Log message:
Update net/unbound to version 1.18.0.

Pkgsrc changes:
 * none, other than checksums.

Upstream changes:
This release adds DNS cookies downstream, support to respond with EDE
error codes from cache, NAT64 support, and the capability to use a
socket queue timeout to discard old packets, and other features and bug
fixes.

The downstream DNS server cookies are from RFC7873 and RFC9018, it
is turned on with `answer-cookie: yes`. It generates a random cookie
secret, but for anycast setups the cookie secret can be configured with
`cookie-secret: "128bithex"` with the same value as the other instances.
Non cookie traffic can be disallowed with the `allow_cookie` acl option
for access-control. Queries with valid cookie bypass the ordinary
ratelimit, but a ratelimit can be configured for cookie queries
with `ip-ratelimit-cookie: 100`. The statistics has counters for
`query_cookie_valid` and `query_cookie_client` and
`query_cookie_invalid`.

When queries come in with CD flag, a DNSSEC validation EDE can be
returned, with information regarding a failure. EDE error information
is also stored in the cache with the query responses. There is also EDE
error information stored for the cachedb and the subnetcache.

There is NAT64 support, that is enabled with `do-nat64: yes`. The
NAT64 prefix can be configured too, if not the default
`nat64-prefix: 64:ff9b::0/96`. This is useful for an IPv6 only
host where Unbound is running, so that Unbound can use NAT64 to
connect to IPv4 servers.

The new default for the maximum UDP response size is 1232, with
`max-udp-size: 1232`. This is similar to other resolvers. The new
default is smaller and that makes it harder to get large responses.
Thanks to Xiang Li, from NISL Lab, Tsinghua University.

There is a new option `harden-unknown-additional: yes`. This removes
unknown records from the authority and additional section. This stops
unknown records from being copied from the upstream to the downstream
client, potentially exposing those clients to the extra records. Default
is no, because it could hamper future protocol developments that want to
add records. Thanks to Xiang Li, from NISL Lab, Tsinghua University.

With the `sock-queue-timeout: 3` option kernel timestamps are turned on
for UDP queries, and old packets are dropped. Queries that have waited
in the socket buffer for a long time are then discarded, and is useful
if the host was not running for a while. The statistics has
`num.queries_timed_out` and `query.queue_time_us.max` counters.

The local-zone type `block_a` is for when queries to IPv4 have to be
stopped to force IPv6 usage. It stops type A queries with nodata, and
transparently allows other queries.

The redis server can be contacted over a unix socket with
`redis-server-path: "/var/lib/redis/redis-server.sock"`. The redis
server password can be configured with
`redis-server-password: "password"`.

The number of hashtable collisions is logged in the statistics counters
`msg.cache.max_collisions` and `rrset.cache.max_collisions`. It can be
used to monitor for mistakes where the wrong or same hash value occurs
too frequently.

The repository does not have the bison and flex generated output in it,
so these tools are necessary to compile from a checkout, the tarball
distribution contains pregenerated files and can use either those files
or bison and flex tools on the compile system.

If kernel timestamps are enabled, with the sock-queue-timeout option,
they are also used to set the time for dnstap logs.

There is a yocto compatible init script available in the contrib
directory of the source code, `unbound.init_yocto`.
The number of cachedb hits from cache is output in `num.query.cachedb`.
There is support for the dohpath parameter for the SVCB record type.
Prefetch is supported for subnet cache entries.
Detection of the python paths on the system has been expanded.

Compared to the release candidate rc1, this release has an extra fix to
fix a compile issue on NetBSD.

