View | Details | Raw Unified | Return to bug 1440
Collapse All | Expand All

(-)b/dnscrypt/dnscrypt.c (-2 / +192 lines)
 Lines 60-65   struct shared_secret_cache_key { Link Here 
60
};
60
};
61
61
62
62
63
struct nonce_cache_key {
64
    /** the nonce used by the client */
65
    uint8_t nonce[crypto_box_HALF_NONCEBYTES];
66
    /** the client_magic used by the client, this is associated to 1 cert only */
67
    uint8_t magic_query[DNSCRYPT_MAGIC_HEADER_LEN];
68
    /** the client public key */
69
    uint8_t client_publickey[crypto_box_PUBLICKEYBYTES];
70
    /** the hash table entry, data is uint8_t */
71
    struct lruhash_entry entry;
72
};
73
63
/**
74
/**
64
 * Generate a key suitable to find shared secret in slabhash.
75
 * Generate a key suitable to find shared secret in slabhash.
65
 * \param[in] key: a uint8_t pointer of size DNSCRYPT_SHARED_SECRET_KEY_LENGTH
76
 * \param[in] key: a uint8_t pointer of size DNSCRYPT_SHARED_SECRET_KEY_LENGTH
 Lines 136-141   dnsc_shared_secrets_lookup(struct slabhash* cache, Link Here 
136
}
147
}
137
148
138
/**
149
/**
150
 * Generate a key hash suitable to find a nonce in slabhash.
151
 * \param[in] nonce: a uint8_t pointer of size crypto_box_HALF_NONCEBYTES
152
 * \param[in] magic_query: a uint8_t pointer of size DNSCRYPT_MAGIC_HEADER_LEN
153
 * \param[in] pk: The public key of the client. uint8_t pointer of size
154
 * crypto_box_PUBLICKEYBYTES.
155
 * \return the hash of the key.
156
 */
157
static uint32_t
158
dnsc_nonce_cache_key_hash(const uint8_t nonce[crypto_box_HALF_NONCEBYTES],
159
                          const uint8_t magic_query[DNSCRYPT_MAGIC_HEADER_LEN],
160
                          const uint8_t pk[crypto_box_PUBLICKEYBYTES])
161
{
162
    uint32_t h = 0;
163
    h = hashlittle(nonce, crypto_box_HALF_NONCEBYTES, h);
164
    h = hashlittle(magic_query, DNSCRYPT_MAGIC_HEADER_LEN, h);
165
    return hashlittle(pk, crypto_box_PUBLICKEYBYTES, h);
166
}
167
168
/**
169
 * Inserts a nonce, magic_query, pk tuple into the nonces_cache slabhash.
170
 * \param[in] cache: the slabhash in which to look for the key.
171
 * \param[in] nonce: a uint8_t pointer of size crypto_box_HALF_NONCEBYTES
172
 * \param[in] magic_query: a uint8_t pointer of size DNSCRYPT_MAGIC_HEADER_LEN
173
 * \param[in] pk: The public key of the client. uint8_t pointer of size
174
 * crypto_box_PUBLICKEYBYTES.
175
 * \param[in] hash: the hash of the key.
176
 */
177
static void
178
dnsc_nonce_cache_insert(struct slabhash *cache,
179
                        const uint8_t nonce[crypto_box_HALF_NONCEBYTES],
180
                        const uint8_t magic_query[DNSCRYPT_MAGIC_HEADER_LEN],
181
                        const uint8_t pk[crypto_box_PUBLICKEYBYTES],
182
                        uint32_t hash)
183
{
184
    struct nonce_cache_key* k =
185
        (struct nonce_cache_key*)calloc(1, sizeof(*k));
186
    if(!k) {
187
        free(k);
188
        return;
189
    }
190
    lock_rw_init(&k->entry.lock);
191
    memcpy(k->nonce, nonce, crypto_box_HALF_NONCEBYTES);
192
    memcpy(k->magic_query, magic_query, DNSCRYPT_MAGIC_HEADER_LEN);
193
    memcpy(k->client_publickey, pk, crypto_box_PUBLICKEYBYTES);
194
    k->entry.hash = hash;
195
    k->entry.key = k;
196
    k->entry.data = NULL;
197
    slabhash_insert(cache,
198
                    hash, &k->entry,
199
                    NULL,
200
                    NULL);
201
}
202
203
/**
204
 * Lookup a record in nonces_cache.
205
 * \param[in] cache: the slabhash in which to look for the key.
206
 * \param[in] nonce: a uint8_t pointer of size crypto_box_HALF_NONCEBYTES
207
 * \param[in] magic_query: a uint8_t pointer of size DNSCRYPT_MAGIC_HEADER_LEN
208
 * \param[in] pk: The public key of the client. uint8_t pointer of size
209
 * crypto_box_PUBLICKEYBYTES.
210
 * \param[in] hash: the hash of the key.
211
 * \return a pointer to the locked cache entry or NULL on failure.
212
 */
213
static struct lruhash_entry*
214
dnsc_nonces_lookup(struct slabhash* cache,
215
                   const uint8_t nonce[crypto_box_HALF_NONCEBYTES],
216
                   const uint8_t magic_query[DNSCRYPT_MAGIC_HEADER_LEN],
217
                   const uint8_t pk[crypto_box_PUBLICKEYBYTES],
218
                   uint32_t hash)
219
{
220
    struct nonce_cache_key k;
221
    memset(&k, 0, sizeof(k));
222
    k.entry.hash = hash;
223
    memcpy(k.nonce, nonce, crypto_box_HALF_NONCEBYTES);
224
    memcpy(k.magic_query, magic_query, DNSCRYPT_MAGIC_HEADER_LEN);
225
    memcpy(k.client_publickey, pk, crypto_box_PUBLICKEYBYTES);
226
227
    return slabhash_lookup(cache, hash, &k, 0);
228
}
229
230
/**
139
 * Decrypt a query using the dnsccert that was found using dnsc_find_cert.
231
 * Decrypt a query using the dnsccert that was found using dnsc_find_cert.
