author: he <he@pkgsrc.org> 2020-02-20 14:40:46 +0000
committer: he <he@pkgsrc.org> 2020-02-20 14:40:46 +0000
commit: a205a54cc0497674adfa5714f638b4f424763759
tree: 4e5da82fd3f9e2e327390318878a4a3f4618df80
parent: fbb8e5d8d479df4a54150fcd3c675ccae5c74a3e
Update unbound to version 1.10.0.

Pkgsrc changes:
 * Adjust line numbers in patch.

Upstream changes:

The 1.10.0 release has RPZ support and serve stale functionality
according to draft draft-ietf-dnsop-serve-stale-10. And a number of
other, smaller, features, and bug fixes.

The DNS Response Policy Zones (RPZ) functionality makes it possible to
express DNS response policies in a DNS zone. These zones can be loaded
from file or transferred over DNS zone transfers or HTTP. The RPZ
functionality in Unbound is implemented as specified in
draft-vixie-dnsop-dns-rpz-00. Only the QNAME and Response IP Address
triggers are supported. The supported RPZ actions are: NXDOMAIN, NODATA,
PASSTHRU, DROP and Local Data.

Enabling the respip module using `module-config` is required to use RPZ.
Each RPZ zone can be configured using the `rpz` clause. RPZ clauses are
applied in order of configuration. Unbound can get the data from zone
transfer, a zonefile or https url, and more options are documented in
the man page. A minimal RPZ configuration that will transfer the RPZ
zone using AXFR and IXFR can look like:

    server:
        module-config: "respip validator iterator"
    rpz:
        name: "rpz.example.com" # name of the policy zone
        master: 192.0.2.0       # address of the name server to transfer from

The serve-stale functionality as described in
draft-ietf-dnsop-serve-stale-10 is now supported in unbound. This allows
unbound to first try and resolve a domain name before replying with
expired data from cache. This differs from unbound's initial
serve-expired behavior which attempts to reply with expired entries from
cache without waiting for the actual resolution to finish. Both
behaviors are available and can be configured with the various
serve-expired-* configuration options. serve-expired-client-timeout is
the option that enables one or the other.

The DSA algorithms have been disabled by default, this is because of
RFC 8624.

There is a crash fix in the parse of text of type WKS, reported by
X41 D-Sec.

In addition, neg and key caches can be shared with multiple libunbound
contexts, a change that assists unwind. The
contrib/unbound_portable.service provides a systemd start file for a
portable setup. The configure --with-libbsd option allows the use of the
bsd compatibility library so that it can use the arc4random from it. The
stats in contrib/unbound_munin_ have num.query.tls and
num.query.tls.resume added to them. For unbound-control the command
view_local_datas_remove is added that removes data from a view.

Features:
- Merge RPZ support into master. Only QNAME and Response IP triggers are
  supported.
- Added serve-stale functionality as described in
  draft-ietf-dnsop-serve-stale-10. `serve-expired-*` options can be used
  to configure the behavior.
- Updated cachedb to honor `serve-expired-ttl`; Fixes #107.
- Renamed statistic `num.zero_ttl` to `num.expired` as expired replies
  come with a configurable TTL value (`serve-expired-reply-ttl`).
- Merge #135 from Florian Obser: Use passed in neg and key cache if
  non-NULL.
- Fix #153: Disable validation for DSA algorithms. RFC 8624 compliance.
- Merge PR#151: Fixes for systemd units, by Maryse47, Edmonds and Frzk.
  Updates the unbound.service systemd file and adds a portable systemd
  service file.
- Merge PR#154; Allow use of libbsd functions with configure option
  --with-libbsd. By Robert Edmonds and Steven Chamberlain.
- Merge PR#148; Add some TLS stats to unbound_munin_. By Fredrik Pettai.
- Merge PR#156 from Alexander Berkes; Added unbound-control
  view_local_datas_remove command.

Bug Fixes:
- Fix typo to let serve-expired-ttl work with ub_ctx_set_option(), by
  Florian Obser
- Update mailing list URL.
- Fix #140: Document slave not downloading new zonefile upon update.
- Downgrade compat/getentropy_solaris.c to version 1.4 from OpenBSD.
  The dl_iterate_phdr() function introduced in newer versions raises
  compilation errors on solaris 10.
- Changes to compat/getentropy_solaris.c for,
  ifdef stdint.h inclusion for older systems.
  ifdef sha2.h inclusion for older systems.
- Fix 'make test' to work for --disable-sha1 configure option.
- Fix out-of-bounds null-byte write in sldns_bget_token_par while
  parsing type WKS, reported by Luis Merino from X41 D-Sec.
- Updated sldns_bget_token_par fix for also space for the zero
  delimiter after the character. And update for more spare space.
- Fix #138: stop binding pidfile inside chroot dir in systemd service
  file.
- Fix the relationship between serve-expired and prefetch options,
  patch from Saksham Manchanda from Secure64.
- Fix unreachable code in ssl set options code.
- Removed the dnscrypt_queries and dnscrypt_queries_chacha tests,
  because dnscrypt-proxy (2.0.36) does not support the test setup any
  more, and also the config file format does not seem to have the
  appropriate keys to recreate that setup.
- Fix crash after reload where a stats lookup could reference old key
  cache and neg cache structures.
- Fix for memory leak when edns subnet config options are read when
  compiled without edns subnet support.
- Fix auth zone support for NSEC3 records without salt.
- Merge PR#150 from Frzk: Systemd unit without chroot. It adds
  contrib/unbound_nochroot.service.in, a systemd file for use with
  chroot: "", see comments in the file, it uses systemd protections
  instead. It was superseded by #151, the unbound_portable.service file.
- Merge PR#155 from Robert Edmonds: contrib/libunbound.pc.in: Fixes to
  Libs/Requires for crypto library dependencies.
- iana portlist updated.
- Fix to silence the tls handshake errors for broken pipe and reset by
  peer, unless verbosity is set to 2 or higher.
- Merge PR#147; change rfc reference for reserved top level dns names.
- Fix #157: undefined reference to `htobe64'.
- Fix subnet tests for disabled DSA algorithm by default.
- Update contrib/fastrpz.patch for clean diff with current code.
- updated .gitignore for added contrib file.
- Add build rule for ipset to Makefile
- Add getentropy_freebsd.o to Makefile dependencies.
- Fix memory leak in error condition remote.c
- Fix double free in error condition view.c
- Fix memory leak in do_auth_zone_transfer on success
- Stop working on socket when socket() call returns an error.
- Check malloc return values in TLS session ticket code
- Fix fclose on error in TLS session ticket code.
- Add assertion to please static analyzer
- Fixed stats when replying with cached, cname-aliased records.
- Added missing default values for redis cachedb backend.
- Fix num_reply_addr counting in mesh and tcp drop due to size after
  serve_stale commit.
- Fix to create and destroy rpz_lock in auth_zones structure.
- Fix to lock zone before adding rpz qname trigger.
- Fix to lock and release once in mesh_serve_expired_lookup.
- Fix to put braces around empty if body when threading is disabled.
- Fix num_reply_states and num_detached_states counting with
  serve_expired_callback.
- Cleaner code in mesh_serve_expired_lookup.
- Document in unbound.conf manpage that configuration clauses can be
  repeated in the configuration file.
- Document 'ub_result.was_ratelimited' in libunbound.
- Fix use after free on log-identity after a reload; Fixes #163.
- Fix with libnettle make test with dsa disabled.
- Fix contrib/fastrpz.patch to apply cleanly. Fix for serve-stale
  fixes, but it does not compile, conflicts with new rpz code.
- Fix to clean memory leak of respip_addr.lock when ip_tree deleted.
- Fix compile warning when threads disabled.

-rw-r--r--  net/unbound/Makefile                 4
-rw-r--r--  net/unbound/distinfo                12
-rw-r--r--  net/unbound/patches/patch-configure  4
3 files changed, 10 insertions, 10 deletions
diff --git a/net/unbound/Makefile b/net/unbound/Makefile
index 65495c28ad2..fe1632c0adb 100644
--- a/net/unbound/Makefile
+++ b/net/unbound/Makefile
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.74 2019/12/12 14:26:38 he Exp $
+# $NetBSD: Makefile,v 1.74.4.1 2020/02/20 14:40:46 he Exp $
-DISTNAME= unbound-1.9.6
+DISTNAME= unbound-1.10.0
CATEGORIES= net
MASTER_SITES= http://www.nlnetlabs.nl/downloads/unbound/
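Review bot: MASTER_SITES in the trailing context still points at http://www.nlnetlabs.nl/downloads/unbound/, so the 1.10.0 distfile named by the new DISTNAME is fetched over an unauthenticated channel and its integrity rests entirely on the checksums in distinfo. Consider moving the URL to https in the same commit as the version bump.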
diff --git a/net/unbound/distinfo b/net/unbound/distinfo
index 61bc3e7aa31..e70f750a34e 100644
--- a/net/unbound/distinfo
+++ b/net/unbound/distinfo
@@ -1,7 +1,7 @@
-$NetBSD: distinfo,v 1.56 2019/12/12 14:26:38 he Exp $
+$NetBSD: distinfo,v 1.56.4.1 2020/02/20 14:40:46 he Exp $
-SHA1 (unbound-1.9.6.tar.gz) = b6af3dc87ec3b372f96390c2527140ab8679fc18
-RMD160 (unbound-1.9.6.tar.gz) = 91d58d5eb3e4341ae816612795cc546559914138
-SHA512 (unbound-1.9.6.tar.gz) = 39a60f51da912ed25d247bc1e882b1242d80a63b0c2b3f753d38ed558f3a24691267375136ff6d85e5945a98ca0c4ac87e43e131c97737a355374dde64259951
-Size (unbound-1.9.6.tar.gz) = 5680145 bytes
-SHA1 (patch-configure) = eabd0c478e92ebe37adf143849389e0e792dc77f
+SHA1 (unbound-1.10.0.tar.gz) = 2c175131f7f4c8f6fd2be4a03073d864596d0be6
+RMD160 (unbound-1.10.0.tar.gz) = 10742b2cb66be0965553e8461f1f5abdeb4b4593
+SHA512 (unbound-1.10.0.tar.gz) = a64514990f5d614d749045a11f5ce9bb33cf856cc31895b4db3503f2b05a98f1ca57945b17dd7ec5befbd0c356fc42a717d3e2bae3d3510a0507d0445b1f6d59
+Size (unbound-1.10.0.tar.gz) = 5727902 bytes
+SHA1 (patch-configure) = a949bdb26b37950c0301946af4521c9d0e984cf9
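Review bot: the new SHA1, RMD160 and SHA512 lines for unbound-1.10.0.tar.gz are the only integrity anchor for the distfile, and neither this hunk nor the commit message records that the tarball was compared with the digest or signature upstream publishes before the sums were generated. Please state that check in the commit message. The changed "SHA1 (patch-configure)" line is consistent with the patch-configure edit in this same commit.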
diff --git a/net/unbound/patches/patch-configure b/net/unbound/patches/patch-configure
index a500f6b972b..335985d4f38 100644
--- a/net/unbound/patches/patch-configure
+++ b/net/unbound/patches/patch-configure
@@ -1,11 +1,11 @@
-$NetBSD: patch-configure,v 1.3 2018/12/04 12:04:22 he Exp $
+$NetBSD: patch-configure,v 1.3.12.1 2020/02/20 14:40:46 he Exp $
Pretend expat.h is found: it is guaranteed by PkgSrc, but on Darwin it might
be buried inside an SDK; we don't want the SDK path being exposed in CFLAGS.
--- configure.orig 2017-07-09 07:41:42.000000000 +0000
+++ configure
-@@ -19030,7 +19030,7 @@ fi
+@@ -19489,7 +19489,7 @@ fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for libexpat" >&5
$as_echo_n "checking for libexpat... " >&6; }
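Review bot: in the embedded patch only the hunk header moves, from "@@ -19030,7 +19030,7 @@" to "@@ -19489,7 +19489,7 @@", while the "--- configure.orig 2017-07-09 07:41:42" line keeps its old timestamp, which suggests the offsets were adjusted by hand rather than the patch being regenerated against the 1.10.0 configure. Regenerating it would refresh that header and confirm that the context lines around the libexpat check still match, instead of relying on the new line number alone.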