1/*
2 * unbound.h - unbound validating resolver public API
3 *
4 * Copyright (c) 2007, NLnet Labs. All rights reserved.
5 *
6 * This software is open source.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * Redistributions of source code must retain the above copyright notice,
13 * this list of conditions and the following disclaimer.
14 *
15 * Redistributions in binary form must reproduce the above copyright notice,
16 * this list of conditions and the following disclaimer in the documentation
17 * and/or other materials provided with the distribution.
18 *
19 * Neither the name of the NLNET LABS nor the names of its contributors may
20 * be used to endorse or promote products derived from this software without
21 * specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
34 */
35
36/**
37 * \file
38 *
39 * This file contains functions to resolve DNS queries and
40 * validate the answers. Synchronously and asynchronously.
41 *
42 * Several ways to use this interface from an application wishing
43 * to perform (validated) DNS lookups.
44 *
45 * All start with
46 *	ctx = ub_ctx_create();
47 *	err = ub_ctx_add_ta(ctx, "...");
48 *	err = ub_ctx_add_ta(ctx, "...");
49 *	... some lookups
50 *	... call ub_ctx_delete(ctx); when you want to stop.
51 *
52 * Application not threaded. Blocking.
53 *	int err = ub_resolve(ctx, "www.example.com", ...
54 *	if(err) fprintf(stderr, "lookup error: %s\n", ub_strerror(err));
55 *	... use the answer
56 *
57 * Application not threaded. Non-blocking ('asynchronous').
58 *      err = ub_resolve_async(ctx, "www.example.com", ... my_callback);
59 *	... application resumes processing ...
60 *	... and when either ub_poll(ctx) is true
61 *	... or when the file descriptor ub_fd(ctx) is readable,
62 *	... or whenever, the app calls ...
63 *	ub_process(ctx);
64 *	... if no result is ready, the app resumes processing above,
65 *	... or process() calls my_callback() with results.
66 *
67 *      ... if the application has nothing more to do, wait for answer
68 *      ub_wait(ctx);
69 *
70 * Application threaded. Blocking.
71 *	Blocking, same as above. The current thread does the work.
72 *	Multiple threads can use the *same context*, each does work and uses
73 *	shared cache data from the context.
74 *
75 * Application threaded. Non-blocking ('asynchronous').
76 *	... setup threaded-asynchronous config option
77 *	err = ub_ctx_async(ctx, 1);
78 *	... same as async for non-threaded
79 *	... the callbacks are called in the thread that calls process(ctx)
80 *
81 * Openssl needs to have locking in place, and the application must set
82 * it up, because a mere library cannot do this, use the calls
83 * CRYPTO_set_id_callback and CRYPTO_set_locking_callback.
84 *
85 * If no threading is compiled in, the above async example uses fork(2) to
86 * create a process to perform the work. The forked process exits when the
87 * calling process exits, or ctx_delete() is called.
88 * Otherwise, for asynchronous with threading, a worker thread is created.
89 *
90 * The blocking calls use shared ctx-cache when threaded. Thus
91 * ub_resolve() and ub_resolve_async() && ub_wait() are
92 * not the same. The first makes the current thread do the work, setting
93 * up buffers, etc, to perform the work (but using shared cache data).
94 * The second calls another worker thread (or process) to perform the work.
95 * And no buffers need to be set up, but a context-switch happens.
96 */
97#ifndef _UB_UNBOUND_H
98#define _UB_UNBOUND_H
99
100#ifdef __cplusplus
101extern "C" {
102#endif
103
104/** the version of this header file */
105#define UNBOUND_VERSION_MAJOR @UNBOUND_VERSION_MAJOR@
106#define UNBOUND_VERSION_MINOR @UNBOUND_VERSION_MINOR@
107#define UNBOUND_VERSION_MICRO @UNBOUND_VERSION_MICRO@
108
109/**
110 * The validation context is created to hold the resolver status,
111 * validation keys and a small cache (containing messages, rrsets,
112 * roundtrip times, trusted keys, lameness information).
