diff --git a/_multibuild b/_multibuild
new file mode 100644
index 0000000..eb83b06
--- /dev/null
+++ b/_multibuild
@@ -0,0 +1,4 @@
+
+ libunbound-devel-mini
+
+
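Review bot: As rendered, the new `_multibuild` (lines 7–10) holds only blank lines and the bare name `libunbound-devel-mini`, but OBS expects this file to be an XML document, `<multibuild><package>libunbound-devel-mini</package></multibuild>`, and a file without those elements does not define the extra flavor. Most likely the element markup was stripped by whatever produced this view, since the indentation on line 8 matches a nested `<package>` line; please confirm the committed file carries the `<multibuild>` and `<package>` elements. The later changelog entry on lines 604–606 says this file was added to replace source-package links, so a malformed file would silently drop the `libunbound-devel-mini` build rather than fail loudly.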
diff --git a/libunbound-devel-mini.changes b/libunbound-devel-mini.changes
index 4c87afa..c77e55a 100644
--- a/libunbound-devel-mini.changes
+++ b/libunbound-devel-mini.changes
@@ -1,3 +1,595 @@
+-------------------------------------------------------------------
+Thu Aug 15 09:24:29 UTC 2024 - Jorik Cronenberg
+
+- Update to 1.21.0:
+ Security Fixes:
+ * Merge #1073: fix null pointer dereference issue in function
+ ub_ctx_set_fwd.
+ [CVE-2024-43167, bsc#1229068]
+
+ Features:
+ * Fix #1071: [FR] Clear both in-memory and cachedb module cache
+ with `unbound-control flush*` commands.
+ * Fix #144: Port ipset to BSD pf tables.
+ * Add dnstap-sample-rate that logs only 1/N messages, for high
+ volume server environments. Thanks Dan Luther.
+ * Add root key 38696 from 2024 for DNSSEC validation. It is added
+ to the default root keys in unbound-anchor. The content can be
+ inspected with `unbound-anchor -l`.
+ * Merge #1090: Cookie secret file. Adds `cookie-secret-file:
+ "unbound_cookiesecrets.txt"` option to store cookie secrets for
+ EDNS COOKIE secret rollover. The remote control
+ add_cookie_secret, activate_cookie_secret and
+ drop_cookie_secret commands can be used for rollover, the
+ command print_cookie_secrets shows the values in use.
+
+ Bug Fixes:
+ * Fix CAMP issues with global quota. Thanks to Huayi
+ Duan, Marco Bearzi, Jodok Vieli, and Cagin Tanir from NetSec
+ group, ETH Zurich.
+ * Fix CacheFlush issues with limit on NS RRs. Thanks to Yehuda
+ Afek, Anat Bremler-Barr, Shoham Danino and Yuval Shavitt
+ (Tel-Aviv University and Reichman University).
+ * Merge #1062: Fix potential overflow bug while parsing port in
+ function cfg_mark_ports.
+ * Fix for #1062: declaration before statement, avoid print of
+ null, and redundant check for array size.
+ * Fix to squelch udp connect errors in the log at low verbosity
+ about invalid argument for IPv6 link local addresses.
+ * Fix when the mesh jostle is exceeded that nameserver targets
+ are marked as resolved, so that the lookup is not stuck on the
+ requestlist.
+ * Add missing common functions to tdir tests.
+ * Merge #1070: Fix rtt assignement for low values of
+ infra-cache-max-rtt.
+ * Merge #1069: Fix unbound-control stdin commands for
+ multi-process Unbounds.
+ * Fix unbound-control commands that read stdin in multi-process
+ operation (local_zones_remove, local_zones, local_datas_remove,
+ local_datas, view_local_datas_remove, view_local_datas). They
+ will be properly distributed to all processes. dump_cache and
+ load_cache are no longer supported in multi-process operation.
+ * Remove testdata/remote-threaded.tdir.
+ testdata/09-unbound-control.tdir now checks both single and
+ multi process/thread operation.
+ * Fix to print a parse error when config is read with no name for
+ a forward-zone, stub-zone or view.
+ * Fix for parse end of forward-zone, stub-zone and view.
+ * Fix for #1064: Fix that cachedb expired messages are considered
+ insecure, and thus can be served to clients when dnssec is
+ enabled.
+ * Fix #1059: Intermittent DNS blocking failure with local-zone
+ and always_nxdomain. Addition of local_zones dynamically via
+ unbound-control was not finding the zone's parent correctly.
+ * Fix #1064: Unbound 1.20 Cachedb broken?
+ * Fix unused variable warning on compilation with no thread
+ support.
+ * unbound-control-setup: check openssl availability before doing
+ anything, patch from Michael Tokarev.
+ * Update patch to remove 'command' shell builtin and update error
+ text.
+ * Fix to enable that SERVFAIL is cached, for a short period, for
+ more cases. In the cases where limits are exceeded.
+ * Fix spelling of tcp-idle-timeout docs, from Michael Tokarev.
+ * Merge #1078: Only check old pid if no username.
+ * Fix #1079: tags from tagged rpz zones are no longer honored
+ after upgrade from 1.19.3 to 1.20.0.
+ * Fix for #1079: fix RPZ taglist in iterator callback that no
+ client info is like no taglist intersection.
+ * Fix to squelch connection reset by peer errors from log. And
+ fix that the tcp read errors are labeled as initial for the
+ first calls.
+ * Merge #1080: AddressSanitizer detection in tdir tests and
+ memory leak fixes.
+ * Fix memory leak when reload_keep_cache is used and num-threads
+ changes.
+ * Fix memory leak on exit for unbound-dnstap-socket; creates
+ false negatives during testing.
+ * Fix memory leak in setup of dsa sig.
+ * Fix typos for 'the the' in text.
+ * Fix validation for repeated use of a DNAME record.
+ * Add unit test for validation of repeated use of a DNAME record.
+ * Fix #1091: Build fails with OpenSSL >= 3.0 built with
+ OPENSSL_NO_DEPRECATED.
+ * Fix #1092: Ubuntu 22.04 Jammy fails to compile unbound 1.20.0;
+ by adding helpful text for the Python interpreter version and
+ allowing the default pkg-config unavailability error message to
+ be shown.
+ * Fix pkg-config availability check in dnstap/dnstap.m4 and
+ systemd.m4.
+ * Explicitly set the RD bit for the mesh query flags when
+ prefetching. These queries have no waiting client but they need
+ to be treated as recursive.
+ * Fix ip-ratelimit-cookie setting, it was not applied.
+ * Fix to remove unused include from the readzone test program.
+ * Fix unused variable warning in do_cache_remove.
+ * Fix compile warning in worker pthread id printout.
+ * Add unit test skip files and bison and flex output to
+ gitignore.
+ * Fix to use modstack_init in zonemd unit test.
+ * Fix to remove unneeded linebreak in fptr_wlist.c.
+ * Fix compile warnings in fptr_wlist.c.
+ * Fix for repeated use of a DNAME record: first overallocate and
+ then move the exact size of the init value to avoid false
+ positive heap overflow reads from address sanitizers.
+ * Fix to print details about the failure to lookup a DNSKEY
+ record when validation fails due to the missing DNSKEY. Also
+ for key prime and DS lookups.
+ * Fix for neater printout for error for missing DS response.
+ * Fix neater printout.
+ * Fix #1099: Unbound core dump on SIGSEGV.
+ * Fix for #1099: Fix to check for deleted RRset when the contents
+ is updated and fetched after it is stored, and also check for a
+ changed RRset.
+ * Don't check for message TTL changes if the RRsets remain the
+ same.
+ * Fix that validation reason failure that uses string print uses
+ separate buffer that is passed, from the scratch validation
+ buffer.
+ * Fixup algo_needs_reason string buffer length.
+ * Fix shadowed error string variable in validator dnskey
+ handling.
+ * Update list of known EDE codes.
+ * For #773: In contrib/unbound.service.in set unbound to start
+ after network-online.target. Also for
+ contrib/unbound_portable.service.in.
+ * Fix #1103: unbound 1.20.0 segmentation fault with nghttp2.
+ * For #1103: fix to also drop mesh state reference when a h2
+ reply is dropped.
+ * Add RPZ tag tests in acl_interface.tdir.
+ * For #1102: clearer text for using interface-* options for the
+ loopback interface.
+ * For #1103: fix to also drop mesh state reference when the
+ discard limit is reached, when there is an error making a new
+ recursion state and when the connection is dropped with
+ is_drop.
+ * For #1103: Fix to drop mesh state reference for the http2
+ stream associated with the reply, not the currently active
+ stream. And it does not remove it twice on a mesh_send_reply
+ call. The reply h2_stream is NULL when not in use, for more
+ initialisation.
+ * Fix dnstap wakeup, a running wakeup timer is left to expire and
+ not increased, a timer is started when the dtio thread is
+ sleeping, the timer set disabled when the dtio thread goes to
+ sleep, and after sleep the thread checks to see if there are
+ messages to log immediately.
+ * Merge #1110: Make fallthrough explicit for libworker.c.
+ * For #1110: Test for fallthrough attribute in configure and add
+ fallthrough attribute annotations.
+ * Fix compile when the compiler does not support the noreturn
+ attribute.
+ * Fix to have empty definition when not supported for weak
+ attribute.
+ * Fix uninitialized variable warning in create_tcp_accept_sock.
+ * Fix link of dnstap without openssl.
+ * Fix link of unbound-dnstap-socket without openssl.
+ * Fix #1106: ratelimit-below-domain logs the wrong FROM address.
+ * Cleanup ede.tdir test.
+ * For #935 and #1104, clarify RPZ order and semantics.
+ * Fix to document parameters of auth_zone_verify_zonemd_with_key.
+ * Fix for #1114: Fix that cache fill for forward-host names is
+ performed, so that with nonzero target-fetch-policy it fetches
+ forwarder addresses and uses them from cache. Also updated that
+ delegation point cache fill routines use CDflag for AAAA
+ message lookups, so that its negative lookup stops a recursion
+ since the cache uses the bit for disambiguation for dns64 but
+ the recursion uses CDflag for the AAAA target lookups, so the
+ check correctly stops a useless recursion by its cache lookup.
+ * Fix dnstap test program, cleans up to have clean memory on
+ exit, for tap_data_free, does not delete NULL items. Also it
+ does not try to free the tail, specifically in the free of the
+ list since that picked up the next item in the list for its
+ loop causing invalid free. Added internal unit test to
+ unbound-dnstap-socket for that.
+ * Fix that the worker mem report with alloc stats does not
+ attempt to print memory use of forwards and hints if they have
+ been deleted already.
+ * Fix that alloc stats has strdup checks, it stops debuggers from
+ complaining about mismatch at free time.
+ * Fix testbound for alloc stats strdup in util/alloc.c.
+ * Fix that alloc stats for forwards and hints are printed, and
+ when alloc stats is enabled, the unit test for unbound control
+ waits for reloads to complete.
+ * Fix that for windows the module startup is called and sets up
+ the module-config.
+ * Fix spelling for the cache-min-negative-ttl entry in the
+ example.conf.
+
+-------------------------------------------------------------------
+Wed May 8 09:15:01 UTC 2024 - Jorik Cronenberg
+
+- Update to 1.20.0:
+ Features:
+ * The config for discard-timeout, wait-limit, wait-limit-cookie,
+ wait-limit-netblock and wait-limit-cookie-netblock was added,
+ for the fix to the DNSBomb issue.
+ * Merge GH#1027: Introduce 'cache-min-negative-ttl' option.
+ * Merge GH#1043 from xiaoxiaoafeifei: Add loongarch support;
+ updates config.guess(2024-01-01) and config.sub(2024-01-01),
+ verified with upstream.
+ * Implement cachedb-check-when-serve-expired: yes option, default
+ is enabled. When serve expired is enabled with cachedb, it
+ first checks cachedb before serving the expired response.
+ * Fix GH#876: [FR] can unbound-checkconf be silenced when
+ configuration is valid?
+
+ Bug Fixes:
+ * Fix for the DNSBomb vulnerability CVE-2024-33655. Thanks to
+ Xiang Li from the Network and Information Security Lab of
+ Tsinghua University for reporting it.
+ * Update doc/unbound.doxygen with 'doxygen -u'. Fixes option
+ deprecation warnings and updates with newer defaults.
+ * Remove unused portion from iter_dname_ttl unit test.
+ * Fix validator classification of qtype DNAME for positive and
+ redirection answers, and fix validator signature routine for
+ dealing with the synthesized CNAME for a DNAME without
+ previously encountering it and also for when the qtype is
+ DNAME.
+ * Fix qname minimisation for reply with a DNAME for qtype CNAME
+ that answers it.
+ * Fix doc test so it ignores but outputs unsupported doxygen
+ options.
+ * Fix GH#1021 Inconsistent Behavior with Changing
+ rpz-cname-override and doing a unbound-control reload.
+ * Merge GH#1028: Clearer documentation for tcp-idle-timeout and
+ edns-tcp-keepalive-timeout.
+ * Fix GH#1029: rpz trigger clientip and action rpz-passthru not
+ working as expected.
+ * Fix rpz that the rpz override is taken in case of clientip
+ triggers. Fix that the clientip passthru action is logged. Fix
+ that the clientip localdata action is logged. Fix rpz override
+ action cname for the clientip trigger.
+ * Fix to unify codepath for local alias for rpz cname action
+ override.
+ * Fix rpz for cname override action after nsdname and nsip
+ triggers.
+ * Fix that addrinfo is not kept around but copied and freed, so
+ that log-destaddr uses a copy of the information, much like NSD
+ does.
+ * Merge GH#1030: Persist the openssl and expat directories for
+ repeated Windows builds.
+ * Fix that rpz CNAME content is limited to the max number of
+ cnames.
+ * Fix rpz, it follows iterator CNAMEs for nsip and nsdname and
+ sets the reply query_info values, that is better for debug
+ logging.
+ * Fix rpz that copies the cname override completely to the temp
+ region, so there are no references to the rpz region.
+ * Add rpz unit test for nsip action override.
+ * Fix rpz for qtype CNAME after nameserver trigger.
+ * Fix rpz so that rpz CNAME can apply after rpz CNAME. And fix
+ that clientip and nsip can give a CNAME.
+ * Fix localdata and rpz localdata to match CNAME only if no
+ direct type match is available.
+ * Merge GH#831 from Pierre4012: Improve Windows NSIS installer
+ script (setup.nsi).
+ * For GH#831: Format text, use exclamation icon and explicit label
+ names.
+ * Fix name of unit test for subnet cache response.
+ * Fix GH#1032: The size of subnet_msg_cache calculation mistake
+ cause memory usage increased beyond expectations.
+ * Fix for GH#1032, add safeguard to make table space positive.
+ * Fix comment in lruhash space function.
+ * Fix to add unit test for lruhash space that exercises the
+ routines.
+ * Fix that when the server truncates the pidfile, it does not
+ follow symbolic links.
+ * Fix that the server does not chown the pidfile.
+ * Fix GH#1034: DoT forward-zone via unbound-control.
+ * Fix for crypto related failures to have a better error string.
+ * Fix GH#1035: Potential Bug while parsing port from the
+ "stub-host" string; also affected forward-zones and
+ remote-control host directives.
+ * Fix GH#369: dnstap showing extra responses; for client responses
+ right from the cache when replying with expired data or
+ prefetching.
+ * Fix GH#1040: fix heap-buffer-overflow issue in function
+ cfg_mark_ports of file util/config_file.c.
+ * For GH#1040: adjust error text and disallow negative ports in
+ other parts of cfg_mark_ports.
+ * Fix comment syntax for view function views_find_view.
+ * Fix GH#595: unbound-anchor cannot deal with full disk; it will
+ now first write out to a temp file before replacing the
+ original one, like Unbound already does for
+ auto-trust-anchor-file.
+ * Fixup compile without cachedb.
+ * Add test for cachedb serve expired.
+ * Extended test for cachedb serve expired.
+ * Fix makefile dependencies for fake_event.c.
+ * Fix cachedb for serve-expired with serve-expired-reply-ttl.
+ * Fix to not reply serve expired unless enabled for cachedb.
+ * Fix cachedb for serve-expired with
+ serve-expired-client-timeout.
+ * Fixup unit test for cachedb server expired client timeout with
+ a check if response if from upstream or from cachedb.
+ * Fixup cachedb to not refetch when serve-expired-client-timeout
+ is used.
+ * Merge GH#1049 from Petr Menšík: Py_NoSiteFlag is not needed since
+ Python 3.8
+ * Fix GH#1048: Update ax_pkg_swig.m4 and ax_pthread.m4.
+ * Fix configure, autoconf for GH#1048.
+ * Add checklock feature verbose_locking to trace locks and
+ unlocks.
+ * Fix edns subnet to sort rrset references when storing messages
+ in the cache. This fixes a race condition in the rrset locks.
+ * Merge GH#1053: Remove child delegations from cache when
+ grandchild delegations are returned from parent.
+ * Fix ci workflow for macos for moved install locations.
+ * Fix configure flto check error, by finding grep for it.
+ * Merge GH#1041: Stub and Forward unshare. This has one structure
+ for them and fixes GH#1038: fatal error: Could not initialize
+ thread / error: reading root hints.
+ * Fix to disable fragmentation on systems with IP_DONTFRAG, with
+ a nonzero value for the socket option argument.
+ * Fix doc unit test for out of directory build.
+ * Fix cachedb with serve-expired-client-timeout disabled. The
+ edns subnet module deletes global cache and cachedb cache when
+ it stores a result, and serve-expired is enabled, so that the
+ global reply, that is older than the ecs reply, does not return
+ after the ecs reply expires.
+ * Add unit tests for cachedb and subnet cache expired data.
+ * Man page entry for unbound-checkconf -q.
+ * Cleanup unnecessary strdup calls for EDE strings.
+ * Fix doxygen comment for errinf_to_str_bogus.
+
+-------------------------------------------------------------------
+Wed Mar 20 13:09:17 UTC 2024 - Jorik Cronenberg
+
+- Update to 1.19.3:
+ * Features:
+ - Merge PR #973: Use the origin (DNAME) TTL for synthesized
+ CNAMEs as per RFC 6672.
+ * Bug Fixes
+ - Fix unit test parse of origin syntax.
+ - Use 127.0.0.1 explicitly in tests to avoid delays and errors
+ on newer systems.
+ - Fix #964: config.h.in~ backup file in release tar balls.
+ - Merge #968: Replace the obsolescent fgrep with grep -F in
+ tests.
+ - Merge #971: fix 'WARNING: Message has 41 extra bytes at end'.
+ - Fix #969: [FR] distinguish Do53, DoT and DoH in the logs.
+ - Fix dnstap that assertion failed on logging other than UDP
+ and TCP traffic. It lists it as TCP traffic.
+ - Fix to sync the tests script file common.sh.
+ - iana portlist update.
+ - Updated IPv4 and IPv6 address for b.root-servers.net in root
+ hints.
+ - Update test script file common.sh.
+ - Fix tests to use new common.sh functions, wait_logfile and
+ kill_from_pidfile.
+ - Fix #974: doc: default number of outgoing ports without
+ libevent.
+ - Merge #975: Fixed some syntax errors in rpl files.
+ - Fix root_zonemd unit test, it checks that the root ZONEMD
+ verifies, now that the root has a valid ZONEMD.
+ - Update example.conf with cookie options.
+ - Merge #980: DoH: reject non-h2 early. To fix #979: Improve
+ errors for non-HTTP/2 DoH clients.
+ - Merge #985: Add DoH and DoT to dnstap message.
+ - Fix #983: Sha1 runtime insecure change was incomplete.
+ - Remove unneeded newlines and improve indentation in remote
+ control code.
+ - Merge #987: skip edns frag retry if advertised udp payload
+ size is not smaller.
+ - Fix unit test for #987 change in udp1xxx retry packet send.
+ - Merge #988: Fix NLnetLabs#981: dump_cache truncates large
+ records.
+ - Fix to link with -lcrypt32 for OpenSSL 3.2.0 on Windows.
+ - Fix to link with libssp for libcrypto and getaddrinfo check
+ for only header. Also update crosscompile to remove ssp for
+ 32bit.
+ - Merge #993: Update b.root-servers.net also in example config
+ file.
+ - Update workflow for ports to use newer openssl on windows
+ compile.
+ - Fix warning for windres on resource files due to
+ redefinition.
+ - Fix for #997: Print details for SSL certificate failure.
+ - Update error printout for duplicate trust anchors to include
+ the trust anchor name (relates to #920).
+ - Update message TTL when using cached RRSETs. It could result
+ in non-expired messages with expired RRSETs (non-usable
+ messages by Unbound).
+ - Merge #999: Search for protobuf-c with pkg-config.
+ - Fix #1006: Can't find protobuf-c package since #999.
+ - Fix documentation for access-control in the unbound.conf man
+ page.
+ - Merge #1010: Mention REFUSED has the TC bit set with
+ unmatched allow_cookie acl in the manpage. It also fixes the
+ code to match the documentation about clients with a valid
+ cookie that bypass the ratelimit regardless of the
+ allow_cookie acl.
+ - Document the suspend argument for process_ds_response().
+ - Move github workflows to use checkoutv4.
+ - Fix edns subnet replies for scope zero answers to not get
+ stored in the global cache, and in cachedb, when the upstream
+ replies without an EDNS record.
+ - Fix for #1022: Fix ede prohibited in access control refused
+ answers.
+ - Fix unbound-control-setup.cmd to use 3072 bits so that
+ certificates are long enough for newer OpenSSL versions.
+ - Fix TTL of synthesized CNAME when a DNAME is used from cache.
+ - Fix unbound-control-setup.cmd to have CA v3 basicConstraints,
+ like unbound-control-setup.sh has.
+
+-------------------------------------------------------------------
+Fri Mar 8 10:15:41 UTC 2024 - Jorik Cronenberg
+
+- Update to 1.19.2:
+ * Bug Fixes:
+ - Fix CVE-2024-1931, Denial of service when trimming EDE text
+ on positive replies.
+ [bsc#1221164]
+
+-------------------------------------------------------------------
+Wed Feb 28 13:35:31 UTC 2024 - Pedro Monreal
+
+- Update to 1.19.1:
+ * Bug Fixes: [bsc#1219823, CVE-2023-50387][bsc#1219826, CVE-2023-50868]
+ - Fix CVE-2023-50387, DNSSEC verification complexity can be
+ exploited to exhaust CPU resources and stall DNS resolvers.
+ - Fix CVE-2023-50868, NSEC3 closest encloser proof can exhaust CPU.
+
+-------------------------------------------------------------------
+Tue Feb 6 13:27:06 UTC 2024 - Stefan Seyfried
+
+- as we use --disable-explicit-port-randomisation, also disable
+ outgoing-port-permit and outgoing-port-avoid in config file to
+ suppress the related unbound-checkconf warnings on every start
+
+-------------------------------------------------------------------
+Fri Nov 17 09:50:18 UTC 2023 - Pedro Monreal
+
+- Update to 1.19.0:
+ * Features:
+ - Fix #850: [FR] Ability to use specific database in Redis, with
+ new redis-logical-db configuration option.
+ - Merge #944: Disable EDNS DO. Disable the EDNS DO flag in upstream
+ requests. This can be helpful for devices that cannot handle
+ DNSSEC information. But it should not be enabled otherwise, because
+ that would stop DNSSEC validation. The DNSSEC validation would not
+ work for Unbound itself, and also not for downstream users. Default
+ is no. The option is disable-edns-do: no
+ - Expose the script filename in the Python module environment 'mod_env'
+ instead of the config_file structure which includes the linked list
+ of scripts in a multi Python module setup; fixes #79.
+ - Expose the configured listening and outgoing interfaces, if any, as
+ a list of strings in the Python 'config_file' class instead of the
+ current Swig object proxy; fixes #79.
+ - Mailing list patches from Daniel Gröber for DNS64 fallback to plain
+ AAAA when no A record exists for synthesis, and minor DNS64 code
+ refactoring for better readability.
+ - Merge #951: Cachedb no store. The cachedb-no-store: yes option is
+ used to stop cachedb from writing messages to the backend storage.
+ It reads messages when data is available from the backend.
+ The default is no.
+ * Bug Fixes:
+ - Fix for version generation race condition that ignored changes.
+ - Fix #942: 1.18.0 libunbound DNS regression when built without OpenSSL.
+ - Fix for WKS call to getservbyname that creates allocation on exit in
+ unit test by testing numbers first and testing from the services list later.
+ - Fix autoconf 2.69 warnings in configure.
+ - Fix #927: unbound 1.18.0 make test error. Fix make test without SHA1.
+ - Merge #931: Prevent warnings from -Wmissing-prototypes.
+ - Fix to scrub resource records of type A and AAAA that have an
+ inappropriate size. They are removed from responses.
+ - Fix to move msgparse_rrset_remove_rr code to util/msgparse.c.
+ - Fix to add EDE text when RRs have been removed due to length.
+ - Fix to set ede match in unit test for rr length removal.
+ - Fix to print EDE text in readable form in output logs.
+ - Fix send of udp retries when ENOBUFS is returned. It stops looping
+ and also waits for the condition to go away. Reported by Florian Obser.
+ - Fix authority zone answers for obscured DNAMEs and delegations.
+ - Merge #936: Check for c99 with autoconf versions prior to 2.70.
+ - Fix to remove two c99 notations.
+ - Fix rpz tcp-only action with rpz triggers nsdname and nsip.
+ - Fix misplaced comment.
+ - Merge #881: Generalise the proxy protocol code.
+ - Fix #946: Forwarder returns servfail on upstream response noerror no data.
+ - Fix edns subnet so that queries with a source prefix of zero cause the
+ recursor send no edns subnet option to the upstream.
+ - Fix that printout of EDNS options shows the EDNS cookie option by name.
+ - Fix infinite loop when reading multiple lines of input on a broken remote
+ control socket. Addesses #947 and #948.
+ - Fix #949: "could not create control compt".
+ - Fix that cachedb does not warn when serve-expired is disabled about use
+ of serve-expired-reply-ttl and serve-expired-client-timeout.
+ - Fix for #949: Fix pythonmod/ubmodule-tst.py for Python 3.x.
+ - Better fix for infinite loop when reading multiple lines of input on a
+ broken remote control socket, by treating a zero byte line the same as
+ transmission end. Addesses #947 and #948.
+ - For multi Python module setups, clean previously parsed module functions
+ in __main__'s dictionary, if any, so that only current module functions
+ are registered.
+ - Fix #954: Inconsistent RPZ handling for A record returned along with CNAME.
+ - Fixes for the DNS64 patches.
+ - Update the dns64_lookup.rpl test for the DNS64 fallback patch.
+ - Merge #955 from buevsan: fix ipset wrong behavior.
+ - Update testdata/ipset.tdir test for ipset fix.
+ - Fix to print detailed errors when an SSL IO routine fails via SSL_get_error.
+ - Clearer configure text for missing protobuf-c development libraries.
+ - autoconf.
+ - Merge #930 from Stuart Henderson: add void to log_ident_revert_to_default
+ declaration.
+ - Fix #941: dnscrypt doesn't work after upgrade to 1.18 with suggestion by
+ dukeartem to also fix the udp_ancil with dnscrypt.
+ - Fix SSL compile failure for definition in log_crypto_err_io_code_arg.
+ - Fix SSL compile failure for other missing definitions in log_crypto_err_io_code_arg.
+ - Fix compilation without openssl, remove unused function warning.
+ - Mention flex and bison in README.md when building from repository source.
+
+-------------------------------------------------------------------
+Thu Sep 7 08:03:33 UTC 2023 - Pedro Monreal
+
+- Update to 1.18.0:
+ * Features:
+ - Аdd a metric about the maximum number of collisions in lrushah.
+ - Set max-udp-size default to 1232. This is the same default value
+ as the default value for edns-buffer-size. It restricts client
+ edns buffer size choices, and makes unbound behave similar to
+ other DNS resolvers.
+ - Add harden-unknown-additional option. It removes unknown records
+ from the authority section and additional section.
+ - Added new static zone type block_a to suppress all A queries for
+ specific zones.
+ - [FR] Ability to use Redis unix sockets.
+ - [FR] Ability to set the Redis password.
+ - Features/dropqueuedpackets, with sock-queue-timeout option that
+ drops packets that have been in the socket queue for too long.
+ Added statistics num.queries_timed_out and query.queue_time_us.max
+ that track the socket queue timeouts.
+ - 'eqvinox' Lamparter: NAT64 support.
+ - [FR] Use kernel timestamps for dnstap.
+ - Add cachedb hit stat. Introduces 'num.query.cachedb' as a new
+ statistical counter.
+ - Add SVCB dohpath support.
+ - Add validation EDEs to queries where the CD bit is set.
+ - Add prefetch support for subnet cache entries.
+ - Add EDE (RFC8914) caching.
+ - Add support for EDE caching in cachedb and subnetcache.
+ - Downstream DNS Server Cookies a la RFC7873 and RFC9018. Create server
+ cookies for clients that send client cookies. This needs to be explicitly
+ turned on in the config file with: `answer-cookie: yes`.
+ * Bug Fixes
+ - Response change to NODATA for some ANY queries since 1.12.
+ - Fix not following cleared RD flags potentially enables
+ amplification DDoS attacks.
+ - Set default for harden-unknown-additional to no. So that it
+ does not hamper future protocol developments.
+ - Fix to ignore entirely empty responses, and try at another authority.
+ This turns completely empty responses, a type of noerror/nodata into
+ a servfail, but they do not conform to RFC2308, and the retry can fetch
+ improved content.
+ - Allow TTL refresh of expired error responses.
+ - Fix: Unexpected behavior with client-subnet-always-forward and serve-expired
+ - Fix unbound-dnstap-socket test program to reply the finish frame over
+ a TLS connection correctly.
+ - Fix: reserved identifier violation
+ - Fix: Unencrypted query is sent when forward-tls-upstream: yes is used
+ without tls-cert-bundle
+ - Extra consistency check to make sure that when TLS is requested,
+ either we set up a TLS connection or we return an error.
+ - Fix: NXDOMAIN instead of NOERROR rcode when asked for existing CNAME record.
+ - Fix: Bad interaction with 0 TTL records and serve-expired
+ - Fix RPZ IP responses with trigger rpz-drop on cache entries.
+ - Fix RPZ removal of client-ip, nsip, nsdname triggers from IXFR.
+ - Fix dereference of NULL variable warning in mesh_do_callback.
+ - Fix ip_ratelimit test to work with dig that enables DNS cookies.
+ - Fix for iter_dec_attempts that could cause a hang, part of capsforid
+ and qname minimisation, depending on the settings.
+ - Fix uninitialized memory passed in padding bytes of cmsg to sendmsg.
+ - Fix stat_values test to work with dig that enables DNS cookies.
+ - unbound.service: Main process exited, code=killed, status=11/SEGV.
+ Fixes cachedb configuration handling.
+ - Fix: processQueryResponse() THROWAWAY should be mindful of fail_reply.
+
+-------------------------------------------------------------------
+Thu May 4 13:57:54 UTC 2023 - Frederic Crozat
+
+- Add _multibuild to define additional spec files as additional
+ flavors.
+ Eliminates the need for source package links in OBS.
+
-------------------------------------------------------------------
Thu Feb 23 09:15:48 UTC 2023 - Pedro Monreal
diff --git a/libunbound-devel-mini.spec b/libunbound-devel-mini.spec
index 350c22b..5d88751 100644
--- a/libunbound-devel-mini.spec
+++ b/libunbound-devel-mini.spec
@@ -1,7 +1,7 @@
#
# spec file for package libunbound-devel-mini
#
-# Copyright (c) 2023 SUSE LLC
+# Copyright (c) 2024 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -22,7 +22,8 @@
%bcond_without hardened_build
#
Name: libunbound-devel-mini
-Version: 1.17.1
+Version: 1.21.0
+#!BcntSyncTag: unbound
Release: 0
Summary: Just a devel package for build loops
License: BSD-3-Clause
diff --git a/unbound-1.17.1.tar.gz b/unbound-1.17.1.tar.gz
deleted file mode 100644
index 95dfed0..0000000
--- a/unbound-1.17.1.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:ee4085cecce12584e600f3d814a28fa822dfaacec1f94c84bfd67f8a5571a5f4
-size 6244773
diff --git a/unbound-1.17.1.tar.gz.asc b/unbound-1.17.1.tar.gz.asc
deleted file mode 100644
index 96b89b9..0000000
--- a/unbound-1.17.1.tar.gz.asc
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEE7fqj8spObrBWga+On28cLX4EX40FAmO/wmUACgkQn28cLX4E
-X40EBxAApOIAHQGYxRcnMWgqB+hN2YR+M/CcOz19UiQ/KrG8f+ji9mUfIUsUTQsa
-Oat/TuWPqQ4gCXocX4Dc4+LE0bebHVJkg4TQniEIjYOWja/6uBOfav14GBfJsq+m
-3A9IBdOGYTAR5mGfTs1cxJfWAbX3U+oroKwn5zPh+wCRR0CoY8sEumZu7Tzb4yUx
-OPhlj1Qzz/NkSi+0RkwogJy2hHdXVvHYUtTDKheFye/GeGa+trRnu8mCKpuyw6N9
-dnQ7oXlCds8JW7YgaBf4qh1pH6VO18CTo7KG3yKiEeRb+HRRmr7KKQUOlefjcct+
-QKOFhSPnVYhfvaPYEQiqVQ92ae7/wBT6cQzOMXRbY+NQjr/QfeF3QWTMRFrz3kHn
-ZccpvcsjOR3wRDGQkcaa8ta40soEkzD+XRPK4oxB9D/Z5FOVoR/WTX9DZVm7PJ5+
-SGHFBGOddICBWao1h01KCSyQ7nxNi1lLIRndj+AKtQAW/kO8hKh4YYKHAlI0dRQD
-MLitcrQOU1pJha+hhb/87BihtXlevUVO45ctCLLooSCrVG8cca8p3jwvJoPPwdCp
-1MBVZv8STPAO//4XoZkAtTcgnaUle/ro/1DFmAK/IhDyU4KP6l3uvcUvsk3Xpk1O
-AzazgiqVuIYXQ98cTh0QzAGUuFAWNFqWSF2mj+poNv0RnL/J14U=
-=xZw4
------END PGP SIGNATURE-----
diff --git a/unbound-1.21.0.tar.gz b/unbound-1.21.0.tar.gz
new file mode 100644
index 0000000..77cc61a
--- /dev/null
+++ b/unbound-1.21.0.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e7dca7d6b0f81bdfa6fa64ebf1053b5a999a5ae9278a87ef182425067ea14521
+size 6575675
diff --git a/unbound-1.21.0.tar.gz.asc b/unbound-1.21.0.tar.gz.asc
new file mode 100644
index 0000000..d2426af
--- /dev/null
+++ b/unbound-1.21.0.tar.gz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEE7fqj8spObrBWga+On28cLX4EX40FAma9sjoACgkQn28cLX4E
+X43OQhAApRqRpVAILKhqBjf2ilKLqEFgCxyT4cXiMVBTMtlx9/bTxec/JeXVdO7h
+nA4oFb7HwRPkOJnTfwk7kWk8SFBoGv+lb2YVdgSgaftqgFR3dmoyACIf9QqyFUuO
+kLiIpNer6f1rRmGs850t+XE9YS+Adn3jPi6r5vnuXekoXjY8h18cSRSlWL42At2j
+V7NpCbRUshwCP71PS1AVE1SHtHsxD5yCrCzuMDTZIroCiAPu4k0JkqKri7ie4cqf
+rjvqsVN7fngXj3bLShJcjcnBRxMoEMJ5ubY7d9SZBm8kvREy1ILAmlwejhhcZzC7
+Yc14v+wreaEYte1KmVwtgFDwvwbJqho2OwRJgPmUVVyJ8F15ESsl5ahgZJhZ893o
+BCbapmEMJEPsIzITbvJg+WOwpFZQp6VZu+NQqd12WTanZuIwnp54Q/YQo0RqTfK4
+qyMLKFmKXmaKNmgqtXcs2Bn6NVeDZpO/f0B1/fDkUot4xSGHWIEQGK/u5DHbemyS
+/3DaTvUQVLke9E3pDDP6J5qvc7tRZK6qQ4GXwkc7FFocHzos54aCusyUQw22K7k4
+MEOwlQBqcof5UeLRkGVhianOsxzFGIiNC/LNI4pJlKT13u20YiBpweNJBC+jMIJI
+Ohz4vCE74OgT3M74I+dmKzEk6Xvor0id7eKsLpbiJuaof+j4oUQ=
+=1ZET
+-----END PGP SIGNATURE-----
diff --git a/unbound.changes b/unbound.changes
index 8bedaf7..8cca2ec 100644
--- a/unbound.changes
+++ b/unbound.changes
@@ -1,3 +1,619 @@
+-------------------------------------------------------------------
+Thu Aug 15 09:24:29 UTC 2024 - Jorik Cronenberg
+
+- Update to 1.21.0:
+ Security Fixes:
+ * Merge #1073: fix null pointer dereference issue in function
+ ub_ctx_set_fwd.
+ [CVE-2024-43167, bsc#1229068]
+
+ Features:
+ * Fix #1071: [FR] Clear both in-memory and cachedb module cache
+ with `unbound-control flush*` commands.
+ * Fix #144: Port ipset to BSD pf tables.
+ * Add dnstap-sample-rate that logs only 1/N messages, for high
+ volume server environments. Thanks Dan Luther.
+ * Add root key 38696 from 2024 for DNSSEC validation. It is added
+ to the default root keys in unbound-anchor. The content can be
+ inspected with `unbound-anchor -l`.
+ * Merge #1090: Cookie secret file. Adds `cookie-secret-file:
+ "unbound_cookiesecrets.txt"` option to store cookie secrets for
+ EDNS COOKIE secret rollover. The remote control
+ add_cookie_secret, activate_cookie_secret and
+ drop_cookie_secret commands can be used for rollover, the
+ command print_cookie_secrets shows the values in use.
+
+ Bug Fixes:
+ * Fix CAMP issues with global quota. Thanks to Huayi
+ Duan, Marco Bearzi, Jodok Vieli, and Cagin Tanir from NetSec
+ group, ETH Zurich.
+ * Fix CacheFlush issues with limit on NS RRs. Thanks to Yehuda
+ Afek, Anat Bremler-Barr, Shoham Danino and Yuval Shavitt
+ (Tel-Aviv University and Reichman University).
+ * Merge #1062: Fix potential overflow bug while parsing port in
+ function cfg_mark_ports.
+ * Fix for #1062: declaration before statement, avoid print of
+ null, and redundant check for array size.
+ * Fix to squelch udp connect errors in the log at low verbosity
+ about invalid argument for IPv6 link local addresses.
+ * Fix when the mesh jostle is exceeded that nameserver targets
+ are marked as resolved, so that the lookup is not stuck on the
+ requestlist.
+ * Add missing common functions to tdir tests.
+ * Merge #1070: Fix rtt assignement for low values of
+ infra-cache-max-rtt.
+ * Merge #1069: Fix unbound-control stdin commands for
+ multi-process Unbounds.
+ * Fix unbound-control commands that read stdin in multi-process
+ operation (local_zones_remove, local_zones, local_datas_remove,
+ local_datas, view_local_datas_remove, view_local_datas). They
+ will be properly distributed to all processes. dump_cache and
+ load_cache are no longer supported in multi-process operation.
+ * Remove testdata/remote-threaded.tdir.
+ testdata/09-unbound-control.tdir now checks both single and
+ multi process/thread operation.
+ * Fix to print a parse error when config is read with no name for
+ a forward-zone, stub-zone or view.
+ * Fix for parse end of forward-zone, stub-zone and view.
+ * Fix for #1064: Fix that cachedb expired messages are considered
+ insecure, and thus can be served to clients when dnssec is
+ enabled.
+ * Fix #1059: Intermittent DNS blocking failure with local-zone
+ and always_nxdomain. Addition of local_zones dynamically via
+ unbound-control was not finding the zone's parent correctly.
+ * Fix #1064: Unbound 1.20 Cachedb broken?
+ * Fix unused variable warning on compilation with no thread
+ support.
+ * unbound-control-setup: check openssl availability before doing
+ anything, patch from Michael Tokarev.
+ * Update patch to remove 'command' shell builtin and update error
+ text.
+ * Fix to enable that SERVFAIL is cached, for a short period, for
+ more cases. In the cases where limits are exceeded.
+ * Fix spelling of tcp-idle-timeout docs, from Michael Tokarev.
+ * Merge #1078: Only check old pid if no username.
+ * Fix #1079: tags from tagged rpz zones are no longer honored
+ after upgrade from 1.19.3 to 1.20.0.
+ * Fix for #1079: fix RPZ taglist in iterator callback that no
+ client info is like no taglist intersection.
+ * Fix to squelch connection reset by peer errors from log. And
+ fix that the tcp read errors are labeled as initial for the
+ first calls.
+ * Merge #1080: AddressSanitizer detection in tdir tests and
+ memory leak fixes.
+ * Fix memory leak when reload_keep_cache is used and num-threads
+ changes.
+ * Fix memory leak on exit for unbound-dnstap-socket; creates
+ false negatives during testing.
+ * Fix memory leak in setup of dsa sig.
+ * Fix typos for 'the the' in text.
+ * Fix validation for repeated use of a DNAME record.
+ * Add unit test for validation of repeated use of a DNAME record.
+ * Fix #1091: Build fails with OpenSSL >= 3.0 built with
+ OPENSSL_NO_DEPRECATED.
+ * Fix #1092: Ubuntu 22.04 Jammy fails to compile unbound 1.20.0;
+ by adding helpful text for the Python interpreter version and
+ allowing the default pkg-config unavailability error message to
+ be shown.
+ * Fix pkg-config availability check in dnstap/dnstap.m4 and
+ systemd.m4.
+ * Explicitly set the RD bit for the mesh query flags when
+ prefetching. These queries have no waiting client but they need
+ to be treated as recursive.
+ * Fix ip-ratelimit-cookie setting, it was not applied.
+ * Fix to remove unused include from the readzone test program.
+ * Fix unused variable warning in do_cache_remove.
+ * Fix compile warning in worker pthread id printout.
+ * Add unit test skip files and bison and flex output to
+ gitignore.
+ * Fix to use modstack_init in zonemd unit test.
+ * Fix to remove unneeded linebreak in fptr_wlist.c.
+ * Fix compile warnings in fptr_wlist.c.
+ * Fix for repeated use of a DNAME record: first overallocate and
+ then move the exact size of the init value to avoid false
+ positive heap overflow reads from address sanitizers.
+ * Fix to print details about the failure to lookup a DNSKEY
+ record when validation fails due to the missing DNSKEY. Also
+ for key prime and DS lookups.
+ * Fix for neater printout for error for missing DS response.
+ * Fix neater printout.
+ * Fix #1099: Unbound core dump on SIGSEGV.
+ * Fix for #1099: Fix to check for deleted RRset when the contents
+ is updated and fetched after it is stored, and also check for a
+ changed RRset.
+ * Don't check for message TTL changes if the RRsets remain the
+ same.
+ * Fix that validation reason failure that uses string print uses
+ separate buffer that is passed, from the scratch validation
+ buffer.
+ * Fixup algo_needs_reason string buffer length.
+ * Fix shadowed error string variable in validator dnskey
+ handling.
+ * Update list of known EDE codes.
+ * For #773: In contrib/unbound.service.in set unbound to start
+ after network-online.target. Also for
+ contrib/unbound_portable.service.in.
+ * Fix #1103: unbound 1.20.0 segmentation fault with nghttp2.
+ * For #1103: fix to also drop mesh state reference when a h2
+ reply is dropped.
+ * Add RPZ tag tests in acl_interface.tdir.
+ * For #1102: clearer text for using interface-* options for the
+ loopback interface.
+ * For #1103: fix to also drop mesh state reference when the
+ discard limit is reached, when there is an error making a new
+ recursion state and when the connection is dropped with
+ is_drop.
+ * For #1103: Fix to drop mesh state reference for the http2
+ stream associated with the reply, not the currently active
+ stream. And it does not remove it twice on a mesh_send_reply
+ call. The reply h2_stream is NULL when not in use, for more
+ initialisation.
+ * Fix dnstap wakeup, a running wakeup timer is left to expire and
+ not increased, a timer is started when the dtio thread is
+ sleeping, the timer set disabled when the dtio thread goes to
+ sleep, and after sleep the thread checks to see if there are
+ messages to log immediately.
+ * Merge #1110: Make fallthrough explicit for libworker.c.
+ * For #1110: Test for fallthrough attribute in configure and add
+ fallthrough attribute annotations.
+ * Fix compile when the compiler does not support the noreturn
+ attribute.
+ * Fix to have empty definition when not supported for weak
+ attribute.
+ * Fix uninitialized variable warning in create_tcp_accept_sock.
+ * Fix link of dnstap without openssl.
+ * Fix link of unbound-dnstap-socket without openssl.
+ * Fix #1106: ratelimit-below-domain logs the wrong FROM address.
+ * Cleanup ede.tdir test.
+ * For #935 and #1104, clarify RPZ order and semantics.
+ * Fix to document parameters of auth_zone_verify_zonemd_with_key.
+ * Fix for #1114: Fix that cache fill for forward-host names is
+ performed, so that with nonzero target-fetch-policy it fetches
+ forwarder addresses and uses them from cache. Also updated that
+ delegation point cache fill routines use CDflag for AAAA
+ message lookups, so that its negative lookup stops a recursion
+ since the cache uses the bit for disambiguation for dns64 but
+ the recursion uses CDflag for the AAAA target lookups, so the
+ check correctly stops a useless recursion by its cache lookup.
+ * Fix dnstap test program, cleans up to have clean memory on
+ exit, for tap_data_free, does not delete NULL items. Also it
+ does not try to free the tail, specifically in the free of the
+ list since that picked up the next item in the list for its
+ loop causing invalid free. Added internal unit test to
+ unbound-dnstap-socket for that.
+ * Fix that the worker mem report with alloc stats does not
+ attempt to print memory use of forwards and hints if they have
+ been deleted already.
+ * Fix that alloc stats has strdup checks, it stops debuggers from
+ complaining about mismatch at free time.
+ * Fix testbound for alloc stats strdup in util/alloc.c.
+ * Fix that alloc stats for forwards and hints are printed, and
+ when alloc stats is enabled, the unit test for unbound control
+ waits for reloads to complete.
+ * Fix that for windows the module startup is called and sets up
+ the module-config.
+ * Fix spelling for the cache-min-negative-ttl entry in the
+ example.conf.
+
+-------------------------------------------------------------------
+Wed May 8 09:15:01 UTC 2024 - Jorik Cronenberg
+
+- Update to 1.20.0:
+ Features:
+ * The config for discard-timeout, wait-limit, wait-limit-cookie,
+ wait-limit-netblock and wait-limit-cookie-netblock was added,
+ for the fix to the DNSBomb issue.
+ * Merge GH#1027: Introduce 'cache-min-negative-ttl' option.
+ * Merge GH#1043 from xiaoxiaoafeifei: Add loongarch support;
+ updates config.guess(2024-01-01) and config.sub(2024-01-01),
+ verified with upstream.
+ * Implement cachedb-check-when-serve-expired: yes option, default
+ is enabled. When serve expired is enabled with cachedb, it
+ first checks cachedb before serving the expired response.
+ * Fix GH#876: [FR] can unbound-checkconf be silenced when
+ configuration is valid?
+
+ Bug Fixes:
+ * Fix for the DNSBomb vulnerability CVE-2024-33655. Thanks to
+ Xiang Li from the Network and Information Security Lab of
+ Tsinghua University for reporting it.
+ * Update doc/unbound.doxygen with 'doxygen -u'. Fixes option
+ deprecation warnings and updates with newer defaults.
+ * Remove unused portion from iter_dname_ttl unit test.
+ * Fix validator classification of qtype DNAME for positive and
+ redirection answers, and fix validator signature routine for
+ dealing with the synthesized CNAME for a DNAME without
+ previously encountering it and also for when the qtype is
+ DNAME.
+ * Fix qname minimisation for reply with a DNAME for qtype CNAME
+ that answers it.
+ * Fix doc test so it ignores but outputs unsupported doxygen
+ options.
+ * Fix GH#1021 Inconsistent Behavior with Changing
+ rpz-cname-override and doing a unbound-control reload.
+ * Merge GH#1028: Clearer documentation for tcp-idle-timeout and
+ edns-tcp-keepalive-timeout.
+ * Fix GH#1029: rpz trigger clientip and action rpz-passthru not
+ working as expected.
+ * Fix rpz that the rpz override is taken in case of clientip
+ triggers. Fix that the clientip passthru action is logged. Fix
+ that the clientip localdata action is logged. Fix rpz override
+ action cname for the clientip trigger.
+ * Fix to unify codepath for local alias for rpz cname action
+ override.
+ * Fix rpz for cname override action after nsdname and nsip
+ triggers.
+ * Fix that addrinfo is not kept around but copied and freed, so
+ that log-destaddr uses a copy of the information, much like NSD
+ does.
+ * Merge GH#1030: Persist the openssl and expat directories for
+ repeated Windows builds.
+ * Fix that rpz CNAME content is limited to the max number of
+ cnames.
+ * Fix rpz, it follows iterator CNAMEs for nsip and nsdname and
+ sets the reply query_info values, that is better for debug
+ logging.
+ * Fix rpz that copies the cname override completely to the temp
+ region, so there are no references to the rpz region.
+ * Add rpz unit test for nsip action override.
+ * Fix rpz for qtype CNAME after nameserver trigger.
+ * Fix rpz so that rpz CNAME can apply after rpz CNAME. And fix
+ that clientip and nsip can give a CNAME.
+ * Fix localdata and rpz localdata to match CNAME only if no
+ direct type match is available.
+ * Merge GH#831 from Pierre4012: Improve Windows NSIS installer
+ script (setup.nsi).
+ * For GH#831: Format text, use exclamation icon and explicit label
+ names.
+ * Fix name of unit test for subnet cache response.
+ * Fix GH#1032: The size of subnet_msg_cache calculation mistake
+ cause memory usage increased beyond expectations.
+ * Fix for GH#1032, add safeguard to make table space positive.
+ * Fix comment in lruhash space function.
+ * Fix to add unit test for lruhash space that exercises the
+ routines.
+ * Fix that when the server truncates the pidfile, it does not
+ follow symbolic links.
+ * Fix that the server does not chown the pidfile.
+ * Fix GH#1034: DoT forward-zone via unbound-control.
+ * Fix for crypto related failures to have a better error string.
+ * Fix GH#1035: Potential Bug while parsing port from the
+ "stub-host" string; also affected forward-zones and
+ remote-control host directives.
+ * Fix GH#369: dnstap showing extra responses; for client responses
+ right from the cache when replying with expired data or
+ prefetching.
+ * Fix GH#1040: fix heap-buffer-overflow issue in function
+ cfg_mark_ports of file util/config_file.c.
+ * For GH#1040: adjust error text and disallow negative ports in
+ other parts of cfg_mark_ports.
+ * Fix comment syntax for view function views_find_view.
+ * Fix GH#595: unbound-anchor cannot deal with full disk; it will
+ now first write out to a temp file before replacing the
+ original one, like Unbound already does for
+ auto-trust-anchor-file.
+ * Fixup compile without cachedb.
+ * Add test for cachedb serve expired.
+ * Extended test for cachedb serve expired.
+ * Fix makefile dependencies for fake_event.c.
+ * Fix cachedb for serve-expired with serve-expired-reply-ttl.
+ * Fix to not reply serve expired unless enabled for cachedb.
+ * Fix cachedb for serve-expired with
+ serve-expired-client-timeout.
+ * Fixup unit test for cachedb server expired client timeout with
+ a check if response if from upstream or from cachedb.
+ * Fixup cachedb to not refetch when serve-expired-client-timeout
+ is used.
+ * Merge GH#1049 from Petr Menšík: Py_NoSiteFlag is not needed since
+ Python 3.8
+ * Fix GH#1048: Update ax_pkg_swig.m4 and ax_pthread.m4.
+ * Fix configure, autoconf for GH#1048.
+ * Add checklock feature verbose_locking to trace locks and
+ unlocks.
+ * Fix edns subnet to sort rrset references when storing messages
+ in the cache. This fixes a race condition in the rrset locks.
+ * Merge GH#1053: Remove child delegations from cache when
+ grandchild delegations are returned from parent.
+ * Fix ci workflow for macos for moved install locations.
+ * Fix configure flto check error, by finding grep for it.
+ * Merge GH#1041: Stub and Forward unshare. This has one structure
+ for them and fixes GH#1038: fatal error: Could not initialize
+ thread / error: reading root hints.
+ * Fix to disable fragmentation on systems with IP_DONTFRAG, with
+ a nonzero value for the socket option argument.
+ * Fix doc unit test for out of directory build.
+ * Fix cachedb with serve-expired-client-timeout disabled. The
+ edns subnet module deletes global cache and cachedb cache when
+ it stores a result, and serve-expired is enabled, so that the
+ global reply, that is older than the ecs reply, does not return
+ after the ecs reply expires.
+ * Add unit tests for cachedb and subnet cache expired data.
+ * Man page entry for unbound-checkconf -q.
+ * Cleanup unnecessary strdup calls for EDE strings.
+ * Fix doxygen comment for errinf_to_str_bogus.
+
+-------------------------------------------------------------------
+Wed Mar 20 13:09:17 UTC 2024 - Jorik Cronenberg
+
+- Update to 1.19.3:
+ * Features:
+ - Merge PR #973: Use the origin (DNAME) TTL for synthesized
+ CNAMEs as per RFC 6672.
+ * Bug Fixes
+ - Fix unit test parse of origin syntax.
+ - Use 127.0.0.1 explicitly in tests to avoid delays and errors
+ on newer systems.
+ - Fix #964: config.h.in~ backup file in release tar balls.
+ - Merge #968: Replace the obsolescent fgrep with grep -F in
+ tests.
+ - Merge #971: fix 'WARNING: Message has 41 extra bytes at end'.
+ - Fix #969: [FR] distinguish Do53, DoT and DoH in the logs.
+ - Fix dnstap that assertion failed on logging other than UDP
+ and TCP traffic. It lists it as TCP traffic.
+ - Fix to sync the tests script file common.sh.
+ - iana portlist update.
+ - Updated IPv4 and IPv6 address for b.root-servers.net in root
+ hints.
+ - Update test script file common.sh.
+ - Fix tests to use new common.sh functions, wait_logfile and
+ kill_from_pidfile.
+ - Fix #974: doc: default number of outgoing ports without
+ libevent.
+ - Merge #975: Fixed some syntax errors in rpl files.
+ - Fix root_zonemd unit test, it checks that the root ZONEMD
+ verifies, now that the root has a valid ZONEMD.
+ - Update example.conf with cookie options.
+ - Merge #980: DoH: reject non-h2 early. To fix #979: Improve
+ errors for non-HTTP/2 DoH clients.
+ - Merge #985: Add DoH and DoT to dnstap message.
+ - Fix #983: Sha1 runtime insecure change was incomplete.
+ - Remove unneeded newlines and improve indentation in remote
+ control code.
+ - Merge #987: skip edns frag retry if advertised udp payload
+ size is not smaller.
+ - Fix unit test for #987 change in udp1xxx retry packet send.
+ - Merge #988: Fix NLnetLabs#981: dump_cache truncates large
+ records.
+ - Fix to link with -lcrypt32 for OpenSSL 3.2.0 on Windows.
+ - Fix to link with libssp for libcrypto and getaddrinfo check
+ for only header. Also update crosscompile to remove ssp for
+ 32bit.
+ - Merge #993: Update b.root-servers.net also in example config
+ file.
+ - Update workflow for ports to use newer openssl on windows
+ compile.
+ - Fix warning for windres on resource files due to
+ redefinition.
+ - Fix for #997: Print details for SSL certificate failure.
+ - Update error printout for duplicate trust anchors to include
+ the trust anchor name (relates to #920).
+ - Update message TTL when using cached RRSETs. It could result
+ in non-expired messages with expired RRSETs (non-usable
+ messages by Unbound).
+ - Merge #999: Search for protobuf-c with pkg-config.
+ - Fix #1006: Can't find protobuf-c package since #999.
+ - Fix documentation for access-control in the unbound.conf man
+ page.
+ - Merge #1010: Mention REFUSED has the TC bit set with
+ unmatched allow_cookie acl in the manpage. It also fixes the
+ code to match the documentation about clients with a valid
+ cookie that bypass the ratelimit regardless of the
+ allow_cookie acl.
+ - Document the suspend argument for process_ds_response().
+ - Move github workflows to use checkoutv4.
+ - Fix edns subnet replies for scope zero answers to not get
+ stored in the global cache, and in cachedb, when the upstream
+ replies without an EDNS record.
+ - Fix for #1022: Fix ede prohibited in access control refused
+ answers.
+ - Fix unbound-control-setup.cmd to use 3072 bits so that
+ certificates are long enough for newer OpenSSL versions.
+ - Fix TTL of synthesized CNAME when a DNAME is used from cache.
+ - Fix unbound-control-setup.cmd to have CA v3 basicConstraints,
+ like unbound-control-setup.sh has.
+
+-------------------------------------------------------------------
+Fri Mar 8 10:12:30 UTC 2024 - Jorik Cronenberg
+
+- Update to 1.19.2:
+ * Bug Fixes:
+ - Fix CVE-2024-1931, Denial of service when trimming EDE text
+ on positive replies.
+ [bsc#1221164]
+
+-------------------------------------------------------------------
+Wed Feb 28 13:35:31 UTC 2024 - Pedro Monreal
+
+- Update to 1.19.1:
+ * Bug Fixes: [bsc#1219823, CVE-2023-50387][bsc#1219826, CVE-2023-50868]
+ - Fix CVE-2023-50387, DNSSEC verification complexity can be
+ exploited to exhaust CPU resources and stall DNS resolvers.
+ - Fix CVE-2023-50868, NSEC3 closest encloser proof can exhaust CPU.
+
+-------------------------------------------------------------------
+Tue Feb 6 13:27:06 UTC 2024 - Stefan Seyfried
+
+- as we use --disable-explicit-port-randomisation, also disable
+ outgoing-port-permit and outgoing-port-avoid in config file to
+ suppress the related unbound-checkconf warnings on every start
+
+-------------------------------------------------------------------
+Tue Jan 23 09:32:21 UTC 2024 - Jakob Lorenz
+
+- Use prefixes instead of sudo in unbound.service (boo#1215628)
+
+-------------------------------------------------------------------
+Fri Nov 17 09:50:18 UTC 2023 - Pedro Monreal
+
+- Update to 1.19.0:
+ * Features:
+ - Fix #850: [FR] Ability to use specific database in Redis, with
+ new redis-logical-db configuration option.
+ - Merge #944: Disable EDNS DO. Disable the EDNS DO flag in upstream
+ requests. This can be helpful for devices that cannot handle
+ DNSSEC information. But it should not be enabled otherwise, because
+ that would stop DNSSEC validation. The DNSSEC validation would not
+ work for Unbound itself, and also not for downstream users. Default
+ is no. The option is disable-edns-do: no
+ - Expose the script filename in the Python module environment 'mod_env'
+ instead of the config_file structure which includes the linked list
+ of scripts in a multi Python module setup; fixes #79.
+ - Expose the configured listening and outgoing interfaces, if any, as
+ a list of strings in the Python 'config_file' class instead of the
+ current Swig object proxy; fixes #79.
+ - Mailing list patches from Daniel Gröber for DNS64 fallback to plain
+ AAAA when no A record exists for synthesis, and minor DNS64 code
+ refactoring for better readability.
+ - Merge #951: Cachedb no store. The cachedb-no-store: yes option is
+ used to stop cachedb from writing messages to the backend storage.
+ It reads messages when data is available from the backend.
+ The default is no.
+ * Bug Fixes:
+ - Fix for version generation race condition that ignored changes.
+ - Fix #942: 1.18.0 libunbound DNS regression when built without OpenSSL.
+ - Fix for WKS call to getservbyname that creates allocation on exit in
+ unit test by testing numbers first and testing from the services list later.
+ - Fix autoconf 2.69 warnings in configure.
+ - Fix #927: unbound 1.18.0 make test error. Fix make test without SHA1.
+ - Merge #931: Prevent warnings from -Wmissing-prototypes.
+ - Fix to scrub resource records of type A and AAAA that have an
+ inappropriate size. They are removed from responses.
+ - Fix to move msgparse_rrset_remove_rr code to util/msgparse.c.
+ - Fix to add EDE text when RRs have been removed due to length.
+ - Fix to set ede match in unit test for rr length removal.
+ - Fix to print EDE text in readable form in output logs.
+ - Fix send of udp retries when ENOBUFS is returned. It stops looping
+ and also waits for the condition to go away. Reported by Florian Obser.
+ - Fix authority zone answers for obscured DNAMEs and delegations.
+ - Merge #936: Check for c99 with autoconf versions prior to 2.70.
+ - Fix to remove two c99 notations.
+ - Fix rpz tcp-only action with rpz triggers nsdname and nsip.
+ - Fix misplaced comment.
+ - Merge #881: Generalise the proxy protocol code.
+ - Fix #946: Forwarder returns servfail on upstream response noerror no data.
+ - Fix edns subnet so that queries with a source prefix of zero cause the
+ recursor send no edns subnet option to the upstream.
+ - Fix that printout of EDNS options shows the EDNS cookie option by name.
+ - Fix infinite loop when reading multiple lines of input on a broken remote
+ control socket. Addesses #947 and #948.
+ - Fix #949: "could not create control compt".
+ - Fix that cachedb does not warn when serve-expired is disabled about use
+ of serve-expired-reply-ttl and serve-expired-client-timeout.
+ - Fix for #949: Fix pythonmod/ubmodule-tst.py for Python 3.x.
+ - Better fix for infinite loop when reading multiple lines of input on a
+ broken remote control socket, by treating a zero byte line the same as
+ transmission end. Addesses #947 and #948.
+ - For multi Python module setups, clean previously parsed module functions
+ in __main__'s dictionary, if any, so that only current module functions
+ are registered.
+ - Fix #954: Inconsistent RPZ handling for A record returned along with CNAME.
+ - Fixes for the DNS64 patches.
+ - Update the dns64_lookup.rpl test for the DNS64 fallback patch.
+ - Merge #955 from buevsan: fix ipset wrong behavior.
+ - Update testdata/ipset.tdir test for ipset fix.
+ - Fix to print detailed errors when an SSL IO routine fails via SSL_get_error.
+ - Clearer configure text for missing protobuf-c development libraries.
+ - autoconf.
+ - Merge #930 from Stuart Henderson: add void to log_ident_revert_to_default
+ declaration.
+ - Fix #941: dnscrypt doesn't work after upgrade to 1.18 with suggestion by
+ dukeartem to also fix the udp_ancil with dnscrypt.
+ - Fix SSL compile failure for definition in log_crypto_err_io_code_arg.
+ - Fix SSL compile failure for other missing definitions in log_crypto_err_io_code_arg.
+ - Fix compilation without openssl, remove unused function warning.
+ - Mention flex and bison in README.md when building from repository source.
+
+-------------------------------------------------------------------
+Thu Sep 7 08:03:33 UTC 2023 - Pedro Monreal
+
+- Update to 1.18.0:
+ * Features:
+ - Аdd a metric about the maximum number of collisions in lrushah.
+ - Set max-udp-size default to 1232. This is the same default value
+ as the default value for edns-buffer-size. It restricts client
+ edns buffer size choices, and makes unbound behave similar to
+ other DNS resolvers.
+ - Add harden-unknown-additional option. It removes unknown records
+ from the authority section and additional section.
+ - Added new static zone type block_a to suppress all A queries for
+ specific zones.
+ - [FR] Ability to use Redis unix sockets.
+ - [FR] Ability to set the Redis password.
+ - Features/dropqueuedpackets, with sock-queue-timeout option that
+ drops packets that have been in the socket queue for too long.
+ Added statistics num.queries_timed_out and query.queue_time_us.max
+ that track the socket queue timeouts.
+ - 'eqvinox' Lamparter: NAT64 support.
+ - [FR] Use kernel timestamps for dnstap.
+ - Add cachedb hit stat. Introduces 'num.query.cachedb' as a new
+ statistical counter.
+ - Add SVCB dohpath support.
+ - Add validation EDEs to queries where the CD bit is set.
+ - Add prefetch support for subnet cache entries.
+ - Add EDE (RFC8914) caching.
+ - Add support for EDE caching in cachedb and subnetcache.
+ - Downstream DNS Server Cookies a la RFC7873 and RFC9018. Create server
+ cookies for clients that send client cookies. This needs to be explicitly
+ turned on in the config file with: `answer-cookie: yes`.
+ * Bug Fixes
+ - Response change to NODATA for some ANY queries since 1.12.
+ - Fix not following cleared RD flags potentially enables
+ amplification DDoS attacks.
+ - Set default for harden-unknown-additional to no. So that it
+ does not hamper future protocol developments.
+ - Fix to ignore entirely empty responses, and try at another authority.
+ This turns completely empty responses, a type of noerror/nodata into
+ a servfail, but they do not conform to RFC2308, and the retry can fetch
+ improved content.
+ - Allow TTL refresh of expired error responses.
+ - Fix: Unexpected behavior with client-subnet-always-forward and serve-expired
+ - Fix unbound-dnstap-socket test program to reply the finish frame over
+ a TLS connection correctly.
+ - Fix: reserved identifier violation
+ - Fix: Unencrypted query is sent when forward-tls-upstream: yes is used
+ without tls-cert-bundle
+ - Extra consistency check to make sure that when TLS is requested,
+ either we set up a TLS connection or we return an error.
+ - Fix: NXDOMAIN instead of NOERROR rcode when asked for existing CNAME record.
+ - Fix: Bad interaction with 0 TTL records and serve-expired
+ - Fix RPZ IP responses with trigger rpz-drop on cache entries.
+ - Fix RPZ removal of client-ip, nsip, nsdname triggers from IXFR.
+ - Fix dereference of NULL variable warning in mesh_do_callback.
+ - Fix ip_ratelimit test to work with dig that enables DNS cookies.
+ - Fix for iter_dec_attempts that could cause a hang, part of capsforid
+ and qname minimisation, depending on the settings.
+ - Fix uninitialized memory passed in padding bytes of cmsg to sendmsg.
+ - Fix stat_values test to work with dig that enables DNS cookies.
+ - unbound.service: Main process exited, code=killed, status=11/SEGV.
+ Fixes cachedb configuration handling.
+ - Fix: processQueryResponse() THROWAWAY should be mindful of fail_reply.
+
+-------------------------------------------------------------------
+Thu Aug 24 10:07:02 UTC 2023 - Marcus Rueckert
+
+- openSUSE:Factory libunbound-devel-mini flavor is configured to
+ sync build counter with unbound package. This means it always
+ triggers a bootstrap no matter which of the packages got
+ initially triggered.
+
+ I am not sure if this is needed at all, if yes, please accept
+ this request and forward with an explenation.
+
+ If not, just decline it and we will remove the build counter
+ syncing in factory as well.
+
+ This adds the !BcntSyncTag: unbound to the mini spec file
+
+ Details:
+ https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/6GUU6JUQE72WCWEZCSLQYJLVVTNHBVTE/
+
+-------------------------------------------------------------------
+Thu May 4 13:57:54 UTC 2023 - Frederic Crozat
+
+- Add _multibuild to define additional spec files as additional
+ flavors.
+ Eliminates the need for source package links in OBS.
+
-------------------------------------------------------------------
Thu Feb 23 09:15:48 UTC 2023 - Pedro Monreal
diff --git a/unbound.conf b/unbound.conf
index 89e3829..1579a1c 100644
--- a/unbound.conf
+++ b/unbound.conf
@@ -70,19 +70,6 @@ server:
# port range that can be open simultaneously.
# outgoing-range: 4096
- # permit unbound to use this port number or port range for
- # making outgoing queries, using an outgoing interface.
- # Only ephemeral ports are allowed by SElinux
- outgoing-port-permit: 32768-65535
-
- # deny unbound the use this of port number or port range for
- # making outgoing queries, using an outgoing interface.
- # Use this to make sure unbound does not grab a UDP port that some
- # other server on this computer needs. The default is to avoid
- # IANA-assigned port numbers.
- # Our SElinux policy does not allow non-ephemeral ports to be used
- outgoing-port-avoid: 0-32767
-
# number of outgoing simultaneous tcp buffers to hold per thread.
# outgoing-num-tcp: 10
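Review bot: Dropping the `outgoing-port-permit: 32768-65535` and `outgoing-port-avoid: 0-32767` lines returns unbound to its built-in source-port range for outgoing queries, yet the deleted comments state that the shipped SELinux policy only allows ephemeral ports, and the hunk leaves no replacement or rationale. If that policy constraint no longer applies (or the default range is now acceptable), a one-line comment next to the remaining `# outgoing-range: 4096` would save the next maintainer from re-adding them, e.g. `# outgoing-port-permit/avoid intentionally unset since <version/bug id>`. If the constraint still applies, unbound may select a source port the policy denies and outgoing queries would fail with AVC denials; I cannot see the changelog entry for this change from here, so this is inferred from the removed comments only.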
diff --git a/unbound.service b/unbound.service
index 8ccb407..00b6c9c 100644
--- a/unbound.service
+++ b/unbound.service
@@ -9,11 +9,13 @@ Wants=nss-lookup.target
[Service]
Type=simple
+User=unbound
+Group=unbound
EnvironmentFile=-/etc/sysconfig/unbound
#ExecStartPre=/sbin/runuser --shell /bin/sh -c "/usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem" unbound
-ExecStartPre=/usr/bin/sudo -u unbound /usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem
+ExecStartPre=/usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem
ExecStartPre=/usr/sbin/unbound-checkconf
-ExecStart=/usr/sbin/unbound -d $UNBOUND_OPTIONS
+ExecStart=!/usr/sbin/unbound -d $UNBOUND_OPTIONS
[Install]
WantedBy=multi-user.target
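Review bot: The `!` prefix on the new `ExecStart=!/usr/sbin/unbound -d $UNBOUND_OPTIONS` line tells systemd to skip the `User=unbound`/`Group=unbound` lines added just above for the main process, so the daemon still starts as root and privilege dropping depends entirely on unbound's own `username:` setting, which this diff does not show. If the intent is to let unbound bind port 53 and chroot before dropping privileges itself, say so in a comment above the line, e.g. `# '!': start as root to bind :53/chroot, then drop to 'username:' from unbound.conf`; otherwise remove the `!` and add `AmbientCapabilities=CAP_NET_BIND_SERVICE` so systemd enforces the unprivileged user. Note also that both `ExecStartPre=` lines now run as `unbound` (the `sudo -u` wrapper is gone), so `unbound-checkconf` needs read access to every file the config references (e.g. remote-control keys), which previously ran as root; the file modes are set outside this diff and are worth checking.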
diff --git a/unbound.spec b/unbound.spec
index 8a5641f..ecf1ac9 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -1,7 +1,7 @@
#
# spec file for package unbound
#
-# Copyright (c) 2023 SUSE LLC
+# Copyright (c) 2024 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -33,7 +33,7 @@
%define piddir /run
Name: unbound
-Version: 1.17.1
+Version: 1.21.0
Release: 0
BuildRequires: flex
BuildRequires: ldns-devel >= %{ldns_version}
@@ -174,6 +174,7 @@ This package holds the Python modules and extensions for unbound.
%build
%sysusers_generate_pre %{SOURCE19} anchor unbound.conf
+
export CFLAGS="%{optflags}"
export CXXFLAGS="%{optflags}"