Accepting request 1298773 from server:dns

OBS-URL: https://build.opensuse.org/request/show/1298773
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/unbound?expand=0&rev=75

libunbound-devel-mini.changes

@@ -1,3 +1,465 @@
+-------------------------------------------------------------------
+Sun Aug 10 18:26:45 UTC 2025 - Marcus Rueckert <mrueckert@suse.de>
+
+- Update to 1.23.1:
+  Bug Fixes:
+  * Fix RebirthDay Attack CVE-2025-5994, reported by Xiang Li from
+    AOSP Lab Nankai University.
+
+-------------------------------------------------------------------
+Thu Apr 24 11:58:41 UTC 2025 - Jorik Cronenberg <jorik.cronenberg@suse.com>
+
+- Update to 1.23.0:
+  Features:
+  * Increase the default of max-global-quota to 200 from 128 after
+    operational feedback. Still keeping the possible amplification
+    factor (CAMP related issues) in the hundreds.
+  * Fix #1175: serve-expired does not adhere to secure-by-default
+    principle. The default value of serve-expired-client-timeout
+    is set to 1800 as suggested by RFC8767.
+  * For #1175, the default value of serve-expired-ttl is set to 86400
+    (1 day) as suggested by RFC8767.
+  * For #1207: [FR] Support for RESINFO RRType 261 (RFC9606), add
+    LDNS_RR_TYPE_RESINFO similar to LDNS_RR_TYPE_TXT.
+  * Add resolver.arpa and service.arpa to the default locally served
+    zones.
+  * Merge #1042: Fast Reload. The unbound-control fast_reload is added.
+    It reads changed config in a thread, then only briefly pauses the
+    service threads, that keep running. DNS service is only interrupted
+    briefly, less than a second.
+  * Merge #1019: Redis read-only replica support.
+    Introduces new 'redis-replica-*' options for the Redis cache backend.
+  * Merge #902: DNS Error Reporting (RFC 9567). Introduces new
+    configuration option 'dns-error-reporting' and new statistics for
+    'num.dns_error_reports'.
+
+  Bug Fixes:
+  * Fix #1154: Tag Incorrectly Applying for Other Interfaces
+    Using the Same IP. This fix is not for 1.22.0.
+  * Fix #1163: Typos in unbound.conf documentation.
+  * Merge #1159: Stats for discard-timeout and wait-limit.
+  * Add test case for #1159.
+  * Some clean up for stat_values.test.
+  * Merge #1170 from Melroy van den Berg, Fix chroot manpage
+    description.
+  * Merge #1157 from Liang Zhu, Fix heap corruption when calling
+    ub_ctx_delete in Windows.
+  * Fix redis that during a reload it does not fail if the redis
+    server does not connect or does not respond. It still logs the
+    errors and if the server is up checks expiration features.
+  * Merge #1167: Makefile.in: fix occasional parallel build failures
+    around bison rule.
+  * Fix SETEX check during Redis (re)initialization.
+  * Fix for the serve expired DNSSEC information fix, it would not allow
+    current delegation information be updated in cache. The fix allows
+    current delegation and validation recursion information to be
+    updated, but as a consequence no longer has certain expired
+    information around for later dnssec valid expired responses.
+  * Fix to log redis timeout error string on failure.
+  * More descriptive text for 'harden-algo-downgrade'.
+  * Complete fix for max-global-quota to 200.
+  * Fix #1183: the data being used is released in method
+    nsec3_hash_test_entry.
+  * Fix for #1183: release nsec3 hashes per test file.
+  * Merge #1169 from Sergey Kacheev, fix: lock-free counters for
+    auth_zone up/down queries.
+  * Fix comparison to help static analyzer.
+  * For #1175, update serve-expired tests.
+  * Merge #1189: Fix the dname_str method to cause conversion errors
+    when the domain name length is 255.
+  * Merge #1197: dname_str() fixes.
+  * Merge #1198: Fix log-servfail with serve expired and no useful cache
+    contents.
+  * Safeguard alias loop while looking in the cache for expired answers.
+  * Merge #1187: Create the SSL_CTX for QUIC before chroot and privilege
+    drop.
+  * Fix typo in log_servfail.tdir test.
+  * Merge #1204: ci: set persist-credentials: false for actions/checkout
+    per zizmor suggestion.
+  * Merge #1174: Serve expired cache update fixes. Fixes a regression bug
+    with serve-expired that appeared in 1.22.0 and would not allow the
+    iterator to update the cache with not-yet-validated entries resulting
+    in increased outgoing traffic.
+  * Merge #1214: Use TCP_NODELAY on TLS sockets to speed up the TLS
+    handshake.
+  * Fix #1213: Misleading error message on default access control causing
+    refuse.
+  * Merge #1221: Consider auth zones when checking for forwarders.
+  * Merge #1222: Unique DoT and DoH SSL contexts to allow for different
+    ALPN.
+  * Create the quic SSL listening context only when needed.
+  * Fix compile of interface check code when dnscrypt or quic is
+    disabled.
+  * Fix encoding of RR type ATMA.
+  * Fix to check length in ATMA string to wire.
+  * Merge #1229: check before use daemon->shm_info.
+  * Use the same interface listening port discovery code for all needed
+    protocols.
+  * Port to string only when needed before getaddrinfo().
+  * Do not open unencrypted channels next to encrypted ones on the same
+    port.
+  * Merge #1224 from Theo Buehler: Do not use DSA API unless USE_DSA is
+    set.
+  * Merge #1220 from Petr Menšík, Add unbound members group access to
+    control key.
+  * Make the default value of module-config "validator iterator"
+    regardless of compilation options. --enable-subnet would implicitly
+    change the value to enable the subnetcache module by default in the
+    past.
+  * Fix #986: Resolving sas.com with dnssec-validation fails though
+    signed delegations seem to be (mostly) correct.
+    Consider reconfigurations when calculating the still_useful_timeout
+    for servers in the infrastructure cache.
+  * Fix static analysis report about unhandled EOF on error conditions
+    when reading anchor key files.
+  * Merge #1241: Fix infra-keep-probing for low infra-cache-max-rtt
+    values.
+  * Fix hash calculation for cachedb to ignore case. Previously, cached
+    records there were only relevant for same case queries (if not
+    already in Unbound's internal cache).
+  * Merge #1243: Do not shadow tm on line 236.
+  * Merge #1238: Prefer SOURCE_DATE_EPOCH over actual time.
+    Add --help output description for the SOURCE_DATE_EPOCH variable.
+  * Fix 'unbound-control flush_negative' when reporting removed data;
+    reported by David 'eqvinox' Lamparter.
+  * Fix representation of types GPOS and RESINFO, add rdf type for
+    unquoted str.
+  * Fix #1251: WSAPoll first argument cannot be NULL.
+  * Fix for windows compile create ssl contexts.
+  * Fix print of RR type NSAP-PTR, it is an unquoted string.
+  * Fix #1253: Cache entries fail to be removed from Redis cachedb
+    backend with unbound-control flush* +c.
+  * Fix for #1253: Fix for redis cachedb backend to expect an integer
+    reply for the EXPIRE command.
+  * Fix #1254: send failed: Socket is not connected and
+    remote address is 0.0.0.0 port 53.
+  * Fix #1255: Multiple pinnings to vulnerable copies of libexpat.
+  * For #1255, for ios use an older expat version that does not require
+    C++11 language features.
+  * For #1255, for ios disable building tests that require C++11.
+  * For #1255, for ios try the latest expat version again.
+  * Fix unit test dname log printout typecast.
+  * Fix for ci test, expat is installed on the osx image.
+  * iana portlist update.
+  * Skip the unit tests for auth_tls.tdir and auth_tls_failcert.tdir.
+  * Fix escape more characters when printing an RR type with an unquoted
+    string.
+  * Enable the auth_tls.tdir and auth_tls_failcert.tdir tests.
+  * Fix unbound-control test so it counts the new flush_negative output,
+    also answers the _ta probe from testns and prints command output
