head 1.79; access; symbols pkgsrc-2023Q4:1.76.0.2 pkgsrc-2023Q4-base:1.76 pkgsrc-2023Q3:1.75.0.2 pkgsrc-2023Q3-base:1.75 pkgsrc-2023Q2:1.74.0.4 pkgsrc-2023Q2-base:1.74 pkgsrc-2023Q1:1.74.0.2 pkgsrc-2023Q1-base:1.74 pkgsrc-2022Q4:1.73.0.2 pkgsrc-2022Q4-base:1.73 pkgsrc-2022Q3:1.72.0.2 pkgsrc-2022Q3-base:1.72 pkgsrc-2022Q2:1.69.0.2 pkgsrc-2022Q2-base:1.69 pkgsrc-2022Q1:1.68.0.2 pkgsrc-2022Q1-base:1.68 pkgsrc-2021Q4:1.66.0.2 pkgsrc-2021Q4-base:1.66 pkgsrc-2021Q3:1.63.0.2 pkgsrc-2021Q3-base:1.63 pkgsrc-2021Q2:1.62.0.4 pkgsrc-2021Q2-base:1.62 pkgsrc-2021Q1:1.62.0.2 pkgsrc-2021Q1-base:1.62 pkgsrc-2020Q4:1.61.0.2 pkgsrc-2020Q4-base:1.61 pkgsrc-2020Q3:1.58.0.4 pkgsrc-2020Q3-base:1.58 pkgsrc-2020Q2:1.58.0.2 pkgsrc-2020Q2-base:1.58 pkgsrc-2020Q1:1.57.0.2 pkgsrc-2020Q1-base:1.57 pkgsrc-2019Q4:1.56.0.4 pkgsrc-2019Q4-base:1.56 pkgsrc-2019Q3:1.52.0.2 pkgsrc-2019Q3-base:1.52 pkgsrc-2019Q2:1.51.0.2 pkgsrc-2019Q2-base:1.51 pkgsrc-2019Q1:1.50.0.2 pkgsrc-2019Q1-base:1.50 pkgsrc-2018Q4:1.47.0.2 pkgsrc-2018Q4-base:1.47 pkgsrc-2018Q3:1.44.0.2 pkgsrc-2018Q3-base:1.44 pkgsrc-2018Q2:1.43.0.2 pkgsrc-2018Q2-base:1.43 pkgsrc-2018Q1:1.40.0.2 pkgsrc-2018Q1-base:1.40 pkgsrc-2017Q4:1.38.0.2 pkgsrc-2017Q4-base:1.38 pkgsrc-2017Q3:1.37.0.4 pkgsrc-2017Q3-base:1.37 pkgsrc-2017Q2:1.34.0.6 pkgsrc-2017Q2-base:1.34 pkgsrc-2017Q1:1.34.0.4 pkgsrc-2017Q1-base:1.34 pkgsrc-2016Q4:1.34.0.2 pkgsrc-2016Q4-base:1.34 pkgsrc-2016Q3:1.32.0.4 pkgsrc-2016Q3-base:1.32 pkgsrc-2016Q2:1.32.0.2 pkgsrc-2016Q2-base:1.32 pkgsrc-2016Q1:1.31.0.2 pkgsrc-2016Q1-base:1.31 pkgsrc-2015Q4:1.30.0.2 pkgsrc-2015Q4-base:1.30 pkgsrc-2015Q3:1.28.0.2 pkgsrc-2015Q3-base:1.28 pkgsrc-2015Q2:1.27.0.4 pkgsrc-2015Q2-base:1.27 pkgsrc-2015Q1:1.27.0.2 pkgsrc-2015Q1-base:1.27 pkgsrc-2014Q4:1.25.0.2 pkgsrc-2014Q4-base:1.25 pkgsrc-2014Q3:1.23.0.6 pkgsrc-2014Q3-base:1.23 pkgsrc-2014Q2:1.23.0.4 pkgsrc-2014Q2-base:1.23 pkgsrc-2014Q1:1.23.0.2 pkgsrc-2014Q1-base:1.23 pkgsrc-2013Q4:1.22.0.2 pkgsrc-2013Q4-base:1.22 pkgsrc-2013Q3:1.21.0.4 pkgsrc-2013Q3-base:1.21 pkgsrc-2013Q2:1.21.0.2 pkgsrc-2013Q2-base:1.21 pkgsrc-2013Q1:1.20.0.4 pkgsrc-2013Q1-base:1.20 pkgsrc-2012Q4:1.20.0.2 pkgsrc-2012Q4-base:1.20 pkgsrc-2012Q3:1.19.0.2 pkgsrc-2012Q3-base:1.19 pkgsrc-2012Q2:1.18.0.2 pkgsrc-2012Q2-base:1.18 pkgsrc-2012Q1:1.17.0.2 pkgsrc-2012Q1-base:1.17 pkgsrc-2011Q4:1.16.0.2 pkgsrc-2011Q4-base:1.16 pkgsrc-2011Q3:1.15.0.2 pkgsrc-2011Q3-base:1.15 pkgsrc-2011Q2:1.13.0.2 pkgsrc-2011Q2-base:1.13 pkgsrc-2011Q1:1.11.0.2 pkgsrc-2011Q1-base:1.11 pkgsrc-2010Q4:1.10.0.4 pkgsrc-2010Q4-base:1.10 pkgsrc-2010Q3:1.10.0.2 pkgsrc-2010Q3-base:1.10 pkgsrc-2010Q2:1.8.0.2 pkgsrc-2010Q2-base:1.8 pkgsrc-2010Q1:1.7.0.2 pkgsrc-2010Q1-base:1.7 pkgsrc-2009Q4:1.5.0.2 pkgsrc-2009Q4-base:1.5 pkgsrc-2009Q3:1.4.0.2 pkgsrc-2009Q3-base:1.4 pkgsrc-2009Q2:1.3.0.6 pkgsrc-2009Q2-base:1.3 pkgsrc-2009Q1:1.3.0.4 pkgsrc-2009Q1-base:1.3 pkgsrc-2008Q4:1.3.0.2 pkgsrc-2008Q4-base:1.3 pkgsrc-2008Q3:1.1.1.1.0.8 pkgsrc-2008Q3-base:1.1.1.1 cube-native-xorg:1.1.1.1.0.6 cube-native-xorg-base:1.1.1.1 pkgsrc-2008Q2:1.1.1.1.0.4 pkgsrc-2008Q2-base:1.1.1.1 cwrapper:1.1.1.1.0.2 pkgsrc-base:1.1.1.1 TNF:1.1.1; locks; strict; comment @# @; 1.79 date 2024.03.14.09.38.19; author he; state Exp; branches; next 1.78; commitid FbXBsbIDEjoVS62F; 1.78 date 2024.03.07.09.48.53; author he; state Exp; branches; next 1.77; commitid 4NvCG0DfAg437d1F; 1.77 date 2024.02.13.13.53.26; author he; state Exp; branches; next 1.76; commitid 8Q8FOi1Eh1pcghYE; 1.76 date 2023.11.09.14.20.53; author he; state Exp; branches; next 1.75; commitid FUxXUFYPql6XuWLE; 1.75 date 2023.08.30.15.18.26; author he; state Exp; branches; next 1.74; commitid tuzJkrnSXOia6PCE; 1.74 date 2023.01.12.12.09.18; author adam; state Exp; branches; next 1.73; commitid 2NwsrCLyWiCwrf9E; 1.73 date 2022.10.13.12.09.00; author he; state Exp; branches; next 1.72; commitid kDgXkqVZDD4kmyXD; 1.72 date 2022.09.21.11.30.24; author he; state Exp; branches; next 1.71; commitid LtRtrzFaaYTuRIUD; 1.71 date 2022.08.01.12.38.46; author he; state Exp; branches; next 1.70; commitid tkQ4LpZiYROCSaOD; 1.70 date 2022.07.11.15.02.04; author he; state Exp; branches; next 1.69; commitid pILS4crWhDDuluLD; 1.69 date 2022.06.02.13.02.38; author he; state Exp; branches 1.69.2.1; next 1.68; commitid yftmFR7ujjQeWsGD; 1.68 date 2022.02.11.09.28.16; author he; state Exp; branches; next 1.67; commitid TGLArniya65VjbsD; 1.67 date 2022.02.10.13.17.53; author he; state Exp; branches; next 1.66; commitid UZTEB4MHx9RPC4sD; 1.66 date 2021.12.17.18.42.54; author adam; state Exp; branches; next 1.65; commitid PE2w0x6c3dLIb2lD; 1.65 date 2021.10.26.11.07.06; author nia; state Exp; branches; next 1.64; commitid G83yJyZF8er6kjeD; 1.64 date 2021.10.07.14.42.59; author nia; state Exp; branches; next 1.63; commitid EMvsIaZgYm1t8TbD; 1.63 date 2021.08.27.07.55.36; author adam; state Exp; branches; next 1.62; commitid i1aoIxOBIGTecA6D; 1.62 date 2021.02.09.08.32.17; author he; state Exp; branches; next 1.61; commitid Tab8pfnqqaKeO0HC; 1.61 date 2020.12.04.15.03.12; author he; state Exp; branches; next 1.60; commitid QI8SXzrIiWIT7ryC; 1.60 date 2020.11.13.17.05.39; author jperkin; state Exp; branches; next 1.59; commitid pA1FG8ObKPMKtKvC; 1.59 date 2020.10.08.07.30.39; author he; state Exp; branches; next 1.58; commitid jcxb98PqsEe8s4rC; 1.58 date 2020.05.19.08.39.31; author he; state Exp; branches; next 1.57; commitid 2OHavUO8la9NoP8C; 1.57 date 2020.02.20.20.39.07; author he; state Exp; branches 1.57.2.1; next 1.56; commitid y3widfg7LyfQesXB; 1.56 date 2019.12.12.14.26.38; author he; state Exp; branches 1.56.4.1; next 1.55; commitid azhp6E2WMOmAqqOB; 1.55 date 2019.12.03.08.08.58; author he; state Exp; branches; next 1.54; commitid IbAWReLxS1OWCeNB; 1.54 date 2019.11.19.10.10.44; author he; state Exp; branches; next 1.53; commitid Bhdur6P57EkPKrLB; 1.53 date 2019.10.03.09.44.38; author he; state Exp; branches; next 1.52; commitid Slg1wDjCrXny7pFB; 1.52 date 2019.08.27.09.25.25; author he; state Exp; branches 1.52.2.1; next 1.51; commitid fwEID5JjP2gGcEAB; 1.51 date 2019.06.17.09.49.08; author he; state Exp; branches; next 1.50; commitid d7eajTbV1oAjCwrB; 1.50 date 2019.03.12.12.13.08; author he; state Exp; branches; next 1.49; commitid 8WcnwfH8C073x4fB; 1.49 date 2019.02.12.10.52.28; author he; state Exp; branches; next 1.48; commitid lgLvlEXA7IoxYsbB; 1.48 date 2019.02.05.09.44.57; author he; state Exp; branches; next 1.47; commitid 4mcWysRhnmFUPyaB; 1.47 date 2018.12.11.17.06.46; author he; state Exp; branches; next 1.46; commitid TEgj16V85e295p3B; 1.46 date 2018.12.04.12.04.22; author he; state Exp; branches; next 1.45; commitid 0915XEcjDmh7Dt2B; 1.45 date 2018.10.08.12.26.17; author he; state Exp; branches; next 1.44; commitid qcjdRyZrldQjA9VA; 1.44 date 2018.09.10.14.31.48; author he; state Exp; branches; next 1.43; commitid J4fMKkQJzpqfbzRA; 1.43 date 2018.06.21.15.32.22; author he; state Exp; branches; next 1.42; commitid 74xIRspvc6Ek7aHA; 1.42 date 2018.06.11.10.06.58; author he; state Exp; branches; next 1.41; commitid PZpYcs6ZQgfMDQFA; 1.41 date 2018.05.07.07.13.28; author he; state Exp; branches; next 1.40; commitid WA6WwiMns8RUNkBA; 1.40 date 2018.03.15.10.22.49; author he; state Exp; branches; next 1.39; commitid rlpB6jPekFyByxuA; 1.39 date 2018.01.19.10.10.03; author he; state Exp; branches; next 1.38; commitid JaKCfxzOAGfIftnA; 1.38 date 2017.10.10.08.07.08; author he; state Exp; branches 1.38.2.1; next 1.37; commitid DHfggl9uLYcSOtaA; 1.37 date 2017.09.18.13.02.39; author he; state Exp; branches; next 1.36; commitid K4v8ZxO7xzm8aG7A; 1.36 date 2017.08.21.11.14.18; author he; state Exp; branches; next 1.35; commitid GdKVk4dZNIJCs44A; 1.35 date 2017.07.09.08.09.41; author adam; state Exp; branches; next 1.34; commitid a1GGQ2u6JrstOwYz; 1.34 date 2016.12.23.19.25.45; author pettai; state Exp; branches; next 1.33; commitid EpkyBHSnBdf9U8zz; 1.33 date 2016.10.05.20.28.01; author pettai; state Exp; branches; next 1.32; commitid BLEV4CGlU2fPMZoz; 1.32 date 2016.06.16.13.50.39; author pettai; state Exp; branches; next 1.31; commitid 9Z65lgrpHchkbHaz; 1.31 date 2016.03.09.05.24.38; author pettai; state Exp; branches; next 1.30; commitid 8rzf0i8hKGDRxVXy; 1.30 date 2015.12.12.23.50.06; author pettai; state Exp; branches; next 1.29; commitid dlSuhDsQZ0gavIMy; 1.29 date 2015.10.22.18.14.40; author pettai; state Exp; branches; next 1.28; commitid IPfeK9vhf31If8Gy; 1.28 date 2015.07.15.18.09.05; author pettai; state Exp; branches; next 1.27; commitid 5h7FPjDF12Yxppty; 1.27 date 2015.03.19.22.37.06; author pettai; state Exp; branches; next 1.26; commitid vZVVXpfQRxqzIgey; 1.26 date 2015.02.21.10.53.40; author pettai; state Exp; branches; next 1.25; commitid 1J468yTyqsixDRay; 1.25 date 2014.12.11.14.26.16; author pettai; state Exp; branches; next 1.24; commitid W2zZTRTE4jBD5D1y; 1.24 date 2014.12.09.10.11.27; author pettai; state Exp; branches; next 1.23; commitid sN37D0pcDwgbOl1y; 1.23 date 2014.03.12.16.16.00; author pettai; state Exp; branches 1.23.6.1; next 1.22; commitid u97Nc31vAbCoyqsx; 1.22 date 2013.11.17.22.57.38; author pettai; state Exp; branches; next 1.21; commitid Nt2nS3xlxjZqqGdx; 1.21 date 2013.04.01.22.34.41; author pettai; state Exp; branches; next 1.20; 1.20 date 2012.12.25.08.54.26; author pettai; state Exp; branches; next 1.19; 1.19 date 2012.08.13.14.00.03; author pettai; state Exp; branches; next 1.18; 1.18 date 2012.06.08.21.52.00; author pettai; state Exp; branches; next 1.17; 1.17 date 2012.02.28.20.05.05; author pettai; state Exp; branches; next 1.16; 1.16 date 2011.12.20.14.02.02; author pettai; state Exp; branches; next 1.15; 1.15 date 2011.09.17.22.46.50; author pettai; state Exp; branches; next 1.14; 1.14 date 2011.07.27.04.11.25; author pettai; state Exp; branches; next 1.13; 1.13 date 2011.06.19.16.15.57; author pettai; state Exp; branches; next 1.12; 1.12 date 2011.04.20.10.44.46; author pettai; state Exp; branches; next 1.11; 1.11 date 2011.03.21.15.04.32; author pettai; state Exp; branches; next 1.10; 1.10 date 2010.08.30.18.16.45; author pettai; state Exp; branches; next 1.9; 1.9 date 2010.07.26.19.09.19; author pettai; state Exp; branches; next 1.8; 1.8 date 2010.05.06.09.38.24; author pettai; state Exp; branches; next 1.7; 1.7 date 2010.03.16.13.51.50; author joerg; state Exp; branches; next 1.6; 1.6 date 2010.03.08.19.56.20; author pettai; state Exp; branches; next 1.5; 1.5 date 2009.10.19.17.03.33; author joerg; state Exp; branches; next 1.4; 1.4 date 2009.08.23.14.17.39; author hasso; state Exp; branches 1.4.2.1; next 1.3; 1.3 date 2008.12.17.18.14.01; author joerg; state Exp; branches; next 1.2; 1.2 date 2008.10.09.01.31.35; author joerg; state Exp; branches; next 1.1; 1.1 date 2008.05.26.22.36.56; author joerg; state Exp; branches 1.1.1.1; next ; 1.69.2.1 date 2022.08.27.15.50.45; author spz; state Exp; branches; next ; commitid xsRbDLLoagLH6xRD; 1.57.2.1 date 2020.05.20.19.15.21; author bsiegert; state Exp; branches; next ; commitid UEEWkGD2vmJ0T09C; 1.56.4.1 date 2020.02.20.14.40.46; author he; state Exp; branches; next 1.56.4.2; commitid 9ReIFlkXLaH5gqXB; 1.56.4.2 date 2020.02.20.15.59.37; author he; state Exp; branches; next ; commitid n3T1CWoXSh90HqXB; 1.52.2.1 date 2019.10.03.15.35.58; author bsiegert; state Exp; branches; next 1.52.2.2; commitid 23AwhcipoiD74rFB; 1.52.2.2 date 2019.12.07.11.00.42; author bsiegert; state Exp; branches; next ; commitid SiSvSi33UMk9sLNB; 1.38.2.1 date 2018.02.05.09.38.11; author spz; state Exp; branches; next ; commitid Ql1WWMhfSMQ4xEpA; 1.23.6.1 date 2014.12.10.20.02.00; author tron; state Exp; branches; next ; commitid HXf3PoQCzQ3U2x1y; 1.4.2.1 date 2009.10.19.21.16.56; author tron; state Exp; branches; next ; 1.1.1.1 date 2008.05.26.22.36.56; author joerg; state Exp; branches; next ; desc @@ 1.79 log @Update net/unbound to version 1.19.3. Pkgsrc changes: * Add dependency on devel/protobuf-c/buildlink3.mk * Add pkg-config as tool dependency * Adjust checksums Upstream changes: Features: - Merge PR #973: Use the origin (DNAME) TTL for synthesized CNAMEs as per RFC 6672. Bug Fixes: - Fix unit test parse of origin syntax. - Use 127.0.0.1 explicitly in tests to avoid delays and errors on newer systems. - Fix #964: config.h.in~ backup file in release tar balls. - Merge #968: Replace the obsolescent fgrep with grep -F in tests. - Merge #971: fix 'WARNING: Message has 41 extra bytes at end'. - Fix #969: [FR] distinguish Do53, DoT and DoH in the logs. - Fix dnstap that assertion failed on logging other than UDP and TCP traffic. It lists it as TCP traffic. - Fix to sync the tests script file common.sh. - iana portlist update. - Updated IPv4 and IPv6 address for b.root-servers.net in root hints. - Update test script file common.sh. - Fix tests to use new common.sh functions, wait_logfile and kill_from_pidfile. - Fix #974: doc: default number of outgoing ports without libevent. - Merge #975: Fixed some syntax errors in rpl files. - Fix root_zonemd unit test, it checks that the root ZONEMD verifies, now that the root has a valid ZONEMD. - Update example.conf with cookie options. - Merge #980: DoH: reject non-h2 early. To fix #979: Improve errors for non-HTTP/2 DoH clients. - Merge #985: Add DoH and DoT to dnstap message. - Fix #983: Sha1 runtime insecure change was incomplete. - Remove unneeded newlines and improve indentation in remote control code. - Merge #987: skip edns frag retry if advertised udp payload size is not smaller. - Fix unit test for #987 change in udp1xxx retry packet send. - Merge #988: Fix NLnetLabs#981: dump_cache truncates large records. - Fix to link with -lcrypt32 for OpenSSL 3.2.0 on Windows. - Fix to link with libssp for libcrypto and getaddrinfo check for only header. Also update crosscompile to remove ssp for 32bit. - Merge #993: Update b.root-servers.net also in example config file. - Update workflow for ports to use newer openssl on windows compile. - Fix warning for windres on resource files due to redefinition. - Fix for #997: Print details for SSL certificate failure. - Update error printout for duplicate trust anchors to include the trust anchor name (relates to #920). - Update message TTL when using cached RRSETs. It could result in non-expired messages with expired RRSETs (non-usable messages by Unbound). - Merge #999: Search for protobuf-c with pkg-config. - Fix #1006: Can't find protobuf-c package since #999. - Fix documentation for access-control in the unbound.conf man page. - Merge #1010: Mention REFUSED has the TC bit set with unmatched allow_cookie acl in the manpage. It also fixes the code to match the documentation about clients with a valid cookie that bypass the ratelimit regardless of the allow_cookie acl. - Document the suspend argument for process_ds_response(). - Move github workflows to use checkoutv4. - Fix edns subnet replies for scope zero answers to not get stored in the global cache, and in cachedb, when the upstream replies without an EDNS record. - Fix for #1022: Fix ede prohibited in access control refused answers. - Fix unbound-control-setup.cmd to use 3072 bits so that certificates are long enough for newer OpenSSL versions. - Fix TTL of synthesized CNAME when a DNAME is used from cache. - Fix unbound-control-setup.cmd to have CA v3 basicConstraints, like unbound-control-setup.sh has. @ text @$NetBSD: distinfo,v 1.78 2024/03/07 09:48:53 he Exp $ BLAKE2s (unbound-1.19.3.tar.gz) = c3825b7651b250ca5531cd11089ece3157e7419ad174c1ab100567df1e49f042 SHA512 (unbound-1.19.3.tar.gz) = f860614f090a5a081cceff8ca7f4b3d416c00a251ae14ceb6b4159dc8cd022f025592074d3d78aee2f86c3eeae9d1a314713e4740aa91062579143199accd159 Size (unbound-1.19.3.tar.gz) = 6338685 bytes SHA1 (patch-configure) = fe43ed9fdcfe12897e30f03833aec631d473529d @ 1.78 log @net/unbound: update to version 1.19.2. Upstream changes: Bug Fixes: - Fix CVE-2024-1931, Denial of service when trimming EDE text on positive replies. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.77 2024/02/13 13:53:26 he Exp $ d3 3 a5 3 BLAKE2s (unbound-1.19.2.tar.gz) = 3a8a028475ff59596326c88502f714d3b84e50a55f851f4db03556ad68890dca SHA512 (unbound-1.19.2.tar.gz) = 03183f9d52df5644808d7cbbf2d15458a2cf5bf79bd952bbd4384bcef2e6899631605ce7780700169d7532cec0203c16765bb7706e3717241300904763914350 Size (unbound-1.19.2.tar.gz) = 6340281 bytes @ 1.77 log @Update net/unbound to version 1.19.1. Pkgsrc changes: * none, other than checksums. Upstream changes: This security release fixes two DNSSEC validation vulnerabilities: CVE-2023-50387 (referred here as the KeyTrap vulnerability) and CVE-2023-50868 (referred here as the NSEC3 vulnerability). The KeyTrap vulnerability works by using a combination of Keys (also colliding Keys), Signatures and number of RRSETs on a malicious zone. Answers from that zone can force a DNSSEC validator down a very CPU intensive and time costly validation path. The NSEC3 vulnerability uses specially crafted responses on a malicious zone with multiple NSEC3 RRSETs to force a DNSSEC validator down a very CPU intensive and time costly NSEC3 hash calculation path. Both can force Unbound to spend an enormous time (comparative to regular traffic) validating a single specially crafted DNSSEC response while everything else is on hold for that thread. A trivially orchestrated attack could render all threads busy with such responses leading to denial of service. From version 1.19.1 on, Unbound introduces suspension on DNSSEC response validations that seem to require more attempts than Unbound is willing to make per response validation run. Suspension means that Unbound will continue with other work before resuming a suspended validation offering CPU time between validation resumptions to other tasks. There is a backoff timer when suspending which is further influenced by the number of suspends already used and the amount of work currently in Unbound. The introduced builtin limits in Unbound are: - Max 4 DNSSEC key collissions are allowed when building chain of trust. More than that without a secure key treats the delegation as bogus. - 8 validation attempts per RRSET (combination of keys + signatures). If more are needed and Unbound has yet to find a valid signature the RRSET is treated as bogus. - More than 8 validation attempts per answer will suspend validation. - 8 NSEC3 hash calculations are allowed before suspension. More than that will suspend validation. - The limit of total suspensions is 16 after which the query will error out. Any completed RRSET validations populate the cache for use in future queries. While under attack Unbound could show higher CPU load because of the needed validations but the suspend strategy would guarantee the CPU is not locked on any particular validation task. We would like to thank Elias Heftrig, Haya Schulmann, Niklas Vogel, and Michael Waidner from the German National Research Center for Applied Cybersecurity ATHENE for discovering and responsibly disclosing the KeyTrap vulnerability. We would like to thank Petr Spacek from ISC for discovering and responsibly disclosing the NSEC3 vulnerability. Bug Fixes - Fix CVE-2023-50387, DNSSEC verification complexity can be exploited to exhaust CPU resources and stall DNS resolvers. - Fix CVE-2023-50868, NSEC3 closest encloser proof can exhaust CPU. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.76 2023/11/09 14:20:53 he Exp $ d3 3 a5 3 BLAKE2s (unbound-1.19.1.tar.gz) = 99c678716a6e80197f0dd5a51145aaeb39f15e46585f151eed364fd6eb8de89d SHA512 (unbound-1.19.1.tar.gz) = c81192b70f14a4e289cf738bf6b647cf25b58b1ab11076dee306ff25a530b6a1bbeca71cfa8820d80f48fd843019beb29a68796a1b1fcec6e561dfeccd62d96a Size (unbound-1.19.1.tar.gz) = 6340435 bytes @ 1.76 log @Update net/unbound to version 1.19.0. Pkgsrc changes: * none, other than checksums. Upstream changes: This release fixes a number of bugs, and adds some smaller features. The redis-logical-db option and cachedb-no-store option can be used for cachedb configuration. The disable-edns-do option can be used for working around broken network parts. For DNS64 there is fallback to plain AAAA when no A record exists. There is a bug fix that when the UDP interface keeps returning that sending is not possible, unbound does not loop endlessly and waits for the condition to go away. Resource records of type A and AAAA that are an inappropriate length are removed from responses. This hardens against bad content. Features - Fix #850: [FR] Ability to use specific database in Redis, with new redis-logical-db configuration option. - Merge #944: Disable EDNS DO. Disable the EDNS DO flag in upstream requests. This can be helpful for devices that cannot handle DNSSEC information. But it should not be enabled otherwise, because that would stop DNSSEC validation. The DNSSEC validation would not work for Unbound itself, and also not for downstream users. Default is no. The option is disable-edns-do: no - Expose the script filename in the Python module environment 'mod_env' instead of the config_file structure which includes the linked list of scripts in a multi Python module setup; fixes #79. - Expose the configured listening and outgoing interfaces, if any, as a list of strings in the Python 'config_file' class instead of the current Swig object proxy; fixes #79. - Mailing list patches from Daniel Gröber for DNS64 fallback to plain AAAA when no A record exists for synthesis, and minor DNS64 code refactoring for better readability. - Merge #951: Cachedb no store. The cachedb-no-store: yes option is used to stop cachedb from writing messages to the backend storage. It reads messages when data is available from the backend. The default is no. Bug Fixes - Fix for version generation race condition that ignored changes. - Fix #942: 1.18.0 libunbound DNS regression when built without OpenSSL. - Fix for WKS call to getservbyname that creates allocation on exit in unit test by testing numbers first and testing from the services list later. - Fix autoconf 2.69 warnings in configure. - Fix #927: unbound 1.18.0 make test error. Fix make test without SHA1. - Merge #931: Prevent warnings from -Wmissing-prototypes. - Fix to scrub resource records of type A and AAAA that have an inappropriate size. They are removed from responses. - Fix to move msgparse_rrset_remove_rr code to util/msgparse.c. - Fix to add EDE text when RRs have been removed due to length. - Fix to set ede match in unit test for rr length removal. - Fix to print EDE text in readable form in output logs. - Fix send of udp retries when ENOBUFS is returned. It stops looping and also waits for the condition to go away. Reported by Florian Obser. - Fix authority zone answers for obscured DNAMEs and delegations. - Merge #936: Check for c99 with autoconf versions prior to 2.70. - Fix to remove two c99 notations. - Fix rpz tcp-only action with rpz triggers nsdname and nsip. - Fix misplaced comment. - Merge #881: Generalise the proxy protocol code. - Fix #946: Forwarder returns servfail on upstream response noerror no data. - Fix edns subnet so that queries with a source prefix of zero cause the recursor send no edns subnet option to the upstream. - Fix that printout of EDNS options shows the EDNS cookie option by name. - Fix infinite loop when reading multiple lines of input on a broken remote control socket. Addesses #947 and #948. - Fix #949: "could not create control compt". - Fix that cachedb does not warn when serve-expired is disabled about use of serve-expired-reply-ttl and serve-expired-client-timeout. - Fix for #949: Fix pythonmod/ubmodule-tst.py for Python 3.x. - Better fix for infinite loop when reading multiple lines of input on a broken remote control socket, by treating a zero byte line the same as transmission end. Addesses #947 and #948. - For multi Python module setups, clean previously parsed module functions in __main__'s dictionary, if any, so that only current module functions are registered. - Fix #954: Inconsistent RPZ handling for A record returned along with CNAME. - Fixes for the DNS64 patches. - Update the dns64_lookup.rpl test for the DNS64 fallback patch. - Merge #955 from buevsan: fix ipset wrong behavior. - Update testdata/ipset.tdir test for ipset fix. - Fix to print detailed errors when an SSL IO routine fails via SSL_get_error. - Clearer configure text for missing protobuf-c development libraries. - autoconf. - Merge #930 from Stuart Henderson: add void to log_ident_revert_to_default declaration. - Fix #941: dnscrypt doesn't work after upgrade to 1.18 with suggestion by dukeartem to also fix the udp_ancil with dnscrypt. - Fix SSL compile failure for definition in log_crypto_err_io_code_arg. - Fix SSL compile failure for other missing definitions in log_crypto_err_io_code_arg. - Fix compilation without openssl, remove unused function warning. - Mention flex and bison in README.md when building from repository source. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.75 2023/08/30 15:18:26 he Exp $ d3 3 a5 3 BLAKE2s (unbound-1.19.0.tar.gz) = c43ad21e86e224c4fe8fc7590d9edcc5eb42e583876cb15bb6240d9d5ee71f82 SHA512 (unbound-1.19.0.tar.gz) = c7df997ab003d098f53ac97ffb4c8428ab28e24573ff21e21782cbeadca42edadeb5b0db53ce954c9ff3106a5edb36eb47109240c554a44d9aac75727b66aeb4 Size (unbound-1.19.0.tar.gz) = 6336113 bytes @ 1.75 log @Update net/unbound to version 1.18.0. Pkgsrc changes: * none, other than checksums. Upstream changes: This release adds DNS cookies downstream, support to respond with EDE error codes from cache, NAT64 support, and the capability to use a socket queue timeout to discard old packets, and other features and bug fixes. The downstream DNS server cookies are from RFC7873 and RFC9018, it is turned on with `answer-cookie: yes`. It generates a random cookie secret, but for anycast setups the cookie secret can be configured with `cookie-secret: "128bithex"` with the same value as the other instances. Non cookie traffic can be disallowed with the `allow_cookie` acl option for access-control. Queries with valid cookie bypass the ordinary ratelimit, but a ratelimit can be configured for cookie queries with `ip-ratelimit-cookie: 100`. The statistics has counters for `query_cookie_valid` and `query_cookie_client` and `query_cookie_invalid`. When queries come in with CD flag, a DNSSEC validation EDE can be returned, with information regarding a failure. EDE error information is also stored in the cache with the query responses. There is also EDE error information stored for the cachedb and the subnetcache. There is NAT64 support, that is enabled with `do-nat64: yes`. The NAT64 prefix can be configured too, if not the default `nat64-prefix: 64:ff9b::0/96`. This is useful for an IPv6 only host where Unbound is running, so that Unbound can use NAT64 to connect to IPv4 servers. The new default for the maximum UDP response size is 1232, with `max-udp-size: 1232`. This is similar to other resolvers. The new default is smaller and that makes it harder to get large responses. Thanks to Xiang Li, from NISL Lab, Tsinghua University. There is a new option `harden-unknown-additional: yes`. This removes unknown records from the authority and additional section. This stops unknown records from being copied from the upstream to the downstream client, potentially exposing those clients to the extra records. Default is no, because it could hamper future protocol developments that want to add records. Thanks to Xiang Li, from NISL Lab, Tsinghua University. With the `sock-queue-timeout: 3` option kernel timestamps are turned on for UDP queries, and old packets are dropped. Queries that have waited in the socket buffer for a long time are then discarded, and is useful if the host was not running for a while. The statistics has `num.queries_timed_out` and `query.queue_time_us.max` counters. The local-zone type `block_a` is for when queries to IPv4 have to be stopped to force IPv6 usage. It stops type A queries with nodata, and transparently allows other queries. The redis server can be contacted over a unix socket with `redis-server-path: "/var/lib/redis/redis-server.sock"`. The redis server password can be configured with `redis-server-password: "password"`. The number of hashtable collisions is logged in the statistics counters `msg.cache.max_collisions` and `rrset.cache.max_collisions`. It can be used to monitor for mistakes where the wrong or same hash value occurs too frequently. The repository does not have the bison and flex generated output in it, so these tools are necessary to compile from a checkout, the tarball distribution contains pregenerated files and can use either those files or bison and flex tools on the compile system. If kernel timestamps are enabled, with the sock-queue-timeout option, they are also used to set the time for dnstap logs. There is a yocto compatible init script available in the contrib directory of the source code, `unbound.init_yocto`. The number of cachedb hits from cache is output in `num.query.cachedb`. There is support for the dohpath parameter for the SVCB record type. Prefetch is supported for subnet cache entries. Detection of the python paths on the system has been expanded. Compared to the release candidate rc1, this release has an extra fix to fix a compile issue on NetBSD. Features - Merge #826: #dd a metric about the maximum number of collisions in lrushah. - Set max-udp-size default to 1232. This is the same default value as the default value for edns-buffer-size. It restricts client edns buffer size choices, and makes unbound behave similar to other DNS resolvers. The new choice, down from 4096 means it is harder to get large responses from Unbound. Thanks to Xiang Li, from NISL Lab, Tsinghua University. - Add harden-unknown-additional option. It removes unknown records from the authority section and additional section. Thanks to Xiang Li, from NISL Lab, Tsinghua University. - Merge #819: Added new static zone type block_a to suppress all A queries for specific zones. - Fix #835: [FR] Ability to use Redis unix sockets. - Fix #833: [FR] Ability to set the Redis password. - Merge #882 from vvfedorenko: Features/dropqueuedpackets, with sock-queue-timeout option that drops packets that have been in the socket queue for too long. Added statistics num.queries_timed_out and query.queue_time_us.max that track the socket queue timeouts. - Merge #722 from David 'eqvinox' Lamparter: NAT64 support. - Fix #888: [FR] Use kernel timestamps for dnstap. - Merge #903: contrib: add yocto compatible init script. - Merge #892: Add cachedb hit stat. Introduces 'num.query.cachedb' as a new statistical counter. - Merge #739: Add SVCB dohpath support. - Merge #802: add validation EDEs to queries where the CD bit is set. - Merge #664 from tilan7763: Add prefetch support for subnet cache entries. - Merge #759 from Tom Carpay: Add EDE (RFC8914) caching. - Merge #790 from Tom Carpay: Add support for EDE caching in cachedb and subnetcache. - Merge PR #762: Downstream DNS Server Cookies a la RFC7873 and RFC9018. Create server cookies for clients that send client cookies. This needs to be explicitly turned on in the config file with: `answer-cookie: yes`. A `cookie-secret:` can be configured for anycast setups. Without one, a random cookie secret is generated. The acl option `allow_cookie` allows queries with either a valid cookie or over a stateful transport. The statistics output has `queries_cookie_valid` and `queries_cookie_client` and `queries_cookie_invalid` information. The `ip\-ratelimit\-cookie:` value determines a rate limit for queries with cookies, if desired. Bug Fixes - Fix #823: Response change to NODATA for some ANY queries since 1.12, tested on 1.16.1. - Fix python module install path detection. - Fix python version detection in configure. - Improve documentation for #826, describe the large collisions amount. - Fix not following cleared RD flags potentially enables amplification DDoS attacks, reported by Xiang Li and Wei Xu from NISL Lab, Tsinghua University. The fix stops query loops, by refusing to send RD=0 queries to a forwarder, they still get answered from cache. - Set default for harden-unknown-additional to no. So that it does not hamper future protocol developments. - Fix test for new default. - Fix acx_nlnetlabs.m4 for -Wstrict-prototypes. - Add duration variable for speed_local.test. - Fix #841: Unbound won't build with aaaa-filter-iterator.patch. - Fix to ignore entirely empty responses, and try at another authority. This turns completely empty responses, a type of noerror/nodata into a servfail, but they do not conform to RFC2308, and the retry can fetch improved content. - Fix unit tests for spurious empty messages. - Fix consistency of unit test without roundrobin answers for the cnametooptout unit test. - Fix to git ignore the library symbol file that configure can create. - Allow TTL refresh of expired error responses. - Add testcase for refreshing expired error responses. - Clean up iterator/iterator.c::error_response_cache() and allow for better interaction with serve-expired, prefetch and cached error responses. - Fix #825: Unexpected behavior with client-subnet-always-forward and serve-expired - Fix for #852: Completion of error handling. - Fix unbound-dnstap-socket test program to reply the finish frame over a TLS connection correctly. - Fix ssl.h include brackets, instead of quotes. - Fix #812, fix #846, by using the SSL_OP_IGNORE_UNEXPECTED_EOF option to ignore the unexpected eof while reading in openssl >= 3. - iana portlist update. - Fix issue #851: reserved identifier violation - Fix issue #676: Unencrypted query is sent when forward-tls-upstream: yes is used without tls-cert-bundle - Extra consistency check to make sure that when TLS is requested, either we set up a TLS connection or we return an error. - Fix #870: NXDOMAIN instead of NOERROR rcode when asked for existing CNAME record. - Fix for #870: Add test case for the qname minimisation and CNAME. - Fix build badge, from failing travis link to github ci action link. - Merge #875: change obsolete txt URL in unbound-anchor.c to point to RFC 7958, and Fix #874. - Fix for #878: Invalid IP address in unbound.conf causes Segmentation Fault on OpenBSD. - Fix for #882: small changes, date updated in Copyright for util/timeval_func.c and util/timeval_func.h. Man page entries and example entry. - Fix for #882: document variable to stop doxygen warning. - Fix issue #860: Bad interaction with 0 TTL records and serve-expired - Fix RPZ IP responses with trigger rpz-drop on cache entries, that they are dropped. - For #722: minor fixes, formatting, refactoring. - Fix #885: Error: util/configlexer.c: No such file or directory, adds error messages explaining to install flex and bison. - Fix to remove unused whitespace from acx_nlnetlabs.m4 and config.h. - Fix doxygen in addr_to_nat64 header definition. - Fix warning in windows compile, in set_recvtimestamp. - Fix to print debug log for ancillary data with correct IP address. - Fix RPZ removal of client-ip, nsip, nsdname triggers from IXFR. - Fix to remove unused variables from RPZ clientip data structure. - Fix unbound-dnstap-socket printout when no query is present. - Fix unbound-dnstap-socket time fraction conversion for printout. - Merge #896: Fix: #895: pythonmodule: add all site-packages directories to sys.path. - Fix #895: python + sysconfig gives ANOTHER path comparing to distutils. - Fix for uncertain unit test for doh buffer size events. - Properly handle all return values of worker_check_request during early EDE code. - Do not check the incoming request more than once. - Fix for issue #887 (Timeouts to forward servers on BSD based system with ASLR) - Probably fixes #516 (Stream reuse does not work on Windows) as well - Remove warning about unknown cast-function-type warning pragma. - Fix python modules with multiple scripts, by incrementing reference counts. - More fixes for reference counting for python module and clean up failure code. - Merge #827 from rcmcdonald91: Eliminate unnecessary Python reloading which causes memory leaks. - Fix #906: warning: `Py_SetProgramName' is deprecated. - Fix dereference of NULL variable warning in mesh_do_callback. - Code cleanup for sldns_str2wire_svcparam_key_lookup. - For #802: Cleanup comments and add RCODE check for CD bit test case. - Skip the 00-lint test. splint is not maintained; it either does not work or produces false positives. Static analysis is handled in the clang test. - For #664: Easier code flow for subnetcache prefetching. - For #664: Add testcase. - For #664: Rename subnet_prefetch tests to subnet_global_prefetch to differentiate from the new subnet prefetch support. - Merge #880 from chipitsine: services/authzone.c: remove redundant check. - More clear description of the different auth-zone behaviors on the man page. - Merge #909 from headshog: Numeric truncation when parsing TYPEXX and CLASSXX representation. - For #909: Fix return values. - Merge #901 from Sergei Trofimovich: config: improve handling of unknown modules. - For #909: Fix RR class comparison. - Merge #857 from eaglegai: fix potential memory leaks when errors happen. - For #857: fix mixed declarations and code. - Merge #118 from mibere: Changed verbosity level for Redis init & deinit. - Merge #390 from Frank Riley: Add missing callbacks to the python module. - Cleaner failure code for callback functions in interface.i. - Merge #889 from borisVanhoof: Free memory in error case + remove unused function. - For #889: use netcat-openbsd instead of netcat-traditional. - For #889: Account for num_detached_states before possible mesh_state_delete when erroring out. - Fix unused variable compile warning for kernel timestamps in netevent.c - Merge #911 from natalie-reece: Exclude EDE before other EDNS options when there isn't enough space. - For #911: Try to trim EXTRA-TEXT (and LDNS_EDE_OTHER options altogether) before giving up on attaching EDE options. - More braces and formatting for Fix for EDNS EDE size calculation to avoid future bugs. - Fix to use the now cached EDE, if any, for CD_bit queries. - Fix for EDNS EDE size calculation. - Move a cache reply callback in worker.c closer to the cache reply generation. - Fix regional_alloc_init for potential unaligned source of the copy. - Fix ip_ratelimit test to work with dig that enables DNS cookies. - Fix for iter_dec_attempts that could cause a hang, part of capsforid and qname minimisation, depending on the settings. - Fix uninitialized memory passed in padding bytes of cmsg to sendmsg. - Fix stat_values test to work with dig that enables DNS cookies. - Debug Windows ci workflow. - Fix windows ci workflow to install bison and flex. - Fix for #925: unbound.service: Main process exited, code=killed, status=11/SEGV. Fixes cachedb configuration handling. - Fix #923: processQueryResponse() THROWAWAY should be mindful of fail_reply. - Fix unit test for unbound-control to work when threads are disabled, and fix cache dump check. - Fix compile error on NetBSD in util/netevent.h. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.74 2023/01/12 12:09:18 adam Exp $ d3 3 a5 3 BLAKE2s (unbound-1.18.0.tar.gz) = e12b30f0e41bceb2418083b26863d5ff0491f6eb1b7f5d6c9bb652a840eb4aa0 SHA512 (unbound-1.18.0.tar.gz) = 24ca6bfe0ed493eb6aaa5cb1b2b108076ce97c48de7470adf596d1154254351e382b83aae33fcd8d4fa64847e359613e00c979b6f3ba7671215b2d0fd2b03b14 Size (unbound-1.18.0.tar.gz) = 6315297 bytes @ 1.74 log @unbound: updated to 1.17.1 1.17.1 Features Expose 'statistics-inhibit-zero' as a configuration option; the default value retains Unbound's behavior. Expose 'max-sent-count' as a configuration option; the default value retains Unbound's behavior. Merge 461 from Christian Allred: Add max-query-restarts option. Exposes an internal configuration but the default value retains Unbound's behavior. Merge 569 from JINMEI Tatuya: add keep-cache option to 'unbound-control reload' to keep caches. Bug Fixes Merge 768 from fobser: Arithmetic on a pointer to void is a GNU extension. In unit test, print python script name list correctly. testcode/dohclient sets log identity to its name. Clarify the use of MAX_SENT_COUNT in the iterator code. Fix that cachedb does not store failures in the external cache. Merge 767 from jonathangray: consistently use IPv4/IPv6 in unbound.conf.5. Fix to ignore tcp events for closed comm points. Fix to make sure to not read again after a tcp comm point is closed. Fix 775: libunbound: subprocess reap causes parent process reap to hang. iana portlist update. Complementary fix for distutils.sysconfig deprecation in Python 3.10 to commit 62c5039ab9da42713e006e840b7578e01d66e7f2. Fix 779: [doc] Missing documention in ub_resolve_event() for callback parameter was_ratelimited. Ignore expired error responses. Merge 720 from jonathangray: fix use after free when WSACreateEvent() fails. Fix for the ignore of tcp events for closed comm points, preserve the use after free protection features. Fix 782: Segmentation fault in stats.c:404. Add SVCB and HTTPS to the types removed by 'unbound-control flush'. Clear documentation for interactivity between the subnet module and the serve-expired and prefetch configuration options. Fix 773: When used with systemd-networkd, unbound does not start until systemd-networkd-wait-online.service times out. Merge 808: Wrap Makefile script's directory variables in quotes. Fix to wrap Makefile scripts directory in quotes for uninstall. Fix windows compile for libunbound subprocess reap comm point closes. Update github workflows to use checkout v3. Fix wildcard in hyperlocal zone service degradation, reported by Sergey Kacheev. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.73 2022/10/13 12:09:00 he Exp $ d3 3 a5 3 BLAKE2s (unbound-1.17.1.tar.gz) = 90beced69ca314757ad9173bcfa3514e2b98407506134a6b332c5d424b584cb7 SHA512 (unbound-1.17.1.tar.gz) = 10dd4c3aff77f1c0d19eb3c66956ed6ef1aae19e827d0b3259dc75d9de28dedd41862982a299e67ee07e17fb52058b4beee9d4b1d3bb0a3f633b9ba5b864d168 Size (unbound-1.17.1.tar.gz) = 6244773 bytes @ 1.73 log @Update net/unbound to version 1.17.0. Pkgsrc changes: * none, other than checksums. Upstream changes: This release has new interface acl configuration options. These allow access-control actions, per interface. Also tags, and views can be configured per interface, queries over the interface are answered with these tags and views. It is configured with the options `interface-action`, `interface-tag`, `interface-tag-action`, `interface-tag-data` and `interface-view`. If there is also an access-control setting for the query, this overrides the interface settings for that query. The PROXYv2 protocol is supported. It can be configured with the `proxy-protocol-port: portno` option. It is used to convey the IP addresses of clients that connect via a proxy to Unbound. There are also fixes for a number of bugs. In some cases a blocking wait on a socket could happen, and this has been fixed. If the upstream sends a TC flag, erroneously, the reply is ignored and retried. When under load, with the new NRDelegation fixes from the previous release, there are mitigations to continue target discovery. There is also a fix for possible loops in the tcp reuse code. The release version differs from the RC1, there is a bugfix for the proxy protocol for tcp read when no proxied addresses are provided. Features - Merge #753: ACL per interface. (New interface-* configuration options). - Merge #760: PROXYv2 downstream support. (New proxy-protocol-port configuration option). Bug Fixes - Fix #728: alloc_reg_obtain() core dump. Stop double alloc_reg_release when serviced_create fails. - Fix edns subnet so that scope 0 answers only match sourcemask 0 queries for answers from cache if from a query with sourcemask 0. - Fix unittest for edns subnet change. - Merge #730 from luisdallos: Fix startup failure on Windows 8.1 due to unsupported IPV6_USER_MTU socket option being set. - Fix ratelimit inconsistency, for ip-ratelimits the value is the amount allowed, like for ratelimits. - Fix #734 [FR] enable unbound-checkconf to detect more (basic) errors. - Fix to log accept error ENFILE and EMFILE errno, but slowly, once per 10 seconds. Also log accept failures when no slow down is used. - Fix to avoid process wide fcntl calls mixed with nonblocking operations after a blocked write. - Patch from Vadim Fedorenko that adds MSG_DONTWAIT to receive operations, so that instruction reordering does not cause mistakenly blocking socket operations. - Fix to wait for blocked write on UDP sockets, with a timeout if it takes too long the packet is dropped. - Fix for wait for udp send to stop when packet is successfully sent. - Fix #741: systemd socket activation fails on IPv6. - Fix to update config tests to fix checking if nonblocking sockets work on OpenBSD. - Slow down log frequency of write wait failures. - Fix to set out of file descriptor warning to operational verbosity. - Fix to log a verbose message at operational notice level if a thread is not responding, to stats requests. It is logged with thread identifiers. - Remove include that was there for debug purposes. - Fix to check pthread_t size after pthread has been detected. - Convert tdir tests to use the new skip_test functionality. - Remove unused testcode/mini_tpkg.sh file. - Better output for skipped tdir tests. - Fix doxygen warning in respip.h. - Fix to remove erroneous TC flag from TCP upstream. - Fix test tdir skip report printout. - Fix windows compile, the identifier interface is defined in headers. - Fix to close errno block in comm_point_tcp_handle_read outside of ifdef. - Fix static analysis report to remove dead code from the rpz_callback_from_iterator_module function. - Fix to clean up after the acl_interface unit test. - Merge #764: Leniency for target discovery when under load (for NRDelegation changes). - Use DEBUG_TDIR from environment in mini_tdir.sh for debugging. - Fix string comparison in mini_tdir.sh. - Make ede.tdir test more predictable by using static data. - Fix checkconf test for dnscrypt and proxy port. - Fix dnscrypt compile for proxy protocol code changes. - Fix to stop responses with TC flag from resulting in partial responses. It retries to fetch the data elsewhere, or fails the query and in depth fix removes the TC flag from the cached item. - Fix proxy length debug output printout typecasts. - Fix to stop possible loops in the tcp reuse code (write_wait list and tcp_wait list). Based on analysis and patch from Prad Seniappan and Karthik Umashankar. - Fix PROXYv2 header read for TCP connections when no proxied addresses are provided. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.72 2022/09/21 11:30:24 he Exp $ d3 3 a5 3 BLAKE2s (unbound-1.17.0.tar.gz) = 95ff1d8c1d72600fbf14c09dca954714dfd1de6ec6da6426aa58ce045ecc7998 SHA512 (unbound-1.17.0.tar.gz) = f6b9f279330fb19b5feca09524959940aad8c4e064528aa82b369c726d77e9e8e5ca23f366f6e9edcf2c061b96f482ed7a2c26ac70fc15ae5762b3d7e36a5284 Size (unbound-1.17.0.tar.gz) = 6235060 bytes @ 1.72 log @Update net/unbound to version 1.16.3. Pkgsrc changes: * none, other than checksums. Upstream changes: Bug Fixes - Patch for CVE-2022-3204 Non-Responsive Delegation Attack. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.71 2022/08/01 12:38:46 he Exp $ d3 4 a6 4 BLAKE2s (unbound-1.16.3.tar.gz) = d8b1bdf0e2d70634fe78d1785c5af80231a795905497deaa0679bd9b8ed0c462 SHA512 (unbound-1.16.3.tar.gz) = ef5cda926dd1082a750615d8687bccd756869c66e9f24f984fda4c6613f94f3e4884db328b8d7b490777a75d3e616dcb61c5258e7777923c0590e6fabacd207c Size (unbound-1.16.3.tar.gz) = 6204330 bytes SHA1 (patch-configure) = a949bdb26b37950c0301946af4521c9d0e984cf9 @ 1.71 log @Update net/unbound to version 1.16.2. Pkgsrc changes: * none, other than checksums. Upstream changes: Features - Merge #718: Introduce infra-cache-max-rtt option to config max retransmit timeout. Bug Fixes - Fix the novel ghost domain issues CVE-2022-30698 and CVE-2022-30699. - Fix bug introduced in 'improve val_sigcrypt.c::algo_needs_missing for one loop pass'. - Merge PR #668 from Cristian Rodríguez: Set IP_BIND_ADDRESS_NO_PORT on outbound tcp sockets. - Fix verbose EDE error printout. - Fix dname count in sldns parse type descriptor for SVCB and HTTPS. - For windows crosscompile, fix setting the IPV6_MTU socket option equivalent (IPV6_USER_MTU); allows cross compiling with latest cross-compiler versions. - Merge PR 714: Avoid treat normal hosts as unresponsive servers. And fixup the lock code. - iana portlist update. - Update documentation for 'outbound-msg-retry:'. - Tests for ghost domain fixes. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.70 2022/07/11 15:02:04 he Exp $ d3 3 a5 3 BLAKE2s (unbound-1.16.2.tar.gz) = 31ce353b16be4330598b918ca3596f2e5c9c85ca190f69b9c3aaeb5cf18c7602 SHA512 (unbound-1.16.2.tar.gz) = 0ea65ea63265be677441bd2a28df12098ec5e86c3372240c2874f9bd13752b8b818da81ae6076cf02cbeba3d36e397698a4c2b50570be1a6a8e47f57a0251572 Size (unbound-1.16.2.tar.gz) = 6204297 bytes @ 1.70 log @Update net/unbound to version 1.16.1. Pkgsrc changes: * none, other than checksums. Upstream changes: Features - Fix #704: [FR] Statistics counter for number of outgoing UDP queries sent; introduces 'num.query.udpout' to the 'unbound-control stats' command. Bug Fixes - makedist.sh picks up 32bit libssp-0.dll when 32bit compile. - Fix for edns client subnet to respect not looking in its cache when instructed to do so (e.g., prefetch). - Merge PR #688: Rpz url notify issue. - Note in the unbound.conf text that NOTIFY is allowed from the url: addresses for auth and rpz zones. - Remove unused LDNS function check for GOST Engine unloading. - Fix for loading locally stored zones that have lines with blanks or blanks and comments. - Fix #663: use after free issue with edns options. - Clarify -v flag manpage entry (#705) - Fix test program dohclient close to use portability routine. - Show the output of the exact .rpl run that failed with 'make test'. - Fix for cached 0 TTL records to not trigger prefetching when serve-expired-client-timeout is set. - Add debug option to the mini_tdir.sh test code. - Fix to not count cached NXDOMAIN for MAX_TARGET_NX. - Allow fallback to the parent side when MAX_TARGET_NX is reached. This will also allow MAX_TARGET_NX more NXDOMAINs. - iana portlist update. - Fix detection of libz on windows compile with static option. - Fix compile warning for windows compile. - Merge PR #706: NXNS fallback. - From #706: Cached NXDOMAIN does not increase the target nx responses. - From #706: Don't generate parent side queries if we already have the lame records in cache. - From #706: When a lame address is the best choice, don't try to generate target queries when the missing targets are all lame. - Merge PR #671 from Petr Men\u0161ík: Disable ED25519 and ED448 in FIPS mode on openssl3. - Merge PR #660 from Petr Men\u0161ík: Sha1 runtime insecure. - For #660: formatting, less verbose logging, add EDE information. - Fix for correct openssl error when adding windows CA certificates to the openssl trust store. - Improve val_sigcrypt.c::algo_needs_missing for one loop pass. - Reintroduce documentation and more EDE support for val_sigcrypt.c::dnskeyset_verify_rrset_sig. - Fix bug introduced in 'improve val_sigcrypt.c::algo_needs_missing for one loop pass'. - Merge PR #668 from Cristian Rodríguez: Set IP_BIND_ADDRESS_NO_PORT on outbound tcp sockets. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.69 2022/06/02 13:02:38 he Exp $ d3 3 a5 3 BLAKE2s (unbound-1.16.1.tar.gz) = faacd2788d5057aacfdd69ee55680ca7429bc544e22b282b0eda0b2e32cff136 SHA512 (unbound-1.16.1.tar.gz) = 71313789a85c5d4e50a7d6ac5c5a830dfd98bf016c48ff4c7283a975da9311149987f94eddbf976fe8aed98cbf4053c678656cf198e5a9680e3a442497e69c38 Size (unbound-1.16.1.tar.gz) = 6201745 bytes @ 1.69 log @Update unbound to version 1.16.0. Pkgsrc changes: * Remove patch now integrated upstream * Updated checksums Upstream changes: This release has EDE support, for extended EDNS error reporting, it fixes unsupported ZONEMD algorithms to load, and has more bug fixes. The EDE errors can be turned on by `ede: yes`, it is default disabled. Validation errors and other errors are then reported. If you also want stale answers for expired responses to have an error code, the option `ede-serve-expired: yes` can be used. Features - Merge PR #604: Add basic support for EDE (RFC8914). Bug Fixes - Fix #412: cache invalidation issue with CNAME+A. - Fix that TCP interface does not use TLS when TLS is also configured. - Fix #624: Unable to stop Unbound in Windows console (does not respond to CTRL+C command). - Fix #618: enabling interface-automatic disables DNS-over-TLS. Adds the option to list interface-automatic-ports. - Remove debug info from #618 fix. - Fix #628: A rpz-passthru action is not ending RPZ zone processing. - Fix for #628: fix rpz-passthru for qname trigger by localzone type. - Fix that address not available is squelched from the logs for udp connect failures. It is visible on verbosity 4 and more. - Merge #631 from mollyim: Replace OpenSSL's ERR_PACK with ERR_GET_REASON. - Fix to detect that no IPv6 support means that IPv6 addresses are useless for delegation point lookups. - update Makefile dependencies. - Fix check interface existence for support detection in remote lookup. - Fix #633: Document unix domain socket support for unbound-control. - Fix for #633: updated fix with new text. - Fix edns client subnet to add the option based on the option list, so that it is not state dependent, after the state fix of #605 for double EDNS options. - Fix for edns client subnet option add fix in removal code, from review. - Fix #630: Unify the RPZ log messages. - Merge #623 from rex4539: Fix typos. - Fix pythonmod for change in iter_dp_is_useless function prototype. - Fix compile warnings for printf ll format on mingw compile. - Merge PR #632 from scottrw93: Match cnames in ipset. - Various fixes for #632: variable initialisation, convert the qinfo to str once, accept trailing dot in the local-zone ipset option. - Fix #637: Integer Overflow in sldns_str2period function. - Fix for #637: fix integer overflow checks in sldns_str2period. - Fix configure for python to use sysutils, because distutils is deprecated. It uses sysutils when available, distutils otherwise. - Merge #644: Make `install-lib` make target install the pkg-config file. - Fix to ensure uniform handling of spaces and tabs when parsing RRs. - Fix to describe auth-zone and other configuration at the local-zone configuration option, to allow for more broadly view of the options. - Merge PR #648 from eaglegai: fix -q doesn't work when use with 'unbound-control stats_shm'. - Fix #651: [FR] Better logging for refused queries. - Fix spelling error in comment in sldns_str2wire_svcparam_key_lookup. - Fix zonemd check to allow unsupported algorithms to load. If there are only unsupported algorithms, or unsupported schemes, and no failed or successful other ZONEMD records, or malformed or bad ZONEMD records, the unsupported records allow the zone load. - Fix zonemd unsupported algo check. - Fix zonemd unsupported algo check reason to not copy to next record, and check for success for debug printout. - Fix zonemd unsupported algo check to print unsupported reason before zeroing it. - Fix zonemd unsupported algo check to set reason to NULL before the check routine, but after malformed checks, to get the correct NULL output when the digest matches. - Fix #670: SERVFAIL problems with unbound 1.15.0 running on OpenBSD 7.1. - Fix Python build in non-source directory; based on patch by Michael Tokarev. - Fix #673: DNS over TLS: error: SSL_handshake syscall: No route to host. - Merge #677: Allow using system certificates not only on Windows, from pemensik. - For #677: Added tls-system-cert to config parser and documentation. - Fix #417: prefetch and ECS causing cache corruption when used together. - Fix #678: [FR] modify behaviour of unbound-control rpz_enable zone, by updating unbound-control's documentation. - Fix typos in config_set_option for the 'num-threads' and 'ede-serve-expired' options. - Fix to silence test for ede error output to the console from the test setup script. - Fix ede test to not use default pidfile, and use local interface. - Fix some lint type warnings. - Fix #684: [FTBS] configure script error with libmnl on openSUSE 15.3 (and possibly other distributions) @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.68 2022/02/11 09:28:16 he Exp $ d3 3 a5 3 BLAKE2s (unbound-1.16.0.tar.gz) = 9ab57da5c00f0d18a4c0d14dc10692f4976d5eca7a8d3c183b901f66b7aed909 SHA512 (unbound-1.16.0.tar.gz) = 134679c0baad6738541295fcfbf8cc701c647b5d5cd00f87e50394bc7b5b74b7326ed2fc42f3282cae8094b4980c1e580d7b748b7151642c9060c449b644715f Size (unbound-1.16.0.tar.gz) = 6188349 bytes @ 1.69.2.1 log @Pullup ticket #6666 - requested by khorben net/unbound: security update Revisions pulled up: - net/unbound/Makefile 1.93,1.92 - net/unbound/distinfo 1.71,1.70 ------------------------------------------------------------------- Module Name: pkgsrc Committed By: he Date: Mon Aug 1 12:38:46 UTC 2022 Modified Files: pkgsrc/net/unbound: Makefile distinfo Log Message: Update net/unbound to version 1.16.2. Pkgsrc changes: * none, other than checksums. Upstream changes: Features - Merge #718: Introduce infra-cache-max-rtt option to config max retransmit timeout. Bug Fixes - Fix the novel ghost domain issues CVE-2022-30698 and CVE-2022-30699. - Fix bug introduced in 'improve val_sigcrypt.c::algo_needs_missing for one loop pass'. - Merge PR #668 from Cristian Rodr�guez: Set IP_BIND_ADDRESS_NO_PORT on outbound tcp sockets. - Fix verbose EDE error printout. - Fix dname count in sldns parse type descriptor for SVCB and HTTPS. - For windows crosscompile, fix setting the IPV6_MTU socket option equivalent (IPV6_USER_MTU); allows cross compiling with latest cross-compiler versions. - Merge PR 714: Avoid treat normal hosts as unresponsive servers. And fixup the lock code. - iana portlist update. - Update documentation for 'outbound-msg-retry:'. - Tests for ghost domain fixes. To generate a diff of this commit: cvs rdiff -u -r1.92 -r1.93 pkgsrc/net/unbound/Makefile cvs rdiff -u -r1.70 -r1.71 pkgsrc/net/unbound/distinfo ------------------------------------------------------------------- Module Name: pkgsrc Committed By: he Date: Mon Jul 11 15:02:05 UTC 2022 Modified Files: pkgsrc/net/unbound: Makefile distinfo Log Message: Update net/unbound to version 1.16.1. Pkgsrc changes: * none, other than checksums. Upstream changes: Features - Fix #704: [FR] Statistics counter for number of outgoing UDP queries sent; introduces 'num.query.udpout' to the 'unbound-control stats' command. Bug Fixes - makedist.sh picks up 32bit libssp-0.dll when 32bit compile. - Fix for edns client subnet to respect not looking in its cache when instructed to do so (e.g., prefetch). - Merge PR #688: Rpz url notify issue. - Note in the unbound.conf text that NOTIFY is allowed from the url: addresses for auth and rpz zones. - Remove unused LDNS function check for GOST Engine unloading. - Fix for loading locally stored zones that have lines with blanks or blanks and comments. - Fix #663: use after free issue with edns options. - Clarify -v flag manpage entry (#705) - Fix test program dohclient close to use portability routine. - Show the output of the exact .rpl run that failed with 'make test'. - Fix for cached 0 TTL records to not trigger prefetching when serve-expired-client-timeout is set. - Add debug option to the mini_tdir.sh test code. - Fix to not count cached NXDOMAIN for MAX_TARGET_NX. - Allow fallback to the parent side when MAX_TARGET_NX is reached. This will also allow MAX_TARGET_NX more NXDOMAINs. - iana portlist update. - Fix detection of libz on windows compile with static option. - Fix compile warning for windows compile. - Merge PR #706: NXNS fallback. - From #706: Cached NXDOMAIN does not increase the target nx responses. - From #706: Don't generate parent side queries if we already have the lame records in cache. - From #706: When a lame address is the best choice, don't try to generate target queries when the missing targets are all lame. - Merge PR #671 from Petr Men\u0161�k: Disable ED25519 and ED448 in FIPS mode on openssl3. - Merge PR #660 from Petr Men\u0161�k: Sha1 runtime insecure. - For #660: formatting, less verbose logging, add EDE information. - Fix for correct openssl error when adding windows CA certificates to the openssl trust store. - Improve val_sigcrypt.c::algo_needs_missing for one loop pass. - Reintroduce documentation and more EDE support for val_sigcrypt.c::dnskeyset_verify_rrset_sig. - Fix bug introduced in 'improve val_sigcrypt.c::algo_needs_missing for one loop pass'. - Merge PR #668 from Cristian Rodr�guez: Set IP_BIND_ADDRESS_NO_PORT on outbound tcp sockets. To generate a diff of this commit: cvs rdiff -u -r1.91 -r1.92 pkgsrc/net/unbound/Makefile cvs rdiff -u -r1.69 -r1.70 pkgsrc/net/unbound/distinfo @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.69 2022/06/02 13:02:38 he Exp $ d3 3 a5 3 BLAKE2s (unbound-1.16.2.tar.gz) = 31ce353b16be4330598b918ca3596f2e5c9c85ca190f69b9c3aaeb5cf18c7602 SHA512 (unbound-1.16.2.tar.gz) = 0ea65ea63265be677441bd2a28df12098ec5e86c3372240c2874f9bd13752b8b818da81ae6076cf02cbeba3d36e397698a4c2b50570be1a6a8e47f57a0251572 Size (unbound-1.16.2.tar.gz) = 6204297 bytes @ 1.68 log @Apply fix from https://github.com/NLnetLabs/unbound/commit/5f724da8c57c5a6bf1d589b6651daec2dc39a9d1 Paraphrased: Fix plain DNS-over-TCP so that it doesn't try to use TLS when TLS is also configured elsewhere. Bump PKGREVISION. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.67 2022/02/10 13:17:53 he Exp $ d3 3 a5 3 BLAKE2s (unbound-1.15.0.tar.gz) = 9faa1c09804bdbf9762ee66ef8a69891290b3421d5438c1962a3770361853a0f SHA512 (unbound-1.15.0.tar.gz) = c5dab305694c14f64e05080700bb52f6e6bf5b76f15e1fde34e35c932cb3ffed0de2c03b570cf4bfe18165cb10e82e67ee9b12c6583295380f88c2c03800cc1f Size (unbound-1.15.0.tar.gz) = 6163470 bytes a6 1 SHA1 (patch-services_listen__dnsport.c) = 06c29e2785f0dfe3719523471a355ee6e2356226 @ 1.67 log @Update unbound to version 1.15.0. Pkgsrc changes: * none, other than checksums. Upstream changes: This release has bug fixes for crashes that happened on heavy network usage. The default for the aggressive-nsec option has changed, it is now enabled. The ratelimit logic had to be reworked for the crash fixes. As a result, there are new options to control the behaviour of ratelimiting. The ratelimit-backoff and ip-ratelimit-backoff options can be used to control how severe the backoff is when the ratelimit is exceeded. The rpz-signal-nxdomain-ra option can be used to unset the RA flag, for NXDOMAIN answers from RPZ. That is used by some clients to detect that the domain is externally blocked. The RPZ option for-downstream can be used like for auth zones, this allows the RPZ zone information to be queried. That can be useful for monitoring scripts. Features - Fix #596: unset the RA bit when a query is blocked by an unbound RPZ nxdomain reply. The option rpz-signal-nxdomain-ra allows to signal that a domain is externally blocked to clients when it is blocked with NXDOMAIN by unsetting RA. - Add rpz: for-downstream: yesno option, where the RPZ zone is authoritatively answered for, so the RPZ zone contents can be checked with DNS queries directed at the RPZ zone. - Merge PR #616: Update ratelimit logic. It also introduces ratelimit-backoff and ip-ratelimit-backoff configuration options. - Change aggressive-nsec default to yes. Bug Fixes - Fix compile warning for if_nametoindex on windows 64bit. - Merge PR #581 from fobser: Fix -Wmissing-prototypes and -Wshadow warnings in rpz. - Fix validator debug output about DS support, print correct algorithm. - Add code similar to fix for ldns for tab between strings, for consistency, the test case was not broken. - Allow local-data for classes other than IN to inherit a configured local-zone's type if possible, instead of defaulting to type transparent as per the implicit rule. - Fix to pick up other class local zone information before unlock. - Add missing configure flags for optional features in the documentation. - Fix Unbound capitalization in the documentation. - Fix #591: Unbound-anchor manpage links to non-existent license file. - contrib/aaaa-filter-iterator.patch file renewed diff content to apply cleanly to the current coderepo for the current code version. - Fix to add test for rpz-signal-nxdomain-ra. - Fix #596: only unset RA when NXDOMAIN is signalled. - Fix that RPZ does not set RD flag on replies, it should be copied from the query. - Fix for #596: fix that rpz return message is returned and not just the rcode from the iterator return path. This fixes signal unset RA after a CNAME. - Fix unit tests for rpz now that the AA flag returns successfully from the iterator loop. - Fix for #596: add unit test for nsdname trigger and signal unset RA. - Fix for #596: add unit test for nsip trigger and signal unset RA. - Fix #598: Fix unbound-checkconf fatal error: module conf 'respip dns64 validator iterator' is not known to work. - Fix for #596: Fix rpz-signal-nxdomain-ra to work for clientip triggered operation. - Merge #600 from pemensik: Change file mode before changing file owner. - Fix prematurely terminated TCP queries when a reply has the same ID. - For #602: Allow the module-config "subnetcache validator cachedb iterator". - Fix EDNS to upstream where the same option could be attached more than once. - Add a region to serviced_query for allocations. - For dnstap, do not wakeupnow right there. Instead zero the timer to force the wakeup callback asap. - Fix #610: Undefine-shift in sldns_str2wire_hip_buf. - Fix #588: Unbound 1.13.2 crashes due to p->pc is NULL in serviced_udp_callback. - Merge PR #612: TCP race condition. - Test for NSID in SERVFAIL response due to DNSSEC bogus. - Fix #599: [FR] RFC 9156 (obsoletes RFC 7816), by noting the new RFC document. - Fix tls-* and ssl-* documented alternate syntax to also be available through remote-control and unbound-checkconf. - Better cleanup on failed DoT/DoH listening socket creation. - iana portlist update. - Fix review comment for use-after-free when failing to send UDP out. - Merge PR #603 from fobser: Use OpenSSL 1.1 API to access DSA and RSA internals. - Merge PR #532 from Shchelk: Fix: buffer overflow bug. - Merge PR #617: Update stub/forward-host notation to accept port and tls-auth-name. - Update stream_ssl.tdir test to also use the new forward-host notation. - Fix header comment for doxygen for authextstrtoaddr. - please clang analyzer for loop in test code. - Fix docker splint test to use more portable uname. - Update contrib/aaaa-filter-iterator.patch with diff for current software version. - Fix for #611: Integer overflow in sldns_wire2str_pkt_scan. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.66 2021/12/17 18:42:54 adam Exp $ d7 1 a7 1 SHA1 (patch-services_listen__dnsport.c) = 11c5b3af93f07da5e1375babea91725055baa08a @ 1.66 log @unbound: updated to 1.14.0 1.14.0 Features Merge 401: RPZ triggers. This add additional RPZ triggers, unbound supports a full set of rpz triggers, and this now includes nsdname, nsip and clientip triggers. Also actions are fully supported, and this now includes the tcp-only action. Merge 519: Support for selective enabling tcp-upstream for stub/forward zones. Merge PR 514, from ziollek: Docker environment for run tests. Support using system-wide crypto policies. Fix that --with-ssl can use "/usr/include/openssl11" to pass the location of a different openssl version. Merged 41 from Moritz Schneider: made outbound-msg-retry configurable. Implement RFC8375: Special-Use Domain 'home.arpa.'