113 *
114 * Its contents are internally defined.
115 */
116struct ub_ctx;
117
118/**
119 * The validation and resolution results.
120 * Allocated by the resolver, and need to be freed by the application
121 * with ub_resolve_free().
122 */
123struct ub_result {
124	/** The original question, name text string. */
125	char* qname;
126	/** the type asked for */
127	int qtype;
128	/** the class asked for */
129	int qclass;
130
131	/**
132	 * a list of network order DNS rdata items, terminated with a
133	 * NULL pointer, so that data[0] is the first result entry,
134	 * data[1] the second, and the last entry is NULL.
135	 * If there was no data, data[0] is NULL.
136	 */
137	char** data;
138
139	/** the length in bytes of the data items, len[i] for data[i] */
140	int* len;
141
142	/**
143	 * canonical name for the result (the final cname).
144	 * zero terminated string.
145	 * May be NULL if no canonical name exists.
146	 */
147	char* canonname;
148
149	/**
150	 * DNS RCODE for the result. May contain additional error code if
151	 * there was no data due to an error. 0 (NOERROR) if okay.
152	 */
153	int rcode;
154
155	/**
156	 * The DNS answer packet. Network formatted. Can contain DNSSEC types.
157	 */
158	void* answer_packet;
159	/** length of the answer packet in octets. */
160	int answer_len;
161
162	/**
163	 * If there is any data, this is true.
164	 * If false, there was no data (nxdomain may be true, rcode can be set).
165	 */
166	int havedata;
167
168	/**
169	 * If there was no data, and the domain did not exist, this is true.
170	 * If it is false, and there was no data, then the domain name
171	 * is purported to exist, but the requested data type is not available.
172	 */
173	int nxdomain;
174
175	/**
176	 * True, if the result is validated securely.
177	 * False, if validation failed or domain queried has no security info.
178	 *
179	 * It is possible to get a result with no data (havedata is false),
180	 * and secure is true. This means that the non-existence of the data
181	 * was cryptographically proven (with signatures).
182	 */
183	int secure;
184
185	/**
186	 * If the result was not secure (secure==0), and this result is due
187	 * to a security failure, bogus is true.
188	 * This means the data has been actively tampered with, signatures
189	 * failed, expected signatures were not present, timestamps on
190	 * signatures were out of date and so on.
191	 *
192	 * If !secure and !bogus, this can happen if the data is not secure
193	 * because security is disabled for that domain name.
194	 * This means the data is from a domain where data is not signed.
195	 */
196	int bogus;
197
198	/**
199	 * If the result is bogus this contains a string (zero terminated)
200	 * that describes the failure.  There may be other errors as well
201	 * as the one described, the description may not be perfectly accurate.
202	 * Is NULL if the result is not bogus.
203	 */
204	char* why_bogus;
205
206	/**
207	 * If the query or one of its subqueries was ratelimited.  Useful if
208	 * ratelimiting is enabled and answer to the client is SERVFAIL as a
209	 * result.
210	 */
211	int was_ratelimited;
212
213	/**
214	 * TTL for the result, in seconds.  If the security is bogus, then
215	 * you also cannot trust this value.
216	 */
217	int ttl;
218};
219
220/**
221 * Callback for results of async queries.
222 * The readable function definition looks like:
223 * void my_callback(void* my_arg, int err, struct ub_result* result);
224 * It is called with
225 *	void* my_arg: your pointer to a (struct of) data of your choice,
226 *		or NULL.
227 *	int err: if 0 all is OK, otherwise an error occured and no results
228 *	     are forthcoming.
229 *	struct result: pointer to more detailed result structure.
230 *		This structure is allocated on the heap and needs to be
231 *		freed with ub_resolve_free(result);
232 */
233typedef void (*ub_callback_type)(void*, int, struct ub_result*);
234
235/**
236 * Create a resolving and validation context.
