2019-06-12 11:21:42 by Fredrik Pettai | Files touched by this commit (2) |
Log message:
fixes PR pkg/54126
|
2019-03-12 13:13:08 by Havard Eidnes | Files touched by this commit (2) |
Log message:
Update unbound to version 1.9.1
Upstream changes:
Features
- Add local-zone type inform_redirect, which logs like type inform,
and redirects like type redirect.
- Perform canonical sort for 0x20 capsforid compare of replies,
this sorts rrsets in the authority and additional section before
comparison, so that out of order rrsets do not cause failure.
- Print query name with ip_ratelimit exceeded log lines.
Spaces instead of tabs in that log message.
- Print query name and IP address when domain rate limit exceeded.
Bug Fixes
- Fix #4224: auth_xfr_notify.rpl test broken due to typo
- Fix locking for libunbound context setup with broken port config.
- Fix case in which query timeout can result in marking delegation
as edns_lame_known.
- Set ub_ctx_set_tls call signature in ltrace config file for
libunbound in contrib/libunbound.so.conf.
- improve documentation for tls-service-key and forward-first.
- #10: fixed pkg-config operations, PKG_PROG_PKG_CONFIG moved out of
conditional section, fixes systemd builds, from Enrico Scholz.
- #9: For openssl 1.0.2 use the CRYPTO_THREADID locking callbacks,
still supports the set_id_callback previous API. And for 1.1.0
no locking callbacks are needed.
- #8: Fix OpenSSL without ENGINE support compilation.
- Wipe TLS session key data from memory on exit.
- Fix that log-replies prints the correct name for local-alias
names, for names that have a CNAME in local-data configuration.
It logs the original query name, not the target of the CNAME.
- Fix #4206: OpenSSL 1.0.2 hostname verification for FreeBSD 11.2.
- Fix that qname minimisation does not skip a label when missing
nameserver targets need to be fetched.
- Fix #4225: clients seem to erroneously receive no answer with
DNS-over-TLS and qname-minimisation.
- Note default for module-config in man page.
- Fix #13: Remove left-over requirements on OpenSSL >= 1.1.0 for
cert name matching, from man page.
- Fix capsforid canonical sort qsort callback.
- Fix pythonmod include and sockaddr_un ifdefs for compile on
Windows, and for libunbound.
- Fix the error for unknown module in module-config is understandable,
and explains it was not compiled in and where to see the list.
- In example.conf explain where to put cachedb module in module-config.
- In man page and example config explain that most modules have to
be listed at the start of module-config.
- Fix #4227: pair event del and add for libevent for tcp_req_info.
- Fix #4229: Unbound man pages lack information, about access-control
order and local zone tags, and elements in views.
- Fix #14: contrib/unbound.init: Fix wrong comparison judgment
before copying.
- Fix for python module on Windows, fix fopen.
- Remove memory leak on pythonmod python2 script file init.
- Remove swig gcc8 python function cast warnings, they are ignored.
- Print correct module that failed when module-config is wrong.
|
2019-02-12 11:52:28 by Havard Eidnes | Files touched by this commit (2) |
Log message:
Apply two fixes from
https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=4225
* Sometimes qname-minimisation needs to be (temporarily) reverted.
* DNS-over-TLS would interact with qname-minimisation and would erroneously
echo back the query buffer instead of the answer.
Bump PKGREVISION.
|
2019-02-05 10:44:57 by Havard Eidnes | Files touched by this commit (2) |
Log message:
Update unbound to version 1.9.0
Upstream changes:
This release contains the DNS Flag Day changes for Unbound. See the
reference here, https://dnsflagday.net/ . Or this presentation:
https://indico.dns-oarc.net/event/29/contributions/662/attachments/634/1063/EDNS_Flag_Day_-_OARC29.pdf .
The EDNS timeouts are not used to fallback to nonEDNS queries.
Features
- log-tag-queryreply: yes in unbound.conf tags the log-queries and
log-replies in the log file for easier log filter maintenance.
- ip-ratelimit-factor of 1 allows all traffic through, instead of the
previous blocking everything.
