update unbound from upstream

2025-08-04 01:24:15 -04:00 · 2014-12-04 23:10:49 +02:00 · 2014-12-04 23:10:49 +02:00 · 831933425b
commit 831933425b
parent 9f74cc8e19
72 changed files with 1261 additions and 2655 deletions
--- a/external/unbound/doc/Changelog
+++ b/external/unbound/doc/Changelog
@ -1,3 +1,102 @@
+1 December 2014: Wouter
+	- Fix bug#632: unbound fails to build on AArch64, protects
+	  getentropy compat code from calling sysctl if it is has been removed.
+
+29 November 2014: Wouter
+	- Add include to getentropy_linux.c, hopefully fixing debian build.
+
+28 November 2014: Wouter
+	- Fix makefile for build from noexec source tree.
+
+26 November 2014: Wouter
+	- Fix libunbound undefined symbol errors for main.
+	  Referencing main does not seem to be possible for libunbound.
+
+24 November 2014: Wouter
+	- Fix log at high verbosity and memory allocation failure.
+	- iana portlist update.
+
+21 November 2014: Wouter
+	- Fix crash on multiple thread random usage on systems without
+	  arc4random.
+
+20 November 2014: Wouter
+	- fix compat/getentropy_win.c check if CryptGenRandom works and no
+	  immediate exit on windows.
+
+19 November 2014: Wouter
+	- Fix cdflag dns64 processing.
+
+18 November 2014: Wouter
+	- Fix that CD flag disables DNS64 processing, returning the DNSSEC
+	  signed AAAA denial.
+	- iana portlist update.
+
+17 November 2014: Wouter
+	- Fix #627: SSL_CTX_load_verify_locations return code not properly
+	  checked.
+
+14 November 2014: Wouter
+	- parser with bison 2.7
+
+13 November 2014: Wouter
+	- Patch from Stephane Lapie for ASAHI Net that implements aaaa-filter,
+	added to contrib/aaaa-filter-iterator.patch.
+
+12 November 2014: Wouter
+	- trunk has 1.5.1 in development.
+	- Patch from Robert Edmonds to build pyunbound python module
+	  differently.  No versioninfo, with -shared and without $(LIBS).
+	- Patch from Robert Edmonds fixes hyphens in unbound-anchor man page.
+	- Removed 'increased limit open files' log message that is written
+	  to console.  It is only written on verbosity 4 and higher.
+	  This keeps system bootup console cleaner.
+	- Patch from James Raftery, always print stats for rcodes 0..5.
+
+11 November 2014: Wouter
+	- iana portlist update.
+	- Fix bug where forward or stub addresses with same address but
+	  different port number were not tried.
+	- version number in svn trunk is 1.5.0
+	- tag 1.5.0rc1
+	- review fix from Ralph.
+
+7 November 2014: Wouter
+	- dnstap fixes by Robert Edmonds:
+		dnstap/dnstap.m4: cosmetic fixes
+		dnstap/: Remove compiled protoc-c output files
+		dnstap/dnstap.m4: Error out if required libraries are not found
+		dnstap: Fix ProtobufCBufferSimple usage that is incorrect as of
+			protobuf-c 1.0.0
+		dnstap/: Adapt to API changes in latest libfstrm (>= 0.2.0)
+
+4 November 2014: Wouter
+	- Add ub_ctx_add_ta_autr function to add a RFC5011 automatically
+	  tracked trust anchor to libunbound.
+	- Redefine internal minievent symbols to unique symbols that helps
+	  linking on platforms where the linker leaks names across modules.
+
+27 October 2014: Wouter
+	- Disabled use of SSLv3 in remote-control and ssl-upstream.
+	- iana portlist update.
+
+16 October 2014: Wouter
+	- Documented dns64 configuration in unbound.conf man page.
+
+13 October 2014: Wouter
+	- Fix #617: in ldns in unbound, lowercase WKS services.
+	- Fix ctype invocation casts.
+
+10 October 2014: Wouter
+	- Fix unbound-checkconf check for module config with dns64 module.
+	- Fix unbound capsforid fallback, it ignores TTLs in comparison.
+
+6 October 2014: Wouter
+	- Fix #614: man page variable substitution bug.
