Commit Graph

7257 Commits

Author SHA1 Message Date
mrg 74059485b4 regen for GCC 6.4 (no real change) 2018-02-06 09:36:34 +00:00
mrg dff6d09fe0 port to mips and alpha. 2018-02-06 09:31:56 +00:00
mrg d79d5e15a2 rebuild mknative GCC 6.4 for these targets:
arm armeb earmeb earmhf earmhfeb earmv4eb
	earmv6 earmv6eb earmv6hf earmv6hfeb
	earmv7 earmv7eb earmv7hf earmv7hfeb
	hppa ia64 m68000 m68k
	mips64eb mips64el mipseb mipsel
	powerpc64 sh3eb sh3el vax
2018-02-06 09:18:14 +00:00
christos 69e7f0ccfa put back all the build info in one place (Makefile.inc) 2018-02-06 03:30:18 +00:00
christos d164780ad1 provide 2 configs: one for openssl-1.0 and one for openssl-1.1 since they
chose to configure each function separately.
2018-02-06 03:29:57 +00:00
christos 74a545eecc merge conflicts 2018-02-06 03:05:47 +00:00
christos 0cd9f4ecf4 Unbound 1.6.8
Download: unbound-1.6.8.tar.gz
SHA1 checksum: 492737be9647c26ee39d4d198f2755062803b412
SHA256 checksum: e3b428e33f56a45417107448418865fe08d58e0e7fea199b855515f60884dd49
PGP signature: unbound-1.6.8.tar.gz.asc
Date: 19 Jan, 2018
Bug Fixes
Fix for CVE-2017-15105: vulnerability in the processing of wildcard synthesized NSEC records.
Older versions
Unbound 1.6.7
Download: unbound-1.6.7.tar.gz
SHA1 checksum: 098f8acfc3e9d1cab54f07863e61eabbb67c80dc
SHA256 checksum: 4e7bd43d827004c6d51bef73adf941798e4588bdb40de5e79d89034d69751c9f
PGP signature: unbound-1.6.7.tar.gz.asc
Date: 10 Oct, 2017
Features
Set trust-anchor-signaling default to yes
#1440: [dnscrypt] client nonce cache.
#1435: Allow UDP to be disabled separately upstream and downstream.
Bug Fixes
Fix that looping modules always stop the query, and don't pass control.
Fix unbound-host to report error for DNSSEC state of failed lookups.
Spelling fixes, from Josh Soref.
Fix #1400: allowing use of global cache on ECS-forwarding unless always-forward.
use a cachedb answer even if it's "expired" when serve-expired is yes (patch from Jinmei Tatuya).
trigger refetching of the answer in that case (this will bypass cachedb lookup)
allow storing a 0-TTL answer from cachedb in the in-memory message cache when serve-expired is yes
Fix DNSCACHE_STORE_ZEROTTL to be bigger than 0xffff.
Log name of looping module
Fix #1450: Generate again patch contrib/aaaa-filter-iterator.patch (by Danilo G. Baio).
Fix param unused warning for windows exportsymbol compile.
Use RCODE from A query on DNS64 synthesized answer.
Fix trust-anchor-signaling works in libunbound.
Fix spelling in unbound-control man page.
Unbound 1.6.6
Download: unbound-1.6.6.tar.gz
SHA1 checksum: d205c03a402f5d900d5bad3d036849a12804a49e
SHA256 checksum: 972b14dc33093e672652a7b2b5f159bab2198b0fe9c9e1c5707e1895d4d4b390
PGP signature: unbound-1.6.6.tar.gz.asc
Date: 18 Sep, 2017
Features
unbound-control dump_infra prints port number for address if not 53.
Fix #1344: RFC6761-reserved domains: test. and invalid.
Fix #1349: allow suppression of pidfiles (from Daniel Kahn Gillmor). With the -p option unbound does not create a pidfile.
Added stats for queries that have been ratelimited by domain recursion.
Patch to show DNSCrypt status in help output, from Carsten Strotmann.
Fix #1407: Add ECS options check to unbound-checkconf.
Fix #1415: [dnscrypt] shared secret cache, patch from Manu Bretelle.
Bug Fixes
fixup of dnscrypt_cert_chacha test (from Manu Bretelle).
First fix for zero b64 and hex text zone format in sldns.
Better fixup of dnscrypt_cert_chacha test for different escapes.
Fix that infra cache host hash does not change after reconfig.
Fix python example0 return module wait instead of error for pass.
enhancement for hardened-tls for DNS over TLS. Removed duplicated security settings.
Fix for unbound-checkconf, check ipsecmod-hook if ipsecmod is turned on.
Fix #1331: libunbound segfault in threaded mode when context is deleted.
Fix pythonmod link line option flag.
Fix openssl 1.1.0 load of ssl error strings from ssl init.
Fix 1332: Bump verbosity of failed chown'ing of the control socket.
Redirect all localhost names to localhost address for RFC6761.
Fix #1350: make cachedb backend configurable (from JINMEI Tatuya).
Fix tests to use .tdir (from Manu Bretelle) instead of .tpkg.
upgrade aclocal(pkg.m4 0.29.1), config.guess(2016-10-02), config.sub(2016-09-05).
annotate case statement fallthrough for gcc 7.1.1.
flex output from flex 2.6.1.
snprintf of thread number does not warn about truncated string.
squelch TCP fast open error on FreeBSD when kernel has it disabled, unless verbosity is high.
remove warning from windows compile.
Fix compile with libnettle
Fix DSA configure switch (--disable dsa) for libnettle and libnss.
Fix #1365: Add Ed25519 support using libnettle.
Fix #1394: mix of serve-expired and response-ip could cause a crash.
Remove unused iter_env member (ip6arpa_dname)
Do not reset rrset.bogus stats when called using stats_noreset.
Do not add rrset_bogus and query ratelimiting stats per thread, these module stats are global.
Fix #1397: Recursive DS lookups for AS112 zones names should recurse.
Fix #1398: make cachedb secret configurable.
Remove spaces from Makefile.
Fix issue on macOX 10.10 where TCP fast open is detected but not implemented causing TCP to fail. The fix allows fallback to regular TCP in this case and is also more robust for cases where connectx() fails for some reason.
Fix #1402: squelch invalid argument error for fd_set_block on windows.
Fix to reclaim tcp handler when it is closed due to dnscrypt buffer allocation failure.
Fix #1415: patch to free dnscrypt environment on reload.
iana portlist update
Small fixes for the shared secret cache patch.
Fix WKS records on kvm autobuild host, with default protobyname entries for udp and tcp.
Fix #1414: fix segfault on parse failure and log_replies.
zero qinfo in handle_request, this zeroes local_alias and also the qname member.
