Commit message | Author | Age | Files | Lines
News:
https://nlnetlabs.nl/news/2025/Sep/18/unbound-1.24.0-released/
Optimize STRIP_CMD in post-build - single call instead of 6-7.
Use PORTNAME in USE_RC_SUBR instead of hardcoded unbound.
PR: 289693
Release Notes: https://nlnetlabs.nl/news/2025/Jul/16/unbound-1.23.1-released/
PR: 288276
Reported by: Jaap Akkerhuis <jaap@NLnetLabs.nl> (maintainer)
MFH: 2025Q3
Security: e27ee4fc-cdc9-45a1-8242-09898cdbdc91
libprotobuf-c.so once again has version info. Force a rebuild of
its consumers.
PR: 282060
MFH: 2025Q3
Sponsored by: <If the change was sponsored by an organization.>
Release notes:
https://www.nlnetlabs.nl/news/2025/Apr/24/unbound-1.23.0-released/
Changelog:
https://github.com/NLnetLabs/unbound/releases/tag/release-1.23.0
PR: 286341 263838
There was a line missing in the Makefile for the port.
This commit corrects it and restores DNS over QUIC and HTTPS.
PR: 282183
Reported by: Jaap Akkerhuis <jaap@NLnetLabs.nl> (maintainer)
Changelog: https://nlnetlabs.nl/news/2024/Oct/17/unbound-1.22.0-released/
Full changelog: https://nlnetlabs.nl/projects/unbound/download/#unbound-1-22-0
PR: 282172
Reported by: Jaap Akkerhuis <jaap@NLnetLabs.nl> (maintainer)
- patch for users who use base OpenSSL
PR: 281894, 281804
Security: 2368755b-83f6-11ef-8d2e-a04a5edf46d9
Security: CVE-2024-8508
Release announcement:
https://nlnetlabs.nl/news/2024/Aug/15/unbound-1.21.0-released/
PR: 280853
MFH: 2024Q3
PR: 278259
Reported by: Andrey Korobkov <alster-vinterdalen.se>
ChangeLog: https://nlnetlabs.nl/news/2024/May/08/unbound-1.20.0-released/
Summary of the DNSBomb vulnerability CVE-2024-33655.
The DNSBomb attack, via specially timed DNS queries and answers, can cause a
Denial of Service on resolvers and spoofed targets.
Unbound itself is not vulnerable to DoS; rather, it can be used to take part in
a pulsing DoS amplification attack.
PR: 278870
Reported by: jaap@NLnetLabs.nl (maintainer)
Security: CVE-2024-33655
This release has a number of bug fixes. The CNAME synthesized for a
DNAME record uses the original TTL of the DNAME record, and that means
it can be cached for the TTL, instead of 0.
There is a fix that when a message was stored in cache, but one of the
RRsets was not updated due to cache policy, it now restricts the message
TTL if the cache version of the RRset has a shorter TTL. It avoids a
bug where the message is not expired, but its contents are expired.
For dnstap, it logs type DoH and DoT correctly, if that is used for
the message.
The b.root-servers.net address is updated in the default root hints.
When performing retries for failed sends, a retry at a smaller UDP size
is now not performed when that attempt is not actually smaller, and at
defaults, since the flag day changes, it is the same size. This makes
it skip the step; it is useless because there is no reduction in size.
Clients with a valid DNS Cookie will bypass the ratelimit, if one is
set. The value from ip-ratelimit-cookie is used for these queries.
Furthermore there is a fix to make correct EDE Prohibited answers for
access control denials, and a fix for EDNS client subnet scope zero
answers.
For more details, see
https://github.com/NLnetLabs/unbound/releases/tag/release-1.19.3
PR: 277686
Security: c2ad8700-de25-11ee-9190-84a93843eb75
Release notes at
https://www.nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/
Security: CVE-2023-50387, CVE-2023-50868
Approved by: Jaap Akkerhuis <jaap@NLnetLabs.nl>
MFH: 2024Q1
Approved by: portmgr (blanket)
ChangeLog: https://nlnetlabs.nl/news/2023/Nov/08/unbound-1.19.0-released/
Features
* Fix #850: [FR] Ability to use specific database in Redis, with new
redis-logical-db configuration option.
* Merge #944: Disable EDNS DO. Disable the EDNS DO flag in upstream requests.
This can be helpful for devices that cannot handle DNSSEC information. But it
should not be enabled otherwise, because that would stop DNSSEC validation.