140
 * The client nonce will be extracted from the encrypted query and stored in
232
 * The client nonce will be extracted from the encrypted query and stored in
141
 * client_nonce, a shared secret will be computed and stored in nmkey and the
233
 * client_nonce, a shared secret will be computed and stored in nmkey and the
 Lines 163-173   dnscrypt_server_uncurve(struct dnsc_env* env, Link Here 
163
    struct lruhash_entry* entry;
255
    struct lruhash_entry* entry;
164
    uint32_t hash;
256
    uint32_t hash;
165
257
258
    uint32_t nonce_hash;
259
166
    if (len <= DNSCRYPT_QUERY_HEADER_SIZE) {
260
    if (len <= DNSCRYPT_QUERY_HEADER_SIZE) {
167
        return -1;
261
        return -1;
168
    }
262
    }
169
263
170
    query_header = (struct dnscrypt_query_header *)buf;
264
    query_header = (struct dnscrypt_query_header *)buf;
265
266
    /* Detect replay attacks */
267
    nonce_hash = dnsc_nonce_cache_key_hash(
268
        query_header->nonce,
269
        cert->magic_query,
270
        query_header->publickey);
271
272
    lock_basic_lock(&env->nonces_cache_lock);
273
    entry = dnsc_nonces_lookup(
274
        env->nonces_cache,
275
        query_header->nonce,
276
        cert->magic_query,
277
        query_header->publickey,
278
        nonce_hash);
279
280
    if(entry) {
281
        lock_rw_unlock(&entry->lock);
282
        lock_basic_unlock(&env->nonces_cache_lock);
283
        verbose(VERB_OPS, "Found existing nonce");
284
        return -1;
285
    }
286
287
    dnsc_nonce_cache_insert(
288
        env->nonces_cache,
289
        query_header->nonce,
290
        cert->magic_query,
291
        query_header->publickey,
292
        nonce_hash);
293
    lock_basic_unlock(&env->nonces_cache_lock);
294
295
    /* Find existing shared secret */
171
    hash = dnsc_shared_secrets_cache_key(key,
296
    hash = dnsc_shared_secrets_cache_key(key,
172
                                         cert->es_version[1],
297
                                         cert->es_version[1],
173
                                         query_header->publickey,
298
                                         query_header->publickey,
 Lines 770-777   dnsc_create(void) Link Here 
770
	env = (struct dnsc_env *) calloc(1, sizeof(struct dnsc_env));
895
	env = (struct dnsc_env *) calloc(1, sizeof(struct dnsc_env));
771
	lock_basic_init(&env->shared_secrets_cache_lock);
896
	lock_basic_init(&env->shared_secrets_cache_lock);
772
	lock_protect(&env->shared_secrets_cache_lock,
897
	lock_protect(&env->shared_secrets_cache_lock,
773
				 &env->num_query_dnscrypt_secret_missed_cache,
898
                 &env->num_query_dnscrypt_secret_missed_cache,
774
				 sizeof(env->num_query_dnscrypt_secret_missed_cache));
899
                 sizeof(env->num_query_dnscrypt_secret_missed_cache));
900
	lock_basic_init(&env->nonces_cache_lock);
901
	lock_protect(&env->nonces_cache_lock,
902
                 &env->nonces_cache,
903
                 sizeof(env->nonces_cache));
904
775
	return env;
905
	return env;
776
}
906
}
777
907
 Lines 803-808   dnsc_apply_cfg(struct dnsc_env *env, struct config_file *cfg) Link Here 
803
    if(!env->shared_secrets_cache){
933
    if(!env->shared_secrets_cache){
804
        fatal_exit("dnsc_apply_cfg: could not create shared secrets cache.");
934
        fatal_exit("dnsc_apply_cfg: could not create shared secrets cache.");
805
    }
935
    }
936
    env->nonces_cache = slabhash_create(
937
        4,
938
        HASH_DEFAULT_STARTARRAY,
939
        4000000,
940
        dnsc_nonces_sizefunc,
941
        dnsc_nonces_compfunc,
942
        dnsc_nonces_delkeyfunc,
943
        dnsc_nonces_deldatafunc,
944
        NULL
945
    );
806
    return 0;
946
    return 0;
807
}
947
}
808
948
 Lines 817-823   dnsc_delete(struct dnsc_env *env) Link Here 
817
	sodium_free(env->certs);
957
	sodium_free(env->certs);
818
	sodium_free(env->keypairs);
958
	sodium_free(env->keypairs);
819
	slabhash_delete(env->shared_secrets_cache);
959
	slabhash_delete(env->shared_secrets_cache);
960
	slabhash_delete(env->nonces_cache);
820
	lock_basic_destroy(&env->shared_secrets_cache_lock);
961
	lock_basic_destroy(&env->shared_secrets_cache_lock);
962
	lock_basic_destroy(&env->nonces_cache_lock);
821
	free(env);
963
	free(env);
822
}
964
}
823
965
 Lines 858-860   dnsc_shared_secrets_deldatafunc(void* d, void* ATTR_UNUSED(arg)) Link Here 
858
    uint8_t* data = (uint8_t*)d;
1000
    uint8_t* data = (uint8_t*)d;
859
    free(data);
1001
    free(data);
860
}
1002
}
1003
1004
/**
1005
 * #########################################################
1006
 * ############### Nonces cache functions ##################
1007
 * #########################################################
1008
 */
1009
1010
size_t
1011
dnsc_nonces_sizefunc(void *k, void* ATTR_UNUSED(d))
1012
{
1013
    struct nonce_cache_key* nk = (struct nonce_cache_key*)k;
1014
    size_t key_size = sizeof(struct nonce_cache_key)
1015
        + lock_get_mem(&nk->entry.lock);
1016
    (void)nk; /* otherwise ssk is unused if no threading, or fixed locksize */
1017
    return key_size;
1018
}
1019
1020
int
1021
dnsc_nonces_compfunc(void *m1, void *m2)
1022
{
1023
    struct nonce_cache_key *k1 = m1, *k2 = m2;
1024
    return
1025
        sodium_memcmp(
1026
            k1->nonce,
1027
            k2->nonce,
1028
            crypto_box_HALF_NONCEBYTES) != 0 ||
1029
        sodium_memcmp(
1030
            k1->magic_query,
1031
            k2->magic_query,
1032
            DNSCRYPT_MAGIC_HEADER_LEN) != 0 ||
1033
        sodium_memcmp(
1034
            k1->client_publickey, k2->client_publickey,
1035
            crypto_box_PUBLICKEYBYTES) != 0;
1036
}
1037
1038
void
1039
dnsc_nonces_delkeyfunc(void *k, void* ATTR_UNUSED(arg))
1040
{
1041
    struct nonce_cache_key* nk = (struct nonce_cache_key*)k;
1042
    lock_rw_destroy(&nk->entry.lock);
1043
    free(nk);
1044
}
1045
1046
void
1047
dnsc_nonces_deldatafunc(void* ATTR_UNUSED(d), void* ATTR_UNUSED(arg))
1048
{
1049
    return;
1050
}
(-)b/dnscrypt/dnscrypt.h (+25 lines)
 Lines 68-73   struct dnsc_env { Link Here 
68
	lock_basic_type shared_secrets_cache_lock;
68
	lock_basic_type shared_secrets_cache_lock;
69
	/** number of misses from shared_secrets_cache */
69
	/** number of misses from shared_secrets_cache */
70
	size_t num_query_dnscrypt_secret_missed_cache;
70
	size_t num_query_dnscrypt_secret_missed_cache;
71
	/** slabhash keeping track of nonce/cient pk/server sk pairs. */
72
	struct slabhash *nonces_cache;
73
	/** lock on nonces_cache, used to avoid race condition in updating the hash */
74
	lock_basic_type nonces_cache_lock;
71
};
75
};
72
76
73
struct dnscrypt_query_header {
77
struct dnscrypt_query_header {
 Lines 139-143   void dnsc_shared_secrets_delkeyfunc(void *k, void* arg); Link Here 
139
 */
143
 */
140
void dnsc_shared_secrets_deldatafunc(void* d, void* arg);
144
void dnsc_shared_secrets_deldatafunc(void* d, void* arg);
141
145
146
/**
147
 * Computes the size of the nonce cache entry.
