unbound: add a WIP "unbound-1.25.0beta" package, based on -current from github.

[Havard Eidnes (via pkgsrc-wip) <commit-notify%pkgsrc.org@localhost>]

Module Name:	pkgsrc-wip
Committed By:	Havard Eidnes <he%NetBSD.org@localhost>
Pushed By:	he
Date:		Mon Apr 20 14:48:09 2026 +0000
Changeset:	fe1550f7e1ed7659963d32ba1761387e2d88cfe8

Added Files:
	unbound/DESCR
	unbound/Makefile
	unbound/PLIST
	unbound/buildlink3.mk
	unbound/distinfo
	unbound/files/smf/manifest.xml
	unbound/files/smf/unbound.sh
	unbound/files/unbound.sh
	unbound/options.mk
	unbound/patches/patch-configure

Log Message:
unbound: add a WIP "unbound-1.25.0beta" package, based on -current from github.

Among other things, this version will reportedly reload any renewed
certificates on "fast_reload", as opposed to earlier released
versions which require a full restart.  Ref.
https://github.com/NLnetLabs/unbound/issues/278.

To see a diff of this commit:
https://wip.pkgsrc.org/cgi-bin/gitweb.cgi?p=pkgsrc-wip.git;a=commitdiff;h=fe1550f7e1ed7659963d32ba1761387e2d88cfe8

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

diffstat:
 unbound/DESCR                   |   6 +++
 unbound/Makefile                | 104 ++++++++++++++++++++++++++++++++++++++++
 unbound/PLIST                   |  50 +++++++++++++++++++
 unbound/buildlink3.mk           |  21 ++++++++
 unbound/distinfo                |   6 +++
 unbound/files/smf/manifest.xml  |  35 ++++++++++++++
 unbound/files/smf/unbound.sh    |  11 +++++
 unbound/files/unbound.sh        |  37 ++++++++++++++
 unbound/options.mk              |  20 ++++++++
 unbound/patches/patch-configure |  16 +++++++
 10 files changed, 306 insertions(+)

