./net/unbound, DNS resolver and recursive server

[ CVSweb ] [ Homepage ] [ RSS ] [ Required by ] [ Add to tracker ]

Branch: CURRENT, Version: 1.16.3, Package name: unbound-1.16.3, Maintainer: pettai

Unbound is an implementation of a DNS resolver. It provides a library
similiar to libresolv that can be used for synchronous and asynchronous
DNS lookups. It also provides a caching-only (recursive) DNS server.

Unbound has full support for IPv6 and DNSSEC validation,
DNS-over-TLS and DNS-over-HTTPS.

Required to run:
[security/openssl] [devel/libevent]

Required to build:
[devel/flex] [pkgtools/cwrappers]

Package options: doh

Master sites:

Filesize: 6058.916 KB

Version history: (Expand)

CVS history: (Expand)

   2022-09-21 13:30:24 by Havard Eidnes | Files touched by this commit (2)
Log message:
Update net/unbound to version 1.16.3.

Pkgsrc changes:
 * none, other than checksums.

Upstream changes:
Bug Fixes
- Patch for CVE-2022-3204 Non-Responsive Delegation Attack.
   2022-06-02 15:02:38 by Havard Eidnes | Files touched by this commit (3) | Package updated
Log message:
Update unbound to version 1.16.0.

Pkgsrc changes:
 * Remove patch now integrated upstream
 * Updated checksums

Upstream changes:

This release has EDE support, for extended EDNS error reporting,
it fixes unsupported ZONEMD algorithms to load, and has more bug fixes.

The EDE errors can be turned on by `ede: yes`, it is default disabled.
Validation errors and other errors are then reported. If you also want
stale answers for expired responses to have an error code, the option
`ede-serve-expired: yes` can be used.

- Merge PR #604: Add basic support for EDE (RFC8914).

Bug Fixes
- Fix #412: cache invalidation issue with CNAME+A.
- Fix that TCP interface does not use TLS when TLS is also configured.
- Fix #624: Unable to stop Unbound in Windows console (does not
  respond to CTRL+C command).
- Fix #618: enabling interface-automatic disables DNS-over-TLS.
  Adds the option to list interface-automatic-ports.
- Remove debug info from #618 fix.
- Fix #628: A rpz-passthru action is not ending RPZ zone processing.
- Fix for #628: fix rpz-passthru for qname trigger by localzone type.
- Fix that address not available is squelched from the logs for
  udp connect failures. It is visible on verbosity 4 and more.
- Merge #631 from mollyim: Replace OpenSSL's ERR_PACK with
- Fix to detect that no IPv6 support means that IPv6 addresses are
  useless for delegation point lookups.
- update Makefile dependencies.
- Fix check interface existence for support detection in remote lookup.
- Fix #633: Document unix domain socket support for unbound-control.
- Fix for #633: updated fix with new text.
- Fix edns client subnet to add the option based on the option list,
  so that it is not state dependent, after the state fix of #605 for
  double EDNS options.
- Fix for edns client subnet option add fix in removal code, from review.
- Fix #630: Unify the RPZ log messages.
- Merge #623 from rex4539: Fix typos.
- Fix pythonmod for change in iter_dp_is_useless function prototype.
- Fix compile warnings for printf ll format on mingw compile.
- Merge PR #632 from scottrw93: Match cnames in ipset.
- Various fixes for #632: variable initialisation, convert the qinfo
  to str once, accept trailing dot in the local-zone ipset option.
- Fix #637: Integer Overflow in sldns_str2period function.
- Fix for #637: fix integer overflow checks in sldns_str2period.
- Fix configure for python to use sysutils, because distutils is
  deprecated. It uses sysutils when available, distutils otherwise.
- Merge #644: Make `install-lib` make target install the pkg-config
- Fix to ensure uniform handling of spaces and tabs when parsing RRs.
- Fix to describe auth-zone and other configuration at the local-zone
  configuration option, to allow for more broadly view of the options.
- Merge PR #648 from eaglegai: fix -q doesn't work when use with
  'unbound-control stats_shm'.
- Fix #651: [FR] Better logging for refused queries.
- Fix spelling error in comment in sldns_str2wire_svcparam_key_lookup.
- Fix zonemd check to allow unsupported algorithms to load.
  If there are only unsupported algorithms, or unsupported schemes,
  and no failed or successful other ZONEMD records, or malformed
  or bad ZONEMD records, the unsupported records allow the zone load.
- Fix zonemd unsupported algo check.
- Fix zonemd unsupported algo check reason to not copy to next record,
  and check for success for debug printout.
- Fix zonemd unsupported algo check to print unsupported reason before
  zeroing it.
- Fix zonemd unsupported algo check to set reason to NULL before the
  check routine, but after malformed checks, to get the correct NULL
  output when the digest matches.
- Fix #670: SERVFAIL problems with unbound 1.15.0 running on
  OpenBSD 7.1.
- Fix Python build in non-source directory; based on patch by
  Michael Tokarev.
- Fix #673: DNS over TLS: error: SSL_handshake syscall: No route to
- Merge #677: Allow using system certificates not only on Windows,
  from pemensik.
- For #677: Added tls-system-cert to config parser and documentation.
- Fix #417: prefetch and ECS causing cache corruption when used
- Fix #678: [FR] modify behaviour of unbound-control rpz_enable zone,
  by updating unbound-control's documentation.
- Fix typos in config_set_option for the 'num-threads' and
  'ede-serve-expired' options.
- Fix to silence test for ede error output to the console from the
  test setup script.
- Fix ede test to not use default pidfile, and use local interface.
- Fix some lint type warnings.
- Fix #684: [FTBS] configure script error with libmnl on openSUSE 15.3
  (and possibly other distributions)
   2022-04-03 20:50:21 by Adam Ciarcinski | Files touched by this commit (51)
Log message:
revbump for devel/protobuf
   2022-02-11 10:28:16 by Havard Eidnes | Files touched by this commit (3)
Log message:
Apply fix from
Fix plain DNS-over-TCP so that it doesn't try to use TLS when
TLS is also configured elsewhere.