new keys and certs for dnscrypt tests.
fixup WKS test on buildhost without servicebyname.
updated contrib/fastrpz.patch to apply with configparser changes.
Fix 1416: qname-minimisation breaks TLSA lookups with CNAMEs.
Fix #1424: cachedb:testframe is not thread safe.
Fix #1417: [dnscrypt] shared secret cache counters, and works when dnscrypt is not enabled. And cache size configuration option.
Fix #1418: [ip ratelimit] initialize slabhash using ip-ratelimit-slabs.
Recommend 1472 buffer size in unbound.conf
Fix #1412: QNAME minimisation strict mode not honored
Fix #1434: Fix windows openssl 1.1.0 linking.
Add dns64 for client-subnet in unbound-checkconf.
Unbound 1.6.5
Download: unbound-1.6.5.tar.gz
SHA1 checksum: ecb260b94d139d84fae2bff80f9701f53a329e26
SHA256 checksum: e297aa1229015f25bf24e4923cb1dadf1f29b84f82a353205006421f82cc104e
PGP signature: unbound-1.6.5.tar.gz.asc
Date: 21 Aug, 2017
Bug Fixes
Fix install of trust anchor when two anchors are present, makes both valid. Checks hash of DS but not signature of new key. This fixes the root.key file if created when unbound is installed between sep11 and oct11 2017.
Unbound 1.6.4
Download: unbound-1.6.4.tar.gz
SHA1 checksum: 836ecc48518b9159f600a738c276423ef1f95021
SHA256 checksum: df0a88816ec31ccb8284c9eb132e1166fbf6d9cde71fbc4b8cd08a91ee777fed
PGP signature: unbound-1.6.4.tar.gz.asc
Date: 27 Jun, 2017
Features
Implemented trust anchor signaling using key tag query.
unbound-checkconf -o allows query of dnstap config variables. Also unbound-control get_option. Also for dnscrypt.
unbound.h exports the shm stats structures. They use type long long and no ifdefs, and ub_ before the typenames.
Implemented opportunistic IPsec support module (ipsecmod).
Added redirect-bogus.patch to contrib directory.
Support for the ED25519 algorithm with openssl (from openssl 1.1.1).
renumbering B-Root's IPv6 address to 2001:500:200::b.
Fix #1276: [dnscrypt] add XChaCha20-Poly1305 cipher.
Fix #1277: disable domain ratelimit by setting value to 0.
Added fastrpz patch to contrib
Bug Fixes
Added ECS unit test (from Manu Bretelle).
ECS documentation fix (from Manu Bretelle).
Fix #1252: more indentation inconsistencies.
Fix #1253: unused variable in edns-subnet/addrtree.c:getbit().
Fix #1254: clarify ratelimit-{for,below}-domain (from Manu Bretelle).
iana portlist update
Based on #1257: check parse limit before t increment in sldns RR string parse routine.
Fix #1258: Windows 10 X64 unbound 1.6.2 service will not start. and fix that 64bit getting installed in C:\Program Files (x86).
Fix #1259: "--disable-ecdsa" argument overwritten by "#ifdef SHA256_DIGEST_LENGTH@daemon/remote.c".
iana portlist update
Added test for leak of stub information.
Fix sldns wire2str printout of RR type CAA tags.
Fix sldns int16_data parse.
Fix sldns parse and printout of TSIG RRs.
sldns SMIMEA and AVC definitions, same as getdns definitions.
Fix tcp-mss failure printout text.
Set SO_REUSEADDR on outgoing tcp connections to fix the bind before connect limited tcp connections. With the option tcp connections can share the same source port (for different destinations).
Add 'c' to getopt() in testbound.
Adjust servfail by iterator to not store in cache when serve-expired is enabled, to avoid overwriting useful information there.
Fix queries for nameservers under a stub leaking to the internet.
document trust-anchor-signaling in example config file.
updated configure, dependencies and flex output.
better module memory lookup, fix of unbound-control shm names for module memory printout of statistics.
Fix type AVC sldns rrdef.
Some whitespace fixup.
Fix #1265: contrib/unbound.service contains hardcoded path.
Fix #1265 to use /bin/kill.
Fix #1267: Libunbound validator/val_secalgo.c uses obsolete APIs, and compatibility with BoringSSL.
Fix #1268: SIGSEGV after log_reopen.
exec_prefix is by default equal to prefix.
printout localzone for duplicate local-zone warnings.
Fix assertion for low buffer size and big edns payload when worker overrides udpsize.
Support for openssl EVP_DigestVerify.
Fix #1269: inconsistent use of built-in local zones with views.
Add defaults for new local-zone trees added to views using unbound-control.
Fix #1273: cachedb.c doesn't compile with -Wextra.
If MSG_FASTOPEN gives EPIPE fallthrough to try normal tcp write.
Also use global local-zones when there is a matching view that does not have any local-zone specified.
Fix fastopen EPIPE fallthrough to perform connect.
Fix #1274: automatically trim chroot path from dnscrypt key/cert paths (from Manu Bretelle).
Fix #1275: cached data in cachedb is never used.
Fix that unbound-control can set val_clean_additional and val_permissive_mode.
Add dnscrypt XChaCha20 tests.
Detect chacha for dnscrypt at configure time.
dnscrypt unit tests with chacha.
Added domain name based ECS whitelist.
Fix #1278: Incomplete wildcard proof.
Fix #1279: Memory leak on reload when python module is enabled.
Fix #1280: Unbound fails assert when response from authoritative contains malformed qname. When 0x20 caps-for-id is enabled, when assertions are not enabled the malformed qname is handled correctly.
More fixes in depth for buffer checks in 0x20 qname checks.
Fix stub zone queries leaking to the internet for harden-referral-path ns checks.
Fix query for refetch_glue of stub leaking to internet.
Fix #1301: memory leak in respip and tests.
Free callback in edns-subnetmod on exit and restart.
Fix memory leak in sldns_buffer_new_frm_data.
Fix memory leak in dnscrypt config read.
Fix dnscrypt chacha cert support ifdefs.
Fix dnscrypt chacha cert unit test escapes in grep.
Fix to unlock view in view test.
Fix warning in pythonmod under clang compiler.
Fix lintian typo.
Fix #1316: heap read buffer overflow in parse_edns_options.