Features
- Merge #826: #dd a metric about the maximum number of collisions in
  lrushah.
- Set max-udp-size default to 1232. This is the same default value as
  the default value for edns-buffer-size. It restricts client edns
  buffer size choices, and makes unbound behave similar to other DNS
  resolvers. The new choice, down from 4096 means it is harder to get
  large responses from Unbound. Thanks to Xiang Li, from NISL Lab,
  Tsinghua University.
- Add harden-unknown-additional option. It removes
  unknown records from the authority section and additional section.
  Thanks to Xiang Li, from NISL Lab, Tsinghua University.
- Merge #819: Added new static zone type block_a to suppress all A
  queries for specific zones.
- Fix #835: [FR] Ability to use Redis unix sockets.
- Fix #833: [FR] Ability to set the Redis password.
- Merge #882 from vvfedorenko: Features/dropqueuedpackets, with
  sock-queue-timeout option that drops packets that have been in the
  socket queue for too long. Added statistics num.queries_timed_out
  and query.queue_time_us.max that track the socket queue timeouts.
- Merge #722 from David 'eqvinox' Lamparter: NAT64 support.
- Fix #888: [FR] Use kernel timestamps for dnstap.
- Merge #903: contrib: add yocto compatible init script.
- Merge #892: Add cachedb hit stat. Introduces 'num.query.cachedb' as
  a new statistical counter.
- Merge #739: Add SVCB dohpath support.
- Merge #802: add validation EDEs to queries where the CD bit is set.
- Merge #664 from tilan7763: Add prefetch support for subnet cache
  entries.
- Merge #759 from Tom Carpay: Add EDE (RFC8914) caching.
- Merge #790 from Tom Carpay: Add support for EDE caching in cachedb
  and subnetcache.
- Merge PR #762: Downstream DNS Server Cookies a la RFC7873 and
  RFC9018. Create server cookies for clients that send client cookies.
  This needs to be explicitly turned on in the config file with:
  `answer-cookie: yes`. A `cookie-secret:` can be configured for
  anycast setups. Without one, a random cookie secret is generated.
  The acl option `allow_cookie` allows queries with either a valid
  cookie or over a stateful transport. The statistics output has
  `queries_cookie_valid` and `queries_cookie_client` and
  `queries_cookie_invalid` information. The `ip\-ratelimit\-cookie:`
  value determines a rate limit for queries with cookies, if desired.