The DNSSEC validation would not work for Unbound itself, and also not for
downstream users. Default is no. The option is disable-edns-do: no
* Expose the script filename in the Python module environment 'mod_env' instead
of the config_file structure which includes the linked list of scripts in a
multi Python module setup; fixes #79.
* Expose the configured listening and outgoing interfaces, if any, as a list of
strings in the Python 'config_file' class instead of the current Swig object
proxy; fixes #79.
* Mailing list patches from Daniel Gröber for DNS64 fallback to plain AAAA when
no A record exists for synthesis, and minor DNS64 code refactoring for better
readability.
* Merge #951: Cachedb no store. The cachedb-no-store: yes option is used to stop
cachedb from writing messages to the backend storage. It reads messages when
data is available from the backend. The default is no.
Bug Fixes
* Fix for version generation race condition that ignored changes.
* Fix #942: 1.18.0 libunbound DNS regression when built without
OpenSSL.
* Fix for WKS call to getservbyname that creates allocation on exit in unit test
by testing numbers first and testing from the services list later.
* Fix autoconf 2.69 warnings in configure.
* Fix #927: unbound 1.18.0 make test error. Fix make test without SHA1.
* Merge #931: Prevent warnings from -Wmissing-prototypes.
* Fix to scrub resource records of type A and AAAA that have an
inappropriate size. They are removed from responses.
* Fix to move msgparse_rrset_remove_rr code to util/msgparse.c.
* Fix to add EDE text when RRs have been removed due to length.
* Fix to set ede match in unit test for rr length removal.
* Fix to print EDE text in readable form in output logs.
* Fix send of udp retries when ENOBUFS is returned. It stops looping
and also waits for the condition to go away. Reported by Florian
Obser.
* Fix authority zone answers for obscured DNAMEs and delegations.
* Merge #936: Check for c99 with autoconf versions prior to 2.70.
* Fix to remove two c99 notations.
* Fix rpz tcp-only action with rpz triggers nsdname and nsip.
* Fix misplaced comment.
* Merge #881: Generalise the proxy protocol code.
* Fix #946: Forwarder returns servfail on upstream response noerror no
data.
* Fix edns subnet so that queries with a source prefix of zero cause
the recursor send no edns subnet option to the upstream.
* Fix that printout of EDNS options shows the EDNS cookie option by
name.
* Fix infinite loop when reading multiple lines of input on a broken
remote control socket. Addresses #947 and #948.
* Fix #949: "could not create control compt".
* Fix that cachedb does not warn when serve-expired is disabled about
use of serve-expired-reply-ttl and serve-expired-client-timeout.
* Fix for #949: Fix pythonmod/ubmodule-tst.py for Python 3.x.
* Better fix for infinite loop when reading multiple lines of input on
a broken remote control socket, by treating a zero byte line the
same as transmission end. Addresses #947 and #948.
* For multi Python module setups, clean previously parsed module
functions in __main__'s dictionary, if any, so that only current
module functions are registered.
* Fix #954: Inconsistent RPZ handling for A record returned along with
CNAME.
* Fixes for the DNS64 patches.
* Update the dns64_lookup.rpl test for the DNS64 fallback patch.
* Merge #955 from buevsan: fix ipset wrong behavior.
* Update testdata/ipset.tdir test for ipset fix.
* Fix to print detailed errors when an SSL IO routine fails via
SSL_get_error.
* Clearer configure text for missing protobuf-c development libraries.
* autoconf.
* Merge #930 from Stuart Henderson: add void to
log_ident_revert_to_default declaration.
* Fix #941: dnscrypt doesn't work after upgrade to 1.18 with
suggestion by dukeartem to also fix the udp_ancil with dnscrypt.
* Fix SSL compile failure for definition in log_crypto_err_io_code_arg.
* Fix SSL compile failure for other missing definitions in
log_crypto_err_io_code_arg.
* Fix compilation without openssl, remove unused function warning.
* Mention flex and bison in README.md when building from repository
source.
PR: 275012
Reported by: jaap@NLnetLabs.nl (maintainer)
- Fix send of udp retries when ENOBUFS is returned. It stops looping
and also waits for the condition to go away. Reported to upstream
by Florian Obser.
PR: 274352, 274446
Approved by: jaap@NLnetLabs.nl (maintainer)
MFH: 2023Q4
ChangeLog: https://www.nlnetlabs.nl/projects/unbound/download/#unbound-1-18-0
PR: 273456
Reported by: rcm@rcm.sh
Approved by: jaap@NLnetLabs.nl (maintainer)
PR: 269337
Reported by: void@f-m.fm
MFH: 2023Q1 (build fix)
The DYNLIB option doesn't change whether unbound itself is dynamically
or statically linked, it enables support for third-party shlibs.
