diff --git a/contrib/aaaa-filter-iterator.patch b/contrib/aaaa-filter-iterator.patch index b5c526822..9881bde89 100644 --- a/contrib/aaaa-filter-iterator.patch +++ b/contrib/aaaa-filter-iterator.patch @@ -13,9 +13,9 @@ Index: trunk/doc/unbound.conf.5.in +This also causes an additional A query to be sent for each AAAA query. +This breaks DNSSEC! +.TP - .B private\-address: \fI - Give IPv4 of IPv6 addresses or classless subnets. These are addresses - on your private network, and are not allowed to be returned for + .B aggressive\-nsec: \fI + Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN + and other denials, using information from previous NXDOMAINs answers. Index: trunk/iterator/iter_scrub.c =================================================================== --- trunk/iterator/iter_scrub.c (revision 4357) @@ -125,7 +125,7 @@ Index: trunk/iterator/iterator.c + * ASN: This event state was added as an intermediary step between + * QUERYTARGETS_STATE and the next step, in order to cast a subquery for the + * purpose of caching A records for the queried name. -+ * ++ * + * @param qstate: query state. + * @param iq: iterator query state. + * @param ie: iterator shared global environment. @@ -147,9 +147,9 @@ Index: trunk/iterator/iterator.c + + /* re-throw same query, but with a different type */ + if(!generate_sub_request(iq->qchase.qname, -+ iq->qchase.qname_len, LDNS_RR_TYPE_A, ++ iq->qchase.qname_len, LDNS_RR_TYPE_A, + iq->qchase.qclass, qstate, id, iq, -+ INIT_REQUEST_STATE, FINISHED_STATE, &subq, 1)) { ++ INIT_REQUEST_STATE, FINISHED_STATE, &subq, 1, 0)) { + log_nametypeclass(VERB_ALGO, "ASN-AAAA-filter: failed " + "preloading of A record for", + iq->qchase.qname, LDNS_RR_TYPE_A, @@ -188,7 +188,7 @@ Index: trunk/iterator/iterator.c return 0; } -+/** ++/** + * ASN: Do final processing on responses to A queries originated from AAAA + * queries. Events reach this state after the iterative resolution algorithm + * terminates. 
diff --git a/contrib/libunbound.pc.in b/contrib/libunbound.pc.in index 1442ed523..453bf7d4f 100644 --- a/contrib/libunbound.pc.in +++ b/contrib/libunbound.pc.in @@ -7,8 +7,7 @@ Name: unbound Description: Library with validating, recursive, and caching DNS resolver URL: http://www.unbound.net Version: @PACKAGE_VERSION@ -Requires: @PC_CRYPTO_DEPENDENCY@ @PC_LIBEVENT_DEPENDENCY@ -Requires.private: @PC_PY_DEPENDENCY@ @PC_LIBBSD_DEPENDENCY@ +Requires.private: @PC_PY_DEPENDENCY@ @PC_LIBBSD_DEPENDENCY@ @PC_CRYPTO_DEPENDENCY@ @PC_LIBEVENT_DEPENDENCY@ Libs: -L${libdir} -lunbound Libs.private: @SSLLIB@ @LIBS@ Cflags: -I${includedir} diff --git a/doc/Changelog b/doc/Changelog index ec84296f8..00d2ecfcf 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,3 +1,22 @@ +17 June 2020: Wouter + - Fix default explanation in man page for qname-minimisation-strict. + - Fix display of event loop method with libev. + +8 June 2020: Wouter + - Mention tls name possible when tls is enabled for stub-addr in the + man page. + +27 May 2020: George + - Merge PR #241 by Robert Edmonds: contrib/libunbound.pc.in: Do not use + "Requires:". + +25 May 2020: George + - Update contrib/aaaa-filter-iterator.patch for the recent + generate_sub_request() change and to apply cleanly. + +21 May 2020: George + - Fix for integer overflow when printing RDF_TYPE_TIME. + 19 May 2020: Wouter - CVE-2020-12662 Unbound can be tricked into amplifying an incoming query into a large number of queries directed to a target. diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in index 2f2733773..de5a333bd 100644 --- a/doc/unbound.conf.5.in +++ b/doc/unbound.conf.5.in 
@@ -864,7 +864,7 @@ NXDOMAIN from a DNSSEC signed zone. Default is yes. QNAME minimisation in strict mode. Do not fall-back to sending full QNAME to potentially broken nameservers. A lot of domains will not be resolvable when this option in enabled. Only use if you know what you are doing. -This option only has effect when qname-minimisation is enabled. Default is off. +This option only has effect when qname-minimisation is enabled. Default is no. .TP .B aggressive\-nsec: \fI Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN @@ -1614,6 +1614,9 @@ Name of stub zone nameserver. Is itself resolved before it is used. .B stub\-addr: \fI IP address of stub zone nameserver. Can be IP 4 or IP 6. To use a nondefault port for DNS communication append '@' with the port number. +If tls is enabled, then you can append a '#' and a name, then it'll check +the tls authentication certificates with that name. If you combine +the '@' and '#', the '@' comes first. .TP .B stub\-prime: \fI This option is by default no. If enabled it performs NS set priming, diff --git a/sldns/parseutil.c b/sldns/parseutil.c index 82dbc0fe1..3515d64c5 100644 --- a/sldns/parseutil.c +++ b/sldns/parseutil.c @@ -167,7 +167,7 @@ sldns_gmtime64_r(int64_t clock, struct tm *result) static int64_t sldns_serial_arithmetics_time(int32_t time, time_t now) { - int32_t offset = time - (int32_t) now; + int32_t offset = (int32_t)((uint32_t) time - (uint32_t) now); return (int64_t) now + offset; } diff --git a/util/ub_event.c b/util/ub_event.c index 9af476ad4..68f633bb0 100644 --- a/util/ub_event.c +++ b/util/ub_event.c @@ -148,7 +148,7 @@ const char* ub_event_get_version(void) return event_get_version(); } -#if (defined(HAVE_EV_LOOP) || defined(HAVE_EV_DEFAULT_LOOP)) && defined(EVBACKEND_SELECT) +#if (defined(HAVE_EV_LOOP) || defined(HAVE_EV_DEFAULT_LOOP)) && defined(EV_FEATURE_BACKENDS) static const char* ub_ev_backend2str(int b) { switch(b) { 
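Review bot: The casts on the new `offset` line in `sldns_serial_arithmetics_time` carry the whole fix, and no comment says why, so a later tidy-up could easily turn them back into the signed subtraction that overflowed. I would add a line above it such as `/* subtract as uint32_t so the difference wraps mod 2^32; the signed form can overflow, which is UB */`. The conversion of the unsigned difference back to `int32_t` is implementation-defined when the value exceeds INT32_MAX; the usual two's-complement compilers give the expected wrapped result, but the same comment should say so. `(uint32_t) now` also truncates a possibly 64-bit `time_t` on purpose, which deserves a mention because `now` is used untruncated on the return line.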
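Review bot: The `#if` before `ub_ev_backend2str` and the `# ifdef` inside `ub_get_event_sys` (the next hunk) must test the same macro, and nothing in the code says so or explains the choice of `EV_FEATURE_BACKENDS`. If the two ever diverge, the helper is either defined but unused or called without a definition. As far as I know `EVBACKEND_SELECT` is an enumerator in libev's header rather than a macro, which would explain why the old `defined()` test never matched. A comment at the first guard such as `/* EVBACKEND_* are enum values, not macros; test a macro from ev.h instead */` would keep someone from reverting it. Both function bodies continue outside the hunks.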
@@ -184,7 +184,7 @@ ub_get_event_sys(struct ub_event_base* base, const char** n, const char** s,
 *n = "libev";
 if (!b)
 b = (struct event_base*)ev_default_loop(EVFLAG_AUTO);
-# ifdef EVBACKEND_SELECT
+# ifdef EV_FEATURE_BACKENDS
 *m = ub_ev_backend2str(ev_backend((struct ev_loop*)b));
 # else
 *m = "not obtainable";