Accepting request 1109457 from home:pmonrealgonzalez:branches:server:dns

- Update to 1.18.0:
  * Features:
    - Аdd a metric about the maximum number of collisions in lrushah.
    - Set max-udp-size default to 1232. This is the same default value
      as the default value for edns-buffer-size. It restricts client
      edns buffer size choices, and makes unbound behave similar to
      other DNS resolvers.
    - Add harden-unknown-additional option. It removes unknown records
      from the authority section and additional section.
    - Added new static zone type block_a to suppress all A queries for
      specific zones.
    - [FR] Ability to use Redis unix sockets.
    - [FR] Ability to set the Redis password.
    - Features/dropqueuedpackets, with sock-queue-timeout option that
      drops packets that have been in the socket queue for too long.
      Added statistics num.queries_timed_out and query.queue_time_us.max
      that track the socket queue timeouts.
    - 'eqvinox' Lamparter: NAT64 support.
    - [FR] Use kernel timestamps for dnstap.
    - Add cachedb hit stat. Introduces 'num.query.cachedb' as a new
      statistical counter.
    - Add SVCB dohpath support.
    - Add validation EDEs to queries where the CD bit is set.
    - Add prefetch support for subnet cache entries.
    - Add EDE (RFC8914) caching.
    - Add support for EDE caching in cachedb and subnetcache.
    - Downstream DNS Server Cookies a la RFC7873 and RFC9018. Create server
      cookies for clients that send client cookies. This needs to be explicitly
      turned on in the config file with: `answer-cookie: yes`.
  * Bug Fixes

OBS-URL: https://build.opensuse.org/request/show/1109457
OBS-URL: https://build.opensuse.org/package/show/server:dns/unbound?expand=0&rev=165

libunbound-devel-mini.changes

@@ -1,3 +1,68 @@
+-------------------------------------------------------------------
+Thu Sep  7 08:03:33 UTC 2023 - Pedro Monreal <pmonreal@suse.com>
+
+- Update to 1.18.0:
+  * Features:
+    - Аdd a metric about the maximum number of collisions in lrushah.
+    - Set max-udp-size default to 1232. This is the same default value
+      as the default value for edns-buffer-size. It restricts client
+      edns buffer size choices, and makes unbound behave similar to
+      other DNS resolvers.
+    - Add harden-unknown-additional option. It removes unknown records
+      from the authority section and additional section.
+    - Added new static zone type block_a to suppress all A queries for
+      specific zones.
+    - [FR] Ability to use Redis unix sockets.
+    - [FR] Ability to set the Redis password.
+    - Features/dropqueuedpackets, with sock-queue-timeout option that
+      drops packets that have been in the socket queue for too long.
+      Added statistics num.queries_timed_out and query.queue_time_us.max
+      that track the socket queue timeouts.
+    - 'eqvinox' Lamparter: NAT64 support.
+    - [FR] Use kernel timestamps for dnstap.
+    - Add cachedb hit stat. Introduces 'num.query.cachedb' as a new
+      statistical counter.
+    - Add SVCB dohpath support.
+    - Add validation EDEs to queries where the CD bit is set.
+    - Add prefetch support for subnet cache entries.
+    - Add EDE (RFC8914) caching.
+    - Add support for EDE caching in cachedb and subnetcache.
+    - Downstream DNS Server Cookies a la RFC7873 and RFC9018. Create server
+      cookies for clients that send client cookies. This needs to be explicitly
+      turned on in the config file with: `answer-cookie: yes`.
+  * Bug Fixes
+    - Response change to NODATA for some ANY queries since 1.12.
+    - Fix not following cleared RD flags potentially enables
+      amplification DDoS attacks.
+    - Set default for harden-unknown-additional to no. So that it
+      does not hamper future protocol developments.
+    - Fix to ignore entirely empty responses, and try at another authority.
+      This turns completely empty responses, a type of noerror/nodata into
+      a servfail, but they do not conform to RFC2308, and the retry can fetch
+      improved content.
+    - Allow TTL refresh of expired error responses.
+    - Fix: Unexpected behavior with client-subnet-always-forward and serve-expired
+    - Fix unbound-dnstap-socket test program to reply the finish frame over
+      a TLS connection correctly.
+    - Fix: reserved identifier violation
+    - Fix: Unencrypted query is sent when forward-tls-upstream: yes is used
+      without tls-cert-bundle
+    - Extra consistency check to make sure that when TLS is requested,
+      either we set up a TLS connection or we return an error.
+    - Fix: NXDOMAIN instead of NOERROR rcode when asked for existing CNAME record.
+    - Fix: Bad interaction with 0 TTL records and serve-expired
+    - Fix RPZ IP responses with trigger rpz-drop on cache entries.
+    - Fix RPZ removal of client-ip, nsip, nsdname triggers from IXFR.
+    - Fix dereference of NULL variable warning in mesh_do_callback.
+    - Fix ip_ratelimit test to work with dig that enables DNS cookies.
+    - Fix for iter_dec_attempts that could cause a hang, part of capsforid
+      and qname minimisation, depending on the settings.
+    - Fix uninitialized memory passed in padding bytes of cmsg to sendmsg.
+    - Fix stat_values test to work with dig that enables DNS cookies.
+    - unbound.service: Main process exited, code=killed, status=11/SEGV.
+      Fixes cachedb configuration handling.
+    - Fix: processQueryResponse() THROWAWAY should be mindful of fail_reply.
+
 -------------------------------------------------------------------
 Thu May  4 13:57:54 UTC 2023 - Frederic Crozat <fcrozat@suse.com>
 

