Hello community, here is the log from the commit of package unbound for openSUSE:Factory checked in at 2018-04-24 15:30:24 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/unbound (Old) and /work/SRC/openSUSE:Factory/.unbound.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "unbound" Tue Apr 24 15:30:24 2018 rev:23 rq:599800 version:1.7.0 Changes: -------- --- /work/SRC/openSUSE:Factory/unbound/libunbound-devel-mini.changes 2018-01-23 13:46:23.536105402 +0100 +++ /work/SRC/openSUSE:Factory/.unbound.new/libunbound-devel-mini.changes 2018-04-24 15:30:26.452058441 +0200 @@ -1,0 +2,123 @@ +Sun Apr 22 19:26:03 UTC 2018 - [email protected] + +- Commented configuration directive dlv-anchor-file: in unbound.conf + (see bsc#1055060). The DLV key file is deliberately still + shipped in the package so users could easily re-enable this. + +------------------------------------------------------------------- +Wed Apr 4 11:54:01 UTC 2018 - [email protected] + +- update to 1.7.0 + +Features +- auth-zone provides a way to configure RFC7706 from unbound.conf, + eg. with auth-zone: name: "." for-downstream: no for-upstream: yes + fallback-enabled: yes and masters or a zonefile with data. +- Aggressive use of NSEC implementation. Use cached NSEC records to + generate NXDOMAIN, NODATA and positive wildcard answers. +- Accept tls-upstream in unbound.conf, the ssl-upstream keyword is + also recognized and means the same. Also for tls-port, + tls-service-key, tls-service-pem, stub-tls-upstream and + forward-tls-upstream. +- [dnscrypt] introduce dnscrypt-provider-cert-rotated option, + from Manu Bretelle. + This option allows handling multiple cert/key pairs while only + distributing some of them. + In order to reliably match a client magic with a given key without + strong assumption as to how those were generated, we need both key and + cert. Likewise, in order to know which ES version should be used. + On the other hand, when rotating a cert, it can be desirable to only + serve the new cert but still be able to handle clients that are still + using the old certs's public key. + The `dnscrypt-provider-cert-rotated` allow to instruct unbound to not + publish the cert as part of the DNS's provider_name's TXT answer. +- Update B root ipv4 address. +- make ip-transparent option work on OpenBSD. +- Fix #2801: Install libunbound.pc. +- ltrace.conf file for libunbound in contrib. +- Fix #3598: Fix swig build issue on rhel6 based system. + configure --disable-swig-version-check stops the swig version check. + +Bug Fixes +- Fix #1749: With harden-referral-path: performance drops, due to + circular dependency in NS and DS lookups. +- [dnscrypt] prevent dnscrypt-secret-key, dnscrypt-provider-cert + duplicates +- Better documentation for cache-max-negative-ttl. +- Fixed libunbound manual typo. +- Fix #1949: [dnscrypt] make provider name mismatch more obvious. +- Fix #2031: Double included headers +- Document that errno is left informative on libunbound config read + fail. +- iana port update. +- Fix #1913: ub_ctx_config is under circumstances thread-safe. +- Fix #2362: TLS1.3/openssl-1.1.1 not working. +- Fix #2034 - Autoconf and -flto. +- Fix #2141 - for libsodium detect lack of entropy in chroot, print + a message and exit. +- Fix #2492: Documentation libunbound. +- Fix #2882: Unbound behaviour changes (wrong) when domain-insecure is + set for stub zone. It no longer searches for DNSSEC information. +- Fix #3299 - forward CNAME daisy chain is not working +- Fix link failure on OmniOS. +- Check whether --with-libunbound-only is set when using --with-nettle + or --with-nss. +- Fix qname-minimisation documentation (A QTYPE, not NS) +- Fix that DS queries with referral replies are answered straight + away, without a repeat query picking the DS from cache. + The correct reply should have been an answer, the reply is fixed + by the scrubber to have the answer in the answer section. +- Fix that expiration date checks don't fail with clang -O2. +- Fix queries being leaked above stub when refetching glue. +- Copy query and correctly set flags on REFUSED answers when cache + snooping is not allowed. +- make depend: code