Compare commits
25 Commits
@@ -1,3 +1,634 @@
|
||||
-------------------------------------------------------------------
|
||||
Wed Nov 26 11:33:22 UTC 2025 - Jorik Cronenberg <jorik.cronenberg@suse.com>
|
||||
|
||||
- Update to 1.24.2:
|
||||
Bug Fixes:
|
||||
* Additional fix for CVE-2025-11411 (possible domain hijacking
|
||||
attack), to include YXDOMAIN and non-referral nodata answers in
|
||||
the mitigation as well, reported by TaoFei Guo from Peking
|
||||
University, Yang Luo and JianJun Chen from Tsinghua University.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Oct 22 10:35:26 UTC 2025 - Jorik Cronenberg <jorik.cronenberg@suse.com>
|
||||
|
||||
- Update to 1.24.1:
|
||||
Security Fixes:
|
||||
* Fix CVE-2025-11411 (possible domain hijacking attack)
|
||||
[bsc#1252525]
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Sep 24 10:54:29 UTC 2025 - Jorik Cronenberg <jorik.cronenberg@suse.com>
|
||||
|
||||
- Update to 1.24.0:
|
||||
Features:
|
||||
* Increase default to num-queries-per-thread: 2048, when unbound
|
||||
is compiled with libevent. It makes saturation of the task
|
||||
queue more resource intensive and less practical.
|
||||
* Auto-configure '-slabs' values.
|
||||
* Change default for so-sndbuf to 1m, to mitigate a cross-layer
|
||||
issue where the UDP socket send buffers are exhausted waiting
|
||||
for ARP/NDP resolution.
|
||||
* Adjusted so-sndbuf default to 4m.
|
||||
* Add extra statistic to track the number of signature validation
|
||||
operations. Adds 'num.valops' to extended statistics.
|
||||
* [FR] Disable TLSv1.2.
|
||||
* unbound-control cache_lookup prints the cached rrsets and
|
||||
messages for those.
|
||||
* unbound-control cache_lookup +t allows tld and root names. And
|
||||
subnet cache contents are printed.
|
||||
* [FR] zone status for Unbound auth-zones.
|
||||
|
||||
Bug Fixes:
|
||||
* Fix assertion failure testcode/unitverify.c:202.
|
||||
* Use macros for the fr_check_changed* functions.
|
||||
* Fix for parallel build of dnstap protoc-c output.
|
||||
* Fix dnstap to use protoc.
|
||||
* Sync unbound and unbound-checkconf log output for unknown
|
||||
modules.
|
||||
* Fix forward-zone "name: ." conflicts with auth-zone "name: ."
|
||||
in 1.23.0, but worked in 1.22.0.
|
||||
* Fix unsafe usage of atoi() while parsing the configuration
|
||||
file.
|
||||
* Fix auth nsec3 code. Fixes NSEC3 code to not break on broken
|
||||
auth zones that include unsigned out of zone (above apex) data.
|
||||
Could lead to hang while trying to prove a wildcard answer.
|
||||
* Fix NULL pointer deref in az_find_nsec_cover() (latent bug) by
|
||||
adding a log_assert() to safeguard future development.
|
||||
* Fix log-destaddr fail on long ipv6 addresses.
|
||||
* Fix config of slab values when there is no config file.
|
||||
* Fix for cname chain length with qtype ANY and qname
|
||||
minimisation.
|
||||
* RST man pages. It introduces restructuredText man pages to sync
|
||||
the online and source code man page documentation. The
|
||||
templated man pages (*.in) are still part of the repo but
|
||||
generated with docutils from their .rst counterpart.
|
||||
Documentation on how to generate those (mainly for core
|
||||
developers) is in README.man.
|
||||
* Add more checks about respip in unbound-checkconf. Also fixes
|
||||
unbound-checkconf not reporting RPZ configuration error.
|
||||
* [FR] Improve fuzzing of unbound by adapting the netbound
|
||||
program.
|
||||
* Small manpage corrections for the 'disable-dnssec-lame-check'
|
||||
option.
|
||||
* Fix unbound-anchor certificate file read for line ends and end
|
||||
of file.
|
||||
* Fix comment for the dname_remove_label_limit_len function.
|
||||
* iana portlist updated.
|
||||
* Fix bitwise operators in conditional expressions with
|
||||
parentheses.
|
||||
* Fix conditional expressions with parentheses for bitwise and.
|
||||
* Fix header return value description for skip_pkt_rrs and
|
||||
parse_edns_from_query_pkt.
|
||||
* Fix to check control-interface addresses in unbound-checkconf.
|
||||
* Fix Windows 32-bit binaries download seems to be missing dll
|
||||
dependency.
|
||||
* Fix for consistent use of local zone CNAME alias for configured
|
||||
auth zones. Now it also applies to downstream configured auth
|
||||
zones.
|
||||
* Fix DNS over QUIC depends on a very outdated version of ngtcp2.
|
||||
Fixed so it works with ngtcp2 1.13.0 and OpenSSL 3.5.0.
|
||||
* edns-subnet: fix NULL_AFTER_DEREF on subnetmod.
|
||||
* Fix rrset cache create allocation failure case.
|
||||
* Fix EDE 6 is attached to insecure cached answers when client
|
||||
sends the CD bit.
|
||||
* Fix forward-first: ssl handshake failed on root nameservers.
|
||||
* Turn off fetch-policy for delegation when looking into parent
|
||||
side name servers that may not update the addresses and hit
|
||||
NXNS limits.
|
||||
* Replay test (added tcp_transport to outnet_serviced_query).
|
||||
* Generate ltmain.sh and configure again.
|
||||
* Fix is 'sock-queue-timeout' a linux only feature.
|
||||
* Implement sock-queue-timeout for FreeBSD as well.
|
||||
* Fix layout of comm_point_udp_ancil_callback.
|
||||
* Fix to improve dnstap discovery on Fedora.
|
||||
* Fix detection of SSL_CTX_set_tmp_ecdh function.
|
||||
* Fix configure cant find SSL_is_quic in OpenSSL 3.5.1.
|
||||
* Test num.valops in existing stat_values.tdir.
|
||||
* Add num.valops in the unbound-control man page.
|
||||
* Add unit tests for non-ecs aggregation.
|
||||
* Fix to not set rlimits in the unit tests.
|
||||
* iana portlist updated.
|
||||
* Redis checks for server down and throttles reconnects.
|
||||
* Fix redis cachedb module gettimeofday init failure.
|
||||
* Fix testbound test program to accurately output packets from
|
||||
hex.
|
||||
* Fix incorrectly reclaimed tcp handler can cause data corruption
|
||||
and segfault.
|
||||
* Fix to use assertions for consistency checks in reclaimed tcp
|
||||
handlers.
|
||||
* Fix edns subnet, so that the subquery without subnet is stored
|
||||
in global cache if the querier used 0.0.0.0/0 and the name and
|
||||
address do not receive subnet treatment. If the name and
|
||||
address are configured for subnet, it is stored in the subnet
|
||||
cache.
|
||||
* Fix dname_str for printout of long names.
|
||||
* Fix that edns-subnet failure to create a subquery errors as
|
||||
servfail, and not formerror.
|
||||
* Fix to whitespace in dname_str.
|
||||
* Fix that unbound-control dump_cache releases the cache locks
|
||||
every so often, so that the server stays responsive.
|
||||
* Fix to remove debug from cache_lookup.
|
||||
* Fix to unlock cache_lookup message for malformed records.
|
||||
* Fix to increase responsiveness of dump_cache.
|
||||
* Fix to decouple file descriptor activity and cache lookups in
|
||||
dump_cache.
|
||||
* Fix cache_lookup subnet printout to wipe zero part of the
|
||||
prefix.
|
||||
* Fix cache_lookup subnet print to not print messages without
|
||||
rrsets and perform in-depth check on node in the addrtree.
|
||||
* Fix to check for extraneous command arguments for
|
||||
unbound-control, when the command takes no arguments but there
|
||||
are arguments present.
|
||||
* Fix contrib/unbound.service comment path for systemd network
|
||||
configuration.
|
||||
* Fix compile warnings for DoH compile on windows.
|
||||
* Fix sha1 enable environment variable in test code on windows.
|
||||
* Fix that the zone acquired timestamp is set after the zonefile
|
||||
is read.
|
||||
* Fix unbound-control dump_cache for double unlock of lruhash
|
||||
table.
|
||||
* Fix setup_listen_sslctx warning for nettle compile.
|
||||
* Limit the number of consecutive reads on an HTTP/2 session.
|
||||
* Fix to free edns options scratch in ratelimit case.
|
||||
* Fix outdated Python2 code in unbound/pythonmod/examples/log.py.
|
||||
* Fix memory leak in 'msgparse.c' in
|
||||
'parse_edns_options_from_query(...)'.
|
||||
* Fix indentation in tcp-mss option parsing.
|
||||
* Fix make depend.
|
||||
* Update documentation for using "SET ... EX" in Redis.
|
||||
* Document max buffer sizes for Redis commands.
|
||||
* Update man pages.
|
||||
* Fix CNAME chains are sometimes not followed when RPZs add a
|
||||
local CNAME rewrite.
|
||||
* Update contrib/aaaa-filter-iterator.patch so it applies on
|
||||
1.24.0.
|
||||
* Small debug output improvement when attaching an EDE.
|
||||
* Fix to print warning for when so-sndbuf setsockopt is not
|
||||
granted.
|
||||
* Too many quotes for the EDE message debug printout.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Sun Aug 10 18:26:45 UTC 2025 - Marcus Rueckert <mrueckert@suse.de>
|
||||
|
||||
- Update to 1.23.1:
|
||||
Bug Fixes:
|
||||
* Fix RebirthDay Attack CVE-2025-5994, reported by Xiang Li from
|
||||
AOSP Lab Nankai University.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Apr 24 11:58:41 UTC 2025 - Jorik Cronenberg <jorik.cronenberg@suse.com>
|
||||
|
||||
- Update to 1.23.0:
|
||||
Features:
|
||||
* Increase the default of max-global-quota to 200 from 128 after
|
||||
operational feedback. Still keeping the possible amplification
|
||||
factor (CAMP related issues) in the hundreds.
|
||||
* Fix #1175: serve-expired does not adhere to secure-by-default
|
||||
principle. The default value of serve-expired-client-timeout
|
||||
is set to 1800 as suggested by RFC8767.
|
||||
* For #1175, the default value of serve-expired-ttl is set to 86400
|
||||
(1 day) as suggested by RFC8767.
|
||||
* For #1207: [FR] Support for RESINFO RRType 261 (RFC9606), add
|
||||
LDNS_RR_TYPE_RESINFO similar to LDNS_RR_TYPE_TXT.
|
||||
* Add resolver.arpa and service.arpa to the default locally served
|
||||
zones.
|
||||
* Merge #1042: Fast Reload. The unbound-control fast_reload is added.
|
||||
It reads changed config in a thread, then only briefly pauses the
|
||||
service threads, that keep running. DNS service is only interrupted
|
||||
briefly, less than a second.
|
||||
* Merge #1019: Redis read-only replica support.
|
||||
Introduces new 'redis-replica-*' options for the Redis cache backend.
|
||||
* Merge #902: DNS Error Reporting (RFC 9567). Introduces new
|
||||
configuration option 'dns-error-reporting' and new statistics for
|
||||
'num.dns_error_reports'.
|
||||
|
||||
Bug Fixes:
|
||||
* Fix #1154: Tag Incorrectly Applying for Other Interfaces
|
||||
Using the Same IP. This fix is not for 1.22.0.
|
||||
* Fix #1163: Typos in unbound.conf documentation.
|
||||
* Merge #1159: Stats for discard-timeout and wait-limit.
|
||||
* Add test case for #1159.
|
||||
* Some clean up for stat_values.test.
|
||||
* Merge #1170 from Melroy van den Berg, Fix chroot manpage
|
||||
description.
|
||||
* Merge #1157 from Liang Zhu, Fix heap corruption when calling
|
||||
ub_ctx_delete in Windows.
|
||||
* Fix redis that during a reload it does not fail if the redis
|
||||
server does not connect or does not respond. It still logs the
|
||||
errors and if the server is up checks expiration features.
|
||||
* Merge #1167: Makefile.in: fix occasional parallel build failures
|
||||
around bison rule.
|
||||
* Fix SETEX check during Redis (re)initialization.
|
||||
* Fix for the serve expired DNSSEC information fix, it would not allow
|
||||
current delegation information be updated in cache. The fix allows
|
||||
current delegation and validation recursion information to be
|
||||
updated, but as a consequence no longer has certain expired
|
||||
information around for later dnssec valid expired responses.
|
||||
* Fix to log redis timeout error string on failure.
|
||||
* More descriptive text for 'harden-algo-downgrade'.
|
||||
* Complete fix for max-global-quota to 200.
|
||||
* Fix #1183: the data being used is released in method
|
||||
nsec3_hash_test_entry.
|
||||
* Fix for #1183: release nsec3 hashes per test file.
|
||||
* Merge #1169 from Sergey Kacheev, fix: lock-free counters for
|
||||
auth_zone up/down queries.
|
||||
* Fix comparison to help static analyzer.
|
||||
* For #1175, update serve-expired tests.
|
||||
* Merge #1189: Fix the dname_str method to cause conversion errors
|
||||
when the domain name length is 255.
|
||||
* Merge #1197: dname_str() fixes.
|
||||
* Merge #1198: Fix log-servfail with serve expired and no useful cache
|
||||
contents.
|
||||
* Safeguard alias loop while looking in the cache for expired answers.
|
||||
* Merge #1187: Create the SSL_CTX for QUIC before chroot and privilege
|
||||
drop.
|
||||
* Fix typo in log_servfail.tdir test.
|
||||
* Merge #1204: ci: set persist-credentials: false for actions/checkout
|
||||
per zizmor suggestion.
|
||||
* Merge #1174: Serve expired cache update fixes. Fixes a regression bug
|
||||
with serve-expired that appeared in 1.22.0 and would not allow the
|
||||
iterator to update the cache with not-yet-validated entries resulting
|
||||
in increased outgoing traffic.
|
||||
* Merge #1214: Use TCP_NODELAY on TLS sockets to speed up the TLS
|
||||
handshake.
|
||||
* Fix #1213: Misleading error message on default access control causing
|
||||
refuse.
|
||||
* Merge #1221: Consider auth zones when checking for forwarders.
|
||||
* Merge #1222: Unique DoT and DoH SSL contexts to allow for different
|
||||
ALPN.
|
||||
* Create the quic SSL listening context only when needed.
|
||||
* Fix compile of interface check code when dnscrypt or quic is
|
||||
disabled.
|
||||
* Fix encoding of RR type ATMA.
|
||||
* Fix to check length in ATMA string to wire.
|
||||
* Merge #1229: check before use daemon->shm_info.
|
||||
* Use the same interface listening port discovery code for all needed
|
||||
protocols.
|
||||
* Port to string only when needed before getaddrinfo().
|
||||
* Do not open unencrypted channels next to encrypted ones on the same
|
||||
port.
|
||||
* Merge #1224 from Theo Buehler: Do not use DSA API unless USE_DSA is
|
||||
set.
|
||||
* Merge #1220 from Petr Menšík, Add unbound members group access to
|
||||
control key.
|
||||
* Make the default value of module-config "validator iterator"
|
||||
regardless of compilation options. --enable-subnet would implicitly
|
||||
change the value to enable the subnetcache module by default in the
|
||||
past.
|
||||
* Fix #986: Resolving sas.com with dnssec-validation fails though
|
||||
signed delegations seem to be (mostly) correct.
|
||||
Consider reconfigurations when calculating the still_useful_timeout
|
||||
for servers in the infrastructure cache.
|
||||
* Fix static analysis report about unhandled EOF on error conditions
|
||||
when reading anchor key files.
|
||||
* Merge #1241: Fix infra-keep-probing for low infra-cache-max-rtt
|
||||
values.
|
||||
* Fix hash calculation for cachedb to ignore case. Previously, cached
|
||||
records there were only relevant for same case queries (if not
|
||||
already in Unbound's internal cache).
|
||||
* Merge #1243: Do not shadow tm on line 236.
|
||||
* Merge #1238: Prefer SOURCE_DATE_EPOCH over actual time.
|
||||
Add --help output description for the SOURCE_DATE_EPOCH variable.
|
||||
* Fix 'unbound-control flush_negative' when reporting removed data;
|
||||
reported by David 'eqvinox' Lamparter.
|
||||
* Fix representation of types GPOS and RESINFO, add rdf type for
|
||||
unquoted str.
|
||||
* Fix #1251: WSAPoll first argument cannot be NULL.
|
||||
* Fix for windows compile create ssl contexts.
|
||||
* Fix print of RR type NSAP-PTR, it is an unquoted string.
|
||||
* Fix #1253: Cache entries fail to be removed from Redis cachedb
|
||||
backend with unbound-control flush* +c.
|
||||
* Fix for #1253: Fix for redis cachedb backend to expect an integer
|
||||
reply for the EXPIRE command.
|
||||
* Fix #1254: send failed: Socket is not connected and
|
||||
remote address is 0.0.0.0 port 53.
|
||||
* Fix #1255: Multiple pinnings to vulnerable copies of libexpat.
|
||||
* For #1255, for ios use an older expat version that does not require
|
||||
C++11 language features.
|
||||
* For #1255, for ios disable building tests that require C++11.
|
||||
* For #1255, for ios try the latest expat version again.
|
||||
* Fix unit test dname log printout typecast.
|
||||
* Fix for ci test, expat is installed on the osx image.
|
||||
* iana portlist update.
|
||||
* Skip the unit tests for auth_tls.tdir and auth_tls_failcert.tdir.
|
||||
* Fix escape more characters when printing an RR type with an unquoted
|
||||
string.
|
||||
* Enable the auth_tls.tdir and auth_tls_failcert.tdir tests.
|
||||
* Fix unbound-control test so it counts the new flush_negative output,
|
||||
also answers the _ta probe from testns and prints command output
|
||||
and skip a thread specific test when no threads are available.
|
||||
* Fix that ub_event has the facility to deal with callbacks for
|
||||
fast reload, doq, windows-stop and dnstap.
|
||||
* Fix fast reload test to check if pid exists before acting on it.
|
||||
* Merge #1262 from markyang92, fix build with
|
||||
'gcc-15 -Wbuiltin-declaration-mismatch' error in compat/malloc.c.
|
||||
* For #1262, ifdef is no longer needed.
|
||||
* Fix #1263: Exempt loopback addresses from wait-limit.
|
||||
* Fix wait-limit-netblock and wait-limit-cookie-netblock config parse
|
||||
to allow two arguments.
|
||||
* Fix ub_event and include dnstap and win_svc headers.
|
||||
* Fix test for stat_values for wait limit defaults for localhost.
|
||||
* Fix parameter unused warning in net_help.c.
|
||||
* Fix mesh_copy_client_info to omit null contents from copy.
|
||||
* Fix comment name in the rpz nsdname test.
|
||||
* Fix nettle compile for warnings and ticket keys.
|
||||
* Fix redis_replica test for unused option defaults and log printout.
|
||||
* Fix test to speed up common.sh script kill_pid.
|
||||
* Fix to update common.sh for speed of kill_pid.
|
||||
* Update to the manpage for the fast_reload part.
|
||||
* Fix fast_reload to print chroot with config file name.
|
||||
* Fix to detect if atomic_store links in configure.
|
||||
* Fix #1264: unbound 1.22.0 leaks memory when doing DoH.
|
||||
* Fix for print of connection type in log-replies for dot and doh.
|
||||
* Merge #1265: Fix WSAPoll.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Oct 18 11:13:51 UTC 2024 - Jorik Cronenberg <jorik.cronenberg@suse.com>
|
||||
|
||||
- Update to 1.22.0:
|
||||
Features:
|
||||
* Add iter-scrub-ns, iter-scrub-cname and max-global-quota
|
||||
configuration options.
|
||||
* Merge patch to fix for glue that is outside of zone, with
|
||||
`harden-unverified-glue`, from Karthik Umashankar (Microsoft).
|
||||
Enabling this option protects the Unbound resolver against bad
|
||||
glue, that is unverified out of zone glue, by resolving them.
|
||||
It uses the records as last resort if there is no other working
|
||||
glue.
|
||||
* Add redis-command-timeout: 20 and redis-connect-timeout: 200,
|
||||
that can set the timeout separately for commands and the
|
||||
connection set up to the redis server. If they are not
|
||||
specified, the redis-timeout value is used.
|
||||
* Log timestamps in ISO8601 format with timezone. This adds the
|
||||
option `log-time-iso: yes` that logs in ISO8601 format.
|
||||
* DNS over QUIC. This adds `quic-port: 853` and `quic-size: 8m`
|
||||
that enable dnsoverquic, and the counters `num.query.quic` and
|
||||
`mem.quic` in the statistics output. The feature needs to be
|
||||
enabled by compiling with libngtcp2, with
|
||||
`--with-libngtcp2=path` and libngtcp2 needs openssl+quic, pass
|
||||
that with `--with-ssl=path` to compile unbound as well.
|
||||
|
||||
Bug Fixes:
|
||||
* unbound-control-setup hangs while testing for openssl presence
|
||||
starting from version 1.21.0.
|
||||
* Fix error: "memory exhausted" when defining more than 9994
|
||||
local-zones.
|
||||
* Fix documentation for cache_fill_missing function.
|
||||
* Fix Loads of logs: "validation failure: key for validation
|
||||
<domain>. is marked as invalid because of a previous" for
|
||||
non-DNSSEC signed zone.
|
||||
* Fix that when rpz is applied the message does not get picked up
|
||||
by the validator. That stops validation failures for the
|
||||
message.
|
||||
* Fix that stub-zone and forward-zone clauses do not exhaust
|
||||
memory for long content.
|
||||
* Fix to print port number in logs for auth zone transfer
|
||||
activities.
|
||||
* b.root renumbering.
|
||||
* Add new IANA trust anchor.
|
||||
* Fix config file read for dnstap-sample-rate.
|
||||
* Fix alloc-size and calloc-transposed-args compiler warnings.
|
||||
* Fix to limit NSEC and NSEC3 TTL when aggressive nsec is enabled
|
||||
(RFC9077).
|
||||
* Fix dns64 with prefetch that the prefetch is stored in cache.
|
||||
* Attempt to further fix doh_downstream_buffer_size.tdir
|
||||
flakiness.
|
||||
* More clear text for prefetch and minimal-responses in the
|
||||
unbound.conf man page.
|
||||
* Fix cache update when serve expired is used. Expired records
|
||||
are favored over resolution and validation failures when
|
||||
serve-expired is used.
|
||||
* Fix negative cache NSEC3 parameter compares for zero length
|
||||
NSEC3 salt.
|
||||
* Fix unbound-control-setup hangs sometimes depending on the
|
||||
openssl version.
|
||||
* Fix Cannot override tcp-upstream and tls-upstream with
|
||||
forward-tcp-upstream and forward-tls-upstream.
|
||||
* Fix to limit NSEC TTL for messages from cachedb. Fix to limit
|
||||
the prefetch ttl for messages after a CNAME with short TTL.
|
||||
* Fix to disable detection of quic configured ports when quic is
|
||||
not compiled in.
|
||||
* Fix harden-unverified-glue for AAAA cache_fill_missing lookups.
|
||||
* Fix contrib/aaaa-filter-iterator.patch for change in call
|
||||
signature for cache_fill_missing.
|
||||
* Fix to display warning if quic-port is set but dnsoverquic is
|
||||
not enabled when compiled.
|
||||
* Fix dnsoverquic to extend the number of streams when one is
|
||||
closed.
|
||||
* Fix for dnstap with dnscrypt and dnstap without dnsoverquic.
|
||||
* Fix for dnsoverquic and dnstap to use the correct dnstap
|
||||
environment.
|
||||
|
||||
- Update keyring
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Oct 7 11:07:12 UTC 2024 - Jorik Cronenberg <jorik.cronenberg@suse.com>
|
||||
|
||||
- Update to 1.21.1:
|
||||
Security Fixes:
|
||||
* Fix CVE-2024-8508, unbounded name compression could lead to
|
||||
denial of service.
|
||||
[CVE-2024-8508, bsc#1231284]
|
||||
|
||||
- Update keyring
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Aug 15 09:24:29 UTC 2024 - Jorik Cronenberg <jorik.cronenberg@suse.com>
|
||||
|
||||
- Update to 1.21.0:
|
||||
Security Fixes:
|
||||
* Merge #1073: fix null pointer dereference issue in function
|
||||
ub_ctx_set_fwd.
|
||||
[CVE-2024-43167, bsc#1229068]
|
||||
|
||||
Features:
|
||||
* Fix #1071: [FR] Clear both in-memory and cachedb module cache
|
||||
with `unbound-control flush*` commands.
|
||||
* Fix #144: Port ipset to BSD pf tables.
|
||||
* Add dnstap-sample-rate that logs only 1/N messages, for high
|
||||
volume server environments. Thanks Dan Luther.
|
||||
* Add root key 38696 from 2024 for DNSSEC validation. It is added
|
||||
to the default root keys in unbound-anchor. The content can be
|
||||
inspected with `unbound-anchor -l`.
|
||||
* Merge #1090: Cookie secret file. Adds `cookie-secret-file:
|
||||
"unbound_cookiesecrets.txt"` option to store cookie secrets for
|
||||
EDNS COOKIE secret rollover. The remote control
|
||||
add_cookie_secret, activate_cookie_secret and
|
||||
drop_cookie_secret commands can be used for rollover, the
|
||||
command print_cookie_secrets shows the values in use.
|
||||
|
||||
Bug Fixes:
|
||||
* Fix CAMP issues with global quota. Thanks to Huayi
|
||||
Duan, Marco Bearzi, Jodok Vieli, and Cagin Tanir from NetSec
|
||||
group, ETH Zurich.
|
||||
* Fix CacheFlush issues with limit on NS RRs. Thanks to Yehuda
|
||||
Afek, Anat Bremler-Barr, Shoham Danino and Yuval Shavitt
|
||||
(Tel-Aviv University and Reichman University).
|
||||
* Merge #1062: Fix potential overflow bug while parsing port in
|
||||
function cfg_mark_ports.
|
||||
* Fix for #1062: declaration before statement, avoid print of
|
||||
null, and redundant check for array size.
|
||||
* Fix to squelch udp connect errors in the log at low verbosity
|
||||
about invalid argument for IPv6 link local addresses.
|
||||
* Fix when the mesh jostle is exceeded that nameserver targets
|
||||
are marked as resolved, so that the lookup is not stuck on the
|
||||
requestlist.
|
||||
* Add missing common functions to tdir tests.
|
||||
* Merge #1070: Fix rtt assignement for low values of
|
||||
infra-cache-max-rtt.
|
||||
* Merge #1069: Fix unbound-control stdin commands for
|
||||
multi-process Unbounds.
|
||||
* Fix unbound-control commands that read stdin in multi-process
|
||||
operation (local_zones_remove, local_zones, local_datas_remove,
|
||||
local_datas, view_local_datas_remove, view_local_datas). They
|
||||
will be properly distributed to all processes. dump_cache and
|
||||
load_cache are no longer supported in multi-process operation.
|
||||
* Remove testdata/remote-threaded.tdir.
|
||||
testdata/09-unbound-control.tdir now checks both single and
|
||||
multi process/thread operation.
|
||||
* Fix to print a parse error when config is read with no name for
|
||||
a forward-zone, stub-zone or view.
|
||||
* Fix for parse end of forward-zone, stub-zone and view.
|
||||
* Fix for #1064: Fix that cachedb expired messages are considered
|
||||
insecure, and thus can be served to clients when dnssec is
|
||||
enabled.
|
||||
* Fix #1059: Intermittent DNS blocking failure with local-zone
|
||||
and always_nxdomain. Addition of local_zones dynamically via
|
||||
unbound-control was not finding the zone's parent correctly.
|
||||
* Fix #1064: Unbound 1.20 Cachedb broken?
|
||||
* Fix unused variable warning on compilation with no thread
|
||||
support.
|
||||
* unbound-control-setup: check openssl availability before doing
|
||||
anything, patch from Michael Tokarev.
|
||||
* Update patch to remove 'command' shell builtin and update error
|
||||
text.
|
||||
* Fix to enable that SERVFAIL is cached, for a short period, for
|
||||
more cases. In the cases where limits are exceeded.
|
||||
* Fix spelling of tcp-idle-timeout docs, from Michael Tokarev.
|
||||
* Merge #1078: Only check old pid if no username.
|
||||
* Fix #1079: tags from tagged rpz zones are no longer honored
|
||||
after upgrade from 1.19.3 to 1.20.0.
|
||||
* Fix for #1079: fix RPZ taglist in iterator callback that no
|
||||
client info is like no taglist intersection.
|
||||
* Fix to squelch connection reset by peer errors from log. And
|
||||
fix that the tcp read errors are labeled as initial for the
|
||||
first calls.
|
||||
* Merge #1080: AddressSanitizer detection in tdir tests and
|
||||
memory leak fixes.
|
||||
* Fix memory leak when reload_keep_cache is used and num-threads
|
||||
changes.
|
||||
* Fix memory leak on exit for unbound-dnstap-socket; creates
|
||||
false negatives during testing.
|
||||
* Fix memory leak in setup of dsa sig.
|
||||
* Fix typos for 'the the' in text.
|
||||
* Fix validation for repeated use of a DNAME record.
|
||||
* Add unit test for validation of repeated use of a DNAME record.
|
||||
* Fix #1091: Build fails with OpenSSL >= 3.0 built with
|
||||
OPENSSL_NO_DEPRECATED.
|
||||
* Fix #1092: Ubuntu 22.04 Jammy fails to compile unbound 1.20.0;
|
||||
by adding helpful text for the Python interpreter version and
|
||||
allowing the default pkg-config unavailability error message to
|
||||
be shown.
|
||||
* Fix pkg-config availability check in dnstap/dnstap.m4 and
|
||||
systemd.m4.
|
||||
* Explicitly set the RD bit for the mesh query flags when
|
||||
prefetching. These queries have no waiting client but they need
|
||||
to be treated as recursive.
|
||||
* Fix ip-ratelimit-cookie setting, it was not applied.
|
||||
* Fix to remove unused include from the readzone test program.
|
||||
* Fix unused variable warning in do_cache_remove.
|
||||
* Fix compile warning in worker pthread id printout.
|
||||
* Add unit test skip files and bison and flex output to
|
||||
gitignore.
|
||||
* Fix to use modstack_init in zonemd unit test.
|
||||
* Fix to remove unneeded linebreak in fptr_wlist.c.
|
||||
* Fix compile warnings in fptr_wlist.c.
|
||||
* Fix for repeated use of a DNAME record: first overallocate and
|
||||
then move the exact size of the init value to avoid false
|
||||
positive heap overflow reads from address sanitizers.
|
||||
* Fix to print details about the failure to lookup a DNSKEY
|
||||
record when validation fails due to the missing DNSKEY. Also
|
||||
for key prime and DS lookups.
|
||||
* Fix for neater printout for error for missing DS response.
|
||||
* Fix neater printout.
|
||||
* Fix #1099: Unbound core dump on SIGSEGV.
|
||||
* Fix for #1099: Fix to check for deleted RRset when the contents
|
||||
is updated and fetched after it is stored, and also check for a
|
||||
changed RRset.
|
||||
* Don't check for message TTL changes if the RRsets remain the
|
||||
same.
|
||||
* Fix that validation reason failure that uses string print uses
|
||||
separate buffer that is passed, from the scratch validation
|
||||
buffer.
|
||||
* Fixup algo_needs_reason string buffer length.
|
||||
* Fix shadowed error string variable in validator dnskey
|
||||
handling.
|
||||
* Update list of known EDE codes.
|
||||
* For #773: In contrib/unbound.service.in set unbound to start
|
||||
after network-online.target. Also for
|
||||
contrib/unbound_portable.service.in.
|
||||
* Fix #1103: unbound 1.20.0 segmentation fault with nghttp2.
|
||||
* For #1103: fix to also drop mesh state reference when a h2
|
||||
reply is dropped.
|
||||
* Add RPZ tag tests in acl_interface.tdir.
|
||||
* For #1102: clearer text for using interface-* options for the
|
||||
loopback interface.
|
||||
* For #1103: fix to also drop mesh state reference when the
|
||||
discard limit is reached, when there is an error making a new
|
||||
recursion state and when the connection is dropped with
|
||||
is_drop.
|
||||
* For #1103: Fix to drop mesh state reference for the http2
|
||||
stream associated with the reply, not the currently active
|
||||
stream. And it does not remove it twice on a mesh_send_reply
|
||||
call. The reply h2_stream is NULL when not in use, for more
|
||||
initialisation.
|
||||
* Fix dnstap wakeup, a running wakeup timer is left to expire and
|
||||
not increased, a timer is started when the dtio thread is
|
||||
sleeping, the timer set disabled when the dtio thread goes to
|
||||
sleep, and after sleep the thread checks to see if there are
|
||||
messages to log immediately.
|
||||
* Merge #1110: Make fallthrough explicit for libworker.c.
|
||||
* For #1110: Test for fallthrough attribute in configure and add
|
||||
fallthrough attribute annotations.
|
||||
* Fix compile when the compiler does not support the noreturn
|
||||
attribute.
|
||||
* Fix to have empty definition when not supported for weak
|
||||
attribute.
|
||||
* Fix uninitialized variable warning in create_tcp_accept_sock.
|
||||
* Fix link of dnstap without openssl.
|
||||
* Fix link of unbound-dnstap-socket without openssl.
|
||||
* Fix #1106: ratelimit-below-domain logs the wrong FROM address.
|
||||
* Cleanup ede.tdir test.
|
||||
* For #935 and #1104, clarify RPZ order and semantics.
|
||||
* Fix to document parameters of auth_zone_verify_zonemd_with_key.
|
||||
* Fix for #1114: Fix that cache fill for forward-host names is
|
||||
performed, so that with nonzero target-fetch-policy it fetches
|
||||
forwarder addresses and uses them from cache. Also updated that
|
||||
delegation point cache fill routines use CDflag for AAAA
|
||||
message lookups, so that its negative lookup stops a recursion
|
||||
since the cache uses the bit for disambiguation for dns64 but
|
||||
the recursion uses CDflag for the AAAA target lookups, so the
|
||||
check correctly stops a useless recursion by its cache lookup.
|
||||
* Fix dnstap test program, cleans up to have clean memory on
|
||||
exit, for tap_data_free, does not delete NULL items. Also it
|
||||
does not try to free the tail, specifically in the free of the
|
||||
list since that picked up the next item in the list for its
|
||||
loop causing invalid free. Added internal unit test to
|
||||
unbound-dnstap-socket for that.
|
||||
* Fix that the worker mem report with alloc stats does not
|
||||
attempt to print memory use of forwards and hints if they have
|
||||
been deleted already.
|
||||
* Fix that alloc stats has strdup checks, it stops debuggers from
|
||||
complaining about mismatch at free time.
|
||||
* Fix testbound for alloc stats strdup in util/alloc.c.
|
||||
* Fix that alloc stats for forwards and hints are printed, and
|
||||
when alloc stats is enabled, the unit test for unbound control
|
||||
waits for reloads to complete.
|
||||
* Fix that for windows the module startup is called and sets up
|
||||
the module-config.
|
||||
* Fix spelling for the cache-min-negative-ttl entry in the
|
||||
example.conf.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed May 8 09:15:01 UTC 2024 - Jorik Cronenberg <jorik.cronenberg@suse.com>
|
||||
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
#
|
||||
# spec file for package libunbound-devel-mini
|
||||
#
|
||||
# Copyright (c) 2024 SUSE LLC
|
||||
# Copyright (c) 2025 SUSE LLC and contributors
|
||||
#
|
||||
# All modifications and additions to the file contributed by third parties
|
||||
# remain the property of their copyright owners, unless otherwise agreed
|
||||
@@ -22,7 +22,7 @@
|
||||
%bcond_without hardened_build
|
||||
#
|
||||
Name: libunbound-devel-mini
|
||||
Version: 1.20.0
|
||||
Version: 1.24.2
|
||||
#!BcntSyncTag: unbound
|
||||
Release: 0
|
||||
Summary: Just a devel package for build loops
|
||||
|
||||
3
tmpfiles-unbound-anchor.conf
Normal file
@@ -0,0 +1,3 @@
|
||||
#Type Path Mode UID GID Age Argument
|
||||
d /var/lib/unbound 0755 unbound unbound - -
|
||||
C /var/lib/unbound/root.key 0644 unbound unbound - /usr/share/unbound/root.key
|
||||
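Review bot: the `C /var/lib/unbound/root.key ... /usr/share/unbound/root.key` line copies only when the destination does not exist yet, so a system that already has /var/lib/unbound/root.key keeps its current file when a later package update ships a newer /usr/share/unbound/root.key. If that is intended because the anchor is maintained at runtime, say so in a comment above the line; otherwise the refresh of an existing root.key needs to be handled elsewhere in the package. The target also has to stay writable by the unbound user for anchor updates, which the `unbound unbound` ownership here covers.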
@@ -1 +1,2 @@
|
||||
D /run/unbound 0755 unbound unbound -
|
||||
#Type Path Mode UID GID Age Argument
|
||||
D /run/unbound 0755 unbound unbound - -
|
||||
|
||||
BIN
unbound-1.20.0.tar.gz
LFS
Binary file not shown.
@@ -1,16 +0,0 @@
|
||||
BIN
unbound-1.24.2.tar.gz
LFS
Normal file
Binary file not shown.
17
unbound-1.24.2.tar.gz.asc
Normal file
@@ -0,0 +1,17 @@
|
||||
13
unbound-swig-4.4.0-compat.patch
Normal file
@@ -0,0 +1,13 @@
|
||||
diff --git a/libunbound/python/libunbound.i b/libunbound/python/libunbound.i
|
||||
index dc125146c..9ed1be90b 100644
|
||||
--- a/libunbound/python/libunbound.i
|
||||
+++ b/libunbound/python/libunbound.i
|
||||
@@ -853,7 +853,7 @@ Result: ['74.125.43.147', '74.125.43.99', '74.125.43.103', '74.125.43.104']
|
||||
%{
|
||||
//printf("resolve_start(%lX)\n",(long unsigned int)arg1);
|
||||
Py_BEGIN_ALLOW_THREADS
|
||||
- $function
|
||||
+ $action
|
||||
Py_END_ALLOW_THREADS
|
||||
//printf("resolve_stop()\n");
|
||||
%}
|
||||
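Review bot: the patch file starts directly at `diff --git` with no header, so nothing in it records where the `$function` to `$action` change in libunbound/python/libunbound.i comes from or whether it has been sent upstream. Add a short description above the diff giving the origin, an upstream reference if one exists, and the swig 4.4.0 build failure that unbound.changes names as the reason. That lets the patch be dropped once a release carries the change.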
685
unbound.changes
@@ -1,3 +1,688 @@
|
||||
-------------------------------------------------------------------
|
||||
Fri Jan 30 12:21:42 UTC 2026 - Jorik Cronenberg <jorik.cronenberg@suse.com>
|
||||
|
||||
- Create /var/lib/unbound with systemd-tmpfiles, move root.key to
|
||||
/usr/share/unbound and copy it to /var/lib/unbound/root.key to
|
||||
improve immutable os compatibility.
|
||||
- Add BuildRequires for pkgconfig(systemd) to avoid tmpfiles not
|
||||
found error in install section.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Nov 26 11:31:04 UTC 2025 - Jorik Cronenberg <jorik.cronenberg@suse.com>
|
||||
|
||||
- Update to 1.24.2:
|
||||
Bug Fixes:
|
||||
* Additional fix for CVE-2025-11411 (possible domain hijacking
|
||||
attack), to include YXDOMAIN and non-referral nodata answers in
|
||||
the mitigation as well, reported by TaoFei Guo from Peking
|
||||
University, Yang Luo and JianJun Chen from Tsinghua University.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Oct 23 09:56:53 UTC 2025 - Jorik Cronenberg <jorik.cronenberg@suse.com>
|
||||
|
||||
- Add patch to fix build issue with swig 4.4.0
|
||||
[unbound-swig-4.4.0-compat.patch]
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Oct 22 10:35:26 UTC 2025 - Jorik Cronenberg <jorik.cronenberg@suse.com>
|
||||
|
||||
- Update to 1.24.1:
|
||||
Security Fixes:
|
||||
* Fix CVE-2025-11411 (possible domain hijacking attack)
|
||||
[bsc#1252525]
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Sep 24 10:54:29 UTC 2025 - Jorik Cronenberg <jorik.cronenberg@suse.com>
|
||||
|
||||
- Update to 1.24.0:
|
||||
Features:
|
||||
* Increase default to num-queries-per-thread: 2048, when unbound
|
||||
is compiled with libevent. It makes saturation of the task
|
||||
queue more resource intensive and less practical.
|
||||
* Auto-configure '-slabs' values.
|
||||
* Change default for so-sndbuf to 1m, to mitigate a cross-layer
|
||||
issue where the UDP socket send buffers are exhausted waiting
|
||||
for ARP/NDP resolution.
|
||||
* Adjusted so-sndbuf default to 4m.
|
||||
* Add extra statistic to track the number of signature validation
|
||||
operations. Adds 'num.valops' to extended statistics.
|
||||
* [FR] Disable TLSv1.2.
|
||||
* unbound-control cache_lookup prints the cached rrsets and
|
||||
messages for those.
|
||||
* unbound-control cache_lookup +t allows tld and root names. And
|
||||
subnet cache contents are printed.
|
||||
* [FR] zone status for Unbound auth-zones.
|
||||
|
||||
Bug Fixes:
|
||||
* Fix assertion failure testcode/unitverify.c:202.
|
||||
* Use macros for the fr_check_changed* functions.
|
||||
* Fix for parallel build of dnstap protoc-c output.
|
||||
* Fix dnstap to use protoc.
|
||||
* Sync unbound and unbound-checkconf log output for unknown
|
||||
modules.
|
||||
* Fix forward-zone "name: ." conflicts with auth-zone "name: ."
|
||||
in 1.23.0, but worked in 1.22.0.
|
||||
* Fix unsafe usage of atoi() while parsing the configuration
|
||||
file.
|
||||
* Fix auth nsec3 code. Fixes NSEC3 code to not break on broken
|
||||
auth zones that include unsigned out of zone (above apex) data.
|
||||
Could lead to hang while trying to prove a wildcard answer.
|
||||
* Fix NULL pointer deref in az_find_nsec_cover() (latent bug) by
|
||||
adding a log_assert() to safeguard future development.
|
||||
* Fix log-destaddr fail on long ipv6 addresses.
|
||||
* Fix config of slab values when there is no config file.
|
||||
* Fix for cname chain length with qtype ANY and qname
|
||||
minimisation.
|
||||
* RST man pages. It introduces restructuredText man pages to sync
|
||||
the online and source code man page documentation. The
|
||||
templated man pages (*.in) are still part of the repo but
|
||||
generated with docutils from their .rst counterpart.
|
||||
Documentation on how to generate those (mainly for core
|
||||
developers) is in README.man.
|
||||
* Add more checks about respip in unbound-checkconf. Also fixes
|
||||
unbound-checkconf not reporting RPZ configuration error.
|
||||
* [FR] Improve fuzzing of unbound by adapting the netbound
|
||||
program.
|
||||
* Small manpage corrections for the 'disable-dnssec-lame-check'
|
||||
option.
|
||||
* Fix unbound-anchor certificate file read for line ends and end
|
||||
of file.
|
||||
* Fix comment for the dname_remove_label_limit_len function.
|
||||
* iana portlist updated.
|
||||
* Fix bitwise operators in conditional expressions with
|
||||
parentheses.
|
||||
* Fix conditional expressions with parentheses for bitwise and.
|
||||
* Fix header return value description for skip_pkt_rrs and
|
||||
parse_edns_from_query_pkt.
|
||||
* Fix to check control-interface addresses in unbound-checkconf.
|
||||
* Fix Windows 32-bit binaries download seems to be missing dll
|
||||
dependency.
|
||||
* Fix for consistent use of local zone CNAME alias for configured
|
||||
auth zones. Now it also applies to downstream configured auth
|
||||
zones.
|
||||
* Fix DNS over QUIC depends on a very outdated version of ngtcp2.
|
||||
Fixed so it works with ngtcp2 1.13.0 and OpenSSL 3.5.0.
|
||||
* edns-subnet: fix NULL_AFTER_DEREF on subnetmod.
|
||||
* Fix rrset cache create allocation failure case.
|
||||
* Fix EDE 6 is attached to insecure cached answers when client
|
||||
sends the CD bit.
|
||||
* Fix forward-first: ssl handshake failed on root nameservers.
|
||||
* Turn off fetch-policy for delegation when looking into parent
|
||||
side name servers that may not update the addresses and hit
|
||||
NXNS limits.
|
||||
* Replay test (added tcp_transport to outnet_serviced_query).
|
||||
* Generate ltmain.sh and configure again.
|
||||
* Fix is 'sock-queue-timeout' a linux only feature.
|
||||
* Implement sock-queue-timeout for FreeBSD as well.
|
||||
* Fix layout of comm_point_udp_ancil_callback.
|
||||
* Fix to improve dnstap discovery on Fedora.
|
||||
* Fix detection of SSL_CTX_set_tmp_ecdh function.
|
||||
* Fix configure cant find SSL_is_quic in OpenSSL 3.5.1.
|
||||
* Test num.valops in existing stat_values.tdir.
|
||||
* Add num.valops in the unbound-control man page.
|
||||
* Add unit tests for non-ecs aggregation.
|
||||
* Fix to not set rlimits in the unit tests.
|
||||
* iana portlist updated.
|
||||
* Redis checks for server down and throttles reconnects.
|
||||
* Fix redis cachedb module gettimeofday init failure.
|
||||
* Fix testbound test program to accurately output packets from
|
||||
hex.
|
||||
* Fix incorrectly reclaimed tcp handler can cause data corruption
|
||||
and segfault.
|
||||
* Fix to use assertions for consistency checks in reclaimed tcp
|
||||
handlers.
|
||||
* Fix edns subnet, so that the subquery without subnet is stored
|
||||
in global cache if the querier used 0.0.0.0/0 and the name and
|
||||
address do not receive subnet treatment. If the name and
|
||||
address are configured for subnet, it is stored in the subnet
|
||||
cache.
|
||||
* Fix dname_str for printout of long names.
|
||||
* Fix that edns-subnet failure to create a subquery errors as
|
||||
servfail, and not formerror.
|
||||
* Fix to whitespace in dname_str.
|
||||
* Fix that unbound-control dump_cache releases the cache locks
|
||||
every so often, so that the server stays responsive.
|
||||
* Fix to remove debug from cache_lookup.
|
||||
* Fix to unlock cache_lookup message for malformed records.
|
||||
* Fix to increase responsiveness of dump_cache.
|
||||
* Fix to decouple file descriptor activity and cache lookups in
|
||||
dump_cache.
|
||||
* Fix cache_lookup subnet printout to wipe zero part of the
|
||||
prefix.
|
||||
* Fix cache_lookup subnet print to not print messages without
|
||||
rrsets and perform in-depth check on node in the addrtree.
|
||||
* Fix to check for extraneous command arguments for
|
||||
unbound-control, when the command takes no arguments but there
|
||||
are arguments present.
|
||||
* Fix contrib/unbound.service comment path for systemd network
|
||||
configuration.
|
||||
* Fix compile warnings for DoH compile on windows.
|
||||
* Fix sha1 enable environment variable in test code on windows.
|
||||
* Fix that the zone acquired timestamp is set after the zonefile
|
||||
is read.
|
||||
* Fix unbound-control dump_cache for double unlock of lruhash
|
||||
table.
|
||||
* Fix setup_listen_sslctx warning for nettle compile.
|
||||
* Limit the number of consecutive reads on an HTTP/2 session.
|
||||
* Fix to free edns options scratch in ratelimit case.
|
||||
* Fix outdated Python2 code in unbound/pythonmod/examples/log.py.
|
||||
* Fix memory leak in 'msgparse.c' in
|
||||
'parse_edns_options_from_query(...)'.
|
||||
* Fix indentation in tcp-mss option parsing.
|
||||
* Fix make depend.
|
||||
* Update documentation for using "SET ... EX" in Redis.
|
||||
* Document max buffer sizes for Redis commands.
|
||||
* Update man pages.
|
||||
* Fix CNAME chains are sometimes not followed when RPZs add a
|
||||
local CNAME rewrite.
|
||||
* Update contrib/aaaa-filter-iterator.patch so it applies on
|
||||
1.24.0.
|
||||
* Small debug output improvement when attaching an EDE.
|
||||
* Fix to print warning for when so-sndbuf setsockopt is not
|
||||
granted.
|
||||
* Too many quotes for the EDE message debug printout.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Aug 11 10:19:50 UTC 2025 - Marcus Rueckert <mrueckert@suse.de>
|
||||
|
||||
- simplify python handling. python2 support is dropped and python3
|
||||
is built by default. Conditionals for the latter are removed.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Aug 11 10:14:25 UTC 2025 - Marcus Rueckert <mrueckert@suse.de>
|
||||
|
||||
- enable EDNS subnet handling
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Sun Aug 10 18:26:45 UTC 2025 - Marcus Rueckert <mrueckert@suse.de>
|
||||
|
||||
- Update to 1.23.1: (boo#1246625)
|
||||
Bug Fixes:
|
||||
* Fix RebirthDay Attack CVE-2025-5994, reported by Xiang Li from
|
||||
AOSP Lab Nankai University.
|
||||
- our package was not built with EDNS subnet support up to this
|
||||
point and therefor was not affected.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Sun Aug 10 18:07:02 UTC 2025 - Marcus Rueckert <mrueckert@suse.de>
|
||||
|
||||
- prepare enabling quic support:
|
||||
currently fails on missing quic support in openssl. aws-lc is
|
||||
sadly not a drop in replacement for unbound.
|
||||
- enable TCP Fast Open for the server and client
|
||||
- remove unused --with-ldns option
|
||||
- enable cachedb including hiredis support on Tumbleweed
|
||||
new BuildRequires pkgconfig(libhiredis)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Sun Jul 20 18:17:33 UTC 2025 - Mia Herkt <mia@0x0.st>
|
||||
|
||||
- Remove leftover dependency on sudo (not required)
|
||||
See also: boo#1215628
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Apr 24 11:58:41 UTC 2025 - Jorik Cronenberg <jorik.cronenberg@suse.com>
|
||||
|
||||
- Update to 1.23.0:
|
||||
Features:
|
||||
* Increase the default of max-global-quota to 200 from 128 after
|
||||
operational feedback. Still keeping the possible amplification
|
||||
factor (CAMP related issues) in the hundreds.
|
||||
* Fix #1175: serve-expired does not adhere to secure-by-default
|
||||
principle. The default value of serve-expired-client-timeout
|
||||
is set to 1800 as suggested by RFC8767.
|
||||
* For #1175, the default value of serve-expired-ttl is set to 86400
|
||||
(1 day) as suggested by RFC8767.
|
||||
* For #1207: [FR] Support for RESINFO RRType 261 (RFC9606), add
|
||||
LDNS_RR_TYPE_RESINFO similar to LDNS_RR_TYPE_TXT.
|
||||
* Add resolver.arpa and service.arpa to the default locally served
|
||||
zones.
|
||||
* Merge #1042: Fast Reload. The unbound-control fast_reload is added.
|
||||
It reads changed config in a thread, then only briefly pauses the
|
||||
service threads, that keep running. DNS service is only interrupted
|
||||
briefly, less than a second.
|
||||
* Merge #1019: Redis read-only replica support.
|
||||
Introduces new 'redis-replica-*' options for the Redis cache backend.
|
||||
* Merge #902: DNS Error Reporting (RFC 9567). Introduces new
|
||||
configuration option 'dns-error-reporting' and new statistics for
|
||||
'num.dns_error_reports'.
|
||||
|
||||
Bug Fixes:
|
||||
* Fix #1154: Tag Incorrectly Applying for Other Interfaces
|
||||
Using the Same IP. This fix is not for 1.22.0.
|
||||
* Fix #1163: Typos in unbound.conf documentation.
|
||||
* Merge #1159: Stats for discard-timeout and wait-limit.
|
||||
* Add test case for #1159.
|
||||
* Some clean up for stat_values.test.
|
||||
* Merge #1170 from Melroy van den Berg, Fix chroot manpage
|
||||
description.
|
||||
* Merge #1157 from Liang Zhu, Fix heap corruption when calling
|
||||
ub_ctx_delete in Windows.
|
||||
* Fix redis that during a reload it does not fail if the redis
|
||||
server does not connect or does not respond. It still logs the
|
||||
errors and if the server is up checks expiration features.
|
||||
* Merge #1167: Makefile.in: fix occasional parallel build failures
|
||||
around bison rule.
|
||||
* Fix SETEX check during Redis (re)initialization.
|
||||
* Fix for the serve expired DNSSEC information fix, it would not allow
|
||||
current delegation information be updated in cache. The fix allows
|
||||
current delegation and validation recursion information to be
|
||||
updated, but as a consequence no longer has certain expired
|
||||
information around for later dnssec valid expired responses.
|
||||
* Fix to log redis timeout error string on failure.
|
||||
* More descriptive text for 'harden-algo-downgrade'.
|
||||
* Complete fix for max-global-quota to 200.
|
||||
* Fix #1183: the data being used is released in method
|
||||
nsec3_hash_test_entry.
|
||||
* Fix for #1183: release nsec3 hashes per test file.
|
||||
* Merge #1169 from Sergey Kacheev, fix: lock-free counters for
|
||||
auth_zone up/down queries.
|
||||
* Fix comparison to help static analyzer.
|
||||
* For #1175, update serve-expired tests.
|
||||
* Merge #1189: Fix the dname_str method to cause conversion errors
|
||||
when the domain name length is 255.
|
||||
* Merge #1197: dname_str() fixes.
|
||||
* Merge #1198: Fix log-servfail with serve expired and no useful cache
|
||||
contents.
|
||||
* Safeguard alias loop while looking in the cache for expired answers.
|
||||
* Merge #1187: Create the SSL_CTX for QUIC before chroot and privilege
|
||||
drop.
|
||||
* Fix typo in log_servfail.tdir test.
|
||||
* Merge #1204: ci: set persist-credentials: false for actions/checkout
|
||||
per zizmor suggestion.
|
||||
* Merge #1174: Serve expired cache update fixes. Fixes a regression bug
|
||||
with serve-expired that appeared in 1.22.0 and would not allow the
|
||||
iterator to update the cache with not-yet-validated entries resulting
|
||||
in increased outgoing traffic.
|
||||
* Merge #1214: Use TCP_NODELAY on TLS sockets to speed up the TLS
|
||||
handshake.
|
||||
* Fix #1213: Misleading error message on default access control causing
|
||||
refuse.
|
||||
* Merge #1221: Consider auth zones when checking for forwarders.
|
||||
* Merge #1222: Unique DoT and DoH SSL contexts to allow for different
|
||||
ALPN.
|
||||
* Create the quic SSL listening context only when needed.
|
||||
* Fix compile of interface check code when dnscrypt or quic is
|
||||
disabled.
|
||||
* Fix encoding of RR type ATMA.
|
||||
* Fix to check length in ATMA string to wire.
|
||||
* Merge #1229: check before use daemon->shm_info.
|
||||
* Use the same interface listening port discovery code for all needed
|
||||
protocols.
|
||||
* Port to string only when needed before getaddrinfo().
|
||||
* Do not open unencrypted channels next to encrypted ones on the same
|
||||
port.
|
||||
* Merge #1224 from Theo Buehler: Do not use DSA API unless USE_DSA is
|
||||
set.
|
||||
* Merge #1220 from Petr Menšík, Add unbound members group access to
|
||||
control key.
|
||||
* Make the default value of module-config "validator iterator"
|
||||
regardless of compilation options. --enable-subnet would implicitly
|
||||
change the value to enable the subnetcache module by default in the
|
||||
past.
|
||||
* Fix #986: Resolving sas.com with dnssec-validation fails though
|
||||
signed delegations seem to be (mostly) correct.
|
||||
Consider reconfigurations when calculating the still_useful_timeout
|
||||
for servers in the infrastructure cache.
|
||||
* Fix static analysis report about unhandled EOF on error conditions
|
||||
when reading anchor key files.
|
||||
* Merge #1241: Fix infra-keep-probing for low infra-cache-max-rtt
|
||||
values.
|
||||
* Fix hash calculation for cachedb to ignore case. Previously, cached
|
||||
records there were only relevant for same case queries (if not
|
||||
already in Unbound's internal cache).
|
||||
* Merge #1243: Do not shadow tm on line 236.
|
||||
* Merge #1238: Prefer SOURCE_DATE_EPOCH over actual time.
|
||||
Add --help output description for the SOURCE_DATE_EPOCH variable.
|
||||
* Fix 'unbound-control flush_negative' when reporting removed data;
|
||||
reported by David 'eqvinox' Lamparter.
|
||||
* Fix representation of types GPOS and RESINFO, add rdf type for
|
||||
unquoted str.
|
||||
* Fix #1251: WSAPoll first argument cannot be NULL.
|
||||
* Fix for windows compile create ssl contexts.
|
||||
* Fix print of RR type NSAP-PTR, it is an unquoted string.
|
||||
* Fix #1253: Cache entries fail to be removed from Redis cachedb
|
||||
backend with unbound-control flush* +c.
|
||||
* Fix for #1253: Fix for redis cachedb backend to expect an integer
|
||||
reply for the EXPIRE command.
|
||||
* Fix #1254: send failed: Socket is not connected and
|
||||
remote address is 0.0.0.0 port 53.
|
||||
* Fix #1255: Multiple pinnings to vulnerable copies of libexpat.
|
||||
* For #1255, for ios use an older expat version that does not require
|
||||
C++11 language features.
|
||||
* For #1255, for ios disable building tests that require C++11.
|
||||
* For #1255, for ios try the latest expat version again.
|
||||
* Fix unit test dname log printout typecast.
|
||||
* Fix for ci test, expat is installed on the osx image.
|
||||
* iana portlist update.
|
||||
* Skip the unit tests for auth_tls.tdir and auth_tls_failcert.tdir.
|
||||
* Fix escape more characters when printing an RR type with an unquoted
|
||||
string.
|
||||
* Enable the auth_tls.tdir and auth_tls_failcert.tdir tests.
|
||||
* Fix unbound-control test so it counts the new flush_negative output,
|
||||
also answers the _ta probe from testns and prints command output
|
||||
and skip a thread specific test when no threads are available.
|
||||
* Fix that ub_event has the facility to deal with callbacks for
|
||||
fast reload, doq, windows-stop and dnstap.
|
||||
* Fix fast reload test to check if pid exists before acting on it.
|
||||
* Merge #1262 from markyang92, fix build with
|
||||
'gcc-15 -Wbuiltin-declaration-mismatch' error in compat/malloc.c.
|
||||
* For #1262, ifdef is no longer needed.
|
||||
* Fix #1263: Exempt loopback addresses from wait-limit.
|
||||
* Fix wait-limit-netblock and wait-limit-cookie-netblock config parse
|
||||
to allow two arguments.
|
||||
* Fix ub_event and include dnstap and win_svc headers.
|
||||
* Fix test for stat_values for wait limit defaults for localhost.
|
||||
* Fix parameter unused warning in net_help.c.
|
||||
* Fix mesh_copy_client_info to omit null contents from copy.
|
||||
* Fix comment name in the rpz nsdname test.
|
||||
* Fix nettle compile for warnings and ticket keys.
|
||||
* Fix redis_replica test for unused option defaults and log printout.
|
||||
* Fix test to speed up common.sh script kill_pid.
|
||||
* Fix to update common.sh for speed of kill_pid.
|
||||
* Update to the manpage for the fast_reload part.
|
||||
* Fix fast_reload to print chroot with config file name.
|
||||
* Fix to detect if atomic_store links in configure.
|
||||
* Fix #1264: unbound 1.22.0 leaks memory when doing DoH.
|
||||
* Fix for print of connection type in log-replies for dot and doh.
|
||||
* Merge #1265: Fix WSAPoll.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Nov 27 11:45:12 UTC 2024 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
|
||||
|
||||
- add workaround for bug
|
||||
https://github.com/NLnetLabs/unbound/issues/509
|
||||
Starting up with 127.0.0.1 in the /etc/resolv.conf leads to long
|
||||
delays if the anchor update is being run as ExecStartPre in the
|
||||
unbound service
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Oct 18 11:02:26 UTC 2024 - Jorik Cronenberg <jorik.cronenberg@suse.com>
|
||||
|
||||
- Update to 1.22.0:
|
||||
Features:
|
||||
* Add iter-scrub-ns, iter-scrub-cname and max-global-quota
|
||||
configuration options.
|
||||
* Merge patch to fix for glue that is outside of zone, with
|
||||
`harden-unverified-glue`, from Karthik Umashankar (Microsoft).
|
||||
Enabling this option protects the Unbound resolver against bad
|
||||
glue, that is unverified out of zone glue, by resolving them.
|
||||
It uses the records as last resort if there is no other working
|
||||
glue.
|
||||
* Add redis-command-timeout: 20 and redis-connect-timeout: 200,
|
||||
that can set the timeout separately for commands and the
|
||||
connection set up to the redis server. If they are not
|
||||
specified, the redis-timeout value is used.
|
||||
* Log timestamps in ISO8601 format with timezone. This adds the
|
||||
option `log-time-iso: yes` that logs in ISO8601 format.
|
||||
* DNS over QUIC. This adds `quic-port: 853` and `quic-size: 8m`
|
||||
that enable dnsoverquic, and the counters `num.query.quic` and
|
||||
`mem.quic` in the statistics output. The feature needs to be
|
||||
enabled by compiling with libngtcp2, with
|
||||
`--with-libngtcp2=path` and libngtcp2 needs openssl+quic, pass
|
||||
that with `--with-ssl=path` to compile unbound as well.
|
||||
|
||||
Bug Fixes:
|
||||
* unbound-control-setup hangs while testing for openssl presence
|
||||
starting from version 1.21.0.
|
||||
* Fix error: "memory exhausted" when defining more than 9994
|
||||
local-zones.
|
||||
* Fix documentation for cache_fill_missing function.
|
||||
* Fix Loads of logs: "validation failure: key for validation
|
||||
<domain>. is marked as invalid because of a previous" for
|
||||
non-DNSSEC signed zone.
|
||||
* Fix that when rpz is applied the message does not get picked up
|
||||
by the validator. That stops validation failures for the
|
||||
message.
|
||||
* Fix that stub-zone and forward-zone clauses do not exhaust
|
||||
memory for long content.
|
||||
* Fix to print port number in logs for auth zone transfer
|
||||
activities.
|
||||
* b.root renumbering.
|
||||
* Add new IANA trust anchor.
|
||||
* Fix config file read for dnstap-sample-rate.
|
||||
* Fix alloc-size and calloc-transposed-args compiler warnings.
|
||||
* Fix to limit NSEC and NSEC3 TTL when aggressive nsec is enabled
|
||||
(RFC9077).
|
||||
* Fix dns64 with prefetch that the prefetch is stored in cache.
|
||||
* Attempt to further fix doh_downstream_buffer_size.tdir
|
||||
flakiness.
|
||||
* More clear text for prefetch and minimal-responses in the
|
||||
unbound.conf man page.
|
||||
* Fix cache update when serve expired is used. Expired records
|
||||
are favored over resolution and validation failures when
|
||||
serve-expired is used.
|
||||
* Fix negative cache NSEC3 parameter compares for zero length
|
||||
NSEC3 salt.
|
||||
* Fix unbound-control-setup hangs sometimes depending on the
|
||||
openssl version.
|
||||
* Fix Cannot override tcp-upstream and tls-upstream with
|
||||
forward-tcp-upstream and forward-tls-upstream.
|
||||
* Fix to limit NSEC TTL for messages from cachedb. Fix to limit
|
||||
the prefetch ttl for messages after a CNAME with short TTL.
|
||||
* Fix to disable detection of quic configured ports when quic is
|
||||
not compiled in.
|
||||
* Fix harden-unverified-glue for AAAA cache_fill_missing lookups.
|
||||
* Fix contrib/aaaa-filter-iterator.patch for change in call
|
||||
signature for cache_fill_missing.
|
||||
* Fix to display warning if quic-port is set but dnsoverquic is
|
||||
not enabled when compiled.
|
||||
* Fix dnsoverquic to extend the number of streams when one is
|
||||
closed.
|
||||
* Fix for dnstap with dnscrypt and dnstap without dnsoverquic.
|
||||
* Fix for dnsoverquic and dnstap to use the correct dnstap
|
||||
environment.
|
||||
|
||||
- Update keyring
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Oct 7 11:06:04 UTC 2024 - Jorik Cronenberg <jorik.cronenberg@suse.com>
|
||||
|
||||
- Update to 1.21.1:
|
||||
Security Fixes:
|
||||
* Fix CVE-2024-8508, unbounded name compression could lead to
|
||||
denial of service.
|
||||
[CVE-2024-8508, bsc#1231284]
|
||||
|
||||
- Update keyring
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Aug 15 09:24:29 UTC 2024 - Jorik Cronenberg <jorik.cronenberg@suse.com>
|
||||
|
||||
- Update to 1.21.0:
|
||||
Security Fixes:
|
||||
* Merge #1073: fix null pointer dereference issue in function
|
||||
ub_ctx_set_fwd.
|
||||
[CVE-2024-43167, bsc#1229068]
|
||||
|
||||
Features:
|
||||
* Fix #1071: [FR] Clear both in-memory and cachedb module cache
|
||||
with `unbound-control flush*` commands.
|
||||
* Fix #144: Port ipset to BSD pf tables.
|
||||
* Add dnstap-sample-rate that logs only 1/N messages, for high
|
||||
volume server environments. Thanks Dan Luther.
|
||||
* Add root key 38696 from 2024 for DNSSEC validation. It is added
|
||||
to the default root keys in unbound-anchor. The content can be
|
||||
inspected with `unbound-anchor -l`.
|
||||
* Merge #1090: Cookie secret file. Adds `cookie-secret-file:
|
||||
"unbound_cookiesecrets.txt"` option to store cookie secrets for
|
||||
EDNS COOKIE secret rollover. The remote control
|
||||
add_cookie_secret, activate_cookie_secret and
|
||||
drop_cookie_secret commands can be used for rollover, the
|
||||
command print_cookie_secrets shows the values in use.
|
||||
|
||||
Bug Fixes:
|
||||
* Fix CAMP issues with global quota. Thanks to Huayi
|
||||
Duan, Marco Bearzi, Jodok Vieli, and Cagin Tanir from NetSec
|
||||
group, ETH Zurich.
|
||||
* Fix CacheFlush issues with limit on NS RRs. Thanks to Yehuda
|
||||
Afek, Anat Bremler-Barr, Shoham Danino and Yuval Shavitt
|
||||
(Tel-Aviv University and Reichman University).
|
||||
* Merge #1062: Fix potential overflow bug while parsing port in
|
||||
function cfg_mark_ports.
|
||||
* Fix for #1062: declaration before statement, avoid print of
|
||||
null, and redundant check for array size.
|
||||
* Fix to squelch udp connect errors in the log at low verbosity
|
||||
about invalid argument for IPv6 link local addresses.
|
||||
* Fix when the mesh jostle is exceeded that nameserver targets
|
||||
are marked as resolved, so that the lookup is not stuck on the
|
||||
requestlist.
|
||||
* Add missing common functions to tdir tests.
|
||||
* Merge #1070: Fix rtt assignement for low values of
|
||||
infra-cache-max-rtt.
|
||||
* Merge #1069: Fix unbound-control stdin commands for
|
||||
multi-process Unbounds.
|
||||
* Fix unbound-control commands that read stdin in multi-process
|
||||
operation (local_zones_remove, local_zones, local_datas_remove,
|
||||
local_datas, view_local_datas_remove, view_local_datas). They
|
||||
will be properly distributed to all processes. dump_cache and
|
||||
load_cache are no longer supported in multi-process operation.
|
||||
* Remove testdata/remote-threaded.tdir.
|
||||
testdata/09-unbound-control.tdir now checks both single and
|
||||
multi process/thread operation.
|
||||
* Fix to print a parse error when config is read with no name for
|
||||
a forward-zone, stub-zone or view.
|
||||
* Fix for parse end of forward-zone, stub-zone and view.
|
||||
* Fix for #1064: Fix that cachedb expired messages are considered
|
||||
insecure, and thus can be served to clients when dnssec is
|
||||
enabled.
|
||||
* Fix #1059: Intermittent DNS blocking failure with local-zone
|
||||
and always_nxdomain. Addition of local_zones dynamically via
|
||||
unbound-control was not finding the zone's parent correctly.
|
||||
* Fix #1064: Unbound 1.20 Cachedb broken?
|
||||
* Fix unused variable warning on compilation with no thread
|
||||
support.
|
||||
* unbound-control-setup: check openssl availability before doing
|
||||
anything, patch from Michael Tokarev.
|
||||
* Update patch to remove 'command' shell builtin and update error
|
||||
text.
|
||||
* Fix to enable that SERVFAIL is cached, for a short period, for
|
||||
more cases. In the cases where limits are exceeded.
|
||||
* Fix spelling of tcp-idle-timeout docs, from Michael Tokarev.
|
||||
* Merge #1078: Only check old pid if no username.
|
||||
* Fix #1079: tags from tagged rpz zones are no longer honored
|
||||
after upgrade from 1.19.3 to 1.20.0.
|
||||
* Fix for #1079: fix RPZ taglist in iterator callback that no
|
||||
client info is like no taglist intersection.
|
||||
* Fix to squelch connection reset by peer errors from log. And
|
||||
fix that the tcp read errors are labeled as initial for the
|
||||
first calls.
|
||||
* Merge #1080: AddressSanitizer detection in tdir tests and
|
||||
memory leak fixes.
|
||||
* Fix memory leak when reload_keep_cache is used and num-threads
|
||||
changes.
|
||||
* Fix memory leak on exit for unbound-dnstap-socket; creates
|
||||
false negatives during testing.
|
||||
* Fix memory leak in setup of dsa sig.
|
||||
* Fix typos for 'the the' in text.
|
||||
* Fix validation for repeated use of a DNAME record.
|
||||
* Add unit test for validation of repeated use of a DNAME record.
|
||||
* Fix #1091: Build fails with OpenSSL >= 3.0 built with
|
||||
OPENSSL_NO_DEPRECATED.
|
||||
* Fix #1092: Ubuntu 22.04 Jammy fails to compile unbound 1.20.0;
|
||||
by adding helpful text for the Python interpreter version and
|
||||
allowing the default pkg-config unavailability error message to
|
||||
be shown.
|
||||
* Fix pkg-config availability check in dnstap/dnstap.m4 and
|
||||
systemd.m4.
|
||||
* Explicitly set the RD bit for the mesh query flags when
|
||||
prefetching. These queries have no waiting client but they need
|
||||
to be treated as recursive.
|
||||
* Fix ip-ratelimit-cookie setting, it was not applied.
|
||||
* Fix to remove unused include from the readzone test program.
|
||||
* Fix unused variable warning in do_cache_remove.
|
||||
* Fix compile warning in worker pthread id printout.
|
||||
* Add unit test skip files and bison and flex output to
|
||||
gitignore.
|
||||
* Fix to use modstack_init in zonemd unit test.
|
||||
* Fix to remove unneeded linebreak in fptr_wlist.c.
|
||||
* Fix compile warnings in fptr_wlist.c.
|
||||
* Fix for repeated use of a DNAME record: first overallocate and
|
||||
then move the exact size of the init value to avoid false
|
||||
positive heap overflow reads from address sanitizers.
|
||||
* Fix to print details about the failure to lookup a DNSKEY
|
||||
record when validation fails due to the missing DNSKEY. Also
|
||||
for key prime and DS lookups.
|
||||
* Fix for neater printout for error for missing DS response.
|
||||
* Fix neater printout.
|
||||
* Fix #1099: Unbound core dump on SIGSEGV.
|
||||
* Fix for #1099: Fix to check for deleted RRset when the contents
|
||||
is updated and fetched after it is stored, and also check for a
|
||||
changed RRset.
|
||||
* Don't check for message TTL changes if the RRsets remain the
|
||||
same.
|
||||
* Fix that validation reason failure that uses string print uses
|
||||
separate buffer that is passed, from the scratch validation
|
||||
buffer.
|
||||
* Fixup algo_needs_reason string buffer length.
|
||||
* Fix shadowed error string variable in validator dnskey
|
||||
handling.
|
||||
* Update list of known EDE codes.
|
||||
* For #773: In contrib/unbound.service.in set unbound to start
|
||||
after network-online.target. Also for
|
||||
contrib/unbound_portable.service.in.
|
||||
* Fix #1103: unbound 1.20.0 segmentation fault with nghttp2.
|
||||
* For #1103: fix to also drop mesh state reference when a h2
|
||||
reply is dropped.
|
||||
* Add RPZ tag tests in acl_interface.tdir.
|
||||
* For #1102: clearer text for using interface-* options for the
|
||||
loopback interface.
|
||||
* For #1103: fix to also drop mesh state reference when the
|
||||
discard limit is reached, when there is an error making a new
|
||||
recursion state and when the connection is dropped with
|
||||
is_drop.
|
||||
* For #1103: Fix to drop mesh state reference for the http2
|
||||
stream associated with the reply, not the currently active
|
||||
stream. And it does not remove it twice on a mesh_send_reply
|
||||
call. The reply h2_stream is NULL when not in use, for more
|
||||
initialisation.
|
||||
* Fix dnstap wakeup, a running wakeup timer is left to expire and
|
||||
not increased, a timer is started when the dtio thread is
|
||||
sleeping, the timer set disabled when the dtio thread goes to
|
||||
sleep, and after sleep the thread checks to see if there are
|
||||
messages to log immediately.
|
||||
* Merge #1110: Make fallthrough explicit for libworker.c.
|
||||
* For #1110: Test for fallthrough attribute in configure and add
|
||||
fallthrough attribute annotations.
|
||||
* Fix compile when the compiler does not support the noreturn
|
||||
attribute.
|
||||
* Fix to have empty definition when not supported for weak
|
||||
attribute.
|
||||
* Fix uninitialized variable warning in create_tcp_accept_sock.
|
||||
* Fix link of dnstap without openssl.
|
||||
* Fix link of unbound-dnstap-socket without openssl.
|
||||
* Fix #1106: ratelimit-below-domain logs the wrong FROM address.
|
||||
* Cleanup ede.tdir test.
|
||||
* For #935 and #1104, clarify RPZ order and semantics.
|
||||
* Fix to document parameters of auth_zone_verify_zonemd_with_key.
|
||||
* Fix for #1114: Fix that cache fill for forward-host names is
|
||||
performed, so that with nonzero target-fetch-policy it fetches
|
||||
forwarder addresses and uses them from cache. Also updated that
|
||||
delegation point cache fill routines use CDflag for AAAA
|
||||
message lookups, so that its negative lookup stops a recursion
|
||||
since the cache uses the bit for disambiguation for dns64 but
|
||||
the recursion uses CDflag for the AAAA target lookups, so the
|
||||
check correctly stops a useless recursion by its cache lookup.
|
||||
* Fix dnstap test program, cleans up to have clean memory on
|
||||
exit, for tap_data_free, does not delete NULL items. Also it
|
||||
does not try to free the tail, specifically in the free of the
|
||||
list since that picked up the next item in the list for its
|
||||
loop causing invalid free. Added internal unit test to
|
||||
unbound-dnstap-socket for that.
|
||||
* Fix that the worker mem report with alloc stats does not
|
||||
attempt to print memory use of forwards and hints if they have
|
||||
been deleted already.
|
||||
* Fix that alloc stats has strdup checks, it stops debuggers from
|
||||
complaining about mismatch at free time.
|
||||
* Fix testbound for alloc stats strdup in util/alloc.c.
|
||||
* Fix that alloc stats for forwards and hints are printed, and
|
||||
when alloc stats is enabled, the unit test for unbound control
|
||||
waits for reloads to complete.
|
||||
* Fix that for windows the module startup is called and sets up
|
||||
the module-config.
|
||||
* Fix spelling for the cache-min-negative-ttl entry in the
|
||||
example.conf.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed May 8 09:15:01 UTC 2024 - Jorik Cronenberg <jorik.cronenberg@suse.com>
|
||||
|
||||
|
||||
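Review bot: In the 1.21.0 entry, "Fix CAMP issues with global quota", "Fix CacheFlush issues with limit on NS RRs" and "Merge #1062: Fix potential overflow bug while parsing port in function cfg_mark_ports" sit under Bug Fixes with no tracking reference, while the Security Fixes items in 1.21.0 and 1.21.1 each carry one ([CVE-2024-43167, bsc#1229068] and [CVE-2024-8508, bsc#1231284]). The first two credit external research groups and all three read as hardening against hostile input, so if any of them has a CVE or bsc entry, add it in the same bracketed form so the fix can be traced from this changelog. If none exists, no change is needed.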
289
unbound.keyring
@@ -1,57 +1,238 @@
|
||||
pub rsa4096 2011-04-21 [SCA] [expires: 2024-12-07]
|
||||
EDFAA3F2CA4E6EB05681AF8E9F6F1C2D7E045F8D
|
||||
uid W.C.A. Wijngaards <wouter@nlnetlabs.nl>
|
||||
sub rsa4096 2011-04-21 [E] [expires: 2024-12-07]
|
||||
|
||||
|
||||
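Review bot: The keyring grows from 57 to 238 lines, but the only human-readable identification in this hunk is the header for the rsa4096 key EDFAA3F2CA4E6EB05681AF8E9F6F1C2D7E045F8D (uid W.C.A. Wijngaards), marked as expiring 2024-12-07, and the changelog entries say only "Update keyring". A packaging keyring decides which signatures are accepted for the source, so please list the fingerprints and uids of the keys it now contains in the changelog entry (or keep an equivalent pub/uid header for each key), and say where they were verified, so a reviewer can compare them with what upstream publishes instead of trusting the key data as is.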
@@ -13,7 +13,8 @@ User=unbound
|
||||
Group=unbound
|
||||
EnvironmentFile=-/etc/sysconfig/unbound
|
||||
#ExecStartPre=/sbin/runuser --shell /bin/sh -c "/usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem" unbound
|
||||
ExecStartPre=/usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem
|
||||
# https://github.com/NLnetLabs/unbound/issues/509
|
||||
ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_UNBOUND_ANCHOR" == "yes" ]; then /usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem -R; else echo "Updates of root keys with unbound-anchor is disabled"; fi'
|
||||
ExecStartPre=/usr/sbin/unbound-checkconf
|
||||
ExecStart=!/usr/sbin/unbound -d $UNBOUND_OPTIONS
|
||||
|
||||
|
||||
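Review bot: The bash ExecStartPre wrapper introduces DISABLE_UNBOUND_ANCHOR and the -R flag, but the only explanation in the unit is the issue URL in the comment above it. Say in that comment what the variable does, and document it in the sysconfig template, since it is read from the optional EnvironmentFile=-/etc/sysconfig/unbound and turns off root key updates when set to "yes". Also note that the line has no "-" prefix and the if statement passes the exit status of unbound-anchor through, so any non-zero exit blocks the service start; confirm that is the intended behaviour. As a style point, [ ! "$DISABLE_UNBOUND_ANCHOR" == "yes" ] reads more clearly as [ "$DISABLE_UNBOUND_ANCHOR" != "yes" ].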
85
unbound.spec
@@ -1,7 +1,7 @@
#
# spec file for package unbound
#
# Copyright (c) 2024 SUSE LLC
# Copyright (c) 2025 SUSE LLC and contributors
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -21,11 +21,17 @@
%define _fillupdir /var/adm/fillup-templates
%endif

%bcond_without python3
%bcond_without munin
%bcond_without hardened_build
%bcond_without dnstap
%bcond_without systemd
# needs openssl with quic enabled - aws-lc is sadly not a drop in as it removed some functions used by unbound
%bcond_with unbound_quic
%if 0%{?suse_version} > 1600
%bcond_without unbound_redis
%else
%bcond_with unbound_redis
%endif

%define _sharedstatedir /var/lib/
%define ldns_version 1.6.16
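
Review bot: `%if 0%{?suse_version} > 1600` enables the redis backend only for versions strictly above 1600, so a target that reports exactly 1600 builds without hiredis while the configure call elsewhere in this diff still passes `--enable-cachedb`. If that split is intended, say why in a comment next to the `%if`; otherwise use `>= 1600`.
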
@@ -33,7 +39,7 @@
%define piddir /run

Name: unbound
Version: 1.20.0
Version: 1.24.2
Release: 0
BuildRequires: flex
BuildRequires: ldns-devel >= %{ldns_version}
@@ -47,19 +53,22 @@ BuildRequires: libfstrm-devel
BuildRequires: libprotobuf-c-devel >= 1.0.0
BuildRequires: protobuf-c >= 1.0.0
%endif
%if %{with python3}
BuildRequires: python-rpm-macros
BuildRequires: python3-devel
BuildRequires: swig
%endif
# needed for dns over https
BuildRequires: pkgconfig(libnghttp2)
%if %{with unbound_quic}
BuildRequires: pkgconfig(libngtcp2)
%endif
%if %{with unbound_redis}
BuildRequires: pkgconfig(hiredis)
%endif
Requires: ldns >= %{ldns_version}
# until we figured something else out for the unbound-anchor part in the systemd unit file
Requires: sudo
# unbound-control-setup depends on /usr/bin/openssl
Requires: openssl
%if %{with systemd}
BuildRequires: pkgconfig(systemd)
BuildRequires: pkgconfig(libsystemd)
%{?systemd_requires}
%endif
@@ -86,6 +95,8 @@ Source15: unbound-anchor.timer
Source16: unbound-munin.README
Source18: unbound-anchor.service
Source19: unbound.sysusers
Source20: tmpfiles-unbound-anchor.conf
Patch0: unbound-swig-4.4.0-compat.patch

Summary: Validating, recursive, and caching DNS(SEC) resolver
License: BSD-3-Clause
@@ -155,7 +166,6 @@ Unbound is a validating, recursive, and caching DNS(SEC) resolver.

This package contains the tools to manage the anchor certs.

%if %{with python3}
%package -n python3-unbound
Summary: Python modules and extensions for unbound
Group: Applications/System
@@ -167,10 +177,9 @@ Provides: unbound-python
Unbound is a validating, recursive, and caching DNS(SEC) resolver.

This package holds the Python modules and extensions for unbound.
%endif

%prep
%setup
%autosetup -p1

%build
%sysusers_generate_pre %{SOURCE19} anchor unbound.conf
@@ -178,15 +187,15 @@ This package holds the Python modules and extensions for unbound.
export CFLAGS="%{optflags}"
export CXXFLAGS="%{optflags}"

%if %{with python2}
pushd ../p2
%configure \
--disable-rpath \
--with-libevent \
--with-pthreads \
--disable-static \
--with-ldns=%{_prefix} \
--with-libnghttp2 \
%if %{with unbound_quic}
--with-libngtcp2 \
%endif
--enable-sha2 \
--enable-gost \
--enable-ecdsa \
@@ -194,41 +203,19 @@ pushd ../p2
--enable-pie \
--enable-relro-now \
--enable-dnscrypt \
--enable-tfo-client \
--enable-tfo-server \
--enable-cachedb \
--enable-subnet \
%if %{with unbound_redis}
--with-libhiredis \
%endif
%if %{with dnstap}
--enable-dnstap \
%endif
--with-conf-file=%{_sysconfdir}/%{name}/unbound.conf \
--with-pidfile=%{piddir}/%{name}/%{name}.pid \
--with-pythonmodule --with-pyunbound PYTHON=%{__python2}\
--with-rootkey-file=%{_sharedstatedir}/unbound/root.key \
--disable-explicit-port-randomisation

make %{?_smp_mflags} all streamtcp
popd
%endif

%configure \
--disable-rpath \
--with-libevent \
--with-pthreads \
--disable-static \
--with-ldns=%{_prefix} \
--with-libnghttp2 \
--enable-sha2 \
--enable-gost \
--enable-ecdsa \
--enable-event-api \
--enable-pie \
--enable-relro-now \
--enable-dnscrypt \
%if %{with dnstap}
--enable-dnstap \
%endif
--with-conf-file=%{_sysconfdir}/%{name}/unbound.conf \
--with-pidfile=%{piddir}/%{name}/%{name}.pid \
%if %{with python3}
--with-pythonmodule --with-pyunbound PYTHON=%{__python3}\
%endif
--with-rootkey-file=%{_sharedstatedir}/unbound/root.key \
--disable-explicit-port-randomisation
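
Review bot: the `--disable-explicit-port-randomisation` line that closes `%configure` carries no comment, and it makes unbound rely on the kernel for source-port selection instead of picking random ports itself. For a resolver, unpredictable source ports are part of its resistance to spoofed answers, so add a one-line rationale next to the flag or drop it.
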
@@ -269,13 +256,14 @@ install -m 0644 testcode/streamtcp.1 %{buildroot}/%{_mandir}/man1/unbound-stream

# Install tmpfiles.d config
install -d -m 0755 %{buildroot}%{_tmpfilesdir}/ \
%{buildroot}%{_sharedstatedir}/unbound
%{buildroot}%{_datadir}/unbound
install -m 0644 %{SOURCE8} %{buildroot}%{_tmpfilesdir}/unbound.conf
install -m 0644 %{SOURCE20} %{buildroot}%{_tmpfilesdir}/unbound-anchor.conf

# install root and DLV key - we keep a copy of the root key in old location,
# in case user has changed the configuration and we wouldn't update it there
install -m 0644 %{SOURCE5} %{SOURCE6} %{buildroot}%{_sysconfdir}/unbound/
install -m 0644 %{SOURCE13} %{buildroot}%{_sharedstatedir}/unbound/root.key
install -m 0644 %{SOURCE13} %{buildroot}%{_datadir}/unbound/root.key

# create softlink for all functions of libunbound man pages
for mpage in ub_ctx ub_result ub_ctx_create ub_ctx_delete ub_ctx_set_option ub_ctx_get_option ub_ctx_config ub_ctx_set_fwd ub_ctx_resolvconf ub_ctx_hosts ub_ctx_add_ta ub_ctx_add_ta_file ub_ctx_trustedkeys ub_ctx_debugout ub_ctx_debuglevel ub_ctx_async ub_poll ub_wait ub_fd ub_process ub_resolve ub_resolve_async ub_cancel ub_resolve_free ub_strerror ub_ctx_print_local_zones ub_ctx_zone_add ub_ctx_zone_remove ub_ctx_data_add ub_ctx_data_remove;
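
Review bot: the comment `# install root and DLV key - we keep a copy of the root key in old location` no longer describes the install lines under it, which name both `%{_sharedstatedir}/unbound/root.key` and `%{_datadir}/unbound/root.key`, while `--with-rootkey-file` in the configure hunk still points at `%{_sharedstatedir}`. Update the comment to say which path is the packaged seed and which is the live trust anchor, and what creates the live file on a fresh install.
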
@@ -387,12 +375,10 @@ systemd-tmpfiles --create %{_tmpfilesdir}/unbound.conf || :
%defattr(-,root,root,-)
%{_libdir}/libunbound.so.*

%if %{with python3}
%files -n python3-unbound
%{python3_sitearch}/*
%doc libunbound/python/examples/*
%doc pythonmod/examples/*
%endif

%if %{with munin}
%files munin
@@ -421,8 +407,11 @@ systemd-tmpfiles --create %{_tmpfilesdir}/unbound.conf || :
%{_unitdir}/unbound-anchor.timer
%{_unitdir}/unbound-anchor.service
%{_sysusersdir}/unbound.conf
%dir %attr(-,unbound,unbound) %{_sharedstatedir}/%{name}
%attr(0644,unbound,unbound) %config(noreplace) %{_sharedstatedir}/%{name}/root.key
%{_tmpfilesdir}/unbound-anchor.conf
%ghost %dir %{_sharedstatedir}/%{name}
%ghost %attr(0644,root,root) %{_sharedstatedir}/%{name}/root.key
%dir %attr(-,unbound,unbound) %{_datadir}/%{name}
%attr(0644,unbound,unbound) %{_datadir}/%{name}/root.key
%attr(0644,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/dlv.isc.org.key
# just left for backwards compat with user changed unbound.conf files - format is different!
%attr(0644,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/root.key
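
Review bot: `%attr(0644,unbound,unbound) %{_datadir}/%{name}/root.key` and the matching `%dir` hand the service account ownership of the packaged trust anchor under `%{_datadir}`. That copy is read-only seed data, so `root,root` is the better owner and keeps the resolver's own account from being able to rewrite it. Separately, `%ghost %attr(0644,root,root) %{_sharedstatedir}/%{name}/root.key` should be checked against the unit's `User=unbound`, because `unbound-anchor` in `ExecStartPre` has to write that file.
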
@@ -1,3 +1,6 @@
# for extra debug, add "-v -v" or change verbosity: in unbound.conf

UNBOUND_OPTIONS=""

# to disable the anchor update, set this to 'yes'
DISABLE_UNBOUND_ANCHOR="no"
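
Review bot: the comment above `DISABLE_UNBOUND_ANCHOR="no"` says how to switch the update off but not what that changes. Add a line stating that with `yes` the `unbound-anchor` call in the unit's `ExecStartPre` is skipped at start-up, so `/var/lib/unbound/root.key` is refreshed only by other means, and that the unit compares against the exact string `yes`.
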