diffs:
diff --git a/unbound/DESCR b/unbound/DESCR
new file mode 100644
index 0000000000..67cd289695
--- /dev/null
+++ b/unbound/DESCR
@@ -0,0 +1,6 @@
+Unbound is an implementation of a DNS resolver.  It provides a library
+similiar to libresolv that can be used for synchronous and asynchronous
+DNS lookups.  It also provides a caching-only (recursive) DNS server.
+
+Unbound has full support for IPv6 and DNSSEC validation,
+DNS-over-TLS and DNS-over-HTTPS.
diff --git a/unbound/Makefile b/unbound/Makefile
new file mode 100644
index 0000000000..6e064ebc59
--- /dev/null
+++ b/unbound/Makefile
@@ -0,0 +1,104 @@
+# $NetBSD: Makefile,v 1.133 2026/01/14 12:57:36 wiz Exp $
+
+DISTNAME=	unbound-1.25.0beta
+CATEGORIES=	net
+#MASTER_SITES=	https://nlnetlabs.nl/downloads/unbound/
+MASTER_SITES=	${MASTER_SITE_GITHUB:=NLnetLabs/}
+GITHUB_TAG=	e1d146d6b04c434a7ebc5b381771609863f9c2a5
+WRKSRC=		${WRKDIR}/${PKGBASE}-${GITHUB_TAG}
+
+MAINTAINER=	pkgsrc-users%NetBSD.org@localhost
+HOMEPAGE=	https://nlnetlabs.nl/projects/unbound/
+COMMENT=	DNS resolver and recursive server
+LICENSE=	modified-bsd
+
+BUILD_DEFS+=	PKG_SYSCONFBASE VARBASE
+BUILD_DEFS+=	UNBOUND_USER UNBOUND_GROUP UNBOUND_LOG_FACILITY
+FILES_SUBST+=	UNBOUND_USER=${UNBOUND_USER} UNBOUND_GROUP=${UNBOUND_GROUP}
+
+USE_LIBTOOL=		yes
+CONFIGURE_ARGS+=	--enable-allsymbols
+CONFIGURE_ARGS+=	--with-libexpat=${BUILDLINK_PREFIX.expat}
+CONFIGURE_ARGS+=	--with-libevent=${BUILDLINK_PREFIX.libevent}
+CONFIGURE_ARGS+=	--enable-event-api
+CONFIGURE_ARGS+=	--with-ssl=${BUILDLINK_PREFIX.openssl}
+CONFIGURE_ARGS+=	--with-syslog-facility=${UNBOUND_LOG_FACILITY}
+CONFIGURE_ARGS+=	--with-pidfile=${VARBASE}/run/unbound/unbound.pid
+CONFIGURE_ARGS+=	--sysconfdir=${PKG_SYSCONFBASE}
+GNU_CONFIGURE=		yes
+TEST_TARGET=		test
+
+USE_TOOLS+=	pkg-config
+
+.include "options.mk"
+
+# unbound uses some OpenBSD libc functions such as reallocarray(3).
+# The existing tests just look for the symbol in libc regardless
+# of anything in stdlib.h
+CPPFLAGS.NetBSD+=		-D_OPENBSD_SOURCE
+
+# Add the same logic as for ldns, so sha2/gost is configured automatically
+CHECK_BUILTIN.openssl=	yes
+.include "../../security/openssl/builtin.mk"
+CHECK_BUILTIN.openssl=	no
+.include "../../security/openssl/buildlink3.mk"
+
+PLIST_VARS+=		sha2 gost
+.if defined(USE_BUILTIN.openssl) && ${USE_BUILTIN.openssl:tl} == yes
+PLIST_VARS.gost!=	\
+	if ${PKG_ADMIN} pmatch 'openssl>=1.0.0' ${BUILTIN_PKG.openssl}; then \
+		${ECHO} "yes";                                          \
+	else                                                            \
+		${ECHO} "no";                                           \
+	fi
+PLIST_VARS.sha2!=	\
+	if ${PKG_ADMIN} pmatch 'openssl>=0.9.8' ${BUILTIN_PKG.openssl}; then \
+		${ECHO} "yes";                                          \
+	else                                                            \
+		${ECHO} "no";                                           \
+	fi
+.else
+PLIST_VARS.gost!=	\
+	if ${PKG_INFO} -qe 'openssl>=1.0.0'; then                       \
