Update unbound to version 1.9.3
Upstream changes:
This release has a number of bug fixes. Added is the ipset module, that
helps add ip-addresses that are looked up in a domain to a firewall
ip-address filter. Also, the python module has restart next, per-query
data and multiple instance support. The unbound -V option has been
added and it prints the build config.
Features:
- PR #28: IPSet module, by Kevin Chou. Created a module to support
the ipset that could add the domain's ip to a list easily.
Needs libmnl, and --enable-ipset and config it, doc/README.ipset.md.
- Merge PR #6: Python module: support multiple instances
- Merge PR #5: Python module: define constant MODULE_RESTART_NEXT
- Merge PR #4: Python module: assign something useful to the
per-query data store 'qdata'
- Introduce `-V` option to print the version number and build options.
Previously reported build options like linked libs and linked modules
are now moved from `-h` to `-V` as well for consistency.
- PACKAGE_BUGREPORT now also includes link to GitHub issues.
Bug Fixes:
- Fix #39: In libunbound, leftover logfile is close()d unpredictably.
- Fix for #24: Fix abort due to scan of auth zone masters using old
address from previous scan.
- Fix to omit RRSIGs from addition to the ipset.
- Fix to make unbound-control with ipset, remove unused variable,
use unsigned type because of comparison, and assign null instead
of compare with it. Remade lex and yacc output.
- make depend
- Added documentation to the ipset files (for doxygen output).
- Fix python dict reference and double free in config.
- Fix memleak in unit test, reported from the clang 8.0 static analyzer.
- For #45, check that 127.0.0.1 and ::1 are not used in unbound.conf
when do-not-query-localhost is turned on, or at default on,
unbound-checkconf prints a warning if it is found in forward-addr or
stub-addr statements.
- Fix for possible assertion failure when answering respip CNAME from
cache.
- Fix in respip addrtree selection. Absence of addr_tree_init_parents()
call made it impossible to go up the tree when the matching netmask is
too specific.
- Fix #48: Unbound returns additional records on NODATA response,
if minimal-responses is enabled, also the additional for negative
responses is removed.
- Fix #49: Set no renegotiation on the SSL context to stop client
session renegotiation.
- Fix question section mismatch in local zone redirect.
- Add verbose log message when auth zone file is written, at level 4.
- Add hex print of trust anchor pointer to trust anchor file temp
name to make it unique, for libunbound created multiple contexts.
- For #52 #53, second context does not close logfile override.
- Fix #52 #53, fix for example fail program.
- Fix to return after failed auth zone http chunk write.
- Fix to remove unused test for task_probe existance.
- Fix to timeval_add for remaining second in microseconds.
- Check repinfo in worker_handle_request, if null, drop it.
- Generate configlexer with newer flex.
- Fix warning for unused variable for compilation without systemd.
- Fix #59, when compiled with systemd support check that we can properly
communicate with systemd through the `NOTIFY_SOCKET`.
- iana portlist updated.
- Fix autotrust temp file uniqueness windows compile.
- avoid warning about upcast on 32bit systems for autotrust.
- escape commandline contents for -V.
- Fix character buffer size in ub_ctx_hosts.
- Option -V prints if TCP fastopen is available.
- Fix unittest valgrind false positive uninitialised value report,
where if gcc 9.1.1 uses -O2 (but not -O1) then valgrind 3.15.0
issues an uninitialised value for the token buffer at the str2wire.c
rrinternal_get_owner() strcmp with the '@' value. Rewritten to use
straight character comparisons removes the false positive. Also
valgrinds --expensive-definedness-checks=yes can stop this false
positive.
- Please doxygen's parser for "@" occurrence in doxygen comment.
- Fixup contrib/fastrpz.patch
- Remove warning about unknown cast-function-type warning pragma.
- Document limitation of pidfile removal outside of chroot directory.
- Fix log_dns_msg to log irrespective of minimal responses config.
- Fix that pkg-config is setup before --enable-systemd needs it.
2019-08-27 11:25:25 +02:00
|
|
|
# $NetBSD: Makefile,v 1.69 2019/08/27 09:25:25 he Exp $
|
2008-05-27 00:36:56 +02:00
|
|
|
|
Update unbound to version 1.9.3
Upstream changes:
This release has a number of bug fixes. Added is the ipset module, that
helps add ip-addresses that are looked up in a domain to a firewall
ip-address filter. Also, the python module has restart next, per-query
data and multiple instance support. The unbound -V option has been
added and it prints the build config.
Features:
- PR #28: IPSet module, by Kevin Chou. Created a module to support
the ipset that could add the domain's ip to a list easily.
Needs libmnl, and --enable-ipset and config it, doc/README.ipset.md.
- Merge PR #6: Python module: support multiple instances
- Merge PR #5: Python module: define constant MODULE_RESTART_NEXT
- Merge PR #4: Python module: assign something useful to the
per-query data store 'qdata'
- Introduce `-V` option to print the version number and build options.
Previously reported build options like linked libs and linked modules
are now moved from `-h` to `-V` as well for consistency.
- PACKAGE_BUGREPORT now also includes link to GitHub issues.
Bug Fixes:
- Fix #39: In libunbound, leftover logfile is close()d unpredictably.
- Fix for #24: Fix abort due to scan of auth zone masters using old
address from previous scan.
- Fix to omit RRSIGs from addition to the ipset.
- Fix to make unbound-control with ipset, remove unused variable,
use unsigned type because of comparison, and assign null instead
of compare with it. Remade lex and yacc output.
- make depend
- Added documentation to the ipset files (for doxygen output).
- Fix python dict reference and double free in config.
- Fix memleak in unit test, reported from the clang 8.0 static analyzer.
- For #45, check that 127.0.0.1 and ::1 are not used in unbound.conf
when do-not-query-localhost is turned on, or at default on,
unbound-checkconf prints a warning if it is found in forward-addr or
stub-addr statements.
- Fix for possible assertion failure when answering respip CNAME from
cache.
- Fix in respip addrtree selection. Absence of addr_tree_init_parents()
call made it impossible to go up the tree when the matching netmask is
too specific.
- Fix #48: Unbound returns additional records on NODATA response,
if minimal-responses is enabled, also the additional for negative
responses is removed.
- Fix #49: Set no renegotiation on the SSL context to stop client
session renegotiation.
- Fix question section mismatch in local zone redirect.
- Add verbose log message when auth zone file is written, at level 4.
- Add hex print of trust anchor pointer to trust anchor file temp
name to make it unique, for libunbound created multiple contexts.
- For #52 #53, second context does not close logfile override.
