From nobody Fri Feb 11 14:29:55 2022 X-Original-To: ports-bugs@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id D92EF19C3716 for ; Fri, 11 Feb 2022 14:29:55 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4JwGGq4v4Fz4c3Z for ; Fri, 11 Feb 2022 14:29:55 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2610:1c1:1:606c::50:1d]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 84B2115BA4 for ; Fri, 11 Feb 2022 14:29:55 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from kenobi.freebsd.org ([127.0.1.5]) by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id 21BETt8M022730 for ; Fri, 11 Feb 2022 14:29:55 GMT (envelope-from bugzilla-noreply@freebsd.org) Received: (from www@localhost) by kenobi.freebsd.org (8.15.2/8.15.2/Submit) id 21BETtxs022729 for ports-bugs@FreeBSD.org; Fri, 11 Feb 2022 14:29:55 GMT (envelope-from bugzilla-noreply@freebsd.org) X-Authentication-Warning: kenobi.freebsd.org: www set sender to bugzilla-noreply@freebsd.org using -f From: bugzilla-noreply@freebsd.org To: ports-bugs@FreeBSD.org Subject: [Bug 261888] dns/unbound: Update to 1.15.0 Date: Fri, 11 Feb 2022 14:29:55 +0000 X-Bugzilla-Reason: AssignedTo X-Bugzilla-Type: new X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: Ports & Packages X-Bugzilla-Component: Individual Port(s) X-Bugzilla-Version: Latest X-Bugzilla-Keywords: X-Bugzilla-Severity: Affects Only Me X-Bugzilla-Who: jaap@NLnetLabs.nl X-Bugzilla-Status: New X-Bugzilla-Resolution: X-Bugzilla-Priority: --- X-Bugzilla-Assigned-To: ports-bugs@FreeBSD.org X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: bug_id short_desc product version rep_platform bug_file_loc op_sys bug_status bug_severity priority component assigned_to reporter flagtypes.name attachments.created Message-ID: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/ Auto-Submitted: auto-generated List-Id: Ports bug reports List-Archive: https://lists.freebsd.org/archives/freebsd-ports-bugs List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-ports-bugs@freebsd.org X-BeenThere: freebsd-ports-bugs@freebsd.org MIME-Version: 1.0 ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1644589795; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=jC8D3lW4y4//TBihErJnEY9aq9FfNg1j1XL4/Oe8gjg=; b=rbCasrSUfPXPSGf5Q07psWN7OOtat1EWNHWPjxFMF8QNVPOHc+raWSLkIRqyQS27/tWDO6 +y9g1quVf9e5tofgj39qIklhLYH7JelcejSX9zo865EZ04f+GxablTOqdd4kWN7K9u2iJQ VP+Xvr7BXYpJ4gn5jBz+/4FJ8dF0/b3Q8SVP6JAf7FYSycmuiGnMZGviluQVNdSuUtg9uR PV2Ics3RV7UbhBAVTD5VF8M8ickPWpkFTlP1iOPfqbirCNLrhd60A+EVe0FS0e/AfnUdkF lNyWHG8GNDve356IRy+le3wcAgplQjSokizLWwFVoSmCTCeJGVqdF/FIqxitug== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1644589795; a=rsa-sha256; cv=none; b=hc7vgjB4uqBtZediR8xjPwnFzkf8lRsgRMDO8cSwemv90X505e/aAGF6MOu29yLoYAB092 0WnEncK1cI3qlw8DLSzTxcn/DP9KCsj/Vq5xPSDPJ5OCSRiQF6SLMnc/0FlmrtA25yggub ZJdDv15Q8/pWOxD7TyToY0gTThyS4XeKnwm918xdFF6rUL5o965dcJtH5NtC3B9D6FGMK6 A/oyJfgP/590PbfF1xJsU8nPxP4zXu3h6804aaeMSedxN+zIFnJPvCnb0UbmB5IgjQs6ka 4MiB+kcEUrSyFQoRlixIIvBkpYHYSIz9B7u00cvfUYQwAxbAdV9Qa6DzrkCdcA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none X-ThisMailContainsUnwantedMimeParts: N https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D261888 Bug ID: 261888 Summary: dns/unbound: Update to 1.15.0 Product: Ports & Packages Version: Latest Hardware: Any URL: https://nlnetlabs.nl/news/2022/Feb/10/unbound-1.15.0-r eleased/ OS: Any Status: New Severity: Affects Only Me Priority: --- Component: Individual Port(s) Assignee: ports-bugs@FreeBSD.org Reporter: jaap@NLnetLabs.nl Attachment #231755 maintainer-approval+ Flags: Created attachment 231755 --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=3D231755&action= =3Dedit patch to upgrade [The Makefile of the port got cleaned up to make portfmt happy] This release has bug fixes for crashes that happened on heavy network usage. The default for the aggressive-nsec option has changed, it is now enabled. The ratelimit logic had to be reworked for the crash fixes. As a result, there are new options to control the behaviour of ratelimiting. The ratelimit-backoff and ip-ratelimit-backoff options can be used to control how severe the backoff is when the ratelimit is exceeded. The rpz-signal-nxdomain-ra option can be used to