./net/unbound, DNS resolver and recursive server

[ CVSweb ] [ Homepage ] [ RSS ] [ Required by ] [ Add to tracker ]

Branch: CURRENT, Version: 1.7.3, Package name: unbound-1.7.3, Maintainer: pettai

Unbound is an implementation of a DNS resolver. It provides a library
similiar to libresolv that can be used for synchronous and asynchronous
DNS look ups. It also provides a caching-only (recursive) DNS server.

Unbound has full support for IPv6 and DNSSEC validation.

Required to build:
[devel/flex] [pkgtools/cwrappers]

Master sites:

SHA1: 106789bdca173d033d769c67be3441b47611612a
RMD160: 85b95d63684ed11e15031e7ff61f5d8c08442283
Filesize: 5440.043 KB

Version history: (Expand)

CVS history: (Expand)

   2018-06-21 17:32:22 by Havard Eidnes | Files touched by this commit (2) | Package updated
Log message:
Update unbound to version 1.7.3

Upstream changes:

- #4102 for NSD, but for Unbound.  Named unix pipes do not use
  certificate and key files, access can be restricted with file and
  directory permissions.  The option control-use-cert is no longer
  used, and ignored if found in unbound.conf.
- Rename tls-additional-ports to tls-additional-port, because every
  line adds one port.

Bug Fixes
- Don't count CNAME response types received during qname minimisation
  as query restart.
- #4100: Fix stub reprime when it becomes useless.
- Fix crash if ratelimit taken into use with unbound-control
  instead of with unbound.conf.
- Patch to fix openwrt for mac os build darwin detection in configure.
- #4103: Fix that auth-zone does not insist on SOA record first in
  file for url downloads.
- Fix that first control-interface determines if TLS is used.  Warn
  when IP address interfaces are used without TLS.
- Fix that control-use-cert: no works for to disable certs.
- Fix unbound-checkconf for control-use-cert.
- Fix for unbound-control on Windows and set TCP socket parameters
  more closely.
- Fix windows unbound-control no cert bad file descriptor error.
   2018-06-11 12:06:58 by Havard Eidnes | Files touched by this commit (2) | Package updated
Log message:
Upgrade unbound to version 1.7.2.

Upstream changes:

- Fix low-rtt-pct to low-rtt-permil, as it is parts in one thousand.
- Qname minimisation default changed to yes.
- Use accept4 to speed up incoming TCP (and TLS) connections,
  available on Linux, FreeBSD and OpenBSD.
- tls-win-cert option that adds the system certificate store for
  authenticating DNS-over-TLS connections.  It can be used instead
  of the tls-cert-bundle option, or with it to add certificates.
- Patch from Syzdek: Add ability to ignore RD bit and treat all
  requests as if the RD bit is set.
- Rename additional-tls-port to tls-additional-ports.
  The older name is accepted for backwards compatibility.

Bug fixes:
- Fix for crash in daemon_cleanup with dnstap during reload,
  from Saksham Manchanda.
- Also that for dnscrypt.
- Fix spelling error in man page and note defaults as no instead of
- Fix that unbound-control reload frees the rrset keys and returns
  the memory pages to the system.
- Fix fail to reject dead peers in forward-zone, with ssl-upstream.
- Fix that configure --with-libhiredis also turns on cachedb.
- Fix gcc 8 buffer warning in testcode.
- Fix function type cast warning in libunbound context callback type.
- Fix windows to not have sticky TLS events for TCP.
- Fix read of DNS over TLS length and data in one read call.
- Fix mesh state assertion failure due to callback removal.
- Fix contrib/libunbound.pc for libssl libcrypto references,
  from https://bugs.freebsd.org/bugzilla/show_ … ?id=226914
- Fix that libunbound can do DNS-over-TLS, when configured.
- Fix that windows unbound service can use DNS-over-TLS.
- unbound-host initializes ssl (for potential DNS-over-TLS usage
  inside libunbound), when ssl upstream or a cert-bundle is configured.
- For TCP and TLS connections that don't establish, perform address
  update in infra cache, so future selections can exclude them.
- Fix that tcp sticky events are removed for closed fd on windows.
- Fix close events for tcp only.
- Fix windows tcp and tls spin on events.
- Add routine from getdns to add windows cert store to the SSL_CTX.
- in compat/arc4random call getentropy_urandom when getentropy fails
  with ENOSYS.
- Fix that fallback for windows port.
- Fix deadlock caused by incoming notify for auth-zone.
   2018-05-07 09:13:28 by Havard Eidnes | Files touched by this commit (3) | Package updated
Log message:
Upgrade unbound to version 1.7.1.