- Fix #52 #53, fix for example fail program.
- Fix to return after failed auth zone http chunk write.
- Fix to remove unused test for task_probe existance.
- Fix to timeval_add for remaining second in microseconds.
- Check repinfo in worker_handle_request, if null, drop it.
- Generate configlexer with newer flex.
- Fix warning for unused variable for compilation without systemd.
- Fix #59, when compiled with systemd support check that we can properly
communicate with systemd through the `NOTIFY_SOCKET`.
- iana portlist updated.
- Fix autotrust temp file uniqueness windows compile.
- avoid warning about upcast on 32bit systems for autotrust.
- escape commandline contents for -V.
- Fix character buffer size in ub_ctx_hosts.
- Option -V prints if TCP fastopen is available.
- Fix unittest valgrind false positive uninitialised value report,
where if gcc 9.1.1 uses -O2 (but not -O1) then valgrind 3.15.0
issues an uninitialised value for the token buffer at the str2wire.c
rrinternal_get_owner() strcmp with the '@' value. Rewritten to use
straight character comparisons removes the false positive. Also
valgrinds --expensive-definedness-checks=yes can stop this false
positive.
- Please doxygen's parser for "@" occurrence in doxygen comment.
- Fixup contrib/fastrpz.patch
- Remove warning about unknown cast-function-type warning pragma.
- Document limitation of pidfile removal outside of chroot directory.
- Fix log_dns_msg to log irrespective of minimal responses config.
- Fix that pkg-config is setup before --enable-systemd needs it.
2019-08-27 11:25:25 +02:00
|
|
|
DISTNAME= unbound-1.9.3
|
2008-05-27 00:36:56 +02:00
|
|
|
CATEGORIES= net
|
Upgrade unbound to version 1.7.2.
Upstream changes:
Features
- Fix low-rtt-pct to low-rtt-permil, as it is parts in one thousand.
- Qname minimisation default changed to yes.
- Use accept4 to speed up incoming TCP (and TLS) connections,
available on Linux, FreeBSD and OpenBSD.
- tls-win-cert option that adds the system certificate store for
authenticating DNS-over-TLS connections. It can be used instead
of the tls-cert-bundle option, or with it to add certificates.
- Patch from Syzdek: Add ability to ignore RD bit and treat all
requests as if the RD bit is set.
- Rename additional-tls-port to tls-additional-ports.
The older name is accepted for backwards compatibility.
Bug fixes:
- Fix for crash in daemon_cleanup with dnstap during reload,
from Saksham Manchanda.
- Also that for dnscrypt.
- Fix spelling error in man page and note defaults as no instead of
off.
- Fix that unbound-control reload frees the rrset keys and returns
the memory pages to the system.
- Fix fail to reject dead peers in forward-zone, with ssl-upstream.
- Fix that configure --with-libhiredis also turns on cachedb.
- Fix gcc 8 buffer warning in testcode.
- Fix function type cast warning in libunbound context callback type.
- Fix windows to not have sticky TLS events for TCP.
- Fix read of DNS over TLS length and data in one read call.
- Fix mesh state assertion failure due to callback removal.
- Fix contrib/libunbound.pc for libssl libcrypto references,
from https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=226914
- Fix that libunbound can do DNS-over-TLS, when configured.
- Fix that windows unbound service can use DNS-over-TLS.
- unbound-host initializes ssl (for potential DNS-over-TLS usage
inside libunbound), when ssl upstream or a cert-bundle is configured.
- For TCP and TLS connections that don't establish, perform address
update in infra cache, so future selections can exclude them.
- Fix that tcp sticky events are removed for closed fd on windows.
- Fix close events for tcp only.
- Fix windows tcp and tls spin on events.
- Add routine from getdns to add windows cert store to the SSL_CTX.
- in compat/arc4random call getentropy_urandom when getentropy fails
with ENOSYS.
- Fix that fallback for windows port.
- Fix deadlock caused by incoming notify for auth-zone.
2018-06-11 12:06:58 +02:00
|
|
|
MASTER_SITES= http://www.nlnetlabs.nl/downloads/unbound/
|
2008-05-27 00:36:56 +02:00
|
|
|
|
2013-11-24 10:39:44 +01:00
|
|
|
MAINTAINER= pettai@NetBSD.org
|
2008-05-27 00:36:56 +02:00
|
|
|
HOMEPAGE= http://www.unbound.net/
|
|
|
|
|
COMMENT= DNS resolver and recursive server
|
2011-04-20 12:44:46 +02:00
|
|
|
LICENSE= modified-bsd
|
2008-05-27 00:36:56 +02:00
|
|
|
|
2015-03-09 12:59:26 +01:00
|
|
|
BUILD_DEFS+= VARBASE UNBOUND_USER UNBOUND_GROUP
|
|
|
|
|
FILES_SUBST+= UNBOUND_USER=${UNBOUND_USER} UNBOUND_GROUP=${UNBOUND_GROUP}
|
2011-04-20 12:44:46 +02:00
|
|
|
|
2017-07-09 10:09:41 +02:00
|
|
|
USE_LIBTOOL= yes
|
|
|
|
|
CONFIGURE_ARGS+= --enable-allsymbols
|
unbound 1.48:
Features:
* harden-below-nxdomain config option, default off (because very old software
may be incompatible). We could enable it by default in the future.
From draft-vixie-dnsext-resimprove-00.
* typetransparent localzone: does not block other RR types.
* so-sndbuf option for very busy servers, a bit like so-rcvbuf.
Bug Fixes:
* Fix so a changed NS RRset does not get moved name stuck on old server,
for type NS the TTL is not increased.
* Fix prefetch so it does not get stuck on old server for moved names.
* Fix insecure CNAME sequence marked as secure, reported by Bert Hubert.
* faster lruhash get_mem routine.
* [bugzilla: 346 ] remove ITAR scripts from contrib,
the service is discontinued, use the root.
* Fix in infra cache that could cause rto larger than TOP_TIMEOUT kept.
* algorithm compromise protection using the algorithms signalled in the DS
record. Also, trust anchors, DLV, and RFC5011 receive this, and thus,
if you have multiple algorithms in your trust-anchor-file then it will now
behave different than before. Also, 5011 rollover for algorithms needs to be
double-signature until the old algorithm is revoked.
* squelch 'tcp connect: bla' in logfile, (set verbosity 2 to see them)
* fix validation in this case: CNAME to nodata for co-hosted opt-in
NSEC3 insecure delegation, was bogus, fixed to be insecure.
* Fix our 'BDS' license (typo reported by Xavier Belanger).
