./net/unbound, DNS resolver and recursive server

[ CVSweb ] [ Homepage ] [ RSS ] [ Required by ] [ Add to tracker ]

Branch: CURRENT, Version: 1.6.0, Package name: unbound-1.6.0, Maintainer: pettai

Unbound is an implementation of a DNS resolver. It provides a library
similiar to libresolv that can be used for synchronous and asynchronous
DNS look ups. It also provides a caching-only (recursive) DNS server.

Unbound has full support for IPv6 and DNSSEC validation.

Required to build:

Package options: libevent

Master sites:

SHA1: 9b7606b016b447dc837efc108cee94f3fecf4ede
RMD160: 07380cf33d5bb352f1b6fb19bb6411b3bdeb6011
Filesize: 4944.583 KB

Version history: (Expand)

CVS history: (Expand)

   2016-12-23 20:25:45 by Fredrik Pettai | Files touched by this commit (2) | Package updated
Log message:
Unbound 1.6.0

- Added generic EDNS code for registering known EDNS option codes,
  bypassing the cache response stage and uniquifying mesh states. Four
  EDNS option lists were added to module_qstate
  (module_qstate.edns_opts_*) to store EDNS options from/to front/back side.
- Added two flags to module_qstate (no_cache_lookup, no_cache_store)
  that control the modules' cache interactions.
- Added code for registering inplace callback functions. The registered
  functions can be called just before replying with local data or Chaos,
  replying from cache, replying with SERVFAIL, replying with a resolved
  query, sending a query to a nameserver. The functions can inspect the
  available data and maybe change response/query related data (i.e. append
  EDNS options).
- Updated Python module for the above.
- Updated Python documentation.
- Added views functionality.
- Added qname-minimisation-strict config option.
- Patch that resolves CNAMEs entered in local-data conf statements that
  point to data on the internet.
- serve-expired config option: serve expired responses with TTL 0.
- .gitattributes line for githubs code language display.
- log-identity: config option to set sys log identity.
- Added stub-ssl-upstream and forward-ssl-upstream options.
- Added local-zones and local-data bulk addition and removal
  functionality in unbound-control (local_zones, local_zones_remove,
  local_datas and local_datas_remove).
- g.root-servers.net has AAAA address.

Bug Fixes:
- Fix #836: unbound could echo back EDNS options in an error response.
- Fix #838: 1.5.10 cannot be built on Solaris, undefined PATH_MAX.
- Fix #839: Memory grows unexpectedly with large RPZ files.
- Fix #840: infinite loop in unbound_munin_ plugin on unowned lockfile.
- Fix #841: big local-zone's make it consume large amounts of memory.
- Fix dnstap relaying "random" messages instead of resolver/forwarder
- Fix Nits for 1.5.10.
- Fix #1117: spelling errors, from Robert Edmonds.
- iana portlist update.
- fix memoryleak logfile when in debug mode.
- Re-fix #839 from view commit overwrite.
- Fixup const void cast warning.
- Removed patch comments from acllist.c and msgencode.c
- Added documentation doc/CNAME-basedRedirectionDesignNotes.pdf
- Fix #1125: unbound could reuse an answer packet incorrectly for
  clients with different EDNS parameters.
- Fix #1118: libunbound.pc sets strange Libs, Libs.private values.
- Added Requires line to libunbound.pc
- Fix #1130: whitespace in example.conf.in more consistent.
- suppress compile warning in lex files.
- init lzt variable, for older gcc compiler warnings.
- fix --enable-dsa to work, instead of copying ecdsa enable.
- Fix DNSSEC validation of query type ANY with DNAME answers.
- Fixup query_info local_alias init.
- Ported tests for local_cname unit test to testbound framework.
- Fix #1134: unbound-control set_option -- val-override-date: -1 works
  immediately to ignore datetime, or back to 0 to enable it again. The --
  is to ignore the '-1' as an option flag.
- Patch for server.num.zero_ttl stats for count of expired replies.
- Fix failure to build on arm64 with no sbrk.
- Set OpenSSL security level to 0 when using aNULL ciphers.
- configure detects ssl security level API function in the autoconf
  manner. Every function on its own, so that other libraries (eg.
  LibreSSL) can develop their API without hindrance.
- Fix #1154: segfault when reading config with duplicate zones.
- Note that for harden-below-nxdomain the nxdomain must be secure, this
  means nsec3 with optout is insufficient.
- Fix #1155: test status code of unbound-control in 04-checkconf, not
  the status code from the tee command.
- Fix #1158: reference RFC 8020 "NXDOMAIN: There Really Is Nothing
  Underneath" for the harden-below-nxdomain option.
- patch from Dag-Erling Smorgrav that removes code that relies on sbrk().
- Make access-control-tag-data RDATA absolute. This makes the RDATA
  origin consistent between local-data and access-control-tag-data.
- Fix NSEC ENT wildcard check. Matching wildcard does not have to be a
  subdomain of the NSEC owner.
- QNAME minimisation uses QTYPE=A, therefore always check cache for this
  type in harden-below-nxdomain functionality.
- Added unit test for QNAME minimisation + harden below nxdomain synergy.
- Fix that with openssl 1.1 control-use-cert: no uses less cpu, by using
  no encryption over the unix socket.
- hyphen as minus fix.
- Fix #1170: document that 'inform' local-zone uses local-data.
- Fix #1173: differ local-zone type deny from unset tag_actions element.
- Add DSA support for OpenSSL 1.1.0
- Fix remote control without cert for LibreSSL
- Fix downcast warnings from visual studio in sldns code
   2016-10-05 22:28:01 by Fredrik Pettai | Files touched by this commit (2) | Package updated
Log message:
-   Create a pkg-config file for libunbound in contrib.
-   TCP Fast open.
-   Finegrained localzone control with define-tag, access-control-tag,
    access-control-tag-action, access-control-tag-data, local-zone-tag, and
    local-zone-override. And added types always_transparent, always_refuse,
    always_nxdomain with that.
-   If more than half of tcp connections are in use, a shorter timeout
    is used (200 msec, vs 2 minutes) to pressure tcp for new connects.
-   [bugzilla: 787 ] Fix #787: outgoing-interface netblock/64 ipv6
    option to use linux freebind to use 64bits of entropy for every query
    with random local part.
-   For #787: prefer-ip6 option for unbound.conf prefers to send
    upstream queries to ipv6 servers.
-   Add default root hints for IPv6 E.ROOT-SERVERS.NET, 2001:500:a8::e.
-   keep debug symbols in windows build.

