From owner-svn-src-all@freebsd.org Fri Oct 9 11:46:30 2015 Return-Path: Delivered-To: svn-src-all@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id DE6779D0185; Fri, 9 Oct 2015 11:46:30 +0000 (UTC) (envelope-from des@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 9781A26C; Fri, 9 Oct 2015 11:46:30 +0000 (UTC) (envelope-from des@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id t99BkTIr033909; Fri, 9 Oct 2015 11:46:29 GMT (envelope-from des@FreeBSD.org) Received: (from des@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id t99BkRJB033881; Fri, 9 Oct 2015 11:46:27 GMT (envelope-from des@FreeBSD.org) Message-Id: <201510091146.t99BkRJB033881@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: des set sender to des@FreeBSD.org using -f From: =?UTF-8?Q?Dag-Erling_Sm=c3=b8rgrav?= Date: Fri, 9 Oct 2015 11:46:27 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r289063 - in head/contrib/unbound: . daemon doc iterator libunbound sldns smallapp util util/data validator X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 09 Oct 2015 11:46:31 -0000 Author: des Date: Fri Oct 9 11:46:27 2015 New Revision: 289063 URL: https://svnweb.freebsd.org/changeset/base/289063 Log: Upgrade to Unbound 1.5.5. Modified: head/contrib/unbound/Makefile.in head/contrib/unbound/acx_nlnetlabs.m4 head/contrib/unbound/config.h head/contrib/unbound/config.h.in head/contrib/unbound/configure head/contrib/unbound/configure.ac head/contrib/unbound/daemon/daemon.c head/contrib/unbound/daemon/remote.c head/contrib/unbound/doc/Changelog head/contrib/unbound/doc/README head/contrib/unbound/doc/example.conf head/contrib/unbound/doc/example.conf.in head/contrib/unbound/doc/libunbound.3 head/contrib/unbound/doc/libunbound.3.in head/contrib/unbound/doc/unbound-anchor.8 head/contrib/unbound/doc/unbound-anchor.8.in head/contrib/unbound/doc/unbound-checkconf.8 head/contrib/unbound/doc/unbound-checkconf.8.in head/contrib/unbound/doc/unbound-control.8 head/contrib/unbound/doc/unbound-control.8.in head/contrib/unbound/doc/unbound-host.1 head/contrib/unbound/doc/unbound-host.1.in head/contrib/unbound/doc/unbound.8 head/contrib/unbound/doc/unbound.8.in head/contrib/unbound/doc/unbound.conf.5 head/contrib/unbound/doc/unbound.conf.5.in head/contrib/unbound/iterator/iter_hints.c head/contrib/unbound/iterator/iterator.h head/contrib/unbound/libunbound/libunbound.c head/contrib/unbound/sldns/rrdef.h head/contrib/unbound/smallapp/unbound-anchor.c head/contrib/unbound/smallapp/unbound-control.c head/contrib/unbound/util/config_file.c head/contrib/unbound/util/config_file.h head/contrib/unbound/util/configlexer.lex head/contrib/unbound/util/configparser.y head/contrib/unbound/util/data/msgencode.c head/contrib/unbound/util/iana_ports.inc head/contrib/unbound/util/net_help.c head/contrib/unbound/validator/autotrust.c head/contrib/unbound/validator/val_sigcrypt.c head/contrib/unbound/validator/validator.c Directory Properties: head/contrib/unbound/ (props changed) Modified: head/contrib/unbound/Makefile.in ============================================================================== --- head/contrib/unbound/Makefile.in Fri Oct 9 11:30:27 2015 (r289062) +++ head/contrib/unbound/Makefile.in Fri Oct 9 11:46:27 2015 (r289063) @@ -168,7 +168,7 @@ HOST_OBJ=unbound-host.lo HOST_OBJ_LINK=$(HOST_OBJ) $(SLDNS_OBJ) $(COMPAT_OBJ_WITHOUT_CTIMEARC4) @WIN_HOST_OBJ_LINK@ UBANCHOR_SRC=smallapp/unbound-anchor.c UBANCHOR_OBJ=unbound-anchor.lo -UBANCHOR_OBJ_LINK=$(UBANCHOR_OBJ) \ +UBANCHOR_OBJ_LINK=$(UBANCHOR_OBJ) parseutil.lo \ $(COMPAT_OBJ_WITHOUT_CTIME) @WIN_UBANCHOR_OBJ_LINK@ TESTBOUND_SRC=testcode/testbound.c testcode/testpkts.c \ daemon/worker.c daemon/acl_list.c daemon/daemon.c daemon/stats.c \ @@ -1175,7 +1175,7 @@ delayer.lo delayer.o: $(srcdir)/testcode unbound-control.lo unbound-control.o: $(srcdir)/smallapp/unbound-control.c config.h \ $(srcdir)/util/log.h $(srcdir)/util/config_file.h $(srcdir)/util/locks.h $(srcdir)/util/net_help.h unbound-anchor.lo unbound-anchor.o: $(srcdir)/smallapp/unbound-anchor.c config.h $(srcdir)/libunbound/unbound.h \ - $(srcdir)/sldns/rrdef.h \ + $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/parseutil.h \ petal.lo petal.o: $(srcdir)/testcode/petal.c config.h \ Modified: head/contrib/unbound/acx_nlnetlabs.m4 ============================================================================== --- head/contrib/unbound/acx_nlnetlabs.m4 Fri Oct 9 11:30:27 2015 (r289062) +++ head/contrib/unbound/acx_nlnetlabs.m4 Fri Oct 9 11:46:27 2015 (r289063) @@ -2,7 +2,8 @@ # Copyright 2009, Wouter Wijngaards, NLnet Labs. # BSD licensed. # -# Version 27 +# Version 28 +# 2015-08-28 ACX_CHECK_PIE and ACX_CHECK_RELRO_NOW added. # 2015-03-17 AHX_CONFIG_REALLOCARRAY added # 2013-09-19 FLTO help text improved. # 2013-07-18 Enable ACX_CHECK_COMPILER_FLAG to test for -Wstrict-prototypes @@ -94,6 +95,8 @@ # ACX_CHECK_MEMCMP_SIGNED - check if memcmp uses signed characters. # AHX_MEMCMP_BROKEN - replace