* [bugzilla: 338 ] print address when socket creation fails.
* Fix storage of EDNS failures in the infra cache.
* silence 'tcp connect: broken pipe' and 'net down' at low verbosity.
* unbound-anchor compiles with openssl 0.9.7.
* Be lenient and accept imgw.pl malformed packet (like BIND).
* the included ldns tarball is updated (to 1.6.8)
* iana portlist updated.
unbound 1.47:
Features:
* unbound-anchor app, unbound requires libexpat (xml parser library).
It creates or updates a root.key file. Use it before you start the validator
(e.g. at system boot time).
* dump_infra and flush_infra commands for unbound-control.
Bug Fixes:
* GOST code enabled by default (RFC 5933).
* Configure detects libev-4.00.
* do not synthesize a CNAME message from cache for qtype DS.
* Use central entropy to seed threads.
* Change the rtt used to probe EDNS-timeout hosts to 1000 msec.
* Fix validation failure for parent and child on same server with an insecure
childzone and a CNAME from parent to child.
* Change of timeout code. No more lost and backoff in blockage. At 12sec timeout
(and at least 2x lost before) one probe per IP is allowed only. At 120sec,
the IP is blocked. After 15min, a 120sec entry has a single retry packet.
* no timeout backoff if meanwhile a query succeeded.
* Configure errors if ldns is not found.
* Windows 7 fix for the installer.
* Fix bug where fallback_tcp causes wrong roundtrip and edns observation to be
noted in cache. Fix bug where EDNSprobe halted exponential backoff if EDNS
status unknown.
* interface automatic works for some people with ip6 disabled. Therefore the
error check is removed, so they can use the option.
* Fix TCP so it uses a random outgoing-interface.
* Fix bug when DLV below a trust-anchor that uses NSEC3 optout where the zone
has a secure delegation hosted on the same server did not verify as secure
(it was insecure by mistake).
* Fix alloc_reg_release for longer uptime in out of memory conditions.
* [bugzilla: 329 ] in example.conf show correct ipv4 link-local 169.254/16.
* compliance with draft-ietf-dnsop-default-local-zones-14,
removed reverse ipv6 orchid prefix from builtin list.
* Algorithm rollover operational reality intrudes, for trust-anchor and
5011-store, if one key matches it's good enough.
* Fix reported validation error in out of memory condition.
* Abide RFC5155 section 9.2: no AD flag for replies with NSEC3 optout.
* increased mesh-max-activation from 1000 to 3000 for crazy domains like
_tcp.slb.com with 262 servers.
* [bugzilla: 327 ] Fix for cannot access stub zones until the root is primed.
* openbsd-lint fixes
* [bugzilla: 321 ] Fix resolution of rs.ripe.net artifacts with 0x20.
Delegpt structures checked for duplicates always.
No more nameserver lookups generated when depth is full anyway.
* [bugzilla: 322 ] Fix, configure does not respect CFLAGS on Solaris.
Pass CFLAGS="-xO4 -xtarget=generic" on the configure command line if use
sun-cc, but some systems need different flags.
* Fix acx_nlnetlabs.m4 configure output for autoconf-2.66 AS_TR_CPP changes,
uses m4_bpatsubst now.
* make test (or make check) should be more portable and run the unit test and
testbound scripts. (make longtest has special requirements).
* More pleasant remote control command parsing.
* Fix name of rrset printed that failed validation.
* Return NXDOMAIN after chain of CNAMEs ends at name-not-found.
* Fix validation in case a trust anchor enters into a zone with
unsupported algorithms.
* iana portlist updated.
* updated ldns tarball.
2011-03-21 16:04:32 +01:00
|
|
|
CONFIGURE_ARGS+= --with-libexpat=${BUILDLINK_PREFIX.expat}
|
2017-07-09 10:09:41 +02:00
|
|
|
CONFIGURE_ARGS+= --with-libevent=${BUILDLINK_PREFIX.libevent}
|
2019-06-12 11:21:42 +02:00
|
|
|
CONFIGURE_ARGS+= --enable-event-api
|
2017-07-09 10:09:41 +02:00
|
|
|
CONFIGURE_ARGS+= --with-ssl=${BUILDLINK_PREFIX.openssl}
|
2015-03-09 12:59:26 +01:00
|
|
|
CONFIGURE_ARGS+= --with-pidfile=${VARBASE}/run/unbound/unbound.pid
|
2010-11-29 13:41:51 +01:00
|
|
|
CONFIGURE_ARGS+= --sysconfdir=${PKG_SYSCONFBASE}
|
2017-07-09 10:09:41 +02:00
|
|
|
GNU_CONFIGURE= yes
|
|
|
|
|
TEST_TARGET= test
|
1.4.12:
Bug Fixes:
* removed ldns-src tarball inside the unbound tarball.
* [bugzilla: 395 ]
fix that id bits of other query may leak out under conditions
* fix replyaddr count wrong after jostled queries, which leads to eventual starvation where the daemon has no replyaddrs left to use.
* fix that the listening socket is not closed when too many remote control connections are made at the same time.
* version number in example config file.
* fix that --enable-static-exe does not complain about it unknown.
* iana portlist updated
1.4.11:
Features:
* log-queries: yesno option, default is no, prints querylog.
* ignore-cd-flag: yesno to provide dnssec to legacy servers.
* Use -flto compiler flag for link time optimization, if supported.
* unbound-control has version number in the header, and uses port number registered with IANA, 8953.
Bug Fixes:
* Fix Makefile for U in environment, since wrong U is more common than deansification necessity.
* defense in depth against the assertion failure bug fixed in 1.4.10, an error is printed to log instead of an assertion failure.
* [bugzilla: 386 ]
--enable-allsymbols option links all binaries to libunbound and reduces install size significantly.
* Fix TTL of SOA so negative TTL is separately cached from normal TTL.
* configure created with newer autoconf 2.66.
* [bugzilla: 378 ]
Fix that configure checks for ldns_get_random presence.
* queries with CD flag set cause DNSSEC validation, but the answer is not withheld if it is bogus. Thus, unbound will retry if it is bad and curb the TTL if it is bad, thus protecting the cache for use by downstream validators.
* val-override-date: -1 ignores dates entirely, for NTP usage.
* harden-below-nxdomain: changed so that it activates when the cached nxdomain is dnssec secure. This avoids backwards incompatibility because those old servers do not have dnssec.
* statistics-interval prints the number of jostled queries to log.
* IPv6 service address for d.root-servers.net (2001:500:2D::D).
* updated ldns tarball to 1.6.10rc2 snapshot
* iana portlist updated.
