Log message:
unbound: updated to 1.14.0

1.14.0

Features

Merge 401: RPZ triggers. This add additional RPZ triggers, unbound supports a \ 
full set of rpz triggers, and this now includes nsdname, nsip and clientip \ 
triggers. Also actions are fully supported, and this now includes the tcp-only \ 
action.
Merge 519: Support for selective enabling tcp-upstream for stub/forward zones.
Merge PR 514, from ziollek: Docker environment for run tests.
Support using system-wide crypto policies.
Fix that --with-ssl can use "/usr/include/openssl11" to pass the \ 
location of a different openssl version.
Merged 41 from Moritz Schneider: made outbound-msg-retry configurable.
Implement RFC8375: Special-Use Domain 'home.arpa.'.
Merge PR 555 from fobser: Allow interface names as scope-id in IPv6 link-local \ 
addresses.

Bug Fixes

Add test tool readzone to .gitignore.
Merge 521: Update mini_event.c.
Merge 523: fix: free() call more than once with the same pointer.
For 519: note stub-tcp-upstream and forward-tcp-upstream in the example \ 
configuration file.
For 519: yacc and lex. And fix python bindings, and test program \ 
unbound-dnstap-socket.
For 519: fix comments for doxygen.
Fix to print error from unbound-anchor for writing to the key file, also when \ 
not verbose.
For 514: generate configure.
Fix for 431: Squelch permission denied errors for udp connect, and udp send, \ 
they are visible at higher verbosity settings.
Fix zonemd verification of key that is not in DNS but in the zone and needs a \ 
chain of trust.
zonemd, fix order of bogus printout string manipulation.
Fix to support harden-algo-downgrade for ZONEMD dnssec checks.
Merge PR 528 from fobser: Make sldns_str2wire_svcparam_buf() static.
Fix 527: not sending quad9 cert to syslog (and may be more).
Fix sed script in ssldir split handling.
Fix 529: Fix: log_assert does nothing if UNBOUND_DEBUG is undefined.
Fix 531: Fix: passed to proc after free.
Fix 536: error: RPZ: name of record (drop.spamhaus.org.rpz.local.) to insert \ 
into RPZ.
Fix the stream wait stream_wait_count_lock and http2 buffer locks setup and \ 
desetup from race condition.
Fix RPZ locks. Do not unlock zones lock if requested and rpz find zone does not \ 
find the zone. Readlock the clientip that is found for ipbased triggers. Unlock \ 
the nsdname zone lock when done. Unlock zone and ip in rpz nsip and nsdname \ 
callback. Unlock authzone and localzone if clientip found in rpz worker call.
Fix compile warning in libunbound for listen desetup routine.
Fix asynclook unit test for setup of lockchecks before log.
Fix 533: Negative responses get cached even when setting cache-max-negative-ttl: 1
Fix tcp fastopen failure when disabled, try normal connect instead.
Fix 538: Fix subnetcache statistics.
Small fixes for 41: changelog, conflicts resolved, processQueryResponse takes an \ 
iterator env argument like other functions in the iterator, no colon in string \ 
for set_option, and some whitespace style, to make it similar to the rest.
Fix for 41: change outbound retry to int to fix signed comparison warnings.
Fix root_anchor test to check with new icannbundle date.
Fix initialisation errors reported by gcc sanitizer.
Fix lock debug code for gcc sanitizer reports.
Fix more initialisation errors reported by gcc sanitizer.
Fix crosscompile on windows to work with openssl 3.0.0 the link with ws2_32 \ 
needs -l:libssp.a for __strcpy_chk. Also copy results from lib64 directory if \ 
needed.
For crosscompile on windows, detect 64bit stackprotector library.
Fix crosscompile shell syntax.
Fix crosscompile windows to use libssp when it exists.
For the windows compile script disable gost.
Fix that on windows, use BIO_set_callback_ex instead of deprecated BIO_set_callback.
Fix crosscompile script for the shared build flags.
Fix to add example.conf note for outbound-msg-retry.
Fix chaos replies to have truncation for short message lengths, or long reply \ 
strings.
Fix to protect custom regional create against small values.
Fix 552: Unbound assumes index.html exists on RPZ host.
Fix that forward-zone name is documented as the full name of the zone. It is not \ 
relative but a fully qualified domain name.
Fix analyzer review failure in rpz action override code to not crash on \ 
unlocking the local zone lock.
Fix to remove unused code from rpz resolve client and action function.
Merge 565: unbound.service.in: Disable ProtectKernelTunables again.
Fix for 558: fix loop in comm_point->tcp_free when a comm_point is reclaimed \ 
more than once during callbacks.
Fix for 558: clear the UB_EV_TIMEOUT bit before adding an event.
Improve EDNS option handling, now also works for synthesised responses such as \ 
local-data and server.id CH TXT responses.
Merge PR 570 from rex4539: Fix typos.
Fix for 570: regen aclocal.m4, fix configure.ac for spelling.
Fix to make python module opt_list use opt_list_in.
Fix 574: unbound-checkconf reports fatal error if interface names are used as \ 
value for interfaces:
Fix 574: Review fixes for it.
Fix 576: [FR] UB_* error codes in unbound.h
Fix 574: Review fix for spelling.
Fix to remove git tracking and ci information from release tarballs.
iana portlist update.
Merge PR 511 from yan12125: Reduce unnecessary linking.
Merge PR 493 from Jaap: Fix generation of libunbound.pc.
Merge PR 562 from Willem: Reset keepalive per new tcp session.
Merge PR 522 from sibeream: memory management violations fixed.
Merge PR 530 from Shchelk: Fix: dereferencing a null pointer.
Fix 454: listen_dnsport.c:825: error: ‘IPV6_TCLASS’ undeclared.
Fix 574: Review fixes for size allocation.
Fix doc/unbound.doxygen to remove obsolete tag warning.