Upstream changes:

- Add --with-libhiredis, unbound support for a new cachedb
  backend that uses a Redis server as the storage.  This
  implementation depends on the hiredis client library
  And unbound should be built with both --enable-cachedb and
  --with-libhiredis[=PATH] (where $PATH/include/hiredis/hiredis.h
  should exist).  Patch from Jinmei Tatuya (Infoblox).
- Create additional tls service interfaces by opening them on other
  portnumbers and listing the portnumbers as additional-tls-port: nr.
- ED448 support.
- num.query.authzone.up and num.query.authzone.down statistics counters.
- Accept both option names with and without colon for get_option
  and set_option.
- low-rtt and low-rtt-pct in unbound.conf enable the server selection
  of fast servers for some percentage of the time.
- num.query.aggressive.NOERROR and num.query.aggressive.NXDOMAIN
  statistics counters.
- allow-notify: config statement for auth-zones.
- Can set tls authentication with forward-addr: IP#tls.auth.name
  And put the public cert bundle in tls-cert-bundle: "ca-bundle.pem".
  such as forward-addr: or
- list_auth_zones unbound-control command.
- Added root-key-sentinel support

Bug Fixes
- Fix #3727: Protocol name is TLS, options have been renamed but
  documentation is not consistent.
- Check IXFR start serial.
- Fix typo in documentation.
- Fix #3736: Fix 0 TTL domains stuck on SERVFAIL unless manually
  flushed with serve-expired on.
- Fix #3817: core dump happens in libunbound delete, when queued
  servfail hits deleted message queue.
- corrected a minor typo in the changelog.
- move htobe64/be64toh portability code to cachedb.c.
- iana port update.
- Do not use cached NSEC records to generate negative answers for
  domains under DNSSEC Negative Trust Anchors.
- Fix unbound-control get_option aggressive-nsec
- Check "result" in dup_all(), by Florian Obser.
- Fix #4043: make test fails due to v6 presentation issue in macOS.
- Fix unable to resolve after new WLAN connection, due to auth-zone
  failing with a forwarder set.  Now, auth-zone is only used for
  answers (not referrals) when a forwarder is set.
- Combine write of tcp length and tcp query for dns over tls.
- nitpick fixes in example.conf.
- Fix above stub queries for type NS and useless delegation point.
- Fix unbound-control over pipe with openssl 1.1.1, the TLSv1.3
  tls_choose_sigalg routine does not allow the ciphers for the pipe,
  so use TLSv1.2.
- Fix that flush_zone sets prefetch ttl expired, so that with
  serve-expired enabled it'll start prefetching those entries.
- Fix downstream auth zone, only fallback when auth zone fails to
  answer and fallback is enabled.
- Fix for max include depth for authzones.
- Fix memory free on fail for $INCLUDE in authzone.
- Fix that an internal error to look up the wrong rr type for
  auth zone gets stopped, before trying to send there.
- Fix auth zone target lookup iterator.
- Fix auth-zone retry timer to be on schedule with retry timeout,
  with backoff.  Also time a refresh at the zone expiry.
- Fix #658: unbound using TLS in a forwarding configuration does not
  verify the server's certificate (RFC 8310 support).
- For addr with #authname and no @port notation, the default is 853.
- man page documentation for dns-over-tls forward-addr '#' notation.
- removed free from failed parse case.
- Fix #4091: Fix that reload of auth-zone does not merge the zonefile
  with the previous contents.
- Delete auth zone when removed from config.
- makedist uses bz2 for expat code, instead of tar.gz.
- Fix #4092: libunbound: use-caps-for-id lacks colon in
- auth zone http download stores exact copy of downloaded file,
  including comments in the file.
- Fix sldns parse failure for CDS alternate delete syntax empty hex.
- Attempt for auth zone fix; add of callback in mesh gets from
  callback does not skip callback of result.
- Fix cname classification with qname minimisation enabled.
- Fix contrib/fastrpz.patch for this release.
- Fix auth https for libev.
- Fix memory leak when caching wildcard records for aggressive NSEC use
- Fix for crash in daemon_cleanup with dnstap during reload,
  from Saksham Manchanda.
- Also that for dnscrypt.
   2018-03-15 11:22:49 by Havard Eidnes | Files touched by this commit (3) | Package updated
Log message:
Upgrade unbound to version 1.7.0.