- Fix #4206: support openssl 1.0.2 for TLS hostname verification,
alongside the 1.1.0 and later support that is already there.
- Add contrib/unbound-fuzzme.patch from Jacob Hoffman-Andrews,
the patch adds a program used for fuzzing.
- streamtcp option -a send queries consecutively and prints answers
as they arrive.
- out-of-order processing for TCP and TLS.
- Add stream-wait-size: 4m config option to limit the maximum
memory used by waiting tcp and tls stream replies. This avoids
a denial of service where these replies use up all of the memory.
- unbound-control stats has mem.streamwait that counts TCP and TLS
waiting result buffers.
- Patch from Manabu Sonoda with tls-ciphers and tls-ciphersuites
options for unbound.conf.
- Patch for TLS session resumption from Manabu Sonoda,
enable with tls-session-ticket-keys in unbound.conf.
- ub_ctx_set_tls call for libunbound that enables DoT for the machines
set with ub_ctx_set_fwd. Patch from Florian Obser.
Bug Fixes
- Fix that unbound-checkconf does not complain if the config file
is not placed inside the chroot.
- Refuse to start with no ports.
- Remove clang analysis warnings.
- Patch for typo in unbound.conf man page.
- Fix icon, no ragged edges and nicer resolutions available, for eg.
Win 7 and Windows 10 display.
- cache-max-ttl also defines upperbound of initial TTL in response.
- Fix config parser memory leaks.
- Fix for FreeBSD port make with dnscrypt and dnstap enabled.
- Fixup openssl 1.0.2 compile
- Fix for crash in dns64 module if response is null.
- On FreeBSD warn if sysctl settings do not allow server TCP FASTOPEN,
and server tcp fastopen is enabled at compile time.
- Document interaction between the tls-upstream option in the server
section and forward-tls-upstream option in the forward-zone sections.
- Fix syntax in comment of local alias processing.
- Fix NSEC3 record that is returned in wildcard replies from
auth-zone zones with NSEC3 and wildcards.
- Log query name for looping module errors.
- For caps-for-id fallback, use the whitelist to avoid timeout
starting a fallback sequence for it.
- increase mesh max activation count for capsforid long fetches.
- Fix for #4219: secondaries not updated after serial change, unbound
falls back to AXFR after IXFR gives several timeout failures.
- Fix that auth zone after IXFR fallback tries the same master.
- Fix for IXFR fallback to reset counter when IXFR does not timeout.
- Newer aclocal and libtoolize used for generating configure scripts,
aclocal 1.16.1 and libtoolize 2.4.6.
- Fix unit test for python 3.7 new keyword 'async'.
- clang analysis fixes, assert arc4random buffer in init,
no check for already checked delegation pointer in iterator,
in testcode check for NULL packet matches, in perf do not copy
from NULL start list when growing capacity. Adjust host and file
only when present in test header read to please checker. In
testcode for unknown macro operand give zero result. Initialise the
passed argv array in test code. In test code add EDNS data
segment copy only when nonempty.
- Patch from Florian Obser fixes some compiler warnings:
include mini_event.h to have a prototype for mini_ev_cmp
include edns.h to have a prototype for apply_edns_options
sldns_wire2str_edns_keepalive_print is only called in the wire2str
module, declare it static to get rid of compiler warning:
no previous prototype for function
infra_find_ip_ratedata() is only called in the infra module,
declare it static to get rid of compiler warning:
no previous prototype for function
do not shadow local variable buf in authzone
auth_chunks_delete and az_nsec3_findnode are only called in the
authzone module, declare them static to get rid of compiler warning:
no previous prototype for function...
copy_rrset() is only called in the respip module, declare it
static to get rid of compiler warning:
no previous prototype for function 'copy_rrset'
no need for another variable "r"; gets rid of compiler warning:
declaration shadows a local variable in libunbound.c
no need for another variable "ns"; gets rid of compiler warning:
declaration shadows a local variable in iterator.c
- Moved includes and make depend.
