Bug 250199 - dns/unbound: Update Unbound: to version 1.12.0
Summary: dns/unbound: Update Unbound: to version 1.12.0
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Many People
Assignee: Renato Botelho
URL: https://www.nlnetlabs.nl/projects/unb...
Keywords:
Depends on:
Blocks:
 
Reported: 2020-10-08 13:39 UTC by Jaap Akkerhuis
Modified: 2020-12-12 16:58 UTC (History)
1 user (show)

See Also:


Attachments
Patch to update (2.11 KB, patch)
2020-10-08 13:39 UTC, Jaap Akkerhuis
jaap: maintainer-approval+
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Jaap Akkerhuis 2020-10-08 13:39:19 UTC
Created attachment 218609 [details]
Patch to update

This release contains the DNS Flag Day 2020 changes.  This sets the
default EDNS buffer size to 1232, that should reduce fragmentation.
https://dnsflagday.net/2020/

There is inclusive language in the configuration.  There is caps-exempt,
ipsecmod-allow and primary server options for auth-zones.  The older
terms are accepted to keep configuration working.

DNS-over-HTTPS is supported in this release.  The DoH is enabled when
Unbound is compiled with the nghttp2 library, with configure
--with-libnghttp2.  Then have an interface on the https port, that can
be configured with the https-port option.  Also have a cert and key
available with the tls-service-key and tls-service-pem options.  Further
settings can be configured for the http-endpoint, http-max-streams,
http-query-buffer-size, http-response-buffer-size and http-nodelay
options.  The max streams sets the maximum concurrent streams, the
buffer size options the number of bytes in buffers, and the nodelay
option can turn on TCP_NODELAY for DNS-over-HTTPS service.  In the
statistics the memory used is reported in mem.http.query_buffer and
mem.http.response_buffer.  The number of queries is reported in
num.query.https, they are also included in the tcp and tls counts
because https uses TLS and TCP.

The DLV options and code to handle DLV lookups have been removed from
the code base.  The DLV repository is empty nowadays, it has been
decommissioned.

There is a new feature where it is possible to use interface names to
bind to the IP addresses on that interface.  It pulls in the addresses
at the start of the server, if the addresses change, use the existing
freebind and other socket options to register for addresses before they
appear, or the interface-automatic option that copies them from queries
to answers with ancillary data.

There is a new option for the edns-tag draft specification.  It can be
enabled if you need the tentative implementation to add those tags to
outgoing messages.

Features
- DNS Flag Day 2020: change edns-buffer-size default to 1232.
- Merge PR #255: DNS-over-HTTPS support.
- Use inclusive language in configuration
- Merge PR #284 and Fix #246: Remove DLV entirely from Unbound.
  The DLV has been decommisioned and in unbound 1.5.4, in 2015, there
  was advise to stop using it.  The current code base does not contain
  DLV code any more.  The use of dlv options displays a warning.
- Similar to NSD PR#113, implement that interface names can be used,
  eg. something like interface: eth0 is resolved at server start and
  uses the IP addresses for that named interface.
- Merge PR #272: Add EDNS client tag functionality.
- Add edns-client-tag-opcode option

Bug Fixes
- Merge PR #270 from cgzones: munin plugin: always exit 0 in autoconf
- Merge PR #269, Fix python module len() implementations, by Torbjörn
  Lönnemark
- Merge PR #268, draft-ietf-dnsop-serve-stale-10 has become RFC 8767 on
  March 2020, by and0x000.
- Fix doxygen comment for no ssl for tls session ticket key callback
  routine.
- Fix mini_event.h on OpenBSD cannot find fd_set.
- Improve error log message when inserting rpz RR.
- Merge PR #280, Make tvOS & watchOS checks verify truthiness as well as
  definedness, by Felipe Gasper.
- contrib/aaaa-filter-iterator.patch file renewed diff content to
  apply cleanly to the current coderepo for the current code version.
- Fix #287: doc typo: "Additionaly".
- Merge (modified) PR #277, use EVP_MAC_CTX_set_params if available,
  by Vítězslav Čížek.
- Create and init edns tags data for libunbound.
- Fix stats double count issue (#289).
- Fix that dnstap reconnects do not spam the log with the repeated
  attempts.  Attempts on the timer are only logged on high verbosity,
  if they produce a connection failure error.
- Fix to apply chroot to dnstap-socket-path, if chroot is enabled.
- Change configure to use EVP_sha256 instead of HMAC_Update for
  openssl-3.0.0.
- Update documentation in python example code.
- Review fix interface, doxygen and assign null in case of error free.
- Merge PR #293: Add missing prototype.  Also refactor to use the new
  shorthand function to clean up the code.
- Refactor to use sock_strerr shorthand function.
- Fix #296: systemd nss-lookup.target is reached before unbound can
  successfully answer queries. Changed contrib/unbound.service.in.
- Fix num.expired statistics output.
- Remove x file mode on ipset/ipset.c and h files.
- Spelling fix.
- Introduce test for statistics.
- Fix that prefer-ip4 and prefer-ip6 can be get and set with
  unbound-control, with libunbound and the unbound-checkconf option
  output function.
- Merge PR #311 by luismerino: Dynlibmod leak.
- Error message is logged for dynlibmod malloc failures.
- iana portlist updated.
- Fix #304: dnstap logging not recovering after dnstap process restarts
- Fix edns-client-tags get_option typo
- Fix #305: dnstap logging significantly affects unbound performance
  (regression in 1.11).
- Fix #305: only wake up thread when threshold reached.
- Fix to ifdef fptr wlist item for dnstap.
- Fix memory leak of edns tags at libunbound context delete.
- Fix double loopexit for unbound-dnstap-socket after sigterm.
Comment 1 commit-hook freebsd_committer freebsd_triage 2020-10-12 15:33:59 UTC
A commit references this bug:

Author: garga
Date: Mon Oct 12 15:33:46 UTC 2020
New revision: 552135
URL: https://svnweb.freebsd.org/changeset/ports/552135

Log:
  dns/unbound: Update to 1.12.0

  PR:		250199
  Submitted by:	maintainer
  Sponsored by:	Rubicon Communications, LLC (Netgate)

Changes:
  head/dns/unbound/Makefile
  head/dns/unbound/distinfo
  head/dns/unbound/pkg-plist
Comment 2 commit-hook freebsd_committer freebsd_triage 2020-12-12 16:58:56 UTC
A commit references this bug:

Author: brnrd
Date: Sat Dec 12 16:58:25 UTC 2020
New revision: 557837
URL: https://svnweb.freebsd.org/changeset/ports/557837

Log:
  MFH: r552135 r557836

   * Don't change default options on 2020Q4

  dns/unbound: Update to 1.12.0

  PR:		250199
  Submitted by:	maintainer
  Sponsored by:	Rubicon Communications, LLC (Netgate)

  dns/unbound: Security update to 1.13.0

   * Sort options and port_docs while here

  PR:		251563
  Submitted by:	Jaap Akkerhuis <jaap nlnetlabs nl> (maintainer)
  Approved by:	maintainer (implicit)
  Security:	388ebb5b-3c95-11eb-929d-d4c9ef517024

  Approved by:	ports-secteam (implicit)

Changes:
_U  branches/2020Q4/
  branches/2020Q4/dns/unbound/Makefile
  branches/2020Q4/dns/unbound/distinfo
  branches/2020Q4/dns/unbound/pkg-plist