head 1.1; branch 1.1.1; access; symbols netbsd-11-0-RC4:1.1.1.3.12.1 netbsd-11-0-RC3:1.1.1.3.12.1 netbsd-11-0-RC2:1.1.1.3.12.1 netbsd-11-0-RC1:1.1.1.3.12.1 unbound-1-24-2:1.1.1.4 unbound-1-23-1:1.1.1.4 perseant-exfatfs-base-20250801:1.1.1.3 netbsd-11:1.1.1.3.0.12 netbsd-11-base:1.1.1.3 netbsd-10-1-RELEASE:1.1.1.3 perseant-exfatfs-base-20240630:1.1.1.3 perseant-exfatfs:1.1.1.3.0.10 perseant-exfatfs-base:1.1.1.3 netbsd-8-3-RELEASE:1.1.1.1 netbsd-9-4-RELEASE:1.1.1.2.2.1 netbsd-10-0-RELEASE:1.1.1.3 netbsd-10-0-RC6:1.1.1.3 netbsd-10-0-RC5:1.1.1.3 unbound-1-19-1:1.1.1.3 netbsd-10-0-RC4:1.1.1.3 netbsd-10-0-RC3:1.1.1.3 netbsd-10-0-RC2:1.1.1.3 netbsd-10-0-RC1:1.1.1.3 netbsd-10:1.1.1.3.0.8 netbsd-10-base:1.1.1.3 unbound-1-16-3:1.1.1.3 netbsd-9-3-RELEASE:1.1.1.2.2.1 cjep_sun2x-base1:1.1.1.3 cjep_sun2x:1.1.1.3.0.6 cjep_sun2x-base:1.1.1.3 cjep_staticlib_x-base1:1.1.1.3 netbsd-9-2-RELEASE:1.1.1.2.2.1 cjep_staticlib_x:1.1.1.3.0.4 cjep_staticlib_x-base:1.1.1.3 unbound-1-13-1:1.1.1.3 netbsd-9-1-RELEASE:1.1.1.2.2.1 phil-wifi-20200421:1.1.1.3 phil-wifi-20200411:1.1.1.3 is-mlppp:1.1.1.3.0.2 is-mlppp-base:1.1.1.3 phil-wifi-20200406:1.1.1.3 netbsd-8-2-RELEASE:1.1.1.1 netbsd-9-0-RELEASE:1.1.1.2.2.1 netbsd-9-0-RC2:1.1.1.2.2.1 unbound-1-9-6:1.1.1.3 netbsd-9-0-RC1:1.1.1.2 phil-wifi-20191119:1.1.1.2 netbsd-9:1.1.1.2.0.2 netbsd-9-base:1.1.1.2 phil-wifi-20190609:1.1.1.2 netbsd-8-1-RELEASE:1.1.1.1 unbound-1-9-1:1.1.1.2 netbsd-8-1-RC1:1.1.1.1 pgoyette-compat-merge-20190127:1.1.1.1 pgoyette-compat-20190127:1.1.1.1 pgoyette-compat-20190118:1.1.1.1 pgoyette-compat-1226:1.1.1.1 pgoyette-compat-1126:1.1.1.1 pgoyette-compat-1020:1.1.1.1 pgoyette-compat-0930:1.1.1.1 pgoyette-compat-0906:1.1.1.1 unbound-1-7-3:1.1.1.1 pgoyette-compat-0728:1.1.1.1 netbsd-8-0-RELEASE:1.1.1.1 phil-wifi:1.1.1.1.0.16 phil-wifi-base:1.1.1.1 pgoyette-compat-0625:1.1.1.1 netbsd-8-0-RC2:1.1.1.1 pgoyette-compat-0521:1.1.1.1 pgoyette-compat-0502:1.1.1.1 pgoyette-compat-0422:1.1.1.1 netbsd-8-0-RC1:1.1.1.1 pgoyette-compat-0415:1.1.1.1 pgoyette-compat-0407:1.1.1.1 pgoyette-compat-0330:1.1.1.1 pgoyette-compat-0322:1.1.1.1 pgoyette-compat-0315:1.1.1.1 pgoyette-compat:1.1.1.1.0.14 pgoyette-compat-base:1.1.1.1 unbound-1-6-8:1.1.1.1 matt-nb8-mediatek:1.1.1.1.0.12 matt-nb8-mediatek-base:1.1.1.1 perseant-stdc-iso10646:1.1.1.1.0.10 perseant-stdc-iso10646-base:1.1.1.1 netbsd-8:1.1.1.1.0.8 netbsd-8-base:1.1.1.1 prg-localcount2-base3:1.1.1.1 prg-localcount2-base2:1.1.1.1 prg-localcount2-base1:1.1.1.1 prg-localcount2:1.1.1.1.0.6 prg-localcount2-base:1.1.1.1 pgoyette-localcount-20170426:1.1.1.1 bouyer-socketcan-base1:1.1.1.1 pgoyette-localcount-20170320:1.1.1.1 bouyer-socketcan:1.1.1.1.0.4 bouyer-socketcan-base:1.1.1.1 pgoyette-localcount-20170107:1.1.1.1 pgoyette-localcount-20161104:1.1.1.1 pgoyette-localcount:1.1.1.1.0.2 localcount-20160914:1.1.1.1 unbound-1-5-9:1.1.1.1 NLNETLABS:1.1.1; locks; strict; comment @# @; 1.1 date 2016.08.20.11.09.29; author christos; state Exp; branches 1.1.1.1; next ; commitid TgCvoOC8yQxac2jz; 1.1.1.1 date 2016.08.20.11.09.29; author christos; state Exp; branches 1.1.1.1.2.1 1.1.1.1.16.1; next 1.1.1.2; commitid TgCvoOC8yQxac2jz; 1.1.1.2 date 2019.05.25.21.18.03; author christos; state Exp; branches 1.1.1.2.2.1; next 1.1.1.3; commitid N8Uz34hJGvap9DoB; 1.1.1.3 date 2019.12.15.15.28.43; author christos; state Exp; branches 1.1.1.3.12.1; next 1.1.1.4; commitid NCYfiiT7bQUbFOOB; 1.1.1.4 date 2025.09.06.14.24.23; author christos; state Exp; branches; next ; commitid zLlksX9d7yHc3F9G; 1.1.1.1.2.1 date 2016.08.20.11.09.29; author pgoyette; state dead; branches; next 1.1.1.1.2.2; commitid 0FvUzdNwg07UHcmz; 1.1.1.1.2.2 date 2016.09.14.03.04.07; author pgoyette; state Exp; branches; next ; commitid 0FvUzdNwg07UHcmz; 1.1.1.1.16.1 date 2019.06.10.21.51.40; author christos; state Exp; branches; next 1.1.1.1.16.2; commitid jtc8rnCzWiEEHGqB; 1.1.1.1.16.2 date 2020.04.08.14.04.15; author martin; state Exp; branches; next ; commitid Qli2aW9E74UFuA3C; 1.1.1.2.2.1 date 2020.01.05.09.51.46; author martin; state Exp; branches; next ; commitid 2CiUer1HYuOh8uRB; 1.1.1.3.12.1 date 2026.01.23.16.15.17; author martin; state Exp; branches; next ; commitid 0mBclk78g8USdxrG; desc @@ 1.1 log @Initial revision @ text @#!/bin/sh # # unbound This shell script takes care of starting and stopping # unbound (DNS server). # # chkconfig: - 14 86 # description: unbound is a Domain Name Server (DNS) \ # that is used to resolve host names to IP addresses. ### BEGIN INIT INFO # Provides: $named unbound # Required-Start: $network $local_fs # Required-Stop: $network $local_fs # Should-Start: $syslog # Should-Stop: $syslog # Short-Description: unbound recursive Domain Name Server. # Description: unbound is a Domain Name Server (DNS) # that is used to resolve host names to IP addresses. ### END INIT INFO # Source function library. . /etc/rc.d/init.d/functions exec="/usr/sbin/unbound" prog="unbound" config="/var/unbound/unbound.conf" pidfile="/var/unbound/unbound.pid" rootdir="/var/unbound" [ -e /etc/sysconfig/$prog ] && . /etc/sysconfig/$prog lockfile=/var/lock/subsys/$prog start() { [ -x $exec ] || exit 5 [ -f $config ] || exit 6 echo -n $"Starting $prog: " # setup root jail if [ -s /etc/localtime ]; then [ -d ${rootdir}/etc ] || mkdir -p ${rootdir}/etc ; if [ ! -e ${rootdir}/etc/localtime ] || /usr/bin/cmp -s /etc/localtime ${rootdir}/etc/localtime; then cp -fp /etc/localtime ${rootdir}/etc/localtime fi; fi; if [ -s /etc/resolv.conf ]; then [ -d ${rootdir}/etc ] || mkdir -p ${rootdir}/etc ; if [ ! -e ${rootdir}/etc/resolv.conf ] || /usr/bin/cmp -s /etc/resolv.conf ${rootdir}/etc/resolv.conf; then cp -fp /etc/resolv.conf ${rootdir}/etc/resolv.conf fi; fi; if ! egrep -q '^/[^[:space:]]+[[:space:]]+'${rootdir}'/dev/log' /proc/mounts; then [ -d ${rootdir}/dev ] || mkdir -p ${rootdir}/dev ; [ -e ${rootdir}/dev/log ] || touch ${rootdir}/dev/log mount --bind -n /dev/log ${rootdir}/dev/log >/dev/null 2>&1; fi; if ! egrep -q '^/[^[:space:]]+[[:space:]]+'${rootdir}'/dev/random' /proc/mounts; then [ -d ${rootdir}/dev ] || mkdir -p ${rootdir}/dev ; [ -e ${rootdir}/dev/random ] || touch ${rootdir}/dev/random mount --bind -n /dev/random ${rootdir}/dev/random >/dev/null 2>&1; fi; # if not running, start it up here daemon $exec retval=$? echo [ $retval -eq 0 ] && touch $lockfile return $retval } stop() { echo -n $"Stopping $prog: " # stop it here, often "killproc $prog" killproc -p $pidfile $prog retval=$? echo [ $retval -eq 0 ] && rm -f $lockfile if egrep -q '^/[^[:space:]]+[[:space:]]+'${rootdir}'/dev/log' /proc/mounts; then umount ${rootdir}/dev/log >/dev/null 2>&1 fi; if egrep -q '^/[^[:space:]]+[[:space:]]+'${rootdir}'/dev/random' /proc/mounts; then umount ${rootdir}/dev/random >/dev/null 2>&1 fi; return $retval } restart() { stop start } reload() { kill -HUP `cat $pidfile` } force_reload() { restart } rh_status() { # run checks to determine if the service is running or use generic status status -p $pidfile $prog } rh_status_q() { rh_status -p $pidfile >/dev/null 2>&1 } case "$1" in start) rh_status_q && exit 0 $1 ;; stop) rh_status_q || exit 0 $1 ;; restart) $1 ;; reload) rh_status_q || exit 7 $1 ;; force-reload) force_reload ;; status) rh_status ;; condrestart|try-restart) rh_status_q || exit 0 restart ;; *) echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload}" exit 2 esac exit $? @ 1.1.1.1 log @Import unbound 1.5.9 @ text @@ 1.1.1.1.16.1 log @Sync with HEAD @ text @d42 1 a42 1 if [ ! -e ${rootdir}/etc/localtime ] || ! /usr/bin/cmp -s /etc/localtime ${rootdir}/etc/localtime; then d48 1 a48 1 if [ ! -e ${rootdir}/etc/resolv.conf ] || ! /usr/bin/cmp -s /etc/resolv.conf ${rootdir}/etc/resolv.conf; then @ 1.1.1.1.16.2 log @Merge changes from current as of 20200406 @ text @d57 1 a57 1 if ! egrep -q '^/[^[:space:]]+[[:space:]]+'${rootdir}'/dev/urandom' /proc/mounts; then d59 2 a60 2 [ -e ${rootdir}/dev/urandom ] || touch ${rootdir}/dev/urandom mount --bind -n /dev/urandom ${rootdir}/dev/urandom >/dev/null 2>&1; d81 2 a82 2 if egrep -q '^/[^[:space:]]+[[:space:]]+'${rootdir}'/dev/urandom' /proc/mounts; then umount ${rootdir}/dev/urandom >/dev/null 2>&1 @ 1.1.1.2 log @Import 1.9.1: 1 March 2019: Wouter - output forwarder log in ssl_req_order test. 28 February 2019: Wouter - Remove memory leak on pythonmod python2 script file init. - Remove swig gcc8 python function cast warnings, they are ignored. - Print correct module that failed when module-config is wrong. 27 February 2019: Wouter - Fix #4229: Unbound man pages lack information, about access-control order and local zone tags, and elements in views. - Fix #14: contrib/unbound.init: Fix wrong comparison judgment before copying. - Fix for python module on Windows, fix fopen. 25 February 2019: Wouter - Fix #4227: pair event del and add for libevent for tcp_req_info. 21 February 2019: Wouter - Fix the error for unknown module in module-config is understandable, and explains it was not compiled in and where to see the list. - In example.conf explain where to put cachedb module in module-config. - In man page and example config explain that most modules have to be listed at the start of module-config. 20 February 2019: Wouter - Fix pythonmod include and sockaddr_un ifdefs for compile on Windows, and for libunbound. 18 February 2019: Wouter - Print query name with ip_ratelimit exceeded log lines. - Spaces instead of tabs in that log message. - Print query name and IP address when domain rate limit exceeded. 14 February 2019: Wouter - Fix capsforid canonical sort qsort callback. 11 February 2019: Wouter - Note default for module-config in man page. - Fix recursion lame test for qname minimisation asked queries, that were not present in the set of prepared answers. - Fix #13: Remove left-over requirements on OpenSSL >= 1.1.0 for cert name matching, from man page. - make depend, with newer gcc, nicer layout. 7 February 2019: Wouter - Fix #4206: OpenSSL 1.0.2 hostname verification for FreeBSD 11.2. - Fix that qname minimisation does not skip a label when missing nameserver targets need to be fetched. - Fix #4225: clients seem to erroneously receive no answer with DNS-over-TLS and qname-minimisation. 4 February 2019: Wouter - Fix that log-replies prints the correct name for local-alias names, for names that have a CNAME in local-data configuration. It logs the original query name, not the target of the CNAME. - Add local-zone type inform_redirect, which logs like type inform, and redirects like type redirect. - Perform canonical sort for 0x20 capsforid compare of replies, this sorts rrsets in the authority and additional section before comparison, so that out of order rrsets do not cause failure. 31 January 2019: Wouter - Set ub_ctx_set_tls call signature in ltrace config file for libunbound in contrib/libunbound.so.conf. - improve documentation for tls-service-key and forward-first. - #10: fixed pkg-config operations, PKG_PROG_PKG_CONFIG moved out of conditional section, fixes systemd builds, from Enrico Scholz. - #9: For openssl 1.0.2 use the CRYPTO_THREADID locking callbacks, still supports the set_id_callback previous API. And for 1.1.0 no locking callbacks are needed. - #8: Fix OpenSSL without ENGINE support compilation. - Wipe TLS session key data from memory on exit. 30 January 2019: Ralph - Fix case in which query timeout can result in marking delegation as edns_lame_known. 29 January 2019: Wouter - Fix spelling of tls-ciphers in example.conf.in. - Fix #4224: auth_xfr_notify.rpl test broken due to typo - Fix locking for libunbound context setup with broken port config. 28 January 2019: Wouter - ub_ctx_set_tls call for libunbound that enables DoT for the machines set with ub_ctx_set_fwd. Patch from Florian Obser. - Set build system for added call in the libunbound API. - List example config for root zone copy locally hosted with auth-zone as suggested from draft-ietf-dnsop-7706-bis-02. But with updated B root address. - set version to 1.9.0 for release. And this was released with the spelling for tls-ciphers fix as 1.9.0 on Feb 5. Trunk has 1.9.1 in development. 25 January 2019: Wouter - Fix that tcp for auth zone and outgoing does not remove and then gets the ssl read again applied to the deleted commpoint. - updated contrib/fastrpz.patch to cleanly diff. - no lock when threads disabled in tcp request buffer count. - remove compile warnings from libnettle compile. - output of newer lex 2.6.1 and bison 3.0.5. 24 January 2019: Wouter - Newer aclocal and libtoolize used for generating configure scripts, aclocal 1.16.1 and libtoolize 2.4.6. - Fix unit test for python 3.7 new keyword 'async'. - clang analysis fixes, assert arc4random buffer in init, no check for already checked delegation pointer in iterator, in testcode check for NULL packet matches, in perf do not copy from NULL start list when growing capacity. Adjust host and file only when present in test header read to please checker. In testcode for unknown macro operand give zero result. Initialise the passed argv array in test code. In test code add EDNS data segment copy only when nonempty. - Patch from Florian Obser fixes some compiler warnings: include mini_event.h to have a prototype for mini_ev_cmp include edns.h to have a prototype for apply_edns_options sldns_wire2str_edns_keepalive_print is only called in the wire2str, module declare it static to get rid of compiler warning: no previous prototype for function infra_find_ip_ratedata() is only called in the infra module, declare it static to get rid of compiler warning: no previous prototype for function do not shadow local variable buf in authzone auth_chunks_delete and az_nsec3_findnode are only called in the authzone module, declare them static to get rid of compiler warning: no previous prototype for function... copy_rrset() is only called in the respip module, declare it static to get rid of compiler warning: no previous prototype for function 'copy_rrset' no need for another variable "r"; gets rid of compiler warning: declaration shadows a local variable in libunbound.c no need for another variable "ns"; gets rid of compiler warning: declaration shadows a local variable in iterator.c - Moved includes and make depend. 23 January 2019: Wouter - Patch from Manabu Sonoda with tls-ciphers and tls-ciphersuites options for unbound.conf. - Fixes for the patch, and man page entry. - Fix configure to detect SSL_CTX_set_ciphersuites, for better library compatibility when compiling. - Patch for TLS session resumption from Manabu Sonoda, enable with tls-session-ticket-keys in unbound.conf. - Fixes for patch (includes, declarations, warnings). Free at end and keep config options in order read from file to keep the first one as the first one. - Fix for IXFR fallback to reset counter when IXFR does not timeout. 22 January 2019: Wouter - Fix space calculation for tcp req buffer size. - Doc for stream-wait-size and unit test. - unbound-control stats has mem.streamwait that counts TCP and TLS waiting result buffers. - Fix for #4219: secondaries not updated after serial change, unbound falls back to AXFR after IXFR gives several timeout failures. - Fix that auth zone after IXFR fallback tries the same master. 21 January 2019: Wouter - Fix tcp idle timeout test, for difference in the tcp reply code. - Unit test for tcp request reorder and timeouts. - Unit tests for ssl out of order processing. - Fix that multiple dns fragments can be carried in one TLS frame. - Add stream-wait-size: 4m config option to limit the maximum memory used by waiting tcp and tls stream replies. This avoids a denial of service where these replies use up all of the memory. 17 January 2019: Wouter - For caps-for-id fallback, use the whitelist to avoid timeout starting a fallback sequence for it. - increase mesh max activation count for capsforid long fetches. 16 January 2019: Ralph - Get ready for the DNS flag day: remove EDNS lame procedure, do not re-query without EDNS after timeout. 15 January 2019: Wouter - In the out of order processing, reset byte count for (potential) partial read. - Review fixes in out of order processing. 14 January 2019: Wouter - streamtcp option -a send queries consecutively and prints answers as they arrive. - Fix for out of order processing administration quit cleanup. - unit test for tcp out of order processing. 11 January 2019: Wouter - Initial commit for out-of-order processing for TCP and TLS. 9 January 2019: Wouter - Log query name for looping module errors. 8 January 2019: Wouter - Fix syntax in comment of local alias processing. - Fix NSEC3 record that is returned in wildcard replies from auth-zone zones with NSEC3 and wildcards. 7 January 2019: Wouter - On FreeBSD warn if systcl settings do not allow server TCP FASTOPEN, and server tcp fastopen is enabled at compile time. - Document interaction between the tls-upstream option in the server section and forward-tls-upstream option in the forward-zone sections. - Add contrib/unbound-fuzzme.patch from Jacob Hoffman-Andrews, the patch adds a program used for fuzzing. 12 December 2018: Wouter - Fix for crash in dns64 module if response is null. 10 December 2018: Wouter - Fix config parser memory leaks. - ip-ratelimit-factor of 1 allows all traffic through, instead of the previous blocking everything. - Fix for FreeBSD port make with dnscrypt and dnstap enabled. - Fix #4206: support openssl 1.0.2 for TLS hostname verification, alongside the 1.1.0 and later support that is already there. - Fixup openssl 1.0.2 compile 6 December 2018: Wouter - Fix dns64 allocation in wrong region for returned internal queries. 3 December 2018: Wouter - Fix icon, no ragged edges and nicer resolutions available, for eg. Win 7 and Windows 10 display. - cache-max-ttl also defines upperbound of initial TTL in response. 30 November 2018: Wouter - Patch for typo in unbound.conf man page. - log-tag-queryreply: yes in unbound.conf tags the log-queries and log-replies in the log file for easier log filter maintenance. 29 November 2018: Wouter - iana portlist updated. - Fix chroot auth-zone fix to remove chroot prefix. - tag for 1.8.2rc1, which became 1.8.2 on 4 dec 2018, with icon updated. Trunk contains 1.8.3 in development. Which became 1.8.3 on 11 december with only the dns64 fix of 6 dec. Trunk then became 1.8.4 in development. - Fix that unbound-checkconf does not complains if the config file is not placed inside the chroot. - Refuse to start with no ports. - Remove clang analysis warnings. 28 November 2018: Wouter - Fix leak in chroot fix for auth-zone. - Fix clang analysis for outside directory build test. 27 November 2018: Wouter - Fix DNS64 to not store intermediate results in cache, this avoids other threads from picking up the wrong data. The module restores the previous no_cache_store setting when the the module is finished. - Fix #4208: 'stub-no-cache' and 'forward-no-cache' not work. - New and better fix for Fix #4193: Fix that prefetch failure does not overwrite valid cache entry with SERVFAIL. - auth-zone give SERVFAIL when expired, fallback activates when expired, and this is documented in the man page. - stat count SERVFAIL downstream auth-zone queries for expired zones. - Put new logos into windows installer. - Fix windows compile for new rrset roundrobin fix. - Update contrib fastrpz patch for latest release. 26 November 2018: Wouter - Fix to not set GLOB_NOSORT so the unbound.conf include: files are sorted and in a predictable order. - Fix #4193: Fix that prefetch failure does not overwrite valid cache entry with SERVFAIL. - Add unbound-control view_local_datas command, like local_datas. - Fix that unbound-control can send file for view_local_datas. 22 November 2018: Wouter - With ./configure --with-pyunbound --with-pythonmodule PYTHON_VERSION=3.6 or with 2.7 unbound can compile and unit tests succeed for the python module. - pythonmod logs the python error and traceback on failure. - ignore debug python module for test in doxygen output. - review fixes for python module. - Fix #4209: Crash in libunbound when called from getdns. - auth zone zonefiles can be in a chroot, the chroot directory components are removed before use. - Fix that empty zonefile means the zonefile is not set and not used. - make depend. 21 November 2018: Wouter - Scrub NS records from NODATA responses as well. 20 November 2018: Wouter - Scrub NS records from NXDOMAIN responses to stop fragmentation poisoning of the cache. - Add patch from Jan Vcelak for pythonmod, add sockaddr_storage getters, add support for query callbacks, allow raw address access via comm_reply and update API documentation. - Removed compile warnings in pythonmod sockaddr routines. 19 November 2018: Wouter - Support SO_REUSEPORT_LB in FreeBSD 12 with the so-reuseport: yes option in unbound.conf. 6 November 2018: Ralph - Bugfix min-client-subnet-ipv6 25 October 2018: Ralph - Add min-client-subnet-ipv6 and min-client-subnet-ipv4 options. 25 October 2018: Wouter - Fix #4191: NXDOMAIN vs SERVFAIL during dns64 PTR query. - Fix #4190: Please create a "ANY" deny option, adds the option deny-any: yes in unbound.conf. This responds with an empty message to queries of type ANY. - Fix #4141: More randomness to rrset-roundrobin. - Fix #4132: Openness/closeness of RANGE intervals in rpl files. - Fix #4126: RTT_band too low on VSAT links with 600+ms latency, adds the option unknown-server-time-limit to unbound.conf that can be increased to avoid the problem. - remade makefile dependencies. - Fix #4152: Logs shows wrong time when using log-time-ascii: yes. 24 October 2018: Ralph - Add markdel function to ECS slabhash. - Limit ECS scope returned to client to the scope used for caching. - Make lint like previous #4154 fix. 22 October 2018: Wouter - Fix #4192: unbound-control-setup generates keys not readable by group. - check that the dnstap socket file can be opened and exists, print error if not. - Fix #4154: make ECS_MAX_TREESIZE configurable, with the max-ecs-tree-size-ipv4 and max-ecs-tree-size-ipv6 options. 