Ecosyste.ms: Repos
An open API service providing repository metadata for many open source software ecosystems.
GitHub / merlinscholz / lockdoc-netbsd
Experiment-based search for potential synchronization bugs in the NetBSD kernel
JSON API: https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/merlinscholz%2Flockdoc-netbsd
Stars: 0
Forks: 0
Open Issues: 0
License: None
Language:
Repo Size: 1.66 GB
Dependencies:
344
Created: over 1 year ago
Updated: 7 months ago
Last pushed: 9 months ago
Last synced: 7 months ago
Topics: c, kernel, locking, netbsd
Files
Loading...
Readme
Loading...
Dependencies
- ubuntu 16.04 build
- ubuntu bionic build
- ubuntu bionic build
- launcher.gcr.io/google/debian8 latest build
- ubuntu latest build
- nvidia/cuda 8.0-devel build
- gcr.io/oss-fuzz-base/base-builder latest build
- ubuntu focal build
- ubuntu bionic build
- Carp 0
- Dist::Zilla 5
- Dist::Zilla::PluginBundle::MSCHOUT 0
- Encode 0
- Exporter 0
- ExtUtils::MakeMaker 0
- File::Temp 0
- Safe 0
- Software::License::Perl_5 0
- Test::More 0
- Test::More::UTF8 0
- Test::Pod 1.41
- Test::Signature 0
- Test::Warnings 0
- base 0
- lib 0
- perl 5.008
- strict 0
- utf8 0
- vars 0
- warnings 0
- @types/node ^8.10.59 development
- @types/vscode ^1.39.0 development
- js-yaml ^3.13.1 development
- tslint ^5.16.0 development
- typescript ^3.8.3 development
- VSSDK.CoreUtility 10.0.4
- VSSDK.CoreUtility.10 10.0.4
- VSSDK.Editor 10.0.4
- VSSDK.Editor.10 10.0.4
- VSSDK.IDE 7.0.4
- VSSDK.IDE.10 10.0.4
- VSSDK.IDE.8 8.0.4
- VSSDK.IDE.9 9.0.3
- VSSDK.OLE.Interop 7.0.4
- VSSDK.Shell.10 10.0.3
- VSSDK.Shell.Immutable.10 10.0.3
- VSSDK.Shell.Interop 7.0.4
- VSSDK.Shell.Interop.8 8.0.3
- VSSDK.Shell.Interop.9 9.0.3
- VSSDK.Text 10.0.4
- VSSDK.Text.10 10.0.4
- VSSDK.TextManager.Interop 7.0.4
- VSSDK.TextManager.Interop.8 8.0.4
- 1.Introduction *
- 2.History *
- 3.Goals *
- 3liststhegoals ,whileSection4liststheexplicitnon
- 4.Non-Goals *
- 5.Choices *
- ADSrecordswouldindicateareferral. *
- ASOArecordwouldindicatethatthiswasaNODATAanswer. *
- AbsenceofNSrecordwouldindicateaNODATAansweraswell. *
- Addingfullauthoritysupport ,requiresmuchmorecode,andmorecomplex
- Adirectqueryforthatnamewillattempttogetamsgintothemessage *
- Alsoforzonesforwhichnochainoftrustexists ,butaDSisgivenbythe
- Alsoredirectionofdomainnameswithfixeddataisneededbyservice *
- Amisconfigurationthatsometimeshappensiswheretheparentandchild *
- Andthuspreventscache-snooping *
- ByW.C.A.Wijngaards ,NLnetLabs,October2006.
- Concluding ,aspoofoftheparentdelegationcanbeusedformanycases
- Contents *
- DataintheDNSisstoredinResourceRecordsets *
- Forreferrals ,delegationsthataddasinglelabelcanbecheckedtobe
- Forsomeboxesitisnecessarytoprobeforeveryfailingquery ,a
- However ,someauthorityfeaturesareexpectedinarecursor.Thingslike
- Ifmanyqueriesaremade ,andtheyaremadetonamesforwhichthe
- Ifthecachememoryislow *
- IfthedomainisDNSSECsigned ,bytheway,thenNSECrecordsare
- IftheotherdomainissignedbyDNSSEC ,thefakeswillbedetected.
- InSection2theoriginsoftheUnboundprojectaredocumented.Section *
- Insteadofafalsepositive ,wewantfalsenegatives
- Insummary ,thehardengluefeaturepresentsasecurityriskif
- Itdoesdosomerrsigduplicateremoval ,inthemsgparser,fordnssecqtype
- Itminimizesthechancesofadroppedquerymakinga *
- Itsucceedsifonehas0x20intact ,orelseallareequal.
