2014-02-13 00:18:57 by Matthias Scheler | Files touched by this commit (1568) |
Log message:
Recursive PKGREVISION bump for OpenSSL API version bump.
|
2013-11-24 10:39:44 by Fredrik Pettai | Files touched by this commit (2) |
Log message:
take over the maintainership
|
2013-11-17 23:57:38 by Fredrik Pettai | Files touched by this commit (3) |
Log message:
Unbound 1.4.21
Features:
* Implement max-udp-size config option, default 4096 with fix#524 for
nonEDNS0 queries.
* add unbound-control insecure_add and insecure_remove for the administration
of negative trust anchors.
* install copy of unbound-control.8 man page for unbound-control-setup.
* code improve for minimal responses, small speed increase.
* max include of 100.000 files (depth and globbed at one time).
This is to preserve system memory in bug cases, or endless cases.
* unbound.h header file has UNBOUND_VERSION_MAJOR define.
* get_option, set_option, unbound-checkconf -o and libunbound getoption() and
setoption() support cache-min-ttl and cache-max-ttl. Also log-time-ascii,
python-script, val-sig-skew-min and val-sig-skew-max. log-time-ascii takes
effect immediately. The others are mostly useful for libunbound users.
* configure --disable-flto option.
* streamtcp man page.
* Make reverse zones easier by documenting the nodefault statements
commented-out in the example config file.
Bug Fixes:
* committed libunbound version 4:1:2 for binary API updated in 1.4.20
* Fix for 2038, with time_t instead of uint32_t.
* Fix resolve of names that use a mix of public and private addresses.
* [bugzilla: 492 ] Fix endianness detection, revert to older lookup3.c
detection and put new detect lines after previous tests, to avoid
regressions but allow new detections to succeed.
And add detection for machine/endian.h to it.
* Fix queries leaking up for stubs and forwards, if the configured
nameservers all fail to answer.
* unbound-anchor review: BIO_write can return 0 successfully if it has
successfully appended a zero length string.
* Fix so that for a configuration line of include: "*.conf" it is not an
error if there are no files matching the glob pattern.
* own implementation of compat/snprintf.c.
* [bugzilla: 491 ] pick program name (0th argument) as syslog identity.
* Fixup snprintf return value usage, fixed libunbound_get_option.
* Robust checks on dname validity from rdata for dname compare.
* iana portlist update.
* Fix round-robin doesn't work with some Windows clients.
* [bugzilla: 500 ] use on non-initialised values on socket bind failures.
* [bugzilla: 499 ] use-after-free in out-of-memory handling code.
* Explain bogus and secure flags in libunbound more.
* Update acx_pthreads.m4 to ax_pthreads.4 (2013-03-29), and apply patch to it
to not fail when -Werror is also specified, from the autoconf-archives.
* Fixup manpage syntax.
* Fix for const string literals in C++ for libunbound.
* Squelch sendto-permission denied errors when the network is not connected,
to avoid spamming syslog.
* libunbound documentation on how to avoid openssl race conditions.
* [bugzilla: 512 ] NSS returned arrays out of setup function to be statics.
* [bugzilla: 516 ] dnssec lameness detection for answers that are improper.
* [bugzilla: 519 ] ub_ctx_delete may hang in some scenarios (libunbound).
* [bugzilla: 520 ] Errors found by static analysis
|
2013-07-12 12:45:05 by Jonathan Perkin | Files touched by this commit (181) |
Log message:
Bump PKGREVISION of all packages which create users, to pick up change of
sysutils/user_* packages.
|
2013-04-02 00:34:41 by Fredrik Pettai | Files touched by this commit (2) |
Log message:
Unbound 1.4.20
Features:
* add libunbound.ttl at end of result structure, version bump for libunbound.
Code compiled with 1.4.19 is binary compatible with the 1.4.20 library.
If code uses the ttl it needs the 1.4.20 version.
Bug Fixes:
* Change of D.ROOT-SERVERS.NET A address in default root hints.
* Fix openssl lock free on exit.
* unbound-anchors checks the emailAddress of the signer of the root.xml file,
default is dnssec@iana.org. It also checks that the signer has the correct
key usage for a digital signature.
* printout name of zone with duplicate fwd and hint errors.
* includes and have_ssl fixes for nss.
* detect endianness in lookup3 on BSD.
* iana portlist updated.
|
2013-02-07 00:24:19 by Jonathan Perkin | Files touched by this commit (1351) |
Log message:
PKGREVISION bumps for the security/openssl 1.0.1d update.
|
2012-12-25 09:54:27 by Fredrik Pettai | Files touched by this commit (3) |
Log message:
Unbound 1.4.19
Features:
* RFC6725 deprecates RSAMD5: this DNSKEY algorithm is disabled.
The contrib/patch_rsamd5_enable.diff patch enables RSAMD5 validation
otherwise it is treated as insecure. The MD5 hash is considered weak for
some purposes, if you want to sign your zone, then RSASHA256 is an
uncontested hash.
* unbound-control -q option is quiet
* include: directive in config file accepts wildcards.
Suggested use: include: "/etc/unbound.d/conf.d/*"
Bug Fixes:
* Fix openssl race condition, initializes openssl locks.
* Improved forward-first and stub-first documentation.
* Fix that enables modules to register twice for the same serviced_query,
without race conditions or administration issues.
* Fix forward-first option where it sets the RD flag wrongly.
* added manpage links for libunbound calls.
* Add documentation to libunbound for default nonuse of resolv.conf.
