Accepting request 1109457 from home:pmonrealgonzalez:branches:server:dns

- Update to 1.18.0:
  * Features:
    - Add a metric about the maximum number of collisions in lruhash.
    - Set max-udp-size default to 1232. This is the same default value
      as the default value for edns-buffer-size. It restricts client
      edns buffer size choices, and makes unbound behave similar to
      other DNS resolvers.
    - Add harden-unknown-additional option. It removes unknown records
      from the authority section and additional section.
    - Added new static zone type block_a to suppress all A queries for
      specific zones.
    - [FR] Ability to use Redis unix sockets.
    - [FR] Ability to set the Redis password.
    - Features/dropqueuedpackets, with sock-queue-timeout option that
      drops packets that have been in the socket queue for too long.
      Added statistics num.queries_timed_out and query.queue_time_us.max
      that track the socket queue timeouts.
    - 'eqvinox' Lamparter: NAT64 support.
    - [FR] Use kernel timestamps for dnstap.
    - Add cachedb hit stat. Introduces 'num.query.cachedb' as a new
      statistical counter.
    - Add SVCB dohpath support.
    - Add validation EDEs to queries where the CD bit is set.
    - Add prefetch support for subnet cache entries.
    - Add EDE (RFC8914) caching.
    - Add support for EDE caching in cachedb and subnetcache.
    - Downstream DNS Server Cookies a la RFC7873 and RFC9018. Create server
      cookies for clients that send client cookies. This needs to be explicitly
      turned on in the config file with: `answer-cookie: yes`.
  * Bug Fixes

OBS-URL: https://build.opensuse.org/request/show/1109457
OBS-URL: https://build.opensuse.org/package/show/server:dns/unbound?expand=0&rev=165
This commit is contained in:
Marcus Rückert 2023-09-07 10:39:49 +00:00 committed by Git OBS Bridge
parent fbf5ab5836
commit e451daacea
8 changed files with 151 additions and 21 deletions


@ -1,3 +1,68 @@
-------------------------------------------------------------------
Thu Sep 7 08:03:33 UTC 2023 - Pedro Monreal <pmonreal@suse.com>
- Update to 1.18.0:
* Features:
- Аdd a metric about the maximum number of collisions in lrushah.
- Set max-udp-size default to 1232. This is the same default value
as the default value for edns-buffer-size. It restricts client
edns buffer size choices, and makes unbound behave similar to
other DNS resolvers.
- Add harden-unknown-additional option. It removes unknown records
from the authority section and additional section.
- Added new static zone type block_a to suppress all A queries for
specific zones.
- [FR] Ability to use Redis unix sockets.
- [FR] Ability to set the Redis password.
- Features/dropqueuedpackets, with sock-queue-timeout option that
drops packets that have been in the socket queue for too long.
Added statistics num.queries_timed_out and query.queue_time_us.max
that track the socket queue timeouts.
- 'eqvinox' Lamparter: NAT64 support.
- [FR] Use kernel timestamps for dnstap.
- Add cachedb hit stat. Introduces 'num.query.cachedb' as a new
statistical counter.
- Add SVCB dohpath support.
- Add validation EDEs to queries where the CD bit is set.
- Add prefetch support for subnet cache entries.
- Add EDE (RFC8914) caching.
- Add support for EDE caching in cachedb and subnetcache.
- Downstream DNS Server Cookies a la RFC7873 and RFC9018. Create server
cookies for clients that send client cookies. This needs to be explicitly
turned on in the config file with: `answer-cookie: yes`.
* Bug Fixes
- Response change to NODATA for some ANY queries since 1.12.
- Fix not following cleared RD flags potentially enables
amplification DDoS attacks.
- Set default for harden-unknown-additional to no. So that it
does not hamper future protocol developments.
- Fix to ignore entirely empty responses, and try at another authority.
This turns completely empty responses, a type of noerror/nodata into
a servfail, but they do not conform to RFC2308, and the retry can fetch
improved content.
- Allow TTL refresh of expired error responses.
- Fix: Unexpected behavior with client-subnet-always-forward and serve-expired
- Fix unbound-dnstap-socket test program to reply the finish frame over
a TLS connection correctly.
- Fix: reserved identifier violation
- Fix: Unencrypted query is sent when forward-tls-upstream: yes is used
without tls-cert-bundle
- Extra consistency check to make sure that when TLS is requested,
either we set up a TLS connection or we return an error.
- Fix: NXDOMAIN instead of NOERROR rcode when asked for existing CNAME record.
- Fix: Bad interaction with 0 TTL records and serve-expired
- Fix RPZ IP responses with trigger rpz-drop on cache entries.
- Fix RPZ removal of client-ip, nsip, nsdname triggers from IXFR.
- Fix dereference of NULL variable warning in mesh_do_callback.
- Fix ip_ratelimit test to work with dig that enables DNS cookies.
- Fix for iter_dec_attempts that could cause a hang, part of capsforid
and qname minimisation, depending on the settings.
- Fix uninitialized memory passed in padding bytes of cmsg to sendmsg.
- Fix stat_values test to work with dig that enables DNS cookies.
- unbound.service: Main process exited, code=killed, status=11/SEGV.
Fixes cachedb configuration handling.
- Fix: processQueryResponse() THROWAWAY should be mindful of fail_reply.
------------------------------------------------------------------- -------------------------------------------------------------------
Thu May 4 13:57:54 UTC 2023 - Frederic Crozat <fcrozat@suse.com> Thu May 4 13:57:54 UTC 2023 - Frederic Crozat <fcrozat@suse.com>
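Review bot: the first Features entry misspells the module name as "lrushah" (it should read "lruhash"), and its leading "А" is a Cyrillic letter rather than ASCII "A", so a search of the changelog for "Add a metric" or "lruhash" will miss the line; retype it in plain ASCII. Separately, "Set default for harden-unknown-additional to no" sits under Bug Fixes while the option is introduced under Features in the same entry; stating the shipped default next to the feature line would keep readers from assuming the hardening is enabled after the update.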


@ -22,7 +22,7 @@
%bcond_without hardened_build %bcond_without hardened_build
# #
Name: libunbound-devel-mini Name: libunbound-devel-mini
Version: 1.17.1 Version: 1.18.0
#!BcntSyncTag: unbound #!BcntSyncTag: unbound
Release: 0 Release: 0
Summary: Just a devel package for build loops Summary: Just a devel package for build loops

BIN
unbound-1.17.1.tar.gz (Stored with Git LFS)

Binary file not shown.


@ -1,16 +0,0 @@

3
unbound-1.18.0.tar.gz Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:3da95490a85cff6420f26fae0b84a49f5112df1bf1b7fc34f8724f02082cb712
size 6315297
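Review bot: the oid sha256 value in this pointer is the only thing pinning the new unbound-1.18.0.tar.gz, and nothing in the hunk shows it was checked against the upstream release. Before accepting, verify that the fetched tarball's SHA-256 and size (6315297) match this pointer and that the detached signature added as unbound-1.18.0.tar.gz.asc verifies over the same file.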

16
unbound-1.18.0.tar.gz.asc Normal file

@ -0,0 +1,16 @@


@ -1,3 +1,68 @@
-------------------------------------------------------------------
Thu Sep 7 08:03:33 UTC 2023 - Pedro Monreal <pmonreal@suse.com>
- Update to 1.18.0:
* Features:
- Аdd a metric about the maximum number of collisions in lrushah.
- Set max-udp-size default to 1232. This is the same default value
as the default value for edns-buffer-size. It restricts client
edns buffer size choices, and makes unbound behave similar to
other DNS resolvers.
- Add harden-unknown-additional option. It removes unknown records
from the authority section and additional section.
- Added new static zone type block_a to suppress all A queries for
specific zones.
- [FR] Ability to use Redis unix sockets.
- [FR] Ability to set the Redis password.
- Features/dropqueuedpackets, with sock-queue-timeout option that
drops packets that have been in the socket queue for too long.
Added statistics num.queries_timed_out and query.queue_time_us.max
that track the socket queue timeouts.
- 'eqvinox' Lamparter: NAT64 support.
- [FR] Use kernel timestamps for dnstap.
- Add cachedb hit stat. Introduces 'num.query.cachedb' as a new
statistical counter.
- Add SVCB dohpath support.
- Add validation EDEs to queries where the CD bit is set.
- Add prefetch support for subnet cache entries.
- Add EDE (RFC8914) caching.
- Add support for EDE caching in cachedb and subnetcache.
- Downstream DNS Server Cookies a la RFC7873 and RFC9018. Create server
cookies for clients that send client cookies. This needs to be explicitly
turned on in the config file with: `answer-cookie: yes`.
* Bug Fixes
- Response change to NODATA for some ANY queries since 1.12.
- Fix not following cleared RD flags potentially enables
amplification DDoS attacks.
- Set default for harden-unknown-additional to no. So that it
does not hamper future protocol developments.
- Fix to ignore entirely empty responses, and try at another authority.
This turns completely empty responses, a type of noerror/nodata into
a servfail, but they do not conform to RFC2308, and the retry can fetch
improved content.
- Allow TTL refresh of expired error responses.
- Fix: Unexpected behavior with client-subnet-always-forward and serve-expired
- Fix unbound-dnstap-socket test program to reply the finish frame over
a TLS connection correctly.
- Fix: reserved identifier violation
- Fix: Unencrypted query is sent when forward-tls-upstream: yes is used
without tls-cert-bundle
- Extra consistency check to make sure that when TLS is requested,
either we set up a TLS connection or we return an error.
- Fix: NXDOMAIN instead of NOERROR rcode when asked for existing CNAME record.
- Fix: Bad interaction with 0 TTL records and serve-expired
- Fix RPZ IP responses with trigger rpz-drop on cache entries.
- Fix RPZ removal of client-ip, nsip, nsdname triggers from IXFR.
- Fix dereference of NULL variable warning in mesh_do_callback.
- Fix ip_ratelimit test to work with dig that enables DNS cookies.
- Fix for iter_dec_attempts that could cause a hang, part of capsforid
and qname minimisation, depending on the settings.
- Fix uninitialized memory passed in padding bytes of cmsg to sendmsg.
- Fix stat_values test to work with dig that enables DNS cookies.
- unbound.service: Main process exited, code=killed, status=11/SEGV.
Fixes cachedb configuration handling.
- Fix: processQueryResponse() THROWAWAY should be mindful of fail_reply.
------------------------------------------------------------------- -------------------------------------------------------------------
Thu Aug 24 10:07:02 UTC 2023 - Marcus Rueckert <mrueckert@suse.de> Thu Aug 24 10:07:02 UTC 2023 - Marcus Rueckert <mrueckert@suse.de>
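Review bot: several Bug Fixes entries here are security-relevant ("Fix not following cleared RD flags potentially enables amplification DDoS attacks", "Unencrypted query is sent when forward-tls-upstream: yes is used without tls-cert-bundle", "Fix uninitialized memory passed in padding bytes of cmsg to sendmsg"), but none carries an upstream issue or bug-tracker reference, so they cannot be tied to an advisory or audited later; add the corresponding references where they exist. The entry repeats the earlier changelog hunk word for word, so the "lrushah" typo and the non-ASCII first letter in the first Features line need the same correction in this file.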


@ -33,7 +33,7 @@
%define piddir /run %define piddir /run
Name: unbound Name: unbound
Version: 1.17.1 Version: 1.18.0
Release: 0 Release: 0
BuildRequires: flex BuildRequires: flex
BuildRequires: ldns-devel >= %{ldns_version} BuildRequires: ldns-devel >= %{ldns_version}