+		${ECHO} yes;                                            \
+	else                                                            \
+		${ECHO} no;                                             \
+	fi
+PLIST_VARS.sha2!=	\
+	if ${PKG_INFO} -qe 'openssl>=0.9.8'; then                       \
+		${ECHO} yes;                                            \
+	else                                                            \
+		${ECHO} no;                                             \
+	fi
+.endif
+.if ${PLIST_VARS.gost} == "yes"
+CONFIGURE_ARGS+=	--enable-gost
+.else
+CONFIGURE_ARGS+=	--disable-gost
+.endif
+.if ${PLIST_VARS.sha2} == "yes"
+CONFIGURE_ARGS+=	--enable-sha2
+.else
+CONFIGURE_ARGS+=	--disable-sha2
+.endif
+
+INSTALL_MAKE_FLAGS+=	\
+	configfile=${PREFIX}/share/examples/unbound/unbound.conf
+
+PKG_SYSCONFSUBDIR=	unbound
+
+CONF_FILES+=	share/examples/unbound/unbound.conf \
+		${PKG_SYSCONFDIR}/unbound.conf
+
+RCD_SCRIPTS=	unbound
+SMF_METHODS=	unbound
+SMF_NAME=	unbound
+
+PKG_GROUPS=	${UNBOUND_GROUP}
+PKG_USERS=	${UNBOUND_USER}:${UNBOUND_GROUP}
+
+.include "../../devel/libevent/buildlink3.mk"
+.include "../../textproc/expat/buildlink3.mk"
+BUILDLINK_API_DEPENDS.flex+=	flex>=2.6.4
+.include "../../devel/flex/buildlink3.mk"
+.include "../../mk/bsd.pkg.mk"
diff --git a/unbound/PLIST b/unbound/PLIST
new file mode 100644
index 0000000000..8369a89770
--- /dev/null
+++ b/unbound/PLIST
@@ -0,0 +1,50 @@
+@comment $NetBSD: PLIST,v 1.10 2021/08/27 07:55:36 adam Exp $
+include/unbound-event.h
+include/unbound.h
+lib/libunbound.la
+lib/pkgconfig/libunbound.pc
+man/man1/unbound-host.1
+man/man3/libunbound.3
+man/man3/ub_cancel.3
+man/man3/ub_ctx.3
+man/man3/ub_ctx_add_ta.3
+man/man3/ub_ctx_add_ta_file.3
+man/man3/ub_ctx_async.3
+man/man3/ub_ctx_config.3
+man/man3/ub_ctx_create.3
+man/man3/ub_ctx_data_add.3
+man/man3/ub_ctx_data_remove.3
+man/man3/ub_ctx_debuglevel.3
+man/man3/ub_ctx_debugout.3
+man/man3/ub_ctx_delete.3
+man/man3/ub_ctx_get_option.3
+man/man3/ub_ctx_hosts.3
+man/man3/ub_ctx_print_local_zones.3
+man/man3/ub_ctx_resolvconf.3
+man/man3/ub_ctx_set_fwd.3
+man/man3/ub_ctx_set_option.3
+man/man3/ub_ctx_trustedkeys.3
+man/man3/ub_ctx_zone_add.3
+man/man3/ub_ctx_zone_remove.3
+man/man3/ub_fd.3
+man/man3/ub_poll.3
+man/man3/ub_process.3
+man/man3/ub_resolve.3
+man/man3/ub_resolve_async.3
+man/man3/ub_resolve_free.3
+man/man3/ub_result.3
+man/man3/ub_strerror.3
+man/man3/ub_wait.3
+man/man5/unbound.conf.5
+man/man8/unbound-anchor.8
+man/man8/unbound-checkconf.8
+man/man8/unbound-control-setup.8
+man/man8/unbound-control.8
+man/man8/unbound.8
+sbin/unbound
+sbin/unbound-anchor
+sbin/unbound-checkconf
+sbin/unbound-control
+sbin/unbound-control-setup
+sbin/unbound-host
+share/examples/unbound/unbound.conf
diff --git a/unbound/buildlink3.mk b/unbound/buildlink3.mk
new file mode 100644
index 0000000000..8a9433e7c2
--- /dev/null
+++ b/unbound/buildlink3.mk
@@ -0,0 +1,21 @@
+# $NetBSD: buildlink3.mk,v 1.15 2026/01/07 08:48:29 wiz Exp $
+
+BUILDLINK_TREE+=	unbound
+
+.if !defined(UNBOUND_BUILDLINK3_MK)
+UNBOUND_BUILDLINK3_MK:=