22 October 2018: Ralph - Change fast-server-num default to 3. 8 October 2018: Ralph - Add fast-server-permil and fast-server-num options. - Deprecate low-rtt and low-rtt-permil options. 8 October 2018: Wouter - Squelch log of failed to tcp initiate after TCP Fastopen failure. 5 October 2018: Wouter - Squelch EADDRNOTAVAIL errors when the interface goes away, this omits 'can't assign requested address' errors unless verbosity is set to a high value. - Set default for so-reuseport to no for FreeBSD. It is enabled by default for Linux and DragonFlyBSD. The setting can be configured in unbound.conf to override the default. - iana port update. 2 October 2018: Wouter - updated contrib/fastrpz.patch to apply for this version - dnscrypt.c removed sizeof to get array bounds. - Fix testlock code to set noreturn on error routine. - Remove unused variable from contrib fastrpz/rpz.c and remove unused diagnostic pragmas that themselves generate warnings - clang analyze test is used only when assertions are enabled. 1 October 2018: Wouter - tag for release 1.8.1rc1. Became release 1.8.1 on 8 oct, with fastrpz.patch fix included. Trunk has 1.8.2 in development. 27 September 2018: Wouter - Fix #4188: IPv6 forwarders without ipv6 result in SERVFAIL, fixes qname minimisation with a forwarder when connectivity has issues from rejecting responses. 25 September 2018: Wouter - Perform TLS SNI indication of the host that is being contacted for DNS over TLS service. It sets the configured tls auth name. This is useful for hosts that apart from the DNS over TLS services also provide other (web) services. - Fix #4149: Add SSL cleanup for tcp timeout. 17 September 2018: Wouter - Fix compile on Mac for unbound, provide explicit_bzero when libc does not have it. - Fix unbound for openssl in FIPS mode, it uses the digests with the EVP call contexts. - Fix that with harden-below-nxdomain and qname minisation enabled some iterator states for nonresponsive domains can get into a state where they waited for an empty list. - Stop UDP to TCP failover after timeouts that causes the ping count to be reset by the TCP time measurement (that exists for TLS), because that causes the UDP part to not be measured as timeout. - Fix #4156: Fix systemd service manager state change notification. 13 September 2018: Wouter - Fix seed for random backup code to use explicit zero when wiped. - exit log routine is annotated as noreturn function. - free memory leaks in config strlist and str2list insert functions. - do not move unused argv variable after getopt. - Remove unused if clause in testcode. - in testcode, free async ids, initialise array, and check for null pointer during test of the test. And use exit for return to note irregular program stop. - Free memory leak in config strlist append. - make sure nsec3 comparison salt is initialized. - unit test has clang analysis. - remove unused variable assignment from iterator scrub routine. - check for null in delegation point during iterator refetch in forward zone. - neater pointer cast in libunbound context quit routine. - initialize statistics totals for printout. - in authzone check that node exists before adding rrset. - in unbound-anchor, use readwrite memory BIO. - assertion in autotrust that packed rrset is formed correctly. - Fix memory leak when message parse fails partway through copy. - remove unused udpsize assignment in message encode. - nicer bio free code in unbound-anchor. - annotate exit functions with noreturn in unbound-control. 11 September 2018: Wouter - Fixed unused return value warnings in contrib/fastrpz.patch for asprintf. - Fix to squelch respip warning in unit test, it is printed at higher verbosity settings. - Fix spelling errors. - Fix initialisation in remote.c 10 September 2018: Wouter - 1.8.1 in svn trunk. (changes from 4,5,.. sep apply). - iana port update. 5 September 2018: Wouter - Fix spelling error in header, from getdns commit by Andreas Gelmini. 4 September 2018: Ralph - More explicitly mention the type of ratelimit when applying ip-ratelimit. 4 September 2018: Wouter - Tag for 1.8.0rc1 release, became 1.8.0 release on 10 Sep 2018. 31 August 2018: Wouter - Disable minimal-responses in subnet unit tests. 30 August 2018: Wouter - Fix that a local-zone with a local-zone-type that is transparent in a view with view-first, makes queries check for answers from the local-zones defined outside of views. 28 August 2018: Ralph - Disable minimal-responses in ipsecmod unit tests. - Added serve-expired-ttl and serve-expired-ttl-reset options. 27 August 2018: Wouter - Set defaults to yes for a number of options to increase speed and resilience of the server. The so-reuseport, harden-below-nxdomain, and minimal-responses options are enabled by default. They used to be disabled by default, waiting to make sure they worked. They are enabled by default now, and can be disabled explicitly by setting them to "no" in the unbound.conf config file. The reuseport and minimal options increases speed of the server, and should be otherwise harmless. The harden-below-nxdomain option works well together with the recently default enabled qname minimisation, this causes more fetches to use information from the cache. - next release is called 1.8.0. - Fix lintflags for lint on FreeBSD. 22 August 2018: George - #4140: Expose repinfo (comm_reply) to the inplace_callbacks. This gives access to reply information for the client's communication point when the callback is called before the mesh state (modules). Changes to C and Python's inplace_callback signatures were also necessary. 21 August 2018: Wouter - log-local-actions: yes option for unbound.conf that logs all the local zone actions, a patch from Saksham Manchanda (Secure64). - #4146: num.query.subnet and num.query.subnet_cache counters. - Fix only misc failure from log-servfail when val-log-level is not enabled. 17 August 2018: Ralph - Fix classification for QTYPE=CNAME queries when QNAME minimisation is enabled. 17 August 2018: Wouter - Set libunbound to increase current, because the libunbound change to the event callback function signature. That needs programs, that use it, to recompile against the new header definition. - print servfail info to log as error. - added more servfail printout statements, to the iterator. - log-servfail: yes prints log lines that say why queries are returning SERVFAIL to clients. 16 August 2018: Wouter - Fix warning on compile without threads. - Fix contrib/fastrpz.patch. 15 August 2018: Wouter - Fix segfault in auth-zone read and reorder of RRSIGs. 14 August 2018: Wouter - Fix that printout of error for cycle targets is a verbosity 4 printout and does not wrongly print it is a memory error. - Upgraded crosscompile script to include libunbound DLL in the zipfile. 10 August 2018: Wouter - Fix #4144: dns64 module caches wrong (negative) information. 9 August 2018: Wouter - unbound-checkconf checks if modules exist and prints if they are not compiled in the name of the wrong module. - document --enable-subnet in doc/README. - Patch for stub-no-cache and forward-no-cache options that disable caching for the contents of that stub or forward, for when you want immediate changes visible, from Bjoern A. Zeeb. 7 August 2018: Ralph - Make capsforid fallback QNAME minimisation aware. 7 August 2018: Wouter - Fix #4142: unbound.service.in: improvements and fixes. Add unit dependency ordering (based on systemd-resolved). Add 'CAP_SYS_RESOURCE' to 'CapabilityBoundingSet' (fixes warnings about missing privileges during startup). Add 'AF_INET6' to 'RestrictAddressFamilies' (without it IPV6 can't work). From Guido Shanahan. - Patch to implement tcp-connection-limit from Jim Hague (Sinodun). This limits the number of simultaneous TCP client connections from a nominated netblock. - make depend, yacc, lex, doc, headers. And log the limit exceeded message only on high verbosity, so as to not spam the logs when it is busy. 6 August 2018: Wouter - Fix for #4136: Fix to unconditionally call destroy in daemon.c. 3 August 2018: George - Expose if a query (or a subquery) was ratelimited (not src IP ratelimiting) to libunbound under 'ub_result.was_ratelimited'. This also introduces a change to 'ub_event_callback_type' in libunbound/unbound-event.h. - Tidy pylib tests. 3 August 2018: Wouter - Revert previous change for #4136: because it introduces build problems. - New fix for #4136: This one ignores lex without without yylex_destroy. 1 August 2018: Wouter - Fix to remove systemd sockaddr function check, that is not always present. Make socket activation more lenient. But not different when socket activation is not used. - iana port list update. 31 July 2018: Wouter - Patches from Jim Hague (Sinodun) for EDNS KeepAlive. - Sort out test runs when the build directory isn't the project root directory. - Add config tcp-idle-timeout (default 30s). This applies to client connections only; the timeout on TCP connections upstream is unaffected. - Error if EDNS Keepalive received over UDP. - Add edns-tcp-keepalive and edns-tcp-keepalive timeout options and implement option in client responses. - Correct and expand manual page entries for keepalive and idle timeout. - Implement progressive backoff of TCP idle/keepalive timeout. - Fix 'make depend' to work when build dir is not project root. - Add delay parameter to streamtcp, -d secs. To be used when testing idle timeout. - From Wouter: make depend, the dependencies in the patches did not apply cleanly. Also remade yacc and lex. - Fix mesh.c incompatible pointer pass. - Please doxygen so it passes. - Fix #4139: Fix unbound-host leaks memory on ANY. 30 July 2018: Wouter - Fix #4136: insufficiency from mismatch of FLEX capability between released tarball and build host. 27 July 2018: Wouter - Fix man page, say that chroot is enabled by default. 26 July 2018: Wouter - Fix #4135: 64-bit Windows Installer Creates Entries Under The Wrong Registry Key, reported by Brian White. 23 July 2018: Wouter - Fix use-systemd readiness signalling, only when use-systemd is yes and not in signal handler. 20 July 2018: Wouter - Fix #4130: print text describing -dd and unbound-checkconf on config file read error at startup, the errors may have been moved away by the startup process. - Fix #4131: for solaris, error YY_CURRENT_BUFFER undeclared. 19 July 2018: Wouter - Fix #4129 unbound-control error message with wrong cert permissions is too cryptic. 17 July 2018: Wouter - Fix #4127 unbound -h does not list -p help. - Print error if SSL name verification configured but not available in the ssl library. - Fix that ratelimit and ip-ratelimit are applied after reload of changed config file. - Resize ratelimit and ip-ratelimit caches if changed on reload. 16 July 2018: Wouter - Fix qname minimisation NXDOMAIN validation lookup failures causing error_supers assertion fails. - Squelch can't bind socket errors with Permission denied unless verbosity is 4 or higher, for UDP outgoing sockets. 12 July 2018: Wouter - Fix to improve systemd socket activation code file descriptor assignment. - Fix for 4126 that the #define for UNKNOWN_SERVER_NICENESS can be more easily changed to adjust default rtt assumptions. 10 July 2018: Wouter - Note in documentation that the cert name match code needs OpenSSL 1.1.0 or later to be enabled. 6 July 2018: Wouter - Fix documentation ambiguity for tls-win-cert in tls-upstream and forward-tls-upstream docs. - iana port update. - Note RFC8162 support. SMIMEA record type can be read in by the zone record parser. - Fix round robin for failed addresses with prefer-ip6: yes 4 July 2018: Wouter - Fix #4112: Fix that unbound-anchor -f /etc/resolv.conf will not pass if DNSSEC is not enabled. New option -R allows fallback from resolv.conf to direct queries. 3 July 2018: Wouter - Better documentation for unblock-lan-zones and insecure-lan-zones config statements. - Fix permission denied printed for auth zone probe random port nrs. 2 July 2018: Wouter - Fix checking for libhiredis printout in configure output. - Fix typo on man page in ip-address description. - Update libunbound/python/examples/dnssec_test.py example code to also set the 20326 trust anchor for the root in the example code. 29 June 2018: Wouter - dns64-ignore-aaaa: config option to list domain names for which the existing AAAA is ignored and dns64 processing is used on the A record. 28 June 2018: Wouter - num.queries.tls counter for queries over TLS. - log port number with err_addr logs. 27 June 2018: Wouter - #4109: Fix that package config depends on python unconditionally. - Patch, do not export python from pkg-config, from Petr Menšík. 26 June 2018: Wouter - Partial fix for permission denied on IPv6 address on FreeBSD. - Fix that auth-zone master reply with current SOA serial does not stop scan of masters for an updated zone. - Fix that auth-zone does not start the wait timer without checking if the wait timer has already been started. 21 June 2018: Wouter - #4108: systemd reload hang fix. - Fix usage printout for unbound-host, hostname has to be last argument on BSDs and Windows. @ text @d42 1 a42 1 if [ ! -e ${rootdir}/etc/localtime ] || ! /usr/bin/cmp -s /etc/localtime ${rootdir}/etc/localtime; then d48 1 a48 1 if [ ! -e ${rootdir}/etc/resolv.conf ] || ! /usr/bin/cmp -s /etc/resolv.conf ${rootdir}/etc/resolv.conf; then @ 1.1.1.2.2.1 log @Pull up the following, requested by christos in ticket #604: external/bsd/unbound/dist/ipset/ipset.c up to 1.1.1.1 external/bsd/unbound/dist/ipset/ipset.h up to 1.1.1.1 external/bsd/unbound/dist/compat/getentropy_freebsd.c up to 1.1.1.1 external/bsd/unbound/dist/contrib/drop-tld.diff up to 1.1.1.1 external/bsd/unbound/dist/contrib/unbound-fuzzers.tar.bz2 up to 1.1.1.1 external/bsd/unbound/dist/doc/README.ipset.md up to 1.1.1.1 external/bsd/unbound/dist/pythonmod/examples/avahi-resolver.py up to 1.1.1.1 external/bsd/unbound/dist/testdata/auth_nsec3_ent.rpl up to 1.1.1.1 external/bsd/unbound/dist/testdata/fwd_minimal.rpl up to 1.1.1.1 external/bsd/unbound/dist/.travis.yml up to 1.1.1.1 external/bsd/unbound/dist/README.md up to 1.1.1.1 external/bsd/unbound/dist/.gitattributes delete external/bsd/unbound/dist/.gitignore delete external/bsd/unbound/dist/Makefile.in up to 1.1.1.5 external/bsd/unbound/dist/aclocal.m4 up to 1.1.1.4 external/bsd/unbound/dist/config.guess up to 1.4 external/bsd/unbound/dist/config.h.in up to 1.1.1.5 external/bsd/unbound/dist/config.sub up to 1.4 external/bsd/unbound/dist/configure up to 1.1.1.5 external/bsd/unbound/dist/configure.ac up to 1.1.1.5 external/bsd/unbound/dist/install-sh up to 1.1.1.3 external/bsd/unbound/dist/cachedb/cachedb.c up to 1.1.1.5 external/bsd/unbound/dist/compat/getentropy_linux.c up to 1.1.1.3 external/bsd/unbound/dist/compat/getentropy_osx.c up to 1.1.1.2 external/bsd/unbound/dist/compat/getentropy_solaris.c up to 1.1.1.2 external/bsd/unbound/dist/compat/getentropy_win.c up to 1.1.1.2 external/bsd/unbound/dist/compat/malloc.c up to 1.1.1.2 external/bsd/unbound/dist/compat/sha512.c up to 1.1.1.3 external/bsd/unbound/dist/compat/snprintf.c up to 1.1.1.2 external/bsd/unbound/dist/contrib/README up to 1.1.1.5 external/bsd/unbound/dist/contrib/create_unbound_ad_servers.sh up to 1.1.1.2 external/bsd/unbound/dist/contrib/fastrpz.patch up to 1.1.1.4 external/bsd/unbound/dist/contrib/unbound.init up to 1.1.1.3 external/bsd/unbound/dist/contrib/unbound.init_fedora up to 1.1.1.2 external/bsd/unbound/dist/contrib/unbound.service.in up to 1.1.1.3 external/bsd/unbound/dist/daemon/daemon.c up to 1.1.1.5 external/bsd/unbound/dist/daemon/remote.c up to 1.1.1.5 external/bsd/unbound/dist/daemon/stats.c up to 1.1.1.5 external/bsd/unbound/dist/daemon/unbound.c up to 1.1.1.5 external/bsd/unbound/dist/daemon/worker.c up to 1.1.1.5 external/bsd/unbound/dist/dns64/dns64.c up to 1.1.1.4 external/bsd/unbound/dist/dnscrypt/dnscrypt.c up to 1.1.1.4 external/bsd/unbound/dist/doc/Changelog up to 1.1.1.5 external/bsd/unbound/dist/doc/README up to 1.1.1.5 external/bsd/unbound/dist/doc/TODO up to 1.1.1.2 external/bsd/unbound/dist/doc/example.conf.in up to 1.1.1.5 external/bsd/unbound/dist/doc/libunbound.3.in up to 1.1.1.5 external/bsd/unbound/dist/doc/unbound-anchor.8.in up to 1.1.1.5 external/bsd/unbound/dist/doc/unbound-checkconf.8.in up to 1.1.1.5 external/bsd/unbound/dist/doc/unbound-control.8.in up to 1.1.1.5 external/bsd/unbound/dist/doc/unbound-host.1.in up to 1.1.1.5 external/bsd/unbound/dist/doc/unbound.8.in up to 1.1.1.5 external/bsd/unbound/dist/doc/unbound.conf.5.in up to 1.1.1.5 external/bsd/unbound/dist/doc/unbound.doxygen up to 1.1.1.4 external/bsd/unbound/dist/edns-subnet/subnetmod.c up to 1.1.1.4 external/bsd/unbound/dist/ipsecmod/ipsecmod.c up to 1.1.1.3 external/bsd/unbound/dist/iterator/iter_scrub.c up to 1.1.1.5 external/bsd/unbound/dist/iterator/iter_utils.c up to 1.1.1.5 external/bsd/unbound/dist/iterator/iter_utils.h up to 1.1.1.5 external/bsd/unbound/dist/iterator/iterator.c up to 1.1.1.5 external/bsd/unbound/dist/libunbound/context.c up to 1.1.1.5 external/bsd/unbound/dist/libunbound/context.h up to 1.1.1.4 external/bsd/unbound/dist/libunbound/libunbound.c up to 1.1.1.5 external/bsd/unbound/dist/libunbound/libworker.c up to 1.1.1.5 external/bsd/unbound/dist/libunbound/python/libunbound.i up to 1.1.1.3 external/bsd/unbound/dist/pythonmod/interface.i up to 1.1.1.5 external/bsd/unbound/dist/pythonmod/pythonmod.c up to 1.1.1.4 external/bsd/unbound/dist/pythonmod/doc/examples/example0-1.py up to 1.1.1.3 external/bsd/unbound/dist/pythonmod/doc/examples/example0.rst up to 1.1.1.3 external/bsd/unbound/dist/pythonmod/examples/calc.py up to 1.1.1.2 external/bsd/unbound/dist/pythonmod/examples/edns.py up to 1.1.1.2 external/bsd/unbound/dist/pythonmod/examples/inplace_callbacks.py up to 1.1.1.3 external/bsd/unbound/dist/respip/respip.c up to 1.1.1.3 external/bsd/unbound/dist/services/authzone.c up to 1.1.1.4 external/bsd/unbound/dist/services/authzone.h up to 1.1.1.4 external/bsd/unbound/dist/services/listen_dnsport.c up to 1.1.1.5 external/bsd/unbound/dist/services/localzone.c up to 1.1.1.5 external/bsd/unbound/dist/services/mesh.c up to 1.1.1.5 external/bsd/unbound/dist/services/modstack.c up to 1.1.1.4 external/bsd/unbound/dist/services/outside_network.c up to 1.1.1.5 external/bsd/unbound/dist/services/outside_network.h up to 1.1.1.5 external/bsd/unbound/dist/services/cache/dns.c up to 1.1.1.5 external/bsd/unbound/dist/sldns/parse.c up to 1.1.1.3 external/bsd/unbound/dist/sldns/rrdef.c up to 1.1.1.4 external/bsd/unbound/dist/sldns/sbuffer.c up to 1.1.1.3 external/bsd/unbound/dist/sldns/sbuffer.h up to 1.1.1.4 external/bsd/unbound/dist/sldns/str2wire.c up to 1.1.1.4 external/bsd/unbound/dist/sldns/wire2str.c up to 1.1.1.5 external/bsd/unbound/dist/sldns/wire2str.h up to 1.1.1.4 external/bsd/unbound/dist/smallapp/unbound-anchor.c up to 1.1.1.4 external/bsd/unbound/dist/smallapp/unbound-checkconf.c up to 1.1.1.5 external/bsd/unbound/dist/smallapp/unbound-control.c up to 1.1.1.5 external/bsd/unbound/dist/smallapp/unbound-host.c up to 1.1.1.5 external/bsd/unbound/dist/testcode/asynclook.c up to 1.1.1.5 external/bsd/unbound/dist/testcode/delayer.c up to 1.1.1.3 external/bsd/unbound/dist/testcode/fake_event.c up to 1.1.1.5 external/bsd/unbound/dist/testcode/memstats.c up to 1.1.1.3 external/bsd/unbound/dist/testcode/mini_tdir.sh up to 1.1.1.2 external/bsd/unbound/dist/testcode/perf.c up to 1.1.1.4 external/bsd/unbound/dist/testcode/petal.c up to 1.1.1.4 external/bsd/unbound/dist/testcode/streamtcp.c up to 1.1.1.5 external/bsd/unbound/dist/testcode/testbound.c up to 1.1.1.5 external/bsd/unbound/dist/testcode/testpkts.c up to 1.1.1.5 external/bsd/unbound/dist/testcode/unitmain.c up to 1.1.1.5 external/bsd/unbound/dist/testcode/unitmsgparse.c up to 1.1.1.3 external/bsd/unbound/dist/testcode/unitregional.c up to 1.1.1.2 external/bsd/unbound/dist/testdata/auth_nsec3_wild.rpl up to 1.1.1.2 external/bsd/unbound/dist/util/alloc.c up to 1.1.1.4 external/bsd/unbound/dist/util/config_file.c up to 1.1.1.5 external/bsd/unbound/dist/util/config_file.h up to 1.1.1.5 external/bsd/unbound/dist/util/configlexer.c up to 1.1.1.5 external/bsd/unbound/dist/util/configlexer.lex up to 1.1.1.5 external/bsd/unbound/dist/util/configparser.c up to 1.1.1.5 external/bsd/unbound/dist/util/configparser.h up to 1.1.1.5 external/bsd/unbound/dist/util/configparser.y up to 1.1.1.5 external/bsd/unbound/dist/util/fptr_wlist.c up to 1.1.1.5 external/bsd/unbound/dist/util/iana_ports.inc up to 1.1.1.5 external/bsd/unbound/dist/util/log.c up to 1.1.1.5 external/bsd/unbound/dist/util/mini_event.c up to 1.3 external/bsd/unbound/dist/util/net_help.c up to 1.1.1.5 external/bsd/unbound/dist/util/net_help.h up to 1.1.1.5 external/bsd/unbound/dist/util/netevent.c up to 1.3 external/bsd/unbound/dist/util/random.c up to 1.1.1.2 external/bsd/unbound/dist/util/random.h up to 1.1.1.2 external/bsd/unbound/dist/util/regional.c up to 1.1.1.2 external/bsd/unbound/dist/util/ub_event.c up to 1.1.1.4 external/bsd/unbound/dist/util/ub_event_pluggable.c up to 1.1.1.3 external/bsd/unbound/dist/util/winsock_event.c up to 1.1.1.3 external/bsd/unbound/dist/util/data/dname.c up to 1.1.1.4 external/bsd/unbound/dist/util/data/msgencode.c up to 1.1.1.4 external/bsd/unbound/dist/util/data/msgencode.h up to 1.1.1.2 external/bsd/unbound/dist/util/data/msgparse.c up to 1.1.1.4 external/bsd/unbound/dist/util/data/msgreply.c up to 1.1.1.5 external/bsd/unbound/dist/util/data/msgreply.h up to 1.1.1.5 external/bsd/unbound/dist/util/shm_side/shm_main.c up to 1.1.1.2 external/bsd/unbound/dist/util/storage/lookup3.c up to 1.1.1.3 external/bsd/unbound/dist/validator/autotrust.c up to 1.1.1.4 external/bsd/unbound/dist/validator/val_anchor.c up to 1.1.1.4 external/bsd/unbound/dist/validator/val_secalgo.c up to 1.1.1.5 external/bsd/unbound/dist/validator/val_sigcrypt.c up to 1.1.1.4 external/bsd/unbound/dist/validator/validator.c up to 1.1.1.5 external/bsd/unbound/include/config.h up to 1.7 doc/3RDPARTY (manually edited) Import unbound 1.9.6: 6 December 2019: Wouter - Fix ipsecmod compile. - Fix Makefile.in for ipset module compile, from Adi Prasaja. 