Date: Fri, 21 Aug 2020 11:59:32 +0000
From: bugzilla-noreply@freebsd.org
To: ports-bugs@FreeBSD.org
Subject: [Bug 248808] dns/unbound: Update to version 1.11.0
Message-ID: <bug-248808-7788@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=248808

Bug ID: 248808
Summary: dns/unbound: Update to version 1.11.0
Product: Ports & Packages
Version: Latest
Hardware: Any
URL: https://nlnetlabs.nl/projects/unbound/download/#unbound-1-11-0
OS: Any
Status: New
Severity: Affects Many People
Priority: ---
Component: Individual Port(s)
Assignee: ports-bugs@FreeBSD.org
Reporter: jaap@NLnetLabs.nl
Attachment #217418 Flags: maintainer-approval+

Created attachment 217418
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=217418&action=edit
Patch to update

Port changes:

Aligned the rc script with the one in the base system to avoid surprises to the user. (see the discussion in PR #247305)

Changelog for unbound:

This release contains a number of bug fixes. Also new features are introduced.

The configure --with-dynlibmodule enables dynamic library support that can have code modules function like the python library scripts. It allows to load multiple dynlib instances.

The new `include-toplevel: <file or wildcard>` configuration option allows to include a directory with config files where every config file does not modify the config section for the later files so that the include order is idempotent. This makes it much easier to drop files into a config snippet directory in etc and manage that set of config files, without for example one config file starting a stub section and creating parse errors in another config file with server options.

The `rrset-roundrobin` option is now default to yes. This is more in line with what users expect. The KSK-2010 has been removed from our default key set output. The option `prefer-ip4` can be used to prefer ip4 over ip6 when reputation for the ip6 netblock is shared with other users.

There is also a dnstap implementation inside Unbound. This removes the dependency on the libfstrm library. The protobuf library is still used. The fstrm protocol code resides in `dnstap/dnstap_fstrm.h` and `dnstap/dnstap_fstrm.c`.
This contains a brief definition of what unbound needs. The `make unbound-dnstap-socket` builds a debug tool, unbound-dnstap-socket. It can listen, accept multiple DNSTAP streams and print information. Commandline options control it. Unbound can reconnect if the unix domain socket file socket is closed. This uses exponential backoff after which it uses a one second timer to throttle cpu down.

There is also support to use TCP and TLS for connecting to the log server. There are new config options to turn them on, in the `dnstap` section in the man page and example config file. `dnstap-ip` with IP address of server for TCP or TLS use. `dnstap-tls` to turn on TLS. And `dnstap-tls-server-name`, `dnstap-tls-cert-bundle`, `dnstap-tls-client-key-file` and `dnstap-tls-client-cert-file` to configure the certificates for server authentication and client authentication, or leave at `""` to not use that. With `dnstap-bidirectional` the frame streams can be set to bidirectional or unidirectional connection mode.

Features

- Merge #225 from akhait: KSK-2010 has been revoked. It removes the KSK-2010 from the default list in unbound-anchor, now that the revocation period is over. KSK-2017 is the only trust anchor in the shipped default now.
- Merge PR #93: Add dynamic library support.
- Introduce 'include-toplevel:' configuration option.
- Change default value for 'rrset-roundrobin' to yes.
- Add SNI support on more TLS connections (fixes #193).
- Add SNI support to unbound-anchor.
- Merge PR #164: Framestreams, this branch implements dnstap connectivity in unbound. This has a number of new features.
- Fix #165: Add prefer-ip4: yesno config option to prefer ipv4 for using ipv4 filters, because the hosts ip6 netblock /64 is not owned by one operator, and thus reputation is shared.

Bug Fixes

- protect X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS with ifdef for different openssl versions.
- Merge PR #166: Fix typo in unbound.service.in, by glitsj16.
- Fix #169: Fix warning for daemon/remote.c output may be truncated from snprintf.
- Fix #170: Fix gcc undefined sanitizer signed integer overflow warning in signature expiry RFC1982 serial number arithmetic.
- Fix more undefined sanitizer issues, in respip copy_rrset null dname, and in the client_info_compare routine for null memcmp.
- Merge PR #171: Add additional compilers and platforms to Travis testing, by noloader.
- Merge PR #173: updated makedist.sh for config.guess and config.sub and sha256 digest for gpg, by noloader.
- Merge PR #172: Add IBM s390x arch for testing, by noloader.
- Fix #177: dnstap does not build on macOS.
- Fix compiler warning in dns64/dns64.c
- Merge PR #174: Add Android to Travis testing, by noloader.
- Move android build scripts to contrib/ and allow android tests to fail.
- Fix #175, Merge PR #176: fix link error when OpenSSL is configured with no-engine, thanks noloader.
- Upgrade config.guess(2020-01-01) and config.sub(2020-01-01).
- Merge PR #180 from noloader: Avoid calling exit in Travis script.
- Merge PR #181 from noloader: Fix OpenSSL -pie warning on Android.
- Update README-Travis.md (from PR #179), by Jeffrey Walton.
- Fix PR #182 from noloader: Add iOS testing to Travis.
- Merge PR #186, fix #183: Fix unrecognized 'echo -n' option on OS X, by noloader
- Fix #188: unbound-control.c:882:6: error: 'execlp' is unavailable: not available on tvOS.
- Fix #189: mini_event.h:142:17: error: field 'ev_timeout' has incomplete type, by noloader.
- Add check to make sure RPZ records are subdomains of configured zone origin.
- Fix #192: In the unbound-checkconf tool, the module config of dns64 subnetcache respip validator iterator is whitelisted, it was reported it seems to work.
- Merge PR#191: Update iOS testing on Travis, by Jeffrey Walton.
- Fix #158: open tls-session-ticket-keys as binary, for Windows. By Daisuke HIGASHI.
- Merge PR#134, Allow the kernel to provide random source ports. By Florian Obser.
- Log warning when using outgoing-port-permit and outgoing-port-avoid while explicit port randomisation is disabled.
- Merge PR#194: Add libevent testing to Travis, by Jeffrey Walton.
- Fix .travis.yml error, missing 'env' option.
- Merge PR #197 from fobser: Make log_ident_revert_to_default() a proper prototype.
- Merge PR #198 from fobser: Declare lz_enter_rr_into_zone() static, it's only used in this file.
- Fix compile on Solaris for unbound-checkconf.
- Fix compile of test tools without protobuf.
- Merge PR #200 from yarikk: add ip-dscp option to specify the DSCP tag for outgoing packets.
- Travis fix for ios by omitting tools from install.
- Merge PR #201 from noloader: Fix OpenSSL cross-compile warnings.
- Fix RPZ concurrency issue when using auth_zone_reload.
- Make unbound-control error returned on missing domain name more user friendly.
- Merge PR #203 from noloader: Update README-Travis.md with current procedures.
- Merge PR #207: Clarify if-automatic listens on 0.0.0.0 and ::
- Merge PR #208: Fix uncached CLIENT_RESPONSE'es on stateful transports.
- Merge PR #206: Redis TTL, by Talkabout.
- More documentation for redis-expire-records option.
- Keep track of number of timeouts. Use this counter to determine if capsforid fallback should be started.
- Merge PR #214 from gearnode: unbound-control-setup recreate certificates. With the -r option the certificates are created again, without it, only the files that do not exist are created.
- Fix #220: auth-zone section in config may lead to segfault.
- Fix help return code in unbound-control-setup script.
- Fix for posix shell syntax for trap in nsd-control-setup.
- Fix for posix shell syntax for trap in run_msg.sh test script.
- Add doxygen documentation for DSCP.
- Fix #222: --enable-rpath, fails to rpath python lib.
- Fix for count of reply states in the mesh.
- Remove unneeded was_mesh_reply check.
- Explicitly use 'rrset-roundrobin: no' for test cases.
- Cache ECS answers with longest scope of CNAME chain.
- windows compile warnings removal for ip dscp option code.
- Fix for integer overflow when printing RDF_TYPE_TIME.
- Update contrib/aaaa-filter-iterator.patch for the recent generate_sub_request() change and to apply cleanly.
- Merge PR #241 by Robert Edmonds: contrib/libunbound.pc.in: Do not use "Requires:".
- Mention tls name possible when tls is enabled for stub-addr in the man page.
- Fix default explanation in man page for qname-minimisation-strict.
- Fix display of event loop method with libev.
- iana portlist updated.
- Move reply list clean for serve expired mesh callback to after the reply is sent, so that script callbacks have reply_info.
- Also move reply list clean for mesh callbacks so the script callback can see the reply_info.
- Fix for mesh accounting if the reply list already empty to begin with.
- Fix for mesh accounting when rpz decides to drop a reply with a tcp stream waiting for it.
- Review fix for number of detached states due to use of variable after end of loop.
- Fix tcp req info drop due to size call into mesh accounting removal of mesh state during mesh send reply.
- Fix #259: Fix unbound-checkconf does not check view existence. unbound-checkconf checks access-control-view, access-control-tags, access-control-tag-actions and access-control-tag-datas.
- Fix offset of error printout for access-control-tag-datas.
- Fix add missing DSA header, for compilation without deprecated OpenSSL APIs.
- Fix to use SSL_CTX_set_tlsext_ticket_key_evp_cb in OpenSSL 3.0.0-alpha4.
- Longer keys for the test set, this avoids weak crypto errors.
- Add bidirectional frame streams support.
- Fix check conf test for referencing installation paths.
- Fix unused variable warning for clang analyzer.
- Merge PR #234 - Ensure proper alignment of cmsg buffers by Jérémie Courrèges-Anglas.
- Fix PR #234 log_assert sizeof to use union buffer.
- Fix libnettle compile for session ticket key callback function changes.
- Fix lock dependency cycle in rpz zone config setup.
- Fix streamtcp to print packet data to stdout. This makes the stdout and stderr not mix together lines, when parsing its output.
- Fix contrib/fastrpz.patch to apply cleanly. It fixes for changes due to added libdynmod, but it does not compile, it conflicts with new rpz code.

-- 
You are receiving this mail because:
You are the assignee for the bug.
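
Added example, not part of the original message or of the Unbound distribution: a configuration sketch for the `include-toplevel` and dnstap TLS options described in the changelog above. The file paths, the 192.0.2.10@6000 collector address and the collector.example.net name are placeholders; `dnstap-enable` and `dnstap-log-client-query-messages` are existing unbound.conf options that the message does not mention.

```conf
# ---- main file: /usr/local/etc/unbound/unbound.conf (placeholder path) ----
server:
    rrset-roundrobin: yes        # the new default in 1.11.0, stated explicitly

# Each matching file is read as its own set of top-level clauses, so a
# snippet that opens "dnstap:" cannot capture server options from a later file.
include-toplevel: "/usr/local/etc/unbound/conf.d/*.conf"

# ---- snippet: conf.d/dnstap.conf, weak variant (placeholder path) ---------
# Query logs cross the network as cleartext TCP and the collector is not
# authenticated, so an on-path host can read or impersonate the log stream.
#
# dnstap:
#     dnstap-enable: yes
#     dnstap-ip: "192.0.2.10@6000"
#     dnstap-tls: no
#     dnstap-log-client-query-messages: yes

# ---- snippet: conf.d/dnstap.conf, corrected variant ----------------------
dnstap:
    dnstap-enable: yes
    dnstap-bidirectional: yes
    dnstap-ip: "192.0.2.10@6000"
    dnstap-tls: yes
    # Server authentication: the collector certificate must chain to this
    # bundle and match this name.
    dnstap-tls-server-name: "collector.example.net"
    dnstap-tls-cert-bundle: "/usr/local/etc/unbound/dnstap-ca.pem"
    # Client authentication: lets the collector reject unknown resolvers.
    # Leave both at "" when the collector does not require a client cert.
    dnstap-tls-client-key-file: "/usr/local/etc/unbound/dnstap-client.key"
    dnstap-tls-client-cert-file: "/usr/local/etc/unbound/dnstap-client.pem"
    dnstap-log-client-query-messages: yes
```

Running unbound-checkconf on the main file after dropping in a snippet confirms that the combined configuration still parses.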