- While here, fix format of $FreeBSD$ tag in rc script
- Also remove fbsd:nokeywords and add svn:keywords to rc script
PR: 203059
Submitted by: Gregorio Guidi <gregorio.guidi@gmail.com> (original patch)
Approved by: Leo Vandewoestijne <freebsd@dns-lab.com> (maintainer)
* Replace Jansson with YAJL for JSON rendering, which results in a
substantial performance improvement.
* dnstable_dump: Add "--rrset_names" and "--rdata_names" options which dump
the RRSET_NAME_FWD and RDATA_NAME_REV indices.
* New function dnstable_reader_reload_setfile(), which calls
mtbl_fileset_reload_now() on a dnstable_reader object's underlying
mtbl_fileset object, if present. This requires libmtbl >= 0.8.0.
Sponsored by: Farsight Security, Inc.
[ Henry Stern ]
* wdns_str_to_rdata(): New function.
* wdns_str_to_rrclass(): New function.
[ Robert Edmonds ]
* examples/wdns-dump-file: New utility.
Sponsored by: Farsight Security, Inc.
FEATURES:
- RFC7553 RR Type URI support.
- removed hardcoded interface limit, --with-max-ips removed.
- Admitted axfrs are logged at verbosity 1. Refused at verbosity 2.
Major BUG FIXES:
- Fix NSID response for short edns sizes.
- Fix that for expired zones NSD performs an AXFR and accepts newer
and older serial numbers.
PR: 203231
Submitted by: Jaap Akkerhuis <jaap@NLnetLabs.nl> (maintainer)
Sponsored by: DK Hostmaster A/S
- Move Perl's man1 files along with its man3 files.
- Move where Perl installs its modules man1 pages.
- Convert the ports installing man1 pages.
- Make different Perl versions installable at the same time.
Though you should note that only the default version can be used to
install Perl modules, and the non default Perl versions cannot use the
modules installed via ports if they contain .so as they are installed
in a version specific directory.
Reviewed by: bapt (the Mk bits)
Exp-run by: antoine
Sponsored by: Absolight
Differential Revision: https://reviews.freebsd.org/D3542
- QPS Limit total
- QPS Limit per IP address or subnet
- Modify query to remove RD bit
PR: 202955
Submitted by: Carlos J Puga Medina <cpm@fbsd.es> (maintainer)
This is a port of dnscrypt-wrapper, which adds dnscrypt support to any name
resolver. It is the server-side counterpart of dnscrypt-proxy, and is in
fact derived from its source.
PR: 200015
Submitted by: freebsd@toyingwithfate.com
Approved by: feld (mentor)
Differential Revision: https://reviews.freebsd.org/D3535
UNIQUENAME was never unique, it was only used by USE_LDCONFIG and now,
we won't have conflicts there.
Use PKGBASE instead of LATEST_LINK in PKGLATESTFILE, the *only* consumer
is pkg-devel, and it works just fine without LATEST_LINK as pkg-devel
has the correct PKGNAME anyway.
Now that UNIQUENAME is gone, OPTIONSFILE is too. (it's been called
OPTIONS_FILE now.)
Reviewed by: antoine, bapt
Exp-run by: antoine
Sponsored by: Absolight
Differential Revision: https://reviews.freebsd.org/D3336
64 bit linuxulator support (not activated by default):
- most of the work was done by Alan Jude
- all errors are mine
- 64bit (may) have rough edges
- I validated
* that the 32bit part doesn't have deinstall regressions (incl. EXP runs by
antoine)
* 29 of 72 64bit ports don't have deinstall leftovers (more validation
later, when I dare to activate the 64bit linuxulator in the kernel)
- the infrastructure part looks mature enough to let more test-bunnies get
some experience with the new 64 bit parts
- to use it you shall have no linux ports installed and have to specify
(on your own risk) the following in make.conf before installing the ports:
OVERRIDE_LINUX_BASE_PORT=c6_64
OVERRIDE_LINUX_NONBASE_PORTS=c6_64
This is on top of the existing c6 linux ports. Given that CentOS 7 is 64bits
only, we decided to have it as an "overlay" instead of new ports.