5 December 2019: Wouter - unbound-fuzzers.tar.bz2: three programs for fuzzing, that are 1:1 replacements for unbound-fuzzme.c that gets created after applying the contrib/unbound-fuzzme.patch. They are contributed by Eric Sesterhenn from X41 D-Sec. - tag for 1.9.6rc1. 4 December 2019: Wouter - Fix lock type for memory purify log lock deletion. - Fix testbound for alloccheck runs, memory purify and lock checks. - update contrib/fastrpz.patch to apply more cleanly. - Fix Make Test Fails when Configured With --enable-alloc-nonregional, reported by X41 D-Sec. 3 December 2019: Wouter - Merge pull request #124 from rmetrich: Changed log lock from 'quick' to 'basic' because this is an I/O lock. - Fix text around serial arithmatic used for RRSIG times to refer to correct RFC number. - Fix Assert Causing DoS in synth_cname(), reported by X41 D-Sec. - Fix similar code in auth_zone synth cname to add the extra checks. - Fix Assert Causing DoS in dname_pkt_copy(), reported by X41 D-Sec. - Fix OOB Read in sldns_wire2str_dname_scan(), reported by X41 D-Sec. - Fix Out of Bounds Write in sldns_str2wire_str_buf(), reported by X41 D-Sec. - Fix Out of Bounds Write in sldns_b64_pton(), fixed by check in sldns_str2wire_int16_data_buf(), reported by X41 D-Sec. - Fix Insufficient Handling of Compressed Names in dname_pkt_copy(), reported by X41 D-Sec. - Fix Out of Bound Write Compressed Names in rdata_copy(), reported by X41 D-Sec. - Fix Hang in sldns_wire2str_pkt_scan(), reported by X41 D-Sec. This further lowers the max to 256. - Fix snprintf() supports the n-specifier, reported by X41 D-Sec. - Fix Bad Indentation, in dnscrypt.c, reported by X41 D-Sec. - Fix Client NONCE Generation used for Server NONCE, reported by X41 D-Sec. - Fix compile error in dnscrypt. - Fix _vfixed not Used, removed from sbuffer code, reported by X41 D-Sec. - Fix Hardcoded Constant, reported by X41 D-Sec. - make depend 2 December 2019: Wouter - Merge pull request #122 from he32: In tcp_callback_writer(), don't disable time-out when changing to read. 22 November 2019: George - Fix compiler warnings. 22 November 2019: Wouter - Fix dname loop maximum, reported by Eric Sesterhenn from X41 D-Sec. - Add make distclean that removes everything configure produced, and make maintainer-clean that removes bison and flex output. 20 November 2019: Wouter - Fix Out of Bounds Read in rrinternal_get_owner(), reported by X41 D-Sec. - Fix Race Condition in autr_tp_create(), reported by X41 D-Sec. - Fix Shared Memory World Writeable, reported by X41 D-Sec. - Adjust unbound-control to make stats_shm a read only operation. - Fix Weak Entropy Used For Nettle, reported by X41 D-Sec. - Fix Randomness Error not Handled Properly, reported by X41 D-Sec. - Fix Out-of-Bounds Read in dname_valid(), reported by X41 D-Sec. - Fix Config Injection in create_unbound_ad_servers.sh, reported by X41 D-Sec. - Fix Local Memory Leak in cachedb_init(), reported by X41 D-Sec. - Fix Integer Underflow in Regional Allocator, reported by X41 D-Sec. - Upgrade compat/getentropy_linux.c to version 1.46 from OpenBSD. - Synchronize compat/getentropy_win.c with version 1.5 from OpenBSD, no changes but makes the file, comments, identical. - Upgrade compat/getentropy_solaris.c to version 1.13 from OpenBSD. - Upgrade compat/getentropy_osx.c to version 1.12 from OpenBSD. - Changes to compat/getentropy files for, no link to openssl if using nettle, and hence config.h for HAVE_NETTLE variable. compat definition of MAP_ANON, for older systems. ifdef stdint.h inclusion for older systems. ifdef sha2.h inclusion for older systems. - Fixed Compat Code Diverging from Upstream, reported by X41 D-Sec. - Fix compile with --enable-alloc-checks, reported by X41 D-Sec. - Fix Terminating Quotes not Written, reported by X41 D-Sec. - Fix Useless memset() in validator, reported by X41 D-Sec. - Fix Unrequired Checks, reported by X41 D-Sec. - Fix Enum Name not Used, reported by X41 D-Sec. - Fix NULL Pointer Dereference via Control Port, reported by X41 D-Sec. - Fix Bad Randomness in Seed, reported by X41 D-Sec. - Fix python examples/calc.py for eval, reported by X41 D-Sec. - Fix comments for doxygen in dns64. 19 November 2019: Wouter - Fix CVE-2019-18934, shell execution in ipsecmod. - 1.9.5 is 1.9.4 with bugfix, trunk is 1.9.6 in development. - Fix authzone printout buffer length check. - Fixes to please lint checks. - Fix Integer Overflow in Regional Allocator, reported by X41 D-Sec. - Fix Unchecked NULL Pointer in dns64_inform_super() and ipsecmod_new(), reported by X41 D-Sec. - Fix Out-of-bounds Read in rr_comment_dnskey(), reported by X41 D-Sec. - Fix Integer Overflows in Size Calculations, reported by X41 D-Sec. - Fix Integer Overflow to Buffer Overflow in sldns_str2wire_dname_buf_origin(), reported by X41 D-Sec. - Fix Out of Bounds Read in sldns_str2wire_dname(), reported by X41 D-Sec. - Fix Out of Bounds Write in sldns_bget_token_par(), reported by X41 D-Sec. 18 November 2019: Wouter - In unbound-host use separate variable for get_option to please code checkers. - update to bison output of 3.4.1 in code repository. - Provide a prototype for compat malloc to remove compile warning. - Portable grep usage for reuseport configure test. - Check return type of HMAC_Init_ex for openssl 0.9.8. - gitignore .source tempfile used for compatible make. 13 November 2019: Wouter - iana portlist updated. - contrib/fastrpz.patch updated to apply for current code. - fixes for splint cleanliness, long vs int in SSL set_mode. 11 November 2019: Wouter - Fix #109: check number of arguments for stdin-pipes in unbound-control and fail if too many arguments. - Merge #102 from jrtc27: Add getentropy emulation for FreeBSD. 24 October 2019: Wouter - Fix #99: Memory leak in ub_ctx (event_base will never be freed). 23 October 2019: George - Add new configure option `--enable-fully-static` to enable full static build if requested; in relation to #91. 23 October 2019: Wouter - Merge #97: manpage: Add missing word on unbound.conf, from Erethon. 22 October 2019: Wouter - drop-tld.diff: adds option drop-tld: yesno that drops 2 label queries, to stop random floods. Apply with patch -p1 < contrib/drop-tld.diff and compile. From Saksham Manchanda (Secure64). Please note that we think this will drop DNSKEY and DS lookups for tlds and hence break DNSSEC lookups for downstream clients. 7 October 2019: Wouter - Add doxygen comments to unbound-anchor source address code, in #86. 3 October 2019: Wouter - Merge #90 from vcunat: fix build with nettle-3.5. - Merge 1.9.4 release with fix for vulnerability CVE-2019-16866. - Continue with development of 1.9.5. - Merge #86 from psquarejho: Added -b source address option to smallapp/unbound-anchor.c, from Lukas Wunner. 26 September 2019: Wouter - Merge #87 from hardfalcon: Fix contrib/unbound.service.in, Drop CAP_KILL, use + prefix for ExecReload= instead. 25 September 2019: Wouter - The unbound.conf includes are sorted ascending, for include statements with a '*' from glob. 23 September 2019: Wouter - Merge #85 for #84 from sam-lunt: Add kill capability to systemd service file to fix that systemctl reload fails. 20 September 2019: Wouter - Merge #82 from hardfalcon: Downgrade CAP_NET_ADMIN to CAP_NET_RAW in unbound.service. - Merge #81 from Maryse47: Consistently use /dev/urandom instead of /dev/random in scripts and docs. - Merge #83 from Maryse47: contrib/unbound.service.in: do not fork into the background. 19 September 2019: Wouter - Fix #78: Memory leak in outside_network.c. - Merge pull request #76 from Maryse47: Improvements and fixes for systemd unbound.service. - oss-fuzz badge on README.md. - Fix fix for #78 to also free service callback struct. - Fix for oss-fuzz build warning. - Fix wrong response ttl for prepended short CNAME ttls, this would create a wrong zero_ttl response count with serve-expired enabled. - Merge #80 from stasic: Improve wording in man page. 11 September 2019: Wouter - Use explicit bzero for wiping clear buffer of hash in cachedb, reported by Eric Sesterhenn from X41 D-Sec. 9 September 2019: Wouter - Fix #72: configure --with-syslog-facility=LOCAL0-7 with default LOG_DAEMON (as before) can set the syslog facility that the server uses to log messages. 4 September 2019: Wouter - Fix #71: fix openssl error squelch commit compilation error. 3 September 2019: Wouter - squelch DNS over TLS errors 'ssl handshake failed crypto error' on low verbosity, they show on verbosity 3 (query details), because there is a high volume and the operator cannot do anything for the remote failure. Specifically filters the high volume errors. 2 September 2019: Wouter - ipset module #28: log that an address is added, when verbosity high. - ipset: refactor long routine into three smaller ones. - updated Makefile dependencies. 23 August 2019: Wouter - Fix contrib/fastrpz.patch asprintf return value checks. 22 August 2019: Wouter - Fix that pkg-config is setup before --enable-systemd needs it. - 1.9.3rc2 release candidate tag. And this became the 1.9.3 release. Master is 1.9.4 in development. 21 August 2019: Wouter - Fix log_dns_msg to log irrespective of minimal responses config. 19 August 2019: Ralph - Document limitation of pidfile removal outside of chroot directory. 16 August 2019: Wouter - Fix unittest valgrind false positive uninitialised value report, where if gcc 9.1.1 uses -O2 (but not -O1) then valgrind 3.15.0 issues an uninitialised value for the token buffer at the str2wire.c rrinternal_get_owner() strcmp with the '@@' value. Rewritten to use straight character comparisons removes the false positive. Also valgrinds --expensive-definedness-checks=yes can stop this false positive. - Please doxygen's parser for "@@" occurrence in doxygen comment. - Fixup contrib/fastrpz.patch - Remove warning about unknown cast-function-type warning pragma. 15 August 2019: Wouter - iana portlist updated. - Fix autotrust temp file uniqueness windows compile. - avoid warning about upcast on 32bit systems for autotrust. - escape commandline contents for -V. - Fix character buffer size in ub_ctx_hosts. - 1.9.3rc1 release candidate tag. - Option -V prints if TCP fastopen is available. 14 August 2019: George - Fix #59, when compiled with systemd support check that we can properly communicate with systemd through the `NOTIFY_SOCKET`. 14 August 2019: Wouter - Generate configlexer with newer flex. - Fix warning for unused variable for compilation without systemd. 12 August 2019: George - Introduce `-V` option to print the version number and build options. Previously reported build options like linked libs and linked modules are now moved from `-h` to `-V` as well for consistency. - PACKAGE_BUGREPORT now also includes link to GitHub issues. 1 August 2019: Wouter - For #52 #53, second context does not close logfile override. - Fix #52 #53, fix for example fail program. - Fix to return after failed auth zone http chunk write. - Fix to remove unused test for task_probe existance. - Fix to timeval_add for remaining second in microseconds. - Check repinfo in worker_handle_request, if null, drop it. 29 July 2019: Wouter - Add verbose log message when auth zone file is written, at level 4. - Add hex print of trust anchor pointer to trust anchor file temp name to make it unique, for libunbound created multiple contexts. 23 July 2019: Wouter - Fix question section mismatch in local zone redirect. 19 July 2019: Wouter - Fix #49: Set no renegotiation on the SSL context to stop client session renegotiation. 12 July 2019: Wouter - Fix #48: Unbound returns additional records on NODATA response, if minimal-responses is enabled, also the additional for negative responses is removed. 9 July 2019: Ralph - Fix in respip addrtree selection. Absence of addr_tree_init_parents() call made it impossible to go up the tree when the matching netmask is too specific. 5 July 2019: Ralph - Fix for possible assertion failure when answering respip CNAME from cache. 25 June 2019: Wouter - For #45, check that 127.0.0.1 and ::1 are not used in unbound.conf when do-not-query-localhost is turned on, or at default on, unbound-checkconf prints a warning if it is found in forward-addr or stub-addr statements. 24 June 2019: Wouter - Fix memleak in unit test, reported from the clang 8.0 static analyzer. 18 June 2019: Wouter - PR #28: IPSet module, by Kevin Chou. Created a module to support the ipset that could add the domain's ip to a list easily. Needs libmnl, and --enable-ipset and config it, doc/README.ipset.md. - Fix to omit RRSIGs from addition to the ipset. - Fix to make unbound-control with ipset, remove unused variable, use unsigned type because of comparison, and assign null instead of compare with it. Remade lex and yacc output. - make depend - Added documentation to the ipset files (for doxygen output). - Merge PR #6: Python module: support multiple instances - Merge PR #5: Python module: define constant MODULE_RESTART_NEXT - Merge PR #4: Python module: assign something useful to the per-query data store 'qdata' - Fix python dict reference and double free in config. 17 June 2019: Wouter - Master contains version 1.9.3 in development. - Fix #39: In libunbound, leftover logfile is close()d unpredictably. - Fix for #24: Fix abort due to scan of auth zone masters using old address from previous scan. 12 June 2019: Wouter - Fix another spoolbuf storage code point, in prefetch. - 1.9.2rc3 release candidate tag. Which became the 1.9.2 release on 17 June 2019. 11 June 2019: Wouter - Fix that fixes the Fix that spoolbuf is not used to store tcp pipelined response between mesh send and callback end, this fixes error cases that did not use the correct spoolbuf. - 1.9.2rc2 release candidate tag. 6 June 2019: Wouter - 1.9.2rc1 release candidate tag. 4 June 2019: Wouter - iana portlist updated. 29 May 2019: Wouter - Fix to guard _OPENBSD_SOURCE from redefinition. 28 May 2019: Wouter - Fix to define _OPENBSD_SOURCE to get reallocarray on NetBSD. - gitignore config.h.in~. 27 May 2019: Wouter - Fix double file close in tcp pipelined response code. 24 May 2019: Wouter - Fix that spoolbuf is not used to store tcp pipelined response between mesh send and callback end. 20 May 2019: Wouter - Note that so-reuseport at extreme load is better turned off, otherwise queries are not distributed evenly, on Linux 4.4.x. 16 May 2019: Wouter - Fix #31: swig 4.0 and python module. 13 May 2019: Wouter - Squelch log messages from tcp send about connection reset by peer. They can be enabled with verbosity at higher values for diagnosing network connectivity issues. - Attempt to fix malformed tcp response. 9 May 2019: Wouter - Revert fix for oss-fuzz, error is in that build script that unconditionally includes .o files detected by configure, also when the machine architecture uses different LIBOBJS files. 8 May 2019: Wouter - Attempt to fix build failure in oss-fuzz because of reallocarray. https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14648. Does not omit compile flags from commandline. 7 May 2019: Wouter - Fix edns-subnet locks, in error cases the lock was not unlocked. - Fix doxygen output error on readme markdown vignettes. 6 May 2019: Wouter - Fix #29: Solaris 11.3 and missing symbols be64toh, htobe64. - Fix #30: AddressSanitizer finding in lookup3.c. This sets the hash function to use a slower but better auditable code that does not read beyond array boundaries. This makes code better security checkable, and is better for security. It is fixed to be slower, but not read outside of the array. 2 May 2019: Wouter - contrib/fastrpz.patch updated for code changes, and with git diff. - Fix .gitignore, add pythonmod and dnstap generated files. And unit test generated files, and generated doc files. 1 May 2019: Wouter - Update makedist for git. - Nicer travis output for clang analysis. - PR #16: XoT support, AXFR over TLS, turn it on with master: # in unbound.conf. This uses TLS to download the AXFR (or IXFR). 25 April 2019: Wouter - Fix wrong query name in local zone redirect answers with a CNAME, the copy of the local alias is in unpacked form. 18 April 2019: Ralph - Scrub RRs from answer section when reusing NXDOMAIN message for subdomain answers. - For harden-below-nxdomain: do not consider a name to be non-exitent when message contains a CNAME record. 18 April 2019: Wouter - travis build file. 16 April 2019: Wouter - Better braces in if statement in TCP fastopen code. - iana portlist updated. 15 April 2019: Wouter - Fix tls write event for read state change to re-call SSL_write and not resume the TLS handshake. 11 April 2019: George - Update python documentation for init_standard(). - Typos. 11 April 2019: Wouter - Fix that auth zone uses correct network type for sockets for SOA serial probes. This fixes that probes fail because earlier probe addresses are unreachable. - Fix that auth zone fails over to next master for timeout in tcp. - Squelch SSL read and write connection reset by peer and broken pipe messages. Verbosity 2 and higher enables them. 8 April 2019: Wouter - Fix to use event_assign with libevent for thread-safety. - verbose information about auth zone lookup process, also lookup start, timeout and fail. - Fix #17: Add python module example from Jan Janak, that is a plugin for the Unbound DNS resolver to resolve DNS records in multicast DNS [RFC 6762] via Avahi. The plugin communicates with Avahi via DBus. The comment section at the beginning of the file contains detailed documentation. - Fix to wipe ssl ticket keys from memory with explicit_bzero, if available. 5 April 2019: Wouter - Fix to reinit event structure for accepted TCP (and TLS) sockets. 4 April 2019: Wouter - Fix spelling error in log output for event method. 3 April 2019: Wouter - Move goto label in answer_from_cache to the end of the function where it is more visible. - Fix auth-zone NSEC3 response for wildcard nodata answers, include the closest encloser in the answer. 2 April 2019: Wouter - Fix auth-zone NSEC3 response for empty nonterminals with exact match nsec3 records. - Fix for out of bounds integers, thanks to OSTIF audit. It is in allocation debug code. - Fix for auth zone nsec3 ent fix for wildcard nodata. 25 March 2019: Wouter - Fix that tls-session-ticket-keys: "" on its own in unbound.conf disables the tls session ticker key calls into the OpenSSL API. - Fix crash if tls-servic-pem not filled in when necessary. 21 March 2019: Wouter - Fix #4240: Fix whitespace cleanup in example.conf. 19 March 2019: Wouter - add type CAA to libpyunbound (accessing libunbound from python). 18 March 2019: Wouter - Add log message, at verbosity 4, that says the query is encrypted with TLS, if that is enabled for the query. - Fix #4239: set NOTIMPL when deny-any is enabled, for RFC8482. 7 March 2019: Wouter - Fix for #4233: guard use of NDEBUG, so that it can be passed in CFLAGS into configure. @ text @d57 1 a57 1 if ! egrep -q '^/[^[:space:]]+[[:space:]]+'${rootdir}'/dev/urandom' /proc/mounts; then d59 2 a60 2 [ -e ${rootdir}/dev/urandom ] || touch ${rootdir}/dev/urandom mount --bind -n /dev/urandom ${rootdir}/dev/urandom >/dev/null 2>&1; d81 2 a82 2 if egrep -q '^/[^[:space:]]+[[:space:]]+'${rootdir}'/dev/urandom' /proc/mounts; then umount ${rootdir}/dev/urandom >/dev/null 2>&1 @ 1.1.1.3 log @Import unbound 1.9.6: 6 December 2019: Wouter - Fix ipsecmod compile. - Fix Makefile.in for ipset module compile, from Adi Prasaja. 5 December 2019: Wouter - unbound-fuzzers.tar.bz2: three programs for fuzzing, that are 1:1 replacements for unbound-fuzzme.c that gets created after applying the contrib/unbound-fuzzme.patch. They are contributed by Eric Sesterhenn from X41 D-Sec. - tag for 1.9.6rc1. 4 December 2019: Wouter - Fix lock type for memory purify log lock deletion. - Fix testbound for alloccheck runs, memory purify and lock checks. - update contrib/fastrpz.patch to apply more cleanly. - Fix Make Test Fails when Configured With --enable-alloc-nonregional, reported by X41 D-Sec. 3 December 2019: Wouter - Merge pull request #124 from rmetrich: Changed log lock from 'quick' to 'basic' because this is an I/O lock. - Fix text around serial arithmatic used for RRSIG times to refer to correct RFC number. - Fix Assert Causing DoS in synth_cname(), reported by X41 D-Sec. - Fix similar code in auth_zone synth cname to add the extra checks. - Fix Assert Causing DoS in dname_pkt_copy(), reported by X41 D-Sec. - Fix OOB Read in sldns_wire2str_dname_scan(), reported by X41 D-Sec. - Fix Out of Bounds Write in sldns_str2wire_str_buf(), reported by X41 D-Sec. - Fix Out of Bounds Write in sldns_b64_pton(), fixed by check in sldns_str2wire_int16_data_buf(), reported by X41 D-Sec. - Fix Insufficient Handling of Compressed Names in dname_pkt_copy(), reported by X41 D-Sec. - Fix Out of Bound Write Compressed Names in rdata_copy(), reported by X41 D-Sec. - Fix Hang in sldns_wire2str_pkt_scan(), reported by X41 D-Sec. This further lowers the max to 256. - Fix snprintf() supports the n-specifier, reported by X41 D-Sec. - Fix Bad Indentation, in dnscrypt.c, reported by X41 D-Sec. - Fix Client NONCE Generation used for Server NONCE, reported by X41 D-Sec. - Fix compile error in dnscrypt. - Fix _vfixed not Used, removed from sbuffer code, reported by X41 D-Sec. - Fix Hardcoded Constant, reported by X41 D-Sec. - make depend 2 December 2019: Wouter - Merge pull request #122 from he32: In tcp_callback_writer(), don't disable time-out when changing to read. 22 November 2019: George - Fix compiler warnings. 22 November 2019: Wouter - Fix dname loop maximum, reported by Eric Sesterhenn from X41 D-Sec. - Add make distclean that removes everything configure produced, and make maintainer-clean that removes bison and flex output. 