upstream/unbound
1
0
Fork 0
mirror of https://github.com/NLnetLabs/unbound.git synced 2025-12-20 14:53:15 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions
8126 commits 23 branches 209 tags 123 MiB
Commit graph

8126 commits

This branch
This branch
All branches
Author SHA1 Message Date
Wouter Wijngaards
aa21e38b3a
Fix for analysis and ports workflows iOS, Windows (#1361)
Some checks failed
ci / build (push) Has been cancelled
Details 
* - Remove SDK_VERSION and only run failed jobs, echo windows config.log

* Use commented out to fix syntax of ci.

* - Turn off succeeded tests, only link libssp for cross compile, use
no-shared for openssl ios.

* - Remove iPhone armv7s, and iPhoneSimulator i386 from ios ci.
  The lib system does not provide symbols for it on the new macos
  runner.
- Fix to exclude libssp for windows compiles.
 2025-10-15 16:12:39 +02:00
W.C.A. Wijngaards
964848b94a - Fix unbound.conf man page entry for root-hints to say it can 
be used without strongly recommending it.
 2025-10-15 15:40:47 +02:00
Yorgos Thessalonikefs
a4dd321fd8 - Remove extra gpg instructions from makedist.sh output. 2025-10-15 14:59:48 +02:00
Yorgos Thessalonikefs
d23a28a693 - ci: don't fail fast for the analysis_port workflow.
Some checks are pending
ci / build (push) Waiting to run
Details
2025-10-15 14:10:20 +02:00
W.C.A. Wijngaards
5423c0a8e9 Update ios ci with older sdk version to use. 2025-10-15 13:41:36 +02:00
W.C.A. Wijngaards
6a5385f291 - Fix to update openssl version in ios ci. 2025-10-15 12:25:44 +02:00
W.C.A. Wijngaards
16f3478048 - Add extended dns error code for invalid query type to definition 
list.
 2025-10-15 11:39:58 +02:00
W.C.A. Wijngaards
c8860a5fb6 - Fix to reply with SERVFAIL when the wait-limit is exceeded. 2025-10-15 11:36:29 +02:00
W.C.A. Wijngaards
735c96aac7 - Fix to drop UDP for discard-timeout, but not stream connections. 2025-10-15 11:04:22 +02:00
W.C.A. Wijngaards
a75ea01a15 - Fix #1358 Enabling FIPS in OpenSSL causes unit test to fail.
Some checks failed
ci / build (push) Has been cancelled
Details
2025-10-10 09:17:08 +02:00
Yorgos Thessalonikefs
21f02a0865 - Note clearly that 'wait-limit: 0' disables all wait limits. 
- 'wait-limit-cookie: 0' can now disable cookie validated wait
  limits.
 2025-10-03 16:44:44 +02:00
Yorgos Thessalonikefs
e017d66fc1 - Note 'respip' and 'dns64' module order in the unbound.conf 
man page.
 2025-10-03 11:27:26 +02:00
W.C.A. Wijngaards
adaf5dab49 - Fix that https is set up as enabled when the port is listed in 
interface-automatic-ports. Also for the set up of quic it is
  enabled when listed there.
 2025-10-02 10:16:06 +02:00
W.C.A. Wijngaards
feeebc95f8 - Fix for #1344: Fix that respip and dns64 can be enabled at the 
same time, the client info is copied for attach_sub and add_sub
  calls. That makes respip work on dns64 synthesized answers, and
  also makes RPZ work with DNS64. The order for the modules is
  module-config: "respip dns64 validator iterator".
 2025-09-30 11:28:15 +02:00
W.C.A. Wijngaards
187aa52859 - Fix #1344: module conf 'respip dns64 validator cachedb iterator' 
is not known to work.
 2025-09-29 16:11:50 +02:00
W.C.A. Wijngaards
f1fea8dc46 - Fix #1353: auth-zone can not use empty label for $ORIGIN when 
http download.
 2025-09-29 14:24:31 +02:00
Yorgos Thessalonikefs
0c01257d1d Changelog entry for #1351: 
- Merge #1351: ac_cv_func_malloc_0_nonnull for malloc(0) check.
 2025-09-29 13:14:07 +02:00
W.C.A. Wijngaards
50a11ebcc8 - Rebuild configure script from its sources. 2025-09-29 13:13:15 +02:00
Yorgos Thessalonikefs
1e2dc657a1
ac_cv_func_malloc_0_nonnull for malloc(0) check (#1351) 
- For #1339, use the standard variable ac_cv_func_malloc_0_nonnull for
  the malloc(0) check during configure; patch from Helmut Grohne.
 2025-09-29 13:12:27 +02:00
Yorgos Thessalonikefs
843124852f Changelog entry for #1349: 
- Merge #1349: Fix #1346: [FR] Please allow back TLS 1.2.
 2025-09-29 12:10:34 +02:00
W.C.A. Wijngaards
5e2fdff8e5 - Fix fr_atomic_copy_cfg. 2025-09-29 12:08:30 +02:00
Yorgos Thessalonikefs
499a3a7a61
Fix #1346: [FR] Please allow back TLS 1.2. (#1349) 
* 'tls-use-system-policy-versions' is introduced to allow Unbound to use
  any system available TLS version when serving TLS.