148
 */
149
size_t dnsc_nonces_sizefunc(void *k, void *d);
150
151
/**
152
 * Compares two nonce cache keys.
153
 */
154
int dnsc_nonces_compfunc(void *m1, void *m2);
155
156
/**
157
 * Function to delete a nonce cache key.
158
 */
159
void dnsc_nonces_delkeyfunc(void *k, void* arg);
160
161
/**
162
 * Function to delete a nonce cache value.
163
 */
164
void dnsc_nonces_deldatafunc(void* d, void* arg);
165
166
142
#endif /* USE_DNSCRYPT */
167
#endif /* USE_DNSCRYPT */
143
#endif
168
#endif
(-)b/util/fptr_wlist.c (-2 / +4 lines)
 Lines 233-238   fptr_whitelist_hash_sizefunc(lruhash_sizefunc_type fptr) Link Here 
233
#endif
233
#endif
234
#ifdef USE_DNSCRYPT
234
#ifdef USE_DNSCRYPT
235
	else if(fptr == &dnsc_shared_secrets_sizefunc) return 1;
235
	else if(fptr == &dnsc_shared_secrets_sizefunc) return 1;
236
	else if(fptr == &dnsc_nonces_sizefunc) return 1;
236
#endif
237
#endif
237
	return 0;
238
	return 0;
238
}
239
}
 Lines 249-254   fptr_whitelist_hash_compfunc(lruhash_compfunc_type fptr) Link Here 
249
	else if(fptr == &test_slabhash_compfunc) return 1;
250
	else if(fptr == &test_slabhash_compfunc) return 1;
250
#ifdef USE_DNSCRYPT
251
#ifdef USE_DNSCRYPT
251
	else if(fptr == &dnsc_shared_secrets_compfunc) return 1;
252
	else if(fptr == &dnsc_shared_secrets_compfunc) return 1;
253
	else if(fptr == &dnsc_nonces_compfunc) return 1;
252
#endif
254
#endif
253
	return 0;
255
	return 0;
254
}
256
}
 Lines 265-270   fptr_whitelist_hash_delkeyfunc(lruhash_delkeyfunc_type fptr) Link Here 
265
	else if(fptr == &test_slabhash_delkey) return 1;
267
	else if(fptr == &test_slabhash_delkey) return 1;
266
#ifdef USE_DNSCRYPT
268
#ifdef USE_DNSCRYPT
267
	else if(fptr == &dnsc_shared_secrets_delkeyfunc) return 1;
269
	else if(fptr == &dnsc_shared_secrets_delkeyfunc) return 1;
270
	else if(fptr == &dnsc_nonces_delkeyfunc) return 1;
268
#endif
271
#endif
269
	return 0;
272
	return 0;
270
}
273
}
 Lines 283-288   fptr_whitelist_hash_deldatafunc(lruhash_deldatafunc_type fptr) Link Here 
283
#endif
286
#endif
284
#ifdef USE_DNSCRYPT
287
#ifdef USE_DNSCRYPT
285
	else if(fptr == &dnsc_shared_secrets_deldatafunc) return 1;
288
	else if(fptr == &dnsc_shared_secrets_deldatafunc) return 1;
289
	else if(fptr == &dnsc_nonces_deldatafunc) return 1;
286
#endif
290
#endif
287
	return 0;
291
	return 0;
288
}
292
}
289
- 
290
--
291
dnscrypt/dnscrypt.c   |  4 ++--
293
dnscrypt/dnscrypt.c   |  4 ++--
292
doc/unbound.conf.5.in | 11 +++++++++++
294
doc/unbound.conf.5.in | 11 +++++++++++
293
util/config_file.c    | 10 ++++++++++
295
util/config_file.c    | 10 ++++++++++
294
util/config_file.h    |  5 ++++-
296
util/config_file.h    |  5 ++++-
295
util/configlexer.lex  |  2 ++
297
util/configlexer.lex  |  2 ++
296
util/configparser.y   | 27 ++++++++++++++++++++++++++-
298
util/configparser.y   | 27 ++++++++++++++++++++++++++-
297
6 files changed, 55 insertions(+), 4 deletions(-)
299
6 files changed, 55 insertions(+), 4 deletions(-)
(-)b/dnscrypt/dnscrypt.c (-2 / +2 lines)
 Lines 934-942   dnsc_apply_cfg(struct dnsc_env *env, struct config_file *cfg) Link Here 
934
        fatal_exit("dnsc_apply_cfg: could not create shared secrets cache.");
934
        fatal_exit("dnsc_apply_cfg: could not create shared secrets cache.");
935
    }
935
    }
936
    env->nonces_cache = slabhash_create(
936
    env->nonces_cache = slabhash_create(
937
        4,
937
        cfg->dnscrypt_nonce_cache_slabs,
938
        HASH_DEFAULT_STARTARRAY,
938
        HASH_DEFAULT_STARTARRAY,
939
        4000000,
939
        cfg->dnscrypt_nonce_cache_size,
940
        dnsc_nonces_sizefunc,
940
        dnsc_nonces_sizefunc,
941
        dnsc_nonces_compfunc,
941
        dnsc_nonces_compfunc,
942
        dnsc_nonces_delkeyfunc,
942
        dnsc_nonces_delkeyfunc,
(-)b/doc/unbound.conf.5.in (+11 lines)
 Lines 1518-1523   using the same public key. It saves a substantial amount of CPU. Link Here 
1518
Give power of 2 number of slabs, this is used to reduce lock contention
1518
Give power of 2 number of slabs, this is used to reduce lock contention
1519
in the dnscrypt shared secrets cache.  Close to the number of cpus is
1519
in the dnscrypt shared secrets cache.  Close to the number of cpus is
1520
a fairly good setting.
1520
a fairly good setting.
1521
.TP
1522
.B dnscrypt\-nonce\-cache\-size: \fI<memory size>
1523
Give the size of the data structure in which the client nonces are kept in.
1524
Default 4m. In bytes or use m(mega), k(kilo), g(giga).
1525
The nonce cache is used to prevent dnscrypt message replaying. Client nonce
1526
should be unique for any pair of client pk/server sk.
1527
.TP
1528
.B dnscrypt\-nonce\-cache\-slabs: \fI<number>
1529
Give power of 2 number of slabs, this is used to reduce lock contention
1530
in the dnscrypt nonce cache.  Close to the number of cpus is
1531
a fairly good setting.