+    and skip a thread specific test when no threads are available.
+  * Fix that ub_event has the facility to deal with callbacks for
+    fast reload, doq, windows-stop and dnstap.
+  * Fix fast reload test to check if pid exists before acting on it.
+  * Merge #1262 from markyang92, fix build with
+    'gcc-15 -Wbuiltin-declaration-mismatch' error in compat/malloc.c.
+  * For #1262, ifdef is no longer needed.
+  * Fix #1263: Exempt loopback addresses from wait-limit.
+  * Fix wait-limit-netblock and wait-limit-cookie-netblock config parse
+    to allow two arguments.
+  * Fix ub_event and include dnstap and win_svc headers.
+  * Fix test for stat_values for wait limit defaults for localhost.
+  * Fix parameter unused warning in net_help.c.
+  * Fix mesh_copy_client_info to omit null contents from copy.
+  * Fix comment name in the rpz nsdname test.
+  * Fix nettle compile for warnings and ticket keys.
+  * Fix redis_replica test for unused option defaults and log printout.
+  * Fix test to speed up common.sh script kill_pid.
+  * Fix to update common.sh for speed of kill_pid.
+  * Update to the manpage for the fast_reload part.
+  * Fix fast_reload to print chroot with config file name.
+  * Fix to detect if atomic_store links in configure.
+  * Fix #1264: unbound 1.22.0 leaks memory when doing DoH.
+  * Fix for print of connection type in log-replies for dot and doh.
+  * Merge #1265: Fix WSAPoll.
+
+-------------------------------------------------------------------
+Fri Oct 18 11:13:51 UTC 2024 - Jorik Cronenberg <jorik.cronenberg@suse.com>
+
+- Update to 1.22.0:
+  Features:
+  * Add iter-scrub-ns, iter-scrub-cname and max-global-quota
+    configuration options.
+  * Merge patch to fix for glue that is outside of zone, with
+    `harden-unverified-glue`, from Karthik Umashankar (Microsoft).
+    Enabling this option protects the Unbound resolver against bad
+    glue, that is unverified out of zone glue, by resolving them.
+    It uses the records as last resort if there is no other working
+    glue.
+  * Add redis-command-timeout: 20 and redis-connect-timeout: 200,
+    that can set the timeout separately for commands and the
+    connection set up to the redis server. If they are not
+    specified, the redis-timeout value is used.
+  * Log timestamps in ISO8601 format with timezone. This adds the
+    option `log-time-iso: yes` that logs in ISO8601 format.
+  * DNS over QUIC. This adds `quic-port: 853` and `quic-size: 8m`
+    that enable dnsoverquic, and the counters `num.query.quic` and
+    `mem.quic` in the statistics output. The feature needs to be
+    enabled by compiling with libngtcp2, with
+    `--with-libngtcp2=path` and libngtcp2 needs openssl+quic, pass
+    that with `--with-ssl=path` to compile unbound as well.
+
+  Bug Fixes:
+  * unbound-control-setup hangs while testing for openssl presence
+    starting from version 1.21.0.
+  * Fix error: "memory exhausted" when defining more than 9994
+    local-zones.
+  * Fix documentation for cache_fill_missing function.
+  * Fix Loads of logs: "validation failure: key for validation
+    <domain>. is marked as invalid because of a previous" for
+    non-DNSSEC signed zone.
+  * Fix that when rpz is applied the message does not get picked up
+    by the validator. That stops validation failures for the
+    message.
+  * Fix that stub-zone and forward-zone clauses do not exhaust
+    memory for long content.
+  * Fix to print port number in logs for auth zone transfer
+    activities.
+  * b.root renumbering.
+  * Add new IANA trust anchor.
+  * Fix config file read for dnstap-sample-rate.
+  * Fix alloc-size and calloc-transposed-args compiler warnings.
+  * Fix to limit NSEC and NSEC3 TTL when aggressive nsec is enabled
+    (RFC9077).
+  * Fix dns64 with prefetch that the prefetch is stored in cache.
+  * Attempt to further fix doh_downstream_buffer_size.tdir
+    flakiness.
+  * More clear text for prefetch and minimal-responses in the
+    unbound.conf man page.
+  * Fix cache update when serve expired is used. Expired records
+    are favored over resolution and validation failures when
+    serve-expired is used.
+  * Fix negative cache NSEC3 parameter compares for zero length
+    NSEC3 salt.
+  * Fix unbound-control-setup hangs sometimes depending on the
+    openssl version.
+  * Fix Cannot override tcp-upstream and tls-upstream with
+    forward-tcp-upstream and forward-tls-upstream.
+  * Fix to limit NSEC TTL for messages from cachedb. Fix to limit
+    the prefetch ttl for messages after a CNAME with short TTL.
+  * Fix to disable detection of quic configured ports when quic is
+    not compiled in.
+  * Fix harden-unverified-glue for AAAA cache_fill_missing lookups.
+  * Fix contrib/aaaa-filter-iterator.patch for change in call
+    signature for cache_fill_missing.
+  * Fix to display warning if quic-port is set but dnsoverquic is
+    not enabled when compiled.
+  * Fix dnsoverquic to extend the number of streams when one is
+    closed.
+  * Fix for dnstap with dnscrypt and dnstap without dnsoverquic.
+  * Fix for dnsoverquic and dnstap to use the correct dnstap
+    environment.
+
+- Update keyring
+
+-------------------------------------------------------------------
+Mon Oct  7 11:07:12 UTC 2024 - Jorik Cronenberg <jorik.cronenberg@suse.com>
+
+- Update to 1.21.1:
+  Security Fixes:
+  * Fix CVE-2024-8508, unbounded name compression could lead to
+    denial of service.
+    [CVE-2024-8508, bsc#1231284]
+
+- Update keyring
+
+-------------------------------------------------------------------
+Thu Aug 15 09:24:29 UTC 2024 - Jorik Cronenberg <jorik.cronenberg@suse.com>
+
+- Update to 1.21.0:
+  Security Fixes:
+  * Merge #1073: fix null pointer dereference issue in function
+    ub_ctx_set_fwd.
+    [CVE-2024-43167, bsc#1229068]
+
+  Features:
+  * Fix #1071: [FR] Clear both in-memory and cachedb module cache
+    with `unbound-control flush*` commands.
+  * Fix #144: Port ipset to BSD pf tables.
+  * Add dnstap-sample-rate that logs only 1/N messages, for high
+    volume server environments. Thanks Dan Luther.
+  * Add root key 38696 from 2024 for DNSSEC validation. It is added
+    to the default root keys in unbound-anchor. The content can be
+    inspected with `unbound-anchor -l`.
+  * Merge #1090: Cookie secret file. Adds `cookie-secret-file:
+    "unbound_cookiesecrets.txt"` option to store cookie secrets for
+    EDNS COOKIE secret rollover. The remote control
+    add_cookie_secret, activate_cookie_secret and
+    drop_cookie_secret commands can be used for rollover, the
+    command print_cookie_secrets shows the values in use.
+
+  Bug Fixes:
+  * Fix CAMP issues with global quota. Thanks to Huayi
+    Duan, Marco Bearzi, Jodok Vieli, and Cagin Tanir from NetSec
+    group, ETH Zurich.
+  * Fix CacheFlush issues with limit on NS RRs. Thanks to Yehuda
+    Afek, Anat Bremler-Barr, Shoham Danino and Yuval Shavitt
+    (Tel-Aviv University and Reichman University).
+  * Merge #1062: Fix potential overflow bug while parsing port in
+    function cfg_mark_ports.
+  * Fix for #1062: declaration before statement, avoid print of
+    null, and redundant check for array size.
+  * Fix to squelch udp connect errors in the log at low verbosity
+    about invalid argument for IPv6 link local addresses.
+  * Fix when the mesh jostle is exceeded that nameserver targets
+    are marked as resolved, so that the lookup is not stuck on the
+    requestlist.
+  * Add missing common functions to tdir tests.
+  * Merge #1070: Fix rtt assignement for low values of
+    infra-cache-max-rtt.
+  * Merge #1069: Fix unbound-control stdin commands for
+    multi-process Unbounds.
+  * Fix unbound-control commands that read stdin in multi-process
+    operation (local_zones_remove, local_zones, local_datas_remove,
+    local_datas, view_local_datas_remove, view_local_datas). They