The 64bit part only installs 64bit executables, the 32bit ports can not be
installed at the same time (if needed we can think of letting the 64bit
overlay install the 32bit parts too, but given the CentOS 7 comment
above...).
Differential Revision: https://reviews.freebsd.org/D174
Submitted by: alanjude
Sponsored by: Essen FreeBSD Hackathon 2015
Reviewed by: xmj, eadler (earlier versions)
Approved by: portmgr (antoine after some EXP-runs)
dnsdist is a highly DNS-, DoS- and abuse-aware loadbalancer. Its
goal in life is to route DNS traffic to the best DNS server,
delivering top performance to legitimate users while shunting or
blocking abusive traffic.
WWW: http://dnsdist.org
PR: 202156
Submitted by: Carlos Jacobo Puga Medina <cpm@fbsd.es>
Requested by: pi
axfr2acl transfers A records from the given DNS zones and converts them to
an ACL for use in BIND configuration files.
rpsl2acl queries a set of RPSL database objects (normally route-sets) and
converts them to an ACL for use in BIND configuration files.
WWW: http://www.gnu.org.ua/software/dnstools/
<file> on ELF systems, but this doesn't really do what -export-symbols is
meant to do. On GNU ELF systems it converts <file> to a simple version
script first and then uses -version-script instead of -retain-symbols-file.
Let USES=libtool patch libtool scripts to do this on all systems with GNU
ld(1).
Bump PORTREVISION on all ports where the build log contains -export-symbols.
audio/calf: This port builds a module that now exports only one function,
but it also builds a number of executables that link to this module and
expect to see other functions. Because it's already a bit dodgy to link to
a module (libtool warns about this) let the module continue to export only
one function and instead build an ordinary library from the same source that
the executables can link to. Fix a number of other issues in the same
Makefile.am and clean up the port Makefile.
japanese/scim-honoka: Tries to hide all symbols that start with an
underscore, but because this library is written in C++ all symbols start
with _Z so it ends up hiding everything. Just don't hide anything at all
like the textproc/scim configure script does.
multimedia/schroedinger: Apply an upstream patch.
textproc/scim-input-pad: Same as japanese/scim-honoka.
PR: 201922
Approved by: portmgr (antoine)
Exp-run by: antoine
version 2.74
Fix reversion in 2.73 where --conf-file would attempt to
read the default file, rather than no file.
Fix inotify code to handle dangling symlinks better and
not SEGV in some circumstances.
DNSSEC fix. In the case of a signed CNAME generated by a
wildcard which pointed to an unsigned domain, the wrong
status would be logged, and some necessary checks omitted.
IO::Async::Resolver::DNS extends the IO::Async::Resolver class with extra
methods and resolver functions to perform DNS-specific resolver lookups. It does
not directly provide any methods or functions of its own.
These functions are provided for performing DNS-specific lookups, to obtain MX
or SRV records, for example. For regular name resolution, the usual getaddrinfo
and getnameinfo methods on the standard IO::Async::Resolver should be used.
WWW: http://search.cpan.org/dist/IO-Async-Resolver-DNS/
- most of the work was done by Alan Jude
- all errors are mine
- 64bit (may) have rough edges
- I validated
* that the 32bit part doesn't have deinstall regressions
* 29 of 72 64bit ports don't have deinstall leftovers (more validation
later, when I dare to activate the 64bit linuxulator in the kernel)
- the infrastructure part looks mature enough to let more test-bunnies get
some experience with it
- to use it you shall have no linux ports installed and have to specify
(on your own risk) the following in make.conf before installing the ports:
OVERRIDE_LINUX_BASE_PORT=c6_64
OVERRIDE_LINUX_NONBASE_PORTS=c6_64
This is on top of the existing c6 linux ports. Given that CentOS 7 is 64bits
only, we decided to have it as an "overlay" instead of new ports.
The 64bit part only installs 64bit executables, the 32bit ports can not be
installed at the same time (if needed we can think of letting the 64bit
overlay install the 32bit parts too, but given the CentOS 7 comment
above...).
