Bug 227949

Summary: [MAINTAINER] dns/unbound upgrade to 1.7.1
Product: Ports & Packages    Reporter: Jaap Akkerhuis <jaap>
Component: Individual Port(s)    Assignee: Martin Wilke <miwi>
Status: Closed FIXED
Severity: Affects Many People    CC: krion, miwi, portmaster
Priority: ---
Version: Latest
Hardware: Any
OS: Any
Attachment: patch to update (flags: jaap: maintainer-approval+)

Description Jaap Akkerhuis 2018-05-03 11:13:42 UTC
Created attachment 193019
patch to update

This release has root key sentinel support, default on, from draft
draft-ietf-dnsop-kskroll-sentinel.  The root key sentinel helps the root
key rollover process by providing insight into the distribution of the
key material over the resolver population.  For that, the resolver gives
responses indicating which keys are in use by the resolver.

Crypto support for ED448 has been added.  ED25519 was already supported
in a previous release.  The crypto algorithm code is default turned on
if support is detected at configure time.  The openssl 1.1.1 beta
versions have ED448, and also ED25519 support.

For DNS over TLS, the tcp length is sent in the same packet as the tcp
content, for the TLS connections, providing a speed up.  Also TLS
authentication can be enabled by specifying the TLS auth name in
unbound.conf.  An example config for large public cloud dns over tls
resolvers is this.
  tls-cert-bundle: "ca-bundle.pem"
  name: "."
  forward-addr: ""
  forward-addr: ""
  forward-tls-upstream: yes

It is possible to have unbound as a TLS server serve TLS on different
ports, with additional-tls-port.  Use this to set up dns over tls
service on both ports 853 and 443.

For fast server selection, there are new options low-rtt and
low-rtt-pct.  For example set low-rtt-pct: 900 to enable it.
These options are experimental at this time.  We are interested in
user experiences, and are intending to look at the expressiveness that
is desired for ease of use and applicability. Also, the "pct" part of
low-rtt-pct is technically the wrong term and we intend to replace it
with "promille" (likely in a future release, together with user
experience feedback changes).
There is hiredis support for the cachedb module.
Monitoring of the new aggressive NSEC and auth zone root local copy
features is possible with statistics counters for aggressive NSEC and for
auth zone usage.  Auth zone supports incoming NOTIFYs, from masters and
from allow-notify hosts.  Auth zones can be listed from unbound-control
with their SOA serial number.
Unbound-control set_option and get_option needed different ':'
placement, the current release allows with and without ':' syntax.
- Add --with-libhiredis, unbound support for a new cachedb
  backend that uses a Redis server as the storage.  This
  implementation depends on the hiredis client library
  And unbound should be built with both --enable-cachedb and
  --with-libhiredis[=PATH] (where $PATH/include/hiredis/hiredis.h
  should exist).  Patch from Jinmei Tatuya (Infoblox).
- Create additional tls service interfaces by opening them on other
  portnumbers and listing the portnumbers as additional-tls-port: nr.
- ED448 support.
- num.query.authzone.up and num.query.authzone.down statistics counters.
- Accept both option names with and without colon for get_option
  and set_option.
- low-rtt and low-rtt-pct in unbound.conf enable the server selection
  of fast servers for some percentage of the time.
- num.query.aggressive.NOERROR and num.query.aggressive.NXDOMAIN
  statistics counters.
- allow-notify: config statement for auth-zones.
- Can set tls authentication with forward-addr: IP#tls.auth.name
  And put the public cert bundle in tls-cert-bundle: "ca-bundle.pem".
  such as forward-addr: or
- list_auth_zones unbound-control command.
- Added root-key-sentinel support

Bug Fixes
- Fix #3727: Protocol name is TLS, options have been renamed but
  documentation is not consistent.
- Check IXFR start serial.
- Fix typo in documentation.
- Fix #3736: Fix 0 TTL domains stuck on SERVFAIL unless manually
  flushed with serve-expired on.
- Fix #3817: core dump happens in libunbound delete, when queued
  servfail hits deleted message queue.
- corrected a minor typo in the changelog.
- move htobe64/be64toh portability code to cachedb.c.
- iana port update.
- Do not use cached NSEC records to generate negative answers for
  domains under DNSSEC Negative Trust Anchors.
- Fix unbound-control get_option aggressive-nsec
- Check "result" in dup_all(), by Florian Obser.
- Fix #4043: make test fails due to v6 presentation issue in macOS.
- Fix unable to resolve after new WLAN connection, due to auth-zone
  failing with a forwarder set.  Now, auth-zone is only used for
  answers (not referrals) when a forwarder is set.
- Combine write of tcp length and tcp query for dns over tls.
- nitpick fixes in example.conf.
- Fix above stub queries for type NS and useless delegation point.
- Fix unbound-control over pipe with openssl 1.1.1, the TLSv1.3
  tls_choose_sigalg routine does not allow the ciphers for the pipe,
  so use TLSv1.2.
- Fix that flush_zone sets prefetch ttl expired, so that with
  serve-expired enabled it'll start prefetching those entries.
- Fix downstream auth zone, only fallback when auth zone fails to
  answer and fallback is enabled.
- Fix for max include depth for authzones.
- Fix memory free on fail for $INCLUDE in authzone.
- Fix that an internal error to look up the wrong rr type for
  auth zone gets stopped, before trying to send there.
- Fix auth zone target lookup iterator.
- Fix auth-zone retry timer to be on schedule with retry timeout,
  with backoff.  Also time a refresh at the zone expiry.
- Fix #658: unbound using TLS in a forwarding configuration does not
  verify the server's certificate (RFC 8310 support).
- For addr with #authname and no @port notation, the default is 853.
- man page documentation for dns-over-tls forward-addr '#' notation.
- removed free from failed parse case.
- Fix #4091: Fix that reload of auth-zone does not merge the zonefile
  with the previous contents.
- Delete auth zone when removed from config.
- makedist uses bz2 for expat code, instead of tar.gz.
- Fix #4092: libunbound: use-caps-for-id lacks colon in
- auth zone http download stores exact copy of downloaded file,
  including comments in the file.
- Fix sldns parse failure for CDS alternate delete syntax empty hex.
- Attempt for auth zone fix; add of callback in mesh gets from
  callback does not skip callback of result.
- Fix cname classification with qname minimisation enabled.
- Fix contrib/fastrpz.patch for this release.
- Fix auth https for libev.
- Fix memory leak when caching wildcard records for aggressive NSEC use
- Fix for crash in daemon_cleanup with dnstap during reload,
  from Saksham Manchanda.
- Also that for dnscrypt.
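As an added illustration of the DNS-over-TLS forwarding settings described in the release notes above (this is example code written for this page, not code from Unbound, from the port, or from the patch attached to this PR): a small Python linter that parses the forward-zone part of an unbound.conf and reports forwarders that would send queries in cleartext, or that use TLS without the tls-cert-bundle and forward-addr #auth-name combination Unbound needs to verify the upstream (the gap closed by the #658 fix listed above). It understands only the "key: value" subset of the syntax used here, treats '#' as a comment only at line start or after whitespace (a simplification), and the two embedded configs with their 192.0.2.x / 2001:db8:: addresses and the auth name dns.example.net are constructed sample values.

```python
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Upstream:
    host: str
    port: int
    auth_name: Optional[str]


@dataclass
class ForwardZone:
    name: str = ""
    tls_upstream: bool = False
    upstreams: list = field(default_factory=list)


# Simplification (assumption): '#' starts a comment only at line start or after
# whitespace, so the '#tls.auth.name' suffix of a forward-addr value survives.
_COMMENT = re.compile(r"(^|\s)#.*$")
_KEY_VALUE = re.compile(r"^(\S+?):\s*(.*)$")


def parse_forward_addr(value: str) -> Upstream:
    """Parse the 'IP[@port][#tls.auth.name]' notation of forward-addr.

    With a #auth-name and no @port the port defaults to 853 (DNS over TLS),
    as the release notes state; without an auth name it is plain DNS on 53.
    """
    value = value.strip().strip('"')
    auth_name = None
    if "#" in value:
        value, auth_name = value.split("#", 1)
    port = None
    if "@" in value:  # IPv6 literals contain ':' but never '@'
        value, port_text = value.rsplit("@", 1)
        port = int(port_text)
    if port is None:
        port = 853 if auth_name else 53
    return Upstream(value, port, auth_name or None)


def parse_config(text: str):
    """Return (server_options, forward_zones) from the key: value subset of unbound.conf."""
    server = {}
    zones = []
    current = None  # "server" or the ForwardZone being filled
    for raw in text.splitlines():
        line = _COMMENT.sub("", raw).strip()
        if not line:
            continue
        match = _KEY_VALUE.match(line)
        if not match:
            continue
        key, value = match.group(1), match.group(2).strip().strip('"')
        if key == "server":
            current = "server"
        elif key == "forward-zone":
            current = ForwardZone()
            zones.append(current)
        elif current == "server":
            server[key] = value
        elif isinstance(current, ForwardZone):
            if key == "name":
                current.name = value
            elif key == "forward-addr":
                current.upstreams.append(parse_forward_addr(value))
            elif key == "forward-tls-upstream":
                current.tls_upstream = value.lower() == "yes"
    return server, zones


def lint(text: str):
    """Report forward zones whose upstream transport is unencrypted or unauthenticated."""
    server, zones = parse_config(text)
    findings = []
    if any(z.tls_upstream for z in zones) and "tls-cert-bundle" not in server:
        findings.append("server: tls-cert-bundle is not set; upstream TLS certificates cannot be validated")
    for zone in zones:
        label = f'forward-zone "{zone.name}"'
        if not zone.tls_upstream:
            hosts = ", ".join(u.host for u in zone.upstreams)
            findings.append(f"{label}: forward-tls-upstream is not 'yes'; queries to {hosts} leave in cleartext")
            continue
        for upstream in zone.upstreams:
            if upstream.auth_name is None:
                findings.append(f"{label}: forward-addr {upstream.host} has no #auth-name; "
                                "the upstream's certificate identity is not checked")
    return findings


# Constructed sample: TLS requested, but nothing that lets Unbound verify the
# upstream, plus a second zone that forwards in cleartext.
WEAK_CONF = """\
server:
    interface: 127.0.0.1
forward-zone:
    name: "."
    forward-addr: 192.0.2.1
    forward-tls-upstream: yes
forward-zone:
    name: "example.org"
    forward-addr: 192.0.2.2
"""

# Constructed sample: CA bundle set and every upstream carries an auth name.
HARDENED_CONF = """\
server:
    interface: 127.0.0.1
    tls-cert-bundle: "ca-bundle.pem"   # bundle name as used in the release notes
forward-zone:
    name: "."
    forward-addr: 192.0.2.1#dns.example.net
    forward-addr: 2001:db8::1@853#dns.example.net
    forward-tls-upstream: yes
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"[{label}]")
        for finding in lint(conf) or ["no findings"]:
            print("  " + finding)
```

Run against the weak sample the linter reports the missing CA bundle, the unauthenticated forwarder for "." and the cleartext zone; the hardened sample yields nothing, because both forward-addr entries name the upstream to authenticate and the bundle to validate its certificate against.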
Comment 1 commit-hook freebsd_committer 2018-05-10 14:50:38 UTC
A commit references this bug:

Author: miwi
Date: Thu May 10 14:50:20 UTC 2018
New revision: 469556
URL: https://svnweb.freebsd.org/changeset/ports/469556

  - Update to 2.5.9
  - Update WWW

  PR:	227949
  Submitted by:	maintainer
  Sponsored by:     iXsystems Inc.

Comment 2 Chris Hutchinson 2018-10-17 01:44:54 UTC
Perhaps I should start a new pr(1).
But this pr references a bug that was supposed to be fixed:

- Fix unbound-control get_option aggressive-nsec

However, walking up the commits from 1.70, to 1.73
unbound-control stats always returns:

# unbound-control stats
unbound.conf:22: error: unknown keyword 'aggressive-nsec'
unbound.conf:22: error: stray ':'
unbound.conf:22: error: unknown keyword 'yes'
read unbound.conf failed: 3 errors in configuration file
[1539739636] unbound-control[76861:0] fatal error: could not read config file

when unbound.conf(5) contains:

aggressive-nsec: yes
aggressive-nsec yes

Any hopes of ever getting this fixed on FreeBSD?
I don't see any more evidence of this error in any of the other
commit messages, or pr(1)'s other than this.

Thank you!

P.S. happens on both 11 && 12 @ 1.70-1.73
Comment 3 Jaap Akkerhuis 2018-10-17 07:25:25 UTC
(In reply to Chris Hutchinson from comment #2)

It seems you have a configuration file which is not supported by the version you use.
Upgrade to a later version (1.8.1 is the latest).

And yes, consider a new pr rather than adding to an old closed issue.