237 * The information from /etc/resolv.conf and /etc/hosts is not utilised by
238 * default. Use ub_ctx_resolvconf and ub_ctx_hosts to read them.
239 * @return a new context. default initialisation.
240 * 	returns NULL on error.
241 */
242struct ub_ctx* ub_ctx_create(void);
243
244/**
245 * Destroy a validation context and free all its resources.
246 * Outstanding async queries are killed and callbacks are not called for them.
247 * @param ctx: context to delete.
248 */
249void ub_ctx_delete(struct ub_ctx* ctx);
250
251/**
252 * Set an option for the context.
253 * @param ctx: context.
254 * @param opt: option name from the unbound.conf config file format.
255 *	(not all settings applicable). The name includes the trailing ':'
256 *	for example ub_ctx_set_option(ctx, "logfile:", "mylog.txt");
257 * 	This is a power-users interface that lets you specify all sorts
258 * 	of options.
259 * 	For some specific options, such as adding trust anchors, special
260 * 	routines exist.
261 * @param val: value of the option.
262 * @return: 0 if OK, else error.
263 */
264int ub_ctx_set_option(struct ub_ctx* ctx, const char* opt, const char* val);
265
266/**
267 * Get an option from the context.
268 * @param ctx: context.
269 * @param opt: option name from the unbound.conf config file format.
270 *	(not all settings applicable). The name excludes the trailing ':'
271 *	for example ub_ctx_get_option(ctx, "logfile", &result);
272 * 	This is a power-users interface that lets you specify all sorts
273 * 	of options.
274 * @param str: the string is malloced and returned here. NULL on error.
275 * 	The caller must free() the string.  In cases with multiple
276 * 	entries (auto-trust-anchor-file), a newline delimited list is
277 * 	returned in the string.
278 * @return 0 if OK else an error code (malloc failure, syntax error).
279 */
280int ub_ctx_get_option(struct ub_ctx* ctx, const char* opt, char** str);
281
282/**
283 * setup configuration for the given context.
284 * @param ctx: context.
285 * @param fname: unbound config file (not all settings applicable).
286 * 	This is a power-users interface that lets you specify all sorts
287 * 	of options.
288 * 	For some specific options, such as adding trust anchors, special
289 * 	routines exist.
290 * @return: 0 if OK, else error.
291 */
292int ub_ctx_config(struct ub_ctx* ctx, const char* fname);
293
294/**
295 * Set machine to forward DNS queries to, the caching resolver to use.
296 * IP4 or IP6 address. Forwards all DNS requests to that machine, which
297 * is expected to run a recursive resolver. If the proxy is not
298 * DNSSEC-capable, validation may fail. Can be called several times, in
299 * that case the addresses are used as backup servers.
300 *
301 * To read the list of nameservers from /etc/resolv.conf (from DHCP or so),
302 * use the call ub_ctx_resolvconf.
303 *
304 * @param ctx: context.
305 *	At this time it is only possible to set configuration before the
306 *	first resolve is done.
307 * @param addr: address, IP4 or IP6 in string format.
308 * 	If the addr is NULL, forwarding is disabled.
309 * @return 0 if OK, else error.
310 */
311int ub_ctx_set_fwd(struct ub_ctx* ctx, const char* addr);
312
313/**
314 * Use DNS over TLS to send queries to machines set with ub_ctx_set_fwd().
315 *
316 * @param ctx: context.
317 *	At this time it is only possible to set configuration before the
318 *	first resolve is done.
319 * @param tls: enable or disable DNS over TLS
320 * @return 0 if OK, else error.
321 */
322int ub_ctx_set_tls(struct ub_ctx* ctx, int tls);
323
324/**
325 * Add a stub zone, with given address to send to.  This is for custom
326 * root hints or pointing to a local authoritative dns server.
327 * For dns resolvers and the 'DHCP DNS' ip address, use ub_ctx_set_fwd.