memcmp func for CHECK_MEMCMP_SIGNED. # ACX_CHECK_SS_FAMILY - check for sockaddr_storage.ss_family +# ACX_CHECK_PIE - add --enable-pie option and check if works +# ACX_CHECK_RELRO_NOW - add --enable-relro-now option and check it # dnl Escape backslashes as \\, for C:\ paths, for the C preprocessor defines. @@ -1386,4 +1389,46 @@ AC_DEFUN([ACX_CHECK_SS_FAMILY], #endif ]) ]) +dnl Check if CC and linker support -fPIE and -pie. +dnl If so, sets them in CFLAGS / LDFLAGS. +AC_DEFUN([ACX_CHECK_PIE], [ + AC_ARG_ENABLE([pie], AS_HELP_STRING([--enable-pie], [Enable Position-Independent Executable (eg. to fully benefit from ASLR, small performance penalty)])) + AS_IF([test "x$enable_pie" = "xyes"], [ + AC_MSG_CHECKING([if $CC supports PIE]) + BAKLDFLAGS="$LDFLAGS" + BAKCFLAGS="$CFLAGS" + LDFLAGS="$LDFLAGS -pie" + CFLAGS="$CFLAGS -fPIE" + AC_LINK_IFELSE([AC_LANG_PROGRAM([], [])], [ + if $CC $CFLAGS $LDFLAGS -o conftest conftest.c 2>&1 | grep "warning: no debug symbols in executable" >/dev/null; then + LDFLAGS="$BAKLDFLAGS" + AC_MSG_RESULT(no) + else + AC_MSG_RESULT(yes) + fi + rm -f conftest conftest.c conftest.o + ], [LDFLAGS="$BAKLDFLAGS" ; CFLAGS="$BAKCFLAGS" ; AC_MSG_RESULT(no)]) + ]) +]) + +dnl Check if linker supports -Wl,-z,relro,-z,now. +dnl If so, adds it to LDFLAGS. +AC_DEFUN([ACX_CHECK_RELRO_NOW], [ + AC_ARG_ENABLE([relro_now], AS_HELP_STRING([--enable-relro-now], [Enable full relocation binding at load-time (RELRO NOW, to protect GOT and .dtor areas)])) + AS_IF([test "x$enable_relro_now" = "xyes"], [ + AC_MSG_CHECKING([if $CC supports -Wl,-z,relro,-z,now]) + BAKLDFLAGS="$LDFLAGS" + LDFLAGS="$LDFLAGS -Wl,-z,relro,-z,now" + AC_LINK_IFELSE([AC_LANG_PROGRAM([], [])], [ + if $CC $CFLAGS $LDFLAGS -o conftest conftest.c 2>&1 | grep "warning: no debug symbols in executable" >/dev/null; then + LDFLAGS="$BAKLDFLAGS" + AC_MSG_RESULT(no) + else + AC_MSG_RESULT(yes) + fi + rm -f conftest conftest.c conftest.o + ], [LDFLAGS="$BAKLDFLAGS" ; AC_MSG_RESULT(no)]) + ]) +]) + dnl End of file Modified: head/contrib/unbound/config.h ============================================================================== --- head/contrib/unbound/config.h Fri Oct 9 11:30:27 2015 (r289062) +++ head/contrib/unbound/config.h Fri Oct 9 11:46:27 2015 (r289063) @@ -83,6 +83,10 @@ `SSL_COMP_get_compression_methods', and to 0 if you don't. */ #define HAVE_DECL_SSL_COMP_GET_COMPRESSION_METHODS 1 +/* Define to 1 if you have the declaration of `SSL_CTX_set_ecdh_auto', and to + 0 if you don't. */ +#define HAVE_DECL_SSL_CTX_SET_ECDH_AUTO 0 + /* Define to 1 if you have the declaration of `strlcat', and to 0 if you don't. */ /* #undef HAVE_DECL_STRLCAT */ @@ -493,7 +497,7 @@ #define PACKAGE_NAME "unbound" /* Define to the full name and version of this package. */ -#define PACKAGE_STRING "unbound 1.5.4" +#define PACKAGE_STRING "unbound 1.5.5" /* Define to the one symbol short name of this package. */ #define PACKAGE_TARNAME "unbound" @@ -502,7 +506,7 @@ #define PACKAGE_URL "" /* Define to the version of this package. */ -#define PACKAGE_VERSION "1.5.4" +#define PACKAGE_VERSION "1.5.5" /* default pidfile location */ #define PIDFILE "/var/unbound/unbound.pid" @@ -521,7 +525,7 @@ #define ROOT_CERT_FILE "/var/unbound/icannbundle.pem" /* version number for resource files */ -#define RSRC_PACKAGE_VERSION 1,5,4,0 +#define RSRC_PACKAGE_VERSION 1,5,5,0 /* Directory to chdir to */ #define RUN_DIR "/var/unbound" Modified: head/contrib/unbound/config.h.in ============================================================================== --- head/contrib/unbound/config.h.in Fri Oct 9 11:30:27 2015 (r289062) +++ head/contrib/unbound/config.h.in Fri Oct 9 11:46:27 2015 (r289063) @@ -82,6 +82,10 @@ `SSL_COMP_get_compression_methods', and to 0 if you don't. */ #undef HAVE_DECL_SSL_COMP_GET_COMPRESSION_METHODS +/* Define to 1 if you have the declaration of `SSL_CTX_set_ecdh_auto', and to + 0 if you don't. */ +#undef HAVE_DECL_SSL_CTX_SET_ECDH_AUTO + /* Define to 1 if you have the declaration of `strlcat', and to 0 if you don't. */ #undef HAVE_DECL_STRLCAT Modified: head/contrib/unbound/configure ============================================================================== --- head/contrib/unbound/configure Fri Oct 9 11:30:27 2015 (r289062) +++ head/contrib/unbound/configure Fri Oct 9 11:46:27 2015 (r289063) @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for unbound 1.5.4. +# Generated by GNU Autoconf 2.69 for unbound 1.5.5. # # Report bugs to . # @@ -590,8 +590,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='unbound' PACKAGE_TARNAME='unbound' -PACKAGE_VERSION='1.5.4' -PACKAGE_STRING='unbound 1.5.4' +PACKAGE_VERSION='1.5.5' +PACKAGE_STRING='unbound 1.5.5' PACKAGE_BUGREPORT='unbound-bugs@nlnetlabs.nl' PACKAGE_URL='' @@ -804,6 +804,8 @@ with_username enable_checking enable_debug enable_flto +enable_pie +enable_relro_now enable_shared enable_static with_pic @@ -1389,7 +1391,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures unbound 1.5.4 to adapt to many kinds of systems. +\`configure' configures unbound 1.5.5 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1454,7 +1456,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of unbound 1.5.4:";; + short | recursive ) echo "Configuration of unbound 1.5.5:";; esac cat <<\_ACEOF @@ -1465,6 +1467,10 @@ Optional Features: --enable-checking Enable warnings, asserts, makefile-dependencies --enable-debug same as enable-checking --disable-flto Disable link-time optimization (gcc specific option) + --enable-pie Enable Position-Independent Executable (eg. to fully + benefit from ASLR, small performance penalty) + --enable-relro-now Enable full relocation binding at load-time (RELRO + NOW, to protect GOT and .dtor areas) --enable-shared[=PKGS] build shared libraries [default=yes] --enable-static[=PKGS] build static libraries [default=yes] --enable-fast-install[=PKGS] @@ -1629,7 +1635,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -unbound configure 1.5.4 +unbound configure 1.5.5 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2338,7 +2344,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by unbound $as_me 1.5.4, which was +It was created by unbound $as_me 1.5.5, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -2690,11 +2696,11 @@ UNBOUND_VERSION_MAJOR=1 UNBOUND_VERSION_MINOR=5 -UNBOUND_VERSION_MICRO=4 +UNBOUND_VERSION_MICRO=5 LIBUNBOUND_CURRENT=5 -LIBUNBOUND_REVISION=7 +LIBUNBOUND_REVISION=8 LIBUNBOUND_AGE=3 # 1.0.0 had 0:12:0 # 1.0.1 had 0:13:0 @@ -2738,6 +2744,7 @@ LIBUNBOUND_AGE=3 # 1.5.2 had 5:5:3 # 1.5.3 had 5:6:3 # 1.5.4 had 5:7:3 +# 1.5.5 had 5:8:3 # Current -- the number of the binary API that we're implementing # Revision -- which iteration of the implementation of the binary @@ -5879,6 +5886,96 @@ rm -f core conftest.err conftest.$ac_obj fi + # Check whether --enable-pie was given. +if test "${enable_pie+set}" = set; then : + enableval=$enable_pie; +fi + + if test "x$enable_pie" = "xyes"; then : + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports PIE" >&5 +$as_echo_n "checking if $CC supports PIE... " >&6; } + BAKLDFLAGS="$LDFLAGS" + BAKCFLAGS="$CFLAGS" + LDFLAGS="$LDFLAGS -pie" + CFLAGS="$CFLAGS -fPIE" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + + if $CC $CFLAGS $LDFLAGS -o conftest conftest.c 2>&1 | grep "warning: no debug symbols in executable" >/dev/null; then + LDFLAGS="$BAKLDFLAGS" + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + fi + rm -f conftest conftest.c conftest.o + +else + LDFLAGS="$BAKLDFLAGS" ; CFLAGS="$BAKCFLAGS" ; { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + +fi + + + # Check whether --enable-relro_now was given. +if test "${enable_relro_now+set}" = set; then : + enableval=$enable_relro_now; +fi + + if test "x$enable_relro_now" = "xyes"; then : + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports -Wl,-z,relro,-z,now" >&5 +$as_echo_n "checking if $CC supports -Wl,-z,relro,-z,now... " >&6; } + BAKLDFLAGS="$LDFLAGS" + LDFLAGS="$LDFLAGS -Wl,-z,relro,-z,now" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + + if $CC $CFLAGS $LDFLAGS -o conftest conftest.c 2>&1 | grep "warning: no debug symbols in executable" >/dev/null; then + LDFLAGS="$BAKLDFLAGS" + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + fi + rm -f conftest conftest.c conftest.o + +else + LDFLAGS="$BAKLDFLAGS" ; { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + +fi + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for inline" >&5 $as_echo_n "checking for inline... " >&6; } if ${ac_cv_c_inline+:} false; then : @@ -16101,7 +16198,7 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu as_fn_error $? "Python version >= 2.4.0 is required" "$LINENO" 5 fi - PY_MAJOR_VERSION="`$PYTHON -c "import sys; print(sys.version_info.major)"`" + PY_MAJOR_VERSION="`$PYTHON -c \"import sys; print(sys.version_info[0])\"`" # Have Python @@ -16684,7 +16781,7 @@ rm -f core conftest.err conftest.$ac_obj conftest$ac_exeext conftest.$ac_ext { $as_echo "$as_me:${as_lineno-$LINENO}: checking for LibreSSL" >&5 $as_echo_n "checking for LibreSSL... " >&6; } -if grep OPENSSL_VERSION_TEXT $ssldir/include/openssl/opensslv.h | grep "LibreSSL" >/dev/null; then +if grep VERSION_TEXT $ssldir/include/openssl/opensslv.h | grep "LibreSSL" >/dev/null; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 $as_echo "yes" >&6; } @@ -16845,6 +16942,36 @@ fi cat >>confdefs.h <<_ACEOF #define HAVE_DECL_SK_SSL_COMP_POP_FREE $ac_have_decl _ACEOF +ac_fn_c_check_decl "$LINENO" "SSL_CTX_set_ecdh_auto" "ac_cv_have_decl_SSL_CTX_set_ecdh_auto" " +$ac_includes_default +#ifdef HAVE_OPENSSL_ERR_H +#include +#endif + +#ifdef HAVE_OPENSSL_RAND_H +#include +#endif + +#ifdef HAVE_OPENSSL_CONF_H +#include +#endif + +#ifdef HAVE_OPENSSL_ENGINE_H +#include +#endif +#include +#include + +" +if test "x$ac_cv_have_decl_SSL_CTX_set_ecdh_auto" = xyes; then : + ac_have_decl=1 +else + ac_have_decl=0 +fi + +cat >>confdefs.h <<_ACEOF +#define