+    will be properly distributed to all processes. dump_cache and
+    load_cache are no longer supported in multi-process operation.
+  * Remove testdata/remote-threaded.tdir.
+    testdata/09-unbound-control.tdir now checks both single and
+    multi process/thread operation.
+  * Fix to print a parse error when config is read with no name for
+    a forward-zone, stub-zone or view.
+  * Fix for parse end of forward-zone, stub-zone and view.
+  * Fix for #1064: Fix that cachedb expired messages are considered
+    insecure, and thus can be served to clients when dnssec is
+    enabled.
+  * Fix #1059: Intermittent DNS blocking failure with local-zone
+    and always_nxdomain. Addition of local_zones dynamically via
+    unbound-control was not finding the zone's parent correctly.
+  * Fix #1064: Unbound 1.20 Cachedb broken?
+  * Fix unused variable warning on compilation with no thread
+    support.
+  * unbound-control-setup: check openssl availability before doing
+    anything, patch from Michael Tokarev.
+  * Update patch to remove 'command' shell builtin and update error
+    text.
+  * Fix to enable that SERVFAIL is cached, for a short period, for
+    more cases. In the cases where limits are exceeded.
+  * Fix spelling of tcp-idle-timeout docs, from Michael Tokarev.
+  * Merge #1078: Only check old pid if no username.
+  * Fix #1079: tags from tagged rpz zones are no longer honored
+    after upgrade from 1.19.3 to 1.20.0.
+  * Fix for #1079: fix RPZ taglist in iterator callback that no
+    client info is like no taglist intersection.
+  * Fix to squelch connection reset by peer errors from log. And
+    fix that the tcp read errors are labeled as initial for the
+    first calls.
+  * Merge #1080: AddressSanitizer detection in tdir tests and
+    memory leak fixes.
+  * Fix memory leak when reload_keep_cache is used and num-threads
+    changes.
+  * Fix memory leak on exit for unbound-dnstap-socket; creates
+    false negatives during testing.
+  * Fix memory leak in setup of dsa sig.
+  * Fix typos for 'the the' in text.
+  * Fix validation for repeated use of a DNAME record.
+  * Add unit test for validation of repeated use of a DNAME record.
+  * Fix #1091: Build fails with OpenSSL >= 3.0 built with
+    OPENSSL_NO_DEPRECATED.
+  * Fix #1092: Ubuntu 22.04 Jammy fails to compile unbound 1.20.0;
+    by adding helpful text for the Python interpreter version and
+    allowing the default pkg-config unavailability error message to
+    be shown.
+  * Fix pkg-config availability check in dnstap/dnstap.m4 and
+    systemd.m4.
+  * Explicitly set the RD bit for the mesh query flags when
+    prefetching. These queries have no waiting client but they need
+    to be treated as recursive.
+  * Fix ip-ratelimit-cookie setting, it was not applied.
+  * Fix to remove unused include from the readzone test program.
+  * Fix unused variable warning in do_cache_remove.
+  * Fix compile warning in worker pthread id printout.
+  * Add unit test skip files and bison and flex output to
+    gitignore.
+  * Fix to use modstack_init in zonemd unit test.
+  * Fix to remove unneeded linebreak in fptr_wlist.c.
+  * Fix compile warnings in fptr_wlist.c.
+  * Fix for repeated use of a DNAME record: first overallocate and
+    then move the exact size of the init value to avoid false
+    positive heap overflow reads from address sanitizers.
+  * Fix to print details about the failure to lookup a DNSKEY
+    record when validation fails due to the missing DNSKEY. Also
+    for key prime and DS lookups.
+  * Fix for neater printout for error for missing DS response.
+  * Fix neater printout.
+  * Fix #1099: Unbound core dump on SIGSEGV.
+  * Fix for #1099: Fix to check for deleted RRset when the contents
+    is updated and fetched after it is stored, and also check for a
+    changed RRset.
+  * Don't check for message TTL changes if the RRsets remain the
+    same.
+  * Fix that validation reason failure that uses string print uses
+    separate buffer that is passed, from the scratch validation
+    buffer.
+  * Fixup algo_needs_reason string buffer length.
+  * Fix shadowed error string variable in validator dnskey
+    handling.
+  * Update list of known EDE codes.
+  * For #773: In contrib/unbound.service.in set unbound to start
+    after network-online.target. Also for
+    contrib/unbound_portable.service.in.
+  * Fix #1103: unbound 1.20.0 segmentation fault with nghttp2.
+  * For #1103: fix to also drop mesh state reference when a h2
+    reply is dropped.
+  * Add RPZ tag tests in acl_interface.tdir.
+  * For #1102: clearer text for using interface-* options for the
+    loopback interface.
+  * For #1103: fix to also drop mesh state reference when the
+    discard limit is reached, when there is an error making a new
+    recursion state and when the connection is dropped with
+    is_drop.
+  * For #1103: Fix to drop mesh state reference for the http2
+    stream associated with the reply, not the currently active
+    stream. And it does not remove it twice on a mesh_send_reply
+    call. The reply h2_stream is NULL when not in use, for more
+    initialisation.
+  * Fix dnstap wakeup, a running wakeup timer is left to expire and
+    not increased, a timer is started when the dtio thread is
+    sleeping, the timer set disabled when the dtio thread goes to
+    sleep, and after sleep the thread checks to see if there are
+    messages to log immediately.
+  * Merge #1110: Make fallthrough explicit for libworker.c.
+  * For #1110: Test for fallthrough attribute in configure and add
+    fallthrough attribute annotations.
+  * Fix compile when the compiler does not support the noreturn
+    attribute.
+  * Fix to have empty definition when not supported for weak
+    attribute.
+  * Fix uninitialized variable warning in create_tcp_accept_sock.
+  * Fix link of dnstap without openssl.
+  * Fix link of unbound-dnstap-socket without openssl.
+  * Fix #1106: ratelimit-below-domain logs the wrong FROM address.
+  * Cleanup ede.tdir test.
+  * For #935 and #1104, clarify RPZ order and semantics.
+  * Fix to document parameters of auth_zone_verify_zonemd_with_key.
+  * Fix for #1114: Fix that cache fill for forward-host names is
+    performed, so that with nonzero target-fetch-policy it fetches
+    forwarder addresses and uses them from cache. Also updated that
+    delegation point cache fill routines use CDflag for AAAA
+    message lookups, so that its negative lookup stops a recursion
+    since the cache uses the bit for disambiguation for dns64 but
+    the recursion uses CDflag for the AAAA target lookups, so the
+    check correctly stops a useless recursion by its cache lookup.
+  * Fix dnstap test program, cleans up to have clean memory on
+    exit, for tap_data_free, does not delete NULL items. Also it
+    does not try to free the tail, specifically in the free of the
+    list since that picked up the next item in the list for its
+    loop causing invalid free. Added internal unit test to
+    unbound-dnstap-socket for that.
+  * Fix that the worker mem report with alloc stats does not
+    attempt to print memory use of forwards and hints if they have
+    been deleted already.
+  * Fix that alloc stats has strdup checks, it stops debuggers from
+    complaining about mismatch at free time.
+  * Fix testbound for alloc stats strdup in util/alloc.c.
+  * Fix that alloc stats for forwards and hints are printed, and
+    when alloc stats is enabled, the unit test for unbound control
+    waits for reloads to complete.
+  * Fix that for windows the module startup is called and sets up
+    the module-config.
+  * Fix spelling for the cache-min-negative-ttl entry in the
+    example.conf.
+
 -------------------------------------------------------------------
 Wed May  8 09:15:01 UTC 2024 - Jorik Cronenberg <jorik.cronenberg@suse.com>
 