Differential Revision: https://reviews.freebsd.org/D174
Submitted by: alanjude
Sponsored by: Essen FreeBSD Hackathon 2015
Reviewed by: xmj, eadler (earlier versions)
Approved by: portmgr (implicit, I remember blanket approval for
linux parts loooong ago, punish me if you don't
agree anymore)
To fix three regressions in 2.73:
1) The meaning of --conf-file without an argument changed from "don't
read any conf-file" to "read the default conf-file"
2) A resolv-file which was a dangling symlink at startup causes
problems, up to and including a segmentation fault.
3) Under some circumstances, dnsmasq can use more file descriptors,
and this shows up that the code doesn't handle the limit (normally
1024) in the number of descriptors handled by the select() system call.
- Update to 4.1.2
- Update pkg-plist
- USES: pkg-config is now a global dependency
- OPTIONS: with-system-pgm is now with-pgm, update helpers
- OPTIONS: with-libsodium no longer takes args, update helpers
- Override pkgconfigdir via configure, deprecate USES: pathfix
- Bump PORTREVISION for dependent ports for shared library version
change
While I'm here:
- Whitespace align Makefile
Based on:
PR: 200502
Reported by: Sevan Janiyan <venture37 geeklan co uk>
Submitted by: Jason Unovitch <jason.unovitch gmail com>
MFH: 2015Q2
Security: 10a6d0aa-0b1c-11e5-bb90-002590263bf5
Security: CVE-2014-9721
Git shortlog since rc #9:
Neil Jerram (6):
Fix logging of unknown interface in --bridge-interface, DHPCv4.
Extend --bridge-interface aliasing to DHCPv6.
Allow router advertisements to have the "off-link" bit set.
Upply --bridge-interface aliasing to solicited router advertisements.
Apply --bridge-interfaces to unsolicited router advertisements.
Documenation updates for --bridge-interface and "off-link".
Nicolas Cavallari (1):
Add Dbus methods to create and delete DHCP leases.
Simon Kelley (2):
Add a couple of missed logging strings to the catalogue.
Merge messages and fix makefile process to do this.
Relevant Git shortlog excerpt since -rc8:
Christian Demsar (1):
Man page typo.
John Hanks (1):
Add infiniband to example config file.
Simon Kelley (8):
Remove support for DNS Extended Label Types.
Select correct DHCP context when in PXE bootserver mode.
DHCPv6: DHCPCONFIRM should be OK for any address on link, not just dynamic addresses.
Handle corner cases in NSEC coverage checks.
swigger (1):
Correctly sanitise DNS header bits in answer when recreating query for retry.
FEATURES:
- Synthesize CNAMEs with same TTL as DNAME.
- RFC 7344: CDS and CDNSKEY (read in).
- hmac sha224, sha384 and sha512 support, patch from David Gwynne.
- max-interfaces raised to 32.
BUG FIXES:
- Fix endian.h include for OpenBSD.
- Fix per-zone query class statistics.
- Fixes for wildcard addition and deletion.
- Fixes to zonec origin and b64 read (like in NSD 4.1.2).
- Fix tcp waiting list for zone transfers where the bind and connect calls
fail. (like in NSD 4.1.2)
- Removed compiler warnings from lex about unput and input functions.
NSD 3 is end-of-life. Please install an NSD 4 package if you want to
use NSD. Our support commitment lasts for about a year. For details,
see http://www.nlnetlabs.nl/pipermail/nsd-users/2015-May/002100.html .
PR: 200491
Submitted by: Jaap Akkerhuis <jaap@NLnetLabs.nl> (maintainer)
Add CPE information [2].
Extract from shortlog, omitting irrelevant entries:
Nicolas Cavallari (1):
Constify some DHCP lease management functions.
Simon Kelley (10):
Don't remove RRSIG RR from answers to ANY queries when the do bit is not set.
Handle UDP packet loss when fragmentation of large packets is broken.
Check IPv4-mapped IPv6 addresses with --stop-rebind.
Tweak EDNS timeout code.
Pointer to mail-archive mailing list mirror in doc.html.
Allow T1 and T2 DHCPv4 options to be set.
Use correct DHCP context for PXE-proxy server-id.
Fix buffer overflow introduced in 2.73rc6.
