1 files changed, 80 insertions, 50 deletions

diff --git a/contrib/unbound/libunbound/unbound.h b/contrib/unbound/libunbound/unbound.h
index ee8558759065..c274f80ab897 100644
--- a/contrib/unbound/libunbound/unbound.h
+++ b/contrib/unbound/libunbound/unbound.h
@@ -4,22 +4,22 @@
  * Copyright (c) 2007, NLnet Labs. All rights reserved.
  *
  * This software is open source.
- * 
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
- * 
+ *
  * Redistributions of source code must retain the above copyright notice,
  * this list of conditions and the following disclaimer.
- * 
+ *
  * Redistributions in binary form must reproduce the above copyright notice,
  * this list of conditions and the following disclaimer in the documentation
  * and/or other materials provided with the distribution.
- * 
+ *
  * Neither the name of the NLNET LABS nor the names of its contributors may
  * be used to endorse or promote products derived from this software without
  * specific prior written permission.
- * 
+ *
  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
@@ -36,7 +36,7 @@
 /**
  * \file
  *
- * This file contains functions to resolve DNS queries and 
+ * This file contains functions to resolve DNS queries and
  * validate the answers. Synchronously and asynchronously.
  *
  * Several ways to use this interface from an application wishing
@@ -65,7 +65,7 @@
  *	... or process() calls my_callback() with results.
  *
  *      ... if the application has nothing more to do, wait for answer
- *      ub_wait(ctx); 
+ *      ub_wait(ctx);
  *
  * Application threaded. Blocking.
  *	Blocking, same as above. The current thread does the work.
@@ -83,7 +83,7 @@
  * CRYPTO_set_id_callback and CRYPTO_set_locking_callback.
  *
  * If no threading is compiled in, the above async example uses fork(2) to
- * create a process to perform the work. The forked process exits when the 
+ * create a process to perform the work. The forked process exits when the
  * calling process exits, or ctx_delete() is called.
  * Otherwise, for asynchronous with threading, a worker thread is created.
  *
@@ -94,8 +94,8 @@
  * The second calls another worker thread (or process) to perform the work.
  * And no buffers need to be set up, but a context-switch happens.
  */
-#ifndef _UB_UNBOUND_H
-#define _UB_UNBOUND_H
+#ifndef UB_UNBOUND_H
+#define UB_UNBOUND_H
 
 #ifdef __cplusplus
 extern "C" {
@@ -128,10 +128,10 @@ struct ub_result {
 	/** the class asked for */
 	int qclass;
 
-	/** 
-	 * a list of network order DNS rdata items, terminated with a 
+	/**
+	 * a list of network order DNS rdata items, terminated with a
 	 * NULL pointer, so that data[0] is the first result entry,
-	 * data[1] the second, and the last entry is NULL. 
+	 * data[1] the second, and the last entry is NULL.
 	 * If there was no data, data[0] is NULL.
 	 */
 	char** data;
@@ -139,8 +139,8 @@ struct ub_result {
 	/** the length in bytes of the data items, len[i] for data[i] */
 	int* len;
 
-	/** 
-	 * canonical name for the result (the final cname). 
+	/**
+	 * canonical name for the result (the final cname).
 	 * zero terminated string.
 	 * May be NULL if no canonical name exists.
 	 */
@@ -165,9 +165,9 @@ struct ub_result {
 	 */
 	int havedata;
 
-	/** 
+	/**
 	 * If there was no data, and the domain did not exist, this is true.
-	 * If it is false, and there was no data, then the domain name 
+	 * If it is false, and there was no data, then the domain name
 	 * is purported to exist, but the requested data type is not available.
 	 */
 	int nxdomain;
@@ -182,19 +182,19 @@ struct ub_result {
 	 */
 	int secure;
 