328 * This is similar to a stub-zone entry in unbound.conf.
329 *
330 * @param ctx: context.
331 *	It is only possible to set configuration before the
332 *	first resolve is done.
333 * @param zone: name of the zone, string.
334 * @param addr: address, IP4 or IP6 in string format.
335 * 	The addr is added to the list of stub-addresses if the entry exists.
336 * 	If the addr is NULL the stub entry is removed.
337 * @param isprime: set to true to set stub-prime to yes for the stub.
338 * 	For local authoritative servers, people usually set it to false,
339 * 	For root hints it should be set to true.
340 * @return 0 if OK, else error.
341 */
342int ub_ctx_set_stub(struct ub_ctx* ctx, const char* zone, const char* addr,
343	int isprime);
344
345/**
346 * Read list of nameservers to use from the filename given.
347 * Usually "/etc/resolv.conf". Uses those nameservers as caching proxies.
348 * If they do not support DNSSEC, validation may fail.
349 *
350 * Only nameservers are picked up, the searchdomain, ndots and other
351 * settings from resolv.conf(5) are ignored.
352 *
353 * @param ctx: context.
354 *	At this time it is only possible to set configuration before the
355 *	first resolve is done.
356 * @param fname: file name string. If NULL "/etc/resolv.conf" is used.
357 * @return 0 if OK, else error.
358 */
359int ub_ctx_resolvconf(struct ub_ctx* ctx, const char* fname);
360
361/**
362 * Read list of hosts from the filename given.
363 * Usually "/etc/hosts".
364 * These addresses are not flagged as DNSSEC secure when queried for.
365 *
366 * @param ctx: context.
367 *	At this time it is only possible to set configuration before the
368 *	first resolve is done.
369 * @param fname: file name string. If NULL "/etc/hosts" is used.
370 * @return 0 if OK, else error.
371 */
372int ub_ctx_hosts(struct ub_ctx* ctx, const char* fname);
373
374/**
375 * Add a trust anchor to the given context.
376 * The trust anchor is a string, on one line, that holds a valid DNSKEY or
377 * DS RR.
378 * @param ctx: context.
379 *	At this time it is only possible to add trusted keys before the
380 *	first resolve is done.
381 * @param ta: string, with zone-format RR on one line.
382 * 	[domainname] [TTL optional] [type] [class optional] [rdata contents]
383 * @return 0 if OK, else error.
384 */
385int ub_ctx_add_ta(struct ub_ctx* ctx, const char* ta);
386
387/**
388 * Add trust anchors to the given context.
389 * Pass name of a file with DS and DNSKEY records (like from dig or drill).
390 * @param ctx: context.
391 *	At this time it is only possible to add trusted keys before the
392 *	first resolve is done.
393 * @param fname: filename of file with keyfile with trust anchors.
394 * @return 0 if OK, else error.
395 */
396int ub_ctx_add_ta_file(struct ub_ctx* ctx, const char* fname);
397
398/**
399 * Add trust anchor to the given context that is tracked with RFC5011
400 * automated trust anchor maintenance.  The file is written to when the
401 * trust anchor is changed.
402 * Pass the name of a file that was output from eg. unbound-anchor,
403 * or you can start it by providing a trusted DNSKEY or DS record on one
404 * line in the file.
405 * @param ctx: context.
406 *	At this time it is only possible to add trusted keys before the
407 *	first resolve is done.
408 * @param fname: filename of file with trust anchor.
409 * @return 0 if OK, else error.
410 */
411int ub_ctx_add_ta_autr(struct ub_ctx* ctx, const char* fname);
412
413/**
414 * Add trust anchors to the given context.
415 * Pass the name of a bind-style config file with trusted-keys{}.
416 * @param ctx: context.
417 *	At this time it is only possible to add trusted keys before the
418 *	first resolve is done.
419 * @param fname: filename of file with bind-style config entries with trust
420 * 	anchors.
421 * @return 0 if OK, else error.
