The main motivations for this release are bug fixes related to use
cases with a large number of zones (more than 50 zones) in combination
with an XFR based setup. Too many concurrent zone transfers cause new
transfers to be held back. These excess transfers however were not
properly scheduled for later.
No migration steps needed when upgrading from OpenDNSSEC 1.4.8.
Bugfixes:
* Add TCP waiting queue. Fix signer getting 'stuck' when adding many
zones at once. Thanks to Haavard Eidnes for bringing this to our attention.
* OPENDNSSEC-723: received SOA serial reported as on disk.
* Fix potential locking issue on SOA serial.
* Crash on shutdown. At all times join xfr and dns handler threads.
* Make handling of notifies more consistent. Previous implementation would
bounce between code paths.
Known Issues:
When using SoftHSM2 compiled with OpenSSL, and libmysql with OpenSSL
as database backend for OpenDNSSEC, "ods-ksmutil key list --verbose"
crashes on exit. This is ultimately a bug in OpenSSL and not new for
this particular release. Make sure you don't use this specific
combination.
From <https://www.opendnssec.org>
PR: 206491
Submitted by: Jaap Akkerhuis <jaap@NLnetLabs.nl> (maintainer)
Sponsored by: DK Hostmaster A/S
- add OPTION for DNSTAP logging support
- rename OPTION s/MUNIN/MUNIN_PLUGIN/ so it is consistent with nsd
- use OPTIONS_SUB
- use ${opt}_target
- use @sample macro for unbound.conf
- sort pkg-plist
Features
- ip-transparent option for FreeBSD with IP_BINDANY socket option.
- insecure-lan-zones: yesno config option, patch from Dag-Erling Smørgrav.
- RR Type CSYNC support RFC 7477, in debug printout and config input.
- RR Type OPENPGPKEY support (draft-ietf-dane-openpgpkey-07).
- [bugzilla: 731] tcp-mss, outgoing-tcp-mss options for unbound.conf, patch
from Daisuke Higashi.
- Support RFC7686: handle ".onion" Special-Use Domain. It is blocked by
default, and can be unblocked with "nodefault" localzone config.
- ub_ctx_set_stub() function for libunbound to config stub zones.
The release fixes line endings in the unbound-control-setup script, and
a potential gost-hash validation failure and handles the ".onion" domain
to avoid privacy leakage.
PR: 207948
Submitted by: jaap@NLnetLabs.nl (maintainer)
- add ability to build against openssl or libressl from ports
- add MUNIN_PLUGIN_IMPLIES= BIND8_STATS
- use @sample macro in pkg-plist for nsd.conf
- s/exec/postexec/ pkg-plist
FEATURES:
- #732: tcp-mss, outgoing-tcp-mss options for nsd.conf, patch
from Daisuke Higashi.
- #739: zonefile changes when mtime is small are detected on reload,
if filesystem supports precision mtime values.
- RR type CSYNC (RFC7477) syntax is supported.
BUG FIXES:
- take advantage of arc4random_uniform if available, patch from
Loganaden Velvindron.
- Fix flto check for OSX clang.
- Define _DEFAULT_SOURCE with _BSD_SOURCE for glibc 2.20 on Linux.
- Fix #736: segfault during zone transfer.
- Fix #744: Fix that NSD replies for configured but unloaded zone
with SERVFAIL, not REFUSED.
PR: 207951
Submitted by: jaap@NLnetLabs.nl (maintainer)
MFH: 2016Q1
Changes:
Fix potential segfault in zone transfer corner case.
NSD 3 is end of life and support stops on May 20th, 2016.
BUG FIXES:
- Define _DEFAULT_SOURCE with _BSD_SOURCE for glibc 2.20 on Linux.
(Same as NSD 4.1.8).
- Fix #736: segfault during zone transfer. (Same as NSD 4.1.8).
PR: 207952
Submitted by: jaap@NLnetLabs.nl (maintainer)
MFH: 2016Q1
Tool suite for analysis and visualization of Domain Name System
(DNS) behavior, including its security extensions (DNSSEC). The
Web-based analysis is run from the same software.
WWW: http://dnsviz.net/
Git shortlog since test release #10:
Simon Kelley (14):
Add TTL parameter to --host-record and --cname.
Add --dhcp-ttl option.
Update CHANGELOG.
Add --tftp-mtu option.
Apply ceiling of lease length to TTL when --dhcp-ttl in use.
Fix --add-subnet when returning empty or default subnet.
Replace incoming EDNS0_OPTION_NOMDEVICEID and EDNS0_OPTION_NOMCPEID options.
Fix typo in last commit.
Check return code from open()
format fix.
Fix pointer declaration botch.
Tidy parsing code.
Fix broken DNSMASQ_USER<x> envvars in script with more than one class.
Tighten syntax checking for dhcp-range and clarify man page.
PR: 207589, 207628
Submitted by: Miroslav Lachman <000.fbsd@quip.cz>, Dan Lukes <dan@obluda.cz>, Chris Hutchinsin <portmaster@bsdforge.com> (maintainer)
Changes:
https://gitlab.labs.nic.cz/labs/knot/raw/1.6/NEWS
- IXFR: Log change of the zone serial number after the transfer
- RRL: Document operational impact of various settings
- RRL: Add support for zero slip (dropping of all limited responses)
- Added 'timer-db' configuration option allowing relocation of timer database
PR: 207414
Submitted by: Leo Vandewoestijne <freebsd@dns-lab.com> (maintainer)
Upstream's CHANGELOG since -test8:
Don't crash with divide-by-zero if an IPv6 dhcp-range is declared as a
whole /64. (ie xx::0 to xx::ffff:ffff:ffff:ffff)
Thanks to Laurent Bendel for spotting this problem.
Changes per diff of the CHANGELOG file:
Fix wrong answer to simple name query when --domain-needed set, but no
upstream servers configured. Dnsmasq returned REFUSED, in this case,
when it should be the same as when upstream servers are configured -
NOERROR. Thanks to Allain Legacy for spotting the problem.
Return REFUSED when running out of forwarding table slots, not SERVFAIL.
Add --max-port configuration. Thanks to Hans Dedecker for the patch.
Add --script-arp and two new functions for the dhcp-script. These are
"arp" and "arp-old" which announce the arrival and removal of entries
in the ARP or neighbour tables.
Extend --add-mac to allow a new encoding of the MAC address as base64,
by configuring --add-mac=base64
Add --add-cpe-id option.
"gqlite3" should have been "gsqlite3", like it was before that SVN commit,
otherwise the build breaks.
Submitted by: Andrew Nichols <andrew@quadrant.net>
- Bump PORTREVISION on dependent ports
Some Upgrade Notes:
This release fixes a validation failure for nodata with wildcards and
emptynonterminals. Fixes OpenSSL Library compatibility. Fixes correct
response for malformed EDNS queries. For crypto in libunbound there is
libnettle support.
Qname minimisation is implemented. Use qname-minimisation: yes to
enable it. This version sends the full query name when an error is
found for intermediate names. It should therefore not fail for names
on nonconformant servers. It combines well with
harden-below-nxdomain: yes because those nxdomains are probed by the
qname minimisation, and that will both stop privacy sensitive traffic
and reduce nonsense traffic to authority servers. So consider
enabling both. In this implementation IPv6 reverse lookups add
several labels per increment, because otherwise those lookups would be
very slow. [ Reference
https://tools.ietf.org/html/draft-ietf-dnsop-qname-minimisation-08 ]
More details at <http://unbound.net>
PR: 206347
Submitted by: Jaap Akkerhuis <jaap@NLnetLabs.nl>
Approved by: maintainer timeout
Sponsored by: DK Hostmaster A/S
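The two unbound options the release notes above recommend enabling together (qname-minimisation and harden-below-nxdomain, from the 1.5.7 notes) and the "nodefault" local-zone override for ".onion" (from the 1.5.8 notes) look like this in a server clause. This fragment is an added illustration and is not part of the commit messages or of the upstream NEWS files; the comments are assumptions about operational intent, not upstream text.

```conf
# unbound.conf, server clause (added example, not from the commit log)
server:
    # Send only as much of the query name as each upstream needs to
    # answer. Available from unbound 1.5.7; off unless set here.
    qname-minimisation: yes

    # Treat a validated NXDOMAIN as covering every name below it, so the
    # intermediate names probed by qname minimisation stop at the first
    # NXDOMAIN instead of generating further upstream traffic.
    harden-below-nxdomain: yes

    # ".onion" (RFC 7686) is refused locally by default from 1.5.8 so the
    # names never leak to upstream resolvers. Only remove that default if
    # you deliberately want such queries forwarded:
    # local-zone: "onion." nodefault
```

Keep the "onion." line commented out unless the leak is intended; the default block is the privacy fix the 1.5.8 notes describe. On the FreeBSD port the installed unbound.conf comes from the @sample file, so local changes belong in the live copy, not the .sample.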