   2022-02-10 14:17:53 by Havard Eidnes | Files touched by this commit (2) | Package updated
Log message:
Update unbound to version 1.15.0.

Pkgsrc changes:
 * none, other than checksums.

Upstream changes:

This release has bug fixes for crashes that happened on heavy network
usage. The default for the aggressive-nsec option has changed, it is now

The ratelimit logic had to be reworked for the crash fixes. As a result,
there are new options to control the behaviour of ratelimiting.
The ratelimit-backoff and ip-ratelimit-backoff options can be used to
control how severe the backoff is when the ratelimit is exceeded.

The rpz-signal-nxdomain-ra option can be used to unset the RA flag, for
NXDOMAIN answers from RPZ. That is used by some clients to detect that
the domain is externally blocked. The RPZ option for-downstream can be
used like for auth zones, this allows the RPZ zone information to be
queried. That can be useful for monitoring scripts.

- Fix #596: unset the RA bit when a query is blocked by an unbound
  RPZ nxdomain reply. The option rpz-signal-nxdomain-ra allows to
  signal that a domain is externally blocked to clients when it
  is blocked with NXDOMAIN by unsetting RA.
- Add rpz: for-downstream: yesno option, where the RPZ zone is
  authoritatively answered for, so the RPZ zone contents can be
  checked with DNS queries directed at the RPZ zone.
- Merge PR #616: Update ratelimit logic. It also introduces
  ratelimit-backoff and ip-ratelimit-backoff configuration options.
- Change aggressive-nsec default to yes.