Unbound 1.6.3
Download: unbound-1.6.3.tar.gz
SHA1 checksum: 4477627c31e8728058565f3bae3a12a1544d8a9c
SHA256 checksum: 4c7e655c1d0d2d133fdeb81bc1ab3aa5c155700f66c9f5fb53fa6a5c3ea9845f
PGP signature: unbound-1.6.3.tar.gz.asc
Date: 13 Jun, 2017
Bug Fixes
Fix #1280: Unbound fails assert when response from authoritative contains malformed qname. When 0x20 caps-for-id is enabled, when assertions are not enabled the malformed qname is handled correctly.
Unbound 1.6.2
Download: unbound-1.6.2.tar.gz
SHA1 checksum: de370b1ac8e260db9c4c1504453752713dd8818f
SHA256 checksum: 1a323d72c32180b7141c9e6ebf199fc68a0208dfebad4640cd2c4c27235e3b9c
PGP signature: unbound-1.6.2.tar.gz.asc
Date: 24 Apr, 2017
Features
Add trustanchor.unbound CH TXT that gets a response with a number of TXT RRs with a string like "example.com. 2345 1234" with the trust anchors and their keytags.
Patch for view functionality for local-data-ptr from Björn Ketelaars.
Response actions based on IP address from Jinmei Tatuya (Infoblox).
Patch from Luiz Fernando Softov for Stats Shared Memory.
unbound-control stats_shm command prints stats using shared memory, which uses less cpu.
--disable-sha1 disables SHA1 support in RRSIG, so from DNSKEY and DS records. NSEC3 is not disabled.
#1217. DNSCrypt support, with --enable-dnscrypt, libsodium and then enabled in the config file from Manu Bretelle.
Merge EDNS Client subnet implementation from feature branch into main branch, using new EDNS processing framework.
harden-algo-downgrade: no also makes unbound more lenient about digest algorithms in DS records.
Bug Fixes
sldns has ED25519 and ED448 algorithm number and name for display.
sldns updated for vfixed and buffer resize indication from getdns.
iana portlist update
Fix #1224: Fix that defaults should not fall back to "Program Files (x86) if Unbound is 64bit by default on windows.
Fix doc/CNAME-basedRedirectionDesignNotes.pdf zone static to redirect.
make depend, autoconf, doxygen and lint fixed up.
include sys/time.h for new shm code on NetBSD.
Fix #1227: Fix that Unbound control allows weak ciphersuits.
Fix #1226: provide official 32bit binary for windows.
For #1227: if we have sha256, set the cipher list to have no known vulns.
Fix testpkts.c, check if DO bit is set, not only if there is an OPT record.
Fix #1229: Systemd service sandboxing in contrib/unbound.service.
Fix #1230: swig version 2.0.1 is required for pythonmod, with 1.3.40 it crashes when running repeatly unbound-control reload.
fix enum conversion warnings
fake-sha1 test option; print warning if used. To make unit tests.
unbound-control list local zone and data commands listed in the help output.
Fix #1234: shortening DNAME loop produces duplicate DNAME records in ANSWER section.
testbound understands Deckard MATCH rcode question answer commands.
Fix #1235: Fix too long DNAME expansion produces SERVFAIL instead of YXDOMAIN + query loop, reported by Petr Spacek.
Fix that SHM is not inited if not enabled.
Fix that looped DNAMEs do not cause unbound to spend effort.
trustanchor tags are sorted. reusable routine to fetch taglist.
Fix #1237 - Wrong resolving in chain, for norec queries that get SERVFAIL returned.
make depend, autoconf, remove warnings about statement before var.
lru_demote and lruhash_insert_or_retrieve functions for getdns.
fixup for lruhash (whitespace and header file comment).
dnscrypt tests.
Fix doxygen for dnscrypt files.
Fix #1238: segmentation fault when adding through the remote interface a per-view local zone to a view with no previous (configured) local zones.
Fix #1229: Systemd service sandboxing, options in wrong sections.
Fix #1239: configure fails to find python distutils if python prints warning.
Fix to prevent non-referal query from being cached as referal when the no_cache_store flag was set.
Remove (now unused) event2 include from dnscrypt code.
Fix #1217: Add metrics to unbound-control interface showing crypted, cert request, plaintext and malformed queries (from Manu Bretelle).
Do not add current time twice to TTL before ECS cache store.
Do not touch rrset cache after ECS cache message generation.
Use LDNS_EDNS_CLIENT_SUBNET as default ECS opcode.
Fix #1244: document that use of chroot requires trust anchor file to be under chroot.
Small fixup for documentation.
Fix respip for braces when locks arent used.
Fix pythonmod for cb changes.
Generalise inplace callback (de)registration
(de)register inplace callbacks for module id
No unbound-control set_option for ECS options
Deprecated client-subnet-opcode config option
Introduced client-subnet-always-forward config option
Changed max-client-subnet-ipv6 default to 56 (as in RFC)
Removed extern ECS config options
module_restart_next now calls clear on all following modules
Also create ECS module qstate on module_event_pass event
remove malloc from inplace_cb_register
Unlock view in respip unit test
Some whitespace fixup.
Remove ECS option after REFUSED answer.
Fix small memory leak in edns_opt_copy_alloc.
Respip dereference after NULL check.
Zero initialize addrtree allocation.
Use correct identifier for SHM destroy.
Display ECS module memory usage.
Fix #1247: unbound does not shorten source prefix length when forwarding ECS.
Properly check for allocation failure in local_data_find_tag_datas.
Fix #1249: unbound doesn't return FORMERR to bogus ECS.
Set SHM ECS memory usage to 0 when module not loaded.
subnet mem value is available in shm, also when not enabled, to make the struct easier to memmap by other applications, independent of the configuration of unbound.
Fix #1250: inconsistent indentation in services/listen_dnsport.c.
Unbound 1.6.1
Download: unbound-1.6.1.tar.gz
SHA1 checksum: 41369fcfd37844b02b7293b37ec78e69f0db34c7
SHA256 checksum: 42df63f743c0fe8424aeafcf003ad4b880b46c14149d696057313f5c1ef51400