2011-07-27 06:11:25 +02:00
|
|
|
|
2019-01-17 15:19:51 +01:00
|
|
|
.include "options.mk"
|
|
|
|
|
|
2016-02-25 18:24:13 +01:00
|
|
|
# unbound uses some OpenBSD libc functions such as reallocarray(3).
|
|
|
|
|
# The existing tests just look for the symbol in libc regardless
|
|
|
|
|
# of anything in stdlib.h
|
|
|
|
|
CPPFLAGS.NetBSD+= -D_OPENBSD_SOURCE
|
2016-02-25 17:55:14 +01:00
|
|
|
|
1.4.12:
Bug Fixes:
* removed ldns-src tarball inside the unbound tarball.
* [bugzilla: 395 ]
fix that id bits of other query may leak out under conditions
* fix replyaddr count wrong after jostled queries, which leads to eventual starvation where the daemon has no replyaddrs left to use.
* fix that the listening socket is not closed when too many remote control connections are made at the same time.
* version number in example config file.
* fix that --enable-static-exe does not complain about it unknown.
* iana portlist updated
1.4.11:
Features:
* log-queries: yesno option, default is no, prints querylog.
* ignore-cd-flag: yesno to provide dnssec to legacy servers.
* Use -flto compiler flag for link time optimization, if supported.
* unbound-control has version number in the header, and uses port number registered with IANA, 8953.
Bug Fixes:
* Fix Makefile for U in environment, since wrong U is more common than deansification necessity.
* defense in depth against the assertion failure bug fixed in 1.4.10, an error is printed to log instead of an assertion failure.
* [bugzilla: 386 ]
--enable-allsymbols option links all binaries to libunbound and reduces install size significantly.
* Fix TTL of SOA so negative TTL is separately cached from normal TTL.
* configure created with newer autoconf 2.66.
* [bugzilla: 378 ]
Fix that configure checks for ldns_get_random presence.
* queries with CD flag set cause DNSSEC validation, but the answer is not withheld if it is bogus. Thus, unbound will retry if it is bad and curb the TTL if it is bad, thus protecting the cache for use by downstream validators.
* val-override-date: -1 ignores dates entirely, for NTP usage.
* harden-below-nxdomain: changed so that it activates when the cached nxdomain is dnssec secure. This avoids backwards incompatibility because those old servers do not have dnssec.
* statistics-interval prints the number of jostled queries to log.
* IPv6 service address for d.root-servers.net (2001:500:2D::D).
* updated ldns tarball to 1.6.10rc2 snapshot
* iana portlist updated.
2011-07-27 06:11:25 +02:00
|
|
|
# Add the same logic as for ldns, so sha2/gost is configured automatically
|
2011-08-20 10:12:41 +02:00
|
|
|
CHECK_BUILTIN.openssl= yes
|
|
|
|
|
.include "../../security/openssl/builtin.mk"
|
|
|
|
|
CHECK_BUILTIN.openssl= no
|
1.4.12:
Bug Fixes:
* removed ldns-src tarball inside the unbound tarball.
* [bugzilla: 395 ]
fix that id bits of other query may leak out under conditions
* fix replyaddr count wrong after jostled queries, which leads to eventual starvation where the daemon has no replyaddrs left to use.
* fix that the listening socket is not closed when too many remote control connections are made at the same time.
* version number in example config file.
* fix that --enable-static-exe does not complain about it unknown.
* iana portlist updated
1.4.11:
Features:
* log-queries: yesno option, default is no, prints querylog.
* ignore-cd-flag: yesno to provide dnssec to legacy servers.
* Use -flto compiler flag for link time optimization, if supported.
* unbound-control has version number in the header, and uses port number registered with IANA, 8953.
Bug Fixes:
* Fix Makefile for U in environment, since wrong U is more common than deansification necessity.
* defense in depth against the assertion failure bug fixed in 1.4.10, an error is printed to log instead of an assertion failure.
* [bugzilla: 386 ]
--enable-allsymbols option links all binaries to libunbound and reduces install size significantly.
* Fix TTL of SOA so negative TTL is separately cached from normal TTL.
* configure created with newer autoconf 2.66.
* [bugzilla: 378 ]
Fix that configure checks for ldns_get_random presence.
* queries with CD flag set cause DNSSEC validation, but the answer is not withheld if it is bogus. Thus, unbound will retry if it is bad and curb the TTL if it is bad, thus protecting the cache for use by downstream validators.
* val-override-date: -1 ignores dates entirely, for NTP usage.
* harden-below-nxdomain: changed so that it activates when the cached nxdomain is dnssec secure. This avoids backwards incompatibility because those old servers do not have dnssec.
* statistics-interval prints the number of jostled queries to log.
* IPv6 service address for d.root-servers.net (2001:500:2D::D).
* updated ldns tarball to 1.6.10rc2 snapshot
* iana portlist updated.
2011-07-27 06:11:25 +02:00
|
|
|
.include "../../security/openssl/buildlink3.mk"
|
|
|
|
|
|
2017-07-09 10:09:41 +02:00
|
|
|
PLIST_VARS+= sha2 gost
|
1.4.12:
Bug Fixes:
* removed ldns-src tarball inside the unbound tarball.
* [bugzilla: 395 ]
fix that id bits of other query may leak out under conditions
* fix replyaddr count wrong after jostled queries, which leads to eventual starvation where the daemon has no replyaddrs left to use.
* fix that the listening socket is not closed when too many remote control connections are made at the same time.
* version number in example config file.
* fix that --enable-static-exe does not complain about it unknown.
* iana portlist updated
1.4.11:
Features:
* log-queries: yesno option, default is no, prints querylog.
* ignore-cd-flag: yesno to provide dnssec to legacy servers.
* Use -flto compiler flag for link time optimization, if supported.
* unbound-control has version number in the header, and uses port number registered with IANA, 8953.
Bug Fixes:
* Fix Makefile for U in environment, since wrong U is more common than deansification necessity.
* defense in depth against the assertion failure bug fixed in 1.4.10, an error is printed to log instead of an assertion failure.
* [bugzilla: 386 ]
--enable-allsymbols option links all binaries to libunbound and reduces install size significantly.
* Fix TTL of SOA so negative TTL is separately cached from normal TTL.
* configure created with newer autoconf 2.66.
* [bugzilla: 378 ]
Fix that configure checks for ldns_get_random presence.
* queries with CD flag set cause DNSSEC validation, but the answer is not withheld if it is bogus. Thus, unbound will retry if it is bad and curb the TTL if it is bad, thus protecting the cache for use by downstream validators.
