17:37 Fernando Apesteguía (fernape)  Author: Jaap Akkerhuis

dns/unbound: Update to 1.17.0

ChangeLog: https://www.nlnetlabs.nl/news/2022/Oct/13/unbound-1.17.0-released/

Remove additional MASTER_SITES (certificate error)

PR:		267018
Reported by:	jaap@NLnetLabs.nl (maintainer)
Reviewed by:	diizzy@

    7b0d6de

14:31 Mathieu Arnold (mat) 

all: Remove all other $FreeBSD keywords.

    135fdee

14:17 lwhsu 

dns/unbound: Update to 1.11.0

PR:		248808
Submitted by:	Jaap Akkerhuis <jaap@NLnetLabs.nl> (maintainer)

 

16:31 swills 

dns/unbound: update to 1.9.3

Whil here, improve rc script

PR:		240163
Submitted by:	Jaap Akkerhuis <jaap@NLnetLabs.nl> (maintainer)

 

19:28 brnrd 

dns/unbound: Fix errors when unbound_conf is set

PR:		228390
Approved by:	maintainer <jaap NLnetLabs nl>

MFH:		2018Q2

 

17:00 pi 

dns/unbound: upgrade 1.6.8 -> 1.7.0

Features
- auth-zone provides a way to configure RFC7706 from unbound.conf,
  eg. with auth-zone: name: "." for-downstream: no for-upstream: yes
  fallback-enabled: yes and masters or a zonefile with data.
- Aggressive use of NSEC implementation. Use cached NSEC records to
  generate NXDOMAIN, NODATA and positive wildcard answers.
- Accept tls-upstream in unbound.conf, the ssl-upstream keyword is
  also recognized and means the same.  Also for tls-port,
  tls-service-key, tls-service-pem, stub-tls-upstream and
  forward-tls-upstream.
- [dnscrypt] introduce dnscrypt-provider-cert-rotated option,
  from Manu Bretelle.
  This option allows handling multiple cert/key pairs while only
  distributing some of them.
  In order to reliably match a client magic with a given key without
  strong assumption as to how those were generated, we need both key and
  cert. Likewise, in order to know which ES version should be used.
  On the other hand, when rotating a cert, it can be desirable to only
  serve the new cert but still be able to handle clients that are still
  using the old certs's public key.
  The `dnscrypt-provider-cert-rotated` allow to instruct unbound to not
  publish the cert as part of the DNS's provider_name's TXT answer.
- Update B root ipv4 address.
- make ip-transparent option work on OpenBSD.
- Fix #2801: Install libunbound.pc.
- ltrace.conf file for libunbound in contrib.
- Fix #3598: Fix swig build issue on rhel6 based system.
  configure --disable-swig-version-check stops the swig version check.

Bug Fixes
- Fix #1749: With harden-referral-path: performance drops, due to
  circular dependency in NS and DS lookups.
- [dnscrypt] prevent dnscrypt-secret-key, dnscrypt-provider-cert
  duplicates
- Better documentation for cache-max-negative-ttl.
- Fixed libunbound manual typo.
- Fix #1949: [dnscrypt] make provider name mismatch more obvious.
- Fix #2031: Double included headers
- Document that errno is left informative on libunbound config read
  fail.
- iana port update.
- Fix #1913: ub_ctx_config is under circumstances thread-safe.
- Fix #2362: TLS1.3/openssl-1.1.1 not working.
- Fix #2034 - Autoconf and -flto.
- Fix #2141 - for libsodium detect lack of entropy in chroot, print
  a message and exit.
- Fix #2492: Documentation libunbound.
- Fix #2882: Unbound behaviour changes (wrong) when domain-insecure is
  set for stub zone.  It no longer searches for DNSSEC information.
- Fix #3299 - forward CNAME daisy chain is not working
- Fix link failure on OmniOS.
- Check whether --with-libunbound-only is set when using --with-nettle
  or --with-nss.
- Fix qname-minimisation documentation (A QTYPE, not NS)
- Fix that DS queries with referral replies are answered straight
  away, without a repeat query picking the DS from cache.
  The correct reply should have been an answer, the reply is fixed
  by the scrubber to have the answer in the answer section.
- Fix that expiration date checks don't fail with clang -O2.
- Fix queries being leaked above stub when refetching glue.
- Copy query and correctly set flags on REFUSED answers when cache
  snooping is not allowed.
- make depend: code dependencies updated in Makefile.
- Fix #3397: Fix that cachedb could return a partial CNAME chain.
- Fix #3397: Fix that when the cache contains an unsigned DNAME in
  the middle of a cname chain, a result without the DNAME could
  be returned.
- Fix that unbound-checkconf -f flag works with auto-trust-anchor-file
  for startup scripts to get the full pathname(s) of anchor file(s).
- Print fatal errors about remote control setup before log init,
  so that it is printed to console.
- Use NSEC with longest ce to prove wildcard absence.
- Only use *.ce to prove wildcard absence, no longer names.
- Fix unfreed locks in log and arc4random at exit of unbound.
- Fix lock race condition in dns cache dname synthesis.
- Fix #3451: dnstap not building when you have a separate build dir.
  And removed protoc warning, set dnstap.proto syntax to proto2.
- Added tests with wildcard expanded NSEC records (CVE-2017-15105 test)
- Unit test for auth zone https url download.
- tls-cert-bundle option in unbound.conf enables TLS authentication.
- Fixes for clang static analyzer, the missing ; in
  edns-subnet/addrtree.c after the assert made clang analyzer
  produce a failure to analyze it.
- Fix #3505: Documentation for default local zones references
  wrong RFC.
- Fix #3494: local-zone noview can be used to break out of the view
  to the global local zone contents, for queries for that zone.
- Fix for more maintainable code in localzone.
- more robust cachedump rrset routine.
- Save wildcard RRset from answer with original owner for use in
  aggressive NSEC.
- Fixup contrib/fastrpz.patch so that it applies.
- Fix compile without threads, and remove unused variable.
- Fix compile with staticexe and python module.
- Fix nettle compile.
- Fix to check define of DSA for when openssl is without deprecated.
- iana port update.
- Fix #3582: Squelch address already in use log when reuseaddr option
  causes same port to be used twice for tcp connections.
- Reverted fix for #3512, this may not be the best way forward;
  although it could be changed at a later time, to stay similar to
  other implementations.
- Fix for windows compile.
- Fixed contrib/fastrpz.patch, even though this already applied
  cleanly for me, now also for others.
- patch to log creates keytag queries, from A. Schulze.
- patch suggested by Debian lintian: allow to -> allow one to, from
  A. Schulze.
- Attempt to remove warning about trailing whitespace.
- Added documentation for aggressive-nsec: yes.

