Merge branch 'master' into stream-reuse

contrib/aaaa-filter-iterator.patch

@@ -13,9 +13,9 @@ Index: trunk/doc/unbound.conf.5.in
 +This also causes an additional A query to be sent for each AAAA query.
 +This breaks DNSSEC!
 +.TP
- .B private\-address: \fI<IP address or subnet>
- Give IPv4 of IPv6 addresses or classless subnets. These are addresses
- on your private network, and are not allowed to be returned for
+ .B aggressive\-nsec: \fI<yes or no>
+ Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN
+ and other denials, using information from previous NXDOMAINs answers.
 Index: trunk/iterator/iter_scrub.c
 ===================================================================
 --- trunk/iterator/iter_scrub.c	(revision 4357)
@@ -125,7 +125,7 @@ Index: trunk/iterator/iterator.c
 + * ASN: This event state was added as an intermediary step between
 + * QUERYTARGETS_STATE and the next step, in order to cast a subquery for the
 + * purpose of caching A records for the queried name.
-+ * 
++ *
 + * @param qstate: query state.
 + * @param iq: iterator query state.
 + * @param ie: iterator shared global environment.
@@ -147,9 +147,9 @@ Index: trunk/iterator/iterator.c
 +
 +	/* re-throw same query, but with a different type */
 +	if(!generate_sub_request(iq->qchase.qname,
-+        	iq->qchase.qname_len, LDNS_RR_TYPE_A,
++		iq->qchase.qname_len, LDNS_RR_TYPE_A,
 +		iq->qchase.qclass, qstate, id, iq,
-+		INIT_REQUEST_STATE, FINISHED_STATE, &subq, 1)) {
++		INIT_REQUEST_STATE, FINISHED_STATE, &subq, 1, 0)) {
 +		log_nametypeclass(VERB_ALGO, "ASN-AAAA-filter: failed "
 +			"preloading of A record for",
 +			iq->qchase.qname, LDNS_RR_TYPE_A,
@@ -188,7 +188,7 @@ Index: trunk/iterator/iterator.c
  	return 0;
  }
  
-+/** 
++/**
 + * ASN: Do final processing on responses to A queries originated from AAAA
 + * queries. Events reach this state after the iterative resolution algorithm
 + * terminates.

contrib/libunbound.pc.in

@@ -7,8 +7,7 @@ Name: unbound
 Description: Library with validating, recursive, and caching DNS resolver
 URL: http://www.unbound.net
 Version: @PACKAGE_VERSION@
-Requires: @PC_CRYPTO_DEPENDENCY@ @PC_LIBEVENT_DEPENDENCY@
-Requires.private: @PC_PY_DEPENDENCY@ @PC_LIBBSD_DEPENDENCY@
+Requires.private: @PC_PY_DEPENDENCY@ @PC_LIBBSD_DEPENDENCY@ @PC_CRYPTO_DEPENDENCY@ @PC_LIBEVENT_DEPENDENCY@
 Libs: -L${libdir} -lunbound
 Libs.private: @SSLLIB@ @LIBS@
 Cflags: -I${includedir}

doc/Changelog

@@ -1,3 +1,22 @@
+17 June 2020: Wouter
+	- Fix default explanation in man page for qname-minimisation-strict.
+	- Fix display of event loop method with libev.
+
+8 June 2020: Wouter
+	- Mention tls name possible when tls is enabled for stub-addr in the
+	  man page.
+
+27 May 2020: George
+	- Merge PR #241 by Robert Edmonds: contrib/libunbound.pc.in: Do not use
+	  "Requires:".
+
+25 May 2020: George
+	- Update contrib/aaaa-filter-iterator.patch for the recent
+	  generate_sub_request() change and to apply cleanly.
+
+21 May 2020: George
+	- Fix for integer overflow when printing RDF_TYPE_TIME.
+
 19 May 2020: Wouter
 	- CVE-2020-12662 Unbound can be tricked into amplifying an incoming
 	  query into a large number of queries directed to a target.

doc/unbound.conf.5.in

@@ -864,7 +864,7 @@ NXDOMAIN from a DNSSEC signed zone. Default is yes.
 QNAME minimisation in strict mode. Do not fall-back to sending full QNAME to
 potentially broken nameservers. A lot of domains will not be resolvable when
 this option in enabled. Only use if you know what you are doing.
-This option only has effect when qname-minimisation is enabled. Default is off.
+This option only has effect when qname-minimisation is enabled. Default is no.
 .TP
 .B aggressive\-nsec: \fI<yes or no>
 Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN
@@ -1614,6 +1614,9 @@ Name of stub zone nameserver. Is itself resolved before it is used.
 .B stub\-addr: \fI<IP address>
 IP address of stub zone nameserver. Can be IP 4 or IP 6.
 To use a nondefault port for DNS communication append '@' with the port number.
+If tls is enabled, then you can append a '#' and a name, then it'll check
+the tls authentication certificates with that name.  If you combine
+the '@' and '#', the '@' comes first.
 .TP
 .B stub\-prime: \fI<yes or no>
 This option is by default no.  If enabled it performs NS set priming,

sldns/parseutil.c

@@ -167,7 +167,7 @@ sldns_gmtime64_r(int64_t clock, struct tm *result)
 static int64_t
 sldns_serial_arithmetics_time(int32_t time, time_t now)
 {
-	int32_t offset = time - (int32_t) now;
+	int32_t offset = (int32_t)((uint32_t) time - (uint32_t) now);
 	return (int64_t) now + offset;
 }
 

util/ub_event.c

@@ -148,7 +148,7 @@ const char* ub_event_get_version(void)
 	return event_get_version();
 }
 
-#if (defined(HAVE_EV_LOOP) || defined(HAVE_EV_DEFAULT_LOOP)) && defined(EVBACKEND_SELECT)
+#if (defined(HAVE_EV_LOOP) || defined(HAVE_EV_DEFAULT_LOOP)) && defined(EV_FEATURE_BACKENDS)
 static const char* ub_ev_backend2str(int b)
 {
 	switch(b) {
@@ -184,7 +184,7 @@ ub_get_event_sys(struct ub_event_base* base, const char** n, const char** s,
 	*n = "libev";
 	if (!b)
 		b = (struct event_base*)ev_default_loop(EVFLAG_AUTO);
-#    ifdef EVBACKEND_SELECT
+#    ifdef EV_FEATURE_BACKENDS
 	*m = ub_ev_backend2str(ev_backend((struct ev_loop*)b));
 #    else
 	*m = "not obtainable";