Accepting request 599800 from server:dns

update to 1.7.0

OBS-URL: https://build.opensuse.org/request/show/599800
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/unbound?expand=0&rev=23

libunbound-devel-mini.changes

@@ -1,3 +1,126 @@
+-------------------------------------------------------------------
+Sun Apr 22 19:26:03 UTC 2018 - michael@stroeder.com
+
+- Commented configuration directive dlv-anchor-file: in unbound.conf
+  (see bsc#1055060). The DLV key file is deliberately still
+  shipped in the package so users could easily re-enable this.
+
+-------------------------------------------------------------------
+Wed Apr  4 11:54:01 UTC 2018 - michael@stroeder.com
+
+- update to 1.7.0
+
+Features
+- auth-zone provides a way to configure RFC7706 from unbound.conf,
+  eg. with auth-zone: name: "." for-downstream: no for-upstream: yes
+  fallback-enabled: yes and masters or a zonefile with data.
+- Aggressive use of NSEC implementation. Use cached NSEC records to
+  generate NXDOMAIN, NODATA and positive wildcard answers.
+- Accept tls-upstream in unbound.conf, the ssl-upstream keyword is
+  also recognized and means the same.  Also for tls-port,
+  tls-service-key, tls-service-pem, stub-tls-upstream and
+  forward-tls-upstream.
+- [dnscrypt] introduce dnscrypt-provider-cert-rotated option,
+  from Manu Bretelle.
+  This option allows handling multiple cert/key pairs while only
+  distributing some of them.
+  In order to reliably match a client magic with a given key without
+  strong assumption as to how those were generated, we need both key and
+  cert. Likewise, in order to know which ES version should be used.
+  On the other hand, when rotating a cert, it can be desirable to only
+  serve the new cert but still be able to handle clients that are still
+  using the old certs's public key.
+  The `dnscrypt-provider-cert-rotated` allow to instruct unbound to not
+  publish the cert as part of the DNS's provider_name's TXT answer.
+- Update B root ipv4 address.
+- make ip-transparent option work on OpenBSD.
+- Fix #2801: Install libunbound.pc.
+- ltrace.conf file for libunbound in contrib.
+- Fix #3598: Fix swig build issue on rhel6 based system.
+  configure --disable-swig-version-check stops the swig version check.
+
+Bug Fixes
+- Fix #1749: With harden-referral-path: performance drops, due to
+  circular dependency in NS and DS lookups.
+- [dnscrypt] prevent dnscrypt-secret-key, dnscrypt-provider-cert
+  duplicates
+- Better documentation for cache-max-negative-ttl.
+- Fixed libunbound manual typo.
+- Fix #1949: [dnscrypt] make provider name mismatch more obvious.
+- Fix #2031: Double included headers
+- Document that errno is left informative on libunbound config read
+  fail.
+- iana port update.
+- Fix #1913: ub_ctx_config is under circumstances thread-safe.
+- Fix #2362: TLS1.3/openssl-1.1.1 not working.
+- Fix #2034 - Autoconf and -flto.
+- Fix #2141 - for libsodium detect lack of entropy in chroot, print
+  a message and exit.
+- Fix #2492: Documentation libunbound.
+- Fix #2882: Unbound behaviour changes (wrong) when domain-insecure is
+  set for stub zone.  It no longer searches for DNSSEC information.
+- Fix #3299 - forward CNAME daisy chain is not working
+- Fix link failure on OmniOS.
+- Check whether --with-libunbound-only is set when using --with-nettle
+  or --with-nss.
+- Fix qname-minimisation documentation (A QTYPE, not NS)
+- Fix that DS queries with referral replies are answered straight
+  away, without a repeat query picking the DS from cache.
+  The correct reply should have been an answer, the reply is fixed
+  by the scrubber to have the answer in the answer section.
+- Fix that expiration date checks don't fail with clang -O2.
+- Fix queries being leaked above stub when refetching glue.
+- Copy query and correctly set flags on REFUSED answers when cache
+  snooping is not allowed.
+- make depend: code dependencies updated in Makefile.
+- Fix #3397: Fix that cachedb could return a partial CNAME chain.
+- Fix #3397: Fix that when the cache contains an unsigned DNAME in
+  the middle of a cname chain, a result without the DNAME could
+  be returned.
+- Fix that unbound-checkconf -f flag works with auto-trust-anchor-file
+  for startup scripts to get the full pathname(s) of anchor file(s).
+- Print fatal errors about remote control setup before log init,
+  so that it is printed to console.
+- Use NSEC with longest ce to prove wildcard absence.
+- Only use *.ce to prove wildcard absence, no longer names.
+- Fix unfreed locks in log and arc4random at exit of unbound.
+- Fix lock race condition in dns cache dname synthesis.
+- Fix #3451: dnstap not building when you have a separate build dir.
+  And removed protoc warning, set dnstap.proto syntax to proto2.
+- Added tests with wildcard expanded NSEC records (CVE-2017-15105 test)
+- Unit test for auth zone https url download.
+- tls-cert-bundle option in unbound.conf enables TLS authentication.
+- Fixes for clang static analyzer, the missing ; in
+  edns-subnet/addrtree.c after the assert made clang analyzer
+  produce a failure to analyze it.
+- Fix #3505: Documentation for default local zones references
+  wrong RFC.
+- Fix #3494: local-zone noview can be used to break out of the view
+  to the global local zone contents, for queries for that zone.
+- Fix for more maintainable code in localzone.
+- more robust cachedump rrset routine.
+- Save wildcard RRset from answer with original owner for use in
+  aggressive NSEC.
+- Fixup contrib/fastrpz.patch so that it applies.
+- Fix compile without threads, and remove unused variable.
+- Fix compile with staticexe and python module.
+- Fix nettle compile.
+- Fix to check define of DSA for when openssl is without deprecated.
+- iana port update.
+- Fix #3582: Squelch address already in use log when reuseaddr option
+  causes same port to be used twice for tcp connections.
+- Reverted fix for #3512, this may not be the best way forward;
+  although it could be changed at a later time, to stay similar to
+  other implementations.
+- Fix for windows compile.
+- Fixed contrib/fastrpz.patch, even though this already applied
+  cleanly for me, now also for others.
+- patch to log creates keytag queries, from A. Schulze.
+- patch suggested by Debian lintian: allow to -> allow one to, from
+  A. Schulze.
+- Attempt to remove warning about trailing whitespace.
+- Added documentation for aggressive-nsec: yes.
+
 -------------------------------------------------------------------
 Fri Jan 19 10:34:41 UTC 2018 - michael@stroeder.com
 

