./net/unbound, DNS resolver and recursive server

[ CVSweb ] [ Homepage ] [ RSS ] [ Required by ] [ Add to tracker ]


Branch: CURRENT, Version: 1.9.2, Package name: unbound-1.9.2, Maintainer: pettai

Unbound is an implementation of a DNS resolver. It provides a library
similiar to libresolv that can be used for synchronous and asynchronous
DNS look ups. It also provides a caching-only (recursive) DNS server.

Unbound has full support for IPv6 and DNSSEC validation.


Required to build:
[devel/flex] [pkgtools/cwrappers]

Master sites:

SHA1: 9a7ac3163df57a26b1cfb89844993d95fabee359
RMD160: 63411e761d70b5ce7c5e939dceebd8e7d4818c94
Filesize: 5543.354 KB

Version history: (Expand)


CVS history: (Expand)


   2019-06-17 11:49:08 by Havard Eidnes | Files touched by this commit (2) | Package updated
Log message:
Update unbound to version 1.9.2

Upstream changes:

Features
- add type CAA to libpyunbound (accessing libunbound from python).
- Fix #17: Add python module example from Jan Janak, that is a
  plugin for the Unbound DNS resolver to resolve DNS records in
  multicast DNS [RFC 6762] via Avahi.  The plugin communicates
  with Avahi via DBus. The comment section at the beginning of
  the file contains detailed documentation.
- travis build file.
- PR #16: XoT support, AXFR over TLS, turn it on with
  master: <ip>#<authname> in unbound.conf.  This uses TLS to
  download the AXFR (or IXFR).

Bug Fixes
- Fix for #4233: guard use of NDEBUG, so that it can be passed in
  CFLAGS into configure.
- Add log message, at verbosity 4, that says the query is encrypted
  with TLS, if that is enabled for the query.
- Fix #4239: set NOTIMPL when deny-any is enabled, for RFC8482.
- Fix #4240: Fix whitespace cleanup in example.conf.
- Fix that tls-session-ticket-keys: "" on its own in unbound.conf
  disables the tls session ticker key calls into the OpenSSL API.
- Fix crash if tls-servic-pem not filled in when necessary.
- Fix auth-zone NSEC3 response for empty nonterminals with exact
  match nsec3 records.
- Fix for out of bounds integers, thanks to OSTIF audit.  It is in
  allocation debug code.
- Fix for auth zone nsec3 ent fix for wildcard nodata.
- Move goto label in answer_from_cache to the end of the function
  where it is more visible.
- Fix auth-zone NSEC3 response for wildcard nodata answers,
  include the closest encloser in the answer.
- Fix spelling error in log output for event method.
- Fix to reinit event structure for accepted TCP (and TLS) sockets.
- Fix to use event_assign with libevent for thread-safety.
- verbose information about auth zone lookup process, also lookup
  start, timeout and fail.
- Fix to wipe ssl ticket keys from memory with explicit_bzero,
  if available.
- Fix that auth zone uses correct network type for sockets for
  SOA serial probes.  This fixes that probes fail because earlier
  probe addresses are unreachable.
- Fix that auth zone fails over to next master for timeout in tcp.
- Squelch SSL read and write connection reset by peer and broken pipe
  messages.  Verbosity 2 and higher enables them.
- Update python documentation for init_standard().
- Typos.
- Fix tls write event for read state change to re-call SSL_write and
  not resume the TLS handshake.
- Better braces in if statement in TCP fastopen code.
- iana portlist updated.
- Scrub RRs from answer section when reusing NXDOMAIN message for
  subdomain answers.
- For harden-below-nxdomain: do not consider a name to be non-exitent
  when message contains a CNAME record.
- Fix wrong query name in local zone redirect answers with a CNAME,
  the copy of the local alias is in unpacked form.
- contrib/fastrpz.patch updated for code changes, and with git diff.
- Fix #29: Solaris 11.3 and missing symbols be64toh, htobe64.
- Fix #30: AddressSanitizer finding in lookup3.c.  This sets the
  hash function to use a slower but better auditable code that does
  not read beyond array boundaries.  This makes code better security
  checkable, and is better for security.  It is fixed to be slower,
  but not read outside of the array.
- Fix edns-subnet locks, in error cases the lock was not unlocked.
- Fix doxygen output error on readme markdown vignettes.
- Squelch log messages from tcp send about connection reset by peer.
  They can be enabled with verbosity at higher values for diagnosing
  network connectivity issues.
- Attempt to fix malformed tcp response.
- Fix #31: swig 4.0 and python module.
- Note that so-reuseport at extreme load is better turned off,
  otherwise queries are not distributed evenly, on Linux 4.4.x.
- Fix that spoolbuf is not used to store tcp pipelined response
  between mesh send and callback end.
- Fix double file close in tcp pipelined response code.
- Fix to define _OPENBSD_SOURCE to get reallocarray on NetBSD.
- Fix to guard _OPENBSD_SOURCE from redefinition.
- Fix that fixes the Fix that spoolbuf is not used to store tcp
  pipelined response between mesh send and callback end, this fixes
  error cases that did not use the correct spoolbuf.
- Fix that fixes the Fix that spoolbuf is not used to store tcp
  pipelined response between mesh send and callback end, this fixes
  error cases that did not use the correct spoolbuf.
- Fix another spoolbuf storage code point, in prefetch.
   2019-06-12 12:04:05 by Thomas Klausner | Files touched by this commit (1) | Package updated
Log message:
unbound: bump PKGREVISION for previous