20 November 2019: Wouter - Fix Out of Bounds Read in rrinternal_get_owner(), reported by X41 D-Sec. - Fix Race Condition in autr_tp_create(), reported by X41 D-Sec. - Fix Shared Memory World Writeable, reported by X41 D-Sec. - Adjust unbound-control to make stats_shm a read only operation. - Fix Weak Entropy Used For Nettle, reported by X41 D-Sec. - Fix Randomness Error not Handled Properly, reported by X41 D-Sec. - Fix Out-of-Bounds Read in dname_valid(), reported by X41 D-Sec. - Fix Config Injection in create_unbound_ad_servers.sh, reported by X41 D-Sec. - Fix Local Memory Leak in cachedb_init(), reported by X41 D-Sec. - Fix Integer Underflow in Regional Allocator, reported by X41 D-Sec. - Upgrade compat/getentropy_linux.c to version 1.46 from OpenBSD. - Synchronize compat/getentropy_win.c with version 1.5 from OpenBSD, no changes but makes the file, comments, identical. - Upgrade compat/getentropy_solaris.c to version 1.13 from OpenBSD. - Upgrade compat/getentropy_osx.c to version 1.12 from OpenBSD. - Changes to compat/getentropy files for, no link to openssl if using nettle, and hence config.h for HAVE_NETTLE variable. compat definition of MAP_ANON, for older systems. ifdef stdint.h inclusion for older systems. ifdef sha2.h inclusion for older systems. - Fixed Compat Code Diverging from Upstream, reported by X41 D-Sec. - Fix compile with --enable-alloc-checks, reported by X41 D-Sec. - Fix Terminating Quotes not Written, reported by X41 D-Sec. - Fix Useless memset() in validator, reported by X41 D-Sec. - Fix Unrequired Checks, reported by X41 D-Sec. - Fix Enum Name not Used, reported by X41 D-Sec. - Fix NULL Pointer Dereference via Control Port, reported by X41 D-Sec. - Fix Bad Randomness in Seed, reported by X41 D-Sec. - Fix python examples/calc.py for eval, reported by X41 D-Sec. - Fix comments for doxygen in dns64. 19 November 2019: Wouter - Fix CVE-2019-18934, shell execution in ipsecmod. - 1.9.5 is 1.9.4 with bugfix, trunk is 1.9.6 in development. - Fix authzone printout buffer length check. - Fixes to please lint checks. - Fix Integer Overflow in Regional Allocator, reported by X41 D-Sec. - Fix Unchecked NULL Pointer in dns64_inform_super() and ipsecmod_new(), reported by X41 D-Sec. - Fix Out-of-bounds Read in rr_comment_dnskey(), reported by X41 D-Sec. - Fix Integer Overflows in Size Calculations, reported by X41 D-Sec. - Fix Integer Overflow to Buffer Overflow in sldns_str2wire_dname_buf_origin(), reported by X41 D-Sec. - Fix Out of Bounds Read in sldns_str2wire_dname(), reported by X41 D-Sec. - Fix Out of Bounds Write in sldns_bget_token_par(), reported by X41 D-Sec. 18 November 2019: Wouter - In unbound-host use separate variable for get_option to please code checkers. - update to bison output of 3.4.1 in code repository. - Provide a prototype for compat malloc to remove compile warning. - Portable grep usage for reuseport configure test. - Check return type of HMAC_Init_ex for openssl 0.9.8. - gitignore .source tempfile used for compatible make. 13 November 2019: Wouter - iana portlist updated. - contrib/fastrpz.patch updated to apply for current code. - fixes for splint cleanliness, long vs int in SSL set_mode. 11 November 2019: Wouter - Fix #109: check number of arguments for stdin-pipes in unbound-control and fail if too many arguments. - Merge #102 from jrtc27: Add getentropy emulation for FreeBSD. 24 October 2019: Wouter - Fix #99: Memory leak in ub_ctx (event_base will never be freed). 23 October 2019: George - Add new configure option `--enable-fully-static` to enable full static build if requested; in relation to #91. 23 October 2019: Wouter - Merge #97: manpage: Add missing word on unbound.conf, from Erethon. 22 October 2019: Wouter - drop-tld.diff: adds option drop-tld: yesno that drops 2 label queries, to stop random floods. Apply with patch -p1 < contrib/drop-tld.diff and compile. From Saksham Manchanda (Secure64). Please note that we think this will drop DNSKEY and DS lookups for tlds and hence break DNSSEC lookups for downstream clients. 7 October 2019: Wouter - Add doxygen comments to unbound-anchor source address code, in #86. 3 October 2019: Wouter - Merge #90 from vcunat: fix build with nettle-3.5. - Merge 1.9.4 release with fix for vulnerability CVE-2019-16866. - Continue with development of 1.9.5. - Merge #86 from psquarejho: Added -b source address option to smallapp/unbound-anchor.c, from Lukas Wunner. 26 September 2019: Wouter - Merge #87 from hardfalcon: Fix contrib/unbound.service.in, Drop CAP_KILL, use + prefix for ExecReload= instead. 25 September 2019: Wouter - The unbound.conf includes are sorted ascending, for include statements with a '*' from glob. 23 September 2019: Wouter - Merge #85 for #84 from sam-lunt: Add kill capability to systemd service file to fix that systemctl reload fails. 20 September 2019: Wouter - Merge #82 from hardfalcon: Downgrade CAP_NET_ADMIN to CAP_NET_RAW in unbound.service. - Merge #81 from Maryse47: Consistently use /dev/urandom instead of /dev/random in scripts and docs. - Merge #83 from Maryse47: contrib/unbound.service.in: do not fork into the background. 19 September 2019: Wouter - Fix #78: Memory leak in outside_network.c. - Merge pull request #76 from Maryse47: Improvements and fixes for systemd unbound.service. - oss-fuzz badge on README.md. - Fix fix for #78 to also free service callback struct. - Fix for oss-fuzz build warning. - Fix wrong response ttl for prepended short CNAME ttls, this would create a wrong zero_ttl response count with serve-expired enabled. - Merge #80 from stasic: Improve wording in man page. 11 September 2019: Wouter - Use explicit bzero for wiping clear buffer of hash in cachedb, reported by Eric Sesterhenn from X41 D-Sec. 9 September 2019: Wouter - Fix #72: configure --with-syslog-facility=LOCAL0-7 with default LOG_DAEMON (as before) can set the syslog facility that the server uses to log messages. 4 September 2019: Wouter - Fix #71: fix openssl error squelch commit compilation error. 3 September 2019: Wouter - squelch DNS over TLS errors 'ssl handshake failed crypto error' on low verbosity, they show on verbosity 3 (query details), because there is a high volume and the operator cannot do anything for the remote failure. Specifically filters the high volume errors. 2 September 2019: Wouter - ipset module #28: log that an address is added, when verbosity high. - ipset: refactor long routine into three smaller ones. - updated Makefile dependencies. 23 August 2019: Wouter - Fix contrib/fastrpz.patch asprintf return value checks. 22 August 2019: Wouter - Fix that pkg-config is setup before --enable-systemd needs it. - 1.9.3rc2 release candidate tag. And this became the 1.9.3 release. Master is 1.9.4 in development. 21 August 2019: Wouter - Fix log_dns_msg to log irrespective of minimal responses config. 19 August 2019: Ralph - Document limitation of pidfile removal outside of chroot directory. 16 August 2019: Wouter - Fix unittest valgrind false positive uninitialised value report, where if gcc 9.1.1 uses -O2 (but not -O1) then valgrind 3.15.0 issues an uninitialised value for the token buffer at the str2wire.c rrinternal_get_owner() strcmp with the '@@' value. Rewritten to use straight character comparisons removes the false positive. Also valgrinds --expensive-definedness-checks=yes can stop this false positive. - Please doxygen's parser for "@@" occurrence in doxygen comment. - Fixup contrib/fastrpz.patch - Remove warning about unknown cast-function-type warning pragma. 15 August 2019: Wouter - iana portlist updated. - Fix autotrust temp file uniqueness windows compile. - avoid warning about upcast on 32bit systems for autotrust. - escape commandline contents for -V. - Fix character buffer size in ub_ctx_hosts. - 1.9.3rc1 release candidate tag. - Option -V prints if TCP fastopen is available. 14 August 2019: George - Fix #59, when compiled with systemd support check that we can properly communicate with systemd through the `NOTIFY_SOCKET`. 14 August 2019: Wouter - Generate configlexer with newer flex. - Fix warning for unused variable for compilation without systemd. 12 August 2019: George - Introduce `-V` option to print the version number and build options. Previously reported build options like linked libs and linked modules are now moved from `-h` to `-V` as well for consistency. - PACKAGE_BUGREPORT now also includes link to GitHub issues. 1 August 2019: Wouter - For #52 #53, second context does not close logfile override. - Fix #52 #53, fix for example fail program. - Fix to return after failed auth zone http chunk write. - Fix to remove unused test for task_probe existance. - Fix to timeval_add for remaining second in microseconds. - Check repinfo in worker_handle_request, if null, drop it. 29 July 2019: Wouter - Add verbose log message when auth zone file is written, at level 4. - Add hex print of trust anchor pointer to trust anchor file temp name to make it unique, for libunbound created multiple contexts. 23 July 2019: Wouter - Fix question section mismatch in local zone redirect. 19 July 2019: Wouter - Fix #49: Set no renegotiation on the SSL context to stop client session renegotiation. 12 July 2019: Wouter - Fix #48: Unbound returns additional records on NODATA response, if minimal-responses is enabled, also the additional for negative responses is removed. 9 July 2019: Ralph - Fix in respip addrtree selection. Absence of addr_tree_init_parents() call made it impossible to go up the tree when the matching netmask is too specific. 5 July 2019: Ralph - Fix for possible assertion failure when answering respip CNAME from cache. 25 June 2019: Wouter - For #45, check that 127.0.0.1 and ::1 are not used in unbound.conf when do-not-query-localhost is turned on, or at default on, unbound-checkconf prints a warning if it is found in forward-addr or stub-addr statements. 24 June 2019: Wouter - Fix memleak in unit test, reported from the clang 8.0 static analyzer. 18 June 2019: Wouter - PR #28: IPSet module, by Kevin Chou. Created a module to support the ipset that could add the domain's ip to a list easily. Needs libmnl, and --enable-ipset and config it, doc/README.ipset.md. - Fix to omit RRSIGs from addition to the ipset. - Fix to make unbound-control with ipset, remove unused variable, use unsigned type because of comparison, and assign null instead of compare with it. Remade lex and yacc output. - make depend - Added documentation to the ipset files (for doxygen output). - Merge PR #6: Python module: support multiple instances - Merge PR #5: Python module: define constant MODULE_RESTART_NEXT - Merge PR #4: Python module: assign something useful to the per-query data store 'qdata' - Fix python dict reference and double free in config. 17 June 2019: Wouter - Master contains version 1.9.3 in development. - Fix #39: In libunbound, leftover logfile is close()d unpredictably. - Fix for #24: Fix abort due to scan of auth zone masters using old address from previous scan. 12 June 2019: Wouter - Fix another spoolbuf storage code point, in prefetch. - 1.9.2rc3 release candidate tag. Which became the 1.9.2 release on 17 June 2019. 11 June 2019: Wouter - Fix that fixes the Fix that spoolbuf is not used to store tcp pipelined response between mesh send and callback end, this fixes error cases that did not use the correct spoolbuf. - 1.9.2rc2 release candidate tag. 6 June 2019: Wouter - 1.9.2rc1 release candidate tag. 4 June 2019: Wouter - iana portlist updated. 29 May 2019: Wouter - Fix to guard _OPENBSD_SOURCE from redefinition. 28 May 2019: Wouter - Fix to define _OPENBSD_SOURCE to get reallocarray on NetBSD. - gitignore config.h.in~. 27 May 2019: Wouter - Fix double file close in tcp pipelined response code. 24 May 2019: Wouter - Fix that spoolbuf is not used to store tcp pipelined response between mesh send and callback end. 20 May 2019: Wouter - Note that so-reuseport at extreme load is better turned off, otherwise queries are not distributed evenly, on Linux 4.4.x. 16 May 2019: Wouter - Fix #31: swig 4.0 and python module. 13 May 2019: Wouter - Squelch log messages from tcp send about connection reset by peer. They can be enabled with verbosity at higher values for diagnosing network connectivity issues. - Attempt to fix malformed tcp response. 9 May 2019: Wouter - Revert fix for oss-fuzz, error is in that build script that unconditionally includes .o files detected by configure, also when the machine architecture uses different LIBOBJS files. 8 May 2019: Wouter - Attempt to fix build failure in oss-fuzz because of reallocarray. https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14648. Does not omit compile flags from commandline. 7 May 2019: Wouter - Fix edns-subnet locks, in error cases the lock was not unlocked. - Fix doxygen output error on readme markdown vignettes. 6 May 2019: Wouter - Fix #29: Solaris 11.3 and missing symbols be64toh, htobe64. - Fix #30: AddressSanitizer finding in lookup3.c. This sets the hash function to use a slower but better auditable code that does not read beyond array boundaries. This makes code better security checkable, and is better for security. It is fixed to be slower, but not read outside of the array. 2 May 2019: Wouter - contrib/fastrpz.patch updated for code changes, and with git diff. - Fix .gitignore, add pythonmod and dnstap generated files. And unit test generated files, and generated doc files. 1 May 2019: Wouter - Update makedist for git. - Nicer travis output for clang analysis. - PR #16: XoT support, AXFR over TLS, turn it on with master: # in unbound.conf. This uses TLS to download the AXFR (or IXFR). 25 April 2019: Wouter - Fix wrong query name in local zone redirect answers with a CNAME, the copy of the local alias is in unpacked form. 18 April 2019: Ralph - Scrub RRs from answer section when reusing NXDOMAIN message for subdomain answers. - For harden-below-nxdomain: do not consider a name to be non-exitent when message contains a CNAME record. 18 April 2019: Wouter - travis build file. 16 April 2019: Wouter - Better braces in if statement in TCP fastopen code. - iana portlist updated. 15 April 2019: Wouter - Fix tls write event for read state change to re-call SSL_write and not resume the TLS handshake. 11 April 2019: George - Update python documentation for init_standard(). - Typos. 11 April 2019: Wouter - Fix that auth zone uses correct network type for sockets for SOA serial probes. This fixes that probes fail because earlier probe addresses are unreachable. - Fix that auth zone fails over to next master for timeout in tcp. - Squelch SSL read and write connection reset by peer and broken pipe messages. Verbosity 2 and higher enables them. 8 April 2019: Wouter - Fix to use event_assign with libevent for thread-safety. - verbose information about auth zone lookup process, also lookup start, timeout and fail. - Fix #17: Add python module example from Jan Janak, that is a plugin for the Unbound DNS resolver to resolve DNS records in multicast DNS [RFC 6762] via Avahi. The plugin communicates with Avahi via DBus. The comment section at the beginning of the file contains detailed documentation. - Fix to wipe ssl ticket keys from memory with explicit_bzero, if available. 5 April 2019: Wouter - Fix to reinit event structure for accepted TCP (and TLS) sockets. 4 April 2019: Wouter - Fix spelling error in log output for event method. 3 April 2019: Wouter - Move goto label in answer_from_cache to the end of the function where it is more visible. - Fix auth-zone NSEC3 response for wildcard nodata answers, include the closest encloser in the answer. 2 April 2019: Wouter - Fix auth-zone NSEC3 response for empty nonterminals with exact match nsec3 records. - Fix for out of bounds integers, thanks to OSTIF audit. It is in allocation debug code. - Fix for auth zone nsec3 ent fix for wildcard nodata. 25 March 2019: Wouter - Fix that tls-session-ticket-keys: "" on its own in unbound.conf disables the tls session ticker key calls into the OpenSSL API. - Fix crash if tls-servic-pem not filled in when necessary. 21 March 2019: Wouter - Fix #4240: Fix whitespace cleanup in example.conf. 19 March 2019: Wouter - add type CAA to libpyunbound (accessing libunbound from python). 18 March 2019: Wouter - Add log message, at verbosity 4, that says the query is encrypted with TLS, if that is enabled for the query. - Fix #4239: set NOTIMPL when deny-any is enabled, for RFC8482. 7 March 2019: Wouter - Fix for #4233: guard use of NDEBUG, so that it can be passed in CFLAGS into configure. @ text @d57 1 a57 1 if ! egrep -q '^/[^[:space:]]+[[:space:]]+'${rootdir}'/dev/urandom' /proc/mounts; then d59 2 a60 2 [ -e ${rootdir}/dev/urandom ] || touch ${rootdir}/dev/urandom mount --bind -n /dev/urandom ${rootdir}/dev/urandom >/dev/null 2>&1; d81 2 a82 2 if egrep -q '^/[^[:space:]]+[[:space:]]+'${rootdir}'/dev/urandom' /proc/mounts; then umount ${rootdir}/dev/urandom >/dev/null 2>&1 @ 1.1.1.3.12.1 log @Pull up following revision(s) (requested by gutteridge in ticket #162): distrib/sets/lists/debug/shl.mi: revision 1.385 distrib/sets/lists/base/shl.mi: revision 1.1027 external/bsd/unbound/dist/doc/README.man up to 1.1.1.1 external/bsd/unbound/dist/doc/libunbound.rst up to 1.1.1.1 external/bsd/unbound/dist/doc/unbound-anchor.rst up to 1.1.1.1 external/bsd/unbound/dist/doc/unbound-checkconf.rst up to 1.1.1.1 external/bsd/unbound/dist/doc/unbound-control.rst up to 1.1.1.1 external/bsd/unbound/dist/doc/unbound-host.rst up to 1.1.1.1 external/bsd/unbound/dist/doc/unbound.conf.rst up to 1.1.1.1 external/bsd/unbound/dist/doc/unbound.rst up to 1.1.1.1 external/bsd/unbound/dist/testcode/doqclient.c up to 1.1.1.2 external/bsd/unbound/dist/testcode/unitdoq.c up to 1.1.1.1 external/bsd/unbound/dist/testcode/unitinfra.c up to 1.1.1.2 external/bsd/unbound/dist/testdata/09-unbound-control.tdir/view_local_data up to 1.1.1.1 external/bsd/unbound/dist/testdata/09-unbound-control.tdir/view_local_data_remove up to 1.1.1.1 external/bsd/unbound/dist/testdata/stat_values.tdir/stat_values_discard_wait_limit.conf up to 1.1.1.1 external/bsd/unbound/dist/testdata/acl_interface.tdir/rpz-nx.zone up to 1.1.1.1 external/bsd/unbound/dist/testdata/acl_interface.tdir/rpz-one.zone up to 1.1.1.1 external/bsd/unbound/dist/testdata/acl_interface.tdir/rpz-two.zone up to 1.1.1.1 external/bsd/unbound/dist/testdata/cachedb_expired.crpl up to 1.1.1.1 external/bsd/unbound/dist/testdata/cachedb_expired_client_timeout.crpl up to 1.1.1.1 external/bsd/unbound/dist/testdata/cachedb_expired_reply_ttl.crpl up to 1.1.1.1 external/bsd/unbound/dist/testdata/subnet_cached_size.crpl up to 1.1.1.2 external/bsd/unbound/dist/testdata/cachedb_subnet_change.crpl up to 1.1.1.1 external/bsd/unbound/dist/testdata/cachedb_subnet_expired.crpl up to 1.1.1.1 external/bsd/unbound/dist/testdata/cachedb_subnet_toecs_timeout.crpl up to 1.1.1.1 external/bsd/unbound/dist/testdata/cachedb_val_expired.crpl up to 1.1.1.1 external/bsd/unbound/dist/testdata/dns64_prefetch_cache.rpl up to 1.1.1.2 external/bsd/unbound/dist/testdata/dns_error_reporting.rpl up to 1.1.1.1 external/bsd/unbound/dist/testdata/fwd_name_lookup.rpl up to 1.1.1.1 external/bsd/unbound/dist/testdata/iter_dname_ttl.rpl up to 1.1.1.1 external/bsd/unbound/dist/testdata/iter_fwdstubauth.rpl up to 1.1.1.1 external/bsd/unbound/dist/testdata/iter_ghost_grandchild_delegation.rpl up to 1.1.1.2 external/bsd/unbound/dist/testdata/iter_max_global_quota.rpl up to 1.1.1.1 external/bsd/unbound/dist/testdata/iter_unverified_glue.rpl up to 1.1.1.2 external/bsd/unbound/dist/testdata/iter_unverified_glue_fallback.rpl up to 1.1.1.1 external/bsd/unbound/dist/testdata/local_cnameother.rpl up to 1.1.1.1 external/bsd/unbound/dist/testdata/rpz_clientip_override.rpl up to 1.1.1.1 external/bsd/unbound/dist/testdata/rpz_cname_handle.rpl up to 1.1.1.1 external/bsd/unbound/dist/testdata/rpz_cname_tag.rpl up to 1.1.1.1 external/bsd/unbound/dist/testdata/rpz_nsdname_override.rpl up to 1.1.1.1 external/bsd/unbound/dist/testdata/rpz_nsip_override.rpl up to 1.1.1.1 external/bsd/unbound/dist/testdata/rpz_passthru_clientip.rpl up to 1.1.1.1 external/bsd/unbound/dist/testdata/rpz_qtype_cname.rpl up to 1.1.1.1 external/bsd/unbound/dist/testdata/rpz_val_block.rpl up to 1.1.1.1 external/bsd/unbound/dist/testdata/rrset_use_cached.rpl up to 1.1.1.2 external/bsd/unbound/dist/testdata/serve_expired_client_timeout_val_bogus.rpl up to 1.1.1.1 external/bsd/unbound/dist/testdata/serve_expired_client_timeout_val_insecure_delegation.rpl up to 1.1.1.2 external/bsd/unbound/dist/testdata/serve_expired_ttl_reset.rpl up to 1.1.1.1 external/bsd/unbound/dist/testdata/serve_expired_val_bogus.rpl up to 1.1.1.1 external/bsd/unbound/dist/testdata/auth_tls.tdir/auth_tls.dsc up to 1.1.1.1 external/bsd/unbound/dist/testdata/auth_tls.tdir/auth_tls.nsd.conf up to 1.1.1.1 external/bsd/unbound/dist/testdata/auth_tls.tdir/auth_tls.post up to 1.1.1.1 external/bsd/unbound/dist/testdata/auth_tls.tdir/auth_tls.pre up to 1.1.1.1 external/bsd/unbound/dist/testdata/auth_tls.tdir/auth_tls.test up to 1.1.1.1 external/bsd/unbound/dist/testdata/auth_tls.tdir/auth_tls.ub.conf up to 1.1.1.1 external/bsd/unbound/dist/testdata/auth_tls.tdir/example.com.zone up to 1.1.1.1 external/bsd/unbound/dist/testdata/auth_tls.tdir/nsd_server.key up to 1.1.1.1 external/bsd/unbound/dist/testdata/auth_tls.tdir/nsd_server.pem up to 1.1.1.1 external/bsd/unbound/dist/testdata/auth_tls.tdir/unbound_server.key up to 1.1.1.1 external/bsd/unbound/dist/testdata/auth_tls.tdir/unbound_server.pem up to 1.1.1.1 external/bsd/unbound/dist/testdata/subnet_scopezero_noedns.crpl up to 1.1.1.1 external/bsd/unbound/dist/testdata/ttl_max_negative.rpl up to 1.1.1.1 external/bsd/unbound/dist/testdata/ttl_min_negative.rpl up to 1.1.1.1 external/bsd/unbound/dist/testdata/val_cnameqtype_qmin.rpl up to 1.1.1.1 external/bsd/unbound/dist/testdata/val_dname_twice.rpl up to 1.1.1.1 external/bsd/unbound/dist/testdata/val_dnameqtype.rpl up to 1.1.1.1 