PGP signature: unbound-1.6.1.tar.gz.asc
Date: 21 Feb, 2017
Features
configure --enable-systemd and lets unbound use systemd sockets if you enable use-systemd: yes in unbound.conf. Also there are contrib/unbound.socket and contrib/unbound.service: systemd files for unbound, install them in /usr/lib/systemd/system. Contributed by Sami Kerola and Pavel Odintsov.
[bugzilla: 1187 ]
Source IP rate limiting, patch from Larissa Feng.
[bugzilla: 1184 ]
Log DNS replies. This includes the same logging information that DNS queries and response code and response size, patch from Larissa Feng.
Include root trust anchor id 20326 in unbound-anchor.
64bit is default for windows builds.
Bug Fixes
[bugzilla: 1176 ]
Fix stack size too small for Alpine Linux.
Fix unbound-control and ipv6 only.
[bugzilla: 1182 ]
Fix Resource leak (socket), at startup.
[bugzilla: 1178 ]
Fix attempt to fix setup error at end, pop result values at end of install.
iana portlist update
Fix inet_ntop and inet_pton warnings in windows compile.
[bugzilla: 1191 ]
Fix remove comment about view deletion.
[bugzilla: 1188 ]
Fix unresolved symbol 'fake_dsa' in libunbound.so when built with Nettle
[bugzilla: 1190 ]
Fix to not echo back EDNS options in local-zone error response.
[bugzilla: 1194 ]
Fix if cross build fails when $host isn't `uname` for getentropy.
Fix reload chdir failure when also chrooted to that directory.
Fix to return formerr for queries for meta-types, to avoid packet amplification if this meta-type is sent on to upstream.
[bugzilla: 1201 ]
Fix missing unlock in answer_from_cache error condition.
[bugzilla: 1202 ]
Fix code comment that packed_rrset_data is not always 'packed'.
Fix to also block meta types 128 through to 248 with formerr.
[bugzilla: 1206 ]
Fix that some view-related commands are missing from 'unbound-control -h'
Fix to rename ub_callback_t to ub_callback_type, because POSIX reserves _t typedefs.
Fix to rename internally used types from _t to _type, because _t type names are reserved by POSIX.
Increase MAX_MODULE to 16.
[bugzilla: 1211 ]
Fix can't enable interface-automatic if no IPv6 with more helpful error message.
fix root_anchor test for updated icannbundle.pem lower certificates.
Fix compile on solaris of the fix to use $host detect.
Fix for type name change and fix warning on windows compile.
Fix pythonmod for typedef changes.
Fix dnstap for warning of set but not used.
Fix autoconf of systemd check for lack of pkg-config.
Unbound 1.6.0
Download: unbound-1.6.0.tar.gz
SHA1 checksum: 9b7606b016b447dc837efc108cee94f3fecf4ede
SHA256 checksum: 6b7db874e6debda742fee8869d722e5a17faf1086e93c911b8564532aeeffab7
PGP signature: unbound-1.6.0.tar.gz.asc
Date: 15 Dec, 2016
Features
Added generic EDNS code for registering known EDNS option codes, bypassing the cache response stage and uniquifying mesh states. Four EDNS option lists were added to module_qstate (module_qstate.edns_opts_*) to store EDNS options from/to front/back side.
Added two flags to module_qstate (no_cache_lookup, no_cache_store) that control the modules' cache interactions.
Added code for registering inplace callback functions. The registered functions can be called just before replying with local data or Chaos, replying from cache, replying with SERVFAIL, replying with a resolved query, sending a query to a nameserver. The functions can inspect the available data and maybe change response/query related data (i.e. append EDNS options).
Updated Python module for the above.
Updated Python documentation.
Added views functionality.
Added qname-minimisation-strict config option.
Patch that resolves CNAMEs entered in local-data conf statements that point to data on the internet, from Jinmei Tatuya (Infoblox).
serve-expired config option: serve expired responses with TTL 0.
.gitattributes line for githubs code language display.
log-identity: config option to set sys log identity, patch from "Robin H. Johnson" (robbat2@gentoo.org).
Added stub-ssl-upstream and forward-ssl-upstream options.
Added local-zones and local-data bulk addition and removal functionality in unbound-control (local_zones, local_zones_remove, local_datas and local_datas_remove).
Bug Fixes
Fix #836: unbound could echo back EDNS options in an error response.
Fix #838: 1.5.10 cannot be built on Solaris, undefined PATH_MAX.
Fix #839: Memory grows unexpectedly with large RPZ files.
Fix #840: infinite loop in unbound_munin_ plugin on unowned lockfile.
Fix #841: big local-zone's make it consume large amounts of memory.
Fix dnstap relaying "random" messages instead of resolver/forwarder responses, from Nikolay Edigaryev.
Fix Nits for 1.5.10 reported by Dag-Erling Smorgrav.
Fix #1117: spelling errors, from Robert Edmonds.
iana portlist update.
fix memoryleak logfile when in debug mode.
Re-fix #839 from view commit overwrite.
Fixup const void cast warning.
Removed patch comments from acllist.c and msgencode.c
Added documentation doc/CNAME-basedRedirectionDesignNotes.pdf, from Jinmei Tatuya (Infoblox).
Fix #1125: unbound could reuse an answer packet incorrectly for clients with different EDNS parameters, from Jinmei Tatuya.
Fix #1118: libunbound.pc sets strange Libs, Libs.private values.
Added Requires line to libunbound.pc
Fix #1130: whitespace in example.conf.in more consistent.
suppress compile warning in lex files.
init lzt variable, for older gcc compiler warnings.
fix --enable-dsa to work, instead of copying ecdsa enable.
Fix DNSSEC validation of query type ANY with DNAME answers.
Fixup query_info local_alias init.
Ported tests for local_cname unit test to testbound framework.
g.root-servers.net has AAAA address.
Fix #1134: unbound-control set_option -- val-override-date: -1 works immediately to ignore datetime, or back to 0 to enable it again. The -- is to ignore the '-1' as an option flag.