Bug Fixes
- Fix #823: Response change to NODATA for some ANY queries since
  1.12, tested on 1.16.1.
- Fix python module install path detection.
- Fix python version detection in configure.
- Improve documentation for #826, describe the large collisions amount.
- Fix not following cleared RD flags potentially enables amplification
  DDoS attacks, reported by Xiang Li and Wei Xu from NISL Lab,
  Tsinghua University. The fix stops query loops, by refusing to send
  RD=0 queries to a forwarder, they still get answered from cache.
- Set default for harden-unknown-additional to no. So that it does
  not hamper future protocol developments.
- Fix test for new default.
- Fix acx_nlnetlabs.m4 for -Wstrict-prototypes.
- Add duration variable for speed_local.test.
- Fix #841: Unbound won't build with aaaa-filter-iterator.patch.
- Fix to ignore entirely empty responses, and try at another authority.
  This turns completely empty responses, a type of noerror/nodata into
  a servfail, but they do not conform to RFC2308, and the retry can
  fetch improved content.
- Fix unit tests for spurious empty messages.
- Fix consistency of unit test without roundrobin answers for the
  cnametooptout unit test.
- Fix to git ignore the library symbol file that configure can create.
- Allow TTL refresh of expired error responses.
- Add testcase for refreshing expired error responses.
- Clean up iterator/iterator.c::error_response_cache() and allow for
  better interaction with serve-expired, prefetch and cached error
  responses.
- Fix #825: Unexpected behavior with client-subnet-always-forward
  and serve-expired
- Fix for #852: Completion of error handling.
- Fix unbound-dnstap-socket test program to reply the finish frame
  over a TLS connection correctly.
- Fix ssl.h include brackets, instead of quotes.
- Fix #812, fix #846, by using the SSL_OP_IGNORE_UNEXPECTED_EOF option
  to ignore the unexpected eof while reading in openssl >= 3.
- iana portlist update.
- Fix issue #851: reserved identifier violation
- Fix issue #676: Unencrypted query is sent when
  forward-tls-upstream: yes is used without tls-cert-bundle
- Extra consistency check to make sure that when TLS is requested,
  either we set up a TLS connection or we return an error.
- Fix #870: NXDOMAIN instead of NOERROR rcode when asked for existing
  CNAME record.
- Fix for #870: Add test case for the qname minimisation and CNAME.
- Fix build badge, from failing travis link to github ci action link.
- Merge #875: change obsolete txt URL in unbound-anchor.c to point
  to RFC 7958, and Fix #874.
- Fix for #878: Invalid IP address in unbound.conf causes Segmentation
  Fault on OpenBSD.
- Fix for #882: small changes, date updated in Copyright for
  util/timeval_func.c and util/timeval_func.h. Man page entries and
  example entry.
- Fix for #882: document variable to stop doxygen warning.
- Fix issue #860: Bad interaction with 0 TTL records and serve-expired
- Fix RPZ IP responses with trigger rpz-drop on cache entries, that
  they are dropped.
- For #722: minor fixes, formatting, refactoring.
- Fix #885: Error: util/configlexer.c: No such file or directory,
  adds error messages explaining to install flex and bison.
- Fix to remove unused whitespace from acx_nlnetlabs.m4 and config.h.
- Fix doxygen in addr_to_nat64 header definition.
- Fix warning in windows compile, in set_recvtimestamp.
- Fix to print debug log for ancillary data with correct IP address.
- Fix RPZ removal of client-ip, nsip, nsdname triggers from IXFR.
- Fix to remove unused variables from RPZ clientip data structure.
- Fix unbound-dnstap-socket printout when no query is present.
- Fix unbound-dnstap-socket time fraction conversion for printout.
- Merge #896: Fix: #895: pythonmodule: add all site-packages
  directories to sys.path.
- Fix #895: python + sysconfig gives ANOTHER path comparing to
  distutils.
- Fix for uncertain unit test for doh buffer size events.
- Properly handle all return values of worker_check_request during
  early EDE code.
- Do not check the incoming request more than once.
- Fix for issue #887 (Timeouts to forward servers on BSD based
  system with ASLR)
- Probably fixes #516 (Stream reuse does not work on Windows) as well
- Remove warning about unknown cast-function-type warning pragma.
- Fix python modules with multiple scripts, by incrementing reference
  counts.
- More fixes for reference counting for python module and clean up
  failure code.
- Merge #827 from rcmcdonald91: Eliminate unnecessary Python reloading
  which causes memory leaks.
- Fix #906: warning: `Py_SetProgramName' is deprecated.
- Fix dereference of NULL variable warning in mesh_do_callback.
- Code cleanup for sldns_str2wire_svcparam_key_lookup.
- For #802: Cleanup comments and add RCODE check for CD bit test case.
- Skip the 00-lint test. splint is not maintained; it either does not
  work or produces false positives. Static analysis is handled in the
  clang test.
- For #664: Easier code flow for subnetcache prefetching.
- For #664: Add testcase.
- For #664: Rename subnet_prefetch tests to subnet_global_prefetch to
  differentiate from the new subnet prefetch support.
- Merge #880 from chipitsine: services/authzone.c: remove redundant
  check.
- More clear description of the different auth-zone behaviors on the
  man page.
- Merge #909 from headshog: Numeric truncation when parsing TYPEXX and
  CLASSXX representation.
- For #909: Fix return values.
- Merge #901 from Sergei Trofimovich: config: improve handling of
  unknown modules.
- For #909: Fix RR class comparison.
- Merge #857 from eaglegai: fix potential memory leaks when errors
  happen.
- For #857: fix mixed declarations and code.
- Merge #118 from mibere: Changed verbosity level for Redis init &
  deinit.
- Merge #390 from Frank Riley: Add missing callbacks to the python
  module.
- Cleaner failure code for callback functions in interface.i.
- Merge #889 from borisVanhoof: Free memory in error case + remove
  unused function.
- For #889: use netcat-openbsd instead of netcat-traditional.
- For #889: Account for num_detached_states before possible
  mesh_state_delete when erroring out.
- Fix unused variable compile warning for kernel timestamps in
  netevent.c
- Merge #911 from natalie-reece: Exclude EDE before other EDNS options
  when there isn't enough space.
- For #911: Try to trim EXTRA-TEXT (and LDNS_EDE_OTHER options
  altogether) before giving up on attaching EDE options.
- More braces and formatting for Fix for EDNS EDE size calculation to
  avoid future bugs.
- Fix to use the now cached EDE, if any, for CD_bit queries.
- Fix for EDNS EDE size calculation.
- Move a cache reply callback in worker.c closer to the cache reply
  generation.
- Fix regional_alloc_init for potential unaligned source of the copy.
- Fix ip_ratelimit test to work with dig that enables DNS cookies.
- Fix for iter_dec_attempts that could cause a hang, part of
  capsforid and qname minimisation, depending on the settings.
- Fix uninitialized memory passed in padding bytes of cmsg to sendmsg.
- Fix stat_values test to work with dig that enables DNS cookies.
- Debug Windows ci workflow.
- Fix windows ci workflow to install bison and flex.
- Fix for #925: unbound.service: Main process exited, code=killed,
  status=11/SEGV. Fixes cachedb configuration handling.
- Fix #923: processQueryResponse() THROWAWAY should be mindful of
  fail_reply.
- Fix unit test for unbound-control to work when threads are disabled,
  and fix cache dump check.
- Fix compile error on NetBSD in util/netevent.h.

