Bug 282172 - dns/unbound: Update to 1.22.0
Summary: dns/unbound: Update to 1.22.0
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Many People
Assignee: Rodrigo Osorio
URL: https://nlnetlabs.nl/news/2024/Oct/17...
Keywords:
Depends on:
Blocks:
 
Reported: 2024-10-18 11:23 UTC by Jaap Akkerhuis
Modified: 2024-10-19 18:10 UTC

See Also:


Attachments
Patch to upgrade (4.10 KB, patch)
2024-10-18 11:23 UTC, Jaap Akkerhuis
jaap: maintainer-approval+

Description Jaap Akkerhuis 2024-10-18 11:23:35 UTC
Created attachment 254329
Patch to upgrade

Release Notes

We are pleased to announce the release of version 1.22.0 of the Unbound recursive DNS resolver.

This release has an option to harden against unverified glue, it is enabled with harden-unverified-glue: yes. It was contributed by Karthik Umashankar from Microsoft. This protects Unbound against bad glue, that is out of zone, by performing a lookup for it. Because it uses the original information as a last resort if nothing works, it should not give lookup failures and add protection.

There are options to configure the scrubbing for NS records and the CNAME scrubbing and the max global quota lookup limit from previous security fix releases. They can be configured with the options iter-scrub-ns, iter-scrub-cname and max-global-quota.

For redis use, with cachedb, it is possible to specify the timeout for the initial connection separately from the timeout for commands. With the options redis-command-timeout: 20 and redis-connect-timeout: 200 they can be set separately, for a longer connect attempt, but a short command timeout to keep resolution faster.

It is possible to log with ISO8601 format with log-time-iso: yes; this also logs time in milliseconds. Useful if the server writes to file, syslog may have its own format.

DNS over QUIC support is added, if compiled with libngtcp2 and with the openssl+quic that it uses. Use --with-libngtcp2 for that, and enable it with quic-port: 853. There is a post about it on https://blog.nlnetlabs.nl/dns-over-quic-in-unbound [that is to appear after the release].

For a full list of changes, see https://nlnetlabs.nl/projects/unbound/download#unbound-1-22-0.
Comment 1 commit-hook freebsd_committer freebsd_triage 2024-10-18 13:20:49 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=d258c3602afd47841b285e0ac11de3bf09181d05

commit d258c3602afd47841b285e0ac11de3bf09181d05
Author:     Rodrigo Osorio <rodrigo@FreeBSD.org>
AuthorDate: 2024-10-18 13:08:53 +0000
Commit:     Rodrigo Osorio <rodrigo@FreeBSD.org>
CommitDate: 2024-10-18 13:18:00 +0000

    dns/unbound: update to 1.22.0

    Changelog: https://nlnetlabs.nl/news/2024/Oct/17/unbound-1.22.0-released/
    Full changelog: https://nlnetlabs.nl/projects/unbound/download/#unbound-1-22-0

    PR:             282172
    Reported by:    Jaap Akkerhuis <jaap@NLnetLabs.nl> (maintainer)

 dns/unbound/Makefile                                         | 12 +++++-------
 dns/unbound/distinfo                                         |  6 +++---
 .../files/patch-smallapp_unbound-control-setup.sh.in (gone)  | 11 -----------
 dns/unbound/pkg-plist                                        |  2 +-
 4 files changed, 9 insertions(+), 22 deletions(-)
Comment 2 Rodrigo Osorio freebsd_committer freebsd_triage 2024-10-18 13:21:25 UTC
Committed, thanks
Comment 3 Herbert J. Skuhra 2024-10-19 18:10:48 UTC
Why is DOH no longer optional?