Patch for server.num.zero_ttl stats for count of expired replies, from Pavel Odintsov.
Fix failure to build on arm64 with no sbrk.
Set OpenSSL security level to 0 when using aNULL ciphers.
configure detects ssl security level API function in the autoconf manner. Every function on its own, so that other libraries (eg. LibreSSL) can develop their API without hindrance.
Fix #1154: segfault when reading config with duplicate zones.
Note that for harden-below-nxdomain the nxdomain must be secure, this means nsec3 with optout is insufficient.
Fix #1155: test status code of unbound-control in 04-checkconf, not the status code from the tee command.
Fix #1158: reference RFC 8020 "NXDOMAIN: There Really Is Nothing Underneath" for the harden-below-nxdomain option.
patch from Dag-Erling Smorgrav that removes code that relies on sbrk().
Make access-control-tag-data RDATA absolute. This makes the RDATA origin consistent between local-data and access-control-tag-data.
Fix NSEC ENT wildcard check. Matching wildcard does not have to be a subdomain of the NSEC owner.
QNAME minimisation uses QTYPE=A, therefore always check cache for this type in harden-below-nxdomain functionality.
Added unit test for QNAME minimisation + harden below nxdomain synergy.
Fix that with openssl 1.1 control-use-cert: no uses less cpu, by using no encryption over the unix socket.
hyphen as minus fix, by Andreas Schulze
Fix #1170: document that 'inform' local-zone uses local-data.
Fix #1173: differ local-zone type deny from unset tag_actions element.
Add DSA support for OpenSSL 1.1.0
Fix remote control without cert for LibreSSL
Fix downcast warnings from visual studio in sldns code.
Unbound 1.5.10
Download: unbound-1.5.10.tar.gz
SHA1 checksum: 6102849c400db3a4195b1f16df8f312568a6ec57
SHA256 checksum: a39b8b4fcca2a2b35a2daa53fe35150cc3f09038dc9acede09c912fc248a9486
PGP signature: unbound-1.5.10.tar.gz.asc
Date: 27 Sep, 2016
Features
Create a pkg-config file for libunbound in contrib.
TCP Fast open patch from Sara Dickinson.
Finegrained localzone control with define-tag, access-control-tag, access-control-tag-action, access-control-tag-data, local-zone-tag, and local-zone-override. And added types always_transparent, always_refuse, always_nxdomain with that.
If more than half of tcp connections are in use, a shorter timeout is used (200 msec, vs 2 minutes) to pressure tcp for new connects.
[bugzilla: 787 ]
Fix #787: outgoing-interface netblock/64 ipv6 option to use linux freebind to use 64bits of entropy for every query with random local part.
For #787: prefer-ip6 option for unbound.conf prefers to send upstream queries to ipv6 servers.
Add default root hints for IPv6 E.ROOT-SERVERS.NET, 2001:500:a8::e.
keep debug symbols in windows build.
Bug Fixes
[bugzilla: 778 ]
Fix unbound 1.5.9: -h segfault (null deref).
Fix unbound-anchor.exe file location defaults to Program Files with (x86) appended.
Fix to not ignore return value of chown() in daemon startup.
Better help text from -h (from Ray Griffith).
[bugzilla: 773 ]
Fix Non-standard Python location build failure with pyunbound.
Improve threadsafety for openssl 0.9.8 ecdsa dnssec signatures.
Revert fix for NetworkService account on windows due to breakage it causes.
Fix that windows install will not overwrite existing service.conf file (and ignore gui config choices if it exists).
And delete service.conf.shipped on uninstall.
In unbound.conf directory: dir immediately changes to that directory, so that include: file below that is relative to that directory. With chroot, make the directory an absolute path inside chroot.
do not delete service.conf on windows uninstall.
document directory immediate fix and allow EXECUTABLE syntax in it on windows.
Fix directory: fix for unbound-checkconf, it restores cwd.
Use QTYPE=A for QNAME minimisation.
Keep track of number of time-outs when performing QNAME minimisation. Stop minimising when number of time-outs for a QNAME/QTYPE pair is more than three.
[bugzilla: 775 ]
Fix unbound-host and unbound-anchor crash on windows, ignore null delete for wsaevent.
Fix spelling in freebind option man page text.
Fix windows link of ssl with crypt32.
[bugzilla: 779 ]
Fix Union casting is non-portable.
[bugzilla: 780 ]
Fix MAP_ANON not defined in HP-UX 11.31.
[bugzilla: 781 ]
Fix prealloc() is an HP-UX system library call.
Decrease dp attempts at each QNAME minimisation iteration
[bugzilla: 784 ]
Fix Build configure assumess that having getpwnam means there is endpwent function available.
Updated repository with newer flex and bison output.
Fix static compile on windows missing gdi32.
Fix dynamic link of anchor-update.exe on windows.
Fix detect of mingw for MXE package build.
Fixes for 64bit windows compile.
[bugzilla: 788 ]
Fix for nettle 3.0: Failed to build with Nettle >= 3.0 and --with-libunbound-only --with-nettle.
Fixed unbound.doxygen for 1.8.11.
[bugzilla: 798 ]
Fix Client-side TCP fast open fails (Linux).
[bugzilla: 801 ]
Fix missing error condition handling in daemon_create_workers().
[bugzilla: 802 ]
Fix workaround for function parameters that are "unused" without log_assert.
[bugzilla: 803 ]
Fix confusing (and incorrect) code comment in daemon_cleanup().
[bugzilla: 806 ]
Fix wrong comment removed.
use sendmsg instead of sendto for TFO.
[bugzilla: 807 ]
Fix workaround for possible some "unused" function parameters in test code, from Jinmei Tatuya.
Note that OPENPGPKEY type is RFC 7929.
[bugzilla: 804 ]
Fix #804: unbound stops responding after outage. Fixes queries that attempt to wait for an empty list of subqueries.
Fix for #804: lower num_target_queries for iterator also for failed lookups.
[bugzilla: 820 ]
Fix set sldns_str2wire_rr_buf() dual meaning len parameter in each iteration in find_tag_datas().
[bugzilla: 777 ]
