From: Stuart Henderson <stu@spacehopper.org>
Subject: Re: unbound 1.22.0
To: tech <tech@openbsd.org>
Date: Fri, 21 Feb 2025 08:36:19 +0000

On 2025/02/07 21:30, Stuart Henderson wrote:
> Upstream release was a few months ago. As usual not super easy to read
> as a diff in one go, and many of the changes relate to things not used
> in the OpenBSD build.

I don't have any particular concerns about this - any objection to
committing this so it gets wider testing?

[full diff removed; available at https://junkpile.org/unbound-1.22.0.diff.gz]

> Index: doc/Changelog
> ===================================================================
> RCS file: /cvs/src/usr.sbin/unbound/doc/Changelog,v
> diff -u -p -r1.53 Changelog
> --- doc/Changelog	4 Sep 2024 09:36:40 -0000	1.53
> +++ doc/Changelog	7 Feb 2025 21:25:44 -0000
> @@ -1,6 +1,155 @@
> +16 October 2024: Yorgos
> +	- Fix for dnsoverquic and dnstap to use the correct dnstap
> +	  environment.
> +
> +16 October 2024: Wouter
> +	- Fix for dnstap with dnscrypt and dnstap without dnsoverquic.
> +
> +14 October 2024: Wouter
> +	- Fix to display warning if quic-port is set but dnsoverquic is not
> +	  enabled when compiled.
> +	- Fix dnsoverquic to extend the number of streams when one is closed.
> +
> +11 October 2024: Wouter
> +	- Fix to disable detection of quic configured ports when quic is
> +	  not compiled in.
> +	- Fix harden-unverified-glue for AAAA cache_fill_missing lookups.
> +	- Fix contrib/aaaa-filter-iterator.patch for change in call
> +	  signature for cache_fill_missing.
> +
> +10 October 2024: Wouter
> +	- Fix cookie_file test sporadic fails for time change during
> +	  the test.
> +	- Fix add reallocarray to alloc stats unit test, and disable
> +	  override of strdup in unbound-host, and the result of config
> +	  get option is freed properly.
> +
> +9 October 2024: Wouter
> +	- Merge #871: DNS over QUIC. This adds `quic-port: 853` and
> +	  `quic-size: 8m` that enable dnsoverquic, and the counters
> +	  `num.query.quic` and `mem.quic` in the statistics output.
> +	  The feature needs to be enabled by compiling with libngtcp2,
> +	  with `--with-libngtcp2=path` and libngtcp2 needs openssl+quic,
> +	  pass that with `--with-ssl=path` to compile unbound as well.
> +	- Fix to limit NSEC TTL for messages from cachedb. Fix to limit the
> +	  prefetch ttl for messages after a CNAME with short TTL.
> +	- Fix for dnstap compile of doqclient with doq disabled.
> +
> +8 October 2024: Wouter
> +	- Fix #1149: unbound-control-setup hangs sometimes depending on
> +	  the openssl version.
> +	- Fix #1128: Cannot override tcp-upstream and tls-upstream with
> +	  forward-tcp-upstream and forward-tls-upstream.
> +
> +3 October 2024: Yorgos
> +	- Fix CVE-2024-8508, unbounded name compression could lead to denial
> +	  of service.
> +	- This fix was part of 1.21.1, a security point release on 1.21.0.
> +	  The code repository continues with this fix and the version number
> +	  1.22.0.
> +
> +30 September 2024: Wouter
> +	- Fix negative cache NSEC3 parameter compares for zero length NSEC3
> +	  salt.
> +	- Fix unbound dnstap socket test program analyzer warnings about
> +	  unused variable assignments and variable initialization.
> +
> +25 September 2024: Wouter
> +	- Fix #1144: [FR] log timestamps in ISO8601 format with timezone.
> +	  This adds the option `log-time-iso: yes` that logs in ISO8601
> +	  format.
> +
> +24 September 2024: Yorgos
> +	- Attempt to further fix doh_downstream_buffer_size.tdir flakiness.
> +	- More clear text for prefetch and minimal-responses in the
> +	  unbound.conf man page.
> +	- Merge #1143: Fix cache update when serve expired is used. Expired
> +	  records are favored over resolution and validation failures when
> +	  serve-expired is used.
> +
> +23 September 2024: Wouter
> +	- Fix dns64 with prefetch that the prefetch is stored in cache.
> +
> +23 September 2024: Yorgos
> +	- Fix doxygen warnings by commenting out CLANG_ASSISTED_PARSING,
> +	  CLANG_ADD_INC_PATHS, CLANG_OPTIONS and CLANG_DATABASE_PATH; they were
> +	  already disabled.
> +
> +17 September 2024: Wouter
> +	- Add redis-command-timeout: 20 and redis-connect-timeout: 200,
> +	  that can set the timeout separately for commands and the
> +	  connection set up to the redis server. If they are not
> +	  specified, the redis-timeout value is used.
> +
> +16 September 2024: Wouter
> +	- Merge #1140: Fix spelling mistake in comments.
> +
> +11 September 2024: Yorgos
> +	- Fix and add comments in testdata/val_negcache_ttl.rpl.
> +
> +10 September 2024: Wouter
> +	- Fix to limit NSEC and NSEC3 TTL when aggressive nsec is
> +	  enabled (RFC9077).
> +	- Add unit test for ttl limit for aggressive nsec.
> +
> +6 September 2024: Yorgos
> +	- Fix alloc-size and calloc-transposed-args compiler warnings.
> +	- Fix comment to not trigger doxygen unknown command.
> +
> +5 September 2024: Wouter
> +	- Fix config file read for dnstap-sample-rate.
> +
> +2 September 2024: Wouter
> +	- Merge #1135: Add new IANA trust anchor.
> +
> +30 August 2024: Wouter
> +	- Merge #1132: b.root renumbering.
> +	- Fix for #1132, adjusted unit test for change in the test file.
> +	- Fix for #1132, comment about adjusted copy of reference check.
> +
> +29 August 2024: Wouter
> +	- Unit test for auth zone transfer TLS, and TLS failure.
> +	- Fix to print port number in logs for auth zone transfer activities.
> +
> +28 August 2024: Wouter
> +	- Fix that when rpz is applied the message does not get picked up by
> +	  the validator. That stops validation failures for the message.
> +	- Fix that stub-zone and forward-zone clauses do not exhaust memory
> +	  for long content.
> +
> +27 August 2024: Wouter
> +	- Fix #1130: Loads of logs: "validation failure: key for validation
> +	  <domain>. is marked as invalid because of a previous" for
> +	  non-DNSSEC signed zone.
> +
> +23 August 2024: Wouter
> +	- Merge patch to fix for glue that is outside of zone, with
> +	  `harden-unverified-glue`, from Karthik Umashankar (Microsoft).
> +	  Enabling this option protects the Unbound resolver against bad
> +	  glue, that is unverified out of zone glue, by resolving them.
> +	  It uses the records as last resort if there is no other working
> +	  glue.
> +	- Fix #1127: error: "memory exhausted" when defining more than 9994
> +	  local-zones.
> +	- Fix documentation for cache_fill_missing function.
> +
> +21 August 2024: Wouter
> +	- Add cross platform freebsd, openbsd and netbsd to github ci.
> +	- Fix for char signedness warnings on NetBSD.
> +
> +20 August 2024: Wouter
> +	- Add iter-scrub-ns, iter-scrub-cname and max-global-quota
> +	  configuration options.
> +
> +19 August 2024: Wouter
> +	- Fix #1126: unbound-control-setup hangs while testing for openssl
> +	  presence starting from version 1.21.0.
> +
>  9 August 2024: Wouter
>  	- Fix spelling for the cache-min-negative-ttl entry in the
>  	  example.conf.
> +	- Tag for release 1.21.0, the repository continues with 1.21.1
> +	  in development.
>  
>  8 August 2024: Wouter
>  	- Fix CAMP issues with global quota. Thanks to Huayi Duan, Marco
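Review bot: the 3 October 2024 entry in this hunk carries the CVE-2024-8508 fix (unbounded name compression leading to denial of service), which upstream shipped as the 1.21.1 security point release, while the in-tree Changelog being replaced (r1.53) ends at the 1.21.0 release entry of 9 August 2024; the commit message should call out that this update brings in that fix rather than presenting it as a routine version bump. The hunk also documents several new configuration options (quic-port/quic-size, log-time-iso, redis-command-timeout/redis-connect-timeout, harden-unverified-glue, iter-scrub-ns, iter-scrub-cname, max-global-quota), but only doc/Changelog is visible here, so confirm the full diff updates the unbound.conf man page for the ones that apply to this build; per the 9 and 14 October 2024 entries, quic-port only takes effect when compiled with libngtcp2 and otherwise produces a warning, which is the behaviour to expect if someone sets it.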
> @@ -8,7 +157,7 @@
>  	- Fix CacheFlush issues with limit on NS RRs. Thanks to Yehuda Afek,
>  	  Anat Bremler-Barr, Shoham Danino and Yuval Shavitt (Tel-Aviv
>  	  University and Reichman University).
> -	- Set version number to 1.21.0 for release.
> +	- Set version number to 1.21.0 for release. This has tag 1.21.0rc1.
>  	- Fix that for windows the module startup is called and sets up
>  	  the module-config.