Subject: CVS commit: pkgsrc/net/unbound
From: Fredrik Pettai
Date: 2015-07-15 20:09:05
Message id: 20150715180905.4D9ED98@cvs.netbsd.org

Log Message:
Unbound 1.5.4

Features:
-   [bugzilla: 644 ] harden-algo-downgrade option, if turned off,
    fixes the reported excessive validation failure when multiple
    algorithms are present. If set to 'no', it allows the weakest
    algorithm to validate the zone.
-   stats reports tcp usage, of incoming-num-tcp buffers.
-   contrib/unbound_smf22.tar.gz: Solaris SMF installation/removal
    scripts.
-   Add ip-transparent config option for bind to non-local addresses.
-   Synthesize ANY responses from cache. Does not search exhaustively,
    but MX,A,AAAA,SOA,NS also CNAME.
-   unbound-control list_insecure command shows the negative trust
    anchors currently configured.
-   ratelimit feature, ratelimit: 1000, can be used to turn it on. It
    ratelimits recursion effort per zone. For particular names you can
    configure exceptions in unbound.conf.
-   Ratelimit does not apply to prefetched queries, and
    ratelimit-factor is default 10. Repeated normal queries get resolved
    and with prefetch stay in the cache.
-   unbound-control ratelimit_list lists high rate domains.
-   caps-whitelist in unbound.conf allows whitelist of loadbalancers
    that cannot work with caps-for-id or its fallback.
-   RFC 7553 RR type URI support, is now enabled by default.
-   cache-max-negative-ttl config option, default 3600.
-   Add local-zone type inform_deny, that logs query and drops answer.

Bug Fixes:
-   Unbound exits with a fatal error when the auto-trust-anchor-file
    fails to be writable. This is seconds after startup. You can load a
    readonly auto-trust-anchor-file with trust-anchor-file. The file has
    to be writable to notice the trust anchor change, without it, a trust
    anchor change will be unnoticed and the system will then become
    inoperable.
-   DLV is going to be decommissioned. Advice to stop using it, and
    put text in the example configuration and man page to that effect.
-   Patch from Brad Smith that syncs compat/getentropy_linux with
    OpenBSD's version (2015-03-04).
-   0x20 fallback improved: servfail responses do not count as missing
    comparisons (except if all responses are errors), inability to find
    nameservers does not fail equality comparisons, many nameservers does
    not try to compare more than max-sent-count, parse failures start 0x20
    fallback procedure.
-   store caps_response with best response in case downgrade response
    happens to be the last one.
-   Document that incoming-num-tcp increase is good for large servers.
-   Fix lintian warning in unbound-checkconf man page.
-   Updated default keylength in unbound-control-setup to 3k.
-   Fixup compile on cygwin, more portable openssl thread id.
-   Use reallocarray for integer overflow protection.
-   Fixed to add integer overflow checks on allocation (defense in depth).
-   Fix segfault on user not found at startup.
-   [bugzilla: 657 ] Fix that libunbound(3) recommends deprecated
    CRYPTO_set_id_callback.
-   If unknown trust anchor algorithm, and libressl is used, error
    message encourages upgrade of the libressl package.
-   rename ldns subdirectory to sldns to avoid name collision.
-   [bugzilla: 660 ] Fix interface-automatic broken in the presence of
    asymmetric routing.
-   Libunbound skips dos-line-endings from etc/hosts.
-   Fix crash in dnstap: Do not try to log TCP responses after timeout.
-   Fix that get_option for cache-sizes does not print double newline.
-   [bugzilla: 663 ] Fix that ssl handshake fails when using unix
    socket because dh size is too small.
-   [bugzilla: 664 ] libunbound python3 related fixes (from Tomas
    Hozza); Use print_function also for Python2. libunbound examples:
    produce sorted output. libunbound-Python: libldns is not used anymore.
    Fix issue with Python 3 mapping of FILE* using file_py3.i from ldns.
-   Fix leaked dns64prefix configuration string.
-   Removed contrib/unbound_unixsock.diff, because it has been
    integrated, use control-interface: /path in unbound.conf.
-   Change syntax of particular validator error to be easier for
    machine parse, swap rrset and ip adres info so it looks like:
    validation failure <www.example.nl. TXT IN>: signature crypto failed
    from 2001:DB8:7:bba4::53 for <*.example.nl. NSEC IN>
-   Fix that unparseable error responses are ratelimited.
-   SOA negative TTL is capped at minimumttl in its rdata section.
-   [bugzilla: 674 ] Do not free pointers given by getenv.
-   [bugzilla: 677 ] Fix CNAME corresponding to a DNAME was checked
    incorrectly and was therefore always synthesized.
    And fix DNAME responses from cache that failed internal chain test.
-   iana portlist update.

Files:
RevisionActionfile
1.37modifypkgsrc/net/unbound/Makefile
1.28modifypkgsrc/net/unbound/distinfo