1521
.SS "EDNS Client Subnet Module Options"
1532
.SS "EDNS Client Subnet Module Options"
1522
.LP
1533
.LP
1523
The ECS module must be configured in the \fBmodule\-config:\fR "subnetcache
1534
The ECS module must be configured in the \fBmodule\-config:\fR "subnetcache
(-)b/util/config_file.c (+10 lines)
 Lines 284-289   config_create(void) Link Here 
284
	cfg->dnscrypt_secret_key = NULL;
284
	cfg->dnscrypt_secret_key = NULL;
285
	cfg->dnscrypt_shared_secret_cache_size = 4*1024*1024;
285
	cfg->dnscrypt_shared_secret_cache_size = 4*1024*1024;
286
	cfg->dnscrypt_shared_secret_cache_slabs = 4;
286
	cfg->dnscrypt_shared_secret_cache_slabs = 4;
287
	cfg->dnscrypt_nonce_cache_size = 4*1024*1024;
288
	cfg->dnscrypt_nonce_cache_slabs = 4;
287
#ifdef USE_IPSECMOD
289
#ifdef USE_IPSECMOD
288
	cfg->ipsecmod_enabled = 1;
290
	cfg->ipsecmod_enabled = 1;
289
	cfg->ipsecmod_ignore_bogus = 0;
291
	cfg->ipsecmod_ignore_bogus = 0;
 Lines 571-576   int config_set_option(struct config_file* cfg, const char* opt, Link Here 
571
		dnscrypt_shared_secret_cache_size)
573
		dnscrypt_shared_secret_cache_size)
572
	else S_POW2("dnscrypt-shared-secret-cache-slabs:",
574
	else S_POW2("dnscrypt-shared-secret-cache-slabs:",
573
		dnscrypt_shared_secret_cache_slabs)
575
		dnscrypt_shared_secret_cache_slabs)
576
	else S_MEMSIZE("dnscrypt-nonce-cache-size:",
577
		dnscrypt_nonce_cache_size)
578
	else S_POW2("dnscrypt-nonce-cache-slabs:",
579
		dnscrypt_nonce_cache_slabs)
574
#endif
580
#endif
575
	else if(strcmp(opt, "ip-ratelimit:") == 0) {
581
	else if(strcmp(opt, "ip-ratelimit:") == 0) {
576
	    IS_NUMBER_OR_ZERO; cfg->ip_ratelimit = atoi(val);
582
	    IS_NUMBER_OR_ZERO; cfg->ip_ratelimit = atoi(val);
 Lines 936-941   config_get_option(struct config_file* cfg, const char* opt, Link Here 
936
		dnscrypt_shared_secret_cache_size)
942
		dnscrypt_shared_secret_cache_size)
937
	else O_DEC(opt, "dnscrypt-shared-secret-cache-slabs",
943
	else O_DEC(opt, "dnscrypt-shared-secret-cache-slabs",
938
		dnscrypt_shared_secret_cache_slabs)
944
		dnscrypt_shared_secret_cache_slabs)
945
	else O_MEM(opt, "dnscrypt-nonce-cache-size",
946
		dnscrypt_nonce_cache_size)
947
	else O_DEC(opt, "dnscrypt-nonce-cache-slabs",
948
		dnscrypt_nonce_cache_slabs)
939
#endif
949
#endif
940
	else O_YNO(opt, "unblock-lan-zones", unblock_lan_zones)
950
	else O_YNO(opt, "unblock-lan-zones", unblock_lan_zones)
941
	else O_YNO(opt, "insecure-lan-zones", insecure_lan_zones)
951
	else O_YNO(opt, "insecure-lan-zones", insecure_lan_zones)
(-)b/util/config_file.h (-1 / +4 lines)
 Lines 468-474   struct config_file { Link Here 
468
	size_t dnscrypt_shared_secret_cache_size;
468
	size_t dnscrypt_shared_secret_cache_size;
469
	/** number of slabs for dnscrypt shared secrets cache */
469
	/** number of slabs for dnscrypt shared secrets cache */
470
	size_t dnscrypt_shared_secret_cache_slabs;
470
	size_t dnscrypt_shared_secret_cache_slabs;
471
471
	/** memory size in bytes for dnscrypt nonces cache */
472
	size_t dnscrypt_nonce_cache_size;
473
	/** number of slabs for dnscrypt nonces cache */
474
	size_t dnscrypt_nonce_cache_slabs;
472
	/** IPsec module */
475
	/** IPsec module */
473
#ifdef USE_IPSECMOD
476
#ifdef USE_IPSECMOD
474
	/** false to bypass the IPsec module */
477
	/** false to bypass the IPsec module */
(-)b/util/configlexer.lex (+2 lines)
 Lines 421-426   dnscrypt-shared-secret-cache-size{COLON} { Link Here 
421
		YDVAR(1, VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE) }
421
		YDVAR(1, VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE) }
422
dnscrypt-shared-secret-cache-slabs{COLON}	{
422
dnscrypt-shared-secret-cache-slabs{COLON}	{
423
		YDVAR(1, VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS) }
423
		YDVAR(1, VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS) }
424
dnscrypt-nonce-cache-size{COLON}	{ YDVAR(1, VAR_DNSCRYPT_NONCE_CACHE_SIZE) }
425
dnscrypt-nonce-cache-slabs{COLON}	{ YDVAR(1, VAR_DNSCRYPT_NONCE_CACHE_SLABS) }
424
ipsecmod-enabled{COLON}		{ YDVAR(1, VAR_IPSECMOD_ENABLED) }
426
ipsecmod-enabled{COLON}		{ YDVAR(1, VAR_IPSECMOD_ENABLED) }
425
ipsecmod-ignore-bogus{COLON}	{ YDVAR(1, VAR_IPSECMOD_IGNORE_BOGUS) }
427
ipsecmod-ignore-bogus{COLON}	{ YDVAR(1, VAR_IPSECMOD_IGNORE_BOGUS) }
426
ipsecmod-hook{COLON}		{ YDVAR(1, VAR_IPSECMOD_HOOK) }
428
ipsecmod-hook{COLON}		{ YDVAR(1, VAR_IPSECMOD_HOOK) }
(-)b/util/configparser.y (-3 / +26 lines)
 Lines 146-151   extern struct config_parser_state* cfg_parser; Link Here 
146
%token VAR_DNSCRYPT_SECRET_KEY VAR_DNSCRYPT_PROVIDER_CERT
146
%token VAR_DNSCRYPT_SECRET_KEY VAR_DNSCRYPT_PROVIDER_CERT
147
%token VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE
147
%token VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE
148
%token VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS
148
%token VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS
149
%token VAR_DNSCRYPT_NONCE_CACHE_SIZE
150
%token VAR_DNSCRYPT_NONCE_CACHE_SLABS
149
%token VAR_IPSECMOD_ENABLED VAR_IPSECMOD_HOOK VAR_IPSECMOD_IGNORE_BOGUS
151
%token VAR_IPSECMOD_ENABLED VAR_IPSECMOD_HOOK VAR_IPSECMOD_IGNORE_BOGUS
150
%token VAR_IPSECMOD_MAX_TTL VAR_IPSECMOD_WHITELIST VAR_IPSECMOD_STRICT
152
%token VAR_IPSECMOD_MAX_TTL VAR_IPSECMOD_WHITELIST VAR_IPSECMOD_STRICT
151
%token VAR_CACHEDB VAR_CACHEDB_BACKEND VAR_CACHEDB_SECRETSEED
