Create /var/lib/unbound with systemd-tmpfiles, move root.key to
/usr/share/unbound and symlink to /var/lib/unbound/root.key to
improve compatibility for immutable os.
- Update to 1.23.1:
Bug Fixes:
* Fix RebirthDay Attack CVE-2025-5994, reported by Xiang Li from
AOSP Lab Nankai University.
- simplify python handling. python2 support is dropped and python3
is built by default. Conditionals for the latter are removed.
- enable EDNS subnet handling
- Update to 1.23.1: (boo#1246625)
Bug Fixes:
* Fix RebirthDay Attack CVE-2025-5994, reported by Xiang Li from
AOSP Lab Nankai University.
- our package was not built with EDNS subnet support up to this
point and therefor was not affected.
- prepare enabling quic support:
currently fails on missing quic support in openssl. aws-lc is
sadly not a drop in replacement for unbound.
- enable TCP Fast Open for the server and client
- remove unused --with-ldns option
- enable cachedb including hiredis support on Tumbleweed
new BuildRequires pkgconfig(libhiredis)
OBS-URL: https://build.opensuse.org/request/show/1298772
OBS-URL: https://build.opensuse.org/package/show/server:dns/unbound?expand=0&rev=194
* Bug Fixes:
- Fix CVE-2024-1931, Denial of service when trimming EDE text
on positive replies.
[bsc#1221164]
- Update to 1.19.2:
* Bug Fixes:
- Fix CVE-2024-1931, Denial of service when trimming EDE text
on positive replies.
[bsc#1221164]
OBS-URL: https://build.opensuse.org/package/show/server:dns/unbound?expand=0&rev=173
- Update to 1.19.1:
* Bug Fixes: [bsc#1219823, CVE-2023-50387][bsc#1219826, CVE-2023-50868]
- Fix CVE-2023-50387, DNSSEC verification complexity can be
exploited to exhaust CPU resources and stall DNS resolvers.
- Fix CVE-2023-50868, NSEC3 closest encloser proof can exhaust CPU.
- Update to 1.19.1:
* Bug Fixes: [bsc#1219823, CVE-2023-50387][bsc#1219826, CVE-2023-50868]
- Fix CVE-2023-50387, DNSSEC verification complexity can be
exploited to exhaust CPU resources and stall DNS resolvers.
- Fix CVE-2023-50868, NSEC3 closest encloser proof can exhaust CPU.
OBS-URL: https://build.opensuse.org/request/show/1152943
OBS-URL: https://build.opensuse.org/package/show/server:dns/unbound?expand=0&rev=169
- Update to 1.19.0:
* Features:
- Fix#850: [FR] Ability to use specific database in Redis, with
new redis-logical-db configuration option.
- Merge #944: Disable EDNS DO. Disable the EDNS DO flag in upstream
requests. This can be helpful for devices that cannot handle
DNSSEC information. But it should not be enabled otherwise, because
that would stop DNSSEC validation. The DNSSEC validation would not
work for Unbound itself, and also not for downstream users. Default
is no. The option is disable-edns-do: no
- Expose the script filename in the Python module environment 'mod_env'
instead of the config_file structure which includes the linked list
of scripts in a multi Python module setup; fixes#79.
- Expose the configured listening and outgoing interfaces, if any, as
a list of strings in the Python 'config_file' class instead of the
current Swig object proxy; fixes#79.
- Mailing list patches from Daniel Gröber for DNS64 fallback to plain
AAAA when no A record exists for synthesis, and minor DNS64 code
refactoring for better readability.
- Merge #951: Cachedb no store. The cachedb-no-store: yes option is
used to stop cachedb from writing messages to the backend storage.
It reads messages when data is available from the backend.
The default is no.
* Bug Fixes:
- Fix for version generation race condition that ignored changes.
- Fix#942: 1.18.0 libunbound DNS regression when built without OpenSSL.
- Fix for WKS call to getservbyname that creates allocation on exit in
unit test by testing numbers first and testing from the services list later.
- Fix autoconf 2.69 warnings in configure.
- Fix#927: unbound 1.18.0 make test error. Fix make test without SHA1.
OBS-URL: https://build.opensuse.org/request/show/1127268
OBS-URL: https://build.opensuse.org/package/show/server:dns/unbound?expand=0&rev=167
- Update to 1.18.0:
* Features:
- Аdd a metric about the maximum number of collisions in lrushah.
- Set max-udp-size default to 1232. This is the same default value
as the default value for edns-buffer-size. It restricts client
edns buffer size choices, and makes unbound behave similar to
other DNS resolvers.
- Add harden-unknown-additional option. It removes unknown records
from the authority section and additional section.
- Added new static zone type block_a to suppress all A queries for
specific zones.
- [FR] Ability to use Redis unix sockets.
- [FR] Ability to set the Redis password.
- Features/dropqueuedpackets, with sock-queue-timeout option that
drops packets that have been in the socket queue for too long.