- Mainpoints *
- MattLarson *
- NSECandNSEC3recordswereobtained *
- NameSystem *
- Notallglueisletthrough *
- Otherwise ,itresultsina5secondwaittimebeforeEDNStimeoutis
- Otherwise ,servfailisreturnedtotheclient.
- RRmaybeinserted ,withinthemessageTTLtime,andthusreturnthe
- RequirementsforRecursiveCachingResolver *
- Retriesonavalidationfailurearenow5xtoadifferentnameserverIP *
- SissonandRoyArendsfromNominet.Around2006theideacametocreate *
- So ,onlymessagesthatidentifythezoneareusedtomarkthezone
- SoitwillfaithfullynegativecachefortheexactTTLasoriginally *
- SomemiddleboxesdropEDNS0queries ,mainlywhenforwarding,notwhen
- Sopossibly ,forcomplicatedsetups,withmultiple
- ThatincludesalmostallnegativeresponsesandalsoA ,AAAAqtypes.
- Thatwouldbemostresponsesfromservers. *
- TheJavaprototypeworkedverywell ,withcontributionsfromGeoff
- Thecasingfromthequerynameisusedinpreferencetothecasing *
- ThecurrentunboundcodeusesanegativecacheforqueriesfortypeDS. *
- Thednssec-lamenessdetectionisusedtodetectoperatorfailures ,
- Thedraftdescribestobackofftothenextserver ,andgothroughall
- Thefollowingissueneedstoberesolved *
- Thegluethatisletthroughisstoredinthecache *
- Thelast50 *
- Thelimitedsupportallowsaddingsomestaticdata *
- ThemaincomponentsaretheValidatorthatvalidatesthesecurity *
- ThemessagehasaTTLsmallerorequaltotheTTLoftheanswerRR. *
- Thenthereceiverdoesnotknowwhetherthiswasareferral *
- Theservercanbespoofedbygettingittovisitaespeciallyprepared *
- ThesesituationsbecomeconsistentoncetheoriginalTTLexpires. *
- Thetimeoutcanbeconfigured. *
- TheunboundresolverprojectstartedbyBillManning ,DavidBlacka,and
- Theyaresenttoarandomserver ,butnooneaddressmorethan4times.
- Thisdeniesqueriesthatarenotauthoritative ,orversion.bind,orany.
- Thisisarecursiveserver ,andauthorityfeaturesareoutofscope.
- ThisistherequirementsdocumentforaDNSnameserverandaimsto *
- Thisprojectaimstodevelopsuchanameserverinmodularcomponents ,so
- Thisspeedsupbuildingchainsoftrust ,andusesNSECandNSEC3
- Thisworksverywellwhendetectinganaddressthatyouusemuch-like *
- Thus ,evenlongqueriesgeta50
- Tocombatthisthefirst50 *
- UnboundassumesEDNS0supportforthefirstquery.Thenitcandetect *
- UnboundkeepsTTLvaluesformessageformats ,andthusrcodes,such
- Unboundpreservesthecasingreceivedfromauthorityserversasbest *
- Whenanewquerycomesin ,andaplaceinthefirst50
- Youcanputauthoritydataonaseparateserver ,andsettheserverin
- additionalsection *
- addresses ,andthenmakes3
- aforwarderaddress-whichiswherethemiddleboxesneedtobedetected. *
- afull-fledgedCimplementationreadyfordeployeduse.NLnetLabs *
- andqueriedforagain ,sothatitsproofcanbecheckedagain.
- andtorespondwithafixedrcode *
- answerwillbeputinthecache ,markedas
- areferral.Whenansweringtoclients ,aSOArecordisneededfor
- arepickedup. *
- aretheonlyonesworking ,andserversreportedbythechilddonot.
- asNXDOMAIN.Alsoitkeepsthelatestrrsetsintherrsetcache. *
- ascertainsthatRRSIGsareOK *
- asingleprobequeryissent.Thisprobehasasub-secondtimeout ,and
- asmoreglueispresentfortherecursiveservicetouse.Thefeature *
- aspossible.Itcompresseswithoutcase ,socasecangetlostthere.
- atno-dataproof.Itcouldbedeterminedbyattemptingtoprove *
- authoritativeservers ,doesnotperformduplicateremoval.
- authorityserversdonotrespond ,thentherequestlistforunbound
- beforethevalidatorwillproperlyverifythemessages. *
- behaviour. *
- bynewerquerieswhenolder *
- cache.SinceAandAAAAqueriesarenotsynthesizedbytheunboundcache ,
- checkNSEC *
- clientswhenpossible *
- createdaJavabasedprototyperesolvercalledUnbound.Thebasic *
- datafrompreviousqueries.Thenetworkingandquerymanagementcode *
- datafromtheparentofazone.Thiscanbeused ,byspoofingtheparent,
- designdecisionsofcleanmoduleswasexecuted. *
- detectdnssec-lamenessislessofaproblemthanmarkinghonest *
- detected ,whichisslowbutitworksatleast.