Approved by: maintainer
PR: 268942
Reported by: me@rcm.sh
Approved by: jaap@NLnetLabs.nl (maintainer)
The release notes can be found at:
https://www.nlnetlabs.nl/projects/unbound/download/#unbound-1-17-1
PR: 268913
Approved by: jaap@NLnetLabs.nl (maintainer)
Sponsored by: Rubicon Communications, LLC ("Netgate")
ChangeLog: https://www.nlnetlabs.nl/news/2022/Oct/13/unbound-1.17.0-released/
Remove additional MASTER_SITES (certificate error)
PR: 267018
Reported by: jaap@NLnetLabs.nl (maintainer)
Reviewed by: diizzy@
ChangeLog: https://nlnetlabs.nl/news/2022/Sep/21/unbound-1.16.3-released/
Fixes Non-Responsive Delegation Attack.
PR: 266654
Reported by: herbert@gojira.at
Approved by: jaap@NLnetLabs.nl (maintainer)
Security: CVE-2022-3204
Commit b7f05445c00f has added WWW entries to port Makefiles based on
WWW: lines in pkg-descr files.
This commit removes the WWW: lines of moved-over URLs from these
pkg-descr files.
Approved by: portmgr (tcberner)
It has been common practice to have one or more URLs at the end of the
ports' pkg-descr files, one per line and prefixed with "WWW:". These
URLs should point at a project website or other relevant resources.
Access to these URLs required processing of the pkg-descr files, and
they have often become stale over time. If more than one such URL was
present in a pkg-descr file, only the first one was transferred into
the port INDEX, but for many ports only the last line did contain the
port specific URL to further information.
There have been several proposals to make a project URL available as
a macro in the ports' Makefiles, over time.
This commit implements such a proposal and moves one of the WWW: entries
of each pkg-descr file into the respective port's Makefile. A heuristic
attempts to identify the most relevant URL in case there is more than
one WWW: entry in some pkg-descr file. URLs that are not moved into the
Makefile are prefixed with "See also:" instead of "WWW:" in the pkg-descr
files in order to preserve them.
There are 1256 ports that had no WWW: entries in pkg-descr files. These
ports will not be touched in this commit.
The portlint port has been adjusted to expect a WWW entry in each port
Makefile, and to flag any remaining "WWW:" lines in pkg-descr files as
deprecated.
Approved by: portmgr (tcberner)
PR: 265645
Reported by: Jaap Akkerhuis <jaap NLnetLabs nl> (maintainer)
Security: bc43a578-14ec-11ed-856e-d4c9ef517024
MFH: 2022Q3
A big Thank You to the original contributors of these ports:
* Aaron Dalton <aaron@FreeBSD.org>
* Akinori MUSHA aka knu <knu@idaemons.org>
* Alex Samorukov <samm@freebsd.org>
* Alexey Dokuchaev <danfe@FreeBSD.org>
* Allan Jude <allanjude@freebsd.org>
* Amar Takhar <verm@drunkmonk.net>
* Anders Nordby <anders@fix.no>
* Andrew Greenwood <greenwood.andy@gmail.com>
* Anton Berezin <tobez@FreeBSD.org>
* Ashish SHUKLA <ashish@FreeBSD.org>
* Attila Nagy <bra@fsn.hu>
* Bas Kruit <baskruit@bsltwr.dhis.org>
* Bruce M. Simpson <bms@FreeBSD.org>
* Carlos J Puga Medina <cpm@fbsd.es>
* Chris St Denis (<chris@ctgameinfo.com>)
* Clement Laforet <clement@FreeBSD.org>
* Clement Laforet <sheepkiller@cultdeadsheep.org>
* Dan Langille <dvl@FreeBSD.org>
* Dan Pelleg <daniel+mdnsd@pelleg.org>
* Dan Smith <dan@algenta.com>
* David O'Brien (obrien@NUXI.com)
* Dean Hollister <dean@odyssey.apana.org.au>
* Dirk Froemberg <dirk@FreeBSD.org>
* Dmitry Pryadko <d.pryadko@rambler-co.ru>
* Dmitry Sivachenko <mitya@yandex-team.ru>
* Dominik Brettnacher <domi@saargate.de>