Bug Fixes
- Fix compile warning for if_nametoindex on windows 64bit.
- Merge PR #581 from fobser: Fix -Wmissing-prototypes and -Wshadow
  warnings in rpz.
- Fix validator debug output about DS support, print correct algorithm.
- Add code similar to fix for ldns for tab between strings, for
  consistency, the test case was not broken.
- Allow local-data for classes other than IN to inherit a configured
  local-zone's type if possible, instead of defaulting to type
  transparent as per the implicit rule.
- Fix to pick up other class local zone information before unlock.
- Add missing configure flags for optional features in the
- Fix Unbound capitalization in the documentation.
- Fix #591: Unbound-anchor manpage links to non-existent license file.
- contrib/aaaa-filter-iterator.patch file renewed diff content to
  apply cleanly to the current coderepo for the current code version.
- Fix to add test for rpz-signal-nxdomain-ra.
- Fix #596: only unset RA when NXDOMAIN is signalled.
- Fix that RPZ does not set RD flag on replies, it should be copied
  from the query.
- Fix for #596: fix that rpz return message is returned and not just
  the rcode from the iterator return path. This fixes signal unset RA
  after a CNAME.
- Fix unit tests for rpz now that the AA flag returns successfully from
  the iterator loop.
- Fix for #596: add unit test for nsdname trigger and signal unset RA.
- Fix for #596: add unit test for nsip trigger and signal unset RA.
- Fix #598: Fix unbound-checkconf fatal error: module conf
  'respip dns64 validator iterator' is not known to work.
- Fix for #596: Fix rpz-signal-nxdomain-ra to work for clientip
  triggered operation.
- Merge #600 from pemensik: Change file mode before changing file
- Fix prematurely terminated TCP queries when a reply has the same ID.
- For #602: Allow the module-config "subnetcache validator cachedb
- Fix EDNS to upstream where the same option could be attached
  more than once.
- Add a region to serviced_query for allocations.
- For dnstap, do not wakeupnow right there. Instead zero the timer to
  force the wakeup callback asap.
- Fix #610: Undefine-shift in sldns_str2wire_hip_buf.
- Fix #588: Unbound 1.13.2 crashes due to p->pc is NULL in
- Merge PR #612: TCP race condition.
- Test for NSID in SERVFAIL response due to DNSSEC bogus.
- Fix #599: [FR] RFC 9156 (obsoletes RFC 7816), by noting the new RFC
- Fix tls-* and ssl-* documented alternate syntax to also be available
  through remote-control and unbound-checkconf.
- Better cleanup on failed DoT/DoH listening socket creation.
- iana portlist update.
- Fix review comment for use-after-free when failing to send UDP out.
- Merge PR #603 from fobser: Use OpenSSL 1.1 API to access DSA and RSA
- Merge PR #532 from Shchelk: Fix: buffer overflow bug.
- Merge PR #617: Update stub/forward-host notation to accept port and
- Update stream_ssl.tdir test to also use the new forward-host
- Fix header comment for doxygen for authextstrtoaddr.
- please clang analyzer for loop in test code.
- Fix docker splint test to use more portable uname.
- Update contrib/aaaa-filter-iterator.patch with diff for current
  software version.
- Fix for #611: Integer overflow in sldns_wire2str_pkt_scan.
   2021-12-17 19:42:54 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
unbound: updated to 1.14.0



Merge 401: RPZ triggers. This add additional RPZ triggers, unbound supports a \ 
full set of rpz triggers, and this now includes nsdname, nsip and clientip \ 
triggers. Also actions are fully supported, and this now includes the tcp-only \ 
Merge 519: Support for selective enabling tcp-upstream for stub/forward zones.
Merge PR 514, from ziollek: Docker environment for run tests.
Support using system-wide crypto policies.
Fix that --with-ssl can use "/usr/include/openssl11" to pass the \ 
location of a different openssl version.
Merged 41 from Moritz Schneider: made outbound-msg-retry configurable.
Implement RFC8375: Special-Use Domain 'home.arpa.'.
Merge PR 555 from fobser: Allow interface names as scope-id in IPv6 link-local \ 