PR:		226822
Submitted by:	jaap@NLnetLabs.nl (maintainer)

 

10:16 brnrd 

dns/unbound: Fix rc-script with config in flags

 - Adds new option unbound_config

PR:		225360
Submitted by:	jaap@NLnetLabs.nl
Approved by:	jaap@NLnetLabs.nl (maintainer)

 

01:48 wen 

- Update to 1.6.1

PR:		217614
Submitted by:	jaap@NLnetLabs.nl(maintainer)

 

08:27 sem 

- Run unbound even when unbound-anchors fails
- Remove trailing space

PR:		ports/189818
Submitted by:	zi

 

19:43 sem 

- Really fix unbound_anchorflags
- New LIB_DEPENDS format
- Strip binaries

 

15:27 sem 

- Fix unbound_anchorflags in RC script

 

15:51 zi 

- Add STAGE support
- Fix build with custom LOCALBASE/PREFIX
- Add ability to specify flags to unbound-anchor via unbound_anchorflags in
rc.conf (useful for when /etc/resolv.conf only contains 127.0.0.1)
- Bump PORTREVISION

PR:		ports/187239
Submitted by:	zi@
Approved by:	sem@ (maintainer)

 

21:07 sem 

- Hide output of check config command

PR:		ports/186195
Submitted by:	Nick Hibma <nick@anywi.com>

 

01:08 sem 

- Run unbound-checkconf on startup

Submitted by:	Anton Yuzhaninov <citrin at citrin.ru>

 

13:44 sem 

- Update to 1.4.15
  * Fixed a little memory leak
  * Couple other bugs fixed
- Run unbound-checkconf before start.

17:23 sem 

- Run unbound-anchor with unbound user. It solves a permissions problem.

14:40 sem 

- Run unbound-anchor before unbound to obtain a trust anchor for DNSSEC.

Requested by:   des

08:57 dougb 

In the rc.d scripts, change assignments to rcvar to use the
literal name_enable wherever possible, and ${name}_enable
when it's not, to prepare for the demise of set_rcvar().

In cases where I had to hand-edit unusual instances also
modify formatting slightly to be more uniform (and in
some cases, correct). This includes adding some $FreeBSD$
tags, and most importantly moving rcvar= to right after
name= so it's clear that one is derived from the other.

00:15 dougb 

Begin the process of deprecating sysutils/rc_subr by
s#. %%RC_SUBR%%#. /etc/rc.subr#

14:30 sem 

- Forgot to set : ${unbound_enable:-"NO"}
- Allow user to set a pid file location with unbound_pidfile="..."

PR:             ports/142793 (based on)
Submitted by:   Keith Gaughan <k at stereochro.me>

11:33 sem 

- unbound runned in chroot by default. it brings us a problem with
  pid file. place it to PREFIX/etc/unbound as an author do.

07:35 sem 

- New port: dns/unbound

Unbound is designed as a set of modular components, so that also
DNSSEC (secure DNS) validation and stub-resolvers (that do not run as
a server, but are linked into an application) are easily possible.

Goals:
    * A validating recursive DNS resolver.
    * Code diversity in the DNS resolver monoculture.
    * Drop-in replacement for BIND apart from config.
    * DNSSEC support.
    * Fully RFC compliant.
    * High performance
          o even with validation.
    * Used as

(Only the first 15 lines of the commit message are shown above )