Log message:
revbump after textproc/icu update

Log message:
unbound: updated to 1.17.1

1.17.1

Features

Expose 'statistics-inhibit-zero' as a configuration option; the default value \ 
retains Unbound's behavior.
Expose 'max-sent-count' as a configuration option; the default value retains \ 
Unbound's behavior.
Merge 461 from Christian Allred: Add max-query-restarts option. Exposes an \ 
internal configuration but the default value retains Unbound's behavior.
Merge 569 from JINMEI Tatuya: add keep-cache option to 'unbound-control reload' \ 
to keep caches.

Bug Fixes

Merge 768 from fobser: Arithmetic on a pointer to void is a GNU extension.
In unit test, print python script name list correctly.
testcode/dohclient sets log identity to its name.
Clarify the use of MAX_SENT_COUNT in the iterator code.
Fix that cachedb does not store failures in the external cache.
Merge 767 from jonathangray: consistently use IPv4/IPv6 in unbound.conf.5.
Fix to ignore tcp events for closed comm points.
Fix to make sure to not read again after a tcp comm point is closed.
Fix 775: libunbound: subprocess reap causes parent process reap to hang.
iana portlist update.
Complementary fix for distutils.sysconfig deprecation in Python 3.10 to commit \ 
62c5039ab9da42713e006e840b7578e01d66e7f2.
Fix 779: [doc] Missing documention in ub_resolve_event() for callback parameter \ 
was_ratelimited.
Ignore expired error responses.
Merge 720 from jonathangray: fix use after free when WSACreateEvent() fails.
Fix for the ignore of tcp events for closed comm points, preserve the use after \ 
free protection features.
Fix 782: Segmentation fault in stats.c:404.
Add SVCB and HTTPS to the types removed by 'unbound-control flush'.
Clear documentation for interactivity between the subnet module and the \ 
serve-expired and prefetch configuration options.
Fix 773: When used with systemd-networkd, unbound does not start until \ 
systemd-networkd-wait-online.service times out.
Merge 808: Wrap Makefile script's directory variables in quotes.
Fix to wrap Makefile scripts directory in quotes for uninstall.
Fix windows compile for libunbound subprocess reap comm point closes.
Update github workflows to use checkout v3.
Fix wildcard in hyperlocal zone service degradation, reported by Sergey Kacheev.

Log message:
Update net/unbound to version 1.17.0.

Pkgsrc changes:
 * none, other than checksums.

Upstream changes:
This release has new interface acl configuration options. These
allow access-control actions, per interface. Also tags, and views
can be configured per interface, queries over the interface are
answered with these tags and views. It is configured with the
options `interface-action`, `interface-tag`, `interface-tag-action`,
`interface-tag-data` and `interface-view`. If there is also an
access-control setting for the query, this overrides the interface
settings for that query.

The PROXYv2 protocol is supported. It can be configured with the
`proxy-protocol-port: portno` option. It is used to convey the
IP addresses of clients that connect via a proxy to Unbound.

There are also fixes for a number of bugs. In some cases a
blocking wait on a socket could happen, and this has been
fixed. If the upstream sends a TC flag, erroneously, the reply
is ignored and retried. When under load, with the new
NRDelegation fixes from the previous release, there are
mitigations to continue target discovery. There is also a fix
for possible loops in the tcp reuse code.

The release version differs from the RC1, there is a bugfix
for the proxy protocol for tcp read when no proxied addresses
are provided.

Features
- Merge #753: ACL per interface. (New interface-* configuration
  options).
- Merge #760: PROXYv2 downstream support. (New proxy-protocol-port
  configuration option).