libunbound-devel-mini.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package libunbound-devel-mini
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -22,7 +22,7 @@
 %bcond_without hardened_build
 #
 Name:           libunbound-devel-mini
-Version:        1.20.0
+Version:        1.23.1
 #!BcntSyncTag: unbound
 Release:        0
 Summary:        Just a devel package for build loops

unbound-1.20.0.tar.gz.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEE7fqj8spObrBWga+On28cLX4EX40FAmY7MtIACgkQn28cLX4E
-X43TZw//UOLWFXCT36DydXV2gi8vAB9xIFOGj7LbfOSIu8mg2gOvxaBFcC3qb8iB
-Wh4prktm+ANRyrmaDq5jlhG2JS0JGYCAGXntN8O09IZt8cx5s1N4UWOOOHp/XEcF
-spQpohJlJMnDl+WuIW0rGUnME4mytEBd/HwIM2Q4XyhXOEQj4hEW1tGlNF1qNq5b
-8KV5AbRa1OMPeaOaLUb3rg4Wll90twKnlVsdAga1GzYHYHIjbrvso8TbEAZQOzk1
-Vu20zwNV1mFNRQcBhhkRBSirmZQ3p73HDT3j3yZZ7D2VaZyi1TQSNxCKAkBpM7NX
-ZXBXHpYjf/9kei8vMeQBE4pIoXgcSAASyHh1FNZ8vzyklR8lP8grNtgn1R7ACryN
-U1W+0Mh4gjZLjK4sgfouunqpuDpKnpb7a/b19D4fqGBYen+V/BBwARbdxPABs2fK
-Y5kMnSIM3eZPZD2PnLEL8uqfuES1QZ9OkhGvEX9jhO3plYWzUDa7J/5eFqyUEpPc
-zkAlQvJySW1T18U7YWPLM7ipsVIZc7XPkvEHpit6cSj7f4wUPurJio2glOHwXafZ
-+mmzb7nFahTE6tmvOF3dBbvxRpzYtHI6qa1tNTVR9EFJsc8Bm9a8dcI6Jd4e6M2i
-XWA32DOSppyEdLz3aEmpIQLT3VpSPRHuLB+slfi+xsBcwNJHL4w=
-=mEBa
------END PGP SIGNATURE-----

unbound-1.23.1.tar.gz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEE7fqj8spObrBWga+On28cLX4EX40FAmh3YMQACgkQn28cLX4E
+X42aTg/+JTrKV5wyCIXPHYhF7j6UpHtRk73gX9XCEs88sGRkjHM25MqXElBXfnxr
+RmhSlBM077jYxX6hPLmXCyDDMnvv+3kJc3HNJ1Ip6fBXoJveatoesYV0UEhJWbHV
++l5oS9pShKZz/b4SC4ePi4AyRI8OEyHYQzvLVaLQme4aVFwgLiIHFqASHQzv/lWX
+UkEH3VsydV0qwZEUEPVrytV1PLGli78JHiXVvwh+//kbNvs8v5x/ovQSgUxDb5p3
+mfFuOn21S47/oIoL7R/hJgQoZry9xEzFo7H30qytAx5biq00qvnqKpGMJvG8sFHf
+AIVHt4VdvOGLPUl38EThMVOTta1sHZB1FcN6fuaS565+Ue3oa4b6MBmPvNz4lvdC
+HQ6Gbkzqdt5jk+gTWk0HbeVhEOlb3BlOpaTWl8hkb6RZhsSFN2f0a7fJDHxZFtem
+RDpm+Ggja6+B+9uWiafODbLqC8rOweYfZoImPi95lcH+BrJg/0Ivib/ZuzNqXCXL
+Uof+kuE+GLL30uulNiLObVtDsjnWN//+liXCviKXlFP9b8n0cM/Zvpk0P3KDpLwx
+xrHcWOvUvnHtyqdNlvjHKDN1GmLKJ6WXkLWcm+cWlvDTUfBR+/17X/qEiUxhPikk
+ah0pre7ZMtzrIimL17zN1iChQFp+QnoGQ9zFa5Gz3INS/FzR0ug=
+=bW1T
+-----END PGP SIGNATURE-----

