./net/unbound, DNS resolver and recursive server

[ CVSweb ] [ Homepage ] [ RSS ] [ Required by ] [ Add to tracker ]

Branch: CURRENT, Version: 1.7.1, Package name: unbound-1.7.1, Maintainer: pettai

Unbound is an implementation of a DNS resolver. It provides a library
similiar to libresolv that can be used for synchronous and asynchronous
DNS look ups. It also provides a caching-only (recursive) DNS server.

Unbound has full support for IPv6 and DNSSEC validation.

Required to build:
[devel/flex] [pkgtools/cwrappers]

Master sites:

SHA1: b853b746fa1f89ecce160850ab163ef78f67eea5
RMD160: fd9ee1d94d475a84997d16e2e939c661d297fa6b
Filesize: 5435.486 KB

Version history: (Expand)

CVS history: (Expand)

   2018-05-07 09:13:28 by Havard Eidnes | Files touched by this commit (3) | Package updated
Log message:
Upgrade unbound to version 1.7.1.

Upstream changes:

- Add --with-libhiredis, unbound support for a new cachedb
  backend that uses a Redis server as the storage.  This
  implementation depends on the hiredis client library
  And unbound should be built with both --enable-cachedb and
  --with-libhiredis[=PATH] (where $PATH/include/hiredis/hiredis.h
  should exist).  Patch from Jinmei Tatuya (Infoblox).
- Create additional tls service interfaces by opening them on other
  portnumbers and listing the portnumbers as additional-tls-port: nr.
- ED448 support.
- num.query.authzone.up and num.query.authzone.down statistics counters.
- Accept both option names with and without colon for get_option
  and set_option.
- low-rtt and low-rtt-pct in unbound.conf enable the server selection
  of fast servers for some percentage of the time.
- num.query.aggressive.NOERROR and num.query.aggressive.NXDOMAIN
  statistics counters.
- allow-notify: config statement for auth-zones.
- Can set tls authentication with forward-addr: IP#tls.auth.name
  And put the public cert bundle in tls-cert-bundle: "ca-bundle.pem".
  such as forward-addr: or
- list_auth_zones unbound-control command.
- Added root-key-sentinel support

Bug Fixes
- Fix #3727: Protocol name is TLS, options have been renamed but
  documentation is not consistent.
- Check IXFR start serial.
- Fix typo in documentation.
- Fix #3736: Fix 0 TTL domains stuck on SERVFAIL unless manually
  flushed with serve-expired on.
- Fix #3817: core dump happens in libunbound delete, when queued
  servfail hits deleted message queue.
- corrected a minor typo in the changelog.
- move htobe64/be64toh portability code to cachedb.c.
- iana port update.
- Do not use cached NSEC records to generate negative answers for
  domains under DNSSEC Negative Trust Anchors.
- Fix unbound-control get_option aggressive-nsec
- Check "result" in dup_all(), by Florian Obser.
- Fix #4043: make test fails due to v6 presentation issue in macOS.
- Fix unable to resolve after new WLAN connection, due to auth-zone
  failing with a forwarder set.  Now, auth-zone is only used for
  answers (not referrals) when a forwarder is set.
- Combine write of tcp length and tcp query for dns over tls.
- nitpick fixes in example.conf.
- Fix above stub queries for type NS and useless delegation point.
- Fix unbound-control over pipe with openssl 1.1.1, the TLSv1.3
  tls_choose_sigalg routine does not allow the ciphers for the pipe,
  so use TLSv1.2.
- Fix that flush_zone sets prefetch ttl expired, so that with
  serve-expired enabled it'll start prefetching those entries.
- Fix downstream auth zone, only fallback when auth zone fails to
  answer and fallback is enabled.
- Fix for max include depth for authzones.
- Fix memory free on fail for $INCLUDE in authzone.
- Fix that an internal error to look up the wrong rr type for
  auth zone gets stopped, before trying to send there.
- Fix auth zone target lookup iterator.
- Fix auth-zone retry timer to be on schedule with retry timeout,
  with backoff.  Also time a refresh at the zone expiry.
- Fix #658: unbound using TLS in a forwarding configuration does not
  verify the server's certificate (RFC 8310 support).
- For addr with #authname and no @port notation, the default is 853.
- man page documentation for dns-over-tls forward-addr '#' notation.
- removed free from failed parse case.
- Fix #4091: Fix that reload of auth-zone does not merge the zonefile
  with the previous contents.
- Delete auth zone when removed from config.
- makedist uses bz2 for expat code, instead of tar.gz.
- Fix #4092: libunbound: use-caps-for-id lacks colon in
- auth zone http download stores exact copy of downloaded file,
  including comments in the file.
- Fix sldns parse failure for CDS alternate delete syntax empty hex.
- Attempt for auth zone fix; add of callback in mesh gets from
  callback does not skip callback of result.
- Fix cname classification with qname minimisation enabled.
- Fix contrib/fastrpz.patch for this release.
- Fix auth https for libev.
- Fix memory leak when caching wildcard records for aggressive NSEC use
- Fix for crash in daemon_cleanup with dnstap during reload,
  from Saksham Manchanda.
- Also that for dnscrypt.
   2018-03-15 11:22:49 by Havard Eidnes | Files touched by this commit (3) | Package updated
Log message:
Upgrade unbound to version 1.7.0.