Bug Fixes
- Fix #728: alloc_reg_obtain() core dump. Stop double
  alloc_reg_release when serviced_create fails.
- Fix edns subnet so that scope 0 answers only match sourcemask 0
  queries for answers from cache if from a query with sourcemask 0.
- Fix unittest for edns subnet change.
- Merge #730 from luisdallos: Fix startup failure on Windows 8.1 due
  to unsupported IPV6_USER_MTU socket option being set.
- Fix ratelimit inconsistency, for ip-ratelimits the value is the
  amount allowed, like for ratelimits.
- Fix #734 [FR] enable unbound-checkconf to detect more (basic)
  errors.
- Fix to log accept error ENFILE and EMFILE errno, but slowly, once
  per 10 seconds. Also log accept failures when no slow down is used.
- Fix to avoid process wide fcntl calls mixed with nonblocking
  operations after a blocked write.
- Patch from Vadim Fedorenko that adds MSG_DONTWAIT to receive
  operations, so that instruction reordering does not cause mistakenly
  blocking socket operations.
- Fix to wait for blocked write on UDP sockets, with a timeout if it
  takes too long the packet is dropped.
- Fix for wait for udp send to stop when packet is successfully sent.
- Fix #741: systemd socket activation fails on IPv6.
- Fix to update config tests to fix checking if nonblocking sockets
  work on OpenBSD.
- Slow down log frequency of write wait failures.
- Fix to set out of file descriptor warning to operational verbosity.
- Fix to log a verbose message at operational notice level if a
  thread is not responding, to stats requests. It is logged with
  thread identifiers.
- Remove include that was there for debug purposes.
- Fix to check pthread_t size after pthread has been detected.
- Convert tdir tests to use the new skip_test functionality.
- Remove unused testcode/mini_tpkg.sh file.
- Better output for skipped tdir tests.
- Fix doxygen warning in respip.h.
- Fix to remove erroneous TC flag from TCP upstream.
- Fix test tdir skip report printout.
- Fix windows compile, the identifier interface is defined in headers.
- Fix to close errno block in comm_point_tcp_handle_read outside of
  ifdef.
- Fix static analysis report to remove dead code from the
  rpz_callback_from_iterator_module function.
- Fix to clean up after the acl_interface unit test.
- Merge #764: Leniency for target discovery when under load (for
  NRDelegation changes).
- Use DEBUG_TDIR from environment in mini_tdir.sh for debugging.
- Fix string comparison in mini_tdir.sh.
- Make ede.tdir test more predictable by using static data.
- Fix checkconf test for dnscrypt and proxy port.
- Fix dnscrypt compile for proxy protocol code changes.
- Fix to stop responses with TC flag from resulting in partial
  responses. It retries to fetch the data elsewhere, or fails the
  query and in depth fix removes the TC flag from the cached item.
- Fix proxy length debug output printout typecasts.
- Fix to stop possible loops in the tcp reuse code (write_wait list
  and tcp_wait list). Based on analysis and patch from Prad Seniappan
  and Karthik Umashankar.
- Fix PROXYv2 header read for TCP connections when no proxied addresses
  are provided.

Log message:
Update net/unbound to version 1.16.3.

Pkgsrc changes:
 * none, other than checksums.

Upstream changes:
Bug Fixes
- Patch for CVE-2022-3204 Non-Responsive Delegation Attack.

Log message:
Update unbound to version 1.16.0.

Pkgsrc changes:
 * Remove patch now integrated upstream
 * Updated checksums

Upstream changes:

This release has EDE support, for extended EDNS error reporting,
it fixes unsupported ZONEMD algorithms to load, and has more bug fixes.

The EDE errors can be turned on by `ede: yes`, it is default disabled.
Validation errors and other errors are then reported. If you also want
stale answers for expired responses to have an error code, the option
`ede-serve-expired: yes` can be used.

Features
- Merge PR #604: Add basic support for EDE (RFC8914).