HAVE_DECL_SSL_CTX_SET_ECDH_AUTO $ac_have_decl +_ACEOF fi @@ -18890,7 +19017,7 @@ _ACEOF -version=1.5.4 +version=1.5.5 date=`date +'%b %e, %Y'` @@ -19405,7 +19532,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_wri # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by unbound $as_me 1.5.4, which was +This file was extended by unbound $as_me 1.5.5, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -19471,7 +19598,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -unbound config.status 1.5.4 +unbound config.status 1.5.5 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" Modified: head/contrib/unbound/configure.ac ============================================================================== --- head/contrib/unbound/configure.ac Fri Oct 9 11:30:27 2015 (r289062) +++ head/contrib/unbound/configure.ac Fri Oct 9 11:46:27 2015 (r289063) @@ -10,14 +10,14 @@ sinclude(dnstap/dnstap.m4) # must be numbers. ac_defun because of later processing m4_define([VERSION_MAJOR],[1]) m4_define([VERSION_MINOR],[5]) -m4_define([VERSION_MICRO],[4]) +m4_define([VERSION_MICRO],[5]) AC_INIT(unbound, m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]), unbound-bugs@nlnetlabs.nl, unbound) AC_SUBST(UNBOUND_VERSION_MAJOR, [VERSION_MAJOR]) AC_SUBST(UNBOUND_VERSION_MINOR, [VERSION_MINOR]) AC_SUBST(UNBOUND_VERSION_MICRO, [VERSION_MICRO]) LIBUNBOUND_CURRENT=5 -LIBUNBOUND_REVISION=7 +LIBUNBOUND_REVISION=8 LIBUNBOUND_AGE=3 # 1.0.0 had 0:12:0 # 1.0.1 had 0:13:0 @@ -61,6 +61,7 @@ LIBUNBOUND_AGE=3 # 1.5.2 had 5:5:3 # 1.5.3 had 5:6:3 # 1.5.4 had 5:7:3 +# 1.5.5 had 5:8:3 # Current -- the number of the binary API that we're implementing # Revision -- which iteration of the implementation of the binary @@ -246,6 +247,8 @@ case "$debug_enabled" in ;; esac ACX_CHECK_FLTO +ACX_CHECK_PIE +ACX_CHECK_RELRO_NOW AC_C_INLINE ACX_CHECK_FORMAT_ATTRIBUTE @@ -475,7 +478,7 @@ if test x_$ub_test_python != x_no; then AC_ERROR([Python version >= 2.4.0 is required]) fi - PY_MAJOR_VERSION="`$PYTHON -c "import sys; print(sys.version_info.major)"`" + [PY_MAJOR_VERSION="`$PYTHON -c \"import sys; print(sys.version_info[0])\"`"] AC_SUBST(PY_MAJOR_VERSION) # Have Python AC_DEFINE(HAVE_PYTHON,1,[Define if you have Python libraries and header files.]) @@ -566,7 +569,7 @@ if test $USE_NSS = "no"; then ACX_WITH_SSL ACX_LIB_SSL AC_MSG_CHECKING([for LibreSSL]) -if grep OPENSSL_VERSION_TEXT $ssldir/include/openssl/opensslv.h | grep "LibreSSL" >/dev/null; then +if grep VERSION_TEXT $ssldir/include/openssl/opensslv.h | grep "LibreSSL" >/dev/null; then AC_MSG_RESULT([yes]) AC_DEFINE([HAVE_LIBRESSL], [1], [Define if we have LibreSSL]) # libressl provides these compat functions, but they may also be @@ -578,7 +581,7 @@ fi AC_CHECK_HEADERS([openssl/conf.h],,, [AC_INCLUDES_DEFAULT]) AC_CHECK_HEADERS([openssl/engine.h],,, [AC_INCLUDES_DEFAULT]) AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode]) -AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free], [], [], [ +AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free,SSL_CTX_set_ecdh_auto], [], [], [ AC_INCLUDES_DEFAULT #ifdef HAVE_OPENSSL_ERR_H #include Modified: head/contrib/unbound/daemon/daemon.c ============================================================================== --- head/contrib/unbound/daemon/daemon.c Fri Oct 9 11:30:27 2015 (r289062) +++ head/contrib/unbound/daemon/daemon.c Fri Oct 9 11:46:27 2015 (r289063) @@ -399,6 +399,12 @@ daemon_create_workers(struct daemon* dae verbose(VERB_ALGO, "total of %d outgoing ports available", numport); daemon->num = (daemon->cfg->num_threads?daemon->cfg->num_threads:1); + if(daemon->reuseport && (int)daemon->num < (int)daemon->num_ports) { + log_warn("cannot reduce num-threads to %d because so-reuseport " + "so continuing with %d threads.", (int)daemon->num, + (int)daemon->num_ports); + daemon->num = (int)daemon->num_ports; + } daemon->workers = (struct worker**)calloc((size_t)daemon->num, sizeof(struct worker*)); if(daemon->cfg->dnstap) { @@ -464,7 +470,7 @@ thread_start(void* arg) #endif #ifdef SO_REUSEPORT if(worker->daemon->cfg->so_reuseport) - port_num = worker->thread_num; + port_num = worker->thread_num % worker->daemon->num_ports; else port_num = 0; #endif Modified: head/contrib/unbound/daemon/remote.c ============================================================================== --- head/contrib/unbound/daemon/remote.c Fri Oct 9 11:30:27 2015 (r289062) +++ head/contrib/unbound/daemon/remote.c Fri Oct 9 11:46:27 2015 (r289063) @@ -243,9 +243,9 @@ daemon_remote_create(struct config_file* goto setup_error; } verbose(VERB_ALGO, "setup SSL certificates"); - if (!SSL_CTX_use_certificate_file(rc->ctx,s_cert,SSL_FILETYPE_PEM)) { + if (!SSL_CTX_use_certificate_chain_file(rc->ctx,s_cert)) { log_err("Error for server-cert-file: %s", s_cert); - log_crypto_err("Error in SSL_CTX use_certificate_file"); + log_crypto_err("Error in SSL_CTX use_certificate_chain_file"); goto