Created attachment 197912 [details]
Patch to upgrade

This release of Unbound contains a number of bug fixes.  A memory leak
in the TLS lookup code is fixed.  Leaked requests in the requestlist are
fixed.  Lookup failure due to qname minimisation and a lack of IPv6 with
connectivity issues is fixed.

TLS upstream servers are signalled with SNI with the name that is
configured.  This allows hosting servers by name on the destination.

Also Unbound is fixed from calling disallowed routines, by using EVP
code, for FIPS OpenSSL.


Features:
- Perform TLS SNI indication of the host that is being contacted
  for DNS over TLS service.  It sets the configured tls auth name.
  This is useful for hosts that apart from the DNS over TLS services
  also provide other (web) services.

Bug Fixes:
- More explicitly mention the type of ratelimit when applying
  ip-ratelimit.
- Fix spelling error in header, from getdns commit by Andreas Gelmini.
- iana port update.
- Fixed unused return value warnings in contrib/fastrpz.patch for
  asprintf.
- Fix to squelch respip warning in unit test, it is printed at
  higher verbosity settings.
- Fix spelling errors.
- Fix initialisation in remote.c
- Fix seed for random backup code to use explicit zero when wiped.
- exit log routine is annotated as noreturn function.
- free memory leaks in config strlist and str2list insert functions.
- do not move unused argv variable after getopt.
- Remove unused if clause in testcode.
- in testcode, free async ids, initialise array, and check for null
  pointer during test of the test.  And use exit for return to note
  irregular program stop.
- Free memory leak in config strlist append.
- make sure nsec3 comparison salt is initialized.
- unit test has clang analysis.
- remove unused variable assignment from iterator scrub routine.
- check for null in delegation point during iterator refetch
  in forward zone.
- neater pointer cast in libunbound context quit routine.
- initialize statistics totals for printout.
- in authzone check that node exists before adding rrset.
- in unbound-anchor, use readwrite memory BIO.
- assertion in autotrust that packed rrset is formed correctly.
- Fix memory leak when message parse fails partway through copy.
- remove unused udpsize assignment in message encode.
- nicer bio free code in unbound-anchor.
- annotate exit functions with noreturn in unbound-control.
- Fix compile on Mac for unbound, provide explicit_bzero when libc
  does not have it.
- Fix unbound for openssl in FIPS mode, it uses the digests with
  the EVP call contexts.
- Fix that with harden-below-nxdomain and qname minisation enabled
  some iterator states for nonresponsive domains can get into a
  state where they waited for an empty list.
- Stop UDP to TCP failover after timeouts that causes the ping count
  to be reset by the TCP time measurement (that exists for TLS),
  because that causes the UDP part to not be measured as timeout.
- Fix #4156: Fix systemd service manager state change notification.
- Fix #4149: Add SSL cleanup for tcp timeout.
- Fix #4188: IPv6 forwarders without ipv6 result in SERVFAIL, fixes
  qname minimisation with a forwarder when connectivity has issues
  from rejecting responses.
- fastrpz.patch fixed.