Date: Sun, 30 Jun 2019 14:56:57 +0000 (UTC) From: =?UTF-8?Q?Dag-Erling_Sm=c3=b8rgrav?= <des@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-vendor@freebsd.org Subject: svn commit: r349557 - in vendor/unbound/dist: . contrib daemon doc iterator libunbound libunbound/python pythonmod respip services services/cache testdata testdata/ssl_req_order.tdir util Message-ID: <201906301456.x5UEuvub037445@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: des Date: Sun Jun 30 14:56:56 2019 New Revision: 349557 URL: https://svnweb.freebsd.org/changeset/base/349557 Log: Vendor import of Unbound 1.9.1. Modified: vendor/unbound/dist/Makefile.in vendor/unbound/dist/config.h.in vendor/unbound/dist/configure vendor/unbound/dist/configure.ac vendor/unbound/dist/contrib/libunbound.so.conf vendor/unbound/dist/contrib/unbound.init vendor/unbound/dist/daemon/daemon.c vendor/unbound/dist/daemon/remote.c vendor/unbound/dist/daemon/worker.c vendor/unbound/dist/doc/Changelog vendor/unbound/dist/doc/README vendor/unbound/dist/doc/example.conf.in vendor/unbound/dist/doc/libunbound.3.in vendor/unbound/dist/doc/unbound-anchor.8.in vendor/unbound/dist/doc/unbound-checkconf.8.in vendor/unbound/dist/doc/unbound-control.8.in vendor/unbound/dist/doc/unbound-host.1.in vendor/unbound/dist/doc/unbound.8.in vendor/unbound/dist/doc/unbound.conf.5.in vendor/unbound/dist/iterator/iter_fwd.c vendor/unbound/dist/iterator/iter_hints.c vendor/unbound/dist/iterator/iter_utils.c vendor/unbound/dist/iterator/iterator.c vendor/unbound/dist/libunbound/libworker.c vendor/unbound/dist/libunbound/python/libunbound.i vendor/unbound/dist/pythonmod/interface.i vendor/unbound/dist/pythonmod/pythonmod.c vendor/unbound/dist/respip/respip.c vendor/unbound/dist/services/cache/infra.c vendor/unbound/dist/services/cache/infra.h vendor/unbound/dist/services/listen_dnsport.c vendor/unbound/dist/services/localzone.c vendor/unbound/dist/services/localzone.h vendor/unbound/dist/services/modstack.c vendor/unbound/dist/services/outside_network.c vendor/unbound/dist/testdata/auth_xfr_notify.rpl vendor/unbound/dist/testdata/iter_ranoaa_lame.rpl vendor/unbound/dist/testdata/iter_reclame_two.rpl vendor/unbound/dist/testdata/ssl_req_order.tdir/ssl_req_order.post vendor/unbound/dist/util/configparser.c vendor/unbound/dist/util/configparser.y vendor/unbound/dist/util/net_help.c vendor/unbound/dist/util/netevent.c Modified: vendor/unbound/dist/Makefile.in ============================================================================== --- vendor/unbound/dist/Makefile.in Sun Jun 30 14:46:15 2019 (r349556) +++ vendor/unbound/dist/Makefile.in Sun Jun 30 14:56:56 2019 (r349557) @@ -1075,8 +1075,7 @@ unitlruhash.lo unitlruhash.o: $(srcdir)/testcode/unitl $(srcdir)/util/log.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/storage/slabhash.h unitmain.lo unitmain.o: $(srcdir)/testcode/unitmain.c config.h \ $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/keyraw.h \ - $(srcdir)/util/log.h \ - $(srcdir)/testcode/unitmain.h $(srcdir)/util/alloc.h $(srcdir)/util/locks.h $(srcdir)/util/net_help.h \ + $(srcdir)/util/log.h $(srcdir)/testcode/unitmain.h $(srcdir)/util/alloc.h $(srcdir)/util/locks.h $(srcdir)/util/net_help.h \ $(srcdir)/util/config_file.h $(srcdir)/util/rtt.h $(srcdir)/util/timehist.h $(srcdir)/iterator/iterator.h \ $(srcdir)/services/outbound_list.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/storage/lruhash.h \ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h \ Modified: vendor/unbound/dist/config.h.in ============================================================================== --- vendor/unbound/dist/config.h.in Sun Jun 30 14:46:15 2019 (r349556) +++ vendor/unbound/dist/config.h.in Sun Jun 30 14:56:56 2019 (r349557) @@ -69,6 +69,9 @@ /* Define to 1 if you have the `CRYPTO_cleanup_all_ex_data' function. */ #undef HAVE_CRYPTO_CLEANUP_ALL_EX_DATA +/* Define to 1 if you have the `CRYPTO_THREADID_set_callback' function. */ +#undef HAVE_CRYPTO_THREADID_SET_CALLBACK + /* Define to 1 if you have the `ctime_r' function. */ #undef HAVE_CTIME_R Modified: vendor/unbound/dist/configure ============================================================================== --- vendor/unbound/dist/configure Sun Jun 30 14:46:15 2019 (r349556) +++ vendor/unbound/dist/configure Sun Jun 30 14:56:56 2019 (r349557) @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for unbound 1.9.0. +# Generated by GNU Autoconf 2.69 for unbound 1.9.1. # # Report bugs to <unbound-bugs@nlnetlabs.nl>. # @@ -590,8 +590,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='unbound' PACKAGE_TARNAME='unbound' -PACKAGE_VERSION='1.9.0' -PACKAGE_STRING='unbound 1.9.0' +PACKAGE_VERSION='1.9.1' +PACKAGE_STRING='unbound 1.9.1' PACKAGE_BUGREPORT='unbound-bugs@nlnetlabs.nl' PACKAGE_URL='' @@ -694,9 +694,6 @@ swig SWIG_LIB SWIG PC_PY_DEPENDENCY -PKG_CONFIG_LIBDIR -PKG_CONFIG_PATH -PKG_CONFIG PY_MAJOR_VERSION PYTHON_SITE_PKG PYTHON_LDFLAGS @@ -710,6 +707,9 @@ PTHREAD_CC ax_pthread_config RUNTIME_PATH LIBOBJS +PKG_CONFIG_LIBDIR +PKG_CONFIG_PATH +PKG_CONFIG LT_SYS_LIBRARY_PATH OTOOL64 OTOOL @@ -892,10 +892,10 @@ CPP YACC YFLAGS LT_SYS_LIBRARY_PATH -PYTHON_VERSION PKG_CONFIG PKG_CONFIG_PATH