./net/unbound, DNS resolver and recursive server

Branch: CURRENT, Version: 1.6.8, Package name: unbound-1.6.8, Maintainer: pettai

Unbound is an implementation of a DNS resolver. It provides a library
similar to libresolv that can be used for synchronous and asynchronous
DNS lookups. It also provides a caching-only (recursive) DNS server.

Unbound has full support for IPv6 and DNSSEC validation.

Required to build:
[devel/flex] [pkgtools/cwrappers]

Master sites:

SHA1: 492737be9647c26ee39d4d198f2755062803b412
RMD160: 69aea28bd7587fef8aab7c3e9aa7d886184a930b
Filesize: 5339.391 KB

CVS history:

   2018-01-19 11:10:03 by Havard Eidnes | Files touched by this commit (2) | Package updated
Log message:
Update to version 1.6.8:

Bug fixes:
- patch for CVE-2017-15105: vulnerability in the processing of
  wildcard synthesized NSEC records.

   2017-10-10 10:07:08 by Havard Eidnes | Files touched by this commit (2)
Log message:
Upgrade unbound to version 1.6.7.

Pkgsrc changes:
 * None.

Upstream changes:

* Set trust-anchor-signaling default to yes
* Fix #1440: [dnscrypt] client nonce cache.
* Fix #1435: Please allow UDP to be disabled separately upstream and

Bug fixes:
* Fix that looping modules always stop the query, and don't pass
* Fix unbound-host to report error for DNSSEC state of failed lookups.
* Spelling fixes, from Josh Soref.
* Fix #1400: allowing use of global cache on ECS-forwarding unless
* use a cachedb answer even if it's "expired" when serve-expired is yes
  (patch from Jinmei Tatuya).
* trigger refetching of the answer in that case (this will bypass
  cachedb lookup)
* allow storing a 0-TTL answer from cachedb in the in-memory message
  cache when serve-expired is yes
* Fix DNSCACHE_STORE_ZEROTTL to be bigger than 0xffff.
* Log name of looping module
* Fix #1450: Generate again patch contrib/aaaa-filter-iterator.patch
   (by Danilo G. Baio).
* Fix param unused warning for windows exportsymbol compile.
* Use RCODE from A query on DNS64 synthesized answer.
* Fix trust-anchor-signaling works in libunbound.
* Fix spelling in unbound-control man page.

   2017-09-18 15:02:39 by Havard Eidnes | Files touched by this commit (2) | Package updated
Log message:
Upgrade unbound to version 1.6.6.

Pkgsrc changes:
 * Unbound now needs flex >= 2.6.4 to build, or at least 2.6.3 is a no-go,
   so depend on the pkgsrc version which is already 2.6.4.

Upstream changes:

* unbound-control dump_infra prints port number for address if not 53.
* Fix #1344: RFC6761-reserved domains: test. and invalid.
* Fix #1349: allow suppression of pidfiles (from Daniel Kahn Gillmor).
  With the -p option unbound does not create a pidfile.
* Added stats for queries that have been ratelimited by domain
* Patch to show DNSCrypt status in help output, from Carsten
* Fix #1407: Add ECS options check to unbound-checkconf.
* Fix #1415: [dnscrypt] shared secret cache, patch from
  Manu Bretelle.

