Closed Bug 773648 Opened 12 years ago Closed 9 years ago

integrate libunbound

Categories

(Core :: Networking: DNS, enhancement)

enhancement
Not set
normal

Tracking

()

RESOLVED WONTFIX

People

(Reporter: jaas, Unassigned)

References

Details

Attachments

(7 files, 10 obsolete files)

(deleted), text/plain
Details
(deleted), patch
Details | Diff | Splinter Review
(deleted), application/octet-stream
Details
(deleted), application/octet-stream
Details
(deleted), application/octet-stream
Details
(deleted), patch
Details | Diff | Splinter Review
(deleted), patch
Details | Diff | Splinter Review
Attached patch fix v1.0 (obsolete) (deleted) — Splinter Review
We are planning to use libunbound as our own host resolver, to replace usage of 'getaddrinfo'. This patch applies on top of ldns integration.
Attached patch fix v1.1 (obsolete) (deleted) — Splinter Review
Minor updates, still doesn't actually work.
Attachment #641899 - Attachment is obsolete: true
Assignee: joshmoz → nobody
Attached patch v1.2 patch, builds (obsolete) (deleted) — Splinter Review
the includes for nss,nspr used include <nss3/file.h> and changed to include "file.h", and it builds successfully.
Attached patch v1.3 patch, builds and removed warning (obsolete) (deleted) — Splinter Review
fixed warnings reported by the compiler.
Attachment #707542 - Attachment is obsolete: true
Attachment #707578 - Attachment is obsolete: true
Attached patch unbound code in this patch (config.h edited) (obsolete) (deleted) — Splinter Review
Added attachment for netwerk, unbound and a 1.2 ldns to the ldns page. Together, they make firefox resolve using libunbound. Libunbound is code-configured to use 8.8.8.8 as resolver.
Attachment #644008 - Attachment is obsolete: true
Attached patch network part v1.5 (obsolete) (deleted) — Splinter Review
Updated for hg diff compatibility.
Attachment #709056 - Attachment is obsolete: true
Attached patch unbound part 1.5 (obsolete) (deleted) — Splinter Review
Updated for hg diff compatibility.
Attachment #709057 - Attachment is obsolete: true
this shell script I used to update the source and header files. it does not touch the config.h files, and the ldns-version in its util.h. It also does not update Makefiles, or hg add. Just puts source files in the correct place. Used it to update to the latest (svn) version of unbound and ldns, this unbound version has a ttl in its libunbound lookup results.
Attached patch patch 1.6.diff (ldns + unbound + netwerk) (obsolete) (deleted) — Splinter Review
This is with hg diff. Contains ldns, unbound and other changes in one bundle. Also fixed are build error for Josh (I hope), it can cancel queries, it cleans up on resolver shutdown.
Attached patch patch v1.7 (deleted) — Splinter Review
Includes build fixes for OS X. Now builds and runs on OS X and Linux, Windows not tested yet.
Attachment #711404 - Attachment is obsolete: true
Attachment #711406 - Attachment is obsolete: true
Attachment #711785 - Attachment is obsolete: true
This is 1.7 with - include cmath in other unrelated windows code to make it compile for me (gcc 4.7.2?) - ifdefs in net.h, config.h util.h in ldns for _WINDOWS (ssize_t, other includes). This makes ldns compile.
Attached file unbound, ldns, libevent 1.8 (deleted) —
Compiles on linux. Contains the libevent patch. - I had to adjust the shutdown code, so that it exits more cleanly.
Attachment #713854 - Attachment is obsolete: true
(In reply to Wouter Wijngaards from comment #13) > Created attachment 716567 [details] > unbound, ldns, libevent 1.8 > > Compiles on linux. Contains the libevent patch. > - I had to adjust the shutdown code, so that it exits more cleanly. Lets not mix those two patches, leave them separate. Just require both to build. Both patches are already gigantic.
sure, how do you separate them? hg diff ipc > one patch and hg diff ... > other patch?
Attached file unbound (set 1.9) patch (deleted) —
tweaked to compile on windows.
Attached file netwerk/dns 1.9 patch (deleted) —
updated to compile on windows.
Depends on: 842887
Are there plans to provide a --with-system-libunbound configure flag ? (same question for ldns of course...)