libunbound-devel-mini.spec

@@ -24,7 +24,7 @@
 
 #
 Name:           libunbound-devel-mini
-Version:        1.6.8
+Version:        1.7.0
 Release:        0
 #
 #

unbound-1.6.8.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:e3b428e33f56a45417107448418865fe08d58e0e7fea199b855515f60884dd49
-size 5467536

unbound-1.7.0.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:94dd9071fb13d8ccd122a3ac67c4524a3324d0e771fc7a8a7c49af8abfb926a2
+size 5538228

unbound.changes

@@ -1,3 +1,126 @@
+-------------------------------------------------------------------
+Sun Apr 22 19:26:03 UTC 2018 - michael@stroeder.com
+
+- Commented configuration directive dlv-anchor-file: in unbound.conf
+  (see bsc#1055060). The DLV key file is deliberately still
+  shipped in the package so users could easily re-enable this.
+
+-------------------------------------------------------------------
+Wed Apr  4 11:54:01 UTC 2018 - michael@stroeder.com
+
+- update to 1.7.0
+
+Features
+- auth-zone provides a way to configure RFC7706 from unbound.conf,
+  eg. with auth-zone: name: "." for-downstream: no for-upstream: yes
+  fallback-enabled: yes and masters or a zonefile with data.
+- Aggressive use of NSEC implementation. Use cached NSEC records to
+  generate NXDOMAIN, NODATA and positive wildcard answers.
+- Accept tls-upstream in unbound.conf, the ssl-upstream keyword is
+  also recognized and means the same.  Also for tls-port,
+  tls-service-key, tls-service-pem, stub-tls-upstream and
+  forward-tls-upstream.
+- [dnscrypt] introduce dnscrypt-provider-cert-rotated option,
+  from Manu Bretelle.
+  This option allows handling multiple cert/key pairs while only
+  distributing some of them.
+  In order to reliably match a client magic with a given key without
+  strong assumption as to how those were generated, we need both key and
+  cert. Likewise, in order to know which ES version should be used.
+  On the other hand, when rotating a cert, it can be desirable to only
+  serve the new cert but still be able to handle clients that are still
+  using the old certs's public key.
+  The `dnscrypt-provider-cert-rotated` allow to instruct unbound to not
+  publish the cert as part of the DNS's provider_name's TXT answer.
+- Update B root ipv4 address.
+- make ip-transparent option work on OpenBSD.
+- Fix #2801: Install libunbound.pc.
+- ltrace.conf file for libunbound in contrib.
+- Fix #3598: Fix swig build issue on rhel6 based system.
+  configure --disable-swig-version-check stops the swig version check.
+
+Bug Fixes
+- Fix #1749: With harden-referral-path: performance drops, due to
+  circular dependency in NS and DS lookups.
+- [dnscrypt] prevent dnscrypt-secret-key, dnscrypt-provider-cert
+  duplicates
+- Better documentation for cache-max-negative-ttl.
+- Fixed libunbound manual typo.
+- Fix #1949: [dnscrypt] make provider name mismatch more obvious.
+- Fix #2031: Double included headers
+- Document that errno is left informative on libunbound config read
+  fail.
+- iana port update.
+- Fix #1913: ub_ctx_config is under circumstances thread-safe.
+- Fix #2362: TLS1.3/openssl-1.1.1 not working.
+- Fix #2034 - Autoconf and -flto.
+- Fix #2141 - for libsodium detect lack of entropy in chroot, print
+  a message and exit.
+- Fix #2492: Documentation libunbound.
+- Fix #2882: Unbound behaviour changes (wrong) when domain-insecure is
+  set for stub zone.  It no longer searches for DNSSEC information.
+- Fix #3299 - forward CNAME daisy chain is not working
+- Fix link failure on OmniOS.
+- Check whether --with-libunbound-only is set when using --with-nettle
+  or --with-nss.
+- Fix qname-minimisation documentation (A QTYPE, not NS)
+- Fix that DS queries with referral replies are answered straight
+  away, without a repeat query picking the DS from cache.
+  The correct reply should have been an answer, the reply is fixed