Pkgsrc changes:
 * Add libunbound.pc to PLIST.

Upstream changes:

- auth-zone provides a way to configure RFC7706 from unbound.conf,
  eg. with auth-zone: name: "." for-downstream: no for-upstream: yes
  fallback-enabled: yes and masters or a zonefile with data.
- Aggressive use of NSEC implementation. Use cached NSEC records to
  generate NXDOMAIN, NODATA and positive wildcard answers.
- Accept tls-upstream in unbound.conf, the ssl-upstream keyword is
  also recognized and means the same.  Also for tls-port,
  tls-service-key, tls-service-pem, stub-tls-upstream and
- [dnscrypt] introduce dnscrypt-provider-cert-rotated option,
  from Manu Bretelle.
  This option allows handling multiple cert/key pairs while only
  distributing some of them.
  In order to reliably match a client magic with a given key without
  strong assumption as to how those were generated, we need both key and
  cert. Likewise, in order to know which ES version should be used.
  On the other hand, when rotating a cert, it can be desirable to only
  serve the new cert but still be able to handle clients that are still
  using the old certs's public key.
  The `dnscrypt-provider-cert-rotated` allow to instruct unbound to not
  publish the cert as part of the DNS's provider_name's TXT answer.
- Update B root ipv4 address.
- make ip-transparent option work on OpenBSD.
- Fix #2801: Install libunbound.pc.
- ltrace.conf file for libunbound in contrib.
- Fix #3598: Fix swig build issue on rhel6 based system.
  configure --disable-swig-version-check stops the swig version check.

Bug Fixes
- Fix #1749: With harden-referral-path: performance drops, due to
  circular dependency in NS and DS lookups.
- [dnscrypt] prevent dnscrypt-secret-key, dnscrypt-provider-cert
- Better documentation for cache-max-negative-ttl.
- Fixed libunbound manual typo.
- Fix #1949: [dnscrypt] make provider name mismatch more obvious.
- Fix #2031: Double included headers
- Document that errno is left informative on libunbound config read
- iana port update.
- Fix #1913: ub_ctx_config is under circumstances thread-safe.
- Fix #2362: TLS1.3/openssl-1.1.1 not working.
- Fix #2034 - Autoconf and -flto.
- Fix #2141 - for libsodium detect lack of entropy in chroot, print
  a message and exit.
- Fix #2492: Documentation libunbound.
- Fix #2882: Unbound behaviour changes (wrong) when domain-insecure is
  set for stub zone.  It no longer searches for DNSSEC information.
- Fix #3299 - forward CNAME daisy chain is not working
- Fix link failure on OmniOS.
- Check whether --with-libunbound-only is set when using --with-nettle
  or --with-nss.
- Fix qname-minimisation documentation (A QTYPE, not NS)
- Fix that DS queries with referral replies are answered straight
  away, without a repeat query picking the DS from cache.
  The correct reply should have been an answer, the reply is fixed
  by the scrubber to have the answer in the answer section.
- Fix that expiration date checks don't fail with clang -O2.
- Fix queries being leaked above stub when refetching glue.
- Copy query and correctly set flags on REFUSED answers when cache
  snooping is not allowed.
- make depend: code dependencies updated in Makefile.
- Fix #3397: Fix that cachedb could return a partial CNAME chain.
- Fix #3397: Fix that when the cache contains an unsigned DNAME in
  the middle of a cname chain, a result without the DNAME could
  be returned.
- Fix that unbound-checkconf -f flag works with auto-trust-anchor-file
  for startup scripts to get the full pathname(s) of anchor file(s).
- Print fatal errors about remote control setup before log init,
  so that it is printed to console.
- Use NSEC with longest ce to prove wildcard absence.
- Only use *.ce to prove wildcard absence, no longer names.
- Fix unfreed locks in log and arc4random at exit of unbound.
- Fix lock race condition in dns cache dname synthesis.
- Fix #3451: dnstap not building when you have a separate build dir.
  And removed protoc warning, set dnstap.proto syntax to proto2.
- Added tests with wildcard expanded NSEC records (CVE-2017-15105 test)
- Unit test for auth zone https url download.
- tls-cert-bundle option in unbound.conf enables TLS authentication.
- Fixes for clang static analyzer, the missing ; in
  edns-subnet/addrtree.c after the assert made clang analyzer
  produce a failure to analyze it.
- Fix #3505: Documentation for default local zones references
  wrong RFC.
- Fix #3494: local-zone noview can be used to break out of the view
  to the global local zone contents, for queries for that zone.
- Fix for more maintainable code in localzone.
- more robust cachedump rrset routine.
- Save wildcard RRset from answer with original owner for use in
  aggressive NSEC.
- Fixup contrib/fastrpz.patch so that it applies.
- Fix compile without threads, and remove unused variable.
- Fix compile with staticexe and python module.
- Fix nettle compile.
- Fix to check define of DSA for when openssl is without deprecated.
- iana port update.
- Fix #3582: Squelch address already in use log when reuseaddr option
  causes same port to be used twice for tcp connections.
- Reverted fix for #3512, this may not be the best way forward;
  although it could be changed at a later time, to stay similar to
  other implementations.
- Fix for windows compile.
- Fixed contrib/fastrpz.patch, even though this already applied
  cleanly for me, now also for others.
- patch to log creates keytag queries, from A. Schulze.
- patch suggested by Debian lintian: allow to -> allow one to, from
  A. Schulze.
- Attempt to remove warning about trailing whitespace.
- Added documentation for aggressive-nsec: yes.
   2018-01-19 11:10:03 by Havard Eidnes | Files touched by this commit (2) | Package updated
Log message:
Update to version 1.6.8:

Bug fixes:
- patch for CVE-2017-15105: vulnerability in the processing of
  wildcard synthesized NSEC records.
   2017-10-10 10:07:08 by Havard Eidnes | Files touched by this commit (2)
Log message:
Upgrade unbound to version 1.6.7.

Pkgsrc changes:
 * None.

Upstream changes:

* Set trust-anchor-signaling default to yes
* Fix #1440: [dnscrypt] client nonce cache.
* Fix #1435: Please allow UDP to be disabled separately upstream and

Bug fixes:
* Fix that looping modules always stop the query, and don't pass
* Fix unbound-host to report error for DNSSEC state of failed lookups.
* Spelling fixes, from Josh Soref.
* Fix #1400: allowing use of global cache on ECS-forwarding unless
* use a cachedb answer even if it's "expired" when serve-expired is yes
  (patch from Jinmei Tatuya).
* trigger refetching of the answer in that case (this will bypass
  cachedb lookup)
* allow storing a 0-TTL answer from cachedb in the in-memory message
  cache when serve-expired is yes
* Fix DNSCACHE_STORE_ZEROTTL to be bigger than 0xffff.
* Log name of looping module
* Fix #1450: Generate again patch contrib/aaaa-filter-iterator.patch
   (by Danilo G. Baio).
* Fix param unused warning for windows exportsymbol compile.
* Use RCODE from A query on DNS64 synthesized answer.
* Fix trust-anchor-signaling works in libunbound.
* Fix spelling in unbound-control man page.
   2017-09-18 15:02:39 by Havard Eidnes | Files touched by this commit (2) | Package updated
Log message:
Upgrade unbound to version 1.6.6.

Pkgsrc changes:
 * Unbound now needs flex >= 2.6.4 to build, or at least 2.6.3 is a no-go,
   so depend on the pkgsrc version which is already 2.6.4.