unbound.changes

@@ -1,3 +1,504 @@
+-------------------------------------------------------------------
+Mon Aug 11 10:19:50 UTC 2025 - Marcus Rueckert <mrueckert@suse.de>
+
+- simplify python handling. python2 support is dropped and python3
+  is built by default. Conditionals for the latter are removed.
+
+-------------------------------------------------------------------
+Mon Aug 11 10:14:25 UTC 2025 - Marcus Rueckert <mrueckert@suse.de>
+
+- enable EDNS subnet handling
+
+-------------------------------------------------------------------
+Sun Aug 10 18:26:45 UTC 2025 - Marcus Rueckert <mrueckert@suse.de>
+
+- Update to 1.23.1: (boo#1246625)
+  Bug Fixes:
+  * Fix RebirthDay Attack CVE-2025-5994, reported by Xiang Li from
+    AOSP Lab Nankai University.
+  - our package was not built with EDNS subnet support up to this
+    point and therefor was not affected.
+
+-------------------------------------------------------------------
+Sun Aug 10 18:07:02 UTC 2025 - Marcus Rueckert <mrueckert@suse.de>
+
+- prepare enabling quic support:
+  currently fails on missing quic support in openssl. aws-lc is
+  sadly not a drop in replacement for unbound.
+- enable TCP Fast Open for the server and client
+- remove unused --with-ldns option
+- enable cachedb including hiredis support on Tumbleweed
+  new BuildRequires pkgconfig(libhiredis)
+
+-------------------------------------------------------------------
+Sun Jul 20 18:17:33 UTC 2025 - Mia Herkt <mia@0x0.st>
+
+- Remove leftover dependency on sudo (not required)
+  See also: boo#1215628
+
+-------------------------------------------------------------------
+Thu Apr 24 11:58:41 UTC 2025 - Jorik Cronenberg <jorik.cronenberg@suse.com>
+
+- Update to 1.23.0:
+  Features:
+  * Increase the default of max-global-quota to 200 from 128 after
+    operational feedback. Still keeping the possible amplification
+    factor (CAMP related issues) in the hundreds.
+  * Fix #1175: serve-expired does not adhere to secure-by-default
+    principle. The default value of serve-expired-client-timeout
+    is set to 1800 as suggested by RFC8767.
+  * For #1175, the default value of serve-expired-ttl is set to 86400
+    (1 day) as suggested by RFC8767.
+  * For #1207: [FR] Support for RESINFO RRType 261 (RFC9606), add
+    LDNS_RR_TYPE_RESINFO similar to LDNS_RR_TYPE_TXT.
+  * Add resolver.arpa and service.arpa to the default locally served
+    zones.
+  * Merge #1042: Fast Reload. The unbound-control fast_reload is added.
+    It reads changed config in a thread, then only briefly pauses the
+    service threads, that keep running. DNS service is only interrupted
+    briefly, less than a second.
+  * Merge #1019: Redis read-only replica support.
+    Introduces new 'redis-replica-*' options for the Redis cache backend.
+  * Merge #902: DNS Error Reporting (RFC 9567). Introduces new
+    configuration option 'dns-error-reporting' and new statistics for
+    'num.dns_error_reports'.
+
+  Bug Fixes:
+  * Fix #1154: Tag Incorrectly Applying for Other Interfaces
+    Using the Same IP. This fix is not for 1.22.0.
+  * Fix #1163: Typos in unbound.conf documentation.
+  * Merge #1159: Stats for discard-timeout and wait-limit.
+  * Add test case for #1159.
+  * Some clean up for stat_values.test.
+  * Merge #1170 from Melroy van den Berg, Fix chroot manpage
+    description.
+  * Merge #1157 from Liang Zhu, Fix heap corruption when calling
+    ub_ctx_delete in Windows.
+  * Fix redis that during a reload it does not fail if the redis
+    server does not connect or does not respond. It still logs the
+    errors and if the server is up checks expiration features.
+  * Merge #1167: Makefile.in: fix occasional parallel build failures
+    around bison rule.
+  * Fix SETEX check during Redis (re)initialization.
+  * Fix for the serve expired DNSSEC information fix, it would not allow
+    current delegation information be updated in cache. The fix allows
+    current delegation and validation recursion information to be
+    updated, but as a consequence no longer has certain expired
+    information around for later dnssec valid expired responses.
+  * Fix to log redis timeout error string on failure.
+  * More descriptive text for 'harden-algo-downgrade'.
+  * Complete fix for max-global-quota to 200.
+  * Fix #1183: the data being used is released in method
+    nsec3_hash_test_entry.
+  * Fix for #1183: release nsec3 hashes per test file.
+  * Merge #1169 from Sergey Kacheev, fix: lock-free counters for
+    auth_zone up/down queries.
+  * Fix comparison to help static analyzer.
+  * For #1175, update serve-expired tests.
+  * Merge #1189: Fix the dname_str method to cause conversion errors
+    when the domain name length is 255.
+  * Merge #1197: dname_str() fixes.
+  * Merge #1198: Fix log-servfail with serve expired and no useful cache
+    contents.
+  * Safeguard alias loop while looking in the cache for expired answers.
+  * Merge #1187: Create the SSL_CTX for QUIC before chroot and privilege
+    drop.
+  * Fix typo in log_servfail.tdir test.
+  * Merge #1204: ci: set persist-credentials: false for actions/checkout
+    per zizmor suggestion.
+  * Merge #1174: Serve expired cache update fixes. Fixes a regression bug
+    with serve-expired that appeared in 1.22.0 and would not allow the
+    iterator to update the cache with not-yet-validated entries resulting
+    in increased outgoing traffic.
+  * Merge #1214: Use TCP_NODELAY on TLS sockets to speed up the TLS
+    handshake.
+  * Fix #1213: Misleading error message on default access control causing
+    refuse.
+  * Merge #1221: Consider auth zones when checking for forwarders.
+  * Merge #1222: Unique DoT and DoH SSL contexts to allow for different
+    ALPN.
+  * Create the quic SSL listening context only when needed.
+  * Fix compile of interface check code when dnscrypt or quic is
+    disabled.
+  * Fix encoding of RR type ATMA.
+  * Fix to check length in ATMA string to wire.
+  * Merge #1229: check before use daemon->shm_info.
+  * Use the same interface listening port discovery code for all needed
+    protocols.
+  * Port to string only when needed before getaddrinfo().
+  * Do not open unencrypted channels next to encrypted ones on the same
+    port.
+  * Merge #1224 from Theo Buehler: Do not use DSA API unless USE_DSA is
+    set.
+  * Merge #1220 from Petr Menšík, Add unbound members group access to
+    control key.
+  * Make the default value of module-config "validator iterator"
+    regardless of compilation options. --enable-subnet would implicitly
+    change the value to enable the subnetcache module by default in the
+    past.
+  * Fix #986: Resolving sas.com with dnssec-validation fails though
+    signed delegations seem to be (mostly) correct.
+    Consider reconfigurations when calculating the still_useful_timeout
+    for servers in the infrastructure cache.
+  * Fix static analysis report about unhandled EOF on error conditions
+    when reading anchor key files.
+  * Merge #1241: Fix infra-keep-probing for low infra-cache-max-rtt
+    values.
+  * Fix hash calculation for cachedb to ignore case. Previously, cached
+    records there were only relevant for same case queries (if not
+    already in Unbound's internal cache).
+  * Merge #1243: Do not shadow tm on line 236.
+  * Merge #1238: Prefer SOURCE_DATE_EPOCH over actual time.
+    Add --help output description for the SOURCE_DATE_EPOCH variable.
+  * Fix 'unbound-control flush_negative' when reporting removed data;
+    reported by David 'eqvinox' Lamparter.
+  * Fix representation of types GPOS and RESINFO, add rdf type for
+    unquoted str.
+  * Fix #1251: WSAPoll first argument cannot be NULL.
+  * Fix for windows compile create ssl contexts.
+  * Fix print of RR type NSAP-PTR, it is an unquoted string.
+  * Fix #1253: Cache entries fail to be removed from Redis cachedb
+    backend with unbound-control flush* +c.
+  * Fix for #1253: Fix for redis cachedb backend to expect an integer
+    reply for the EXPIRE command.
+  * Fix #1254: send failed: Socket is not connected and
+    remote address is 0.0.0.0 port 53.
+  * Fix #1255: Multiple pinnings to vulnerable copies of libexpat.
+  * For #1255, for ios use an older expat version that does not require
+    C++11 language features.
+  * For #1255, for ios disable building tests that require C++11.
