Created attachment 227161 [details] unbound-1.13.2.diff This version fixes some crashes we were experiencing on pfSense Changelog: https://github.com/NLnetLabs/unbound/releases/tag/release-1.13.2
(In reply to Renato Botelho from comment #0) This release has is more then just a bug fix, there are also new features. One off them (deprecate-rsa-1024) required a new option for the port (see also the list below.) Therefore I replaced the patch with a new one. - Merge PR #317: ZONEMD Zone Verification, with RFC 8976 support. ZONEMD records are checked for zones loaded as auth-zone, with DNSSEC if available. There is an added option zonemd-permissive-mode that makes it log but not fail wrong zones. With zonemd-reject-absence for an auth-zone the presence of a zonemd can be mandated for specific zones. - Fix: Resolve interface names on control-interface too. - Merge #470 from edevil: Allow configuration of persistent TCP connections. - Fix #474: always_null and others inside view. - Add that log-servfail prints an IP address and more information about one of the last failures for that query. - Merge #478: Allow configuration of TCP timeout while waiting for response. - Add ./configure --with-deprecate-rsa-1024 that turns off RSA 1024. - Move the NSEC3 max iterations count in line with the 150 value used by BIND, Knot and PowerDNS. This sets the default value for it in the configuration to 150 for all key sizes. - zonemd-check: yesno option, default no, enables the processing of ZONEMD records for that zone. - Merge #486 by fobster: Make VAL_MAX_RESTART_COUNT configurable. - Merge PR #491: Add SVCB and HTTPS types and handling according to draft-ietf-dnsop-svcb-https. - Introduce 'http-user-agent:' and 'hide-http-user-agent:' options.
Created attachment 227242 [details] patch to upgrade Patch to upgrade
A commit in branch main references this bug: URL: https://cgit.FreeBSD.org/ports/commit/?id=42ac7e7f9340538fe67de858198323991d326087 commit 42ac7e7f9340538fe67de858198323991d326087 Author: Jaap Akkerhuis <jaap@NLnetLabs.nl> AuthorDate: 2021-08-16 23:18:01 +0000 Commit: Renato Botelho <garga@FreeBSD.org> CommitDate: 2021-08-16 23:18:01 +0000 dns/unbound: Update to 1.13.2 Added a new option DEP-RSA1024 to enable --with-deprecate-rsa-1024 Changelog: - Merge PR #317: ZONEMD Zone Verification, with RFC 8976 support. ZONEMD records are checked for zones loaded as auth-zone, with DNSSEC if available. There is an added option zonemd-permissive-mode that makes it log but not fail wrong zones. With zonemd-reject-absence for an auth-zone the presence of a zonemd can be mandated for specific zones. - Fix: Resolve interface names on control-interface too. - Merge #470 from edevil: Allow configuration of persistent TCP connections. - Fix #474: always_null and others inside view. - Add that log-servfail prints an IP address and more information about one of the last failures for that query. - Merge #478: Allow configuration of TCP timeout while waiting for response. - Add ./configure --with-deprecate-rsa-1024 that turns off RSA 1024. - Move the NSEC3 max iterations count in line with the 150 value used by BIND, Knot and PowerDNS. This sets the default value for it in the configuration to 150 for all key sizes. - zonemd-check: yesno option, default no, enables the processing of ZONEMD records for that zone. - Merge #486 by fobster: Make VAL_MAX_RESTART_COUNT configurable. - Merge PR #491: Add SVCB and HTTPS types and handling according to draft-ietf-dnsop-svcb-https. - Introduce 'http-user-agent:' and 'hide-http-user-agent:' options. PR: 257809 Sponsored by: Rubicon Communications, LLC ("Netgate") dns/unbound/Makefile | 8 +++++--- dns/unbound/distinfo | 6 +++--- dns/unbound/pkg-plist | 2 +- 3 files changed, 9 insertions(+), 7 deletions(-)
A commit in branch 2021Q3 references this bug: URL: https://cgit.FreeBSD.org/ports/commit/?id=5b9f5579bb15ac30b4c617ac441263c6f20e7575 commit 5b9f5579bb15ac30b4c617ac441263c6f20e7575 Author: Jaap Akkerhuis <jaap@NLnetLabs.nl> AuthorDate: 2021-08-16 23:18:01 +0000 Commit: Renato Botelho <garga@FreeBSD.org> CommitDate: 2021-08-16 23:22:50 +0000 dns/unbound: Update to 1.13.2 Added a new option DEP-RSA1024 to enable --with-deprecate-rsa-1024 Changelog: - Merge PR #317: ZONEMD Zone Verification, with RFC 8976 support. ZONEMD records are checked for zones loaded as auth-zone, with DNSSEC if available. There is an added option zonemd-permissive-mode that makes it log but not fail wrong zones. With zonemd-reject-absence for an auth-zone the presence of a zonemd can be mandated for specific zones. - Fix: Resolve interface names on control-interface too. - Merge #470 from edevil: Allow configuration of persistent TCP connections. - Fix #474: always_null and others inside view. - Add that log-servfail prints an IP address and more information about one of the last failures for that query. - Merge #478: Allow configuration of TCP timeout while waiting for response. - Add ./configure --with-deprecate-rsa-1024 that turns off RSA 1024. - Move the NSEC3 max iterations count in line with the 150 value used by BIND, Knot and PowerDNS. This sets the default value for it in the configuration to 150 for all key sizes. - zonemd-check: yesno option, default no, enables the processing of ZONEMD records for that zone. - Merge #486 by fobster: Make VAL_MAX_RESTART_COUNT configurable. - Merge PR #491: Add SVCB and HTTPS types and handling according to draft-ietf-dnsop-svcb-https. - Introduce 'http-user-agent:' and 'hide-http-user-agent:' options. PR: 257809 Sponsored by: Rubicon Communications, LLC ("Netgate") (cherry picked from commit 42ac7e7f9340538fe67de858198323991d326087) dns/unbound/Makefile | 8 +++++--- dns/unbound/distinfo | 6 +++--- dns/unbound/pkg-plist | 2 +- 3 files changed, 9 insertions(+), 7 deletions(-)