422 */
423int ub_ctx_trustedkeys(struct ub_ctx* ctx, const char* fname);
424
425/**
426 * Set debug output (and error output) to the specified stream.
427 * Pass NULL to disable. Default is stderr.
428 * @param ctx: context.
429 * @param out: FILE* out file stream to log to.
430 * 	Type void* to avoid stdio dependency of this header file.
431 * @return 0 if OK, else error.
432 */
433int ub_ctx_debugout(struct ub_ctx* ctx, void* out);
434
435/**
436 * Set debug verbosity for the context
437 * Output is directed to stderr.
438 * @param ctx: context.
439 * @param d: debug level, 0 is off, 1 is very minimal, 2 is detailed,
440 *	and 3 is lots.
441 * @return 0 if OK, else error.
442 */
443int ub_ctx_debuglevel(struct ub_ctx* ctx, int d);
444
445/**
446 * Set a context behaviour for asynchronous action.
447 * @param ctx: context.
448 * @param dothread: if true, enables threading and a call to resolve_async()
449 *	creates a thread to handle work in the background.
450 *	If false, a process is forked to handle work in the background.
451 *	Changes to this setting after async() calls have been made have
452 *	no effect (delete and re-create the context to change).
453 * @return 0 if OK, else error.
454 */
455int ub_ctx_async(struct ub_ctx* ctx, int dothread);
456
457/**
458 * Poll a context to see if it has any new results
459 * Do not poll in a loop, instead extract the fd below to poll for readiness,
460 * and then check, or wait using the wait routine.
461 * @param ctx: context.
462 * @return: 0 if nothing to read, or nonzero if a result is available.
463 * 	If nonzero, call ctx_process() to do callbacks.
464 */
465int ub_poll(struct ub_ctx* ctx);
466
467/**
468 * Wait for a context to finish with results. Calls ub_process() after
469 * the wait for you. After the wait, there are no more outstanding
470 * asynchronous queries.
471 * @param ctx: context.
472 * @return: 0 if OK, else error.
473 */
474int ub_wait(struct ub_ctx* ctx);
475
476/**
477 * Get file descriptor. Wait for it to become readable, at this point
478 * answers are returned from the asynchronous validating resolver.
479 * Then call the ub_process to continue processing.
480 * This routine works immediately after context creation, the fd
481 * does not change.
482 * @param ctx: context.
483 * @return: -1 on error, or file descriptor to use select(2) with.
484 */
485int ub_fd(struct ub_ctx* ctx);
486
487/**
488 * Call this routine to continue processing results from the validating
489 * resolver (when the fd becomes readable).
490 * Will perform necessary callbacks.
491 * @param ctx: context
492 * @return: 0 if OK, else error.
493 */
494int ub_process(struct ub_ctx* ctx);
495
496/**
497 * Perform resolution and validation of the target name.
498 * @param ctx: context.
499 *	The context is finalized, and can no longer accept config changes.
500 * @param name: domain name in text format (a zero terminated text string).
501 * @param rrtype: type of RR in host order, 1 is A (address).
502 * @param rrclass: class of RR in host order, 1 is IN (for internet).
503 * @param result: the result data is returned in a newly allocated result
504 * 	structure. May be NULL on return, return value is set to an error
505 * 	in that case (out of memory).
506 * @return 0 if OK, else error.
507 */
508int ub_resolve(struct ub_ctx* ctx, const char* name, int rrtype,
509	int rrclass, struct ub_result** result);
510
511/**
512 * Perform resolution and validation of the target name.
513 * Asynchronous, after a while, the callback will be called with your
514 * data and the result.
515 * @param ctx: context.
516 *	If no thread or process has been created yet to perform the
517 *	work in the background, it is created now.
518 *	The context is finalized, and can no longer accept config changes.
519 * @param name: domain name in text format (a string).
520 * @param rrtype: type of RR in host order, 1 is A.
521 * @param rrclass: class of RR in host order, 1 is IN (for internet).
