pkgsrc-Bugs archive


pkg/42785: net/unbound -> needs updating to 1.4.1 [patch included]



>Number:         42785
>Category:       pkg
>Synopsis:       net/unbound -> needs updating to 1.4.1 [patch included]
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    pkg-manager
>State:          open
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Wed Feb 10 19:00:01 +0000 2010
>Originator:     Fredrik Pettai
>Release:        NetBSD 5.0_STABLE
>Organization:
NORDUnet A/S
>Environment:
NetBSD morran 5.0_STABLE NetBSD 5.0_STABLE (MORRAN) #0: Sat Feb  6 22:28:19 CET 
2010  root@morran:/usr/src/sys/arch/i386/compile/MORRAN i386
>Description:
net/unbound should be updated to the current stable version.
Changelog of all bugs fixed (many memory leaks) and new features incorporated:

unbound-1.4.1:

Features:

* Bind the same interface multiple times at different ports. Use multiple 
interface: lines with an @port suffix.

Bug Fixes:

* Fix libtool version to 2 because of why_bogus change in 1.4.0.
[bugzilla: 284 ]
* fix parse of # without end-of-line at end-of-file.
* Fix crash with module-config "iterator".
[bugzilla: 287 ]
* Fix segfault when unbound-control remove nonexistent local data. And an 
update of ldns tarball with fix for parse errors generated for domain names 
like '.example.com'.
* Fix for lookup of parent-child disagreement domains, where the parent-side 
glue works but it does not provide proper NS, A or AAAA for itself, fixing 
motorcaravanners.eu.
* Fix negative cache lookup of closestencloser check of DS type bit.
* Fix SOA excluded from negative DS responses. Reported by Hauke Lampe.
* Fix that verify_rrsig routine checks expiration last.
* on IPv4 UDP turn off DF flag.
* Fix qclass=ANY queries, with class IN contents.

unbound-1.4.0:

Features:

* RFC 5702: RSASHA256 and RSASHA512 support enabled by default. Please use 
openssl 0.9.8 or later, that provide sha256 and sha512.
* included ldns tarball updated (which also enables rsasha256 support).
* val-log-level: 2 shows extended error information for validation failures, 
one line per failure. For example: validation failure <example.com. DNSKEY IN>: 
signature expired from 192.0.2.4 for trust anchor example.com. while building 
chain of trust
* Made new validator error string available from libunbound for applications. 
It is in result->why_bogus, a zero-terminated string. unbound-host prints it by 
default if a result is bogus. Also the errinf is public in module_qstate (for 
other modules).
* retry on DNSSEC failures, query other servers, unbound works harder to get 
valid DNSSEC data.
* so-rcvbuf: 4m option added. Set this on large busy servers to not drop the 
occasional packet in spikes due to full socket buffers. netstat -su keeps a 
counter of UDP dropped due to full buffers.
* auto-trust-anchor-file option with RFC5011 support, code from the NLnet Labs 
autotrust project(BSD license), is incorporated. In this way unbound can 
support trust anchor revocation properly, even revocation back to the unsigned 
state. It can read normal anchor files or autotrust files initially, after 
probing the file is written to in a format specific to unbound.
* use linebuffering for log-file: output, this can be significantly faster than 
the previous fflush method and enable some class of resolvers to use high 
verbosity (for short periods). Not on windows, because line buffering does not 
work there.
* Patch from Zdenek Vasicek and Attila Nagy for using the source IP from python 
scripts. See pythonmod/examples/resip.py.
* Got a patch from Luca Bruno for libunbound support on windows to pick up the 
system resolvconf nameservers and hosts there.
* call OPENSSL_config() in unbound and unit test so that the operator can use 
openssl.cnf for configuration options.
* Experimental support (disabled by default) for GOST for unofficial algorithm 
number 249 of draft-dolmatov-dnsext-dnssec-gost-01, tested to work with 
openssl-1.0.0beta and correct for examples in -01 draft.
* edns-buffer-size option, default 4096. Can be set to 1480 in case of DNS UDP 
fragments not arriving from authority servers.
* iana portlist updated.
* contrib/split-itar.sh from Tom Hendrikx to split anchors.mf from the IANA 
ITAR into individual key files that can be tracked with auto-trust-anchor-file.

Bug Fixes:

* fixed do-udp: no (only TCP is used).
* removed abort on prealloc failure, error still printed but softfail.
* Fix bug where autotrust does not work when started with a DS.
* Fix double time subtraction in negative cache reported by Amanda Constant and 
Hugh Mahon.
* fix unbound-host so -d can be given before -C.
* fix DNSSEC-missing-signature detection for minimal responses for qtype DNSKEY 
(assumes DNSKEY occurs at zone apex).
* fix compile of unbound-host when --enable-alloc-checks.
* Fix lookup problem reported by Koh-ichi Ito and Jaap Akkerhuis.
* Manual page fixes reported by Tony Finch.
* Fix memory leak reported by Tao Ma.
* increased MAXSYSLOGLEN so .bg key can be printed in debug output.
* Fix bug where DNSSEC-bogus messages were marked with too high TTL. The RRsets 
would still expire at the normal time, but this would keep messages bogus in 
the cache for too long.
* documented that load_cache is meant for debugging.
* fixup printing errors when load_cache, they were printed to the SSL 
connection which had just broken, now to the log.
* Changes to make unbound work with libevent-2.0.3 alpha. (in configure 
detection due to new ssl dependency in libevent).
* do not call sphinx for documentation when python is disabled.
* remove EV_PERSIST from libevent timeout code to make the code compatible with 
the libevent-2.0. Works with older libevent too.
* fix memory leak in python code.
* makefile fix for parallel makes.
* fixup unbound-control lookup to print forward and stub servers.
* fixup memleak in trust anchor unsupported algorithm check.
* free all memory on program exit, fix for ssl and flex.
* fixup DS lookup at anchor point with unsigned parent.
* fixup DLV lookup for DS queries to unsigned domains.
* Fix so that servers are only blacklisted if they fail to reply to 16 queries 
in a row and the timeout gets above 2 minutes.
* unbound-control lookup prints out infra cache information, like RTT.
* Fix bug in DLV lookup reported by Amanda from Secure64. It could sometimes 
wrongly classify a domain as unsigned, which does not give the AD bit on 
replies.
* Thanks to Surfnet found bug in new dnssec-retry code that failed to combine 
well when combined with DLV and then a validation failure.
* removed small memory leak from config file reader.
* fix manpage errors reported by debian lintian.
* Fixed validation failure for CNAME to optout NSEC3 nodata answer.
* unbound-host does not fail on type ANY.
* Fixed wireparse failure to put RRSIGs together with data in some long ANY mix 
cases, which fixes validation failures.
* Fixed signer detection of CNAME responses without signatures.
[bugzilla: 282 ]
* Fixed libunbound memleak on error condition by Eric Sesterhenn.

>How-To-Repeat:

>Fix:
# cvs diff -u
cvs diff: Diffing .
Index: Makefile
===================================================================
RCS file: /cvsroot/pkgsrc/net/unbound/Makefile,v
retrieving revision 1.6
diff -u -r1.6 Makefile
--- Makefile    17 Jan 2010 12:02:36 -0000      1.6
+++ Makefile    10 Feb 2010 18:45:07 -0000
@@ -1,7 +1,7 @@
 # $NetBSD: Makefile,v 1.6 2010/01/17 12:02:36 wiz Exp $
 
-DISTNAME=      unbound-1.3.4
-PKGREVISION=   1
+DISTNAME=      unbound-1.4.1
+#PKGREVISION=  1
 CATEGORIES=    net
 MASTER_SITES=  http://www.unbound.net/downloads/
 
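Review bot: `#PKGREVISION=  1` should be deleted, not commented out. PKGREVISION is dropped when DISTNAME moves to a new upstream version, so the commented line is dead text that a later edit could uncomment by mistake and ship 1.4.1 as revision 1 from the first commit. Remove the line entirely.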
Index: distinfo
===================================================================
RCS file: /cvsroot/pkgsrc/net/unbound/distinfo,v
retrieving revision 1.5
diff -u -r1.5 distinfo
--- distinfo    19 Oct 2009 17:03:33 -0000      1.5
+++ distinfo    10 Feb 2010 18:45:07 -0000
@@ -1,6 +1,6 @@
 $NetBSD: distinfo,v 1.5 2009/10/19 17:03:33 joerg Exp $
 
-SHA1 (unbound-1.3.4.tar.gz) = 70aea0092ad0b0cd76e57adc6a5843d3fa0d2a07
-RMD160 (unbound-1.3.4.tar.gz) = ae3a920b2e5f6a31527a83e75a04ade43bfc733e
-Size (unbound-1.3.4.tar.gz) = 4039725 bytes
-SHA1 (patch-ac) = 5c4ea2a3c09b0fadd254c223d04e40d00697bc95
+SHA1 (unbound-1.4.1.tar.gz) = a7bfcc057e4d242bfced847f587a71f8eaa236d7
+RMD160 (unbound-1.4.1.tar.gz) = 2f9b1ad943347305a47a9003f520c7bbe6cd6de6
+Size (unbound-1.4.1.tar.gz) = 4191123 bytes
+SHA1 (patch-ac) = fd729998a51257bd9693971bea11d8a8b8a53176
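Review bot: the new SHA1 and RMD160 values for unbound-1.4.1.tar.gz cannot be validated from this diff, and MASTER_SITES in the Makefile is a plain http:// URL, so these lines are the only integrity control on the distfile. Before committing, regenerate distinfo from an independently fetched tarball and compare the result with any checksum or signature upstream publishes for the release, rather than copying the values from the PR. The same applies to the patch-ac SHA1, which should be recomputed from the committed patch file.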
cvs diff: Diffing files
cvs diff: Diffing patches
Index: patches/patch-ac
===================================================================
RCS file: /cvsroot/pkgsrc/net/unbound/patches/patch-ac,v
retrieving revision 1.4
diff -u -r1.4 patch-ac
--- patches/patch-ac    23 Aug 2009 14:17:39 -0000      1.4
+++ patches/patch-ac    10 Feb 2010 18:45:07 -0000
@@ -1,8 +1,8 @@
 $NetBSD: patch-ac,v 1.4 2009/08/23 14:17:39 hasso Exp $
 
---- Makefile.in.orig   2009-07-15 16:08:52 +0300
-+++ Makefile.in        2009-08-23 17:11:32 +0300
-@@ -91,12 +91,11 @@ UNITTEST_SRC=$(patsubst $(srcdir)/%,%, \
+--- Makefile.in.orig   2009-09-10 16:16:19.000000000 +0200
++++ Makefile.in        2010-02-10 14:04:07.000000000 +0100
+@@ -93,12 +93,11 @@
        testcode/readhex.c testcode/ldns-testpkts.c smallapp/worker_cb.c \
        $(COMMON_SRC)
  UNITTEST_OBJ=$(addprefix $(BUILD),$(UNITTEST_SRC:.c=.lo)) $(COMPAT_OBJ)
@@ -18,9 +18,9 @@
  CONTROL_OBJ=$(addprefix $(BUILD),$(CONTROL_SRC:.c=.lo)) $(COMPAT_OBJ)
  HOST_SRC=smallapp/unbound-host.c
  HOST_OBJ=$(addprefix $(BUILD),$(HOST_SRC:.c=.lo)) $(COMPAT_OBJ)
-@@ -202,21 +201,21 @@ else
- ldnslib=
- endif
+@@ -205,21 +204,21 @@
+       $(INFO) Link $@
+       $Q$(LINK_LIB) -export-symbols $(srcdir)/libunbound/ubsyms.def -o $@ 
$(sort $(LIBUNBOUND_OBJ)) -rpath $(libdir) $(LIBS)
  
 -unbound$(EXEEXT):     $(DAEMON_OBJ) $(ldnslib)
 +unbound$(EXEEXT):     $(DAEMON_OBJ) $(ldnslib) libunbound.la
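Review bot: the added `$Q$(LINK_LIB) -export-symbols ... -o $@` line in the `@@ -18,9 +18,9 @@` hunk has been wrapped by the mailer, leaving `$(sort $(LIBUNBOUND_OBJ)) -rpath $(libdir) $(LIBS)` on a line of its own with no diff marker. The hunk will not apply as mailed, and hand-joining the line changes the content that the new patch-ac SHA1 in distinfo is supposed to cover. Please resend the diff as an attachment or with line wrapping disabled so the patch file and its checksum can be reproduced exactly.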