* Douglas Thrift <douglas@douglasthrift.net>
* Edwin Groothuis (edwin@mavetju.org)
* Edwin Groothuis <edwin@mavetju.org>
* Emanuel Haupt <ehaupt@FreeBSD.org>
* Emanuel Haupt <ehaupt@critical.ch>
* Eyal Soha <esoha@attbi.com>
* Filip Parag <filip@parag.rs>
* Filippo Natali <filippo.natali@gmail.com>
* Frank Behrens
* Gea-Suan Lin <gslin@gslin.org>
* Geoffroy Desvernay <dgeo@centrale-marseille.fr>
* George Reid <greid@ukug.uk.freebsd.org>
* Goran Mekić <meka@tilda.center>
* Hajimu UMEMOTO <ume@FreeBSD.org>
* Herve Quiroz <hq@FreeBSD.org>
* Hirohisa Yamaguchi <umq@ueo.co.jp>
* Hye-Shik Chang <perky@fallin.lv>
* Jaap Akkerhuis <jaap@NLnetLabs.nl>
* James FitzGibbon <jfitz@FreeBSD.org>
* Jase Thew <freebsd@beardz.net>
* Jimmy Bergman jimmy@sigint.se
* Jin-Shan Tseng <tjs@cdpa.nsysu.edu.tw>
* Joe Barbish
* Jov <amutu@amutu.com>
* Jui-Nan Lin <jnlin@freebsd.cs.nctu.edu.tw>
* Karl Dietz (Karl.Dietz@frankfurt.netsurf.de)
* Kirill Ponomarew <ponomarew@oberon.net>
* Koen Martens <gmc@sonologic.nl>
* Konstantin Saurbier <saurbier@math.uni-bielefeld.de>
* Kostya Lukin <lukin@okbmei.msk.su>
* Kris Kennaway <kris@FreeBSD.org>
* Kubilay Kocak <koobs@FreeBSD.org>
* Kurt Jaeger <fbsd-ports@opsec.eu>
* Leo Vandewoestijne <freebsd@dns-lab.com>
* Leo Vandewoestijne <freebsd@dns.company>
* MIHIRA Yoshiro <sanpei@jp.FreeBSD.org>
* Marcin Gondek <drixter@e-utp.net>
* Mario Sergio Fujikawa Ferreira <lioux@FreeBSD.org>
* Mark Felder <feld@FreeBSD.org>
* Mark Linimon <linimon@lonesome.com>
* Mark Pulford <mark@kyne.com.au>
* Martin Matuska <mm@FreeBSD.org>
* Martin Wilke <miwi@FreeBSD.org>
* Matthew Hunt <mph@pobox.com>
* Matthew Seaman
* Michael Cardell Widerkrantz <mc@hack.org>
* Moritz Warning <moritzwarning@web.de>
* Natacha Porte <natbsd@instinctive.eu>
* Neil Blakey-Milner
* Olivier Duchateau
* Paul Chvostek <paul@it.ca>
* Paul Dlug <paul@aps.org>
* Philippe Pepiot <phil@philpep.org>
* Piotr Kubaj <pkubaj@FreeBSD.org>
* Piotr Kubaj <pkubaj@anongoth.pl>
* Po-Chuan Hsieh <sunpoet@FreeBSD.org>
* Rafal Lesniak <fbsd@grid.einherjar.de>
* Roman Shterenzon <roman@xpert.com>
* Rong-En Fan <rafan@FreeBSD.org>
* Roy Marples <roy@marples.name>
* Ryan Steinmetz <rpsfa@rit.edu>
* Ryan Steinmetz <zi@FreeBSD.org>
* Sahil Tandon <sahil@tandon.net>
* Seamus Venasse <svenasse@polaris.ca>
* Sergei Kolobov <sergei@FreeBSD.org>
* Sergei Kolobov <sergei@kolobov.com>
* Sergey Matveychuk <sem@FreeBSD.org>
* Sergey Skvortsov <skv@protey.ru>
* Simon Dick <simond@irrelevant.org>
* Stefan Esser <se@FreeBSD.org>
* Steve Wills <swills@FreeBSD.org>
* Steve Wills <swills@freebsd.org>
* Steven Honson
* Sunpoet Po-Chuan Hsieh <sunpoet@FreeBSD.org>
* Sunpoet Po-Chuan Hsieh <sunpoet@sunpoet.net>
* Timothy Beyer <beyert@cs.ucr.edu>
* Waitman Gobble <waitman@waitman.net>
* Wen Heping <wen@FreeBSD.org>
* Wen Heping <wenheping@gmail.com>
* Zane C, Bowers <vvelox@vvelox.net>
* adamw
* alexis
* andrew@ugh.net.au
* bkhl
* clsung
* clsung@dragon2.net
* dglo@ssec.wisc.edu
* dnscheckengine-port@academ.com (Stan Barber)
* fenner
* geniusj@ods.org
* ijliao
* ismail.yenigul@endersys.com.tr
* krion
* mark@foster.cc
* n@nectar.com
* roam@FreeBSD.org
* rodrigc@FreeBSD.org
* rpsfa@rit.edu
* sten@blinkenlights.nl
With hat: portmgr
ChangeLog: https://www.nlnetlabs.nl/projects/unbound/download/#unbound-1-16-1
PR: 265151
Reported by: jaap@NLnetLabs.nl (maintainer)
MFH: 2022Q3 (bugfixes)
This release has EDE support, for extended EDNS error reporting,
it fixes unsupported ZONEMD algorithms to load, and has more bug fixes.