external/bsd/unbound/dist/testdata/val_dnameqtype_qmin.rpl up to 1.1.1.1 external/bsd/unbound/dist/testdata/val_failure_dnskey.rpl up to 1.1.1.2 external/bsd/unbound/dist/testdata/val_negcache_ttl.rpl up to 1.1.1.1 external/bsd/unbound/dist/testdata/val_negcache_ttl_prefetch.rpl up to 1.1.1.1 external/bsd/unbound/dist/testdata/auth_tls_failcert.tdir/auth_tls_failcert.dsc up to 1.1.1.1 external/bsd/unbound/dist/testdata/auth_tls_failcert.tdir/auth_tls_failcert.nsd.conf up to 1.1.1.1 external/bsd/unbound/dist/testdata/auth_tls_failcert.tdir/auth_tls_failcert.post up to 1.1.1.1 external/bsd/unbound/dist/testdata/auth_tls_failcert.tdir/auth_tls_failcert.pre up to 1.1.1.1 external/bsd/unbound/dist/testdata/auth_tls_failcert.tdir/auth_tls_failcert.test up to 1.1.1.1 external/bsd/unbound/dist/testdata/auth_tls_failcert.tdir/auth_tls_failcert.ub.conf up to 1.1.1.1 external/bsd/unbound/dist/testdata/auth_tls_failcert.tdir/example.com.zone up to 1.1.1.1 external/bsd/unbound/dist/testdata/auth_tls_failcert.tdir/nsd_server.key up to 1.1.1.1 external/bsd/unbound/dist/testdata/auth_tls_failcert.tdir/nsd_server.pem up to 1.1.1.1 external/bsd/unbound/dist/testdata/auth_tls_failcert.tdir/unbound_server.key up to 1.1.1.1 external/bsd/unbound/dist/testdata/auth_tls_failcert.tdir/unbound_server.pem up to 1.1.1.1 external/bsd/unbound/dist/testdata/cookie_file.tdir/cookie_file.conf up to 1.1.1.1 external/bsd/unbound/dist/testdata/cookie_file.tdir/cookie_file.dsc up to 1.1.1.1 external/bsd/unbound/dist/testdata/cookie_file.tdir/cookie_file.post up to 1.1.1.1 external/bsd/unbound/dist/testdata/cookie_file.tdir/cookie_file.pre up to 1.1.1.1 external/bsd/unbound/dist/testdata/cookie_file.tdir/cookie_file.test up to 1.1.1.1 external/bsd/unbound/dist/testdata/auth_nsec3_ent_with_out_of_zone_data.rpl up to 1.1.1.1 external/bsd/unbound/dist/testdata/doq_downstream.tdir/doq_downstream.conf up to 1.1.1.1 external/bsd/unbound/dist/testdata/doq_downstream.tdir/doq_downstream.dsc up to 1.1.1.1 external/bsd/unbound/dist/testdata/doq_downstream.tdir/doq_downstream.post up to 1.1.1.1 external/bsd/unbound/dist/testdata/doq_downstream.tdir/doq_downstream.pre up to 1.1.1.1 external/bsd/unbound/dist/testdata/doq_downstream.tdir/doq_downstream.test up to 1.1.1.1 external/bsd/unbound/dist/testdata/doq_downstream.tdir/doq_downstream.testns up to 1.1.1.1 external/bsd/unbound/dist/testdata/doq_downstream.tdir/unbound_server.key up to 1.1.1.2 external/bsd/unbound/dist/testdata/doq_downstream.tdir/unbound_server.pem up to 1.1.1.2 external/bsd/unbound/dist/testdata/iter_fwdfirstequaltcp.rpl up to 1.1.1.1 external/bsd/unbound/dist/testdata/fast_reload_fwd.tdir/auth1.zone up to 1.1.1.1 external/bsd/unbound/dist/testdata/fast_reload_fwd.tdir/auth2.zone up to 1.1.1.1 external/bsd/unbound/dist/testdata/fast_reload_fwd.tdir/fast_reload_fwd.conf up to 1.1.1.1 external/bsd/unbound/dist/testdata/fast_reload_fwd.tdir/fast_reload_fwd.conf2 up to 1.1.1.1 external/bsd/unbound/dist/testdata/fast_reload_fwd.tdir/fast_reload_fwd.dsc up to 1.1.1.1 external/bsd/unbound/dist/testdata/fast_reload_fwd.tdir/fast_reload_fwd.ns1 up to 1.1.1.1 external/bsd/unbound/dist/testdata/fast_reload_fwd.tdir/fast_reload_fwd.ns2 up to 1.1.1.1 external/bsd/unbound/dist/testdata/fast_reload_fwd.tdir/fast_reload_fwd.post up to 1.1.1.1 external/bsd/unbound/dist/testdata/fast_reload_fwd.tdir/fast_reload_fwd.pre up to 1.1.1.1 external/bsd/unbound/dist/testdata/fast_reload_fwd.tdir/fast_reload_fwd.test up to 1.1.1.1 external/bsd/unbound/dist/testdata/fast_reload_most_options.tdir/auth.nlnetlabs.nl.zone up to 1.1.1.1 external/bsd/unbound/dist/testdata/fast_reload_most_options.tdir/fast_reload_most_options.conf up to 1.1.1.1 external/bsd/unbound/dist/testdata/fast_reload_most_options.tdir/fast_reload_most_options.dsc up to 1.1.1.1 external/bsd/unbound/dist/testdata/fast_reload_most_options.tdir/fast_reload_most_options.post up to 1.1.1.1 external/bsd/unbound/dist/testdata/fast_reload_most_options.tdir/fast_reload_most_options.pre up to 1.1.1.1 external/bsd/unbound/dist/testdata/fast_reload_most_options.tdir/fast_reload_most_options.test up to 1.1.1.1 external/bsd/unbound/dist/testdata/fast_reload_most_options.tdir/rpz.nlnetlabs.nl.zone up to 1.1.1.1 external/bsd/unbound/dist/testdata/fast_reload_thread.tdir/fast_reload_thread.conf up to 1.1.1.1 external/bsd/unbound/dist/testdata/fast_reload_thread.tdir/fast_reload_thread.dsc up to 1.1.1.1 external/bsd/unbound/dist/testdata/fast_reload_thread.tdir/fast_reload_thread.post up to 1.1.1.1 external/bsd/unbound/dist/testdata/fast_reload_thread.tdir/fast_reload_thread.pre up to 1.1.1.1 external/bsd/unbound/dist/testdata/fast_reload_thread.tdir/fast_reload_thread.test up to 1.1.1.1 external/bsd/unbound/dist/testdata/log_servfail.tdir/log_servfail.conf up to 1.1.1.1 external/bsd/unbound/dist/testdata/log_servfail.tdir/log_servfail.dsc up to 1.1.1.1 external/bsd/unbound/dist/testdata/log_servfail.tdir/log_servfail.post up to 1.1.1.1 external/bsd/unbound/dist/testdata/log_servfail.tdir/log_servfail.pre up to 1.1.1.1 external/bsd/unbound/dist/testdata/log_servfail.tdir/log_servfail.test up to 1.1.1.1 external/bsd/unbound/dist/testdata/redis_replica.tdir/after.zone up to 1.1.1.1 external/bsd/unbound/dist/testdata/redis_replica.tdir/before.zone up to 1.1.1.1 external/bsd/unbound/dist/testdata/redis_replica.tdir/redis.conf up to 1.1.1.1 external/bsd/unbound/dist/testdata/redis_replica.tdir/redis_replica.conf up to 1.1.1.1 external/bsd/unbound/dist/testdata/redis_replica.tdir/redis_replica.dsc up to 1.1.1.1 external/bsd/unbound/dist/testdata/redis_replica.tdir/redis_replica.post up to 1.1.1.1 external/bsd/unbound/dist/testdata/redis_replica.tdir/redis_replica.pre up to 1.1.1.1 external/bsd/unbound/dist/testdata/redis_replica.tdir/redis_replica.test up to 1.1.1.1 external/bsd/unbound/dist/testdata/redis_replica.tdir/unbound_control.key up to 1.1.1.1 external/bsd/unbound/dist/testdata/redis_replica.tdir/unbound_control.pem up to 1.1.1.1 external/bsd/unbound/dist/testdata/redis_replica.tdir/unbound_server.key up to 1.1.1.1 external/bsd/unbound/dist/testdata/redis_replica.tdir/unbound_server.pem up to 1.1.1.1 external/bsd/unbound/dist/testdata/rpz_reload.tdir/example.org.zone up to 1.1.1.1 external/bsd/unbound/dist/testdata/rpz_reload.tdir/rpz.example.com.zone up to 1.1.1.1 external/bsd/unbound/dist/testdata/rpz_reload.tdir/rpz_reload.conf up to 1.1.1.1 external/bsd/unbound/dist/testdata/rpz_reload.tdir/rpz_reload.dsc up to 1.1.1.1 external/bsd/unbound/dist/testdata/rpz_reload.tdir/rpz_reload.post up to 1.1.1.1 external/bsd/unbound/dist/testdata/rpz_reload.tdir/rpz_reload.pre up to 1.1.1.1 external/bsd/unbound/dist/testdata/rpz_reload.tdir/rpz_reload.test up to 1.1.1.1 external/bsd/unbound/dist/testdata/auth_nsec3_wild_with_out_of_zone_data.rpl up to 1.1.1.1 external/bsd/unbound/dist/testdata/iter_minimise_chain.rpl up to 1.1.1.1 external/bsd/unbound/dist/testdata/iter_scrub_promiscuous.rpl up to 1.1.1.1 external/bsd/unbound/dist/testdata/rpz_cname_wild.rpl up to 1.1.1.1 external/bsd/unbound/dist/testdata/subnet_noecs_mult.crpl up to 1.1.1.1 external/bsd/unbound/dist/testdata/subnet_noecs_refused.crpl up to 1.1.1.1 external/bsd/unbound/dist/testdata/subnet_noecs_support.crpl up to 1.1.1.1 external/bsd/unbound/dist/testdata/subnet_scopezero_global.crpl up to 1.1.1.1 external/bsd/unbound/dist/testdata/redis_reconnect_interval.tdir/after.zone up to 1.1.1.1 external/bsd/unbound/dist/testdata/redis_reconnect_interval.tdir/before.zone up to 1.1.1.1 external/bsd/unbound/dist/testdata/redis_reconnect_interval.tdir/redis.conf up to 1.1.1.1 external/bsd/unbound/dist/testdata/redis_reconnect_interval.tdir/redis_reconnect_interval.conf up to 1.1.1.1 external/bsd/unbound/dist/testdata/redis_reconnect_interval.tdir/redis_reconnect_interval.dsc up to 1.1.1.1 external/bsd/unbound/dist/testdata/redis_reconnect_interval.tdir/redis_reconnect_interval.post up to 1.1.1.1 external/bsd/unbound/dist/testdata/redis_reconnect_interval.tdir/redis_reconnect_interval.pre up to 1.1.1.1 external/bsd/unbound/dist/testdata/redis_reconnect_interval.tdir/redis_reconnect_interval.test up to 1.1.1.1 external/bsd/unbound/dist/testdata/redis_reconnect_interval.tdir/unbound_control.key up to 1.1.1.1 external/bsd/unbound/dist/testdata/redis_reconnect_interval.tdir/unbound_control.pem up to 1.1.1.1 external/bsd/unbound/dist/testdata/redis_reconnect_interval.tdir/unbound_server.key up to 1.1.1.1 external/bsd/unbound/dist/testdata/redis_reconnect_interval.tdir/unbound_server.pem up to 1.1.1.1 external/bsd/unbound/dist/testdata/subnet_cache_lookup.tdir/subnet_cache_lookup.conf up to 1.1.1.1 external/bsd/unbound/dist/testdata/subnet_cache_lookup.tdir/subnet_cache_lookup.dsc up to 1.1.1.1 external/bsd/unbound/dist/testdata/subnet_cache_lookup.tdir/subnet_cache_lookup.post up to 1.1.1.1 external/bsd/unbound/dist/testdata/subnet_cache_lookup.tdir/subnet_cache_lookup.pre up to 1.1.1.1 external/bsd/unbound/dist/testdata/subnet_cache_lookup.tdir/subnet_cache_lookup.test up to 1.1.1.1 external/bsd/unbound/dist/testdata/subnet_cache_lookup.tdir/subnet_cache_lookup.testns up to 1.1.1.1 external/bsd/unbound/dist/ax_build_date_epoch.m4 up to 1.1.1.1 external/bsd/unbound/dist/ax_pkg_swig.m4 up to 1.1.1.1 external/bsd/unbound/dist/ac_pkg_swig.m4 delete external/bsd/unbound/dist/testdata/remote-threaded.tdir/bad_control.key delete external/bsd/unbound/dist/testdata/remote-threaded.tdir/bad_control.pem delete external/bsd/unbound/dist/testdata/remote-threaded.tdir/bad_server.key delete external/bsd/unbound/dist/testdata/remote-threaded.tdir/bad_server.pem delete external/bsd/unbound/dist/testdata/remote-threaded.tdir/remote-threaded.conf delete external/bsd/unbound/dist/testdata/remote-threaded.tdir/remote-threaded.dsc delete external/bsd/unbound/dist/testdata/remote-threaded.tdir/remote-threaded.post delete external/bsd/unbound/dist/testdata/remote-threaded.tdir/remote-threaded.pre delete external/bsd/unbound/dist/testdata/remote-threaded.tdir/remote-threaded.test delete external/bsd/unbound/dist/testdata/remote-threaded.tdir/remote-threaded.testns delete external/bsd/unbound/dist/testdata/remote-threaded.tdir/unbound_control.key delete external/bsd/unbound/dist/testdata/remote-threaded.tdir/unbound_control.pem delete external/bsd/unbound/dist/testdata/remote-threaded.tdir/unbound_server.key delete external/bsd/unbound/dist/testdata/remote-threaded.tdir/unbound_server.pem delete external/bsd/unbound/dist/Makefile.in up to 1.1.1.10 external/bsd/unbound/dist/aclocal.m4 up to 1.1.1.6 external/bsd/unbound/dist/acx_nlnetlabs.m4 up to 1.1.1.6 external/bsd/unbound/dist/acx_python.m4 up to 1.1.1.6 external/bsd/unbound/dist/ax_pthread.m4 up to 1.1.1.2 external/bsd/unbound/dist/config.guess up to 1.9 external/bsd/unbound/dist/config.h.in up to 1.1.1.10 external/bsd/unbound/dist/config.sub up to 1.8 external/bsd/unbound/dist/configure up to 1.1.1.10 external/bsd/unbound/dist/configure.ac up to 1.1.1.10 external/bsd/unbound/dist/install-sh up to 1.1.1.5 external/bsd/unbound/dist/ltmain.sh up to 1.1.1.3 external/bsd/unbound/dist/systemd.m4 up to 1.1.1.2 external/bsd/unbound/dist/cachedb/cachedb.c up to 1.1.1.9 external/bsd/unbound/dist/cachedb/cachedb.h up to 1.1.1.4 external/bsd/unbound/dist/cachedb/redis.c up to 1.1.1.5 external/bsd/unbound/dist/compat/fake-rfc2553.c up to 1.1.1.2 external/bsd/unbound/dist/compat/malloc.c up to 1.1.1.3 external/bsd/unbound/dist/contrib/aaaa-filter-iterator.patch up to 1.1.1.7 external/bsd/unbound/dist/contrib/rc_d_unbound up to 1.1.1.2 external/bsd/unbound/dist/contrib/unbound.init up to 1.1.1.4 external/bsd/unbound/dist/contrib/unbound.init_fedora up to 1.1.1.3 external/bsd/unbound/dist/contrib/unbound.init_yocto up to 1.1.1.2 external/bsd/unbound/dist/contrib/unbound.service.in up to 1.1.1.8 external/bsd/unbound/dist/contrib/unbound_portable.service.in up to 1.1.1.2 external/bsd/unbound/dist/contrib/android/install_expat.sh up to 1.1.1.2 external/bsd/unbound/dist/contrib/ios/install_expat.sh up to 1.1.1.2 external/bsd/unbound/dist/daemon/acl_list.c up to 1.1.1.7 external/bsd/unbound/dist/daemon/acl_list.h up to 1.1.1.6 external/bsd/unbound/dist/daemon/cachedump.c up to 1.1.1.8 external/bsd/unbound/dist/daemon/daemon.c up to 1.1.1.9 external/bsd/unbound/dist/daemon/daemon.h up to 1.1.1.6 external/bsd/unbound/dist/daemon/remote.c up to 1.1.1.10 external/bsd/unbound/dist/daemon/remote.h up to 1.1.1.5 external/bsd/unbound/dist/daemon/stats.c up to 1.1.1.10 external/bsd/unbound/dist/daemon/unbound.c up to 1.1.1.9 external/bsd/unbound/dist/daemon/worker.c up to 1.1.1.10 external/bsd/unbound/dist/daemon/worker.h up to 1.1.1.4 external/bsd/unbound/dist/dns64/dns64.c up to 1.1.1.9 external/bsd/unbound/dist/dnstap/dnstap.c up to 1.1.1.8 external/bsd/unbound/dist/dnstap/dnstap.h up to 1.1.1.5 external/bsd/unbound/dist/dnstap/dnstap.m4 up to 1.1.1.5 external/bsd/unbound/dist/dnstap/dnstap.proto up to 1.1.1.4 external/bsd/unbound/dist/dnstap/dtstream.c up to 1.1.1.5 external/bsd/unbound/dist/dnstap/unbound-dnstap-socket.c up to 1.1.1.4 external/bsd/unbound/dist/doc/Changelog up to 1.1.1.10 external/bsd/unbound/dist/doc/README up to 1.1.1.10 external/bsd/unbound/dist/doc/example.conf.in up to 1.1.1.10 external/bsd/unbound/dist/doc/libunbound.3.in up to 1.1.1.10 external/bsd/unbound/dist/doc/unbound-anchor.8.in up to 1.1.1.10 external/bsd/unbound/dist/doc/unbound-checkconf.8.in up to 1.1.1.10 external/bsd/unbound/dist/doc/unbound-control.8.in up to 1.1.1.10 external/bsd/unbound/dist/doc/unbound-host.1.in up to 1.1.1.10 external/bsd/unbound/dist/doc/unbound.8.in up to 1.1.1.10 external/bsd/unbound/dist/doc/unbound.conf.5.in up to 1.1.1.10 external/bsd/unbound/dist/doc/unbound.doxygen up to 1.1.1.7 external/bsd/unbound/dist/dynlibmod/dynlibmod.c up to 1.1.1.3 external/bsd/unbound/dist/edns-subnet/addrtree.h up to 1.1.1.4 external/bsd/unbound/dist/edns-subnet/subnetmod.c up to 1.1.1.9 external/bsd/unbound/dist/edns-subnet/subnetmod.h up to 1.1.1.7 external/bsd/unbound/dist/ipsecmod/ipsecmod.c up to 1.1.1.5 external/bsd/unbound/dist/ipset/ipset.c up to 1.1.1.4 external/bsd/unbound/dist/ipset/ipset.h up to 1.1.1.2 external/bsd/unbound/dist/iterator/iter_delegpt.c up to 1.1.1.7 external/bsd/unbound/dist/iterator/iter_delegpt.h up to 1.1.1.8 external/bsd/unbound/dist/iterator/iter_fwd.c up to 1.1.1.7 external/bsd/unbound/dist/iterator/iter_fwd.h up to 1.1.1.3 external/bsd/unbound/dist/iterator/iter_hints.c up to 1.1.1.7 external/bsd/unbound/dist/iterator/iter_hints.h up to 1.1.1.3 external/bsd/unbound/dist/iterator/iter_scrub.c up to 1.1.1.10 external/bsd/unbound/dist/iterator/iter_utils.c up to 1.1.1.9 external/bsd/unbound/dist/iterator/iter_utils.h up to 1.1.1.8 external/bsd/unbound/dist/iterator/iterator.c up to 1.1.1.10 external/bsd/unbound/dist/iterator/iterator.h up to 1.1.1.8 external/bsd/unbound/dist/libunbound/context.c up to 1.1.1.9 external/bsd/unbound/dist/libunbound/libunbound.c up to 1.1.1.9 external/bsd/unbound/dist/libunbound/libworker.c up to 1.1.1.10 external/bsd/unbound/dist/libunbound/unbound.h up to 1.7 external/bsd/unbound/dist/libunbound/python/examples/dnssec_test.py up to 1.1.1.3 external/bsd/unbound/dist/pythonmod/interface.i up to 1.1.1.9 external/bsd/unbound/dist/pythonmod/pythonmod.c up to 1.1.1.7 external/bsd/unbound/dist/pythonmod/pythonmod_utils.c up to 1.1.1.6 external/bsd/unbound/dist/pythonmod/doc/modules/config.rst up to 1.1.1.4 external/bsd/unbound/dist/pythonmod/examples/log.py up to 1.1.1.3 external/bsd/unbound/dist/respip/respip.c up to 1.1.1.7 external/bsd/unbound/dist/respip/respip.h up to 1.1.1.6 external/bsd/unbound/dist/services/authzone.c up to 1.5 external/bsd/unbound/dist/services/authzone.h up to 1.1.1.8 external/bsd/unbound/dist/services/listen_dnsport.c up to 1.1.1.10 external/bsd/unbound/dist/services/listen_dnsport.h up to 1.1.1.8 external/bsd/unbound/dist/services/localzone.c up to 1.1.1.9 external/bsd/unbound/dist/services/localzone.h up to 1.1.1.8 external/bsd/unbound/dist/services/mesh.c up to 1.1.1.10 external/bsd/unbound/dist/services/mesh.h up to 1.1.1.8 external/bsd/unbound/dist/services/modstack.c up to 1.1.1.9 external/bsd/unbound/dist/services/modstack.h up to 1.1.1.4 external/bsd/unbound/dist/services/outside_network.c up to 1.1.1.10 external/bsd/unbound/dist/services/outside_network.h up to 1.1.1.9 external/bsd/unbound/dist/services/rpz.c up to 1.1.1.5 external/bsd/unbound/dist/services/rpz.h up to 1.1.1.4 external/bsd/unbound/dist/services/view.c up to 1.1.1.4 external/bsd/unbound/dist/services/view.h up to 1.1.1.2 external/bsd/unbound/dist/services/cache/dns.c up to 1.1.1.9 external/bsd/unbound/dist/services/cache/dns.h up to 1.1.1.8 external/bsd/unbound/dist/services/cache/infra.c up to 1.1.1.8 external/bsd/unbound/dist/services/cache/infra.h up to 1.1.1.7 external/bsd/unbound/dist/services/cache/rrset.c up to 1.1.1.7 external/bsd/unbound/dist/services/cache/rrset.h up to 1.1.1.5 external/bsd/unbound/dist/sldns/keyraw.c up to 1.1.1.6 external/bsd/unbound/dist/sldns/parse.h up to 1.1.1.4 external/bsd/unbound/dist/sldns/parseutil.c up to 1.1.1.5 external/bsd/unbound/dist/sldns/rrdef.c up to 1.1.1.7 external/bsd/unbound/dist/sldns/rrdef.h up to 1.1.1.7 external/bsd/unbound/dist/sldns/str2wire.c up to 1.1.1.9 external/bsd/unbound/dist/sldns/str2wire.h up to 1.1.1.6 external/bsd/unbound/dist/sldns/wire2str.c up to 1.1.1.8 external/bsd/unbound/dist/sldns/wire2str.h up to 1.1.1.8 external/bsd/unbound/dist/smallapp/unbound-anchor.c up to 1.1.1.9 external/bsd/unbound/dist/smallapp/unbound-checkconf.c up to 1.1.1.10 external/bsd/unbound/dist/smallapp/unbound-control-setup.sh.in up to 1.1.1.4 external/bsd/unbound/dist/smallapp/unbound-control.c up to 1.1.1.10 external/bsd/unbound/dist/smallapp/unbound-host.c up to 1.1.1.8 external/bsd/unbound/dist/smallapp/worker_cb.c up to 1.1.1.7 external/bsd/unbound/dist/testcode/checklocks.c up to 1.1.1.4 external/bsd/unbound/dist/testcode/checklocks.h up to 1.1.1.3 external/bsd/unbound/dist/testcode/do-tests.sh up to 1.1.1.6 external/bsd/unbound/dist/testcode/dohclient.c up to 1.1.1.4 external/bsd/unbound/dist/testcode/fake_event.c up to 1.1.1.10 external/bsd/unbound/dist/testcode/mini_tdir.sh up to 1.1.1.5 external/bsd/unbound/dist/testcode/perf.c up to 1.1.1.8 external/bsd/unbound/dist/testcode/petal.c up to 1.1.1.8 external/bsd/unbound/dist/testcode/readzone.c up to 1.1.1.2 external/bsd/unbound/dist/testcode/replay.c up to 1.1.1.8 external/bsd/unbound/dist/testcode/replay.h up to 1.1.1.7 external/bsd/unbound/dist/testcode/streamtcp.c up to 1.1.1.9 external/bsd/unbound/dist/testcode/testbound.c up to 1.1.1.9 external/bsd/unbound/dist/testcode/testpkts.c up to 1.1.1.10 external/bsd/unbound/dist/testcode/unitauth.c up to 1.1.1.7 external/bsd/unbound/dist/testcode/unitdname.c up to 1.1.1.4 external/bsd/unbound/dist/testcode/unitldns.c up to 1.1.1.5 external/bsd/unbound/dist/testcode/unitmain.c up to 1.1.1.10 external/bsd/unbound/dist/testcode/unitmain.h up to 1.1.1.4 external/bsd/unbound/dist/testcode/unitneg.c up to 1.1.1.5 external/bsd/unbound/dist/testcode/unitverify.c up to 1.1.1.8 external/bsd/unbound/dist/testcode/unitzonemd.c up to 1.1.1.3 external/bsd/unbound/dist/testdata/autotrust_init.rpl up to 1.1.1.4 external/bsd/unbound/dist/testdata/autotrust_init_ds.rpl up to 1.1.1.4 external/bsd/unbound/dist/testdata/autotrust_init_sigs.rpl up to 1.1.1.4 external/bsd/unbound/dist/testdata/autotrust_init_zsk.rpl up to 1.1.1.4 external/bsd/unbound/dist/testdata/black_data.rpl up to 1.1.1.6 external/bsd/unbound/dist/testdata/black_prime.rpl up to 1.1.1.6 external/bsd/unbound/dist/testdata/cachedb_servfail_cname.crpl up to 1.1.1.2 external/bsd/unbound/dist/testdata/common.sh up to 1.1.1.5 external/bsd/unbound/dist/testdata/disable_edns_do.rpl up to 1.1.1.2 external/bsd/unbound/dist/testdata/dns64_lookup.rpl up to 1.1.1.5 external/bsd/unbound/dist/testdata/domain_insec_ds.rpl up to 1.1.1.3 external/bsd/unbound/dist/testdata/fetch_glue.rpl up to 1.1.1.5 external/bsd/unbound/dist/testdata/fetch_glue_cname.rpl up to 1.1.1.5 external/bsd/unbound/dist/testdata/fwd_0ttlservfail.rpl up to 1.1.1.3 external/bsd/unbound/dist/testdata/fwd_cached.rpl up to 1.1.1.3 external/bsd/unbound/dist/testdata/fwd_minimal.rpl up to 1.1.1.2 external/bsd/unbound/dist/testdata/ipsecmod_bogus_ipseckey.crpl up to 1.1.1.3 external/bsd/unbound/dist/testdata/ipsecmod_enabled.crpl up to 1.1.1.4 external/bsd/unbound/dist/testdata/ipsecmod_ignore_bogus_ipseckey.crpl up to 1.1.1.4 external/bsd/unbound/dist/testdata/ipsecmod_max_ttl.crpl up to 1.1.1.4 external/bsd/unbound/dist/testdata/ipsecmod_strict.crpl up to 1.1.1.4 external/bsd/unbound/dist/testdata/ipsecmod_whitelist.crpl up to 1.1.1.4 external/bsd/unbound/dist/testdata/iter_class_any.rpl up to 1.1.1.5 external/bsd/unbound/dist/testdata/iter_cname_minimise_nx.rpl up to 1.1.1.2 external/bsd/unbound/dist/testdata/iter_cycle_noh.rpl up to 1.1.1.4 external/bsd/unbound/dist/testdata/iter_dname_insec.rpl up to 1.1.1.4 external/bsd/unbound/dist/testdata/iter_dname_yx.rpl up to 1.1.1.2 external/bsd/unbound/dist/testdata/iter_domain_sale.rpl up to 1.1.1.3 external/bsd/unbound/dist/testdata/iter_domain_sale_nschange.rpl up to 1.1.1.3 external/bsd/unbound/dist/testdata/iter_emptydp.rpl up to 1.1.1.6 external/bsd/unbound/dist/testdata/iter_emptydp_for_glue.rpl up to 1.1.1.6 external/bsd/unbound/dist/testdata/iter_failreply.rpl up to 1.1.1.2 external/bsd/unbound/dist/testdata/iter_fwdfirst.rpl up to 1.1.1.3 external/bsd/unbound/dist/testdata/iter_fwdfirstequal.rpl up to 1.1.1.3 external/bsd/unbound/dist/testdata/iter_fwdstub.rpl up to 1.1.1.3 external/bsd/unbound/dist/testdata/iter_fwdstubroot.rpl up to 1.1.1.3 external/bsd/unbound/dist/testdata/iter_ghost_sub.rpl up to 1.1.1.3 external/bsd/unbound/dist/testdata/iter_ghost_timewindow.rpl up to 1.1.1.3 external/bsd/unbound/dist/testdata/iter_got6only.rpl up to 1.1.1.4 