+  by the scrubber to have the answer in the answer section.
+- Fix that expiration date checks don't fail with clang -O2.
+- Fix queries being leaked above stub when refetching glue.
+- Copy query and correctly set flags on REFUSED answers when cache
+  snooping is not allowed.
+- make depend: code dependencies updated in Makefile.
+- Fix #3397: Fix that cachedb could return a partial CNAME chain.
+- Fix #3397: Fix that when the cache contains an unsigned DNAME in
+  the middle of a cname chain, a result without the DNAME could
+  be returned.
+- Fix that unbound-checkconf -f flag works with auto-trust-anchor-file
+  for startup scripts to get the full pathname(s) of anchor file(s).
+- Print fatal errors about remote control setup before log init,
+  so that it is printed to console.
+- Use NSEC with longest ce to prove wildcard absence.
+- Only use *.ce to prove wildcard absence, no longer names.
+- Fix unfreed locks in log and arc4random at exit of unbound.
+- Fix lock race condition in dns cache dname synthesis.
+- Fix #3451: dnstap not building when you have a separate build dir.
+  And removed protoc warning, set dnstap.proto syntax to proto2.
+- Added tests with wildcard expanded NSEC records (CVE-2017-15105 test)
+- Unit test for auth zone https url download.
+- tls-cert-bundle option in unbound.conf enables TLS authentication.
+- Fixes for clang static analyzer, the missing ; in
+  edns-subnet/addrtree.c after the assert made clang analyzer
+  produce a failure to analyze it.
+- Fix #3505: Documentation for default local zones references
+  wrong RFC.
+- Fix #3494: local-zone noview can be used to break out of the view
+  to the global local zone contents, for queries for that zone.
+- Fix for more maintainable code in localzone.
+- more robust cachedump rrset routine.
+- Save wildcard RRset from answer with original owner for use in
+  aggressive NSEC.
+- Fixup contrib/fastrpz.patch so that it applies.
+- Fix compile without threads, and remove unused variable.
+- Fix compile with staticexe and python module.
+- Fix nettle compile.
+- Fix to check define of DSA for when openssl is without deprecated.
+- iana port update.
+- Fix #3582: Squelch address already in use log when reuseaddr option
+  causes same port to be used twice for tcp connections.
+- Reverted fix for #3512, this may not be the best way forward;
+  although it could be changed at a later time, to stay similar to
+  other implementations.
+- Fix for windows compile.
+- Fixed contrib/fastrpz.patch, even though this already applied
+  cleanly for me, now also for others.
+- patch to log creates keytag queries, from A. Schulze.
+- patch suggested by Debian lintian: allow to -> allow one to, from
+  A. Schulze.
+- Attempt to remove warning about trailing whitespace.
+- Added documentation for aggressive-nsec: yes.
+
 -------------------------------------------------------------------
 Fri Jan 19 10:34:41 UTC 2018 - michael@stroeder.com
 

unbound.conf

@@ -346,7 +346,7 @@ server:
 	# File with DLV trusted keys. Same format as trust-anchor-file.
 	# There can be only one DLV configured, it is trusted from root down.
 	# Downloaded from https://secure.isc.org/ops/dlv/dlv.isc.org.key
-	dlv-anchor-file: "/etc/unbound/dlv.isc.org.key"
+	# dlv-anchor-file: "/etc/unbound/dlv.isc.org.key"
 
 	# File with trusted keys for validation. Specify more than one file
 	# with several entries, one file per entry.

unbound.spec

@@ -58,7 +58,7 @@
 %endif
 
 Name:           unbound
-Version:        1.6.8
+Version:        1.7.0
 Release:        0
 #
 #
@@ -409,6 +409,7 @@ systemd-tmpfiles --create  %{_tmpfilesdir}/unbound.conf  || :
 %{_includedir}/unbound.h
 %{_includedir}/unbound-event.h
 %{_libdir}/libunbound.so
+%{_libdir}/pkgconfig/libunbound.pc
 %{_mandir}/man3/libunbound.3*
 %{_mandir}/man3/ub_*.3*