Bug Fixes
- Fix #412: cache invalidation issue with CNAME+A.
- Fix that TCP interface does not use TLS when TLS is also configured.
- Fix #624: Unable to stop Unbound in Windows console (does not
  respond to CTRL+C command).
- Fix #618: enabling interface-automatic disables DNS-over-TLS.
  Adds the option to list interface-automatic-ports.
- Remove debug info from #618 fix.
- Fix #628: A rpz-passthru action is not ending RPZ zone processing.
- Fix for #628: fix rpz-passthru for qname trigger by localzone type.
- Fix that address not available is squelched from the logs for
  udp connect failures. It is visible on verbosity 4 and more.
- Merge #631 from mollyim: Replace OpenSSL's ERR_PACK with
  ERR_GET_REASON.
- Fix to detect that no IPv6 support means that IPv6 addresses are
  useless for delegation point lookups.
- update Makefile dependencies.
- Fix check interface existence for support detection in remote lookup.
- Fix #633: Document unix domain socket support for unbound-control.
- Fix for #633: updated fix with new text.
- Fix edns client subnet to add the option based on the option list,
  so that it is not state dependent, after the state fix of #605 for
  double EDNS options.
- Fix for edns client subnet option add fix in removal code, from review.
- Fix #630: Unify the RPZ log messages.
- Merge #623 from rex4539: Fix typos.
- Fix pythonmod for change in iter_dp_is_useless function prototype.
- Fix compile warnings for printf ll format on mingw compile.
- Merge PR #632 from scottrw93: Match cnames in ipset.
- Various fixes for #632: variable initialisation, convert the qinfo
  to str once, accept trailing dot in the local-zone ipset option.
- Fix #637: Integer Overflow in sldns_str2period function.
- Fix for #637: fix integer overflow checks in sldns_str2period.
- Fix configure for python to use sysutils, because distutils is
  deprecated. It uses sysutils when available, distutils otherwise.
- Merge #644: Make `install-lib` make target install the pkg-config
  file.
- Fix to ensure uniform handling of spaces and tabs when parsing RRs.
- Fix to describe auth-zone and other configuration at the local-zone
  configuration option, to allow for more broadly view of the options.
- Merge PR #648 from eaglegai: fix -q doesn't work when use with
  'unbound-control stats_shm'.
- Fix #651: [FR] Better logging for refused queries.
- Fix spelling error in comment in sldns_str2wire_svcparam_key_lookup.
- Fix zonemd check to allow unsupported algorithms to load.
  If there are only unsupported algorithms, or unsupported schemes,
  and no failed or successful other ZONEMD records, or malformed
  or bad ZONEMD records, the unsupported records allow the zone load.
- Fix zonemd unsupported algo check.
- Fix zonemd unsupported algo check reason to not copy to next record,
  and check for success for debug printout.
- Fix zonemd unsupported algo check to print unsupported reason before
  zeroing it.
- Fix zonemd unsupported algo check to set reason to NULL before the
  check routine, but after malformed checks, to get the correct NULL
  output when the digest matches.
- Fix #670: SERVFAIL problems with unbound 1.15.0 running on
  OpenBSD 7.1.
- Fix Python build in non-source directory; based on patch by
  Michael Tokarev.
- Fix #673: DNS over TLS: error: SSL_handshake syscall: No route to
  host.
- Merge #677: Allow using system certificates not only on Windows,
  from pemensik.
- For #677: Added tls-system-cert to config parser and documentation.
- Fix #417: prefetch and ECS causing cache corruption when used
  together.
- Fix #678: [FR] modify behaviour of unbound-control rpz_enable zone,
  by updating unbound-control's documentation.
- Fix typos in config_set_option for the 'num-threads' and
  'ede-serve-expired' options.
- Fix to silence test for ede error output to the console from the
  test setup script.
- Fix ede test to not use default pidfile, and use local interface.
- Fix some lint type warnings.
- Fix #684: [FTBS] configure script error with libmnl on openSUSE 15.3
  (and possibly other distributions)

Log message:
revbump for devel/protobuf

Log message:
Apply fix from
https://github.com/NLnetLabs/unbound/commit/5f724da8c57c5a6bf1d589b6651daec2dc39a9d1
Paraphrased:
Fix plain DNS-over-TCP so that it doesn't try to use TLS when
TLS is also configured elsewhere.

Bump PKGREVISION.

Log message:
Update unbound to version 1.15.0.

Pkgsrc changes:
 * none, other than checksums.

Upstream changes:

This release has bug fixes for crashes that happened on heavy network
usage. The default for the aggressive-nsec option has changed, it is now
enabled.

The ratelimit logic had to be reworked for the crash fixes. As a result,
there are new options to control the behaviour of ratelimiting.
The ratelimit-backoff and ip-ratelimit-backoff options can be used to
control how severe the backoff is when the ratelimit is exceeded.

The rpz-signal-nxdomain-ra option can be used to unset the RA flag, for
NXDOMAIN answers from RPZ. That is used by some clients to detect that
the domain is externally blocked. The RPZ option for-downstream can be
used like for auth zones, this allows the RPZ zone information to be
queried. That can be useful for monitoring scripts.

Features
- Fix #596: unset the RA bit when a query is blocked by an unbound
  RPZ nxdomain reply. The option rpz-signal-nxdomain-ra allows to
  signal that a domain is externally blocked to clients when it
  is blocked with NXDOMAIN by unsetting RA.
- Add rpz: for-downstream: yesno option, where the RPZ zone is
  authoritatively answered for, so the RPZ zone contents can be
  checked with DNS queries directed at the RPZ zone.
- Merge PR #616: Update ratelimit logic. It also introduces
  ratelimit-backoff and ip-ratelimit-backoff configuration options.
- Change aggressive-nsec default to yes.