Bug Fixes:
-   [bugzilla: 778 ] Fix unbound 1.5.9: -h segfault (null deref).
-   Fix unbound-anchor.exe file location defaults to Program Files with
    (x86) appended.
-   Fix to not ignore return value of chown() in daemon startup.
-   Better help text from -h.
-   [bugzilla: 773 ] Fix Non-standard Python location build failure with
-   Improve threadsafety for openssl 0.9.8 ecdsa dnssec signatures.
-   Revert fix for NetworkService account on windows due to breakage it
-   Fix that windows install will not overwrite existing service.conf
    file (and ignore gui config choices if it exists).
-   And delete service.conf.shipped on uninstall.
-   In unbound.conf directory: dir immediately changes to that
    directory, so that include: file below that is relative to that
    directory. With chroot, make the directory an absolute path inside chroot.
-   do not delete service.conf on windows uninstall.
-   document directory immediate fix and allow EXECUTABLE syntax in it
    on windows.
-   Fix directory: fix for unbound-checkconf, it restores cwd.
-   Use QTYPE=A for QNAME minimisation.
-   Keep track of number of time-outs when performing QNAME
    minimisation. Stop minimising when number of time-outs for a QNAME/QTYPE
    pair is more than three.
-   [bugzilla: 775 ] Fix unbound-host and unbound-anchor crash on
    windows, ignore null delete for wsaevent.
-   Fix spelling in freebind option man page text.
-   Fix windows link of ssl with crypt32.
-   [bugzilla: 779 ] Fix Union casting is non-portable.
-   [bugzilla: 780 ] Fix MAP_ANON not defined in HP-UX 11.31.
-   [bugzilla: 781 ] Fix prealloc() is an HP-UX system library call.
-   Decrease dp attempts at each QNAME minimisation iteration
-   [bugzilla: 784 ] Fix Build configure assumess that having getpwnam
    means there is endpwent function available.
-   Updated repository with newer flex and bison output.
-   Fix static compile on windows missing gdi32.
-   Fix dynamic link of anchor-update.exe on windows.
-   Fix detect of mingw for MXE package build.
-   Fixes for 64bit windows compile.
-   [bugzilla: 788 ] Fix for nettle 3.0: Failed to build with Nettle >=
    3.0 and --with-libunbound-only --with-nettle.
-   Fixed unbound.doxygen for 1.8.11.
-   [bugzilla: 798 ] Fix Client-side TCP fast open fails (Linux).
-   [bugzilla: 801 ] Fix missing error condition handling in
-   [bugzilla: 802 ] Fix workaround for function parameters that are
    "unused" without log_assert.
-   [bugzilla: 803 ] Fix confusing (and incorrect) code comment in
-   [bugzilla: 806 ] Fix wrong comment removed.
-   use sendmsg instead of sendto for TFO.
-   [bugzilla: 807 ] Fix workaround for possible some "unused" function
    parameters in test code.
-   Note that OPENPGPKEY type is RFC 7929.
-   [bugzilla: 804 ] Fix #804: unbound stops responding after outage.
    Fixes queries that attempt to wait for an empty list of subqueries.
-   Fix for #804: lower num_target_queries for iterator also for failed
-   [bugzilla: 820 ] Fix set sldns_str2wire_rr_buf() dual meaning len
    parameter in each iteration in find_tag_datas().
-   [bugzilla: 777 ] Fix OpenSSL 1.1.0 compatibility.
-   RFC 7958 is now out, updated docs for unbound-anchor.
-   Fix for compile without warnings with openssl 1.1.0.
-   [bugzilla: 826 ] Fix refuse_non_local could result in a broken response.
-   iana portlist update.
-   Fix compile with openssl 1.1.0 with api=1.1.0.
-   [bugzilla: 829 ] Fix doc of sldns_wire2str_rdata_buf() return value
    has an off-by-one typo.
-   Fix incomplete prototypes reported by Dag-Erling Smørgrav.
-   [bugzilla: 828 ] Fix missing type in access-control-tag-action
    redirect results in NXDOMAIN.
-   Take configured minimum TTL into consideration when reducing TTL to
    original TTL from RRSIG.
-   [bugzilla: 831 ] Fix workaround for spurious fread_chk warning
    against petal.c
-   Silenced flex-generated sign-unsigned warning print with gcc
    diagnostic pragma.
-   Fix for new splint on FreeBSD. Fix cast for sockaddr_un.sun_len.
-   fix potential memory leak in daemon/remote.c and nullpointer
    dereference in validator/autotrust.
-   [bugzilla: 883 ] Fix error for duplicate local zone entry.
-   [bugzilla: 835 ] Fix --disable-dsa with nettle verify.
   2016-06-16 15:50:39 by Fredrik Pettai | Files touched by this commit (2) | Package updated
Log message:
Unbound 1.5.9

- generic edns option parse and store code.
- Updated L root IPv6 address.
- User defined pluggable event API for libunbound
- ip_freebind: yesno option in unbound.conf sets IP_FREEBIND for binding
  to an IP address while the interface or address is down.
- OpenSSL 1.1.0 portability, --disable-dsa configure option.
- disable-dnssec-lame-check config option.

Bug Fixes:
- [bugzilla: 745 ] Fix unbound.py - idn2dname throws UnicodeError when idnname \ 
contains trailing dot.
- configure tests for the weak attribute support by the compiler.
- [bugzilla: 747 ] Fix assert in outnet_serviced_query_stop.
- Updated configure and ltmain.sh.
- Fixup of compile fix for pluggable event API.
- Fixup backend2str for libev.
- Fix libev usage of dispatch return value.
- No side effects in tolower() call, in case it is a macro.
- Fix warnings in ifdef corner case, older or unknown libevent.
- Fix ip-transparent for ipv6 on FreeBSD.
- Fix ip-transparent for tcp on freebsd.
- [bugzilla: 746 ] Fix unbound sets CD bit on all forwards.
  If no trust anchors, it'll not set CD bit when forwarding to another server.
  If a trust anchor, no CD bit on the first attempt to a forwarder,
  but CD bit thereafter on repeated attempts to get DNSSEC.
- Limit number of QNAME minimisation iterations.
- Validate QNAME minimised NXDOMAIN responses.
- If QNAME minimisation is enabled, do cache lookup for QTYPE NS in \ 
- Fix compile of getentropy_linux for SLES11 servicepack 4.
- Fix dnstap-log-resolver-response-messages.
- Fix test for openssl to use HMAC_Update for 1.1.0.
- ERR_remove_state deprecated since openssl 1.0.0.
- OPENSSL_config is deprecated, removing.
- Document permit-small-holddown for 5011 debug.
- [bugzilla: 749 ] Fix unbound-checkconf gets SIGSEGV when use against a \ 
malformatted conf file.
- [bugzilla: 753 ] Fix document dump_requestlist is for first thread.
- Fix some malformed reponses to edns queries get fallback to nonedns.
- [bugzilla: 759 ] Fix 0x20 capsforid no longer checks type PTR, for \ 
compatibility with cisco dns guard. This lowers false positives.
- Fix sldns with static checking fixes copied from getdns.
- Fix memory leak in out-of-memory conditions of local zone add.
- [bugzilla: 761 ] Fix DNSSEC LAME false positive resolving nic.club.
- [bugzilla: 766 ] Fix dns64 should synthesize results on timeout/errors.
- No QNAME minimisation fall-back for NXDOMAIN answers from DNSSEC signed zones.
- [bugzilla: 767 ] Fix Reference to an expired Internet-Draft in \ 
harden-below-nxdomain documentation.
- remove memory leak from lame-check patch.
- [bugzilla: 770 ] Fix Small subgroup attack on DH used in unix pipe on \ 
localhost if unbound control uses a unix local named pipe.
- Document write permission to directory of trust anchor needed.
- [bugzilla: 768 ] Fix Unbound Service Sometimes Can Not Shutdown Completely, \ 
WER Report Shown Up. Close handle before closing WSA.
- Fix time in case answer comes from cache in ub_resolve_event().
- Fix windows service to be created run with limited rights, as a network \ 
service account.
- [bugzilla: 752 ] Fix retry resource temporarily unavailable on control pipe.
- iana ports fetched via https.
- iana portlist update.
   2016-06-08 12:16:57 by Jonathan Perkin | Files touched by this commit (89)
Log message:
Remove the stability entity, it has no meaning outside of an official context.
   2016-06-08 11:46:05 by Jonathan Perkin | Files touched by this commit (47)
Log message:
Change the service_bundle name to "export" to reduce diffs between the
original manifest.xml file and the output from "svccfg export".
   2016-03-09 06:24:38 by Fredrik Pettai | Files touched by this commit (2) | Package updated
Log message:
Unbound 1.5.8

-   ip-transparent option for FreeBSD with IP_BINDANY socket option.
-   insecure-lan-zones: yesno config option.
-   RR Type CSYNC support RFC 7477, in debug printout and config input.
-   RR Type OPENPGPKEY support (draft-ietf-dane-openpgpkey-07).
-   [bugzilla: 731 ] tcp-mss, outgoing-tcp-mss options for unbound.conf
-   Support RFC7686: handle ".onion" Special-Use Domain. It is blocked
    by default, and can be unblocked with "nodefault" localzone config.
-   ub_ctx_set_stub() function for libunbound to config stub zones.

Bug Fixes:
-   Fix that NSEC3 negative cache is used when there is no salt.
-   sorted ubsyms.def file with exported libunbound functions.
-   Print understandable debug log when unusable DS record is seen.
-   load gost algorithm if digest is seen before key algorithm.
-   Fix that "make install" fails due to "text file busy" error.
-   Set IPPROTO_IP6 for ipv6 sockets otherwise invalid argument error.
-   wait for sendto to drain socket buffers when they are full.
-   Neater cmdline_verbose increment patch from Edgar Pettijohn.
-   Made NetBSD sendmsg test nonfatal, in case of false positives.
-   [bugzilla: 741 ] Fix: log message for dnstap socket connection is
    more clear.
-   [bugzilla: 734 ] Fix: chown the pidfile if it resides inside the
-   Fix cmsg alignment for argument to sendmsg on NetBSD.
-   Fix that unbound complains about unimplemented IP_PKTINFO for
    sendmsg on NetBSD (for interface-automatic).
-   [bugzilla: 738 ] Fix: Swig should not be invoked with CPPFLAGS.
-   Squelch 'cannot assign requested address' log messages unless
    verbosity is high, it was spammed after network down.
-   Fix to simplify empty string checking.
-   [bugzilla: 734 ] Fix: Do not log an error when the PID file cannot
    be chown'ed.
-   Fix test if -pthreads unused to use better grep for portability.
-   Fix mingw crosscompile for recent mingw.
-   Update aclocal, autoconf output with new versions (1.15, 2.4.6).
-   Define DEFAULT_SOURCE together with BSD_SOURCE when that is defined,
    for Linux glibc 2.20.
-   Fixup contrib/aaaa-filter-iterator.patch for moved contents in the
    source code, so it applies cleanly again. Removed unused variable
-   [bugzilla: 729 ] Fix: omit use of escape sequences in echo since
    they are not portable (unbound-control-setup).
-   remove NULL-checks before free, patch from Michael McConville.
-   updated ax_pthread.m4 to version 21 with clang support, this removes
    a warning from compilation.
-   OSX portability, detect if sbrk is deprecated.
-   OSX clang, stop -pthread unused during link stage warnings.
-   OSX clang new flto check.
-   iana portlist update.
   2016-03-05 12:29:49 by Jonathan Perkin | Files touched by this commit (1813) | Package updated
Log message:
Bump PKGREVISION for security/openssl ABI bump.
   2016-02-25 18:24:13 by Roy Marples | Files touched by this commit (1)
Log message: