Accepting request 636218 from home:stroeder:branches:server:dns

- update to 1.8.0: Number of bug fixes, a list of features added and some defaults changed. OBS-URL: https://build.opensuse.org/request/show/636218 OBS-URL: https://build.opensuse.org/package/show/server:dns/unbound?expand=0&rev=84
2018-09-18 05:58:24 +00:00 · 2018-09-18 05:58:24 +00:00 · 1b7e9529ed
commit 1b7e9529ed
parent 49ad22bd35
6 changed files with 312 additions and 6 deletions
--- a/libunbound-devel-mini.changes
+++ b/libunbound-devel-mini.changes
@ -1,3 +1,156 @@
+-------------------------------------------------------------------
+Thu Sep 17 17:00:00 UTC 2018 - michael@stroeder.com
+
+- update to 1.8.0:
+  Number of bug fixes, a list of features added and some defaults changed.
+
+Features
+- unbound-control auth_zone_reload _zone_ option rereads the zonefile.
+- unbound-control auth_zone_transfer _zone_ option starts the probe
+  sequence for a master to transfer the zone from and transfers when
+  a new zone version is available.
+- num.queries.tls counter for queries over TLS.
+- log port number with err_addr logs.
+- dns64-ignore-aaaa: config option to list domain names for which the
+  existing AAAA is ignored and dns64 processing is used on the A
+  record.
+- Fix #4112: Fix that unbound-anchor -f /etc/resolv.conf will not pass
+  if DNSSEC is not enabled.  New option -R allows fallback from
+  resolv.conf to direct queries.
+- Note RFC8162 support.  SMIMEA record type can be read in by the
+  zone record parser.
+- Patches from Jim Hague (Sinodun) for EDNS KeepAlive.
+- Add config tcp-idle-timeout (default 30s). This applies to
+  client connections only; the timeout on TCP connections upstream
+  is unaffected.
+- Add edns-tcp-keepalive and edns-tcp-keepalive timeout options
+  and implement option in client responses.
+- Add delay parameter to streamtcp, -d secs.
+  To be used when testing idle timeout.
+- Expose if a query (or a subquery) was ratelimited (not src IP
+  ratelimiting) to libunbound under 'ub_result.was_ratelimited'.
+  This also introduces a change to 'ub_event_callback_type' in
+  libunbound/unbound-event.h.
+- Patch to implement tcp-connection-limit from Jim Hague (Sinodun).
+  This limits the number of simultaneous TCP client connections
+  from a nominated netblock.
+- Fix #4142: unbound.service.in: improvements and fixes.
+  Add unit dependency ordering (based on systemd-resolved).
+  Add 'CAP_SYS_RESOURCE' to 'CapabilityBoundingSet' (fixes warnings
+  about missing privileges during startup). Add 'AF_INET6' to
+  'RestrictAddressFamilies' (without it IPV6 can't work). From
+  Guido Shanahan.
+- unbound-checkconf checks if modules exist and prints if they are
+  not compiled in the name of the wrong module.
+- Patch for stub-no-cache and forward-no-cache options that disable
+  caching for the contents of that stub or forward, for when you
+  want immediate changes visible, from Bjoern A. Zeeb.
+- Upgraded crosscompile script to include libunbound DLL in the
+  zipfile.
+- Set libunbound to increase current, because the libunbound change
+  to the event callback function signature.  That needs programs,
+  that use it, to recompile against the new header definition.
+- log-servfail: yes prints log lines that say why queries are
+  returning SERVFAIL to clients.
+- log-local-actions: yes option for unbound.conf that logs all the
+  local zone actions, a patch from Saksham Manchanda (Secure64).
+- #4146: num.query.subnet and num.query.subnet_cache counters.
+- #4140: Expose repinfo (comm_reply) to the inplace_callbacks. This
+  gives access to reply information for the client's communication
+  point when the callback is called before the mesh state (modules).
+  Changes to C and Python's inplace_callback signatures were also
+  necessary.
+- Set defaults to yes for a number of options to increase speed and
+  resilience of the server.  The so-reuseport, harden-below-nxdomain,
+  and minimal-responses options are enabled by default.  They used
+  to be disabled by default, waiting to make sure they worked.  They
+  are enabled by default now, and can be disabled explicitly by
+  setting them to "no" in the unbound.conf config file.  The reuseport
+  and minimal options increases speed of the server, and should be
+  otherwise harmless.  The harden-below-nxdomain option works well
+  together with the recently default enabled qname minimisation, this
+  causes more fetches to use information from the cache.
+- Added serve-expired-ttl and serve-expired-ttl-reset options.
+
+Bug Fixes
+- Windows example service.conf edited with more windows specific
+  configuration.
+- #4108: systemd reload hang fix.
+- Fix usage printout for unbound-host, hostname has to be last
+  argument on BSDs and Windows.
+- Partial fix for permission denied on IPv6 address on FreeBSD.
+- Fix that auth-zone master reply with current SOA serial does not
+  stop scan of masters for an updated zone.
+- Fix that auth-zone does not start the wait timer without checking
+  if the wait timer has already been started.
+- #4109: Fix that package config depends on python unconditionally.
+- Patch, do not export python from pkg-config, from Petr Menšík.
+- Fix checking for libhiredis printout in configure output.
+- Fix typo on man page in ip-address description.
+- Update libunbound/python/examples/dnssec_test.py example code to
+  also set the 20326 trust anchor for the root in the example code.
+- Better documentation for unblock-lan-zones and insecure-lan-zones
+  config statements.
+- Fix permission denied printed for auth zone probe random port nrs.
+- Fix documentation ambiguity for tls-win-cert in tls-upstream and
+  forward-tls-upstream docs.
+- iana port update.
+- Fix round robin for failed addresses with prefer-ip6: yes
+- Note in documentation that the cert name match code needs
+  OpenSSL 1.1.0 or later to be enabled.
+- Fix to improve systemd socket activation code file descriptor
+  assignment.
+- Fix for 4126 that the #define for UNKNOWN_SERVER_NICENESS can be more
+  easily changed to adjust default rtt assumptions.
+- Fix #4127 unbound -h does not list -p help.
+- Print error if SSL name verification configured but not available
+  in the ssl library.
+- Fix that ratelimit and ip-ratelimit are applied after reload of
+  changed config file.
+- Resize ratelimit and ip-ratelimit caches if changed on reload.
+- Fix #4129 unbound-control error message with wrong cert permissions
+  is too cryptic.
+- Fix #4130: print text describing -dd and unbound-checkconf on
+  config file read error at startup, the errors may have been moved
+  away by the startup process.
+- Fix #4131: for solaris, error YY_CURRENT_BUFFER undeclared.
+- Fix use-systemd readiness signalling, only when use-systemd is yes
+  and not in signal handler.
+- Fix #4135: 64-bit Windows Installer Creates Entries Under The
+  Wrong Registry Key, reported by Brian White.
+- Fix man page, say that chroot is enabled by default.
+- Sort out test runs when the build directory isn't the project
+  root directory.
+- Error if EDNS Keepalive received over UDP.
+- Correct and expand manual page entries for keepalive and idle timeout.
+- Implement progressive backoff of TCP idle/keepalive timeout.
+- Fix 'make depend' to work when build dir is not project root.
+- Fix #4139: Fix unbound-host leaks memory on ANY.
+- Fix to remove systemd sockaddr function check, that is not
+  always present.  Make socket activation more lenient.  But not
+  different when socket activation is not used.
+- Fix #4136: insufficiency from mismatch of FLEX capability between
+  released tarball and build host.  Fix to unconditionally call
+  destroy in daemon.c.
+- Make capsforid fallback QNAME minimisation aware.
+- document --enable-subnet in doc/README.
+- Fix #4144: dns64 module caches wrong (negative) information.
+- Fix that printout of error for cycle targets is a verbosity 4
+  printout and does not wrongly print it is a memory error.
+- Fix segfault in auth-zone read and reorder of RRSIGs.
+- Fix contrib/fastrpz.patch.
+- Fix warning on compile without threads.
+- print servfail info to log as error.
+- added more servfail printout statements, to the iterator.
+- Fix classification for QTYPE=CNAME queries when QNAME minimisation is
+  enabled.
+- Fix only misc failure from log-servfail when val-log-level is not
+  enabled.
+- Fix lintflags for lint on FreeBSD.
+- Fix that a local-zone with a local-zone-type that is transparent
+  in a view with view-first, makes queries check for answers from the
+  local-zones defined outside of views.
+
 -------------------------------------------------------------------
 Thu Jun 21 09:19:02 UTC 2018 - michael@stroeder.com