- updated contrib/fastrpz.patch to cleanly diff.
- remove compile warnings from libnettle compile.
- output of newer lex 2.6.1 and bison 3.0.5.
- Set build system for added call in the libunbound API.
- List example config for root zone copy locally hosted with auth-zone
as suggested from draft-ietf-dnsop-7706-bis-02. But with updated
B root address.
- Fixed spelling of tls-ciphers option in example.conf.
|
2019-01-17 15:19:51 by Havard Eidnes | Files touched by this commit (2) |
Log message:
Let unbound grow a "dnstap" option.
Bump PKGREVISION.
|
2018-12-11 18:06:46 by Havard Eidnes | Files touched by this commit (2) |
Log message:
Update unbound to version 1.8.3
Upstream changes:
Bug Fixes
- Fix dns64 allocation in wrong region for returned internal queries.
|
2018-12-04 13:04:22 by Havard Eidnes | Files touched by this commit (3) |
Log message:
Update unbound to version 1.8.2
Pkgsrc changes:
* Re-position configure diff.
Upstream changes:
Features
- Add fast-server-permil and fast-server-num options.
- Deprecate low-rtt and low-rtt-permil options.
- Change fast-server-num default to 3.
- Fix #4154: make ECS_MAX_TREESIZE configurable, with
the max-ecs-tree-size-ipv4 and max-ecs-tree-size-ipv6 options.
- Fix #4190: Please create a "ANY" deny option, adds the option
deny-any: yes in unbound.conf. This responds with an empty message
to queries of type ANY.
- Fix #4126: RTT_band too low on VSAT links with 600+ms latency,
adds the option unknown-server-time-limit to unbound.conf that
can be increased to avoid the problem.
- Add min-client-subnet-ipv6 and min-client-subnet-ipv4 options.
- Support SO_REUSEPORT_LB in FreeBSD 12 with the so-reuseport: yes
option in unbound.conf.
- Add unbound-control view_local_datas command, like local_datas.
Bug Fixes
- dnscrypt.c removed sizeof to get array bounds.
- Fix testlock code to set noreturn on error routine.
- Remove unused variable from contrib fastrpz/rpz.c and
remove unused diagnostic pragmas that themselves generate warnings
- clang analyze test is used only when assertions are enabled.
- Squelch EADDRNOTAVAIL errors when the interface goes away,
this omits 'can't assign requested address' errors unless
verbosity is set to a high value.
- Set default for so-reuseport to no for FreeBSD. It is enabled
by default for Linux and DragonFlyBSD. The setting can
be configured in unbound.conf to override the default.
- iana port update.
- Squelch log of failed to tcp initiate after TCP Fastopen failure.
- Fix #4192: unbound-control-setup generates keys not readable by
group.
- check that the dnstap socket file can be opened and exists, print
error if not.
- Add markdel function to ECS slabhash.
- Limit ECS scope returned to client to the scope used for caching.
- Fix #4191: NXDOMAIN vs SERVFAIL during dns64 PTR query.
- Fix #4141: More randomness to rrset-roundrobin.
- Fix #4132: Openness/closeness of RANGE intervals in rpl files.
- remade makefile dependencies.
- Fix #4152: Logs shows wrong time when using log-time-ascii: yes.
- Scrub NS records from NXDOMAIN responses to stop fragmentation
poisoning of the cache.
- Scrub NS records from NODATA responses as well.
- Add patch from Jan Vcelak for pythonmod,
add sockaddr_storage getters, add support for query callbacks,
allow raw address access via comm_reply and update API documentation.
- Removed compile warnings in pythonmod sockaddr routines.
- With ./configure --with-pyunbound --with-pythonmodule
PYTHON_VERSION=3.6 or with 2.7 unbound can compile and unit tests
succeed for the python module.
- pythonmod logs the python error and traceback on failure.
- ignore debug python module for test in doxygen output.
- review fixes for python module.
- Fix #4209: Crash in libunbound when called from getdns.
- auth zone zonefiles can be in a chroot, the chroot directory
components are removed before use.