a new file is installed -> PLIST change -> bump
   2019-06-12 11:21:42 by Fredrik Pettai | Files touched by this commit (2)
Log message:
fixes PR pkg/54126
   2019-03-12 13:13:08 by Havard Eidnes | Files touched by this commit (2) | Package updated
Log message:
Update unbound to version 1.9.1

Upstream changes:

Features
- Add local-zone type inform_redirect, which logs like type inform,
  and redirects like type redirect.
- Perform canonical sort for 0x20 capsforid compare of replies,
  this sorts rrsets in the authority and additional section before
  comparison, so that out of order rrsets do not cause failure.
- Print query name with ip_ratelimit exceeded log lines.
  Spaces instead of tabs in that log message.
- Print query name and IP address when domain rate limit exceeded.

Bug Fixes
- Fix #4224: auth_xfr_notify.rpl test broken due to typo
- Fix locking for libunbound context setup with broken port config.
- Fix case in which query timeout can result in marking delegation
  as edns_lame_known.
- Set ub_ctx_set_tls call signature in ltrace config file for
  libunbound in contrib/libunbound.so.conf.
- improve documentation for tls-service-key and forward-first.
- #10: fixed pkg-config operations, PKG_PROG_PKG_CONFIG moved out of
  conditional section, fixes systemd builds, from Enrico Scholz.
- #9: For openssl 1.0.2 use the CRYPTO_THREADID locking callbacks,
  still supports the set_id_callback previous API.  And for 1.1.0
  no locking callbacks are needed.
- #8: Fix OpenSSL without ENGINE support compilation.
- Wipe TLS session key data from memory on exit.
- Fix that log-replies prints the correct name for local-alias
  names, for names that have a CNAME in local-data configuration.
  It logs the original query name, not the target of the CNAME.
- Fix #4206: OpenSSL 1.0.2 hostname verification for FreeBSD 11.2.
- Fix that qname minimisation does not skip a label when missing
  nameserver targets need to be fetched.
- Fix #4225: clients seem to erroneously receive no answer with
  DNS-over-TLS and qname-minimisation.
- Note default for module-config in man page.
- Fix #13: Remove left-over requirements on OpenSSL >= 1.1.0 for
  cert name matching, from man page.
- Fix capsforid canonical sort qsort callback.
- Fix pythonmod include and sockaddr_un ifdefs for compile on
  Windows, and for libunbound.
- Fix the error for unknown module in module-config is understandable,
  and explains it was not compiled in and where to see the list.
- In example.conf explain where to put cachedb module in module-config.
- In man page and example config explain that most modules have to
  be listed at the start of module-config.
- Fix #4227: pair event del and add for libevent for tcp_req_info.
- Fix #4229: Unbound man pages lack information, about access-control
  order and local zone tags, and elements in views.
- Fix #14: contrib/unbound.init: Fix wrong comparison judgment
  before copying.
- Fix for python module on Windows, fix fopen.
- Remove memory leak on pythonmod python2 script file init.
- Remove swig gcc8 python function cast warnings, they are ignored.
- Print correct module that failed when module-config is wrong.
   2019-02-12 11:52:28 by Havard Eidnes | Files touched by this commit (2) | Package updated
Log message:
Apply two fixes from
https://www.nlnetlabs.nl/bugs-script/sh … gi?id=4225

 * Sometimes qname-minimisation needs to be (temporarily) reverted.
 * DNS-over-TLS would interact with qname-minimisation and would erroneously
   echo back the query buffer instead of the answer.

Bump PKGREVISION.
   2019-02-05 10:44:57 by Havard Eidnes | Files touched by this commit (2) | Package updated
Log message:
Update unbound to version 1.9.0

Upstream changes:

This release contains the DNS Flag Day changes for Unbound.  See the
reference here, https://dnsflagday.net/ .   Or this presentation:
https://indico.dns-oarc.net/event/29/co … OARC29.pdf
.  The EDNS timeouts are not used to fallback to nonEDNS queries.

