Bug 228889 - [MAINTAINER] dns/unbound upgrade to 1.7.2
Summary: [MAINTAINER] dns/unbound upgrade to 1.7.2
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Many People
Assignee: Steve Wills
Depends on:
Reported: 2018-06-11 12:20 UTC by Jaap Akkerhuis
Modified: 2018-06-14 23:23 UTC

patch to upgrade (1.30 KB, patch)
2018-06-11 12:20 UTC, Jaap Akkerhuis
jaap: maintainer-approval+
Description Jaap Akkerhuis 2018-06-11 12:20:48 UTC
Created attachment 194164
patch to upgrade

This release fixes bugs in DNS-over-TLS for windows, and adds the option
for windows users to use the CA certificates from the Windows cert
stores, tls-win-cert: yes in unbound.conf.

The code has been updated with a speed up that improves performance for
large numbers of incoming TCP and TLS connections.

There is an option to ignore an unset RD bit for access control
subnets and always allow recursion for the request.

Windows unbound 1.7.2 download links, 64 and then 32bit:
And .asc pgp signatures.

- Fix low-rtt-pct to low-rtt-permil, as it is parts in one thousand.
- Qname minimisation default changed to yes.
- Use accept4 to speed up incoming TCP (and TLS) connections,
  available on Linux, FreeBSD and OpenBSD.
- tls-win-cert option that adds the system certificate store for
  authenticating DNS-over-TLS connections.  It can be used instead
  of the tls-cert-bundle option, or with it to add certificates.
- Patch from Syzdek: Add ability to ignore RD bit and treat all
  requests as if the RD bit is set.
- Rename additional-tls-port to tls-additional-ports.
  The older name is accepted for backwards compatibility.

Bug fixes:
- Fix for crash in daemon_cleanup with dnstap during reload,
  from Saksham Manchanda.
- Also that for dnscrypt.
- Fix spelling error in man page and note defaults as no instead of
- Fix that unbound-control reload frees the rrset keys and returns
  the memory pages to the system.
- Fix fail to reject dead peers in forward-zone, with ssl-upstream.
- Fix that configure --with-libhiredis also turns on cachedb.
- Fix gcc 8 buffer warning in testcode.
- Fix function type cast warning in libunbound context callback type.
- Fix windows to not have sticky TLS events for TCP.
- Fix read of DNS over TLS length and data in one read call.
- Fix mesh state assertion failure due to callback removal.
- Fix contrib/libunbound.pc for libssl libcrypto references,
  from https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=226914
- Fix that libunbound can do DNS-over-TLS, when configured.
- Fix that windows unbound service can use DNS-over-TLS.
- unbound-host initializes ssl (for potential DNS-over-TLS usage
  inside libunbound), when ssl upstream or a cert-bundle is configured.
- For TCP and TLS connections that don't establish, perform address
  update in infra cache, so future selections can exclude them.
- Fix that tcp sticky events are removed for closed fd on windows.
- Fix close events for tcp only.
- Fix windows tcp and tls spin on events.
- Add routine from getdns to add windows cert store to the SSL_CTX.
- In compat/arc4random call getentropy_urandom when getentropy fails
  with ENOSYS.
- Fix that fallback for windows port.
- Fix deadlock caused by incoming notify for auth-zone.
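Three items in the notes above change how an existing unbound.conf behaves after the upgrade: two options are renamed (the old names are still accepted), qname-minimisation now defaults to yes, and DNS-over-TLS upstreams are only authenticated when a certificate source (tls-cert-bundle or tls-win-cert) is configured. The checker below is an added example, not code from the port or from NLnet Labs: it rewrites the renamed options, and warns when the default flip or a missing certificate source would silently matter. It assumes a simple line-oriented "key: value" layout (no include: directives), and that forward-ssl-upstream is the forward-zone form of the ssl-upstream option the notes mention; the sample configuration is constructed for the example.

```python
"""Lint an unbound.conf for the changes listed in the unbound 1.7.2 notes.

Added example, not part of the FreeBSD port or of unbound itself.
"""
import re

# Renamed options from the release notes. Both are plain renames: the notes
# say the old names are still accepted, and low-rtt-pct was already parts
# per thousand, so the value is NOT rescaled.
RENAMES = {
    "low-rtt-pct": "low-rtt-permil",
    "additional-tls-port": "tls-additional-ports",
}

# Options that enable TLS to upstream servers (server / forward-zone clause).
# forward-ssl-upstream is assumed to be the forward-zone form of ssl-upstream.
TLS_UPSTREAM_KEYS = {"ssl-upstream", "forward-ssl-upstream"}

# "   key: value   # comment"; clause headers such as "server:" carry no
# value and therefore do not match.
_OPTION = re.compile(r"^(\s*)([A-Za-z0-9-]+):\s*(\S.*?)\s*(#.*)?$")


def lint_config(text):
    """Return (migrated_text, warnings) for the given unbound.conf contents."""
    out, warnings = [], []
    seen = {}  # option name -> list of values, across all clauses
    for raw in text.splitlines():
        m = _OPTION.match(raw)
        if not m:
            out.append(raw)  # blank line, comment or clause header
            continue
        indent, key, value, comment = m.groups()
        if key in RENAMES:
            new_key = RENAMES[key]
            warnings.append("renamed %s -> %s (old name still accepted)"
                            % (key, new_key))
            key = new_key
        seen.setdefault(key, []).append(value)
        line = "%s%s: %s" % (indent, key, value)
        if comment:
            line += "  " + comment
        out.append(line)

    # Default changed to yes in 1.7.2: an absent line now means minimisation on.
    if "qname-minimisation" not in seen:
        warnings.append("qname-minimisation not set; default is 'yes' from 1.7.2")

    # TLS upstreams need a certificate store to be authenticated against.
    tls_on = any(v.lower() == "yes"
                 for k in TLS_UPSTREAM_KEYS for v in seen.get(k, []))
    bundle = [v for v in seen.get("tls-cert-bundle", []) if v not in ('""', "")]
    wincert = [v for v in seen.get("tls-win-cert", []) if v.lower() == "yes"]
    if tls_on and not (bundle or wincert):
        warnings.append("TLS upstream enabled but neither tls-cert-bundle nor "
                        "tls-win-cert is set; upstream certificates cannot be "
                        "authenticated")
    return "\n".join(out) + "\n", warnings


# Constructed sample: pre-1.7.2 names, no qname-minimisation line, and a
# DNS-over-TLS forwarder with no certificate source.
SAMPLE_CONF = """\
server:
    interface: 127.0.0.1
    low-rtt-pct: 900          # old name, value already per mille
    additional-tls-port: 853  # old name
    tls-win-cert: no

forward-zone:
    name: "."
    forward-addr: 192.0.2.53@853
    forward-ssl-upstream: yes
"""

if __name__ == "__main__":
    migrated, notes = lint_config(SAMPLE_CONF)
    print(migrated)
    for n in notes:
        print("WARNING:", n)
```

Run it against a real unbound.conf by reading the file into lint_config; the migrated text is what you would write back, and the warnings are the two behavioural changes worth a deliberate decision before restarting the daemon.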
Comment 1 commit-hook freebsd_committer 2018-06-14 23:22:44 UTC
A commit references this bug:

Author: swills
Date: Thu Jun 14 23:22:22 UTC 2018
New revision: 472412
URL: https://svnweb.freebsd.org/changeset/ports/472412

  dns/unbound: upgrade to 1.7.2

  PR:		228889
  Submitted by:	jaap@NLnetLabs.nl (maintainer)

Comment 2 Steve Wills freebsd_committer 2018-06-14 23:23:29 UTC
Committed, thanks!