- Fix that empty zonefile means the zonefile is not set and not used.
- Fix to not set GLOB_NOSORT so the unbound.conf include: files are
sorted and in a predictable order.
- Fix #4193: Fix that prefetch failure does not overwrite valid cache
entry with SERVFAIL.
- Fix DNS64 to not store intermediate results in cache, this avoids
other threads from picking up the wrong data. The module restores
the previous no_cache_store setting when the module is finished.
- Fix #4208: 'stub-no-cache' and 'forward-no-cache' not work.
- New and better fix for Fix #4193: Fix that prefetch failure does
not overwrite valid cache entry with SERVFAIL.
- auth-zone give SERVFAIL when expired, fallback activates when
expired, and this is documented in the man page.
- stat count SERVFAIL downstream auth-zone queries for expired zones.
- Put new logos into windows installer.
- Fix windows compile for new rrset roundrobin fix.
- Update contrib fastrpz patch for latest release.
- Fix chroot auth-zone fix to remove chroot prefix.
- windows icon updated.
|
2018-10-08 14:26:17 by Havard Eidnes | Files touched by this commit (2) |
Log message:
Update unbound to version 1.8.1
Upstream changes:
Features:
- Perform TLS SNI indication of the host that is being contacted
for DNS over TLS service. It sets the configured tls auth name.
This is useful for hosts that apart from the DNS over TLS services
also provide other (web) services.
Bug Fixes:
- More explicitly mention the type of ratelimit when applying
ip-ratelimit.
- Fix spelling error in header, from getdns commit by Andreas Gelmini.
- iana port update.
- Fixed unused return value warnings in contrib/fastrpz.patch for
asprintf.
- Fix to squelch respip warning in unit test, it is printed at
higher verbosity settings.
- Fix spelling errors.
- Fix initialisation in remote.c
- Fix seed for random backup code to use explicit zero when wiped.
- exit log routine is annotated as noreturn function.
- free memory leaks in config strlist and str2list insert functions.
- do not move unused argv variable after getopt.
- Remove unused if clause in testcode.
- in testcode, free async ids, initialise array, and check for null
pointer during test of the test. And use exit for return to note
irregular program stop.
- Free memory leak in config strlist append.
- make sure nsec3 comparison salt is initialized.
- unit test has clang analysis.
- remove unused variable assignment from iterator scrub routine.
- check for null in delegation point during iterator refetch
in forward zone.
- neater pointer cast in libunbound context quit routine.
- initialize statistics totals for printout.
- in authzone check that node exists before adding rrset.
- in unbound-anchor, use readwrite memory BIO.
- assertion in autotrust that packed rrset is formed correctly.
- Fix memory leak when message parse fails partway through copy.
- remove unused udpsize assignment in message encode.
- nicer bio free code in unbound-anchor.
- annotate exit functions with noreturn in unbound-control.
- Fix compile on Mac for unbound, provide explicit_bzero when libc
does not have it.
- Fix unbound for openssl in FIPS mode, it uses the digests with
the EVP call contexts.
- Fix that with harden-below-nxdomain and qname minimisation enabled
some iterator states for nonresponsive domains can get into a
state where they waited for an empty list.
- Stop UDP to TCP failover after timeouts that causes the ping count
to be reset by the TCP time measurement (that exists for TLS),
because that causes the UDP part to not be measured as timeout.
- Fix #4156: Fix systemd service manager state change notification.
- Fix #4149: Add SSL cleanup for tcp timeout.
- Fix #4188: IPv6 forwarders without ipv6 result in SERVFAIL, fixes
qname minimisation with a forwarder when connectivity has issues
from rejecting responses.
|
2018-09-10 16:31:48 by Havard Eidnes | Files touched by this commit (2) |
Log message:
Update unbound to version 1.8.0
Upstream changes:
Features
- unbound-control auth_zone_reload _zone_ option rereads the zonefile.
- unbound-control auth_zone_transfer _zone_ option starts the probe
sequence for a master to transfer the zone from and transfers when
a new zone version is available.
- num.queries.tls counter for queries over TLS.