Bug Fixes
- Fix compile warning for if_nametoindex on windows 64bit.
- Merge PR #581 from fobser: Fix -Wmissing-prototypes and -Wshadow
  warnings in rpz.
- Fix validator debug output about DS support, print correct algorithm.
- Add code similar to fix for ldns for tab between strings, for
  consistency, the test case was not broken.
- Allow local-data for classes other than IN to inherit a configured
  local-zone's type if possible, instead of defaulting to type
  transparent as per the implicit rule.
- Fix to pick up other class local zone information before unlock.
- Add missing configure flags for optional features in the
  documentation.
- Fix Unbound capitalization in the documentation.
- Fix #591: Unbound-anchor manpage links to non-existent license file.
- contrib/aaaa-filter-iterator.patch file renewed diff content to
  apply cleanly to the current coderepo for the current code version.
- Fix to add test for rpz-signal-nxdomain-ra.
- Fix #596: only unset RA when NXDOMAIN is signalled.
- Fix that RPZ does not set RD flag on replies, it should be copied
  from the query.
- Fix for #596: fix that rpz return message is returned and not just
  the rcode from the iterator return path. This fixes signal unset RA
  after a CNAME.
- Fix unit tests for rpz now that the AA flag returns successfully from
  the iterator loop.
- Fix for #596: add unit test for nsdname trigger and signal unset RA.
- Fix for #596: add unit test for nsip trigger and signal unset RA.
- Fix #598: Fix unbound-checkconf fatal error: module conf
  'respip dns64 validator iterator' is not known to work.
- Fix for #596: Fix rpz-signal-nxdomain-ra to work for clientip
  triggered operation.
- Merge #600 from pemensik: Change file mode before changing file
  owner.
- Fix prematurely terminated TCP queries when a reply has the same ID.
- For #602: Allow the module-config "subnetcache validator cachedb
  iterator".
- Fix EDNS to upstream where the same option could be attached
  more than once.
- Add a region to serviced_query for allocations.
- For dnstap, do not wakeupnow right there. Instead zero the timer to
  force the wakeup callback asap.
- Fix #610: Undefine-shift in sldns_str2wire_hip_buf.
- Fix #588: Unbound 1.13.2 crashes due to p->pc is NULL in
  serviced_udp_callback.
- Merge PR #612: TCP race condition.
- Test for NSID in SERVFAIL response due to DNSSEC bogus.
- Fix #599: [FR] RFC 9156 (obsoletes RFC 7816), by noting the new RFC
  document.
- Fix tls-* and ssl-* documented alternate syntax to also be available
  through remote-control and unbound-checkconf.
- Better cleanup on failed DoT/DoH listening socket creation.
- iana portlist update.
- Fix review comment for use-after-free when failing to send UDP out.
- Merge PR #603 from fobser: Use OpenSSL 1.1 API to access DSA and RSA
  internals.
- Merge PR #532 from Shchelk: Fix: buffer overflow bug.
- Merge PR #617: Update stub/forward-host notation to accept port and
  tls-auth-name.
- Update stream_ssl.tdir test to also use the new forward-host
  notation.
- Fix header comment for doxygen for authextstrtoaddr.
- please clang analyzer for loop in test code.
- Fix docker splint test to use more portable uname.
- Update contrib/aaaa-filter-iterator.patch with diff for current
  software version.
- Fix for #611: Integer overflow in sldns_wire2str_pkt_scan.

Log message:
unbound: updated to 1.14.0

1.14.0

Features

Merge 401: RPZ triggers. This add additional RPZ triggers, unbound supports a \ 
full set of rpz triggers, and this now includes nsdname, nsip and clientip \ 
triggers. Also actions are fully supported, and this now includes the tcp-only \ 
action.
Merge 519: Support for selective enabling tcp-upstream for stub/forward zones.
Merge PR 514, from ziollek: Docker environment for run tests.
Support using system-wide crypto policies.
Fix that --with-ssl can use "/usr/include/openssl11" to pass the \ 
location of a different openssl version.
Merged 41 from Moritz Schneider: made outbound-msg-retry configurable.
Implement RFC8375: Special-Use Domain 'home.arpa.'.
Merge PR 555 from fobser: Allow interface names as scope-id in IPv6 link-local \ 
addresses.