PR: 199955 [2]
Submitted by: shun, amdmi3 [2]
Reviewed by: amdmi3 [2]
Security: 7927165a-0126-11e5-9d98-080027ef73ec
This one allows for GOST in DNSSEC.
Add conflict with upcoming knot2 port.
PR: 199866
Submitted by: Leo Vandewoestijne <freebsd@dns-lab.com> (maintainer)
- Replace ${MASTER_SITE_FOO} with FOO.
- Merge MASTER_SITE_SUBDIR into MASTER_SITES when possible. (This means 99.9%
of the time.)
- Remove occurrences of MASTER_SITE_LOCAL when no subdirectory was present and
no hint of what it should be was present.
- Fix some logic.
- And generally, make things more simple and easy to understand.
While there, add magic values to the FESTIVAL, GENTOO, GIMP, GNUPG, QT and
SAMBA macros.
Also, replace some EXTRACT_SUFX occurrences with USES=tar:*.
Checked by: make fetch-urlall-list
With hat: portmgr
Sponsored by: Absolight
When appropriate:
- Try to use DISTVERSION{SUF,PRE}FIX
- Replace PORTNAME-PORTVERSION by DISTNAME
- Convert MASTER_SITES to use macros
- Other light cleanup
With hat: portmgr
Sponsored by: Absolight
Git shortlog:
Johnny S. Lee (1):
Make get-version work when repo is a git submodule.
Simon Kelley (2):
Logs in DHCPv6 not suppressed by dhcp6-quiet.
Fix argument-order botch which broke DNSSEC for TCP queries.
- Remove an extra blankline from dns/powerdns/distinfo
PR: 199720
Submitted by: Ralf van der Enden
Approved by: bdrewery (mentor)
MFH: 2105Q1
Security: 64e6006e-f009-11e4-98c6-000c292ee6b8
Git shortlog since release candidate #4:
Moshe Levi (1):
Check IP address command line arg in dhcp_release.c
Simon Kelley (7):
Fix crash in auth code with odd configuration.
Auth: correct replies to NS and SOA in .arpa zones.
Note CVE-2015-3294
Log domain when reporting DNSSEC validation failure.
Revert 61b838dd574c51d96fef100285a0d225824534f9 and just quieten log inste
Handle domain names with '.' or /000 within labels.
Tweaks to previous, DNS label charset commit.
Stefan Tomanek (1):
Fix (srk induced) crash in new tftp_no_fail code.
- Add --localstatedir=/var to _LATE_CONFIGURE_ARGS (like --mandir) but not
when CONFIGURE_ARGS already sets it. (GNU configure scripts set it to
PREFIX/var when PREFIX != /usr.)
- Add --localstatedir="${PREFIX}/var" to CONFIGURE_ARGS in some ports so
they aren't affected by this change (for now at least). This commit is
meant to ensure that new ports don't make the same mistake.
- games/acm: the configure script in this port is very old; instead of
patching it more, just replace GNU_CONFIGURE with HAS_CONFIGURE.
- irc/charybdis: it already used /var but adding --localstatedir=/var
changed the behaviour of the configure script; adjust the port to this.
PR: 199506
Exp-run by: antoine
Approved by: portmgr (antoine)
AnyEvent::CacheDNS provides a very simple DNS resolver that caches its results
and can improve the connection times to remote hosts.
WWW: http://search.cpan.org/dist/AnyEvent-CacheDNS/
- Move bison(1) from BUILD_DEPENDS to USES
- Register CONFLICTS with knot-devel-1.*
- Enable compiler messages in batch (package building) mode
- Add new options (DNSTAP, GOST, LMDB)
- Rename IDNA option to our standard (shared) IDN
- Allow to build against `security/libressl' as OPENSSL_PORT
- Switch to using @sample keyword for knot.sample.conf
- Sort pkg-plist and reformat pkg-descr while I'm at it
- Update files/pkg-message.in to include instructions for both new
and legacy rc systems (e.g. FreeBSD 8.4 has service(8), but no
sysrc(8) utility)
PR: 199298
Submitted by: maintainer
Resolves checksum trouble.
Git shortlog between rc#3 and rc#4:
Simon Kelley (4):
Return INSECURE, rather than BOGUS when DS proved not to exist.