153
%token VAR_CACHEDB VAR_CACHEDB_BACKEND VAR_CACHEDB_SECRETSEED
 Lines 2327-2333   content_dnsc: Link Here 
2327
	dnsc_dnscrypt_enable | dnsc_dnscrypt_port | dnsc_dnscrypt_provider |
2329
	dnsc_dnscrypt_enable | dnsc_dnscrypt_port | dnsc_dnscrypt_provider |
2328
	dnsc_dnscrypt_secret_key | dnsc_dnscrypt_provider_cert |
2330
	dnsc_dnscrypt_secret_key | dnsc_dnscrypt_provider_cert |
2329
	dnsc_dnscrypt_shared_secret_cache_size |
2331
	dnsc_dnscrypt_shared_secret_cache_size |
2330
    dnsc_dnscrypt_shared_secret_cache_slabs
2332
	dnsc_dnscrypt_shared_secret_cache_slabs |
2333
	dnsc_dnscrypt_nonce_cache_size |
2334
	dnsc_dnscrypt_nonce_cache_slabs
2331
	;
2335
	;
2332
dnsc_dnscrypt_enable: VAR_DNSCRYPT_ENABLE STRING_ARG
2336
dnsc_dnscrypt_enable: VAR_DNSCRYPT_ENABLE STRING_ARG
2333
	{
2337
	{
 Lines 2391-2396   dnsc_dnscrypt_shared_secret_cache_slabs: VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS Link Here 
2391
  	free($2);
2395
  	free($2);
2392
  }
2396
  }
2393
  ;
2397
  ;
2398
dnsc_dnscrypt_nonce_cache_size: VAR_DNSCRYPT_NONCE_CACHE_SIZE STRING_ARG
2399
  {
2400
  	OUTYY(("P(dnscrypt_nonce_cache_size:%s)\n", $2));
2401
  	if(!cfg_parse_memsize($2, &cfg_parser->cfg->dnscrypt_nonce_cache_size))
2402
  		yyerror("memory size expected");
2403
  	free($2);
2404
  }
2405
  ;
2406
dnsc_dnscrypt_nonce_cache_slabs: VAR_DNSCRYPT_NONCE_CACHE_SLABS STRING_ARG
2407
  {
2408
  	OUTYY(("P(dnscrypt_nonce_cache_slabs:%s)\n", $2));
2409
  	if(atoi($2) == 0)
2410
  		yyerror("number expected");
2411
  	else {
2412
  		cfg_parser->cfg->dnscrypt_nonce_cache_slabs = atoi($2);
2413
  		if(!is_pow2(cfg_parser->cfg->dnscrypt_nonce_cache_slabs))
2414
  			yyerror("must be a power of 2");
2415
  	}
2416
  	free($2);
2417
  }
2418
  ;
2394
cachedbstart: VAR_CACHEDB
2419
cachedbstart: VAR_CACHEDB
2395
	{
2420
	{
2396
		OUTYY(("\nP(cachedb:)\n"));
2421
		OUTYY(("\nP(cachedb:)\n"));
2397
- 
2398
--
2399
daemon/remote.c            | 7 +++++++
2422
daemon/remote.c            | 7 +++++++
2400
daemon/stats.c             | 4 ++++
2423
daemon/stats.c             | 4 ++++
2401
libunbound/unbound.h       | 3 +++
2424
libunbound/unbound.h       | 3 +++
2402
smallapp/unbound-control.c | 3 +++
2425
smallapp/unbound-control.c | 3 +++
2403
util/shm_side/shm_main.c   | 2 ++
2426
util/shm_side/shm_main.c   | 2 ++
2404
5 files changed, 19 insertions(+)
2427
5 files changed, 19 insertions(+)
(-)b/daemon/remote.c (+7 lines)
 Lines 827-832   print_mem(SSL* ssl, struct worker* worker, struct daemon* daemon) Link Here 
827
#endif /* USE_IPSECMOD */
827
#endif /* USE_IPSECMOD */
828
#ifdef USE_DNSCRYPT
828
#ifdef USE_DNSCRYPT
829
	size_t dnscrypt_shared_secret = 0;
829
	size_t dnscrypt_shared_secret = 0;
830
	size_t dnscrypt_nonce = 0;
830
#endif /* USE_DNSCRYPT */
831
#endif /* USE_DNSCRYPT */
831
	msg = slabhash_get_mem(daemon->env->msg_cache);
832
	msg = slabhash_get_mem(daemon->env->msg_cache);
832
	rrset = slabhash_get_mem(&daemon->env->rrset_cache->table);
833
	rrset = slabhash_get_mem(&daemon->env->rrset_cache->table);
 Lines 843-848   print_mem(SSL* ssl, struct worker* worker, struct daemon* daemon) Link Here 
843
	if(daemon->dnscenv) {
844
	if(daemon->dnscenv) {
844
		dnscrypt_shared_secret = slabhash_get_mem(
845
		dnscrypt_shared_secret = slabhash_get_mem(
845
			daemon->dnscenv->shared_secrets_cache);
846
			daemon->dnscenv->shared_secrets_cache);
847
		dnscrypt_nonce = slabhash_get_mem(daemon->dnscenv->nonces_cache);
846
	}
848
	}
847
#endif /* USE_DNSCRYPT */
849
#endif /* USE_DNSCRYPT */
848
850
 Lines 868-873   print_mem(SSL* ssl, struct worker* worker, struct daemon* daemon) Link Here 
868
	if(!print_longnum(ssl, "mem.cache.dnscrypt_shared_secret"SQ,
870
	if(!print_longnum(ssl, "mem.cache.dnscrypt_shared_secret"SQ,
869
			dnscrypt_shared_secret))
871
			dnscrypt_shared_secret))
870
		return 0;
872
		return 0;
873
	if(!print_longnum(ssl, "mem.cache.dnscrypt_nonce"SQ,
874
			dnscrypt_nonce))
875
		return 0;
871
#endif /* USE_DNSCRYPT */
876
#endif /* USE_DNSCRYPT */
872
	return 1;
877
	return 1;
873
}
878
}
 Lines 1058-1063   print_ext(SSL* ssl, struct ub_stats_info* s) Link Here 
1058
#ifdef USE_DNSCRYPT
1063
#ifdef USE_DNSCRYPT
1059
	if(!ssl_printf(ssl, "dnscrypt_shared_secret.cache.count"SQ"%u\n",
1064
	if(!ssl_printf(ssl, "dnscrypt_shared_secret.cache.count"SQ"%u\n",
1060
		(unsigned)s->svr.shared_secret_cache_count)) return 0;
1065
		(unsigned)s->svr.shared_secret_cache_count)) return 0;
1066
	if(!ssl_printf(ssl, "dnscrypt_nonce.cache.count"SQ"%u\n",
1067
		(unsigned)s->svr.nonce_cache_count)) return 0;
1061
	if(!ssl_printf(ssl, "num.query.dnscrypt.shared_secret.cachemiss"SQ"%lu\n",
1068
	if(!ssl_printf(ssl, "num.query.dnscrypt.shared_secret.cachemiss"SQ"%lu\n",
1062
		(unsigned long)s->svr.num_query_dnscrypt_secret_missed_cache)) return 0;
1069
		(unsigned long)s->svr.num_query_dnscrypt_secret_missed_cache)) return 0;
1063
#endif /* USE_DNSCRYPT */
1070
#endif /* USE_DNSCRYPT */
(-)b/daemon/stats.c (+4 lines)
 Lines 225-237   server_stats_compile(struct worker* worker, struct ub_stats_info* s, int reset) Link Here 
225
			(long long)get_dnscrypt_cache_miss(worker, reset);
225
			(long long)get_dnscrypt_cache_miss(worker, reset);
226
		s->svr.shared_secret_cache_count = (long long)count_slabhash_entries(