The EDE errors can be turned on by `ede: yes`, it is default disabled.
Validation errors and other errors are then reported. If you also want
stale answers for expired responses to have an error code, the option
`ede-serve-expired: yes` can be used.
On request, the port now also has dnscrypt support default enabled.
PR: 264538
PR: 262145
Reported by: freebsd@rail.eu.org
Tested by: freebsd@rail.eu.org
[The Makefile of the port got cleaned up to make portfmt happy]
This release has bug fixes for crashes that happened on heavy network
usage. The default for the aggressive-nsec option has changed, it is now
enabled.
The ratelimit logic had to be reworked for the crash fixes. As a result,
there are new options to control the behaviour of ratelimiting.
The ratelimit-backoff and ip-ratelimit-backoff options can be used to
control how severe the backoff is when the ratelimit is exceeded.
The rpz-signal-nxdomain-ra option can be used to unset the RA flag, for
NXDOMAIN answers from RPZ. That is used by some clients to detect that
the domain is externally blocked. The RPZ option for-downstream can be
used like for auth zones, this allows the RPZ zone information to be
queried. That can be useful for monitoring scripts.
Features
- Fix #596: unset the RA bit when a query is blocked by an unbound
RPZ nxdomain reply. The option rpz-signal-nxdomain-ra allows to
signal that a domain is externally blocked to clients when it
is blocked with NXDOMAIN by unsetting RA.
- Add rpz: for-downstream: yesno option, where the RPZ zone is
authoritatively answered for, so the RPZ zone contents can be
checked with DNS queries directed at the RPZ zone.
- Merge PR #616: Update ratelimit logic. It also introduces
ratelimit-backoff and ip-ratelimit-backoff configuration options.
- Change aggressive-nsec default to yes.
Bug Fixes
- Fix compile warning for if_nametoindex on windows 64bit.
- Merge PR #581 from fobser: Fix -Wmissing-prototypes and -Wshadow
warnings in rpz.
- Fix validator debug output about DS support, print correct algorithm.
- Add code similar to fix for ldns for tab between strings, for
consistency, the test case was not broken.
- Allow local-data for classes other than IN to inherit a configured
local-zone's type if possible, instead of defaulting to type
transparent as per the implicit rule.
- Fix to pick up other class local zone information before unlock.
- Add missing configure flags for optional features in the
documentation.
- Fix Unbound capitalization in the documentation.
- Fix #591: Unbound-anchor manpage links to non-existent license file.
- contrib/aaaa-filter-iterator.patch file renewed diff content to
apply cleanly to the current coderepo for the current code version.
- Fix to add test for rpz-signal-nxdomain-ra.
- Fix #596: only unset RA when NXDOMAIN is signalled.
- Fix that RPZ does not set RD flag on replies, it should be copied
from the query.
- Fix for #596: fix that rpz return message is returned and not just
the rcode from the iterator return path. This fixes signal unset RA
after a CNAME.
- Fix unit tests for rpz now that the AA flag returns successfully from
the iterator loop.
- Fix for #596: add unit test for nsdname trigger and signal unset RA.
- Fix for #596: add unit test for nsip trigger and signal unset RA.
- Fix #598: Fix unbound-checkconf fatal error: module conf
'respip dns64 validator iterator' is not known to work.
- Fix for #596: Fix rpz-signal-nxdomain-ra to work for clientip
triggered operation.
- Merge #600 from pemensik: Change file mode before changing file
owner.
- Fix prematurely terminated TCP queries when a reply has the same ID.
- For #602: Allow the module-config "subnetcache validator cachedb
iterator".
- Fix EDNS to upstream where the same option could be attached
more than once.
- Add a region to serviced_query for allocations.
- For dnstap, do not wakeupnow right there. Instead zero the timer to
force the wakeup callback asap.