PKG_CONFIG_LIBDIR +PYTHON_VERSION SYSTEMD_CFLAGS SYSTEMD_LIBS SYSTEMD_DAEMON_CFLAGS @@ -1440,7 +1440,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures unbound 1.9.0 to adapt to many kinds of systems. +\`configure' configures unbound 1.9.1 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1505,7 +1505,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of unbound 1.9.0:";; + short | recursive ) echo "Configuration of unbound 1.9.1:";; esac cat <<\_ACEOF @@ -1638,15 +1638,15 @@ Some influential environment variables: default value of `-d' given by some make applications. LT_SYS_LIBRARY_PATH User-defined run-time library search path. - PYTHON_VERSION - The installed Python version to use, for example '2.3'. This - string will be appended to the Python interpreter canonical - name. PKG_CONFIG path to pkg-config utility PKG_CONFIG_PATH directories to add to pkg-config's search path PKG_CONFIG_LIBDIR path overriding pkg-config's built-in search path + PYTHON_VERSION + The installed Python version to use, for example '2.3'. This + string will be appended to the Python interpreter canonical + name. SYSTEMD_CFLAGS C compiler flags for SYSTEMD, overriding pkg-config SYSTEMD_LIBS @@ -1722,7 +1722,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -unbound configure 1.9.0 +unbound configure 1.9.1 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2431,7 +2431,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by unbound $as_me 1.9.0, which was +It was created by unbound $as_me 1.9.1, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -2783,11 +2783,11 @@ UNBOUND_VERSION_MAJOR=1 UNBOUND_VERSION_MINOR=9 -UNBOUND_VERSION_MICRO=0 +UNBOUND_VERSION_MICRO=1 LIBUNBOUND_CURRENT=9 -LIBUNBOUND_REVISION=0 +LIBUNBOUND_REVISION=1 LIBUNBOUND_AGE=1 # 1.0.0 had 0:12:0 # 1.0.1 had 0:13:0 @@ -2854,7 +2854,8 @@ LIBUNBOUND_AGE=1 # 1.8.1 had 8:1:0 # 1.8.2 had 8:2:0 # 1.8.3 had 8:3:0 -# 1.8.4 had 9:0:1 # add ub_ctx_set_tls +# 1.9.0 had 9:0:1 # add ub_ctx_set_tls +# 1.9.1 had 9:1:1 # Current -- the number of the binary API that we're implementing # Revision -- which iteration of the implementation of the binary @@ -14558,6 +14559,127 @@ CC=$lt_save_CC + + + + + + + +if test "x$ac_cv_env_PKG_CONFIG_set" != "xset"; then + if test -n "$ac_tool_prefix"; then + # Extract the first word of "${ac_tool_prefix}pkg-config", so it can be a program name with args. +set dummy ${ac_tool_prefix}pkg-config; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_path_PKG_CONFIG+:} false; then : + $as_echo_n "(cached) " >&6 +else + case $PKG_CONFIG in + [\\/]* | ?:[\\/]*) + ac_cv_path_PKG_CONFIG="$PKG_CONFIG" # Let the user override the test with a path. + ;; + *) + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_path_PKG_CONFIG="$as_dir/$ac_word$ac_exec_ext" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + + ;; +esac +fi +PKG_CONFIG=$ac_cv_path_PKG_CONFIG +if test -n "$PKG_CONFIG"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PKG_CONFIG" >&5 +$as_echo "$PKG_CONFIG" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + +fi +if test -z "$ac_cv_path_PKG_CONFIG"; then + ac_pt_PKG_CONFIG=$PKG_CONFIG + # Extract the first word of "pkg-config", so it can be a program name with args. +set dummy pkg-config; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_path_ac_pt_PKG_CONFIG+:} false; then : + $as_echo_n "(cached) " >&6 +else + case $ac_pt_PKG_CONFIG in + [\\/]* | ?:[\\/]*) + ac_cv_path_ac_pt_PKG_CONFIG="$ac_pt_PKG_CONFIG" # Let the user override the test with a path. + ;; + *) + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_path_ac_pt_PKG_CONFIG="$as_dir/$ac_word$ac_exec_ext" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + + ;; +esac +fi +ac_pt_PKG_CONFIG=$ac_cv_path_ac_pt_PKG_CONFIG +if test -n "$ac_pt_PKG_CONFIG"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_pt_PKG_CONFIG" >&5 +$as_echo "$ac_pt_PKG_CONFIG" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + if test "x$ac_pt_PKG_CONFIG" = x; then + PKG_CONFIG="" + else + case $cross_compiling:$ac_tool_warned in +yes:) +{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 +$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} +ac_tool_warned=yes ;; +esac + PKG_CONFIG=$ac_pt_PKG_CONFIG + fi +else + PKG_CONFIG="$ac_cv_path_PKG_CONFIG" +fi + +fi +if test -n "$PKG_CONFIG"; then + _pkg_min_version=0.9.0 + { $as_echo "$as_me:${as_lineno-$LINENO}: checking pkg-config is at least version $_pkg_min_version" >&5 +$as_echo_n "checking pkg-config is at least version $_pkg_min_version... " >&6; } + if $PKG_CONFIG --atleast-pkgconfig-version $_pkg_min_version; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + PKG_CONFIG="" + fi +fi + # Checks for header files. for ac_header in stdarg.h stdbool.h netinet/in.h netinet/tcp.h sys/param.h sys/socket.h sys/un.h sys/uio.h sys/resource.h arpa/inet.h syslog.h netdb.h sys/wait.h pwd.h glob.h grp.h login_cap.h winsock2.h ws2tcpip.h endian.h sys/endian.h libkern/OSByteOrder.h sys/ipc.h sys/shm.h do : @@ -17015,126 +17137,6 @@ $as_echo "#define HAVE_PYTHON 1" >>confdefs.h CPPFLAGS="$PYTHON_CPPFLAGS" fi ub_have_python=yes - - - - - - - -if test "x$ac_cv_env_PKG_CONFIG_set" != "xset"; then - if test -n "$ac_tool_prefix"; then - # Extract the first word of "${ac_tool_prefix}pkg-config", so it can be a program name with args. -set dummy ${ac_tool_prefix}pkg-config; ac_word=$2 -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 -$as_echo_n "checking for $ac_word... " >&6; } -if ${ac_cv_path_PKG_CONFIG+:} false; then : - $as_echo_n "(cached) " >&6 -else - case $PKG_CONFIG in - [\\/]* | ?:[\\/]*) - ac_cv_path_PKG_CONFIG="$PKG_CONFIG" # Let the user override the test with a path. - ;; - *) - as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then - ac_cv_path_PKG_CONFIG="$as_dir/$ac_word$ac_exec_ext" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 - fi -done - done -IFS=$as_save_IFS - - ;; -esac -fi -PKG_CONFIG=$ac_cv_path_PKG_CONFIG -if test -n "$PKG_CONFIG"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PKG_CONFIG" >&5 -$as_echo "$PKG_CONFIG" >&6; } -else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; } -fi - - -fi -if test -z "$ac_cv_path_PKG_CONFIG"; then - ac_pt_PKG_CONFIG=$PKG_CONFIG - # Extract the first word of "pkg-config", so it can be a program name with args. -set dummy pkg-config; ac_word=$2 -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 -$as_echo_n "checking for $ac_word... " >&6; } -if ${ac_cv_path_ac_pt_PKG_CONFIG+:} false; then : - $as_echo_n "(cached) " >&6 -else - case $ac_pt_PKG_CONFIG in - [\\/]* | ?:[\\/]*) - ac_cv_path_ac_pt_PKG_CONFIG="$ac_pt_PKG_CONFIG" # Let the user override the test with a path. - ;; - *) - as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then - ac_cv_path_ac_pt_PKG_CONFIG="$as_dir/$ac_word$ac_exec_ext" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 - fi -done - done -IFS=$as_save_IFS - - ;; -esac -fi -ac_pt_PKG_CONFIG=$ac_cv_path_ac_pt_PKG_CONFIG -if test -n "$ac_pt_PKG_CONFIG"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_pt_PKG_CONFIG" >&5 -$as_echo "$ac_pt_PKG_CONFIG" >&6; } -else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; } -fi - - if test "x$ac_pt_PKG_CONFIG" = x; then - PKG_CONFIG="" - else - case $cross_compiling:$ac_tool_warned in -yes:) -{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 -$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} -ac_tool_warned=yes ;; -esac - PKG_CONFIG=$ac_pt_PKG_CONFIG - fi -else - PKG_CONFIG="$ac_cv_path_PKG_CONFIG" -fi - -fi -if test -n "$PKG_CONFIG"; then - _pkg_min_version=0.9.0 - { $as_echo "$as_me:${as_lineno-$LINENO}: checking pkg-config is at least version $_pkg_min_version" >&5 -$as_echo_n "checking pkg-config is at least version $_pkg_min_version... " >&6; } - if $PKG_CONFIG --atleast-pkgconfig-version $_pkg_min_version; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 -$as_echo "yes" >&6; } - else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; } - PKG_CONFIG="" - fi -fi if test -n "$PKG_CONFIG" && \ { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"\"python\${PY_MAJOR_VERSION}\"\""; } >&5 ($PKG_CONFIG --exists --print-errors ""python${PY_MAJOR_VERSION}"") 2>&5 @@ -17993,7 +17995,7 @@ fi done -for ac_func in OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify SSL_CTX_set_tlsext_ticket_key_cb EVP_aes_256_cbc EVP_EncryptInit_ex HMAC_Init_ex +for ac_func in OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify SSL_CTX_set_tlsext_ticket_key_cb EVP_aes_256_cbc EVP_EncryptInit_ex HMAC_Init_ex CRYPTO_THREADID_set_callback do : as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" @@ -21148,7 +21150,7 @@ _ACEOF -version=1.9.0 +version=1.9.1 date=`date +'%b %e, %Y'` @@ -21667,7 +21669,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by unbound $as_me 1.9.0, which was +This file was extended by unbound $as_me 1.9.1, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -21733,7 +21735,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -unbound config.status 1.9.0 +unbound config.status 1.9.1 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" Modified: vendor/unbound/dist/configure.ac ============================================================================== --- vendor/unbound/dist/configure.ac Sun Jun 30 14:46:15 2019 (r349556) +++ vendor/unbound/dist/configure.ac Sun Jun 30 14:56:56 2019 (r349557) @@ -11,14 +11,14 @@ sinclude(dnscrypt/dnscrypt.m4) # must be numbers. ac_defun because of later processing m4_define([VERSION_MAJOR],[1]) m4_define([VERSION_MINOR],[9]) -m4_define([VERSION_MICRO],[0]) +m4_define([VERSION_MICRO],[1]) AC_INIT(unbound, m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]), unbound-bugs@nlnetlabs.nl, unbound) AC_SUBST(UNBOUND_VERSION_MAJOR, [VERSION_MAJOR]) AC_SUBST(UNBOUND_VERSION_MINOR, [VERSION_MINOR]) AC_SUBST(UNBOUND_VERSION_MICRO, [VERSION_MICRO]) LIBUNBOUND_CURRENT=9 -LIBUNBOUND_REVISION=0 +LIBUNBOUND_REVISION=1 LIBUNBOUND_AGE=1 # 1.0.0 had 0:12:0 # 1.0.1 had 0:13:0 @@ -85,7 +85,8 @@ LIBUNBOUND_AGE=1 # 1.8.1 had 8:1:0 # 1.8.2 had 8:2:0 # 1.8.3 had 8:3:0 -# 1.8.4 had 9:0:1 # add ub_ctx_set_tls +# 1.9.0 had 9:0:1 # add ub_ctx_set_tls +# 1.9.1 had 9:1:1 # Current -- the number of the binary API that we're implementing # Revision -- which iteration of the implementation of the binary @@ -382,6 +383,8 @@ AC_CHECK_PROG(doxygen, doxygen, doxygen) AC_CHECK_TOOL(STRIP, strip) ACX_LIBTOOL_C_ONLY +PKG_PROG_PKG_CONFIG + # Checks for header files. AC_CHECK_HEADERS([stdarg.h stdbool.h netinet/in.h netinet/tcp.h sys/param.h sys/socket.h sys/un.h sys/uio.h sys/resource.h arpa/inet.h syslog.h netdb.h sys/wait.h pwd.h glob.h grp.h login_cap.h winsock2.h ws2tcpip.h endian.h sys/endian.h libkern/OSByteOrder.h sys/ipc.h sys/shm.h],,, [AC_INCLUDES_DEFAULT]) @@ -641,7 +644,6 @@ if test x_$ub_test_python != x_no; then CPPFLAGS="$PYTHON_CPPFLAGS" fi ub_have_python=yes - PKG_PROG_PKG_CONFIG PKG_CHECK_EXISTS(["python${PY_MAJOR_VERSION}"], [PC_PY_DEPENDENCY="python${PY_MAJOR_VERSION}"], [PC_PY_DEPENDENCY="python"]) @@ -781,7 +783,7 @@ else AC_MSG_RESULT([no]) fi AC_CHECK_HEADERS([openssl/conf.h openssl/engine.h openssl/bn.h openssl/dh.h openssl/dsa.h openssl/rsa.h],,, [AC_INCLUDES_DEFAULT]) -AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify SSL_CTX_set_tlsext_ticket_key_cb EVP_aes_256_cbc EVP_EncryptInit_ex HMAC_Init_ex]) +AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify SSL_CTX_set_tlsext_ticket_key_cb EVP_aes_256_cbc EVP_EncryptInit_ex HMAC_Init_ex CRYPTO_THREADID_set_callback]) # these check_funcs need -lssl BAKLIBS="$LIBS" Modified: vendor/unbound/dist/contrib/libunbound.so.conf ============================================================================== --- vendor/unbound/dist/contrib/libunbound.so.conf Sun Jun 30 14:46:15 2019 (r349556) +++ vendor/unbound/dist/contrib/libunbound.so.conf Sun Jun 30 14:56:56 2019 (r349557) @@ -14,6 +14,7 @@ int ub_ctx_set_option(ub_ctx*, string, string); int ub_ctx_get_option(ub_ctx*, string, +string*); int ub_ctx_config(ub_ctx*, string); int ub_ctx_set_fwd(ub_ctx*, string); +int ub_ctx_set_tls(ub_ctx*, bool(int)); int ub_ctx_set_stub(ub_ctx*, string, string, bool(int)); int ub_ctx_resolvconf(ub_ctx*, string); int ub_ctx_hosts(ub_ctx*, string); Modified: vendor/unbound/dist/contrib/unbound.init ============================================================================== --- vendor/unbound/dist/contrib/unbound.init Sun Jun 30 14:46:15 2019 (r349556) +++ vendor/unbound/dist/contrib/unbound.init Sun Jun 30 14:56:56 2019 (r349557) @@ -39,13 +39,13 @@ start() { # setup root jail if [ -s /etc/localtime ]; then [ -d ${rootdir}/etc ] || mkdir -p ${rootdir}/etc ; - if [ ! -e ${rootdir}/etc/localtime ] || /usr/bin/cmp -s /etc/localtime ${rootdir}/etc/localtime; then + if [ ! -e ${rootdir}/etc/localtime ] || ! /usr/bin/cmp -s /etc/localtime ${rootdir}/etc/localtime; then cp -fp /etc/localtime ${rootdir}/etc/localtime fi; fi; if [ -s /etc/resolv.conf ]; then [ -d ${rootdir}/etc ] || mkdir -p ${rootdir}/etc ; - if [ ! -e ${rootdir}/etc/resolv.conf ] || /usr/bin/cmp -s /etc/resolv.conf ${rootdir}/etc/resolv.conf; then + if [ ! -e ${rootdir}/etc/resolv.conf ] || ! /usr/bin/cmp -s /etc/resolv.conf ${rootdir}/etc/resolv.conf; then cp -fp /etc/resolv.conf ${rootdir}/etc/resolv.conf fi; fi; Modified: vendor/unbound/dist/daemon/daemon.c ============================================================================== --- vendor/unbound/dist/daemon/daemon.c Sun Jun 30 14:46:15 2019 (r349556) +++ vendor/unbound/dist/daemon/daemon.c Sun Jun 30 14:56:56 2019 (r349557) @@ -770,7 +770,7 @@ daemon_delete(struct daemon* daemon) # endif # ifdef HAVE_OPENSSL_CONFIG EVP_cleanup(); -# if OPENSSL_VERSION_NUMBER < 0x10100000 +# if (OPENSSL_VERSION_NUMBER < 0x10100000) && !defined(OPENSSL_NO_ENGINE) ENGINE_cleanup(); # endif CONF_modules_free(); Modified: vendor/unbound/dist/daemon/remote.c ============================================================================== --- vendor/unbound/dist/daemon/remote.c Sun Jun 30 14:46:15 2019 (r349556) +++ vendor/unbound/dist/daemon/remote.c Sun Jun 30 14:56:56 2019 (r349557) @@ -1987,7 +1987,7 @@ parse_delegpt(RES* ssl, char* args, uint8_t* nm, int a return NULL; } } else { -#ifndef HAVE_SSL_SET1_HOST +#if ! defined(HAVE_SSL_SET1_HOST) && ! defined(HAVE_X509_VERIFY_PARAM_SET1_HOST) if(auth_name) log_err("no name verification functionality in " "ssl library, ignored name for %s", todo); Modified: vendor/unbound/dist/daemon/worker.c ============================================================================== --- vendor/unbound/dist/daemon/worker.c Sun Jun 30 14:46:15 2019 (r349556) +++ vendor/unbound/dist/daemon/worker.c Sun Jun 30 14:56:56 2019 (r349557) @@ -1171,7 +1171,7 @@ worker_handle_request(struct comm_point* c, void* arg, /* check if this query should be dropped based on source ip rate limiting */ if(!infra_ip_ratelimit_inc(worker->env.infra_cache, repinfo, - *worker->env.now)) { + *worker->env.now, c->buffer)) { /* See if we are passed through with slip factor */ if(worker->env.cfg->ip_ratelimit_factor != 0 && ub_random_max(worker->env.rnd, @@ -1559,8 +1559,17 @@ send_reply_rc: if(worker->env.cfg->log_replies) { struct timeval tv = {0, 0}; - log_reply_info(0, &qinfo, &repinfo->addr, repinfo->addrlen, - tv, 1, c->buffer); + if(qinfo.local_alias && qinfo.local_alias->rrset && + qinfo.local_alias->rrset->rk.dname) { + /* log original qname, before the local alias was + * used to resolve that CNAME to something else */ + qinfo.qname = qinfo.local_alias->rrset->rk.dname; + log_reply_info(0, &qinfo, &repinfo->addr, repinfo->addrlen, + tv, 