Fix compiler warning when not including DNSSEC.
Fix crash caused by looking up servers.bind when many servers defined.
Fix crash on receipt of certain malformed DNS requests.
Stefan Tomanek (2):
add --tftp-no-fail to ignore missing tftp root
Convert to use MASTER_SIGHTS_FARSIGHT.
Differential Revision: https://reviews.freebsd.org/D2235
Approved by: mat (mentor)
Sponsored by: Farsight Security, Inc.
Python bindings for the dnstable library
Differential Revision: https://reviews.freebsd.org/D2231
Approved by: mat (mentor)
Sponsored by: Farsight Security, Inc.
dnstable implements an encoding format for passive DNS data. It
consists of a C library, libdnstable, and several command line
utilities for creating, querying, and merging dnstable data files.
It stores key-value records in Sorted String Table (SSTable) files
and provides high-level interfaces for querying or iterating over
the stored records. dnstable encodes individual records using a
format tailored for efficiently storing passive DNS data and can
quickly perform both "forward" and "inverse" searches.
Differential Revision: https://reviews.freebsd.org/D2214
Approved by: mat (mentor)
Sponsored by: Farsight Security, Inc.
For example (${OSVERSION} >= 900000 && ${OSVERSION} < 900021) is always true,
as is (${OSVERSION} > 900002 || ${OSVERSION} < 900000 && ${OSVERSION} > 800107).
Regarding patches, when an EXTRA_PATCHES is no longer needed, I remove it, when
it is always needed, I renamed it, in one case, I merged two patches.
Differential Revision: https://reviews.freebsd.org/D2209
This is pywdns, a Python extension module implemented in Cython
for the wdns C library.
Differential Revision: https://reviews.freebsd.org/D2200
Approved by: mat (mentor)
Sponsored by: Farsight Security, Inc.
Changes since rc1 (git shortlog):
+ Don't fail DNSSEC when a signed CNAME dangles into an unsigned zone.
+ Return SERVFAIL when validation abandoned.
+ Protect against broken DNSSEC upstreams.
+ DNSSEC fix for non-ascii characters in labels.
+ Allow control characters in names in the cache, handle when logging.
Changes from previous 2.73test6 (taken from CHANGELOG's Git repo):
Don't reply to DHCPv6 SOLICIT messages if we're not
configured to do stateful DHCPv6. Thanks to Win King Wan
for the patch.
Fix broken DNSSEC validation of ECDSA signatures.
Add --dnssec-timestamp option, which provides an automatic
way to detect when the system time becomes valid after boot
on systems without an RTC, whilst allowing DNS queries before the
clock is valid so that NTP can run. Thanks to
Kevin Darbyshire-Bryant for developing this idea.
Categories: archivers, dns, french, japanese, news, port-mgmt, x11-wm
The sysutils port was setting configure argument, so the text wasn't
removed but the value of PTHREAD_LIBS was changed.
approved by: PTHREAD blanket
include GH_PROJECT/GH_ACCOUNT/GH_TAGNAME. This prevents the distfile
having the same name despite changing one of these values and causing
a bad checksum.
Differential Revision: https://reviews.freebsd.org/D2103
Reviewed by: mat
With hat: bdrewery
conflict with the old scheme and cause a "reroll" or "invalid checksums". This
also avoids clobbering the FreeBSD distcache.
Use a revision in the DISTNAME for USE_GITHUB in case we need to bump this
again for anything. It's more a hint of how to handle it in the future.
Reported by: mat
Discussed with: mat, antoine, swills
With hat: portmgr
Using this new scheme allows only setting the _tag_ or _commit hash_ in
GH_TAGNAME and not having to know the hash for a tag. This scheme will
download a tarball that has a different checksum than before due to a changed
directory name for extraction.
The following MASTER_SITES are provided to retain the old checksum and
directory structure (that require GH_COMMIT):
GH -> GHL
GITHUB -> GITHUB_LEGACY
Differential Revision: https://reviews.freebsd.org/D748
Submitted by: amdmi3
Reviewed by: mat, swills, antoine, bdrewery
With hat: portmgr