+  * For #1255, for ios try the latest expat version again.
+  * Fix unit test dname log printout typecast.
+  * Fix for ci test, expat is installed on the osx image.
+  * iana portlist update.
+  * Skip the unit tests for auth_tls.tdir and auth_tls_failcert.tdir.
+  * Fix escape more characters when printing an RR type with an unquoted
+    string.
+  * Enable the auth_tls.tdir and auth_tls_failcert.tdir tests.
+  * Fix unbound-control test so it counts the new flush_negative output,
+    also answers the _ta probe from testns and prints command output
+    and skip a thread specific test when no threads are available.
+  * Fix that ub_event has the facility to deal with callbacks for
+    fast reload, doq, windows-stop and dnstap.
+  * Fix fast reload test to check if pid exists before acting on it.
+  * Merge #1262 from markyang92, fix build with
+    'gcc-15 -Wbuiltin-declaration-mismatch' error in compat/malloc.c.
+  * For #1262, ifdef is no longer needed.
+  * Fix #1263: Exempt loopback addresses from wait-limit.
+  * Fix wait-limit-netblock and wait-limit-cookie-netblock config parse
+    to allow two arguments.
+  * Fix ub_event and include dnstap and win_svc headers.
+  * Fix test for stat_values for wait limit defaults for localhost.
+  * Fix parameter unused warning in net_help.c.
+  * Fix mesh_copy_client_info to omit null contents from copy.
+  * Fix comment name in the rpz nsdname test.
+  * Fix nettle compile for warnings and ticket keys.
+  * Fix redis_replica test for unused option defaults and log printout.
+  * Fix test to speed up common.sh script kill_pid.
+  * Fix to update common.sh for speed of kill_pid.
+  * Update to the manpage for the fast_reload part.
+  * Fix fast_reload to print chroot with config file name.
+  * Fix to detect if atomic_store links in configure.
+  * Fix #1264: unbound 1.22.0 leaks memory when doing DoH.
+  * Fix for print of connection type in log-replies for dot and doh.
+  * Merge #1265: Fix WSAPoll.
+
+-------------------------------------------------------------------
+Wed Nov 27 11:45:12 UTC 2024 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
+
+- add workaround for bug
+  https://github.com/NLnetLabs/unbound/issues/509
+  Starting up with 127.0.0.1 in the /etc/resolv.conf leads to long
+  delays if the anchor update is being run as ExecStartPre in the
+  unbound service
+
+-------------------------------------------------------------------
+Fri Oct 18 11:02:26 UTC 2024 - Jorik Cronenberg <jorik.cronenberg@suse.com>
+
+- Update to 1.22.0:
+  Features:
+  * Add iter-scrub-ns, iter-scrub-cname and max-global-quota
+    configuration options.
+  * Merge patch to fix for glue that is outside of zone, with
+    `harden-unverified-glue`, from Karthik Umashankar (Microsoft).
+    Enabling this option protects the Unbound resolver against bad
+    glue, that is unverified out of zone glue, by resolving them.
+    It uses the records as last resort if there is no other working
+    glue.
+  * Add redis-command-timeout: 20 and redis-connect-timeout: 200,
+    that can set the timeout separately for commands and the
+    connection set up to the redis server. If they are not
+    specified, the redis-timeout value is used.
+  * Log timestamps in ISO8601 format with timezone. This adds the
+    option `log-time-iso: yes` that logs in ISO8601 format.
+  * DNS over QUIC. This adds `quic-port: 853` and `quic-size: 8m`
+    that enable dnsoverquic, and the counters `num.query.quic` and
+    `mem.quic` in the statistics output. The feature needs to be
+    enabled by compiling with libngtcp2, with
+    `--with-libngtcp2=path` and libngtcp2 needs openssl+quic, pass
+    that with `--with-ssl=path` to compile unbound as well.
+
+  Bug Fixes:
+  * unbound-control-setup hangs while testing for openssl presence
+    starting from version 1.21.0.
+  * Fix error: "memory exhausted" when defining more than 9994
+    local-zones.
+  * Fix documentation for cache_fill_missing function.
+  * Fix Loads of logs: "validation failure: key for validation
+    <domain>. is marked as invalid because of a previous" for
+    non-DNSSEC signed zone.
+  * Fix that when rpz is applied the message does not get picked up
+    by the validator. That stops validation failures for the
+    message.
+  * Fix that stub-zone and forward-zone clauses do not exhaust
+    memory for long content.
+  * Fix to print port number in logs for auth zone transfer
+    activities.
+  * b.root renumbering.
+  * Add new IANA trust anchor.
+  * Fix config file read for dnstap-sample-rate.
+  * Fix alloc-size and calloc-transposed-args compiler warnings.
+  * Fix to limit NSEC and NSEC3 TTL when aggressive nsec is enabled
+    (RFC9077).
+  * Fix dns64 with prefetch that the prefetch is stored in cache.
+  * Attempt to further fix doh_downstream_buffer_size.tdir
+    flakiness.
+  * More clear text for prefetch and minimal-responses in the
+    unbound.conf man page.
+  * Fix cache update when serve expired is used. Expired records
+    are favored over resolution and validation failures when
+    serve-expired is used.
+  * Fix negative cache NSEC3 parameter compares for zero length
+    NSEC3 salt.
+  * Fix unbound-control-setup hangs sometimes depending on the
+    openssl version.
+  * Fix Cannot override tcp-upstream and tls-upstream with
+    forward-tcp-upstream and forward-tls-upstream.
+  * Fix to limit NSEC TTL for messages from cachedb. Fix to limit
+    the prefetch ttl for messages after a CNAME with short TTL.
+  * Fix to disable detection of quic configured ports when quic is
+    not compiled in.
+  * Fix harden-unverified-glue for AAAA cache_fill_missing lookups.
+  * Fix contrib/aaaa-filter-iterator.patch for change in call
+    signature for cache_fill_missing.
+  * Fix to display warning if quic-port is set but dnsoverquic is
+    not enabled when compiled.
+  * Fix dnsoverquic to extend the number of streams when one is
+    closed.
+  * Fix for dnstap with dnscrypt and dnstap without dnsoverquic.
+  * Fix for dnsoverquic and dnstap to use the correct dnstap
+    environment.
+
+- Update keyring
+
+-------------------------------------------------------------------
+Mon Oct  7 11:06:04 UTC 2024 - Jorik Cronenberg <jorik.cronenberg@suse.com>
+
+- Update to 1.21.1:
+  Security Fixes:
+  * Fix CVE-2024-8508, unbounded name compression could lead to
+    denial of service.
+    [CVE-2024-8508, bsc#1231284]
+
+- Update keyring
+
+-------------------------------------------------------------------
+Thu Aug 15 09:24:29 UTC 2024 - Jorik Cronenberg <jorik.cronenberg@suse.com>
+
+- Update to 1.21.0:
+  Security Fixes:
+  * Merge #1073: fix null pointer dereference issue in function
+    ub_ctx_set_fwd.
+    [CVE-2024-43167, bsc#1229068]
+
+  Features:
+  * Fix #1071: [FR] Clear both in-memory and cachedb module cache
+    with `unbound-control flush*` commands.
+  * Fix #144: Port ipset to BSD pf tables.
+  * Add dnstap-sample-rate that logs only 1/N messages, for high
+    volume server environments. Thanks Dan Luther.
+  * Add root key 38696 from 2024 for DNSSEC validation. It is added
+    to the default root keys in unbound-anchor. The content can be
+    inspected with `unbound-anchor -l`.
+  * Merge #1090: Cookie secret file. Adds `cookie-secret-file:
+    "unbound_cookiesecrets.txt"` option to store cookie secrets for
+    EDNS COOKIE secret rollover. The remote control
+    add_cookie_secret, activate_cookie_secret and
+    drop_cookie_secret commands can be used for rollover, the
+    command print_cookie_secrets shows the values in use.
+
+  Bug Fixes:
+  * Fix CAMP issues with global quota. Thanks to Huayi
+    Duan, Marco Bearzi, Jodok Vieli, and Cagin Tanir from NetSec
+    group, ETH Zurich.
+  * Fix CacheFlush issues with limit on NS RRs. Thanks to Yehuda
+    Afek, Anat Bremler-Barr, Shoham Danino and Yuval Shavitt
+    (Tel-Aviv University and Reichman University).
+  * Merge #1062: Fix potential overflow bug while parsing port in
+    function cfg_mark_ports.
+  * Fix for #1062: declaration before statement, avoid print of
+    null, and redundant check for array size.
+  * Fix to squelch udp connect errors in the log at low verbosity
+    about invalid argument for IPv6 link local addresses.
+  * Fix when the mesh jostle is exceeded that nameserver targets
+    are marked as resolved, so that the lookup is not stuck on the
+    requestlist.
+  * Add missing common functions to tdir tests.
+  * Merge #1070: Fix rtt assignement for low values of
+    infra-cache-max-rtt.
+  * Merge #1069: Fix unbound-control stdin commands for
+    multi-process Unbounds.
+  * Fix unbound-control commands that read stdin in multi-process
+    operation (local_zones_remove, local_zones, local_datas_remove,
+    local_datas, view_local_datas_remove, view_local_datas). They
+    will be properly distributed to all processes. dump_cache and
+    load_cache are no longer supported in multi-process operation.
+  * Remove testdata/remote-threaded.tdir.
+    testdata/09-unbound-control.tdir now checks both single and
+    multi process/thread operation.
+  * Fix to print a parse error when config is read with no name for
+    a forward-zone, stub-zone or view.
+  * Fix for parse end of forward-zone, stub-zone and view.
+  * Fix for #1064: Fix that cachedb expired messages are considered
+    insecure, and thus can be served to clients when dnssec is
+    enabled.
+  * Fix #1059: Intermittent DNS blocking failure with local-zone
+    and always_nxdomain. Addition of local_zones dynamically via
+    unbound-control was not finding the zone's parent correctly.
+  * Fix #1064: Unbound 1.20 Cachedb broken?
+  * Fix unused variable warning on compilation with no thread
+    support.
+  * unbound-control-setup: check openssl availability before doing
+    anything, patch from Michael Tokarev.
+  * Update patch to remove 'command' shell builtin and update error
+    text.
+  * Fix to enable that SERVFAIL is cached, for a short period, for
+    more cases. In the cases where limits are exceeded.
+  * Fix spelling of tcp-idle-timeout docs, from Michael Tokarev.
+  * Merge #1078: Only check old pid if no username.
+  * Fix #1079: tags from tagged rpz zones are no longer honored
+    after upgrade from 1.19.3 to 1.20.0.
+  * Fix for #1079: fix RPZ taglist in iterator callback that no
+    client info is like no taglist intersection.
+  * Fix to squelch connection reset by peer errors from log. And
+    fix that the tcp read errors are labeled as initial for the
+    first calls.
+  * Merge #1080: AddressSanitizer detection in tdir tests and
+    memory leak fixes.
+  * Fix memory leak when reload_keep_cache is used and num-threads
+    changes.
+  * Fix memory leak on exit for unbound-dnstap-socket; creates
+    false negatives during testing.
+  * Fix memory leak in setup of dsa sig.
+  * Fix typos for 'the the' in text.
+  * Fix validation for repeated use of a DNAME record.
+  * Add unit test for validation of repeated use of a DNAME record.
+  * Fix #1091: Build fails with OpenSSL >= 3.0 built with
+    OPENSSL_NO_DEPRECATED.
+  * Fix #1092: Ubuntu 22.04 Jammy fails to compile unbound 1.20.0;
+    by adding helpful text for the Python interpreter version and
+    allowing the default pkg-config unavailability error message to
+    be shown.
+  * Fix pkg-config availability check in dnstap/dnstap.m4 and
+    systemd.m4.
+  * Explicitly set the RD bit for the mesh query flags when
+    prefetching. These queries have no waiting client but they need
+    to be treated as recursive.
+  * Fix ip-ratelimit-cookie setting, it was not applied.
+  * Fix to remove unused include from the readzone test program.
+  * Fix unused variable warning in do_cache_remove.
+  * Fix compile warning in worker pthread id printout.
+  * Add unit test skip files and bison and flex output to
+    gitignore.
+  * Fix to use modstack_init in zonemd unit test.
+  * Fix to remove unneeded linebreak in fptr_wlist.c.
+  * Fix compile warnings in fptr_wlist.c.
+  * Fix for repeated use of a DNAME record: first overallocate and
+    then move the exact size of the init value to avoid false
+    positive heap overflow reads from address sanitizers.
+  * Fix to print details about the failure to lookup a DNSKEY
+    record when validation fails due to the missing DNSKEY. Also
+    for key prime and DS lookups.
+  * Fix for neater printout for error for missing DS response.
+  * Fix neater printout.
+  * Fix #1099: Unbound core dump on SIGSEGV.
+  * Fix for #1099: Fix to check for deleted RRset when the contents
+    is updated and fetched after it is stored, and also check for a
+    changed RRset.
+  * Don't check for message TTL changes if the RRsets remain the
+    same.
+  * Fix that validation reason failure that uses string print uses
+    separate buffer that is passed, from the scratch validation
+    buffer.
+  * Fixup algo_needs_reason string buffer length.
+  * Fix shadowed error string variable in validator dnskey
+    handling.
+  * Update list of known EDE codes.
+  * For #773: In contrib/unbound.service.in set unbound to start
+    after network-online.target. Also for
+    contrib/unbound_portable.service.in.
+  * Fix #1103: unbound 1.20.0 segmentation fault with nghttp2.
+  * For #1103: fix to also drop mesh state reference when a h2
+    reply is dropped.
+  * Add RPZ tag tests in acl_interface.tdir.
+  * For #1102: clearer text for using interface-* options for the
+    loopback interface.
+  * For #1103: fix to also drop mesh state reference when the
+    discard limit is reached, when there is an error making a new
+    recursion state and when the connection is dropped with
+    is_drop.
+  * For #1103: Fix to drop mesh state reference for the http2
+    stream associated with the reply, not the currently active
+    stream. And it does not remove it twice on a mesh_send_reply
+    call. The reply h2_stream is NULL when not in use, for more
+    initialisation.
+  * Fix dnstap wakeup, a running wakeup timer is left to expire and
+    not increased, a timer is started when the dtio thread is
+    sleeping, the timer set disabled when the dtio thread goes to
+    sleep, and after sleep the thread checks to see if there are
+    messages to log immediately.
+  * Merge #1110: Make fallthrough explicit for libworker.c.
+  * For #1110: Test for fallthrough attribute in configure and add
+    fallthrough attribute annotations.
+  * Fix compile when the compiler does not support the noreturn
+    attribute.
+  * Fix to have empty definition when not supported for weak
+    attribute.
+  * Fix uninitialized variable warning in create_tcp_accept_sock.
+  * Fix link of dnstap without openssl.
+  * Fix link of unbound-dnstap-socket without openssl.
+  * Fix #1106: ratelimit-below-domain logs the wrong FROM address.
+  * Cleanup ede.tdir test.
+  * For #935 and #1104, clarify RPZ order and semantics.
+  * Fix to document parameters of auth_zone_verify_zonemd_with_key.
+  * Fix for #1114: Fix that cache fill for forward-host names is
+    performed, so that with nonzero target-fetch-policy it fetches
+    forwarder addresses and uses them from cache. Also updated that
+    delegation point cache fill routines use CDflag for AAAA
+    message lookups, so that its negative lookup stops a recursion
+    since the cache uses the bit for disambiguation for dns64 but
+    the recursion uses CDflag for the AAAA target lookups, so the
+    check correctly stops a useless recursion by its cache lookup.
+  * Fix dnstap test program, cleans up to have clean memory on
+    exit, for tap_data_free, does not delete NULL items. Also it
+    does not try to free the tail, specifically in the free of the
+    list since that picked up the next item in the list for its
+    loop causing invalid free. Added internal unit test to
+    unbound-dnstap-socket for that.
+  * Fix that the worker mem report with alloc stats does not
+    attempt to print memory use of forwards and hints if they have
+    been deleted already.
+  * Fix that alloc stats has strdup checks, it stops debuggers from
+    complaining about mismatch at free time.
+  * Fix testbound for alloc stats strdup in util/alloc.c.
+  * Fix that alloc stats for forwards and hints are printed, and
+    when alloc stats is enabled, the unit test for unbound control
+    waits for reloads to complete.
+  * Fix that for windows the module startup is called and sets up
+    the module-config.
+  * Fix spelling for the cache-min-negative-ttl entry in the
+    example.conf.
+
 -------------------------------------------------------------------
 Wed May  8 09:15:01 UTC 2024 - Jorik Cronenberg <jorik.cronenberg@suse.com>
 

