head	1.6;
access;
symbols
	pkgsrc-2026Q1:1.6.0.16
	pkgsrc-2026Q1-base:1.6
	pkgsrc-2025Q4:1.6.0.14
	pkgsrc-2025Q4-base:1.6
	pkgsrc-2025Q3:1.6.0.12
	pkgsrc-2025Q3-base:1.6
	pkgsrc-2025Q2:1.6.0.10
	pkgsrc-2025Q2-base:1.6
	pkgsrc-2025Q1:1.6.0.8
	pkgsrc-2025Q1-base:1.6
	pkgsrc-2024Q4:1.6.0.6
	pkgsrc-2024Q4-base:1.6
	pkgsrc-2024Q3:1.6.0.4
	pkgsrc-2024Q3-base:1.6
	pkgsrc-2024Q2:1.6.0.2
	pkgsrc-2024Q2-base:1.6
	pkgsrc-2024Q1:1.5.0.12
	pkgsrc-2024Q1-base:1.5
	pkgsrc-2023Q4:1.5.0.10
	pkgsrc-2023Q4-base:1.5
	pkgsrc-2023Q3:1.5.0.8
	pkgsrc-2023Q3-base:1.5
	pkgsrc-2023Q2:1.5.0.6
	pkgsrc-2023Q2-base:1.5
	pkgsrc-2023Q1:1.5.0.4
	pkgsrc-2023Q1-base:1.5
	pkgsrc-2022Q4:1.5.0.2
	pkgsrc-2022Q4-base:1.5
	pkgsrc-2022Q3:1.4.0.22
	pkgsrc-2022Q3-base:1.4
	pkgsrc-2022Q2:1.4.0.20
	pkgsrc-2022Q2-base:1.4
	pkgsrc-2022Q1:1.4.0.18
	pkgsrc-2022Q1-base:1.4
	pkgsrc-2021Q4:1.4.0.16
	pkgsrc-2021Q4-base:1.4
	pkgsrc-2021Q3:1.4.0.14
	pkgsrc-2021Q3-base:1.4
	pkgsrc-2021Q2:1.4.0.12
	pkgsrc-2021Q2-base:1.4
	pkgsrc-2021Q1:1.4.0.10
	pkgsrc-2021Q1-base:1.4
	pkgsrc-2020Q4:1.4.0.8
	pkgsrc-2020Q4-base:1.4
	pkgsrc-2020Q3:1.4.0.6
	pkgsrc-2020Q3-base:1.4
	pkgsrc-2020Q2:1.4.0.4
	pkgsrc-2020Q2-base:1.4
	pkgsrc-2020Q1:1.4.0.2
	pkgsrc-2020Q1-base:1.4
	pkgsrc-2019Q4:1.3.0.12
	pkgsrc-2019Q4-base:1.3
	pkgsrc-2019Q3:1.3.0.8
	pkgsrc-2019Q3-base:1.3
	pkgsrc-2019Q2:1.3.0.6
	pkgsrc-2019Q2-base:1.3
	pkgsrc-2019Q1:1.3.0.4
	pkgsrc-2019Q1-base:1.3
	pkgsrc-2018Q4:1.3.0.2
	pkgsrc-2018Q4-base:1.3
	pkgsrc-2018Q3:1.2.0.4
	pkgsrc-2018Q3-base:1.2
	pkgsrc-2018Q2:1.2.0.2
	pkgsrc-2018Q2-base:1.2
	pkgsrc-2018Q1:1.1.0.8
	pkgsrc-2018Q1-base:1.1
	pkgsrc-2017Q4:1.1.0.6
	pkgsrc-2017Q4-base:1.1
	pkgsrc-2017Q3:1.1.0.4
	pkgsrc-2017Q3-base:1.1;
locks; strict;
comment	@# @;


1.6
date	2024.05.08.11.16.49;	author he;	state Exp;
branches;
next	1.5;
commitid	MJNSwsrpb9gXEb9F;

1.5
date	2022.10.13.12.09.00;	author he;	state Exp;
branches;
next	1.4;
commitid	kDgXkqVZDD4kmyXD;

1.4
date	2020.02.20.20.39.07;	author he;	state Exp;
branches;
next	1.3;
commitid	y3widfg7LyfQesXB;

1.3
date	2018.12.04.12.04.22;	author he;	state Exp;
branches
	1.3.12.1;
next	1.2;
commitid	0915XEcjDmh7Dt2B;

1.2
date	2018.05.07.07.13.28;	author he;	state Exp;
branches;
next	1.1;
commitid	WA6WwiMns8RUNkBA;

1.1
date	2017.07.09.08.09.41;	author adam;	state Exp;
branches;
next	;
commitid	a1GGQ2u6JrstOwYz;

1.3.12.1
date	2020.02.20.14.40.46;	author he;	state Exp;
branches;
next	1.3.12.2;
commitid	9ReIFlkXLaH5gqXB;

1.3.12.2
date	2020.02.20.15.59.37;	author he;	state Exp;
branches;
next	;
commitid	n3T1CWoXSh90HqXB;


desc
@@


1.6
log
@Update net/unbound to version 1.20.0.

Pkgsrc changes:
 * Adjust patch-configure so it still applies.
 * Adjust checksums.

Upstream changes:

Features
- The config for discard-timeout, wait-limit, wait-limit-cookie, wait-limit-netblock and wait-limit-cookie-netblock was added, for the fix to the DNSBomb issue.
- Merge #1027: Introduce 'cache-min-negative-ttl' option.
- Merge #1043 from xiaoxiaoafeifei: Add loongarch support; updates config.guess(2024-01-01) and config.sub(2024-01-01), verified with upstream.
- Implement cachedb-check-when-serve-expired: yes option, default is enabled. When serve expired is enabled with cachedb, it first checks cachedb before serving the expired response.
- Fix #876: [FR] can unbound-checkconf be silenced when configuration is valid?

Bug Fixes
- Fix for the DNSBomb vulnerability CVE-2024-33655. Thanks to Xiang Li from the Network and Information Security Lab of Tsinghua University for reporting it.
- Update doc/unbound.doxygen with 'doxygen -u'. Fixes option deprecation warnings and updates with newer defaults.
- Remove unused portion from iter_dname_ttl unit test.
- Fix validator classification of qtype DNAME for positive and redirection answers, and fix validator signature routine for dealing with the synthesized CNAME for a DNAME without previously encountering it and also for when the qtype is DNAME.
- Fix qname minimisation for reply with a DNAME for qtype CNAME that answers it.
- Fix doc test so it ignores but outputs unsupported doxygen options.
- Fix #1021 Inconsistent Behavior with Changing rpz-cname-override and doing a unbound-control reload.
- Merge #1028: Clearer documentation for tcp-idle-timeout and edns-tcp-keepalive-timeout.
- Fix #1029: rpz trigger clientip and action rpz-passthru not working as expected.
- Fix rpz that the rpz override is taken in case of clientip triggers. Fix that the clientip passthru action is logged. Fix that the clientip localdata action is logged. Fix rpz override action cname for the clientip trigger.
- Fix to unify codepath for local alias for rpz cname action override.
- Fix rpz for cname override action after nsdname and nsip triggers.
- Fix that addrinfo is not kept around but copied and freed, so that log-destaddr uses a copy of the information, much like NSD does.
- Merge #1030: Persist the openssl and expat directories for repeated Windows builds.
- Fix that rpz CNAME content is limited to the max number of cnames.
- Fix rpz, it follows iterator CNAMEs for nsip and nsdname and sets the reply query_info values, that is better for debug logging.
- Fix rpz that copies the cname override completely to the temp region, so there are no references to the rpz region.
- Add rpz unit test for nsip action override.
- Fix rpz for qtype CNAME after nameserver trigger.
- Fix rpz so that rpz CNAME can apply after rpz CNAME. And fix that clientip and nsip can give a CNAME.
- Fix localdata and rpz localdata to match CNAME only if no direct type match is available.
- Merge #831 from Pierre4012: Improve Windows NSIS installer script (setup.nsi).
- For #831: Format text, use exclamation icon and explicit label names.
- Fix name of unit test for subnet cache response.
- Fix #1032: The size of subnet_msg_cache calculation mistake cause memory usage increased beyond expectations.
- Fix for #1032, add safeguard to make table space positive.
- Fix comment in lruhash space function.
- Fix to add unit test for lruhash space that exercises the routines.
- Fix that when the server truncates the pidfile, it does not follow symbolic links.
- Fix that the server does not chown the pidfile.
- Fix #1034: DoT forward-zone via unbound-control.
- Fix for crypto related failures to have a better error string.
- Fix #1035: Potential Bug while parsing port from the "stub-host" string; also affected forward-zones and remote-control host directives.
- Fix #369: dnstap showing extra responses; for client responses right from the cache when replying with expired data or prefetching.
- Fix #1040: fix heap-buffer-overflow issue in function cfg_mark_ports of file util/config_file.c.
- For #1040: adjust error text and disallow negative ports in other parts of cfg_mark_ports.
- Fix comment syntax for view function views_find_view.
- Fix #595: unbound-anchor cannot deal with full disk; it will now first write out to a temp file before replacing the original one, like Unbound already does for auto-trust-anchor-file.
- Fixup compile without cachedb.
- Add test for cachedb serve expired.
- Extended test for cachedb serve expired.
- Fix makefile dependencies for fake_event.c.
- Fix cachedb for serve-expired with serve-expired-reply-ttl.
- Fix to not reply serve expired unless enabled for cachedb.
- Fix cachedb for serve-expired with serve-expired-client-timeout.
- Fixup unit test for cachedb server expired client timeout with a check if response is from upstream or from cachedb.
- Fixup cachedb to not refetch when serve-expired-client-timeout is used.
- Merge #1049 from Petr Menšík: Py_NoSiteFlag is not needed since Python 3.8
- Fix #1048: Update ax_pkg_swig.m4 and ax_pthread.m4.
- Fix configure, autoconf for #1048.
- Add checklock feature verbose_locking to trace locks and unlocks.
- Fix edns subnet to sort rrset references when storing messages in the cache. This fixes a race condition in the rrset locks.
- Merge #1053: Remove child delegations from cache when grandchild delegations are returned from parent.
- Fix ci workflow for macos for moved install locations.
- Fix configure flto check error, by finding grep for it.
- Merge #1041: Stub and Forward unshare. This has one structure for them and fixes #1038: fatal error: Could not initialize thread / error: reading root hints.
- Fix to disable fragmentation on systems with IP_DONTFRAG, with a nonzero value for the socket option argument.
- Fix doc unit test for out of directory build.
- Fix cachedb with serve-expired-client-timeout disabled. The edns subnet module deletes global cache and cachedb cache when it stores a result, and serve-expired is enabled, so that the global reply, that is older than the ecs reply, does not return after the ecs reply expires.
- Add unit tests for cachedb and subnet cache expired data.
- Man page entry for unbound-checkconf -q.
- Cleanup unnecessary strdup calls for EDE strings.
- Fix doxygen comment for errinf_to_str_bogus.
@
text
@$NetBSD: patch-configure,v 1.5 2022/10/13 12:09:00 he Exp $

Pretend expat.h is found: it is guaranteed by PkgSrc, but on Darwin it
might be buried inside an SDK; we don't want the SDK path being exposed
in CFLAGS.

--- configure.orig	2017-07-09 07:41:42.000000000 +0000
+++ configure
@@@@ -21900,7 +21900,7 @@@@ fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for libexpat" >&5 printf %s "checking for libexpat... " >&6; } -found_libexpat="no" +found_libexpat="yes" for dir in $withval ; do if test -f "$dir/include/expat.h"; then found_libexpat="yes"
@


1.5
log
@Update net/unbound to version 1.17.0.

Pkgsrc changes:
 * none, other than checksums.

Upstream changes:

This release has new interface acl configuration options. These allow access-control actions, per interface. Also tags, and views can be configured per interface, queries over the interface are answered with these tags and views. It is configured with the options `interface-action`, `interface-tag`, `interface-tag-action`, `interface-tag-data` and `interface-view`.
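Review bot: the single hunk in the 1.6 patch text above (the `-found_libexpat="no"` / `+found_libexpat="yes"` pair before `for dir in $withval ; do`) removes the only negative outcome of the libexpat probe, so on a host where expat.h really is absent configure will now pass and the failure moves to compile time; the patch comment justifies this with "guaranteed by PkgSrc", which is fine, but the comment should name the mechanism (the expat buildlink dependency) so a later maintainer knows what the forced `yes` relies on. The loop that follows the forced assignment still runs unchanged, and the hunk does not show the code that would put an SDK include path into CFLAGS, so please confirm that path is only added on the not-found fallback; otherwise the patch does not achieve what its comment says. Finally, this hunk is anchored purely by a line number in a generated configure script, and the revision history of this file shows it being re-rolled every upstream release (19030 in 1.3, 19489 in 1.4, 19850 in 1.5, 21900 now, each with an "adjust line numbers" or "re-position" commit); a SUBST_CLASSES rule in the package Makefile matching `found_libexpat="no"`, or a patch against configure.ac, would survive those moves without maintenance.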
If there is also an access-control setting for the query, this overrides the interface settings for that query.

The PROXYv2 protocol is supported. It can be configured with the `proxy-protocol-port: portno` option. It is used to convey the IP addresses of clients that connect via a proxy to Unbound.

There are also fixes for a number of bugs. In some cases a blocking wait on a socket could happen, and this has been fixed. If the upstream sends a TC flag, erroneously, the reply is ignored and retried. When under load, with the new NRDelegation fixes from the previous release, there are mitigations to continue target discovery. There is also a fix for possible loops in the tcp reuse code.

The release version differs from the RC1, there is a bugfix for the proxy protocol for tcp read when no proxied addresses are provided.

Features
- Merge #753: ACL per interface. (New interface-* configuration options).
- Merge #760: PROXYv2 downstream support. (New proxy-protocol-port configuration option).

Bug Fixes
- Fix #728: alloc_reg_obtain() core dump. Stop double alloc_reg_release when serviced_create fails.
- Fix edns subnet so that scope 0 answers only match sourcemask 0 queries for answers from cache if from a query with sourcemask 0.
- Fix unittest for edns subnet change.
- Merge #730 from luisdallos: Fix startup failure on Windows 8.1 due to unsupported IPV6_USER_MTU socket option being set.
- Fix ratelimit inconsistency, for ip-ratelimits the value is the amount allowed, like for ratelimits.
- Fix #734 [FR] enable unbound-checkconf to detect more (basic) errors.
- Fix to log accept error ENFILE and EMFILE errno, but slowly, once per 10 seconds. Also log accept failures when no slow down is used.
- Fix to avoid process wide fcntl calls mixed with nonblocking operations after a blocked write.
- Patch from Vadim Fedorenko that adds MSG_DONTWAIT to receive operations, so that instruction reordering does not cause mistakenly blocking socket operations.
- Fix to wait for blocked write on UDP sockets, with a timeout if it takes too long the packet is dropped.
- Fix for wait for udp send to stop when packet is successfully sent.
- Fix #741: systemd socket activation fails on IPv6.
- Fix to update config tests to fix checking if nonblocking sockets work on OpenBSD.
- Slow down log frequency of write wait failures.
- Fix to set out of file descriptor warning to operational verbosity.
- Fix to log a verbose message at operational notice level if a thread is not responding, to stats requests. It is logged with thread identifiers.
- Remove include that was there for debug purposes.
- Fix to check pthread_t size after pthread has been detected.
- Convert tdir tests to use the new skip_test functionality.
- Remove unused testcode/mini_tpkg.sh file.
- Better output for skipped tdir tests.
- Fix doxygen warning in respip.h.
- Fix to remove erroneous TC flag from TCP upstream.
- Fix test tdir skip report printout.
- Fix windows compile, the identifier interface is defined in headers.
- Fix to close errno block in comm_point_tcp_handle_read outside of ifdef.
- Fix static analysis report to remove dead code from the rpz_callback_from_iterator_module function.
- Fix to clean up after the acl_interface unit test.
- Merge #764: Leniency for target discovery when under load (for NRDelegation changes).
- Use DEBUG_TDIR from environment in mini_tdir.sh for debugging.
- Fix string comparison in mini_tdir.sh.
- Make ede.tdir test more predictable by using static data.
- Fix checkconf test for dnscrypt and proxy port.
- Fix dnscrypt compile for proxy protocol code changes.
- Fix to stop responses with TC flag from resulting in partial responses. It retries to fetch the data elsewhere, or fails the query and in depth fix removes the TC flag from the cached item.
- Fix proxy length debug output printout typecasts.
- Fix to stop possible loops in the tcp reuse code (write_wait list and tcp_wait list).
  Based on analysis and patch from Prad Seniappan and Karthik Umashankar.
- Fix PROXYv2 header read for TCP connections when no proxied addresses are provided.
@
text
@d1 1
a1 1
$NetBSD: patch-configure,v 1.4 2020/02/20 20:39:07 he Exp $
d8 1
a8 1
@@@@ -19850,7 +19850,7 @@@@ fi
d10 2
a11 2
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for libexpat" >&5
$as_echo_n "checking for libexpat... " >&6; }
@


1.4
log
@Update unbound to version 1.10.0.
(This time on the main CVS branch...)

Pkgsrc changes:
 * Adjust line numbers in patch.

Upstream changes:

The 1.10.0 release has RPZ support and serve stale functionality according to draft draft-ietf-dnsop-serve-stale-10. And a number of other, smaller, features, and bug fixes.

The DNS Response Policy Zones (RPZ) functionality makes it possible to express DNS response policies in a DNS zone. These zones can be loaded from file or transferred over DNS zone transfers or HTTP. The RPZ functionality in Unbound is implemented as specified in draft-vixie-dnsop-dns-rpz-00. Only the QNAME and Response IP Address triggers are supported. The supported RPZ actions are: NXDOMAIN, NODATA, PASSTHRU, DROP and Local Data.

Enabling the respip module using `module-config` is required to use RPZ. Each RPZ zone can be configured using the `rpz` clause. RPZ clauses are applied in order of configuration. Unbound can get the data from zone transfer, a zonefile or https url, and more options are documented in the man page. A minimal RPZ configuration that will transfer the RPZ zone using AXFR and IXFR can look like:

server:
    module-config: "respip validator iterator"
rpz:
    name: "rpz.example.com"  # name of the policy zone
    master: 192.0.2.0        # address of the name server to transfer from

The serve-stale functionality as described in draft-ietf-dnsop-serve-stale-10 is now supported in unbound. This allows unbound to first try and resolve a domain name before replying with expired data from cache.
This differs from unbound's initial serve-expired behavior which attempts to reply with expired entries from cache without waiting for the actual resolution to finish. Both behaviors are available and can be configured with the various serve-expired-* configuration options. serve-expired-client-timeout is the option that enables one or the other.

The DSA algorithms have been disabled by default, this is because of RFC 8624. There is a crash fix in the parse of text of type WKS, reported by X41 D-Sec. In addition, neg and key caches can be shared with multiple libunbound contexts, a change that assists unwind. The contrib/unbound_portable.service provides a systemd start file for a portable setup. The configure --with-libbsd option allows the use of the bsd compatibility library so that it can use the arc4random from it. The stats in contrib/unbound_munin_ have num.query.tls and num.query.tls.resume added to them. For unbound-control the command view_local_datas_remove is added that removes data from a view.

Features:
- Merge RPZ support into master. Only QNAME and Response IP triggers are supported.
- Added serve-stale functionality as described in draft-ietf-dnsop-serve-stale-10. `serve-expired-*` options can be used to configure the behavior.
- Updated cachedb to honor `serve-expired-ttl`; Fixes #107.
- Renamed statistic `num.zero_ttl` to `num.expired` as expired replies come with a configurable TTL value (`serve-expired-reply-ttl`).
- Merge #135 from Florian Obser: Use passed in neg and key cache if non-NULL.
- Fix #153: Disable validation for DSA algorithms. RFC 8624 compliance.
- Merge PR#151: Fixes for systemd units, by Maryse47, Edmonds and Frzk. Updates the unbound.service systemd file and adds a portable systemd service file.
- Merge PR#154; Allow use of libbsd functions with configure option --with-libbsd. By Robert Edmonds and Steven Chamberlain.
- Merge PR#148; Add some TLS stats to unbound_munin_. By Fredrik Pettai.
- Merge PR#156 from Alexander Berkes; Added unbound-control view_local_datas_remove command.

Bug Fixes:
- Fix typo to let serve-expired-ttl work with ub_ctx_set_option(), by Florian Obser
- Update mailing list URL.
- Fix #140: Document slave not downloading new zonefile upon update.
- Downgrade compat/getentropy_solaris.c to version 1.4 from OpenBSD. The dl_iterate_phdr() function introduced in newer versions raises compilation errors on solaris 10.
- Changes to compat/getentropy_solaris.c for, ifdef stdint.h inclusion for older systems. ifdef sha2.h inclusion for older systems.
- Fix 'make test' to work for --disable-sha1 configure option.
- Fix out-of-bounds null-byte write in sldns_bget_token_par while parsing type WKS, reported by Luis Merino from X41 D-Sec.
- Updated sldns_bget_token_par fix for also space for the zero delimiter after the character. And update for more spare space.
- Fix #138: stop binding pidfile inside chroot dir in systemd service file.
- Fix the relationship between serve-expired and prefetch options, patch from Saksham Manchanda from Secure64.
- Fix unreachable code in ssl set options code.
- Removed the dnscrypt_queries and dnscrypt_queries_chacha tests, because dnscrypt-proxy (2.0.36) does not support the test setup any more, and also the config file format does not seem to have the appropriate keys to recreate that setup.
- Fix crash after reload where a stats lookup could reference old key cache and neg cache structures.
- Fix for memory leak when edns subnet config options are read when compiled without edns subnet support.
- Fix auth zone support for NSEC3 records without salt.
- Merge PR#150 from Frzk: Systemd unit without chroot. It adds contrib/unbound_nochroot.service.in, a systemd file for use with chroot: "", see comments in the file, it uses systemd protections instead. It was superseded by #151, the unbound_portable.service file.
- Merge PR#155 from Robert Edmonds: contrib/libunbound.pc.in: Fixes to Libs/Requires for crypto library dependencies.
- iana portlist updated.
- Fix to silence the tls handshake errors for broken pipe and reset by peer, unless verbosity is set to 2 or higher.
- Merge PR#147; change rfc reference for reserved top level dns names.
- Fix #157: undefined reference to `htobe64'.
- Fix subnet tests for disabled DSA algorithm by default.
- Update contrib/fastrpz.patch for clean diff with current code.
- updated .gitignore for added contrib file.
- Add build rule for ipset to Makefile
- Add getentropy_freebsd.o to Makefile dependencies.
- Fix memory leak in error condition remote.c
- Fix double free in error condition view.c
- Fix memory leak in do_auth_zone_transfer on success
- Stop working on socket when socket() call returns an error.
- Check malloc return values in TLS session ticket code
- Fix fclose on error in TLS session ticket code.
- Add assertion to please static analyzer
- Fixed stats when replying with cached, cname-aliased records.
- Added missing default values for redis cachedb backend.
- Fix num_reply_addr counting in mesh and tcp drop due to size after serve_stale commit.
- Fix to create and destroy rpz_lock in auth_zones structure.
- Fix to lock zone before adding rpz qname trigger.
- Fix to lock and release once in mesh_serve_expired_lookup.
- Fix to put braces around empty if body when threading is disabled.
- Fix num_reply_states and num_detached_states counting with serve_expired_callback.
- Cleaner code in mesh_serve_expired_lookup.
- Document in unbound.conf manpage that configuration clauses can be repeated in the configuration file.
- Document 'ub_result.was_ratelimited' in libunbound.
- Fix use after free on log-identity after a reload; Fixes #163.
- Fix with libnettle make test with dsa disabled.
- Fix contrib/fastrpz.patch to apply cleanly. Fix for serve-stale fixes, but it does not compile, conflicts with new rpz code.
- Fix to clean memory leak of respip_addr.lock when ip_tree deleted.
- Fix compile warning when threads disabled.
@
text
@d1 1
a1 1
$NetBSD: patch-configure,v 1.3 2018/12/04 12:04:22 he Exp $
d8 1
a8 1
@@@@ -19489,7 +19489,7 @@@@ fi
@


1.3
log
@Update unbound to version 1.8.2

Pkgsrc changes:
 * Re-position configure diff.

Upstream changes:

Features
- Add fast-server-permil and fast-server-num options.
- Deprecate low-rtt and low-rtt-permil options.
- Change fast-server-num default to 3.
- Fix #4154: make ECS_MAX_TREESIZE configurable, with the max-ecs-tree-size-ipv4 and max-ecs-tree-size-ipv6 options.
- Fix #4190: Please create a "ANY" deny option, adds the option deny-any: yes in unbound.conf. This responds with an empty message to queries of type ANY.
- Fix #4126: RTT_band too low on VSAT links with 600+ms latency, adds the option unknown-server-time-limit to unbound.conf that can be increased to avoid the problem.
- Add min-client-subnet-ipv6 and min-client-subnet-ipv4 options.
- Support SO_REUSEPORT_LB in FreeBSD 12 with the so-reuseport: yes option in unbound.conf.
- Add unbound-control view_local_datas command, like local_datas.

Bug Fixes
- dnscrypt.c removed sizeof to get array bounds.
- Fix testlock code to set noreturn on error routine.
- Remove unused variable from contrib fastrpz/rpz.c and remove unused diagnostic pragmas that themselves generate warnings
- clang analyze test is used only when assertions are enabled.
- Squelch EADDRNOTAVAIL errors when the interface goes away, this omits 'can't assign requested address' errors unless verbosity is set to a high value.
- Set default for so-reuseport to no for FreeBSD. It is enabled by default for Linux and DragonFlyBSD. The setting can be configured in unbound.conf to override the default.
- iana port update.
- Squelch log of failed to tcp initiate after TCP Fastopen failure.
- Fix #4192: unbound-control-setup generates keys not readable by group.
- check that the dnstap socket file can be opened and exists, print error if not.
- Add markdel function to ECS slabhash.
- Limit ECS scope returned to client to the scope used for caching.
- Fix #4191: NXDOMAIN vs SERVFAIL during dns64 PTR query.
- Fix #4141: More randomness to rrset-roundrobin.
- Fix #4132: Openness/closeness of RANGE intervals in rpl files.
- remade makefile dependencies.
- Fix #4152: Logs shows wrong time when using log-time-ascii: yes.
- Scrub NS records from NXDOMAIN responses to stop fragmentation poisoning of the cache.
- Scrub NS records from NODATA responses as well.
- Add patch from Jan Vcelak for pythonmod, add sockaddr_storage getters, add support for query callbacks, allow raw address access via comm_reply and update API documentation.
- Removed compile warnings in pythonmod sockaddr routines.
- With ./configure --with-pyunbound --with-pythonmodule PYTHON_VERSION=3.6 or with 2.7 unbound can compile and unit tests succeed for the python module.
- pythonmod logs the python error and traceback on failure.
- ignore debug python module for test in doxygen output.
- review fixes for python module.
- Fix #4209: Crash in libunbound when called from getdns.
- auth zone zonefiles can be in a chroot, the chroot directory components are removed before use.
- Fix that empty zonefile means the zonefile is not set and not used.
- Fix to not set GLOB_NOSORT so the unbound.conf include: files are sorted and in a predictable order.
- Fix #4193: Fix that prefetch failure does not overwrite valid cache entry with SERVFAIL.
- Fix DNS64 to not store intermediate results in cache, this avoids other threads from picking up the wrong data. The module restores the previous no_cache_store setting when the module is finished.
- Fix #4208: 'stub-no-cache' and 'forward-no-cache' not work.
- New and better fix for Fix #4193: Fix that prefetch failure does not overwrite valid cache entry with SERVFAIL.
- auth-zone give SERVFAIL when expired, fallback activates when expired, and this is documented in the man page.
- stat count SERVFAIL downstream auth-zone queries for expired zones.
- Put new logos into windows installer.
- Fix windows compile for new rrset roundrobin fix.
- Update contrib fastrpz patch for latest release.
- Fix chroot auth-zone fix to remove chroot prefix.
- windows icon updated.
@
text
@d1 1
a1 1
$NetBSD: patch-configure,v 1.2 2018/05/07 07:13:28 he Exp $
d8 1
a8 1
@@@@ -19030,7 +19030,7 @@@@ fi
@


1.3.12.1
log
@Update unbound to version 1.10.0.

Pkgsrc changes:
 * Adjust line numbers in patch.

Upstream changes:

The 1.10.0 release has RPZ support and serve stale functionality according to draft draft-ietf-dnsop-serve-stale-10. And a number of other, smaller, features, and bug fixes.

The DNS Response Policy Zones (RPZ) functionality makes it possible to express DNS response policies in a DNS zone. These zones can be loaded from file or transferred over DNS zone transfers or HTTP. The RPZ functionality in Unbound is implemented as specified in draft-vixie-dnsop-dns-rpz-00. Only the QNAME and Response IP Address triggers are supported. The supported RPZ actions are: NXDOMAIN, NODATA, PASSTHRU, DROP and Local Data.

Enabling the respip module using `module-config` is required to use RPZ. Each RPZ zone can be configured using the `rpz` clause. RPZ clauses are applied in order of configuration. Unbound can get the data from zone transfer, a zonefile or https url, and more options are documented in the man page. A minimal RPZ configuration that will transfer the RPZ zone using AXFR and IXFR can look like:

server:
    module-config: "respip validator iterator"
rpz:
    name: "rpz.example.com"  # name of the policy zone
    master: 192.0.2.0        # address of the name server to transfer from

The serve-stale functionality as described in draft-ietf-dnsop-serve-stale-10 is now supported in unbound.
This allows unbound to first try and resolve a domain name before replying with expired data from cache. This differs from unbound's initial serve-expired behavior which attempts to reply with expired entries from cache without waiting for the actual resolution to finish. Both behaviors are available and can be configured with the various serve-expired-* configuration options. serve-expired-client-timeout is the option that enables one or the other.

The DSA algorithms have been disabled by default, this is because of RFC 8624. There is a crash fix in the parse of text of type WKS, reported by X41 D-Sec. In addition, neg and key caches can be shared with multiple libunbound contexts, a change that assists unwind. The contrib/unbound_portable.service provides a systemd start file for a portable setup. The configure --with-libbsd option allows the use of the bsd compatibility library so that it can use the arc4random from it. The stats in contrib/unbound_munin_ have num.query.tls and num.query.tls.resume added to them. For unbound-control the command view_local_datas_remove is added that removes data from a view.

Features:
- Merge RPZ support into master. Only QNAME and Response IP triggers are supported.
- Added serve-stale functionality as described in draft-ietf-dnsop-serve-stale-10. `serve-expired-*` options can be used to configure the behavior.
- Updated cachedb to honor `serve-expired-ttl`; Fixes #107.
- Renamed statistic `num.zero_ttl` to `num.expired` as expired replies come with a configurable TTL value (`serve-expired-reply-ttl`).
- Merge #135 from Florian Obser: Use passed in neg and key cache if non-NULL.
- Fix #153: Disable validation for DSA algorithms. RFC 8624 compliance.
- Merge PR#151: Fixes for systemd units, by Maryse47, Edmonds and Frzk. Updates the unbound.service systemd file and adds a portable systemd service file.
- Merge PR#154; Allow use of libbsd functions with configure option --with-libbsd. By Robert Edmonds and Steven Chamberlain.
- Merge PR#148; Add some TLS stats to unbound_munin_. By Fredrik Pettai.
- Merge PR#156 from Alexander Berkes; Added unbound-control view_local_datas_remove command.

Bug Fixes:
- Fix typo to let serve-expired-ttl work with ub_ctx_set_option(), by Florian Obser
- Update mailing list URL.
- Fix #140: Document slave not downloading new zonefile upon update.
- Downgrade compat/getentropy_solaris.c to version 1.4 from OpenBSD. The dl_iterate_phdr() function introduced in newer versions raises compilation errors on solaris 10.
- Changes to compat/getentropy_solaris.c for, ifdef stdint.h inclusion for older systems. ifdef sha2.h inclusion for older systems.
- Fix 'make test' to work for --disable-sha1 configure option.
- Fix out-of-bounds null-byte write in sldns_bget_token_par while parsing type WKS, reported by Luis Merino from X41 D-Sec.
- Updated sldns_bget_token_par fix for also space for the zero delimiter after the character. And update for more spare space.
- Fix #138: stop binding pidfile inside chroot dir in systemd service file.
- Fix the relationship between serve-expired and prefetch options, patch from Saksham Manchanda from Secure64.
- Fix unreachable code in ssl set options code.
- Removed the dnscrypt_queries and dnscrypt_queries_chacha tests, because dnscrypt-proxy (2.0.36) does not support the test setup any more, and also the config file format does not seem to have the appropriate keys to recreate that setup.
- Fix crash after reload where a stats lookup could reference old key cache and neg cache structures.
- Fix for memory leak when edns subnet config options are read when compiled without edns subnet support.
- Fix auth zone support for NSEC3 records without salt.
- Merge PR#150 from Frzk: Systemd unit without chroot. It adds contrib/unbound_nochroot.service.in, a systemd file for use with chroot: "", see comments in the file, it uses systemd protections instead. It was superseded by #151, the unbound_portable.service file.
- Merge PR#155 from Robert Edmonds: contrib/libunbound.pc.in: Fixes to Libs/Requires for crypto library dependencies.
- iana portlist updated.
- Fix to silence the tls handshake errors for broken pipe and reset by peer, unless verbosity is set to 2 or higher.
- Merge PR#147; change rfc reference for reserved top level dns names.
- Fix #157: undefined reference to `htobe64'.
- Fix subnet tests for disabled DSA algorithm by default.
- Update contrib/fastrpz.patch for clean diff with current code.
- updated .gitignore for added contrib file.
- Add build rule for ipset to Makefile
- Add getentropy_freebsd.o to Makefile dependencies.
- Fix memory leak in error condition remote.c
- Fix double free in error condition view.c
- Fix memory leak in do_auth_zone_transfer on success
- Stop working on socket when socket() call returns an error.
- Check malloc return values in TLS session ticket code
- Fix fclose on error in TLS session ticket code.
- Add assertion to please static analyzer
- Fixed stats when replying with cached, cname-aliased records.
- Added missing default values for redis cachedb backend.
- Fix num_reply_addr counting in mesh and tcp drop due to size after serve_stale commit.
- Fix to create and destroy rpz_lock in auth_zones structure.
- Fix to lock zone before adding rpz qname trigger.
- Fix to lock and release once in mesh_serve_expired_lookup.
- Fix to put braces around empty if body when threading is disabled.
- Fix num_reply_states and num_detached_states counting with serve_expired_callback.
- Cleaner code in mesh_serve_expired_lookup.
- Document in unbound.conf manpage that configuration clauses can be repeated in the configuration file.
- Document 'ub_result.was_ratelimited' in libunbound.
- Fix use after free on log-identity after a reload; Fixes #163.
- Fix with libnettle make test with dsa disabled.
- Fix contrib/fastrpz.patch to apply cleanly. Fix for serve-stale fixes, but it does not compile, conflicts with new rpz code.
- Fix to clean memory leak of respip_addr.lock when ip_tree deleted.
- Fix compile warning when threads disabled.
@
text
@d1 1
a1 1
$NetBSD: patch-configure,v 1.3 2018/12/04 12:04:22 he Exp $
d8 1
a8 1
@@@@ -19489,7 +19489,7 @@@@ fi
@


1.3.12.2
log
@Sorry, the 1.10.0 update was mistakenly committed to pkgsrc-2019Q4 branch, reverted.
Thanks to leot@@ for alerting me.
@
text
@d8 1
a8 1
@@@@ -19030,7 +19030,7 @@@@ fi
@


1.2
log
@Upgrade unbound to version 1.7.1.

Upstream changes:
Features
- Add --with-libhiredis, unbound support for a new cachedb backend that uses a Redis server as the storage. This implementation depends on the hiredis client library (https://redislabs.com/lp/hiredis/). And unbound should be built with both --enable-cachedb and --with-libhiredis[=PATH] (where $PATH/include/hiredis/hiredis.h should exist). Patch from Jinmei Tatuya (Infoblox).
- Create additional tls service interfaces by opening them on other portnumbers and listing the portnumbers as additional-tls-port: nr.
- ED448 support.
- num.query.authzone.up and num.query.authzone.down statistics counters.
- Accept both option names with and without colon for get_option and set_option.
- low-rtt and low-rtt-pct in unbound.conf enable the server selection of fast servers for some percentage of the time.
- num.query.aggressive.NOERROR and num.query.aggressive.NXDOMAIN statistics counters.
- allow-notify: config statement for auth-zones.
- Can set tls authentication with forward-addr: IP#tls.auth.name and put the public cert bundle in tls-cert-bundle: "ca-bundle.pem", such as forward-addr: 9.9.9.9@@853#dns.quad9.net or 1.1.1.1@@853#cloudflare-dns.com.
- list_auth_zones unbound-control command.
- Added root-key-sentinel support.
Bug Fixes
- Fix #3727: Protocol name is TLS, options have been renamed but documentation is not consistent.
- Check IXFR start serial.
- Fix typo in documentation.
- Fix #3736: Fix 0 TTL domains stuck on SERVFAIL unless manually flushed with serve-expired on.
- Fix #3817: core dump happens in libunbound delete, when queued servfail hits deleted message queue.
- corrected a minor typo in the changelog.
- move htobe64/be64toh portability code to cachedb.c.
- iana port update.
- Do not use cached NSEC records to generate negative answers for domains under DNSSEC Negative Trust Anchors.
- Fix unbound-control get_option aggressive-nsec.
- Check "result" in dup_all(), by Florian Obser.
- Fix #4043: make test fails due to v6 presentation issue in macOS.
- Fix unable to resolve after new WLAN connection, due to auth-zone failing with a forwarder set. Now, auth-zone is only used for answers (not referrals) when a forwarder is set.
- Combine write of tcp length and tcp query for dns over tls.
- nitpick fixes in example.conf.
- Fix above stub queries for type NS and useless delegation point.
- Fix unbound-control over pipe with openssl 1.1.1, the TLSv1.3 tls_choose_sigalg routine does not allow the ciphers for the pipe, so use TLSv1.2.
- Fix that flush_zone sets prefetch ttl expired, so that with serve-expired enabled it'll start prefetching those entries.
- Fix downstream auth zone, only fallback when auth zone fails to answer and fallback is enabled.
- Fix for max include depth for authzones.
- Fix memory free on fail for $INCLUDE in authzone.
- Fix that an internal error to look up the wrong rr type for auth zone gets stopped, before trying to send there.
- Fix auth zone target lookup iterator.
- Fix auth-zone retry timer to be on schedule with retry timeout, with backoff. Also time a refresh at the zone expiry.
- Fix #658: unbound using TLS in a forwarding configuration does not verify the server's certificate (RFC 8310 support).
- For addr with #authname and no @@port notation, the default is 853.
- man page documentation for dns-over-tls forward-addr '#' notation.
- removed free from failed parse case.
- Fix #4091: Fix that reload of auth-zone does not merge the zonefile with the previous contents.
- Delete auth zone when removed from config.
- makedist uses bz2 for expat code, instead of tar.gz.
- Fix #4092: libunbound: use-caps-for-id lacks colon in config_set_option.
- auth zone http download stores exact copy of downloaded file, including comments in the file.
- Fix sldns parse failure for CDS alternate delete syntax empty hex.
- Attempt for auth zone fix; add of callback in mesh gets from callback does not skip callback of result.
- Fix cname classification with qname minimisation enabled.
- Fix contrib/fastrpz.patch for this release.
- Fix auth https for libev.
- Fix memory leak when caching wildcard records for aggressive NSEC use.
- Fix for crash in daemon_cleanup with dnstap during reload, from Saksham Manchanda.
- Also that for dnscrypt.
@
text
@d1 1
a1 1
$NetBSD: patch-configure,v 1.1 2017/07/09 08:09:41 adam Exp $
d8 1
a8 1
@@@@ -18815,7 +18815,7 @@@@ fi
@


1.1
log
@Changes 1.6.4:
Features:
* Implemented trust anchor signaling using key tag query.
* unbound-checkconf -o allows query of dnstap config variables. Also unbound-control get_option. Also for dnscrypt.
* unbound.h exports the shm stats structures. They use type long long and no ifdefs, and ub_ before the typenames.
* Implemented opportunistic IPsec support module (ipsecmod).
* Added redirect-bogus.patch to contrib directory.
* Support for the ED25519 algorithm with openssl (from openssl 1.1.1).
* renumbering B-Root's IPv6 address to 2001:500:200::b.
* Fix 1276: [dnscrypt] add XChaCha20-Poly1305 cipher.
* Fix 1277: disable domain ratelimit by setting value to 0.
* Added fastrpz patch to contrib.
Bug Fixes:
* Added ECS unit test (from Manu Bretelle).
* ECS documentation fix (from Manu Bretelle).
* Fix 1252: more indentation inconsistencies.
* Fix 1253: unused variable in edns-subnet/addrtree.c:getbit().
* Fix 1254: clarify ratelimit-{for,below}-domain (from Manu Bretelle).
* iana portlist update.
* Based on 1257: check parse limit before t increment in sldns RR string parse routine.
* Fix 1258: Windows 10 X64 unbound 1.6.2 service will not start, and fix that 64bit gets installed in C:\Program Files (x86).
* Fix 1259: "--disable-ecdsa" argument overwritten by "ifdef SHA256_DIGEST_LENGTH@@daemon/remote.c".
* iana portlist update.
* Added test for leak of stub information.
* Fix sldns wire2str printout of RR type CAA tags.
* Fix sldns int16_data parse.
* Fix sldns parse and printout of TSIG RRs.
* sldns SMIMEA and AVC definitions, same as getdns definitions.
* Fix tcp-mss failure printout text.
* Set SO_REUSEADDR on outgoing tcp connections to fix the bind before connect limited tcp connections. With the option tcp connections can share the same source port (for different destinations).
* Add 'c' to getopt() in testbound.
* Adjust servfail by iterator to not store in cache when serve-expired is enabled, to avoid overwriting useful information there.
* Fix queries for nameservers under a stub leaking to the internet.
* document trust-anchor-signaling in example config file.
* updated configure, dependencies and flex output.
* better module memory lookup, fix of unbound-control shm names for module memory printout of statistics.
* Fix type AVC sldns rrdef.
* Some whitespace fixup.
* Fix 1265: contrib/unbound.service contains hardcoded path.
* Fix 1265 to use /bin/kill.
* Fix 1267: Libunbound validator/val_secalgo.c uses obsolete APIs, and compatibility with BoringSSL.
* Fix 1268: SIGSEGV after log_reopen.
* exec_prefix is by default equal to prefix.
* printout localzone for duplicate local-zone warnings.
* Fix assertion for low buffer size and big edns payload when worker overrides udpsize.
* Support for openssl EVP_DigestVerify.
* Fix 1269: inconsistent use of built-in local zones with views.
* Add defaults for new local-zone trees added to views using unbound-control.
* Fix 1273: cachedb.c doesn't compile with -Wextra.
* If MSG_FASTOPEN gives EPIPE fallthrough to try normal tcp write.
* Also use global local-zones when there is a matching view that does not have any local-zone specified.
* Fix fastopen EPIPE fallthrough to perform connect.
* Fix 1274: automatically trim chroot path from dnscrypt key/cert paths (from Manu Bretelle).
* Fix 1275: cached data in cachedb is never used.
* Fix that unbound-control can set val_clean_additional and val_permissive_mode.
* Add dnscrypt XChaCha20 tests.
* Detect chacha for dnscrypt at configure time.
* dnscrypt unit tests with chacha.
* Added domain name based ECS whitelist.
* Fix 1278: Incomplete wildcard proof.
* Fix 1279: Memory leak on reload when python module is enabled.
* Fix 1280: Unbound fails assert when response from authoritative contains malformed qname. When 0x20 caps-for-id is enabled, when assertions are not enabled the malformed qname is handled correctly.
* More fixes in depth for buffer checks in 0x20 qname checks.
* Fix stub zone queries leaking to the internet for harden-referral-path ns checks.
* Fix query for refetch_glue of stub leaking to internet.
* Fix 1301: memory leak in respip and tests.
* Free callback in edns-subnetmod on exit and restart.
* Fix memory leak in sldns_buffer_new_frm_data.
* Fix memory leak in dnscrypt config read.
* Fix dnscrypt chacha cert support ifdefs.
* Fix dnscrypt chacha cert unit test escapes in grep.
* Fix to unlock view in view test.
* Fix warning in pythonmod under clang compiler.
* Fix lintian typo.
* Fix 1316: heap read buffer overflow in parse_edns_options.
@
text
@d1 1
a1 1
$NetBSD$
d8 1
a8 1
@@@@ -18563,7 +18563,7 @@@@ fi
@