Ecosyste.ms: Repos
An open API service providing repository metadata for many open source software ecosystems.
GitHub / FreeBSD-UPB / freebsd-src
FreeBSD src tree (UPB)
JSON API: https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/FreeBSD-UPB%2Ffreebsd-src
Fork of freebsd/freebsd-src
Stars: 4
Forks: 0
Open Issues: 2
License: other
Language: C
Repo Size: 2.51 GB
Dependencies: 279
Created: over 3 years ago
Updated: 9 months ago
Last pushed: 9 months ago
Last synced: 9 months ago
Dependencies
- actions/checkout v2 composite
- ubuntu focal build
- bitfuncs * test
- engineering * test
- leadingzero * test
- lib2 * test
- places * test
- rand * test
- scientific * test
- shift * test
- trunc * test
- Babel ==2.8.0
- Click ==7.0
- Flask ==1.1.1
- Jinja2 ==2.10.1
- MarkupSafe ==1.1.1
- PyYAML ==5.3
- Pygments ==2.6.1
- Sphinx ==2.4.4
- Werkzeug ==0.15.5
- alabaster ==0.7.12
- argh ==0.26.2
- breathe ==4.14.1
- certifi ==2019.11.28
- chardet ==3.0.4
- docutils ==0.16
- idna ==2.9
- imagesize ==1.2.0
- itsdangerous ==1.1.0
- livereload ==2.6.1
- packaging ==20.3
- pathtools ==0.1.2
- port-for ==0.3.1
- pyparsing ==2.4.6
- pytz ==2019.3
- requests ==2.23.0
- six ==1.14.0
- snowballstemmer ==2.0.0
- sortedcontainers ==2.1.0
- sphinx-autobuild ==0.7.1
- sphinx-rtd-theme ==0.4.3
- sphinxcontrib-applehelp ==1.0.2
- sphinxcontrib-devhelp ==1.0.2
- sphinxcontrib-htmlhelp ==1.0.3
- sphinxcontrib-jsmath ==1.0.1
- sphinxcontrib-qthelp ==1.0.3
- sphinxcontrib-serializinghtml ==1.1.4
- tornado ==6.0.4
- urllib3 ==1.25.8
- watchdog ==0.10.2