-	/** 
-	 * If the result was not secure (secure==0), and this result is due 
+	/**
+	 * If the result was not secure (secure==0), and this result is due
 	 * to a security failure, bogus is true.
 	 * This means the data has been actively tampered with, signatures
-	 * failed, expected signatures were not present, timestamps on 
+	 * failed, expected signatures were not present, timestamps on
 	 * signatures were out of date and so on.
 	 *
-	 * If !secure and !bogus, this can happen if the data is not secure 
-	 * because security is disabled for that domain name. 
+	 * If !secure and !bogus, this can happen if the data is not secure
+	 * because security is disabled for that domain name.
 	 * This means the data is from a domain where data is not signed.
 	 */
 	int bogus;
-	
+
 	/**
 	 * If the result is bogus this contains a string (zero terminated)
 	 * that describes the failure.  There may be other errors as well
@@ -222,7 +222,7 @@ struct ub_result {
  * The readable function definition looks like:
  * void my_callback(void* my_arg, int err, struct ub_result* result);
  * It is called with
- *	void* my_arg: your pointer to a (struct of) data of your choice, 
+ *	void* my_arg: your pointer to a (struct of) data of your choice,
  *		or NULL.
  *	int err: if 0 all is OK, otherwise an error occurred and no results
  *	     are forthcoming.
@@ -301,8 +301,8 @@ int ub_ctx_set_option(struct ub_ctx* ctx, const char* opt, const char* val);
  * 	This is a power-users interface that lets you specify all sorts
  * 	of options.
  * @param str: the string is malloced and returned here. NULL on error.
- * 	The caller must free() the string.  In cases with multiple 
- * 	entries (auto-trust-anchor-file), a newline delimited list is 
+ * 	The caller must free() the string.  In cases with multiple
+ * 	entries (auto-trust-anchor-file), a newline delimited list is
  * 	returned in the string.
  * @return 0 if OK else an error code (malloc failure, syntax error).
  */
@@ -321,10 +321,10 @@ int ub_ctx_get_option(struct ub_ctx* ctx, const char* opt, char** str);
 int ub_ctx_config(struct ub_ctx* ctx, const char* fname);
 
 /**
- * Set machine to forward DNS queries to, the caching resolver to use. 
- * IP4 or IP6 address. Forwards all DNS requests to that machine, which 
- * is expected to run a recursive resolver. If the proxy is not 
- * DNSSEC-capable, validation may fail. Can be called several times, in 
+ * Set machine to forward DNS queries to, the caching resolver to use.
+ * IP4 or IP6 address. Forwards all DNS requests to that machine, which
+ * is expected to run a recursive resolver. If the proxy is not
+ * DNSSEC-capable, validation may fail. Can be called several times, in
  * that case the addresses are used as backup servers.
  *
  * To read the list of nameservers from /etc/resolv.conf (from DHCP or so),
@@ -389,7 +389,7 @@ int ub_ctx_resolvconf(struct ub_ctx* ctx, const char* fname);
 
 /**
  * Read list of hosts from the filename given.
- * Usually "/etc/hosts". 
+ * Usually "/etc/hosts".
  * These addresses are not flagged as DNSSEC secure when queried for.
  *
  * @param ctx: context.
@@ -403,7 +403,7 @@ int ub_ctx_hosts(struct ub_ctx* ctx, const char* fname);
 /**
  * Add a trust anchor to the given context.
  * The trust anchor is a string, on one line, that holds a valid DNSKEY or
- * DS RR. 
+ * DS RR.
  * @param ctx: context.
  *	At this time it is only possible to add trusted keys before the
  *	first resolve is done.
@@ -465,7 +465,7 @@ int ub_ctx_debugout(struct ub_ctx* ctx, void* out);
  * Set debug verbosity for the context
  * Output is directed to stderr.
  * @param ctx: context.
- * @param d: debug level, 0 is off, 1 is very minimal, 2 is detailed, 
+ * @param d: debug level, 0 is off, 1 is very minimal, 2 is detailed,
  *	and 3 is lots.
  * @return 0 if OK, else error.
  */
@@ -474,10 +474,10 @@ int ub_ctx_debuglevel(struct ub_ctx* ctx, int d);
 /**
  * Set a context behaviour for asynchronous action.
  * @param ctx: context.
- * @param dothread: if true, enables threading and a call to resolve_async() 
+ * @param dothread: if true, enables threading and a call to resolve_async()
  *	creates a thread to handle work in the background.
  *	If false, a process is forked to handle work in the background.
- *	Changes to this setting after async() calls have been made have 
+ *	Changes to this setting after async() calls have been made have
  *	no effect (delete and re-create the context to change).
  * @return 0 if OK, else error.
  */
@@ -495,7 +495,7 @@ int ub_poll(struct ub_ctx* ctx);
 