522 * @param mydata: this data is your own data (you can pass NULL),
523 * 	and is passed on to the callback function.
524 * @param callback: this is called on completion of the resolution.
525 * 	It is called as:
526 * 	void callback(void* mydata, int err, struct ub_result* result)
527 * 	with mydata: the same as passed here, you may pass NULL,
528 * 	with err: is 0 when a result has been found.
529 * 	with result: a newly allocated result structure.
530 *		The result may be NULL, in that case err is set.
531 *
532 * 	If an error happens during processing, your callback will be called
533 * 	with error set to a nonzero value (and result==NULL).
534 * @param async_id: if you pass a non-NULL value, an identifier number is
535 *	returned for the query as it is in progress. It can be used to
536 *	cancel the query.
537 * @return 0 if OK, else error.
538 */
539int ub_resolve_async(struct ub_ctx* ctx, const char* name, int rrtype,
540	int rrclass, void* mydata, ub_callback_type callback, int* async_id);
541
542/**
543 * Cancel an async query in progress.
544 * Its callback will not be called.
545 *
546 * @param ctx: context.
547 * @param async_id: which query to cancel.
548 * @return 0 if OK, else error.
549 * This routine can return an error if the async_id passed does not exist
550 * or has already been delivered. If another thread is processing results
551 * at the same time, the result may be delivered at the same time and the
552 * cancel fails with an error.  Also the cancel can fail due to a system
553 * error, no memory or socket failures.
554 */
555int ub_cancel(struct ub_ctx* ctx, int async_id);
556
557/**
558 * Free storage associated with a result structure.
559 * @param result: to free
560 */
561void ub_resolve_free(struct ub_result* result);
562
563/**
564 * Convert error value to a human readable string.
565 * @param err: error code from one of the libunbound functions.
566 * @return pointer to constant text string, zero terminated.
567 */
568const char* ub_strerror(int err);
569
570/**
571 * Debug routine.  Print the local zone information to debug output.
572 * @param ctx: context.  Is finalized by the routine.
573 * @return 0 if OK, else error.
574 */
575int ub_ctx_print_local_zones(struct ub_ctx* ctx);
576
577/**
578 * Add a new zone with the zonetype to the local authority info of the
579 * library.
580 * @param ctx: context.  Is finalized by the routine.
581 * @param zone_name: name of the zone in text, "example.com"
582 *	If it already exists, the type is updated.
583 * @param zone_type: type of the zone (like for unbound.conf) in text.
584 * @return 0 if OK, else error.
585 */
586int ub_ctx_zone_add(struct ub_ctx* ctx, const char *zone_name,
587	const char *zone_type);
588
589/**
590 * Remove zone from local authority info of the library.
591 * @param ctx: context.  Is finalized by the routine.
592 * @param zone_name: name of the zone in text, "example.com"
593 *	If it does not exist, nothing happens.
594 * @return 0 if OK, else error.
595 */
596int ub_ctx_zone_remove(struct ub_ctx* ctx, const char *zone_name);
597
598/**
599 * Add localdata to the library local authority info.
600 * Similar to local-data config statement.
601 * @param ctx: context.  Is finalized by the routine.
602 * @param data: the resource record in text format, for example
603 *	"www.example.com IN A 127.0.0.1"
604 * @return 0 if OK, else error.
605 */
606int ub_ctx_data_add(struct ub_ctx* ctx, const char *data);
607
608/**
609 * Remove localdata from the library local authority info.
610 * @param ctx: context.  Is finalized by the routine.
611 * @param data: the name to delete all data from, like "www.example.com".
612 * @return 0 if OK, else error.
613 */
614int ub_ctx_data_remove(struct ub_ctx* ctx, const char *data);
615
616/**
617 * Get a version string from the libunbound implementation.
618 * @return a static constant string with the version number.