- disabled.Disablingthefeatureleadstopossiblebetterperformance *
- documentthegoalsandnon-goalsoftheproject.TheDNS *
- domain.Thisdomaintheninsertsanaddressforanotherauthoritative *
- doubt.Thiscaseisvalidatedbyunboundasa *
- duplicates ,butwhenpresentedwithduplicatesonthewirefromthe
- effectofmanyresolverslessandeasiertohandle ,butpenalizes
- eithercondition *
- falselyEDNS-nonsupporting ,andthusDNSSEC
- fillsupfast.Thisresultsindenialofservicefornewqueries. *
- finalanswer.Tohelplookups ,unboundwillhoweverusetheparent
- fingerprintsondatasets ,theIteratorthatsendsqueriestothe
- fromtheirzone ,thiscoversmostdelegation
- fromtheserverwithoutmakingunboundauthoritativeforthezones. *
- havedifferentNS ,glueinformation.Thechildisauthoritative,and
- hierarchicalDNSserversthatownthedataandtheCachethatstores *
- iftheserverresponds *
- indicatesazoneversionwherethisdomainisnotanylongerNXDOMAIN. *
- individualresolversbyhavinglessprobesandalongertimebeforefixes *
- isdetected.Insteadthezonethatisdnssec-lamebecomesbogus. *
- isimplementedsoastominimisethesecurityrisk ,whiletryingto
- ispreferred.Otherwise ,itcanreplaceolderqueriesoutofthelast50
- iswhenaserverhasthezoneinquestion ,butlacksdnssecdata,suchas
- keepthisperformancegain. *
- keycacheadditionally ,aftertheprobing,abadkeyentryiscreatedthat
- lame ,andnotusedfor900seconds,andthesecondwillresultina
- lame.ThezoneisidentifiedbySOAorNSRRsetsintheanswer *
- localhost ,reverselookupfor127.0.0.1,orblockingAS112traffic.
- looksupdataintheDNSforclientsandcachespreviousanswersto *
- maintenance. *
- makestheentirezonebogusfor900seconds.Thisisafixedvalueat *
- messagefromcachewhichis *
- middleboxes ,andcandetecttheoccasionalauthoritythatdropsEDNS.
- negativecachedNXDOMAINreplywithaSOARRwheretheserialnumber *
- nooutofzoneglueisusedforfurtherresolving ,ismorecomplicated
- o0x20backoff. *
- oAnauthoritativenameserver. *
- oAvalidatingrecursiveDNSresolver. *
- oCasepreservation *
- oCodediversityintheDNSresolvermonoculture. *
- oDNSSECsupport. *
- oDenialofserviceprotection *
- oDrop-inreplacementforBINDapartfromconfig. *
- oEDNSfallback.IsdoneaccordingtotheEDNSRFC *
- oElegantdesignofvalidator ,resolver,cachemodules.
- oFailureofvalidationandprobing. *
- oFullyRFCcompliant. *
- oHighlyportable ,targetsincludemodernUnixsystems,suchas
- oHighperformance *
- oIfaclientmakesaquerywithoutRDbit ,inthecaseofareturned
- oInC ,opensource
- oNXDOMAINandSOAserialnumbers. *
- oParentandchildwithdifferentnameserverinformation. *
- oRobust. *
- oSOArecordsinnegativecachedanswersforDSqueries. *
- oSmallestaspossiblecomponentthatdoesthejob. *
- oStub-zonescanbeconfigured *
- oTheharden-gluefeature ,whenyesalloutofzoneglueisdeleted,when
- oThemethodbywhichdnssec-lamenessisdetectedisnotsecure.DNSSEClame *
- oToomanyFeatures. *
- oUsedas *
- oauthorityfeatures. *
- ofdenialofservice.I.e.acompletelydifferentNSsetcouldbereturned ,
- oftheauthorityserver.ThisisthesameasBIND.RFC4343allowseither *
- onaserver ,dnssec
- oneortworound-tripresolvescanbedoneinthelast50 *
- ordnssec-non-lamenessinthechild.Thefirstresultsintheservermarked *
- orfc2181discouragesduplicatesRRsinRRsets.unbounddoesnotcreate *
- ortheinformationwithheld.Allofthesealterationscanbecaughtby *
- otheaccesscontroldeniesqueriesbeforeanyotherprocessing. *
- parent ,dnssec
- presentintheNSrecordintheauthoritysectionisletthrough. *
- project.Section5discusseschoicesmadeduringdevelopment. *
- proofscouldbevalid ,orneithercouldbevalid,whichcreates
- providers.Limitedsupportisaddedspecificallytoaddressthis. *
- queriesandgetanswersfromthecache *
- queriesareperformedtogetthedata. *
- reassurancethattheDNSserverdoesEDNSdoesnotmeanthatpathcan *
- returnedtotheclient. *
- routingpackets.Todetectthis ,whentimeoutskeephappening,asthe
- rrsigandany ,becauseofspecialrrsigprocessinginthemsgparser.