--- a/libunbound-devel-mini.spec
+++ b/libunbound-devel-mini.spec
@ -12,7 +12,7 @@
 # license that conforms to the Open Source Definition (Version 1.9)
 # published by the Open Source Initiative.

-# Please submit bugfixes or comments via http://bugs.opensuse.org/
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
 #


@ -24,7 +24,7 @@

 #
 Name:           libunbound-devel-mini
-Version:        1.7.3
+Version:        1.8.0
 Release:        0
 #
 #
--- a/unbound-1.7.3.tar.gz
+++ b/unbound-1.7.3.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:c11de115d928a6b48b2165e0214402a7a7da313cd479203a7ce7a8b62cba602d
-size 5570604
--- a/unbound-1.8.0.tar.gz
+++ b/unbound-1.8.0.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:78f79d6d3b643fdcd74a14fc76542250da886c82f82bc55b51e189663d61b83f
+size 5609213
--- a/unbound.changes
+++ b/unbound.changes
@ -1,3 +1,156 @@
+-------------------------------------------------------------------
+Thu Sep 17 17:00:00 UTC 2018 - michael@stroeder.com
+
+- update to 1.8.0:
+  Number of bug fixes, a list of features added and some defaults changed.
+
+Features
+- unbound-control auth_zone_reload _zone_ option rereads the zonefile.
+- unbound-control auth_zone_transfer _zone_ option starts the probe
+  sequence for a master to transfer the zone from and transfers when
+  a new zone version is available.
+- num.queries.tls counter for queries over TLS.
+- log port number with err_addr logs.
+- dns64-ignore-aaaa: config option to list domain names for which the
+  existing AAAA is ignored and dns64 processing is used on the A
+  record.
+- Fix #4112: Fix that unbound-anchor -f /etc/resolv.conf will not pass
+  if DNSSEC is not enabled.  New option -R allows fallback from
+  resolv.conf to direct queries.
+- Note RFC8162 support.  SMIMEA record type can be read in by the
+  zone record parser.
+- Patches from Jim Hague (Sinodun) for EDNS KeepAlive.
+- Add config tcp-idle-timeout (default 30s). This applies to
+  client connections only; the timeout on TCP connections upstream
+  is unaffected.
+- Add edns-tcp-keepalive and edns-tcp-keepalive timeout options
+  and implement option in client responses.
+- Add delay parameter to streamtcp, -d secs.
+  To be used when testing idle timeout.
+- Expose if a query (or a subquery) was ratelimited (not src IP
+  ratelimiting) to libunbound under 'ub_result.was_ratelimited'.
+  This also introduces a change to 'ub_event_callback_type' in
+  libunbound/unbound-event.h.
+- Patch to implement tcp-connection-limit from Jim Hague (Sinodun).
+  This limits the number of simultaneous TCP client connections
+  from a nominated netblock.
+- Fix #4142: unbound.service.in: improvements and fixes.
+  Add unit dependency ordering (based on systemd-resolved).
+  Add 'CAP_SYS_RESOURCE' to 'CapabilityBoundingSet' (fixes warnings
+  about missing privileges during startup). Add 'AF_INET6' to
+  'RestrictAddressFamilies' (without it IPV6 can't work). From
+  Guido Shanahan.
+- unbound-checkconf checks if modules exist and prints if they are
+  not compiled in the name of the wrong module.
+- Patch for stub-no-cache and forward-no-cache options that disable
+  caching for the contents of that stub or forward, for when you
+  want immediate changes visible, from Bjoern A. Zeeb.
+- Upgraded crosscompile script to include libunbound DLL in the
+  zipfile.
+- Set libunbound to increase current, because the libunbound change
+  to the event callback function signature.  That needs programs,
+  that use it, to recompile against the new header definition.
+- log-servfail: yes prints log lines that say why queries are
+  returning SERVFAIL to clients.
+- log-local-actions: yes option for unbound.conf that logs all the
+  local zone actions, a patch from Saksham Manchanda (Secure64).
+- #4146: num.query.subnet and num.query.subnet_cache counters.
+- #4140: Expose repinfo (comm_reply) to the inplace_callbacks. This
+  gives access to reply information for the client's communication
+  point when the callback is called before the mesh state (modules).
+  Changes to C and Python's inplace_callback signatures were also
+  necessary.
+- Set defaults to yes for a number of options to increase speed and
+  resilience of the server.  The so-reuseport, harden-below-nxdomain,
+  and minimal-responses options are enabled by default.  They used
+  to be disabled by default, waiting to make sure they worked.  They
+  are enabled by default now, and can be disabled explicitly by
+  setting them to "no" in the unbound.conf config file.  The reuseport
+  and minimal options increases speed of the server, and should be
+  otherwise harmless.  The harden-below-nxdomain option works well
+  together with the recently default enabled qname minimisation, this
+  causes more fetches to use information from the cache.
+- Added serve-expired-ttl and serve-expired-ttl-reset options.
+
+Bug Fixes
+- Windows example service.conf edited with more windows specific
+  configuration.
+- #4108: systemd reload hang fix.
+- Fix usage printout for unbound-host, hostname has to be last
+  argument on BSDs and Windows.
+- Partial fix for permission denied on IPv6 address on FreeBSD.
+- Fix that auth-zone master reply with current SOA serial does not
+  stop scan of masters for an updated zone.
+- Fix that auth-zone does not start the wait timer without checking
+  if the wait timer has already been started.
+- #4109: Fix that package config depends on python unconditionally.
+- Patch, do not export python from pkg-config, from Petr Menšík.
+- Fix checking for libhiredis printout in configure output.
+- Fix typo on man page in ip-address description.
+- Update libunbound/python/examples/dnssec_test.py example code to
+  also set the 20326 trust anchor for the root in the example code.
+- Better documentation for unblock-lan-zones and insecure-lan-zones
+  config statements.
+- Fix permission denied printed for auth zone probe random port nrs.
+- Fix documentation ambiguity for tls-win-cert in tls-upstream and
+  forward-tls-upstream docs.
+- iana port update.
+- Fix round robin for failed addresses with prefer-ip6: yes
+- Note in documentation that the cert name match code needs
+  OpenSSL 1.1.0 or later to be enabled.
+- Fix to improve systemd socket activation code file descriptor
+  assignment.
+- Fix for 4126 that the #define for UNKNOWN_SERVER_NICENESS can be more
+  easily changed to adjust default rtt assumptions.
+- Fix #4127 unbound -h does not list -p help.
+- Print error if SSL name verification configured but not available
+  in the ssl library.
+- Fix that ratelimit and ip-ratelimit are applied after reload of
+  changed config file.
+- Resize ratelimit and ip-ratelimit caches if changed on reload.
+- Fix #4129 unbound-control error message with wrong cert permissions
+  is too cryptic.
+- Fix #4130: print text describing -dd and unbound-checkconf on
+  config file read error at startup, the errors may have been moved
+  away by the startup process.
+- Fix #4131: for solaris, error YY_CURRENT_BUFFER undeclared.
+- Fix use-systemd readiness signalling, only when use-systemd is yes
+  and not in signal handler.
+- Fix #4135: 64-bit Windows Installer Creates Entries Under The
+  Wrong Registry Key, reported by Brian White.
+- Fix man page, say that chroot is enabled by default.
+- Sort out test runs when the build directory isn't the project
+  root directory.
+- Error if EDNS Keepalive received over UDP.
+- Correct and expand manual page entries for keepalive and idle timeout.
+- Implement progressive backoff of TCP idle/keepalive timeout.
+- Fix 'make depend' to work when build dir is not project root.
+- Fix #4139: Fix unbound-host leaks memory on ANY.
+- Fix to remove systemd sockaddr function check, that is not
+  always present.  Make socket activation more lenient.  But not
+  different when socket activation is not used.
+- Fix #4136: insufficiency from mismatch of FLEX capability between
+  released tarball and build host.  Fix to unconditionally call
+  destroy in daemon.c.
+- Make capsforid fallback QNAME minimisation aware.
+- document --enable-subnet in doc/README.
+- Fix #4144: dns64 module caches wrong (negative) information.
+- Fix that printout of error for cycle targets is a verbosity 4
+  printout and does not wrongly print it is a memory error.
+- Fix segfault in auth-zone read and reorder of RRSIGs.
+- Fix contrib/fastrpz.patch.
+- Fix warning on compile without threads.
+- print servfail info to log as error.
+- added more servfail printout statements, to the iterator.
+- Fix classification for QTYPE=CNAME queries when QNAME minimisation is
+  enabled.
+- Fix only misc failure from log-servfail when val-log-level is not
+  enabled.
+- Fix lintflags for lint on FreeBSD.
+- Fix that a local-zone with a local-zone-type that is transparent
+  in a view with view-first, makes queries check for answers from the
+  local-zones defined outside of views.
+
 -------------------------------------------------------------------
 Thu Jun 21 09:19:02 UTC 2018 - michael@stroeder.com

--- a/unbound.spec
+++ b/unbound.spec
@ -58,7 +58,7 @@
 %endif

 Name:           unbound
-Version:        1.7.3
+Version:        1.8.0
 Release:        0
 #
 #