Date: Thu, 03 May 2018 11:13:42 +0000
From: bugzilla-noreply@freebsd.org
To: ports-bugs@FreeBSD.org
Subject: [Bug 227949] [MAINTAINER] dns/unbound upgrade to 1.7.1
Message-ID: <bug-227949-7788@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=227949

Bug ID: 227949
Summary: [MAINTAINER] dns/unbound upgrade to 1.7.1
Product: Ports & Packages
Version: Latest
Hardware: Any
OS: Any
Status: New
Severity: Affects Many People
Priority: ---
Component: Individual Port(s)
Assignee: ports-bugs@FreeBSD.org
Reporter: jaap@NLnetLabs.nl
Attachment #193019 maintainer-approval+
Flags:

Created attachment 193019
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=193019&action=edit
patch to update

This release has root key sentinel support, default on, from draft-ietf-dnsop-kskroll-sentinel. The root key sentinel helps the root key rollover process by providing insight into the distribution of the key material over the resolver population. For that, the resolver gives responses indicating which keys are in use by the resolver.

Crypto support for ED448 has been added. ED25519 was already supported in a previous release. The crypto algorithm code is turned on by default if support is detected at configure time. The openssl 1.1.1 beta versions have ED448, and also ED25519, support.

For DNS over TLS, the tcp length is sent in the same packet as the tcp content for the TLS connections, providing a speed up. Also, TLS authentication can be enabled by specifying the TLS auth name in unbound.conf. An example config for large public cloud dns over tls resolvers is this:

    server:
        tls-cert-bundle: "ca-bundle.pem"
    forward-zone:
        name: "."
        forward-addr: "9.9.9.9#dns.quad9.net"
        forward-addr: "1.1.1.1#cloudflare-dns.com"
        forward-tls-upstream: yes

It is possible to have unbound as a TLS server serve TLS on different ports, with additional-tls-port. Use this to set up dns over tls service on both ports 853 and 443.

For fast server selection, there are new options low-rtt and low-rtt-pct. For example, set low-rtt-pct: 900 to enable it. These options are experimental at this time.
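The forward-addr notation used in that example (IP, optional @port, optional #authname, with #authname alone implying port 853) can be checked mechanically before a reload. The script below is an added example, not code from the bug report or from unbound itself; it parses a constructed unbound.conf fragment, applies the 853 default from the release notes, assumes plain DNS port 53 when neither @port nor #authname is present, and flags TLS upstreams that carry no auth name, since such a forwarder has nothing to verify the upstream certificate against.

```python
import re

# Constructed unbound.conf fragment (not from the bug report); the third
# forward-addr deliberately lacks '#authname' so the check below fires on it.
SAMPLE_CONF = """\
server:
    tls-cert-bundle: "ca-bundle.pem"
forward-zone:
    name: "."
    forward-addr: "9.9.9.9#dns.quad9.net"
    forward-addr: "1.1.1.1@853#cloudflare-dns.com"
    forward-addr: "8.8.8.8"
    forward-tls-upstream: yes
"""

def parse_forward_addr(value):
    """Split IP[@port][#authname]. Per the 1.7.1 notes, '#authname' without
    '@port' defaults to 853; with neither, plain DNS port 53 is assumed."""
    addr, _, authname = value.strip().strip('"').partition("#")
    ip, _, port = addr.partition("@")
    if port:
        port = int(port)
    else:
        port = 853 if authname else 53
    return ip, port, authname or None

def check_tls_forwarding(conf):
    """Return (parsed forward-addr tuples, list of findings). A finding is
    raised for a TLS upstream whose certificate cannot be verified."""
    opts, addrs = {}, []
    for line in conf.splitlines():
        m = re.match(r"\s*([\w-]+):\s*(.*)$", line)
        if not m:
            continue
        key, val = m.group(1), m.group(2).strip().strip('"')
        if key == "forward-addr":
            addrs.append(parse_forward_addr(val))
        else:
            opts[key] = val
    findings = []
    tls_up = opts.get("forward-tls-upstream") == "yes"
    if tls_up and not opts.get("tls-cert-bundle"):
        findings.append("forward-tls-upstream set but no tls-cert-bundle: "
                        "no CA store to verify the upstream certificate")
    for ip, port, authname in addrs:
        if tls_up and authname is None:
            findings.append(f"{ip}@{port}: TLS upstream without #authname, "
                            "so its certificate is not authenticated")
    return addrs, findings
```

Running check_tls_forwarding(SAMPLE_CONF) yields one finding, for the 8.8.8.8 entry; removing the tls-cert-bundle line adds a second.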
We are interested in user experiences, and are intending to look at the expressiveness that is desired for ease of use and applicability. Also, the "pct" part of low-rtt-pct is technically the wrong term and we intend to replace it with "promille" (likely in a future release, together with user experience feedback changes).

There is hiredis support for the cachedb module. Monitoring of the new aggressive NSEC and auth zone root local copy features is possible with statistics counters for aggressive NSEC and for auth zone usage. Auth zone supports incoming NOTIFYs, from masters and from allow-notify hosts. Auth zones can be listed from unbound-control with their SOA serial number. Unbound-control set_option and get_option needed different ':' placement; the current release allows syntax with and without ':'.

Features
- Add --with-libhiredis, unbound support for a new cachedb backend that uses a Redis server as the storage. This implementation depends on the hiredis client library (https://redislabs.com/lp/hiredis/). And unbound should be built with both --enable-cachedb and --with-libhiredis[=PATH] (where $PATH/include/hiredis/hiredis.h should exist). Patch from Jinmei Tatuya (Infoblox).
- Create additional tls service interfaces by opening them on other portnumbers and listing the portnumbers as additional-tls-port: nr.
- ED448 support.
- num.query.authzone.up and num.query.authzone.down statistics counters.
- Accept both option names with and without colon for get_option and set_option.
- low-rtt and low-rtt-pct in unbound.conf enable the server selection of fast servers for some percentage of the time.
- num.query.aggressive.NOERROR and num.query.aggressive.NXDOMAIN statistics counters.
- allow-notify: config statement for auth-zones.
- Can set tls authentication with forward-addr: IP#tls.auth.name and put the public cert bundle in tls-cert-bundle: "ca-bundle.pem", such as forward-addr: 9.9.9.9@853#dns.quad9.net or 1.1.1.1@853#cloudflare-dns.com
- list_auth_zones unbound-control command.
- Added root-key-sentinel support

Bug Fixes
- Fix #3727: Protocol name is TLS, options have been renamed but documentation is not consistent.
- Check IXFR start serial.
- Fix typo in documentation.
- Fix #3736: Fix 0 TTL domains stuck on SERVFAIL unless manually flushed with serve-expired on.
- Fix #3817: core dump happens in libunbound delete, when queued servfail hits deleted message queue.
- corrected a minor typo in the changelog.
- move htobe64/be64toh portability code to cachedb.c.
- iana port update.
- Do not use cached NSEC records to generate negative answers for domains under DNSSEC Negative Trust Anchors.
- Fix unbound-control get_option aggressive-nsec
- Check "result" in dup_all(), by Florian Obser.
- Fix #4043: make test fails due to v6 presentation issue in macOS.
- Fix unable to resolve after new WLAN connection, due to auth-zone failing with a forwarder set. Now, auth-zone is only used for answers (not referrals) when a forwarder is set.
- Combine write of tcp length and tcp query for dns over tls.
- nitpick fixes in example.conf.
- Fix above stub queries for type NS and useless delegation point.
- Fix unbound-control over pipe with openssl 1.1.1, the TLSv1.3 tls_choose_sigalg routine does not allow the ciphers for the pipe, so use TLSv1.2.
- Fix that flush_zone sets prefetch ttl expired, so that with serve-expired enabled it'll start prefetching those entries.
- Fix downstream auth zone, only fallback when auth zone fails to answer and fallback is enabled.
- Fix for max include depth for authzones.
- Fix memory free on fail for $INCLUDE in authzone.
- Fix that an internal error to look up the wrong rr type for auth zone gets stopped, before trying to send there.
- Fix auth zone target lookup iterator.
- Fix auth-zone retry timer to be on schedule with retry timeout, with backoff. Also time a refresh at the zone expiry.
- Fix #658: unbound using TLS in a forwarding configuration does not verify the server's certificate (RFC 8310 support).
- For addr with #authname and no @port notation, the default is 853.
- man page documentation for dns-over-tls forward-addr '#' notation.
- removed free from failed parse case.
- Fix #4091: Fix that reload of auth-zone does not merge the zonefile with the previous contents.
- Delete auth zone when removed from config.
- makedist uses bz2 for expat code, instead of tar.gz.
- Fix #4092: libunbound: use-caps-for-id lacks colon in config_set_option.
- auth zone http download stores exact copy of downloaded file, including comments in the file.
- Fix sldns parse failure for CDS alternate delete syntax empty hex.
- Attempt for auth zone fix; add of callback in mesh gets from callback does not skip callback of result.
- Fix cname classification with qname minimisation enabled.
- Fix contrib/fastrpz.patch for this release.
- Fix auth https for libev.
- Fix memory leak when caching wildcard records for aggressive NSEC use.
- Fix for crash in daemon_cleanup with dnstap during reload, from Saksham Manchanda.
- Also that for dnscrypt.

-- 
You are receiving this mail because:
You are the assignee for the bug.