setup_error; } if(!SSL_CTX_use_PrivateKey_file(rc->ctx,s_key,SSL_FILETYPE_PEM)) { @@ -258,6 +258,23 @@ daemon_remote_create(struct config_file* log_crypto_err("Error in SSL_CTX check_private_key"); goto setup_error; } +#if HAVE_DECL_SSL_CTX_SET_ECDH_AUTO + if(!SSL_CTX_set_ecdh_auto(rc->ctx,1)) { + log_crypto_err("Error in SSL_CTX_ecdh_auto, not enabling ECDHE"); + } +#elif defined(USE_ECDSA) + if(1) { + EC_KEY *ecdh = EC_KEY_new_by_curve_name (NID_X9_62_prime256v1); + if (!ecdh) { + log_crypto_err("could not find p256, not enabling ECDHE"); + } else { + if (1 != SSL_CTX_set_tmp_ecdh (rc->ctx, ecdh)) { + log_crypto_err("Error in SSL_CTX_set_tmp_ecdh, not enabling ECDHE"); + } + EC_KEY_free (ecdh); + } + } +#endif if(!SSL_CTX_load_verify_locations(rc->ctx, s_cert, NULL)) { log_crypto_err("Error setting up SSL_CTX verify locations"); setup_error: @@ -1242,8 +1259,6 @@ struct del_info { size_t len; /** labels */ int labs; - /** now */ - time_t now; /** time to invalidate to */ time_t expired; /** number of rrsets removed */ @@ -1272,7 +1287,7 @@ infra_del_host(struct lruhash_entry* e, d->timeout_AAAA = 0; d->timeout_other = 0; rtt_init(&d->rtt); - if(d->ttl >= inf->now) { + if(d->ttl > inf->expired) { d->ttl = inf->expired; inf->num_keys++; } @@ -1301,7 +1316,6 @@ do_flush_infra(SSL* ssl, struct worker* inf.name = 0; inf.len = 0; inf.labs = 0; - inf.now = *worker->env.now; inf.expired = *worker->env.now; inf.expired -= 3; /* handle 3 seconds skew between threads */ inf.num_rrsets = 0; @@ -1332,7 +1346,7 @@ zone_del_rrset(struct lruhash_entry* e, if(dname_subdomain_c(k->rk.dname, inf->name)) { struct packed_rrset_data* d = (struct packed_rrset_data*)e->data; - if(d->ttl >= inf->now) { + if(d->ttl > inf->expired) { d->ttl = inf->expired; inf->num_rrsets++; } @@ -1348,7 +1362,7 @@ zone_del_msg(struct lruhash_entry* e, vo struct msgreply_entry* k = (struct msgreply_entry*)e->key; if(dname_subdomain_c(k->key.qname, inf->name)) { struct reply_info* d = (struct reply_info*)e->data; - if(d->ttl >= inf->now) { + if(d->ttl > inf->expired) { d->ttl = inf->expired; inf->num_msgs++; } @@ -1364,7 +1378,7 @@ zone_del_kcache(struct lruhash_entry* e, struct key_entry_key* k = (struct key_entry_key*)e->key; if(dname_subdomain_c(k->name, inf->name)) { struct key_entry_data* d = (struct key_entry_data*)e->data; - if(d->ttl >= inf->now) { + if(d->ttl > inf->expired) { d->ttl = inf->expired; inf->num_keys++; } @@ -1387,7 +1401,6 @@ do_flush_zone(SSL* ssl, struct worker* w inf.name = nm; inf.len = nmlen; inf.labs = nmlabs; - inf.now = *worker->env.now; inf.expired = *worker->env.now; inf.expired -= 3; /* handle 3 seconds skew between threads */ inf.num_rrsets = 0; @@ -1457,7 +1470,6 @@ do_flush_bogus(SSL* ssl, struct worker* struct del_info inf; /* what we do is to set them all expired */ inf.worker = worker; - inf.now = *worker->env.now; inf.expired = *worker->env.now; inf.expired -= 3; /* handle 3 seconds skew between threads */ inf.num_rrsets = 0; @@ -1533,7 +1545,6 @@ do_flush_negative(SSL* ssl, struct worke struct del_info inf; /* what we do is to set them all expired */ inf.worker = worker; - inf.now = *worker->env.now; inf.expired = *worker->env.now; inf.expired -= 3; /* handle 3 seconds skew between threads */ inf.num_rrsets = 0; @@ -1683,6 +1694,7 @@ parse_delegpt(SSL* ssl, char* args, uint } } } + dp->has_parent_side_NS = 1; return dp; } @@ -2265,11 +2277,17 @@ do_list_local_data(SSL* ssl, struct work for(i=0; icount + d->rrsig_count; i++) { if(!packed_rr_to_string(p->rrset, i, 0, s, slen)) { - if(!ssl_printf(ssl, "BADRR\n")) + if(!ssl_printf(ssl, "BADRR\n")) { + lock_rw_unlock(&z->lock); + lock_rw_unlock(&zones->lock); return; + } } - if(!ssl_printf(ssl, "%s\n", s)) + if(!ssl_printf(ssl, "%s\n", s)) { + lock_rw_unlock(&z->lock); + lock_rw_unlock(&zones->lock); return; + } } } } Modified: head/contrib/unbound/doc/Changelog ============================================================================== --- head/contrib/unbound/doc/Changelog Fri Oct 9 11:30:27 2015 (r289062) +++ head/contrib/unbound/doc/Changelog Fri Oct 9 11:46:27 2015 (r289063) @@ -1,3 +1,92 @@ +28 September 2015: Wouter + - MAX_TARGET_COUNT increased to 64, to fix up sporadic resolution + failures. + - tag for 1.5.5rc1 release. + - makedist.sh: pgp sig echo commands. + +25 September 2015: Wouter + - Fix unbound-control flush that does not succeed in removing data. + +22 September 2015: Wouter + - Fix config globbed include chroot treatment, this fixes reload of + globs (patch from Dag-Erling Smørgrav). + - iana portlist update. + - Fix #702: New IPs for for h.root-servers.net. + - Remove confusion comment from canonical_compare() function. + - Fix #705: ub_ctx_set_fwd() return value mishandled on windows. + - testbound selftest also works in non-debug mode. + - Fix minor error in unbound.conf.5.in + - Fix unbound.conf(5) access-control description for precedence + and default. + +31 August 2015: Wouter + - changed windows setup compression to be more transparent. + +28 August 2015: Wouter + - Fix #697: Get PY_MAJOR_VERSION failure at configure for python + 2.4 to 2.6. + - Feature #699: --enable-pie option to that builds PIE binary. + - Feature #700: --enable-relro-now option that enables full read-only + relocation. + +24 August 2015: Wouter + - Fix deadlock for local data add and zone add when unbound-control + list_local_data printout is interrupted. + - iana portlist update. + - Change default of harden-algo-downgrade to off. This is lenient + for algorithm rollover. + +13 August 2015: Wouter + - 5011 implementation does not insist on all algorithms, when + harden-algo-downgrade is turned off. + - Reap the child process that libunbound spawns. + +11 August 2015: Wouter + - Fix #694: configure script does not detect LibreSSL 2.2.2 + +4 August 2015: Wouter + - Document that local-zone nodefault matches exactly and transparent + can be used to release a subzone. + +3 August 2015: Wouter + - Document in the manual more text about configuring locally served + zones. + - Fix 5011 anchor update timer after reload. + - Fix mktime in unbound-anchor not using UTC. + +30 July 2015: Wouter + - please afl-gcc (llvm) for uninitialised variable warning. + - Added permit-small-holddown config to debug fast 5011 rollover. + +24 July 2015: Wouter + - Fix #690: Reload fails when so-reuseport is yes after changing + num-threads. + - iana portlist update. + +21 July 2015: Wouter + - Fix configure to detect SSL_CTX_set_ecdh_auto. + - iana portlist update. + +20 July 2015: Wouter + - Enable ECDHE for servers. Where available, use + SSL_CTX_set_ecdh_auto() for TLS-wrapped server configurations to + enable ECDHE. Otherwise, manually offer curve p256. + Client connections should automatically use ECDHE when available. + (thanks Daniel Kahn Gillmor) + +18 July 2015: Willem + - Allow certificate chain files to allow for intermediate certificates. + (thanks Daniel Kahn Gillmor) + +13 July 2015: Wouter + - makedist produces sha1 and sha256 files for created binaries too. + +9 July 2015: Wouter + - 1.5.4 release tag + - trunk has 1.5.5 in development. + - Fix #681: Setting forwarders with unbound-control forward + implicitly turns on forward-first. + 29 June 2015: Wouter - iana portlist update. - Fix alloc with log for allocation size checks. Modified: head/contrib/unbound/doc/README ============================================================================== --- head/contrib/unbound/doc/README Fri Oct 9 11:30:27 2015 (r289062) +++ head/contrib/unbound/doc/README Fri Oct 9 11:46:27 2015 (r289063) @@ -1,4 +1,4 @@ -README for Unbound 1.5.4 +README for Unbound 1.5.5 Copyright 2007 NLnet Labs http://unbound.net Modified: head/contrib/unbound/doc/example.conf ============================================================================== --- head/contrib/unbound/doc/example.conf Fri Oct 9 11:30:27 2015 (r289062) +++ head/contrib/unbound/doc/example.conf Fri Oct 9 11:46:27 2015 (r289063) @@ -1,7 +1,7 @@ # # Example configuration file. # -# See unbound.conf(5) man page, version 1.5.4. +# See unbound.conf(5) man page, version 1.5.5. # # this is a comment. @@ -294,7 +294,7 @@ server: # Harden against algorithm downgrade when multiple algorithms are # advertised in the DS record. If no, allows the weakest algorithm # to validate the zone. - # harden-algo-downgrade: yes + # harden-algo-downgrade: no # Use 0x20-encoded random bits in the query to foil spoof attempts. # This feature is an experimental implementation of draft dns-0x20. @@ -444,6 +444,9 @@ server: # If the value 0 is given, missing anchors are not removed. # keep-missing: 31622400 # 366 days + # debug option that allows very small holddown times for key rollover + # permit-small-holddown: no + # the amount of memory to use for the key cache. # plain value in bytes or you can append k, m or G. default is "4Mb". # key-cache-size: 4m @@ -623,6 +626,8 @@ remote-control: # nameservers by hostname or by ipaddress. If you set stub-prime to yes, # the list is treated as priming hints (default is no). # With stub-first yes, it attempts without the stub if it fails. +# Consider adding domain-insecure: name and local-zone: name nodefault +# to the server: section if the stub is a locally served zone. # stub-zone: # name: "example.com" # stub-addr: 192.0.2.68 Modified: head/contrib/unbound/doc/example.conf.in ============================================================================== --- head/contrib/unbound/doc/example.conf.in Fri Oct 9 11:30:27 2015 (r289062) +++ head/contrib/unbound/doc/example.conf.in Fri Oct 9 11:46:27 2015 (r289063) @@ -1,7 +1,7 @@ # # Example configuration file. # -# See unbound.conf(5) man page, version 1.5.4. +# See unbound.conf(5) man page, version 1.5.5. # # this is a comment. @@ -294,7 +294,7 @@ server: # Harden against algorithm downgrade when multiple algorithms are # advertised in the DS record. If no, allows the weakest algorithm # to validate the zone. - # harden-algo-downgrade: yes + # harden-algo-downgrade: no # Use 0x20-encoded random bits in the query to foil spoof attempts. # This feature is an experimental implementation of draft dns-0x20. @@ -444,6 +444,9 @@ server: # If the value 0 is given, missing anchors are not removed. # keep-missing: 31622400 # 366 days + # debug option that allows very small holddown times for key rollover + # permit-small-holddown: no + # the amount of memory to use for the key cache. # plain value in bytes or you can append k, m or G. default is "4Mb". # key-cache-size: 4m @@ -623,6 +626,8 @@ remote-control: # nameservers by hostname or by ipaddress. If you set stub-prime to yes, # the list is treated as priming hints (default is no). # With stub-first yes, it attempts without the stub if it fails. +# Consider adding domain-insecure: name and local-zone: name nodefault +# to the server: section if the stub is a locally served zone. # stub-zone: # name: "example.com" # stub-addr: 192.0.2.68 Modified: head/contrib/unbound/doc/libunbound.3 ============================================================================== --- head/contrib/unbound/doc/libunbound.3 Fri Oct 9 11:30:27 2015 (r289062) +++ head/contrib/unbound/doc/libunbound.3 Fri Oct 9 11:46:27 2015 (r289063) @@ -1,4 +1,4 @@ -.TH "libunbound" "3" "Jul 9, 2015" "NLnet Labs" "unbound 1.5.4" +.TH "libunbound" "3" "Oct 6, 2015" "NLnet Labs" "unbound 1.5.5" .\" .\" libunbound.3 -- unbound library functions manual .\" @@ -42,7 +42,7 @@ .B ub_ctx_zone_remove, .B ub_ctx_data_add, .B ub_ctx_data_remove -\- Unbound DNS validating resolver 1.5.4 functions. +\- Unbound DNS validating resolver 1.5.5 functions. .SH "SYNOPSIS" .B #include .LP Modified: head/contrib/unbound/doc/libunbound.3.in ============================================================================== --- head/contrib/unbound/doc/libunbound.3.in Fri Oct 9 11:30:27 2015 (r289062) +++ head/contrib/unbound/doc/libunbound.3.in Fri Oct 9 11:46:27 2015 (r289063) @@ -1,4 +1,4 @@ -.TH "libunbound" "3" "Jul 9, 2015" "NLnet Labs" "unbound 1.5.4" +.TH "libunbound" "3" "Oct 6, 2015" "NLnet Labs" "unbound 1.5.5" .\" .\" libunbound.3 -- unbound library functions manual .\" @@ -42,7 +42,7 @@ .B ub_ctx_zone_remove, .B ub_ctx_data_add, .B ub_ctx_data_remove -\- Unbound DNS validating resolver 1.5.4 functions. +\- Unbound DNS validating resolver 1.5.5 functions. .SH "SYNOPSIS" .B #include .LP Modified: head/contrib/unbound/doc/unbound-anchor.8 ============================================================================== --- head/contrib/unbound/doc/unbound-anchor.8 Fri Oct 9 11:30:27 2015 (r289062) +++ head/contrib/unbound/doc/unbound-anchor.8 Fri Oct 9 11:46:27 2015 (r289063) @@ -1,4 +1,4 @@ -.TH "unbound-anchor" "8" "Jul 9, 2015" "NLnet Labs" "unbound 1.5.4" +.TH "unbound-anchor" "8" "Oct 6, 2015" "NLnet Labs" "unbound 1.5.5" .\" .\" unbound-anchor.8 -- unbound anchor maintenance utility manual .\" Modified: head/contrib/unbound/doc/unbound-anchor.8.in ============================================================================== --- head/contrib/unbound/doc/unbound-anchor.8.in Fri Oct 9 11:30:27 2015 (r289062) +++ head/contrib/unbound/doc/unbound-anchor.8.in Fri Oct 9 11:46:27 2015 (r289063) @@ -1,4 +1,4 @@ -.TH "unbound-anchor" "8" "Jul 9, 2015" "NLnet Labs" "unbound 1.5.4" +.TH "unbound-anchor" "8" "Oct 6, 2015" "NLnet Labs" "unbound 1.5.5" .\" .\" unbound-anchor.8 -- unbound anchor maintenance utility manual .\" Modified: head/contrib/unbound/doc/unbound-checkconf.8 ============================================================================== --- head/contrib/unbound/doc/unbound-checkconf.8 Fri Oct 9 11:30:27 2015 (r289062) +++ head/contrib/unbound/doc/unbound-checkconf.8 Fri Oct 9 11:46:27 2015 (r289063) @@ -1,4 +1,4 @@ -.TH "unbound-checkconf" "8" "Jul 9, 2015" "NLnet Labs" "unbound 1.5.4" +.TH "unbound-checkconf" "8" "Oct 6, 2015" "NLnet Labs" "unbound 1.5.5" .\" .\" unbound-checkconf.8 -- unbound configuration checker manual .\" Modified: head/contrib/unbound/doc/unbound-checkconf.8.in ============================================================================== --- head/contrib/unbound/doc/unbound-checkconf.8.in Fri Oct 9 11:30:27 2015 (r289062) +++ head/contrib/unbound/doc/unbound-checkconf.8.in Fri Oct 9 11:46:27 2015 (r289063) @@ -1,4 +1,4 @@ -.TH "unbound-checkconf" "8" "Jul 9, 2015" "NLnet Labs" "unbound 1.5.4" +.TH "unbound-checkconf" "8" "Oct 6, 2015" "NLnet Labs" "unbound 1.5.5" .\" .\" unbound-checkconf.8 -- unbound configuration checker manual .\" Modified: head/contrib/unbound/doc/unbound-control.8 ============================================================================== --- head/contrib/unbound/doc/unbound-control.8 Fri Oct 9 11:30:27 2015 (r289062) +++ head/contrib/unbound/doc/unbound-control.8 Fri Oct 9 11:46:27 2015 (r289063) @@ -1,4 +1,4 @@ -.TH "unbound-control" "8" "Jul 9, 2015" "NLnet Labs" "unbound 1.5.4" +.TH "unbound-control" "8" "Oct 6, 2015" "NLnet Labs" "unbound 1.5.5" .