- runasaserver ,butalinkedintoanapplication
- serverintothecache ,whenvisitingthatotherdomain,thisaddressmay
- serverslame.dnssec-lamenessisaconfigerroranddeservesthetrouble. *
- serversseveraltimes.Unboundgoesongetthefulllistofnameserver *
- signatures.Themethodtodetectdnsseclamenesslooksatnonvalidated *
- solaris ,linux,andmaybealsothewindowsplatform.
- specifiedforanNXDOMAINmessage ,butsendanewerSOArecordif
- speedupprocessingiscalledacaching ,recursivenameserver.
- spoofedgluetoaclient.Whenthemessageexpires ,itisrefetchedand
- structureforqueries. *
- support *
- takelargeDNSanswers. *
- thanthat ,seebelow.
- thatalsoDNSSEC *
- thebareNSEC *
- thecachedRRisupdatedwiththecorrectcontent. *
- thecorrectmessageformat ,aSOArecordispickedfromthecache
- themessagecache.IfaDNSKEYorDSfailsinthechainoftrustinthe *
- thenbeusedtosendqueriesto.Andfakeanswersmaybereturned. *
- theninterfacewiththemodulestoperformthenecessaryprocessing. *
- thevalidatoriftheparentissigned ,andresultin900secondsbogus.
- thishasbeenfoundinthemeantime.Inpoint ,thiscouldleadtoa
- thisquerywillbe *
- thistimeandisconservativeinsendingprobes.Itmakesthecompound *
- thosemisconfigureddomainswheretheserversreportedbytheparent *
- thusremovethe *
- thususefultocachedatatospeedupfuturelookups.Aserverthat *
- timeoutapproached5-10seconds ,andEDNSstatushasnotbeendetectedyet,
- timetolive *
- tocreateafalsesenseofdnssec-lamenessinthechild ,orafalsesense
- unbound.confasstubforthosezones ,thisallowsclientstoaccessdata
- unboundwillnottrustinformationfromtheparentnameserversasthe *
- updatedfromanotherquery ,theNXDOMAINisdroppedfromthecache,
- updatedmorecarefully.IfoneoftheNSECrecordsinanNXDOMAINis *
- validatorfailure *
- versionoftheglueasalastresortlookup.Thisresolveslookupsfor *
- volunteeredtowritethisimplementation. *
- whichispresentinadelegation ,oftypeAandAAAA,wherethenameis
- willnotbepresentinthereplytotheclient *
- withattemptatno-DSproof *
- @babel/code-frame 7.8.3 development
- @babel/highlight 7.8.3 development
- @types/node 8.10.59 development
- @types/vscode 1.42.0 development
- ansi-styles 3.2.1 development
- argparse 1.0.10 development
- balanced-match 1.0.0 development
- brace-expansion 1.1.11 development
- builtin-modules 1.1.1 development
- chalk 2.4.2 development
- color-convert 1.9.3 development
- color-name 1.1.3 development
- commander 2.20.3 development
- concat-map 0.0.1 development
- diff 4.0.2 development
- escape-string-regexp 1.0.5 development
- esprima 4.0.1 development
- esutils 2.0.3 development
- fs.realpath 1.0.0 development
- glob 7.1.6 development
- has-flag 3.0.0 development
- inflight 1.0.6 development
- inherits 2.0.4 development
- js-tokens 4.0.0 development
- js-yaml 3.13.1 development
- minimatch 3.0.4 development
- minimist 0.0.8 development
- mkdirp 0.5.1 development
- once 1.4.0 development
- path-is-absolute 1.0.1 development
- path-parse 1.0.6 development
- resolve 1.15.1 development
- semver 5.7.1 development
- sprintf-js 1.0.3 development
- supports-color 5.5.0 development
- tslib 1.11.1 development
- tslint 5.20.1 development
- tsutils 2.29.0 development
- typescript 3.8.3 development
- wrappy 1.0.2 development