Log message:
*: Revbump for protobuf-3.19.0

Fix for: Shared object "libprotobuf.so.29" not found

Log message:
net: Replace RMD160 checksums with BLAKE2s checksums

All checksums have been double-checked against existing RMD160 and
SHA512 hashes

Not committed (merge conflicts...):

net/radsecproxy/distinfo

The following distfiles could not be fetched (fetched conditionally?):

./net/citrix_ica/distinfo citrix_ica-10.6.115659/en.linuxx86.tar.gz
./net/djbdns/distinfo dnscache-1.05-multiple-ip.patch
./net/djbdns/distinfo djbdns-1.05-test28.diff.xz
./net/djbdns/distinfo djbdns-1.05-ignoreip2.patch
./net/djbdns/distinfo djbdns-1.05-multiip.diff
./net/djbdns/distinfo djbdns-cachestats.patch

Log message:
*: Revbump for protobuf-3.18.0

Fix for: Shared object "libprotobuf.so.28" not found

Log message:
net: Remove SHA1 hashes for distfiles

Log message:
revbump for boost-libs

Log message:
revbump for boost-libs

Log message:
Update unbound to version 1.13.1.

Pkgsrc changes:
 * none, other than checksums.

Upstream changes:

This release contains a number of bug fixes.  There is added support
for the EDNS Padding option (RFC7830 and RFC8467), and the EDNS NSID
option (RFC 5001).  Unbound control has added commands to enable and
disable rpz processing.  Reply callbacks have a start time passed to
them that can be used to calculate time, these are callbacks for
response processing.  With the option serve-original-ttl the TTL served
in responses is the original, not counted down, value, for when in
front of authority service.

Features
- Merge PR #375 by fhriley: Add rpz_enable and rpz_disable commands
  to unbound-control.
- Merge PR #391 from fhriley: Add start_time to reply callbacks so
  modules can compute the response time.
- Fix #397: [Feature request] add new type always_null to local-zone
  similar to always_nxdomain.
- Support for RFC5001: DNS Name Server Identifier (NSID) Option
  with the nsid: option in unbound.conf
- Padding of queries and responses with DNS over TLS as specified in
  RFC7830 and RFC8467.
- Merge PR #275 from Roland van Rijswijk-Deij: Add feature to return the
  original instead of a decrementing TTL ('serve-original-ttl')