external/bsd/unbound/dist/testdata/iter_hint_lame.rpl up to 1.1.1.4 external/bsd/unbound/dist/testdata/iter_lame_noaa.rpl up to 1.1.1.5 external/bsd/unbound/dist/testdata/iter_lame_nosoa.rpl up to 1.1.1.4 external/bsd/unbound/dist/testdata/iter_mod.rpl up to 1.1.1.4 external/bsd/unbound/dist/testdata/iter_ns_badip.rpl up to 1.1.1.5 external/bsd/unbound/dist/testdata/iter_ns_spoof.rpl up to 1.1.1.4 external/bsd/unbound/dist/testdata/iter_nxns_fallback.rpl up to 1.1.1.3 external/bsd/unbound/dist/testdata/iter_nxns_parentside.rpl up to 1.1.1.2 external/bsd/unbound/dist/testdata/iter_pc_a.rpl up to 1.1.1.3 external/bsd/unbound/dist/testdata/iter_pc_aaaa.rpl up to 1.1.1.3 external/bsd/unbound/dist/testdata/iter_pcdiff.rpl up to 1.1.1.3 external/bsd/unbound/dist/testdata/iter_pcdirect.rpl up to 1.1.1.4 external/bsd/unbound/dist/testdata/iter_pcname.rpl up to 1.1.1.3 external/bsd/unbound/dist/testdata/iter_pcnamech.rpl up to 1.1.1.4 external/bsd/unbound/dist/testdata/iter_pcnamechrec.rpl up to 1.1.1.4 external/bsd/unbound/dist/testdata/iter_pcnamerec.rpl up to 1.1.1.3 external/bsd/unbound/dist/testdata/iter_pcttl.rpl up to 1.1.1.3 external/bsd/unbound/dist/testdata/iter_prefetch.rpl up to 1.1.1.4 external/bsd/unbound/dist/testdata/iter_prefetch_change.rpl up to 1.1.1.4 external/bsd/unbound/dist/testdata/iter_prefetch_change2.rpl up to 1.1.1.3 external/bsd/unbound/dist/testdata/iter_prefetch_childns.rpl up to 1.1.1.4 external/bsd/unbound/dist/testdata/iter_prefetch_fail.rpl up to 1.1.1.3 external/bsd/unbound/dist/testdata/iter_prefetch_ns.rpl up to 1.1.1.4 external/bsd/unbound/dist/testdata/iter_primenoglue.rpl up to 1.1.1.7 external/bsd/unbound/dist/testdata/iter_privaddr.rpl up to 1.1.1.5 external/bsd/unbound/dist/testdata/iter_ranoaa_lame.rpl up to 1.1.1.5 external/bsd/unbound/dist/testdata/iter_reclame_one.rpl up to 1.1.1.5 external/bsd/unbound/dist/testdata/iter_reclame_two.rpl up to 1.1.1.5 external/bsd/unbound/dist/testdata/iter_recurse.rpl up to 1.1.1.5 external/bsd/unbound/dist/testdata/iter_resolve.rpl up to 1.1.1.4 external/bsd/unbound/dist/testdata/iter_resolve_minimised.rpl up to 1.1.1.5 external/bsd/unbound/dist/testdata/iter_resolve_minimised_nx.rpl up to 1.1.1.4 external/bsd/unbound/dist/testdata/iter_resolve_minimised_refused.rpl up to 1.1.1.4 external/bsd/unbound/dist/testdata/iter_resolve_minimised_timeout.rpl up to 1.1.1.3 external/bsd/unbound/dist/testdata/iter_scrub_cname_an.rpl up to 1.1.1.4 external/bsd/unbound/dist/testdata/iter_scrub_dname_insec.rpl up to 1.1.1.5 external/bsd/unbound/dist/testdata/iter_scrub_dname_rev.rpl up to 1.1.1.6 external/bsd/unbound/dist/testdata/iter_scrub_dname_sec.rpl up to 1.1.1.6 external/bsd/unbound/dist/testdata/iter_scrub_rr_length.rpl up to 1.1.1.3 external/bsd/unbound/dist/testdata/iter_soamin.rpl up to 1.1.1.3 external/bsd/unbound/dist/testdata/iter_stub_noroot.rpl up to 1.1.1.3 external/bsd/unbound/dist/testdata/iter_stubfirst.rpl up to 1.1.1.3 external/bsd/unbound/dist/testdata/iter_timeout_ra_aaaa.rpl up to 1.1.1.4 external/bsd/unbound/dist/testdata/local_cname.rpl up to 1.1.1.3 external/bsd/unbound/dist/testdata/rpz_nsdname.rpl up to 1.1.1.3 external/bsd/unbound/dist/testdata/rrset_rettl.rpl up to 1.1.1.3 external/bsd/unbound/dist/testdata/rrset_untrusted.rpl up to 1.1.1.3 external/bsd/unbound/dist/testdata/rrset_updated.rpl up to 1.1.1.4 external/bsd/unbound/dist/testdata/serve_expired.rpl up to 1.1.1.4 external/bsd/unbound/dist/testdata/serve_expired_0ttl_nodata.rpl up to 1.1.1.3 external/bsd/unbound/dist/testdata/serve_expired_0ttl_nxdomain.rpl up to 1.1.1.3 external/bsd/unbound/dist/testdata/serve_expired_0ttl_servfail.rpl up to 1.1.1.3 external/bsd/unbound/dist/testdata/serve_expired_cached_servfail.rpl up to 1.1.1.3 external/bsd/unbound/dist/testdata/serve_expired_cached_servfail_refresh.rpl up to 1.1.1.2 external/bsd/unbound/dist/testdata/serve_expired_client_timeout.rpl up to 1.1.1.3 external/bsd/unbound/dist/testdata/serve_expired_client_timeout_no_prefetch.rpl up to 1.1.1.2 external/bsd/unbound/dist/testdata/serve_expired_client_timeout_servfail.rpl up to 1.1.1.3 external/bsd/unbound/dist/testdata/serve_expired_reply_ttl.rpl up to 1.1.1.4 external/bsd/unbound/dist/testdata/serve_expired_ttl.rpl up to 1.1.1.3 external/bsd/unbound/dist/testdata/serve_expired_ttl_client_timeout.rpl up to 1.1.1.2 external/bsd/unbound/dist/testdata/serve_expired_zerottl.rpl up to 1.1.1.4 external/bsd/unbound/dist/testdata/serve_original_ttl.rpl up to 1.1.1.4 external/bsd/unbound/dist/testdata/subnet_cached.crpl up to 1.1.1.6 external/bsd/unbound/dist/testdata/subnet_cached_servfail.crpl up to 1.1.1.3 external/bsd/unbound/dist/testdata/subnet_global_prefetch.crpl up to 1.1.1.2 external/bsd/unbound/dist/testdata/subnet_global_prefetch_always_forward.crpl up to 1.1.1.3 external/bsd/unbound/dist/testdata/subnet_global_prefetch_expired.crpl up to 1.1.1.3 external/bsd/unbound/dist/testdata/subnet_global_prefetch_with_client_ecs.crpl up to 1.1.1.2 external/bsd/unbound/dist/testdata/subnet_max_source.crpl up to 1.1.1.4 external/bsd/unbound/dist/testdata/subnet_prefetch.crpl up to 1.1.1.3 external/bsd/unbound/dist/testdata/subnet_val_positive.crpl up to 1.1.1.5 external/bsd/unbound/dist/testdata/subnet_val_positive_client.crpl up to 1.1.1.5 external/bsd/unbound/dist/testdata/test_ldnsrr.4 up to 1.1.1.2 external/bsd/unbound/dist/testdata/test_ldnsrr.5 up to 1.1.1.4 external/bsd/unbound/dist/testdata/test_ldnsrr.c3 up to 1.1.1.2 external/bsd/unbound/dist/testdata/test_ldnsrr.c4 up to 1.1.1.2 external/bsd/unbound/dist/testdata/test_ldnsrr.c5 up to 1.1.1.4 external/bsd/unbound/dist/testdata/trust_cname_chain.rpl up to 1.1.1.3 external/bsd/unbound/dist/testdata/ttl_max.rpl up to 1.1.1.4 external/bsd/unbound/dist/testdata/ttl_min.rpl up to 1.1.1.4 external/bsd/unbound/dist/testdata/val_adbit.rpl up to 1.1.1.5 external/bsd/unbound/dist/testdata/val_adcopy.rpl up to 1.1.1.5 external/bsd/unbound/dist/testdata/val_cnameqtype.rpl up to 1.1.1.4 external/bsd/unbound/dist/testdata/val_cnametocnamewctoposwc.rpl up to 1.1.1.6 external/bsd/unbound/dist/testdata/val_cnametodnametocnametopos.rpl up to 1.1.1.4 external/bsd/unbound/dist/testdata/val_dnametopos.rpl up to 1.1.1.4 external/bsd/unbound/dist/testdata/val_dnametoposwc.rpl up to 1.1.1.4 external/bsd/unbound/dist/testdata/val_ds_afterprime.rpl up to 1.1.1.5 external/bsd/unbound/dist/testdata/val_faildnskey_ok.rpl up to 1.1.1.5 external/bsd/unbound/dist/testdata/val_keyprefetch_verify.rpl up to 1.1.1.6 external/bsd/unbound/dist/testdata/val_noadwhennodo.rpl up to 1.1.1.5 external/bsd/unbound/dist/testdata/val_nsec3_b3_optout.rpl up to 1.1.1.6 external/bsd/unbound/dist/testdata/val_nsec3_b3_optout_negcache.rpl up to 1.1.1.6 external/bsd/unbound/dist/testdata/val_nsec3_b4_wild.rpl up to 1.1.1.5 external/bsd/unbound/dist/testdata/val_nsec3_cnametocnamewctoposwc.rpl up to 1.1.1.6 external/bsd/unbound/dist/testdata/val_positive.rpl up to 1.1.1.5 external/bsd/unbound/dist/testdata/val_positive_wc.rpl up to 1.1.1.4 external/bsd/unbound/dist/testdata/val_qds_badanc.rpl up to 1.1.1.5 external/bsd/unbound/dist/testdata/val_qds_oneanc.rpl up to 1.1.1.5 external/bsd/unbound/dist/testdata/val_qds_twoanc.rpl up to 1.1.1.5 external/bsd/unbound/dist/testdata/val_refer_unsignadd.rpl up to 1.1.1.5 external/bsd/unbound/dist/testdata/val_referd.rpl up to 1.1.1.5 external/bsd/unbound/dist/testdata/val_referglue.rpl up to 1.1.1.6 external/bsd/unbound/dist/testdata/val_rrsig.rpl up to 1.1.1.5 external/bsd/unbound/dist/testdata/val_scrub_rr_length.rpl up to 1.1.1.2 external/bsd/unbound/dist/testdata/val_spurious_ns.rpl up to 1.1.1.5 external/bsd/unbound/dist/testdata/val_stub_noroot.rpl up to 1.1.1.5 external/bsd/unbound/dist/testdata/val_ta_algo_dnskey.rpl up to 1.1.1.5 external/bsd/unbound/dist/testdata/val_ta_algo_dnskey_dp.rpl up to 1.1.1.5 external/bsd/unbound/dist/testdata/val_ta_algo_missing_dp.rpl up to 1.1.1.5 external/bsd/unbound/dist/testdata/val_twocname.rpl up to 1.1.1.5 external/bsd/unbound/dist/testdata/val_unalgo_anchor.rpl up to 1.1.1.5 external/bsd/unbound/dist/testdata/val_wild_pos.rpl up to 1.1.1.5 external/bsd/unbound/dist/testdata/views.rpl up to 1.1.1.4 external/bsd/unbound/dist/testdata/zonemd.example_a5.zone up to 1.1.1.2 external/bsd/unbound/dist/testdata/01-doc.tdir/01-doc.test up to 1.1.1.3 external/bsd/unbound/dist/testdata/02-unittest.tdir/02-unittest.test up to 1.1.1.3 external/bsd/unbound/dist/testdata/07-confroot.tdir/07-confroot.pre up to 1.1.1.2 external/bsd/unbound/dist/testdata/09-unbound-control.tdir/09-unbound-control.conf up to 1.1.1.3 external/bsd/unbound/dist/testdata/09-unbound-control.tdir/09-unbound-control.pre up to 1.1.1.2 external/bsd/unbound/dist/testdata/09-unbound-control.tdir/09-unbound-control.test up to 1.1.1.3 external/bsd/unbound/dist/testdata/09-unbound-control.tdir/09-unbound-control.testns up to 1.1.1.2 external/bsd/unbound/dist/testdata/09-unbound-control.tdir/local_data up to 1.1.1.2 external/bsd/unbound/dist/testdata/09-unbound-control.tdir/local_data_remove up to 1.1.1.2 external/bsd/unbound/dist/testdata/09-unbound-control.tdir/local_zones up to 1.1.1.2 external/bsd/unbound/dist/testdata/09-unbound-control.tdir/local_zones_remove up to 1.1.1.2 external/bsd/unbound/dist/testdata/acl_interface.tdir/acl_interface.conf up to 1.1.1.2 external/bsd/unbound/dist/testdata/acl_interface.tdir/acl_interface.pre up to 1.1.1.2 external/bsd/unbound/dist/testdata/acl_interface.tdir/acl_interface.test.scenario up to 1.1.1.2 external/bsd/unbound/dist/testdata/auth_axfr.tdir/auth_axfr.test up to 1.1.1.2 external/bsd/unbound/dist/testdata/auth_https.tdir/auth_https.test up to 1.1.1.3 external/bsd/unbound/dist/testdata/blanks_cached_zone.tdir/blanks_cached_zone.test up to 1.1.1.2 external/bsd/unbound/dist/testdata/blanks_https.tdir/blanks_https.test up to 1.1.1.2 external/bsd/unbound/dist/testdata/cachedb_no_store.tdir/cachedb_no_store.post up to 1.1.1.2 external/bsd/unbound/dist/testdata/cachedb_no_store.tdir/cachedb_no_store.test up to 1.1.1.2 external/bsd/unbound/dist/testdata/dnstap.tdir/dnstap.conf up to 1.1.1.2 external/bsd/unbound/dist/testdata/dnstap.tdir/dnstap.post up to 1.1.1.3 external/bsd/unbound/dist/testdata/dnstap.tdir/dnstap.test up to 1.1.1.3 external/bsd/unbound/dist/testdata/dnstap.tdir/dnstap.testns up to 1.1.1.2 external/bsd/unbound/dist/testdata/doh_downstream.tdir/doh_downstream.conf up to 1.1.1.2 external/bsd/unbound/dist/testdata/doh_downstream_buffer_size.tdir/doh_downstream_buffer_size.test up to 1.1.1.3 external/bsd/unbound/dist/testdata/doh_downstream_notls.tdir/doh_downstream_notls.conf up to 1.1.1.2 external/bsd/unbound/dist/testdata/doh_downstream_post.tdir/doh_downstream_post.conf up to 1.1.1.2 external/bsd/unbound/dist/testdata/ede.tdir/ede-auth.conf up to 1.1.1.2 external/bsd/unbound/dist/testdata/ede.tdir/ede.conf up to 1.1.1.3 external/bsd/unbound/dist/testdata/ede.tdir/ede.test up to 1.1.1.3 external/bsd/unbound/dist/testdata/fwd_ancil.tdir/fwd_ancil.post up to 1.1.1.4 external/bsd/unbound/dist/testdata/fwd_ancil.tdir/fwd_ancil.pre up to 1.1.1.3 external/bsd/unbound/dist/testdata/fwd_ancil.tdir/fwd_ancil.test up to 1.1.1.3 external/bsd/unbound/dist/testdata/fwd_bogus.tdir/fwd_bogus.test up to 1.1.1.2 external/bsd/unbound/dist/testdata/fwd_capsid.tdir/fwd_capsid.test up to 1.1.1.2 external/bsd/unbound/dist/testdata/fwd_capsid_fallback.tdir/fwd_capsid_fallback.test up to 1.1.1.2 external/bsd/unbound/dist/testdata/fwd_capsid_strip.tdir/fwd_capsid_strip.test up to 1.1.1.2 external/bsd/unbound/dist/testdata/fwd_capsid_white.tdir/fwd_capsid_white.test up to 1.1.1.2 external/bsd/unbound/dist/testdata/fwd_compress_c00c.tdir/fwd_compress_c00c.conf up to 1.1.1.4 external/bsd/unbound/dist/testdata/fwd_edns_bksec.tdir/fwd_edns_bksec.test up to 1.1.1.2 external/bsd/unbound/dist/testdata/fwd_edns_probe.tdir/fwd_edns_probe.test up to 1.1.1.2 external/bsd/unbound/dist/testdata/fwd_malformed.tdir/fwd_malformed.test up to 1.1.1.2 external/bsd/unbound/dist/testdata/fwd_no_edns.tdir/fwd_no_edns.test up to 1.1.1.2 external/bsd/unbound/dist/testdata/fwd_oneport.tdir/fwd_oneport.post up to 1.1.1.2 external/bsd/unbound/dist/testdata/fwd_oneport.tdir/fwd_oneport.test up to 1.1.1.3 external/bsd/unbound/dist/testdata/fwd_tcp.tdir/fwd_tcp.test up to 1.1.1.2 external/bsd/unbound/dist/testdata/fwd_tcp_tc.tdir/fwd_tcp_tc.test up to 1.1.1.2 external/bsd/unbound/dist/testdata/fwd_three.tdir/fwd_three.post up to 1.1.1.2 external/bsd/unbound/dist/testdata/fwd_three.tdir/fwd_three.test up to 1.1.1.2 external/bsd/unbound/dist/testdata/fwd_three_service.tdir/fwd_three_service.conf up to 1.1.1.2 external/bsd/unbound/dist/testdata/fwd_three_service.tdir/fwd_three_service.post up to 1.1.1.2 external/bsd/unbound/dist/testdata/fwd_three_service.tdir/fwd_three_service.test up to 1.1.1.2 external/bsd/unbound/dist/testdata/fwd_ttlexpire.tdir/fwd_ttlexpire.test up to 1.1.1.2 external/bsd/unbound/dist/testdata/fwd_udp.tdir/fwd_udp.test up to 1.1.1.2 external/bsd/unbound/dist/testdata/fwd_udp_with_tcp_upstream.tdir/fwd_udp_with_tcp_upstream.test up to 1.1.1.2 external/bsd/unbound/dist/testdata/fwd_udptmout.tdir/fwd_udptmout.post up to 1.1.1.2 external/bsd/unbound/dist/testdata/fwd_udptmout.tdir/fwd_udptmout.test up to 1.1.1.2 external/bsd/unbound/dist/testdata/fwd_waitudp.tdir/fwd_waitudp.post up to 1.1.1.2 external/bsd/unbound/dist/testdata/fwd_waitudp.tdir/fwd_waitudp.test up to 1.1.1.2 external/bsd/unbound/dist/testdata/fwd_zero.tdir/fwd_zero.test up to 1.1.1.3 external/bsd/unbound/dist/testdata/http_user_agent.tdir/http_user_agent.test up to 1.1.1.2 external/bsd/unbound/dist/testdata/ipset.tdir/ipset.pre up to 1.1.1.3 external/bsd/unbound/dist/testdata/local_nodefault.tdir/local_nodefault.test up to 1.1.1.2 external/bsd/unbound/dist/testdata/local_norec.tdir/local_norec.test up to 1.1.1.2 external/bsd/unbound/dist/testdata/local_nosnoop.tdir/local_nosnoop.test up to 1.1.1.2 external/bsd/unbound/dist/testdata/padding.tdir/padding.post up to 1.1.1.3 external/bsd/unbound/dist/testdata/padding.tdir/padding.test up to 1.1.1.3 external/bsd/unbound/dist/testdata/pymod.tdir/pymod.test up to 1.1.1.3 external/bsd/unbound/dist/testdata/pymod_thread.tdir/pymod_thread.test up to 1.1.1.3 external/bsd/unbound/dist/testdata/ratelimit.tdir/ratelimit.testns up to 1.1.1.3 external/bsd/unbound/dist/testdata/root_anchor.tdir/root_anchor.pre up to 1.1.1.2 external/bsd/unbound/dist/testdata/root_hints.tdir/root_hints.pre up to 1.1.1.2 external/bsd/unbound/dist/testdata/root_zonemd.tdir/root_zonemd.test up to 1.1.1.2 external/bsd/unbound/dist/testdata/ssl_req_order.tdir/ssl_req_order.conf up to 1.1.1.2 external/bsd/unbound/dist/testdata/stat_timer.tdir/stat_timer.test up to 1.1.1.2 external/bsd/unbound/dist/testdata/stat_values.tdir/stat_values.conf up to 1.1.1.4 external/bsd/unbound/dist/testdata/stat_values.tdir/stat_values.pre up to 1.1.1.3 external/bsd/unbound/dist/testdata/stat_values.tdir/stat_values.test up to 1.1.1.5 external/bsd/unbound/dist/testdata/stat_values.tdir/stat_values.testns up to 1.1.1.4 external/bsd/unbound/dist/testdata/stat_values.tdir/stat_values_cachedb.conf up to 1.1.1.2 external/bsd/unbound/dist/testdata/stub_auth_tc.tdir/stub_auth_tc.test up to 1.1.1.2 external/bsd/unbound/dist/testdata/tcp_req_order.tdir/tcp_req_order.conf up to 1.1.1.2 external/bsd/unbound/dist/testdata/tcp_reuse.tdir/tcp_reuse.post up to 1.1.1.2 external/bsd/unbound/dist/testdata/tcp_sigpipe.tdir/tcp_sigpipe.conf up to 1.1.1.2 external/bsd/unbound/dist/testdata/tls_reuse.tdir/tls_reuse.post up to 1.1.1.2 external/bsd/unbound/dist/testdata/zonemd_reload.tdir/zonemd_reload.test up to 1.1.1.2 external/bsd/unbound/dist/util/alloc.c up to 1.1.1.5 external/bsd/unbound/dist/util/config_file.c up to 1.1.1.10 external/bsd/unbound/dist/util/config_file.h up to 1.1.1.10 external/bsd/unbound/dist/util/configlexer.c up to 1.1.1.10 external/bsd/unbound/dist/util/configlexer.lex up to 1.1.1.10 external/bsd/unbound/dist/util/configparser.c up to 1.1.1.10 external/bsd/unbound/dist/util/configparser.h up to 1.1.1.10 external/bsd/unbound/dist/util/configparser.y up to 1.1.1.10 external/bsd/unbound/dist/util/edns.c up to 1.1.1.5 external/bsd/unbound/dist/util/edns.h up to 1.1.1.5 external/bsd/unbound/dist/util/fptr_wlist.c up to 1.1.1.9 external/bsd/unbound/dist/util/fptr_wlist.h up to 1.1.1.6 external/bsd/unbound/dist/util/iana_ports.inc up to 1.1.1.10 external/bsd/unbound/dist/util/locks.h up to 1.1.1.3 external/bsd/unbound/dist/util/log.c up to 1.1.1.8 external/bsd/unbound/dist/util/log.h up to 1.1.1.5 external/bsd/unbound/dist/util/mini_event.c up to 1.6 external/bsd/unbound/dist/util/module.c up to 1.1.1.6 external/bsd/unbound/dist/util/module.h up to 1.1.1.8 external/bsd/unbound/dist/util/net_help.c up to 1.1.1.10 external/bsd/unbound/dist/util/net_help.h up to 1.1.1.9 external/bsd/unbound/dist/util/netevent.c up to 1.8 external/bsd/unbound/dist/util/netevent.h up to 1.1.1.9 external/bsd/unbound/dist/util/proxy_protocol.c up to 1.1.1.2 external/bsd/unbound/dist/util/random.c up to 1.1.1.4 external/bsd/unbound/dist/util/siphash.c up to 1.1.1.2 external/bsd/unbound/dist/util/tcp_conn_limit.c up to 1.1.1.2 external/bsd/unbound/dist/util/tcp_conn_limit.h up to 1.1.1.2 external/bsd/unbound/dist/util/tube.c up to 1.1.1.6 external/bsd/unbound/dist/util/ub_event.c up to 1.1.1.7 external/bsd/unbound/dist/util/data/dname.c up to 1.1.1.7 external/bsd/unbound/dist/util/data/dname.h up to 1.1.1.7 external/bsd/unbound/dist/util/data/msgencode.c up to 1.1.1.9 external/bsd/unbound/dist/util/data/msgencode.h up to 1.1.1.4 external/bsd/unbound/dist/util/data/msgparse.c up to 1.1.1.8 external/bsd/unbound/dist/util/data/msgparse.h up to 1.1.1.8 external/bsd/unbound/dist/util/data/msgreply.c up to 1.1.1.10 external/bsd/unbound/dist/util/data/msgreply.h up to 1.1.1.10 external/bsd/unbound/dist/util/data/packed_rrset.c up to 1.1.1.5 external/bsd/unbound/dist/util/data/packed_rrset.h up to 1.1.1.6 external/bsd/unbound/dist/util/shm_side/shm_main.c up to 1.1.1.5 external/bsd/unbound/dist/util/storage/dnstree.c up to 1.1.1.5 external/bsd/unbound/dist/util/storage/lookup3.c up to 1.1.1.5 external/bsd/unbound/dist/util/storage/lruhash.c up to 1.1.1.5 external/bsd/unbound/dist/util/storage/lruhash.h up to 1.1.1.4 external/bsd/unbound/dist/util/storage/slabhash.c up to 1.1.1.5 external/bsd/unbound/dist/util/storage/slabhash.h up to 1.1.1.5 external/bsd/unbound/dist/validator/autotrust.c up to 1.1.1.8 external/bsd/unbound/dist/validator/val_anchor.c up to 1.1.1.8 external/bsd/unbound/dist/validator/val_anchor.h up to 1.1.1.6 external/bsd/unbound/dist/validator/val_neg.c up to 1.1.1.7 external/bsd/unbound/dist/validator/val_neg.h up to 1.1.1.5 external/bsd/unbound/dist/validator/val_nsec.c up to 1.1.1.7 external/bsd/unbound/dist/validator/val_nsec.h up to 1.1.1.5 external/bsd/unbound/dist/validator/val_nsec3.c up to 1.1.1.6 external/bsd/unbound/dist/validator/val_nsec3.h up to 1.1.1.5 external/bsd/unbound/dist/validator/val_secalgo.c up to 1.1.1.8 external/bsd/unbound/dist/validator/val_sigcrypt.c up to 1.1.1.9 external/bsd/unbound/dist/validator/val_sigcrypt.h up to 1.1.1.5 external/bsd/unbound/dist/validator/val_utils.c up to 1.1.1.6 external/bsd/unbound/dist/validator/val_utils.h up to 1.1.1.6 external/bsd/unbound/dist/validator/validator.c up to 1.1.1.10 external/bsd/unbound/dist/validator/validator.h up to 1.1.1.7 external/bsd/unbound/dist/winrc/rsrc_anchorupd.rc up to 1.1.1.2 external/bsd/unbound/dist/winrc/rsrc_svcinst.rc up to 1.1.1.2 external/bsd/unbound/dist/winrc/rsrc_svcuninst.rc up to 1.1.1.2 external/bsd/unbound/dist/winrc/rsrc_unbound.rc up to 1.1.1.2 external/bsd/unbound/dist/winrc/rsrc_unbound_anchor.rc up to 1.1.1.2 external/bsd/unbound/dist/winrc/rsrc_unbound_checkconf.rc up to 1.1.1.2 external/bsd/unbound/dist/winrc/rsrc_unbound_control.rc up to 1.1.1.2 external/bsd/unbound/dist/winrc/rsrc_unbound_host.rc up to 1.1.1.2 external/bsd/unbound/dist/winrc/setup.nsi up to 1.1.1.4 external/bsd/unbound/dist/winrc/unbound-control-setup.cmd up to 1.1.1.3 external/bsd/unbound/dist/winrc/win_svc.c up to 1.1.1.5 external/bsd/unbound/include/config.h up to 1.14 external/bsd/unbound/lib/libunbound/shlib_version up to 1.8 external/bsd/unbound/lib/libunbound/unbound.expsym up to 1.3 Import Unbound 1.24.2 (fixes CVE-2025-11411). @ text @a77 1 [ $retval -eq 0 ] && rm -f $pidfile @ 1.1.1.4 log @Import unbound-1.23.1 (previous was 1.19.1) Unbound 1.23.1 July 16, 2025 This security release fixes the Rebirthday Attack CVE-2025-5994. This re-opens up resolvers to a birthday paradox, for EDNS client subnet servers that respond with non-ECS answers. It only affects Unbound when compiled with --enable-subnet, and subnetmod is enabled with config options that send ECS information to upstream servers. The CVE is described here https://nlnetlabs.nl/downloads/unbound/CVE-2025-5994.txt We would like to thank Xiang Li (AOSP Lab, Nankai University) for discovering and responsibly disclosing the vulnerability. Bug Fixes: Fix RebirthDay Attack CVE-2025-5994, reported by Xiang Li from AOSP Lab Nankai University. Unbound 1.23.0 Apr 24, 2025 This release features changed defaults, fast reload, redis replica, DNS Error Reporting, and bug fixes. The fast reload is a feature that is listed as experimental. With unbound-control fast_reload the server can read the new config in a thread, and when done only briefly pauses the server to update the settings. This uses double memory, for like zones from disk or config that is loaded. It only pauses the server, for like less than a second, so DNS service is not interrupted by the reload of config. A lot of config items can be changed, but not all. It has options to print more information, or memory usage, and there is a list of config options in the man page. The redis replica support allows for a redis backend to use a redis replica. The read commands are sent to the redis replica host, while the