\" .\" unbound-control.8 -- unbound remote control manual .\" Modified: head/contrib/unbound/doc/unbound-control.8.in ============================================================================== --- head/contrib/unbound/doc/unbound-control.8.in Fri Oct 9 11:30:27 2015 (r289062) +++ head/contrib/unbound/doc/unbound-control.8.in Fri Oct 9 11:46:27 2015 (r289063) @@ -1,4 +1,4 @@ -.TH "unbound-control" "8" "Jul 9, 2015" "NLnet Labs" "unbound 1.5.4" +.TH "unbound-control" "8" "Oct 6, 2015" "NLnet Labs" "unbound 1.5.5" .\" .\" unbound-control.8 -- unbound remote control manual .\" Modified: head/contrib/unbound/doc/unbound-host.1 ============================================================================== --- head/contrib/unbound/doc/unbound-host.1 Fri Oct 9 11:30:27 2015 (r289062) +++ head/contrib/unbound/doc/unbound-host.1 Fri Oct 9 11:46:27 2015 (r289063) @@ -1,4 +1,4 @@ -.TH "unbound\-host" "1" "Jul 9, 2015" "NLnet Labs" "unbound 1.5.4" +.TH "unbound\-host" "1" "Oct 6, 2015" "NLnet Labs" "unbound 1.5.5" .\" .\" unbound-host.1 -- unbound DNS lookup utility .\" Modified: head/contrib/unbound/doc/unbound-host.1.in ============================================================================== --- head/contrib/unbound/doc/unbound-host.1.in Fri Oct 9 11:30:27 2015 (r289062) +++ head/contrib/unbound/doc/unbound-host.1.in Fri Oct 9 11:46:27 2015 (r289063) @@ -1,4 +1,4 @@ -.TH "unbound\-host" "1" "Jul 9, 2015" "NLnet Labs" "unbound 1.5.4" +.TH "unbound\-host" "1" "Oct 6, 2015" "NLnet Labs" "unbound 1.5.5" .\" .\" unbound-host.1 -- unbound DNS lookup utility .\" Modified: head/contrib/unbound/doc/unbound.8 ============================================================================== --- head/contrib/unbound/doc/unbound.8 Fri Oct 9 11:30:27 2015 (r289062) +++ head/contrib/unbound/doc/unbound.8 Fri Oct 9 11:46:27 2015 (r289063) @@ -1,4 +1,4 @@ -.TH "unbound" "8" "Jul 9, 2015" "NLnet Labs" "unbound 1.5.4" +.TH "unbound" "8" "Oct 6, 2015" "NLnet Labs" "unbound 1.5.5" .\" .\" unbound.8 -- unbound manual .\" @@ -9,7 +9,7 @@ .\" .SH "NAME" .B unbound -\- Unbound DNS validating resolver 1.5.4. +\- Unbound DNS validating resolver 1.5.5. .SH "SYNOPSIS" .B unbound .RB [ \-h ] Modified: head/contrib/unbound/doc/unbound.8.in ============================================================================== --- head/contrib/unbound/doc/unbound.8.in Fri Oct 9 11:30:27 2015 (r289062) +++ head/contrib/unbound/doc/unbound.8.in Fri Oct 9 11:46:27 2015 (r289063) @@ -1,4 +1,4 @@ -.TH "unbound" "8" "Jul 9, 2015" "NLnet Labs" "unbound 1.5.4" +.TH "unbound" "8" "Oct 6, 2015" "NLnet Labs" "unbound 1.5.5" .\" .\" unbound.8 -- unbound manual .\" @@ -9,7 +9,7 @@ .\" .SH "NAME" .B unbound -\- Unbound DNS validating resolver 1.5.4. +\- Unbound DNS validating resolver 1.5.5. .SH "SYNOPSIS" .B unbound .RB [ \-h ] Modified: head/contrib/unbound/doc/unbound.conf.5 ============================================================================== --- head/contrib/unbound/doc/unbound.conf.5 Fri Oct 9 11:30:27 2015 (r289062) +++ head/contrib/unbound/doc/unbound.conf.5 Fri Oct 9 11:46:27 2015 (r289063) @@ -1,4 +1,4 @@ -.TH "unbound.conf" "5" "Jul 9, 2015" "NLnet Labs" "unbound 1.5.4" +.TH "unbound.conf" "5" "Oct 6, 2015" "NLnet Labs" "unbound 1.5.5" .\" .\" unbound.conf.5 -- unbound.conf manual .\" @@ -296,7 +296,7 @@ trust (very large) TTL values. .TP .B cache\-min\-ttl: \fI Time to live minimum for RRsets and messages in the cache. Default is 0. -If the the minimum kicks in, the data is cached for longer than the domain +If the minimum kicks in, the data is cached for longer than the domain owner intended, and thus less queries are made to look up the data. Zero makes sure the data in the cache is as the domain owner intended, higher values, especially more than an hour or so, can lead to trouble as @@ -373,6 +373,7 @@ a daemon. Default is yes. The netblock is given as an IP4 or IP6 address with /size appended for a classless network block. The action can be \fIdeny\fR, \fIrefuse\fR, \fIallow\fR, \fIallow_snoop\fR, \fIdeny_non_local\fR or \fIrefuse_non_local\fR. +The most specific netblock match is used, if none match \fIdeny\fR is used. .IP The action \fIdeny\fR stops queries from hosts from that netblock. .IP @@ -567,7 +568,7 @@ to increase the max depth that is checke .B harden\-algo\-downgrade: \fI Harden against algorithm downgrade when multiple algorithms are advertised in the DS record. If no, allows the weakest algorithm to -validate the zone. Default is yes. Zone signers must produce zones +validate the zone. Default is no. Zone signers must produce zones that allow this feature to work, but sometimes they do not, and turning this option off avoids that validation failure. .TP @@ -801,6 +802,10 @@ mechanism work with zones that perform r The default is 366 days. The value 0 does not remove missing anchors, as per the RFC. .TP *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***