(In reply to Wouter Wijngaards from comment #6) > Added attachment for netwerk, unbound and a 1.2 ldns to the ldns page. > Together, they make firefox resolve using libunbound. Libunbound is > code-configured to use 8.8.8.8 as resolver. If i look at the comment attachment #709056 [details] [diff] [review], do i get it right that 'hardcoding' 8.8.8.8 is used only for debug purposes, and in production the dns servers from resolv.conf will be used ?
Attachment #716567 - Attachment is patch: true
Attachment #716567 - Attachment mime type: application/octet-stream → text/plain
Comment on attachment 716567 [details] unbound, ldns, libevent 1.8 Hrm, sorry for messing up patch flags.. i though bugzilla was able to ungzip files on the fly.
Attachment #716567 - Attachment is patch: false
Attachment #716567 - Attachment mime type: text/plain → application/octet-stream
(In reply to Landry Breuil (:gaston) from comment #19) > If i look at the comment attachment #709056 [details] [diff] [review] [diff] [review], do i > get it right that 'hardcoding' 8.8.8.8 is used only for debug purposes, and > in production the dns servers from resolv.conf will be used ? In production something else would be good. This is an open problem really, as very often the dns resolvers from resolv.conf are not good enough (do not support DNSSEC). An in-between is to set libunbound to be a full-recursor and fetch the data from the internet itself, that requires that the router lets UDP traffic (with DNSSEC in it) through, and not all do (especially in hotspots, shops, hotels, bad isps). Getting the servers from resolv.conf is also pretty tricky (OSX, Windows). One way to do this is to probe the servers to see if they support DNSSEC (i.e. like our dnssec-trigger project does). But I am not sure if this is the direction you want to go into. It does not always work, and you can end up in situations where you cannot get DNSSEC to work (traffic to 8.8.8.8 is blocked and you cannot get a certified answer that it is blocked, so this means someone could preted it is blocked to force you to fallback to insecure mode ...).
Attached patch bsd config (for v1.9) (deleted) — Splinter Review
Works fine here: $ ./dist/bin/firefox -P test -no-remote www.freebsd.org [1367056860] libunbound[54131:0] notice: init module 0: validator [1367056860] libunbound[54131:0] notice: init module 1: iterator [1367056860] libunbound[54131:0] info: resolving www.freebsd.org. A IN DNS lookup answer thread starting execution. DNS answer handler evloop once. [1367056860] libunbound[54131:0] info: response for www.freebsd.org. A IN [1367056860] libunbound[54131:0] info: reply from <.> 8.8.8.8#53 [1367056860] libunbound[54131:0] info: query response was CNAME [1367056860] libunbound[54131:0] info: resolving www.freebsd.org. A IN [1367056860] libunbound[54131:0] info: response for www.freebsd.org. A IN [1367056860] libunbound[54131:0] info: reply from <.> 8.8.8.8#53 [1367056860] libunbound[54131:0] info: query response was ANSWER DNS answer handler evloop once. ... Why not just run as subconfigure? It'd leave some porting issues at vendor expense.
unbound fallbacks to event2/*.h headers without HAVE_EVENT_H while only event.h is listed under config/system-headers. This would break visibility for gcc_hidden.h + --with-system-libevent. And downstream may prefer libevent-1.4 for various reasons e.g., OpenBSD have it as part of base system.
Comment on attachment 742694 [details] [diff] [review] bsd config (for v1.9) Review of attachment 742694 [details] [diff] [review]: ----------------------------------------------------------------- ::: netwerk/dns/unbound/config.h @@ +259,5 @@ > > /* Define to 1 if you have the `sendmsg' function. */ > #define HAVE_SENDMSG 1 > > +#if defined(__linux__) || defined(__DragonFly__) || defined(__FreeBSD__) OpenBSD has setresgid/setresuid in addition to setregid/setreuid. NetBSD only have the latter.
Note that those who care about dnssec run a validating resolver locally (either on each lan, each box or even each vm). It would be most inappropriate for gecko to ignore a local validating resolver. Which does not imply that it shouldn’t re-do the validation. Just that it should use the local cache whenever it can. The data might already be local, and it shouldn’t presume that it is the only app on the box which cares about the data it queries. It seems that telling libunbound to proxy its queries via the resolv.conf resolvers, and validate the results, should cover all bases.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: