Re: unbound update
On 2022/08/26 17:47, void wrote:
> On Wed, Aug 24, 2022 at 03:03:01PM +0100, Stuart Henderson wrote:
> > Anyone want to test this?
> >
> > Any OKs?
>
> Hello,
>
> Seemed to patch OK and built OK with a -current made yesterday, on aarch64.
>
> I'm a newbie at building/patching openbsd, so if there's anything you
> can suggest I test, I'll test. unbound is working.
>
> unbound -V still reports Version 1.16.0 though.

Something went wrong with your patching/build if it shows 1.16.2, I confirmed that it was updated.

For reference, for building parts of base which have a Makefile.bsd-wrapper file, normally use this:

make -f Makefile.bsd-wrapper obj
make -f Makefile.bsd-wrapper
doas make -f Makefile.bsd-wrapper install
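As a check for the report above that `unbound -V` still showed 1.16.0, here is an added shell example (not code from the thread) that parses `unbound -V` output and compares the reported version against 1.16.2, the first release with the ghost-domain fixes; the function names and the sample outputs are constructed for this example.

```shell
# Added example, not code from the thread: decide from `unbound -V` output
# whether the installed binary predates the CVE-2022-30698/30699 fix (1.16.2).

GHOST_FIXED="1.16.2"

# version_ge A B: exit 0 if dotted version A >= B, comparing numerically
# component by component; a missing component counts as 0 (1.16 == 1.16.0).
version_ge() {
  vg_a="$1." vg_b="$2."
  while [ -n "$vg_a" ] || [ -n "$vg_b" ]; do
    vg_ai="${vg_a%%.*}"; vg_a="${vg_a#*.}"
    vg_bi="${vg_b%%.*}"; vg_b="${vg_b#*.}"
    vg_ai="${vg_ai:-0}"; vg_bi="${vg_bi:-0}"
    [ "$vg_ai" -gt "$vg_bi" ] && return 0
    [ "$vg_ai" -lt "$vg_bi" ] && return 1
  done
  return 0
}

# unbound_version_from_V TEXT: print the version number from `unbound -V`
# output, whose first line reads "Version 1.16.0"; prints nothing if absent.
unbound_version_from_V() {
  printf '%s\n' "$1" | sed -n 's/^Version \([0-9][0-9.]*\).*$/\1/p' | head -n 1
}

# ghost_domain_fixed TEXT: exit 0 if the reported version is >= 1.16.2,
# 1 if it is older, 2 if no version line could be parsed (treat as unknown).
ghost_domain_fixed() {
  gd_v=$(unbound_version_from_V "$1")
  [ -n "$gd_v" ] || return 2
  version_ge "$gd_v" "$GHOST_FIXED"
}

# Constructed samples shaped like the first lines of `unbound -V` output.
SAMPLE_OLD=$(printf 'Version 1.16.0\n\nConfigure line: --enable-allsymbols')
SAMPLE_NEW=$(printf 'Version 1.16.2\n\nConfigure line: --enable-allsymbols')

main() {
  for out in "$SAMPLE_OLD" "$SAMPLE_NEW"; do
    v=$(unbound_version_from_V "$out")
    if ghost_domain_fixed "$out"; then
      echo "$v: includes the 1.16.2 ghost-domain fixes"
    else
      echo "$v: predates 1.16.2, rebuild and reinstall before relying on it"
    fi
  done
}
main
```

On a live host, replace the samples with `unbound -V` output, e.g. `ghost_domain_fixed "$(unbound -V)"`.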
Re: unbound update
On Wed, Aug 24, 2022 at 03:03:01PM +0100, Stuart Henderson wrote:
> Anyone want to test this?
>
> Any OKs?

Works fine here and nothing jumps out at me in the diff.

ok tb
Re: unbound update
On Wed, Aug 24, 2022 at 03:03:01PM +0100, Stuart Henderson wrote:
> Anyone want to test this?
>
> Any OKs?

Hello,

Seemed to patch OK and built OK with a -current made yesterday, on aarch64.

I'm a newbie at building/patching openbsd, so if there's anything you can suggest I test, I'll test. unbound is working.

unbound -V still reports Version 1.16.0 though.
unbound update
Anyone want to test this?

Any OKs?

The CVEs mentioned are these:

===
CVE-2022-30698
Unbound prior to 1.16.2 allows malicious users to trigger continued resolvability of malicious domain names, even after their revocation from the parent zone, via a novel type of the "ghost domain names" attack that targets child-centric DNS resolvers.

===
CVE-2022-30699
Unbound prior to 1.16.2 allows malicious users to trigger continued resolvability of malicious domain names, even after their revocation from the parent zone, via a novel type of the "ghost domain names" attack that targets child-centric DNS resolvers.

More info at https://www.nlnetlabs.nl/downloads/unbound/CVE-2022-30698_CVE-2022-30699.txt

Index: doc/Changelog
===
RCS file: /cvs/src/usr.sbin/unbound/doc/Changelog,v
retrieving revision 1.44
diff -u -p -r1.44 Changelog
--- doc/Changelog 7 Jun 2022 15:42:53 - 1.44
+++ doc/Changelog 24 Aug 2022 14:00:08 -
@@ -1,9 +1,115 @@ 7 February 2022: Wouter - Fix that TCP interface does not use TLS when TLS is also configured. +1 August 2022: Wouter + - Fix the novel ghost domain issues CVE-2022-30698 and CVE-2022-30699. + - Tests for ghost domain fixes. + +19 July 2022: George + - Update documentation for 'outbound-msg-retry:'. + +19 July 2022: Wouter + - Merge #718: Introduce infra-cache-max-rtt option to config max + retransmit timeout. + +15 July 2022: Wouter + - Merge PR 714: Avoid treat normal hosts as unresponsive servers. + And fixup the lock code. + - iana portlist update. + +12 July 2022: George + - For windows crosscompile, fix setting the IPV6_MTU socket option + equivalent (IPV6_USER_MTU); allows cross compiling with latest + cross-compiler versions. + +12 July 2022: Wouter + - Fix dname count in sldns parse type descriptor for SVCB and HTTPS. + +11 July 2022: Wouter + - Fix verbose EDE error printout. + +4 July 2022: George + - Fix bug introduced in 'improve val_sigcrypt.c::algo_needs_missing for + one loop pass'. + - Merge PR #668 from Cristian Rodríguez: Set IP_BIND_ADDRESS_NO_PORT on + outbound tcp sockets. + +4 July 2022: Wouter + - Tag for 1.16.1rc1 release. This became 1.16.1 on 11 July 2022. + The code repo continues with version 1.16.2 under development. + +3 July 2022: George + - Merge PR #671 from Petr Menšík: Disable ED25519 and ED448 in FIPS + mode on openssl3. + - Merge PR #660 from Petr Menšík: Sha1 runtime insecure. + - For #660: formatting, less verbose logging, add EDE information. + - Fix for correct openssl error when adding windows CA certificates to + the openssl trust store. + - Improve val_sigcrypt.c::algo_needs_missing for one loop pass. + - Reintroduce documentation and more EDE support for + val_sigcrypt.c::dnskeyset_verify_rrset_sig. + +1 July 2022: George + - Merge PR #706: NXNS fallback. + - From #706: Cached NXDOMAIN does not increase the target nx + responses. 
+ - From #706: Don't generate parent side queries if we already + have the lame records in cache. + - From #706: When a lame address is the best choice, don't try to + generate target queries when the missing targets are all lame. + +29 June 2022: Wouter + - iana portlist update. + - Fix detection of libz on windows compile with static option. + - Fix compile warning for windows compile. + +29 June 2022: George + - Add debug option to the mini_tdir.sh test code. + - Fix #704: [FR] Statistics counter for number of outgoing UDP queries + sent; introduces 'num.query.udpout' to the 'unbound-control stats' + command. + - Fix to not count cached NXDOMAIN for MAX_TARGET_NX. + - Allow fallback to the parent side when MAX_TARGET_NX is reached. + This will also allow MAX_TARGET_NX more NXDOMAINs. + +28 June 2022: George + - Show the output of the exact .rpl run that failed with 'make test'. + - Fix for cached 0 TTL records to not trigger prefetching when + serve-expired-client-timeout is set. + +28 June 2022: Wouter + - Fix test program dohclient close to use portability routine. + +23 June 2022: Tom + - Clarify -v flag manpage entry (#705) + +22 June 2022: Philip + - Fix #663: use after free issue with edns options. + +21 June 2022: Philip + - Fix for loading locally stored zones that have lines with blanks or + blanks and comments. + +20 June 2022: George + - Remove unused LDNS function check for GOST Engine unloading. + +14 June 2022: George + - Merge PR #688: Rpz url notify issue. + - Note in the unbound.conf text that NOTIFY is allowed from the url: + addresses for auth and rpz zones. + +3 June 2022: George + - Fix for edns client subnet t
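Review bot: this hunk touches only doc/Changelog, and the sole entry tied to the advertised CVEs is the 1 August 2022 one ("Fix the novel ghost domain issues CVE-2022-30698 and CVE-2022-30699" and its tests); nothing here shows the matching source changes or the version bump, so the full diff should be checked for both, and testers should confirm that `unbound -V` reports 1.16.2 rather than 1.16.0 (as one tester in this thread saw) before sending an OK.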
Re: unbound update
Note, there's a new directory so use patch -p0 to apply it.
unbound update
Here's an update to unbound 1.5.4. There was some file reorganisation so I am providing two diffs: the one inline in this email shows the *code* changes only for those who are interested to review it; this will not build on its own. For applying and testing, use http://junkpile.org/unbound-1.5.4.diff instead (with "patch -Ep0") which has all the Makefile changes, #include path changes etc as well. Test reports, comments and OKs welcome.

Changelog entries since what we have in tree:

+--
| 29 June 2015: Wouter
| - iana portlist update.
| - Fix alloc with log for allocation size checks.
|
| 26 June 2015: Wouter
| - Fix #677 Fix DNAME responses from cache that failed internal chain
|   test.
| - iana portlist update.
|
| 22 June 2015: Wouter
| - Fix #677 Fix CNAME corresponding to a DNAME was checked incorrectly
|   and was therefore always synthesized (thanks to Valentin Dietrich).
|
| 4 June 2015: Wouter
| - RFC 7553 RR type URI support, is now enabled by default.
|
| 2 June 2015: Wouter
| - Fix #674: Do not free pointers given by getenv.
|
| 29 May 2015: Wouter
| - Fix that unparseable error responses are ratelimited.
| - SOA negative TTL is capped at minimumttl in its rdata section.
| - cache-max-negative-ttl config option, default 3600.
|
| 26 May 2015: Wouter
| - Document that ratelimit works with unbound-control set_option.
|
| 21 May 2015: Wouter
| - iana portlist update.
| - documentation proposes ratelimit of 1000 (closer to what upstream
|   servers expect from us).
|
| 20 May 2015: Wouter
| - DLV is going to be decommissioned. Advice to stop using it, and
|   put text in the example configuration and man page to that effect.
|
| 10 May 2015: Wouter
| - Change syntax of particular validator error to be easier for
|   machine parse, swap rrset and ip adres info so it looks like:
|   validation failure : signature crypto
|   failed from 2001:DB8:7:bba4::53 for <*.example.nl. NSEC IN>
|
| 1 May 2015: Wouter
| - caps-whitelist in unbound.conf allows whitelist of loadbalancers
|   that cannot work with caps-for-id or its fallback.
|
| 30 April 2015: Wouter
| - Unit test for type ANY synthesis.
|
| 22 April 2015: Wouter
| - Removed contrib/unbound_unixsock.diff, because it has been
|   integrated, use control-interface: /path in unbound.conf.
| - iana portlist update.
|
| 17 April 2015: Wouter
| - Synthesize ANY responses from cache. Does not search exhaustively,
|   but MX,A,,SOA,NS also CNAME.
| - Fix leaked dns64prefix configuration string.
|
| 16 April 2015: Wouter
| - Add local-zone type inform_deny, that logs query and drops answer.
| - Ratelimit does not apply to prefetched queries, and ratelimit-factor
|   is default 10. Repeated normal queries get resolved and with
|   prefetch stay in the cache.
| - Fix bug#664: libunbound python3 related fixes (from Tomas Hozza)
|   Use print_function also for Python2.
|   libunbound examples: produce sorted output.
|   libunbound-Python: libldns is not used anymore.
|   Fix issue with Python 3 mapping of FILE* using file_py3.i from ldns.
|
| 10 April 2015: Wouter
| - unbound-control ratelimit_list lists high rate domains.
| - ratelimit feature, ratelimit: 100, or some sensible qps, can be
|   used to turn it on. It ratelimits recursion effort per zone.
|   For particular names you can configure exceptions in unbound.conf.
| - Fix that get_option for cache-sizes does not print double newline.
| - Fix#663: ssl handshake fails when using unix socket because dh size
|   is too small.
|
| 8 April 2015: Wouter
| - Fix crash in dnstap: Do not try to log TCP responses after timeout.
|
| 7 April 2015: Wouter
| - Libunbound skips dos-line-endings from etc/hosts.
| - Unbound exits with a fatal error when the auto-trust-anchor-file
|   fails to be writable. This is seconds after startup. You can
|   load a readonly auto-trust-anchor-file with trust-anchor-file.
|   The file has to be writable to notice the trust anchor change,
|   without it, a trust anchor change will be unnoticed and the system
|   will then become inoperable.
| - unbound-control list_insecure command shows the negative trust
|   anchors currently configured, patch from Jelte Jansen.
|
| 2 April 2015: Wouter
| - Fix #660: Fix interface-automatic broken in the presence of
|   asymmetric routing.
|
| 26 March 2015: Wouter
| - remote.c probedelay line is easier to read.
| - rename ldns subdirectory to sldns to avoid name collision.
|
| 25 March 2015: Wouter
| - Fix #657: libunbound(3) recommends deprecated
|   CRYPTO_set_id_callback.
| - If unknown trust anchor algorithm, and lib