619 */
620const char* ub_version(void);
621
622/**
623 * Some global statistics that are not in struct stats_info,
624 * this struct is shared on a shm segment (shm-key in unbound.conf)
625 */
626struct ub_shm_stat_info {
627	int num_threads;
628
629	struct {
630		long long now_sec, now_usec;
631		long long up_sec, up_usec;
632		long long elapsed_sec, elapsed_usec;
633	} time;
634
635	struct {
636		long long msg;
637		long long rrset;
638		long long val;
639		long long iter;
640		long long subnet;
641		long long ipsecmod;
642		long long respip;
643		long long dnscrypt_shared_secret;
644		long long dnscrypt_nonce;
645		long long dynlib;
646	} mem;
647};
648
649/** number of qtype that is stored for in array */
650#define UB_STATS_QTYPE_NUM 256
651/** number of qclass that is stored for in array */
652#define UB_STATS_QCLASS_NUM 256
653/** number of rcodes in stats */
654#define UB_STATS_RCODE_NUM 16
655/** number of opcodes in stats */
656#define UB_STATS_OPCODE_NUM 16
657/** number of histogram buckets */
658#define UB_STATS_BUCKET_NUM 40
659/** number of RPZ actions */
660#define UB_STATS_RPZ_ACTION_NUM 10
661
662/** per worker statistics. */
663struct ub_server_stats {
664	/** number of queries from clients received. */
665	long long num_queries;
666	/** number of queries that have been dropped/ratelimited by ip. */
667	long long num_queries_ip_ratelimited;
668	/** number of queries that had a cache-miss. */
669	long long num_queries_missed_cache;
670	/** number of prefetch queries - cachehits with prefetch */
671	long long num_queries_prefetch;
672
673	/**
674	 * Sum of the querylistsize of the worker for
675	 * every query that missed cache. To calculate average.
676	 */
677	long long sum_query_list_size;
678	/** max value of query list size reached. */
679	long long max_query_list_size;
680
681	/** Extended stats below (bool) */
682	int extended;
683
684	/** qtype stats */
685	long long qtype[UB_STATS_QTYPE_NUM];
686	/** bigger qtype values not in array */
687	long long qtype_big;
688	/** qclass stats */
689	long long qclass[UB_STATS_QCLASS_NUM];
690	/** bigger qclass values not in array */
691	long long qclass_big;
692	/** query opcodes */
693	long long qopcode[UB_STATS_OPCODE_NUM];
694	/** number of queries over TCP */
695	long long qtcp;
696	/** number of outgoing queries over TCP */
697	long long qtcp_outgoing;
698	/** number of queries over (DNS over) TLS */
699	long long qtls;
700	/** number of queries over (DNS over) HTTPS */
701	long long qhttps;
702	/** number of queries over IPv6 */
703	long long qipv6;
704	/** number of queries with QR bit */
705	long long qbit_QR;
706	/** number of queries with AA bit */
707	long long qbit_AA;
708	/** number of queries with TC bit */
709	long long qbit_TC;
710	/** number of queries with RD bit */
711	long long qbit_RD;
712	/** number of queries with RA bit */
713	long long qbit_RA;
714	/** number of queries with Z bit */
715	long long qbit_Z;
716	/** number of queries with AD bit */
717	long long qbit_AD;
718	/** number of queries with CD bit */
719	long long qbit_CD;
720	/** number of queries with EDNS OPT record */
721	long long qEDNS;
722	/** number of queries with EDNS with DO flag */
723	long long qEDNS_DO;
724	/** answer rcodes */
725	long long ans_rcode[UB_STATS_RCODE_NUM];
726	/** answers with pseudo rcode 'nodata' */
727	long long ans_rcode_nodata;
728	/** answers that were secure (AD) */
729	long long ans_secure;
730	/** answers that were bogus (withheld as SERVFAIL) */
731	long long ans_bogus;
732	/** rrsets marked bogus by validator */
733	long long rrset_bogus;
734	/** number of queries that have been ratelimited by domain recursion. */
735	long long queries_ratelimited;
736	/** unwanted traffic received on server-facing ports */
737	long long unwanted_replies;