Pkgsrc changes:
 * Add libunbound.pc to PLIST.

Upstream changes:

- auth-zone provides a way to configure RFC7706 from unbound.conf,
  eg. with auth-zone: name: "." for-downstream: no for-upstream: yes
  fallback-enabled: yes and masters or a zonefile with data.
- Aggressive use of NSEC implementation. Use cached NSEC records to
  generate NXDOMAIN, NODATA and positive wildcard answers.
- Accept tls-upstream in unbound.conf, the ssl-upstream keyword is
  also recognized and means the same.  Also for tls-port,
  tls-service-key, tls-service-pem, stub-tls-upstream and
- [dnscrypt] introduce dnscrypt-provider-cert-rotated option,
  from Manu Bretelle.
  This option allows handling multiple cert/key pairs while only
  distributing some of them.
  In order to reliably match a client magic with a given key without
  strong assumption as to how those were generated, we need both key and
  cert. Likewise, in order to know which ES version should be used.
  On the other hand, when rotating a cert, it can be desirable to only
  serve the new cert but still be able to handle clients that are still
  using the old certs's public key.
  The `dnscrypt-provider-cert-rotated` allow to instruct unbound to not
  publish the cert as part of the DNS's provider_name's TXT answer.
- Update B root ipv4 address.
- make ip-transparent option work on OpenBSD.
- Fix #2801: Install libunbound.pc.
- ltrace.conf file for libunbound in contrib.
- Fix #3598: Fix swig build issue on rhel6 based system.
  configure --disable-swig-version-check stops the swig version check.

Bug Fixes
- Fix #1749: With harden-referral-path: performance drops, due to
  circular dependency in NS and DS lookups.
- [dnscrypt] prevent dnscrypt-secret-key, dnscrypt-provider-cert
- Better documentation for cache-max-negative-ttl.
- Fixed libunbound manual typo.
- Fix #1949: [dnscrypt] make provider name mismatch more obvious.
- Fix #2031: Double included headers
- Document that errno is left informative on libunbound config read
- iana port update.
- Fix #1913: ub_ctx_config is under circumstances thread-safe.
- Fix #2362: TLS1.3/openssl-1.1.1 not working.
- Fix #2034 - Autoconf and -flto.
- Fix #2141 - for libsodium detect lack of entropy in chroot, print
  a message and exit.
- Fix #2492: Documentation libunbound.
- Fix #2882: Unbound behaviour changes (wrong) when domain-insecure is
  set for stub zone.  It no longer searches for DNSSEC information.
- Fix #3299 - forward CNAME daisy chain is not working
- Fix link failure on OmniOS.
- Check whether --with-libunbound-only is set when using --with-nettle
  or --with-nss.
- Fix qname-minimisation documentation (A QTYPE, not NS)
- Fix that DS queries with referral replies are answered straight
  away, without a repeat query picking the DS from cache.
  The correct reply should have been an answer, the reply is fixed
  by the scrubber to have the answer in the answer section.
- Fix that expiration date checks don't fail with clang -O2.
- Fix queries being leaked above stub when refetching glue.
- Copy query and correctly set flags on REFUSED answers when cache
  snooping is not allowed.
- make depend: code dependencies updated in Makefile.
- Fix #3397: Fix that cachedb could return a partial CNAME chain.
- Fix #3397: Fix that when the cache contains an unsigned DNAME in
  the middle of a cname chain, a result without the DNAME could
  be returned.
- Fix that unbound-checkconf -f flag works with auto-trust-anchor-file
  for startup scripts to get the full pathname(s) of anchor file(s).
- Print fatal errors about remote control setup before log init,
  so that it is printed to console.
- Use NSEC with longest ce to prove wildcard absence.
- Only use *.ce to prove wildcard absence, no longer names.
- Fix unfreed locks in log and arc4random at exit of unbound.
- Fix lock race condition in dns cache dname synthesis.
- Fix #3451: dnstap not building when you have a separate build dir.
  And removed protoc warning, set dnstap.proto syntax to proto2.
- Added tests with wildcard expanded NSEC records (CVE-2017-15105 test)
- Unit test for auth zone https url download.
- tls-cert-bundle option in unbound.conf enables TLS authentication.
- Fixes for clang static analyzer, the missing ; in
  edns-subnet/addrtree.c after the assert made clang analyzer
  produce a failure to analyze it.
- Fix #3505: Documentation for default local zones references
  wrong RFC.
- Fix #3494: local-zone noview can be used to break out of the view
  to the global local zone contents, for queries for that zone.
- Fix for more maintainable code in localzone.
- more robust cachedump rrset routine.
- Save wildcard RRset from answer with original owner for use in
  aggressive NSEC.
- Fixup contrib/fastrpz.patch so that it applies.
- Fix compile without threads, and remove unused variable.
- Fix compile with staticexe and python module.
- Fix nettle compile.
- Fix to check define of DSA for when openssl is without deprecated.
- iana port update.
- Fix #3582: Squelch address already in use log when reuseaddr option
  causes same port to be used twice for tcp connections.
- Reverted fix for #3512, this may not be the best way forward;
  although it could be changed at a later time, to stay similar to
  other implementations.
- Fix for windows compile.
- Fixed contrib/fastrpz.patch, even though this already applied
  cleanly for me, now also for others.
- patch to log creates keytag queries, from A. Schulze.
- patch suggested by Debian lintian: allow to -> allow one to, from
  A. Schulze.
- Attempt to remove warning about trailing whitespace.
- Added documentation for aggressive-nsec: yes.
   2018-01-19 11:10:03 by Havard Eidnes | Files touched by this commit (2) | Package updated
Log message:
Update to version 1.6.8:

Bug fixes:
- patch for CVE-2017-15105: vulnerability in the processing of
  wildcard synthesized NSEC records.
   2017-10-10 10:07:08 by Havard Eidnes | Files touched by this commit (2)
Log message:
Upgrade unbound to version 1.6.7.

Pkgsrc changes:
 * None.

Upstream changes:

* Set trust-anchor-signaling default to yes
* Fix #1440: [dnscrypt] client nonce cache.
* Fix #1435: Please allow UDP to be disabled separately upstream and

Bug fixes:
* Fix that looping modules always stop the query, and don't pass
* Fix unbound-host to report error for DNSSEC state of failed lookups.
* Spelling fixes, from Josh Soref.
* Fix #1400: allowing use of global cache on ECS-forwarding unless
* use a cachedb answer even if it's "expired" when serve-expired is yes
  (patch from Jinmei Tatuya).
* trigger refetching of the answer in that case (this will bypass
  cachedb lookup)
* allow storing a 0-TTL answer from cachedb in the in-memory message
  cache when serve-expired is yes
* Fix DNSCACHE_STORE_ZEROTTL to be bigger than 0xffff.
* Log name of looping module
* Fix #1450: Generate again patch contrib/aaaa-filter-iterator.patch
   (by Danilo G. Baio).
* Fix param unused warning for windows exportsymbol compile.
* Use RCODE from A query on DNS64 synthesized answer.
* Fix trust-anchor-signaling works in libunbound.
* Fix spelling in unbound-control man page.
   2017-09-18 15:02:39 by Havard Eidnes | Files touched by this commit (2) | Package updated
Log message:
Upgrade unbound to version 1.6.6.

Pkgsrc changes:
 * Unbound now needs flex >= 2.6.4 to build, or at least 2.6.3 is a no-go,
   so depend on the pkgsrc version which is already 2.6.4.

Upstream changes:

* unbound-control dump_infra prints port number for address if not 53.
* Fix #1344: RFC6761-reserved domains: test. and invalid.
* Fix #1349: allow suppression of pidfiles (from Daniel Kahn Gillmor).
  With the -p option unbound does not create a pidfile.
* Added stats for queries that have been ratelimited by domain
* Patch to show DNSCrypt status in help output, from Carsten
* Fix #1407: Add ECS options check to unbound-checkconf.
* Fix #1415: [dnscrypt] shared secret cache, patch from
  Manu Bretelle.

Bug Fixes:
* fixup of dnscrypt_cert_chacha test (from Manu Bretelle).
* First fix for zero b64 and hex text zone format in sldns.
* Better fixup of dnscrypt_cert_chacha test for different escapes.
* Fix that infra cache host hash does not change after reconfig.
* Fix python example0 return module wait instead of error for pass.
* enhancement for hardened-tls for DNS over TLS.  Removed duplicated
  security settings.
* Fix for unbound-checkconf, check ipsecmod-hook if ipsecmod is turned
* Fix #1331: libunbound segfault in threaded mode when context is
* Fix pythonmod link line option flag.
* Fix openssl 1.1.0 load of ssl error strings from ssl init.
* Fix 1332: Bump verbosity of failed chown'ing of the control socket.
* Redirect all localhost names to localhost address for RFC6761.
* Fix #1350: make cachedb backend configurable (from JINMEI Tatuya).
* Fix tests to use .tdir (from Manu Bretelle) instead of .tpkg.
* upgrade aclocal(pkg.m4 0.29.1), config.guess(2016-10-02),
* annotate case statement fallthrough for gcc 7.1.1.
* flex output from flex 2.6.1.
* snprintf of thread number does not warn about truncated string.
* squelch TCP fast open error on FreeBSD when kernel has it disabled,
  unless verbosity is high.
* remove warning from windows compile.
* Fix compile with libnettle
* Fix DSA configure switch (--disable dsa) for libnettle and libnss.
* Fix #1365: Add Ed25519 support using libnettle.
* Fix #1394: mix of serve-expired and response-ip could cause a crash.
* Remove unused iter_env member (ip6arpa_dname)
* Do not reset rrset.bogus stats when called using stats_noreset.
* Do not add rrset_bogus and query ratelimiting stats per thread, these
  module stats are global.
* Fix #1397: Recursive DS lookups for AS112 zones names should recurse.
* Fix #1398: make cachedb secret configurable.
* Remove spaces from Makefile.
* Fix issue on macOX 10.10 where TCP fast open is detected but not
  implemented causing TCP to fail. The fix allows fallback to regular
  TCP in this case and is also more robust for cases where connectx()
  fails for some reason.
* Fix #1402: squelch invalid argument error for fd_set_block on windows.
* Fix to reclaim tcp handler when it is closed due to dnscrypt buffer
  allocation failure.
* Fix #1415: patch to free dnscrypt environment on reload.
* iana portlist update
* Small fixes for the shared secret cache patch.
* Fix WKS records on kvm autobuild host, with default protobyname
  entries for udp and tcp.
* Fix #1414: fix segfault on parse failure and log_replies.
* zero qinfo in handle_request, this zeroes local_alias and also the
  qname member.
* new keys and certs for dnscrypt tests.
* fixup WKS test on buildhost without servicebyname.
* updated contrib/fastrpz.patch to apply with configparser changes.
* Fix 1416: qname-minimisation breaks TLSA lookups with CNAMEs.
* Fix #1424: cachedb:testframe is not thread safe.
* Fix #1417: [dnscrypt] shared secret cache counters, and works when
  dnscrypt is not enabled.  And cache size configuration option.
* Fix #1418: [ip ratelimit] initialize slabhash using
* Recommend 1472 buffer size in unbound.conf
* Fix #1412: QNAME minimisation strict mode not honored
* Fix #1434: Fix windows openssl 1.1.0 linking.
* Add dns64 for client-subnet in unbound-checkconf.
   2017-08-21 13:14:18 by Havard Eidnes | Files touched by this commit (2)
Log message:
Upgrade unbound to version 1.6.5.

Upstream changes:
  21 Aug 2017: Wouter
    - Fix install of trust anchor when two anchors are present, makes both
      valid.  Checks hash of DS but not signature of new key.  This fixes
      installs between sep11 and oct11 2017.
    - Tag 1.6.5
   2017-07-09 10:09:41 by Adam Ciarcinski | Files touched by this commit (5) | Package updated
Log message:
Changes 1.6.4:

* Implemented trust anchor signaling using key tag query.
* unbound-checkconf -o allows query of dnstap config variables. Also \ 
unbound-control get_option. Also for dnscrypt.
* unbound.h exports the shm stats structures. They use type long long and no \ 
ifdefs, and ub_ before the typenames.
* Implemented opportunistic IPsec support module (ipsecmod).
* Added redirect-bogus.patch to contrib directory.
* Support for the ED25519 algorithm with openssl (from openssl 1.1.1).
* renumbering B-Root's IPv6 address to 2001:500:200::b.
* Fix 1276: [dnscrypt] add XChaCha20-Poly1305 cipher.
* Fix 1277: disable domain ratelimit by setting value to 0.
* Added fastrpz patch to contrib