226
		s->svr.shared_secret_cache_count = (long long)count_slabhash_entries(
227
			worker->daemon->dnscenv->shared_secrets_cache);
227
			worker->daemon->dnscenv->shared_secrets_cache);
228
		s->svr.nonce_cache_count = (long long)count_slabhash_entries(
229
			worker->daemon->dnscenv->nonces_cache);
228
	} else {
230
	} else {
229
		s->svr.num_query_dnscrypt_secret_missed_cache = 0;
231
		s->svr.num_query_dnscrypt_secret_missed_cache = 0;
230
		s->svr.shared_secret_cache_count = 0;
232
		s->svr.shared_secret_cache_count = 0;
233
		s->svr.nonce_cache_count = 0;
231
	}
234
	}
232
#else
235
#else
233
	s->svr.num_query_dnscrypt_secret_missed_cache = 0;
236
	s->svr.num_query_dnscrypt_secret_missed_cache = 0;
234
	s->svr.shared_secret_cache_count = 0;
237
	s->svr.shared_secret_cache_count = 0;
238
	s->svr.nonce_cache_count = 0;
235
#endif /* USE_DNSCRYPT */
239
#endif /* USE_DNSCRYPT */
236
240
237
	/* get tcp accept usage */
241
	/* get tcp accept usage */
(-)b/libunbound/unbound.h (+3 lines)
 Lines 623-628   struct ub_shm_stat_info { Link Here 
623
		long long ipsecmod;
623
		long long ipsecmod;
624
		long long respip;
624
		long long respip;
625
		long long dnscrypt_shared_secret;
625
		long long dnscrypt_shared_secret;
626
		long long dnscrypt_nonce;
626
	} mem;
627
	} mem;
627
};
628
};
628
629
 Lines 742-747   struct ub_server_stats { Link Here 
742
	long long num_query_dnscrypt_secret_missed_cache;
743
	long long num_query_dnscrypt_secret_missed_cache;
743
	/** number of dnscrypt shared secret cache entries */
744
	/** number of dnscrypt shared secret cache entries */
744
	long long shared_secret_cache_count;
745
	long long shared_secret_cache_count;
746
	/** number of dnscrypt nonces cache entries */
747
	long long nonce_cache_count;
745
};
748
};
746
749
747
/** 
750
/** 
(-)b/smallapp/unbound-control.c (+3 lines)
 Lines 254-259   static void print_mem(struct ub_shm_stat_info* shm_stat) Link Here 
254
#ifdef USE_DNSCRYPT
254
#ifdef USE_DNSCRYPT
255
	PR_LL("mem.cache.dnscrypt_shared_secret",
255
	PR_LL("mem.cache.dnscrypt_shared_secret",
256
		shm_stat->mem.dnscrypt_shared_secret);
256
		shm_stat->mem.dnscrypt_shared_secret);
257
	PR_LL("mem.cache.dnscrypt_nonce",
258
		shm_stat->mem.dnscrypt_nonce);
257
#endif
259
#endif
258
}
260
}
259
261
 Lines 360-365   static void print_extended(struct ub_stats_info* s) Link Here 
360
			 s->svr.shared_secret_cache_count);
362
			 s->svr.shared_secret_cache_count);
361
	PR_UL("num.query.dnscrypt.shared_secret.cachemiss",
363
	PR_UL("num.query.dnscrypt.shared_secret.cachemiss",
362
			 s->svr.num_query_dnscrypt_secret_missed_cache);
364
			 s->svr.num_query_dnscrypt_secret_missed_cache);
365
	PR_UL("dnscrypt_nonce.cache.count", s->svr.nonce_cache_count);
363
#endif /* USE_DNSCRYPT */
366
#endif /* USE_DNSCRYPT */
364
}
367
}
365
368
(-)b/util/shm_side/shm_main.c (-2 / +2 lines)
 Lines 254-259   void shm_main_run(struct worker *worker) Link Here 
254
		if(worker->daemon->dnscenv) {
254
		if(worker->daemon->dnscenv) {
255
			shm_stat->mem.dnscrypt_shared_secret = (long long)slabhash_get_mem(
255
			shm_stat->mem.dnscrypt_shared_secret = (long long)slabhash_get_mem(
256
				worker->daemon->dnscenv->shared_secrets_cache);
256
				worker->daemon->dnscenv->shared_secrets_cache);
257
			shm_stat->mem.dnscrypt_nonce = (long long)slabhash_get_mem(
258
				worker->daemon->dnscenv->nonces_cache);
257
		}
259
		}
258
#endif
260
#endif
259
		shm_stat->mem.val = (long long)mod_get_mem(&worker->env,
261
		shm_stat->mem.val = (long long)mod_get_mem(&worker->env,
260
- 
261
--
262
daemon/remote.c            |  2 ++
262
daemon/remote.c            |  2 ++
263
daemon/stats.c             | 19 +++++++++++++++++++
263
daemon/stats.c             | 19 +++++++++++++++++++
264
dnscrypt/dnscrypt.c        |  5 ++++-
264
dnscrypt/dnscrypt.c        |  5 ++++-
265
dnscrypt/dnscrypt.h        |  5 +++++
265
dnscrypt/dnscrypt.h        |  5 +++++
266
libunbound/unbound.h       |  2 ++
266
libunbound/unbound.h       |  2 ++
267
smallapp/unbound-control.c |  2 ++
267
smallapp/unbound-control.c |  2 ++
268
6 files changed, 34 insertions(+), 1 deletion(-)
268
6 files changed, 34 insertions(+), 1 deletion(-)
(-)b/daemon/remote.c (+2 lines)
 Lines 1067-1072   print_ext(SSL* ssl, struct ub_stats_info* s) Link Here 
1067
		(unsigned)s->svr.nonce_cache_count)) return 0;
1067
		(unsigned)s->svr.nonce_cache_count)) return 0;
1068
	if(!ssl_printf(ssl, "num.query.dnscrypt.shared_secret.cachemiss"SQ"%lu\n",
1068
	if(!ssl_printf(ssl, "num.query.dnscrypt.shared_secret.cachemiss"SQ"%lu\n",
1069
		(unsigned long)s->svr.num_query_dnscrypt_secret_missed_cache)) return 0;
1069
		(unsigned long)s->svr.num_query_dnscrypt_secret_missed_cache)) return 0;
1070
	if(!ssl_printf(ssl, "num.query.dnscrypt.replay"SQ"%lu\n",
1071
		(unsigned long)s->svr.num_query_dnscrypt_replay)) return 0;
1070
#endif /* USE_DNSCRYPT */
1072
#endif /* USE_DNSCRYPT */
1071
	return 1;
1073
	return 1;
1072
}
1074
}
(-)b/daemon/stats.c (+19 lines)
 Lines 174-179   get_dnscrypt_cache_miss(struct worker* worker, int reset) Link Here 
174
	lock_basic_unlock(&de->shared_secrets_cache_lock);
174
	lock_basic_unlock(&de->shared_secrets_cache_lock);
175
	return r;
175
	return r;
176
}
176
}
177
178
/** get the number of replayed queries */