* val-override-date: -1 ignores dates entirely, for NTP usage.
* harden-below-nxdomain: changed so that it activates when the cached nxdomain is dnssec secure. This avoids backwards incompatibility because those old servers do not have dnssec.
* statistics-interval prints the number of jostled queries to log.
* IPv6 service address for d.root-servers.net (2001:500:2D::D).
* updated ldns tarball to 1.6.10rc2 snapshot
* iana portlist updated.
2011-07-27 06:11:25 +02:00
|
|
|
.if defined(USE_BUILTIN.openssl) && !empty(USE_BUILTIN.openssl:M[yY][eE][sS])
|
|
|
|
|
PLIST_VARS.gost!= \
|
2017-07-09 10:09:41 +02:00
|
|
|
if ${PKG_ADMIN} pmatch 'openssl>=1.0.0' ${BUILTIN_PKG.openssl}; then \
|
1.4.12:
Bug Fixes:
* removed ldns-src tarball inside the unbound tarball.
* [bugzilla: 395 ]
fix that id bits of other query may leak out under conditions
* fix replyaddr count wrong after jostled queries, which leads to eventual starvation where the daemon has no replyaddrs left to use.
* fix that the listening socket is not closed when too many remote control connections are made at the same time.
* version number in example config file.
* fix that --enable-static-exe does not complain about it unknown.
* iana portlist updated
1.4.11:
Features:
* log-queries: yesno option, default is no, prints querylog.
* ignore-cd-flag: yesno to provide dnssec to legacy servers.
* Use -flto compiler flag for link time optimization, if supported.
* unbound-control has version number in the header, and uses port number registered with IANA, 8953.
Bug Fixes:
* Fix Makefile for U in environment, since wrong U is more common than deansification necessity.
* defense in depth against the assertion failure bug fixed in 1.4.10, an error is printed to log instead of an assertion failure.
* [bugzilla: 386 ]
--enable-allsymbols option links all binaries to libunbound and reduces install size significantly.
* Fix TTL of SOA so negative TTL is separately cached from normal TTL.
* configure created with newer autoconf 2.66.
* [bugzilla: 378 ]
Fix that configure checks for ldns_get_random presence.
* queries with CD flag set cause DNSSEC validation, but the answer is not withheld if it is bogus. Thus, unbound will retry if it is bad and curb the TTL if it is bad, thus protecting the cache for use by downstream validators.
* val-override-date: -1 ignores dates entirely, for NTP usage.
* harden-below-nxdomain: changed so that it activates when the cached nxdomain is dnssec secure. This avoids backwards incompatibility because those old servers do not have dnssec.
* statistics-interval prints the number of jostled queries to log.
* IPv6 service address for d.root-servers.net (2001:500:2D::D).
* updated ldns tarball to 1.6.10rc2 snapshot
* iana portlist updated.
2011-07-27 06:11:25 +02:00
|
|
|
${ECHO} "yes"; \
|
|
|
|
|
else \
|
|
|
|
|
${ECHO} "no"; \
|
|
|
|
|
fi
|
|
|
|
|
PLIST_VARS.sha2!= \
|
2017-07-09 10:09:41 +02:00
|
|
|
if ${PKG_ADMIN} pmatch 'openssl>=0.9.8' ${BUILTIN_PKG.openssl}; then \
|
1.4.12:
Bug Fixes:
* removed ldns-src tarball inside the unbound tarball.
* [bugzilla: 395 ]
fix that id bits of other query may leak out under conditions
* fix replyaddr count wrong after jostled queries, which leads to eventual starvation where the daemon has no replyaddrs left to use.
* fix that the listening socket is not closed when too many remote control connections are made at the same time.
* version number in example config file.
* fix that --enable-static-exe does not complain about it unknown.
* iana portlist updated
1.4.11:
Features:
* log-queries: yesno option, default is no, prints querylog.
* ignore-cd-flag: yesno to provide dnssec to legacy servers.
* Use -flto compiler flag for link time optimization, if supported.
* unbound-control has version number in the header, and uses port number registered with IANA, 8953.
Bug Fixes:
* Fix Makefile for U in environment, since wrong U is more common than deansification necessity.
* defense in depth against the assertion failure bug fixed in 1.4.10, an error is printed to log instead of an assertion failure.
* [bugzilla: 386 ]
--enable-allsymbols option links all binaries to libunbound and reduces install size significantly.
* Fix TTL of SOA so negative TTL is separately cached from normal TTL.
* configure created with newer autoconf 2.66.
* [bugzilla: 378 ]
Fix that configure checks for ldns_get_random presence.
* queries with CD flag set cause DNSSEC validation, but the answer is not withheld if it is bogus. Thus, unbound will retry if it is bad and curb the TTL if it is bad, thus protecting the cache for use by downstream validators.
* val-override-date: -1 ignores dates entirely, for NTP usage.
* harden-below-nxdomain: changed so that it activates when the cached nxdomain is dnssec secure. This avoids backwards incompatibility because those old servers do not have dnssec.
* statistics-interval prints the number of jostled queries to log.
* IPv6 service address for d.root-servers.net (2001:500:2D::D).
* updated ldns tarball to 1.6.10rc2 snapshot
* iana portlist updated.
2011-07-27 06:11:25 +02:00
|
|
|
${ECHO} "yes"; \
|
|
|
|
|
else \
|
|
|
|
|
${ECHO} "no"; \
|
|
|
|
|
fi
|
|
|
|
|
.else
|
|
|
|
|
PLIST_VARS.gost!= \
|
|
|
|
|
if ${PKG_INFO} -qe 'openssl>=1.0.0'; then \
|
|
|
|
|
${ECHO} yes; \
|
|
|
|
|
else \
|
|
|
|
|
${ECHO} no; \
|
|
|
|
|
fi
|
|
|
|
|
PLIST_VARS.sha2!= \
|
|
|
|
|
if ${PKG_INFO} -qe 'openssl>=0.9.8'; then \
|
|
|
|
|
${ECHO} yes; \
|
|
|
|
|
else \
|
|
|
|
|
${ECHO} no; \
|
|
|
|
|
fi
|
|
|
|
|
.endif
|
|
|
|
|
.if ${PLIST_VARS.gost} == "yes"
|
2017-07-09 10:09:41 +02:00
|
|
|
CONFIGURE_ARGS+= --enable-gost
|
1.4.12:
Bug Fixes:
* removed ldns-src tarball inside the unbound tarball.
* [bugzilla: 395 ]
fix that id bits of other query may leak out under conditions
* fix replyaddr count wrong after jostled queries, which leads to eventual starvation where the daemon has no replyaddrs left to use.
