pkgsrc/net/unbound/Makefile

101 lines
3.4 KiB
Makefile

Unbound 1.6.0
=============

Features:
---------
- Added generic EDNS code for registering known EDNS option codes, bypassing the cache response stage and uniquifying mesh states. Four EDNS option lists were added to module_qstate (module_qstate.edns_opts_*) to store EDNS options from/to front/back side.
- Added two flags to module_qstate (no_cache_lookup, no_cache_store) that control the modules' cache interactions.
- Added code for registering inplace callback functions. The registered functions can be called just before replying with local data or Chaos, replying from cache, replying with SERVFAIL, replying with a resolved query, sending a query to a nameserver. The functions can inspect the available data and maybe change response/query related data (i.e. append EDNS options).
- Updated Python module for the above.
- Updated Python documentation.
- Added views functionality.
- Added qname-minimisation-strict config option.
- Patch that resolves CNAMEs entered in local-data conf statements that point to data on the internet.
- serve-expired config option: serve expired responses with TTL 0.
- .gitattributes line for githubs code language display.
- log-identity: config option to set sys log identity.
- Added stub-ssl-upstream and forward-ssl-upstream options.
- Added local-zones and local-data bulk addition and removal functionality in unbound-control (local_zones, local_zones_remove, local_datas and local_datas_remove).
- g.root-servers.net has AAAA address.

Bug Fixes:
----------
- Fix #836: unbound could echo back EDNS options in an error response.
- Fix #838: 1.5.10 cannot be built on Solaris, undefined PATH_MAX.
- Fix #839: Memory grows unexpectedly with large RPZ files.
- Fix #840: infinite loop in unbound_munin_ plugin on unowned lockfile.
- Fix #841: big local-zone's make it consume large amounts of memory.
- Fix dnstap relaying "random" messages instead of resolver/forwarder responses.
- Fix Nits for 1.5.10.
- Fix #1117: spelling errors, from Robert Edmonds.
- iana portlist update.
- fix memoryleak logfile when in debug mode.
- Re-fix #839 from view commit overwrite.
- Fixup const void cast warning.
- Removed patch comments from acllist.c and msgencode.c
- Added documentation doc/CNAME-basedRedirectionDesignNotes.pdf
- Fix #1125: unbound could reuse an answer packet incorrectly for clients with different EDNS parameters.
- Fix #1118: libunbound.pc sets strange Libs, Libs.private values.
- Added Requires line to libunbound.pc
- Fix #1130: whitespace in example.conf.in more consistent.
- suppress compile warning in lex files.
- init lzt variable, for older gcc compiler warnings.
- fix --enable-dsa to work, instead of copying ecdsa enable.
- Fix DNSSEC validation of query type ANY with DNAME answers.
- Fixup query_info local_alias init.
- Ported tests for local_cname unit test to testbound framework.
- Fix #1134: unbound-control set_option -- val-override-date: -1 works immediately to ignore datetime, or back to 0 to enable it again. The -- is to ignore the '-1' as an option flag.
- Patch for server.num.zero_ttl stats for count of expired replies.
- Fix failure to build on arm64 with no sbrk.
- Set OpenSSL security level to 0 when using aNULL ciphers.
- configure detects ssl security level API function in the autoconf manner. Every function on its own, so that other libraries (eg. LibreSSL) can develop their API without hindrance.
- Fix #1154: segfault when reading config with duplicate zones.
- Note that for harden-below-nxdomain the nxdomain must be secure, this means nsec3 with optout is insufficient.
- Fix #1155: test status code of unbound-control in 04-checkconf, not the status code from the tee command.
- Fix #1158: reference RFC 8020 "NXDOMAIN: There Really Is Nothing Underneath" for the harden-below-nxdomain option.
- patch from Dag-Erling Smorgrav that removes code that relies on sbrk().
- Make access-control-tag-data RDATA absolute. This makes the RDATA origin consistent between local-data and access-control-tag-data.
- Fix NSEC ENT wildcard check. Matching wildcard does not have to be a subdomain of the NSEC owner.
- QNAME minimisation uses QTYPE=A, therefore always check cache for this type in harden-below-nxdomain functionality.
- Added unit test for QNAME minimisation + harden below nxdomain synergy.
- Fix that with openssl 1.1 control-use-cert: no uses less cpu, by using no encryption over the unix socket.
- hyphen as minus fix.
- Fix #1170: document that 'inform' local-zone uses local-data.
- Fix #1173: differ local-zone type deny from unset tag_actions element.
- Add DSA support for OpenSSL 1.1.0
- Fix remote control without cert for LibreSSL
- Fix downcast warnings from visual studio in sldns code
2016-12-23 20:25:45 +01:00
# $NetBSD: Makefile,v 1.48 2016/12/23 19:25:45 pettai Exp $
DISTNAME= unbound-1.6.0
CATEGORIES= net
MASTER_SITES= http://www.unbound.net/downloads/
2013-11-24 10:39:44 +01:00
MAINTAINER= pettai@NetBSD.org
HOMEPAGE= http://www.unbound.net/
COMMENT= DNS resolver and recursive server
LICENSE= modified-bsd
BUILD_DEFS+= VARBASE UNBOUND_USER UNBOUND_GROUP
FILES_SUBST+= UNBOUND_USER=${UNBOUND_USER} UNBOUND_GROUP=${UNBOUND_GROUP}
GNU_CONFIGURE= yes
USE_LIBTOOL= yes
unbound 1.48:

Features:
* harden-below-nxdomain config option, default off (because very old software may be incompatible). We could enable it by default in the future. From draft-vixie-dnsext-resimprove-00.
* typetransparent localzone: does not block other RR types.
* so-sndbuf option for very busy servers, a bit like so-rcvbuf.

Bug Fixes:
* Fix so a changed NS RRset does not get moved name stuck on old server, for type NS the TTL is not increased.
* Fix prefetch so it does not get stuck on old server for moved names.
* Fix insecure CNAME sequence marked as secure, reported by Bert Hubert.
* faster lruhash get_mem routine.
* [bugzilla: 346 ] remove ITAR scripts from contrib, the service is discontinued, use the root.
* Fix in infra cache that could cause rto larger than TOP_TIMEOUT kept.
* algorithm compromise protection using the algorithms signalled in the DS record. Also, trust anchors, DLV, and RFC5011 receive this, and thus, if you have multiple algorithms in your trust-anchor-file then it will now behave different than before. Also, 5011 rollover for algorithms needs to be double-signature until the old algorithm is revoked.
* squelch 'tcp connect: bla' in logfile, (set verbosity 2 to see them)
* fix validation in this case: CNAME to nodata for co-hosted opt-in NSEC3 insecure delegation, was bogus, fixed to be insecure.
* Fix our 'BDS' license (typo reported by Xavier Belanger).
* [bugzilla: 338 ] print address when socket creation fails.
* Fix storage of EDNS failures in the infra cache.
* silence 'tcp connect: broken pipe' and 'net down' at low verbosity.
* unbound-anchor compiles with openssl 0.9.7.
* Be lenient and accept imgw.pl malformed packet (like BIND).
* the included ldns tarball is updated (to 1.6.8)
* iana portlist updated.

unbound 1.47:

Features:
* unbound-anchor app, unbound requires libexpat (xml parser library). It creates or updates a root.key file. Use it before you start the validator (e.g. at system boot time).
* dump_infra and flush_infra commands for unbound-control.