179
static size_t
180
get_dnscrypt_replay(struct worker* worker, int reset)
181
{
182
	size_t r;
183
	struct dnsc_env* de = worker->daemon->dnscenv;
184
185
	lock_basic_lock(&de->nonces_cache_lock);
186
	r = de->num_query_dnscrypt_replay;
187
	if(reset && !worker->env.cfg->stat_cumulative)
188
		de->num_query_dnscrypt_replay = 0;
189
	lock_basic_unlock(&de->nonces_cache_lock);
190
	return r;
191
}
177
#endif /* USE_DNSCRYPT */
192
#endif /* USE_DNSCRYPT */
178
193
179
void
194
void
 Lines 227-241   server_stats_compile(struct worker* worker, struct ub_stats_info* s, int reset) Link Here 
227
			worker->daemon->dnscenv->shared_secrets_cache);
242
			worker->daemon->dnscenv->shared_secrets_cache);
228
		s->svr.nonce_cache_count = (long long)count_slabhash_entries(
243
		s->svr.nonce_cache_count = (long long)count_slabhash_entries(
229
			worker->daemon->dnscenv->nonces_cache);
244
			worker->daemon->dnscenv->nonces_cache);
245
		s->svr.num_query_dnscrypt_replay =
246
			(long long)get_dnscrypt_replay(worker, reset);
230
	} else {
247
	} else {
231
		s->svr.num_query_dnscrypt_secret_missed_cache = 0;
248
		s->svr.num_query_dnscrypt_secret_missed_cache = 0;
232
		s->svr.shared_secret_cache_count = 0;
249
		s->svr.shared_secret_cache_count = 0;
233
		s->svr.nonce_cache_count = 0;
250
		s->svr.nonce_cache_count = 0;
251
		s->svr.num_query_dnscrypt_replay = 0;
234
	}
252
	}
235
#else
253
#else
236
	s->svr.num_query_dnscrypt_secret_missed_cache = 0;
254
	s->svr.num_query_dnscrypt_secret_missed_cache = 0;
237
	s->svr.shared_secret_cache_count = 0;
255
	s->svr.shared_secret_cache_count = 0;
238
	s->svr.nonce_cache_count = 0;
256
	s->svr.nonce_cache_count = 0;
257
	s->svr.num_query_dnscrypt_replay = 0;
239
#endif /* USE_DNSCRYPT */
258
#endif /* USE_DNSCRYPT */
240
259
241
	/* get tcp accept usage */
260
	/* get tcp accept usage */
(-)b/dnscrypt/dnscrypt.c (-1 / +4 lines)
 Lines 279-286   dnscrypt_server_uncurve(struct dnsc_env* env, Link Here 
279
279
280
    if(entry) {
280
    if(entry) {
281
        lock_rw_unlock(&entry->lock);
281
        lock_rw_unlock(&entry->lock);
282
        env->num_query_dnscrypt_replay++;
282
        lock_basic_unlock(&env->nonces_cache_lock);
283
        lock_basic_unlock(&env->nonces_cache_lock);
283
        verbose(VERB_OPS, "Found existing nonce");
284
        return -1;
284
        return -1;
285
    }
285
    }
286
286
 Lines 901-906   dnsc_create(void) Link Here 
901
	lock_protect(&env->nonces_cache_lock,
901
	lock_protect(&env->nonces_cache_lock,
902
                 &env->nonces_cache,
902
                 &env->nonces_cache,
903
                 sizeof(env->nonces_cache));
903
                 sizeof(env->nonces_cache));
904
	lock_protect(&env->nonces_cache_lock,
905
                 &env->num_query_dnscrypt_replay,
906
                 sizeof(env->num_query_dnscrypt_replay));
904
907
905
	return env;
908
	return env;
906
}
909
}
(-)b/dnscrypt/dnscrypt.h (+5 lines)
 Lines 63-77   struct dnsc_env { Link Here 
63
	uint64_t nonce_ts_last;
63
	uint64_t nonce_ts_last;
64
	unsigned char hash_key[crypto_shorthash_KEYBYTES];
64
	unsigned char hash_key[crypto_shorthash_KEYBYTES];
65
	char * provider_name;
65
	char * provider_name;
66
67
    /** Caches */
66
	struct slabhash *shared_secrets_cache;
68
	struct slabhash *shared_secrets_cache;
67
	/** lock on shared secret cache counters */
69
	/** lock on shared secret cache counters */
68
	lock_basic_type shared_secrets_cache_lock;
70
	lock_basic_type shared_secrets_cache_lock;
69
	/** number of misses from shared_secrets_cache */
71
	/** number of misses from shared_secrets_cache */
70
	size_t num_query_dnscrypt_secret_missed_cache;
72
	size_t num_query_dnscrypt_secret_missed_cache;
73
71
	/** slabhash keeping track of nonce/cient pk/server sk pairs. */
74
	/** slabhash keeping track of nonce/cient pk/server sk pairs. */
72
	struct slabhash *nonces_cache;
75
	struct slabhash *nonces_cache;
73
	/** lock on nonces_cache, used to avoid race condition in updating the hash */
76
	/** lock on nonces_cache, used to avoid race condition in updating the hash */
74
	lock_basic_type nonces_cache_lock;
77
	lock_basic_type nonces_cache_lock;
78
	/** number of replayed queries */
79
	size_t num_query_dnscrypt_replay;
75
};
80
};
76
81
77
struct dnscrypt_query_header {
82
struct dnscrypt_query_header {
(-)b/libunbound/unbound.h (+2 lines)
 Lines 743-748   struct ub_server_stats { Link Here 
743
	long long num_query_dnscrypt_secret_missed_cache;
743
	long long num_query_dnscrypt_secret_missed_cache;
744
	/** number of dnscrypt shared secret cache entries */
744
	/** number of dnscrypt shared secret cache entries */
745
	long long shared_secret_cache_count;
745
	long long shared_secret_cache_count;
746
	/** number of queries which are replays */
747
	long long num_query_dnscrypt_replay;
746
	/** number of dnscrypt nonces cache entries */
748
	/** number of dnscrypt nonces cache entries */
747
	long long nonce_cache_count;
749
	long long nonce_cache_count;
748
};
750
};
(-)b/smallapp/unbound-control.c (-2 / +2 lines)
 Lines 363-368   static void print_extended(struct ub_stats_info* s) Link Here 
363
	PR_UL("num.query.dnscrypt.shared_secret.cachemiss",
363
	PR_UL("num.query.dnscrypt.shared_secret.cachemiss",
364