Bug Fixes:
* fixup of dnscrypt_cert_chacha test (from Manu Bretelle).
* First fix for zero b64 and hex text zone format in sldns.
* Better fixup of dnscrypt_cert_chacha test for different escapes.
* Fix that infra cache host hash does not change after reconfig.
* Fix python example0 return module wait instead of error for pass.
* enhancement for hardened-tls for DNS over TLS.  Removed duplicated
  security settings.
* Fix for unbound-checkconf, check ipsecmod-hook if ipsecmod is turned
* Fix #1331: libunbound segfault in threaded mode when context is
* Fix pythonmod link line option flag.
* Fix openssl 1.1.0 load of ssl error strings from ssl init.
* Fix 1332: Bump verbosity of failed chown'ing of the control socket.
* Redirect all localhost names to localhost address for RFC6761.
* Fix #1350: make cachedb backend configurable (from JINMEI Tatuya).
* Fix tests to use .tdir (from Manu Bretelle) instead of .tpkg.
* upgrade aclocal(pkg.m4 0.29.1), config.guess(2016-10-02),
* annotate case statement fallthrough for gcc 7.1.1.
* flex output from flex 2.6.1.
* snprintf of thread number does not warn about truncated string.
* squelch TCP fast open error on FreeBSD when kernel has it disabled,
  unless verbosity is high.
* remove warning from windows compile.
* Fix compile with libnettle
* Fix DSA configure switch (--disable dsa) for libnettle and libnss.
* Fix #1365: Add Ed25519 support using libnettle.
* Fix #1394: mix of serve-expired and response-ip could cause a crash.
* Remove unused iter_env member (ip6arpa_dname)
* Do not reset rrset.bogus stats when called using stats_noreset.
* Do not add rrset_bogus and query ratelimiting stats per thread, these
  module stats are global.
* Fix #1397: Recursive DS lookups for AS112 zones names should recurse.
* Fix #1398: make cachedb secret configurable.
* Remove spaces from Makefile.
* Fix issue on macOS 10.10 where TCP fast open is detected but not
  implemented causing TCP to fail. The fix allows fallback to regular
  TCP in this case and is also more robust for cases where connectx()
  fails for some reason.
* Fix #1402: squelch invalid argument error for fd_set_block on windows.
* Fix to reclaim tcp handler when it is closed due to dnscrypt buffer
  allocation failure.
* Fix #1415: patch to free dnscrypt environment on reload.
* iana portlist update
* Small fixes for the shared secret cache patch.
* Fix WKS records on kvm autobuild host, with default protobyname
  entries for udp and tcp.
* Fix #1414: fix segfault on parse failure and log_replies.
* zero qinfo in handle_request, this zeroes local_alias and also the
  qname member.
* new keys and certs for dnscrypt tests.
* fixup WKS test on buildhost without servicebyname.
* updated contrib/fastrpz.patch to apply with configparser changes.
* Fix 1416: qname-minimisation breaks TLSA lookups with CNAMEs.
* Fix #1424: cachedb:testframe is not thread safe.
* Fix #1417: [dnscrypt] shared secret cache counters, and works when
  dnscrypt is not enabled.  And cache size configuration option.
* Fix #1418: [ip ratelimit] initialize slabhash using
* Recommend 1472 buffer size in unbound.conf
* Fix #1412: QNAME minimisation strict mode not honored
* Fix #1434: Fix windows openssl 1.1.0 linking.
* Add dns64 for client-subnet in unbound-checkconf.

   2017-08-21 13:14:18 by Havard Eidnes | Files touched by this commit (2)
Log message:
Upgrade unbound to version 1.6.5.

Upstream changes:
  21 Aug 2017: Wouter
    - Fix install of trust anchor when two anchors are present, makes both
      valid.  Checks hash of DS but not signature of new key.  This fixes
      installs between sep11 and oct11 2017.
    - Tag 1.6.5

   2017-07-09 10:09:41 by Adam Ciarcinski | Files touched by this commit (5) | Package updated
Log message:
Changes 1.6.4:

* Implemented trust anchor signaling using key tag query.
* unbound-checkconf -o allows query of dnstap config variables. Also
  unbound-control get_option. Also for dnscrypt.
* unbound.h exports the shm stats structures. They use type long long and no
  ifdefs, and ub_ before the typenames.
* Implemented opportunistic IPsec support module (ipsecmod).
* Added redirect-bogus.patch to contrib directory.
* Support for the ED25519 algorithm with openssl (from openssl 1.1.1).
* renumbering B-Root's IPv6 address to 2001:500:200::b.
* Fix 1276: [dnscrypt] add XChaCha20-Poly1305 cipher.
* Fix 1277: disable domain ratelimit by setting value to 0.
* Added fastrpz patch to contrib