- Fix #610: Undefine-shift in sldns_str2wire_hip_buf.
- Fix #588: Unbound 1.13.2 crashes due to p->pc is NULL in
serviced_udp_callback.
- Merge PR #612: TCP race condition.
- Test for NSID in SERVFAIL response due to DNSSEC bogus.
- Fix #599: [FR] RFC 9156 (obsoletes RFC 7816), by noting the new RFC
document.
- Fix tls-* and ssl-* documented alternate syntax to also be available
through remote-control and unbound-checkconf.
- Better cleanup on failed DoT/DoH listening socket creation.
- iana portlist update.
- Fix review comment for use-after-free when failing to send UDP out.
- Merge PR #603 from fobser: Use OpenSSL 1.1 API to access DSA and RSA
internals.
- Merge PR #532 from Shchelk: Fix: buffer overflow bug.
- Merge PR #617: Update stub/forward-host notation to accept port and
tls-auth-name.
- Update stream_ssl.tdir test to also use the new forward-host
notation.
- Fix header comment for doxygen for authextstrtoaddr.
- please clang analyzer for loop in test code.
- Fix docker splint test to use more portable uname.
- Update contrib/aaaa-filter-iterator.patch with diff for current
software version.
- Fix for #611: Integer overflow in sldns_wire2str_pkt_scan.
PR: 261888
PR: 260553
Reported by: tech-lists@zyxst.net
Changelog:
This release contains bug fixes and a full set of RPZ triggers and
actions that are supported. This works with RPZ zones, configured with
`rpz:`.
It is possible to selectively enable use of TCP for stub zones and
forward zones, without having to enable it server wide, by enabling it
with the `stub-tcp-upstream: yes` and `forward-tcp-upstream: yes` options.
The added contrib/Dockerfile.tests from ziollek can be used to setup
a Docker environment to run tests in. The documentation is in the
doc/README.tests file.
If openssl is installed with different versions, you can set the
location as `--with-ssl=/usr/include/openssl11` and it then detects the
use of the lib dir split off in /usr/lib64/openssl11 with regex. This is
useful to pass to configure if openssl is installed in such a manner.
The option `outbound-msg-retry` can be used to select the number of
retries when a non-positive response is received. It is best left at
default, but when the upstream is known to not need retries, it can be
lowered, because in that case the upstream is performing the retry for
non-positive responses.
The domain `home.arpa.` is set by default as blocked, as per RFC8375. If
you want to use it, unblock it with a local-zone nodefault statement, or
use another type of local-zone to override it with your choice.
In the config it is possible to enter IPv6 scope-id values with
interface names, instead of a number, for link-local addresses.
Features
- Merge #401: RPZ triggers. This add additional RPZ triggers,
unbound supports a full set of rpz triggers, and this now
includes nsdname, nsip and clientip triggers. Also actions
are fully supported, and this now includes the tcp-only action.
- Merge #519: Support for selectively enabling tcp-upstream for
stub/forward zones.
- Merge PR #514, from ziollek: Docker environment for run tests.
- Support using system-wide crypto policies.
- Fix that --with-ssl can use "/usr/include/openssl11" to pass the
location of a different openssl version.
- Merged #41 from Moritz Schneider: made outbound-msg-retry
configurable.
- Implement RFC8375: Special-Use Domain 'home.arpa.'.
- Merge PR #555 from fobser: Allow interface names as scope-id in IPv6
link-local addresses.
Bug Fixes
- Add test tool readzone to .gitignore.
- Merge #521: Update mini_event.c.
- Merge #523: fix: free() call more than once with the same pointer.
- For #519: note stub-tcp-upstream and forward-tcp-upstream in
the example configuration file.
- For #519: yacc and lex. And fix python bindings, and test program
unbound-dnstap-socket.
- For #519: fix comments for doxygen.
- Fix to print error from unbound-anchor for writing to the key
file, also when not verbose.
- For #514: generate configure.
- Fix for #431: Squelch permission denied errors for udp connect,
and udp send, they are visible at higher verbosity settings.
- Fix zonemd verification of key that is not in DNS but in the zone
and needs a chain of trust.
- zonemd, fix order of bogus printout string manipulation.
- Fix to support harden-algo-downgrade for ZONEMD dnssec checks.
- Merge PR #528 from fobser: Make sldns_str2wire_svcparam_buf()
static.
- Fix #527: not sending quad9 cert to syslog (and may be more).
- Fix sed script in ssldir split handling.
- Fix #529: Fix: log_assert does nothing if UNBOUND_DEBUG is
undefined.
