git: cfd10e7accaa - main - dns/unbound: Update to 1.15.0

From: Dries Michiels <driesm_at_FreeBSD.org>
Date: Thu, 17 Feb 2022 21:22:11 UTC
The branch main has been updated by driesm:

URL: https://cgit.FreeBSD.org/ports/commit/?id=cfd10e7accaa70a2ca3b7f7954d0dd7aa10a66b9

commit cfd10e7accaa70a2ca3b7f7954d0dd7aa10a66b9
Author:     Jaap Akkerhuis <jaap@NLnetLabs.nl>
AuthorDate: 2022-02-17 21:13:44 +0000
Commit:     Dries Michiels <driesm@FreeBSD.org>
CommitDate: 2022-02-17 21:21:08 +0000

    dns/unbound: Update to 1.15.0
    
    [The Makefile of the port got cleaned up to make portfmt happy]
    
    This release has bug fixes for crashes that happened on heavy network
    usage. The default for the aggressive-nsec option has changed; it is now
    enabled.
    
    The ratelimit logic had to be reworked for the crash fixes. As a result,
    there are new options to control the behaviour of ratelimiting.
    The ratelimit-backoff and ip-ratelimit-backoff options can be used to
    control how severe the backoff is when the ratelimit is exceeded.
    
    The rpz-signal-nxdomain-ra option can be used to unset the RA flag, for
    NXDOMAIN answers from RPZ. That is used by some clients to detect that
    the domain is externally blocked. The RPZ option for-downstream can be
    used like for auth zones; this allows the RPZ zone information to be
    queried. That can be useful for monitoring scripts.
    
    Features
    - Fix #596: unset the RA bit when a query is blocked by an unbound
      RPZ nxdomain reply. The option rpz-signal-nxdomain-ra allows to
      signal that a domain is externally blocked to clients when it
      is blocked with NXDOMAIN by unsetting RA.
    - Add rpz: for-downstream: yesno option, where the RPZ zone is
      authoritatively answered for, so the RPZ zone contents can be
      checked with DNS queries directed at the RPZ zone.
    - Merge PR #616: Update ratelimit logic. It also introduces
      ratelimit-backoff and ip-ratelimit-backoff configuration options.
    - Change aggressive-nsec default to yes.
    
    Bug Fixes
    - Fix compile warning for if_nametoindex on windows 64bit.
    - Merge PR #581 from fobser: Fix -Wmissing-prototypes and -Wshadow
      warnings in rpz.
    - Fix validator debug output about DS support, print correct algorithm.
    - Add code similar to fix for ldns for tab between strings, for
      consistency, the test case was not broken.
    - Allow local-data for classes other than IN to inherit a configured
      local-zone's type if possible, instead of defaulting to type
      transparent as per the implicit rule.
    - Fix to pick up other class local zone information before unlock.
    - Add missing configure flags for optional features in the
      documentation.
    - Fix Unbound capitalization in the documentation.
    - Fix #591: Unbound-anchor manpage links to non-existent license file.
    - contrib/aaaa-filter-iterator.patch file renewed diff content to
      apply cleanly to the current coderepo for the current code version.
    - Fix to add test for rpz-signal-nxdomain-ra.
    - Fix #596: only unset RA when NXDOMAIN is signalled.
    - Fix that RPZ does not set RD flag on replies, it should be copied
      from the query.
    - Fix for #596: fix that rpz return message is returned and not just
      the rcode from the iterator return path. This fixes signal unset RA
      after a CNAME.
    - Fix unit tests for rpz now that the AA flag returns successfully from
      the iterator loop.
    - Fix for #596: add unit test for nsdname trigger and signal unset RA.
    - Fix for #596: add unit test for nsip trigger and signal unset RA.
    - Fix #598: Fix unbound-checkconf fatal error: module conf
      'respip dns64 validator iterator' is not known to work.
    - Fix for #596: Fix rpz-signal-nxdomain-ra to work for clientip
      triggered operation.
    - Merge #600 from pemensik: Change file mode before changing file
      owner.
    - Fix prematurely terminated TCP queries when a reply has the same ID.
    - For #602: Allow the module-config "subnetcache validator cachedb
      iterator".
    - Fix EDNS to upstream where the same option could be attached
      more than once.
    - Add a region to serviced_query for allocations.
    - For dnstap, do not wakeupnow right there. Instead zero the timer to
      force the wakeup callback asap.
    - Fix #610: Undefine-shift in sldns_str2wire_hip_buf.
    - Fix #588: Unbound 1.13.2 crashes due to p->pc is NULL in
      serviced_udp_callback.
    - Merge PR #612: TCP race condition.
    - Test for NSID in SERVFAIL response due to DNSSEC bogus.
    - Fix #599: [FR] RFC 9156 (obsoletes RFC 7816), by noting the new RFC
      document.
    - Fix tls-* and ssl-* documented alternate syntax to also be available
      through remote-control and unbound-checkconf.
    - Better cleanup on failed DoT/DoH listening socket creation.
    - iana portlist update.
    - Fix review comment for use-after-free when failing to send UDP out.
    - Merge PR #603 from fobser: Use OpenSSL 1.1 API to access DSA and RSA
      internals.
    - Merge PR #532 from Shchelk: Fix: buffer overflow bug.
    - Merge PR #617: Update stub/forward-host notation to accept port and
      tls-auth-name.
    - Update stream_ssl.tdir test to also use the new forward-host
      notation.
    - Fix header comment for doxygen for authextstrtoaddr.
    - please clang analyzer for loop in test code.
    - Fix docker splint test to use more portable uname.
    - Update contrib/aaaa-filter-iterator.patch with diff for current
      software version.
    - Fix for #611: Integer overflow in sldns_wire2str_pkt_scan.
    
    PR:     261888
---
 dns/unbound/Makefile                               | 131 +++++++++++----------
 dns/unbound/distinfo                               |   6 +-
 .../files/patch-contrib_aaaa-filter-iterator.patch |  35 ------
 dns/unbound/pkg-plist                              |   2 +-
 4 files changed, 70 insertions(+), 104 deletions(-)

diff --git a/dns/unbound/Makefile b/dns/unbound/Makefile
index c5fc08a0b731..32f7aab536b8 100644
--- a/dns/unbound/Makefile
+++ b/dns/unbound/Makefile
@@ -1,7 +1,7 @@
 # Created by: Sergey Matveychuk <sem@FreeBSD.org>
 
 PORTNAME=	unbound
-DISTVERSION=	1.14.0
+DISTVERSION=	1.15.0
 CATEGORIES=	dns
 MASTER_SITES=	https://www.nlnetlabs.nl/downloads/unbound/ \
 		https://distfiles.crux.guru/
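Review bot: The DISTVERSION bump to 1.15.0 brings a changed default with no user-facing note. Per the commit message, aggressive-nsec is now enabled by default, yet the diffstat touches only Makefile, distinfo, pkg-plist and the removed patch file. Consider a pkg-message or UPDATING entry so operators who depended on the old default know to set "aggressive-nsec: no" explicitly.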
@@ -15,78 +15,79 @@ LICENSE_FILE=	${WRKSRC}/LICENSE
 LIB_DEPENDS=	libexpat.so:textproc/expat2
 
 USES=		autoreconf cpe libtool pkgconfig ssl
-
 CPE_VENDOR=	nlnetlabs
-GNU_CONFIGURE=	yes
-CONFIGURE_ARGS=	--with-ssl=${OPENSSLBASE} --with-libexpat=${LOCALBASE}
 USE_LDCONFIG=	yes
+USE_RC_SUBR=	unbound
+
+GNU_CONFIGURE=	yes
+CONFIGURE_ARGS=	--with-libexpat=${LOCALBASE} \
+		--with-ssl=${OPENSSLBASE}
 TEST_TARGET=	test
 
 USERS=		${PORTNAME}
 GROUPS=		${PORTNAME}
 
-USE_RC_SUBR=	unbound
+PORTDOCS=	CNAME-basedRedirectionDesignNotes.pdf CREDITS Changelog \
+		FEATURES IP-BasedActions.pdf LICENSE README README.DNS64 \
+		README.ipset.md README.svn README.tests TODO \
+		control_proto_spec.txt example.conf ietf67-design-02.odp \
+		ietf67-design-02.pdf requirements.txt
+
+OPTIONS_DEFINE=		DEP-RSA1024 DNSCRYPT DNSTAP DOCS DOH ECDSA EVAPI \
+			FILTER_AAAA GOST HIREDIS LIBEVENT MUNIN_PLUGIN PYTHON \
+			SUBNET TFOCL TFOSE THREADS
+OPTIONS_DEFAULT=	DOH ECDSA GOST LIBEVENT THREADS
+OPTIONS_SUB=		yes
 
-PORTDOCS=	CREDITS Changelog FEATURES LICENSE README \
-		README.DNS64  README.ipset.md README.svn README.tests \
-		TODO control_proto_spec.txt ietf67-design-02.odp \
-		ietf67-design-02.pdf requirements.txt example.conf \
-		CNAME-basedRedirectionDesignNotes.pdf IP-BasedActions.pdf
-
-OPTIONS_SUB=	yes
-OPTIONS_DEFINE=	THREADS PYTHON GOST ECDSA MUNIN_PLUGIN DOCS LIBEVENT \
-		FILTER_AAAA DNSTAP DNSCRYPT SUBNET EVAPI TFOCL TFOSE \
-		HIREDIS DOH DEP-RSA1024
-OPTIONS_DEFAULT=THREADS ECDSA LIBEVENT GOST DOH
-
-LIBEVENT_DESC=	Build against libevent
-GOST_DESC=	Enable GOST support (requires OpenSSL >= 1.0)
-ECDSA_DESC=	Enable ECDSA (elliptic curve) support (OpenSSL >= 1.0)
-MUNIN_PLUGIN_DESC=	Install Munin plugin
-FILTER_AAAA_DESC=	Build with AAAA filter functionality (contrib)
-DNSTAP_DESC=	Enable dnstap logging support
-DNSCRYPT_DESC=	Enable dnscrypt support
-SUBNET_DESC=	Enable client subnet support
-EVAPI_DESC=	(Experimental) pluggable event based libunbound API support
-TFOCL_DESC=	Enable TCP Fast Open for client mode
-TFOSE_DESC=	Enable TCP Fast Open for server mode
-HIREDIS_DESC=	Enable hiredis support for the cachedb module
-DOH_DESC=	Enable DNS-over-HTTPS support
 DEP-RSA1024_DESC=	Deprecate the use of RSA 1024 keys
+DNSCRYPT_DESC=		Enable dnscrypt support
+DNSTAP_DESC=		Enable dnstap logging support
+DOH_DESC=		Enable DNS-over-HTTPS support
+ECDSA_DESC=		Enable ECDSA (elliptic curve) support (OpenSSL >= 1.0)
+EVAPI_DESC=		(Experimental) pluggable event based libunbound API support
+FILTER_AAAA_DESC=	Build with AAAA filter functionality (contrib)
+GOST_DESC=		Enable GOST support (requires OpenSSL >= 1.0)
+HIREDIS_DESC=		Enable hiredis support for the cachedb module
+LIBEVENT_DESC=		Build against libevent
+MUNIN_PLUGIN_DESC=	Install Munin plugin
+SUBNET_DESC=		Enable client subnet support
+TFOCL_DESC=		Enable TCP Fast Open for client mode
+TFOSE_DESC=		Enable TCP Fast Open for server mode
 
-STRIP_FILES=	.libs/libunbound.so unbound-checkconf unbound \
-		unbound-control .libs/unbound-host .libs/unbound-anchor
+STRIP_FILES=	.libs/libunbound.so unbound-checkconf unbound unbound-control \
+		.libs/unbound-host .libs/unbound-anchor
 
-DNSTAP_CONFIGURE_ENABLE=dnstap
-DNSTAP_LIB_DEPENDS=	libfstrm.so:devel/fstrm \
-			libprotobuf-c.so:devel/protobuf-c
+DEP-RSA1024_CONFIGURE_ON=	--with-deprecate-rsa-1024
+DNSCRYPT_LIB_DEPENDS=		libsodium.so:security/libsodium
 DNSCRYPT_CONFIGURE_ENABLE=	dnscrypt
-DNSCRYPT_LIB_DEPENDS=	libsodium.so:security/libsodium
+DNSTAP_LIB_DEPENDS=		libfstrm.so:devel/fstrm \
+				libprotobuf-c.so:devel/protobuf-c
+DNSTAP_CONFIGURE_ENABLE=	dnstap
+DOH_LIB_DEPENDS=		libnghttp2.so:www/libnghttp2
+ECDSA_CONFIGURE_ENABLE=		ecdsa
+ECDSA_VARS=			DEPENDS_ARGS+=WITH_ECDSA=yes
+EVAPI_CONFIGURE_ENABLE=		event-api
+GOST_CONFIGURE_ENABLE=		gost
+GOST_VARS=			DEPENDS_ARGS+=WITH_GOST=yes
+HIREDIS_LIB_DEPENDS=		libhiredis.so:databases/hiredis
+HIREDIS_CONFIGURE_ON=		--enable-cachedb \
+				--with-libhiredis
+LIBEVENT_LIB_DEPENDS=		libevent.so:devel/libevent
+LIBEVENT_CONFIGURE_WITH=	libevent
+LIBEVENT_CPPFLAGS+=		$$(pkg-config libevent --cflags-only-I)
+LIBEVENT_LDFLAGS+=		$$(pkg-config libevent --libs-only-L)
+MUNIN_PLUGIN_SUB_FILES=		pkg-message
+PYTHON_BUILD_DEPENDS=		swig:devel/swig
+PYTHON_USES=			python
+PYTHON_CONFIGURE_ON=		--with-pythonmodule=yes \
+				--with-pyunbound=yes \
+				ac_cv_path_SWIG=${LOCALBASE}/bin/swig \
+				LDFLAGS="-L${LOCALBASE}/lib"
+PYTHON_VARS=			STRIP_FILES+=.libs/_unbound.so
 SUBNET_CONFIGURE_ENABLE=	subnet
-EVAPI_CONFIGURE_ENABLE=	event-api
-TFOCL_CONFIGURE_ENABLE=	tfo-client
-TFOSE_CONFIGURE_ENABLE=	tfo-server
-ECDSA_CONFIGURE_ENABLE=	ecdsa
-ECDSA_VARS=		DEPENDS_ARGS+=WITH_ECDSA=yes
-GOST_CONFIGURE_ENABLE=	gost
-GOST_VARS=		DEPENDS_ARGS+=WITH_GOST=yes
-LIBEVENT_CONFIGURE_WITH=libevent
-LIBEVENT_CPPFLAGS+=	$$(pkg-config libevent --cflags-only-I)
-LIBEVENT_LIB_DEPENDS=	libevent.so:devel/libevent
-LIBEVENT_LDFLAGS+=	$$(pkg-config libevent --libs-only-L)
-MUNIN_PLUGIN_SUB_FILES=	pkg-message
-PYTHON_BUILD_DEPENDS=	swig:devel/swig
-PYTHON_CONFIGURE_ON=	--with-pyunbound=yes --with-pythonmodule=yes \
-			LDFLAGS="-L${LOCALBASE}/lib" \
-			ac_cv_path_SWIG=${LOCALBASE}/bin/swig
-PYTHON_USES=		python
-PYTHON_VARS=		STRIP_FILES+=.libs/_unbound.so
-THREADS_CONFIGURE_WITH=	pthreads
-HIREDIS_CONFIGURE_ON=	--enable-cachedb --with-libhiredis
-HIREDIS_LIB_DEPENDS=	libhiredis.so:databases/hiredis
-DOH_CONFIGURE_ON=	--with-libnghttp2
-DOH_LIB_DEPENDS=	libnghttp2.so:www/libnghttp2
-DEP-RSA1024_CONFIGURE_ON=	--with-deprecate-rsa-1024
+TFOCL_CONFIGURE_ENABLE=		tfo-client
+TFOSE_CONFIGURE_ENABLE=		tfo-server
+THREADS_CONFIGURE_WITH=		pthreads
 
 post-patch:
 	@${RM} ${WRKSRC}/util/configlexer.c
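Review bot: The line "DOH_CONFIGURE_ON= --with-libnghttp2" is removed from the re-sorted option block and never re-added; the new block carries only DOH_LIB_DEPENDS for that option. DOH is in OPTIONS_DEFAULT, so a default build would depend on www/libnghttp2 without passing --with-libnghttp2 to configure, and DNS-over-HTTPS support may silently not be compiled in. Restore the line directly after DOH_LIB_DEPENDS, and check the built binary for DoH support before committing.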
@@ -100,8 +101,9 @@ post-patch-FILTER_AAAA-on:
 post-build:
 	@for s in ${STRIP_FILES}; do ${STRIP_CMD} ${WRKSRC}/$$s; done
 
-post-install-PYTHON-on:
-	@${STRIP_CMD} ${STAGEDIR}${PYTHON_SITELIBDIR}/_unbound.so
+post-install-DOCS-on:
+	${MKDIR} ${STAGEDIR}${DOCSDIR}
+	${INSTALL_DATA} ${PORTDOCS:S|^|${WRKSRC}/doc/|} ${STAGEDIR}${DOCSDIR}
 
 post-install-MUNIN_PLUGIN-on:
 	@${MKDIR} ${STAGEDIR}${PREFIX}/share/munin/plugins
@@ -112,8 +114,7 @@ post-install-MUNIN_PLUGIN-on:
 	@${CAT} ${WRKDIR}/pkg-message
 	@${ECHO_MSG} "============================================================="
 
-post-install-DOCS-on:
-	${MKDIR} ${STAGEDIR}${DOCSDIR}
-	${INSTALL_DATA} ${PORTDOCS:S|^|${WRKSRC}/doc/|} ${STAGEDIR}${DOCSDIR}
+post-install-PYTHON-on:
+	@${STRIP_CMD} ${STAGEDIR}${PYTHON_SITELIBDIR}/_unbound.so
 
 .include <bsd.port.mk>
diff --git a/dns/unbound/distinfo b/dns/unbound/distinfo
index 4d4f8c97286d..1d08d512c280 100644
--- a/dns/unbound/distinfo
+++ b/dns/unbound/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1639041796
-SHA256 (unbound-1.14.0.tar.gz) = 6ef91cbf02d5299eab39328c0857393de7b4885a2fe7233ddfe3c124ff5a89c8
-SIZE (unbound-1.14.0.tar.gz) = 6152326
+TIMESTAMP = 1644483707
+SHA256 (unbound-1.15.0.tar.gz) = a480dc6c8937447b98d161fe911ffc76cfaffa2da18788781314e81339f1126f
+SIZE (unbound-1.15.0.tar.gz) = 6163470
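Review bot: The new SHA256 and SIZE lines are the only integrity anchor for the distfile, and MASTER_SITES in the Makefile lists a third-party mirror (distfiles.crux.guru) alongside nlnetlabs.nl. Please confirm in the PR that the SHA256 value was compared against the checksum or signature NLnet Labs publishes for unbound-1.15.0.tar.gz, not just regenerated from whichever site served the download.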
diff --git a/dns/unbound/files/patch-contrib_aaaa-filter-iterator.patch b/dns/unbound/files/patch-contrib_aaaa-filter-iterator.patch
deleted file mode 100644
index c3e5fa607c2b..000000000000
--- a/dns/unbound/files/patch-contrib_aaaa-filter-iterator.patch
+++ /dev/null
@@ -1,35 +0,0 @@
---- contrib/aaaa-filter-iterator.patch.orig	2021-12-20 17:00:58 UTC
-+++ contrib/aaaa-filter-iterator.patch
-@@ -109,9 +109,9 @@ index 7bc67da6..e10f547a 100644
-  	iter_env->supports_ipv6 = cfg->do_ip6;
-  	iter_env->supports_ipv4 = cfg->do_ip4;
- +	iter_env->aaaa_filter = cfg->aaaa_filter;
-+	iter_env->outbound_msg_retry = cfg->outbound_msg_retry;
-  	return 1;
-  }
-- 
- diff --git a/iterator/iterator.c b/iterator/iterator.c
- index 23b07ea9..ca29b48c 100644
- --- a/iterator/iterator.c
-@@ -387,15 +387,15 @@ index 1d0e8658..f284dd43 100644
-  %token VAR_PRIVATE_DOMAIN VAR_REMOTE_CONTROL VAR_CONTROL_ENABLE
-  %token VAR_CONTROL_INTERFACE VAR_CONTROL_PORT VAR_SERVER_KEY_FILE
-  %token VAR_SERVER_CERT_FILE VAR_CONTROL_KEY_FILE VAR_CONTROL_CERT_FILE
--@@ -233,6 +234,7 @@ content_server: server_num_threads | server_verbosity | server_port |
-+@@ -244,6 +244,7 @@ content_server: server_num_threads | server_verbosity | server_port |
-  	server_dlv_anchor_file | server_dlv_anchor | server_neg_cache_size |
-  	server_harden_referral_path | server_private_address |
-- 	server_private_domain | server_extended_statistics | 
-+ 	server_private_domain | server_extended_statistics |
- +	server_aaaa_filter |
-- 	server_local_data_ptr | server_jostle_timeout | 
-- 	server_unwanted_reply_threshold | server_log_time_ascii | 
-- 	server_domain_insecure | server_val_sig_skew_min | 
--@@ -1563,6 +1565,15 @@ server_caps_whitelist: VAR_CAPS_WHITELIST STRING_ARG
-+ 	server_local_data_ptr | server_jostle_timeout |
-+ 	server_unwanted_reply_threshold | server_log_time_ascii |
-+
-+@@ -1742,6 +1744,15 @@ server_caps_whitelist: VAR_CAPS_WHITELIST STRING_ARG
-  			yyerror("out of memory");
-  	}
-  	;
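Review bot: Dropping this local fix-up means post-patch-FILTER_AAAA-on (named in the Makefile hunk header) now relies on the upstream contrib/aaaa-filter-iterator.patch applying cleanly as shipped in 1.15.0. FILTER_AAAA is in OPTIONS_DEFINE but not in OPTIONS_DEFAULT, so a default build does not exercise that path; please state that a build with FILTER_AAAA enabled was tested.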
diff --git a/dns/unbound/pkg-plist b/dns/unbound/pkg-plist
index a154daac7086..51a13b64bc5f 100644
--- a/dns/unbound/pkg-plist
+++ b/dns/unbound/pkg-plist
@@ -5,7 +5,7 @@ libdata/pkgconfig/libunbound.pc
 lib/libunbound.a
 lib/libunbound.so
 lib/libunbound.so.8
-lib/libunbound.so.8.1.14
+lib/libunbound.so.8.1.15
 %%PYTHON%%%%PYTHON_SITELIBDIR%%/_unbound.so
 %%PYTHON%%%%PYTHON_SITELIBDIR%%/unbound.py
 %%PYTHON%%%%PYTHON_SITELIBDIR%%/unboundmodule.py