Features
- log-tag-queryreply: yes in unbound.conf tags the log-queries and
  log-replies in the log file for easier log filter maintenance.
- ip-ratelimit-factor of 1 allows all traffic through, instead of the
  previous blocking everything.
- Fix #4206: support openssl 1.0.2 for TLS hostname verification,
  alongside the 1.1.0 and later support that is already there.
- Add contrib/unbound-fuzzme.patch from Jacob Hoffman-Andrews,
  the patch adds a program used for fuzzing.
- streamtcp option -a send queries consecutively and prints answers
  as they arrive.
- out-of-order processing for TCP and TLS.
- Add stream-wait-size: 4m config option to limit the maximum
  memory used by waiting tcp and tls stream replies.  This avoids
  a denial of service where these replies use up all of the memory.
- unbound-control stats has mem.streamwait that counts TCP and TLS
  waiting result buffers.
- Patch from Manabu Sonoda with tls-ciphers and tls-ciphersuites
  options for unbound.conf.
- Patch for TLS session resumption from Manabu Sonoda,
  enable with tls-session-ticket-keys in unbound.conf.
- ub_ctx_set_tls call for libunbound that enables DoT for the machines
  set with ub_ctx_set_fwd.  Patch from Florian Obser.

Bug Fixes
- Fix that unbound-checkconf does not complains if the config file
  is not placed inside the chroot.
- Refuse to start with no ports.
- Remove clang analysis warnings.
- Patch for typo in unbound.conf man page.
- Fix icon, no ragged edges and nicer resolutions available, for eg.
  Win 7 and Windows 10 display.
- cache-max-ttl also defines upperbound of initial TTL in response.
- Fix config parser memory leaks.
- Fix for FreeBSD port make with dnscrypt and dnstap enabled.
- Fixup openssl 1.0.2 compile
- Fix for crash in dns64 module if response is null.
- On FreeBSD warn if systcl settings do not allow server TCP FASTOPEN,
  and server tcp fastopen is enabled at compile time.
- Document interaction between the tls-upstream option in the server
  section and forward-tls-upstream option in the forward-zone sections.
- Fix syntax in comment of local alias processing.
- Fix NSEC3 record that is returned in wildcard replies from
  auth-zone zones with NSEC3 and wildcards.
- Log query name for looping module errors.
- For caps-for-id fallback, use the whitelist to avoid timeout
  starting a fallback sequence for it.
- increase mesh max activation count for capsforid long fetches.
- Fix for #4219: secondaries not updated after serial change, unbound
  falls back to AXFR after IXFR gives several timeout failures.
- Fix that auth zone after IXFR fallback tries the same master.
- Fix for IXFR fallback to reset counter when IXFR does not timeout.
- Newer aclocal and libtoolize used for generating configure scripts,
  aclocal 1.16.1 and libtoolize 2.4.6.
- Fix unit test for python 3.7 new keyword 'async'.
- clang analysis fixes, assert arc4random buffer in init,
  no check for already checked delegation pointer in iterator,
  in testcode check for NULL packet matches, in perf do not copy
  from NULL start list when growing capacity.  Adjust host and file
  only when present in test header read to please checker.  In
  testcode for unknown macro operand give zero result. Initialise the
  passed argv array in test code.  In test code add EDNS data
  segment copy only when nonempty.
- Patch from Florian Obser fixes some compiler warnings:
  include mini_event.h to have a prototype for mini_ev_cmp
  include edns.h to have a prototype for apply_edns_options
  sldns_wire2str_edns_keepalive_print is only called in the wire2str,
  module declare it static to get rid of compiler warning:
  no previous prototype for function
  infra_find_ip_ratedata() is only called in the infra module,
  declare it static to get rid of compiler warning:
  no previous prototype for function
  do not shadow local variable buf in authzone
  auth_chunks_delete and az_nsec3_findnode are only called in the
  authzone module, declare them static to get rid of compiler warning:
  no previous prototype for function...
  copy_rrset() is only called in the respip module, declare it
  static to get rid of compiler warning:
  no previous prototype for function 'copy_rrset'
  no need for another variable "r"; gets rid of compiler warning:
  declaration shadows a local variable in libunbound.c
  no need for another variable "ns"; gets rid of compiler warning:
  declaration shadows a local variable in iterator.c
- Moved includes and make depend.
- updated contrib/fastrpz.patch to cleanly diff.
- remove compile warnings from libnettle compile.
- output of newer lex 2.6.1 and bison 3.0.5.
- Set build system for added call in the libunbound API.
- List example config for root zone copy locally hosted with auth-zone
  as suggested from draft-ietf-dnsop-7706-bis-02.  But with updated
  B root address.
- Fixed spelling of tls-ciphers option in example.conf.
   2019-01-17 15:19:51 by Havard Eidnes | Files touched by this commit (2) | Package updated
Log message:
Let unbound grow a "dnstap" option.
Bump PKGREVISION.
   2018-12-11 18:06:46 by Havard Eidnes | Files touched by this commit (2) | Package updated
Log message:
Update unbound to version 1.8.3

Upstream changes:

Bug Fixes
- Fix dns64 allocation in wrong region for returned internal queries.