Bug Fixes:
* Added ECS unit test (from Manu Bretelle).
* ECS documentation fix (from Manu Bretelle).
* Fix 1252: more indentation inconsistencies.
* Fix 1253: unused variable in edns-subnet/addrtree.c:getbit().
* Fix 1254: clarify ratelimit-{for,below}-domain (from Manu Bretelle).
* iana portlist update
* Based on 1257: check parse limit before t increment in sldns RR string parse \ 
* Fix 1258: Windows 10 X64 unbound 1.6.2 service will not start. and fix that
  64bit getting installed in C:\Program Files (x86).
* Fix 1259: "--disable-ecdsa" argument overwritten by "ifdef \ 
* iana portlist update
* Added test for leak of stub information.
* Fix sldns wire2str printout of RR type CAA tags.
* Fix sldns int16_data parse.
* Fix sldns parse and printout of TSIG RRs.
* sldns SMIMEA and AVC definitions, same as getdns definitions.
* Fix tcp-mss failure printout text.
* Set SO_REUSEADDR on outgoing tcp connections to fix the bind before connect
  limited tcp connections. With the option tcp connections can share the same
  source port (for different destinations).
* Add 'c' to getopt() in testbound.
* Adjust servfail by iterator to not store in cache when serve-expired is
  enabled, to avoid overwriting useful information there.
* Fix queries for nameservers under a stub leaking to the internet.
* document trust-anchor-signaling in example config file.
* updated configure, dependencies and flex output.
* better module memory lookup, fix of unbound-control shm names for module
  memory printout of statistics.
* Fix type AVC sldns rrdef.
* Some whitespace fixup.
* Fix 1265: contrib/unbound.service contains hardcoded path.
* Fix 1265 to use /bin/kill.
* Fix 1267: Libunbound validator/val_secalgo.c uses obsolete APIs, and
  compatibility with BoringSSL.
* Fix 1268: SIGSEGV after log_reopen.
* exec_prefix is by default equal to prefix.
* printout localzone for duplicate local-zone warnings.
* Fix assertion for low buffer size and big edns payload when worker overrides \ 
* Support for openssl EVP_DigestVerify.
* Fix 1269: inconsistent use of built-in local zones with views.
* Add defaults for new local-zone trees added to views using unbound-control.
* Fix 1273: cachedb.c doesn't compile with -Wextra.
* If MSG_FASTOPEN gives EPIPE fallthrough to try normal tcp write.
* Also use global local-zones when there is a matching view that does not have
  any local-zone specified.
* Fix fastopen EPIPE fallthrough to perform connect.
* Fix 1274: automatically trim chroot path from dnscrypt key/cert paths (from
  Manu Bretelle).
* Fix 1275: cached data in cachedb is never used.
* Fix that unbound-control can set val_clean_additional and val_permissive_mode.
* Add dnscrypt XChaCha20 tests.
* Detect chacha for dnscrypt at configure time.
* dnscrypt unit tests with chacha.
* Added domain name based ECS whitelist.
* Fix 1278: Incomplete wildcard proof.
* Fix 1279: Memory leak on reload when python module is enabled.
* Fix 1280: Unbound fails assert when response from authoritative contains
  malformed qname. When 0x20 caps-for-id is enabled, when assertions are not
  enabled the malformed qname is handled correctly.
* More fixes in depth for buffer checks in 0x20 qname checks.
* Fix stub zone queries leaking to the internet for harden-referral-path ns checks.
* Fix query for refetch_glue of stub leaking to internet.
* Fix 1301: memory leak in respip and tests.
* Free callback in edns-subnetmod on exit and restart.
* Fix memory leak in sldns_buffer_new_frm_data.
* Fix memory leak in dnscrypt config read.
* Fix dnscrypt chacha cert support ifdefs.
* Fix dnscrypt chacha cert unit test escapes in grep.
* Fix to unlock view in view test.
* Fix warning in pythonmod under clang compiler.
* Fix lintian typo.
* Fix 1316: heap read buffer overflow in parse_edns_options.

   2017-06-22 12:56:09 by Niclas Rosenvik | Files touched by this commit (1)
Log message:
Add buildlink3.mk since it installs libraries usable by third parties.
Requested by Aleksej Lebedev on pkgsrc-users.

   2016-12-23 20:25:45 by Fredrik Pettai | Files touched by this commit (2) | Package updated
Log message:
Unbound 1.6.0

- Added generic EDNS code for registering known EDNS option codes,
  bypassing the cache response stage and uniquifying mesh states. Four
  EDNS option lists were added to module_qstate
  (module_qstate.edns_opts_*) to store EDNS options from/to front/back side.
- Added two flags to module_qstate (no_cache_lookup, no_cache_store)
  that control the modules' cache interactions.
- Added code for registering inplace callback functions. The registered
  functions can be called just before replying with local data or Chaos,
  replying from cache, replying with SERVFAIL, replying with a resolved
  query, sending a query to a nameserver. The functions can inspect the
  available data and maybe change response/query related data (i.e. append
  EDNS options).
- Updated Python module for the above.
- Updated Python documentation.
- Added views functionality.
- Added qname-minimisation-strict config option.
- Patch that resolves CNAMEs entered in local-data conf statements that
  point to data on the internet.
- serve-expired config option: serve expired responses with TTL 0.
- .gitattributes line for githubs code language display.
- log-identity: config option to set sys log identity.
- Added stub-ssl-upstream and forward-ssl-upstream options.
- Added local-zones and local-data bulk addition and removal
  functionality in unbound-control (local_zones, local_zones_remove,
  local_datas and local_datas_remove).
- g.root-servers.net has AAAA address.