- log port number with err_addr logs.
- dns64-ignore-aaaa: config option to list domain names for which the
existing AAAA is ignored and dns64 processing is used on the A
record.
- Fix #4112: Fix that unbound-anchor -f /etc/resolv.conf will not pass
if DNSSEC is not enabled. New option -R allows fallback from
resolv.conf to direct queries.
- Note RFC8162 support. SMIMEA record type can be read in by the
zone record parser.
- Patches from Jim Hague (Sinodun) for EDNS KeepAlive.
- Add config tcp-idle-timeout (default 30s). This applies to
client connections only; the timeout on TCP connections upstream
is unaffected.
- Add edns-tcp-keepalive and edns-tcp-keepalive timeout options
and implement option in client responses.
- Add delay parameter to streamtcp, -d secs.
To be used when testing idle timeout.
- Expose if a query (or a subquery) was ratelimited (not src IP
ratelimiting) to libunbound under 'ub_result.was_ratelimited'.
This also introduces a change to 'ub_event_callback_type' in
libunbound/unbound-event.h.
- Patch to implement tcp-connection-limit from Jim Hague (Sinodun).
This limits the number of simultaneous TCP client connections
from a nominated netblock.
- Fix #4142: unbound.service.in: improvements and fixes.
Add unit dependency ordering (based on systemd-resolved).
Add 'CAP_SYS_RESOURCE' to 'CapabilityBoundingSet' (fixes warnings
about missing privileges during startup). Add 'AF_INET6' to
'RestrictAddressFamilies' (without it IPV6 can't work). From
Guido Shanahan.
- unbound-checkconf checks if modules exist and prints if they are
not compiled in the name of the wrong module.
- Patch for stub-no-cache and forward-no-cache options that disable
caching for the contents of that stub or forward, for when you
want immediate changes visible, from Bjoern A. Zeeb.
- Upgraded crosscompile script to include libunbound DLL in the
zipfile.
- Set libunbound to increase current, because the libunbound change
to the event callback function signature. That needs programs,
that use it, to recompile against the new header definition.
- log-servfail: yes prints log lines that say why queries are
returning SERVFAIL to clients.
- log-local-actions: yes option for unbound.conf that logs all the
local zone actions, a patch from Saksham Manchanda (Secure64).
- #4146: num.query.subnet and num.query.subnet_cache counters.
- #4140: Expose repinfo (comm_reply) to the inplace_callbacks. This
gives access to reply information for the client's communication
point when the callback is called before the mesh state (modules).
Changes to C and Python's inplace_callback signatures were also
necessary.
- Set defaults to yes for a number of options to increase speed and
resilience of the server. The so-reuseport, harden-below-nxdomain,
and minimal-responses options are enabled by default. They used
to be disabled by default, waiting to make sure they worked. They
are enabled by default now, and can be disabled explicitly by
setting them to "no" in the unbound.conf config file. The reuseport
and minimal options increase speed of the server, and should be
otherwise harmless. The harden-below-nxdomain option works well
together with the recently default enabled qname minimisation, this
causes more fetches to use information from the cache.
- Added serve-expired-ttl and serve-expired-ttl-reset options.
Bug Fixes
- Windows example service.conf edited with more windows specific
configuration.
- #4108: systemd reload hang fix.
- Fix usage printout for unbound-host, hostname has to be last
argument on BSDs and Windows.
- Partial fix for permission denied on IPv6 address on FreeBSD.
- Fix that auth-zone master reply with current SOA serial does not
stop scan of masters for an updated zone.
- Fix that auth-zone does not start the wait timer without checking
if the wait timer has already been started.
- #4109: Fix that package config depends on python unconditionally.
- Patch, do not export python from pkg-config, from Petr Menšík.
- Fix checking for libhiredis printout in configure output.
- Fix typo on man page in ip-address description.
- Update libunbound/python/examples/dnssec_test.py example code to
also set the 20326 trust anchor for the root in the example code.
- Better documentation for unblock-lan-zones and insecure-lan-zones
config statements.