Bug Fixes:
* GOST code enabled by default (RFC 5933).
* Configure detects libev-4.00.
* do not synthesize a CNAME message from cache for qtype DS.
* Use central entropy to seed threads.
* Change the rtt used to probe EDNS-timeout hosts to 1000 msec.
* Fix validation failure for parent and child on same server with an insecure childzone and a CNAME from parent to child.
* Change of timeout code. No more lost and backoff in blockage. At 12sec timeout (and at least 2x lost before) one probe per IP is allowed only. At 120sec, the IP is blocked. After 15min, a 120sec entry has a single retry packet.
* no timeout backoff if meanwhile a query succeeded.
* Configure errors if ldns is not found.
* Windows 7 fix for the installer.
* Fix bug where fallback_tcp causes wrong roundtrip and edns observation to be noted in cache. Fix bug where EDNSprobe halted exponential backoff if EDNS status unknown.
* interface automatic works for some people with ip6 disabled. Therefore the error check is removed, so they can use the option.
* Fix TCP so it uses a random outgoing-interface.
* Fix bug when DLV below a trust-anchor that uses NSEC3 optout where the zone has a secure delegation hosted on the same server did not verify as secure (it was insecure by mistake).
* Fix alloc_reg_release for longer uptime in out of memory conditions.
* [bugzilla: 329 ] in example.conf show correct ipv4 link-local 169.254/16.
* compliance with draft-ietf-dnsop-default-local-zones-14, removed reverse ipv6 orchid prefix from builtin list.
* Algorithm rollover operational reality intrudes, for trust-anchor and 5011-store, if one key matches it's good enough.
* Fix reported validation error in out of memory condition.
* Abide RFC5155 section 9.2: no AD flag for replies with NSEC3 optout.
* increased mesh-max-activation from 1000 to 3000 for crazy domains like _tcp.slb.com with 262 servers.
* [bugzilla: 327 ] Fix for cannot access stub zones until the root is primed.
* openbsd-lint fixes
* [bugzilla: 321 ] Fix resolution of rs.ripe.net artifacts with 0x20. Delegpt structures checked for duplicates always. No more nameserver lookups generated when depth is full anyway.
* [bugzilla: 322 ] Fix, configure does not respect CFLAGS on Solaris. Pass CFLAGS="-xO4 -xtarget=generic" on the configure command line if use sun-cc, but some systems need different flags.
* Fix acx_nlnetlabs.m4 configure output for autoconf-2.66 AS_TR_CPP changes, uses m4_bpatsubst now.
* make test (or make check) should be more portable and run the unit test and testbound scripts. (make longtest has special requirements).
* More pleasant remote control command parsing.
* Fix name of rrset printed that failed validation.
* Return NXDOMAIN after chain of CNAMEs ends at name-not-found.
* Fix validation in case a trust anchor enters into a zone with unsupported algorithms.
* iana portlist updated.
* updated ldns tarball.
2011-03-21 16:04:32 +01:00
CONFIGURE_ARGS+= --with-libexpat=${BUILDLINK_PREFIX.expat}
CONFIGURE_ARGS+= --with-pidfile=${VARBASE}/run/unbound/unbound.pid
2010-11-29 13:41:51 +01:00
CONFIGURE_ARGS+= --sysconfdir=${PKG_SYSCONFBASE}
1.4.12:

Bug Fixes:
* removed ldns-src tarball inside the unbound tarball.
* [bugzilla: 395 ] fix that id bits of other query may leak out under conditions
* fix replyaddr count wrong after jostled queries, which leads to eventual starvation where the daemon has no replyaddrs left to use.
* fix that the listening socket is not closed when too many remote control connections are made at the same time.
* version number in example config file.
* fix that --enable-static-exe does not complain about it unknown.
* iana portlist updated

1.4.11:

Features:
* log-queries: yesno option, default is no, prints querylog.
* ignore-cd-flag: yesno to provide dnssec to legacy servers.
* Use -flto compiler flag for link time optimization, if supported.
* unbound-control has version number in the header, and uses port number registered with IANA, 8953.