unbound.service

@@ -13,7 +13,8 @@ User=unbound
 Group=unbound
 EnvironmentFile=-/etc/sysconfig/unbound
 #ExecStartPre=/sbin/runuser --shell /bin/sh -c "/usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem" unbound
-ExecStartPre=/usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem
+# https://github.com/NLnetLabs/unbound/issues/509
+ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_UNBOUND_ANCHOR" == "yes" ]; then /usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem -R; else echo "Updates of root keys with unbound-anchor is disabled"; fi'
 ExecStartPre=/usr/sbin/unbound-checkconf
 ExecStart=!/usr/sbin/unbound -d $UNBOUND_OPTIONS
 

unbound.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package unbound
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -21,11 +21,17 @@
   %define _fillupdir /var/adm/fillup-templates
 %endif
 
-%bcond_without python3
 %bcond_without munin
 %bcond_without hardened_build
 %bcond_without dnstap
 %bcond_without systemd
+# needs openssl with quic enabled - aws-lc is sadly not a drop in as it removed some functions used by unbound
+%bcond_with unbound_quic
+%if 0%{?suse_version} > 1600
+%bcond_without unbound_redis
+%else
+%bcond_with    unbound_redis
+%endif
 
 %define _sharedstatedir /var/lib/
 %define ldns_version 1.6.16
@@ -33,7 +39,7 @@
 %define piddir /run
 
 Name:           unbound
-Version:        1.20.0
+Version:        1.23.1
 Release:        0
 BuildRequires:  flex
 BuildRequires:  ldns-devel >= %{ldns_version}
@@ -47,16 +53,18 @@ BuildRequires:  libfstrm-devel
 BuildRequires:  libprotobuf-c-devel >= 1.0.0
 BuildRequires:  protobuf-c >= 1.0.0
 %endif
-%if %{with python3}
 BuildRequires:  python-rpm-macros
 BuildRequires:  python3-devel
 BuildRequires:  swig
-%endif
 # needed for dns over https
 BuildRequires:  pkgconfig(libnghttp2)
+%if %{with unbound_quic}
+BuildRequires:  pkgconfig(libngtcp2)
+%endif
+%if %{with unbound_redis}
+BuildRequires:  pkgconfig(hiredis)
+%endif
 Requires:       ldns >= %{ldns_version}
-# until we figured something else out for the unbound-anchor part in the systemd unit file
-Requires:       sudo
 # unbound-control-setup depends on /usr/bin/openssl
 Requires:       openssl
 %if %{with systemd}
@@ -155,7 +163,6 @@ Unbound is a validating, recursive, and caching DNS(SEC) resolver.
 
 This package contains the tools to manage the anchor certs.
 
-%if %{with python3}
 %package -n python3-unbound
 Summary:        Python modules and extensions for unbound
 Group:          Applications/System
@@ -167,7 +174,6 @@ Provides:       unbound-python
 Unbound is a validating, recursive, and caching DNS(SEC) resolver.
 
 This package holds the Python modules and extensions for unbound.
-%endif
 
 %prep
 %setup
@@ -178,15 +184,15 @@ This package holds the Python modules and extensions for unbound.
 export CFLAGS="%{optflags}"
 export CXXFLAGS="%{optflags}"
 
-%if %{with python2}
-pushd ../p2
 %configure \
   --disable-rpath \
   --with-libevent \
   --with-pthreads \
   --disable-static \
-  --with-ldns=%{_prefix} \
   --with-libnghttp2 \
+%if %{with unbound_quic}
+  --with-libngtcp2 \
+%endif
   --enable-sha2 \
   --enable-gost \
   --enable-ecdsa \
@@ -194,41 +200,19 @@ pushd ../p2
   --enable-pie \
   --enable-relro-now \
   --enable-dnscrypt \
+  --enable-tfo-client \
+  --enable-tfo-server \
+  --enable-cachedb \
+  --enable-subnet \
+%if %{with unbound_redis}
+  --with-libhiredis \
+%endif
 %if %{with dnstap}
   --enable-dnstap \
 %endif
   --with-conf-file=%{_sysconfdir}/%{name}/unbound.conf \
   --with-pidfile=%{piddir}/%{name}/%{name}.pid \
-  --with-pythonmodule --with-pyunbound PYTHON=%{__python2}\
-  --with-rootkey-file=%{_sharedstatedir}/unbound/root.key \
-  --disable-explicit-port-randomisation
-
-make %{?_smp_mflags} all streamtcp
-popd
-%endif
-
-%configure \
-  --disable-rpath \
-  --with-libevent \
-  --with-pthreads \
-  --disable-static \
-  --with-ldns=%{_prefix} \
-  --with-libnghttp2 \
-  --enable-sha2 \
-  --enable-gost \
-  --enable-ecdsa \
-  --enable-event-api \
-  --enable-pie \
-  --enable-relro-now \
-  --enable-dnscrypt \
-%if %{with dnstap}
-  --enable-dnstap \
-%endif
-  --with-conf-file=%{_sysconfdir}/%{name}/unbound.conf \
-  --with-pidfile=%{piddir}/%{name}/%{name}.pid \
-%if %{with python3}
   --with-pythonmodule --with-pyunbound PYTHON=%{__python3}\
-%endif
   --with-rootkey-file=%{_sharedstatedir}/unbound/root.key \
   --disable-explicit-port-randomisation
 
@@ -387,12 +371,10 @@ systemd-tmpfiles --create  %{_tmpfilesdir}/unbound.conf  || :
 %defattr(-,root,root,-)
 %{_libdir}/libunbound.so.*
 
-%if %{with python3}
 %files -n python3-unbound
 %{python3_sitearch}/*
 %doc libunbound/python/examples/*
 %doc pythonmod/examples/*
-%endif
 
 %if %{with munin}
 %files munin

unbound.sysconfig

@@ -1,3 +1,6 @@
 # for extra debug, add "-v -v" or change verbosity: in unbound.conf
 
 UNBOUND_OPTIONS=""
+
+# to disable the anchor update, set this to 'yes'
+DISABLE_UNBOUND_ANCHOR="no"