Bug Fixes
- Fix #358: Squelch udp connect 'no route to host' errors on low
  verbosity.
- Fix #360: for the additionally reported TCP Fast Open makes TCP
  connections fail, in that case we print a hint that this is
  happening with the error in the logs.
- Fix #356: deadlock when listening tcp.
- Fix unbound-dnstap-socket to not use log routine from interrupt
  handler and not print so frequently when invoked in sequence.
- Fix on windows to ignore connection failure on UDP, unless verbose.
- make depend.
- Fix #371: unbound-control timeout when Unbound is not running.
- Fix to squelch permission denied and other errors from remote host,
  they are logged at higher verbosity but not on low verbosity.
- Merge PR #335 from fobser: Sprinkle in some static to prevent
  missing prototype warnings.
- Merge PR #373 from fobser: Warning: arithmetic on a pointer to void
  is a GNU extension.
- Fix missing prototypes in the code.
- Fix error cases when udp-connect is set and send() returns an error
  (modified patch from Xin Li @delphij).
- For #376: Fix that comm point event is not double removed or double
  added to event map.
- iana portlist updated.
- Fix #385: autoconf 2.70 impacts unbound build
- Fix #379: zone loading over HTTP appears to have buffer issues.
- Merge PR #395 from mptre: add missing null check.
- Fix #387: client-subnet-always-forward seems to effectively bypass
  any caching?
- For #391: use struct timeval* start_time for callback information.
- For #391: fix indentation.
- For #391: more double casts in python start time calculation.
- Add comment documentation.
- Fix clang analysis warning.
- Fix so local zone types always_nodata and always_deny can be used
  from the config file.
- Merge #399 from xiangbao227: The lock of lruhash table should
  unlocked after markdel entry.
- Fix for #93: dynlibmodule link fix for Windows.
- Fix for #93: dynlibmodule import library is named libunbound.dll.a.
- Merge #402 from fobser: Implement IPv4-Embedded addresses according
  to RFC6052.
- Fix #404: DNS query with small edns bufsize fail.
- Fix declaration before statement and signed comparison warning in
  dns64.
- Fix TTL of SOA record for negative answers (localzone and
  authzone data) to be the minimum of the SOA TTL and the SOA.MINIMUM.
- Fix compile of unbound-dnstap-socket without dnstap installed.
- Merge PR #355 from noloader: Make ICANN Update CA and DS Trust Anchor
  static data.
- Ignore cache blacklisting when trying to reply with expired data from
  cache (#394).
- Merge PR #408 from fobser: Prevent a few more yacc clashes.
- Annotate that we ignore the return value of if_indextoname.
- Fix to use correct type for label count in rpz routine.
- Fix empty clause warning in config_file nsid parse.
- Fix to use correct type for label count in ipdnametoaddr rpz routine.
- Fix empty clause warning in edns pass for padding.
- Fix for doxygen 1.8.20 compatibility.
- Attempt to fix NULL keys in the reuse_tcp tree; relates to #411.
- Fix dynlibmod link on rhel8 for -ldl inclusion.
- Fix windows dependency on libssp.dll because of default stack
  protector in mingw.
- Fix indentation of root anchor for use by windows install script.

Log message:
Update unbound to version 1.13.0.

Pkgsrc changes:
 * none, other than checksums.

Upstream changes:

This version has fixes to connect for UDP sockets, slowing down
potential ICMP side channel leakage.  The fix can be controlled with the
option udp-connect: yes, it is enabled by default.

Additionally CVE-2020-28935 is fixed, this solves a problem where the
pidfile is altered by a symlink, and fails if a symlink is encountered.
See https://nlnetlabs.nl/downloads/unbound/CVE-2020-28935.txt for more
information.

New features are upstream TCP and TLS query reuse, where a channel is
reused for several queries.  And http-notls-downstream: yesno for
unencrypted DoH, useful for back end support servers.  The option
infra-keep-probing can be used to probe hosts that are down more
frequently.

The options edns-client-string and edns-client-string-opcode can be used
to add an EDNS option with the specified string in queries towards
servers, with the servers specified by IP address.  It replaces the
edns-client-tag option.

The released version equals the 1.13.0rc4 with an added fix for stream
reuse and tcp fast open.

Features
- Pass the comm_reply information to the inplace_cb_reply* functions
  during the mesh state and update the documentation on that.
- Fix #330: [Feature request] Add unencrypted DNS over HTTPS support.
  This adds the option http-notls-downstream: yesno to change that,
  and the dohclient test code has the -n option.
- Merge PR #228 : infra-keep-probing option to probe hosts that are
  down.  Add infra-keep-probing: yes option. Hosts that are down are
  probed more frequently.
  With the option turned on, it probes about every 120 seconds,
  eventually after exponential backoff, and that keeps that way. If
  traffic keeps up for the domain. It probes with one at a time, eg.
  one query is allowed to probe, other queries within that 120 second
  interval are turned away.
- Merge PR #313 from Ralph Dolmans: Replace edns-client-tag with
  edns-client-string option.
- Merge PR #283 : Stream reuse.  This implements upstream stream
  reuse for performing several queries over the same TCP or TLS
  channel.
- Fix to connect() to UDP destinations, default turned on,
  this lowers vulnerability to ICMP side channels.
  Option to toggle udp-connect, default is enabled.