libunbound-devel-mini.spec

@@ -22,7 +22,7 @@
 %bcond_without hardened_build
 #
 Name:           libunbound-devel-mini
-Version:        1.17.1
+Version:        1.18.0
 #!BcntSyncTag: unbound
 Release:        0
 Summary:        Just a devel package for build loops

unbound-1.17.1.tar.gz.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEE7fqj8spObrBWga+On28cLX4EX40FAmO/wmUACgkQn28cLX4E
-X40EBxAApOIAHQGYxRcnMWgqB+hN2YR+M/CcOz19UiQ/KrG8f+ji9mUfIUsUTQsa
-Oat/TuWPqQ4gCXocX4Dc4+LE0bebHVJkg4TQniEIjYOWja/6uBOfav14GBfJsq+m
-3A9IBdOGYTAR5mGfTs1cxJfWAbX3U+oroKwn5zPh+wCRR0CoY8sEumZu7Tzb4yUx
-OPhlj1Qzz/NkSi+0RkwogJy2hHdXVvHYUtTDKheFye/GeGa+trRnu8mCKpuyw6N9
-dnQ7oXlCds8JW7YgaBf4qh1pH6VO18CTo7KG3yKiEeRb+HRRmr7KKQUOlefjcct+
-QKOFhSPnVYhfvaPYEQiqVQ92ae7/wBT6cQzOMXRbY+NQjr/QfeF3QWTMRFrz3kHn
-ZccpvcsjOR3wRDGQkcaa8ta40soEkzD+XRPK4oxB9D/Z5FOVoR/WTX9DZVm7PJ5+
-SGHFBGOddICBWao1h01KCSyQ7nxNi1lLIRndj+AKtQAW/kO8hKh4YYKHAlI0dRQD
-MLitcrQOU1pJha+hhb/87BihtXlevUVO45ctCLLooSCrVG8cca8p3jwvJoPPwdCp
-1MBVZv8STPAO//4XoZkAtTcgnaUle/ro/1DFmAK/IhDyU4KP6l3uvcUvsk3Xpk1O
-AzazgiqVuIYXQ98cTh0QzAGUuFAWNFqWSF2mj+poNv0RnL/J14U=
-=xZw4
------END PGP SIGNATURE-----

unbound-1.18.0.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3da95490a85cff6420f26fae0b84a49f5112df1bf1b7fc34f8724f02082cb712
+size 6315297

unbound-1.18.0.tar.gz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEE7fqj8spObrBWga+On28cLX4EX40FAmTu91gACgkQn28cLX4E
+X40hGg//TtnNy+MiXJbt//5tEmW9NFFL6BEmD4B9WN+Mm7HFJpOaMiOobM/mWCmD
+kRDrx7HGJ5tDwOxCdHytsWq73OvJuMtyV7uUzGe1QFDyU7OiIgM0ZgPA4zp+/PDh
+3oZjNlLb1IlXwZE3VtgxR0IVjKeWgDrnB5Ir1iYk55Q1aWI5tdDDDmjT/m/5fjuh
+FTaMuy6W/J3K/EW0IyjSy1GUPi14lSpmjXUhJdY3hqr+lZ9Z9eXyUyezS0S3c8i+
+c4t01ZC5NZ7RjNgGd9Hx/WDnf8V0KSrb1qk/QfgysVSKLneDzwAAGWrGnt/CN8LO
+wPRou7u7vkZqbKNTTU6LZtWX6bmFRFZZDjgRwtPHH47SM8Sj4wqDyexW5dZYeepM
+cNbIo+Jf4JOm+BhJqWFU/fLETi2HKSNGa8uaMn6sFxboFGw87JPeKoC0YZiXTw8B
+5qWl+2elzScxckMFKdK91iI01mCVV5WoZUyPAl/Xrw5ecoK3v/2aAAuYee4KTQNh
+tVvACJkIBE8rWGVXDa8ihPNi8HPd8NHthOKhFoMvidBgDui7eA/+4LlEt4qYi7Zd
+TJQJ4Tz+2ibtw9pnHJDHbtupiIC4cCcUuBQPgdlribXacPGh7YeEO9QWCNX8duAM
+cU3Y4wFCw1QV4PtuRy9E6d+V5Uc7oX5+OixtDvOXu6o/WFrwYqo=
+=FPbs
+-----END PGP SIGNATURE-----

