unbound: Update to 1.20.0

Updated 010-configure-uname.patch as source changed.
Removed 100-example-conf-in.patch as not needed any more.

Release message:

This release has a fix for the DNSBomb issue CVE-2024-33655. This has a
low severity for Unbound, since it makes Unbound complicit in targeting
others, but does not affect Unbound so much.

To mitigate the issue new configuration options are introduced.
The options discard-timeout: 1900, wait-limit: 1000
and wait-limit-cookie: 10000 are enabled by default. They limit the
number of outstanding queries that a querier can have. This limits
the reply pulse, and make Unbound less favorable for the issue.
With the config wait-limit-netblock and wait-limit-cookie-netblock
the parameters can be fine tuned for specific destinations.
More information on the attack and Unbound's mitigations are
presented further down.

Other fixes in this release are that Unbound no longer follows symlinks
when truncating the pidfile. Unbound also does not chown the pidfile,
this is for safety reasons. There are also a number of fixes for RPZ, in
handling CNAMEs. There is a memory leak fix for the edns client subnet
cache. For DNSSEC validation a case is fixed when the query is of type
DNAME. The unbound-anchor program is fixed to first write to a temporary
file, before replacing the original. This handles disk full situations,
and because of it unbound-anchor needs permission to create that file,
in the same directory as the original file. There is also a fix for
IP_DONTFRAG, to disable fragmentation instead of the opposite.

The option cache-min-negative-ttl can be used to set the minimum TTL
for negative responses in the cache. It complements existing options to
set the maximum ttl for negative responses and to set the minimum and
maximum ttl but not specifically for negative responses.

The option cachedb-check-when-serve-expired option makes Unbound use
cachedb to check for expired responses, when serve-expired is enabled,
and cachedb is used. It is enabled by default.

The -q option for unbound-checkconf can be added to silence it when
there are no errors.

Signed-off-by: Ryan Keane <the.ra2.ifv@gmail.com>
(cherry picked from commit d421db0527f41ae48ecff56501de2d56217f1182)

diff --git a/net/unbound/Makefile b/net/unbound/Makefile
index 06fd877edc4ad3814a73b16b84b19122b0e4cd21..d45d6c45a41608a070bdeea8ba2a5eb114934514 100644 (file)
--- a/net/unbound/Makefile
+++ b/net/unbound/Makefile
@@ -8,12 +8,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=unbound
-PKG_VERSION:=1.19.3
-PKG_RELEASE:=2
+PKG_VERSION:=1.20.0
+PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://nlnetlabs.nl/downloads/unbound
-PKG_HASH:=3ae322be7dc2f831603e4b0391435533ad5861c2322e34a76006a9fb65eb56b9
+PKG_HASH:=56b4ceed33639522000fd96775576ddf8782bb3617610715d7f1e777c5ec1dbf
 
 PKG_MAINTAINER:=Eric Luehrsen <ericluehrsen@gmail.com>
 PKG_LICENSE:=BSD-3-Clause

diff --git a/net/unbound/patches/010-configure-uname.patch b/net/unbound/patches/010-configure-uname.patch
index 9b87f8ec2b777e13f1d2a722860ce96a3950a1f9..95ab8f5b83008f141d420623ef480550732ca03e 100644 (file)
--- a/net/unbound/patches/010-configure-uname.patch
+++ b/net/unbound/patches/010-configure-uname.patch
@@ -3,7 +3,7 @@ Fix cross compile errors by inserting an environment variable for the
 target. Use "uname" on host only if "UNAME" variable is empty.
 --- a/configure.ac
 +++ b/configure.ac
-@@ -845,7 +845,7 @@ if test x_$ub_test_python != x_no; then
+@@ -849,7 +849,7 @@ if test x_$ub_test_python != x_no; then
     fi
  fi
  

diff --git a/net/unbound/patches/100-example-conf-in.patch b/net/unbound/patches/100-example-conf-in.patch
deleted file mode 100644 (file)
index 15cfc05..0000000
--- a/net/unbound/patches/100-example-conf-in.patch
+++ /dev/null
@@ -1,83 +0,0 @@
-OpenWrt (modification):
-Patch the default configuration file with the tiny memory
-configuration example from Unbound documentation. This is the best
-starting point for embedded routers if one is not going to use UCI.
---- a/doc/example.conf.in
-+++ b/doc/example.conf.in
-@@ -19,6 +19,76 @@ server:
-       # verbosity number, 0 is least verbose. 1 is default.
-       # verbosity: 1
- 
-+      ############################################################################
-+      # MEMORY CONTROL EXAMPLE
-+      # In the example config settings below memory usage is reduced. Some ser-
-+      # vice levels are lower, notable very large data and a high TCP load are
-+      # no longer supported ... are exceptional for the DNS.
-+      # (http://unbound.net/documentation/unbound.conf.html)
-+      ############################################################################
-+
-+      # Self jail Unbound with user "unbound" to /var/lib/unbound
-+      # The script /etc/init.d/unbound will setup the location
-+      username: "unbound"
-+      directory: "/var/lib/unbound"
-+      chroot: "/var/lib/unbound"
-+
-+      # The pid file is created before privleges drop so no concern
-+      pidfile: "/var/run/unbound.pid"
-+
-+      # no threads and no memory slabs for threads
-+      num-threads: 1
-+      msg-cache-slabs: 1
-+      rrset-cache-slabs: 1
-+      infra-cache-slabs: 1
-+      key-cache-slabs: 1
-+
-+      # don't be picky about interfaces but consider your firewall
-+      interface: 0.0.0.0
-+      interface: ::0
-+      access-control: 0.0.0.0/0 allow
-+      access-control: ::0/0 allow
-+
-+      # this limits TCP service but uses less buffers
-+      outgoing-num-tcp: 1
-+      incoming-num-tcp: 1
-+
-+      # use somewhat higher port numbers versus possible NAT issue
-+      outgoing-port-permit: "10240-65335"
-+
-+      # uses less memory but less performance
-+      outgoing-range: 60
-+      num-queries-per-thread: 30
-+
-+      # exclude large responses
-+      msg-buffer-size: 8192
-+
-+      # tiny memory cache
-+      infra-cache-numhosts: 200
-+      msg-cache-size: 100k
-+      rrset-cache-size: 100k
-+      key-cache-size: 100k
-+      neg-cache-size: 10k
-+
-+      # gentle on recursion
-+      target-fetch-policy: "2 1 0 0 0 0"
-+      harden-large-queries: yes
-+      harden-short-bufsize: yes
-+
-+      # DNSSEC enable by removing comments on "module-config:" and "auto-trust-
-+      # -anchor-file:" The init script will copy root key to /var/lib/unbound.
-+      # See package documentation for crontab entry to copy RFC5011 results back.
-+      #module-config: "validator iterator"
-+      #auto-trust-anchor-file: "/var/lib/unbound/root.key"
-+
-+      # DNSSEC needs real time to validate signatures. If your device does not
-+      # have power off clock (reboot), then you may need this work around.
-+      #domain-insecure: "pool.ntp.org"
-+
-+      ############################################################################
-+      # Resume Stock example.conf.in
-+      ############################################################################
-+
-       # print statistics to the log (for every thread) every N seconds.
-       # Set to "" or 0 to disable. Default is disabled.
-       # statistics-interval: 0