. Merge PR 555 from fobser: Allow interface names as scope-id in IPv6 link-local addresses. Bug Fixes Add test tool readzone to .gitignore. Merge 521: Update mini_event.c. Merge 523: fix: free() call more than once with the same pointer. For 519: note stub-tcp-upstream and forward-tcp-upstream in the example configuration file. For 519: yacc and lex. And fix python bindings, and test program unbound-dnstap-socket. For 519: fix comments for doxygen. Fix to print error from unbound-anchor for writing to the key file, also when not verbose. For 514: generate configure. Fix for 431: Squelch permission denied errors for udp connect, and udp send, they are visible at higher verbosity settings. Fix zonemd verification of key that is not in DNS but in the zone and needs a chain of trust. zonemd, fix order of bogus printout string manipulation. Fix to support harden-algo-downgrade for ZONEMD dnssec checks. Merge PR 528 from fobser: Make sldns_str2wire_svcparam_buf() static. Fix 527: not sending quad9 cert to syslog (and may be more). Fix sed script in ssldir split handling. Fix 529: Fix: log_assert does nothing if UNBOUND_DEBUG is undefined. Fix 531: Fix: passed to proc after free. Fix 536: error: RPZ: name of record (drop.spamhaus.org.rpz.local.) to insert into RPZ. Fix the stream wait stream_wait_count_lock and http2 buffer locks setup and desetup from race condition. Fix RPZ locks. Do not unlock zones lock if requested and rpz find zone does not find the zone. Readlock the clientip that is found for ipbased triggers. Unlock the nsdname zone lock when done. Unlock zone and ip in rpz nsip and nsdname callback. Unlock authzone and localzone if clientip found in rpz worker call. Fix compile warning in libunbound for listen desetup routine. Fix asynclook unit test for setup of lockchecks before log. Fix 533: Negative responses get cached even when setting cache-max-negative-ttl: 1 Fix tcp fastopen failure when disabled, try normal connect instead. Fix 538: Fix subnetcache statistics. Small fixes for 41: changelog, conflicts resolved, processQueryResponse takes an iterator env argument like other functions in the iterator, no colon in string for set_option, and some whitespace style, to make it similar to the rest. Fix for 41: change outbound retry to int to fix signed comparison warnings. Fix root_anchor test to check with new icannbundle date. Fix initialisation errors reported by gcc sanitizer. Fix lock debug code for gcc sanitizer reports. Fix more initialisation errors reported by gcc sanitizer. Fix crosscompile on windows to work with openssl 3.0.0 the link with ws2_32 needs -l:libssp.a for __strcpy_chk. Also copy results from lib64 directory if needed. For crosscompile on windows, detect 64bit stackprotector library. Fix crosscompile shell syntax. Fix crosscompile windows to use libssp when it exists. For the windows compile script disable gost. Fix that on windows, use BIO_set_callback_ex instead of deprecated BIO_set_callback. Fix crosscompile script for the shared build flags. Fix to add example.conf note for outbound-msg-retry. Fix chaos replies to have truncation for short message lengths, or long reply strings. Fix to protect custom regional create against small values. Fix 552: Unbound assumes index.html exists on RPZ host. Fix that forward-zone name is documented as the full name of the zone. It is not relative but a fully qualified domain name. Fix analyzer review failure in rpz action override code to not crash on unlocking the local zone lock. Fix to remove unused code from rpz resolve client and action function. Merge 565: unbound.service.in: Disable ProtectKernelTunables again. Fix for 558: fix loop in comm_point->tcp_free when a comm_point is reclaimed more than once during callbacks. Fix for 558: clear the UB_EV_TIMEOUT bit before adding an event. Improve EDNS option handling, now also works for synthesised responses such as local-data and server.id CH TXT responses. Merge PR 570 from rex4539: Fix typos. Fix for 570: regen aclocal.m4, fix configure.ac for spelling. Fix to make python module opt_list use opt_list_in. Fix 574: unbound-checkconf reports fatal error if interface names are used as value for interfaces: Fix 574: Review fixes for it. Fix 576: [FR] UB_* error codes in unbound.h Fix 574: Review fix for spelling. Fix to remove git tracking and ci information from release tarballs. iana portlist update. Merge PR 511 from yan12125: Reduce unnecessary linking. Merge PR 493 from Jaap: Fix generation of libunbound.pc. Merge PR 562 from Willem: Reset keepalive per new tcp session. Merge PR 522 from sibeream: memory management violations fixed. Merge PR 530 from Shchelk: Fix: dereferencing a null pointer. Fix 454: listen_dnsport.c:825: error: ‘IPV6_TCLASS’ undeclared. Fix 574: Review fixes for size allocation. Fix doc/unbound.doxygen to remove obsolete tag warning. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.65 2021/10/26 11:07:06 nia Exp $ d3 3 a5 3 BLAKE2s (unbound-1.14.0.tar.gz) = 3c10a32890b47ea845b707d42ca47ea56b24afc7f2e453ae29f20e2b868a75ce SHA512 (unbound-1.14.0.tar.gz) = 57f91d898b0a5d42e6a2ff1ccaec474f04dd5ad3c98e7eb7aa8d5eaa23b587f3077cf7eddf4df38f537c6d387028f12c2518ff13b7249aa7a1155cd6532a46b5 Size (unbound-1.14.0.tar.gz) = 6152326 bytes @ 1.65 log @ net: Replace RMD160 checksums with BLAKE2s checksums All checksums have been double-checked against existing RMD160 and SHA512 hashes Not committed (merge conflicts...): net/radsecproxy/distinfo The following distfiles could not be fetched (fetched conditionally?): ./net/citrix_ica/distinfo citrix_ica-10.6.115659/en.linuxx86.tar.gz ./net/djbdns/distinfo dnscache-1.05-multiple-ip.patch ./net/djbdns/distinfo djbdns-1.05-test28.diff.xz ./net/djbdns/distinfo djbdns-1.05-ignoreip2.patch ./net/djbdns/distinfo djbdns-1.05-multiip.diff ./net/djbdns/distinfo djbdns-cachestats.patch @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.64 2021/10/07 14:42:59 nia Exp $ d3 3 a5 3 BLAKE2s (unbound-1.13.2.tar.gz) = a13dbc3ec8c76e9846ffb847b02acf2b4c5af27b6cc3275dc9305088dbc6b177 SHA512 (unbound-1.13.2.tar.gz) = 1e89441446e7a25c6a49bded645f8b348c1758c3be54e3a986041cb1f00c45d152fd469dc52666fb820574db9d51b16f1627dc8afcb9519508d4833ca358191a Size (unbound-1.13.2.tar.gz) = 6127915 bytes @ 1.64 log @net: Remove SHA1 hashes for distfiles @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.63 2021/08/27 07:55:36 adam Exp $ d3 1 a3 1 RMD160 (unbound-1.13.2.tar.gz) = c0a9500bfc9d4952c88be44d999d5372a37e7764 @ 1.63 log @unbound: updated to 1.13.2 1.13.2 Features Merge 317: ZONEMD Zone Verification, with RFC 8976 support. ZONEMD records are checked for zones loaded as auth-zone, with DNSSEC if available. There is an added option zonemd-permissive-mode that makes it log but not fail wrong zones. With zonemd-reject-absence for an auth-zone the presence of a zonemd can be mandated for specific zones. Fix: Resolve interface names on control-interface too. Merge 470 from edevil: Allow configuration of persistent TCP connections. Fix 474: always_null and others inside view. Add that log-servfail prints an IP address and more information about one of the last failures for that query. Merge 478: Allow configuration of TCP timeout while waiting for response. Add ./configure --with-deprecate-rsa-1024 that turns off RSA 1024. Move the NSEC3 max iterations count in line with the 150 value used by BIND, Knot and PowerDNS. This sets the default value for it in the configuration to 150 for all key sizes. zonemd-check: yesno option, default no, enables the processing of ZONEMD records for that zone. Merge 486 by fobster: Make VAL_MAX_RESTART_COUNT configurable. Merge 491: Add SVCB and HTTPS types and handling according to draft-ietf-dnsop-svcb-https. Introduce 'http-user-agent:' and 'hide-http-user-agent:' options. Bug Fixes Fix for Python 3.9, no longer use deprecated functions of PyEval_CallObject (now PyObject_Call), PyEval_InitThreads (now none), PyParser_SimpleParseFile (now Py_CompileString). Merge 420 from dyunwei: DOH not responsing with "http2_query_read_done failure" logged. Fix 422: IPv6 fallback issues when IPv6 is not properly enabled/configured. Fix to make tests work with support indicators set for iterator. Fix build on Python 3.10. Fix doxygen and pydoc warnings. Fix 429: rpz: url: with https: broken (regression in 1.13.1). rpz skip nsec3param records, and nicer log for unsupported actions. Fix 431: Squelch permission denied errors for tcp connect and udp connect from the logs, unless at high verbosity. Fix for zonemd, that nxdomain for the chain of trust is allowed for island zones, it is treated as an insecure zone for verification. Fix for zonemd, that domain-insecure zones work without dnssec. Fix for zonemd, do not reject insecure result from trust anchor validation step in dnssec chain of trust. On startup of unbound it checks if rlimits on memory size look sufficient for the configured cache size, and logs warning if not. Fix function documentation. Fix unit test for added ulimit checks. spelling fix in header. Fix 384: (1) A minor request to improve the log (2) A minor bug in one log message. ipsecmod: Better logging for detecting a cycle when attaching the A/AAAA subquery. Merge 367 : DNSTAP log local address. With code from 365 and fixes 368 : dnstap does not log the DNS message ID for FORWARDER_QUERY. Fix to allow rpz with wildcard that applies to all TLDs at once. Fix for 367: rc_ports don't have ub_sock; skip cleaning up. Fix spurious errors about "Could not generate request: out of memory". The mesh detect cycle routine no longer wrongly stops the check when the calling mesh state is unique. Workaround for 439: prevent loops in the reuse rbtree. Debug output for 411 and 439: printout internal error and details. Fix parse of LOC RR type for decimetres. Fix 441: Minimal NSEC range not accepted for top level domains. Fix for 447: squelch connection refused tcp connection failures from the log, unless verbosity is high. Merge 449 from orbea: build: Add missing linker flags. Comment out nonworking OSX and IOS travis tests, vm fails to start. Fix compile error in listen_dnsport on Android. Fix memory leak reported by asan in rpz SOA record query name. Fix unused-function warning when compiling with --enable-dnscrypt. Fix for 367: fix memory leak when cannot bind to listening port. Reformat pythonmod/pythonmod_utils.{c,h}. Travis enable all tests again. Clang analyzer only a couple times, when there is a difference. homebrew updates disabled, so it does not hang. removed trailing slashes from configure paths. Moved iOS tests to allow-failure. travis, analyzer disabled on test without debug, that does not run anway. Turn off failing tests except one. Update iOS test to xcode image 12.2. Fix deprecation test to work for iOS TVOS and WatchOS, it uses CFLAGS and CPPFLAGS and also checks if the item is unavailable. Travis, fix script to fail when tasks fail. Travis, fix warning in ubsan compile. Fix configure Targetconfiditionals.h header check, to use compile. Fix that cachedb does not produce empty object files when disabled. Fix 429: Also fix end of transfer for http download of auth zones. Disable the use of stack-protector for cross compiled 32-bit windows builds; relates to 444. Fix stack-protector change to not override other CFLAGS options. Clean makedist.sh. Merge 460 from orbea: build: Link with the libtool archive. Fix to stop IPv6 PMTU discovery. Fix for 411: Depth protect for crash on deleted element timeout. rebuild configure to set EXTRALINK to libunbound.la for 460. Fix permission denied sendto log, squelch the log messages unless high verbosity is set. Fix (increase) verbosity level for iterator error log in processQueryTargets(). Fix that nxdomain synthesis does not happen above the stub or forward definition. Fix documentation comment for files previously residing in checkconf/. Remove unused functions worker_handle_reply and libworker_handle_reply. Merge 466 from FGasper: Support OpenSSLs that lack SSL_get0_alpn_selected. Fix 468: OpenSSL 1.0.1 can no longer build Unbound. Further fix for 468: detect SSL_CTX_set_alpn_protos for build with OpenSSL 1.0.1. Fix that testcode dohclient has OpenSSL initialisation calls. Fix compiler warning for signed/unsigned comparison for max_reuse_tcp_queries. Fix 481: Fix comment in configuration file. Fix to squelch tcp socket bind failures when the interface is gone. Rerun flex and bison. Fix for 367: only attempt to get the interface for queries that are no longer on the tcp_waiting_list. Add more logging for out-of-memory cases. Fix 485: Unbound occasionally reports broken stats. Remove case fallthrough from deprecate-rsa-1024 code. Merge 487: ifdef RLIMIT_AS in recently added check. Fix that auth-zone zonefiles use last TTL if no TTL is specified. Fix 489: Compile using MSYS2 MinGW 64-bit. Fix for 411, 439, 469: Reset the DNS message ID when moving queries between TCP streams. Refactor for uniform way to produce random DNS message IDs. Test code has -q option for quiet output. Fix 492: module-config respip missing in unbound.conf.5.in man page. Merges 494 from he32. For 492: Fix font highlighting for the man page on emacs. Merge 496 from banburybill: Use build system endianness if available, otherwise try to work it out. Fix test for zonemd-check option. Merge 448 from shoeper: Update unbound-control.8.in, fix rpz_disable typo. Fix 425: Document auth-zone supports communication with DNS primary on nondefault port. Fix unused variable warning when compiling with --enable-dnstap. Generated lexer and parser for 486; updated example.conf. Fix 413 (based on patch by k-ronny): unbound: does not compile on macOS 11.1-x86_64 host. Use host_os instead of target_os in configure for Darwin8 build. Fix 500: SPEC file in version 1.13.1 references version 1.4; unable to build RPM from source. Fix contrib/unbound.spec, fixed url and comment. Fix configure nonblocking test and onmingw test to use host. Merge 440 by kimheino: Various fixes to contrib/unbound_munin_ file. Fix a number of warnings reported by the gcc analyzer. Fix 495: Documentation or implementation of "verbosity" option. Fix 503: DNS over HTTPS response truncated. Fix warnings reported by the gcc analyzer. Add analyzer and port compile github workflow. Fix up permissions on rpl data file in tests. Fix testbound newline treatment in moment_read and tempfile write. Fix configure grep for reuseport default for failure. Fix compat ctime_r return value Fix configure does not require pkg-config if not needed. Fix unit test in the ctime_r calls for autotrust and in testbound. Fix auth zone download on windows to unlink before rename. Fix 506: Python Module Seems to Leak Memory if it Experiences an Unhandled Exception. Fix Wunused-result compile warnings. Fix compiler warnings for 491. Fix clang-analysis warnings for testcode/readzone.c. Merge 510 from ndptech: Don't call a function which hasn't been defined. Fix for 510: in depth, use ifdefs for windows api event calls. Fix spelling in doc/unbound.doxygen comment. Fix spelling in localzone.h comment. Fix unbound-control local_data and local_datas to print detailed syntax errors. review fix to remove duplicate error printout. Insert header into testcode/readzone.c, it was missing. Fix from lint for ignored return value. Fix for older parsers for function call in serve expired get cached. Fix that ldns_zone_new_frm_fp_l counts the line number for an empty line after a comment. Merge 512: unbound.service.in: upgrade hardening to latest standards. Fix readzone unknown type print for memory resize. Merge 513: Stream reuse, attempt to fix 411, 439, 469. This introduces a couple of fixes for the stream reuse functionality that could result in broken internal structures. Fix 515: Compilation against openssl 3.0.0 beta2 is failing to build unbound. For 515: Fix compilation with openssl 3.0.0 beta2, lib64 dir and SSL_get_peer_certificate. Move acx_nlnetlabs.m4 to version 41, with lib64 openssl dir check. Prepare for OpenSSL 3.0.0 provider API usage, move the sldns keyraw functions to produce EVP_PKEY results. Move RSA and DSA to use OpenSSL 3.0.0 API. Move ECDSA functions to use OpenSSL 3.0.0 API. iana portlist update. Fix verbose printout failure in tcp reuse unit test. Merge 517 from dyunwei: 420 breaks the mesh reply list function that need to reuse the dns answer. Annotate assertion into error printout; we think it may be an error, but the situation looks harmless. Fix sign comparison warning on FreeBSD. Listen to read or write events after the SSL handshake. Sticky events on windows would stick on read when write was needed. Merge 415 from sibeream: Use /proc/sys/net/ipv4/ip_local_port_range to determine available outgoing ports. (New --enable-linux-ip-local-port-range configuration option) Bump MAX_RESTART_COUNT to 11 from 8; in relation to 438. This allows longer CNAME chains in Unbound. In unit test use openssl set security level to allow keys in test. Fix static analysis warnings about localzone locks that are unused. Fix missing locks in zonemd unit test. Fix readzone compile under debug config. Fix out of sourcedir run of zonemd unit tests. Fix libnettle zonemd unit test. Fix unit test zonemd_reload for use in run_vm. Fix 520: Unbound 1.13.2rc1 fails to build python module. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.62 2021/02/09 08:32:17 he Exp $ a2 1 SHA1 (unbound-1.13.2.tar.gz) = b10eb3c6ac294a568001be993e7826d8cb2d857a @ 1.62 log @Update unbound to version 1.13.1. Pkgsrc changes: * none, other than checksums. Upstream changes: This release contains a number of bug fixes. There is added support for the EDNS Padding option (RFC7830 and RFC8467), and the EDNS NSID option (RFC 5001). Unbound control has added commands to enable and disable rpz processing. Reply callbacks have a start time passed to them that can be used to calculate time, these are callbacks for response processing. With the option serve-original-ttl the TTL served in responses is the original, not counted down, value, for when in front of authority service. Features - Merge PR #375 by fhriley: Add rpz_enable and rpz_disable commands to unbound-control. - Merge PR #391 from fhriley: Add start_time to reply callbacks so modules can compute the response time. - Fix #397: [Feature request] add new type always_null to local-zone similar to always_nxdomain. - Support for RFC5001: DNS Name Server Identifier (NSID) Option with the nsid: option in unbound.conf - Padding of queries and responses with DNS over TLS as specified in RFC7830 and RFC8467. - Merge PR #275 from Roland van Rijswijk-Deij: Add feature to return the original instead of a decrementing TTL ('serve-original-ttl') Bug Fixes - Fix #358: Squelch udp connect 'no route to host' errors on low verbosity. - Fix #360: for the additionally reported TCP Fast Open makes TCP connections fail, in that case we print a hint that this is happening with the error in the logs. - Fix #356: deadlock when listening tcp. - Fix unbound-dnstap-socket to not use log routine from interrupt handler and not print so frequently when invoked in sequence. - Fix on windows to ignore connection failure on UDP, unless verbose. - make depend. - Fix #371: unbound-control timeout when Unbound is not running. - Fix to squelch permission denied and other errors from remote host, they are logged at higher verbosity but not on low verbosity. - Merge PR #335 from fobser: Sprinkle in some static to prevent missing prototype warnings. - Merge PR #373 from fobser: Warning: arithmetic on a pointer to void is a GNU extension. - Fix missing prototypes in the code. - Fix error cases when udp-connect is set and send() returns an error (modified patch from Xin Li @@delphij). - For #376: Fix that comm point event is not double removed or double added to event map. - iana portlist updated. - Fix #385: autoconf 2.70 impacts unbound build - Fix #379: zone loading over HTTP appears to have buffer issues. - Merge PR #395 from mptre: add missing null check. - Fix #387: client-subnet-always-forward seems to effectively bypass any caching? - For #391: use struct timeval* start_time for callback information. - For #391: fix indentation. - For #391: more double casts in python start time calculation. - Add comment documentation. - Fix clang analysis warning. - Fix so local zone types always_nodata and always_deny can be used from the config file. - Merge #399 from xiangbao227: The lock of lruhash table should unlocked after markdel entry. - Fix for #93: dynlibmodule link fix for Windows. - Fix for #93: dynlibmodule import library is named libunbound.dll.a. - Merge #402 from fobser: Implement IPv4-Embedded addresses according to RFC6052. - Fix #404: DNS query with small edns bufsize fail. - Fix declaration before statement and signed comparison warning in dns64. - Fix TTL of SOA record for negative answers (localzone and authzone data) to be the minimum of the SOA TTL and the SOA.MINIMUM. - Fix compile of unbound-dnstap-socket without dnstap installed. - Merge PR #355 from noloader: Make ICANN Update CA and DS Trust Anchor static data. - Ignore cache blacklisting when trying to reply with expired data from cache (#394). - Merge PR #408 from fobser: Prevent a few more yacc clashes. - Annotate that we ignore the return value of if_indextoname. - Fix to use correct type for label count in rpz routine. - Fix empty clause warning in config_file nsid parse. - Fix to use correct type for label count in ipdnametoaddr rpz routine. - Fix empty clause warning in edns pass for padding. - Fix for doxygen 1.8.20 compatibility. - Attempt to fix NULL keys in the reuse_tcp tree; relates to #411. - Fix dynlibmod link on rhel8 for -ldl inclusion. - Fix windows dependency on libssp.dll because of default stack protector in mingw. - Fix indentation of root anchor for use by windows install script. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.61 2020/12/04 15:03:12 he Exp $ d3 4 a6 4 SHA1 (unbound-1.13.1.tar.gz) = 561522b06943f6d1c33bd78132db1f7020fc4fd1 RMD160 (unbound-1.13.1.tar.gz) = b6877d52a1de3407b59a004716736e1847f555a1 SHA512 (unbound-1.13.1.tar.gz) = f4d26dca28dbcc33a5e65a55147fa01077c331292e88b6a87798cb6c3d4edb0515015d131fd893c92b74d22d9998a640f0adce404e6192d61ebe69a6a599287c Size (unbound-1.13.1.tar.gz) = 5976957 bytes @ 1.61 log @Update unbound to version 1.13.0. Pkgsrc changes: * none, other than checksums. Upstream changes: This version has fixes to connect for UDP sockets, slowing down potential ICMP side channel leakage. The fix can be controlled with the option udp-connect: yes, it is enabled by default. Additionally CVE-2020-28935 is fixed, this solves a problem where the pidfile is altered by a symlink, and fails if a symlink is encountered. See https://nlnetlabs.nl/downloads/unbound/CVE-2020-28935.txt for more information. New features are upstream TCP and TLS query reuse, where a channel is reused for several queries. And http-notls-downstream: yesno for unencrypted DoH, useful for back end support servers. The option infra-keep-probing can be used to probe hosts that are down more frequently. The options edns-client-string and edns-client-string-opcode can be used to add an EDNS option with the specified string in queries towards servers, with the servers specified by IP address. It replaces the edns-client-tag option. The released version equals the 1.13.0rc4 with an added fix for stream reuse and tcp fast open. Features - Pass the comm_reply information to the inplace_cb_reply* functions during the mesh state and update the documentation on that. - Fix #330: [Feature request] Add unencrypted DNS over HTTPS support. This adds the option http-notls-downstream: yesno to change that, and the dohclient test code has the -n option. - Merge PR #228 : infra-keep-probing option to probe hosts that are down. Add infra-keep-probing: yes option. Hosts that are down are probed more frequently. With the option turned on, it probes about every 120 seconds, eventually after exponential backoff, and that keeps that way. If traffic keeps up for the domain. It probes with one at a time, eg. one query is allowed to probe, other queries within that 120 second interval are turned away. - Merge PR #313 from Ralph Dolmans: Replace edns-client-tag with edns-client-string option. - Merge PR #283 : Stream reuse. This implements upstream stream reuse for performing several queries over the same TCP or TLS channel. - Fix to connect() to UDP destinations, default turned on, this lowers vulnerability to ICMP side channels. Option to toggle udp-connect, default is enabled. Bug Fixes - Fix #319: potential memory leak on config failure, in rpz config. - Fix dnstap socket and the chroot not applied properly to the dnstap socket path. - Fix warning in libnss compile, nss_buf2dsa is not used without DSA. - Fix #323: unbound testsuite fails on mock build in systemd-nspawn if systemd support is build. - Fix for python reply callback to see mesh state reply_list member, it only removes it briefly for the commpoint call so that it does not drop it and attempt to modify the reply list during reply. - Fix that if there are on reply callbacks, those are called per reply and a new message created if that was modified by the call. - Free up auth zone parse region after use for lookup of host - Merge PR #326 from netblue30: DoH: implement content-length header field. - DoH content length, simplify code, remove declaration after statement and fix cast warning. - Fix that if there are reply callbacks for the given rcode, those are called per reply and a new message created if that was modified by the call. - Fix that the out of order TCP processing does not limit the number of outstanding queries over a connection. - Fix python documentation warning on functions.rst inplace_cb_reply. - Log ip address when http session recv fails, eg. due to tls fail. - Fix to set the tcp handler event toggle flag back to default when the handler structure is reused. - Clean the fix for out of order TCP processing limits on number of queries. It was tested to work. - Fix that http settings have colon in set_option, for http-endpoint, http-max-streams, http-query-buffer-size, http-response-buffer-size, and http-nodelay. - Fix memory leak of https port string when reading config. - local-zone regional allocations outside of chunk - Merge PR #324 from James Renken: Add modern X.509v3 extensions to unbound-control TLS certificates. - Fix for PR #324 to attach the x509v3 extensions to the client certificate. - Fix #327: net/if.h check fails on some darwin versions; contribution by Joshua Root. - Fix #320: potential memory corruption due to size miscomputation upton custom region alloc init. - Fix #333: Unbound Segmentation Fault w/ log_info Functions From Python Mod. - Fix that minimal-responses does not remove addresses from a priming query response. - In man page note that tls-cert-bundle is read before permission drop and chroot. - Fix #341: fixing a possible memory leak. - Fix memory leak after fix for possible memory leak failure. - Fix #343: Fail to build --with-libnghttp2 with error: 'SSIZE_MAX' undeclared. - Fix for #303 CVE-2020-28935 : Fix that symlink does not interfere with chown of pidfile. - Fix #347: IP_DONTFRAG broken on Apple xcode 12.2. - Fix #350: with the AF_NETLINK permission, to fix 1.12.0 error: failed to list interfaces: getifaddrs: Address family not supported by protocol. - Merge #351 from dvzrv: Add AF_NETLINK to set of allowed socket address families. - iana portlist updated. - Fix crash when TLS connection is closed prematurely, when reuse tree comparison is not properly identical to insertion. - Fix padding of struct regional for 32bit systems. - with udp-connect ignore connection refused with UDP timeouts. - Fix udp-connect on FreeBSD, do send calls on connected UDP socket. - Better fix for reuse tree comparison for is-tls sockets. Where the tree key identity is preserved after cleanup of the TLS state. - Fix memory leak for edns client tag opcode config element. - Attempt fix for libevent state in tcp reuse cases after a packet is written. - Fix readagain and writeagain callback functions for comm point cleanup. - Fix to omit UDP receive errors from log, if verbosity low. These happen because of udp-connect. - For #352: contrib/metrics.awk for Prometheus style metrics output. - Fix that after failed read, the readagain cannot activate. - Clear readagain upon decommission of pending tcp structure. - Fix compile warning for type cast in http2_submit_dns_response. - Fix when use free buffer to initialize rbtree for stream reuse. - Fix compile warnings for windows. - Fix compile warnings in rpz initialization. - Fix contrib/metrics.awk for FreeBSD awk compatibility. - Fix assertion failure on double callback when iterator loses interest in query at head of line that then has the tcp stream not kept for reuse. - Fix stream reuse and tcp fast open. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.60 2020/11/13 17:05:39 jperkin Exp $ d3 4 a6 4 SHA1 (unbound-1.13.0.tar.gz) = f38a10b1f302cb41787c68d98e9b89f0e7dce613 RMD160 (unbound-1.13.0.tar.gz) = cd40f23f7bbf084e97134d134a1a56c448eea50c SHA512 (unbound-1.13.0.tar.gz) = d4f3c5a7df5d46f8b1ee32b61e68bdc0d63030820d236ecc51bc3ac356d15248acb9a5e0b6009e1936b03b751e8dd05a071a95ab239fdbbbb308442a59642ad5 Size (unbound-1.13.0.tar.gz) = 5950063 bytes @ 1.60 log @unbound: Include limits.h for SSIZE_MAX. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.59 2020/10/08 07:30:39 he Exp $ d3 4 a6 4 SHA1 (unbound-1.12.0.tar.gz) = 68009078d5f5025c95a8c9fe20b9e84335d53e2d RMD160 (unbound-1.12.0.tar.gz) = 9a7e7e93ae21ac76567bfb457dd2111531fc395e SHA512 (unbound-1.12.0.tar.gz) = 90d99bc65e9ba62e50a7809dbf1e98889d0fc9fd50cf3cc99b726c67bcaeda0c2bc176d09f84771adb9796833b595591462f96e949d6969a47d6898d8fae3479 Size (unbound-1.12.0.tar.gz) = 5918399 bytes @ 1.59 log @Update net/unbound to version 1.12.0. Pkgsrc changes: * Add option for doh (DNS-over-HTTPS), default enabled. Upstream changes: This release contains the DNS Flag Day 2020 changes. This sets the default EDNS buffer size to 1232, that should reduce fragmentation. https://dnsflagday.net/2020/ There is inclusive language in the configuration. There is caps-exempt, ipsecmod-allow and primary server options for auth-zones. The older terms are accepted to keep configuration working. DNS-over-HTTPS is supported in this release. The DoH is enabled when Unbound is compiled with the nghttp2 library, with configure --with-libnghttp2. Then have an interface on the https port, that can be configured with the https-port option. Also have a cert and key available with the tls-service-key and tls-service-pem options. Further settings can be configured for the http-endpoint, http-max-streams, http-query-buffer-size, http-response-buffer-size and http-nodelay options. The max streams sets the maximum concurrent streams, the buffer size options the number of bytes in buffers, and the nodelay option can turn on TCP_NODELAY for DNS-over-HTTPS service. In the statistics the memory used is reported in mem.http.query_buffer and mem.http.response_buffer. The number of queries is reported in num.query.https, they are also included in the tcp and tls counts because https uses TLS and TCP. The DLV options and code to handle DLV lookups have been removed from the code base. The DLV repository is empty nowadays, it has been decommissioned. There is a new feature where it is possible to use interface names to bind to the IP addresses on that interface. It pulls in the addresses at the start of the server, if the addresses change, use the existing freebind and other socket options to register for addresses before they appear, or the interface-automatic option that copies them from queries to answers with ancillary data. There is a new option for the edns-tag draft specification. It can be enabled if you need the tentative implementation to add those tags to outgoing messages. Features - DNS Flag Day 2020: change edns-buffer-size default to 1232. - Merge PR #255: DNS-over-HTTPS support. - Use inclusive language in configuration - Merge PR #284 and Fix #246: Remove DLV entirely from Unbound. The DLV has been decommisioned and in unbound 1.5.4, in 2015, there was advise to stop using it. The current code base does not contain DLV code any more. The use of dlv options displays a warning. - Similar to NSD PR#113, implement that interface names can be used, eg. something like interface: eth0 is resolved at server start and uses the IP addresses for that named interface. - Merge PR #272: Add EDNS client tag functionality. - Add edns-client-tag-opcode option Bug Fixes - Merge PR #270 from cgzones: munin plugin: always exit 0 in autoconf - Merge PR #269, Fix python module len() implementations, by Torbjörn Lönnemark - Merge PR #268, draft-ietf-dnsop-serve-stale-10 has become RFC 8767 on March 2020, by and0x000. - Fix doxygen comment for no ssl for tls session ticket key callback routine. - Fix mini_event.h on OpenBSD cannot find fd_set. - Improve error log message when inserting rpz RR. - Merge PR #280, Make tvOS & watchOS checks verify truthiness as well as definedness, by Felipe Gasper. - contrib/aaaa-filter-iterator.patch file renewed diff content to apply cleanly to the current coderepo for the current code version. - Fix #287: doc typo: "Additionaly". - Merge (modified) PR #277, use EVP_MAC_CTX_set_params if available, by Vít#zslav #í#ek. - Create and init edns tags data for libunbound. - Fix stats double count issue (#289). - Fix that dnstap reconnects do not spam the log with the repeated attempts. Attempts on the timer are only logged on high verbosity, if they produce a connection failure error. - Fix to apply chroot to dnstap-socket-path, if chroot is enabled. - Change configure to use EVP_sha256 instead of HMAC_Update for openssl-3.0.0. - Update documentation in python example code. - Review fix interface, doxygen and assign null in case of error free. - Merge PR #293: Add missing prototype. Also refactor to use the new shorthand function to clean up the code. - Refactor to use sock_strerr shorthand function. - Fix #296: systemd nss-lookup.target is reached before unbound can successfully answer queries. Changed contrib/unbound.service.in. - Fix num.expired statistics output. - Remove x file mode on ipset/ipset.c and h files. - Spelling fix. - Introduce test for statistics. - Fix that prefer-ip4 and prefer-ip6 can be get and set with unbound-control, with libunbound and the unbound-checkconf option output function. - Merge PR #311 by luismerino: Dynlibmod leak. - Error message is logged for dynlibmod malloc failures. - iana portlist updated. - Fix #304: dnstap logging not recovering after dnstap process restarts - Fix edns-client-tags get_option typo - Fix #305: dnstap logging significantly affects unbound performance (regression in 1.11). - Fix #305: only wake up thread when threshold reached. - Fix to ifdef fptr wlist item for dnstap. - Fix memory leak of edns tags at libunbound context delete. - Fix double loopexit for unbound-dnstap-socket after sigterm. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.58 2020/05/19 08:39:31 he Exp $ d8 1 @ 1.58 log @Update unbound to version 1.10.1. Pkgsrc changes: * None. Upstream changes: This release fixes CVE-2020-12662 and CVE-2020-12663. Bug Fixes: - CVE-2020-12662 Unbound can be tricked into amplifying an incoming query into a large number of queries directed to a target. - CVE-2020-12663 Malformed answers from upstream name servers can be used to make Unbound unresponsive. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.57 2020/02/20 20:39:07 he Exp $ d3 4 a6 4 SHA1 (unbound-1.10.1.tar.gz) = 9932931d495248b4e45d278b4679efae29238772 RMD160 (unbound-1.10.1.tar.gz) = 0863b910a0d6dcc4eb38f31a455c439592cec2bc SHA512 (unbound-1.10.1.tar.gz) = d07f3ac0e751c17a3ff7d99518c22529cf6856861218564a2ca073422905525cb9ddaf76c9600187946fadb7324343bcd85c34ff06bd322e0ea621a2d258bb85 Size (unbound-1.10.1.tar.gz) = 5729334 bytes @ 1.57 log @Update unbound to version 1.10.0. (This time on the main CVS branch...) Pkgsrc changes: * Adjust line numbers in patch. Upstream changes: The 1.10.0 release has RPZ support and serve stale functionality according to draft draft-ietf-dnsop-serve-stale-10. And a number of other, smaller, features, and bug fixes. The DNS Response Policy Zones (RPZ) functionality makes it possible to express DNS response policies in a DNS zone. These zones can be loaded from file or transferred over DNS zone transfers or HTTP. The RPZ functionality in Unbound is implemented as specified in draft-vixie-dnsop-dns-rpz-00. Only the QNAME and Response IP Address triggers are supported. The supported RPZ actions are: NXDOMAIN, NODATA, PASSTHRU, DROP and Local Data. Enabling the respip module using `module-config` is required to use RPZ. Each RPZ zone can be configured using the `rpz` clause. RPZ clauses are applied in order of configuration. Unbound can get the data from zone transfer, a zonefile or https url, and more options are documented in the man page. A minimal RPZ configuration that will transfer the RPZ zone using AXFR and IXFR can look like: server: module-config: "respip validator iterator" rpz: name: "rpz.example.com" # name of the policy zone master: 192.0.2.0 # address of the name server to transfer from The serve-stale functionality as described in draft-ietf-dnsop-serve-stale-10 is now supported in unbound. This allows unbound to first try and resolve a domain name before replying with expired data from cache. This differs from unbound's initial serve-expired behavior which attempts to reply with expired entries from cache without waiting for the actual resolution to finish. Both behaviors are available and can be configured with the various serve-expired-* configuration options. serve-expired-client-timeout is the option that enables one or the other. The DSA algorithms have been disabled by default, this is because of RFC 8624. There is a crash fix in the parse of text of type WKS, reported by X41 D-Sec. In addition, neg and key caches can be shared with multiple libunbound contexts, a change that assists unwind. The contrib/unbound_portable.service provides a systemd start file for a portable setup. The configure --with-libbsd option allows the use of the bsd compatibility library so that it can use the arc4random from it. The stats in contrib/unbound_munin_ have num.query.tls and num.query.tls.resume added to them. For unbound-control the command view_local_datas_remove is added that removes data from a view. Features: - Merge RPZ support into master. Only QNAME and Response IP triggers are supported. - Added serve-stale functionality as described in draft-ietf-dnsop-serve-stale-10. `serve-expired-*` options can be used to configure the behavior. - Updated cachedb to honor `serve-expired-ttl`; Fixes #107. - Renamed statistic `num.zero_ttl` to `num.expired` as expired replies come with a configurable TTL value (`serve-expired-reply-ttl`). - Merge #135 from Florian Obser: Use passed in neg and key cache if non-NULL. - Fix #153: Disable validation for DSA algorithms. RFC 8624 compliance. - Merge PR#151: Fixes for systemd units, by Maryse47, Edmonds and Frzk. Updates the unbound.service systemd file and adds a portable systemd service file. - Merge PR#154; Allow use of libbsd functions with configure option --with-libbsd. By Robert Edmonds and Steven Chamberlain. - Merge PR#148; Add some TLS stats to unbound_munin_. By Fredrik Pettai. - Merge PR#156 from Alexander Berkes; Added unbound-control view_local_datas_remove command. Bug Fixes: - Fix typo to let serve-expired-ttl work with ub_ctx_set_option(), by Florian Obser - Update mailing list URL. - Fix #140: Document slave not downloading new zonefile upon update. - Downgrade compat/getentropy_solaris.c to version 1.4 from OpenBSD. The dl_iterate_phdr() function introduced in newer versions raises compilation errors on solaris 10. - Changes to compat/getentropy_solaris.c for, ifdef stdint.h inclusion for older systems. ifdef sha2.h inclusion for older systems. - Fix 'make test' to work for --disable-sha1 configure option. - Fix out-of-bounds null-byte write in sldns_bget_token_par while parsing type WKS, reported by Luis Merino from X41 D-Sec. - Updated sldns_bget_token_par fix for also space for the zero delimiter after the character. And update for more spare space. - Fix #138: stop binding pidfile inside chroot dir in systemd service file. - Fix the relationship between serve-expired and prefetch options, patch from Saksham Manchanda from Secure64. - Fix unreachable code in ssl set options code. - Removed the dnscrypt_queries and dnscrypt_queries_chacha tests, because dnscrypt-proxy (2.0.36) does not support the test setup any more, and also the config file format does not seem to have the appropriate keys to recreate that setup. - Fix crash after reload where a stats lookup could reference old key cache and neg cache structures. - Fix for memory leak when edns subnet config options are read when compiled without edns subnet support. - Fix auth zone support for NSEC3 records without salt. - Merge PR#150 from Frzk: Systemd unit without chroot. It add contrib/unbound_nochroot.service.in, a systemd file for use with chroot: "", see comments in the file, it uses systemd protections instead. It was superceded by #151, the unbound_portable.service file. - Merge PR#155 from Robert Edmonds: contrib/libunbound.pc.in: Fixes to Libs/Requires for crypto library dependencies. - iana portlist updated. - Fix to silence the tls handshake errors for broken pipe and reset by peer, unless verbosity is set to 2 or higher. - Merge PR#147; change rfc reference for reserved top level dns names. - Fix #157: undefined reference to `htobe64'. - Fix subnet tests for disabled DSA algorithm by default. - Update contrib/fastrpz.patch for clean diff with current code. - updated .gitignore for added contrib file. - Add build rule for ipset to Makefile - Add getentropy_freebsd.o to Makefile dependencies. - Fix memory leak in error condition remote.c - Fix double free in error condition view.c - Fix memory leak in do_auth_zone_transfer on success - Stop working on socket when socket() call returns an error. - Check malloc return values in TLS session ticket code - Fix fclose on error in TLS session ticket code. - Add assertion to please static analyzer - Fixed stats when replying with cached, cname-aliased records. - Added missing default values for redis cachedb backend. - Fix num_reply_addr counting in mesh and tcp drop due to size after serve_stale commit. - Fix to create and destroy rpz_lock in auth_zones structure. - Fix to lock zone before adding rpz qname trigger. - Fix to lock and release once in mesh_serve_expired_lookup. - Fix to put braces around empty if body when threading is disabled. - Fix num_reply_states and num_detached_states counting with serve_expired_callback. - Cleaner code in mesh_serve_expired_lookup. - Document in unbound.conf manpage that configuration clauses can be repeated in the configuration file. - Document 'ub_result.was_ratelimited' in libunbound. - Fix use after free on log-identity after a reload; Fixes #163. - Fix with libnettle make test with dsa disabled. - Fix contrib/fastrpz.patch to apply cleanly. Fix for serve-stale fixes, but it does not compile, conflicts with new rpz code. - Fix to clean memory leak of respip_addr.lock when ip_tree deleted. - Fix compile warning when threads disabled. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.56 2019/12/12 14:26:38 he Exp $ d3 4 a6 4 SHA1 (unbound-1.10.0.tar.gz) = 2c175131f7f4c8f6fd2be4a03073d864596d0be6 RMD160 (unbound-1.10.0.tar.gz) = 10742b2cb66be0965553e8461f1f5abdeb4b4593 SHA512 (unbound-1.10.0.tar.gz) = a64514990f5d614d749045a11f5ce9bb33cf856cc31895b4db3503f2b05a98f1ca57945b17dd7ec5befbd0c356fc42a717d3e2bae3d3510a0507d0445b1f6d59 Size (unbound-1.10.0.tar.gz) = 5727902 bytes @ 1.57.2.1 log @Pullup ticket #6204 - requested by he net/unbound: security fix Revisions pulled up: - net/unbound/Makefile 1.78 - net/unbound/distinfo 1.58 --- Module Name: pkgsrc Committed By: he Date: Tue May 19 08:39:31 UTC 2020 Modified Files: pkgsrc/net/unbound: Makefile distinfo Log Message: Update unbound to version 1.10.1. Pkgsrc changes: * None. Upstream changes: This release fixes CVE-2020-12662 and CVE-2020-12663. Bug Fixes: - CVE-2020-12662 Unbound can be tricked into amplifying an incoming query into a large number of queries directed to a target. - CVE-2020-12663 Malformed answers from upstream name servers can be used to make Unbound unresponsive. @ text @d1 1 a1 1 $NetBSD$ d3 4 a6 4 SHA1 (unbound-1.10.1.tar.gz) = 9932931d495248b4e45d278b4679efae29238772 RMD160 (unbound-1.10.1.tar.gz) = 0863b910a0d6dcc4eb38f31a455c439592cec2bc SHA512 (unbound-1.10.1.tar.gz) = d07f3ac0e751c17a3ff7d99518c22529cf6856861218564a2ca073422905525cb9ddaf76c9600187946fadb7324343bcd85c34ff06bd322e0ea621a2d258bb85 Size (unbound-1.10.1.tar.gz) = 5729334 bytes @ 1.56 log @Update unbound to version 1.9.6 Pkgsrc changes: * Remove now integrated patch. Upstream changes: This release contains a number of security related fixes, contributed by X41 D-Sec. They have conducted a security audit of Unbound, funded by OSTIF. The previous CVEs fixed in 1.9.4 and 1.9.5 were the most important ones, less important fixes and side findings for more robust code have been included in this release, alongside a normal number of bug fixes. The sort order for included config snippets is now ascending by name, it previously was reversed due to an oversight. Most config snippets do not depend on the order as they add a stub or forward zone or some server: section config entries. Features: - The unbound.conf includes are sorted ascending, for include statements with a '*' from glob. - drop-tld.diff in contrib/ : adds option drop-tld: yesno that drops 2 label queries, to stop random floods. Apply with patch -p1 < contrib/drop-tld.diff and compile. From Saksham Manchanda (Secure64). Please note that we think this will drop DNSKEY and DS lookups for tlds and hence break DNSSEC lookups for downstream clients. - Add new configure option `--enable-fully-static` to enable full static build if requested; in relation to #91. - Add make distclean that removes everything configure produced, and make maintainer-clean that removes bison and flex output. - unbound-fuzzers.tar.bz2 in contrib/ : three programs for fuzzing, that are 1:1 replacements for unbound-fuzzme.c that gets created after applying the contrib/unbound-fuzzme.patch. They are contributed by Eric Sesterhenn from X41 D-Sec. Bug Fixes: - Fix that pkg-config is setup before --enable-systemd needs it. - Fix contrib/fastrpz.patch asprintf return value checks. - ipset module #28: log that an address is added, when verbosity high. - ipset: refactor long routine into three smaller ones. - updated Makefile dependencies. - squelch DNS over TLS errors 'ssl handshake failed crypto error' on low verbosity, they show on verbosity 3 (query details), because there is a high volume and the operator cannot do anything for the remote failure. Specifically filters the high volume errors. - Fix #71: fix openssl error squelch commit compilation error. - Fix #72: configure --with-syslog-facility=LOCAL0-7 with default LOG_DAEMON (as before) can set the syslog facility that the server uses to log messages. - Use explicit bzero for wiping clear buffer of hash in cachedb, reported by Eric Sesterhenn from X41 D-Sec. - Fix #78: Memory leak in outside_network.c. - Merge pull request #76 from Maryse47: Improvements and fixes for systemd unbound.service. - oss-fuzz badge on README.md. - Fix fix for #78 to also free service callback struct. - Fix for oss-fuzz build warning. - Fix wrong response ttl for prepended short CNAME ttls, this would create a wrong zero_ttl response count with serve-expired enabled. - Merge #80 from stasic: Improve wording in man page. - Merge #82 from hardfalcon: Downgrade CAP_NET_ADMIN to CAP_NET_RAW in unbound.service. - Merge #81 from Maryse47: Consistently use /dev/urandom instead of /dev/random in scripts and docs. - Merge #83 from Maryse47: contrib/unbound.service.in: do not fork into the background. - Merge #85 for #84 from sam-lunt: Add kill capability to systemd service file to fix that systemctl reload fails. - Merge #87 from hardfalcon: Fix contrib/unbound.service.in, Drop CAP_KILL, use + prefix for ExecReload= instead. - Merge #90 from vcunat: fix build with nettle-3.5. - Fix for CVE-2019-16866. That fix is also in 1.9.4. - Merge #86 from psquarejho: Added -b source address option to smallapp/unbound-anchor.c, from Lukas Wunner. - Add doxygen comments to unbound-anchor source address code, in #86. - Merge #97: manpage: Add missing word on unbound.conf, from Erethon. - Fix #99: Memory leak in ub_ctx (event_base will never be freed). - Fix #109: check number of arguments for stdin-pipes in unbound-control and fail if too many arguments. - Merge #102 from jrtc27: Add getentropy emulation for FreeBSD. - iana portlist updated. - contrib/fastrpz.patch updated to apply for current code. - fixes for splint cleanliness, long vs int in SSL set_mode. - In unbound-host use separate variable for get_option to please code checkers. - update to bison output of 3.4.1 in code repository. - Provide a prototype for compat malloc to remove compile warning. - Portable grep usage for reuseport configure test. - Check return type of HMAC_Init_ex for openssl 0.9.8. - gitignore .source tempfile used for compatible make. - Fix for CVE-2019-18934, shell execution in ipsecmod. This fix is also in 1.9.5. - Fix authzone printout buffer length check. - Fixes to please lint checks. - Fix Integer Overflow in Regional Allocator, reported by X41 D-Sec. - Fix Unchecked NULL Pointer in dns64_inform_super() and ipsecmod_new(), reported by X41 D-Sec. - Fix Out-of-bounds Read in rr_comment_dnskey(), reported by X41 D-Sec. - Fix Integer Overflows in Size Calculations, reported by X41 D-Sec. - Fix Integer Overflow to Buffer Overflow in sldns_str2wire_dname_buf_origin(), reported by X41 D-Sec. - Fix Out of Bounds Read in sldns_str2wire_dname(), reported by X41 D-Sec. - Fix Out of Bounds Write in sldns_bget_token_par(), reported by X41 D-Sec. - Fix Out of Bounds Read in rrinternal_get_owner(), reported by X41 D-Sec. - Fix Race Condition in autr_tp_create(), reported by X41 D-Sec. - Fix Shared Memory World Writeable, reported by X41 D-Sec. - Adjust unbound-control to make stats_shm a read only operation. - Fix Weak Entropy Used For Nettle, reported by X41 D-Sec. - Fix Randomness Error not Handled Properly, reported by X41 D-Sec. - Fix Out-of-Bounds Read in dname_valid(), reported by X41 D-Sec. - Fix Config Injection in create_unbound_ad_servers.sh, reported by X41 D-Sec. - Fix Local Memory Leak in cachedb_init(), reported by X41 D-Sec. - Fix Integer Underflow in Regional Allocator, reported by X41 D-Sec. - Upgrade compat/getentropy_linux.c to version 1.46 from OpenBSD. - Synchronize compat/getentropy_win.c with version 1.5 from OpenBSD, no changes but makes the file, comments, identical. - Upgrade compat/getentropy_solaris.c to version 1.13 from OpenBSD. - Upgrade compat/getentropy_osx.c to version 1.12 from OpenBSD. - Changes to compat/getentropy files for, no link to openssl if using nettle, and hence config.h for HAVE_NETTLE variable. compat definition of MAP_ANON, for older systems. ifdef stdint.h inclusion for older systems. ifdef sha2.h inclusion for older systems. - Fixed Compat Code Diverging from Upstream, reported by X41 D-Sec. - Fix compile with --enable-alloc-checks, reported by X41 D-Sec. - Fix Terminating Quotes not Written, reported by X41 D-Sec. - Fix Useless memset() in validator, reported by X41 D-Sec. - Fix Unrequired Checks, reported by X41 D-Sec. - Fix Enum Name not Used, reported by X41 D-Sec. - Fix NULL Pointer Dereference via Control Port, reported by X41 D-Sec. - Fix Bad Randomness in Seed, reported by X41 D-Sec. - Fix python examples/calc.py for eval, reported by X41 D-Sec. - Fix comments for doxygen in dns64. - Fix dname loop maximum, reported by Eric Sesterhenn from X41 D-Sec. - Fix compiler warnings. - Merge pull request #122 from he32: In tcp_callback_writer(), don't disable time-out when changing to read. - Merge pull request #124 from rmetrich: Changed log lock from 'quick' to 'basic' because this is an I/O lock. - Fix text around serial arithmatic used for RRSIG times to refer to correct RFC number. - Fix Assert Causing DoS in synth_cname(), reported by X41 D-Sec. - Fix similar code in auth_zone synth cname to add the extra checks. - Fix Assert Causing DoS in dname_pkt_copy(), reported by X41 D-Sec. - Fix OOB Read in sldns_wire2str_dname_scan(), reported by X41 D-Sec. - Fix Out of Bounds Write in sldns_str2wire_str_buf(), reported by X41 D-Sec. - Fix Out of Bounds Write in sldns_b64_pton(), fixed by check in sldns_str2wire_int16_data_buf(), reported by X41 D-Sec. - Fix Insufficient Handling of Compressed Names in dname_pkt_copy(), reported by X41 D-Sec. - Fix Out of Bound Write Compressed Names in rdata_copy(), reported by X41 D-Sec. - Fix Hang in sldns_wire2str_pkt_scan(), reported by X41 D-Sec. This further lowers the max to 256. - Fix snprintf() supports the n-specifier, reported by X41 D-Sec. - Fix Bad Indentation, in dnscrypt.c, reported by X41 D-Sec. - Fix Client NONCE Generation used for Server NONCE, reported by X41 D-Sec. - Fix compile error in dnscrypt. - Fix _vfixed not Used, removed from sbuffer code, reported by X41 D-Sec. - Fix Hardcoded Constant, reported by X41 D-Sec. - make depend - Fix lock type for memory purify log lock deletion. - Fix testbound for alloccheck runs, memory purify and lock checks. - update contrib/fastrpz.patch to apply more cleanly. - Fix Make Test Fails when Configured With --enable-alloc-nonregional, reported by X41 D-Sec. - Fix ipsecmod compile - Fix Makefile.in for ipset module compile, from Adi Prasaja. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.55 2019/12/03 08:08:58 he Exp $ d3 5 a7 5 SHA1 (unbound-1.9.6.tar.gz) = b6af3dc87ec3b372f96390c2527140ab8679fc18 RMD160 (unbound-1.9.6.tar.gz) = 91d58d5eb3e4341ae816612795cc546559914138 SHA512 (unbound-1.9.6.tar.gz) = 39a60f51da912ed25d247bc1e882b1242d80a63b0c2b3f753d38ed558f3a24691267375136ff6d85e5945a98ca0c4ac87e43e131c97737a355374dde64259951 Size (unbound-1.9.6.tar.gz) = 5680145 bytes SHA1 (patch-configure) = eabd0c478e92ebe37adf143849389e0e792dc77f @ 1.56.4.1 log @Update unbound to version 1.10.0. Pkgsrc changes: * Adjust line numbers in patch. Upstream changes: The 1.10.0 release has RPZ support and serve stale functionality according to draft draft-ietf-dnsop-serve-stale-10. And a number of other, smaller, features, and bug fixes. The DNS Response Policy Zones (RPZ) functionality makes it possible to express DNS response policies in a DNS zone. These zones can be loaded from file or transferred over DNS zone transfers or HTTP. The RPZ functionality in Unbound is implemented as specified in draft-vixie-dnsop-dns-rpz-00. Only the QNAME and Response IP Address triggers are supported. The supported RPZ actions are: NXDOMAIN, NODATA, PASSTHRU, DROP and Local Data. Enabling the respip module using `module-config` is required to use RPZ. Each RPZ zone can be configured using the `rpz` clause. RPZ clauses are applied in order of configuration. Unbound can get the data from zone transfer, a zonefile or https url, and more options are documented in the man page. A minimal RPZ configuration that will transfer the RPZ zone using AXFR and IXFR can look like: server: module-config: "respip validator iterator" rpz: name: "rpz.example.com" # name of the policy zone master: 192.0.2.0 # address of the name server to transfer from The serve-stale functionality as described in draft-ietf-dnsop-serve-stale-10 is now supported in unbound. This allows unbound to first try and resolve a domain name before replying with expired data from cache. This differs from unbound's initial serve-expired behavior which attempts to reply with expired entries from cache without waiting for the actual resolution to finish. Both behaviors are available and can be configured with the various serve-expired-* configuration options. serve-expired-client-timeout is the option that enables one or the other. The DSA algorithms have been disabled by default, this is because of RFC 8624. There is a crash fix in the parse of text of type WKS, reported by X41 D-Sec. In addition, neg and key caches can be shared with multiple libunbound contexts, a change that assists unwind. The contrib/unbound_portable.service provides a systemd start file for a portable setup. The configure --with-libbsd option allows the use of the bsd compatibility library so that it can use the arc4random from it. The stats in contrib/unbound_munin_ have num.query.tls and num.query.tls.resume added to them. For unbound-control the command view_local_datas_remove is added that removes data from a view. Features: - Merge RPZ support into master. Only QNAME and Response IP triggers are supported. - Added serve-stale functionality as described in draft-ietf-dnsop-serve-stale-10. `serve-expired-*` options can be used to configure the behavior. - Updated cachedb to honor `serve-expired-ttl`; Fixes #107. - Renamed statistic `num.zero_ttl` to `num.expired` as expired replies come with a configurable TTL value (`serve-expired-reply-ttl`). - Merge #135 from Florian Obser: Use passed in neg and key cache if non-NULL. - Fix #153: Disable validation for DSA algorithms. RFC 8624 compliance. - Merge PR#151: Fixes for systemd units, by Maryse47, Edmonds and Frzk. Updates the unbound.service systemd file and adds a portable systemd service file. - Merge PR#154; Allow use of libbsd functions with configure option --with-libbsd. By Robert Edmonds and Steven Chamberlain. - Merge PR#148; Add some TLS stats to unbound_munin_. By Fredrik Pettai. - Merge PR#156 from Alexander Berkes; Added unbound-control view_local_datas_remove command. Bug Fixes: - Fix typo to let serve-expired-ttl work with ub_ctx_set_option(), by Florian Obser - Update mailing list URL. - Fix #140: Document slave not downloading new zonefile upon update. - Downgrade compat/getentropy_solaris.c to version 1.4 from OpenBSD. The dl_iterate_phdr() function introduced in newer versions raises compilation errors on solaris 10. - Changes to compat/getentropy_solaris.c for, ifdef stdint.h inclusion for older systems. ifdef sha2.h inclusion for older systems. - Fix 'make test' to work for --disable-sha1 configure option. - Fix out-of-bounds null-byte write in sldns_bget_token_par while parsing type WKS, reported by Luis Merino from X41 D-Sec. - Updated sldns_bget_token_par fix for also space for the zero delimiter after the character. And update for more spare space. - Fix #138: stop binding pidfile inside chroot dir in systemd service file. - Fix the relationship between serve-expired and prefetch options, patch from Saksham Manchanda from Secure64. - Fix unreachable code in ssl set options code. - Removed the dnscrypt_queries and dnscrypt_queries_chacha tests, because dnscrypt-proxy (2.0.36) does not support the test setup any more, and also the config file format does not seem to have the appropriate keys to recreate that setup. - Fix crash after reload where a stats lookup could reference old key cache and neg cache structures. - Fix for memory leak when edns subnet config options are read when compiled without edns subnet support. - Fix auth zone support for NSEC3 records without salt. - Merge PR#150 from Frzk: Systemd unit without chroot. It add contrib/unbound_nochroot.service.in, a systemd file for use with chroot: "", see comments in the file, it uses systemd protections instead. It was superceded by #151, the unbound_portable.service file. - Merge PR#155 from Robert Edmonds: contrib/libunbound.pc.in: Fixes to Libs/Requires for crypto library dependencies. - iana portlist updated. - Fix to silence the tls handshake errors for broken pipe and reset by peer, unless verbosity is set to 2 or higher. - Merge PR#147; change rfc reference for reserved top level dns names. - Fix #157: undefined reference to `htobe64'. - Fix subnet tests for disabled DSA algorithm by default. - Update contrib/fastrpz.patch for clean diff with current code. - updated .gitignore for added contrib file. - Add build rule for ipset to Makefile - Add getentropy_freebsd.o to Makefile dependencies. - Fix memory leak in error condition remote.c - Fix double free in error condition view.c - Fix memory leak in do_auth_zone_transfer on success - Stop working on socket when socket() call returns an error. - Check malloc return values in TLS session ticket code - Fix fclose on error in TLS session ticket code. - Add assertion to please static analyzer - Fixed stats when replying with cached, cname-aliased records. - Added missing default values for redis cachedb backend. - Fix num_reply_addr counting in mesh and tcp drop due to size after serve_stale commit. - Fix to create and destroy rpz_lock in auth_zones structure. - Fix to lock zone before adding rpz qname trigger. - Fix to lock and release once in mesh_serve_expired_lookup. - Fix to put braces around empty if body when threading is disabled. - Fix num_reply_states and num_detached_states counting with serve_expired_callback. - Cleaner code in mesh_serve_expired_lookup. - Document in unbound.conf manpage that configuration clauses can be repeated in the configuration file. - Document 'ub_result.was_ratelimited' in libunbound. - Fix use after free on log-identity after a reload; Fixes #163. - Fix with libnettle make test with dsa disabled. - Fix contrib/fastrpz.patch to apply cleanly. Fix for serve-stale fixes, but it does not compile, conflicts with new rpz code. - Fix to clean memory leak of respip_addr.lock when ip_tree deleted. - Fix compile warning when threads disabled. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.56 2019/12/12 14:26:38 he Exp $ d3 5 a7 5 SHA1 (unbound-1.10.0.tar.gz) = 2c175131f7f4c8f6fd2be4a03073d864596d0be6 RMD160 (unbound-1.10.0.tar.gz) = 10742b2cb66be0965553e8461f1f5abdeb4b4593 SHA512 (unbound-1.10.0.tar.gz) = a64514990f5d614d749045a11f5ce9bb33cf856cc31895b4db3503f2b05a98f1ca57945b17dd7ec5befbd0c356fc42a717d3e2bae3d3510a0507d0445b1f6d59 Size (unbound-1.10.0.tar.gz) = 5727902 bytes SHA1 (patch-configure) = a949bdb26b37950c0301946af4521c9d0e984cf9 @ 1.56.4.2 log @Sorry, the 1.10.0 update was mistakenly committed to pkgsrc-2019Q4 branch, reverted. Thanks to leot@@ for alerting me. @ text @d3 5 a7 5 SHA1 (unbound-1.9.6.tar.gz) = b6af3dc87ec3b372f96390c2527140ab8679fc18 RMD160 (unbound-1.9.6.tar.gz) = 91d58d5eb3e4341ae816612795cc546559914138 SHA512 (unbound-1.9.6.tar.gz) = 39a60f51da912ed25d247bc1e882b1242d80a63b0c2b3f753d38ed558f3a24691267375136ff6d85e5945a98ca0c4ac87e43e131c97737a355374dde64259951 Size (unbound-1.9.6.tar.gz) = 5680145 bytes SHA1 (patch-configure) = eabd0c478e92ebe37adf143849389e0e792dc77f @ 1.55 log @Apply a fix from upstream: https://github.com/NLnetLabs/unbound/pull/122 which fixes https://github.com/NLnetLabs/unbound/issues/125 Briefly: TCP socket timeouts would effectively be disabled after the exchange of the initial DNS query/response. Bump PKGREVISION. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.54 2019/11/19 10:10:44 he Exp $ d3 4 a6 4 SHA1 (unbound-1.9.5.tar.gz) = e5a417fe46e5f2911b91e5ec6bbedc2ed14d9d0b RMD160 (unbound-1.9.5.tar.gz) = a49319ccc743709687792a57f1796acfa22e791e SHA512 (unbound-1.9.5.tar.gz) = 0b198b49165b25c93899ca41fead67c479e5b6fd255f7e2af6930f4b9898c73d8a72caf376fce9a2a33199d0764db58388371c3fdbd442999ddfdb0b8b5394ea Size (unbound-1.9.5.tar.gz) = 5686689 bytes a7 1 SHA1 (patch-util_netevent.c) = 3fba509f23d74fce18e45ffe1fcdb97ad609be46 @ 1.54 log @Update unbound to version 1.9.5 Pkgsrc changes: * None. Upstream changes: Bug Fixes: - Fix CVE-2019-18934. A vulnerability might cause shell code execution with use of the "ipsecmod" feature under specific conditions. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.53 2019/10/03 09:44:38 he Exp $ d8 1 @ 1.53 log @Update unbound to version 1.9.4 Pkgsrc changes: * None. Upstream changes: Bug Fixes: - Fix CVE-2019-16866. An error in parsing NOTIFY queries may cause unbound to continue processing malformed queries and may ultimately result in a pointer de-reference in un-initialized memory, causing a crash of unbound. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.52 2019/08/27 09:25:25 he Exp $ d3 4 a6 4 SHA1 (unbound-1.9.4.tar.gz) = 364724dc2fe73cb7b45feeabdbfdff02271c5df7 RMD160 (unbound-1.9.4.tar.gz) = b566322d636513c89940b8ab18b787d739586ff6 SHA512 (unbound-1.9.4.tar.gz) = 44021014c944fc01a1f5f9afd77145f5554a3282cc2bfd54526fc4f88346f497c847ddb72bafa155d7e6e5dd02b6bb031836ead4408977d4e4b5b3290dffea9c Size (unbound-1.9.4.tar.gz) = 5686242 bytes @ 1.52 log @Update unbound to version 1.9.3 Upstream changes: This release has a number of bug fixes. Added is the ipset module, that helps add ip-addresses that are looked up in a domain to a firewall ip-address filter. Also, the python module has restart next, per-query data and multiple instance support. The unbound -V option has been added and it prints the build config. Features: - PR #28: IPSet module, by Kevin Chou. Created a module to support the ipset that could add the domain's ip to a list easily. Needs libmnl, and --enable-ipset and config it, doc/README.ipset.md. - Merge PR #6: Python module: support multiple instances - Merge PR #5: Python module: define constant MODULE_RESTART_NEXT - Merge PR #4: Python module: assign something useful to the per-query data store 'qdata' - Introduce `-V` option to print the version number and build options. Previously reported build options like linked libs and linked modules are now moved from `-h` to `-V` as well for consistency. - PACKAGE_BUGREPORT now also includes link to GitHub issues. Bug Fixes: - Fix #39: In libunbound, leftover logfile is close()d unpredictably. - Fix for #24: Fix abort due to scan of auth zone masters using old address from previous scan. - Fix to omit RRSIGs from addition to the ipset. - Fix to make unbound-control with ipset, remove unused variable, use unsigned type because of comparison, and assign null instead of compare with it. Remade lex and yacc output. - make depend - Added documentation to the ipset files (for doxygen output). - Fix python dict reference and double free in config. - Fix memleak in unit test, reported from the clang 8.0 static analyzer. - For #45, check that 127.0.0.1 and ::1 are not used in unbound.conf when do-not-query-localhost is turned on, or at default on, unbound-checkconf prints a warning if it is found in forward-addr or stub-addr statements. - Fix for possible assertion failure when answering respip CNAME from cache. - Fix in respip addrtree selection. Absence of addr_tree_init_parents() call made it impossible to go up the tree when the matching netmask is too specific. - Fix #48: Unbound returns additional records on NODATA response, if minimal-responses is enabled, also the additional for negative responses is removed. - Fix #49: Set no renegotiation on the SSL context to stop client session renegotiation. - Fix question section mismatch in local zone redirect. - Add verbose log message when auth zone file is written, at level 4. - Add hex print of trust anchor pointer to trust anchor file temp name to make it unique, for libunbound created multiple contexts. - For #52 #53, second context does not close logfile override. - Fix #52 #53, fix for example fail program. - Fix to return after failed auth zone http chunk write. - Fix to remove unused test for task_probe existance. - Fix to timeval_add for remaining second in microseconds. - Check repinfo in worker_handle_request, if null, drop it. - Generate configlexer with newer flex. - Fix warning for unused variable for compilation without systemd. - Fix #59, when compiled with systemd support check that we can properly communicate with systemd through the `NOTIFY_SOCKET`. - iana portlist updated. - Fix autotrust temp file uniqueness windows compile. - avoid warning about upcast on 32bit systems for autotrust. - escape commandline contents for -V. - Fix character buffer size in ub_ctx_hosts. - Option -V prints if TCP fastopen is available. - Fix unittest valgrind false positive uninitialised value report, where if gcc 9.1.1 uses -O2 (but not -O1) then valgrind 3.15.0 issues an uninitialised value for the token buffer at the str2wire.c rrinternal_get_owner() strcmp with the '@@' value. Rewritten to use straight character comparisons removes the false positive. Also valgrinds --expensive-definedness-checks=yes can stop this false positive. - Please doxygen's parser for "@@" occurrence in doxygen comment. - Fixup contrib/fastrpz.patch - Remove warning about unknown cast-function-type warning pragma. - Document limitation of pidfile removal outside of chroot directory. - Fix log_dns_msg to log irrespective of minimal responses config. - Fix that pkg-config is setup before --enable-systemd needs it. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.51 2019/06/17 09:49:08 he Exp $ d3 4 a6 4 SHA1 (unbound-1.9.3.tar.gz) = cc3081c042511468177e36897f0c7f0a155493fa RMD160 (unbound-1.9.3.tar.gz) = 2c589c79cf7ab5aa50b28f61d5f4e2ff62543af5 SHA512 (unbound-1.9.3.tar.gz) = 21e14dc1577adbe502a262d7fbe9aae0cd389cd9c0b822246beadf00f0ee875e268eeb3ce820433cbb01495d6b182c334b34b63b1bc33b08589a230810ccfe90 Size (unbound-1.9.3.tar.gz) = 5686017 bytes @ 1.52.2.1 log @Pullup ticket #6062 - requested by he net/unbound: security fix Revisions pulled up: - net/unbound/Makefile 1.70 - net/unbound/distinfo 1.53 --- Module Name: pkgsrc Committed By: he Date: Thu Oct 3 09:44:38 UTC 2019 Modified Files: pkgsrc/net/unbound: Makefile distinfo Log Message: Update unbound to version 1.9.4 Pkgsrc changes: * None. Upstream changes: Bug Fixes: - Fix CVE-2019-16866. An error in parsing NOTIFY queries may cause unbound to continue processing malformed queries and may ultimately result in a pointer de-reference in un-initialized memory, causing a crash of unbound. @ text @d1 1 a1 1 $NetBSD$ d3 4 a6 4 SHA1 (unbound-1.9.4.tar.gz) = 364724dc2fe73cb7b45feeabdbfdff02271c5df7 RMD160 (unbound-1.9.4.tar.gz) = b566322d636513c89940b8ab18b787d739586ff6 SHA512 (unbound-1.9.4.tar.gz) = 44021014c944fc01a1f5f9afd77145f5554a3282cc2bfd54526fc4f88346f497c847ddb72bafa155d7e6e5dd02b6bb031836ead4408977d4e4b5b3290dffea9c Size (unbound-1.9.4.tar.gz) = 5686242 bytes @ 1.52.2.2 log @Pullup ticket #6093 - requested by he net/unbound: security fix Revisions pulled up: - net/unbound/Makefile 1.72 - net/unbound/distinfo 1.54 --- Module Name: pkgsrc Committed By: he Date: Tue Nov 19 10:10:44 UTC 2019 Modified Files: pkgsrc/net/unbound: Makefile distinfo Log Message: Update unbound to version 1.9.5 Pkgsrc changes: * None. Upstream changes: Bug Fixes: - Fix CVE-2019-18934. A vulnerability might cause shell code execution with use of the "ipsecmod" feature under specific conditions. @ text @d3 4 a6 4 SHA1 (unbound-1.9.5.tar.gz) = e5a417fe46e5f2911b91e5ec6bbedc2ed14d9d0b RMD160 (unbound-1.9.5.tar.gz) = a49319ccc743709687792a57f1796acfa22e791e SHA512 (unbound-1.9.5.tar.gz) = 0b198b49165b25c93899ca41fead67c479e5b6fd255f7e2af6930f4b9898c73d8a72caf376fce9a2a33199d0764db58388371c3fdbd442999ddfdb0b8b5394ea Size (unbound-1.9.5.tar.gz) = 5686689 bytes @ 1.51 log @Update unbound to version 1.9.2 Upstream changes: Features - add type CAA to libpyunbound (accessing libunbound from python). - Fix #17: Add python module example from Jan Janak, that is a plugin for the Unbound DNS resolver to resolve DNS records in multicast DNS [RFC 6762] via Avahi. The plugin communicates with Avahi via DBus. The comment section at the beginning of the file contains detailed documentation. - travis build file. - PR #16: XoT support, AXFR over TLS, turn it on with master: # in unbound.conf. This uses TLS to download the AXFR (or IXFR). Bug Fixes - Fix for #4233: guard use of NDEBUG, so that it can be passed in CFLAGS into configure. - Add log message, at verbosity 4, that says the query is encrypted with TLS, if that is enabled for the query. - Fix #4239: set NOTIMPL when deny-any is enabled, for RFC8482. - Fix #4240: Fix whitespace cleanup in example.conf. - Fix that tls-session-ticket-keys: "" on its own in unbound.conf disables the tls session ticker key calls into the OpenSSL API. - Fix crash if tls-servic-pem not filled in when necessary. - Fix auth-zone NSEC3 response for empty nonterminals with exact match nsec3 records. - Fix for out of bounds integers, thanks to OSTIF audit. It is in allocation debug code. - Fix for auth zone nsec3 ent fix for wildcard nodata. - Move goto label in answer_from_cache to the end of the function where it is more visible. - Fix auth-zone NSEC3 response for wildcard nodata answers, include the closest encloser in the answer. - Fix spelling error in log output for event method. - Fix to reinit event structure for accepted TCP (and TLS) sockets. - Fix to use event_assign with libevent for thread-safety. - verbose information about auth zone lookup process, also lookup start, timeout and fail. - Fix to wipe ssl ticket keys from memory with explicit_bzero, if available. - Fix that auth zone uses correct network type for sockets for SOA serial probes. This fixes that probes fail because earlier probe addresses are unreachable. - Fix that auth zone fails over to next master for timeout in tcp. - Squelch SSL read and write connection reset by peer and broken pipe messages. Verbosity 2 and higher enables them. - Update python documentation for init_standard(). - Typos. - Fix tls write event for read state change to re-call SSL_write and not resume the TLS handshake. - Better braces in if statement in TCP fastopen code. - iana portlist updated. - Scrub RRs from answer section when reusing NXDOMAIN message for subdomain answers. - For harden-below-nxdomain: do not consider a name to be non-exitent when message contains a CNAME record. - Fix wrong query name in local zone redirect answers with a CNAME, the copy of the local alias is in unpacked form. - contrib/fastrpz.patch updated for code changes, and with git diff. - Fix #29: Solaris 11.3 and missing symbols be64toh, htobe64. - Fix #30: AddressSanitizer finding in lookup3.c. This sets the hash function to use a slower but better auditable code that does not read beyond array boundaries. This makes code better security checkable, and is better for security. It is fixed to be slower, but not read outside of the array. - Fix edns-subnet locks, in error cases the lock was not unlocked. - Fix doxygen output error on readme markdown vignettes. - Squelch log messages from tcp send about connection reset by peer. They can be enabled with verbosity at higher values for diagnosing network connectivity issues. - Attempt to fix malformed tcp response. - Fix #31: swig 4.0 and python module. - Note that so-reuseport at extreme load is better turned off, otherwise queries are not distributed evenly, on Linux 4.4.x. - Fix that spoolbuf is not used to store tcp pipelined response between mesh send and callback end. - Fix double file close in tcp pipelined response code. - Fix to define _OPENBSD_SOURCE to get reallocarray on NetBSD. - Fix to guard _OPENBSD_SOURCE from redefinition. - Fix that fixes the Fix that spoolbuf is not used to store tcp pipelined response between mesh send and callback end, this fixes error cases that did not use the correct spoolbuf. - Fix that fixes the Fix that spoolbuf is not used to store tcp pipelined response between mesh send and callback end, this fixes error cases that did not use the correct spoolbuf. - Fix another spoolbuf storage code point, in prefetch. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.50 2019/03/12 12:13:08 he Exp $ d3 4 a6 4 SHA1 (unbound-1.9.2.tar.gz) = 9a7ac3163df57a26b1cfb89844993d95fabee359 RMD160 (unbound-1.9.2.tar.gz) = 63411e761d70b5ce7c5e939dceebd8e7d4818c94 SHA512 (unbound-1.9.2.tar.gz) = 118f0e53ee2d5cfb53ce1f792ca680cc01b5825bf81575e36bd3b24f3bdbe14e6631401bf1bf85eb2ac2a3fa0ee2ee3eb6a28b245d06d48d9975ce4cc260f764 Size (unbound-1.9.2.tar.gz) = 5676395 bytes @ 1.50 log @Update unbound to version 1.9.1 Upstream changes: Features - Add local-zone type inform_redirect, which logs like type inform, and redirects like type redirect. - Perform canonical sort for 0x20 capsforid compare of replies, this sorts rrsets in the authority and additional section before comparison, so that out of order rrsets do not cause failure. - Print query name with ip_ratelimit exceeded log lines. Spaces instead of tabs in that log message. - Print query name and IP address when domain rate limit exceeded. Bug Fixes - Fix #4224: auth_xfr_notify.rpl test broken due to typo - Fix locking for libunbound context setup with broken port config. - Fix case in which query timeout can result in marking delegation as edns_lame_known. - Set ub_ctx_set_tls call signature in ltrace config file for libunbound in contrib/libunbound.so.conf. - improve documentation for tls-service-key and forward-first. - #10: fixed pkg-config operations, PKG_PROG_PKG_CONFIG moved out of conditional section, fixes systemd builds, from Enrico Scholz. - #9: For openssl 1.0.2 use the CRYPTO_THREADID locking callbacks, still supports the set_id_callback previous API. And for 1.1.0 no locking callbacks are needed. - #8: Fix OpenSSL without ENGINE support compilation. - Wipe TLS session key data from memory on exit. - Fix that log-replies prints the correct name for local-alias names, for names that have a CNAME in local-data configuration. It logs the original query name, not the target of the CNAME. - Fix #4206: OpenSSL 1.0.2 hostname verification for FreeBSD 11.2. - Fix that qname minimisation does not skip a label when missing nameserver targets need to be fetched. - Fix #4225: clients seem to erroneously receive no answer with DNS-over-TLS and qname-minimisation. - Note default for module-config in man page. - Fix #13: Remove left-over requirements on OpenSSL >= 1.1.0 for cert name matching, from man page. - Fix capsforid canonical sort qsort callback. - Fix pythonmod include and sockaddr_un ifdefs for compile on Windows, and for libunbound. - Fix the error for unknown module in module-config is understandable, and explains it was not compiled in and where to see the list. - In example.conf explain where to put cachedb module in module-config. - In man page and example config explain that most modules have to be listed at the start of module-config. - Fix #4227: pair event del and add for libevent for tcp_req_info. - Fix #4229: Unbound man pages lack information, about access-control order and local zone tags, and elements in views. - Fix #14: contrib/unbound.init: Fix wrong comparison judgment before copying. - Fix for python module on Windows, fix fopen. - Remove memory leak on pythonmod python2 script file init. - Remove swig gcc8 python function cast warnings, they are ignored. - Print correct module that failed when module-config is wrong. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.49 2019/02/12 10:52:28 he Exp $ d3 4 a6 4 SHA1 (unbound-1.9.1.tar.gz) = 89ed8e97cdcdd957e676eba0f8fa5e5f987b2f1f RMD160 (unbound-1.9.1.tar.gz) = a3bfefff28c59442ce10ff636e1f401cb51f85b1 SHA512 (unbound-1.9.1.tar.gz) = 5dfac7ce3892f73109fdfe0f81863643b1f4c10cee2d4e2d1a28132f1b9ea4d4f89242e4e6348fdadf998f1c75d53577cbf4f719e98faa1342fc3c5de2e8903d Size (unbound-1.9.1.tar.gz) = 5665254 bytes @ 1.49 log @Apply two fixes from https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=4225 * Sometimes qname-minimisation needs to be (temporarily) reverted. * DNS-over-TLS would interact with qname-minimisation and would erroneously echo back the query buffer instead of the answer. Bump PKGREVISION. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.48 2019/02/05 09:44:57 he Exp $ d3 4 a6 4 SHA1 (unbound-1.9.0.tar.gz) = a81e548852ba5cdd355a1f494a37b8a77481ec5b RMD160 (unbound-1.9.0.tar.gz) = ec91cd023707ca163e776e518dcb46b22f55d3b3 SHA512 (unbound-1.9.0.tar.gz) = 7dfa8e078507fc24a2d0938eea590389453bacfcac023f1a41af19350ea1f7b87d0c82d7eead121a11068921292a96865e177274ff27ed8b8868445f80f7baf6 Size (unbound-1.9.0.tar.gz) = 5662176 bytes a7 2 SHA1 (patch-iterator_iterator.c) = c2fb74a56c4cb0ffa2e0bb0ad8178037a2ff8148 SHA1 (patch-services_listen__dnsport.c) = 91ae9b15f571794deec8cca4b62019fbf1030288 @ 1.48 log @Update unbound to version 1.9.0 Upstream changes: This release contains the DNS Flag Day changes for Unbound. See the reference here, https://dnsflagday.net/ . Or this presentation: https://indico.dns-oarc.net/event/29/contributions/662/attachments/634/1063/EDNS_Flag_Day_-_OARC29.pdf . The EDNS timeouts are not used to fallback to nonEDNS queries. Features - log-tag-queryreply: yes in unbound.conf tags the log-queries and log-replies in the log file for easier log filter maintenance. - ip-ratelimit-factor of 1 allows all traffic through, instead of the previous blocking everything. - Fix #4206: support openssl 1.0.2 for TLS hostname verification, alongside the 1.1.0 and later support that is already there. - Add contrib/unbound-fuzzme.patch from Jacob Hoffman-Andrews, the patch adds a program used for fuzzing. - streamtcp option -a send queries consecutively and prints answers as they arrive. - out-of-order processing for TCP and TLS. - Add stream-wait-size: 4m config option to limit the maximum memory used by waiting tcp and tls stream replies. This avoids a denial of service where these replies use up all of the memory. - unbound-control stats has mem.streamwait that counts TCP and TLS waiting result buffers. - Patch from Manabu Sonoda with tls-ciphers and tls-ciphersuites options for unbound.conf. - Patch for TLS session resumption from Manabu Sonoda, enable with tls-session-ticket-keys in unbound.conf. - ub_ctx_set_tls call for libunbound that enables DoT for the machines set with ub_ctx_set_fwd. Patch from Florian Obser. Bug Fixes - Fix that unbound-checkconf does not complains if the config file is not placed inside the chroot. - Refuse to start with no ports. - Remove clang analysis warnings. - Patch for typo in unbound.conf man page. - Fix icon, no ragged edges and nicer resolutions available, for eg. Win 7 and Windows 10 display. - cache-max-ttl also defines upperbound of initial TTL in response. - Fix config parser memory leaks. - Fix for FreeBSD port make with dnscrypt and dnstap enabled. - Fixup openssl 1.0.2 compile - Fix for crash in dns64 module if response is null. - On FreeBSD warn if systcl settings do not allow server TCP FASTOPEN, and server tcp fastopen is enabled at compile time. - Document interaction between the tls-upstream option in the server section and forward-tls-upstream option in the forward-zone sections. - Fix syntax in comment of local alias processing. - Fix NSEC3 record that is returned in wildcard replies from auth-zone zones with NSEC3 and wildcards. - Log query name for looping module errors. - For caps-for-id fallback, use the whitelist to avoid timeout starting a fallback sequence for it. - increase mesh max activation count for capsforid long fetches. - Fix for #4219: secondaries not updated after serial change, unbound falls back to AXFR after IXFR gives several timeout failures. - Fix that auth zone after IXFR fallback tries the same master. - Fix for IXFR fallback to reset counter when IXFR does not timeout. - Newer aclocal and libtoolize used for generating configure scripts, aclocal 1.16.1 and libtoolize 2.4.6. - Fix unit test for python 3.7 new keyword 'async'. - clang analysis fixes, assert arc4random buffer in init, no check for already checked delegation pointer in iterator, in testcode check for NULL packet matches, in perf do not copy from NULL start list when growing capacity. Adjust host and file only when present in test header read to please checker. In testcode for unknown macro operand give zero result. Initialise the passed argv array in test code. In test code add EDNS data segment copy only when nonempty. - Patch from Florian Obser fixes some compiler warnings: include mini_event.h to have a prototype for mini_ev_cmp include edns.h to have a prototype for apply_edns_options sldns_wire2str_edns_keepalive_print is only called in the wire2str, module declare it static to get rid of compiler warning: no previous prototype for function infra_find_ip_ratedata() is only called in the infra module, declare it static to get rid of compiler warning: no previous prototype for function do not shadow local variable buf in authzone auth_chunks_delete and az_nsec3_findnode are only called in the authzone module, declare them static to get rid of compiler warning: no previous prototype for function... copy_rrset() is only called in the respip module, declare it static to get rid of compiler warning: no previous prototype for function 'copy_rrset' no need for another variable "r"; gets rid of compiler warning: declaration shadows a local variable in libunbound.c no need for another variable "ns"; gets rid of compiler warning: declaration shadows a local variable in iterator.c - Moved includes and make depend. - updated contrib/fastrpz.patch to cleanly diff. - remove compile warnings from libnettle compile. - output of newer lex 2.6.1 and bison 3.0.5. - Set build system for added call in the libunbound API. - List example config for root zone copy locally hosted with auth-zone as suggested from draft-ietf-dnsop-7706-bis-02. But with updated B root address. - Fixed spelling of tls-ciphers option in example.conf. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.47 2018/12/11 17:06:46 he Exp $ d8 2 @ 1.47 log @Update unbound to version 1.8.3 Upstream changes: Bug Fixes - Fix dns64 allocation in wrong region for returned internal queries. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.46 2018/12/04 12:04:22 he Exp $ d3 4 a6 4 SHA1 (unbound-1.8.3.tar.gz) = 4971428b2c26a5c8229a50243a0b4b9a244b4c7a RMD160 (unbound-1.8.3.tar.gz) = fe0dc21e6404791d737aa68dfe8fec647797c9ed SHA512 (unbound-1.8.3.tar.gz) = 545486ccce288a6ef1937d82653a43a11dbd3aec7b8d0036e7fd107e537cdfc935def9db9178c2eb418d6f4b0849a242a0be1dea966f3e9e0145aa7266e483ad Size (unbound-1.8.3.tar.gz) = 5629180 bytes @ 1.46 log @Update unbound to version 1.8.2 Pkgsrc changes: * Re-position configure diff. Upstream changes: Features - Add fast-server-permil and fast-server-num options. - Deprecate low-rtt and low-rtt-permil options. - Change fast-server-num default to 3. - Fix #4154: make ECS_MAX_TREESIZE configurable, with the max-ecs-tree-size-ipv4 and max-ecs-tree-size-ipv6 options. - Fix #4190: Please create a "ANY" deny option, adds the option deny-any: yes in unbound.conf. This responds with an empty message to queries of type ANY. - Fix #4126: RTT_band too low on VSAT links with 600+ms latency, adds the option unknown-server-time-limit to unbound.conf that can be increased to avoid the problem. - Add min-client-subnet-ipv6 and min-client-subnet-ipv4 options. - Support SO_REUSEPORT_LB in FreeBSD 12 with the so-reuseport: yes option in unbound.conf. - Add unbound-control view_local_datas command, like local_datas. Bug Fixes - dnscrypt.c removed sizeof to get array bounds. - Fix testlock code to set noreturn on error routine. - Remove unused variable from contrib fastrpz/rpz.c and remove unused diagnostic pragmas that themselves generate warnings - clang analyze test is used only when assertions are enabled. - Squelch EADDRNOTAVAIL errors when the interface goes away, this omits 'can't assign requested address' errors unless verbosity is set to a high value. - Set default for so-reuseport to no for FreeBSD. It is enabled by default for Linux and DragonFlyBSD. The setting can be configured in unbound.conf to override the default. - iana port update. - Squelch log of failed to tcp initiate after TCP Fastopen failure. - Fix #4192: unbound-control-setup generates keys not readable by group. - check that the dnstap socket file can be opened and exists, print error if not. - Add markdel function to ECS slabhash. - Limit ECS scope returned to client to the scope used for caching. - Fix #4191: NXDOMAIN vs SERVFAIL during dns64 PTR query. - Fix #4141: More randomness to rrset-roundrobin. - Fix #4132: Openness/closeness of RANGE intervals in rpl files. - remade makefile dependencies. - Fix #4152: Logs shows wrong time when using log-time-ascii: yes. - Scrub NS records from NXDOMAIN responses to stop fragmentation poisoning of the cache. - Scrub NS records from NODATA responses as well. - Add patch from Jan Vcelak for pythonmod, add sockaddr_storage getters, add support for query callbacks, allow raw address access via comm_reply and update API documentation. - Removed compile warnings in pythonmod sockaddr routines. - With ./configure --with-pyunbound --with-pythonmodule PYTHON_VERSION=3.6 or with 2.7 unbound can compile and unit tests succeed for the python module. - pythonmod logs the python error and traceback on failure. - ignore debug python module for test in doxygen output. - review fixes for python module. - Fix #4209: Crash in libunbound when called from getdns. - auth zone zonefiles can be in a chroot, the chroot directory components are removed before use. - Fix that empty zonefile means the zonefile is not set and not used. - Fix to not set GLOB_NOSORT so the unbound.conf include: files are sorted and in a predictable order. - Fix #4193: Fix that prefetch failure does not overwrite valid cache entry with SERVFAIL. - Fix DNS64 to not store intermediate results in cache, this avoids other threads from picking up the wrong data. The module restores the previous no_cache_store setting when the the module is finished. - Fix #4208: 'stub-no-cache' and 'forward-no-cache' not work. - New and better fix for Fix #4193: Fix that prefetch failure does not overwrite valid cache entry with SERVFAIL. - auth-zone give SERVFAIL when expired, fallback activates when expired, and this is documented in the man page. - stat count SERVFAIL downstream auth-zone queries for expired zones. - Put new logos into windows installer. - Fix windows compile for new rrset roundrobin fix. - Update contrib fastrpz patch for latest release. - Fix chroot auth-zone fix to remove chroot prefix. - windows icon updated. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.45 2018/10/08 12:26:17 he Exp $ d3 4 a6 4 SHA1 (unbound-1.8.2.tar.gz) = ccd3a208dd6f9623065f182e9aec4da73ea9b1ad RMD160 (unbound-1.8.2.tar.gz) = 38966ced5cf6266cb346d1649c6635fdcfdd03e5 SHA512 (unbound-1.8.2.tar.gz) = a775c799d41ede3c2df82a5cf4d419ec1d037d84c9bb7f2f4216727afc1e3d82c991d1a1ee99baf315530c094a416004e836312ba1ee2b7b17a4a60454878cb5 Size (unbound-1.8.2.tar.gz) = 5628920 bytes @ 1.45 log @Update unbound to version 1.8.1 Upstream changes: Features: - Perform TLS SNI indication of the host that is being contacted for DNS over TLS service. It sets the configured tls auth name. This is useful for hosts that apart from the DNS over TLS services also provide other (web) services. Bug Fixes: - More explicitly mention the type of ratelimit when applying ip-ratelimit. - Fix spelling error in header, from getdns commit by Andreas Gelmini. - iana port update. - Fixed unused return value warnings in contrib/fastrpz.patch for asprintf. - Fix to squelch respip warning in unit test, it is printed at higher verbosity settings. - Fix spelling errors. - Fix initialisation in remote.c - Fix seed for random backup code to use explicit zero when wiped. - exit log routine is annotated as noreturn function. - free memory leaks in config strlist and str2list insert functions. - do not move unused argv variable after getopt. - Remove unused if clause in testcode. - in testcode, free async ids, initialise array, and check for null pointer during test of the test. And use exit for return to note irregular program stop. - Free memory leak in config strlist append. - make sure nsec3 comparison salt is initialized. - unit test has clang analysis. - remove unused variable assignment from iterator scrub routine. - check for null in delegation point during iterator refetch in forward zone. - neater pointer cast in libunbound context quit routine. - initialize statistics totals for printout. - in authzone check that node exists before adding rrset. - in unbound-anchor, use readwrite memory BIO. - assertion in autotrust that packed rrset is formed correctly. - Fix memory leak when message parse fails partway through copy. - remove unused udpsize assignment in message encode. - nicer bio free code in unbound-anchor. - annotate exit functions with noreturn in unbound-control. - Fix compile on Mac for unbound, provide explicit_bzero when libc does not have it. - Fix unbound for openssl in FIPS mode, it uses the digests with the EVP call contexts. - Fix that with harden-below-nxdomain and qname minisation enabled some iterator states for nonresponsive domains can get into a state where they waited for an empty list. - Stop UDP to TCP failover after timeouts that causes the ping count to be reset by the TCP time measurement (that exists for TLS), because that causes the UDP part to not be measured as timeout. - Fix #4156: Fix systemd service manager state change notification. - Fix #4149: Add SSL cleanup for tcp timeout. - Fix #4188: IPv6 forwarders without ipv6 result in SERVFAIL, fixes qname minimisation with a forwarder when connectivity has issues from rejecting responses. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.44 2018/09/10 14:31:48 he Exp $ d3 5 a7 5 SHA1 (unbound-1.8.1.tar.gz) = 63849ece517e06b2a3c2e6917d522682da794f87 RMD160 (unbound-1.8.1.tar.gz) = 415447310f1db78146c43c639d84598f5bb07e10 SHA512 (unbound-1.8.1.tar.gz) = 1872a980e06258d28d2bc7f69a4c56fc07e03e4c9856161e89abc28527fff5812a47ea9927fd362bca690e3a87b95046ac96c8beeccaeb8596458f140c33b217 Size (unbound-1.8.1.tar.gz) = 5610191 bytes SHA1 (patch-configure) = 769ad52b9ab93bc8e48d2ffe8fef5b4b61070eba @ 1.44 log @Update unbound to version 1.8.0 Upstream changes: Features - unbound-control auth_zone_reload _zone_ option rereads the zonefile. - unbound-control auth_zone_transfer _zone_ option starts the probe sequence for a master to transfer the zone from and transfers when a new zone version is available. - num.queries.tls counter for queries over TLS. - log port number with err_addr logs. - dns64-ignore-aaaa: config option to list domain names for which the existing AAAA is ignored and dns64 processing is used on the A record. - Fix #4112: Fix that unbound-anchor -f /etc/resolv.conf will not pass if DNSSEC is not enabled. New option -R allows fallback from resolv.conf to direct queries. - Note RFC8162 support. SMIMEA record type can be read in by the zone record parser. - Patches from Jim Hague (Sinodun) for EDNS KeepAlive. - Add config tcp-idle-timeout (default 30s). This applies to client connections only; the timeout on TCP connections upstream is unaffected. - Add edns-tcp-keepalive and edns-tcp-keepalive timeout options and implement option in client responses. - Add delay parameter to streamtcp, -d secs. To be used when testing idle timeout. - Expose if a query (or a subquery) was ratelimited (not src IP ratelimiting) to libunbound under 'ub_result.was_ratelimited'. This also introduces a change to 'ub_event_callback_type' in libunbound/unbound-event.h. - Patch to implement tcp-connection-limit from Jim Hague (Sinodun). This limits the number of simultaneous TCP client connections from a nominated netblock. - Fix #4142: unbound.service.in: improvements and fixes. Add unit dependency ordering (based on systemd-resolved). Add 'CAP_SYS_RESOURCE' to 'CapabilityBoundingSet' (fixes warnings about missing privileges during startup). Add 'AF_INET6' to 'RestrictAddressFamilies' (without it IPV6 can't work). From Guido Shanahan. - unbound-checkconf checks if modules exist and prints if they are not compiled in the name of the wrong module. - Patch for stub-no-cache and forward-no-cache options that disable caching for the contents of that stub or forward, for when you want immediate changes visible, from Bjoern A. Zeeb. - Upgraded crosscompile script to include libunbound DLL in the zipfile. - Set libunbound to increase current, because the libunbound change to the event callback function signature. That needs programs, that use it, to recompile against the new header definition. - log-servfail: yes prints log lines that say why queries are returning SERVFAIL to clients. - log-local-actions: yes option for unbound.conf that logs all the local zone actions, a patch from Saksham Manchanda (Secure64). - #4146: num.query.subnet and num.query.subnet_cache counters. - #4140: Expose repinfo (comm_reply) to the inplace_callbacks. This gives access to reply information for the client's communication point when the callback is called before the mesh state (modules). Changes to C and Python's inplace_callback signatures were also necessary. - Set defaults to yes for a number of options to increase speed and resilience of the server. The so-reuseport, harden-below-nxdomain, and minimal-responses options are enabled by default. They used to be disabled by default, waiting to make sure they worked. They are enabled by default now, and can be disabled explicitly by setting them to "no" in the unbound.conf config file. The reuseport and minimal options increases speed of the server, and should be otherwise harmless. The harden-below-nxdomain option works well together with the recently default enabled qname minimisation, this causes more fetches to use information from the cache. - Added serve-expired-ttl and serve-expired-ttl-reset options. Bug Fixes - Windows example service.conf edited with more windows specific configuration. - #4108: systemd reload hang fix. - Fix usage printout for unbound-host, hostname has to be last argument on BSDs and Windows. - Partial fix for permission denied on IPv6 address on FreeBSD. - Fix that auth-zone master reply with current SOA serial does not stop scan of masters for an updated zone. - Fix that auth-zone does not start the wait timer without checking if the wait timer has already been started. - #4109: Fix that package config depends on python unconditionally. - Patch, do not export python from pkg-config, from Petr Menšík. - Fix checking for libhiredis printout in configure output. - Fix typo on man page in ip-address description. - Update libunbound/python/examples/dnssec_test.py example code to also set the 20326 trust anchor for the root in the example code. - Better documentation for unblock-lan-zones and insecure-lan-zones config statements. - Fix permission denied printed for auth zone probe random port nrs. - Fix documentation ambiguity for tls-win-cert in tls-upstream and forward-tls-upstream docs. - iana port update. - Fix round robin for failed addresses with prefer-ip6: yes - Note in documentation that the cert name match code needs OpenSSL 1.1.0 or later to be enabled. - Fix to improve systemd socket activation code file descriptor assignment. - Fix for 4126 that the #define for UNKNOWN_SERVER_NICENESS can be more easily changed to adjust default rtt assumptions. - Fix #4127 unbound -h does not list -p help. - Print error if SSL name verification configured but not available in the ssl library. - Fix that ratelimit and ip-ratelimit are applied after reload of changed config file. - Resize ratelimit and ip-ratelimit caches if changed on reload. - Fix #4129 unbound-control error message with wrong cert permissions is too cryptic. - Fix #4130: print text describing -dd and unbound-checkconf on config file read error at startup, the errors may have been moved away by the startup process. - Fix #4131: for solaris, error YY_CURRENT_BUFFER undeclared. - Fix use-systemd readiness signalling, only when use-systemd is yes and not in signal handler. - Fix #4135: 64-bit Windows Installer Creates Entries Under The Wrong Registry Key, reported by Brian White. - Fix man page, say that chroot is enabled by default. - Sort out test runs when the build directory isn't the project root directory. - Error if EDNS Keepalive received over UDP. - Correct and expand manual page entries for keepalive and idle timeout. - Implement progressive backoff of TCP idle/keepalive timeout. - Fix 'make depend' to work when build dir is not project root. - Fix #4139: Fix unbound-host leaks memory on ANY. - Fix to remove systemd sockaddr function check, that is not always present. Make socket activation more lenient. But not different when socket activation is not used. - Fix #4136: insufficiency from mismatch of FLEX capability between released tarball and build host. Fix to unconditionally call destroy in daemon.c. - Make capsforid fallback QNAME minimisation aware. - document --enable-subnet in doc/README. - Fix #4144: dns64 module caches wrong (negative) information. - Fix that printout of error for cycle targets is a verbosity 4 printout and does not wrongly print it is a memory error. - Fix segfault in auth-zone read and reorder of RRSIGs. - Fix contrib/fastrpz.patch. - Fix warning on compile without threads. - print servfail info to log as error. - added more servfail printout statements, to the iterator. - Fix classification for QTYPE=CNAME queries when QNAME minimisation is enabled. - Fix only misc failure from log-servfail when val-log-level is not enabled. - Fix lintflags for lint on FreeBSD. - Fix that a local-zone with a local-zone-type that is transparent in a view with view-first, makes queries check for answers from the local-zones defined outside of views. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.43 2018/06/21 15:32:22 he Exp $ d3 4 a6 4 SHA1 (unbound-1.8.0.tar.gz) = 52b5b4169b9adaa24cc668976b9dffcc025120d6 RMD160 (unbound-1.8.0.tar.gz) = 2ab5ea1f6495d358f2a3642e2589d7530d79687d SHA512 (unbound-1.8.0.tar.gz) = 6c46f5b86b5bd98a7b549b660173d487e59e65385cebd7bc29429b4fee69f2b490651a409c57b072b9b604fa98e289fa82eeecfea8779900038c25b28a6bd064 Size (unbound-1.8.0.tar.gz) = 5609213 bytes @ 1.43 log @Update unbound to version 1.7.3 Upstream changes: Features - #4102 for NSD, but for Unbound. Named unix pipes do not use certificate and key files, access can be restricted with file and directory permissions. The option control-use-cert is no longer used, and ignored if found in unbound.conf. - Rename tls-additional-ports to tls-additional-port, because every line adds one port. Bug Fixes - Don't count CNAME response types received during qname minimisation as query restart. - #4100: Fix stub reprime when it becomes useless. - Fix crash if ratelimit taken into use with unbound-control instead of with unbound.conf. - Patch to fix openwrt for mac os build darwin detection in configure. - #4103: Fix that auth-zone does not insist on SOA record first in file for url downloads. - Fix that first control-interface determines if TLS is used. Warn when IP address interfaces are used without TLS. - Fix that control-use-cert: no works for 127.0.0.1 to disable certs. - Fix unbound-checkconf for control-use-cert. - Fix for unbound-control on Windows and set TCP socket parameters more closely. - Fix windows unbound-control no cert bad file descriptor error. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.42 2018/06/11 10:06:58 he Exp $ d3 4 a6 4 SHA1 (unbound-1.7.3.tar.gz) = 106789bdca173d033d769c67be3441b47611612a RMD160 (unbound-1.7.3.tar.gz) = 85b95d63684ed11e15031e7ff61f5d8c08442283 SHA512 (unbound-1.7.3.tar.gz) = 34b2e93660e519b2eccefef26a6c7ac09fa3312384cc3bc449ff2b10743bd86bfeb36ec19d35eb913f8d0a3d91ad7923260a66fc799f28b0a2cc06741d80f27a Size (unbound-1.7.3.tar.gz) = 5570604 bytes @ 1.42 log @Upgrade unbound to version 1.7.2. Upstream changes: Features - Fix low-rtt-pct to low-rtt-permil, as it is parts in one thousand. - Qname minimisation default changed to yes. - Use accept4 to speed up incoming TCP (and TLS) connections, available on Linux, FreeBSD and OpenBSD. - tls-win-cert option that adds the system certificate store for authenticating DNS-over-TLS connections. It can be used instead of the tls-cert-bundle option, or with it to add certificates. - Patch from Syzdek: Add ability to ignore RD bit and treat all requests as if the RD bit is set. - Rename additional-tls-port to tls-additional-ports. The older name is accepted for backwards compatibility. Bug fixes: - Fix for crash in daemon_cleanup with dnstap during reload, from Saksham Manchanda. - Also that for dnscrypt. - Fix spelling error in man page and note defaults as no instead of off. - Fix that unbound-control reload frees the rrset keys and returns the memory pages to the system. - Fix fail to reject dead peers in forward-zone, with ssl-upstream. - Fix that configure --with-libhiredis also turns on cachedb. - Fix gcc 8 buffer warning in testcode. - Fix function type cast warning in libunbound context callback type. - Fix windows to not have sticky TLS events for TCP. - Fix read of DNS over TLS length and data in one read call. - Fix mesh state assertion failure due to callback removal. - Fix contrib/libunbound.pc for libssl libcrypto references, from https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=226914 - Fix that libunbound can do DNS-over-TLS, when configured. - Fix that windows unbound service can use DNS-over-TLS. - unbound-host initializes ssl (for potential DNS-over-TLS usage inside libunbound), when ssl upstream or a cert-bundle is configured. - For TCP and TLS connections that don't establish, perform address update in infra cache, so future selections can exclude them. - Fix that tcp sticky events are removed for closed fd on windows. - Fix close events for tcp only. - Fix windows tcp and tls spin on events. - Add routine from getdns to add windows cert store to the SSL_CTX. - in compat/arc4random call getentropy_urandom when getentropy fails with ENOSYS. - Fix that fallback for windows port. - Fix deadlock caused by incoming notify for auth-zone. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.41 2018/05/07 07:13:28 he Exp $ d3 4 a6 4 SHA1 (unbound-1.7.2.tar.gz) = 09030d0812458ebe84efae7c837f01d92b16adef RMD160 (unbound-1.7.2.tar.gz) = 3d1f533b5c0c3bcc2ff705e73f018da485be0ab9 SHA512 (unbound-1.7.2.tar.gz) = a5b0794b15d72a89bd6090f6febca3199e8c66f779c5da7f07dfbacc17bd62f340a3392b9086d39f28f7ab5942aba24810347fbf0e1ea22c5641d2b00fb29387 Size (unbound-1.7.2.tar.gz) = 5570654 bytes @ 1.41 log @Upgrade unbound to version 1.7.1. Upstream changes: Features - Add --with-libhiredis, unbound support for a new cachedb backend that uses a Redis server as the storage. This implementation depends on the hiredis client library (https://redislabs.com/lp/hiredis/). And unbound should be built with both --enable-cachedb and --with-libhiredis[=PATH] (where $PATH/include/hiredis/hiredis.h should exist). Patch from Jinmei Tatuya (Infoblox). - Create additional tls service interfaces by opening them on other portnumbers and listing the portnumbers as additional-tls-port: nr. - ED448 support. - num.query.authzone.up and num.query.authzone.down statistics counters. - Accept both option names with and without colon for get_option and set_option. - low-rtt and low-rtt-pct in unbound.conf enable the server selection of fast servers for some percentage of the time. - num.query.aggressive.NOERROR and num.query.aggressive.NXDOMAIN statistics counters. - allow-notify: config statement for auth-zones. - Can set tls authentication with forward-addr: IP#tls.auth.name And put the public cert bundle in tls-cert-bundle: "ca-bundle.pem". such as forward-addr: 9.9.9.9@@853#dns.quad9.net or 1.1.1.1@@853#cloudflare-dns.com - list_auth_zones unbound-control command. - Added root-key-sentinel support Bug Fixes - Fix #3727: Protocol name is TLS, options have been renamed but documentation is not consistent. - Check IXFR start serial. - Fix typo in documentation. - Fix #3736: Fix 0 TTL domains stuck on SERVFAIL unless manually flushed with serve-expired on. - Fix #3817: core dump happens in libunbound delete, when queued servfail hits deleted message queue. - corrected a minor typo in the changelog. - move htobe64/be64toh portability code to cachedb.c. - iana port update. - Do not use cached NSEC records to generate negative answers for domains under DNSSEC Negative Trust Anchors. - Fix unbound-control get_option aggressive-nsec - Check "result" in dup_all(), by Florian Obser. - Fix #4043: make test fails due to v6 presentation issue in macOS. - Fix unable to resolve after new WLAN connection, due to auth-zone failing with a forwarder set. Now, auth-zone is only used for answers (not referrals) when a forwarder is set. - Combine write of tcp length and tcp query for dns over tls. - nitpick fixes in example.conf. - Fix above stub queries for type NS and useless delegation point. - Fix unbound-control over pipe with openssl 1.1.1, the TLSv1.3 tls_choose_sigalg routine does not allow the ciphers for the pipe, so use TLSv1.2. - Fix that flush_zone sets prefetch ttl expired, so that with serve-expired enabled it'll start prefetching those entries. - Fix downstream auth zone, only fallback when auth zone fails to answer and fallback is enabled. - Fix for max include depth for authzones. - Fix memory free on fail for $INCLUDE in authzone. - Fix that an internal error to look up the wrong rr type for auth zone gets stopped, before trying to send there. - Fix auth zone target lookup iterator. - Fix auth-zone retry timer to be on schedule with retry timeout, with backoff. Also time a refresh at the zone expiry. - Fix #658: unbound using TLS in a forwarding configuration does not verify the server's certificate (RFC 8310 support). - For addr with #authname and no @@port notation, the default is 853. - man page documentation for dns-over-tls forward-addr '#' notation. - removed free from failed parse case. - Fix #4091: Fix that reload of auth-zone does not merge the zonefile with the previous contents. - Delete auth zone when removed from config. - makedist uses bz2 for expat code, instead of tar.gz. - Fix #4092: libunbound: use-caps-for-id lacks colon in config_set_option. - auth zone http download stores exact copy of downloaded file, including comments in the file. - Fix sldns parse failure for CDS alternate delete syntax empty hex. - Attempt for auth zone fix; add of callback in mesh gets from callback does not skip callback of result. - Fix cname classification with qname minimisation enabled. - Fix contrib/fastrpz.patch for this release. - Fix auth https for libev. - Fix memory leak when caching wildcard records for aggressive NSEC use - Fix for crash in daemon_cleanup with dnstap during reload, from Saksham Manchanda. - Also that for dnscrypt. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.40 2018/03/15 10:22:49 he Exp $ d3 4 a6 4 SHA1 (unbound-1.7.1.tar.gz) = b853b746fa1f89ecce160850ab163ef78f67eea5 RMD160 (unbound-1.7.1.tar.gz) = fd9ee1d94d475a84997d16e2e939c661d297fa6b SHA512 (unbound-1.7.1.tar.gz) = 99a68abf1f60f6ea80cf2973906df44da9c577d8cac969824af1ce9ca385a2e84dd684937480da87cb73c7dc41ad5c00b0013ec74103eadb8fd7dc6f98a89255 Size (unbound-1.7.1.tar.gz) = 5565938 bytes @ 1.40 log @Upgrade unbound to version 1.7.0. Pkgsrc changes: * Add libunbound.pc to PLIST. Upstream changes: Features - auth-zone provides a way to configure RFC7706 from unbound.conf, eg. with auth-zone: name: "." for-downstream: no for-upstream: yes fallback-enabled: yes and masters or a zonefile with data. - Aggressive use of NSEC implementation. Use cached NSEC records to generate NXDOMAIN, NODATA and positive wildcard answers. - Accept tls-upstream in unbound.conf, the ssl-upstream keyword is also recognized and means the same. Also for tls-port, tls-service-key, tls-service-pem, stub-tls-upstream and forward-tls-upstream. - [dnscrypt] introduce dnscrypt-provider-cert-rotated option, from Manu Bretelle. This option allows handling multiple cert/key pairs while only distributing some of them. In order to reliably match a client magic with a given key without strong assumption as to how those were generated, we need both key and cert. Likewise, in order to know which ES version should be used. On the other hand, when rotating a cert, it can be desirable to only serve the new cert but still be able to handle clients that are still using the old certs's public key. The `dnscrypt-provider-cert-rotated` allow to instruct unbound to not publish the cert as part of the DNS's provider_name's TXT answer. - Update B root ipv4 address. - make ip-transparent option work on OpenBSD. - Fix #2801: Install libunbound.pc. - ltrace.conf file for libunbound in contrib. - Fix #3598: Fix swig build issue on rhel6 based system. configure --disable-swig-version-check stops the swig version check. Bug Fixes - Fix #1749: With harden-referral-path: performance drops, due to circular dependency in NS and DS lookups. - [dnscrypt] prevent dnscrypt-secret-key, dnscrypt-provider-cert duplicates - Better documentation for cache-max-negative-ttl. - Fixed libunbound manual typo. - Fix #1949: [dnscrypt] make provider name mismatch more obvious. - Fix #2031: Double included headers - Document that errno is left informative on libunbound config read fail. - iana port update. - Fix #1913: ub_ctx_config is under circumstances thread-safe. - Fix #2362: TLS1.3/openssl-1.1.1 not working. - Fix #2034 - Autoconf and -flto. - Fix #2141 - for libsodium detect lack of entropy in chroot, print a message and exit. - Fix #2492: Documentation libunbound. - Fix #2882: Unbound behaviour changes (wrong) when domain-insecure is set for stub zone. It no longer searches for DNSSEC information. - Fix #3299 - forward CNAME daisy chain is not working - Fix link failure on OmniOS. - Check whether --with-libunbound-only is set when using --with-nettle or --with-nss. - Fix qname-minimisation documentation (A QTYPE, not NS) - Fix that DS queries with referral replies are answered straight away, without a repeat query picking the DS from cache. The correct reply should have been an answer, the reply is fixed by the scrubber to have the answer in the answer section. - Fix that expiration date checks don't fail with clang -O2. - Fix queries being leaked above stub when refetching glue. - Copy query and correctly set flags on REFUSED answers when cache snooping is not allowed. - make depend: code dependencies updated in Makefile. - Fix #3397: Fix that cachedb could return a partial CNAME chain. - Fix #3397: Fix that when the cache contains an unsigned DNAME in the middle of a cname chain, a result without the DNAME could be returned. - Fix that unbound-checkconf -f flag works with auto-trust-anchor-file for startup scripts to get the full pathname(s) of anchor file(s). - Print fatal errors about remote control setup before log init, so that it is printed to console. - Use NSEC with longest ce to prove wildcard absence. - Only use *.ce to prove wildcard absence, no longer names. - Fix unfreed locks in log and arc4random at exit of unbound. - Fix lock race condition in dns cache dname synthesis. - Fix #3451: dnstap not building when you have a separate build dir. And removed protoc warning, set dnstap.proto syntax to proto2. - Added tests with wildcard expanded NSEC records (CVE-2017-15105 test) - Unit test for auth zone https url download. - tls-cert-bundle option in unbound.conf enables TLS authentication. - Fixes for clang static analyzer, the missing ; in edns-subnet/addrtree.c after the assert made clang analyzer produce a failure to analyze it. - Fix #3505: Documentation for default local zones references wrong RFC. - Fix #3494: local-zone noview can be used to break out of the view to the global local zone contents, for queries for that zone. - Fix for more maintainable code in localzone. - more robust cachedump rrset routine. - Save wildcard RRset from answer with original owner for use in aggressive NSEC. - Fixup contrib/fastrpz.patch so that it applies. - Fix compile without threads, and remove unused variable. - Fix compile with staticexe and python module. - Fix nettle compile. - Fix to check define of DSA for when openssl is without deprecated. - iana port update. - Fix #3582: Squelch address already in use log when reuseaddr option causes same port to be used twice for tcp connections. - Reverted fix for #3512, this may not be the best way forward; although it could be changed at a later time, to stay similar to other implementations. - Fix for windows compile. - Fixed contrib/fastrpz.patch, even though this already applied cleanly for me, now also for others. - patch to log creates keytag queries, from A. Schulze. - patch suggested by Debian lintian: allow to -> allow one to, from A. Schulze. - Attempt to remove warning about trailing whitespace. - Added documentation for aggressive-nsec: yes. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.39 2018/01/19 10:10:03 he Exp $ d3 5 a7 5 SHA1 (unbound-1.7.0.tar.gz) = d90b09315c75ad2843b868785b3d12a2c4f27b28 RMD160 (unbound-1.7.0.tar.gz) = abc59d2b8b52bab5784fe56ccb8b7ed10e8830fe SHA512 (unbound-1.7.0.tar.gz) = 49b07643da2a89d8ceedce1295f550f74a76f4f11c2df54df55e9c42f03bad1b133789c7b36fb3c4f37d6b331ac302ecfd1249e8ebaaa4333beda8fa250b61d9 Size (unbound-1.7.0.tar.gz) = 5538228 bytes SHA1 (patch-configure) = 30874b8337e4ef0e436bb52f4af92a43b810f7bb @ 1.39 log @Update to version 1.6.8: Bug fixes: - patch for CVE-2017-15105: vulnerability in the processing of wildcard synthesized NSEC records. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.38 2017/10/10 08:07:08 he Exp $ d3 4 a6 4 SHA1 (unbound-1.6.8.tar.gz) = 492737be9647c26ee39d4d198f2755062803b412 RMD160 (unbound-1.6.8.tar.gz) = 69aea28bd7587fef8aab7c3e9aa7d886184a930b SHA512 (unbound-1.6.8.tar.gz) = 653d88d5dbc8cf25f7261e4a9869b6591843c7ff27b5d63f979a94505daafbbb61e05d46bedd2d01230355d5f08dd9fe14ed04c5c7340f3f27581b61ad6edfa3 Size (unbound-1.6.8.tar.gz) = 5467536 bytes @ 1.38 log @Upgrade unbound to version 1.6.7. Pkgsrc changes: * None. Upstream changes: Features: * Set trust-anchor-signaling default to yes * Fix #1440: [dnscrypt] client nonce cache. * Fix #1435: Please allow UDP to be disabled separately upstream and downstream. Bug fixes: * Fix that looping modules always stop the query, and don't pass control. * Fix unbound-host to report error for DNSSEC state of failed lookups. * Spelling fixes, from Josh Soref. * Fix #1400: allowing use of global cache on ECS-forwarding unless always-forward. * use a cachedb answer even if it's "expired" when serve-expired is yes (patch from Jinmei Tatuya). * trigger refetching of the answer in that case (this will bypass cachedb lookup) * allow storing a 0-TTL answer from cachedb in the in-memory message cache when serve-expired is yes * Fix DNSCACHE_STORE_ZEROTTL to be bigger than 0xffff. * Log name of looping module * Fix #1450: Generate again patch contrib/aaaa-filter-iterator.patch (by Danilo G. Baio). * Fix param unused warning for windows exportsymbol compile. * Use RCODE from A query on DNS64 synthesized answer. * Fix trust-anchor-signaling works in libunbound. * Fix spelling in unbound-control man page. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.37 2017/09/18 13:02:39 he Exp $ d3 4 a6 4 SHA1 (unbound-1.6.7.tar.gz) = 098f8acfc3e9d1cab54f07863e61eabbb67c80dc RMD160 (unbound-1.6.7.tar.gz) = ddac5bbb7cbfc366438bf35c9a88922a9e1ea17f SHA512 (unbound-1.6.7.tar.gz) = 6e3d1a057081252183343d0d1b8ace742ab15e8f5244e61287340f49289d7449bed93fbfdaa3194c0e99ca23948f4b33038f75af5c5b26c938004d06fc3031e0 Size (unbound-1.6.7.tar.gz) = 5466931 bytes @ 1.38.2.1 log @Pullup ticket #5699 - requested by taca net/unbound: security update Revisions pulled up: - net/unbound/Makefile 1.53 - net/unbound/distinfo 1.39 ------------------------------------------------------------------- Module Name: pkgsrc Committed By: he Date: Fri Jan 19 10:10:03 UTC 2018 Modified Files: pkgsrc/net/unbound: Makefile distinfo Log Message: Update to version 1.6.8: Bug fixes: - patch for CVE-2017-15105: vulnerability in the processing of wildcard synthesized NSEC records. To generate a diff of this commit: cvs rdiff -u -r1.52 -r1.53 pkgsrc/net/unbound/Makefile cvs rdiff -u -r1.38 -r1.39 pkgsrc/net/unbound/distinfo @ text @d1 1 a1 1 $NetBSD$ d3 4 a6 4 SHA1 (unbound-1.6.8.tar.gz) = 492737be9647c26ee39d4d198f2755062803b412 RMD160 (unbound-1.6.8.tar.gz) = 69aea28bd7587fef8aab7c3e9aa7d886184a930b SHA512 (unbound-1.6.8.tar.gz) = 653d88d5dbc8cf25f7261e4a9869b6591843c7ff27b5d63f979a94505daafbbb61e05d46bedd2d01230355d5f08dd9fe14ed04c5c7340f3f27581b61ad6edfa3 Size (unbound-1.6.8.tar.gz) = 5467536 bytes @ 1.37 log @Upgrade unbound to version 1.6.6. Pkgsrc changes: * Unbound now needs flex >= 2.6.4 to build, or at least 2.6.3 is a no-go, so depend on the pkgsrc version which is already 2.6.4. Upstream changes: Features: * unbound-control dump_infra prints port number for address if not 53. * Fix #1344: RFC6761-reserved domains: test. and invalid. * Fix #1349: allow suppression of pidfiles (from Daniel Kahn Gillmor). With the -p option unbound does not create a pidfile. * Added stats for queries that have been ratelimited by domain recursion. * Patch to show DNSCrypt status in help output, from Carsten Strotmann. * Fix #1407: Add ECS options check to unbound-checkconf. * Fix #1415: [dnscrypt] shared secret cache, patch from Manu Bretelle. Bug Fixes: * fixup of dnscrypt_cert_chacha test (from Manu Bretelle). * First fix for zero b64 and hex text zone format in sldns. * Better fixup of dnscrypt_cert_chacha test for different escapes. * Fix that infra cache host hash does not change after reconfig. * Fix python example0 return module wait instead of error for pass. * enhancement for hardened-tls for DNS over TLS. Removed duplicated security settings. * Fix for unbound-checkconf, check ipsecmod-hook if ipsecmod is turned on. * Fix #1331: libunbound segfault in threaded mode when context is deleted. * Fix pythonmod link line option flag. * Fix openssl 1.1.0 load of ssl error strings from ssl init. * Fix 1332: Bump verbosity of failed chown'ing of the control socket. * Redirect all localhost names to localhost address for RFC6761. * Fix #1350: make cachedb backend configurable (from JINMEI Tatuya). * Fix tests to use .tdir (from Manu Bretelle) instead of .tpkg. * upgrade aclocal(pkg.m4 0.29.1), config.guess(2016-10-02), config.sub(2016-09-05). * annotate case statement fallthrough for gcc 7.1.1. * flex output from flex 2.6.1. * snprintf of thread number does not warn about truncated string. * squelch TCP fast open error on FreeBSD when kernel has it disabled, unless verbosity is high. * remove warning from windows compile. * Fix compile with libnettle * Fix DSA configure switch (--disable dsa) for libnettle and libnss. * Fix #1365: Add Ed25519 support using libnettle. * Fix #1394: mix of serve-expired and response-ip could cause a crash. * Remove unused iter_env member (ip6arpa_dname) * Do not reset rrset.bogus stats when called using stats_noreset. * Do not add rrset_bogus and query ratelimiting stats per thread, these module stats are global. * Fix #1397: Recursive DS lookups for AS112 zones names should recurse. * Fix #1398: make cachedb secret configurable. * Remove spaces from Makefile. * Fix issue on macOX 10.10 where TCP fast open is detected but not implemented causing TCP to fail. The fix allows fallback to regular TCP in this case and is also more robust for cases where connectx() fails for some reason. * Fix #1402: squelch invalid argument error for fd_set_block on windows. * Fix to reclaim tcp handler when it is closed due to dnscrypt buffer allocation failure. * Fix #1415: patch to free dnscrypt environment on reload. * iana portlist update * Small fixes for the shared secret cache patch. * Fix WKS records on kvm autobuild host, with default protobyname entries for udp and tcp. * Fix #1414: fix segfault on parse failure and log_replies. * zero qinfo in handle_request, this zeroes local_alias and also the qname member. * new keys and certs for dnscrypt tests. * fixup WKS test on buildhost without servicebyname. * updated contrib/fastrpz.patch to apply with configparser changes. * Fix 1416: qname-minimisation breaks TLSA lookups with CNAMEs. * Fix #1424: cachedb:testframe is not thread safe. * Fix #1417: [dnscrypt] shared secret cache counters, and works when dnscrypt is not enabled. And cache size configuration option. * Fix #1418: [ip ratelimit] initialize slabhash using ip-ratelimit-slabs. * Recommend 1472 buffer size in unbound.conf * Fix #1412: QNAME minimisation strict mode not honored * Fix #1434: Fix windows openssl 1.1.0 linking. * Add dns64 for client-subnet in unbound-checkconf. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.36 2017/08/21 11:14:18 he Exp $ d3 4 a6 4 SHA1 (unbound-1.6.6.tar.gz) = d205c03a402f5d900d5bad3d036849a12804a49e RMD160 (unbound-1.6.6.tar.gz) = bccaf45d1a7e138b5077e1303f9d5879d9c29efb SHA512 (unbound-1.6.6.tar.gz) = 910fd0956b8828d3db0511a85bf6ab6c4c3982f17c70ccb7123d1de1650d24c2906bc29ac4ea83fd7d95d8af29e2cbc88df666f365e51296f552292ef9753016 Size (unbound-1.6.6.tar.gz) = 5460482 bytes @ 1.36 log @Upgrade unbound to version 1.6.5. Upstream changes: 21 Aug 2017: Wouter - Fix install of trust anchor when two anchors are present, makes both valid. Checks hash of DS but not signature of new key. This fixes installs between sep11 and oct11 2017. - Tag 1.6.5 @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.35 2017/07/09 08:09:41 adam Exp $ d3 4 a6 4 SHA1 (unbound-1.6.5.tar.gz) = ecb260b94d139d84fae2bff80f9701f53a329e26 RMD160 (unbound-1.6.5.tar.gz) = d214256ce7b5e8e7be0e523654536cd8acfd469b SHA512 (unbound-1.6.5.tar.gz) = 7a3fa54ca0c210ff3d45cdf22c8861f67e46c23133afeeaf85126c70d68515b931a61c82c44eea73318e1ab4e2c7cf0dc0650599ff4145804f51435579c5682c Size (unbound-1.6.5.tar.gz) = 5477400 bytes @ 1.35 log @Changes 1.6.4: Features: * Implemented trust anchor signaling using key tag query. * unbound-checkconf -o allows query of dnstap config variables. Also unbound-control get_option. Also for dnscrypt. * unbound.h exports the shm stats structures. They use type long long and no ifdefs, and ub_ before the typenames. * Implemented opportunistic IPsec support module (ipsecmod). * Added redirect-bogus.patch to contrib directory. * Support for the ED25519 algorithm with openssl (from openssl 1.1.1). * renumbering B-Root's IPv6 address to 2001:500:200::b. * Fix 1276: [dnscrypt] add XChaCha20-Poly1305 cipher. * Fix 1277: disable domain ratelimit by setting value to 0. * Added fastrpz patch to contrib Bug Fixes: * Added ECS unit test (from Manu Bretelle). * ECS documentation fix (from Manu Bretelle). * Fix 1252: more indentation inconsistencies. * Fix 1253: unused variable in edns-subnet/addrtree.c:getbit(). * Fix 1254: clarify ratelimit-{for,below}-domain (from Manu Bretelle). * iana portlist update * Based on 1257: check parse limit before t increment in sldns RR string parse routine. * Fix 1258: Windows 10 X64 unbound 1.6.2 service will not start. and fix that 64bit getting installed in C:\Program Files (x86). * Fix 1259: "--disable-ecdsa" argument overwritten by "ifdef SHA256_DIGEST_LENGTH@@daemon/remote.c". * iana portlist update * Added test for leak of stub information. * Fix sldns wire2str printout of RR type CAA tags. * Fix sldns int16_data parse. * Fix sldns parse and printout of TSIG RRs. * sldns SMIMEA and AVC definitions, same as getdns definitions. * Fix tcp-mss failure printout text. * Set SO_REUSEADDR on outgoing tcp connections to fix the bind before connect limited tcp connections. With the option tcp connections can share the same source port (for different destinations). * Add 'c' to getopt() in testbound. * Adjust servfail by iterator to not store in cache when serve-expired is enabled, to avoid overwriting useful information there. * Fix queries for nameservers under a stub leaking to the internet. * document trust-anchor-signaling in example config file. * updated configure, dependencies and flex output. * better module memory lookup, fix of unbound-control shm names for module memory printout of statistics. * Fix type AVC sldns rrdef. * Some whitespace fixup. * Fix 1265: contrib/unbound.service contains hardcoded path. * Fix 1265 to use /bin/kill. * Fix 1267: Libunbound validator/val_secalgo.c uses obsolete APIs, and compatibility with BoringSSL. * Fix 1268: SIGSEGV after log_reopen. * exec_prefix is by default equal to prefix. * printout localzone for duplicate local-zone warnings. * Fix assertion for low buffer size and big edns payload when worker overrides udpsize. * Support for openssl EVP_DigestVerify. * Fix 1269: inconsistent use of built-in local zones with views. * Add defaults for new local-zone trees added to views using unbound-control. * Fix 1273: cachedb.c doesn't compile with -Wextra. * If MSG_FASTOPEN gives EPIPE fallthrough to try normal tcp write. * Also use global local-zones when there is a matching view that does not have any local-zone specified. * Fix fastopen EPIPE fallthrough to perform connect. * Fix 1274: automatically trim chroot path from dnscrypt key/cert paths (from Manu Bretelle). * Fix 1275: cached data in cachedb is never used. * Fix that unbound-control can set val_clean_additional and val_permissive_mode. * Add dnscrypt XChaCha20 tests. * Detect chacha for dnscrypt at configure time. * dnscrypt unit tests with chacha. * Added domain name based ECS whitelist. * Fix 1278: Incomplete wildcard proof. * Fix 1279: Memory leak on reload when python module is enabled. * Fix 1280: Unbound fails assert when response from authoritative contains malformed qname. When 0x20 caps-for-id is enabled, when assertions are not enabled the malformed qname is handled correctly. * More fixes in depth for buffer checks in 0x20 qname checks. * Fix stub zone queries leaking to the internet for harden-referral-path ns checks. * Fix query for refetch_glue of stub leaking to internet. * Fix 1301: memory leak in respip and tests. * Free callback in edns-subnetmod on exit and restart. * Fix memory leak in sldns_buffer_new_frm_data. * Fix memory leak in dnscrypt config read. * Fix dnscrypt chacha cert support ifdefs. * Fix dnscrypt chacha cert unit test escapes in grep. * Fix to unlock view in view test. * Fix warning in pythonmod under clang compiler. * Fix lintian typo. * Fix 1316: heap read buffer overflow in parse_edns_options. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.34 2016/12/23 19:25:45 pettai Exp $ d3 4 a6 4 SHA1 (unbound-1.6.4.tar.gz) = 836ecc48518b9159f600a738c276423ef1f95021 RMD160 (unbound-1.6.4.tar.gz) = cec85c40373525e525b773c01104ff432c9523d9 SHA512 (unbound-1.6.4.tar.gz) = 1abf50552c97b304884f07372f9fb05f9f30354647cf5299192deac81fa28a41d89d84ee092baef644a6069d0f545d36e7e814c9b8f83f21a7a53572d9a91907 Size (unbound-1.6.4.tar.gz) = 5477897 bytes @ 1.34 log @Unbound 1.6.0 ============= Features: --------- - Added generic EDNS code for registering known EDNS option codes, bypassing the cache response stage and uniquifying mesh states. Four EDNS option lists were added to module_qstate (module_qstate.edns_opts_*) to store EDNS options from/to front/back side. - Added two flags to module_qstate (no_cache_lookup, no_cache_store) that control the modules' cache interactions. - Added code for registering inplace callback functions. The registered functions can be called just before replying with local data or Chaos, replying from cache, replying with SERVFAIL, replying with a resolved query, sending a query to a nameserver. The functions can inspect the available data and maybe change response/query related data (i.e. append EDNS options). - Updated Python module for the above. - Updated Python documentation. - Added views functionality. - Added qname-minimisation-strict config option. - Patch that resolves CNAMEs entered in local-data conf statements that point to data on the internet. - serve-expired config option: serve expired responses with TTL 0. - .gitattributes line for githubs code language display. - log-identity: config option to set sys log identity. - Added stub-ssl-upstream and forward-ssl-upstream options. - Added local-zones and local-data bulk addition and removal functionality in unbound-control (local_zones, local_zones_remove, local_datas and local_datas_remove). - g.root-servers.net has AAAA address. Bug Fixes: ---------- - Fix #836: unbound could echo back EDNS options in an error response. - Fix #838: 1.5.10 cannot be built on Solaris, undefined PATH_MAX. - Fix #839: Memory grows unexpectedly with large RPZ files. - Fix #840: infinite loop in unbound_munin_ plugin on unowned lockfile. - Fix #841: big local-zone's make it consume large amounts of memory. - Fix dnstap relaying "random" messages instead of resolver/forwarder responses. - Fix Nits for 1.5.10. - Fix #1117: spelling errors, from Robert Edmonds. - iana portlist update. - fix memoryleak logfile when in debug mode. - Re-fix #839 from view commit overwrite. - Fixup const void cast warning. - Removed patch comments from acllist.c and msgencode.c - Added documentation doc/CNAME-basedRedirectionDesignNotes.pdf - Fix #1125: unbound could reuse an answer packet incorrectly for clients with different EDNS parameters. - Fix #1118: libunbound.pc sets strange Libs, Libs.private values. - Added Requires line to libunbound.pc - Fix #1130: whitespace in example.conf.in more consistent. - suppress compile warning in lex files. - init lzt variable, for older gcc compiler warnings. - fix --enable-dsa to work, instead of copying ecdsa enable. - Fix DNSSEC validation of query type ANY with DNAME answers. - Fixup query_info local_alias init. - Ported tests for local_cname unit test to testbound framework. - Fix #1134: unbound-control set_option -- val-override-date: -1 works immediately to ignore datetime, or back to 0 to enable it again. The -- is to ignore the '-1' as an option flag. - Patch for server.num.zero_ttl stats for count of expired replies. - Fix failure to build on arm64 with no sbrk. - Set OpenSSL security level to 0 when using aNULL ciphers. - configure detects ssl security level API function in the autoconf manner. Every function on its own, so that other libraries (eg. LibreSSL) can develop their API without hindrance. - Fix #1154: segfault when reading config with duplicate zones. - Note that for harden-below-nxdomain the nxdomain must be secure, this means nsec3 with optout is insufficient. - Fix #1155: test status code of unbound-control in 04-checkconf, not the status code from the tee command. - Fix #1158: reference RFC 8020 "NXDOMAIN: There Really Is Nothing Underneath" for the harden-below-nxdomain option. - patch from Dag-Erling Smorgrav that removes code that relies on sbrk(). - Make access-control-tag-data RDATA absolute. This makes the RDATA origin consistent between local-data and access-control-tag-data. - Fix NSEC ENT wildcard check. Matching wildcard does not have to be a subdomain of the NSEC owner. - QNAME minimisation uses QTYPE=A, therefore always check cache for this type in harden-below-nxdomain functionality. - Added unit test for QNAME minimisation + harden below nxdomain synergy. - Fix that with openssl 1.1 control-use-cert: no uses less cpu, by using no encryption over the unix socket. - hyphen as minus fix. - Fix #1170: document that 'inform' local-zone uses local-data. - Fix #1173: differ local-zone type deny from unset tag_actions element. - Add DSA support for OpenSSL 1.1.0 - Fix remote control without cert for LibreSSL - Fix downcast warnings from visual studio in sldns code @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.33 2016/10/05 20:28:01 pettai Exp $ d3 5 a7 4 SHA1 (unbound-1.6.0.tar.gz) = 9b7606b016b447dc837efc108cee94f3fecf4ede RMD160 (unbound-1.6.0.tar.gz) = 07380cf33d5bb352f1b6fb19bb6411b3bdeb6011 SHA512 (unbound-1.6.0.tar.gz) = c92adee98ef759d033ac39784796e936e292f0671a42ad455411b82a9ba552744e4a0de432ee4ac05609dc0b429b70d5ce8169c20d3d65f4acf5afc5e02822ac Size (unbound-1.6.0.tar.gz) = 5063253 bytes @ 1.33 log @Features - Create a pkg-config file for libunbound in contrib. - TCP Fast open. - Finegrained localzone control with define-tag, access-control-tag, access-control-tag-action, access-control-tag-data, local-zone-tag, and local-zone-override. And added types always_transparent, always_refuse, always_nxdomain with that. - If more than half of tcp connections are in use, a shorter timeout is used (200 msec, vs 2 minutes) to pressure tcp for new connects. - [bugzilla: 787 ] Fix #787: outgoing-interface netblock/64 ipv6 option to use linux freebind to use 64bits of entropy for every query with random local part. - For #787: prefer-ip6 option for unbound.conf prefers to send upstream queries to ipv6 servers. - Add default root hints for IPv6 E.ROOT-SERVERS.NET, 2001:500:a8::e. - keep debug symbols in windows build. Bug Fixes: ---------- - [bugzilla: 778 ] Fix unbound 1.5.9: -h segfault (null deref). - Fix unbound-anchor.exe file location defaults to Program Files with (x86) appended. - Fix to not ignore return value of chown() in daemon startup. - Better help text from -h. - [bugzilla: 773 ] Fix Non-standard Python location build failure with pyunbound. - Improve threadsafety for openssl 0.9.8 ecdsa dnssec signatures. - Revert fix for NetworkService account on windows due to breakage it causes. - Fix that windows install will not overwrite existing service.conf file (and ignore gui config choices if it exists). - And delete service.conf.shipped on uninstall. - In unbound.conf directory: dir immediately changes to that directory, so that include: file below that is relative to that directory. With chroot, make the directory an absolute path inside chroot. - do not delete service.conf on windows uninstall. - document directory immediate fix and allow EXECUTABLE syntax in it on windows. - Fix directory: fix for unbound-checkconf, it restores cwd. - Use QTYPE=A for QNAME minimisation. - Keep track of number of time-outs when performing QNAME minimisation. Stop minimising when number of time-outs for a QNAME/QTYPE pair is more than three. - [bugzilla: 775 ] Fix unbound-host and unbound-anchor crash on windows, ignore null delete for wsaevent. - Fix spelling in freebind option man page text. - Fix windows link of ssl with crypt32. - [bugzilla: 779 ] Fix Union casting is non-portable. - [bugzilla: 780 ] Fix MAP_ANON not defined in HP-UX 11.31. - [bugzilla: 781 ] Fix prealloc() is an HP-UX system library call. - Decrease dp attempts at each QNAME minimisation iteration - [bugzilla: 784 ] Fix Build configure assumess that having getpwnam means there is endpwent function available. - Updated repository with newer flex and bison output. - Fix static compile on windows missing gdi32. - Fix dynamic link of anchor-update.exe on windows. - Fix detect of mingw for MXE package build. - Fixes for 64bit windows compile. - [bugzilla: 788 ] Fix for nettle 3.0: Failed to build with Nettle >= 3.0 and --with-libunbound-only --with-nettle. - Fixed unbound.doxygen for 1.8.11. - [bugzilla: 798 ] Fix Client-side TCP fast open fails (Linux). - [bugzilla: 801 ] Fix missing error condition handling in daemon_create_workers(). - [bugzilla: 802 ] Fix workaround for function parameters that are "unused" without log_assert. - [bugzilla: 803 ] Fix confusing (and incorrect) code comment in daemon_cleanup(). - [bugzilla: 806 ] Fix wrong comment removed. - use sendmsg instead of sendto for TFO. - [bugzilla: 807 ] Fix workaround for possible some "unused" function parameters in test code. - Note that OPENPGPKEY type is RFC 7929. - [bugzilla: 804 ] Fix #804: unbound stops responding after outage. Fixes queries that attempt to wait for an empty list of subqueries. - Fix for #804: lower num_target_queries for iterator also for failed lookups. - [bugzilla: 820 ] Fix set sldns_str2wire_rr_buf() dual meaning len parameter in each iteration in find_tag_datas(). - [bugzilla: 777 ] Fix OpenSSL 1.1.0 compatibility. - RFC 7958 is now out, updated docs for unbound-anchor. - Fix for compile without warnings with openssl 1.1.0. - [bugzilla: 826 ] Fix refuse_non_local could result in a broken response. - iana portlist update. - Fix compile with openssl 1.1.0 with api=1.1.0. - [bugzilla: 829 ] Fix doc of sldns_wire2str_rdata_buf() return value has an off-by-one typo. - Fix incomplete prototypes reported by Dag-Erling Smørgrav. - [bugzilla: 828 ] Fix missing type in access-control-tag-action redirect results in NXDOMAIN. - Take configured minimum TTL into consideration when reducing TTL to original TTL from RRSIG. - [bugzilla: 831 ] Fix workaround for spurious fread_chk warning against petal.c - Silenced flex-generated sign-unsigned warning print with gcc diagnostic pragma. - Fix for new splint on FreeBSD. Fix cast for sockaddr_un.sun_len. - fix potential memory leak in daemon/remote.c and nullpointer dereference in validator/autotrust. - [bugzilla: 883 ] Fix error for duplicate local zone entry. - [bugzilla: 835 ] Fix --disable-dsa with nettle verify. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.32 2016/06/16 13:50:39 pettai Exp $ d3 4 a6 4 SHA1 (unbound-1.5.10.tar.gz) = 6102849c400db3a4195b1f16df8f312568a6ec57 RMD160 (unbound-1.5.10.tar.gz) = 0907f1501acc5ce943a038f671ef0e7d358b0695 SHA512 (unbound-1.5.10.tar.gz) = 1c413886a12d4b626e03e076da6b9ccbcc8fd4769649fef8895eca74199bc22aec33c026e777524e8fe0327045a194f79b52282fe40674a9fb15cac58c4493f6 Size (unbound-1.5.10.tar.gz) = 4941299 bytes @ 1.32 log @Unbound 1.5.9 ============= Features: --------- - generic edns option parse and store code. - Updated L root IPv6 address. - User defined pluggable event API for libunbound - ip_freebind: yesno option in unbound.conf sets IP_FREEBIND for binding to an IP address while the interface or address is down. - OpenSSL 1.1.0 portability, --disable-dsa configure option. - disable-dnssec-lame-check config option. Bug Fixes: ---------- - [bugzilla: 745 ] Fix unbound.py - idn2dname throws UnicodeError when idnname contains trailing dot. - configure tests for the weak attribute support by the compiler. - [bugzilla: 747 ] Fix assert in outnet_serviced_query_stop. - Updated configure and ltmain.sh. - Fixup of compile fix for pluggable event API. - Fixup backend2str for libev. - Fix libev usage of dispatch return value. - No side effects in tolower() call, in case it is a macro. - Fix warnings in ifdef corner case, older or unknown libevent. - Fix ip-transparent for ipv6 on FreeBSD. - Fix ip-transparent for tcp on freebsd. - [bugzilla: 746 ] Fix unbound sets CD bit on all forwards. If no trust anchors, it'll not set CD bit when forwarding to another server. If a trust anchor, no CD bit on the first attempt to a forwarder, but CD bit thereafter on repeated attempts to get DNSSEC. - Limit number of QNAME minimisation iterations. - Validate QNAME minimised NXDOMAIN responses. - If QNAME minimisation is enabled, do cache lookup for QTYPE NS in harden-below-nxdomain. - Fix compile of getentropy_linux for SLES11 servicepack 4. - Fix dnstap-log-resolver-response-messages. - Fix test for openssl to use HMAC_Update for 1.1.0. - ERR_remove_state deprecated since openssl 1.0.0. - OPENSSL_config is deprecated, removing. - Document permit-small-holddown for 5011 debug. - [bugzilla: 749 ] Fix unbound-checkconf gets SIGSEGV when use against a malformatted conf file. - [bugzilla: 753 ] Fix document dump_requestlist is for first thread. - Fix some malformed reponses to edns queries get fallback to nonedns. - [bugzilla: 759 ] Fix 0x20 capsforid no longer checks type PTR, for compatibility with cisco dns guard. This lowers false positives. - Fix sldns with static checking fixes copied from getdns. - Fix memory leak in out-of-memory conditions of local zone add. - [bugzilla: 761 ] Fix DNSSEC LAME false positive resolving nic.club. - [bugzilla: 766 ] Fix dns64 should synthesize results on timeout/errors. - No QNAME minimisation fall-back for NXDOMAIN answers from DNSSEC signed zones. - [bugzilla: 767 ] Fix Reference to an expired Internet-Draft in harden-below-nxdomain documentation. - remove memory leak from lame-check patch. - [bugzilla: 770 ] Fix Small subgroup attack on DH used in unix pipe on localhost if unbound control uses a unix local named pipe. - Document write permission to directory of trust anchor needed. - [bugzilla: 768 ] Fix Unbound Service Sometimes Can Not Shutdown Completely, WER Report Shown Up. Close handle before closing WSA. - Fix time in case answer comes from cache in ub_resolve_event(). - Fix windows service to be created run with limited rights, as a network service account. - [bugzilla: 752 ] Fix retry resource temporarily unavailable on control pipe. - iana ports fetched via https. - iana portlist update. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.31 2016/03/09 05:24:38 pettai Exp $ d3 4 a6 4 SHA1 (unbound-1.5.9.tar.gz) = 4882c52aac0abcd72a86ac5d06e9cd39576620ce RMD160 (unbound-1.5.9.tar.gz) = 4fb82f0e132e422a5d2481517348f1e1802bf23d SHA512 (unbound-1.5.9.tar.gz) = a0f43a22d2c357b78482e5049fd77b100966964d861536169bd79379c02b96651e52c47f3f5001ac8e1ca474d41f784395adb44b61157487723f9f15287c97f4 Size (unbound-1.5.9.tar.gz) = 4924965 bytes @ 1.31 log @Unbound 1.5.8 ============= Features: --------- - ip-transparent option for FreeBSD with IP_BINDANY socket option. - insecure-lan-zones: yesno config option. - RR Type CSYNC support RFC 7477, in debug printout and config input. - RR Type OPENPGPKEY support (draft-ietf-dane-openpgpkey-07). - [bugzilla: 731 ] tcp-mss, outgoing-tcp-mss options for unbound.conf - Support RFC7686: handle ".onion" Special-Use Domain. It is blocked by default, and can be unblocked with "nodefault" localzone config. - ub_ctx_set_stub() function for libunbound to config stub zones. Bug Fixes: ---------- - Fix that NSEC3 negative cache is used when there is no salt. - sorted ubsyms.def file with exported libunbound functions. - Print understandable debug log when unusable DS record is seen. - load gost algorithm if digest is seen before key algorithm. - Fix that "make install" fails due to "text file busy" error. - Set IPPROTO_IP6 for ipv6 sockets otherwise invalid argument error. - wait for sendto to drain socket buffers when they are full. - Neater cmdline_verbose increment patch from Edgar Pettijohn. - Made NetBSD sendmsg test nonfatal, in case of false positives. - [bugzilla: 741 ] Fix: log message for dnstap socket connection is more clear. - [bugzilla: 734 ] Fix: chown the pidfile if it resides inside the chroot. - Fix cmsg alignment for argument to sendmsg on NetBSD. - Fix that unbound complains about unimplemented IP_PKTINFO for sendmsg on NetBSD (for interface-automatic). - [bugzilla: 738 ] Fix: Swig should not be invoked with CPPFLAGS. - Squelch 'cannot assign requested address' log messages unless verbosity is high, it was spammed after network down. - Fix to simplify empty string checking. - [bugzilla: 734 ] Fix: Do not log an error when the PID file cannot be chown'ed. - Fix test if -pthreads unused to use better grep for portability. - Fix mingw crosscompile for recent mingw. - Update aclocal, autoconf output with new versions (1.15, 2.4.6). - Define DEFAULT_SOURCE together with BSD_SOURCE when that is defined, for Linux glibc 2.20. - Fixup contrib/aaaa-filter-iterator.patch for moved contents in the source code, so it applies cleanly again. Removed unused variable warnings. - [bugzilla: 729 ] Fix: omit use of escape sequences in echo since they are not portable (unbound-control-setup). - remove NULL-checks before free, patch from Michael McConville. - updated ax_pthread.m4 to version 21 with clang support, this removes a warning from compilation. - OSX portability, detect if sbrk is deprecated. - OSX clang, stop -pthread unused during link stage warnings. - OSX clang new flto check. - iana portlist update. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.30 2015/12/12 23:50:06 pettai Exp $ d3 4 a6 4 SHA1 (unbound-1.5.8.tar.gz) = 1391888d2e3395d766545cd3dbdf0f1879c48080 RMD160 (unbound-1.5.8.tar.gz) = e0a2fa814a27ef84a9387e9f856c0c317375b113 SHA512 (unbound-1.5.8.tar.gz) = 0c296a2e5489fae0fdf0ca2ea11ed72f00498c8499f38f308ff32078665d980a2d5a80ee0e106273dc13a146611a238553857c5f301fe9622072382c06b8434a Size (unbound-1.5.8.tar.gz) = 4895649 bytes @ 1.30 log @Unbound 1.5.7 ============= Features: - Fix #594. libunbound: optionally use libnettle for crypto. Added --with-nettle for use with --with-libunbound-only. - Implemented qname minimisation Bug Fixes: - Fix #712: unbound-anchor appears to not fsync root.key. - Fix #714: Document config to block private-address for IPv4 mapped IPv6 addresses. - portability, replace snprintf if return value broken - portability fixes. - detect libexpat without xml_StopParser function. - isblank() compat implementation. - patch from Doug Hogan for SSL_OP_NO_SSLvx options. - Fix #716: nodata proof with empty non-terminals and wildcards. - Fix #718: Fix unbound-control-setup with support for env without HEREDOC bash support. - ACX_SSL_CHECKS no longer adds -ldl needlessly. - Change example.conf: ftp.internic.net to https://www.internic.net - Fix for lenient accept of reverse order DNAME and CNAME. - spelling fixes from Igor Sobrado Delgado. - Fix that malformed EDNS query gets a response without malformed EDNS. - Added assert on rrset cache correctness. - Fix #720: add windows scripts to zip bundle, and fix unbound-control-setup windows batch file. - Fix for #724: conf syntax to read files from run dir (on Windows). And fix PCA prompt for unbound-service-install.exe. And add Changelog to windows binary dist. - .gitignore for git users. - iana portlist update. - Removed unneeded whitespace from example.conf. - Do not minimise forwarded requests. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.29 2015/10/22 18:14:40 pettai Exp $ d3 4 a6 4 SHA1 (unbound-1.5.7.tar.gz) = 6306fec537f507a41b9c3a7e16e4aa1c10532510 RMD160 (unbound-1.5.7.tar.gz) = f5cdda4b439f9b16cf1da62ca796c664cd53998b SHA512 (unbound-1.5.7.tar.gz) = 7fc000364139519ed837ef9883f2e8a684b5ac19f2d3343626ab0a4c3459a7c3ccf2c79e9d992d82b123c6a38245fc286994365b427145d218e0b3c645c4dc4f Size (unbound-1.5.7.tar.gz) = 4859573 bytes @ 1.29 log @Unbound 1.5.6 ============= Features: * Default for ssl-port is port 853, the temporary port assignment for secure domain name system traffic. If you used to rely on the older default of port 443, you have to put a clause in unbound.conf for that. The new value is likely going to be the standardised port number for this traffic. * ANY responses include DNAME records if present, as per Evan Hunt's remark in dnsop. Bug Fixes: * Fix segfault in the dns64 module in the formaterror error path. * Fix manpage to suggest using SIGTERM to terminate the server. * iana portlist update. Unbound 1.5.5 ============= Features: * Change default of harden-algo-downgrade to off. This is lenient for algorithm rollover. * Added permit-small-holddown config to debug fast 5011 rollover. * Allow certificate chain files to allow for intermediate certificates. * Enable ECDHE for servers. Where available, use SSL_CTX_set_ecdh_auto() for TLS-wrapped server configurations to enable ECDHE. Otherwise, manually offer curve p256. Client connections should automatically use ECDHE when available. * [bugzilla: 699 ] Feature --enable-pie option to that builds PIE binary. * [bugzilla: 700 ] Feature --enable-relro-now option that enables full read-only relocation. * [bugzilla: 702 ] New IPs for for h.root-servers.net. Bug Fixes: * [bugzilla: 681 ] Fix setting forwarders with unbound-control forward implicitly turns on forward-first. * [bugzilla: 690 ] Fix that reload fails when so-reuseport is yes after changing num-threads. * please afl-gcc (llvm) for uninitialised variable warning. * Fix mktime in unbound-anchor not using UTC. * Fix 5011 anchor update timer after reload. * 5011 implementation does not insist on all algorithms, when harden-algo-downgrade is turned off. * Document in the manual more text about configuring locally served zones. * Document that local-zone nodefault matches exactly and transparent can be used to release a subzone. * [bugzilla: 694 ] Fix that configure script does not detect LibreSSL 2.2.2 * Fix deadlock for local data add and zone add when unbound-control list_local_data printout is interrupted. * [bugzilla: 697 ] Fix get PY_MAJOR_VERSION failure at configure for python 2.4 to 2.6. * changed windows setup compression to be more transparent. * Fix config globbed include chroot treatment, this fixes reload of globs. * [bugzilla: 705 ] Fix ub_ctx_set_fwd() return value mishandled on windows. * Fix minor error in unbound.conf.5.in. * Fix unbound.conf(5) access-control description for precedence and default. * Fix unbound-control flush that does not succeed in removing data. * MAX_TARGET_COUNT increased to 64, to fix up sporadic resolution failures. * iana portlist update. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.28 2015/07/15 18:09:05 pettai Exp $ d3 4 a6 4 SHA1 (unbound-1.5.6.tar.gz) = b1e521669d6e5a3c1baf8b71dad070e38887162b RMD160 (unbound-1.5.6.tar.gz) = bb333953b2aafd65525712cc4fa64f502af48817 SHA512 (unbound-1.5.6.tar.gz) = 2477e3f00b8f5a3a4661ff20b0bc0d1d56c8a65cc6ab9f1308ae86f41c67a998af68d3ac5ba6c9c22a25a251f0410eaf9fee82911bcb3a3e82ffb6383e28dcf7 Size (unbound-1.5.6.tar.gz) = 4849569 bytes @ 1.28 log @Unbound 1.5.4 Features: - [bugzilla: 644 ] harden-algo-downgrade option, if turned off, fixes the reported excessive validation failure when multiple algorithms are present. If set to 'no', it allows the weakest algorithm to validate the zone. - stats reports tcp usage, of incoming-num-tcp buffers. - contrib/unbound_smf22.tar.gz: Solaris SMF installation/removal scripts. - Add ip-transparent config option for bind to non-local addresses. - Synthesize ANY responses from cache. Does not search exhaustively, but MX,A,AAAA,SOA,NS also CNAME. - unbound-control list_insecure command shows the negative trust anchors currently configured. - ratelimit feature, ratelimit: 1000, can be used to turn it on. It ratelimits recursion effort per zone. For particular names you can configure exceptions in unbound.conf. - Ratelimit does not apply to prefetched queries, and ratelimit-factor is default 10. Repeated normal queries get resolved and with prefetch stay in the cache. - unbound-control ratelimit_list lists high rate domains. - caps-whitelist in unbound.conf allows whitelist of loadbalancers that cannot work with caps-for-id or its fallback. - RFC 7553 RR type URI support, is now enabled by default. - cache-max-negative-ttl config option, default 3600. - Add local-zone type inform_deny, that logs query and drops answer. Bug Fixes: - Unbound exits with a fatal error when the auto-trust-anchor-file fails to be writable. This is seconds after startup. You can load a readonly auto-trust-anchor-file with trust-anchor-file. The file has to be writable to notice the trust anchor change, without it, a trust anchor change will be unnoticed and the system will then become inoperable. - DLV is going to be decommissioned. Advice to stop using it, and put text in the example configuration and man page to that effect. - Patch from Brad Smith that syncs compat/getentropy_linux with OpenBSD's version (2015-03-04). - 0x20 fallback improved: servfail responses do not count as missing comparisons (except if all responses are errors), inability to find nameservers does not fail equality comparisons, many nameservers does not try to compare more than max-sent-count, parse failures start 0x20 fallback procedure. - store caps_response with best response in case downgrade response happens to be the last one. - Document that incoming-num-tcp increase is good for large servers. - Fix lintian warning in unbound-checkconf man page. - Updated default keylength in unbound-control-setup to 3k. - Fixup compile on cygwin, more portable openssl thread id. - Use reallocarray for integer overflow protection. - Fixed to add integer overflow checks on allocation (defense in depth). - Fix segfault on user not found at startup. - [bugzilla: 657 ] Fix that libunbound(3) recommends deprecated CRYPTO_set_id_callback. - If unknown trust anchor algorithm, and libressl is used, error message encourages upgrade of the libressl package. - rename ldns subdirectory to sldns to avoid name collision. - [bugzilla: 660 ] Fix interface-automatic broken in the presence of asymmetric routing. - Libunbound skips dos-line-endings from etc/hosts. - Fix crash in dnstap: Do not try to log TCP responses after timeout. - Fix that get_option for cache-sizes does not print double newline. - [bugzilla: 663 ] Fix that ssl handshake fails when using unix socket because dh size is too small. - [bugzilla: 664 ] libunbound python3 related fixes (from Tomas Hozza); Use print_function also for Python2. libunbound examples: produce sorted output. libunbound-Python: libldns is not used anymore. Fix issue with Python 3 mapping of FILE* using file_py3.i from ldns. - Fix leaked dns64prefix configuration string. - Removed contrib/unbound_unixsock.diff, because it has been integrated, use control-interface: /path in unbound.conf. - Change syntax of particular validator error to be easier for machine parse, swap rrset and ip adres info so it looks like: validation failure : signature crypto failed from 2001:DB8:7:bba4::53 for <*.example.nl. NSEC IN> - Fix that unparseable error responses are ratelimited. - SOA negative TTL is capped at minimumttl in its rdata section. - [bugzilla: 674 ] Do not free pointers given by getenv. - [bugzilla: 677 ] Fix CNAME corresponding to a DNAME was checked incorrectly and was therefore always synthesized. And fix DNAME responses from cache that failed internal chain test. - iana portlist update. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.27 2015/03/19 22:37:06 pettai Exp $ d3 4 a6 3 SHA1 (unbound-1.5.4.tar.gz) = ce0abc1563baa776a0f2c21516ffc13e6bff7d0f RMD160 (unbound-1.5.4.tar.gz) = 0d77e595ae80191d382b44c89365ef9054f374df Size (unbound-1.5.4.tar.gz) = 4844273 bytes @ 1.27 log @Unbound 1.5.3 Bug Fixes: * [bugzilla: 647 ] Fix #647 crash in 1.5.2 because pwd.db no longer accessible after reload. * [bugzilla: 645 ] Fix #645 Portability to Solaris 10, use AF_LOCAL. * [bugzilla: 646 ] Fix #646 Portability to Solaris, -lrt for getentropy_solaris. * Use the getrandom syscall introduced in Linux 3.17 @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.26 2015/02/21 10:53:40 pettai Exp $ d3 3 a5 3 SHA1 (unbound-1.5.3.tar.gz) = 9ae0d8270df4591559d54ee4d61c550526521ca3 RMD160 (unbound-1.5.3.tar.gz) = 37c7b000aee6ca260467b83168f4dd13b1bffc4f Size (unbound-1.5.3.tar.gz) = 4821300 bytes @ 1.26 log @Unbound 1.5.2 Features: * local-zone: example.com inform makes unbound log a message with client IP for queries in that zone. Eg. for finding infected hosts. * patch from Stephane Lapie that adds to the python API, that exposes struct delegpt, and adds the find_delegation function. * Updated contrib warmup.cmd/sh to support two modes - load from pre-defined list of domains or (with filename as argument) load from user-specified list of domains, and updated contrib unbound_cache.sh/cmd to support loading/save/reload cache to/from default path or (with secondary argument) arbitrary path/filename * patch for remote control over local sockets. Use control-interface: /path/sock and control-use-cert: no. * unbound-checkconf -f prints chroot with pidfile path. * infra-cache-min-rtt patch from Florian Riehm, for expected long uplink roundtrip times. Bug Fixes: * config.guess and config.sub update from libtoolize. * getauxval test for ppc64 linux compatibility. * make strip works for unbound-host and unbound-anchor. * print query name when max target count is exceeded. * patch from Stuart Henderson that fixes DESTDIR in unbound-control-setup for installs where config is not in the prefix location. * [bugzilla: 634 ] Fix #634: fix fail to start on Linux LTS 3.14.X, ignores missing IP_MTU_DISCOVER OMIT option. * Patch to contrib/unbound_munin_ that uses type ABSOLUTE. Allows munin.conf: [idleserver.example.net] unbound_munin_hits.graph_period minute * Fix pyunbound ord call, portable for python 2 and 3. * Fix unintended use of gcc extension for incomplete enum types, compile with pedantic c99 compliance. * Fix pyunbound byte string representation for python3. * Fix 0x20 capsforid fallback to omit gratuitous NS and additional section changes. * Fix validation failure in case upstream forwarder (ISC BIND) does not have the same trust anchors and decides to insert unsigned NS record in authority section. * Fix scrubber with harden-glue turned off to reject NS (and other not-address) records. * iana portlist update. * [bugzilla: 643 ] Fix doc/example.conf.in: unnecessary whitespace. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.25 2014/12/11 14:26:16 pettai Exp $ d3 3 a5 3 SHA1 (unbound-1.5.2.tar.gz) = 91c805af3fc702eb98ec2679a586cacd05fc4268 RMD160 (unbound-1.5.2.tar.gz) = 7993ce1d6b9cfafa94611142732368e30575ef48 Size (unbound-1.5.2.tar.gz) = 4822523 bytes @ 1.25 log @Unbound 1.5.1 Features: Patch from Stephane Lapie for ASAHI Net that implements aaaa-filter, added to contrib/aaaa-filter-iterator.patch. Bug Fixes: * Fix that CD flag disables DNS64 processing, returning the DNSSEC signed AAAA denial. * Fix compat/getentropy_win.c check if CryptGenRandom works and no immediate exit on windows. * Fix crash on multiple thread random usage on systems without arc4random. * Fix log at high verbosity and memory allocation failure. * Fix libunbound undefined symbol errors for main. * Patch from Robert Edmonds to build pyunbound python module differently. No versioninfo, with -shared and without $(LIBS). * Patch from Robert Edmonds fixes hyphens in unbound-anchor man page. * Removed 'increased limit open files' log message that is written to console. It is only written on verbosity 4 and higher. This keeps system bootup console cleaner. * Patch from James Raftery, always print stats for rcodes 0..5. * [bugzilla: 627 ] Fix SSL_CTX_load_verify_locations return code not properly checked. * Fix makefile for build from noexec source tree. * Add include to getentropy_linux.c, fixing debian build. * [bugzilla: 632 ] Fix that unbound fails to build on AArch64, protects getentropy compat code from calling sysctl if it is has been removed. * Fix CVE-2014-8602: denial of service by making resolver chase endless series of delegations. Unbound 1.5.0 Features: Alot of new features... (See http://www.unbound.net/download.html) Bug Fixes: Alot of bug fixes... (See http://www.unbound.net/download.html) @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.24 2014/12/09 10:11:27 pettai Exp $ d3 3 a5 3 SHA1 (unbound-1.5.1.tar.gz) = 5606c2246e7394bce88cc4f16edbd6b964237ea2 RMD160 (unbound-1.5.1.tar.gz) = 665fc334d323e71d0244eb1659f8011690788c52 Size (unbound-1.5.1.tar.gz) = 4805176 bytes @ 1.24 log @Add fix for CVE-2014-8602 @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.23 2014/03/12 16:16:00 pettai Exp $ d3 3 a5 6 SHA1 (patch_cve_2014_8602.diff) = 0763e20cdea3063cbbfae67662b9f240b15ed09e RMD160 (patch_cve_2014_8602.diff) = e983db14db36e4c310aa84b037e08d183d334c42 Size (patch_cve_2014_8602.diff) = 4836 bytes SHA1 (unbound-1.4.22.tar.gz) = a56e31e2f3a2fefa3caaad9200dd943d174ca81e RMD160 (unbound-1.4.22.tar.gz) = e9b4ded75308ac2f2ed9ae6783e29411428626fc Size (unbound-1.4.22.tar.gz) = 4735801 bytes @ 1.23 log @Unbound 1.4.22 Features: * separate ldns into core ldns inside ldns/ subdirectory. No more configure --with-ldns is needed and unbound does not rely on libldns. * Accept ip-address: as an alternative for interface: for consistency with nsd.conf syntax. * Fix ref#536: acl_deny_non_local and refuse_non_local added. * so-reuseport: yesno option to distribute queries evenly over threads on Linux (Thanks Robert Edmonds). Reuseport is attempted, then fallback to without on failure. * delay-close: msec option that delays closing ports for which the UDP reply has timed out. Keeps the port open, only accepts the correct reply. This correct reply is not used, but the port is open so that no port-denied ICMPs are generated. Bug Fixes: * Fix #528: if very high logging (4 or more) segfault on allow_snoop. * Fix #531: Set SO_REUSEADDR so that the wildcard interface and a more specific interface port 53 can be used at the same time, and one of the daemons is unbound. * if configured --with-libunbound-only fix make install. * Patch from Neel Goyal to fix callback in libunbound. * Patch from Neel Goyal to fix async id assignment if callback is called by libunbound in the mesh attach. * Fix bug#537: compile python plugin without ldns library. * Windows port, adjust %lld to %I64d, and warning in win_event.c. * Fix #544: Fixed +i causes segfault when running with module conf "iterator". * Fix #547: no trustanchor written if filesystem full, fclose checked. * unbound-event.h is installed if you configure --enable-event-api. It contains low-level library calls, that use libevent's event_base and a wireformat return packet in a buffer to perform async resolution in the client's eventloop. * speed up unbound, by reducing lock contention on localzones.lock. * Fix parse (in ldns) of quoted parenthesized text strings. * Detect libevent2 install automatically by configure and fixup link with lib/event2 subdir. * Fix #551: License change "Regents" to "Copyright holder", matching the BSD license on opensource.org. * Fix parse of #553(NSD) string in sldns, quotes without spaces. * Be lenient when a NSEC NameError response with RCODE=NXDOMAIN is received. This is okay according 4035, but not after revising existence in 4592. NSEC empty non-terminals exist and thus the RCODE should have been NOERROR. If this occurs, and the RRsets are secure, we set the RCODE to NOERROR and the security status of the response is also considered secure. * iana portlist updated. * Fix bug#561: contrib/cacti plugin did not report SERVFAIL rcodes because of spelling.. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.22 2013/11/17 22:57:38 pettai Exp $ d3 3 @ 1.23.6.1 log @Pullup ticket #4568 - requested by pettai net/unbound: security patch Revisions pulled up: - net/unbound/Makefile 1.32 - net/unbound/distinfo 1.24 --- Module Name: pkgsrc Committed By: pettai Date: Tue Dec 9 10:11:27 UTC 2014 Modified Files: pkgsrc/net/unbound: Makefile distinfo Log Message: Add fix for CVE-2014-8602 @ text @d1 1 a1 1 $NetBSD$ a2 3 SHA1 (patch_cve_2014_8602.diff) = 0763e20cdea3063cbbfae67662b9f240b15ed09e RMD160 (patch_cve_2014_8602.diff) = e983db14db36e4c310aa84b037e08d183d334c42 Size (patch_cve_2014_8602.diff) = 4836 bytes @ 1.22 log @Unbound 1.4.21 Features: * Implement max-udp-size config option, default 4096 with fix#524 for nonEDNS0 queries. * add unbound-control insecure_add and insecure_remove for the administration of negative trust anchors. * install copy of unbound-control.8 man page for unbound-control-setup. * code improve for minimal responses, small speed increase. * max include of 100.000 files (depth and globbed at one time). This is to preserve system memory in bug cases, or endless cases. * unbound.h header file has UNBOUND_VERSION_MAJOR define. * get_option, set_option, unbound-checkconf -o and libunbound getoption() and setoption() support cache-min-ttl and cache-max-ttl. Also log-time-ascii, python-script, val-sig-skew-min and val-sig-skew-max. log-time-ascii takes effect immediately. The others are mostly useful for libunbound users. * configure --disable-flto option. * streamtcp man page. * Make reverse zones easier by documenting the nodefault statements commented-out in the example config file. Bug Fixes: * committed libunbound version 4:1:2 for binary API updated in 1.4.20 * Fix for 2038, with time_t instead of uint32_t. * Fix resolve of names that use a mix of public and private addresses. * [bugzilla: 492 ] Fix endianness detection, revert to older lookup3.c detection and put new detect lines after previous tests, to avoid regressions but allow new detections to succeed. And add detection for machine/endian.h to it. * Fix queries leaking up for stubs and forwards, if the configured nameservers all fail to answer. * unbound-anchor review: BIO_write can return 0 successfully if it has successfully appended a zero length string. * Fix so that for a configuration line of include: "*.conf" it is not an error if there are no files matching the glob pattern. * own implementation of compat/snprintf.c. * [bugzilla: 491 ] pick program name (0th argument) as syslog identity. * Fixup snprintf return value usage, fixed libunbound_get_option. * Robust checks on dname validity from rdata for dname compare. * iana portlist update. * Fix round-robin doesn't work with some Windows clients. * [bugzilla: 500 ] use on non-initialised values on socket bind failures. * [bugzilla: 499 ] use-after-free in out-of-memory handling code. * Explain bogus and secure flags in libunbound more. * Update acx_pthreads.m4 to ax_pthreads.4 (2013-03-29), and apply patch to it to not fail when -Werror is also specified, from the autoconf-archives. * Fixup manpage syntax. * Fix for const string literals in C++ for libunbound. * Squelch sendto-permission denied errors when the network is not connected, to avoid spamming syslog. * libunbound documentation on how to avoid openssl race conditions. * [bugzilla: 512 ] NSS returned arrays out of setup function to be statics. * [bugzilla: 516 ] dnssec lameness detection for answers that are improper. * [bugzilla: 519 ] ub_ctx_delete may hang in some scenarios (libunbound). * [bugzilla: 520 ] Errors found by static analysis @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.21 2013/04/01 22:34:41 pettai Exp $ d3 3 a5 3 SHA1 (unbound-1.4.21.tar.gz) = 3ef4ea626e5284368d48ab618fe2207d43f2cee1 RMD160 (unbound-1.4.21.tar.gz) = 7a72e1db33131380f04ae504f0009ef0d33b88f3 Size (unbound-1.4.21.tar.gz) = 3624553 bytes @ 1.21 log @Unbound 1.4.20 Features: * add libunbound.ttl at end of result structure, version bump for libunbound. Code compiled with 1.4.19 is binary compatible with the 1.4.20 library. If code uses the ttl it needs the 1.4.20 version. Bug Fixes: * Change of D.ROOT-SERVERS.NET A address in default root hints. * Fix openssl lock free on exit. * unbound-anchors checks the emailAddress of the signer of the root.xml file, default is dnssec@@iana.org. It also checks that the signer has the correct key usage for a digital signature. * printout name of zone with duplicate fwd and hint errors. * includes and have_ssl fixes for nss. * detect endianness in lookup3 on BSD. * iana portlist updated. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.20 2012/12/25 08:54:26 pettai Exp $ d3 3 a5 3 SHA1 (unbound-1.4.20.tar.gz) = 1752976533be2a4f0c9cdbab9d2cbb67d4f27c43 RMD160 (unbound-1.4.20.tar.gz) = 8852e6dd24823e0043e3c8ff8139e56715729bc3 Size (unbound-1.4.20.tar.gz) = 3613963 bytes @ 1.20 log @Unbound 1.4.19 Features: * RFC6725 deprecates RSAMD5: this DNSKEY algorithm is disabled. The contrib/patch_rsamd5_enable.diff patch enables RSAMD5 validation otherwise it is treated as insecure. The MD5 hash is considered weak for some purposes, if you want to sign your zone, then RSASHA256 is an uncontested hash. * unbound-control -q option is quiet * include: directive in config file accepts wildcards. Suggested use: include: "/etc/unbound.d/conf.d/*" Bug Fixes: * Fix openssl race condition, initializes openssl locks. * Improved forward-first and stub-first documentation. * Fix that enables modules to register twice for the same serviced_query, without race conditions or administration issues. * Fix forward-first option where it sets the RD flag wrongly. * added manpage links for libunbound calls. * Add documentation to libunbound for default nonuse of resolv.conf. * Fix timeouts so that when a server has been offline for a while and is probed to see it works, it becomes fully available for server selection again. * Fallback to 1472 and 1232, one fragment size without headers. * [bugzilla: 465 ] Nicer comments outgoing-port-avoid. * chdir to / after chroot call (suggested by Camiel Dobbelaar). * updated contrib/unbound.spec. * ignore trusted-keys globs that have no files (from Paul Wouters). * fix text in unbound-anchor man page. * fix build of pythonmod in objdir. * make clean and makerealclean remove generated python and docs. * Fix validation for responses with both CNAME and wildcard expanded CNAME records in answer section. * [bugzilla: 477 ] Fix unbound-anchor segfault if EDNS is blocked. * Fix unbound-control forward disables configured stubs below it. * [bugzilla: 481 ] Fix python example0. * iana portlist updated. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.19 2012/08/13 14:00:03 pettai Exp $ d3 3 a5 3 SHA1 (unbound-1.4.19.tar.gz) = ccf0d465fc0045d59ceca11ecde688edebd28ec1 RMD160 (unbound-1.4.19.tar.gz) = 8353a8886273706efe68dbc6517af27c8d6436ac Size (unbound-1.4.19.tar.gz) = 3601992 bytes @ 1.19 log @Unbound 1.4.18 Features: * implement log-time-ascii on windows. * --with-libunbound-only build option, only builds the library and not the daemon and other tools. * --with-nss build option (for now, --with-libunbound-only), uses libNSS for crypto operations. * disable RSAMD5 if in FIPS mode (for openssl and for libnss). * Add flush_bogus option for unbound-control. Bug Fixes: * Fix libunbound report of errors when in background mode. * fix bogus nodata cname chain not reported as bogus by validator * [bugzilla: 454 ] Fix for ACX_CHECK_COMPILER_FLAG from configure.ac, if CFLAGS is specified at configure time then '-g -O2' is not appended to CFLAGS, so that the user can override them. * FIPS_mode openssl does not use arc4random but RAND_pseudo_bytes. * fix missing break for GOST DS hash function. * implemented forward_first for the root. * code review: return value of cache_store can be ignored for better performance in out of memory conditions. * patch for unbound_munin_ script to handle arbitrary thread count by Sven Ulland. * Fix validation of qtype DS queries that result in no data for non-optout NSEC3 zones. * fix edns-buffer-size and msg-buffer-size manpage documentation. * fix error handling of alloc failure during rrsig verification. * The key-cache bad key ttl is now 60 seconds. * [bugzilla: 452 ] fix crash on assert in mesh_state_attachment. Fixes DS NS search to not generate duplicate sub queries. * silence warning from swig-generated code (md set but not used in swig initmodule, due to ifdefs in swig-generated code). * Fix debian-bugs-658021: Please enable hardened build flags. * update iana ports list @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.18 2012/06/08 21:52:00 pettai Exp $ d3 3 a5 3 SHA1 (unbound-1.4.18.tar.gz) = b64b4c9f7981df4e7589ebb770a31352a09db3fb RMD160 (unbound-1.4.18.tar.gz) = 0aefcd5ee7d2b46645078e32fe3e9f83504d8af2 Size (unbound-1.4.18.tar.gz) = 3592485 bytes @ 1.18 log @Unbound 1.4.17 Features: * unbound-control forward_add, forward_remove, stub_add, stub_remove can modify stubs and forwards for running unbound they can also add and remove domain-insecure for the zone. This is to support reconfiguration of a DNSSEC validator on a computer that changes networks and has to enable new network config for the new location. * new approach to NS fetches for DS lookup that works with cornercases, and is more robust and considers forwarders. * contrib/validation-reporter follows rotated log file * Applied patch for rrset-roundrobin and minimal-responses features (new options, enable in unbound.conf to use). * ECDSA support (RFC 6605) by default. Use --disable-ecdsa for older openssl. * Patch for access to full DNS packet data in unbound python module * forward-first option. Tries without forward if a query fails. Also stub-first option that is similar. Bug Fixes: * Fix possible uninitialised variable in windows pipe implementation. * Fix alignment problem in util/random on sparc64/freebsd. * Fix for accept spinning reported by OpenBSD. * Fix validation of nodata for DS query in NSEC zones * [bugzilla: 444 ] Fix that setusercontext was called too late * [bugzilla: 443 ] Fix --with-chroot-dir not honoured by configure. * [bugzilla: 442 ] Fix that Makefile depends on pythonmod headers even using --without-pythonmodule. * Fix to locate nameservers for DS lookup with NS fetches. * Applied line-buffer patch from Augie Schwer to validation.reporter.sh. * flush_infra cleans timeouted servers from the cache too. * Fix from code review, if EINPROGRESS not defined chain if statement differently. * [bugzilla: 434 ] Fix windows port to check registry for config file location for unbound-control.exe, and unbound-checkconf.exe. * Fix to squelch 'network unreachable' errors from tcp connect in logs, high verbosity will show them. * Fix prefetch and sticky NS ghost domain. It picks nameservers that 'would be valid in the future', and if this makes the NS timeout, it updates that NS by asking delegation from the parent again. If child NS has longer TTL, that TTL does not get refreshed from the lookup to the child nameserver. * RT#2955 Fix for cygwin compilation. * Slightly smaller critical region in one case in infra cache. * Fix timeouts to keep track of query type, A, AAAA and other, if another has caused timeout blacklist, different type can still probe. unit test fix for nomem_cnametopos.rpl race condition. * fix memory leak in errorcase for DSA signatures. * workaround for openssl 0.9.8 ecdsa sha2 and evp problem. * fix for windows, rename() is not posix compliant on windows. * iana portlist updated @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.17 2012/02/28 20:05:05 pettai Exp $ d3 3 a5 3 SHA1 (unbound-1.4.17.tar.gz) = fea4d812c03af4737ef671ac30b7b7400d346516 RMD160 (unbound-1.4.17.tar.gz) = 0530d051bf7ecb0233375d0620ca320c02683373 Size (unbound-1.4.17.tar.gz) = 3585122 bytes @ 1.17 log @Unbound 1.4.16 Features: * applied patch to support outgoing-interface with ub_ctx_set_option. Bug Fixes: * Fix validation failures (like: validation failure xx: no NSEC3 closest encloser from yy for DS zz. while building chain of trust, because of a bug in the TTL-fix in 1.4.15, it picked the wrong rdata for an NSEC3. Now it does not change rdata, and fixes TTL. * Fix version-number in libtool to be version-info so it produces libunbound.so.2 like it should. * Fixes for port to OpenIndiana OS with gcc 4.6. * Fix to write key files completely to a temporary file, and if that succeeds, replace the real key file. So failures leave a useful file. Unbound 1.4.15 Bug Fixes: * Fix for memory leak (about 20 bytes when a tcp or udp send operation towards authority servers failed, takes about 50.000 such failures to leak one Mb, such failures are also usually logged). * Fix to randomize hash function, based on 28c3 congress. * [bugzilla: 425 ] unbound reports wrong TTL in reply, it reports a TTL that would be permissible by the RFCs but it is not the TTL in the cache. * [bugzilla: 429 ] add ub_version() call to libunbound. API version increase, with (binary) backwards compatibility for the previous version. * Fix bug where canonical_compare of RRSIG did not downcase the signer-name. This is mostly harmless because RRSIGs do not have to be sorted in canonical order, usually. * uninitialised variable in reprobe for rtt blocked domains fixed. * iana portlist updated. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.16 2011/12/20 14:02:02 pettai Exp $ d3 3 a5 3 SHA1 (unbound-1.4.16.tar.gz) = 68ed8737b1a6e3f9a67812f7e962fd6740494c1e RMD160 (unbound-1.4.16.tar.gz) = 5da0ddeb315fb1aa5ea7a388b3e4bef251f03536 Size (unbound-1.4.16.tar.gz) = 3562989 bytes @ 1.16 log @Unbound 1.4.14: Features: * Makefile changed for BSD make compatibility. * dns over ssl support as a client, ssl-upstream yes turns it on. It performs an SSL transaction for every DNS query. * dns over ssl support as a server, ssl-service-pem and ssl-service-key files can be given and then TCP queries are serviced wrapped in SSL. * lame-ttl and lame-size options no longer exist, it is integrated with the host info. They are ignored (with verbose warning) if encountered to keep the config file backwards compatible. * TCP-upstream calculates tcp-ping so server selection works if there are alternatives. * Unbound probes at EDNS1480 if there an EDNS0 timeout. Bug Fixes: * Fix for VU#209659 CVE-2011-4528: Unbound denial of service vulnerabilities from nonstandard redirection and denial of existence http://www.unbound.net/downloads/CVE-2011-4528.txt * Fix for tcp-upstream and ssl-upstream for if a laptop sleeps, causes SERVFAILs. Also fixed for UDP (but less likely). * Fix quartile time estimate, it was too low. * Fix double free in unbound-host. * fix -flto detection on Lion for llvm-gcc. * [bugzilla: 416 ] Infra cache stores information about ping and lameness per IP, zone. * [bugzilla: 415 ] Fix resolve of partners.extranet.microsoft.com with a fix for the server selection for choosing out of a (particular) list of bad choices. * Fix make_new_space function so that the incoming query is not overwritten if a jostled out query causes a waiting query to be resumed that then fails and sends an error message. * fix unbound-anchor for broken strptime on OSX lion, detected in configure. * Detect if GOST really works, openssl1.0 on OSX fails. * Implement ipv6%interface notation for scope_id usage. * better documentation for inform_super. * Fix for out-of-memory condition in libunbound. * Fix --enable-allsymbols, it depended on link specifics of the target platform, or fptr_wlist assertion failures could occur. * updated contrib/unbound_munin_ to family=auto so that it works with munin-node-configure automatically. * Fix classification of NS set in answer section, where there is a parent-child server, and the answer has the AA flag for dir.slb.com. * [bugzilla: 408 ] accept patch from Steve Snyder that comments out unused functions in lookup3.c. * fix various compiler warnings. * max sent count. EDNS1480 only for rtt < 5000. No promiscuous fetch if sentcount > 3, stop query if sentcount > 16. Count is reset when referral or CNAME happens. This makes unbound better at managing large NS sets, they are explored when there is continued interest (in the form of queries). * remove uninit warning from cachedump code. * Fix parse error on negative SOA RRSIGs if badly ordered in the packet. * fix infra cache comparison. * Fix to constrain signer_name to be a parent of the lookupname. * robust checks for next-closer NSEC3s. * iana portlist updated. (Ok'ed by wiz@@) @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.15 2011/09/17 22:46:50 pettai Exp $ d3 3 a5 3 SHA1 (unbound-1.4.14.tar.gz) = 1435029abe63d0106213acb9f173b885183cf1d7 RMD160 (unbound-1.4.14.tar.gz) = 136aff9812eebace73c26b608f6411bd048215cc Size (unbound-1.4.14.tar.gz) = 3546634 bytes @ 1.15 log @Unbound 1.4.13: Features: * Note that Unbound implements RFC6303 (since version 1.4.7). tcp-upstream yes/no option (works with set_option) for tunnels. * The format of answers to the qtype ANY with a CNAME have changed, so that there can be proper validated DNSSEC answers for them. This is for queries with qtype ANY where the domain name has a CNAME. Now an answer is returned, where before it resulted in SERVFAIL due to validation failure. When DNSSEC validation is disabled, the contents of the response have changed: the CNAME is not followed, and the correct contents of the RRsets at the initial name are included (where previously only partial contents of the initial names could have been included but the CNAME was followed). The qtype ANY is a query for debug where the resolver is to fill in relevant data that happens to be at hand from the cache. Bug Fixes: * Fix validation of qtype ANY responses with CNAMEs. Unbound responds with the RR types that are available at the name for qtype ANY and validates those RR types. It does not test for completeness (i.e. with NSEC or NSEC3 query), and it does not follow the CNAME or DNAME to another name (with even more data for the already large response) * Documented the options that work with control set_option command. * Fix that internally, CNAMEs with NXDOMAIN have that as rcode. * Fix validation of . DS query. * Fix wildcard expansion no-data reply under an optout NSEC3 zone is validated as insecure. * Fix python site-packages path to /usr/lib64. * fix memory and fd leak after out-of-memory condition. * contrib. patch fixes load of python modules. * contrib. patch that fixes a memory leak in the unbound python module, in string conversions. * Fix num-threads 0 does not segfault. * Fix autoconf 2.68 warnings * iana portlist updated @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.14 2011/07/27 04:11:25 pettai Exp $ d3 3 a5 3 SHA1 (unbound-1.4.13.tar.gz) = 834ccfd1cb41a44f53b33f8338a8f9cc68febaf7 RMD160 (unbound-1.4.13.tar.gz) = f55623935e3772056a4ef10ff03cbb8805b30f1a Size (unbound-1.4.13.tar.gz) = 3511677 bytes @ 1.14 log @1.4.12: Bug Fixes: * removed ldns-src tarball inside the unbound tarball. * [bugzilla: 395 ] fix that id bits of other query may leak out under conditions * fix replyaddr count wrong after jostled queries, which leads to eventual starvation where the daemon has no replyaddrs left to use. * fix that the listening socket is not closed when too many remote control connections are made at the same time. * version number in example config file. * fix that --enable-static-exe does not complain about it unknown. * iana portlist updated 1.4.11: Features: * log-queries: yesno option, default is no, prints querylog. * ignore-cd-flag: yesno to provide dnssec to legacy servers. * Use -flto compiler flag for link time optimization, if supported. * unbound-control has version number in the header, and uses port number registered with IANA, 8953. Bug Fixes: * Fix Makefile for U in environment, since wrong U is more common than deansification necessity. * defense in depth against the assertion failure bug fixed in 1.4.10, an error is printed to log instead of an assertion failure. * [bugzilla: 386 ] --enable-allsymbols option links all binaries to libunbound and reduces install size significantly. * Fix TTL of SOA so negative TTL is separately cached from normal TTL. * configure created with newer autoconf 2.66. * [bugzilla: 378 ] Fix that configure checks for ldns_get_random presence. * queries with CD flag set cause DNSSEC validation, but the answer is not withheld if it is bogus. Thus, unbound will retry if it is bad and curb the TTL if it is bad, thus protecting the cache for use by downstream validators. * val-override-date: -1 ignores dates entirely, for NTP usage. * harden-below-nxdomain: changed so that it activates when the cached nxdomain is dnssec secure. This avoids backwards incompatibility because those old servers do not have dnssec. * statistics-interval prints the number of jostled queries to log. * IPv6 service address for d.root-servers.net (2001:500:2D::D). * updated ldns tarball to 1.6.10rc2 snapshot * iana portlist updated. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.13 2011/06/19 16:15:57 pettai Exp $ d3 3 a5 3 SHA1 (unbound-1.4.12.tar.gz) = c46c05d1fa2402a59c10f51864fd4c62d10a472f RMD160 (unbound-1.4.12.tar.gz) = 2e3a35f1e72046c9701cd3f51a8a2f58881a03d3 Size (unbound-1.4.12.tar.gz) = 3506466 bytes @ 1.13 log @1.4.10: Bug Fixes: * Fix assertion failure when unbound generates an empty error reply in response to a query, CVE-2011-1922 VU#531342. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.12 2011/04/20 10:44:46 pettai Exp $ d3 3 a5 4 SHA1 (unbound-1.4.10.tar.gz) = ac9ab61a51e147ade69ca8b043fee2ed76336a62 RMD160 (unbound-1.4.10.tar.gz) = 7102613a43e566d542ca6b571094a8fef3b901e0 Size (unbound-1.4.10.tar.gz) = 4476504 bytes SHA1 (patch-ac) = 2ad1a444a425e8583c1212faa4479f0d65061bff @ 1.12 log @1.4.9: Bug Fixes: * Added explicit note on unbound-anchor usage: Please note usage of unbound-anchor root anchor is at your own risk and under the terms of our LICENSE (see that file in the source). * Fix remove private address does not throw away entire response. [bugzilla: 361 ] * Fix, time.elapsed variable not reset with stats_noreset. * Fix no ADflag for NXDOMAIN in NSEC3 optout. And wildcard in optout. * give config parse error for multiple names on a stub or forward zone. * updated ldns tarball to 1.6.9(snapshot). * iana portlist updated. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.11 2011/03/21 15:04:32 pettai Exp $ d3 3 a5 3 SHA1 (unbound-1.4.9.tar.gz) = f2ac7b4ef1d1b330e2dd5e2eedeb6fd2bbad8478 RMD160 (unbound-1.4.9.tar.gz) = 9c34c55f776f4506afb775c8f44df84a64854073 Size (unbound-1.4.9.tar.gz) = 4470329 bytes @ 1.11 log @unbound 1.48: Features: * harden-below-nxdomain config option, default off (because very old software may be incompatible). We could enable it by default in the future. From draft-vixie-dnsext-resimprove-00. * typetransparent localzone: does not block other RR types. * so-sndbuf option for very busy servers, a bit like so-rcvbuf. Bug Fixes: * Fix so a changed NS RRset does not get moved name stuck on old server, for type NS the TTL is not increased. * Fix prefetch so it does not get stuck on old server for moved names. * Fix insecure CNAME sequence marked as secure, reported by Bert Hubert. * faster lruhash get_mem routine. * [bugzilla: 346 ] remove ITAR scripts from contrib, the service is discontinued, use the root. * Fix in infra cache that could cause rto larger than TOP_TIMEOUT kept. * algorithm compromise protection using the algorithms signalled in the DS record. Also, trust anchors, DLV, and RFC5011 receive this, and thus, if you have multiple algorithms in your trust-anchor-file then it will now behave different than before. Also, 5011 rollover for algorithms needs to be double-signature until the old algorithm is revoked. * squelch 'tcp connect: bla' in logfile, (set verbosity 2 to see them) * fix validation in this case: CNAME to nodata for co-hosted opt-in NSEC3 insecure delegation, was bogus, fixed to be insecure. * Fix our 'BDS' license (typo reported by Xavier Belanger). * [bugzilla: 338 ] print address when socket creation fails. * Fix storage of EDNS failures in the infra cache. * silence 'tcp connect: broken pipe' and 'net down' at low verbosity. * unbound-anchor compiles with openssl 0.9.7. * Be lenient and accept imgw.pl malformed packet (like BIND). * the included ldns tarball is updated (to 1.6.8) * iana portlist updated. unbound 1.47: Features: * unbound-anchor app, unbound requires libexpat (xml parser library). It creates or updates a root.key file. Use it before you start the validator (e.g. at system boot time). * dump_infra and flush_infra commands for unbound-control. Bug Fixes: * GOST code enabled by default (RFC 5933). * Configure detects libev-4.00. * do not synthesize a CNAME message from cache for qtype DS. * Use central entropy to seed threads. * Change the rtt used to probe EDNS-timeout hosts to 1000 msec. * Fix validation failure for parent and child on same server with an insecure childzone and a CNAME from parent to child. * Change of timeout code. No more lost and backoff in blockage. At 12sec timeout (and at least 2x lost before) one probe per IP is allowed only. At 120sec, the IP is blocked. After 15min, a 120sec entry has a single retry packet. * no timeout backoff if meanwhile a query succeeded. * Configure errors if ldns is not found. * Windows 7 fix for the installer. * Fix bug where fallback_tcp causes wrong roundtrip and edns observation to be noted in cache. Fix bug where EDNSprobe halted exponential backoff if EDNS status unknown. * interface automatic works for some people with ip6 disabled. Therefore the error check is removed, so they can use the option. * Fix TCP so it uses a random outgoing-interface. * Fix bug when DLV below a trust-anchor that uses NSEC3 optout where the zone has a secure delegation hosted on the same server did not verify as secure (it was insecure by mistake). * Fix alloc_reg_release for longer uptime in out of memory conditions. * [bugzilla: 329 ] in example.conf show correct ipv4 link-local 169.254/16. * compliance with draft-ietf-dnsop-default-local-zones-14, removed reverse ipv6 orchid prefix from builtin list. * Algorithm rollover operational reality intrudes, for trust-anchor and 5011-store, if one key matches it's good enough. * Fix reported validation error in out of memory condition. * Abide RFC5155 section 9.2: no AD flag for replies with NSEC3 optout. * increased mesh-max-activation from 1000 to 3000 for crazy domains like _tcp.slb.com with 262 servers. * [bugzilla: 327 ] Fix for cannot access stub zones until the root is primed. * openbsd-lint fixes * [bugzilla: 321 ] Fix resolution of rs.ripe.net artifacts with 0x20. Delegpt structures checked for duplicates always. No more nameserver lookups generated when depth is full anyway. * [bugzilla: 322 ] Fix, configure does not respect CFLAGS on Solaris. Pass CFLAGS="-xO4 -xtarget=generic" on the configure command line if use sun-cc, but some systems need different flags. * Fix acx_nlnetlabs.m4 configure output for autoconf-2.66 AS_TR_CPP changes, uses m4_bpatsubst now. * make test (or make check) should be more portable and run the unit test and testbound scripts. (make longtest has special requirements). * More pleasant remote control command parsing. * Fix name of rrset printed that failed validation. * Return NXDOMAIN after chain of CNAMEs ends at name-not-found. * Fix validation in case a trust anchor enters into a zone with unsupported algorithms. * iana portlist updated. * updated ldns tarball. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.10 2010/08/30 18:16:45 pettai Exp $ d3 3 a5 3 SHA1 (unbound-1.4.8.tar.gz) = 557a9c10de9a83f88cd7c66d44488f1cb65de4fa RMD160 (unbound-1.4.8.tar.gz) = 08082658e4b7f0e82e7e3feae1acea42e1956fb4 Size (unbound-1.4.8.tar.gz) = 4474063 bytes @ 1.10 log @unbound 1.4.6: Features: * Builtin root hints contain AAAA for I.ROOT-SERVERS.NET. * unbound.h has extern "C" statement for easier include in c++. * added feature to print configure date, target and options with -h. * added feature to print event backend system details with -h. * (ports and works on Minix 3.1.7). On Minix, add /usr/gnu/bin to PATH, use ./configure AR=/usr/gnu/bin/gar and gmake. * GOST enabled if SSL is recent and ldns has GOST enabled too. Bug Fixes: * Fix TCPreply on systems with no writev, if just 1 byte could be sent. * Fix to use one pointer less for iterator query state store_parent_NS. * Max referral count from 30 to 130, because 128 one character domains is valid DNS. * added documentation for the histogram printout to syslog. * Fix assertion failure reported by Kai Storbeck from XS4ALL, the assertion was wrong. * updated ldns tarball. * iana portlist updated. * Unbound reports libev or libevent correctly in logs in verbose mode. * Fix handling of corner case reply from lame server, follows rfc2308. * Fix jostle list bug found by Vince (luoce at cnnic), it caused the qps in overload situations to be about 5 qps for the class of shortly serviced queries. * Fix the max number of reply-address count to be applied for duplicate queries, and not for new query list entries. * Fix RFC4035 compliance with 2.2 statement that the DNSKEY at apex must be signed with all algorithms from the DS rrset at the parent. * Fix validation of qtype DNSKEY when a key-cache entry exists but no rr-cache entry is used (it expired or prefetch), it then goes back up to the DS or trust-anchor to validate the DNSKEY. * log if a server is skipped because it is on the donotquery list, at verbosity 4, to enable diagnosis why no queries to 127.0.0.1. * failure to chown the pidfile is not fatal any more. * Neat function prototypes, unshadowed local declarations. * Fix integer underflow in prefetch ttl creation from cache. This fixes a potential negative prefetch ttl. * Changed the defaults for num-queries-per-thread/outgoing-range. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.9 2010/07/26 19:09:19 pettai Exp $ d3 4 a6 4 SHA1 (unbound-1.4.6.tar.gz) = b0d7c58f173c5c80cc81345f6766555f96bde20d RMD160 (unbound-1.4.6.tar.gz) = d5d8cd19096aa8c0624ecfb8f57ce0276ab5c1d4 Size (unbound-1.4.6.tar.gz) = 4384085 bytes SHA1 (patch-ac) = f2294c6216b4f1ee1c1fe07a9949aea2bb8dc485 @ 1.9 log @unbound-1.4.5: Features: * unbound-control get_option domain-insecure shows config file items. * Autotrust anchor file can be initialized with a ZSK key as well (if the domain's DNSKEY set is signed with that ZSK). * Conforms to draft-ietf-dnsop-default-local-zones-13. Added default reverse lookup blocks for IPv4 test nets 100.51.198.in-addr.arpa, 113.0.203.in-addr.arpa and Orchid prefix 0.1.1.0.0.2.ip6.arpa. * Contribution from Migiel de Vos (Surfnet): nagios patch for unbound-host, in contrib/ (in the source tarball). Makes unbound-host suitable for monitoring dnssec(-chain) status. * GOST disabled-by-default, the algorithm number is allocated but the RFC is still has to pass AUTH48 at the IETF. Bug Fixes: * Fix validation failure for qtype ANY caused by a RRSIG parse failure. The validator error message was 'no signatures from ...'. * Squelch log message: sendto failed permission denied for 255.255.255.255, it is visible in VERB_DETAIL (verbosity 2). * Fix fetch from blacklisted dnssec lame servers as last resort. The server's IP address is then given in validator errors as well. * Fix local-zone type redirect that did not use the query name for the answer rrset. * Compile fix using Sun Studio 12 compiler on Solaris 5.9, use CPPFLAGS during configure process. * Fix if libev is installed on the base system (not libevent), detect it from the event.h header file and link with -lev. * Fix configlexer.lex gets config.h, and configyyrename.h added by make, no more double include. * More strict scrubber (Thanks to George Barwood for the idea): NS set must be pertinent to the query. * [bugzilla: 307 ] In 0x20 backoff fix fallback so the number of outstanding queries does not become -1 and block the request. Fixed handling of recursion-lame in combination with 0x20 fallback. Fix so RRsets are compared canonicalized and sorted if the immediate comparison fails, this makes the 0x20 option work around round-robin sites. * Fix retry sequence if prime hints are recursion-lame. * Fix so harden-referral-path does not result in failures due to max-depth. You can increase the max-depth by adding numbers (' 0') after the target-fetch-policy, this increases the depth to which is checked. * Fix detection of GOST support in ldns (reported by Chris Smith). * Fix for dnssec lameness detection to use the key cache. * infra cache entries that are expired are wiped clean. Previously it was possible to not expire host data (if accessed often). * Fix dnssec-missing detection that was turned off by server selection. * [bugzilla: 308 ] Fix spelling error in variable name in parser and lexer. * Fix various compiler warnings from the clang llvm compiler. * Fix comments in iter_utils:dp_is_useless. * EDNS timeout code will not fire if EDNS status already known. * EDNS failure not stored if EDNS status known to work. * Parent-child disagreement approach altered. Older fixes are removed in place of a more exhaustive search for misconfigured data available via the parent of a delegation. This is designed to be throttled by cache entries, with TTL from the parent if possible. Additionally the loop-counter is used. It also tests for NS RRset differences between parent and child. The fetch of misconfigured data should be more reliable and thorough. It should work reliably even with no or only partial data in cache. Data received from the child (as always) is deemed more authoritative than information received from the delegation parent. The search for misconfigured data is not performed normally. * Fix AD flag handling, it could in some cases mistakenly copy the AD flag from upstream servers. * Ignore Z flag in incoming messages too. * alloc_special_obtain out of memory is not a fatal error any more, enabling unbound to continue longer in out of memory conditions. * Parentside names are dispreferred but not said to be dnssec-lame. * Fix parentside and querytargets modulestate, for dump_requestlist. * unbound-control-setup makes keys -rw-r--- so not all users permitted. * libtoolize 2.2.6b, autoconf 2.65 applied to configure. * Fix compile warning if compiled without threads. * iana portlist updated. * included ldns tarball updated. * Fix bug where a long loop could be entered, now cycle detection has a loop-counter and maximum search amount. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.8 2010/05/06 09:38:24 pettai Exp $ d3 3 a5 3 SHA1 (unbound-1.4.5.tar.gz) = c1f227b95448cdfd0006d6d00b3d4354500d7564 RMD160 (unbound-1.4.5.tar.gz) = 908d80acf0dfe4592922988e5ca73bdbab8d26a9 Size (unbound-1.4.5.tar.gz) = 4317925 bytes @ 1.8 log @unbound-1.4.3: Features: * Experimental ECC-GOST algorithm support. * unbound-host disables use-syslog from config file. * Include less in config.h and include per code file for ldns, ssl. Bug Fixes: * [bugzilla: 305 ] (regarding pkt_dname_tolower). * Fix chain of trust with CNAME, for the DS processing proof. * Fix validation of queries with wildcard names (*.example). * Fix EDNS probe for .de DNSSEC testbed failure (backoff). * unbound control flushed items are not counted when flushed again. * iana portlist updated. * [bugzilla: 301 ] (regarding unbound-checkconf). * Fixed random numbers for port, interface and server selection. * Refer to the listing in unbound-control man page in the extended \ statistics entry in the unbound.conf man page. * Fix interface-automatic for OpenBSD: msg.controllen was too small. * check for IP_SENDSRCADDR for interface-automatic or IP_PKTINFO. * for NSEC3 check if signatures are cached. * Reordered configure checks so fork and -lnsl -lsocket checks are earlier. * ldns tarball updated. * Fix python use when multithreaded. * Fix solaris python compile. * spelling fix in validation error involving cnames. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.7 2010/03/16 13:51:50 joerg Exp $ d3 4 a6 4 SHA1 (unbound-1.4.4.tar.gz) = 2cb4c34ece87e43c9acc8da85d2ea1c8ea1ffe66 RMD160 (unbound-1.4.4.tar.gz) = 581ae8953d5624e0c2b59af94740c4d024882abe Size (unbound-1.4.4.tar.gz) = 4300711 bytes SHA1 (patch-ac) = 90f1bc56afecd6973b4ffee9ab66ae639b7863a4 @ 1.7 log @unbound-1.4.3: - Fix a memory alignment issue, that can be triggered remote on (some) 64bit systems - Fix daemonize on Solaris 10 to correctly detach from terminal - Extend unbound-control with new functions - Better VERB_DETAIL output - Improve latency of DNSSEC requeries by optionally prefetching the key earlier in the validation process - Prefetch option for popular queries before they expire - Fix re-query pattern on invalid DNSKEY or DS records to reduce traffic to a few packets / zone instead of a few packets / record @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.6 2010/03/08 19:56:20 pettai Exp $ d3 3 a5 3 SHA1 (unbound-1.4.3.tar.gz) = 4b4b979683993452359eccf4f60cf9404600da9d RMD160 (unbound-1.4.3.tar.gz) = 6fd7403c13afa683d2dad2e9cfd66ef32a12e4ee Size (unbound-1.4.3.tar.gz) = 4283735 bytes @ 1.6 log @Updated to unbound-1.4.1. +~40 features and bugfixes. The changelog is too long to paste it here, but you can find it at http://www.unbound.net/download.html @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.5 2009/10/19 17:03:33 joerg Exp $ d3 3 a5 3 SHA1 (unbound-1.4.1.tar.gz) = a7bfcc057e4d242bfced847f587a71f8eaa236d7 RMD160 (unbound-1.4.1.tar.gz) = 2f9b1ad943347305a47a9003f520c7bbe6cd6de6 Size (unbound-1.4.1.tar.gz) = 4191123 bytes @ 1.5 log @Update to unbound-1.3.4: - Fixed bug where NSEC3 signature was not checked. This meant that a DS could be spoofed away by a carefully crafted packet. A downgrade attack on existing secure delegations. - updated iana port list. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.4 2009/08/23 14:17:39 hasso Exp $ d3 4 a6 4 SHA1 (unbound-1.3.4.tar.gz) = 70aea0092ad0b0cd76e57adc6a5843d3fa0d2a07 RMD160 (unbound-1.3.4.tar.gz) = ae3a920b2e5f6a31527a83e75a04ade43bfc733e Size (unbound-1.3.4.tar.gz) = 4039725 bytes SHA1 (patch-ac) = 5c4ea2a3c09b0fadd254c223d04e40d00697bc95 @ 1.4 log @Update to 1.3.3. Upstream changelog is too long to paste it here, you can read it from http://www.unbound.net/download.html. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.3 2008/12/17 18:14:01 joerg Exp $ d3 3 a5 3 SHA1 (unbound-1.3.3.tar.gz) = 4124d3b70a38d72a1ad47bf2a9e5aee9498ae439 RMD160 (unbound-1.3.3.tar.gz) = 3d5b3e321c7b5fdb660da94bac1d2f93b16a166c Size (unbound-1.3.3.tar.gz) = 4036248 bytes @ 1.4.2.1 log @Pullup ticket #2914 - requested by joerg unbound: security update Revisions pulled up: - net/unbound/Makefile 1.5 - net/unbound/distinfo 1.5 --- Module Name: pkgsrc Committed By: joerg Date: Mon Oct 19 17:03:33 UTC 2009 Modified Files: pkgsrc/net/unbound: Makefile distinfo Log Message: Update to unbound-1.3.4: - Fixed bug where NSEC3 signature was not checked. This meant that a DS could be spoofed away by a carefully crafted packet. A downgrade attack on existing secure delegations. - updated iana port list. @ text @d1 1 a1 1 $NetBSD$ d3 3 a5 3 SHA1 (unbound-1.3.4.tar.gz) = 70aea0092ad0b0cd76e57adc6a5843d3fa0d2a07 RMD160 (unbound-1.3.4.tar.gz) = ae3a920b2e5f6a31527a83e75a04ade43bfc733e Size (unbound-1.3.4.tar.gz) = 4039725 bytes @ 1.3 log @Update to unbound-1.1.1: - improve chroot handling - even stricter validation - support for blocking DNS rebinding attacks - DLV support - bugfixes The package now uses the normal net/ldns package instead of the local copy. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.2 2008/10/09 01:31:35 joerg Exp $ d3 4 a6 4 SHA1 (unbound-1.1.1.tar.gz) = 8c80e892232a05459923826f266afb770d3f7d73 RMD160 (unbound-1.1.1.tar.gz) = 08299a2f31a2a01c2d5819f63abc231015074af3 Size (unbound-1.1.1.tar.gz) = 3754958 bytes SHA1 (patch-ac) = 49d727258b41a3f7eafbed70173b24a3fd3a3e5e @ 1.2 log @Update to unbound-1.0.2. Beside some minor bugfixes, this brings even stricter filtering to defeat some additional DNS attacks and support for source address randomisation and optional capitalisation support. The former can be configured when multiple public IPs are present, the latter is considered experimental as a small number of servers doesn't support it. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.1.1.1 2008/05/26 22:36:56 joerg Exp $ d3 4 a6 4 SHA1 (unbound-1.0.2.tar.gz) = 93faa7b76cf7681b8c7b0c5187aaf84c36b6670b RMD160 (unbound-1.0.2.tar.gz) = 1e942505468f6ae4061b208914e9b7feed6ecff1 Size (unbound-1.0.2.tar.gz) = 3597275 bytes SHA1 (patch-ac) = 05e1b84d9093ea6b2a5648117522fc288c611ba9 @ 1.1 log @Initial revision @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.22 2007/11/30 21:44:29 joerg Exp $ d3 4 a6 6 SHA1 (unbound-1.0.0.tar.gz) = a837407d866f0918547c6122f8f654c219b4b51f RMD160 (unbound-1.0.0.tar.gz) = a08aff793c115f2fe285c6d1557bcca98e0c4dba Size (unbound-1.0.0.tar.gz) = 3554571 bytes SHA1 (patch-aa) = eb2e923f1970a0fafad44885619a0ea28a0aa155 SHA1 (patch-ab) = baa658962ffa72efd11507f391f5ee4543266bc4 SHA1 (patch-ac) = 11664d40b93f8cfb15f96e010b243f9909e5de5a @ 1.1.1.1 log @Import unbound-1.0.0, a DNS recursor library and daemon from the guys that brought us NSD. @ text @@