Log message:
net/unbound: update to version 1.23.0.

Pkgsrc changes:
 * Remove patch now integrated upstream (fix for #1264)
 * Adjust checksums

Upstream changes:

Features
- Increase the default of max-global-quota to 200 from 128 after
  operational feedback. Still keeping the possible amplification
  factor (CAMP related issues) in the hundreds.
- Fix #1175: serve-expired does not adhere to secure-by-default
  principle. The default value of serve-expired-client-timeout
  is set to 1800 as suggested by RFC8767.
- For #1175, the default value of serve-expired-ttl is set to 86400
  (1 day) as suggested by RFC8767.
- For #1207: [FR] Support for RESINFO RRType 261 (RFC9606), add
  LDNS_RR_TYPE_RESINFO similar to LDNS_RR_TYPE_TXT.
- Add resolver.arpa and service.arpa to the default locally served
  zones.
- Merge #1042: Fast Reload. The unbound-control fast_reload is added.
  It reads changed config in a thread, then only briefly pauses the
  service threads, that keep running. DNS service is only interrupted
  briefly, less than a second.
- Merge #1019: Redis read-only replica support.
  Introduces new 'redis-replica-*' options for the Redis cache backend.
- Merge #902: DNS Error Reporting (RFC 9567). Introduces new
  configuration option 'dns-error-reporting' and new statistics for
  'num.dns_error_reports'.