Added statistics num.queries_timed_out and query.queue_time_us.max
that track the socket queue timeouts.
- 'eqvinox' Lamparter: NAT64 support.
- [FR] Use kernel timestamps for dnstap.
- Add cachedb hit stat. Introduces 'num.query.cachedb' as a new
statistical counter.
- Add SVCB dohpath support.
- Add validation EDEs to queries where the CD bit is set.
- Add prefetch support for subnet cache entries.
- Add EDE (RFC8914) caching.
- Add support for EDE caching in cachedb and subnetcache.
- Downstream DNS Server Cookies a la RFC7873 and RFC9018. Create server
cookies for clients that send client cookies. This needs to be explicitly
turned on in the config file with: `answer-cookie: yes`.
* Bug Fixes
OBS-URL: https://build.opensuse.org/request/show/1109457
OBS-URL: https://build.opensuse.org/package/show/server:dns/unbound?expand=0&rev=165
- Add _multibuild to define additional spec files as additional
flavors.
Eliminates the need for source package links in OBS.
- openSUSE:Factory libunbound-devel-mini flavor is configured to
sync build counter with unbound package. This means it always
triggers a bootstrap no matter which of the packages got
initially triggered.
I am not sure if this is needed at all, if yes, please accept
this request and forward with an explenation.
If not, just decline it and we will remove the build counter
syncing in factory as well.
This adds the !BcntSyncTag: unbound to the mini spec file
Details:
https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/6GUU6JUQE72WCWEZCSLQYJLVVTNHBVTE/
- Add _multibuild to define additional spec files as additional
flavors.
Eliminates the need for source package links in OBS.
OBS-URL: https://build.opensuse.org/request/show/1105588
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/unbound?expand=0&rev=61
- Update to 1.17.1:
* Features:
- Expose 'statistics-inhibit-zero' as a configuration option;
the default value retains Unbound's behavior.
- Expose 'max-sent-count' as a configuration option; the default
value retains Unbound's behavior.
- Merge #461 from Christian Allred: Add max-query-restarts option.
Exposes an internal configuration but the default value retains
Unbound's behavior.
- Merge #569 from JINMEI Tatuya: add keep-cache option to
'unbound-control reload' to keep caches.
* Bug Fixes:
- Merge #768 from fobser: Arithmetic on a pointer to void is a
GNU extension.
- In unit test, print python script name list correctly.
- testcode/dohclient sets log identity to its name.
- Clarify the use of MAX_SENT_COUNT in the iterator code.
- Fix that cachedb does not store failures in the external cache.
- Merge #767 from jonathangray: consistently use IPv4/IPv6 in
unbound.conf.5.
- Fix to ignore tcp events for closed comm points.
- Fix to make sure to not read again after a tcp comm point is
closed.
- Fix#775: libunbound: subprocess reap causes parent process
reap to hang.
- iana portlist update.
- Complementary fix for distutils.sysconfig deprecation in
Python 3.10 to commit 62c5039ab9da42713e006e840b7578e01d66e7f2.
- Fix#779: [doc] Missing documention in ub_resolve_event() for
callback parameter was_ratelimited.
OBS-URL: https://build.opensuse.org/request/show/1067340
OBS-URL: https://build.opensuse.org/package/show/server:dns/unbound?expand=0&rev=159
- update to 1.16.2 (boo#1202031 boo#1202033)
* Features
- Merge #718: Introduce infra-cache-max-rtt option to config max
retransmit timeout.
* Bug Fixes
- Fix the novel ghost domain issues CVE-2022-30698 and CVE-2022-30699.
- Fix bug introduced in 'improve val_sigcrypt.c::algo_needs_missing for
one loop pass'.
- Merge PR #668 from Cristian Rodríguez: Set IP_BIND_ADDRESS_NO_PORT on
outbound tcp sockets.
- Fix verbose EDE error printout.
- Fix dname count in sldns parse type descriptor for SVCB and HTTPS.
- For windows crosscompile, fix setting the IPV6_MTU socket option
equivalent (IPV6_USER_MTU); allows cross compiling with latest
cross-compiler versions.
- Merge PR 714: Avoid treat normal hosts as unresponsive servers.
And fixup the lock code.
- iana portlist update.
- Update documentation for 'outbound-msg-retry:'.
- Tests for ghost domain fixes.
- update to 1.16.2 (boo#1202031 boo#1202033)
* Features
- Merge #718: Introduce infra-cache-max-rtt option to config max
retransmit timeout.
* Bug Fixes
- Fix the novel ghost domain issues CVE-2022-30698 and CVE-2022-30699.
- Fix bug introduced in 'improve val_sigcrypt.c::algo_needs_missing for
one loop pass'.
- Merge PR #668 from Cristian Rodríguez: Set IP_BIND_ADDRESS_NO_PORT on
OBS-URL: https://build.opensuse.org/request/show/992044
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/unbound?expand=0&rev=57