unbound.changes

@@ -1,3 +1,68 @@
+-------------------------------------------------------------------
+Thu Sep  7 08:03:33 UTC 2023 - Pedro Monreal <pmonreal@suse.com>
+
+- Update to 1.18.0:
+  * Features:
+    - Аdd a metric about the maximum number of collisions in lrushah.
+    - Set max-udp-size default to 1232. This is the same default value
+      as the default value for edns-buffer-size. It restricts client
+      edns buffer size choices, and makes unbound behave similar to
+      other DNS resolvers.
+    - Add harden-unknown-additional option. It removes unknown records
+      from the authority section and additional section.
+    - Added new static zone type block_a to suppress all A queries for
+      specific zones.
+    - [FR] Ability to use Redis unix sockets.
+    - [FR] Ability to set the Redis password.
+    - Features/dropqueuedpackets, with sock-queue-timeout option that
+      drops packets that have been in the socket queue for too long.
+      Added statistics num.queries_timed_out and query.queue_time_us.max
+      that track the socket queue timeouts.
+    - 'eqvinox' Lamparter: NAT64 support.
+    - [FR] Use kernel timestamps for dnstap.
+    - Add cachedb hit stat. Introduces 'num.query.cachedb' as a new
+      statistical counter.
+    - Add SVCB dohpath support.
+    - Add validation EDEs to queries where the CD bit is set.
+    - Add prefetch support for subnet cache entries.
+    - Add EDE (RFC8914) caching.
+    - Add support for EDE caching in cachedb and subnetcache.
+    - Downstream DNS Server Cookies a la RFC7873 and RFC9018. Create server
+      cookies for clients that send client cookies. This needs to be explicitly
+      turned on in the config file with: `answer-cookie: yes`.
+  * Bug Fixes
+    - Response change to NODATA for some ANY queries since 1.12.
+    - Fix not following cleared RD flags potentially enables
+      amplification DDoS attacks.
+    - Set default for harden-unknown-additional to no. So that it
+      does not hamper future protocol developments.
+    - Fix to ignore entirely empty responses, and try at another authority.
+      This turns completely empty responses, a type of noerror/nodata into
+      a servfail, but they do not conform to RFC2308, and the retry can fetch
+      improved content.
+    - Allow TTL refresh of expired error responses.
+    - Fix: Unexpected behavior with client-subnet-always-forward and serve-expired
+    - Fix unbound-dnstap-socket test program to reply the finish frame over
+      a TLS connection correctly.
+    - Fix: reserved identifier violation
+    - Fix: Unencrypted query is sent when forward-tls-upstream: yes is used
+      without tls-cert-bundle
+    - Extra consistency check to make sure that when TLS is requested,
+      either we set up a TLS connection or we return an error.
+    - Fix: NXDOMAIN instead of NOERROR rcode when asked for existing CNAME record.
+    - Fix: Bad interaction with 0 TTL records and serve-expired
+    - Fix RPZ IP responses with trigger rpz-drop on cache entries.
+    - Fix RPZ removal of client-ip, nsip, nsdname triggers from IXFR.
+    - Fix dereference of NULL variable warning in mesh_do_callback.
+    - Fix ip_ratelimit test to work with dig that enables DNS cookies.
+    - Fix for iter_dec_attempts that could cause a hang, part of capsforid
+      and qname minimisation, depending on the settings.
+    - Fix uninitialized memory passed in padding bytes of cmsg to sendmsg.
+    - Fix stat_values test to work with dig that enables DNS cookies.
+    - unbound.service: Main process exited, code=killed, status=11/SEGV.
+      Fixes cachedb configuration handling.
+    - Fix: processQueryResponse() THROWAWAY should be mindful of fail_reply.
+
 -------------------------------------------------------------------
 Thu Aug 24 10:07:02 UTC 2023 - Marcus Rueckert <mrueckert@suse.de>
 

unbound.spec

@@ -33,7 +33,7 @@
 %define piddir /run
 
 Name:           unbound
-Version:        1.17.1
+Version:        1.18.0
 Release:        0
 BuildRequires:  flex
 BuildRequires:  ldns-devel >= %{ldns_version}