From 8789da29431412a467e25e98d023fa8ab1ef3842 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Mon, 1 Oct 2018 19:29:21 +0200 Subject: [PATCH 1/4] Fix #4188: IPv6 forwarders without ipv6 result in SERVFAIL, fixes qname minimisation with a forwarder when connectivity has issues from rejecting responses. Resolves: rhbz#1633874 --- unbound-1.8.0-rh1633874.patch | 39 +++++++++++++++++++++++++++++++++++ unbound.spec | 7 ++++++- 2 files changed, 45 insertions(+), 1 deletion(-) create mode 100644 unbound-1.8.0-rh1633874.patch diff --git a/unbound-1.8.0-rh1633874.patch b/unbound-1.8.0-rh1633874.patch new file mode 100644 index 0000000..6740a66 --- /dev/null +++ b/unbound-1.8.0-rh1633874.patch 
@@ -0,0 +1,39 @@
+From 9be04e6fac3f4ee8fa08d3671dac41d2156d2ced Mon Sep 17 00:00:00 2001
+From: Wouter Wijngaards
+Date: Thu, 27 Sep 2018 08:19:29 +0000
+Subject: [PATCH] - Fix #4188: IPv6 forwarders without ipv6 result in SERVFAIL,
+ fixes qname minimisation with a forwarder when connectivity has issues
+ from rejecting responses.
+
+git-svn-id: file:///svn/unbound/trunk@4916 be551aaa-1e26-0410-a405-d3ace91eadb9
+---
+ iterator/iterator.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/iterator/iterator.c b/iterator/iterator.c
+index 7baf92b7..2f26bd33 100644
+--- a/iterator/iterator.c
++++ b/iterator/iterator.c
+@@ -2174,7 +2174,8 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
+ return 0;
+ }
+
+- if(iq->minimisation_state == INIT_MINIMISE_STATE) {
++ if(iq->minimisation_state == INIT_MINIMISE_STATE
++ && !(iq->chase_flags & BIT_RD)) {
+ /* (Re)set qinfo_out to (new) delegation point, except when
+ * qinfo_out is already a subdomain of dp. This happens when
+ * increasing by more than one label at once (QNAMEs with more
+@@ -2715,7 +2716,8 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
+ sock_list_insert(&qstate->reply_origin,
+ &qstate->reply->addr, qstate->reply->addrlen,
+ qstate->region);
+- if(iq->minimisation_state != DONOT_MINIMISE_STATE) {
++ if(iq->minimisation_state != DONOT_MINIMISE_STATE
++ && !(iq->chase_flags & BIT_RD)) {
+ if(FLAGS_GET_RCODE(iq->response->rep->flags) !=
+ LDNS_RCODE_NOERROR) {
+ if(qstate->env->cfg->qname_minimisation_strict)
+--
+2.14.4
+
diff --git a/unbound.spec b/unbound.spec
index e373aaf..15cf39d 100644
--- a/unbound.spec
+++ b/unbound.spec
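Review bot: The new `!(iq->chase_flags & BIT_RD)` guard appears twice, in processQueryTargets and processQueryResponse, without a comment in either place, so the next reader has to reconstruct from the subject line why an RD chase switches off the qname-minimisation handling. Presumably BIT_RD marks a query being chased towards a forwarder, where the delegation point is not a real zone cut; a one-liner above the first guard such as `/* no qname minimisation towards a forwarder (RD chase): leave qinfo_out alone */` and `/* RD chase (forwarder): skip the minimisation fallback on error rcodes */` at the second would keep the two guards visibly tied together. Both enclosing functions start and end outside the hunk. Note that the file is named for 1.8.0 while the spec applies it to 1.7.3 sources, so the `index 7baf92b7..2f26bd33` line is the only record of the base it was cut from.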
@@ -34,7 +34,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound Version: 1.7.3 -Release: 8%{?extra_version:.%{extra_version}}%{?dist} +Release: 9%{?extra_version:.%{extra_version}}%{?dist} License: BSD Url: https://www.unbound.net/ Source: https://www.unbound.net/downloads/%{name}-%{version}%{?extra_version}.tar.gz @@ -59,6 +59,7 @@ Patch2: unbound-1.7.2-python3-devel.patch Patch3: unbound-1.7.2-python3-pkgconfig.patch Patch4: unbound-1.7.3-anchor-fallback.patch Patch5: unbound-1.7.3-host-any.patch +Patch6: unbound-1.8.0-rh1633874.patch BuildRequires: gcc, make BuildRequires: flex, openssl-devel @@ -158,6 +159,7 @@ pushd %{pkgname} %patch3 -p1 -b .python3 %patch4 -p1 -b .anchor-fallback %patch5 -p1 -b .host-any +%patch6 -p1 # only for snapshots # autoreconf -iv @@ -429,6 +431,9 @@ popd %attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key %changelog +* Mon Oct 01 2018 Petr Menšík - 1.7.3-9 +- Skip ipv6 forwarders without ipv6 support (#1633874) + * Tue Jul 31 2018 Petr Menšík - 1.7.3-8 - Release memory in unbound-host From bee9007b57d34a464f144ffabc649363b8d34fbe Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Tue, 2 Oct 2018 20:39:31 +0200 Subject: [PATCH 2/4] Fix occasional crashes (#1562594) Fix that auth-zone master reply with current SOA serial does not stop scan of masters for an updated zone. --- unbound-1.7.3-rh1562594.patch | 156 ++++++++++++++++++++++++++++++++++ unbound.spec | 7 +- 2 files changed, 162 insertions(+), 1 deletion(-) create mode 100644 unbound-1.7.3-rh1562594.patch diff --git a/unbound-1.7.3-rh1562594.patch b/unbound-1.7.3-rh1562594.patch new file mode 100644 index 0000000..476ab58 --- /dev/null +++ b/unbound-1.7.3-rh1562594.patch 
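Review bot: `%patch6 -p1` in the %prep hunk is the only application line without a `-b` backup suffix, unlike `%patch3 -p1 -b .python3` through `%patch5 -p1 -b .host-any` directly above it; `%patch6 -p1 -b .rh1633874` would keep the convention and leave a pristine iterator.c for later diffing. The file is named unbound-1.8.0-rh1633874.patch while Version is 1.7.3 and every sibling patch is named after the packaged version; if 1.8.0 is meant to record the upstream release the fix landed in, a `# commit 9be04e6fac3f4ee8fa08d3671dac41d2156d2ced` comment above the Patch6 line would say so explicitly instead of leaving it to be guessed.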
@@ -0,0 +1,156 @@ +From a31d45b13e2e496b2fdb6ce4715481681362472f Mon Sep 17 00:00:00 2001 +From: Wouter Wijngaards +Date: Tue, 26 Jun 2018 13:48:36 +0000 +Subject: [PATCH] - Fix that auth-zone master reply with current SOA serial + does not stop scan of masters for an updated zone. + +git-svn-id: file:///svn/unbound/trunk@4755 be551aaa-1e26-0410-a405-d3ace91eadb9 +--- + services/authzone.c | 75 ++++++++++++++++++++++++++++++++++------------------- + services/authzone.h | 3 +++ + 2 files changed, 52 insertions(+), 26 deletions(-) + +diff --git a/services/authzone.c b/services/authzone.c +index a76b51f6..9de43b75 100644 +--- a/services/authzone.c ++++ b/services/authzone.c +@@ -5090,7 +5090,8 @@ xfr_transfer_nexttarget_or_end(struct auth_xfer* xfr, struct module_env* env) + xfr_transfer_disown(xfr); + + /* pick up the nextprobe task and wait */ +- xfr_set_timeout(xfr, env, 1, 0); ++ if(xfr->task_nextprobe->worker == NULL) ++ xfr_set_timeout(xfr, env, 1, 0); + lock_basic_unlock(&xfr->lock); + } + +@@ -5547,7 +5548,8 @@ process_list_end_transfer(struct auth_xfer* xfr, struct module_env* env) + return; + } else { + /* pick up the nextprobe task and wait (normail wait time) */ +- xfr_set_timeout(xfr, env, 0, 0); ++ if(xfr->task_nextprobe->worker == NULL) ++ xfr_set_timeout(xfr, env, 0, 0); + } + lock_basic_unlock(&xfr->lock); + return; +@@ -5888,29 +5890,35 @@ auth_xfer_probe_udp_callback(struct comm_point* c, void* arg, int err, + return 0; + + } ++ /* other tasks are running, we don't do this anymore */ ++ xfr_probe_disown(xfr); ++ lock_basic_unlock(&xfr->lock); ++ /* return, we don't sent a reply to this udp packet, ++ * and we setup the tasks to do next */ ++ return 0; + } else { +- /* if zone not updated, start the wait timer again */ +- verbose(VERB_ALGO, "auth_zone unchanged, new lease, wait"); +- if(xfr->have_zone) +- xfr->lease_time = *env->now; +- if(xfr->task_nextprobe->worker == NULL) +- xfr_set_timeout(xfr, env, 0, 0); ++ verbose(VERB_ALGO, "auth_zone master 
reports unchanged soa serial"); ++ /* we if cannot find updates amongst the ++ * masters, this means we then have a new lease ++ * on the zone */ ++ xfr->task_probe->have_new_lease = 1; ++ } ++ } else { ++ if(verbosity >= VERB_ALGO) { ++ char buf[256]; ++ dname_str(xfr->name, buf); ++ verbose(VERB_ALGO, "auth zone %s: bad reply to soa probe", buf); + } +- /* other tasks are running, we don't do this anymore */ +- xfr_probe_disown(xfr); +- lock_basic_unlock(&xfr->lock); +- /* return, we don't sent a reply to this udp packet, +- * and we setup the tasks to do next */ +- return 0; + } +- } +- if(verbosity >= VERB_ALGO) { +- char buf[256]; +- dname_str(xfr->name, buf); +- verbose(VERB_ALGO, "auth zone %s: soa probe failed", buf); ++ } else { ++ if(verbosity >= VERB_ALGO) { ++ char buf[256]; ++ dname_str(xfr->name, buf); ++ verbose(VERB_ALGO, "auth zone %s: soa probe failed", buf); ++ } + } + +- /* failed lookup */ ++ /* failed lookup or not an update */ + /* delete commpoint so a new one is created, with a fresh port nr */ + comm_point_delete(xfr->task_probe->cp); + xfr->task_probe->cp = NULL; +@@ -6013,7 +6021,8 @@ xfr_probe_send_or_end(struct auth_xfer* xfr, struct module_env* env) + /* only wanted lookups for copy, stop probe and start wait */ + xfr->task_probe->only_lookup = 0; + xfr_probe_disown(xfr); +- xfr_set_timeout(xfr, env, 0, 0); ++ if(xfr->task_nextprobe->worker == NULL) ++ xfr_set_timeout(xfr, env, 0, 0); + lock_basic_unlock(&xfr->lock); + return; + } +@@ -6029,12 +6038,24 @@ xfr_probe_send_or_end(struct auth_xfer* xfr, struct module_env* env) + xfr_probe_nextmaster(xfr); + } + +- /* we failed to send this as well, move to the wait task, +- * use the shorter retry timeout */ +- xfr_probe_disown(xfr); ++ /* done with probe sequence, wait */ ++ if(xfr->task_probe->have_new_lease) { ++ /* if zone not updated, start the wait timer again */ ++ verbose(VERB_ALGO, "auth_zone unchanged, new lease, wait"); ++ xfr_probe_disown(xfr); ++ if(xfr->have_zone) ++ 
xfr->lease_time = *env->now; ++ if(xfr->task_nextprobe->worker == NULL) ++ xfr_set_timeout(xfr, env, 0, 0); ++ } else { ++ /* we failed to send this as well, move to the wait task, ++ * use the shorter retry timeout */ ++ xfr_probe_disown(xfr); ++ /* pick up the nextprobe task and wait */ ++ if(xfr->task_nextprobe->worker == NULL) ++ xfr_set_timeout(xfr, env, 1, 0); ++ } + +- /* pick up the nextprobe task and wait */ +- xfr_set_timeout(xfr, env, 1, 0); + lock_basic_unlock(&xfr->lock); + } + +@@ -6168,6 +6189,8 @@ xfr_start_probe(struct auth_xfer* xfr, struct module_env* env, + xfr->task_probe->cp = NULL; + + /* start the task */ ++ /* have not seen a new lease yet, this scan */ ++ xfr->task_probe->have_new_lease = 0; + /* if this was a timeout, no specific first master to scan */ + /* otherwise, spec is nonNULL the notified master, scan + * first and also transfer first from it */ +diff --git a/services/authzone.h b/services/authzone.h +index 69158de2..6b25452d 100644 +--- a/services/authzone.h ++++ b/services/authzone.h +@@ -309,6 +309,9 @@ struct auth_probe { + /** we only want to do lookups for making config work (for notify), + * don't proceed with UDP SOA probe queries */ + int only_lookup; ++ /** we have seen a new lease this scan, because one of the masters ++ * replied with the current SOA serial version */ ++ int have_new_lease; + + /** once notified, or the timeout has been reached. a scan starts. */ + /** the scan specific target (notify source), or NULL if none */ +-- +2.14.4 + diff --git a/unbound.spec b/unbound.spec index 15cf39d..57cb629 100644 --- a/unbound.spec +++ b/unbound.spec @@ -34,7 +34,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound Version: 1.7.3 -Release: 9%{?extra_version:.%{extra_version}}%{?dist} +Release: 10%{?extra_version:.%{extra_version}}%{?dist} License: BSD Url: https://www.unbound.net/ Source: https://www.unbound.net/downloads/%{name}-%{version}%{?extra_version}.tar.gz 
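Review bot: The `if(xfr->task_nextprobe->worker == NULL)` guard now precedes every `xfr_set_timeout` call in this patch (xfr_transfer_nexttarget_or_end, process_list_end_transfer and both branches at the end of xfr_probe_send_or_end), but the comments kept above them still read `/* pick up the nextprobe task and wait */`, which no longer describes the case where the call is skipped. Presumably a non-NULL worker means another thread already owns the nextprobe timer; a comment at the first occurrence such as `/* nextprobe already owned by a worker: its timer stands, do not re-arm it */` would make the repeated guard self-explaining. The new `have_new_lease` flag is cleared in xfr_start_probe and set only on the unchanged-serial reply, so its value before the first scan depends on how `struct auth_probe` is allocated, which this hunk does not show. All the functions touched start and end outside the hunk.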
@@ -60,6 +60,7 @@ Patch3: unbound-1.7.2-python3-pkgconfig.patch Patch4: unbound-1.7.3-anchor-fallback.patch Patch5: unbound-1.7.3-host-any.patch Patch6: unbound-1.8.0-rh1633874.patch +Patch7: unbound-1.7.3-rh1562594.patch BuildRequires: gcc, make BuildRequires: flex, openssl-devel @@ -160,6 +161,7 @@ pushd %{pkgname} %patch4 -p1 -b .anchor-fallback %patch5 -p1 -b .host-any %patch6 -p1 +%patch7 -p1 -b .rh1562594 # only for snapshots # autoreconf -iv @@ -431,6 +433,9 @@ popd %attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key %changelog +* Tue Oct 02 2018 Petr Menšík - 1.7.3-10 +- Try to fix occasional crash (#1562594) + * Mon Oct 01 2018 Petr Menšík - 1.7.3-9 - Skip ipv6 forwarders without ipv6 support (#1633874) From c342a9260cca31151c877683dc9a00e55a57e499 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Mon, 8 Oct 2018 17:23:30 +0200 Subject: [PATCH 3/4] More fixes for potential crash (#1562594) --- unbound-1.7.3-rh1562594-2.patch | 54 ++++++++++++++ unbound-1.7.3-rh1562594-3.patch | 27 +++++++ unbound-1.7.3-rh1562594-4.patch | 125 ++++++++++++++++++++++++++++++++ unbound.spec | 10 +++ 4 files changed, 216 insertions(+) create mode 100644 unbound-1.7.3-rh1562594-2.patch create mode 100644 unbound-1.7.3-rh1562594-3.patch create mode 100644 unbound-1.7.3-rh1562594-4.patch diff --git a/unbound-1.7.3-rh1562594-2.patch b/unbound-1.7.3-rh1562594-2.patch new file mode 100644 index 0000000..066617b --- /dev/null +++ b/unbound-1.7.3-rh1562594-2.patch 
@@ -0,0 +1,54 @@ +From 1958d9fbd5de593738f9d4264498726e7dfac9d8 Mon Sep 17 00:00:00 2001 +From: Wouter Wijngaards +Date: Wed, 15 Aug 2018 09:26:13 +0000 +Subject: [PATCH] - Fix segfault in auth-zone read and reorder of RRSIGs. + +git-svn-id: file:///svn/unbound/trunk@4853 be551aaa-1e26-0410-a405-d3ace91eadb9 +--- + services/authzone.c | 3 ++- + testcode/unitauth.c | 8 +++++++- + 2 files changed, 9 insertions(+), 2 deletions(-) + +diff --git a/services/authzone.c b/services/authzone.c +index b9576eaa..e8c99077 100644 +--- a/services/authzone.c ++++ b/services/authzone.c +@@ -1014,7 +1014,8 @@ rrset_moveover_rrsigs(struct auth_data* node, uint16_t rr_type, + } + /* copy base values */ + memcpy(sigd, sigold, sizeof(struct packed_rrset_data)); +- sigd->rrsig_count -= sigs; ++ /* in sigd the RRSIGs are stored in the base of the RR, in count */ ++ sigd->count -= sigs; + /* setup rr_len */ + sigd->rr_len = (size_t*)((uint8_t*)sigd + + sizeof(struct packed_rrset_data)); +diff --git a/testcode/unitauth.c b/testcode/unitauth.c +index 4b538ef6..19d3c4f6 100644 +--- a/testcode/unitauth.c ++++ b/testcode/unitauth.c +@@ -131,6 +131,12 @@ static const char* zone_example_com = + "z9.example.com. 3600 IN A 10.0.0.10\n" + "z9.example.com. 3600 IN RRSIG A 8 3 10200 20170612005010 20170515005010 42393 nlnetlabs.nl. NhEDrHkuIgHkjWhDRVsGOIJWZpSs+QdduilWFe5d+/ZhOheLJbaTYD5w6+ZZ3yPh1tNud+jlg+GyiOSVapLEO31swDCIarL1UfRjRSpxxDCHGag5Zu+S4hF+KURxO3cJk8jLBELMQyRuMRHoKrw/wsiLGVu1YpAyAPPMcjFBNbk=\n" + "z9.example.com. 3600 IN RRSIG A 8 3 10200 20170612005010 20170515005010 42393 nlnetlabs.nl. NhEDrHkuIgHkjWhDRVsGOIJWZpSs+QdduilWFe5d+/ZhOheLJbaTYD5w6+ZZ3yPh1tNud+jlg+GyiOSVapLEO31swDCIarL1UfRjRSpxxDCHGag5Zu+S4hF+KURxO3cJk8jLBELMQyRuMRHoKrw/wsiLGVu1YpAyAPPMcjFBNbk=\n" ++/* different covered types, first RRSIGs then, RRs, then another RRSIG */ ++"z10.example.com. 3600 IN RRSIG AAAA 8 3 10200 20170612005010 20170515005010 42393 nlnetlabs.nl. 
NhEDrHkuIgHkjWhDRVsGOIJWZpSs+QdduilWFe5d+/ZhOheLJbaTYD5w6+ZZ3yPh1tNud+jlg+GyiOSVapLEO31swDCIarL1UfRjRSpxxDCHGag5Zu+S4hF+KURxO3cJk8jLBELMQyRuMRHoKrw/wsiLGVu1YpAyAPPMcjFBNbk=\n" ++"z10.example.com. 3600 IN RRSIG A 8 3 10200 20170612005010 20170515005010 42393 nlnetlabs.nl. NhEDrHkuIgHkjWhDRVsGOIJWZpSs+QdduilWFe5d+/ZhOheLJbaTYD5w6+ZZ3yPh1tNud+jlg+GyiOSVapLEO31swDCIarL1UfRjRSpxxDCHGag5Zu+S4hF+KURxO3cJk8jLBELMQyRuMRHoKrw/wsiLGVu1YpAyAPPMcjFBNbk=\n" ++"z10.example.com. 3600 IN A 10.0.0.10\n" ++"z10.example.com. 3600 IN RRSIG CNAME 8 3 10200 20170612005010 20170515005010 42393 nlnetlabs.nl. NhEDrHkuIgHkjWhDRVsGOIJWZpSs+QdduilWFe5d+/ZhOheLJbaTYD5w6+ZZ3yPh1tNud+jlg+GyiOSVapLEO31swDCIarL1UfRjRSpxxDCHGag5Zu+S4hF+KURxO3cJk8jLBELMQyRuMRHoKrw/wsiLGVu1YpAyAPPMcjFBNbk=\n" ++"z10.example.com. 3600 IN AAAA ::11\n" + #endif /* if0 for duplicates and reordering */ + ; + +@@ -554,7 +560,7 @@ checkfile(char* f1, char *f2) + log_info("in files %s and %s:%d", f1, f2, line); + log_info("'%s'", buf1); + log_info("'%s'", buf2); +- fatal_exit("files are not eqaul"); ++ fatal_exit("files are not equal"); + } + } + unit_assert(feof(i1) && feof(i2)); +-- +2.14.4 + diff --git a/unbound-1.7.3-rh1562594-3.patch b/unbound-1.7.3-rh1562594-3.patch new file mode 100644 index 0000000..dc198d4 --- /dev/null +++ b/unbound-1.7.3-rh1562594-3.patch 
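Review bot: `sigd->count -= sigs;` in rrset_moveover_rrsigs subtracts without checking that `sigs` does not exceed the count just copied from `sigold` by the memcpy above it; if `count` is unsigned (the struct is not on the page), an oversized `sigs` would wrap to a huge count that the `rr_len` setup right below then indexes from. The same series already uses `log_assert` for invariants of this kind, so `log_assert(sigd->count >= sigs);` before the subtraction would document and enforce it. The added comment `/* in sigd the RRSIGs are stored in the base of the RR, in count */` explains the rename well; rrset_moveover_rrsigs starts and ends outside the hunk.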
@@ -0,0 +1,27 @@
+From d967ceb98bc019d5e710fd885be14e09ed56521e Mon Sep 17 00:00:00 2001
+From: Wouter Wijngaards
+Date: Tue, 2 Oct 2018 12:32:33 +0000
+Subject: [PATCH] Remove that fix, analyzer is for debug with assertions. - Fix
+ clang analyzer for optimize compile analysis.
+
+git-svn-id: file:///svn/unbound/trunk@4929 be551aaa-1e26-0410-a405-d3ace91eadb9
+---
+ services/authzone.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/services/authzone.c b/services/authzone.c
+index 4d0dd1b5..1f29c3ae 100644
+--- a/services/authzone.c
++++ b/services/authzone.c
+@@ -2828,7 +2828,7 @@ az_generate_any_answer(struct auth_zone* z, struct regional* region,
+ if(!msg_add_rrset_an(z, region, msg, node, rrset)) return 0;
+ added++;
+ }
+- if(added == 0 && node->rrsets) {
++ if(added == 0 && node && node->rrsets) {
+ if(!msg_add_rrset_an(z, region, msg, node,
+ node->rrsets)) return 0;
+ }
+--
+2.14.4
+
diff --git a/unbound-1.7.3-rh1562594-4.patch b/unbound-1.7.3-rh1562594-4.patch
new file mode 100644
index 0000000..cd18890
--- /dev/null
+++ b/unbound-1.7.3-rh1562594-4.patch
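Review bot: The `node &&` added to `if(added == 0 && node->rrsets)` in az_generate_any_answer guards only the fallback; the loop just above it passes the same `node` to msg_add_rrset_an and presumably walks that node's rrsets, so a NULL node would already have been dereferenced before this line unless the loop handles it (not visible here). Either the check belongs at function entry as an early return, or, as the upstream subject's own wording ("analyzer is for debug with assertions") suggests, `log_assert(node);` is the honest form; a one-line comment saying which is intended would help, because the subject line otherwise reads as if a fix were being removed rather than added. The function starts and ends outside the hunk.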
@@ -0,0 +1,125 @@ +From 2e9d09b961bc7784e04ee885e1717dc233c661a4 Mon Sep 17 00:00:00 2001 +From: Wouter Wijngaards +Date: Thu, 13 Sep 2018 12:20:41 +0000 +Subject: [PATCH] - initialize statistics totals for printout. - in + authzone check that node exists before adding rrset. - in unbound-anchor, + use readwrite memory BIO. - assertion in autotrust that packed rrset is + formed correctly. + +git-svn-id: file:///svn/unbound/trunk@4903 be551aaa-1e26-0410-a405-d3ace91eadb9 +--- + daemon/remote.c | 1 + + services/authzone.c | 6 +++--- + smallapp/unbound-anchor.c | 15 +++++++-------- + validator/autotrust.c | 1 + + 4 files changed, 12 insertions(+), 11 deletions(-) + +diff --git a/daemon/remote.c b/daemon/remote.c +index 6a8ff4dc..3971e454 100644 +--- a/daemon/remote.c ++++ b/daemon/remote.c +@@ -1070,6 +1070,7 @@ do_stats(RES* ssl, struct daemon_remote* rc, int reset) + struct ub_stats_info total; + struct ub_stats_info s; + int i; ++ memset(&total, 0, sizeof(total)); + log_assert(daemon->num > 0); + /* gather all thread statistics in one place */ + for(i=0; inum; i++) { +diff --git a/services/authzone.c b/services/authzone.c +index fe56c9f8..4d0dd1b5 100644 +--- a/services/authzone.c ++++ b/services/authzone.c +@@ -218,7 +218,7 @@ msg_add_rrset_an(struct auth_zone* z, struct regional* region, + { + log_assert(msg->rep->ns_numrrsets == 0); + log_assert(msg->rep->ar_numrrsets == 0); +- if(!rrset) ++ if(!rrset || !node) + return 1; + if(msg_rrset_duplicate(msg, node->name, node->namelen, rrset->type, + z->dclass)) +@@ -242,7 +242,7 @@ msg_add_rrset_ns(struct auth_zone* z, struct regional* region, + struct dns_msg* msg, struct auth_data* node, struct auth_rrset* rrset) + { + log_assert(msg->rep->ar_numrrsets == 0); +- if(!rrset) ++ if(!rrset || !node) + return 1; + if(msg_rrset_duplicate(msg, node->name, node->namelen, rrset->type, + z->dclass)) +@@ -265,7 +265,7 @@ static int + msg_add_rrset_ar(struct auth_zone* z, struct regional* region, + struct dns_msg* msg, struct 
auth_data* node, struct auth_rrset* rrset) + { +- if(!rrset) ++ if(!rrset || !node) + return 1; + if(msg_rrset_duplicate(msg, node->name, node->namelen, rrset->type, + z->dclass)) +diff --git a/smallapp/unbound-anchor.c b/smallapp/unbound-anchor.c +index cd2da149..36f82666 100644 +--- a/smallapp/unbound-anchor.c ++++ b/smallapp/unbound-anchor.c +@@ -1097,11 +1097,14 @@ read_http_result(SSL* ssl) + } + if(!data) return NULL; + if(verb >= 4) print_data("read data", data, (int)len); +- m = BIO_new_mem_buf(data, (int)len); ++ m = BIO_new(BIO_s_mem()); + if(!m) { + if(verb) printf("out of memory\n"); ++ free(data); + exit(0); + } ++ BIO_write(m, data, (int)len); ++ free(data); + return m; + } + +@@ -1172,10 +1175,6 @@ https(struct ip_list* ip_list, const char* pathname, const char* urlname) + static void + free_file_bio(BIO* bio) + { +- char* pp = NULL; +- (void)BIO_reset(bio); +- (void)BIO_get_mem_data(bio, &pp); +- free(pp); + BIO_free(bio); + } + +@@ -1603,7 +1602,7 @@ xml_parse(BIO* xml, time_t now) + xml_parse_setup(parser, &data, now); + + /* parse it */ +- (void)BIO_reset(xml); ++ (void)BIO_seek(xml, 0); + len = (int)BIO_get_mem_data(xml, &pp); + if(!len || !pp) { + if(verb) printf("out of memory\n"); +@@ -1777,8 +1776,8 @@ verify_p7sig(BIO* data, BIO* p7s, STACK_OF(X509)* trust, const char* p7signer) + X509_VERIFY_PARAM_free(param); + #endif + +- (void)BIO_reset(p7s); +- (void)BIO_reset(data); ++ (void)BIO_seek(p7s, 0); ++ (void)BIO_seek(data, 0); + + /* convert p7s to p7 (the signature) */ + p7 = d2i_PKCS7_bio(p7s, NULL); +diff --git a/validator/autotrust.c b/validator/autotrust.c +index a34a7c96..a7296730 100644 +--- a/validator/autotrust.c ++++ b/validator/autotrust.c +@@ -718,6 +718,7 @@ packed_rrset_heap_data(int iter(struct autr_ta**, uint8_t**, size_t*, + list_i = list; + i = 0; + while(iter(&list_i, &rr, &rr_len, &dname_len)) { ++ log_assert(data->rr_data[i]); + memmove(data->rr_data[i], + sldns_wirerr_get_rdatawl(rr, rr_len, dname_len), + 
data->rr_len[i]); +-- +2.14.4 + diff --git a/unbound.spec b/unbound.spec index 57cb629..79714d0 100644 --- a/unbound.spec +++ b/unbound.spec @@ -60,7 +60,14 @@ Patch3: unbound-1.7.2-python3-pkgconfig.patch Patch4: unbound-1.7.3-anchor-fallback.patch Patch5: unbound-1.7.3-host-any.patch Patch6: unbound-1.8.0-rh1633874.patch +# commit a31d45b13e2e496b2fdb6ce4715481681362472f Patch7: unbound-1.7.3-rh1562594.patch +# commit 1958d9fbd5de593738f9d4264498726e7dfac9d8 +Patch8: unbound-1.7.3-rh1562594-2.patch +# commit d967ceb98bc019d5e710fd885be14e09ed56521e +Patch9: unbound-1.7.3-rh1562594-3.patch +# commit 2e9d09b961bc7784e04ee885e1717dc233c661a4 +Patch10: unbound-1.7.3-rh1562594-4.patch BuildRequires: gcc, make BuildRequires: flex, openssl-devel @@ -162,6 +169,9 @@ pushd %{pkgname} %patch5 -p1 -b .host-any %patch6 -p1 %patch7 -p1 -b .rh1562594 +%patch8 -p1 -b .rh1562594 +%patch9 -p1 -b .rh1562594 +%patch10 -p1 # only for snapshots # autoreconf -iv From 12de69b2048f42b7630cf54d788daddef6c2088c Mon Sep 17 00:00:00 2001 
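Review bot: `BIO_write(m, data, (int)len);` in read_http_result discards its return value, so a short or failed write leaves a truncated copy of the fetched body in the BIO that xml_parse and verify_p7sig then operate on, after `data` has already been freed on the next line. Checking the written length and failing the same way the out-of-memory path directly above does closes that gap (below). In the same hunk, `if(!rrset || !node) return 1;` in msg_add_rrset_an/ns/ar makes a missing node look like a successful no-op to callers, which is fine if node can never be NULL there but silently hides a logic error if it can; a comment on the first of the three stating which case is expected would help. All functions touched start and end outside the hunk.
```c
	/* … unchanged: m = BIO_new(BIO_s_mem()) and its out-of-memory exit … */
	if(BIO_write(m, data, (int)len) != (int)len) {
		if(verb) printf("could not copy http result into BIO\n");
		free(data);
		BIO_free(m);
		exit(0);
	}
	free(data);
	return m;
```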
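Review bot: Patch9 and Patch10 are applied in the reverse of their upstream order: the index line of unbound-1.7.3-rh1562594-3.patch (`4d0dd1b5..1f29c3ae`, r4929) starts from the authzone.c blob that unbound-1.7.3-rh1562594-4.patch (`fe56c9f8..4d0dd1b5`, r4903) produces. The hunks do not overlap so both still apply, but numbering the files and `%patch` lines in commit order would make the pre-image chain match the `# commit` comments added above each Patch line. The backup suffixes also collide: `%patch8 -p1 -b .rh1562594` and `%patch9 -p1 -b .rh1562594` reuse Patch7's suffix, so each later one replaces the `services/authzone.c.rh1562594` backup the first made, and `%patch10 -p1` keeps none; distinct suffixes such as `%patch8 -p1 -b .rh1562594-2`, `%patch9 -p1 -b .rh1562594-3`, `%patch10 -p1 -b .rh1562594-4` preserve a pristine copy per step.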
From: Paul Wouters Date: Wed, 5 Dec 2018 12:16:41 -0500 Subject: [PATCH 4/4] * Wed Dec 05 2018 Paul Wouters - 1.8.2-1 - Updated to 1.8.2. - Enabled deny ANY query support and edns-tcp-keepalive - Set serve-stale timeout to 4h - Updated unbound.conf for latest options --- .gitignore | 3 + sources | 2 +- unbound-1.7.2-python3-devel.patch | 320 -------------------------- unbound-1.7.2-python3-pkgconfig.patch | 31 --- unbound-1.7.3-anchor-fallback.patch | 182 --------------- unbound-1.7.3-host-any.patch | 12 - unbound-1.7.3-rh1562594-2.patch | 54 ----- unbound-1.7.3-rh1562594-3.patch | 27 --- unbound-1.7.3-rh1562594-4.patch | 125 ---------- unbound-1.7.3-rh1562594.patch | 156 ------------- unbound-1.8.0-rh1633874.patch | 39 ---- unbound-aarch64.patch | 22 -- unbound-keygen.service | 6 +- unbound.conf | 71 +++++- unbound.spec | 35 +-- 15 files changed, 78 insertions(+), 1007 deletions(-) delete mode 100644 unbound-1.7.2-python3-devel.patch delete mode 100644 unbound-1.7.2-python3-pkgconfig.patch delete mode 100644 unbound-1.7.3-anchor-fallback.patch delete mode 100644 unbound-1.7.3-host-any.patch delete mode 100644 unbound-1.7.3-rh1562594-2.patch delete mode 100644 unbound-1.7.3-rh1562594-3.patch delete mode 100644 unbound-1.7.3-rh1562594-4.patch delete mode 100644 unbound-1.7.3-rh1562594.patch delete mode 100644 unbound-1.8.0-rh1633874.patch delete mode 100644 unbound-aarch64.patch diff --git a/.gitignore b/.gitignore index a56c606..d2824e0 100644 --- a/.gitignore +++ b/.gitignore @@ -49,3 +49,6 @@ unbound-1.4.5.tar.gz /unbound-1.7.1.tar.gz /unbound-1.7.2.tar.gz /unbound-1.7.3.tar.gz +/unbound-1.8.0.tar.gz +/unbound-1.8.1.tar.gz +/unbound-1.8.2.tar.gz diff --git a/sources b/sources index 2f3a9ac..808f2d2 100644 --- a/sources +++ b/sources 
@@ -1 +1 @@ -SHA512 (unbound-1.7.3.tar.gz) = 34b2e93660e519b2eccefef26a6c7ac09fa3312384cc3bc449ff2b10743bd86bfeb36ec19d35eb913f8d0a3d91ad7923260a66fc799f28b0a2cc06741d80f27a +SHA512 (unbound-1.8.2.tar.gz) = a775c799d41ede3c2df82a5cf4d419ec1d037d84c9bb7f2f4216727afc1e3d82c991d1a1ee99baf315530c094a416004e836312ba1ee2b7b17a4a60454878cb5 diff --git a/unbound-1.7.2-python3-devel.patch b/unbound-1.7.2-python3-devel.patch deleted file mode 100644 index db6fce0..0000000 --- a/unbound-1.7.2-python3-devel.patch +++ /dev/null 
@@ -1,320 +0,0 @@ -From b5aab36d41f374eddb0f66f28f251588f53a1e1e Mon Sep 17 00:00:00 2001 -From: Wouter Wijngaards -Date: Wed, 27 Jun 2018 05:46:36 +0000 -Subject: [PATCH 1/2] - #4109: Fix that package config depends on python - unconditionally. - -git-svn-id: file:///svn/unbound/trunk@4757 be551aaa-1e26-0410-a405-d3ace91eadb9 ---- - configure | 257 +++++++++++++++++++++++++++++++---------------------------- - configure.ac | 5 +- - 2 files changed, 137 insertions(+), 125 deletions(-) - -diff --git a/configure b/configure -index 3f1c372a..2a1687ae 100755 ---- a/configure -+++ b/configure -@@ -670,9 +670,6 @@ SYSTEMD_DAEMON_LIBS - SYSTEMD_DAEMON_CFLAGS - SYSTEMD_LIBS - SYSTEMD_CFLAGS --PKG_CONFIG_LIBDIR --PKG_CONFIG_PATH --PKG_CONFIG - staticexe - PC_LIBEVENT_DEPENDENCY - UNBOUND_EVENT_UNINSTALL -@@ -697,6 +694,9 @@ swig - SWIG_LIB - SWIG - PC_PY_DEPENDENCY -+PKG_CONFIG_LIBDIR -+PKG_CONFIG_PATH -+PKG_CONFIG - PY_MAJOR_VERSION - PYTHON_SITE_PKG - PYTHON_LDFLAGS -@@ -16930,7 +16930,136 @@ $as_echo "#define HAVE_PYTHON 1" >>confdefs.h - CPPFLAGS="$PYTHON_CPPFLAGS" - fi - ub_have_python=yes -- PC_PY_DEPENDENCY="python" -+ -+ -+ -+ -+ -+ -+ -+if test "x$ac_cv_env_PKG_CONFIG_set" != "xset"; then -+ if test -n "$ac_tool_prefix"; then -+ # Extract the first word of "${ac_tool_prefix}pkg-config", so it can be a program name with args. -+set dummy ${ac_tool_prefix}pkg-config; ac_word=$2 -+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 -+$as_echo_n "checking for $ac_word... " >&6; } -+if ${ac_cv_path_PKG_CONFIG+:} false; then : -+ $as_echo_n "(cached) " >&6 -+else -+ case $PKG_CONFIG in -+ [\\/]* | ?:[\\/]*) -+ ac_cv_path_PKG_CONFIG="$PKG_CONFIG" # Let the user override the test with a path. -+ ;; -+ *) -+ as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -+for as_dir in $PATH -+do -+ IFS=$as_save_IFS -+ test -z "$as_dir" && as_dir=. 
-+ for ac_exec_ext in '' $ac_executable_extensions; do -+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then -+ ac_cv_path_PKG_CONFIG="$as_dir/$ac_word$ac_exec_ext" -+ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 -+ break 2 -+ fi -+done -+ done -+IFS=$as_save_IFS -+ -+ ;; -+esac -+fi -+PKG_CONFIG=$ac_cv_path_PKG_CONFIG -+if test -n "$PKG_CONFIG"; then -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PKG_CONFIG" >&5 -+$as_echo "$PKG_CONFIG" >&6; } -+else -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -+$as_echo "no" >&6; } -+fi -+ -+ -+fi -+if test -z "$ac_cv_path_PKG_CONFIG"; then -+ ac_pt_PKG_CONFIG=$PKG_CONFIG -+ # Extract the first word of "pkg-config", so it can be a program name with args. -+set dummy pkg-config; ac_word=$2 -+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 -+$as_echo_n "checking for $ac_word... " >&6; } -+if ${ac_cv_path_ac_pt_PKG_CONFIG+:} false; then : -+ $as_echo_n "(cached) " >&6 -+else -+ case $ac_pt_PKG_CONFIG in -+ [\\/]* | ?:[\\/]*) -+ ac_cv_path_ac_pt_PKG_CONFIG="$ac_pt_PKG_CONFIG" # Let the user override the test with a path. -+ ;; -+ *) -+ as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -+for as_dir in $PATH -+do -+ IFS=$as_save_IFS -+ test -z "$as_dir" && as_dir=. 
-+ for ac_exec_ext in '' $ac_executable_extensions; do -+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then -+ ac_cv_path_ac_pt_PKG_CONFIG="$as_dir/$ac_word$ac_exec_ext" -+ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 -+ break 2 -+ fi -+done -+ done -+IFS=$as_save_IFS -+ -+ ;; -+esac -+fi -+ac_pt_PKG_CONFIG=$ac_cv_path_ac_pt_PKG_CONFIG -+if test -n "$ac_pt_PKG_CONFIG"; then -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_pt_PKG_CONFIG" >&5 -+$as_echo "$ac_pt_PKG_CONFIG" >&6; } -+else -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -+$as_echo "no" >&6; } -+fi -+ -+ if test "x$ac_pt_PKG_CONFIG" = x; then -+ PKG_CONFIG="" -+ else -+ case $cross_compiling:$ac_tool_warned in -+yes:) -+{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 -+$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} -+ac_tool_warned=yes ;; -+esac -+ PKG_CONFIG=$ac_pt_PKG_CONFIG -+ fi -+else -+ PKG_CONFIG="$ac_cv_path_PKG_CONFIG" -+fi -+ -+fi -+if test -n "$PKG_CONFIG"; then -+ _pkg_min_version=0.9.0 -+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking pkg-config is at least version $_pkg_min_version" >&5 -+$as_echo_n "checking pkg-config is at least version $_pkg_min_version... " >&6; } -+ if $PKG_CONFIG --atleast-pkgconfig-version $_pkg_min_version; then -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 -+$as_echo "yes" >&6; } -+ else -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -+$as_echo "no" >&6; } -+ PKG_CONFIG="" -+ fi -+fi -+ if test -n "$PKG_CONFIG" && \ -+ { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"\"python\${PY_MAJOR_VERSION}\"\""; } >&5 -+ ($PKG_CONFIG --exists --print-errors ""python${PY_MAJOR_VERSION}"") 2>&5 -+ ac_status=$? -+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? 
= $ac_status" >&5 -+ test $ac_status = 0; }; then -+ PC_PY_DEPENDENCY="python${PY_MAJOR_VERSION}" -+else -+ PC_PY_DEPENDENCY="python" -+fi - - - # Check for SWIG -@@ -18960,126 +19089,6 @@ else - fi - - have_systemd=no -- -- -- -- -- -- -- --if test "x$ac_cv_env_PKG_CONFIG_set" != "xset"; then -- if test -n "$ac_tool_prefix"; then -- # Extract the first word of "${ac_tool_prefix}pkg-config", so it can be a program name with args. --set dummy ${ac_tool_prefix}pkg-config; ac_word=$2 --{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 --$as_echo_n "checking for $ac_word... " >&6; } --if ${ac_cv_path_PKG_CONFIG+:} false; then : -- $as_echo_n "(cached) " >&6 --else -- case $PKG_CONFIG in -- [\\/]* | ?:[\\/]*) -- ac_cv_path_PKG_CONFIG="$PKG_CONFIG" # Let the user override the test with a path. -- ;; -- *) -- as_save_IFS=$IFS; IFS=$PATH_SEPARATOR --for as_dir in $PATH --do -- IFS=$as_save_IFS -- test -z "$as_dir" && as_dir=. -- for ac_exec_ext in '' $ac_executable_extensions; do -- if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then -- ac_cv_path_PKG_CONFIG="$as_dir/$ac_word$ac_exec_ext" -- $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 -- break 2 -- fi --done -- done --IFS=$as_save_IFS -- -- ;; --esac --fi --PKG_CONFIG=$ac_cv_path_PKG_CONFIG --if test -n "$PKG_CONFIG"; then -- { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PKG_CONFIG" >&5 --$as_echo "$PKG_CONFIG" >&6; } --else -- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 --$as_echo "no" >&6; } --fi -- -- --fi --if test -z "$ac_cv_path_PKG_CONFIG"; then -- ac_pt_PKG_CONFIG=$PKG_CONFIG -- # Extract the first word of "pkg-config", so it can be a program name with args. --set dummy pkg-config; ac_word=$2 --{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 --$as_echo_n "checking for $ac_word... 
" >&6; } --if ${ac_cv_path_ac_pt_PKG_CONFIG+:} false; then : -- $as_echo_n "(cached) " >&6 --else -- case $ac_pt_PKG_CONFIG in -- [\\/]* | ?:[\\/]*) -- ac_cv_path_ac_pt_PKG_CONFIG="$ac_pt_PKG_CONFIG" # Let the user override the test with a path. -- ;; -- *) -- as_save_IFS=$IFS; IFS=$PATH_SEPARATOR --for as_dir in $PATH --do -- IFS=$as_save_IFS -- test -z "$as_dir" && as_dir=. -- for ac_exec_ext in '' $ac_executable_extensions; do -- if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then -- ac_cv_path_ac_pt_PKG_CONFIG="$as_dir/$ac_word$ac_exec_ext" -- $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 -- break 2 -- fi --done -- done --IFS=$as_save_IFS -- -- ;; --esac --fi --ac_pt_PKG_CONFIG=$ac_cv_path_ac_pt_PKG_CONFIG --if test -n "$ac_pt_PKG_CONFIG"; then -- { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_pt_PKG_CONFIG" >&5 --$as_echo "$ac_pt_PKG_CONFIG" >&6; } --else -- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 --$as_echo "no" >&6; } --fi -- -- if test "x$ac_pt_PKG_CONFIG" = x; then -- PKG_CONFIG="" -- else -- case $cross_compiling:$ac_tool_warned in --yes:) --{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 --$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} --ac_tool_warned=yes ;; --esac -- PKG_CONFIG=$ac_pt_PKG_CONFIG -- fi --else -- PKG_CONFIG="$ac_cv_path_PKG_CONFIG" --fi -- --fi --if test -n "$PKG_CONFIG"; then -- _pkg_min_version=0.9.0 -- { $as_echo "$as_me:${as_lineno-$LINENO}: checking pkg-config is at least version $_pkg_min_version" >&5 --$as_echo_n "checking pkg-config is at least version $_pkg_min_version... 
" >&6; } -- if $PKG_CONFIG --atleast-pkgconfig-version $_pkg_min_version; then -- { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 --$as_echo "yes" >&6; } -- else -- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 --$as_echo "no" >&6; } -- PKG_CONFIG="" -- fi --fi - if test "x$enable_systemd" != xno; then : - - -diff --git a/configure.ac b/configure.ac -index 1828253c..b2c95d1a 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -586,7 +586,10 @@ if test x_$ub_test_python != x_no; then - CPPFLAGS="$PYTHON_CPPFLAGS" - fi - ub_have_python=yes -- PC_PY_DEPENDENCY="python" -+ PKG_PROG_PKG_CONFIG -+ PKG_CHECK_EXISTS(["python${PY_MAJOR_VERSION}"], -+ [PC_PY_DEPENDENCY="python${PY_MAJOR_VERSION}"], -+ [PC_PY_DEPENDENCY="python"]) - AC_SUBST(PC_PY_DEPENDENCY) - - # Check for SWIG --- -2.14.4 - diff --git a/unbound-1.7.2-python3-pkgconfig.patch b/unbound-1.7.2-python3-pkgconfig.patch deleted file mode 100644 index 86ba0b8..0000000 --- a/unbound-1.7.2-python3-pkgconfig.patch +++ /dev/null 
@@ -1,31 +0,0 @@ -From bca54a8b252d4a75e940424dc761c6a4e487eb84 Mon Sep 17 00:00:00 2001 -From: Wouter Wijngaards -Date: Wed, 27 Jun 2018 06:07:31 +0000 -Subject: [PATCH 2/2] =?UTF-8?q?-=20Patch,=20do=20not=20export=20python=20f?= - =?UTF-8?q?rom=20pkg-config,=20from=20Petr=20Men=C5=A1=C3=ADk.?= -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -git-svn-id: file:///svn/unbound/trunk@4758 be551aaa-1e26-0410-a405-d3ace91eadb9 ---- - contrib/libunbound.pc.in | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/contrib/libunbound.pc.in b/contrib/libunbound.pc.in -index 0cb9f875..810c5713 100644 ---- a/contrib/libunbound.pc.in -+++ b/contrib/libunbound.pc.in -@@ -7,7 +7,8 @@ Name: unbound - Description: Library with validating, recursive, and caching DNS resolver - URL: http://www.unbound.net - Version: @PACKAGE_VERSION@ --Requires: @PC_LIBEVENT_DEPENDENCY@ @PC_PY_DEPENDENCY@ -+Requires: libcrypto libssl @PC_LIBEVENT_DEPENDENCY@ -+Requires.private: @PC_PY_DEPENDENCY@ - Libs: -L${libdir} -lunbound -lssl -lcrypto - Libs.private: @SSLLIB@ @LIBS@ - Cflags: -I${includedir} --- -2.14.4 - diff --git a/unbound-1.7.3-anchor-fallback.patch b/unbound-1.7.3-anchor-fallback.patch deleted file mode 100644 index 2470ce1..0000000 --- a/unbound-1.7.3-anchor-fallback.patch +++ /dev/null 
@@ -1,182 +0,0 @@ -From 81e9f82a8ddd811d7ebafe2fd0ee5af836d0b405 Mon Sep 17 00:00:00 2001 -From: Wouter Wijngaards -Date: Wed, 4 Jul 2018 10:02:16 +0000 -Subject: [PATCH] - Fix #4112: Fix that unbound-anchor -f /etc/resolv.conf will - not pass if DNSSEC is not enabled. New option -R allows fallback from - resolv.conf to direct queries. - -git-svn-id: file:///svn/unbound/trunk@4770 be551aaa-1e26-0410-a405-d3ace91eadb9 ---- - doc/unbound-anchor.8.in | 5 ++++ - smallapp/unbound-anchor.c | 66 ++++++++++++++++++++++++++++++++++------------- - 2 files changed, 53 insertions(+), 18 deletions(-) - -diff --git a/doc/unbound-anchor.8.in b/doc/unbound-anchor.8.in -index 02a3e781..e114eb25 100644 ---- a/doc/unbound-anchor.8.in -+++ b/doc/unbound-anchor.8.in -@@ -109,6 +109,11 @@ It does so, because the tool when used for bootstrapping the recursive - resolver, cannot use that recursive resolver itself because it is bootstrapping - that server. - .TP -+.B \-R -+Allow fallback from \-f resolv.conf file to direct root servers query. -+It allows you to prefer local resolvers, but fallback automatically -+to direct root query if they do not respond or do not support DNSSEC. -+.TP - .B \-v - More verbose. 
Once prints informational messages, multiple times may enable - large debug amounts (such as full certificates or byte\-dumps of downloaded -diff --git a/smallapp/unbound-anchor.c b/smallapp/unbound-anchor.c -index b3009108..f3985090 100644 ---- a/smallapp/unbound-anchor.c -+++ b/smallapp/unbound-anchor.c -@@ -192,9 +192,10 @@ usage(void) - printf("-n name signer's subject emailAddress, default %s\n", P7SIGNER); - printf("-4 work using IPv4 only\n"); - printf("-6 work using IPv6 only\n"); -- printf("-f resolv.conf use given resolv.conf to resolve -u name\n"); -- printf("-r root.hints use given root.hints to resolve -u name\n" -+ printf("-f resolv.conf use given resolv.conf\n"); -+ printf("-r root.hints use given root.hints\n" - " builtin root hints are used by default\n"); -+ printf("-R fallback from -f to root query on error\n"); - printf("-v more verbose\n"); - printf("-C conf debug, read config\n"); - printf("-P port use port for https connect, default 443\n"); -@@ -1920,8 +1921,7 @@ static int - do_certupdate(const char* root_anchor_file, const char* root_cert_file, - const char* urlname, const char* xmlname, const char* p7sname, - const char* p7signer, const char* res_conf, const char* root_hints, -- const char* debugconf, int ip4only, int ip6only, int port, -- struct ub_result* dnskey) -+ const char* debugconf, int ip4only, int ip6only, int port) - { - STACK_OF(X509)* cert; - BIO *xml, *p7s; -@@ -1961,7 +1961,6 @@ do_certupdate(const char* root_anchor_file, const char* root_cert_file, - #ifndef S_SPLINT_S - sk_X509_pop_free(cert, X509_free); - #endif -- ub_resolve_free(dnskey); - ip_list_free(ip_list); - return 1; - } -@@ -2199,16 +2198,33 @@ probe_date_allows_certupdate(const char* root_anchor_file) - return 0; - } - -+static struct ub_result * -+fetch_root_key(const char* root_anchor_file, const char* res_conf, -+ const char* root_hints, const char* debugconf, -+ int ip4only, int ip6only) -+{ -+ struct ub_ctx* ctx; -+ struct ub_result* dnskey; -+ -+ ctx = 
create_unbound_context(res_conf, root_hints, debugconf, -+ ip4only, ip6only); -+ add_5011_probe_root(ctx, root_anchor_file); -+ dnskey = prime_root_key(ctx); -+ ub_ctx_delete(ctx); -+ return dnskey; -+} -+ - /** perform the unbound-anchor work */ - static int - do_root_update_work(const char* root_anchor_file, const char* root_cert_file, - const char* urlname, const char* xmlname, const char* p7sname, - const char* p7signer, const char* res_conf, const char* root_hints, -- const char* debugconf, int ip4only, int ip6only, int force, int port) -+ const char* debugconf, int ip4only, int ip6only, int force, -+ int res_conf_fallback, int port) - { -- struct ub_ctx* ctx; - struct ub_result* dnskey; - int used_builtin = 0; -+ int rcode; - - /* see if builtin rootanchor needs to be provided, or if - * rootanchor is 'revoked-trust-point' */ -@@ -2217,12 +2233,22 @@ do_root_update_work(const char* root_anchor_file, const char* root_cert_file, - - /* make unbound context with 5011-probe for root anchor, - * and probe . 
DNSKEY */ -- ctx = create_unbound_context(res_conf, root_hints, debugconf, -- ip4only, ip6only); -- add_5011_probe_root(ctx, root_anchor_file); -- dnskey = prime_root_key(ctx); -- ub_ctx_delete(ctx); -- -+ dnskey = fetch_root_key(root_anchor_file, res_conf, -+ root_hints, debugconf, ip4only, ip6only); -+ rcode = dnskey->rcode; -+ -+ if (res_conf_fallback && res_conf && !dnskey->secure) { -+ if (verb) printf("%s failed, retrying direct\n", res_conf); -+ ub_resolve_free(dnskey); -+ /* try direct query without res_conf */ -+ dnskey = fetch_root_key(root_anchor_file, NULL, -+ root_hints, debugconf, ip4only, ip6only); -+ if (rcode != 0 && dnskey->rcode == 0) { -+ res_conf = NULL; -+ rcode = 0; -+ } -+ } -+ - /* if secure: exit */ - if(dnskey->secure && !force) { - if(verb) printf("success: the anchor is ok\n"); -@@ -2230,18 +2256,18 @@ do_root_update_work(const char* root_anchor_file, const char* root_cert_file, - return used_builtin; - } - if(force && verb) printf("debug cert update forced\n"); -+ ub_resolve_free(dnskey); - - /* if not (and NOERROR): check date and do certupdate */ -- if((dnskey->rcode == 0 && -+ if((rcode == 0 && - probe_date_allows_certupdate(root_anchor_file)) || force) { - if(do_certupdate(root_anchor_file, root_cert_file, urlname, - xmlname, p7sname, p7signer, res_conf, root_hints, -- debugconf, ip4only, ip6only, port, dnskey)) -+ debugconf, ip4only, ip6only, port)) - return 1; - return used_builtin; - } - if(verb) printf("fail: the anchor is NOT ok and could not be fixed\n"); -- ub_resolve_free(dnskey); - return used_builtin; - } - -@@ -2264,8 +2290,9 @@ int main(int argc, char* argv[]) - const char* root_hints = NULL; - const char* debugconf = NULL; - int dolist=0, ip4only=0, ip6only=0, force=0, port = HTTPS_PORT; -+ int res_conf_fallback = 0; - /* parse the options */ -- while( (c=getopt(argc, argv, "46C:FP:a:c:f:hln:r:s:u:vx:")) != -1) { -+ while( (c=getopt(argc, argv, "46C:FRP:a:c:f:hln:r:s:u:vx:")) != -1) { - switch(c) { - case 'l': - dolist 
= 1; -@@ -2300,6 +2327,9 @@ int main(int argc, char* argv[]) - case 'r': - root_hints = optarg; - break; -+ case 'R': -+ res_conf_fallback = 1; -+ break; - case 'C': - debugconf = optarg; - break; -@@ -2346,5 +2376,5 @@ int main(int argc, char* argv[]) - - return do_root_update_work(root_anchor_file, root_cert_file, urlname, - xmlname, p7sname, p7signer, res_conf, root_hints, debugconf, -- ip4only, ip6only, force, port); -+ ip4only, ip6only, force, res_conf_fallback, port); - } --- -2.14.4 - diff --git a/unbound-1.7.3-host-any.patch b/unbound-1.7.3-host-any.patch deleted file mode 100644 index 9db4b94..0000000 --- a/unbound-1.7.3-host-any.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff --git a/smallapp/unbound-host.c b/smallapp/unbound-host.c -index 53bf3277..f02511fe 100644 ---- a/smallapp/unbound-host.c -+++ b/smallapp/unbound-host.c -@@ -340,6 +340,7 @@ pretty_output(char* q, int t, int c, struct ub_result* result, int docname) - exit(1); - } - printf("%s\n", s); -+ free(s); - } else printf(" has no %s record", tstr); - printf(" %s\n", secstatus); - } diff --git a/unbound-1.7.3-rh1562594-2.patch b/unbound-1.7.3-rh1562594-2.patch deleted file mode 100644 index 066617b..0000000 --- a/unbound-1.7.3-rh1562594-2.patch +++ /dev/null 
@@ -1,54 +0,0 @@ -From 1958d9fbd5de593738f9d4264498726e7dfac9d8 Mon Sep 17 00:00:00 2001 -From: Wouter Wijngaards -Date: Wed, 15 Aug 2018 09:26:13 +0000 -Subject: [PATCH] - Fix segfault in auth-zone read and reorder of RRSIGs. - -git-svn-id: file:///svn/unbound/trunk@4853 be551aaa-1e26-0410-a405-d3ace91eadb9 ---- - services/authzone.c | 3 ++- - testcode/unitauth.c | 8 +++++++- - 2 files changed, 9 insertions(+), 2 deletions(-) - -diff --git a/services/authzone.c b/services/authzone.c -index b9576eaa..e8c99077 100644 ---- a/services/authzone.c -+++ b/services/authzone.c -@@ -1014,7 +1014,8 @@ rrset_moveover_rrsigs(struct auth_data* node, uint16_t rr_type, - } - /* copy base values */ - memcpy(sigd, sigold, sizeof(struct packed_rrset_data)); -- sigd->rrsig_count -= sigs; -+ /* in sigd the RRSIGs are stored in the base of the RR, in count */ -+ sigd->count -= sigs; - /* setup rr_len */ - sigd->rr_len = (size_t*)((uint8_t*)sigd + - sizeof(struct packed_rrset_data)); -diff --git a/testcode/unitauth.c b/testcode/unitauth.c -index 4b538ef6..19d3c4f6 100644 ---- a/testcode/unitauth.c -+++ b/testcode/unitauth.c -@@ -131,6 +131,12 @@ static const char* zone_example_com = - "z9.example.com. 3600 IN A 10.0.0.10\n" - "z9.example.com. 3600 IN RRSIG A 8 3 10200 20170612005010 20170515005010 42393 nlnetlabs.nl. NhEDrHkuIgHkjWhDRVsGOIJWZpSs+QdduilWFe5d+/ZhOheLJbaTYD5w6+ZZ3yPh1tNud+jlg+GyiOSVapLEO31swDCIarL1UfRjRSpxxDCHGag5Zu+S4hF+KURxO3cJk8jLBELMQyRuMRHoKrw/wsiLGVu1YpAyAPPMcjFBNbk=\n" - "z9.example.com. 3600 IN RRSIG A 8 3 10200 20170612005010 20170515005010 42393 nlnetlabs.nl. NhEDrHkuIgHkjWhDRVsGOIJWZpSs+QdduilWFe5d+/ZhOheLJbaTYD5w6+ZZ3yPh1tNud+jlg+GyiOSVapLEO31swDCIarL1UfRjRSpxxDCHGag5Zu+S4hF+KURxO3cJk8jLBELMQyRuMRHoKrw/wsiLGVu1YpAyAPPMcjFBNbk=\n" -+/* different covered types, first RRSIGs then, RRs, then another RRSIG */ -+"z10.example.com. 3600 IN RRSIG AAAA 8 3 10200 20170612005010 20170515005010 42393 nlnetlabs.nl. 
NhEDrHkuIgHkjWhDRVsGOIJWZpSs+QdduilWFe5d+/ZhOheLJbaTYD5w6+ZZ3yPh1tNud+jlg+GyiOSVapLEO31swDCIarL1UfRjRSpxxDCHGag5Zu+S4hF+KURxO3cJk8jLBELMQyRuMRHoKrw/wsiLGVu1YpAyAPPMcjFBNbk=\n" -+"z10.example.com. 3600 IN RRSIG A 8 3 10200 20170612005010 20170515005010 42393 nlnetlabs.nl. NhEDrHkuIgHkjWhDRVsGOIJWZpSs+QdduilWFe5d+/ZhOheLJbaTYD5w6+ZZ3yPh1tNud+jlg+GyiOSVapLEO31swDCIarL1UfRjRSpxxDCHGag5Zu+S4hF+KURxO3cJk8jLBELMQyRuMRHoKrw/wsiLGVu1YpAyAPPMcjFBNbk=\n" -+"z10.example.com. 3600 IN A 10.0.0.10\n" -+"z10.example.com. 3600 IN RRSIG CNAME 8 3 10200 20170612005010 20170515005010 42393 nlnetlabs.nl. NhEDrHkuIgHkjWhDRVsGOIJWZpSs+QdduilWFe5d+/ZhOheLJbaTYD5w6+ZZ3yPh1tNud+jlg+GyiOSVapLEO31swDCIarL1UfRjRSpxxDCHGag5Zu+S4hF+KURxO3cJk8jLBELMQyRuMRHoKrw/wsiLGVu1YpAyAPPMcjFBNbk=\n" -+"z10.example.com. 3600 IN AAAA ::11\n" - #endif /* if0 for duplicates and reordering */ - ; - -@@ -554,7 +560,7 @@ checkfile(char* f1, char *f2) - log_info("in files %s and %s:%d", f1, f2, line); - log_info("'%s'", buf1); - log_info("'%s'", buf2); -- fatal_exit("files are not eqaul"); -+ fatal_exit("files are not equal"); - } - } - unit_assert(feof(i1) && feof(i2)); --- -2.14.4 - diff --git a/unbound-1.7.3-rh1562594-3.patch b/unbound-1.7.3-rh1562594-3.patch deleted file mode 100644 index dc198d4..0000000 --- a/unbound-1.7.3-rh1562594-3.patch +++ /dev/null 
@@ -1,27 +0,0 @@ -From d967ceb98bc019d5e710fd885be14e09ed56521e Mon Sep 17 00:00:00 2001 -From: Wouter Wijngaards -Date: Tue, 2 Oct 2018 12:32:33 +0000 -Subject: [PATCH] Remove that fix, analyzer is for debug with assertions. - Fix - clang analyzer for optimize compile analysis. - -git-svn-id: file:///svn/unbound/trunk@4929 be551aaa-1e26-0410-a405-d3ace91eadb9 ---- - services/authzone.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/services/authzone.c b/services/authzone.c -index 4d0dd1b5..1f29c3ae 100644 ---- a/services/authzone.c -+++ b/services/authzone.c -@@ -2828,7 +2828,7 @@ az_generate_any_answer(struct auth_zone* z, struct regional* region, - if(!msg_add_rrset_an(z, region, msg, node, rrset)) return 0; - added++; - } -- if(added == 0 && node->rrsets) { -+ if(added == 0 && node && node->rrsets) { - if(!msg_add_rrset_an(z, region, msg, node, - node->rrsets)) return 0; - } --- -2.14.4 - diff --git a/unbound-1.7.3-rh1562594-4.patch b/unbound-1.7.3-rh1562594-4.patch deleted file mode 100644 index cd18890..0000000 --- a/unbound-1.7.3-rh1562594-4.patch +++ /dev/null 
@@ -1,125 +0,0 @@ -From 2e9d09b961bc7784e04ee885e1717dc233c661a4 Mon Sep 17 00:00:00 2001 -From: Wouter Wijngaards -Date: Thu, 13 Sep 2018 12:20:41 +0000 -Subject: [PATCH] - initialize statistics totals for printout. - in - authzone check that node exists before adding rrset. - in unbound-anchor, - use readwrite memory BIO. - assertion in autotrust that packed rrset is - formed correctly. - -git-svn-id: file:///svn/unbound/trunk@4903 be551aaa-1e26-0410-a405-d3ace91eadb9 ---- - daemon/remote.c | 1 + - services/authzone.c | 6 +++--- - smallapp/unbound-anchor.c | 15 +++++++-------- - validator/autotrust.c | 1 + - 4 files changed, 12 insertions(+), 11 deletions(-) - -diff --git a/daemon/remote.c b/daemon/remote.c -index 6a8ff4dc..3971e454 100644 ---- a/daemon/remote.c -+++ b/daemon/remote.c -@@ -1070,6 +1070,7 @@ do_stats(RES* ssl, struct daemon_remote* rc, int reset) - struct ub_stats_info total; - struct ub_stats_info s; - int i; -+ memset(&total, 0, sizeof(total)); - log_assert(daemon->num > 0); - /* gather all thread statistics in one place */ - for(i=0; inum; i++) { -diff --git a/services/authzone.c b/services/authzone.c -index fe56c9f8..4d0dd1b5 100644 ---- a/services/authzone.c -+++ b/services/authzone.c -@@ -218,7 +218,7 @@ msg_add_rrset_an(struct auth_zone* z, struct regional* region, - { - log_assert(msg->rep->ns_numrrsets == 0); - log_assert(msg->rep->ar_numrrsets == 0); -- if(!rrset) -+ if(!rrset || !node) - return 1; - if(msg_rrset_duplicate(msg, node->name, node->namelen, rrset->type, - z->dclass)) -@@ -242,7 +242,7 @@ msg_add_rrset_ns(struct auth_zone* z, struct regional* region, - struct dns_msg* msg, struct auth_data* node, struct auth_rrset* rrset) - { - log_assert(msg->rep->ar_numrrsets == 0); -- if(!rrset) -+ if(!rrset || !node) - return 1; - if(msg_rrset_duplicate(msg, node->name, node->namelen, rrset->type, - z->dclass)) -@@ -265,7 +265,7 @@ static int - msg_add_rrset_ar(struct auth_zone* z, struct regional* region, - struct dns_msg* msg, struct 
auth_data* node, struct auth_rrset* rrset) - { -- if(!rrset) -+ if(!rrset || !node) - return 1; - if(msg_rrset_duplicate(msg, node->name, node->namelen, rrset->type, - z->dclass)) -diff --git a/smallapp/unbound-anchor.c b/smallapp/unbound-anchor.c -index cd2da149..36f82666 100644 ---- a/smallapp/unbound-anchor.c -+++ b/smallapp/unbound-anchor.c -@@ -1097,11 +1097,14 @@ read_http_result(SSL* ssl) - } - if(!data) return NULL; - if(verb >= 4) print_data("read data", data, (int)len); -- m = BIO_new_mem_buf(data, (int)len); -+ m = BIO_new(BIO_s_mem()); - if(!m) { - if(verb) printf("out of memory\n"); -+ free(data); - exit(0); - } -+ BIO_write(m, data, (int)len); -+ free(data); - return m; - } - -@@ -1172,10 +1175,6 @@ https(struct ip_list* ip_list, const char* pathname, const char* urlname) - static void - free_file_bio(BIO* bio) - { -- char* pp = NULL; -- (void)BIO_reset(bio); -- (void)BIO_get_mem_data(bio, &pp); -- free(pp); - BIO_free(bio); - } - -@@ -1603,7 +1602,7 @@ xml_parse(BIO* xml, time_t now) - xml_parse_setup(parser, &data, now); - - /* parse it */ -- (void)BIO_reset(xml); -+ (void)BIO_seek(xml, 0); - len = (int)BIO_get_mem_data(xml, &pp); - if(!len || !pp) { - if(verb) printf("out of memory\n"); -@@ -1777,8 +1776,8 @@ verify_p7sig(BIO* data, BIO* p7s, STACK_OF(X509)* trust, const char* p7signer) - X509_VERIFY_PARAM_free(param); - #endif - -- (void)BIO_reset(p7s); -- (void)BIO_reset(data); -+ (void)BIO_seek(p7s, 0); -+ (void)BIO_seek(data, 0); - - /* convert p7s to p7 (the signature) */ - p7 = d2i_PKCS7_bio(p7s, NULL); -diff --git a/validator/autotrust.c b/validator/autotrust.c -index a34a7c96..a7296730 100644 ---- a/validator/autotrust.c -+++ b/validator/autotrust.c -@@ -718,6 +718,7 @@ packed_rrset_heap_data(int iter(struct autr_ta**, uint8_t**, size_t*, - list_i = list; - i = 0; - while(iter(&list_i, &rr, &rr_len, &dname_len)) { -+ log_assert(data->rr_data[i]); - memmove(data->rr_data[i], - sldns_wirerr_get_rdatawl(rr, rr_len, dname_len), - 
data->rr_len[i]); --- -2.14.4 - diff --git a/unbound-1.7.3-rh1562594.patch b/unbound-1.7.3-rh1562594.patch deleted file mode 100644 index 476ab58..0000000 --- a/unbound-1.7.3-rh1562594.patch +++ /dev/null 
@@ -1,156 +0,0 @@ -From a31d45b13e2e496b2fdb6ce4715481681362472f Mon Sep 17 00:00:00 2001 -From: Wouter Wijngaards -Date: Tue, 26 Jun 2018 13:48:36 +0000 -Subject: [PATCH] - Fix that auth-zone master reply with current SOA serial - does not stop scan of masters for an updated zone. - -git-svn-id: file:///svn/unbound/trunk@4755 be551aaa-1e26-0410-a405-d3ace91eadb9 ---- - services/authzone.c | 75 ++++++++++++++++++++++++++++++++++------------------- - services/authzone.h | 3 +++ - 2 files changed, 52 insertions(+), 26 deletions(-) - -diff --git a/services/authzone.c b/services/authzone.c -index a76b51f6..9de43b75 100644 ---- a/services/authzone.c -+++ b/services/authzone.c -@@ -5090,7 +5090,8 @@ xfr_transfer_nexttarget_or_end(struct auth_xfer* xfr, struct module_env* env) - xfr_transfer_disown(xfr); - - /* pick up the nextprobe task and wait */ -- xfr_set_timeout(xfr, env, 1, 0); -+ if(xfr->task_nextprobe->worker == NULL) -+ xfr_set_timeout(xfr, env, 1, 0); - lock_basic_unlock(&xfr->lock); - } - -@@ -5547,7 +5548,8 @@ process_list_end_transfer(struct auth_xfer* xfr, struct module_env* env) - return; - } else { - /* pick up the nextprobe task and wait (normail wait time) */ -- xfr_set_timeout(xfr, env, 0, 0); -+ if(xfr->task_nextprobe->worker == NULL) -+ xfr_set_timeout(xfr, env, 0, 0); - } - lock_basic_unlock(&xfr->lock); - return; -@@ -5888,29 +5890,35 @@ auth_xfer_probe_udp_callback(struct comm_point* c, void* arg, int err, - return 0; - - } -+ /* other tasks are running, we don't do this anymore */ -+ xfr_probe_disown(xfr); -+ lock_basic_unlock(&xfr->lock); -+ /* return, we don't sent a reply to this udp packet, -+ * and we setup the tasks to do next */ -+ return 0; - } else { -- /* if zone not updated, start the wait timer again */ -- verbose(VERB_ALGO, "auth_zone unchanged, new lease, wait"); -- if(xfr->have_zone) -- xfr->lease_time = *env->now; -- if(xfr->task_nextprobe->worker == NULL) -- xfr_set_timeout(xfr, env, 0, 0); -+ verbose(VERB_ALGO, "auth_zone master 
reports unchanged soa serial"); -+ /* we if cannot find updates amongst the -+ * masters, this means we then have a new lease -+ * on the zone */ -+ xfr->task_probe->have_new_lease = 1; -+ } -+ } else { -+ if(verbosity >= VERB_ALGO) { -+ char buf[256]; -+ dname_str(xfr->name, buf); -+ verbose(VERB_ALGO, "auth zone %s: bad reply to soa probe", buf); - } -- /* other tasks are running, we don't do this anymore */ -- xfr_probe_disown(xfr); -- lock_basic_unlock(&xfr->lock); -- /* return, we don't sent a reply to this udp packet, -- * and we setup the tasks to do next */ -- return 0; - } -- } -- if(verbosity >= VERB_ALGO) { -- char buf[256]; -- dname_str(xfr->name, buf); -- verbose(VERB_ALGO, "auth zone %s: soa probe failed", buf); -+ } else { -+ if(verbosity >= VERB_ALGO) { -+ char buf[256]; -+ dname_str(xfr->name, buf); -+ verbose(VERB_ALGO, "auth zone %s: soa probe failed", buf); -+ } - } - -- /* failed lookup */ -+ /* failed lookup or not an update */ - /* delete commpoint so a new one is created, with a fresh port nr */ - comm_point_delete(xfr->task_probe->cp); - xfr->task_probe->cp = NULL; -@@ -6013,7 +6021,8 @@ xfr_probe_send_or_end(struct auth_xfer* xfr, struct module_env* env) - /* only wanted lookups for copy, stop probe and start wait */ - xfr->task_probe->only_lookup = 0; - xfr_probe_disown(xfr); -- xfr_set_timeout(xfr, env, 0, 0); -+ if(xfr->task_nextprobe->worker == NULL) -+ xfr_set_timeout(xfr, env, 0, 0); - lock_basic_unlock(&xfr->lock); - return; - } -@@ -6029,12 +6038,24 @@ xfr_probe_send_or_end(struct auth_xfer* xfr, struct module_env* env) - xfr_probe_nextmaster(xfr); - } - -- /* we failed to send this as well, move to the wait task, -- * use the shorter retry timeout */ -- xfr_probe_disown(xfr); -+ /* done with probe sequence, wait */ -+ if(xfr->task_probe->have_new_lease) { -+ /* if zone not updated, start the wait timer again */ -+ verbose(VERB_ALGO, "auth_zone unchanged, new lease, wait"); -+ xfr_probe_disown(xfr); -+ if(xfr->have_zone) -+ 
xfr->lease_time = *env->now; -+ if(xfr->task_nextprobe->worker == NULL) -+ xfr_set_timeout(xfr, env, 0, 0); -+ } else { -+ /* we failed to send this as well, move to the wait task, -+ * use the shorter retry timeout */ -+ xfr_probe_disown(xfr); -+ /* pick up the nextprobe task and wait */ -+ if(xfr->task_nextprobe->worker == NULL) -+ xfr_set_timeout(xfr, env, 1, 0); -+ } - -- /* pick up the nextprobe task and wait */ -- xfr_set_timeout(xfr, env, 1, 0); - lock_basic_unlock(&xfr->lock); - } - -@@ -6168,6 +6189,8 @@ xfr_start_probe(struct auth_xfer* xfr, struct module_env* env, - xfr->task_probe->cp = NULL; - - /* start the task */ -+ /* have not seen a new lease yet, this scan */ -+ xfr->task_probe->have_new_lease = 0; - /* if this was a timeout, no specific first master to scan */ - /* otherwise, spec is nonNULL the notified master, scan - * first and also transfer first from it */ -diff --git a/services/authzone.h b/services/authzone.h -index 69158de2..6b25452d 100644 ---- a/services/authzone.h -+++ b/services/authzone.h -@@ -309,6 +309,9 @@ struct auth_probe { - /** we only want to do lookups for making config work (for notify), - * don't proceed with UDP SOA probe queries */ - int only_lookup; -+ /** we have seen a new lease this scan, because one of the masters -+ * replied with the current SOA serial version */ -+ int have_new_lease; - - /** once notified, or the timeout has been reached. a scan starts. */ - /** the scan specific target (notify source), or NULL if none */ --- -2.14.4 - diff --git a/unbound-1.8.0-rh1633874.patch b/unbound-1.8.0-rh1633874.patch deleted file mode 100644 index 6740a66..0000000 --- a/unbound-1.8.0-rh1633874.patch +++ /dev/null 
@@ -1,39 +0,0 @@ -From 9be04e6fac3f4ee8fa08d3671dac41d2156d2ced Mon Sep 17 00:00:00 2001 -From: Wouter Wijngaards -Date: Thu, 27 Sep 2018 08:19:29 +0000 -Subject: [PATCH] - Fix #4188: IPv6 forwarders without ipv6 result in SERVFAIL, - fixes qname minimisation with a forwarder when connectivity has issues - from rejecting responses. - -git-svn-id: file:///svn/unbound/trunk@4916 be551aaa-1e26-0410-a405-d3ace91eadb9 ---- - iterator/iterator.c | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/iterator/iterator.c b/iterator/iterator.c -index 7baf92b7..2f26bd33 100644 ---- a/iterator/iterator.c -+++ b/iterator/iterator.c -@@ -2174,7 +2174,8 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq, - return 0; - } - -- if(iq->minimisation_state == INIT_MINIMISE_STATE) { -+ if(iq->minimisation_state == INIT_MINIMISE_STATE -+ && !(iq->chase_flags & BIT_RD)) { - /* (Re)set qinfo_out to (new) delegation point, except when - * qinfo_out is already a subdomain of dp. This happens when - * increasing by more than one label at once (QNAMEs with more -@@ -2715,7 +2716,8 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq, - sock_list_insert(&qstate->reply_origin, - &qstate->reply->addr, qstate->reply->addrlen, - qstate->region); -- if(iq->minimisation_state != DONOT_MINIMISE_STATE) { -+ if(iq->minimisation_state != DONOT_MINIMISE_STATE -+ && !(iq->chase_flags & BIT_RD)) { - if(FLAGS_GET_RCODE(iq->response->rep->flags) != - LDNS_RCODE_NOERROR) { - if(qstate->env->cfg->qname_minimisation_strict) --- -2.14.4 - diff --git a/unbound-aarch64.patch b/unbound-aarch64.patch deleted file mode 100644 index 47f0b3f..0000000 --- a/unbound-aarch64.patch +++ /dev/null 
@@ -1,22 +0,0 @@ -Index: unbound-1.5.0/compat/getentropy_linux.c -=================================================================== ---- unbound-1.5.0.orig/compat/getentropy_linux.c -+++ unbound-1.5.0/compat/getentropy_linux.c -@@ -102,7 +102,7 @@ getentropy(void *buf, size_t len) - if (ret != -1) - return (ret); - --#ifdef CTL_MAXNAME -+#ifdef SYS__sysctl - /* - * Try to use sysctl CTL_KERN, KERN_RANDOM, RANDOM_UUID. - * sysctl is a failsafe API, so it guarantees a result. This -@@ -235,7 +235,7 @@ nodevrandom: - return -1; - } - --#ifdef CTL_MAXNAME -+#ifdef SYS__sysctl - static int - getentropy_sysctl(void *buf, size_t len) - { diff --git a/unbound-keygen.service b/unbound-keygen.service index ccb2376..f5e6535 100644 --- a/unbound-keygen.service +++ b/unbound-keygen.service @@ -2,7 +2,11 @@ Description=Unbound Control Key And Certificate Generator After=syslog.target Before=unbound.service -ConditionPathExists=!/etc/unbound/unbound_control.key +ConditionPathExists=|!/etc/unbound/unbound_control.pem +ConditionPathExists=|!/etc/unbound/unbound_control.key +ConditionPathExists=|!/etc/unbound/unbound_server.pem +ConditionPathExists=|!/etc/unbound/unbound_server.key +PartOf=unbound.service [Service] Type=oneshot diff --git a/unbound.conf b/unbound.conf index 2de6b64..9326b4c 100644 --- a/unbound.conf +++ b/unbound.conf @@ -165,6 +165,10 @@ server: # msec to wait before close of port on timeout UDP. 0 disables. # delay-close: 0 + # msec for waiting for an unknown server to reply. Increase if you + # are behind a slow satellite link, to eg. 1128. + # unknown-server-time-limit: 376 + # the amount of memory to use for the RRset cache. # plain value in bytes or you can append k, m or G. default is "4Mb". # rrset-cache-size: 4m 
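Review bot: The four `ConditionPathExists=|` lines now start the generator when any single one of the files is missing, but the key and certificate files are a matched set (in unbound's setup the control client certificate is, as far as I recall, signed by the server key), so what the generator does with the files that still exist decides whether the result is usable: if the ExecStart (outside this hunk) only creates missing files, a lone missing `unbound_server.key` produces a fresh server key next to a control certificate still signed by the old one and `unbound-control` stops authenticating; if it recreates everything, losing one file silently rotates the trust material for every remote-control client. Whichever behaviour applies, state it above the conditions, e.g. `# Any missing file triggers regeneration of the whole control key/cert set`, and make sure the generator is invoked so that all four files come from one run (its recreate option, or removing the partial set first). `After=syslog.target` is obsolete with journald and can be dropped while this unit is being touched.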
@@ -234,6 +238,15 @@ server: # Default is 0, system default MSS. # outgoing-tcp-mss: 0 + # Idle TCP timeout, connection closed in milliseconds + # tcp-idle-timeout: 30000 + + # Enable EDNS TCP keepalive option. + edns-tcp-keepalive: yes + + # Timeout for EDNS TCP keepalive, in msec. + # edns-tcp-keepalive-timeout: 120000 + # Fedora note: do not activate this - can cause a crash # Use systemd socket activation for UDP, TCP, and control sockets. # use-systemd: no @@ -333,6 +346,13 @@ server: # timetoresolve, fromcache and responsesize. # log-replies: no + # log the local-zone actions, like local-zone type inform is enabled + # also for the other local zone types. + # log-local-actions: no + + # print log lines that say why queries return SERVFAIL to clients. + # log-servfail: no + # the pid file. Can be an absolute path outside of chroot/work dir. pidfile: "/var/run/unbound/unbound.pid" @@ -396,7 +416,7 @@ server: # Sent minimum amount of information to upstream servers to enhance # privacy. Only sent minimum required labels of the QNAME and set QTYPE - # to NS when possible. + # to A when possible. qname-minimisation: yes # QNAME minimisation in strict mode. Do not fall-back to sending full @@ -457,6 +477,9 @@ server: # if yes, perform key lookups adjacent to normal lookups. prefetch-key: yes + # deny queries of type ANY with an empty response. + deny-any: yes + # if yes, Unbound rotates RRSet order in response. rrset-roundrobin: yes 
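Review bot: `edns-tcp-keepalive: yes` is switched on while the keepalive timeout stays at the 120000 ms default quoted in the commented line right below it, so a client can keep each accepted TCP slot open for two minutes; on an instance that listens beyond loopback that is a cheap connection-exhaustion vector unless it is paired with the per-netblock `tcp-connection-limit` that this same change adds further down as a commented example, or with a shorter `edns-tcp-keepalive-timeout`. I would add one line under the option, `# keep tcp-connection-limit or a short edns-tcp-keepalive-timeout in mind when serving non-local clients`, so the next person enabling a public interface sees the trade-off. The `server:` section this hunk edits starts and ends outside the hunk.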
@@ -555,6 +578,16 @@ server: # Serve expired responses from cache, with TTL 0 in the response, # and then attempt to fetch the data afresh. serve-expired: yes + # + # Limit serving of expired responses to configured seconds after + # expiration. 0 disables the limit. + serve-expired-ttl: 14400 + # + # Set the TTL of expired records to the serve-expired-ttl value after a + # failed attempt to retrieve the record from upstream. This makes sure + # that the expired records will be served as long as there are queries + # for it. + # serve-expired-ttl-reset: no # Have the validator log failed validations for your diagnosis. # 0: off. 1: A line per failed user query. 2: With reason and bad IP. @@ -698,14 +731,14 @@ server: # add a netblock specific override to a localzone, with zone type # local-zone-override: "example.com" 192.0.2.0/24 refuse - # service clients over SSL (on the TCP sockets), with plain DNS inside - # the SSL stream. Give the certificate to use and private key. + # service clients over TLS (on the TCP sockets), with plain DNS inside + # the TLS stream. Give the certificate to use and private key. # default is "" (disabled). requires restart to take effect. # tls-service-key: "/etc/unbound/unbound_server.key" # tls-service-pem: "/etc/unbound/unbound_server.pem" # tls-port: 853 # - # request upstream over SSL (with plain DNS inside the SSL stream). + # request upstream over TLS (with plain DNS inside the TLS stream). # Default is no. Can be turned on and off with unbound-control. # tls-upstream: no 
@@ -716,12 +749,15 @@ server: # tls-win-cert: no # Also serve tls on these port numbers (eg. 443, ...), by listing - # tls-additional-ports: portno for each of the port numbers. + # tls-additional-port: portno for each of the port numbers. # DNS64 prefix. Must be specified when DNS64 is use. # Enable dns64 in module-config. Used to synthesize IPv6 from IPv4. # dns64-prefix: 64:ff9b::0/96 + # DNS64 ignore AAAA records for these domains and use A instead. + # dns64-ignore-aaaa: "example.com" + # ratelimit for uncached, new queries, this limits recursion effort. # ratelimiting is experimental, and may help against randomqueryflood. # if 0(default) it is disabled, otherwise state qps allowed per zone. @@ -735,12 +771,6 @@ server: # 0 blocks when ratelimited, otherwise let 1/xth traffic through # ratelimit-factor: 10 - # what is considered a low rtt (ping time for upstream server), in msec - # low-rtt: 45 - # select low rtt this many times out of 1000. 0 means the fast server - # select is disabled. prefetches are not sped up. - # low-rtt-permil: 0 - # override the ratelimit for a specific domain name. # give this setting multiple times to have multiple overrides. # ratelimit-for-domain: example.com 1000 @@ -761,6 +791,15 @@ server: # 0 blocks when ip is ratelimited, otherwise let 1/xth traffic through # ip-ratelimit-factor: 10 + # Limit the number of connections simultaneous from a netblock + # tcp-connection-limit: 192.0.2.0/24 12 + + # select from the fastest servers this many times out of 1000. 0 means + # the fast server select is disabled. prefetches are not sped up. + # fast-server-permil: 0 + # the number of servers that will be used in the fast server selection. + # fast-server-num: 3 + # Specific options for ipsecmod. unbound needs to be configured with # --enable-ipsecmod for these to take effect. # 
@@ -812,12 +851,18 @@ remote-control: # what interfaces are listened to for remote control. # give 0.0.0.0 and ::0 to listen to all interfaces. + # set to an absolute path to use a unix local name pipe, certificates + # are not used for that, so key and cert files need not be present. # control-interface: 127.0.0.1 # control-interface: ::1 # port number for remote control operations. # control-port: 8953 + # for localhost, you can disable use of TLS by setting this to "no" + # For local sockets this option is ignored, and TLS is not used. + control-use-cert: "no" + # unbound server key file. server-key-file: "/etc/unbound/unbound_server.key" @@ -847,6 +892,7 @@ include: /etc/unbound/conf.d/*.conf # stub-prime: no # stub-first: no # stub-tls-upstream: no +# stub-no-cache: no # stub-zone: # name: "example.org" # stub-host: ns.example.com. @@ -882,6 +928,8 @@ include: /etc/unbound/conf.d/*.conf # has a copy of the root for local usage. The second serves example.org # authoritatively. zonefile: reads from file (and writes to it if you also # download it), master: fetches with AXFR and IXFR, or url to zonefile. +# With allow-notify: you can give additional (apart from masters) sources of +# notifies. auth-zone: name: "." for-downstream: no @@ -948,6 +996,7 @@ auth-zone: # backend: "testframe" # # secret seed string to calculate hashed keys # secret-seed: "default" +# # # For "redis" backend: # # redis server's IP address or host name # redis-server-host: 127.0.0.1 diff --git a/unbound.spec b/unbound.spec index 79714d0..32f6e5c 100644 --- a/unbound.spec +++ b/unbound.spec @@ -4,7 +4,7 @@ %global _hardened_build 1 -#global extra_version rc1 +#%%global extra_version rc1 %if 0%{with_python2} %global python_primary %{__python2} 
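Review bot: `control-use-cert: "no"` is shipped uncommented while `control-interface` stays commented out, so the control channel presumably remains the loopback TCP listener on the default port 8953 shown in the commented lines above it; with TLS off nothing on that port authenticates the client, and any local account able to open a loopback connection can issue unbound-control commands such as flush, reload or local_data. The new comment itself says the cert-less mode is meant for local sockets, so either ship the matching socket path with it, e.g. `control-interface: /var/run/unbound/control` (a unix socket guarded by file permissions, consistent with the pidfile directory this config already uses), or keep the upstream `control-use-cert: "yes"` and let administrators opt out. If the TCP loopback default is kept, the comment two lines up that invites `0.0.0.0` and `::0` should also warn that combining it with `control-use-cert: "no"` exposes an unauthenticated control port to the network. The `remote-control:` section this hunk edits starts outside the hunk.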
@@ -33,8 +33,8 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound -Version: 1.7.3 -Release: 10%{?extra_version:.%{extra_version}}%{?dist} +Version: 1.8.2 +Release: 1%{?extra_version:.%{extra_version}}%{?dist} License: BSD Url: https://www.unbound.net/ Source: https://www.unbound.net/downloads/%{name}-%{version}%{?extra_version}.tar.gz @@ -55,20 +55,6 @@ Source15: unbound-anchor.timer Source16: unbound-munin.README Source17: unbound-anchor.service -Patch2: unbound-1.7.2-python3-devel.patch -Patch3: unbound-1.7.2-python3-pkgconfig.patch -Patch4: unbound-1.7.3-anchor-fallback.patch -Patch5: unbound-1.7.3-host-any.patch -Patch6: unbound-1.8.0-rh1633874.patch -# commit a31d45b13e2e496b2fdb6ce4715481681362472f -Patch7: unbound-1.7.3-rh1562594.patch -# commit 1958d9fbd5de593738f9d4264498726e7dfac9d8 -Patch8: unbound-1.7.3-rh1562594-2.patch -# commit d967ceb98bc019d5e710fd885be14e09ed56521e -Patch9: unbound-1.7.3-rh1562594-3.patch -# commit 2e9d09b961bc7784e04ee885e1717dc233c661a4 -Patch10: unbound-1.7.3-rh1562594-4.patch - BuildRequires: gcc, make BuildRequires: flex, openssl-devel BuildRequires: libevent-devel expat-devel @@ -163,15 +149,6 @@ Python 3 modules and extensions for unbound %setup -qcn %{pkgname} pushd %{pkgname} -%patch2 -p1 -b .python3 -%patch3 -p1 -b .python3 -%patch4 -p1 -b .anchor-fallback -%patch5 -p1 -b .host-any -%patch6 -p1 -%patch7 -p1 -b .rh1562594 -%patch8 -p1 -b .rh1562594 -%patch9 -p1 -b .rh1562594 -%patch10 -p1 # only for snapshots # autoreconf -iv @@ -443,6 +420,12 @@ popd %attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key %changelog +* Wed Dec 05 2018 Paul Wouters - 1.8.2-1 +- Updated to 1.8.2. +- Enabled deny ANY query support and edns-tcp-keepalive +- Set serve-stale timeout to 4h +- Updated unbound.conf for latest options + * Tue Oct 02 2018 Petr Menšík - 1.7.3-10 - Try to fix occasional crash (#1562594)