			 s->svr.num_query_dnscrypt_secret_missed_cache);
364
			 s->svr.num_query_dnscrypt_secret_missed_cache);
365
	PR_UL("dnscrypt_nonce.cache.count", s->svr.nonce_cache_count);
365
	PR_UL("dnscrypt_nonce.cache.count", s->svr.nonce_cache_count);
366
	PR_UL("num.query.dnscrypt.replay",
367
			 s->svr.num_query_dnscrypt_replay);
366
#endif /* USE_DNSCRYPT */
368
#endif /* USE_DNSCRYPT */
367
}
369
}
368
370
369
- 
370
metrics
371
metrics
371
--
372
doc/unbound-control.8.in | 52 ++++++++++++++++++++++++++++++++++++++++++++++++
372
doc/unbound-control.8.in | 52 ++++++++++++++++++++++++++++++++++++++++++++++++
373
1 file changed, 52 insertions(+)
373
1 file changed, 52 insertions(+)
(-)b/doc/unbound-control.8.in (-1 / +52 lines)
 Lines 337-342   number of queries that were successfully answered using a cache lookup Link Here 
337
.I threadX.num.cachemiss
337
.I threadX.num.cachemiss
338
number of queries that needed recursive processing
338
number of queries that needed recursive processing
339
.TP
339
.TP
340
.I threadX.num.dnscrypt.crypted
341
number of queries that were encrypted and sucessfully decapsulated by dnscrypt.
342
.TP
343
.I threadX.num.dnscrypt.cert
344
number of queries that were requesting dnscrypt certificates.
345
.TP
346
.I threadX.num.dnscrypt.cleartext
347
number of queries received on dnscrypt port that were cleartext and not a
348
request for certificates.
349
.TP
350
.I threadX.num.dnscrypt.malformed
351
number of request that were neither cleartext, not valid dnscrypt messages.
352
.TP
340
.I threadX.num.prefetch
353
.I threadX.num.prefetch
341
number of cache prefetches performed.  This number is included in
354
number of cache prefetches performed.  This number is included in
342
cachehits, as the original query had the unprefetched answer from cache,
355
cachehits, as the original query had the unprefetched answer from cache,
 Lines 393-398   summed over threads. Link Here 
393
.I total.num.cachemiss
406
.I total.num.cachemiss
394
summed over threads.
407
summed over threads.
395
.TP
408
.TP
409
.I total.num.dnscrypt.crypted
410
summed over threads.
411
.TP
412
.I total.num.dnscrypt.cert
413
summed over threads.
414
.TP
415
.I total.num.dnscrypt.cleartext
416
summed over threads.
417
.TP
418
.I total.num.dnscrypt.malformed
419
summed over threads.
420
.TP
396
.I total.num.prefetch
421
.I total.num.prefetch
397
summed over threads.
422
summed over threads.
398
.TP
423
.TP
 Lines 439-444   Memory in bytes in use by the RRset cache. Link Here 
439
.I mem.cache.message
464
.I mem.cache.message
440
Memory in bytes in use by the message cache.
465
Memory in bytes in use by the message cache.
441
.TP
466
.TP
467
.I mem.cache.dnscrypt_shared_secret
468
Memory in bytes in use by the dnscrypt shared secrets cache.
469
.TP
470
.I mem.cache.dnscrypt_nonce
471
Memory in bytes in use by the dnscrypt nonce cache.
472
.TP
442
.I mem.mod.iterator
473
.I mem.mod.iterator
443
Memory in bytes in use by the iterator module.
474
Memory in bytes in use by the iterator module.
444
.TP
475
.TP
 Lines 497-502   These queries are also included in the num.query.edns.present number. Link Here 
497
The number of queries that are turned away from being send to nameserver due to
528
The number of queries that are turned away from being send to nameserver due to
498
ratelimiting.
529
ratelimiting.
499
.TP
530
.TP
531
.I num.query.dnscrypt.shared_secret.cachemiss
532
The number of dnscrypt queries that did not find a shared secret in the cache.
533
The can be use to compute the shared secret hitrate.
534
.TP
535
.I num.query.dnscrypt.replay
536
The number of dnscrypt queries that found a nonce hit in the nonce cache and
537
hence are considered a query replay.
538
.TP
500
.I num.answer.rcode.NXDOMAIN
539
.I num.answer.rcode.NXDOMAIN
501
The number of answers to queries, from cache or from recursion, that had the
540
The number of answers to queries, from cache or from recursion, that had the
502
return code NXDOMAIN. Also printed for the other return codes.
541
return code NXDOMAIN. Also printed for the other return codes.
 Lines 546-551   timing and protocol support information. Link Here 
546
.I key.cache.count
585
.I key.cache.count
547
The number of items in the key cache.  These are DNSSEC keys, one item
586
The number of items in the key cache.  These are DNSSEC keys, one item
548
per delegation point, and their validation status.
587
per delegation point, and their validation status.
588
.TP
589
.I dnscrypt_shared_secret.cache.count
590
The number of items in the shared secret cache. These are precomputed shared
591
secrets for a given client public key/server secret key pair. Shared secrets
592
are CPU intensive and this cache allow to avoid recomputing the shared secret
593
when multiple dnscrypt queries are sent from the same client.
594
.TP
595
.I dnscrypt_nonce.cache.count
596
The number of items in the client nonce cache. This cache is used to prevent
597
dnscrypt queries replay. The client nonce must be unique for each client public
598
key/server secret key pair. This cache should be able to host QPS * `replay
599
window` interval keys to prevent replay of a query during `replay window`
600
seconds.
549
.SH "FILES"
601
.SH "FILES"
550
.TP
602
.TP
551
.I @ub_conf_file@
603
.I @ub_conf_file@
552
- 

Return to bug 1440