update unbound from upstream

external/unbound/validator/autotrust.c

@@ -902,13 +902,13 @@ static int
 handle_origin(char* line, uint8_t** origin, size_t* origin_len)
 {
 	size_t len = 0;
-	while(isspace((int)*line))
+	while(isspace((unsigned char)*line))
 		line++;
 	if(strncmp(line, "$ORIGIN", 7) != 0)
 		return 0;
 	free(*origin);
 	line += 7;
-	while(isspace((int)*line))
+	while(isspace((unsigned char)*line))
 		line++;
 	*origin = sldns_str2wire_dname(line, &len);
 	*origin_len = len;

external/unbound/validator/val_anchor.c

@@ -563,7 +563,7 @@ readkeyword_bindfile(FILE* in, sldns_buffer* buf, int* line, int comments)
 		/* not a comment, complete the keyword */
 		if(numdone > 0) {
 			/* check same type */
-			if(isspace(c)) {
+			if(isspace((unsigned char)c)) {
 				ungetc(c, in);
 				return numdone;
 			}
@@ -582,12 +582,12 @@ readkeyword_bindfile(FILE* in, sldns_buffer* buf, int* line, int comments)
 		}
 		sldns_buffer_write_u8(buf, (uint8_t)c);
 		numdone++;
-		if(isspace(c)) {
+		if(isspace((unsigned char)c)) {
 			/* collate whitespace into ' ' */
 			while((c = getc(in)) != EOF ) {
 				if(c == '\n')
 					(*line)++;
-				if(!isspace(c)) {
+				if(!isspace((unsigned char)c)) {
 					ungetc(c, in);
 					break;
 				}
@@ -607,7 +607,7 @@ skip_to_special(FILE* in, sldns_buffer* buf, int* line, int spec)
 	int rdlen;
 	sldns_buffer_clear(buf);
 	while((rdlen=readkeyword_bindfile(in, buf, line, 1))) {
-		if(rdlen == 1 && isspace((int)*sldns_buffer_begin(buf))) {
+		if(rdlen == 1 && isspace((unsigned char)*sldns_buffer_begin(buf))) {
 			sldns_buffer_clear(buf);
 			continue;
 		}
@@ -648,7 +648,7 @@ process_bind_contents(struct val_anchors* anchors, sldns_buffer* buf,
 	sldns_buffer_clear(buf);
 	while((rdlen=readkeyword_bindfile(in, buf, line, comments))) {
 		if(rdlen == 1 && sldns_buffer_position(buf) == 1
-			&& isspace((int)*sldns_buffer_begin(buf))) {
+			&& isspace((unsigned char)*sldns_buffer_begin(buf))) {
 			/* starting whitespace is removed */
 			sldns_buffer_clear(buf);
 			continue;
@@ -703,7 +703,7 @@ process_bind_contents(struct val_anchors* anchors, sldns_buffer* buf,
 			}
 			return 1;
 		} else if(rdlen == 1 && 
-			isspace((int)sldns_buffer_current(buf)[-1])) {
+			isspace((unsigned char)sldns_buffer_current(buf)[-1])) {
 			/* leave whitespace here */
 		} else {
 			/* not space or whatnot, so actual content */

external/unbound/validator/val_nsec3.c

@@ -731,8 +731,8 @@ label_compare_lower(uint8_t* lab1, uint8_t* lab2, size_t lablen)
 {
 	size_t i;
 	for(i=0; i<lablen; i++) {
-		if(tolower((int)*lab1) != tolower((int)*lab2)) {
-			if(tolower((int)*lab1) < tolower((int)*lab2))
+		if(tolower((unsigned char)*lab1) != tolower((unsigned char)*lab2)) {
+			if(tolower((unsigned char)*lab1) < tolower((unsigned char)*lab2))
 				return -1;
 			return 1;
 		}

external/unbound/validator/validator.c

@@ -283,12 +283,25 @@ needs_validation(struct module_qstate* qstate, int ret_rc,
 {
 	int rcode;
 
-	/* If the CD bit is on in the original request, then we don't bother to
-	 * validate anything.*/
+	/* If the CD bit is on in the original request, then you could think
+	 * that we don't bother to validate anything.
+	 * But this is signalled internally with the valrec flag.
+	 * User queries are validated with BIT_CD to make our cache clean
+	 * so that bogus messages get retried by the upstream also for
+	 * downstream validators that set BIT_CD.
+	 * For DNS64 bit_cd signals no dns64 processing, but we want to
+	 * provide validation there too */
+	/*
 	if(qstate->query_flags & BIT_CD) {
 		verbose(VERB_ALGO, "not validating response due to CD bit");
 		return 0;
 	}
+	*/
+	if(qstate->is_valrec) {
+		verbose(VERB_ALGO, "not validating response, is valrec"
+			"(validation recursion lookup)");
+		return 0;
+	}
 
 	if(ret_rc != LDNS_RCODE_NOERROR || !ret_msg)
 		rcode = ret_rc;
@@ -351,14 +364,20 @@ generate_request(struct module_qstate* qstate, int id, uint8_t* name,
 	struct val_qstate* vq = (struct val_qstate*)qstate->minfo[id];
 	struct module_qstate* newq;
 	struct query_info ask;
+	int valrec;
 	ask.qname = name;
 	ask.qname_len = namelen;
 	ask.qtype = qtype;
 	ask.qclass = qclass;
 	log_query_info(VERB_ALGO, "generate request", &ask);
 	fptr_ok(fptr_whitelist_modenv_attach_sub(qstate->env->attach_sub));
+	/* enable valrec flag to avoid recursion to the same validation
+	 * routine, this lookup is simply a lookup. DLVs need validation */
+	if(qtype == LDNS_RR_TYPE_DLV)
+		valrec = 0;
+	else valrec = 1;
 	if(!(*qstate->env->attach_sub)(qstate, &ask, 
-		(uint16_t)(BIT_RD|flags), 0, &newq)){
+		(uint16_t)(BIT_RD|flags), 0, valrec, &newq)){
 		log_err("Could not generate request: out of memory");
 		return 0;
 	}
@@ -2005,14 +2024,16 @@ processFinished(struct module_qstate* qstate, struct val_qstate* vq,
 		/* if secure, this will override cache anyway, no need
 		 * to check if from parentNS */
 		if(!dns_cache_store(qstate->env, &vq->orig_msg->qinfo, 
-			vq->orig_msg->rep, 0, qstate->prefetch_leeway, 0, NULL)) {
+			vq->orig_msg->rep, 0, qstate->prefetch_leeway, 0, NULL,
+			qstate->query_flags)) {
 			log_err("out of memory caching validator results");
 		}
 	} else {
 		/* for a referral, store the verified RRsets */
 		/* and this does not get prefetched, so no leeway */
 		if(!dns_cache_store(qstate->env, &vq->orig_msg->qinfo, 
-			vq->orig_msg->rep, 1, 0, 0, NULL)) {
+			vq->orig_msg->rep, 1, 0, 0, NULL,
+			qstate->query_flags)) {
 			log_err("out of memory caching validator results");
 		}
 	}