 /**
  * Wait for a context to finish with results. Calls ub_process() after
- * the wait for you. After the wait, there are no more outstanding 
+ * the wait for you. After the wait, there are no more outstanding
  * asynchronous queries.
  * @param ctx: context.
  * @return: 0 if OK, else error.
@@ -530,11 +530,11 @@ int ub_process(struct ub_ctx* ctx);
  * @param rrtype: type of RR in host order, 1 is A (address).
  * @param rrclass: class of RR in host order, 1 is IN (for internet).
  * @param result: the result data is returned in a newly allocated result
- * 	structure. May be NULL on return, return value is set to an error 
+ * 	structure. May be NULL on return, return value is set to an error
  * 	in that case (out of memory).
  * @return 0 if OK, else error.
  */
-int ub_resolve(struct ub_ctx* ctx, const char* name, int rrtype, 
+int ub_resolve(struct ub_ctx* ctx, const char* name, int rrtype,
 	int rrclass, struct ub_result** result);
 
 /**
@@ -561,11 +561,11 @@ int ub_resolve(struct ub_ctx* ctx, const char* name, int rrtype,
  * 	If an error happens during processing, your callback will be called
  * 	with error set to a nonzero value (and result==NULL).
  * @param async_id: if you pass a non-NULL value, an identifier number is
- *	returned for the query as it is in progress. It can be used to 
+ *	returned for the query as it is in progress. It can be used to
  *	cancel the query.
  * @return 0 if OK, else error.
  */
-int ub_resolve_async(struct ub_ctx* ctx, const char* name, int rrtype, 
+int ub_resolve_async(struct ub_ctx* ctx, const char* name, int rrtype,
 	int rrclass, void* mydata, ub_callback_type callback, int* async_id);
 
 /**
@@ -589,7 +589,7 @@ int ub_cancel(struct ub_ctx* ctx, int async_id);
  */
 void ub_resolve_free(struct ub_result* result);
 
-/** 
+/**
  * Convert error value to a human readable string.
  * @param err: error code from one of the libunbound functions.
  * 	The error codes are from the type enum ub_ctx_err.
@@ -605,7 +605,7 @@ const char* ub_strerror(int err);
 int ub_ctx_print_local_zones(struct ub_ctx* ctx);
 
 /**
- * Add a new zone with the zonetype to the local authority info of the 
+ * Add a new zone with the zonetype to the local authority info of the
  * library.
  * @param ctx: context.  Is finalized by the routine.
  * @param zone_name: name of the zone in text, "example.com"
@@ -613,7 +613,7 @@ int ub_ctx_print_local_zones(struct ub_ctx* ctx);
  * @param zone_type: type of the zone (like for unbound.conf) in text.
  * @return 0 if OK, else error.
  */
-int ub_ctx_zone_add(struct ub_ctx* ctx, const char *zone_name, 
+int ub_ctx_zone_add(struct ub_ctx* ctx, const char *zone_name,
 	const char *zone_type);
 
 /**
@@ -649,7 +649,7 @@ int ub_ctx_data_remove(struct ub_ctx* ctx, const char *data);
  */
 const char* ub_version(void);
 