dependencies updated in Makefile. +- Fix #3397: Fix that cachedb could return a partial CNAME chain. +- Fix #3397: Fix that when the cache contains an unsigned DNAME in + the middle of a cname chain, a result without the DNAME could + be returned. +- Fix that unbound-checkconf -f flag works with auto-trust-anchor-file + for startup scripts to get the full pathname(s) of anchor file(s). +- Print fatal errors about remote control setup before log init, + so that it is printed to console. +- Use NSEC with longest ce to prove wildcard absence. +- Only use *.ce to prove wildcard absence, no longer names. +- Fix unfreed locks in log and arc4random at exit of unbound. +- Fix lock race condition in dns cache dname synthesis. +- Fix #3451: dnstap not building when you have a separate build dir. + And removed protoc warning, set dnstap.proto syntax to proto2. +- Added tests with wildcard expanded NSEC records (CVE-2017-15105 test) +- Unit test for auth zone https url download. +- tls-cert-bundle option in unbound.conf enables TLS authentication. +- Fixes for clang static analyzer, the missing ; in + edns-subnet/addrtree.c after the assert made clang analyzer + produce a failure to analyze it. +- Fix #3505: Documentation for default local zones references + wrong RFC. +- Fix #3494: local-zone noview can be used to break out of the view + to the global local zone contents, for queries for that zone. +- Fix for more maintainable code in localzone. +- more robust cachedump rrset routine. +- Save wildcard RRset from answer with original owner for use in + aggressive NSEC. +- Fixup contrib/fastrpz.patch so that it applies. +- Fix compile without threads, and remove unused variable. +- Fix compile with staticexe and python module. +- Fix nettle compile. +- Fix to check define of DSA for when openssl is without deprecated. +- iana port update. +- Fix #3582: Squelch address already in use log when reuseaddr option + causes same port to be used twice for tcp connections. +- Reverted fix for #3512, this may not be the best way forward; + although it could be changed at a later time, to stay similar to + other implementations. +- Fix for windows compile. +- Fixed contrib/fastrpz.patch, even though this already applied + cleanly for me, now also for others. +- patch to log creates keytag queries, from A. Schulze. +- patch suggested by Debian lintian: allow to -> allow one to, from + A. Schulze. +- Attempt to remove warning about trailing whitespace. +- Added documentation for aggressive-nsec: yes. + +------------------------------------------------------------------- unbound.changes: same change Old: ---- unbound-1.6.8.tar.gz New: ---- unbound-1.7.0.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libunbound-devel-mini.spec ++++++ --- /var/tmp/diff_new_pack.oQTTiS/_old 2018-04-24 15:30:28.555982321 +0200 +++ /var/tmp/diff_new_pack.oQTTiS/_new 2018-04-24 15:30:28.559982177 +0200 @@ -24,7 +24,7 @@ # Name: libunbound-devel-mini -Version: 1.6.8 +Version: 1.7.0 Release: 0 # # ++++++ unbound.spec ++++++ --- /var/tmp/diff_new_pack.oQTTiS/_old 2018-04-24 15:30:28.599980730 +0200 +++ /var/tmp/diff_new_pack.oQTTiS/_new 2018-04-24 15:30:28.603980584 +0200 @@ -58,7 +58,7 @@ %endif Name: unbound -Version: 1.6.8 +Version: 1.7.0 Release: 0 # # @@ -409,6 +409,7 @@ %{_includedir}/unbound.h %{_includedir}/unbound-event.h %{_libdir}/libunbound.so +%{_libdir}/pkgconfig/libunbound.pc %{_mandir}/man3/libunbound.3* %{_mandir}/man3/ub_*.3* ++++++ unbound-1.6.8.tar.gz -> unbound-1.7.0.tar.gz ++++++ ++++ 30067 lines of diff (skipped) ++++++ unbound.conf ++++++ --- /var/tmp/diff_new_pack.oQTTiS/_old 2018-04-24 15:30:30.055928054 +0200 +++ /var/tmp/diff_new_pack.oQTTiS/_new 2018-04-24 15:30:30.059927909 +0200 @@ -346,7 +346,7 @@ # File with DLV trusted keys. Same format as trust-anchor-file. # There can be only one DLV configured, it is trusted from root down. # Downloaded from https://secure.isc.org/ops/dlv/dlv.isc.org.key - dlv-anchor-file: "/etc/unbound/dlv.isc.org.key" + # dlv-anchor-file: "/etc/unbound/dlv.isc.org.key" # File with trusted keys for validation. Specify more than one file # with several entries, one file per entry.