Bug Fixes
- Fix #319: potential memory leak on config failure, in rpz config.
- Fix dnstap socket and the chroot not applied properly to the dnstap
  socket path.
- Fix warning in libnss compile, nss_buf2dsa is not used without DSA.
- Fix #323: unbound testsuite fails on mock build in systemd-nspawn
  if systemd support is build.
- Fix for python reply callback to see mesh state reply_list member,
  it only removes it briefly for the commpoint call so that it does
  not drop it and attempt to modify the reply list during reply.
- Fix that if there are on reply callbacks, those are called per
  reply and a new message created if that was modified by the call.
- Free up auth zone parse region after use for lookup of host
- Merge PR #326 from netblue30: DoH: implement content-length
  header field.
- DoH content length, simplify code, remove declaration after
  statement and fix cast warning.
- Fix that if there are reply callbacks for the given rcode, those
  are called per reply and a new message created if that was modified
  by the call.
- Fix that the out of order TCP processing does not limit the
  number of outstanding queries over a connection.
- Fix python documentation warning on functions.rst inplace_cb_reply.
- Log ip address when http session recv fails, eg. due to tls fail.
- Fix to set the tcp handler event toggle flag back to default when
  the handler structure is reused.
- Clean the fix for out of order TCP processing limits on number
  of queries.  It was tested to work.
- Fix that http settings have colon in set_option, for
  http-endpoint, http-max-streams, http-query-buffer-size,
  http-response-buffer-size, and http-nodelay.
- Fix memory leak of https port string when reading config.
- local-zone regional allocations outside of chunk
- Merge PR #324 from James Renken: Add modern X.509v3 extensions to
  unbound-control TLS certificates.
- Fix for PR #324 to attach the x509v3 extensions to the client
  certificate.
- Fix #327: net/if.h check fails on some darwin versions; contribution
  by Joshua Root.
- Fix #320: potential memory corruption due to size miscomputation upton
  custom region alloc init.
- Fix #333: Unbound Segmentation Fault w/ log_info Functions From
  Python Mod.
- Fix that minimal-responses does not remove addresses from a priming
  query response.
- In man page note that tls-cert-bundle is read before permission
  drop and chroot.
- Fix #341: fixing a possible memory leak.
- Fix memory leak after fix for possible memory leak failure.
- Fix #343: Fail to build --with-libnghttp2 with error: 'SSIZE_MAX'
  undeclared.
- Fix for #303 CVE-2020-28935 : Fix that symlink does not interfere
  with chown of pidfile.
- Fix #347: IP_DONTFRAG broken on Apple xcode 12.2.
- Fix #350: with the AF_NETLINK permission, to fix 1.12.0 error:
  failed to list interfaces: getifaddrs: Address family not
  supported by protocol.
- Merge #351 from dvzrv: Add AF_NETLINK to set of allowed socket
  address families.
- iana portlist updated.
- Fix crash when TLS connection is closed prematurely, when
  reuse tree comparison is not properly identical to insertion.
- Fix padding of struct regional for 32bit systems.
- with udp-connect ignore connection refused with UDP timeouts.
- Fix udp-connect on FreeBSD, do send calls on connected UDP socket.
- Better fix for reuse tree comparison for is-tls sockets.  Where
  the tree key identity is preserved after cleanup of the TLS state.
- Fix memory leak for edns client tag opcode config element.
- Attempt fix for libevent state in tcp reuse cases after a packet
  is written.
- Fix readagain and writeagain callback functions for comm point
  cleanup.
- Fix to omit UDP receive errors from log, if verbosity low.
  These happen because of udp-connect.
- For #352: contrib/metrics.awk for Prometheus style metrics output.
- Fix that after failed read, the readagain cannot activate.
- Clear readagain upon decommission of pending tcp structure.
- Fix compile warning for type cast in http2_submit_dns_response.
- Fix when use free buffer to initialize rbtree for stream reuse.
- Fix compile warnings for windows.
- Fix compile warnings in rpz initialization.
- Fix contrib/metrics.awk for FreeBSD awk compatibility.
- Fix assertion failure on double callback when iterator loses
  interest in query at head of line that then has the tcp stream
  not kept for reuse.
- Fix stream reuse and tcp fast open.

Log message:
unbound: Include limits.h for SSIZE_MAX.