-/** 
+/**
  * Some global statistics that are not in struct stats_info,
  * this struct is shared on a shm segment (shm-key in unbound.conf)
  */
@@ -695,13 +695,22 @@ struct ub_server_stats {
 	long long num_queries;
 	/** number of queries that have been dropped/ratelimited by ip. */
 	long long num_queries_ip_ratelimited;
+	/** number of queries with a valid DNS Cookie. */
+	long long num_queries_cookie_valid;
+	/** number of queries with only the client part of the DNS Cookie. */
+	long long num_queries_cookie_client;
+	/** number of queries with invalid DNS Cookie. */
+	long long num_queries_cookie_invalid;
 	/** number of queries that had a cache-miss. */
 	long long num_queries_missed_cache;
 	/** number of prefetch queries - cachehits with prefetch */
 	long long num_queries_prefetch;
-
+	/** number of queries which are too late to process */
+	long long num_queries_timed_out;
+	/** the longest wait time in the queue */
+	long long max_query_time_us;
 	/**
-	 * Sum of the querylistsize of the worker for 
+	 * Sum of the querylistsize of the worker for
 	 * every query that missed cache. To calculate average.
 	 */
 	long long sum_query_list_size;
@@ -725,6 +734,8 @@ struct ub_server_stats {
 	long long qtcp;
 	/** number of outgoing queries over TCP */
 	long long qtcp_outgoing;
+	/** number of outgoing queries over UDP */
+	long long qudp_outgoing;
 	/** number of queries over (DNS over) TLS */
 	long long qtls;
 	/** number of queries over (DNS over) HTTPS */
@@ -761,6 +772,8 @@ struct ub_server_stats {
 	long long ans_bogus;
 	/** rrsets marked bogus by validator */
 	long long rrset_bogus;
+	/** number of signature validation operations performed by validator */
+	long long val_ops;
 	/** number of queries that have been ratelimited by domain recursion. */
 	long long queries_ratelimited;
 	/** unwanted traffic received on server-facing ports */
@@ -771,12 +784,12 @@ struct ub_server_stats {
 	long long tcp_accept_usage;
 	/** expired answers served from cache */
 	long long ans_expired;
-	/** histogram data exported to array 
+	/** histogram data exported to array
 	 * if the array is the same size, no data is lost, and
 	 * if all histograms are same size (is so by default) then
 	 * adding up works well. */
 	long long hist[UB_STATS_BUCKET_NUM];
-	
+
 	/** number of message cache entries */
 	long long msg_cache_count;
 	/** number of rrset cache entries */
@@ -786,6 +799,11 @@ struct ub_server_stats {
 	/** number of key cache entries */
 	long long key_cache_count;
 
+	/** maximum number of collisions in the msg cache */
+	long long msg_cache_max_collisions;
+	/** maximum number of collisions in the rrset cache */
+	long long rrset_cache_max_collisions;
+
 	/** number of queries that used dnscrypt */
 	long long num_query_dnscrypt_crypted;
 	/** number of queries that queried dnscrypt certificates */
@@ -817,6 +835,8 @@ struct ub_server_stats {
 	/** number of queries answered from edns-subnet specific data, and
 	 * the answer was from the edns-subnet cache. */
 	long long num_query_subnet_cache;
+	/** number of queries served from cachedb */
+	long long num_query_cachedb;
 	/** number of bytes in the stream wait buffers */
 	long long mem_stream_wait;
 	/** number of bytes in the HTTP2 query buffers */
@@ -827,9 +847,19 @@ struct ub_server_stats {
 	long long qtls_resume;
 	/** RPZ action stats */
 	long long rpz_action[UB_STATS_RPZ_ACTION_NUM];
+	/** number of bytes in QUIC buffers */
+	long long mem_quic;
+	/** number of queries over (DNS over) QUIC */
+	long long qquic;
+	/** number of queries removed due to discard-timeout */
+	long long num_queries_discard_timeout;
+	/** number of queries removed due to wait-limit */
+	long long num_queries_wait_limit;
+	/** number of dns error reports generated */
+	long long num_dns_error_reports;
 };
 
-/** 
+/**
  * Statistics to send over the control pipe when asked
  * This struct is made to be memcopied, sent in binary.
  * shm mapped with (number+1) at num_threads+1, with first as total
@@ -858,4 +888,4 @@ struct ub_stats_info {
 }
 #endif
 
-#endif /* _UB_UNBOUND_H */
+#endif /* UB_UNBOUND_H */