1, c->buffer); + } else { + log_reply_info(0, &qinfo, &repinfo->addr, repinfo->addrlen, + tv, 1, c->buffer); + } } #ifdef USE_DNSCRYPT if(!dnsc_handle_uncurved_request(repinfo)) { Modified: vendor/unbound/dist/doc/Changelog ============================================================================== --- vendor/unbound/dist/doc/Changelog Sun Jun 30 14:46:15 2019 (r349556) +++ vendor/unbound/dist/doc/Changelog Sun Jun 30 14:56:56 2019 (r349557) @@ -1,6 +1,86 @@ -5 February 2019: Wouter - - Fix tls-ciphers spelling in example.conf +1 March 2019: Wouter + - output forwarder log in ssl_req_order test. +28 February 2019: Wouter + - Remove memory leak on pythonmod python2 script file init. + - Remove swig gcc8 python function cast warnings, they are ignored. + - Print correct module that failed when module-config is wrong. + +27 February 2019: Wouter + - Fix #4229: Unbound man pages lack information, about access-control + order and local zone tags, and elements in views. + - Fix #14: contrib/unbound.init: Fix wrong comparison judgment + before copying. + - Fix for python module on Windows, fix fopen. + +25 February 2019: Wouter + - Fix #4227: pair event del and add for libevent for tcp_req_info. + +21 February 2019: Wouter + - Fix the error for unknown module in module-config is understandable, + and explains it was not compiled in and where to see the list. + - In example.conf explain where to put cachedb module in module-config. + - In man page and example config explain that most modules have to + be listed at the start of module-config. + +20 February 2019: Wouter + - Fix pythonmod include and sockaddr_un ifdefs for compile on + Windows, and for libunbound. + +18 February 2019: Wouter + - Print query name with ip_ratelimit exceeded log lines. + - Spaces instead of tabs in that log message. + - Print query name and IP address when domain rate limit exceeded. + +14 February 2019: Wouter + - Fix capsforid canonical sort qsort callback. + +11 February 2019: Wouter + - Note default for module-config in man page. + - Fix recursion lame test for qname minimisation asked queries, + that were not present in the set of prepared answers. + - Fix #13: Remove left-over requirements on OpenSSL >= 1.1.0 for + cert name matching, from man page. + - make depend, with newer gcc, nicer layout. + +7 February 2019: Wouter + - Fix #4206: OpenSSL 1.0.2 hostname verification for FreeBSD 11.2. + - Fix that qname minimisation does not skip a label when missing + nameserver targets need to be fetched. + - Fix #4225: clients seem to erroneously receive no answer with + DNS-over-TLS and qname-minimisation. + +4 February 2019: Wouter + - Fix that log-replies prints the correct name for local-alias + names, for names that have a CNAME in local-data configuration. + It logs the original query name, not the target of the CNAME. + - Add local-zone type inform_redirect, which logs like type inform, + and redirects like type redirect. + - Perform canonical sort for 0x20 capsforid compare of replies, + this sorts rrsets in the authority and additional section before + comparison, so that out of order rrsets do not cause failure. + +31 January 2019: Wouter + - Set ub_ctx_set_tls call signature in ltrace config file for + libunbound in contrib/libunbound.so.conf. + - improve documentation for tls-service-key and forward-first. + - #10: fixed pkg-config operations, PKG_PROG_PKG_CONFIG moved out of + conditional section, fixes systemd builds, from Enrico Scholz. + - #9: For openssl 1.0.2 use the CRYPTO_THREADID locking callbacks, + still supports the set_id_callback previous API. And for 1.1.0 + no locking callbacks are needed. + - #8: Fix OpenSSL without ENGINE support compilation. + - Wipe TLS session key data from memory on exit. + +30 January 2019: Ralph + - Fix case in which query timeout can result in marking delegation + as edns_lame_known. + +29 January 2019: Wouter + - Fix spelling of tls-ciphers in example.conf.in. + - Fix #4224: auth_xfr_notify.rpl test broken due to typo + - Fix locking for libunbound context setup with broken port config. + 28 January 2019: Wouter - ub_ctx_set_tls call for libunbound that enables DoT for the machines set with ub_ctx_set_fwd. Patch from Florian Obser. @@ -8,7 +88,9 @@ - List example config for root zone copy locally hosted with auth-zone as suggested from draft-ietf-dnsop-7706-bis-02. But with updated B root address. - - set version to 1.9.0 for release. + - set version to 1.9.0 for release. And this was released with the + spelling for tls-ciphers fix as 1.9.0 on Feb 5. Trunk has 1.9.1 in + development. 