Fix OpenSSL 1.1.0 compatibility, patch from Sebastian A. Siewior.
RFC 7958 is now out, updated docs for unbound-anchor.
Fix for compile without warnings with openssl 1.1.0.
[bugzilla: 826 ]
Fix refuse_non_local could result in a broken response.
iana portlist update.
Fix compile with openssl 1.1.0 with api=1.1.0.
[bugzilla: 829 ]
Fix doc of sldns_wire2str_rdata_buf() return value has an off-by-one typo, from Jinmei Tatuya (Infoblox).
Fix incomplete prototypes reported by Dag-Erling Smørgrav.
[bugzilla: 828 ]
Fix missing type in access-control-tag-action redirect results in NXDOMAIN.
Take configured minimum TTL into consideration when reducing TTL to original TTL from RRSIG.
[bugzilla: 831 ]
Fix workaround for spurious fread_chk warning against petal.c
Silenced flex-generated sign-unsigned warning print with gcc diagnostic pragma.
Fix for new splint on FreeBSD. Fix cast for sockaddr_un.sun_len.
fix potential memory leak in daemon/remote.c and nullpointer dereference in validator/autotrust.
[bugzilla: 883 ]
Fix error for duplicate local zone entry.
[bugzilla: 835 ]
Fix --disable-dsa with nettle verify.
2018-02-06 02:39:25 +00:00
christos fbfb70ad60 merge conflicts 2018-02-06 01:57:23 +00:00
christos 648e71e52f OpenLDAP 2.4.45 Release (2017/06/01)
Added slapd support for OpenSSL 1.1.0 series (ITS#8353, ITS#8533, ITS#8634)
	Fixed libldap to fail ldap_result if the handle is already bad (ITS#8585)
	Fixed libldap to expose error if user specified CA doesn't exist (ITS#8529)
	Fixed libldap handling of Diffie-Hellman parameters (ITS#7506)
	Fixed libldap GnuTLS use after free (ITS#8385)
	Fixed libldap SASL initialization (ITS#8648)
	Fixed slapd bconfig rDN escape handling (ITS#8574)
	Fixed slapd segfault with invalid hostname (ITS#8631)
	Fixed slapd sasl SEGV rebind in same session (ITS#8568)
	Fixed slapd syncrepl filter handling (ITS#8413)
	Fixed slapd syncrepl infinite looping mods with delta-sync MMR (ITS#8432)
	Fixed slapd callback struct so older modules without writewait should function.
                    Custom modules may need to be updated for sc_writewait callback (ITS#8435)
	Fixed slapd-ldap/meta broken LDAP_TAILQ macro (ITS#8576)
	Fixed slapd-mdb so it passes ITS6794 regression test (ITS#6794)
	Fixed slapd-mdb double free with size zero paged result (ITS#8655)
	Fixed slapd-meta uninitialized diagnostic message (ITS#8442)
	Fixed slapo-accesslog to honor pauses during purge for cn=config update (ITS#8423)
	Fixed slapo-accesslog with multiple modifications to the same attribute (ITS#6545)
	Fixed slapo-relay to correctly initialize sc_writewait (ITS#8428)
	Fixed slapo-sssvlv double free (ITS#8592)
	Fixed slapo-unique with empty modifications (ITS#8266)
	Build Environment
		Added test065 for proxyauthz (ITS#8571)
		Fix test008 to be portable (ITS#8414)
		Fix test064 to wait for slapd to start (ITS#8644)
		Fix its4336 regression test (ITS#8534)
		Fix its4337 regression test (ITS#8535)
		Fix regression tests to execute on all backends (ITS#8539)
	Contrib
		Added slapo-autogroup(5) man page (ITS#8569)
		Added passwd missing conversion scripts for apr1 (ITS#6826)
		Fixed contrib modules where the writewait callback was not correctly initialized (ITS#8435)
		Fixed smbk5pwd to build with newer OpenSSL releases (ITS#8525)
	Documentation
		admin24 fixed tls_cipher_suite bindconf option (ITS#8099)
		admin24 fixed typo cn=config to be slapd.d (ITS#8449)
		admin24 fixed slapo-syncprov information to be curent (ITS#8253)
		admin24 fixed typo in access control docs (ITS#7341, ITS#8391)
		admin24 fixed minor typo in tuning guide (ITS#8499)
		admin24 fixed information about the limits option (ITS#7700)
		admin24 fixed missing options for syncrepl configuration (ITS#7700)
		admin24 fixed accesslog documentation to note it should not be replicated (ITS#8344)
		Fixed ldap.conf(5) missing information on SASL_NOCANON option (ITS#7177)
		Fixed ldapsearch(1) information on the V[V] flag behavior (ITS#7177, ITS#6339)
		Fixed slapd-config(5), slapd.conf(5) clarification on interval keyword for refreshAndPersist (ITS#8538)
		Fixed slapd-config(5), slapd.conf(5) clarify serverID requirements (ITS#8635)
		Fixed slapd-config(5), slapd.conf(5) clarification on loglevel settings (ITS#8123)
		Fixed slapo-ppolicy(5) to clearly note rootdn requirement (ITS#8565)
		Fixed slapo-memberof(5) to note it is not safe to use with replication (ITS#8613)
		Fixed slapo-syncprov(5) documentation to be current (ITS#8253)
		Fixed slapadd(8) manpage to note slapd-mdb (ITS#8215)
		Fixed various minor grammar issues in the man pages (ITS#8544)
		Fixed various typos (ITS#8587)
2018-02-06 01:53:05 +00:00
mrg 6b182040a5 missing in previous:
mknative gcc 6.4 and powerpc / earmv4.
2018-02-05 22:11:42 +00:00
mrg 9dd74e3a6c mknative gcc 6.4 and powerpc / earmv4. earmv4 seems to work.
powerpc not properly tested yet, but builds.
2018-02-05 22:06:44 +00:00
mrg 85028157d6 - enable powerpc and arm support.
- port GetPcSpBp() to netbsd/powerpc* and netbsd/arm.
2018-02-05 22:04:54 +00:00
christos 95741dd42e undo previous. 2018-02-05 12:13:54 +00:00
martin cf29848b33 Adapt the version hack for openssl provided inline functions: openssl 1.0.2k
already provides the colliding definitions.
2018-02-05 10:46:19 +00:00
martin cd829b9d79 Try to fix the build: OpenSSL 1.0.2k already has the EVP inline functions. 2018-02-05 10:26:06 +00:00
mrg b8a26bd00d more mknative-gcc 6.5 for sparc, sparc64 and amd64. 2018-02-05 06:13:33 +00:00
christos e7011cce36 optval is int not long 2018-02-04 20:38:41 +00:00
mrg b3953390c8 regen mknative-gcc 6.4 and amd64. 2018-02-04 20:22:42 +00:00
mrg 51502cf62d updates for GCC 6.4:
- remove many _DIAGASSERT() checks against not NULL for functions
  with arguments with nonnull attributes.  (probably more to come,
  the set between x86 and sparc us disjoint.)