* fix that the listening socket is not closed when too many remote control connections are made at the same time.
* version number in example config file.
* fix that --enable-static-exe does not complain about it unknown.
* iana portlist updated
1.4.11:
Features:
* log-queries: yesno option, default is no, prints querylog.
* ignore-cd-flag: yesno to provide dnssec to legacy servers.
* Use -flto compiler flag for link time optimization, if supported.
* unbound-control has version number in the header, and uses port number registered with IANA, 8953.
Bug Fixes:
* Fix Makefile for U in environment, since wrong U is more common than deansification necessity.
* defense in depth against the assertion failure bug fixed in 1.4.10, an error is printed to log instead of an assertion failure.
* [bugzilla: 386 ]
--enable-allsymbols option links all binaries to libunbound and reduces install size significantly.
* Fix TTL of SOA so negative TTL is separately cached from normal TTL.
* configure created with newer autoconf 2.66.
* [bugzilla: 378 ]
Fix that configure checks for ldns_get_random presence.
* queries with CD flag set cause DNSSEC validation, but the answer is not withheld if it is bogus. Thus, unbound will retry if it is bad and curb the TTL if it is bad, thus protecting the cache for use by downstream validators.
* val-override-date: -1 ignores dates entirely, for NTP usage.
* harden-below-nxdomain: changed so that it activates when the cached nxdomain is dnssec secure. This avoids backwards incompatibility because those old servers do not have dnssec.
* statistics-interval prints the number of jostled queries to log.
* IPv6 service address for d.root-servers.net (2001:500:2D::D).
* updated ldns tarball to 1.6.10rc2 snapshot
* iana portlist updated.
2011-07-27 06:11:25 +02:00
|
|
|
.else
|
2017-07-09 10:09:41 +02:00
|
|
|
CONFIGURE_ARGS+= --disable-gost
|
1.4.12:
Bug Fixes:
* removed ldns-src tarball inside the unbound tarball.
* [bugzilla: 395 ]
fix that id bits of other query may leak out under conditions
* fix replyaddr count wrong after jostled queries, which leads to eventual starvation where the daemon has no replyaddrs left to use.
* fix that the listening socket is not closed when too many remote control connections are made at the same time.
* version number in example config file.
* fix that --enable-static-exe does not complain about it unknown.
* iana portlist updated
1.4.11:
Features:
* log-queries: yesno option, default is no, prints querylog.
* ignore-cd-flag: yesno to provide dnssec to legacy servers.
* Use -flto compiler flag for link time optimization, if supported.
* unbound-control has version number in the header, and uses port number registered with IANA, 8953.
Bug Fixes:
* Fix Makefile for U in environment, since wrong U is more common than deansification necessity.
* defense in depth against the assertion failure bug fixed in 1.4.10, an error is printed to log instead of an assertion failure.
* [bugzilla: 386 ]
--enable-allsymbols option links all binaries to libunbound and reduces install size significantly.
* Fix TTL of SOA so negative TTL is separately cached from normal TTL.
* configure created with newer autoconf 2.66.
* [bugzilla: 378 ]
Fix that configure checks for ldns_get_random presence.
* queries with CD flag set cause DNSSEC validation, but the answer is not withheld if it is bogus. Thus, unbound will retry if it is bad and curb the TTL if it is bad, thus protecting the cache for use by downstream validators.
* val-override-date: -1 ignores dates entirely, for NTP usage.
* harden-below-nxdomain: changed so that it activates when the cached nxdomain is dnssec secure. This avoids backwards incompatibility because those old servers do not have dnssec.
* statistics-interval prints the number of jostled queries to log.
* IPv6 service address for d.root-servers.net (2001:500:2D::D).
* updated ldns tarball to 1.6.10rc2 snapshot
* iana portlist updated.
2011-07-27 06:11:25 +02:00
|
|
|
.endif
|
|
|
|
|
.if ${PLIST_VARS.sha2} == "yes"
|
2017-07-09 10:09:41 +02:00
|
|
|
CONFIGURE_ARGS+= --enable-sha2
|
1.4.12:
Bug Fixes:
* removed ldns-src tarball inside the unbound tarball.
* [bugzilla: 395 ]
fix that id bits of other query may leak out under conditions
* fix replyaddr count wrong after jostled queries, which leads to eventual starvation where the daemon has no replyaddrs left to use.
* fix that the listening socket is not closed when too many remote control connections are made at the same time.
* version number in example config file.
* fix that --enable-static-exe does not complain about it unknown.
* iana portlist updated
1.4.11:
Features:
* log-queries: yesno option, default is no, prints querylog.
* ignore-cd-flag: yesno to provide dnssec to legacy servers.
* Use -flto compiler flag for link time optimization, if supported.
* unbound-control has version number in the header, and uses port number registered with IANA, 8953.
Bug Fixes:
* Fix Makefile for U in environment, since wrong U is more common than deansification necessity.
* defense in depth against the assertion failure bug fixed in 1.4.10, an error is printed to log instead of an assertion failure.
* [bugzilla: 386 ]
--enable-allsymbols option links all binaries to libunbound and reduces install size significantly.
* Fix TTL of SOA so negative TTL is separately cached from normal TTL.
* configure created with newer autoconf 2.66.
* [bugzilla: 378 ]
Fix that configure checks for ldns_get_random presence.
* queries with CD flag set cause DNSSEC validation, but the answer is not withheld if it is bogus. Thus, unbound will retry if it is bad and curb the TTL if it is bad, thus protecting the cache for use by downstream validators.
* val-override-date: -1 ignores dates entirely, for NTP usage.
* harden-below-nxdomain: changed so that it activates when the cached nxdomain is dnssec secure. This avoids backwards incompatibility because those old servers do not have dnssec.
* statistics-interval prints the number of jostled queries to log.
* IPv6 service address for d.root-servers.net (2001:500:2D::D).
* updated ldns tarball to 1.6.10rc2 snapshot
* iana portlist updated.
2011-07-27 06:11:25 +02:00
|
|
|
.else
|
2017-07-09 10:09:41 +02:00
|
|
|
CONFIGURE_ARGS+= --disable-sha2
|
1.4.12:
Bug Fixes:
* removed ldns-src tarball inside the unbound tarball.
* [bugzilla: 395 ]
fix that id bits of other query may leak out under conditions
* fix replyaddr count wrong after jostled queries, which leads to eventual starvation where the daemon has no replyaddrs left to use.
* fix that the listening socket is not closed when too many remote control connections are made at the same time.
* version number in example config file.