738	/** unwanted traffic received on client-facing ports */
739	long long unwanted_queries;
740	/** usage of tcp accept list */
741	long long tcp_accept_usage;
742	/** expired answers served from cache */
743	long long ans_expired;
744	/** histogram data exported to array
745	 * if the array is the same size, no data is lost, and
746	 * if all histograms are same size (is so by default) then
747	 * adding up works well. */
748	long long hist[UB_STATS_BUCKET_NUM];
749
750	/** number of message cache entries */
751	long long msg_cache_count;
752	/** number of rrset cache entries */
753	long long rrset_cache_count;
754	/** number of infra cache entries */
755	long long infra_cache_count;
756	/** number of key cache entries */
757	long long key_cache_count;
758
759	/** number of queries that used dnscrypt */
760	long long num_query_dnscrypt_crypted;
761	/** number of queries that queried dnscrypt certificates */
762	long long num_query_dnscrypt_cert;
763	/** number of queries in clear text and not asking for the certificates */
764	long long num_query_dnscrypt_cleartext;
765	/** number of malformed encrypted queries */
766	long long num_query_dnscrypt_crypted_malformed;
767	/** number of queries which did not have a shared secret in cache */
768	long long num_query_dnscrypt_secret_missed_cache;
769	/** number of dnscrypt shared secret cache entries */
770	long long shared_secret_cache_count;
771	/** number of queries which are replays */
772	long long num_query_dnscrypt_replay;
773	/** number of dnscrypt nonces cache entries */
774	long long nonce_cache_count;
775	/** number of queries for unbound's auth_zones, upstream query */
776	long long num_query_authzone_up;
777	/** number of queries for unbound's auth_zones, downstream answers */
778	long long num_query_authzone_down;
779	/** number of times neg cache records were used to generate NOERROR
780	 * responses. */
781	long long num_neg_cache_noerror;
782	/** number of times neg cache records were used to generate NXDOMAIN
783	 * responses. */
784	long long num_neg_cache_nxdomain;
785	/** number of queries answered from edns-subnet specific data */
786	long long num_query_subnet;
787	/** number of queries answered from edns-subnet specific data, and
788	 * the answer was from the edns-subnet cache. */
789	long long num_query_subnet_cache;
790	/** number of bytes in the stream wait buffers */
791	long long mem_stream_wait;
792	/** number of bytes in the HTTP2 query buffers */
793	long long mem_http2_query_buffer;
794	/** number of bytes in the HTTP2 response buffers */
795	long long mem_http2_response_buffer;
796	/** number of TLS connection resume */
797	long long qtls_resume;
798	/** RPZ action stats */
799	long long rpz_action[UB_STATS_RPZ_ACTION_NUM];
800};
801
802/**
803 * Statistics to send over the control pipe when asked
804 * This struct is made to be memcopied, sent in binary.
805 * shm mapped with (number+1) at num_threads+1, with first as total
806 */
807struct ub_stats_info {
808	/** the thread stats */
809	struct ub_server_stats svr;
810
811	/** mesh stats: current number of states */
812	long long mesh_num_states;
813	/** mesh stats: current number of reply (user) states */
814	long long mesh_num_reply_states;
815	/** mesh stats: number of reply states overwritten with a new one */
816	long long mesh_jostled;
817	/** mesh stats: number of incoming queries dropped */
818	long long mesh_dropped;
819	/** mesh stats: replies sent */
820	long long mesh_replies_sent;
821	/** mesh stats: sum of waiting times for the replies */
822	long long mesh_replies_sum_wait_sec, mesh_replies_sum_wait_usec;
823	/** mesh stats: median of waiting times for replies (in sec) */
824	double mesh_time_median;
825};
826
827#ifdef __cplusplus
828}
829#endif
830
831#endif /* _UB_UNBOUND_H */
832