Bug Fixes:
- Fix #836: unbound could echo back EDNS options in an error response.
- Fix #838: 1.5.10 cannot be built on Solaris, undefined PATH_MAX.
- Fix #839: Memory grows unexpectedly with large RPZ files.
- Fix #840: infinite loop in unbound_munin_ plugin on unowned lockfile.
- Fix #841: big local-zone's make it consume large amounts of memory.
- Fix dnstap relaying "random" messages instead of resolver/forwarder
- Fix Nits for 1.5.10.
- Fix #1117: spelling errors, from Robert Edmonds.
- iana portlist update.
- fix memoryleak logfile when in debug mode.
- Re-fix #839 from view commit overwrite.
- Fixup const void cast warning.
- Removed patch comments from acllist.c and msgencode.c
- Added documentation doc/CNAME-basedRedirectionDesignNotes.pdf
- Fix #1125: unbound could reuse an answer packet incorrectly for
  clients with different EDNS parameters.
- Fix #1118: libunbound.pc sets strange Libs, Libs.private values.
- Added Requires line to libunbound.pc
- Fix #1130: whitespace in example.conf.in more consistent.
- suppress compile warning in lex files.
- init lzt variable, for older gcc compiler warnings.
- fix --enable-dsa to work, instead of copying ecdsa enable.
- Fix DNSSEC validation of query type ANY with DNAME answers.
- Fixup query_info local_alias init.
- Ported tests for local_cname unit test to testbound framework.
- Fix #1134: unbound-control set_option -- val-override-date: -1 works
  immediately to ignore datetime, or back to 0 to enable it again. The --
  is to ignore the '-1' as an option flag.
- Patch for server.num.zero_ttl stats for count of expired replies.
- Fix failure to build on arm64 with no sbrk.
- Set OpenSSL security level to 0 when using aNULL ciphers.
- configure detects ssl security level API function in the autoconf
  manner. Every function on its own, so that other libraries (eg.
  LibreSSL) can develop their API without hindrance.
- Fix #1154: segfault when reading config with duplicate zones.
- Note that for harden-below-nxdomain the nxdomain must be secure, this
  means nsec3 with optout is insufficient.
- Fix #1155: test status code of unbound-control in 04-checkconf, not
  the status code from the tee command.
- Fix #1158: reference RFC 8020 "NXDOMAIN: There Really Is Nothing
  Underneath" for the harden-below-nxdomain option.
- patch from Dag-Erling Smorgrav that removes code that relies on sbrk().
- Make access-control-tag-data RDATA absolute. This makes the RDATA
  origin consistent between local-data and access-control-tag-data.
- Fix NSEC ENT wildcard check. Matching wildcard does not have to be a
  subdomain of the NSEC owner.
- QNAME minimisation uses QTYPE=A, therefore always check cache for this
  type in harden-below-nxdomain functionality.
- Added unit test for QNAME minimisation + harden below nxdomain synergy.
- Fix that with openssl 1.1 control-use-cert: no uses less cpu, by using
  no encryption over the unix socket.
- hyphen as minus fix.
- Fix #1170: document that 'inform' local-zone uses local-data.
- Fix #1173: differ local-zone type deny from unset tag_actions element.
- Add DSA support for OpenSSL 1.1.0
- Fix remote control without cert for LibreSSL
- Fix downcast warnings from visual studio in sldns code

   2016-10-05 22:28:01 by Fredrik Pettai | Files touched by this commit (2) | Package updated
Log message:
-   Create a pkg-config file for libunbound in contrib.
-   TCP Fast open.
-   Finegrained localzone control with define-tag, access-control-tag,
    access-control-tag-action, access-control-tag-data, local-zone-tag, and
    local-zone-override. And added types always_transparent, always_refuse,
    always_nxdomain with that.
-   If more than half of tcp connections are in use, a shorter timeout
    is used (200 msec, vs 2 minutes) to pressure tcp for new connects.
-   [bugzilla: 787 ] Fix #787: outgoing-interface netblock/64 ipv6
    option to use linux freebind to use 64bits of entropy for every query
    with random local part.
-   For #787: prefer-ip6 option for unbound.conf prefers to send
    upstream queries to ipv6 servers.
-   Add default root hints for IPv6 E.ROOT-SERVERS.NET, 2001:500:a8::e.
-   keep debug symbols in windows build.