+6 October 2014: Willem
+	- Whitespaces after $ORIGIN are not part of the origin dname (ldns).
+	- $TTL's value starts at position 5 (ldns).
+
 1 October 2014: Wouter
 	- fix #613: Allow tab ws in var length last rdfs (in ldns str2wire).

--- a/external/unbound/doc/libunbound.3.in
+++ b/external/unbound/doc/libunbound.3.in
@ -22,6 +22,7 @@
 .B ub_ctx_resolvconf,
 .B ub_ctx_hosts,
 .B ub_ctx_add_ta,
+.B ub_ctx_add_ta_autr,
 .B ub_ctx_add_ta_file,
 .B ub_ctx_trustedkeys,
 .B ub_ctx_debugout,
@ -73,6 +74,9 @@
 \fBub_ctx_add_ta\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR ta);
 .LP
 \fIint\fR
+\fBub_ctx_add_ta_autr\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR fname);
+.LP
+\fIint\fR
 \fBub_ctx_add_ta_file\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR fname);
 .LP
 \fIint\fR
@ -231,6 +235,15 @@ first resolve is done.
 The format is a string, similar to the zone\-file format,
 [domainname] [type] [rdata contents]. Both DS and DNSKEY records are accepted.
 .TP
+.B ub_ctx_add_ta_autr
+Add filename with automatically tracked trust anchor to the given context.
+Pass name of a file with the managed trust anchor.  You can create this
+file with \fIunbound\-anchor\fR(8) for the root anchor.  You can also
+create it with an initial file with one line with a DNSKEY or DS record.
+If the file is writable, it is updated when the trust anchor changes.
+At this time it is only possible to add trusted keys before the
+first resolve is done.
+.TP
 .B ub_ctx_add_ta_file
 Add trust anchors to the given context.
 Pass name of a file with DS and DNSKEY records in zone file format.
--- a/external/unbound/doc/unbound-anchor.8.in
+++ b/external/unbound/doc/unbound-anchor.8.in
@ -24,14 +24,14 @@ Suggested usage:
 .nf
 	# in the init scripts.
 	# provide or update the root anchor (if necessary)
-	unbound-anchor -a "@UNBOUND_ROOTKEY_FILE@"
+	unbound-anchor \-a "@UNBOUND_ROOTKEY_FILE@"
 	# Please note usage of this root anchor is at your own risk
 	# and under the terms of our LICENSE (see source).
 	#
 	# start validating resolver
 	# the unbound.conf contains:
 	#   auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@"
-	unbound -c unbound.conf
+	unbound \-c unbound.conf
 .fi
 .P
 This tool provides builtin default contents for the root anchor and root
@ -138,7 +138,7 @@ tracking, or if an error occurred.
 .P
 You can check the exit value in this manner:
 .nf
-	unbound-anchor -a "root.key" || logger "Please check root.key"
+	unbound-anchor \-a "root.key" || logger "Please check root.key"
 .fi
 Or something more suitable for your operational environment.
 .SH "TRUST"
--- a/external/unbound/doc/unbound.conf.5.in
+++ b/external/unbound/doc/unbound.conf.5.in
@ -1082,6 +1082,19 @@ and the word "python" has to be put in the \fBmodule\-config:\fR option
 .TP
 .B python\-script: \fI<python file>\fR
 The script file to load. 
+.SS "DNS64 Module Options"
+.LP
+The dns64 module must be configured in the \fBmodule\-config:\fR "dns64
+validator iterator" directive and be compiled into the daemon to be
+enabled.  These settings go in the \fBserver:\fR section.
+.TP
+.B dns64\-prefix: \fI<IPv6 prefix>\fR
+This sets the DNS64 prefix to use to synthesize AAAA records with.
+It must be /96 or shorter.  The default prefix is 64:ff9b::/96.
+.TP
+.B dns64\-synthall: \fI<yes or no>\fR
+Debug option, default no.  If enabled, synthesize all AAAA records
+despite the presence of actual AAAA records.
 .SH "MEMORY CONTROL EXAMPLE"
 In the example config settings below memory usage is reduced. Some service
 levels are lower, notable very large data and a high TCP load are no longer