write commands are sent to the redis server. So with several replicas there can be more readers that all write to the redis server. With DNS error reporting, RFC9567, enabled with dns-error-reporting: yes, this uses the error reporting agent to send failure reports to. The number of error reporting queries is output in the statistics as num.dns_error_reports. Some defaults are changed in this release. The resolver.arpa. and service.arpa. zones are added to the default locally served zones, this can be disabled with a nodefault local zone. The default for max-global-quota has changed to 200, after operational feedback. The defaults from RFC8767 are used by serve-expired-client-timeout on 1800 milliseconds and serve-expired-ttl on 86400 seconds. If Unbound is compiled with edns subnet, the default for module-config is no longer altered, so that compilation with subnet does not interfere when the server does not use subnet. When edns subnet needs to be enabled, module-config: "subnetcache validator iterator" should be explicitly set as configuration in the server: section. If edns subnet is enabled, the default for module-config is no longer altered, so that compilation with subnet does not interfere when the server does not use subnet. When edns subnet is in use, also module-config: "subnetcache validator iterator" should be set as configuration in the server: section. The RC2 has fixes for building on Solaris and portability to Windows, and fixes a memory leak for DoH. Features Increase the default of max-global-quota to 200 from 128 after operational feedback. Still keeping the possible amplification factor (CAMP related issues) in the hundreds. Fix #1175: serve-expired does not adhere to secure-by-default principle. The default value of serve-expired-client-timeout is set to 1800 as suggested by RFC8767. For #1175, the default value of serve-expired-ttl is set to 86400 (1 day) as suggested by RFC8767. For #1207: [FR] Support for RESINFO RRType 261 (RFC9606), add LDNS_RR_TYPE_RESINFO similar to LDNS_RR_TYPE_TXT. Add resolver.arpa and service.arpa to the default locally served zones. Merge #1042: Fast Reload. The unbound-control fast_reload is added. It reads changed config in a thread, then only briefly pauses the service threads, that keep running. DNS service is only interrupted briefly, less than a second. Merge #1019: Redis read-only replica support. Introduces new 'redis-replica-*' options for the Redis cache backend. Merge #902: DNS Error Reporting (RFC 9567). Introduces new configuration option 'dns-error-reporting' and new statistics for 'num.dns_error_reports'. Bug Fixes Fix #1154: Tag Incorrectly Applying for Other Interfaces Using the Same IP. This fix is not for 1.22.0. Fix #1163: Typos in unbound.conf documentation. Merge #1159: Stats for discard-timeout and wait-limit. Add test case for #1159. Some clean up for stat_values.test. Merge #1170 from Melroy van den Berg, Fix chroot manpage description. Merge #1157 from Liang Zhu, Fix heap corruption when calling ub_ctx_delete in Windows. Fix redis that during a reload it does not fail if the redis server does not connect or does not respond. It still logs the errors and if the server is up checks expiration features. Merge #1167: Makefile.in: fix occasional parallel build failures around bison rule. Fix SETEX check during Redis (re)initialization. Fix for the serve expired DNSSEC information fix, it would not allow current delegation information be updated in cache. The fix allows current delegation and validation recursion information to be updated, but as a consequence no longer has certain expired information around for later dnssec valid expired responses. Fix to log redis timeout error string on failure. More descriptive text for 'harden-algo-downgrade'. Complete fix for max-global-quota to 200. Fix #1183: the data being used is released in method nsec3_hash_test_entry. Fix for #1183: release nsec3 hashes per test file. Merge #1169 from Sergey Kacheev, fix: lock-free counters for auth_zone up/down queries. Fix comparison to help static analyzer. For #1175, update serve-expired tests. Merge #1189: Fix the dname_str method to cause conversion errors when the domain name length is 255. Merge #1197: dname_str() fixes. Merge #1198: Fix log-servfail with serve expired and no useful cache contents. Safeguard alias loop while looking in the cache for expired answers. Merge #1187: Create the SSL_CTX for QUIC before chroot and privilege drop. Fix typo in log_servfail.tdir test. Merge #1204: ci: set persist-credentials: false for actions/checkout per zizmor suggestion. Merge #1174: Serve expired cache update fixes. Fixes a regression bug with serve-expired that appeared in 1.22.0 and would not allow the iterator to update the cache with not-yet-validated entries resulting in increased outgoing traffic. Merge #1214: Use TCP_NODELAY on TLS sockets to speed up the TLS handshake. Fix #1213: Misleading error message on default access control causing refuse. Merge #1221: Consider auth zones when checking for forwarders. Merge #1222: Unique DoT and DoH SSL contexts to allow for different ALPN. Create the quic SSL listening context only when needed. Fix compile of interface check code when dnscrypt or quic is disabled. Fix encoding of RR type ATMA. Fix to check length in ATMA string to wire. Merge #1229: check before use daemon->shm_info. Use the same interface listening port discovery code for all needed protocols. Port to string only when needed before getaddrinfo(). Do not open unencrypted channels next to encrypted ones on the same port. Merge #1224 from Theo Buehler: Do not use DSA API unless USE_DSA is set. Merge #1220 from Petr Men#ík, Add unbound members group access to control key. Make the default value of module-config "validator iterator" regardless of compilation options. --enable-subnet would implicitly change the value to enable the subnetcache module by default in the past. Fix #986: Resolving sas.com with dnssec-validation fails though signed delegations seem to be (mostly) correct. Consider reconfigurations when calculating the still_useful_timeout for servers in the infrastructure cache. Fix static analysis report about unhandled EOF on error conditions when reading anchor key files. Merge #1241: Fix infra-keep-probing for low infra-cache-max-rtt values. Fix hash calculation for cachedb to ignore case. Previously, cached records there were only relevant for same case queries (if not already in Unbound's internal cache). Merge #1243: Do not shadow tm on line 236. Merge #1238: Prefer SOURCE_DATE_EPOCH over actual time. Add --help output description for the SOURCE_DATE_EPOCH variable. Fix 'unbound-control flush_negative' when reporting removed data; reported by David 'eqvinox' Lamparter. Fix representation of types GPOS and RESINFO, add rdf type for unquoted str. Fix #1251: WSAPoll first argument cannot be NULL. Fix for windows compile create ssl contexts. Fix print of RR type NSAP-PTR, it is an unquoted string. Fix #1253: Cache entries fail to be removed from Redis cachedb backend with unbound-control flush* +c. Fix for #1253: Fix for redis cachedb backend to expect an integer reply for the EXPIRE command. Fix #1254: send failed: Socket is not connected and remote address is 0.0.0.0 port 53. Fix #1255: Multiple pinnings to vulnerable copies of libexpat. For #1255, for ios use an older expat version that does not require C++11 language features. For #1255, for ios disable building tests that require C++11. For #1255, for ios try the latest expat version again. Fix unit test dname log printout typecast. Fix for ci test, expat is installed on the osx image. iana portlist update. Skip the unit tests for auth_tls.tdir and auth_tls_failcert.tdir. Fix escape more characters when printing an RR type with an unquoted string. Enable the auth_tls.tdir and auth_tls_failcert.tdir tests. Fix unbound-control test so it counts the new flush_negative output, also answers the _ta probe from testns and prints command output and skip a thread specific test when no threads are available. Fix that ub_event has the facility to deal with callbacks for fast reload, doq, windows-stop and dnstap. Fix fast reload test to check if pid exists before acting on it. Merge #1262 from markyang92, fix build with 'gcc-15 -Wbuiltin-declaration-mismatch' error in compat/malloc.c. For #1262, ifdef is no longer needed. Fix #1263: Exempt loopback addresses from wait-limit. Fix wait-limit-netblock and wait-limit-cookie-netblock config parse to allow two arguments. Fix ub_event and include dnstap and win_svc headers. Fix test for stat_values for wait limit default... Unbound 1.22.0 Oct 17, 2024 This release has an option to harden against unverified glue, it is enabled with harden-unverified-glue: yes. It was contributed by Karthik Umashankar from Microsoft. This protects Unbound against bad glue, that is out of zone, by performing a lookup for it. Because it uses the original information as a last resort if nothing works, it should not give lookup failures, and add protection. There are options to configure the scrubbing for NS records and the CNAME scrubbing and the max global quota lookup limit from previous security fix releases. They can be configured with the options iter-scrub-ns, iter-scrub-cname and max-global-quota. For redis use, with cachedb, it is possible to specify the timeout for the initial connection separately from the timeout for commands. With the options redis-command-timeout: 20 and redis-connect-timeout: 200 they can be set separately, for a longer connect attempt, but a short command timeout to keep resolution faster. It is possible to log with ISO8601 format with log-time-iso: yes this also logs time in milliseconds. Useful if the server writes to file, syslog may have its own format. DNS over QUIC is support is added, if compiled with libngtcp2 and with the openssl+quic that it uses. Use --with-libngtcp2 for that, and enable it with quic-port: 853. There is a post about it on https://blog.nlnetlabs.nl/dns-over-quic-in-unbound [that is to appear after the release]. Features Add iter-scrub-ns, iter-scrub-cname and max-global-quota configuration options. Merge patch to fix for glue that is outside of zone, with harden-unverified-glue, from Karthik Umashankar (Microsoft). Enabling this option protects the Unbound resolver against bad glue, that is unverified out of zone glue, by resolving them. It uses the records as last resort if there is no other working glue. Add redis-command-timeout: 20 and redis-connect-timeout: 200, that can set the timeout separately for commands and the connection set up to the redis server. If they are not specified, the redis-timeout value is used. Fix #1144: [FR] log timestamps in ISO8601 format with timezone. This adds the option log-time-iso: yes that logs in ISO8601 format. Merge #871: DNS over QUIC. This adds quic-port: 853 and quic-size: 8m that enable dnsoverquic, and the counters num.query.quic and mem.quic in the statistics output. The feature needs to be enabled by compiling with libngtcp2, with --with-libngtcp2=path and libngtcp2 needs openssl+quic, pass that with --with-ssl=path to compile unbound as well. Bug Fixes Fix #1126: unbound-control-setup hangs while testing for openssl presence starting from version 1.21.0. Add cross platform freebsd, openbsd and netbsd to github ci. Fix for char signedness warnings on NetBSD. Fix #1127: error: "memory exhausted" when defining more than 9994 local-zones. Fix documentation for cache_fill_missing function. Fix #1130: Loads of logs: "validation failure: key for validation . is marked as invalid because of a previous" for non-DNSSEC signed zone. Fix that when rpz is applied the message does not get picked up by the validator. That stops validation failures for the message. Fix that stub-zone and forward-zone clauses do not exhaust memory for long content. Unit test for auth zone transfer TLS, and TLS failure. Fix to print port number in logs for auth zone transfer activities. Merge #1132: b.root renumbering. Fix for #1132, adjusted unit test for change in the test file. Fix for #1132, comment about adjusted copy of reference check. Merge #1135: Add new IANA trust anchor. Fix config file read for dnstap-sample-rate. Fix alloc-size and calloc-transposed-args compiler warnings. Fix comment to not trigger doxygen unknown command. Fix to limit NSEC and NSEC3 TTL when aggressive nsec is enabled (RFC9077). Add unit test for ttl limit for aggressive nsec. Fix and add comments in testdata/val_negcache_ttl.rpl. Merge #1140: Fix spelling mistake in comments. Fix doxygen warnings by commenting out CLANG_ASSISTED_PARSING, CLANG_ADD_INC_PATHS, CLANG_OPTIONS and CLANG_DATABASE_PATH; they were already disabled. Fix dns64 with prefetch that the prefetch is stored in cache. Attempt to further fix doh_downstream_buffer_size.tdir flakiness. More clear text for prefetch and minimal-responses in the unbound.conf man page. Merge #1143: Fix cache update when serve expired is used. Expired records are favored over resolution and validation failures when serve-expired is used. Fix negative cache NSEC3 parameter compares for zero length NSEC3 salt. Fix unbound dnstap socket test program analyzer warnings about unused variable assignments and variable initialization. Fix #1149: unbound-control-setup hangs sometimes depending on the openssl version. Fix #1128: Cannot override tcp-upstream and tls-upstream with forward-tcp-upstream and forward-tls-upstream. Fix to limit NSEC TTL for messages from cachedb. Fix to limit the prefetch ttl for messages after a CNAME with short TTL. Fix for dnstap compile of doqclient with doq disabled. Fix cookie_file test sporadic fails for time change during the test. Fix add reallocarray to alloc stats unit test, and disable override of strdup in unbound-host, and the result of config get option is freed properly. Fix to disable detection of quic configured ports when quic is not compiled in. Fix harden-unverified-glue for AAAA cache_fill_missing lookups. Fix contrib/aaaa-filter-iterator.patch for change in call signature for cache_fill_missing. Fix to display warning if quic-port is set but dnsoverquic is not enabled when compiled. Fix dnsoverquic to extend the number of streams when one is closed. Fix for dnstap with dnscrypt and dnstap without dnsoverquic. Fix for dnsoverquic and dnstap to use the correct dnstap environment. Unbound 1.21.1 Oct 4, 2024 This security release fixes CVE-2024-8508. A vulnerability has been discovered in Unbound when handling replies with very large RRsets that Unbound needs to perform name compression for. Malicious upstreams responses with very large RRsets can cause Unbound to spend a considerable time applying name compression to downstream replies. This can lead to degraded performance and eventually denial of service in well orchestrated attacks. The vulnerability can be exploited by a malicious actor querying Unbound for the specially crafted contents of a malicious zone with very large RRsets. Before Unbound replies to the query it will try to apply name compression which was an unbounded operation that could lock the CPU until the whole packet was complete. Unbound version 1.21.1 introduces a hard limit on the number of name compression calculations it is willing to do per packet. Packets that need more compression will result in semi-compressed packets or truncated packets, even on TCP for huge messages, to avoid locking the CPU for long. This change should not affect normal DNS traffic. We would like to thank Toshifumi Sakaguchi for discovering and responsibly disclosing the vulnerability. Bug Fixes: Fix CVE-2024-8508, unbounded name compression could lead to denial of service. Unbound 1.21.0 Aug 15, 2024 This release has a fix for the CAMP and CacheFlush issues. They have a low severity for Unbound, since it does not affect Unbound so much. The Compositional Amplification (CAMP) type of attacks can lead to DoS attacks against DNS servers. In Unbound legitimate client requests to the resolvers under typical workload are not directly affected by CAMP attacks. However we introduce a global quota for 128 outgoing packets per query (and it's subqueries) that is never reset to prevent the combination of CAMP with other amplification attacks in the future. We would like to thank Huayi Duan, Marco Bearzi, Jodok Vieli, and Cagin Tanir from NetSec group, ETH Zurich for discovering and notifying us about the issue. The CacheFlush type of attacks (NSCacheFlush, CNAMECacheFlush) try to evict cached data by utilizing rogue zones and a steady rogue stream to a resolver. Based on the zone, the stream, the configured cache size and the legitimate traffic, Unbound could experience a degradation of service if a useful entry is evicted and Unbound needs to resolve again. As a mitigation to the NSCacheFlush attack Unbound is setting a limit of 20 RRs in an NS RRset. We would like to thank Yehuda Afek, Anat Bremler-Barr, Shoham Danino and Yuval Shavitt (Tel-Aviv University and Reichman University) for discovering and notifying us about the issue. Other fixes in this release are bug fixes. Also the unbound control commands that flush the cache can clear both the memory and cachedb module cache. The ipset module can use BSD pf tables. The new option dnstap-sample-rate: 100 can be used to log 1/N messages, for use in high volume server environments where the log server does not keep up. The new DNSSEC key for the root, 38696 from 2024 has been added. It is added to the default root keys in unbound-anchor. The content can be inspected with unbound-anchor -l. Older versions of Unbound can keep up with the root key with auto-trust-anchor-file that has RFC5011 key rollover. Also unbound-anchor can fetch the keys from the website with a certificate if needed. For cookie secrets, it is possible to perform rollover. The file with cookie secret in use and the staging secret is configured with cookie-secret-file. With the remote control the rollover can be performed, add_cookie_secret, activate_cookie_secret, drop_cookie_secret and print_cookie_secrets can be used for that. Compared to the RC1, the release has a fix for module loading on Windows, and a spelling correction. Features Fix #1071: [FR] Clear both in-memory and cachedb module cache with unbound-control flush* commands. Fix #144: Port ipset to BSD pf tables. Add dnstap-sample-rate that logs only 1/N messages, for high volume server environments. Thanks Dan Luther. Add root key 38696 from 2024 for DNSSEC validation. It is added to the default root keys in unbound-anchor. The content can be inspected with unbound-anchor -l. Merge #1090: Cookie secret file. Adds cookie-secret-file: "unbound_cookiesecrets.txt" option to store cookie secrets for EDNS COOKIE secret rollover. The remote control add_cookie_secret, activate_cookie_secret and drop_cookie_secret commands can be used for rollover, the command print_cookie_secrets shows the values in use. Bug Fixes Fix CAMP issues with global quota. Thanks to Huayi Duan, Marco Bearzi, Jodok Vieli, and Cagin Tanir from NetSec group, ETH Zurich. Fix CacheFlush issues with limit on NS RRs. Thanks to Yehuda Afek, Anat Bremler-Barr, Shoham Danino and Yuval Shavitt (Tel-Aviv University and Reichman University). Merge #1062: Fix potential overflow bug while parsing port in function cfg_mark_ports. Fix for #1062: declaration before statement, avoid print of null, and redundant check for array size. Fix to squelch udp connect errors in the log at low verbosity about invalid argument for IPv6 link local addresses. Fix when the mesh jostle is exceeded that nameserver targets are marked as resolved, so that the lookup is not stuck on the requestlist. Add missing common functions to tdir tests. Merge #1070: Fix rtt assignement for low values of infra-cache-max-rtt. Merge #1069: Fix unbound-control stdin commands for multi-process Unbounds. Fix unbound-control commands that read stdin in multi-process operation (local_zones_remove, local_zones, local_datas_remove, local_datas, view_local_datas_remove, view_local_datas). They will be properly distributed to all processes. dump_cache and load_cache are no longer supported in multi-process operation. Remove testdata/remote-threaded.tdir. testdata/09-unbound-control.tdir now checks both single and multi process/thread operation. Merge #1073: fix null pointer dereference issue in function ub_ctx_set_fwd. Fix to print a parse error when config is read with no name for a forward-zone, stub-zone or view. Fix for parse end of forward-zone, stub-zone and view. Fix for #1064: Fix that cachedb expired messages are considered insecure, and thus can be served to clients when dnssec is enabled. Fix #1059: Intermittent DNS blocking failure with local-zone and always_nxdomain. Addition of local_zones dynamically via unbound-control was not finding the zone's parent correctly. Fix #1064: Unbound 1.20 Cachedb broken? Fix unused variable warning on compilation with no thread support. unbound-control-setup: check openssl availability before doing anything, patch from Michael Tokarev. Update patch to remove 'command' shell builtin and update error text. Fix to enable that SERVFAIL is cached, for a short period, for more cases. In the cases where limits are exceeded. Fix spelling of tcp-idle-timeout docs, from Michael Tokarev. Merge #1078: Only check old pid if no username. Fix #1079: tags from tagged rpz zones are no longer honored after upgrade from 1.19.3 to 1.20.0. Fix for #1079: fix RPZ taglist in iterator callback that no client info is like no taglist intersection. Fix to squelch connection reset by peer errors from log. And fix that the tcp read errors are labeled as initial for the first calls. Merge #1080: AddressSanitizer detection in tdir tests and memory leak fixes. Fix memory leak when reload_keep_cache is used and num-threads changes. Fix memory leak