Bug Fixes

Add test tool readzone to .gitignore.
Merge 521: Update mini_event.c.
Merge 523: fix: free() call more than once with the same pointer.
For 519: note stub-tcp-upstream and forward-tcp-upstream in the example \ 
configuration file.
For 519: yacc and lex. And fix python bindings, and test program \ 
For 519: fix comments for doxygen.
Fix to print error from unbound-anchor for writing to the key file, also when \ 
not verbose.
For 514: generate configure.
Fix for 431: Squelch permission denied errors for udp connect, and udp send, \ 
they are visible at higher verbosity settings.
Fix zonemd verification of key that is not in DNS but in the zone and needs a \ 
chain of trust.
zonemd, fix order of bogus printout string manipulation.
Fix to support harden-algo-downgrade for ZONEMD dnssec checks.
Merge PR 528 from fobser: Make sldns_str2wire_svcparam_buf() static.
Fix 527: not sending quad9 cert to syslog (and may be more).
Fix sed script in ssldir split handling.
Fix 529: Fix: log_assert does nothing if UNBOUND_DEBUG is undefined.
Fix 531: Fix: passed to proc after free.
Fix 536: error: RPZ: name of record (drop.spamhaus.org.rpz.local.) to insert \ 
into RPZ.
Fix the stream wait stream_wait_count_lock and http2 buffer locks setup and \ 
desetup from race condition.
Fix RPZ locks. Do not unlock zones lock if requested and rpz find zone does not \ 
find the zone. Readlock the clientip that is found for ipbased triggers. Unlock \ 
the nsdname zone lock when done. Unlock zone and ip in rpz nsip and nsdname \ 
callback. Unlock authzone and localzone if clientip found in rpz worker call.
Fix compile warning in libunbound for listen desetup routine.
Fix asynclook unit test for setup of lockchecks before log.
Fix 533: Negative responses get cached even when setting cache-max-negative-ttl: 1
Fix tcp fastopen failure when disabled, try normal connect instead.
Fix 538: Fix subnetcache statistics.
Small fixes for 41: changelog, conflicts resolved, processQueryResponse takes an \ 
iterator env argument like other functions in the iterator, no colon in string \ 
for set_option, and some whitespace style, to make it similar to the rest.
Fix for 41: change outbound retry to int to fix signed comparison warnings.
Fix root_anchor test to check with new icannbundle date.
Fix initialisation errors reported by gcc sanitizer.
Fix lock debug code for gcc sanitizer reports.
Fix more initialisation errors reported by gcc sanitizer.
Fix crosscompile on windows to work with openssl 3.0.0 the link with ws2_32 \ 
needs -l:libssp.a for __strcpy_chk. Also copy results from lib64 directory if \ 
For crosscompile on windows, detect 64bit stackprotector library.
Fix crosscompile shell syntax.
Fix crosscompile windows to use libssp when it exists.
For the windows compile script disable gost.
Fix that on windows, use BIO_set_callback_ex instead of deprecated BIO_set_callback.
Fix crosscompile script for the shared build flags.
Fix to add example.conf note for outbound-msg-retry.
Fix chaos replies to have truncation for short message lengths, or long reply \ 
Fix to protect custom regional create against small values.
Fix 552: Unbound assumes index.html exists on RPZ host.
Fix that forward-zone name is documented as the full name of the zone. It is not \ 
relative but a fully qualified domain name.
Fix analyzer review failure in rpz action override code to not crash on \ 
unlocking the local zone lock.
Fix to remove unused code from rpz resolve client and action function.
Merge 565: unbound.service.in: Disable ProtectKernelTunables again.
Fix for 558: fix loop in comm_point->tcp_free when a comm_point is reclaimed \ 
more than once during callbacks.
Fix for 558: clear the UB_EV_TIMEOUT bit before adding an event.
Improve EDNS option handling, now also works for synthesised responses such as \ 
local-data and server.id CH TXT responses.
Merge PR 570 from rex4539: Fix typos.
Fix for 570: regen aclocal.m4, fix configure.ac for spelling.
Fix to make python module opt_list use opt_list_in.
Fix 574: unbound-checkconf reports fatal error if interface names are used as \ 
value for interfaces:
Fix 574: Review fixes for it.
Fix 576: [FR] UB_* error codes in unbound.h
Fix 574: Review fix for spelling.
Fix to remove git tracking and ci information from release tarballs.
iana portlist update.
Merge PR 511 from yan12125: Reduce unnecessary linking.
Merge PR 493 from Jaap: Fix generation of libunbound.pc.
Merge PR 562 from Willem: Reset keepalive per new tcp session.
Merge PR 522 from sibeream: memory management violations fixed.
Merge PR 530 from Shchelk: Fix: dereferencing a null pointer.
Fix 454: listen_dnsport.c:825: error: ‘IPV6_TCLASS’ undeclared.
Fix 574: Review fixes for size allocation.
Fix doc/unbound.doxygen to remove obsolete tag warning.
   2021-11-11 13:02:51 by Kimmo Suominen | Files touched by this commit (53)
Log message:
*: Revbump for protobuf-3.19.0

Fix for: Shared object "libprotobuf.so.29" not found
   2021-10-26 13:07:15 by Nia Alarie | Files touched by this commit (958)
Log message:
net: Replace RMD160 checksums with BLAKE2s checksums

All checksums have been double-checked against existing RMD160 and
SHA512 hashes

Not committed (merge conflicts...):


The following distfiles could not be fetched (fetched conditionally?):

./net/citrix_ica/distinfo citrix_ica-10.6.115659/en.linuxx86.tar.gz
./net/djbdns/distinfo dnscache-1.05-multiple-ip.patch
./net/djbdns/distinfo djbdns-1.05-test28.diff.xz
./net/djbdns/distinfo djbdns-1.05-ignoreip2.patch
./net/djbdns/distinfo djbdns-1.05-multiip.diff
./net/djbdns/distinfo djbdns-cachestats.patch