Bug Fixes:
-   [bugzilla: 778 ] Fix unbound 1.5.9: -h segfault (null deref).
-   Fix unbound-anchor.exe file location defaults to Program Files with
    (x86) appended.
-   Fix to not ignore return value of chown() in daemon startup.
-   Better help text from -h.
-   [bugzilla: 773 ] Fix Non-standard Python location build failure with
-   Improve threadsafety for openssl 0.9.8 ecdsa dnssec signatures.
-   Revert fix for NetworkService account on windows due to breakage it
-   Fix that windows install will not overwrite existing service.conf
    file (and ignore gui config choices if it exists).
-   And delete service.conf.shipped on uninstall.
-   In unbound.conf directory: dir immediately changes to that
    directory, so that include: file below that is relative to that
    directory. With chroot, make the directory an absolute path inside chroot.
-   do not delete service.conf on windows uninstall.
-   document directory immediate fix and allow EXECUTABLE syntax in it
    on windows.
-   Fix directory: fix for unbound-checkconf, it restores cwd.
-   Use QTYPE=A for QNAME minimisation.
-   Keep track of number of time-outs when performing QNAME
    minimisation. Stop minimising when number of time-outs for a QNAME/QTYPE
    pair is more than three.
-   [bugzilla: 775 ] Fix unbound-host and unbound-anchor crash on
    windows, ignore null delete for wsaevent.
-   Fix spelling in freebind option man page text.
-   Fix windows link of ssl with crypt32.
-   [bugzilla: 779 ] Fix Union casting is non-portable.
-   [bugzilla: 780 ] Fix MAP_ANON not defined in HP-UX 11.31.
-   [bugzilla: 781 ] Fix prealloc() is an HP-UX system library call.
-   Decrease dp attempts at each QNAME minimisation iteration
-   [bugzilla: 784 ] Fix Build configure assumes that having getpwnam
    means there is endpwent function available.
-   Updated repository with newer flex and bison output.
-   Fix static compile on windows missing gdi32.
-   Fix dynamic link of anchor-update.exe on windows.
-   Fix detect of mingw for MXE package build.
-   Fixes for 64bit windows compile.
-   [bugzilla: 788 ] Fix for nettle 3.0: Failed to build with Nettle >=
    3.0 and --with-libunbound-only --with-nettle.
-   Fixed unbound.doxygen for 1.8.11.
-   [bugzilla: 798 ] Fix Client-side TCP fast open fails (Linux).
-   [bugzilla: 801 ] Fix missing error condition handling in
-   [bugzilla: 802 ] Fix workaround for function parameters that are
    "unused" without log_assert.
-   [bugzilla: 803 ] Fix confusing (and incorrect) code comment in
-   [bugzilla: 806 ] Fix wrong comment removed.
-   use sendmsg instead of sendto for TFO.
-   [bugzilla: 807 ] Fix workaround for possible some "unused" function
    parameters in test code.
-   Note that OPENPGPKEY type is RFC 7929.
-   [bugzilla: 804 ] Fix #804: unbound stops responding after outage.
    Fixes queries that attempt to wait for an empty list of subqueries.
-   Fix for #804: lower num_target_queries for iterator also for failed
-   [bugzilla: 820 ] Fix set sldns_str2wire_rr_buf() dual meaning len
    parameter in each iteration in find_tag_datas().
-   [bugzilla: 777 ] Fix OpenSSL 1.1.0 compatibility.
-   RFC 7958 is now out, updated docs for unbound-anchor.
-   Fix for compile without warnings with openssl 1.1.0.
-   [bugzilla: 826 ] Fix refuse_non_local could result in a broken response.
-   iana portlist update.
-   Fix compile with openssl 1.1.0 with api=1.1.0.
-   [bugzilla: 829 ] Fix doc of sldns_wire2str_rdata_buf() return value
    has an off-by-one typo.
-   Fix incomplete prototypes reported by Dag-Erling Smørgrav.
-   [bugzilla: 828 ] Fix missing type in access-control-tag-action
    redirect results in NXDOMAIN.
-   Take configured minimum TTL into consideration when reducing TTL to
    original TTL from RRSIG.
-   [bugzilla: 831 ] Fix workaround for spurious fread_chk warning
    against petal.c
-   Silenced flex-generated sign-unsigned warning print with gcc
    diagnostic pragma.
-   Fix for new splint on FreeBSD. Fix cast for sockaddr_un.sun_len.
-   fix potential memory leak in daemon/remote.c and nullpointer
    dereference in validator/autotrust.
-   [bugzilla: 883 ] Fix error for duplicate local zone entry.
-   [bugzilla: 835 ] Fix --disable-dsa with nettle verify.