+
+BUILDLINK_API_DEPENDS.unbound+=	unbound>=1.6.0
+BUILDLINK_ABI_DEPENDS.unbound+=	unbound>=1.24.2nb1
+BUILDLINK_PKGSRCDIR.unbound?=	../../wip/unbound
+
+.include "../../devel/libevent/buildlink3.mk"
+.include "../../security/openssl/buildlink3.mk"
+pkgbase := unbound
+.include "../../mk/pkg-build-options.mk"
+.if ${PKG_BUILD_OPTIONS.unbound:Mdoh}
+.include "../../www/nghttp2/buildlink3.mk"
+.endif
+.endif	# UNBOUND_BUILDLINK3_MK
+
+BUILDLINK_TREE+=	-unbound
diff --git a/unbound/distinfo b/unbound/distinfo
new file mode 100644
index 0000000000..866ec06736
--- /dev/null
+++ b/unbound/distinfo
@@ -0,0 +1,6 @@
+$NetBSD: distinfo,v 1.89 2025/12/03 14:09:02 adam Exp $
+
+BLAKE2s (unbound-1.25.0beta-e1d146d6b04c434a7ebc5b381771609863f9c2a5.tar.gz) = 874ba0c3ed9ee29d9ab2df78468169724a891b443e5962c5cf1000ecd92dbeb7
+SHA512 (unbound-1.25.0beta-e1d146d6b04c434a7ebc5b381771609863f9c2a5.tar.gz) = 9f44f648452d7d8eddf01cca63f35bf133c98164e4beb4ce89be2c2f61659d11c394643919a069f08d6b9312ac90929e8c7fa8c95516b178951abbc75ed47381
+Size (unbound-1.25.0beta-e1d146d6b04c434a7ebc5b381771609863f9c2a5.tar.gz) = 6228224 bytes
+SHA1 (patch-configure) = 0779bb9174e358163430fa0b05e81c464776b12f
diff --git a/unbound/files/smf/manifest.xml b/unbound/files/smf/manifest.xml
new file mode 100644
index 0000000000..f6c1eb4817
--- /dev/null
+++ b/unbound/files/smf/manifest.xml
@@ -0,0 +1,35 @@
+<?xml version="1.0"?>
+<!-- $NetBSD: manifest.xml,v 1.3 2016/06/08 10:16:55 jperkin Exp $ -->
+<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
+<service_bundle type="manifest" name="export">
+  <service name="@SMF_PREFIX@/@SMF_NAME@" type="service" version="1">
+    <create_default_instance enabled="false" />
+    <single_instance />
+    <dependency name='network' grouping='require_all' restart_on='error' type='service'>
+      <service_fmri value='svc:/milestone/network:default' />
+    </dependency>
+    <dependency name='filesystem-local' grouping='require_all' restart_on='none' type='service'>
+      <service_fmri value='svc:/system/filesystem/local:default' />
+    </dependency>
+    <method_context>
+      <method_environment>
+        <envvar name="LD_PRELOAD_32" value="/usr/lib/extendedFILE.so.1" />
+      </method_environment>
+    </method_context>
+    <exec_method type='method' name='start' exec='@PREFIX@/@SMF_METHOD_FILE.unbound@ %{config_file}' timeout_seconds='60' />
+    <exec_method type="method" name="stop" exec=":kill" timeout_seconds="60" />
+    <exec_method type="method" name="refresh" exec=":kill -HUP" timeout_seconds="60" />
+    <property_group name="startd" type="framework">
+      <propval name="duration" type="astring" value="contract" />
+      <propval name="ignore_error" type="astring" value="core,signal" />
+    </property_group>
+    <property_group name="application" type="application">
+      <propval name="config_file" type="astring" value="@PKG_SYSCONFDIR@/unbound.conf" />
+    </property_group>
+    <template>
+      <common_name>
+        <loctext xml:lang="C">unbound DNS cache</loctext>