Upstream changes:

* unbound-control dump_infra prints port number for address if not 53.
* Fix #1344: RFC6761-reserved domains: test. and invalid.
* Fix #1349: allow suppression of pidfiles (from Daniel Kahn Gillmor).
  With the -p option unbound does not create a pidfile.
* Added stats for queries that have been ratelimited by domain
* Patch to show DNSCrypt status in help output, from Carsten
* Fix #1407: Add ECS options check to unbound-checkconf.
* Fix #1415: [dnscrypt] shared secret cache, patch from
  Manu Bretelle.

Bug Fixes:
* fixup of dnscrypt_cert_chacha test (from Manu Bretelle).
* First fix for zero b64 and hex text zone format in sldns.
* Better fixup of dnscrypt_cert_chacha test for different escapes.
* Fix that infra cache host hash does not change after reconfig.
* Fix python example0 return module wait instead of error for pass.
* enhancement for hardened-tls for DNS over TLS.  Removed duplicated
  security settings.
* Fix for unbound-checkconf, check ipsecmod-hook if ipsecmod is turned
* Fix #1331: libunbound segfault in threaded mode when context is
* Fix pythonmod link line option flag.
* Fix openssl 1.1.0 load of ssl error strings from ssl init.
* Fix 1332: Bump verbosity of failed chown'ing of the control socket.
* Redirect all localhost names to localhost address for RFC6761.
* Fix #1350: make cachedb backend configurable (from JINMEI Tatuya).
* Fix tests to use .tdir (from Manu Bretelle) instead of .tpkg.
* upgrade aclocal(pkg.m4 0.29.1), config.guess(2016-10-02),
* annotate case statement fallthrough for gcc 7.1.1.
* flex output from flex 2.6.1.
* snprintf of thread number does not warn about truncated string.
* squelch TCP fast open error on FreeBSD when kernel has it disabled,
  unless verbosity is high.
* remove warning from windows compile.
* Fix compile with libnettle
* Fix DSA configure switch (--disable dsa) for libnettle and libnss.
* Fix #1365: Add Ed25519 support using libnettle.
* Fix #1394: mix of serve-expired and response-ip could cause a crash.
* Remove unused iter_env member (ip6arpa_dname)
* Do not reset rrset.bogus stats when called using stats_noreset.
* Do not add rrset_bogus and query ratelimiting stats per thread, these
  module stats are global.
* Fix #1397: Recursive DS lookups for AS112 zones names should recurse.
* Fix #1398: make cachedb secret configurable.
* Remove spaces from Makefile.
* Fix issue on macOX 10.10 where TCP fast open is detected but not
  implemented causing TCP to fail. The fix allows fallback to regular
  TCP in this case and is also more robust for cases where connectx()
  fails for some reason.
* Fix #1402: squelch invalid argument error for fd_set_block on windows.
* Fix to reclaim tcp handler when it is closed due to dnscrypt buffer
  allocation failure.
* Fix #1415: patch to free dnscrypt environment on reload.
* iana portlist update
* Small fixes for the shared secret cache patch.
* Fix WKS records on kvm autobuild host, with default protobyname
  entries for udp and tcp.
* Fix #1414: fix segfault on parse failure and log_replies.
* zero qinfo in handle_request, this zeroes local_alias and also the
  qname member.
* new keys and certs for dnscrypt tests.
* fixup WKS test on buildhost without servicebyname.
* updated contrib/fastrpz.patch to apply with configparser changes.
* Fix 1416: qname-minimisation breaks TLSA lookups with CNAMEs.
* Fix #1424: cachedb:testframe is not thread safe.
* Fix #1417: [dnscrypt] shared secret cache counters, and works when
  dnscrypt is not enabled.  And cache size configuration option.
* Fix #1418: [ip ratelimit] initialize slabhash using
* Recommend 1472 buffer size in unbound.conf
* Fix #1412: QNAME minimisation strict mode not honored
* Fix #1434: Fix windows openssl 1.1.0 linking.
* Add dns64 for client-subnet in unbound-checkconf.
   2017-08-21 13:14:18 by Havard Eidnes | Files touched by this commit (2)
Log message:
Upgrade unbound to version 1.6.5.

Upstream changes:
  21 Aug 2017: Wouter
    - Fix install of trust anchor when two anchors are present, makes both
      valid.  Checks hash of DS but not signature of new key.  This fixes
      installs between sep11 and oct11 2017.
    - Tag 1.6.5