- port libsanitizer's GetPcSpBp() to sparc, sparc64 and amd64.
2018-02-04 20:22:17 +00:00
mrg 9f0e9a55d9 make libbackend.a build and fix the libcommon.a sources list.
now all the gcc parts link.
2018-02-04 10:16:07 +00:00
mrg 41868f0d0a partial work-in-progress to build GCC 6.4 natively:
- use -std=gnu++98 by default.
- add build support for new GCC generators, etc.
- regen i386 mknative files.
2018-02-04 09:22:03 +00:00
mrg b9c2640a34 fix GCC 6.4 issues (finally a couple that aren't actual bugs,
but only weird code?):

amd's amfs_program_exec() has a missing {} issue.

flex's check_options() has odd inconsistent identation that
trips the new ident checker.

ntpd's oncore_check_leap_sec() and oncore_set_traim() have
missing {} issues.

sntp's optionLoadNested() an identation weirdness that
trips the new ident checker.

vi's cl_attr() has a wrong {} issue, and its vs_paint() has
an identation weirdness that trips the new ident checker.
2018-02-04 09:15:44 +00:00
maya 7c604edb4c Merge pkg_install-20171030
Bump version to 20171030 for netpgpverify fixes.
Add zsh to default_acceptable_licenses.
Undef bootstrap hack.

Fix OpenSSL 1.1.0 build
OpenSSL 1.1.0 makes xkusage and ex_flags opaque.
Use X509_check_ca rather than a custom and nearly identical implementation.
This is available since OpenSSL 0.9.8 (even in RHEL5).
This is also done because we cannot implement it identically under
OpenSSL 1.1.0 due to missing getters.
Test EXFLAG_XKUSAGE rather than zero xkusage test no usage to avoid openssl
1.1.0 getter returning a different code on this case.
Use getter for xkusage in the non-zero test case.
Provide fallback definitions for getters.

PR pkg/52298, PR pkg/52648
2018-02-04 09:00:51 +00:00
maya 34c9ee37a0 Import pkg_install-20171030 2018-02-04 08:20:39 +00:00
mrg 07967fb18a apply __attribute__((__used__)) for rcsid, etc. 2018-02-04 08:19:42 +00:00
christos bdb24028e2 split out the child runner. 2018-02-04 03:37:59 +00:00
christos 0c048d5af5 switch everyone to openssl.old 2018-02-04 03:19:51 +00:00
mrg d3af2a8373 ATF needs C++98 for now, and GCC 6.4 defaults to C++11.
fix a problem -Werror=misleading-indentation found but has zero
effect on the running code.
2018-02-04 01:41:05 +00:00
mrg 3d95d37864 mknative-gcc for alpha, earm, i386, mips64eb, powerpc, sparc,
sparc64, and x86-64.  tree does not fully build yet, however.
2018-02-04 01:17:40 +00:00
mrg 600075ca82 updates for GCC 6.4. 2018-02-04 01:16:32 +00:00
mrg 1df0d34461 fixes to build the sanitizer files. not tested, but builds. 2018-02-04 01:14:42 +00:00
mrg af3c0cd56d updates for GCC 6.4: add gcc-6 specific headers, combine some
all-gcc files, bump the shlib versions on new libs.
2018-02-03 21:27:45 +00:00
mrg c57c37fb6b updates for GCC 6.4.0:
- we install version specific headers into gcc-6.
- add missing include path for i386/cpuinfo.c.
- fix compile time warnings in libobjc/encoding.c
- adjust c++98/compatibility.cc to use a visible header
- Makefile.hacks gains a hack for x86 and insn-constants.h.  (should
  try to figure out how to build this earlier.)
- libgomp missing priority_queue.c (switch to mknative pulling it out?).
- build a libstdc++ version file and use it.
- fix the handling of -std= to default the same as normal builds.
2018-02-03 19:27:15 +00:00
mrg bc903b6f5b install into gcc-6 subdir. 2018-02-02 20:57:53 +00:00
mrg f313166862 updates to make it at least build in tools/gcc:
- fix -fdelete-null-pointer-checks default (needs more inspection)
- revert unnecessary local changes in gcc.h, system.h and freebsd-spec.h
- fix local changes to invoke.texi
- update man and info pages
- fix a typo in unwind-seh.c
2018-02-02 20:45:19 +00:00
mrg cdbfa754b1 merge GCC 6.4.0. sanitizer stuff is probably busted, but most
other changes merged easily.

