From 66e793f9c3fed746f9aca737c85355dbbab9ea44 Mon Sep 17 00:00:00 2001 From: Ryan Keane Date: Sat, 15 Jun 2024 20:45:29 -0400 Subject: [PATCH] unbound: Update to 1.20.0 Updated 010-configure-uname.patch as source changed. Removed 100-example-conf-in.patch as not needed any more. Release message: This release has a fix for the DNSBomb issue CVE-2024-33655. This has a low severity for Unbound, since it makes Unbound complicit in targeting others, but does not affect Unbound so much. To mitigate the issue new configuration options are introduced. The options discard-timeout: 1900, wait-limit: 1000 and wait-limit-cookie: 10000 are enabled by default. They limit the number of outstanding queries that a querier can have. This limits the reply pulse, and make Unbound less favorable for the issue. With the config wait-limit-netblock and wait-limit-cookie-netblock the parameters can be fine tuned for specific destinations. More information on the attack and Unbound's mitigations are presented further down. Other fixes in this release are that Unbound no longer follows symlinks when truncating the pidfile. Unbound also does not chown the pidfile, this is for safety reasons. There are also a number of fixes for RPZ, in handling CNAMEs. There is a memory leak fix for the edns client subnet cache. For DNSSEC validation a case is fixed when the query is of type DNAME. The unbound-anchor program is fixed to first write to a temporary file, before replacing the original. This handles disk full situations, and because of it unbound-anchor needs permission to create that file, in the same directory as the original file. There is also a fix for IP_DONTFRAG, to disable fragmentation instead of the opposite. The option cache-min-negative-ttl can be used to set the minimum TTL for negative responses in the cache. It complements existing options to set the maximum ttl for negative responses and to set the minimum and maximum ttl but not specifically for negative responses. The option cachedb-check-when-serve-expired option makes Unbound use cachedb to check for expired responses, when serve-expired is enabled, and cachedb is used. It is enabled by default. The -q option for unbound-checkconf can be added to silence it when there are no errors. Signed-off-by: Ryan Keane (cherry picked from commit d421db0527f41ae48ecff56501de2d56217f1182) --- net/unbound/Makefile | 6 +- net/unbound/patches/010-configure-uname.patch | 2 +- net/unbound/patches/100-example-conf-in.patch | 83 ------------------- 3 files changed, 4 insertions(+), 87 deletions(-) delete mode 100644 net/unbound/patches/100-example-conf-in.patch diff --git a/net/unbound/Makefile b/net/unbound/Makefile index 06fd877edc..d45d6c45a4 100644 --- a/net/unbound/Makefile +++ b/net/unbound/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=unbound -PKG_VERSION:=1.19.3 -PKG_RELEASE:=2 +PKG_VERSION:=1.20.0 +PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://nlnetlabs.nl/downloads/unbound -PKG_HASH:=3ae322be7dc2f831603e4b0391435533ad5861c2322e34a76006a9fb65eb56b9 +PKG_HASH:=56b4ceed33639522000fd96775576ddf8782bb3617610715d7f1e777c5ec1dbf PKG_MAINTAINER:=Eric Luehrsen PKG_LICENSE:=BSD-3-Clause diff --git a/net/unbound/patches/010-configure-uname.patch b/net/unbound/patches/010-configure-uname.patch index 9b87f8ec2b..95ab8f5b83 100644 --- a/net/unbound/patches/010-configure-uname.patch +++ b/net/unbound/patches/010-configure-uname.patch @@ -3,7 +3,7 @@ Fix cross compile errors by inserting an environment variable for the target. Use "uname" on host only if "UNAME" variable is empty. --- a/configure.ac +++ b/configure.ac -@@ -845,7 +845,7 @@ if test x_$ub_test_python != x_no; then +@@ -849,7 +849,7 @@ if test x_$ub_test_python != x_no; then fi fi diff --git a/net/unbound/patches/100-example-conf-in.patch b/net/unbound/patches/100-example-conf-in.patch deleted file mode 100644 index 15cfc05625..0000000000 --- a/net/unbound/patches/100-example-conf-in.patch +++ /dev/null @@ -1,83 +0,0 @@ -OpenWrt (modification): -Patch the default configuration file with the tiny memory -configuration example from Unbound documentation. This is the best -starting point for embedded routers if one is not going to use UCI. ---- a/doc/example.conf.in -+++ b/doc/example.conf.in -@@ -19,6 +19,76 @@ server: - # verbosity number, 0 is least verbose. 1 is default. - # verbosity: 1 - -+ ############################################################################ -+ # MEMORY CONTROL EXAMPLE -+ # In the example config settings below memory usage is reduced. Some ser- -+ # vice levels are lower, notable very large data and a high TCP load are -+ # no longer supported ... are exceptional for the DNS. -+ # (http://unbound.net/documentation/unbound.conf.html) -+ ############################################################################ -+ -+ # Self jail Unbound with user "unbound" to /var/lib/unbound -+ # The script /etc/init.d/unbound will setup the location -+ username: "unbound" -+ directory: "/var/lib/unbound" -+ chroot: "/var/lib/unbound" -+ -+ # The pid file is created before privleges drop so no concern -+ pidfile: "/var/run/unbound.pid" -+ -+ # no threads and no memory slabs for threads -+ num-threads: 1 -+ msg-cache-slabs: 1 -+ rrset-cache-slabs: 1 -+ infra-cache-slabs: 1 -+ key-cache-slabs: 1 -+ -+ # don't be picky about interfaces but consider your firewall -+ interface: 0.0.0.0 -+ interface: ::0 -+ access-control: 0.0.0.0/0 allow -+ access-control: ::0/0 allow -+ -+ # this limits TCP service but uses less buffers -+ outgoing-num-tcp: 1 -+ incoming-num-tcp: 1 -+ -+ # use somewhat higher port numbers versus possible NAT issue -+ outgoing-port-permit: "10240-65335" -+ -+ # uses less memory but less performance -+ outgoing-range: 60 -+ num-queries-per-thread: 30 -+ -+ # exclude large responses -+ msg-buffer-size: 8192 -+ -+ # tiny memory cache -+ infra-cache-numhosts: 200 -+ msg-cache-size: 100k -+ rrset-cache-size: 100k -+ key-cache-size: 100k -+ neg-cache-size: 10k -+ -+ # gentle on recursion -+ target-fetch-policy: "2 1 0 0 0 0" -+ harden-large-queries: yes -+ harden-short-bufsize: yes -+ -+ # DNSSEC enable by removing comments on "module-config:" and "auto-trust- -+ # -anchor-file:" The init script will copy root key to /var/lib/unbound. -+ # See package documentation for crontab entry to copy RFC5011 results back. -+ #module-config: "validator iterator" -+ #auto-trust-anchor-file: "/var/lib/unbound/root.key" -+ -+ # DNSSEC needs real time to validate signatures. If your device does not -+ # have power off clock (reboot), then you may need this work around. -+ #domain-insecure: "pool.ntp.org" -+ -+ ############################################################################ -+ # Resume Stock example.conf.in -+ ############################################################################ -+ - # print statistics to the log (for every thread) every N seconds. - # Set to "" or 0 to disable. Default is disabled. - # statistics-interval: 0 -- 2.30.2