25 January 2019: Wouter - Fix that tcp for auth zone and outgoing does not remove and Modified: vendor/unbound/dist/doc/README ============================================================================== --- vendor/unbound/dist/doc/README Sun Jun 30 14:46:15 2019 (r349556) +++ vendor/unbound/dist/doc/README Sun Jun 30 14:56:56 2019 (r349557) @@ -1,4 +1,4 @@ -README for Unbound 1.9.0 +README for Unbound 1.9.1 Copyright 2007 NLnet Labs http://unbound.net Modified: vendor/unbound/dist/doc/example.conf.in ============================================================================== --- vendor/unbound/dist/doc/example.conf.in Sun Jun 30 14:46:15 2019 (r349556) +++ vendor/unbound/dist/doc/example.conf.in Sun Jun 30 14:56:56 2019 (r349557) @@ -1,7 +1,7 @@ # # Example configuration file. # -# See unbound.conf(5) man page, version 1.9.0. +# See unbound.conf(5) man page, version 1.9.1. # # this is a comment. @@ -475,6 +475,9 @@ server: # module configuration of the server. A string with identifiers # separated by spaces. Syntax: "[dns64] [validator] iterator" + # most modules have to be listed at the beginning of the line, + # except cachedb(just before iterator), and python (at the beginning, + # or, just before the iterator). # module-config: "validator iterator" # File with trusted keys, kept uptodate using RFC5011 probes, @@ -673,6 +676,7 @@ server: # o typetransparent resolves normally for other types and other names # o inform acts like transparent, but logs client IP address # o inform_deny drops queries and logs client IP address + # o inform_redirect redirects queries and logs client IP address # o always_transparent, always_refuse, always_nxdomain, resolve in # that way but ignore local data for that name # o noview breaks out of that view towards global local-zones. @@ -822,6 +826,8 @@ server: # Python config section. To enable: # o use --with-pythonmodule to configure before compiling. # o list python in the module-config string (above) to enable. +# It can be at the start, it gets validated results, or just before +# the iterator and process before DNSSEC validation. # o and give a python-script to run. python: # Script file to load @@ -972,7 +978,7 @@ remote-control: # Enable external backend DB as auxiliary cache. Specify the backend name # (default is "testframe", which has no use other than for debugging and # testing) and backend-specific options. The 'cachedb' module must be -# included in module-config. +# included in module-config, just before the iterator module. # cachedb: # backend: "testframe" # # secret seed string to calculate hashed keys Modified: vendor/unbound/dist/doc/libunbound.3.in ============================================================================== --- vendor/unbound/dist/doc/libunbound.3.in Sun Jun 30 14:46:15 2019 (r349556) +++ vendor/unbound/dist/doc/libunbound.3.in Sun Jun 30 14:56:56 2019 (r349557) @@ -1,4 +1,4 @@ -.TH "libunbound" "3" "Feb 5, 2019" "NLnet Labs" "unbound 1.9.0" +.TH "libunbound" "3" "Mar 12, 2019" "NLnet Labs" "unbound 1.9.1" .\" .\" libunbound.3 -- unbound library functions manual .\" @@ -44,7 +44,7 @@ .B ub_ctx_zone_remove, .B ub_ctx_data_add, .B ub_ctx_data_remove -\- Unbound DNS validating resolver 1.9.0 functions. +\- Unbound DNS validating resolver 1.9.1 functions. .SH "SYNOPSIS" .B #include <unbound.h> .LP Modified: vendor/unbound/dist/doc/unbound-anchor.8.in ============================================================================== --- vendor/unbound/dist/doc/unbound-anchor.8.in Sun Jun 30 14:46:15 2019 (r349556) +++ vendor/unbound/dist/doc/unbound-anchor.8.in Sun Jun 30 14:56:56 2019 (r349557) @@ -1,4 +1,4 @@ -.TH "unbound-anchor" "8" "Feb 5, 2019" "NLnet Labs" "unbound 1.9.0" +.TH "unbound-anchor" "8" "Mar 12, 2019" "NLnet Labs" "unbound 1.9.1" .\" .\" unbound-anchor.8 -- unbound anchor maintenance utility manual .\" Modified: vendor/unbound/dist/doc/unbound-checkconf.8.in ============================================================================== --- vendor/unbound/dist/doc/unbound-checkconf.8.in Sun Jun 30 14:46:15 2019 (r349556) +++ vendor/unbound/dist/doc/unbound-checkconf.8.in Sun Jun 30 14:56:56 2019 (r349557) @@ -1,4 +1,4 @@ -.TH "unbound-checkconf" "8" "Feb 5, 2019" "NLnet Labs" "unbound 1.9.0" +.TH "unbound-checkconf" "8" "Mar 12, 2019" "NLnet Labs" "unbound 1.9.1" .\" .\" unbound-checkconf.8 -- unbound configuration checker manual .\" Modified: vendor/unbound/dist/doc/unbound-control.8.in ============================================================================== --- vendor/unbound/dist/doc/unbound-control.8.in Sun Jun 30 14:46:15 2019 (r349556) +++ vendor/unbound/dist/doc/unbound-control.8.in Sun Jun 30 14:56:56 2019 (r349557) @@ -1,4 +1,4 @@ -.TH "unbound-control" "8" "Feb 5, 2019" "NLnet Labs" "unbound 1.9.0" +.TH "unbound-control" "8" "Mar 12, 2019" "NLnet Labs" "unbound 1.9.1" .\" .\" unbound-control.8 -- unbound remote control manual .\" Modified: vendor/unbound/dist/doc/unbound-host.1.in ============================================================================== --- vendor/unbound/dist/doc/unbound-host.1.in Sun Jun 30 14:46:15 2019 (r349556) +++ vendor/unbound/dist/doc/unbound-host.1.in Sun Jun 30 14:56:56 2019 (r349557) @@ -1,4 +1,4 @@ -.TH "unbound\-host" "1" "Feb 5, 2019" "NLnet Labs" "unbound 1.9.0" +.TH "unbound\-host" "1" "Mar 12, 2019" "NLnet Labs" "unbound 1.9.1" .\" .\" unbound-host.1 -- unbound DNS lookup utility .\" Modified: vendor/unbound/dist/doc/unbound.8.in ============================================================================== --- vendor/unbound/dist/doc/unbound.8.in Sun Jun 30 14:46:15 2019 (r349556) +++ vendor/unbound/dist/doc/unbound.8.in Sun Jun 30 14:56:56 2019 (r349557) @@ -1,4 +1,4 @@ -.TH "unbound" "8" "Feb 5, 2019" "NLnet Labs" "unbound 1.9.0" +.TH "unbound" "8" "Mar 12, 2019" "NLnet Labs" "unbound 1.9.1" .\" .\" unbound.8 -- unbound manual .\" @@ -9,7 +9,7 @@ .\" .SH "NAME" .B unbound -\- Unbound DNS validating resolver 1.9.0. +\- Unbound DNS validating resolver 1.9.1. .SH "SYNOPSIS" .B unbound .RB [ \-h ] Modified: vendor/unbound/dist/doc/unbound.conf.5.in ============================================================================== --- vendor/unbound/dist/doc/unbound.conf.5.in Sun Jun 30 14:46:15 2019 (r349556) +++ vendor/unbound/dist/doc/unbound.conf.5.in Sun Jun 30 14:56:56 2019 (r349557) @@ -1,4 +1,4 @@ -.TH "unbound.conf" "5" "Feb 5, 2019" "NLnet Labs" "unbound 1.9.0" +.TH "unbound.conf" "5" "Mar 12, 2019" "NLnet Labs" "unbound 1.9.1" .\" .\" unbound.conf.5 -- unbound.conf manual .\" @@ -458,14 +458,15 @@ Alternate syntax for \fBtls\-upstream\fR. If both are file the last is used. .TP .B tls\-service\-key: \fI<file> -If enabled, the server provides TLS service on its TCP sockets. The clients -have to use tls\-upstream: yes. The file is the private key for the TLS -session. The public certificate is in the tls\-service\-pem file. Default -is "", turned off. Requires a restart (a reload is not enough) if changed, -because the private key is read while root permissions are held and before -chroot (if any). Normal DNS TCP service is not provided and gives errors, -this service is best run with a different \fBport:\fR config or \fI@port\fR -suffixes in the \fBinterface\fR config. +If enabled, the server provides TLS service on the TCP ports marked +implicitly or explicitly for TLS service with tls\-port. The file must +contain the private key for the TLS session, the public certificate is in +the tls\-service\-pem file and it must also be specified if tls\-service\-key +is specified. The default is "", turned off. Enabling or disabling +this service requires a restart (a reload is not enough), because the +key is read while root permissions are held and before chroot (if any). +The ports enabled implicitly or explicitly via \fBtls\-port:\fR do not provide +normal DNS TCP service. .TP .B ssl\-service\-key: \fI<file> Alternate syntax for \fBtls\-service\-key\fR. @@ -545,6 +546,7 @@ classless network block. The action can be \fIdeny\fR, \fIallow\fR, \fIallow_setrd\fR, \fIallow_snoop\fR, \fIdeny_non_local\fR or \fIrefuse_non_local\fR. The most specific netblock match is used, if none match \fIdeny\fR is used. +The order of the access\-control statements therefore does not matter. .IP The action \fIdeny\fR stops queries from hosts from that netblock. .IP @@ -929,6 +931,12 @@ Setting this to "iterator" will result in a non\-valid Setting this to "validator iterator" will turn on DNSSEC validation. The ordering of the modules is important. You must also set trust\-anchors for validation to be useful. +The default is "validator iterator". When the server is built with +EDNS client subnet support the default is "subnetcache validator iterator". +Most modules that need to be listed here have to be listed at the beginning +of the line. The cachedb module has to be listed just before the iterator. +The python module can be listed in different places, it then processes the +output of the module it is just before. .TP .B trust\-anchor\-file: \fI<filename> File with trusted keys for validation. Both DS and DNSKEY entries can appear @@ -1140,7 +1148,7 @@ address space are not validated. This is usually requ Configure a local zone. The type determines the answer to give if there is no match from local\-data. The types are deny, refuse, static, transparent, redirect, nodefault, typetransparent, inform, inform_deny, -always_transparent, always_refuse, always_nxdomain, noview, +inform_redirect, always_transparent, always_refuse, always_nxdomain, noview, and are explained below. After that the default settings are listed. Use local\-data: to enter data into the local zone. Answers for local zones are authoritative DNS answers. By default the zones are class IN. @@ -1201,6 +1209,10 @@ looking up infected names are logged, eg. to run antiv The query is dropped, like 'deny', and logged, like 'inform'. Ie. find infected machines without answering the queries. .TP 10 +\h'5'\fIinform_redirect\fR +The query is redirected, like 'redirect', and logged, like 'inform'. +Ie. answer queries with fixed data and also log the machines that ask. +.TP 10 \h'5'\fIalways_transparent\fR Like transparent, but ignores local data and resolves normally. .TP 10 @@ -1356,7 +1368,8 @@ TTL can be inserted like this: "2001:DB8::4 7200 www.e Assign tags to localzones. Tagged localzones will only be applied when the used access-control element has a matching tag. Tags must be defined in \fIdefine\-tags\fR. Enclose list of tags in quotes ("") and put spaces between -tags. +tags. When there are multiple tags it checks if the intersection of the +list of tags for the query and local\-zone\-tag is non-empty. .TP 5 .B local\-zone\-override: \fI<zone> <IP netblock> <type> Override the localzone type for queries from addresses matching netblock. @@ -1614,13 +1627,11 @@ the '@' and '#', the '@' comes first. At high verbosity