* Fix timeouts so that when a server has been offline for a while and is
probed to see it works, it becomes fully available for server selection again.
* Fallback to 1472 and 1232, one fragment size without headers.
* [bugzilla: 465 ] Nicer comments outgoing-port-avoid.
* chdir to / after chroot call (suggested by Camiel Dobbelaar).
* updated contrib/unbound.spec.
* ignore trusted-keys globs that have no files (from Paul Wouters).
* fix text in unbound-anchor man page.
* fix build of pythonmod in objdir.
* make clean and makerealclean remove generated python and docs.
* Fix validation for responses with both CNAME and wildcard expanded CNAME
records in answer section.
* [bugzilla: 477 ] Fix unbound-anchor segfault if EDNS is blocked.
* Fix unbound-control forward disables configured stubs below it.
* [bugzilla: 481 ] Fix python example0.
* iana portlist updated.
|
2012-10-23 19:19:22 by Aleksej Saushev | Files touched by this commit (671) |
Log message:
Drop superfluous PKG_DESTDIR_SUPPORT, "user-destdir" is default these days.
|
2012-08-13 16:00:03 by Fredrik Pettai | Files touched by this commit (2) |
Log message:
Unbound 1.4.18
Features:
* implement log-time-ascii on windows.
* --with-libunbound-only build option, only builds the library and not the
daemon and other tools.
* --with-nss build option (for now, --with-libunbound-only), uses libNSS for
crypto operations.
* disable RSAMD5 if in FIPS mode (for openssl and for libnss).
* Add flush_bogus option for unbound-control.
Bug Fixes:
* Fix libunbound report of errors when in background mode.
* fix bogus nodata cname chain not reported as bogus by validator
* [bugzilla: 454 ] Fix for ACX_CHECK_COMPILER_FLAG from configure.ac, if CFLAGS
is specified at configure time then '-g -O2' is not appended to CFLAGS, so that
the user can override them.
* FIPS_mode openssl does not use arc4random but RAND_pseudo_bytes.
* fix missing break for GOST DS hash function.
* implemented forward_first for the root.
* code review: return value of cache_store can be ignored for better performance
in out of memory conditions.
* patch for unbound_munin_ script to handle arbitrary thread count by Sven Ulland.
* Fix validation of qtype DS queries that result in no data for non-optout NSEC3
zones.
* fix edns-buffer-size and msg-buffer-size manpage documentation.
* fix error handling of alloc failure during rrsig verification.
* The key-cache bad key ttl is now 60 seconds.
* [bugzilla: 452 ] fix crash on assert in mesh_state_attachment. Fixes DS NS
search to not generate duplicate sub queries.
* silence warning from swig-generated code (md set but not used in swig
initmodule, due to ifdefs in swig-generated code).
* Fix debian-bugs-658021: Please enable hardened build flags.
* update iana ports list
|
2012-06-08 23:52:00 by Fredrik Pettai | Files touched by this commit (2) |
Log message:
Unbound 1.4.17
Features:
* unbound-control forward_add, forward_remove, stub_add, stub_remove can modify
stubs and forwards for running unbound they can also add and remove
domain-insecure for the zone. This is to support reconfiguration of a DNSSEC
validator on a computer that changes networks and has to enable new network
config for the new location.
* new approach to NS fetches for DS lookup that works with cornercases, and is
more robust and considers forwarders.
* contrib/validation-reporter follows rotated log file
* Applied patch for rrset-roundrobin and minimal-responses features (new
options, enable in unbound.conf to use).
* ECDSA support (RFC 6605) by default. Use --disable-ecdsa for older openssl.
* Patch for access to full DNS packet data in unbound python module
* forward-first option. Tries without forward if a query fails. Also stub-first
option that is similar.
Bug Fixes:
* Fix possible uninitialised variable in windows pipe implementation.
* Fix alignment problem in util/random on sparc64/freebsd.
* Fix for accept spinning reported by OpenBSD.
* Fix validation of nodata for DS query in NSEC zones
* [bugzilla: 444 ] Fix that setusercontext was called too late
* [bugzilla: 443 ] Fix --with-chroot-dir not honoured by configure.
* [bugzilla: 442 ] Fix that Makefile depends on pythonmod headers even using
--without-pythonmodule.
* Fix to locate nameservers for DS lookup with NS fetches.
* Applied line-buffer patch from Augie Schwer to validation.reporter.sh.
* flush_infra cleans timeouted servers from the cache too.
* Fix from code review, if EINPROGRESS not defined chain if statement differently.
* [bugzilla: 434 ] Fix windows port to check registry for config file location
for unbound-control.exe, and unbound-checkconf.exe.
* Fix to squelch 'network unreachable' errors from tcp connect in logs, high
verbosity will show them.
* Fix prefetch and sticky NS ghost domain. It picks nameservers that 'would be
valid in the future', and if this makes the NS timeout, it updates that NS by
asking delegation from the parent again. If child NS has longer TTL, that TTL
does not get refreshed from the lookup to the child nameserver.
* RT#2955 Fix for cygwin compilation.
* Slightly smaller critical region in one case in infra cache.
* Fix timeouts to keep track of query type, A, AAAA and other, if another has
caused timeout blacklist, different type can still probe.
* unit test fix for nomem_cnametopos.rpl race condition.
* fix memory leak in errorcase for DSA signatures.
* workaround for openssl 0.9.8 ecdsa sha2 and evp problem.
* fix for windows, rename() is not posix compliant on windows.
* iana portlist updated
|