- Fix #531: Fix: passed to proc after free.
- Fix #536: error: RPZ: name of record (drop.spamhaus.org.rpz.local.)
to insert into RPZ.
- Fix the stream wait stream_wait_count_lock and http2 buffer locks
setup and desetup from race condition.
- Fix RPZ locks. Do not unlock zones lock if requested and rpz find
zone does not find the zone. Readlock the clientip that is found
for ipbased triggers. Unlock the nsdname zone lock when done.
Unlock zone and ip in rpz nsip and nsdname callback. Unlock
authzone and localzone if clientip found in rpz worker call.
- Fix compile warning in libunbound for listen desetup routine.
- Fix asynclook unit test for setup of lockchecks before log.
- Fix #533: Negative responses get cached even when setting
cache-max-negative-ttl: 1
- Fix tcp fastopen failure when disabled, try normal connect instead.
- Fix #538: Fix subnetcache statistics.
- Small fixes for #41: changelog, conflicts resolved,
processQueryResponse takes an iterator env argument like other
functions in the iterator, no colon in string for set_option,
and some whitespace style, to make it similar to the rest.
- Fix for #41: change outbound retry to int to fix signed comparison
warnings.
- Fix root_anchor test to check with new icannbundle date.
- Fix initialisation errors reported by gcc sanitizer.
- Fix lock debug code for gcc sanitizer reports.
- Fix more initialisation errors reported by gcc sanitizer.
- Fix crosscompile on windows to work with openssl 3.0.0 the
link with ws2_32 needs -l:libssp.a for __strcpy_chk.
Also copy results from lib64 directory if needed.
- For crosscompile on windows, detect 64bit stackprotector library.
- Fix crosscompile shell syntax.
- Fix crosscompile windows to use libssp when it exists.
- For the windows compile script disable gost.
- Fix that on windows, use BIO_set_callback_ex instead of deprecated
BIO_set_callback.
- Fix crosscompile script for the shared build flags.
- Fix to add example.conf note for outbound-msg-retry.
- Fix chaos replies to have truncation for short message lengths,
or long reply strings.
- Fix to protect custom regional create against small values.
- Fix #552: Unbound assumes index.html exists on RPZ host.
- Fix that forward-zone name is documented as the full name of the
zone. It is not relative but a fully qualified domain name.
- Fix analyzer review failure in rpz action override code to not
crash on unlocking the local zone lock.
- Fix to remove unused code from rpz resolve client and action
function.
- Merge #565: unbound.service.in: Disable ProtectKernelTunables again.
- Fix for #558: fix loop in comm_point->tcp_free when a comm_point is
reclaimed more than once during callbacks.
- Fix for #558: clear the UB_EV_TIMEOUT bit before adding an event.
- Improve EDNS option handling, now also works for synthesised
responses such as local-data and server.id CH TXT responses.
- Merge PR #570 from rex4539: Fix typos.
- Fix for #570: regen aclocal.m4, fix configure.ac for spelling.
- Fix to make python module opt_list use opt_list_in.
- Fix #574: unbound-checkconf reports fatal error if interface names
are used as value for interfaces:
- Fix #574: Review fixes for it.
- Fix #576: [FR] UB_* error codes in unbound.h
- Fix #574: Review fix for spelling.
- Fix to remove git tracking and ci information from release tarballs.
- iana portlist update.
- Merge PR #511 from yan12125: Reduce unnecessary linking.
- Merge PR #493 from Jaap: Fix generation of libunbound.pc.
- Merge PR #562 from Willem: Reset keepalive per new tcp session.
- Merge PR #522 from sibeream: memory management violations fixed.
- Merge PR #530 from Shchelk: Fix: dereferencing a null pointer.
- Fix #454: listen_dnsport.c:825: error: ‘IPV6_TCLASS’ undeclared.
- Fix #574: Review fixes for size allocation.
- Fix doc/unbound.doxygen to remove obsolete tag warning.
PR: 260360, 260417
Reported by: Jaap Akkerhuis <jaap@NLnetLabs.nl>
Submitted by: Jaap Akkerhuis <jaap@NLnetLabs.nl>
Added a new option DEP-RSA1024 to enable --with-deprecate-rsa-1024
Changelog:
- Merge PR #317: ZONEMD Zone Verification, with RFC 8976 support.
ZONEMD records are checked for zones loaded as auth-zone,
with DNSSEC if available. There is an added option
zonemd-permissive-mode that makes it log but not fail wrong zones.
With zonemd-reject-absence for an auth-zone the presence of a
zonemd can be mandated for specific zones.