it logs the TLS certificate, with TLS enabled. If you leave out the '#' and auth name from the forward\-addr, any name is accepted. The cert must also match a CA from the tls\-cert\-bundle. -The cert name match code needs OpenSSL 1.1.0 or later to be enabled. .TP .B forward\-first: \fI<yes or no> -If enabled, a query is attempted without the forward clause if it fails. -The data could not be retrieved and would have caused SERVFAIL because -the servers are unreachable, instead it is tried without this clause. -The default is no. +If a forwarded query is met with a SERVFAIL error, and this option is +enabled, unbound will fall back to normal recursive resolution for this +query as if no query forwarding had been specified. The default is "no". .TP .B forward\-tls\-upstream: \fI<yes or no> Enabled or disable whether the queries to this forwarder use TLS for transport. @@ -1715,7 +1726,9 @@ data (eg. from the master servers). There may be multiple .B view: clauses. Each with a \fBname:\fR and zero or more \fBlocal\-zone\fR and -\fBlocal\-data\fR elements. View can be mapped to requests by specifying the +\fBlocal\-data\fR elements. Views can also contain view\-first, +response\-ip, response\-ip\-data and local\-data\-ptr elements. +View can be mapped to requests by specifying the view name in an \fBaccess\-control\-view\fR element. Options from matching views will override global options. Global options will be used if no matching view is found, or when the matching view does not have the option specified. Modified: vendor/unbound/dist/iterator/iter_fwd.c ============================================================================== --- vendor/unbound/dist/iterator/iter_fwd.c Sun Jun 30 14:46:15 2019 (r349556) +++ vendor/unbound/dist/iterator/iter_fwd.c Sun Jun 30 14:56:56 2019 (r349557) @@ -239,7 +239,7 @@ read_fwds_addr(struct config_stub* s, struct delegpt* s->name, p->str); return 0; } -#ifndef HAVE_SSL_SET1_HOST +#if ! defined(HAVE_SSL_SET1_HOST) && ! defined(HAVE_X509_VERIFY_PARAM_SET1_HOST) if(tls_auth_name) log_err("no name verification functionality in " "ssl library, ignored name for %s", p->str); Modified: vendor/unbound/dist/iterator/iter_hints.c ============================================================================== --- vendor/unbound/dist/iterator/iter_hints.c Sun Jun 30 14:46:15 2019 (r349556) +++ vendor/unbound/dist/iterator/iter_hints.c Sun Jun 30 14:56:56 2019 (r349557) @@ -252,7 +252,7 @@ read_stubs_addr(struct config_stub* s, struct delegpt* s->name, p->str); return 0; } -#ifndef HAVE_SSL_SET1_HOST +#if ! defined(HAVE_SSL_SET1_HOST) && ! defined(HAVE_X509_VERIFY_PARAM_SET1_HOST) if(auth_name) log_err("no name verification functionality in " "ssl library, ignored name for %s", p->str); Modified: vendor/unbound/dist/iterator/iter_utils.c ============================================================================== --- vendor/unbound/dist/iterator/iter_utils.c Sun Jun 30 14:46:15 2019 (r349556) +++ vendor/unbound/dist/iterator/iter_utils.c Sun Jun 30 14:56:56 2019 (r349557) @@ -882,10 +882,35 @@ rrset_equal(struct ub_packed_rrset_key* k1, struct ub_ return 1; } +/** compare rrsets and sort canonically. Compares rrset name, type, class. + * return 0 if equal, +1 if x > y, and -1 if x < y. + */ +static int +rrset_canonical_sort_cmp(const void* x, const void* y) +{ + struct ub_packed_rrset_key* rrx = *(struct ub_packed_rrset_key**)x; + struct ub_packed_rrset_key* rry = *(struct ub_packed_rrset_key**)y; + int r = dname_canonical_compare(rrx->rk.dname, rry->rk.dname); + if(r != 0) + return r; + if(rrx->rk.type != rry->rk.type) { + if(ntohs(rrx->rk.type) > ntohs(rry->rk.type)) + return 1; + else return -1; + } + if(rrx->rk.rrset_class != rry->rk.rrset_class) { + if(ntohs(rrx->rk.rrset_class) > ntohs(rry->rk.rrset_class)) + return 1; + else return -1; + } + return 0; +} + int reply_equal(struct reply_info* p, struct reply_info* q, struct regional* region) { size_t i; + struct ub_packed_rrset_key** sorted_p, **sorted_q; if(p->flags != q->flags || p->qdcount != q->qdcount || /* do not check TTL, this may differ */ @@ -899,16 +924,43 @@ reply_equal(struct reply_info* p, struct reply_info* q p->ar_numrrsets != q->ar_numrrsets || p->rrset_count != q->rrset_count) return 0; + /* sort the rrsets in the authority and additional sections before + * compare, the query and answer sections are ordered in the sequence + * they should have (eg. one after the other for aliases). */ + sorted_p = (struct ub_packed_rrset_key**)regional_alloc_init( + region, p->rrsets, sizeof(*sorted_p)*p->rrset_count); + if(!sorted_p) return 0; + log_assert(p->an_numrrsets + p->ns_numrrsets + p->ar_numrrsets <= + p->rrset_count); + qsort(sorted_p + p->an_numrrsets, p->ns_numrrsets, + sizeof(*sorted_p), rrset_canonical_sort_cmp); + qsort(sorted_p + p->an_numrrsets + p->ns_numrrsets, p->ar_numrrsets, + sizeof(*sorted_p), rrset_canonical_sort_cmp); + + sorted_q = (struct ub_packed_rrset_key**)regional_alloc_init( + region, q->rrsets, sizeof(*sorted_q)*q->rrset_count); + if(!sorted_q) { + regional_free_all(region); + return 0; *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201906301456.x5UEuvub037445>