unset the RA flag, for NXDOMAIN answers from RPZ. That is used by some clients to detect that the domain is externally blocked. The RPZ option for-downstream can be used like for auth zones, this allows the RPZ zone information to be queried. That can be useful for monitoring scripts. Features - Fix #596: unset the RA bit when a query is blocked by an unbound RPZ nxdomain reply. The option rpz-signal-nxdomain-ra allows to signal that a domain is externally blocked to clients when it is blocked with NXDOMAIN by unsetting RA. - Add rpz: for-downstream: yesno option, where the RPZ zone is authoritatively answered for, so the RPZ zone contents can be checked with DNS queries directed at the RPZ zone. - Merge PR #616: Update ratelimit logic. It also introduces ratelimit-backoff and ip-ratelimit-backoff configuration options. - Change aggressive-nsec default to yes. Bug Fixes - Fix compile warning for if_nametoindex on windows 64bit. - Merge PR #581 from fobser: Fix -Wmissing-prototypes and -Wshadow warnings in rpz. - Fix validator debug output about DS support, print correct algorithm. - Add code similar to fix for ldns for tab between strings, for consistency, the test case was not broken. - Allow local-data for classes other than IN to inherit a configured local-zone's type if possible, instead of defaulting to type transparent as per the implicit rule. - Fix to pick up other class local zone information before unlock. - Add missing configure flags for optional features in the documentation. - Fix Unbound capitalization in the documentation. - Fix #591: Unbound-anchor manpage links to non-existent license file. - contrib/aaaa-filter-iterator.patch file renewed diff content to apply cleanly to the current coderepo for the current code version. - Fix to add test for rpz-signal-nxdomain-ra. - Fix #596: only unset RA when NXDOMAIN is signalled. - Fix that RPZ does not set RD flag on replies, it should be copied from the query. - Fix for #596: fix that rpz return message is returned and not just the rcode from the iterator return path. This fixes signal unset RA after a CNAME. - Fix unit tests for rpz now that the AA flag returns successfully from the iterator loop. - Fix for #596: add unit test for nsdname trigger and signal unset RA. - Fix for #596: add unit test for nsip trigger and signal unset RA. - Fix #598: Fix unbound-checkconf fatal error: module conf 'respip dns64 validator iterator' is not known to work. - Fix for #596: Fix rpz-signal-nxdomain-ra to work for clientip triggered operation. - Merge #600 from pemensik: Change file mode before changing file owner. - Fix prematurely terminated TCP queries when a reply has the same ID. - For #602: Allow the module-config "subnetcache validator cachedb iterator". - Fix EDNS to upstream where the same option could be attached more than once. - Add a region to serviced_query for allocations. - For dnstap, do not wakeupnow right there. Instead zero the timer to force the wakeup callback asap. - Fix #610: Undefine-shift in sldns_str2wire_hip_buf. - Fix #588: Unbound 1.13.2 crashes due to p->pc is NULL in serviced_udp_callback. - Merge PR #612: TCP race condition. - Test for NSID in SERVFAIL response due to DNSSEC bogus. - Fix #599: [FR] RFC 9156 (obsoletes RFC 7816), by noting the new RFC document. - Fix tls-* and ssl-* documented alternate syntax to also be available through remote-control and unbound-checkconf. - Better cleanup on failed DoT/DoH listening socket creation. - iana portlist update. - Fix review comment for use-after-free when failing to send UDP out. - Merge PR #603 from fobser: Use OpenSSL 1.1 API to access DSA and RSA internals. - Merge PR #532 from Shchelk: Fix: buffer overflow bug. - Merge PR #617: Update stub/forward-host notation to accept port and tls-auth-name. - Update stream_ssl.tdir test to also use the new forward-host notation. - Fix header comment for doxygen for authextstrtoaddr. - please clang analyzer for loop in test code. - Fix docker splint test to use more portable uname. - Update contrib/aaaa-filter-iterator.patch with diff for current software version. - Fix for #611: Integer overflow in sldns_wire2str_pkt_scan. --=20 You are receiving this mail because: You are the assignee for the bug.=