- Fix: Resolve interface names on control-interface too.
- Merge #470 from edevil: Allow configuration of persistent TCP
connections.
- Fix #474: always_null and others inside view.
- Add that log-servfail prints an IP address and more information
about one of the last failures for that query.
- Merge #478: Allow configuration of TCP timeout while waiting for
response.
- Add ./configure --with-deprecate-rsa-1024 that turns off RSA 1024.
- Move the NSEC3 max iterations count in line with the 150 value
used by BIND, Knot and PowerDNS. This sets the default value
for it in the configuration to 150 for all key sizes.
- zonemd-check: yesno option, default no, enables the processing
of ZONEMD records for that zone.
- Merge #486 by fobster: Make VAL_MAX_RESTART_COUNT configurable.
- Merge PR #491: Add SVCB and HTTPS types and handling according to
draft-ietf-dnsop-svcb-https.
- Introduce 'http-user-agent:' and 'hide-http-user-agent:' options.
PR: 257809
Sponsored by: Rubicon Communications, LLC ("Netgate")
Changes: https://nlnetlabs.nl/news/2021/Feb/09/unbound-1.13.1-released/
PR: 253376
Submitted by: Jaap Akkerhuis <jaap AT NLnetLabs DOT nl> (maintainer)
Notes:
svn path=/head/; revision=564806
PR: 251821
Submitted by: delphij
Approved by: Jaap Akkerhuis (maintainer)
Obtained from: https://github.com/NLnetLabs/unbound/issues/376
MFH: 2020Q4
Notes:
svn path=/head/; revision=558269
* Sort options and port_docs while here
PR: 251563
Submitted by: Jaap Akkerhuis <jaap nlnetlabs nl> (maintainer)
Approved by: maintainer (implicit)
MFH: 2020Q4
Security: 388ebb5b-3c95-11eb-929d-d4c9ef517024
Notes:
svn path=/head/; revision=557836
PR: 250199
Submitted by: maintainer
Sponsored by: Rubicon Communications, LLC (Netgate)
Notes:
svn path=/head/; revision=552135
PR: 248808
Submitted by: Jaap Akkerhuis <jaap@NLnetLabs.nl> (maintainer)
Notes:
svn path=/head/; revision=545599
PR: 246648
Notes:
svn path=/head/; revision=541850
- Do not silence installation message
- Update dependent ports:
- Fix build with swig 4.0.1
- Update *_DEPENDS
- Remove BINARY_ALIAS
Changes: http://www.swig.org/news.php
PR: 246613
Exp-run by: antoine
Notes:
svn path=/head/; revision=539491
PR: 246569
Submitted by: Jaap Akkerhuis (maintainer)
MFH: 2020Q2
Security: CVE-2020-12662, CVE-2020-12663
Notes:
svn path=/head/; revision=535884
PR: 244244
Submitted by: Jaap Akkerhuis <jaap@NLnetLabs.nl> (maintainer)
Relnotes: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=244244#c0
Notes:
svn path=/head/; revision=526776
PR: 242603
Sponsored by: Netzkommune GmbH
Notes:
svn path=/head/; revision=520238
Changelog: https://nlnetlabs.nl/projects/unbound/security-advisories/#vulnerability-in-ipsec-module
PR: 242075
Submitted by: Jaap Akkerhuis <jaap@NLnetLabs.nl> (maintainer)
MFH: 2019Q4
Sponsored by: Netzkommune GmbH
Notes:
svn path=/head/; revision=518229
Changes: https://github.com/NLnetLabs/unbound/blob/master/doc/Changelog
PR: 241033
Reported by: C <cm@appliedprivacy.net>
Submitted by: Jaap Akkerhuis <jaap@NLnetLabs.nl> (maintainer)
Security: 108a4be3-e612-11e9-9963-5f1753e0aca0
MFH: 2019Q4
Notes:
svn path=/head/; revision=513730
While here, improve rc script
PR: 240163
Submitted by: Jaap Akkerhuis <jaap@NLnetLabs.nl> (maintainer)
Notes:
svn path=/head/; revision=510824
Notes:
svn path=/head/; revision=508835
Changes: https://github.com/libevent/libevent/releases/tag/release-2.1.11-stable
ABI: https://abi-laboratory.pro/tracker/timeline/libevent/
PR: 239599
Reported by: GitHub (watch releases)
Approved by: zeising (maintainer)
MFH: 2019Q3 (maybe security, partially restores 2.1.8 ABI)
Differential Revision: https://reviews.freebsd.org/D21133
Notes:
svn path=/head/; revision=507877