- Fix permission denied printed for auth zone probe random port nrs.
- Fix documentation ambiguity for tls-win-cert in tls-upstream and
forward-tls-upstream docs.
- iana port update.
- Fix round robin for failed addresses with prefer-ip6: yes
- Note in documentation that the cert name match code needs
OpenSSL 1.1.0 or later to be enabled.
- Fix to improve systemd socket activation code file descriptor
assignment.
- Fix for 4126 that the #define for UNKNOWN_SERVER_NICENESS can be more
easily changed to adjust default rtt assumptions.
- Fix #4127 unbound -h does not list -p help.
- Print error if SSL name verification configured but not available
in the ssl library.
- Fix that ratelimit and ip-ratelimit are applied after reload of
changed config file.
- Resize ratelimit and ip-ratelimit caches if changed on reload.
- Fix #4129 unbound-control error message with wrong cert permissions
is too cryptic.
- Fix #4130: print text describing -dd and unbound-checkconf on
config file read error at startup, the errors may have been moved
away by the startup process.
- Fix #4131: for solaris, error YY_CURRENT_BUFFER undeclared.
- Fix use-systemd readiness signalling, only when use-systemd is yes
and not in signal handler.
- Fix #4135: 64-bit Windows Installer Creates Entries Under The
Wrong Registry Key, reported by Brian White.
- Fix man page, say that chroot is enabled by default.
- Sort out test runs when the build directory isn't the project
root directory.
- Error if EDNS Keepalive received over UDP.
- Correct and expand manual page entries for keepalive and idle timeout.
- Implement progressive backoff of TCP idle/keepalive timeout.
- Fix 'make depend' to work when build dir is not project root.
- Fix #4139: Fix unbound-host leaks memory on ANY.
- Fix to remove systemd sockaddr function check, that is not
always present. Make socket activation more lenient. But not
different when socket activation is not used.
- Fix #4136: insufficiency from mismatch of FLEX capability between
released tarball and build host. Fix to unconditionally call
destroy in daemon.c.
- Make capsforid fallback QNAME minimisation aware.
- document --enable-subnet in doc/README.
- Fix #4144: dns64 module caches wrong (negative) information.
- Fix that printout of error for cycle targets is a verbosity 4
printout and does not wrongly print it is a memory error.
- Fix segfault in auth-zone read and reorder of RRSIGs.
- Fix contrib/fastrpz.patch.
- Fix warning on compile without threads.
- print servfail info to log as error.
- added more servfail printout statements, to the iterator.
- Fix classification for QTYPE=CNAME queries when QNAME minimisation is
enabled.
- Fix only misc failure from log-servfail when val-log-level is not
enabled.
- Fix lintflags for lint on FreeBSD.
- Fix that a local-zone with a local-zone-type that is transparent
in a view with view-first, makes queries check for answers from the
local-zones defined outside of views.
|
2018-06-21 17:32:22 by Havard Eidnes | Files touched by this commit (2) |
Log message:
Update unbound to version 1.7.3
Upstream changes:
Features
- #4102 for NSD, but for Unbound. Named unix pipes do not use
certificate and key files, access can be restricted with file and
directory permissions. The option control-use-cert is no longer
used, and ignored if found in unbound.conf.
- Rename tls-additional-ports to tls-additional-port, because every
line adds one port.
Bug Fixes
- Don't count CNAME response types received during qname minimisation
as query restart.
- #4100: Fix stub reprime when it becomes useless.
- Fix crash if ratelimit taken into use with unbound-control
instead of with unbound.conf.
- Patch to fix openwrt for mac os build darwin detection in configure.
- #4103: Fix that auth-zone does not insist on SOA record first in
file for url downloads.
- Fix that first control-interface determines if TLS is used. Warn
when IP address interfaces are used without TLS.
- Fix that control-use-cert: no works for 127.0.0.1 to disable certs.
- Fix unbound-checkconf for control-use-cert.
- Fix for unbound-control on Windows and set TCP socket parameters
more closely.
- Fix windows unbound-control no cert bad file descriptor error.
|