Bug Fixes:
* Added ECS unit test (from Manu Bretelle).
* ECS documentation fix (from Manu Bretelle).
* Fix 1252: more indentation inconsistencies.
* Fix 1253: unused variable in edns-subnet/addrtree.c:getbit().
* Fix 1254: clarify ratelimit-{for,below}-domain (from Manu Bretelle).
* iana portlist update
* Based on 1257: check parse limit before t increment in sldns RR string parse \ 
* Fix 1258: Windows 10 X64 unbound 1.6.2 service will not start. and fix that \ 
64bit getting installed in C:\Program Files (x86).
* Fix 1259: "--disable-ecdsa" argument overwritten by "ifdef \ 
* iana portlist update
* Added test for leak of stub information.
* Fix sldns wire2str printout of RR type CAA tags.
* Fix sldns int16_data parse.
* Fix sldns parse and printout of TSIG RRs.
* sldns SMIMEA and AVC definitions, same as getdns definitions.
* Fix tcp-mss failure printout text.
* Set SO_REUSEADDR on outgoing tcp connections to fix the bind before connect \ 
limited tcp connections. With the option tcp connections can share the same \ 
source port (for different destinations).
* Add 'c' to getopt() in testbound.
* Adjust servfail by iterator to not store in cache when serve-expired is \ 
enabled, to avoid overwriting useful information there.
* Fix queries for nameservers under a stub leaking to the internet.
* document trust-anchor-signaling in example config file.
* updated configure, dependencies and flex output.
* better module memory lookup, fix of unbound-control shm names for module \ 
memory printout of statistics.
* Fix type AVC sldns rrdef.
* Some whitespace fixup.
* Fix 1265: contrib/unbound.service contains hardcoded path.
* Fix 1265 to use /bin/kill.
* Fix 1267: Libunbound validator/val_secalgo.c uses obsolete APIs, and \ 
compatibility with BoringSSL.
* Fix 1268: SIGSEGV after log_reopen.
* exec_prefix is by default equal to prefix.
* printout localzone for duplicate local-zone warnings.
* Fix assertion for low buffer size and big edns payload when worker overrides \ 
* Support for openssl EVP_DigestVerify.
* Fix 1269: inconsistent use of built-in local zones with views.
* Add defaults for new local-zone trees added to views using unbound-control.
* Fix 1273: cachedb.c doesn't compile with -Wextra.
* If MSG_FASTOPEN gives EPIPE fallthrough to try normal tcp write.
* Also use global local-zones when there is a matching view that does not have \ 
any local-zone specified.
* Fix fastopen EPIPE fallthrough to perform connect.
* Fix 1274: automatically trim chroot path from dnscrypt key/cert paths (from \ 
Manu Bretelle).
* Fix 1275: cached data in cachedb is never used.
* Fix that unbound-control can set val_clean_additional and val_permissive_mode.
* Add dnscrypt XChaCha20 tests.
* Detect chacha for dnscrypt at configure time.
* dnscrypt unit tests with chacha.
* Added domain name based ECS whitelist.
* Fix 1278: Incomplete wildcard proof.
* Fix 1279: Memory leak on reload when python module is enabled.
* Fix 1280: Unbound fails assert when response from authoritative contains \ 
malformed qname. When 0x20 caps-for-id is enabled, when assertions are not \ 
enabled the malformed qname is handled correctly.
* More fixes in depth for buffer checks in 0x20 qname checks.
* Fix stub zone queries leaking to the internet for harden-referral-path ns checks.
* Fix query for refetch_glue of stub leaking to internet.
* Fix 1301: memory leak in respip and tests.
* Free callback in edns-subnetmod on exit and restart.
* Fix memory leak in sldns_buffer_new_frm_data.
* Fix memory leak in dnscrypt config read.
* Fix dnscrypt chacha cert support ifdefs.
* Fix dnscrypt chacha cert unit test escapes in grep.
* Fix to unlock view in view test.
* Fix warning in pythonmod under clang compiler.
* Fix lintian typo.
* Fix 1316: heap read buffer overflow in parse_edns_options.
   2017-06-22 12:56:09 by Niclas Rosenvik | Files touched by this commit (1)
Log message:
Add buildlink3.mk since it installs libraries usable by third parties.
Requested by Aleksej Lebedev on pkgsrc-users.