* Apply suggestions from code review

---------

Co-authored-by: Wouter Wijngaards <wcawijngaards@users.noreply.github.com>
 2025-09-29 12:03:56 +02:00
W.C.A. Wijngaards
2024c1d050 - Neaten up the change in acx_nlnetlabs.m4 to version 49. 2025-09-29 11:40:14 +02:00
W.C.A. Wijngaards
6cd595a816 - Fix modstack_call_init to use the original string when it has 
changed, to call modstack_config with. And skip the changed name
  in the string correctly. Thanks to Jan Komissar.
 2025-09-29 11:31:50 +02:00
W.C.A. Wijngaards
74cf81e9a7 - Rebuild configure script from its sources. 2025-09-29 10:02:54 +02:00
Yorgos Thessalonikefs
35f6fd47fb - Test for nonstring attribute in configure and add 
nonstring attribute annotations.
 2025-09-26 16:23:55 +02:00
Alex Band
270e099aab
Update Mastodon shield 2025-09-25 21:39:39 +02:00
Yorgos Thessalonikefs
64645e1401 - Avoid calling mesh_detect_cycle_found() when there is no mesh state 
to begin with.
 2025-09-24 14:30:24 +02:00
Yorgos Thessalonikefs
421d317a64 - For #1350, same CAP_NET_ADMIN change for unbound_portable.service.in 
as well.
 2025-09-23 17:42:41 +02:00
Yorgos Thessalonikefs
0b8ed987de Changelog entry for #1350: 
- Merge #1350 from Maryse47: unbound.service.in: allow CAP_NET_ADMIN.
 2025-09-23 17:37:59 +02:00
Yorgos Thessalonikefs
9511797487
Merge pull request #1350 from Maryse47/patch-1 
unbound.service.in: allow CAP_NET_ADMIN and drop CAP_NET_RAW (redundant now).
 2025-09-23 17:37:09 +02:00
Yorgos Thessalonikefs
0b7bb75152 - For #1352, align with the current Python<3 code. 2025-09-23 17:31:55 +02:00
Yorgos Thessalonikefs
88c688ec10 Changelog entry for #1352: 
- Merge #1352 from Petr Vaganov: pythonmod: fix HANDLE_LEAK on
  pythonmod_init.
 2025-09-23 17:15:16 +02:00
Maryse47
81fd1dc71c
unbound.service.in: drop CAP_NET_RAW 
CAP_NET_RAW is unnecessary after CAP_NET_ADMIN was added
 2025-09-23 17:13:31 +02:00
Yorgos Thessalonikefs
69217cf675
Merge pull request #1352 from petrvaganoff/dev-52227 
pythonmod: fix HANDLE_LEAK on pythonmod_init
 2025-09-23 17:13:30 +02:00
Petr Vaganov
7c28f1b99c pythonmod: fix HANDLE_LEAK on pythonmod_init 
Found by the static analyzer Svace (ISP RAS).

Handle 'script_py' is created at pythonmod.c:436
by calling function 'fopen' and lost at pythonmod.c:457,465.

Signed-off-by: Petr Vaganov <petrvaganoff@gmail.com>
 2025-09-23 19:51:46 +05:00
Maryse47
fa6340cfa5
unbound.service.in: allow CAP_NET_ADMIN 
Allowing CAP_NET_ADMIN is necessary for SO_SNDBUFFORCE and SO_RCVBUFFORCE calls.
 2025-09-23 13:00:50 +02:00
Yorgos Thessalonikefs
e471e15774 - unbound.conf manpage: explicitly mention RFC6891. 2025-09-19 15:49:07 +02:00
Yorgos Thessalonikefs
ec3db03121 Changelog entry for #1337: 
- Merge #1337: 0 TTL cached replies and some TTL behavior changes.
 2025-09-19 15:01:30 +02:00
Yorgos Thessalonikefs
e2bf773089 Merge branch 'features/no-ttl-zero-cacherep' 2025-09-19 14:56:04 +02:00
Yorgos Thessalonikefs
3017a0aa52 - Update README.man with clearer text. 2025-09-19 10:03:10 +02:00
W.C.A. Wijngaards
8419e9780e - Fix to remove configure~ from release tarballs. 2025-09-19 09:46:34 +02:00
W.C.A. Wijngaards
c429c4ab96 - Tag for 1.24.0 release. Includes the fixes below after rc1. 
The repository continues with version 1.24.1.
 2025-09-18 10:57:37 +02:00
Yorgos Thessalonikefs
bc61034f60
code review: use proper roundrobin index 
Co-authored-by: Wouter Wijngaards <wcawijngaards@users.noreply.github.com>
 2025-09-17 12:19:20 +02:00
Yorgos Thessalonikefs
2dd821c257 - Too many quotes for the EDE message debug printout. 2025-09-17 11:27:16 +02:00
W.C.A. Wijngaards
713b5db537 - Fix to print warning for when so-sndbuf setsockopt is not granted. 2025-09-15 16:11:27 +02:00
Yorgos Thessalonikefs
c3a8d5251f - Small debug output improvement when attaching an EDE. 2025-09-15 12:06:49 +02:00
Yorgos Thessalonikefs
73e408f1d0 A few changes for TTL processing: 
- Cached messages that reach 0 TTL are considered expired. This prevents
  Unbound itself from issuing replies with TTL 0 and possibly causing a
  thundering herd at the last second. Upstream replies of TTL 0 still
  get the usual pass-through but they are not considered for caching
  from Unbound or any of its caching modules.
- 'serve-expired-reply-ttl' is changed and is now capped by the original
  TTL value of the record to try and make some sense when replying
  with expired records.
- TTL decoding was updated to adhere to RFC8767 section 4 where a set
  high-order bit means the value is positive instead of 0.
 2025-09-15 10:03:35 +02:00
Yorgos Thessalonikefs
d521135f66 Merge branch 'master' into features/no-ttl-zero-cacherep 2025-09-12 15:24:06 +02:00
W.C.A. Wijngaards
d71ead5598 - Update contrib/aaaa-filter-iterator.patch so it applies on 1.24.0. 2025-09-11 13:23:51 +02:00