Bug Fixes

Add test tool readzone to .gitignore.
Merge 521: Update mini_event.c.
Merge 523: fix: free() call more than once with the same pointer.
For 519: note stub-tcp-upstream and forward-tcp-upstream in the example \ 
configuration file.
For 519: yacc and lex. And fix python bindings, and test program \ 
unbound-dnstap-socket.
For 519: fix comments for doxygen.
Fix to print error from unbound-anchor for writing to the key file, also when \ 
not verbose.
For 514: generate configure.
Fix for 431: Squelch permission denied errors for udp connect, and udp send, \ 
they are visible at higher verbosity settings.
Fix zonemd verification of key that is not in DNS but in the zone and needs a \ 
chain of trust.
zonemd, fix order of bogus printout string manipulation.
Fix to support harden-algo-downgrade for ZONEMD dnssec checks.
Merge PR 528 from fobser: Make sldns_str2wire_svcparam_buf() static.
Fix 527: not sending quad9 cert to syslog (and may be more).
Fix sed script in ssldir split handling.
Fix 529: Fix: log_assert does nothing if UNBOUND_DEBUG is undefined.
Fix 531: Fix: passed to proc after free.
Fix 536: error: RPZ: name of record (drop.spamhaus.org.rpz.local.) to insert \ 
into RPZ.
Fix the stream wait stream_wait_count_lock and http2 buffer locks setup and \ 
desetup from race condition.
Fix RPZ locks. Do not unlock zones lock if requested and rpz find zone does not \ 
find the zone. Readlock the clientip that is found for ipbased triggers. Unlock \ 
the nsdname zone lock when done. Unlock zone and ip in rpz nsip and nsdname \ 
callback. Unlock authzone and localzone if clientip found in rpz worker call.
Fix compile warning in libunbound for listen desetup routine.
Fix asynclook unit test for setup of lockchecks before log.
Fix 533: Negative responses get cached even when setting cache-max-negative-ttl: 1
Fix tcp fastopen failure when disabled, try normal connect instead.
Fix 538: Fix subnetcache statistics.
Small fixes for 41: changelog, conflicts resolved, processQueryResponse takes an \ 
iterator env argument like other functions in the iterator, no colon in string \ 
for set_option, and some whitespace style, to make it similar to the rest.
Fix for 41: change outbound retry to int to fix signed comparison warnings.
Fix root_anchor test to check with new icannbundle date.
Fix initialisation errors reported by gcc sanitizer.
Fix lock debug code for gcc sanitizer reports.
Fix more initialisation errors reported by gcc sanitizer.
Fix crosscompile on windows to work with openssl 3.0.0 the link with ws2_32 \ 
needs -l:libssp.a for __strcpy_chk. Also copy results from lib64 directory if \ 
needed.
For crosscompile on windows, detect 64bit stackprotector library.
Fix crosscompile shell syntax.
Fix crosscompile windows to use libssp when it exists.
For the windows compile script disable gost.
Fix that on windows, use BIO_set_callback_ex instead of deprecated BIO_set_callback.
Fix crosscompile script for the shared build flags.
Fix to add example.conf note for outbound-msg-retry.
Fix chaos replies to have truncation for short message lengths, or long reply \ 
strings.
Fix to protect custom regional create against small values.
Fix 552: Unbound assumes index.html exists on RPZ host.
Fix that forward-zone name is documented as the full name of the zone. It is not \ 
relative but a fully qualified domain name.
Fix analyzer review failure in rpz action override code to not crash on \ 
unlocking the local zone lock.
Fix to remove unused code from rpz resolve client and action function.
Merge 565: unbound.service.in: Disable ProtectKernelTunables again.
Fix for 558: fix loop in comm_point->tcp_free when a comm_point is reclaimed \ 
more than once during callbacks.
Fix for 558: clear the UB_EV_TIMEOUT bit before adding an event.
Improve EDNS option handling, now also works for synthesised responses such as \ 
local-data and server.id CH TXT responses.
Merge PR 570 from rex4539: Fix typos.
Fix for 570: regen aclocal.m4, fix configure.ac for spelling.
Fix to make python module opt_list use opt_list_in.
Fix 574: unbound-checkconf reports fatal error if interface names are used as \ 
value for interfaces:
Fix 574: Review fixes for it.
Fix 576: [FR] UB_* error codes in unbound.h
Fix 574: Review fix for spelling.
Fix to remove git tracking and ci information from release tarballs.
iana portlist update.
Merge PR 511 from yan12125: Reduce unnecessary linking.
Merge PR 493 from Jaap: Fix generation of libunbound.pc.
Merge PR 562 from Willem: Reset keepalive per new tcp session.
Merge PR 522 from sibeream: memory management violations fixed.
Merge PR 530 from Shchelk: Fix: dereferencing a null pointer.
Fix 454: listen_dnsport.c:825: error: ‘IPV6_TCLASS’ undeclared.
Fix 574: Review fixes for size allocation.
Fix doc/unbound.doxygen to remove obsolete tag warning.