* fix that --enable-static-exe does not complain about it unknown.
* iana portlist updated
1.4.11:
Features:
* log-queries: yesno option, default is no, prints querylog.
* ignore-cd-flag: yesno to provide dnssec to legacy servers.
* Use -flto compiler flag for link time optimization, if supported.
* unbound-control has version number in the header, and uses port number registered with IANA, 8953.
Bug Fixes:
* Fix Makefile for U in environment, since wrong U is more common than deansification necessity.
* defense in depth against the assertion failure bug fixed in 1.4.10, an error is printed to log instead of an assertion failure.
* [bugzilla: 386 ]
--enable-allsymbols option links all binaries to libunbound and reduces install size significantly.
* Fix TTL of SOA so negative TTL is separately cached from normal TTL.
* configure created with newer autoconf 2.66.
* [bugzilla: 378 ]
Fix that configure checks for ldns_get_random presence.
* queries with CD flag set cause DNSSEC validation, but the answer is not withheld if it is bogus. Thus, unbound will retry if it is bad and curb the TTL if it is bad, thus protecting the cache for use by downstream validators.
* val-override-date: -1 ignores dates entirely, for NTP usage.
* harden-below-nxdomain: changed so that it activates when the cached nxdomain is dnssec secure. This avoids backwards incompatibility because those old servers do not have dnssec.
* statistics-interval prints the number of jostled queries to log.
* IPv6 service address for d.root-servers.net (2001:500:2D::D).
* updated ldns tarball to 1.6.10rc2 snapshot
* iana portlist updated.
2011-07-27 06:11:25 +02:00
|
|
|
.endif
|
2008-12-17 19:14:01 +01:00
|
|
|
|
2008-05-27 00:36:56 +02:00
|
|
|
SUBST_CLASSES+= paths
|
|
|
|
|
SUBST_STAGE.paths= post-configure
|
|
|
|
|
SUBST_MESSAGE.paths= Fixing path names
|
|
|
|
|
SUBST_FILES.paths= doc/example.conf doc/*.5 doc/*.8
|
|
|
|
|
SUBST_SED.paths= -e "s|/usr/local|${PREFIX}|"
|
|
|
|
|
|
|
|
|
|
INSTALL_MAKE_FLAGS+= \
|
|
|
|
|
configfile=${PREFIX}/share/examples/unbound/unbound.conf
|
|
|
|
|
|
|
|
|
|
PKG_SYSCONFSUBDIR= unbound
|
|
|
|
|
|
|
|
|
|
CONF_FILES+= share/examples/unbound/unbound.conf \
|
|
|
|
|
${PKG_SYSCONFDIR}/unbound.conf
|
|
|
|
|
|
|
|
|
|
RCD_SCRIPTS= unbound
|
2015-10-21 23:30:14 +02:00
|
|
|
SMF_METHODS= unbound
|
|
|
|
|
SMF_NAME= unbound
|
2008-05-27 00:36:56 +02:00
|
|
|
|
|
|
|
|
UNBOUND_USER?= unbound
|
|
|
|
|
UNBOUND_GROUP?= unbound
|
|
|
|
|
|
|
|
|
|
PKG_GROUPS= ${UNBOUND_GROUP}
|
|
|
|
|
PKG_USERS= ${UNBOUND_USER}:${UNBOUND_GROUP}
|
|
|
|
|
|
2017-07-09 10:09:41 +02:00
|
|
|
.include "../../devel/libevent/buildlink3.mk"
|
unbound 1.48:
Features:
* harden-below-nxdomain config option, default off (because very old software
may be incompatible). We could enable it by default in the future.
From draft-vixie-dnsext-resimprove-00.
* typetransparent localzone: does not block other RR types.
* so-sndbuf option for very busy servers, a bit like so-rcvbuf.
Bug Fixes:
* Fix so a changed NS RRset does not get moved name stuck on old server,
for type NS the TTL is not increased.
* Fix prefetch so it does not get stuck on old server for moved names.
* Fix insecure CNAME sequence marked as secure, reported by Bert Hubert.
* faster lruhash get_mem routine.
* [bugzilla: 346 ] remove ITAR scripts from contrib,
the service is discontinued, use the root.
* Fix in infra cache that could cause rto larger than TOP_TIMEOUT kept.
* algorithm compromise protection using the algorithms signalled in the DS
record. Also, trust anchors, DLV, and RFC5011 receive this, and thus,
if you have multiple algorithms in your trust-anchor-file then it will now
behave different than before. Also, 5011 rollover for algorithms needs to be
double-signature until the old algorithm is revoked.
* squelch 'tcp connect: bla' in logfile, (set verbosity 2 to see them)
* fix validation in this case: CNAME to nodata for co-hosted opt-in
NSEC3 insecure delegation, was bogus, fixed to be insecure.
* Fix our 'BDS' license (typo reported by Xavier Belanger).
* [bugzilla: 338 ] print address when socket creation fails.
* Fix storage of EDNS failures in the infra cache.
* silence 'tcp connect: broken pipe' and 'net down' at low verbosity.
* unbound-anchor compiles with openssl 0.9.7.
* Be lenient and accept imgw.pl malformed packet (like BIND).
* the included ldns tarball is updated (to 1.6.8)
* iana portlist updated.
unbound 1.47:
Features:
* unbound-anchor app, unbound requires libexpat (xml parser library).
It creates or updates a root.key file. Use it before you start the validator
(e.g. at system boot time).
* dump_infra and flush_infra commands for unbound-control.
Bug Fixes:
* GOST code enabled by default (RFC 5933).
* Configure detects libev-4.00.
* do not synthesize a CNAME message from cache for qtype DS.
* Use central entropy to seed threads.
* Change the rtt used to probe EDNS-timeout hosts to 1000 msec.
* Fix validation failure for parent and child on same server with an insecure
childzone and a CNAME from parent to child.
* Change of timeout code. No more lost and backoff in blockage. At 12sec timeout
(and at least 2x lost before) one probe per IP is allowed only. At 120sec,
the IP is blocked. After 15min, a 120sec entry has a single retry packet.
* no timeout backoff if meanwhile a query succeeded.
* Configure errors if ldns is not found.
* Windows 7 fix for the installer.
* Fix bug where fallback_tcp causes wrong roundtrip and edns observation to be
noted in cache. Fix bug where EDNSprobe halted exponential backoff if EDNS
status unknown.
* interface automatic works for some people with ip6 disabled. Therefore the
error check is removed, so they can use the option.
* Fix TCP so it uses a random outgoing-interface.