on exit for unbound-dnstap-socket; creates false negatives during testing. Fix memory leak in setup of dsa sig. Fix typos for 'the the' in text. Fix validation for repeated use of a DNAME record. Add unit test for validation of repeated use of a DNAME record. Fix #1091: Build fails with OpenSSL >= 3.0 built with OPENSSL_NO_DEPRECATED. Fix #1092: Ubuntu 22.04 Jammy fails to compile unbound 1.20.0; by adding helpful text for the Python interpreter version and allowing the default pkg-config unavailability error message to be shown. Fix pkg-config availability check in dnstap/dnstap.m4 and systemd.m4. Explicitly set the RD bit for the mesh query flags when prefetching. These queries have no waiting client but they need to be treated as recursive. Fix ip-ratelimit-cookie setting, it was not applied. Fix to remove unused include from the readzone test program. Fix unused variable warning in do_cache_remove. Fix compile warning in worker pthread id printout. Add unit test skip files and bison and flex output to gitignore. Fix to use modstack_init in zonemd unit test. Fix to remove unneeded linebreak in fptr_wlist.c. Fix compile warnings in fptr_wlist.c. Fix for repeated use of a DNAME record: first overallocate and then move the exact size of the init value to avoid false positive heap overflow reads from address sanitizers. Fix to print details about the failure to lookup a DNSKEY record when validation fails due to the missing DNSKEY. Also for key prime and DS lookups. Fix for neater printout for error for missing DS response. Fix neater printout. Fix #1099: Unbound core dump on SIGSEGV. Fix for #1099: Fix to check for deleted RRset when the contents is updated and fetched after it is stored, and also check for a changed RRset. Don't check for message TTL changes if the RRsets remain the same. Fix that validation reason failure that uses string print uses separate buffer that is passed, from the scratch validation buffer. Fixup algo_needs_reason string buffer length. Fix shadowed error string variable in validator dnskey handling. Update list of known EDE codes. For #773: In contrib/unbound.service.in set unbound to start after network-online.target. Also for contrib/unbound_portable.service.in. Fix #1103: unbound 1.20.0 segmentation fault with nghttp2. For #1103: fix to also drop mesh state reference when a h2 reply is dropped. Add RPZ tag tests in acl_interface.tdir. For #1102: clearer text for using interface-* options for the loopback interface. For #1103: fix to also drop mesh state reference when the discard limit is reached, when there is an error making a new recursion state and when the connection is dropped with is_drop. For #1103: Fix to drop mesh state reference for the http2 stream associated with the reply, not the currently active stream. And it does not remove it twice on a mesh_send_reply call. The reply h2_stream is NULL when not in use, for more initialisation. Fix dnstap wakeup, a running wakeup timer is left to expire and not increased, a timer is started when the dtio thread is sleeping, the timer set disabled when the dtio thread goes to sleep, and after sleep the thread checks to see if there are messages to log immediately. Merge #1110: Make fallthrough explicit for libworker.c. For #1110: Test for fallthrough attribute in configure and add fallthrough attribute an... Unbound 1.20.0 May 8, 2024 This release has a fix for the DNSBomb issue CVE-2024-33655. This has a low severity for Unbound, since it makes Unbound complicit in targeting others, but does not affect Unbound so much. To mitigate the issue new configuration options are introduced. The options discard-timeout: 1900, wait-limit: 1000 and wait-limit-cookie: 10000 are enabled by default. They limit the number of outstanding queries that a querier can have. This limits the reply pulse, and make Unbound less favorable for the issue. With the config wait-limit-netblock and wait-limit-cookie-netblock the parameters can be fine tuned for specific destinations. More information on the attack and Unbound's mitigations are presented further down. Other fixes in this release are that Unbound no longer follows symlinks when truncating the pidfile. Unbound also does not chown the pidfile, this is for safety reasons. There are also a number of fixes for RPZ, in handling CNAMEs. There is a memory leak fix for the edns client subnet cache. For DNSSEC validation a case is fixed when the query is of type DNAME. The unbound-anchor program is fixed to first write to a temporary file, before replacing the original. This handles disk full situations, and because of it unbound-anchor needs permission to create that file, in the same directory as the original file. There is also a fix for IP_DONTFRAG, to disable fragmentation instead of the opposite. The option cache-min-negative-ttl can be used to set the minimum TTL for negative responses in the cache. It complements existing options to set the maximum ttl for negative responses and to set the minimum and maximum ttl but not specifically for negative responses. The option cachedb-check-when-serve-expired option makes Unbound use cachedb to check for expired responses, when serve-expired is enabled, and cachedb is used. It is enabled by default. The -q option for unbound-checkconf can be added to silence it when there are no errors. The DNSBomb vulnerability CVE-2024-33655. == Summary The DNSBomb attack, via specially timed DNS queries and answers, can cause a Denial of Service on resolvers and spoofed targets. Unbound itself is not vulnerable for DoS, rather it can be used to take part in a pulsing DoS amplification attack. Unbound 1.20.0 includes fixes so the impact of the DoS from Unbound is significantly lower than it used to be and making the attack, and Unbound's participation, less tempting for attackers. == Affected products Unbound up to and including 1.19.3. == Description The DNSBomb attack works by sending low-rate spoofed queries for a malicious zone to Unbound. By controlling the delay of the malicious authoritative answers, Unbound slowly accumulates pending answers for the spoofed addresses. When the authoritative answers become available to Unbound at the same time, Unbound starts serving all the accumulated queries. This results into large-sized, concentrated response bursts to the spoofed addresses. From version 1.20.0 on, Unbound introduces a couple of configuration options to help mitigate the impact. Their complete description can be found in the included manpages but they are also briefly listed here together with their default values for convenience: discard-timeout: 1900 After 1900 ms a reply to the client will be dropped. Unbound would still work on the query but refrain from replying in order to not accumulate a huge number of "old" replies. Legitimate clients retry on timeouts. wait-limit: 1000 wait-limit-cookie: 10000 Limits the amount of client queries that require recursion (cache-hits are not counted) per IP address. More recursive queries than the allowed limit are dropped. Clients with a valid EDNS Cookie can have a different limit, higher by default. wait-limit: 0 disables all wait limits. wait-limit-netblock wait-limit-cookie-netblock These do not have a default value but they can fine grain configuration for specific netblocks. With or without EDNS Cookies. The options above are trying to shrink the DNSBomb window so that the impact of the DoS from Unbound is significantly lower than it used to be and making the attack, and Unbound's participation, less tempting for attackers. == Acknowledgements We would like to thank Xiang Li from the Network and Information Security Lab of Tsinghua University for discovering and disclosing the attack. Features The config for discard-timeout, wait-limit, wait-limit-cookie, wait-limit-netblock and wait-limit-cookie-netblock was added, for the fix to the DNSBomb issue. Merge #1027: Introduce 'cache-min-negative-ttl' option. Merge #1043 from xiaoxiaoafeifei: Add loongarch support; updates config.guess(2024-01-01) and config.sub(2024-01-01), verified with upstream. Implement cachedb-check-when-serve-expired: yes option, default is enabled. When serve expired is enabled with cachedb, it first checks cachedb before serving the expired response. Fix #876: [FR] can unbound-checkconf be silenced when configuration is valid? Bug Fixes Fix for the DNSBomb vulnerability CVE-2024-33655. Thanks to Xiang Li from the Network and Information Security Lab of Tsinghua University for reporting it. Update doc/unbound.doxygen with 'doxygen -u'. Fixes option deprecation warnings and updates with newer defaults. Remove unused portion from iter_dname_ttl unit test. Fix validator classification of qtype DNAME for positive and redirection answers, and fix validator signature routine for dealing with the synthesized CNAME for a DNAME without previously encountering it and also for when the qtype is DNAME. Fix qname minimisation for reply with a DNAME for qtype CNAME that answers it. Fix doc test so it ignores but outputs unsupported doxygen options. Fix #1021 Inconsistent Behavior with Changing rpz-cname-override and doing a unbound-control reload. Merge #1028: Clearer documentation for tcp-idle-timeout and edns-tcp-keepalive-timeout. Fix #1029: rpz trigger clientip and action rpz-passthru not working as expected. Fix rpz that the rpz override is taken in case of clientip triggers. Fix that the clientip passthru action is logged. Fix that the clientip localdata action is logged. Fix rpz override action cname for the clientip trigger. Fix to unify codepath for local alias for rpz cname action override. Fix rpz for cname override action after nsdname and nsip triggers. Fix that addrinfo is not kept around but copied and freed, so that log-destaddr uses a copy of the information, much like NSD does. Merge #1030: Persist the openssl and expat directories for repeated Windows builds. Fix that rpz CNAME content is limited to the max number of cnames. Fix rpz, it follows iterator CNAMEs for nsip and nsdname and sets the reply query_info values, that is better for debug logging. Fix rpz that copies the cname override completely to the temp region, so there are no references to the rpz region. Add rpz unit test for nsip action override. Fix rpz for qtype CNAME after nameserver trigger. Fix rpz so that rpz CNAME can apply after rpz CNAME. And fix that clientip and nsip can give a CNAME. Fix localdata and rpz localdata to match CNAME only if no direct type match is available. Merge #831 from Pierre4012: Improve Windows NSIS installer script (setup.nsi). For #831: Format text, use exclamation icon and explicit label names. Fix name of unit test for subnet cache response. Fix #1032: The size of subnet_msg_cache calculation mistake cause memory usage increased beyond expectations. Fix for #1032, add safeguard to make table space positive. Fix comment in lruhash space function. Fix to add unit test for lruhash space that exercises the routines. Fix that when the server truncates the pidfile, it does not follow symbolic links. Fix that the server does not chown the pidfile. Fix #1034: DoT forward-zone via unbound-control. Fix for crypto related failures to have a better error string. Fix #1035: Potential Bug while parsing port from the "stub-host" string; also affected forward-zones and remote-control host directives. Fix #369: dnstap showing extra responses; for client responses right from the cache when replying with expired data or prefetching. Fix #1040: fix heap-buffer-overflow issue in function cfg_mark_ports of file util/config_file.c. For #1040: adjust error text and disallow negative ports in other parts of cfg_mark_ports. Fix comment syntax for view function views_find_view. Fix #595: unbound-anchor cannot deal with full disk; it will now first write out to a temp file before replacing the original one, like Unbound already does for auto-trust-anchor-file. Fixup compile without cachedb. Add test for cachedb serve expired. Extended test for cachedb serve expired. Fix makefile dependencies for fake_event.c. Fix cachedb for serve-expired with serve-expired-reply-ttl. Fix to not reply serve expired unless enabled for cachedb. Fix cachedb for serve-expired with serve-expired-client-timeout. Fixup unit test for cachedb server expired client timeout with a check if response if from upstream or from cachedb. Fixup cachedb to not refetch when serve-expired-client-timeout is used. Merge #1049 from Petr Men#ík: Py_NoSiteFlag is not needed since Python 3.8 Fix #1048: Update ax_pkg_swig.m4 and ax_pthread.m4. Fix configure, autoconf for #1048. Add checklock feature verbose_locking to trace locks and unlocks. Fix edns subnet to sort rrset references when storing messages in the cache. This fixes a race condition in the rrset locks. Merge #1053: Remove child delegations from cache when grandchild delegation... Unbound 1.19.3 Mar 14, 2024 This release has a number of bug fixes. The CNAME synthesized for a DNAME record uses the original TTL, of the DNAME record, and that means it can be cached for the TTL, instead of 0. There is a fix that when a message was stored in cache, but one of the RRsets was not updated due to cache policy, it now restricts the message TTL if the cache version of the RRset has a shorter TTL. It avoids a bug where the message is not expired, but its contents is expired. For dnstap, it logs type DoH and DoT correctly, if that is used for the message. The b.root-servers.net address is updated in the default root hints. When performing retries for failed sends, a retry at a smaller UDP size is now not performed when that attempt is not actually smaller, and at defaults, since the flag day changes, it is the same size. This makes it skip the step, it is useless because there is no reduction in size. Clients with a valid DNS Cookie will bypass the ratelimit, if one is set. The value from ip-ratelimit-cookie is used for these queries. Furthermore there is a fix to make correct EDE Prohibited answers for access control denials, and a fix for EDNS client subnet scope zero answers. Features: Merge PR #973: Use the origin (DNAME) TTL for synthesized CNAMEs as per RFC 6672. Bug Fixes: Fix unit test parse of origin syntax. Use 127.0.0.1 explicitly in tests to avoid delays and errors on newer systems. Fix #964: config.h.in~ backup file in release tar balls. Merge #968: Replace the obsolescent fgrep with grep -F in tests. Merge #971: fix 'WARNING: Message has 41 extra bytes at end'. Fix #969: [FR] distinguish Do53, DoT and DoH in the logs. Fix dnstap that assertion failed on logging other than UDP and TCP traffic. It lists it as TCP traffic. Fix to sync the tests script file common.sh. iana portlist update. Updated IPv4 and IPv6 address for b.root-servers.net in root hints. Update test script file common.sh. Fix tests to use new common.sh functions, wait_logfile and kill_from_pidfile. Fix #974: doc: default number of outgoing ports without libevent. Merge #975: Fixed some syntax errors in rpl files. Fix root_zonemd unit test, it checks that the root ZONEMD verifies, now that the root has a valid ZONEMD. Update example.conf with cookie options. Merge #980: DoH: reject non-h2 early. To fix #979: Improve errors for non-HTTP/2 DoH clients. Merge #985: Add DoH and DoT to dnstap message. Fix #983: Sha1 runtime insecure change was incomplete. Remove unneeded newlines and improve indentation in remote control code. Merge #987: skip edns frag retry if advertised udp payload size is not smaller. Fix unit test for #987 change in udp1xxx retry packet send. Merge #988: Fix #981: dump_cache truncates large records. Fix to link with -lcrypt32 for OpenSSL 3.2.0 on Windows. Fix to link with libssp for libcrypto and getaddrinfo check for only header. Also update crosscompile to remove ssp for 32bit. Merge #993: Update b.root-servers.net also in example config file. Update workflow for ports to use newer openssl on windows compile. Fix warning for windres on resource files due to redefinition. Fix for #997: Print details for SSL certificate failure. Update error printout for duplicate trust anchors to include the trust anchor name (relates to #920). Update message TTL when using cached RRSETs. It could result in non-expired messages with expired RRSETs (non-usable messages by Unbound). Merge #999: Search for protobuf-c with pkg-config. Fix #1006: Can't find protobuf-c package since #999. Fix documentation for access-control in the unbound.conf man page. Merge #1010: Mention REFUSED has the TC bit set with unmatched allow_cookie acl in the manpage. It also fixes the code to match the documentation about clients with a valid cookie that bypass the ratelimit regardless of the allow_cookie acl. Document the suspend argument for process_ds_response(). Move github workflows to use checkoutv4. Fix edns subnet replies for scope zero answers to not get stored in the global cache, and in cachedb, when the upstream replies without an EDNS record. Fix for #1022: Fix ede prohibited in access control refused answers. Fix unbound-control-setup.cmd to use 3072 bits so that certificates are long enough for newer OpenSSL versions. Fix TTL of synthesized CNAME when a DNAME is used from cache. Fix unbound-control-setup.cmd to have CA v3 basicConstraints, like unbound-control-setup.sh has. Unbound 1.19.2 Mar 7, 2024 This security release fixes CVE-2024-1931. NLnet Labs Unbound version 1.18.0 up to and including version 1.19.1 contain a vulnerability that can cause denial of service by a certain code path that can lead to an infinite loop. Unbound 1.18.0 introduced a feature that removes EDE records from responses with size higher than the client's advertised buffer size. Before removing all the EDE records however, it would try to see if trimming the extra text fields on those records would result in an acceptable size while still retaining the EDE codes. Due to an unchecked condition, the code that trims the text of the EDE records could loop indefinitely. This happens when Unbound would reply with attached EDE information on a positive reply and the client's buffer size is smaller than the needed space to include EDE records. The vulnerability can only be triggered when the 'ede: yes' option is used; non default configuration. From version 1.19.2 on, the code is fixed to avoid looping indefinitely. We would like to thank Fredrik Pettai and Patrik Lundin from SUNET for notifying us about the issue and working with us to identify the vulnerability. Bug Fixes: Fix CVE-2024-1931, Denial of service when trimming EDE text on positive replies. @ text @a77 1 [ $retval -eq 0 ] && rm -f $pidfile @ 1.1.1.1.2.1 log @file unbound.init was added on branch pgoyette-localcount on 2016-09-14 03:04:07 +0000 @ text @d1 139 @ 1.1.1.1.2.2 log @Sync with HEAD @ text @a0 139 #!/bin/sh # # unbound This shell script takes care of starting and stopping # unbound (DNS server). # # chkconfig: - 14 86 # description: unbound is a Domain Name Server (DNS) \ # that is used to resolve host names to IP addresses. ### BEGIN INIT INFO # Provides: $named unbound # Required-Start: $network $local_fs # Required-Stop: $network $local_fs # Should-Start: $syslog # Should-Stop: $syslog # Short-Description: unbound recursive Domain Name Server. # Description: unbound is a Domain Name Server (DNS) # that is used to resolve host names to IP addresses. ### END INIT INFO # Source function library. . /etc/rc.d/init.d/functions exec="/usr/sbin/unbound" prog="unbound" config="/var/unbound/unbound.conf" pidfile="/var/unbound/unbound.pid" rootdir="/var/unbound" [ -e /etc/sysconfig/$prog ] && . /etc/sysconfig/$prog lockfile=/var/lock/subsys/$prog start() { [ -x $exec ] || exit 5 [ -f $config ] || exit 6 echo -n $"Starting $prog: " # setup root jail if [ -s /etc/localtime ]; then [ -d ${rootdir}/etc ] || mkdir -p ${rootdir}/etc ; if [ ! -e ${rootdir}/etc/localtime ] || /usr/bin/cmp -s /etc/localtime ${rootdir}/etc/localtime; then cp -fp /etc/localtime ${rootdir}/etc/localtime fi; fi; if [ -s /etc/resolv.conf ]; then [ -d ${rootdir}/etc ] || mkdir -p ${rootdir}/etc ; if [ ! -e ${rootdir}/etc/resolv.conf ] || /usr/bin/cmp -s /etc/resolv.conf ${rootdir}/etc/resolv.conf; then cp -fp /etc/resolv.conf ${rootdir}/etc/resolv.conf fi; fi; if ! egrep -q '^/[^[:space:]]+[[:space:]]+'${rootdir}'/dev/log' /proc/mounts; then [ -d ${rootdir}/dev ] || mkdir -p ${rootdir}/dev ; [ -e ${rootdir}/dev/log ] || touch ${rootdir}/dev/log mount --bind -n /dev/log ${rootdir}/dev/log >/dev/null 2>&1; fi; if ! egrep -q '^/[^[:space:]]+[[:space:]]+'${rootdir}'/dev/random' /proc/mounts; then [ -d ${rootdir}/dev ] || mkdir -p ${rootdir}/dev ; [ -e ${rootdir}/dev/random ] || touch ${rootdir}/dev/random mount --bind -n /dev/random ${rootdir}/dev/random >/dev/null 2>&1; fi; # if not running, start it up here daemon $exec retval=$? echo [ $retval -eq 0 ] && touch $lockfile return $retval } stop() { echo -n $"Stopping $prog: " # stop it here, often "killproc $prog" killproc -p $pidfile $prog retval=$? echo [ $retval -eq 0 ] && rm -f $lockfile if egrep -q '^/[^[:space:]]+[[:space:]]+'${rootdir}'/dev/log' /proc/mounts; then umount ${rootdir}/dev/log >/dev/null 2>&1 fi; if egrep -q '^/[^[:space:]]+[[:space:]]+'${rootdir}'/dev/random' /proc/mounts; then umount ${rootdir}/dev/random >/dev/null 2>&1 fi; return $retval } restart() { stop start } reload() { kill -HUP `cat $pidfile` } force_reload() { restart } rh_status() { # run checks to determine if the service is running or use generic status status -p $pidfile $prog } rh_status_q() { rh_status -p $pidfile >/dev/null 2>&1 } case "$1" in start) rh_status_q && exit 0 $1 ;; stop) rh_status_q || exit 0 $1 ;; restart) $1 ;; reload) rh_status_q || exit 7 $1 ;; force-reload) force_reload ;; status) rh_status ;; condrestart|try-restart) rh_status_q || exit 0 restart ;; *) echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload}" exit 2 esac exit $? @