Bug Fixes:
* Fix Makefile for U in environment, since wrong U is more common than deansification necessity.
* defense in depth against the assertion failure bug fixed in 1.4.10, an error is printed to log instead of an assertion failure.
* [bugzilla: 386 ] --enable-allsymbols option links all binaries to libunbound and reduces install size significantly.
* Fix TTL of SOA so negative TTL is separately cached from normal TTL.
* configure created with newer autoconf 2.66.
* [bugzilla: 378 ] Fix that configure checks for ldns_get_random presence.
* queries with CD flag set cause DNSSEC validation, but the answer is not withheld if it is bogus. Thus, unbound will retry if it is bad and curb the TTL if it is bad, thus protecting the cache for use by downstream validators.
* val-override-date: -1 ignores dates entirely, for NTP usage.
* harden-below-nxdomain: changed so that it activates when the cached nxdomain is dnssec secure. This avoids backwards incompatibility because those old servers do not have dnssec.
* statistics-interval prints the number of jostled queries to log.
* IPv6 service address for d.root-servers.net (2001:500:2D::D).
* updated ldns tarball to 1.6.10rc2 snapshot
* iana portlist updated.
2011-07-27 06:11:25 +02:00
CONFIGURE_ARGS+= --enable-allsymbols
2016-02-25 18:24:13 +01:00
# unbound uses some OpenBSD libc functions such as reallocarray(3).
# The existing tests just look for the symbol in libc regardless
# of anything in stdlib.h
CPPFLAGS.NetBSD+= -D_OPENBSD_SOURCE
# Add the same logic as for ldns, so sha2/gost is configured automatically
CHECK_BUILTIN.openssl= yes
.include "../../security/openssl/builtin.mk"
CHECK_BUILTIN.openssl= no
.include "../../security/openssl/buildlink3.mk"
PLIST_VARS+= sha2 gost
# Builtin OpenSSL: match the base system's version with pkg_admin pmatch.
.if defined(USE_BUILTIN.openssl) && !empty(USE_BUILTIN.openssl:M[yY][eE][sS])
PLIST_VARS.gost!= \
	if ${PKG_ADMIN} pmatch 'openssl>=1.0.0' ${BUILTIN_PKG.openssl:Q}; then \
		${ECHO} "yes"; \
	else \
		${ECHO} "no"; \
	fi
PLIST_VARS.sha2!= \
	if ${PKG_ADMIN} pmatch 'openssl>=0.9.8' ${BUILTIN_PKG.openssl:Q}; then \
		${ECHO} "yes"; \
	else \
		${ECHO} "no"; \
	fi
.else
# pkgsrc OpenSSL: ask pkg_info whether a new enough package is installed.
PLIST_VARS.gost!= \
	if ${PKG_INFO} -qe 'openssl>=1.0.0'; then \
		${ECHO} yes; \
	else \
		${ECHO} no; \
	fi
PLIST_VARS.sha2!= \
	if ${PKG_INFO} -qe 'openssl>=0.9.8'; then \
		${ECHO} yes; \
	else \
		${ECHO} no; \
	fi
.endif
# Pass the detected algorithm support on to configure.
.if ${PLIST_VARS.gost} == "yes"
CONFIGURE_ARGS+= --enable-gost
.else
CONFIGURE_ARGS+= --disable-gost
.endif
.if ${PLIST_VARS.sha2} == "yes"
CONFIGURE_ARGS+= --enable-sha2
.else
CONFIGURE_ARGS+= --disable-sha2
.endif
SUBST_CLASSES+= paths
SUBST_STAGE.paths= post-configure
SUBST_MESSAGE.paths= Fixing path names
SUBST_FILES.paths= doc/example.conf doc/*.5 doc/*.8
SUBST_SED.paths= -e "s|/usr/local|${PREFIX}|"
INSTALL_MAKE_FLAGS+= \
	configfile=${PREFIX}/share/examples/unbound/unbound.conf
PKG_SYSCONFSUBDIR= unbound
CONF_FILES+= share/examples/unbound/unbound.conf \
	${PKG_SYSCONFDIR}/unbound.conf
RCD_SCRIPTS= unbound
2015-10-21 23:30:14 +02:00
SMF_METHODS= unbound
SMF_NAME= unbound
UNBOUND_USER?= unbound
UNBOUND_GROUP?= unbound
PKG_GROUPS= ${UNBOUND_GROUP}
PKG_USERS= ${UNBOUND_USER}:${UNBOUND_GROUP}
.include "options.mk"
.include "../../textproc/expat/buildlink3.mk"
.include "../../mk/bsd.pkg.mk"