+      </common_name>
+    </template>
+  </service>
+</service_bundle>
diff --git a/unbound/files/smf/unbound.sh b/unbound/files/smf/unbound.sh
new file mode 100644
index 0000000000..cd1e33e26e
--- /dev/null
+++ b/unbound/files/smf/unbound.sh
@@ -0,0 +1,11 @@
+#!/sbin/sh
+# $NetBSD: unbound.sh,v 1.1 2015/10/21 21:30:14 joerg Exp $
+. /lib/svc/share/smf_include.sh
+
+if [ ! -d @VARBASE@/run/unbound ]; then
+	@MKDIR@ @VARBASE@/run/unbound
+	@CHMOD@ 0750 @VARBASE@/run/unbound
+	@CHOWN@ @UNBOUND_USER@:@UNBOUND_GROUP@ @VARBASE@/run/unbound
+fi
+
+@PREFIX@/sbin/unbound -c "$1"
diff --git a/unbound/files/unbound.sh b/unbound/files/unbound.sh
new file mode 100644
index 0000000000..03f11f4ab8
--- /dev/null
+++ b/unbound/files/unbound.sh
@@ -0,0 +1,37 @@
+#!@RCD_SCRIPTS_SHELL@
+#
+# $NetBSD: unbound.sh,v 1.5 2015/12/28 13:48:30 bsiegert Exp $
+#
+# PROVIDE: unbound
+# REQUIRE: DAEMON
+#
+
+. /etc/rc.subr
+
+name="unbound"
+rcvar=${name}
+
+command=@PREFIX@/sbin/${name}
+pidfile=/var/run/${name}/${name}.pid
+required_files="@PKG_SYSCONFDIR@/unbound.conf"
+extra_commands="reload"
+start_precmd="unbound_precmd"
+
+unbound_precmd()
+{
+	if [ ! -d @VARBASE@/run/unbound ]; then
+		@MKDIR@ @VARBASE@/run/unbound
+		@CHMOD@ 0750 @VARBASE@/run/unbound
+		@CHOWN@ @UNBOUND_USER@:@UNBOUND_GROUP@ @VARBASE@/run/unbound
+	fi
+}
+
+unbound_flags=${unbound_flags:-""}
+
+if [ -f /etc/rc.subr ]; then
+	load_rc_config ${name}
+	run_rc_command "$1"
+else
+	echo -n " ${name}"
+	${command} ${unbound_flags}
+fi
diff --git a/unbound/options.mk b/unbound/options.mk
new file mode 100644
index 0000000000..b2952448b9
--- /dev/null
+++ b/unbound/options.mk
@@ -0,0 +1,20 @@
+# $NetBSD: options.mk,v 1.5 2021/08/27 07:55:36 adam Exp $
+
+PKG_OPTIONS_VAR=	PKG_OPTIONS.unbound
+PKG_SUPPORTED_OPTIONS+=	dnstap doh
+PKG_SUGGESTED_OPTIONS+=	doh
+
+.include "../../mk/bsd.options.mk"
+
+.if !empty(PKG_OPTIONS:Mdnstap)
+CONFIGURE_ARGS+=	--enable-dnstap
+.include "../../net/fstrm/buildlink3.mk"
+.include "../../devel/protobuf/buildlink3.mk"
+.include "../../devel/protobuf-c/buildlink3.mk"
+.endif
+
+# DNS-over-HTTPS
+.if !empty(PKG_OPTIONS:Mdoh)
+.include "../../www/nghttp2/buildlink3.mk"
+CONFIGURE_ARGS+=	--with-libnghttp2=${BUILDLINK_PREFIX.nghttp2}
+.endif
diff --git a/unbound/patches/patch-configure b/unbound/patches/patch-configure
new file mode 100644
index 0000000000..608531a47a
--- /dev/null
+++ b/unbound/patches/patch-configure
@@ -0,0 +1,16 @@
+$NetBSD: patch-configure,v 1.6 2024/05/08 11:16:49 he Exp $
+
+Pretend expat.h is found: it is guaranteed by PkgSrc, but on Darwin it might
+be buried inside an SDK; we don't want the SDK path being exposed in CFLAGS.
+
+--- configure.orig	2017-07-09 07:41:42.000000000 +0000
++++ configure
+@@ -21900,7 +21900,7 @@ fi
+ 
+ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for libexpat" >&5
+ printf %s "checking for libexpat... " >&6; }
+-found_libexpat="no"
++found_libexpat="yes"
+ for dir in $withval ; do
+             if test -f "$dir/include/expat.h"; then
+ 		found_libexpat="yes"