Bug Fixes
- Fix #1154: Tag Incorrectly Applying for Other Interfaces
  Using the Same IP. This fix is not for 1.22.0.
- Fix #1163: Typos in unbound.conf documentation.
- Merge #1159: Stats for discard-timeout and wait-limit.
- Add test case for #1159.
- Some clean up for stat_values.test.
- Merge #1170 from Melroy van den Berg, Fix chroot manpage
  description.
- Merge #1157 from Liang Zhu, Fix heap corruption when calling
  ub_ctx_delete in Windows.
- Fix redis that during a reload it does not fail if the redis
  server does not connect or does not respond. It still logs the
  errors and if the server is up checks expiration features.
- Merge #1167: Makefile.in: fix occasional parallel build failures
  around bison rule.
- Fix SETEX check during Redis (re)initialization.
- Fix for the serve expired DNSSEC information fix, it would not allow
  current delegation information be updated in cache. The fix allows
  current delegation and validation recursion information to be
  updated, but as a consequence no longer has certain expired
  information around for later dnssec valid expired responses.
- Fix to log redis timeout error string on failure.
- More descriptive text for 'harden-algo-downgrade'.
- Complete fix for max-global-quota to 200.
- Fix #1183: the data being used is released in method
  nsec3_hash_test_entry.
- Fix for #1183: release nsec3 hashes per test file.
- Merge #1169 from Sergey Kacheev, fix: lock-free counters for
  auth_zone up/down queries.
- Fix comparison to help static analyzer.
- For #1175, update serve-expired tests.
- Merge #1189: Fix the dname_str method to cause conversion errors
  when the domain name length is 255.
- Merge #1197: dname_str() fixes.
- Merge #1198: Fix log-servfail with serve expired and no useful cache
  contents.
- Safeguard alias loop while looking in the cache for expired answers.
- Merge #1187: Create the SSL_CTX for QUIC before chroot and privilege
  drop.
- Fix typo in log_servfail.tdir test.
- Merge #1204: ci: set persist-credentials: false for actions/checkout
  per zizmor suggestion.
- Merge #1174: Serve expired cache update fixes. Fixes a regression bug
  with serve-expired that appeared in 1.22.0 and would not allow the
  iterator to update the cache with not-yet-validated entries resulting
  in increased outgoing traffic.
- Merge #1214: Use TCP_NODELAY on TLS sockets to speed up the TLS
  handshake.
- Fix #1213: Misleading error message on default access control causing
  refuse.
- Merge #1221: Consider auth zones when checking for forwarders.
- Merge #1222: Unique DoT and DoH SSL contexts to allow for different
  ALPN.
- Create the quic SSL listening context only when needed.
- Fix compile of interface check code when dnscrypt or quic is
  disabled.
- Fix encoding of RR type ATMA.
- Fix to check length in ATMA string to wire.
- Merge #1229: check before use daemon->shm_info.
- Use the same interface listening port discovery code for all needed
  protocols.
- Port to string only when needed before getaddrinfo().
- Do not open unencrypted channels next to encrypted ones on the same
  port.
- Merge #1224 from Theo Buehler: Do not use DSA API unless USE_DSA is
  set.
- Merge #1220 from Petr Menšík, Add unbound members group
  access to control key.
- Make the default value of module-config "validator iterator"
  regardless of compilation options. --enable-subnet would implicitly
  change the value to enable the subnetcache module by default in the
  past.
- Fix #986: Resolving sas.com with dnssec-validation fails though
  signed delegations seem to be (mostly) correct.
- Consider reconfigurations when calculating the still_useful_timeout
  for servers in the infrastructure cache.
- Fix static analysis report about unhandled EOF on error conditions
  when reading anchor key files.
- Merge #1241: Fix infra-keep-probing for low infra-cache-max-rtt
  values.
- Fix hash calculation for cachedb to ignore case. Previously, cached
  records there were only relevant for same case queries (if not
  already in Unbound's internal cache).
- Merge #1243: Do not shadow tm on line 236.
- Merge #1238: Prefer SOURCE_DATE_EPOCH over actual time.
  Add --help output description for the SOURCE_DATE_EPOCH variable.
- Fix 'unbound-control flush_negative' when reporting removed data;
  reported by David 'eqvinox' Lamparter.
- Fix representation of types GPOS and RESINFO, add rdf type for
  unquoted str.
- Fix #1251: WSAPoll first argument cannot be NULL.
- Fix for windows compile create ssl contexts.
- Fix print of RR type NSAP-PTR, it is an unquoted string.
- Fix #1253: Cache entries fail to be removed from Redis cachedb
  backend with unbound-control flush* +c.
- Fix for #1253: Fix for redis cachedb backend to expect an integer
  reply for the EXPIRE command.
- Fix #1254: `send failed: Socket is not connected` and
  `remote address is 0.0.0.0 port 53`.
- Fix #1255: Multiple pinnings to vulnerable copies of libexpat.
- For #1255, for ios use an older expat version that does not require
  C++11 language features.
- For #1255, for ios disable building tests that require C++11.
- For #1255, for ios try the latest expat version again.
- Fix unit test dname log printout typecast.
- Fix for ci test, expat is installed on the osx image.
- iana portlist update.
- Skip the unit tests for auth_tls.tdir and auth_tls_failcert.tdir.
- Fix escape more characters when printing an RR type with an unquoted
  string.
- Enable the auth_tls.tdir and auth_tls_failcert.tdir tests.
- Fix unbound-control test so it counts the new flush_negative output,
  also answers the _ta probe from testns and prints command output
  and skip a thread specific test when no threads are available.
- Fix that ub_event has the facility to deal with callbacks for
  fast reload, doq, windows-stop and dnstap.
- Fix fast reload test to check if pid exists before acting on it.
- Merge #1262 from markyang92, fix build with
  'gcc-15 -Wbuiltin-declaration-mismatch' error in compat/malloc.c.
- For #1262, ifdef is no longer needed.
- Fix #1263: Exempt loopback addresses from wait-limit.
- Fix wait-limit-netblock and wait-limit-cookie-netblock config parse
  to allow two arguments.
- Fix ub_event and include dnstap and win_svc headers.
- Fix test for stat_values for wait limit defaults for localhost.
- Fix parameter unused warning in net_help.c.
- Fix mesh_copy_client_info to omit null contents from copy.
- Fix comment name in the rpz nsdname test.
- Fix nettle compile for warnings and ticket keys.
- Fix redis_replica test for unused option defaults and log printout.
- Fix test to speed up common.sh script kill_pid.
- Fix to update common.sh for speed of kill_pid.
- Update to the manpage for the fast_reload part.
- Fix fast_reload to print chroot with config file name.
- Fix to detect if atomic_store links in configure.
- Fix #1264: unbound 1.22.0 leaks memory when doing DoH.
- Fix for print of connection type in log-replies for dot and doh.
- Merge #1265: Fix WSAPoll.

Log message:
*: recursive bump for icu 77 and libxml2 2.14

Log message:
net/unbound: add a patch to plug memory leak when exposed to DoH traffic.

This is a fix for the memory leak reported in
  https://github.com/NLnetLabs/unbound/issues/1264
and the patch is from
  \ 
https://github.com/NLnetLabs/unbound/commit/4f06e658d1a10a2782a475e76cb0c4d308e08f7c

This will possibly/hopefully be part of the upcoming 1.23.0 release.

Bump PKGREVISION.

Log message:
Set default user, group and syslog facility for nsd and unbound in
mk/defaults/mk.conf for documentation.

Thanks, wiz@

Log message:
Allow to set the syslog facility for the build -- this should really
be a config file option.

While here, pkglint.

Log message:
*: recursive bump for abseil 20250127.0

Log message:
revbump after devel/protobuf update

Log message:
*: recursive bump for icu 76 shlib major version bump