* Fix bug when DLV below a trust-anchor that uses NSEC3 optout where the zone
has a secure delegation hosted on the same server did not verify as secure
(it was insecure by mistake).
* Fix alloc_reg_release for longer uptime in out of memory conditions.
* [bugzilla: 329 ] in example.conf show correct ipv4 link-local 169.254/16.
* compliance with draft-ietf-dnsop-default-local-zones-14,
removed reverse ipv6 orchid prefix from builtin list.
* Algorithm rollover operational reality intrudes, for trust-anchor and
5011-store, if one key matches it's good enough.
* Fix reported validation error in out of memory condition.
* Abide RFC5155 section 9.2: no AD flag for replies with NSEC3 optout.
* increased mesh-max-activation from 1000 to 3000 for crazy domains like
_tcp.slb.com with 262 servers.
* [bugzilla: 327 ] Fix for cannot access stub zones until the root is primed.
* openbsd-lint fixes
* [bugzilla: 321 ] Fix resolution of rs.ripe.net artifacts with 0x20.
Delegpt structures checked for duplicates always.
No more nameserver lookups generated when depth is full anyway.
* [bugzilla: 322 ] Fix, configure does not respect CFLAGS on Solaris.
Pass CFLAGS="-xO4 -xtarget=generic" on the configure command line if use
sun-cc, but some systems need different flags.
* Fix acx_nlnetlabs.m4 configure output for autoconf-2.66 AS_TR_CPP changes,
uses m4_bpatsubst now.
* make test (or make check) should be more portable and run the unit test and
testbound scripts. (make longtest has special requirements).
* More pleasant remote control command parsing.
* Fix name of rrset printed that failed validation.
* Return NXDOMAIN after chain of CNAMEs ends at name-not-found.
* Fix validation in case a trust anchor enters into a zone with
unsupported algorithms.
* iana portlist updated.
* updated ldns tarball.
2011-03-21 16:04:32 +01:00
|
|
|
.include "../../textproc/expat/buildlink3.mk"
|
Upgrade unbound to version 1.6.6.
Pkgsrc changes:
* Unbound now needs flex >= 2.6.4 to build, or at least 2.6.3 is a no-go,
so depend on the pkgsrc version which is already 2.6.4.
Upstream changes:
Features:
* unbound-control dump_infra prints port number for address if not 53.
* Fix #1344: RFC6761-reserved domains: test. and invalid.
* Fix #1349: allow suppression of pidfiles (from Daniel Kahn Gillmor).
With the -p option unbound does not create a pidfile.
* Added stats for queries that have been ratelimited by domain
recursion.
* Patch to show DNSCrypt status in help output, from Carsten
Strotmann.
* Fix #1407: Add ECS options check to unbound-checkconf.
* Fix #1415: [dnscrypt] shared secret cache, patch from
Manu Bretelle.
Bug Fixes:
* fixup of dnscrypt_cert_chacha test (from Manu Bretelle).
* First fix for zero b64 and hex text zone format in sldns.
* Better fixup of dnscrypt_cert_chacha test for different escapes.
* Fix that infra cache host hash does not change after reconfig.
* Fix python example0 return module wait instead of error for pass.
* enhancement for hardened-tls for DNS over TLS. Removed duplicated
security settings.
* Fix for unbound-checkconf, check ipsecmod-hook if ipsecmod is turned
on.
* Fix #1331: libunbound segfault in threaded mode when context is
deleted.
* Fix pythonmod link line option flag.
* Fix openssl 1.1.0 load of ssl error strings from ssl init.
* Fix 1332: Bump verbosity of failed chown'ing of the control socket.
* Redirect all localhost names to localhost address for RFC6761.
* Fix #1350: make cachedb backend configurable (from JINMEI Tatuya).
* Fix tests to use .tdir (from Manu Bretelle) instead of .tpkg.
* upgrade aclocal(pkg.m4 0.29.1), config.guess(2016-10-02),
config.sub(2016-09-05).
* annotate case statement fallthrough for gcc 7.1.1.
* flex output from flex 2.6.1.
* snprintf of thread number does not warn about truncated string.
* squelch TCP fast open error on FreeBSD when kernel has it disabled,
unless verbosity is high.
* remove warning from windows compile.
* Fix compile with libnettle
* Fix DSA configure switch (--disable dsa) for libnettle and libnss.
* Fix #1365: Add Ed25519 support using libnettle.
* Fix #1394: mix of serve-expired and response-ip could cause a crash.
* Remove unused iter_env member (ip6arpa_dname)
* Do not reset rrset.bogus stats when called using stats_noreset.
* Do not add rrset_bogus and query ratelimiting stats per thread, these
module stats are global.
* Fix #1397: Recursive DS lookups for AS112 zones names should recurse.
* Fix #1398: make cachedb secret configurable.
* Remove spaces from Makefile.
* Fix issue on macOX 10.10 where TCP fast open is detected but not
implemented causing TCP to fail. The fix allows fallback to regular
TCP in this case and is also more robust for cases where connectx()
fails for some reason.
* Fix #1402: squelch invalid argument error for fd_set_block on windows.
* Fix to reclaim tcp handler when it is closed due to dnscrypt buffer
allocation failure.
* Fix #1415: patch to free dnscrypt environment on reload.
* iana portlist update
* Small fixes for the shared secret cache patch.
* Fix WKS records on kvm autobuild host, with default protobyname
entries for udp and tcp.
* Fix #1414: fix segfault on parse failure and log_replies.
* zero qinfo in handle_request, this zeroes local_alias and also the
qname member.
* new keys and certs for dnscrypt tests.
* fixup WKS test on buildhost without servicebyname.
* updated contrib/fastrpz.patch to apply with configparser changes.
* Fix 1416: qname-minimisation breaks TLSA lookups with CNAMEs.
* Fix #1424: cachedb:testframe is not thread safe.
* Fix #1417: [dnscrypt] shared secret cache counters, and works when
dnscrypt is not enabled. And cache size configuration option.
* Fix #1418: [ip ratelimit] initialize slabhash using
ip-ratelimit-slabs.
* Recommend 1472 buffer size in unbound.conf
* Fix #1412: QNAME minimisation strict mode not honored
* Fix #1434: Fix windows openssl 1.1.0 linking.
* Add dns64 for client-subnet in unbound-checkconf.
2017-09-18 15:02:39 +02:00
|
|
|
BUILDLINK_API_DEPENDS.flex+= flex>=2.6.4
|
|
|
|
|
.include "../../devel/flex/buildlink3.mk"
|
2008-05-27 00:36:56 +02:00
|
|
|
.include "../../mk/bsd.pkg.mk"
|