docs need to be regenerated with modern versions still.
2018-02-02 03:41:02 +00:00
mrg f9a78e0e88 import GCC 6.4.0. see this url for details which are too large to
include here:

   http://gcc.gnu.org/gcc-6/changes.html

the main visible changes appear to be:

- The default mode for C++ is now -std=gnu++14 instead of -std=gnu++98.
- The C and C++ compilers now support attributes on enumerators.
- Diagnostics can now contain "fix-it hints"
- more warnings (some added to -Wall)
2018-02-02 01:58:35 +00:00
mrg 6d188dd0d7 convert HAVE_GCC handling to modern GCC release numbering:
- HAVE_GCC=5 is now the default (vs. HAVE_GCC=53 we've been using for
  GCC 5.4 and GCC 5.5.)
- remove some more GCC 4.8 code.  we don't support GCC 4 here.
- adjust set lists to gcc=5 from gcc=53.

add some basic HAVE_GCC=6 handling (totally unused so far.)
2018-02-02 01:02:39 +00:00
kamil 6c8e913a6f Install GCC (gcc) headers for Sanitizers
Sync this code with gcc.old.

PR 52265 by Kamil Rytarowski

Proposed and accepted on tech-toolchain@.

Sponsored by <The NetBSD Foundation>
2018-02-01 21:10:46 +00:00
kamil 413e439cd5 Install GCC (gcc.old/) headers for Sanitizers
Install:
 - allocator_interface.h
 - asan_interface.h
 - common_interface_defs.h
 - tsan_interface_atomic.h

Into:
 - /usr/include/gcc-5/sanitizer

Note headers in a comment headers for introduction in future:
 - dfsan_interface.h
 - lsan_interface.h
 - msan_interface.h

Skip a file that will never be relevant on NetBSD:
 - linux_syscall_hooks.h

PR 52265 by Kamil Rytarowski

Proposed and accepted on tech-toolchain@.

Sponsored by <The NetBSD Foundation>
2018-02-01 20:50:22 +00:00
christos af5b018293 add a diff for smtpd 2018-02-01 03:32:31 +00:00
christos ab311767f7 give one more reply to the client before we potentially block it. 2018-02-01 03:32:00 +00:00
christos 214a024004 Add support for blacklistd. 2018-02-01 03:29:41 +00:00
roy d20bb8f953 Sync 2018-01-29 11:13:06 +00:00
roy 10383d8fc1 Import dhcpcd-7.0.1 with the following changes:
*  hooks: remove use of local builtin for better portability
*  dhcpcd: don't log errors working out carrier for departed interfaces
*  ipv4: allow configuration of static broadcast address
*  if: don't set MTU during interface discovery
*  if: don't activate non matching interfaces to commandline ones
*  eloop-bench: fix hangs when using a large number of cycles
*  dhcp: don't bind when we've just probed an address to inform
2018-01-29 11:11:22 +00:00
kre 8aab451628 Merge tzdata2018c 2018-01-24 13:52:47 +00:00
kre 35c0382b5f Import tzdata2018c from ftp://ftp.iana.org/tz/releases/tzdata2018c.tar.gz
Summary of changes in tzdata2018c (2018-01-22 23:00:44 -0800):
Summary of changes in tzdata2018b (2018-01-17 23:24:48 -0800):
Summary of changes in tzdata2018a (2018-01-12 22:29:21 -0800):

	2018a and 2018b were (kind of) released, but never announced.
	Some "issues" were found with them that caused the relatively
	quick updates...

	The updates are from the previous version (2017c) to the
	current one (2018c) - that 2018a & 2018b intervened is best
	forgotten... (changes in 2018a that were corrected (2018b) or
	reverted (2018c) are not mentioned).

  Briefly:

     Sao Tome and Principe (An island nation off west coast of Equatorial Africa)
     switched from +00 to +01.

     Brazil's DST will now start on November's first Sunday.

     Use Debian-style installation locations, instead of 4.3BSD-style.
	(this does not affect NetBSD, we do not use the tzdata Makefile)

  Changes to past and future time stamps

    Sao Tome and Principe switched from +00 to +01 on 2018-01-01 at
    01:00.  (Thanks to Steffen Thorsen and Michael Deckers.)

  Changes to future time stamps

    Starting in 2018 southern Brazil will begin DST on November's
    first Sunday instead of October's third Sunday.  (Thanks to
    Steffen Thorsen.)

  Changes to past time stamps

    Japanese DST transitions (1948-1951) were Sundays at 00:00, not
    Saturdays or Sundays at 02:00.  (Thanks to Takayuki Nikai.)

    A discrepancy of 4 s in timestamps before 1931 in South Sudan has
    been corrected.  The 'backzone' and 'zone.tab' files did not agree
    with the 'africa' and 'zone1970.tab' files.  (Problem reported by
    Michael Deckers.)

    The abbreviation invented for Bolivia Summer Time (1931-2) is now
    BST instead of BOST, to be more consistent with the convention
    used for Latvian Summer Time (1918-9) and for British Summer Time.
2018-01-24 13:51:56 +00:00
skrll ac34435581 Remove port-acorn26
OK core@
2018-01-24 09:04:40 +00:00
christos 177e5524a5 make lint compile again. 2018-01-17 06:10:27 +00:00
christos 19e9df2ac8 remove Documents before import. 2018-01-14 22:51:12 +00:00