmod/interface.i
-index 03483ab..a8c30b5 100644
+index 1ca8686a..d91b19ec 100644
 --- a/pythonmod/interface.i
 +++ b/pythonmod/interface.i
-@@ -994,6 +994,7 @@ struct config_file {
+@@ -995,6 +995,7 @@ struct config_file {
     int harden_dnssec_stripped;
     int harden_referral_path;
     int use_caps_bits_for_id;
@@ -339,7 +339,7 @@ index 03483ab..a8c30b5 100644
     struct config_strlist* private_domain;
     size_t unwanted_threshold;
 diff --git a/util/config_file.c b/util/config_file.c
-index 39050f5..326b0b9 100644
+index 969d664b..8d94b008 100644
 --- a/util/config_file.c
 +++ b/util/config_file.c
 @@ -231,6 +231,7 @@ config_create(void)
@@ -351,7 +351,7 @@ index 39050f5..326b0b9 100644
  	cfg->private_address = NULL;
  	cfg->private_domain = NULL;
 diff --git a/util/config_file.h b/util/config_file.h
-index 18910be..bd59144 100644
+index c7c9a0a4..e3aa15b0 100644
 --- a/util/config_file.h
 +++ b/util/config_file.h
 @@ -285,6 +285,8 @@ struct config_file {
@@ -364,7 +364,7 @@ index 18910be..bd59144 100644
  	struct config_strlist* caps_whitelist;
  	/** strip away these private addrs from answers, no DNS Rebinding */
 diff --git a/util/configlexer.lex b/util/configlexer.lex
-index 71da924..b58b4b6 100644
+index 34a0e5dd..c890be2a 100644
 --- a/util/configlexer.lex
 +++ b/util/configlexer.lex
 @@ -317,6 +317,7 @@ use-caps-for-id{COLON}		{ YDVAR(1, VAR_USE_CAPS_FOR_ID) }
@@ -376,7 +376,7 @@ index 71da924..b58b4b6 100644
  private-domain{COLON}		{ YDVAR(1, VAR_PRIVATE_DOMAIN) }
  prefetch-key{COLON}		{ YDVAR(1, VAR_PREFETCH_KEY) }
 diff --git a/util/configparser.y b/util/configparser.y
-index 1daf853..cd39618 100644
+index d4f965f9..8cc237c6 100644
 --- a/util/configparser.y
 +++ b/util/configparser.y
 @@ -97,6 +97,7 @@ extern struct config_parser_state* cfg_parser;
@@ -387,15 +387,15 @@ index 1daf853..cd39618 100644
  %token VAR_PRIVATE_DOMAIN VAR_REMOTE_CONTROL VAR_CONTROL_ENABLE
  %token VAR_CONTROL_INTERFACE VAR_CONTROL_PORT VAR_SERVER_KEY_FILE
  %token VAR_SERVER_CERT_FILE VAR_CONTROL_KEY_FILE VAR_CONTROL_CERT_FILE
-@@ -245,6 +246,7 @@ content_server: server_num_threads | server_verbosity | server_port |
+@@ -247,6 +248,7 @@ content_server: server_num_threads | server_verbosity | server_port |
  	server_dlv_anchor_file | server_dlv_anchor | server_neg_cache_size |
  	server_harden_referral_path | server_private_address |
  	server_private_domain | server_extended_statistics |
 +	server_aaaa_filter |
  	server_local_data_ptr | server_jostle_timeout |
  	server_unwanted_reply_threshold | server_log_time_ascii |
  	server_domain_insecure | server_val_sig_skew_min |
-@@ -1742,6 +1744,15 @@ server_caps_whitelist: VAR_CAPS_WHITELIST STRING_ARG
+@@ -1754,6 +1756,15 @@ server_caps_whitelist: VAR_CAPS_WHITELIST STRING_ARG
  			yyerror("out of memory");
  	}
  	;