Patch 2 #10
Closed
sh4nnu wants to merge 5 commits into
Merge all the changes from the recent FreeBSD snapshot (HEAD as of today)
into our local copy.
FreeBSD actively maintains this program in their sources and their
repository contains over 100 commits with changes.
Keep the delta between the FreeBSD and NetBSD versions to the absolute
minimum, mostly RCS Id and compatibility fixes.
Major changes in this import:
- Added an option -ldi<N> to control indentation of local variable names.
- Added option -P for loading user-provided files as profiles
- Added -tsn for setting tabsize
- Rename -nsac/-sac ("space after cast") to -ncs/-cs
- Added option -fbs: enables (disables) splitting the function declaration and opening brace across two lines.
- Respect SIMPLE_BACKUP_SUFFIX environment variable in indent(1)
- Group global option variables into an options structure
- Use bsearch() for looking up type keywords.
- Don't produce unneeded space character in function declarators
- Don't unnecessarily add a blank before a comment ends.
- Don't ignore newlines after comments that follow braces.
Merge the FreeBSD indent(1) tests with our ATF framework.
All tests pass.
Upgrade prepared by Manikishan Ghantasala.
Final polishing by myself.
netbsd-srcmastr pushed a commit that referenced this pull request on May 26, 2019
1 March 2019: Wouter
	- output forwarder log in ssl_req_order test.
28 February 2019: Wouter
	- Remove memory leak on pythonmod python2 script file init.
	- Remove swig gcc8 python function cast warnings, they are ignored.
	- Print correct module that failed when module-config is wrong.
27 February 2019: Wouter
	- Fix #4229: Unbound man pages lack information, about access-control order and local zone tags, and elements in views.
	- Fix #14: contrib/unbound.init: Fix wrong comparison judgment before copying.
	- Fix for python module on Windows, fix fopen.
25 February 2019: Wouter
	- Fix #4227: pair event del and add for libevent for tcp_req_info.
21 February 2019: Wouter
	- Fix the error for unknown module in module-config is understandable, and explains it was not compiled in and where to see the list.
	- In example.conf explain where to put cachedb module in module-config.
	- In man page and example config explain that most modules have to be listed at the start of module-config.
20 February 2019: Wouter
	- Fix pythonmod include and sockaddr_un ifdefs for compile on Windows, and for libunbound.
18 February 2019: Wouter
	- Print query name with ip_ratelimit exceeded log lines.
	- Spaces instead of tabs in that log message.
	- Print query name and IP address when domain rate limit exceeded.
14 February 2019: Wouter
	- Fix capsforid canonical sort qsort callback.
11 February 2019: Wouter
	- Note default for module-config in man page.
	- Fix recursion lame test for qname minimisation asked queries, that were not present in the set of prepared answers.
	- Fix #13: Remove left-over requirements on OpenSSL >= 1.1.0 for cert name matching, from man page.
	- make depend, with newer gcc, nicer layout.
7 February 2019: Wouter
	- Fix #4206: OpenSSL 1.0.2 hostname verification for FreeBSD 11.2.
	- Fix that qname minimisation does not skip a label when missing nameserver targets need to be fetched.
	- Fix #4225: clients seem to erroneously receive no answer with DNS-over-TLS and qname-minimisation.
4 February 2019: Wouter
	- Fix that log-replies prints the correct name for local-alias names, for names that have a CNAME in local-data configuration. It logs the original query name, not the target of the CNAME.
	- Add local-zone type inform_redirect, which logs like type inform, and redirects like type redirect.
	- Perform canonical sort for 0x20 capsforid compare of replies, this sorts rrsets in the authority and additional section before comparison, so that out of order rrsets do not cause failure.
31 January 2019: Wouter
	- Set ub_ctx_set_tls call signature in ltrace config file for libunbound in contrib/libunbound.so.conf.
	- improve documentation for tls-service-key and forward-first.
	- #10: fixed pkg-config operations, PKG_PROG_PKG_CONFIG moved out of conditional section, fixes systemd builds, from Enrico Scholz.
	- #9: For openssl 1.0.2 use the CRYPTO_THREADID locking callbacks, still supports the set_id_callback previous API. And for 1.1.0 no locking callbacks are needed.
	- #8: Fix OpenSSL without ENGINE support compilation.
	- Wipe TLS session key data from memory on exit.
30 January 2019: Ralph
	- Fix case in which query timeout can result in marking delegation as edns_lame_known.
29 January 2019: Wouter
	- Fix spelling of tls-ciphers in example.conf.in.
	- Fix #4224: auth_xfr_notify.rpl test broken due to typo
	- Fix locking for libunbound context setup with broken port config.
28 January 2019: Wouter
	- ub_ctx_set_tls call for libunbound that enables DoT for the machines set with ub_ctx_set_fwd. Patch from Florian Obser.
	- Set build system for added call in the libunbound API.
	- List example config for root zone copy locally hosted with auth-zone as suggested from draft-ietf-dnsop-7706-bis-02. But with updated B root address.
	- set version to 1.9.0 for release. And this was released with the spelling for tls-ciphers fix as 1.9.0 on Feb 5. Trunk has 1.9.1 in development.
25 January 2019: Wouter
	- Fix that tcp for auth zone and outgoing does not remove and then gets the ssl read again applied to the deleted commpoint.
	- updated contrib/fastrpz.patch to cleanly diff.
	- no lock when threads disabled in tcp request buffer count.
	- remove compile warnings from libnettle compile.
	- output of newer lex 2.6.1 and bison 3.0.5.
24 January 2019: Wouter
	- Newer aclocal and libtoolize used for generating configure scripts, aclocal 1.16.1 and libtoolize 2.4.6.
	- Fix unit test for python 3.7 new keyword 'async'.
	- clang analysis fixes, assert arc4random buffer in init, no check for already checked delegation pointer in iterator, in testcode check for NULL packet matches, in perf do not copy from NULL start list when growing capacity. Adjust host and file only when present in test header read to please checker. In testcode for unknown macro operand give zero result. Initialise the passed argv array in test code. In test code add EDNS data segment copy only when nonempty.
	- Patch from Florian Obser fixes some compiler warnings:
	  include mini_event.h to have a prototype for mini_ev_cmp
	  include edns.h to have a prototype for apply_edns_options
	  sldns_wire2str_edns_keepalive_print is only called in the wire2str module, declare it static to get rid of compiler warning: no previous prototype for function
	  infra_find_ip_ratedata() is only called in the infra module, declare it static to get rid of compiler warning: no previous prototype for function
	  do not shadow local variable buf in authzone
	  auth_chunks_delete and az_nsec3_findnode are only called in the authzone module, declare them static to get rid of compiler warning: no previous prototype for function...
	  copy_rrset() is only called in the respip module, declare it static to get rid of compiler warning: no previous prototype for function 'copy_rrset'
	  no need for another variable "r"; gets rid of compiler warning: declaration shadows a local variable in libunbound.c
	  no need for another variable "ns"; gets rid of compiler warning: declaration shadows a local variable in iterator.c
	- Moved includes and make depend.
23 January 2019: Wouter
	- Patch from Manabu Sonoda with tls-ciphers and tls-ciphersuites options for unbound.conf.
	- Fixes for the patch, and man page entry.
	- Fix configure to detect SSL_CTX_set_ciphersuites, for better library compatibility when compiling.
	- Patch for TLS session resumption from Manabu Sonoda, enable with tls-session-ticket-keys in unbound.conf.
	- Fixes for patch (includes, declarations, warnings). Free at end and keep config options in order read from file to keep the first one as the first one.
	- Fix for IXFR fallback to reset counter when IXFR does not timeout.
22 January 2019: Wouter
	- Fix space calculation for tcp req buffer size.
	- Doc for stream-wait-size and unit test.
	- unbound-control stats has mem.streamwait that counts TCP and TLS waiting result buffers.
	- Fix for #4219: secondaries not updated after serial change, unbound falls back to AXFR after IXFR gives several timeout failures.
	- Fix that auth zone after IXFR fallback tries the same master.
21 January 2019: Wouter
	- Fix tcp idle timeout test, for difference in the tcp reply code.
	- Unit test for tcp request reorder and timeouts.
	- Unit tests for ssl out of order processing.
	- Fix that multiple dns fragments can be carried in one TLS frame.
	- Add stream-wait-size: 4m config option to limit the maximum memory used by waiting tcp and tls stream replies. This avoids a denial of service where these replies use up all of the memory.
17 January 2019: Wouter
	- For caps-for-id fallback, use the whitelist to avoid timeout starting a fallback sequence for it.
	- increase mesh max activation count for capsforid long fetches.
16 January 2019: Ralph
	- Get ready for the DNS flag day: remove EDNS lame procedure, do not re-query without EDNS after timeout.
15 January 2019: Wouter
	- In the out of order processing, reset byte count for (potential) partial read.
	- Review fixes in out of order processing.
14 January 2019: Wouter
	- streamtcp option -a send queries consecutively and prints answers as they arrive.
	- Fix for out of order processing administration quit cleanup.
	- unit test for tcp out of order processing.
11 January 2019: Wouter
	- Initial commit for out-of-order processing for TCP and TLS.
9 January 2019: Wouter
	- Log query name for looping module errors.
8 January 2019: Wouter
	- Fix syntax in comment of local alias processing.
	- Fix NSEC3 record that is returned in wildcard replies from auth-zone zones with NSEC3 and wildcards.
7 January 2019: Wouter
	- On FreeBSD warn if sysctl settings do not allow server TCP FASTOPEN, and server tcp fastopen is enabled at compile time.
	- Document interaction between the tls-upstream option in the server section and forward-tls-upstream option in the forward-zone sections.
	- Add contrib/unbound-fuzzme.patch from Jacob Hoffman-Andrews, the patch adds a program used for fuzzing.
12 December 2018: Wouter
	- Fix for crash in dns64 module if response is null.
10 December 2018: Wouter
	- Fix config parser memory leaks.
	- ip-ratelimit-factor of 1 allows all traffic through, instead of the previous blocking everything.
	- Fix for FreeBSD port make with dnscrypt and dnstap enabled.
	- Fix #4206: support openssl 1.0.2 for TLS hostname verification, alongside the 1.1.0 and later support that is already there.
	- Fixup openssl 1.0.2 compile
6 December 2018: Wouter
	- Fix dns64 allocation in wrong region for returned internal queries.
3 December 2018: Wouter
	- Fix icon, no ragged edges and nicer resolutions available, for eg. Win 7 and Windows 10 display.
	- cache-max-ttl also defines upperbound of initial TTL in response.
30 November 2018: Wouter
	- Patch for typo in unbound.conf man page.
	- log-tag-queryreply: yes in unbound.conf tags the log-queries and log-replies in the log file for easier log filter maintenance.
29 November 2018: Wouter
	- iana portlist updated.
	- Fix chroot auth-zone fix to remove chroot prefix.
	- tag for 1.8.2rc1, which became 1.8.2 on 4 dec 2018, with icon updated. Trunk contains 1.8.3 in development. Which became 1.8.3 on 11 december with only the dns64 fix of 6 dec. Trunk then became 1.8.4 in development.
	- Fix that unbound-checkconf does not complain if the config file is not placed inside the chroot.
	- Refuse to start with no ports.
	- Remove clang analysis warnings.
28 November 2018: Wouter
	- Fix leak in chroot fix for auth-zone.
	- Fix clang analysis for outside directory build test.
27 November 2018: Wouter
	- Fix DNS64 to not store intermediate results in cache, this avoids other threads from picking up the wrong data. The module restores the previous no_cache_store setting when the module is finished.
	- Fix #4208: 'stub-no-cache' and 'forward-no-cache' not work.
	- New and better fix for Fix #4193: Fix that prefetch failure does not overwrite valid cache entry with SERVFAIL.
	- auth-zone give SERVFAIL when expired, fallback activates when expired, and this is documented in the man page.
	- stat count SERVFAIL downstream auth-zone queries for expired zones.
	- Put new logos into windows installer.
	- Fix windows compile for new rrset roundrobin fix.
	- Update contrib fastrpz patch for latest release.
26 November 2018: Wouter
	- Fix to not set GLOB_NOSORT so the unbound.conf include: files are sorted and in a predictable order.
	- Fix #4193: Fix that prefetch failure does not overwrite valid cache entry with SERVFAIL.
	- Add unbound-control view_local_datas command, like local_datas.
	- Fix that unbound-control can send file for view_local_datas.
22 November 2018: Wouter
	- With ./configure --with-pyunbound --with-pythonmodule PYTHON_VERSION=3.6 or with 2.7 unbound can compile and unit tests succeed for the python module.
	- pythonmod logs the python error and traceback on failure.
	- ignore debug python module for test in doxygen output.
	- review fixes for python module.
	- Fix #4209: Crash in libunbound when called from getdns.
	- auth zone zonefiles can be in a chroot, the chroot directory components are removed before use.
	- Fix that empty zonefile means the zonefile is not set and not used.
	- make depend.
21 November 2018: Wouter
	- Scrub NS records from NODATA responses as well.
20 November 2018: Wouter
	- Scrub NS records from NXDOMAIN responses to stop fragmentation poisoning of the cache.
	- Add patch from Jan Vcelak for pythonmod, add sockaddr_storage getters, add support for query callbacks, allow raw address access via comm_reply and update API documentation.
	- Removed compile warnings in pythonmod sockaddr routines.
19 November 2018: Wouter
	- Support SO_REUSEPORT_LB in FreeBSD 12 with the so-reuseport: yes option in unbound.conf.
6 November 2018: Ralph
	- Bugfix min-client-subnet-ipv6
25 October 2018: Ralph
	- Add min-client-subnet-ipv6 and min-client-subnet-ipv4 options.
25 October 2018: Wouter
	- Fix #4191: NXDOMAIN vs SERVFAIL during dns64 PTR query.
	- Fix #4190: Please create a "ANY" deny option, adds the option deny-any: yes in unbound.conf. This responds with an empty message to queries of type ANY.
	- Fix #4141: More randomness to rrset-roundrobin.
	- Fix #4132: Openness/closeness of RANGE intervals in rpl files.
	- Fix #4126: RTT_band too low on VSAT links with 600+ms latency, adds the option unknown-server-time-limit to unbound.conf that can be increased to avoid the problem.
	- remade makefile dependencies.
	- Fix #4152: Logs shows wrong time when using log-time-ascii: yes.
24 October 2018: Ralph
	- Add markdel function to ECS slabhash.
	- Limit ECS scope returned to client to the scope used for caching.
	- Make lint like previous #4154 fix.
22 October 2018: Wouter
	- Fix #4192: unbound-control-setup generates keys not readable by group.
	- check that the dnstap socket file can be opened and exists, print error if not.
	- Fix #4154: make ECS_MAX_TREESIZE configurable, with the max-ecs-tree-size-ipv4 and max-ecs-tree-size-ipv6 options.
22 October 2018: Ralph
	- Change fast-server-num default to 3.
8 October 2018: Ralph
	- Add fast-server-permil and fast-server-num options.
	- Deprecate low-rtt and low-rtt-permil options.
8 October 2018: Wouter
	- Squelch log of failed to tcp initiate after TCP Fastopen failure.
5 October 2018: Wouter
	- Squelch EADDRNOTAVAIL errors when the interface goes away, this omits 'can't assign requested address' errors unless verbosity is set to a high value.
	- Set default for so-reuseport to no for FreeBSD. It is enabled by default for Linux and DragonFlyBSD. The setting can be configured in unbound.conf to override the default.
	- iana port update.
2 October 2018: Wouter
	- updated contrib/fastrpz.patch to apply for this version
	- dnscrypt.c removed sizeof to get array bounds.
	- Fix testlock code to set noreturn on error routine.
	- Remove unused variable from contrib fastrpz/rpz.c and remove unused diagnostic pragmas that themselves generate warnings
	- clang analyze test is used only when assertions are enabled.
1 October 2018: Wouter
	- tag for release 1.8.1rc1. Became release 1.8.1 on 8 oct, with fastrpz.patch fix included. Trunk has 1.8.2 in development.
27 September 2018: Wouter
	- Fix #4188: IPv6 forwarders without ipv6 result in SERVFAIL, fixes qname minimisation with a forwarder when connectivity has issues from rejecting responses.
25 September 2018: Wouter
	- Perform TLS SNI indication of the host that is being contacted for DNS over TLS service. It sets the configured tls auth name.
	  This is useful for hosts that apart from the DNS over TLS services also provide other (web) services.
	- Fix #4149: Add SSL cleanup for tcp timeout.
17 September 2018: Wouter
	- Fix compile on Mac for unbound, provide explicit_bzero when libc does not have it.
	- Fix unbound for openssl in FIPS mode, it uses the digests with the EVP call contexts.
	- Fix that with harden-below-nxdomain and qname minimisation enabled some iterator states for nonresponsive domains can get into a state where they waited for an empty list.
	- Stop UDP to TCP failover after timeouts that causes the ping count to be reset by the TCP time measurement (that exists for TLS), because that causes the UDP part to not be measured as timeout.
	- Fix #4156: Fix systemd service manager state change notification.
13 September 2018: Wouter
	- Fix seed for random backup code to use explicit zero when wiped.
	- exit log routine is annotated as noreturn function.
	- free memory leaks in config strlist and str2list insert functions.
	- do not move unused argv variable after getopt.
	- Remove unused if clause in testcode.
	- in testcode, free async ids, initialise array, and check for null pointer during test of the test. And use exit for return to note irregular program stop.
	- Free memory leak in config strlist append.
	- make sure nsec3 comparison salt is initialized.
	- unit test has clang analysis.
	- remove unused variable assignment from iterator scrub routine.
	- check for null in delegation point during iterator refetch in forward zone.
	- neater pointer cast in libunbound context quit routine.
	- initialize statistics totals for printout.
	- in authzone check that node exists before adding rrset.
	- in unbound-anchor, use readwrite memory BIO.
	- assertion in autotrust that packed rrset is formed correctly.
	- Fix memory leak when message parse fails partway through copy.
	- remove unused udpsize assignment in message encode.
	- nicer bio free code in unbound-anchor.
	- annotate exit functions with noreturn in unbound-control.
11 September 2018: Wouter
	- Fixed unused return value warnings in contrib/fastrpz.patch for asprintf.
	- Fix to squelch respip warning in unit test, it is printed at higher verbosity settings.
	- Fix spelling errors.
	- Fix initialisation in remote.c
10 September 2018: Wouter
	- 1.8.1 in svn trunk. (changes from 4,5,.. sep apply).
	- iana port update.
5 September 2018: Wouter
	- Fix spelling error in header, from getdns commit by Andreas Gelmini.
4 September 2018: Ralph
	- More explicitly mention the type of ratelimit when applying ip-ratelimit.
4 September 2018: Wouter
	- Tag for 1.8.0rc1 release, became 1.8.0 release on 10 Sep 2018.
31 August 2018: Wouter
	- Disable minimal-responses in subnet unit tests.
30 August 2018: Wouter
	- Fix that a local-zone with a local-zone-type that is transparent in a view with view-first, makes queries check for answers from the local-zones defined outside of views.
28 August 2018: Ralph
	- Disable minimal-responses in ipsecmod unit tests.
	- Added serve-expired-ttl and serve-expired-ttl-reset options.
27 August 2018: Wouter
	- Set defaults to yes for a number of options to increase speed and resilience of the server. The so-reuseport, harden-below-nxdomain, and minimal-responses options are enabled by default. They used to be disabled by default, waiting to make sure they worked. They are enabled by default now, and can be disabled explicitly by setting them to "no" in the unbound.conf config file. The reuseport and minimal options increase speed of the server, and should be otherwise harmless. The harden-below-nxdomain option works well together with the recently default enabled qname minimisation, this causes more fetches to use information from the cache.
	- next release is called 1.8.0.
	- Fix lintflags for lint on FreeBSD.
22 August 2018: George
	- #4140: Expose repinfo (comm_reply) to the inplace_callbacks.
	  This gives access to reply information for the client's communication point when the callback is called before the mesh state (modules). Changes to C and Python's inplace_callback signatures were also necessary.
21 August 2018: Wouter
	- log-local-actions: yes option for unbound.conf that logs all the local zone actions, a patch from Saksham Manchanda (Secure64).
	- #4146: num.query.subnet and num.query.subnet_cache counters.
	- Fix only misc failure from log-servfail when val-log-level is not enabled.
17 August 2018: Ralph
	- Fix classification for QTYPE=CNAME queries when QNAME minimisation is enabled.
17 August 2018: Wouter
	- Set libunbound to increase current, because the libunbound change to the event callback function signature. That needs programs, that use it, to recompile against the new header definition.
	- print servfail info to log as error.
	- added more servfail printout statements, to the iterator.
	- log-servfail: yes prints log lines that say why queries are returning SERVFAIL to clients.
16 August 2018: Wouter
	- Fix warning on compile without threads.
	- Fix contrib/fastrpz.patch.
15 August 2018: Wouter
	- Fix segfault in auth-zone read and reorder of RRSIGs.
14 August 2018: Wouter
	- Fix that printout of error for cycle targets is a verbosity 4 printout and does not wrongly print it is a memory error.
	- Upgraded crosscompile script to include libunbound DLL in the zipfile.
10 August 2018: Wouter
	- Fix #4144: dns64 module caches wrong (negative) information.
9 August 2018: Wouter
	- unbound-checkconf checks if modules exist and prints if they are not compiled in the name of the wrong module.
	- document --enable-subnet in doc/README.
	- Patch for stub-no-cache and forward-no-cache options that disable caching for the contents of that stub or forward, for when you want immediate changes visible, from Bjoern A. Zeeb.
7 August 2018: Ralph
	- Make capsforid fallback QNAME minimisation aware.
7 August 2018: Wouter
	- Fix #4142: unbound.service.in: improvements and fixes. Add unit dependency ordering (based on systemd-resolved). Add 'CAP_SYS_RESOURCE' to 'CapabilityBoundingSet' (fixes warnings about missing privileges during startup). Add 'AF_INET6' to 'RestrictAddressFamilies' (without it IPV6 can't work). From Guido Shanahan.
	- Patch to implement tcp-connection-limit from Jim Hague (Sinodun). This limits the number of simultaneous TCP client connections from a nominated netblock.
	- make depend, yacc, lex, doc, headers. And log the limit exceeded message only on high verbosity, so as to not spam the logs when it is busy.
6 August 2018: Wouter
	- Fix for #4136: Fix to unconditionally call destroy in daemon.c.
3 August 2018: George
	- Expose if a query (or a subquery) was ratelimited (not src IP ratelimiting) to libunbound under 'ub_result.was_ratelimited'. This also introduces a change to 'ub_event_callback_type' in libunbound/unbound-event.h.
	- Tidy pylib tests.
3 August 2018: Wouter
	- Revert previous change for #4136: because it introduces build problems.
	- New fix for #4136: This one ignores lex without yylex_destroy.
1 August 2018: Wouter
	- Fix to remove systemd sockaddr function check, that is not always present. Make socket activation more lenient. But not different when socket activation is not used.
	- iana port list update.
31 July 2018: Wouter
	- Patches from Jim Hague (Sinodun) for EDNS KeepAlive.
	- Sort out test runs when the build directory isn't the project root directory.
	- Add config tcp-idle-timeout (default 30s). This applies to client connections only; the timeout on TCP connections upstream is unaffected.
	- Error if EDNS Keepalive received over UDP.
	- Add edns-tcp-keepalive and edns-tcp-keepalive timeout options and implement option in client responses.
	- Correct and expand manual page entries for keepalive and idle timeout.
	- Implement progressive backoff of TCP idle/keepalive timeout.
	- Fix 'make depend' to work when build dir is not project root.
	- Add delay parameter to streamtcp, -d secs. To be used when testing idle timeout.
	- From Wouter: make depend, the dependencies in the patches did not apply cleanly. Also remade yacc and lex.
	- Fix mesh.c incompatible pointer pass.
	- Please doxygen so it passes.
	- Fix #4139: Fix unbound-host leaks memory on ANY.
30 July 2018: Wouter
	- Fix #4136: insufficiency from mismatch of FLEX capability between released tarball and build host.
27 July 2018: Wouter
	- Fix man page, say that chroot is enabled by default.
26 July 2018: Wouter
	- Fix #4135: 64-bit Windows Installer Creates Entries Under The Wrong Registry Key, reported by Brian White.
23 July 2018: Wouter
	- Fix use-systemd readiness signalling, only when use-systemd is yes and not in signal handler.
20 July 2018: Wouter
	- Fix #4130: print text describing -dd and unbound-checkconf on config file read error at startup, the errors may have been moved away by the startup process.
	- Fix #4131: for solaris, error YY_CURRENT_BUFFER undeclared.
19 July 2018: Wouter
	- Fix #4129 unbound-control error message with wrong cert permissions is too cryptic.
17 July 2018: Wouter
	- Fix #4127 unbound -h does not list -p help.
	- Print error if SSL name verification configured but not available in the ssl library.
	- Fix that ratelimit and ip-ratelimit are applied after reload of changed config file.
	- Resize ratelimit and ip-ratelimit caches if changed on reload.
16 July 2018: Wouter
	- Fix qname minimisation NXDOMAIN validation lookup failures causing error_supers assertion fails.
	- Squelch can't bind socket errors with Permission denied unless verbosity is 4 or higher, for UDP outgoing sockets.
12 July 2018: Wouter
	- Fix to improve systemd socket activation code file descriptor assignment.
	- Fix for 4126 that the #define for UNKNOWN_SERVER_NICENESS can be more easily changed to adjust default rtt assumptions.
10 July 2018: Wouter
	- Note in documentation that the cert name match code needs OpenSSL 1.1.0 or later to be enabled.
6 July 2018: Wouter
	- Fix documentation ambiguity for tls-win-cert in tls-upstream and forward-tls-upstream docs.
	- iana port update.
	- Note RFC8162 support. SMIMEA record type can be read in by the zone record parser.
	- Fix round robin for failed addresses with prefer-ip6: yes
4 July 2018: Wouter
	- Fix #4112: Fix that unbound-anchor -f /etc/resolv.conf will not pass if DNSSEC is not enabled. New option -R allows fallback from resolv.conf to direct queries.
3 July 2018: Wouter
	- Better documentation for unblock-lan-zones and insecure-lan-zones config statements.
	- Fix permission denied printed for auth zone probe random port nrs.
2 July 2018: Wouter
	- Fix checking for libhiredis printout in configure output.
	- Fix typo on man page in ip-address description.
	- Update libunbound/python/examples/dnssec_test.py example code to also set the 20326 trust anchor for the root in the example code.
29 June 2018: Wouter
	- dns64-ignore-aaaa: config option to list domain names for which the existing AAAA is ignored and dns64 processing is used on the A record.
28 June 2018: Wouter
	- num.queries.tls counter for queries over TLS.
	- log port number with err_addr logs.
27 June 2018: Wouter
	- #4109: Fix that package config depends on python unconditionally.
	- Patch, do not export python from pkg-config, from Petr Menšík.
26 June 2018: Wouter
	- Partial fix for permission denied on IPv6 address on FreeBSD.
	- Fix that auth-zone master reply with current SOA serial does not stop scan of masters for an updated zone.
	- Fix that auth-zone does not start the wait timer without checking if the wait timer has already been started.
21 June 2018: Wouter
	- #4108: systemd reload hang fix.
	- Fix usage printout for unbound-host, hostname has to be last argument on BSDs and Windows.
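The commit message above is the Unbound changelog, and several of its entries are resource limits that exist to stop a client from exhausting the resolver (stream-wait-size against waiting TCP/TLS reply buffers, tcp-connection-limit and tcp-idle-timeout against connection hoarding, deny-any against ANY amplification, ip-ratelimit against query floods). The fragment below is an added example, not part of this commit or of Unbound's own sources: an unbound.conf server section that sets those options explicitly, with the changelog date of each one noted beside it. The netblock 192.0.2.0/24, the cipher strings and every numeric value are illustrative assumptions, not recommended defaults.

```conf
# Added example unbound.conf fragment (not from the commit above):
# the DoS-related limits named in the changelog, set explicitly.
# Netblock, cipher strings and numbers are illustrative assumptions.
server:
    # 21 January 2019: bound the memory held by TCP/TLS replies that are
    # waiting to be written; without it slow readers can use all memory.
    stream-wait-size: 4m

    # 7 August 2018 (Jim Hague): cap simultaneous TCP client connections
    # per netblock; one line per netblock, "<netblock> <limit>".
    tcp-connection-limit: 192.0.2.0/24 10

    # 31 July 2018: idle timeout for client TCP connections, in msec
    # (default 30s); upstream TCP connections are not affected.
    tcp-idle-timeout: 30000
    edns-tcp-keepalive: yes
    edns-tcp-keepalive-timeout: 120000

    # 25 October 2018 (#4190): answer QTYPE ANY with an empty message.
    deny-any: yes

    # 27 August 2018: on by default since 1.8.0; set explicitly so a
    # config audit does not rely on the compiled-in default.
    so-reuseport: yes
    harden-below-nxdomain: yes
    minimal-responses: yes

    # 10 December 2018: ip-ratelimit-factor 1 passes all traffic, so a
    # larger factor is needed for the limit to actually drop queries.
    # 18 February 2019: exceeded-limit log lines carry the query name.
    ip-ratelimit: 1000
    ip-ratelimit-factor: 10

    # 17 August 2018: log why a query was answered with SERVFAIL.
    log-servfail: yes

    # 23 January 2019 (Manabu Sonoda): restrict the ciphers offered on
    # the DoT service port; example strings, not a recommendation.
    tls-ciphers: "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384"
    tls-ciphersuites: "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
```

Run unbound-checkconf against the merged file before reloading; per the 9 August 2018 entry it also reports modules that are named in module-config but not compiled in, and per 17 July 2018 the ratelimit and ip-ratelimit caches are resized on reload when these values change, so no restart is needed to tune them.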
netbsd-srcmastr
pushed a commit
that referenced
this pull request
May 26, 2019
1 March 2019: Wouter - output forwarder log in ssl_req_order test. 28 February 2019: Wouter - Remove memory leak on pythonmod python2 script file init. - Remove swig gcc8 python function cast warnings, they are ignored. - Print correct module that failed when module-config is wrong. 27 February 2019: Wouter - Fix #4229: Unbound man pages lack information, about access-control order and local zone tags, and elements in views. - Fix #14: contrib/unbound.init: Fix wrong comparison judgment before copying. - Fix for python module on Windows, fix fopen. 25 February 2019: Wouter - Fix #4227: pair event del and add for libevent for tcp_req_info. 21 February 2019: Wouter - Fix the error for unknown module in module-config is understandable, and explains it was not compiled in and where to see the list. - In example.conf explain where to put cachedb module in module-config. - In man page and example config explain that most modules have to be listed at the start of module-config. 20 February 2019: Wouter - Fix pythonmod include and sockaddr_un ifdefs for compile on Windows, and for libunbound. 18 February 2019: Wouter - Print query name with ip_ratelimit exceeded log lines. - Spaces instead of tabs in that log message. - Print query name and IP address when domain rate limit exceeded. 14 February 2019: Wouter - Fix capsforid canonical sort qsort callback. 11 February 2019: Wouter - Note default for module-config in man page. - Fix recursion lame test for qname minimisation asked queries, that were not present in the set of prepared answers. - Fix #13: Remove left-over requirements on OpenSSL >= 1.1.0 for cert name matching, from man page. - make depend, with newer gcc, nicer layout. 7 February 2019: Wouter - Fix #4206: OpenSSL 1.0.2 hostname verification for FreeBSD 11.2. - Fix that qname minimisation does not skip a label when missing nameserver targets need to be fetched. - Fix #4225: clients seem to erroneously receive no answer with DNS-over-TLS and qname-minimisation. 
4 February 2019: Wouter - Fix that log-replies prints the correct name for local-alias names, for names that have a CNAME in local-data configuration. It logs the original query name, not the target of the CNAME. - Add local-zone type inform_redirect, which logs like type inform, and redirects like type redirect. - Perform canonical sort for 0x20 capsforid compare of replies, this sorts rrsets in the authority and additional section before comparison, so that out of order rrsets do not cause failure. 31 January 2019: Wouter - Set ub_ctx_set_tls call signature in ltrace config file for libunbound in contrib/libunbound.so.conf. - improve documentation for tls-service-key and forward-first. - #10: fixed pkg-config operations, PKG_PROG_PKG_CONFIG moved out of conditional section, fixes systemd builds, from Enrico Scholz. - #9: For openssl 1.0.2 use the CRYPTO_THREADID locking callbacks, still supports the set_id_callback previous API. And for 1.1.0 no locking callbacks are needed. - #8: Fix OpenSSL without ENGINE support compilation. - Wipe TLS session key data from memory on exit. 30 January 2019: Ralph - Fix case in which query timeout can result in marking delegation as edns_lame_known. 29 January 2019: Wouter - Fix spelling of tls-ciphers in example.conf.in. - Fix #4224: auth_xfr_notify.rpl test broken due to typo - Fix locking for libunbound context setup with broken port config. 28 January 2019: Wouter - ub_ctx_set_tls call for libunbound that enables DoT for the machines set with ub_ctx_set_fwd. Patch from Florian Obser. - Set build system for added call in the libunbound API. - List example config for root zone copy locally hosted with auth-zone as suggested from draft-ietf-dnsop-7706-bis-02. But with updated B root address. - set version to 1.9.0 for release. And this was released with the spelling for tls-ciphers fix as 1.9.0 on Feb 5. Trunk has 1.9.1 in development. 
25 January 2019: Wouter
- Fix that tcp for auth zone and outgoing does not remove and then gets the ssl read again applied to the deleted commpoint.
- updated contrib/fastrpz.patch to cleanly diff.
- no lock when threads disabled in tcp request buffer count.
- remove compile warnings from libnettle compile.
- output of newer lex 2.6.1 and bison 3.0.5.
24 January 2019: Wouter
- Newer aclocal and libtoolize used for generating configure scripts, aclocal 1.16.1 and libtoolize 2.4.6.
- Fix unit test for python 3.7 new keyword 'async'.
- clang analysis fixes, assert arc4random buffer in init, no check for already checked delegation pointer in iterator, in testcode check for NULL packet matches, in perf do not copy from NULL start list when growing capacity. Adjust host and file only when present in test header read to please checker. In testcode for unknown macro operand give zero result. Initialise the passed argv array in test code. In test code add EDNS data segment copy only when nonempty.
- Patch from Florian Obser fixes some compiler warnings:
  include mini_event.h to have a prototype for mini_ev_cmp
  include edns.h to have a prototype for apply_edns_options
  sldns_wire2str_edns_keepalive_print is only called in the wire2str module, declare it static to get rid of compiler warning: no previous prototype for function
  infra_find_ip_ratedata() is only called in the infra module, declare it static to get rid of compiler warning: no previous prototype for function
  do not shadow local variable buf in authzone
  auth_chunks_delete and az_nsec3_findnode are only called in the authzone module, declare them static to get rid of compiler warning: no previous prototype for function...
  copy_rrset() is only called in the respip module, declare it static to get rid of compiler warning: no previous prototype for function 'copy_rrset'
  no need for another variable "r"; gets rid of compiler warning: declaration shadows a local variable in libunbound.c
  no need for another variable "ns"; gets rid of compiler warning: declaration shadows a local variable in iterator.c
- Moved includes and make depend.
23 January 2019: Wouter
- Patch from Manabu Sonoda with tls-ciphers and tls-ciphersuites options for unbound.conf.
- Fixes for the patch, and man page entry.
- Fix configure to detect SSL_CTX_set_ciphersuites, for better library compatibility when compiling.
- Patch for TLS session resumption from Manabu Sonoda, enable with tls-session-ticket-keys in unbound.conf.
- Fixes for patch (includes, declarations, warnings). Free at end and keep config options in order read from file to keep the first one as the first one.
- Fix for IXFR fallback to reset counter when IXFR does not timeout.
22 January 2019: Wouter
- Fix space calculation for tcp req buffer size.
- Doc for stream-wait-size and unit test.
- unbound-control stats has mem.streamwait that counts TCP and TLS waiting result buffers.
- Fix for #4219: secondaries not updated after serial change, unbound falls back to AXFR after IXFR gives several timeout failures.
- Fix that auth zone after IXFR fallback tries the same master.
21 January 2019: Wouter
- Fix tcp idle timeout test, for difference in the tcp reply code.
- Unit test for tcp request reorder and timeouts.
- Unit tests for ssl out of order processing.
- Fix that multiple dns fragments can be carried in one TLS frame.
- Add stream-wait-size: 4m config option to limit the maximum memory used by waiting tcp and tls stream replies. This avoids a denial of service where these replies use up all of the memory.
17 January 2019: Wouter
- For caps-for-id fallback, use the whitelist to avoid timeout starting a fallback sequence for it.
- increase mesh max activation count for capsforid long fetches.
16 January 2019: Ralph
- Get ready for the DNS flag day: remove EDNS lame procedure, do not re-query without EDNS after timeout.
15 January 2019: Wouter
- In the out of order processing, reset byte count for (potential) partial read.
- Review fixes in out of order processing.
14 January 2019: Wouter
- streamtcp option -a sends queries consecutively and prints answers as they arrive.
- Fix for out of order processing administration quit cleanup.
- unit test for tcp out of order processing.
11 January 2019: Wouter
- Initial commit for out-of-order processing for TCP and TLS.
9 January 2019: Wouter
- Log query name for looping module errors.
8 January 2019: Wouter
- Fix syntax in comment of local alias processing.
- Fix NSEC3 record that is returned in wildcard replies from auth-zone zones with NSEC3 and wildcards.
7 January 2019: Wouter
- On FreeBSD warn if sysctl settings do not allow server TCP FASTOPEN, and server tcp fastopen is enabled at compile time.
- Document interaction between the tls-upstream option in the server section and forward-tls-upstream option in the forward-zone sections.
- Add contrib/unbound-fuzzme.patch from Jacob Hoffman-Andrews, the patch adds a program used for fuzzing.
12 December 2018: Wouter
- Fix for crash in dns64 module if response is null.
10 December 2018: Wouter
- Fix config parser memory leaks.
- ip-ratelimit-factor of 1 allows all traffic through, instead of the previous blocking everything.
- Fix for FreeBSD port make with dnscrypt and dnstap enabled.
- Fix #4206: support openssl 1.0.2 for TLS hostname verification, alongside the 1.1.0 and later support that is already there.
- Fixup openssl 1.0.2 compile
6 December 2018: Wouter
- Fix dns64 allocation in wrong region for returned internal queries.
3 December 2018: Wouter
- Fix icon, no ragged edges and nicer resolutions available, for eg. Win 7 and Windows 10 display.
- cache-max-ttl also defines upperbound of initial TTL in response.
30 November 2018: Wouter
- Patch for typo in unbound.conf man page.
- log-tag-queryreply: yes in unbound.conf tags the log-queries and log-replies in the log file for easier log filter maintenance.
29 November 2018: Wouter
- iana portlist updated.
- Fix chroot auth-zone fix to remove chroot prefix.
- tag for 1.8.2rc1, which became 1.8.2 on 4 dec 2018, with icon updated. Trunk contains 1.8.3 in development. Which became 1.8.3 on 11 december with only the dns64 fix of 6 dec. Trunk then became 1.8.4 in development.
- Fix that unbound-checkconf does not complain if the config file is not placed inside the chroot.
- Refuse to start with no ports.
- Remove clang analysis warnings.
28 November 2018: Wouter
- Fix leak in chroot fix for auth-zone.
- Fix clang analysis for outside directory build test.
27 November 2018: Wouter
- Fix DNS64 to not store intermediate results in cache, this avoids other threads from picking up the wrong data. The module restores the previous no_cache_store setting when the module is finished.
- Fix #4208: 'stub-no-cache' and 'forward-no-cache' do not work.
- New and better fix for Fix #4193: Fix that prefetch failure does not overwrite valid cache entry with SERVFAIL.
- auth-zone gives SERVFAIL when expired, fallback activates when expired, and this is documented in the man page.
- stat count SERVFAIL downstream auth-zone queries for expired zones.
- Put new logos into windows installer.
- Fix windows compile for new rrset roundrobin fix.
- Update contrib fastrpz patch for latest release.
26 November 2018: Wouter
- Fix to not set GLOB_NOSORT so the unbound.conf include: files are sorted and in a predictable order.
- Fix #4193: Fix that prefetch failure does not overwrite valid cache entry with SERVFAIL.
- Add unbound-control view_local_datas command, like local_datas.
- Fix that unbound-control can send file for view_local_datas.
22 November 2018: Wouter
- With ./configure --with-pyunbound --with-pythonmodule PYTHON_VERSION=3.6 or with 2.7 unbound can compile and unit tests succeed for the python module.
- pythonmod logs the python error and traceback on failure.
- ignore debug python module for test in doxygen output.
- review fixes for python module.
- Fix #4209: Crash in libunbound when called from getdns.
- auth zone zonefiles can be in a chroot, the chroot directory components are removed before use.
- Fix that empty zonefile means the zonefile is not set and not used.
- make depend.
21 November 2018: Wouter
- Scrub NS records from NODATA responses as well.
20 November 2018: Wouter
- Scrub NS records from NXDOMAIN responses to stop fragmentation poisoning of the cache.
- Add patch from Jan Vcelak for pythonmod, add sockaddr_storage getters, add support for query callbacks, allow raw address access via comm_reply and update API documentation.
- Removed compile warnings in pythonmod sockaddr routines.
19 November 2018: Wouter
- Support SO_REUSEPORT_LB in FreeBSD 12 with the so-reuseport: yes option in unbound.conf.
6 November 2018: Ralph
- Bugfix min-client-subnet-ipv6
25 October 2018: Ralph
- Add min-client-subnet-ipv6 and min-client-subnet-ipv4 options.
25 October 2018: Wouter
- Fix #4191: NXDOMAIN vs SERVFAIL during dns64 PTR query.
- Fix #4190: Please create a "ANY" deny option, adds the option deny-any: yes in unbound.conf. This responds with an empty message to queries of type ANY.
- Fix #4141: More randomness to rrset-roundrobin.
- Fix #4132: Openness/closeness of RANGE intervals in rpl files.
- Fix #4126: RTT_band too low on VSAT links with 600+ms latency, adds the option unknown-server-time-limit to unbound.conf that can be increased to avoid the problem.
- remade makefile dependencies.
- Fix #4152: Logs shows wrong time when using log-time-ascii: yes.
24 October 2018: Ralph
- Add markdel function to ECS slabhash.
- Limit ECS scope returned to client to the scope used for caching.
- Make lint like previous #4154 fix.
22 October 2018: Wouter
- Fix #4192: unbound-control-setup generates keys not readable by group.
- check that the dnstap socket file can be opened and exists, print error if not.
- Fix #4154: make ECS_MAX_TREESIZE configurable, with the max-ecs-tree-size-ipv4 and max-ecs-tree-size-ipv6 options.
22 October 2018: Ralph
- Change fast-server-num default to 3.
8 October 2018: Ralph
- Add fast-server-permil and fast-server-num options.
- Deprecate low-rtt and low-rtt-permil options.
8 October 2018: Wouter
- Squelch log of failed to tcp initiate after TCP Fastopen failure.
5 October 2018: Wouter
- Squelch EADDRNOTAVAIL errors when the interface goes away, this omits 'can't assign requested address' errors unless verbosity is set to a high value.
- Set default for so-reuseport to no for FreeBSD. It is enabled by default for Linux and DragonFlyBSD. The setting can be configured in unbound.conf to override the default.
- iana port update.
2 October 2018: Wouter
- updated contrib/fastrpz.patch to apply for this version
- dnscrypt.c removed sizeof to get array bounds.
- Fix testlock code to set noreturn on error routine.
- Remove unused variable from contrib fastrpz/rpz.c and remove unused diagnostic pragmas that themselves generate warnings
- clang analyze test is used only when assertions are enabled.
1 October 2018: Wouter
- tag for release 1.8.1rc1. Became release 1.8.1 on 8 oct, with fastrpz.patch fix included. Trunk has 1.8.2 in development.
27 September 2018: Wouter
- Fix #4188: IPv6 forwarders without ipv6 result in SERVFAIL, fixes qname minimisation with a forwarder when connectivity has issues from rejecting responses.
25 September 2018: Wouter
- Perform TLS SNI indication of the host that is being contacted for DNS over TLS service. It sets the configured tls auth name.
  This is useful for hosts that apart from the DNS over TLS services also provide other (web) services.
- Fix #4149: Add SSL cleanup for tcp timeout.
17 September 2018: Wouter
- Fix compile on Mac for unbound, provide explicit_bzero when libc does not have it.
- Fix unbound for openssl in FIPS mode, it uses the digests with the EVP call contexts.
- Fix that with harden-below-nxdomain and qname minimisation enabled some iterator states for nonresponsive domains can get into a state where they waited for an empty list.
- Stop UDP to TCP failover after timeouts that causes the ping count to be reset by the TCP time measurement (that exists for TLS), because that causes the UDP part to not be measured as timeout.
- Fix #4156: Fix systemd service manager state change notification.
13 September 2018: Wouter
- Fix seed for random backup code to use explicit zero when wiped.
- exit log routine is annotated as noreturn function.
- free memory leaks in config strlist and str2list insert functions.
- do not move unused argv variable after getopt.
- Remove unused if clause in testcode.
- in testcode, free async ids, initialise array, and check for null pointer during test of the test. And use exit for return to note irregular program stop.
- Free memory leak in config strlist append.
- make sure nsec3 comparison salt is initialized.
- unit test has clang analysis.
- remove unused variable assignment from iterator scrub routine.
- check for null in delegation point during iterator refetch in forward zone.
- neater pointer cast in libunbound context quit routine.
- initialize statistics totals for printout.
- in authzone check that node exists before adding rrset.
- in unbound-anchor, use readwrite memory BIO.
- assertion in autotrust that packed rrset is formed correctly.
- Fix memory leak when message parse fails partway through copy.
- remove unused udpsize assignment in message encode.
- nicer bio free code in unbound-anchor.
- annotate exit functions with noreturn in unbound-control.
11 September 2018: Wouter
- Fixed unused return value warnings in contrib/fastrpz.patch for asprintf.
- Fix to squelch respip warning in unit test, it is printed at higher verbosity settings.
- Fix spelling errors.
- Fix initialisation in remote.c
10 September 2018: Wouter
- 1.8.1 in svn trunk. (changes from 4,5,.. sep apply).
- iana port update.
5 September 2018: Wouter
- Fix spelling error in header, from getdns commit by Andreas Gelmini.
4 September 2018: Ralph
- More explicitly mention the type of ratelimit when applying ip-ratelimit.
4 September 2018: Wouter
- Tag for 1.8.0rc1 release, became 1.8.0 release on 10 Sep 2018.
31 August 2018: Wouter
- Disable minimal-responses in subnet unit tests.
30 August 2018: Wouter
- Fix that a local-zone with a local-zone-type that is transparent in a view with view-first, makes queries check for answers from the local-zones defined outside of views.
28 August 2018: Ralph
- Disable minimal-responses in ipsecmod unit tests.
- Added serve-expired-ttl and serve-expired-ttl-reset options.
27 August 2018: Wouter
- Set defaults to yes for a number of options to increase speed and resilience of the server. The so-reuseport, harden-below-nxdomain, and minimal-responses options are enabled by default. They used to be disabled by default, waiting to make sure they worked. They are enabled by default now, and can be disabled explicitly by setting them to "no" in the unbound.conf config file. The reuseport and minimal options increase speed of the server, and should be otherwise harmless. The harden-below-nxdomain option works well together with the recently default enabled qname minimisation, this causes more fetches to use information from the cache.
- next release is called 1.8.0.
- Fix lintflags for lint on FreeBSD.
22 August 2018: George
- #4140: Expose repinfo (comm_reply) to the inplace_callbacks.
  This gives access to reply information for the client's communication point when the callback is called before the mesh state (modules). Changes to C and Python's inplace_callback signatures were also necessary.
21 August 2018: Wouter
- log-local-actions: yes option for unbound.conf that logs all the local zone actions, a patch from Saksham Manchanda (Secure64).
- #4146: num.query.subnet and num.query.subnet_cache counters.
- Fix only misc failure from log-servfail when val-log-level is not enabled.
17 August 2018: Ralph
- Fix classification for QTYPE=CNAME queries when QNAME minimisation is enabled.
17 August 2018: Wouter
- Set libunbound to increase current, because of the libunbound change to the event callback function signature. That needs programs, that use it, to recompile against the new header definition.
- print servfail info to log as error.
- added more servfail printout statements, to the iterator.
- log-servfail: yes prints log lines that say why queries are returning SERVFAIL to clients.
16 August 2018: Wouter
- Fix warning on compile without threads.
- Fix contrib/fastrpz.patch.
15 August 2018: Wouter
- Fix segfault in auth-zone read and reorder of RRSIGs.
14 August 2018: Wouter
- Fix that printout of error for cycle targets is a verbosity 4 printout and does not wrongly print it is a memory error.
- Upgraded crosscompile script to include libunbound DLL in the zipfile.
10 August 2018: Wouter
- Fix #4144: dns64 module caches wrong (negative) information.
9 August 2018: Wouter
- unbound-checkconf checks if modules exist and prints if they are not compiled in the name of the wrong module.
- document --enable-subnet in doc/README.
- Patch for stub-no-cache and forward-no-cache options that disable caching for the contents of that stub or forward, for when you want immediate changes visible, from Bjoern A. Zeeb.
7 August 2018: Ralph
- Make capsforid fallback QNAME minimisation aware.
7 August 2018: Wouter
- Fix #4142: unbound.service.in: improvements and fixes. Add unit dependency ordering (based on systemd-resolved). Add 'CAP_SYS_RESOURCE' to 'CapabilityBoundingSet' (fixes warnings about missing privileges during startup). Add 'AF_INET6' to 'RestrictAddressFamilies' (without it IPV6 can't work). From Guido Shanahan.
- Patch to implement tcp-connection-limit from Jim Hague (Sinodun). This limits the number of simultaneous TCP client connections from a nominated netblock.
- make depend, yacc, lex, doc, headers. And log the limit exceeded message only on high verbosity, so as to not spam the logs when it is busy.
6 August 2018: Wouter
- Fix for #4136: Fix to unconditionally call destroy in daemon.c.
3 August 2018: George
- Expose if a query (or a subquery) was ratelimited (not src IP ratelimiting) to libunbound under 'ub_result.was_ratelimited'. This also introduces a change to 'ub_event_callback_type' in libunbound/unbound-event.h.
- Tidy pylib tests.
3 August 2018: Wouter
- Revert previous change for #4136: because it introduces build problems.
- New fix for #4136: This one ignores lex without yylex_destroy.
1 August 2018: Wouter
- Fix to remove systemd sockaddr function check, that is not always present. Make socket activation more lenient. But not different when socket activation is not used.
- iana port list update.
31 July 2018: Wouter
- Patches from Jim Hague (Sinodun) for EDNS KeepAlive.
- Sort out test runs when the build directory isn't the project root directory.
- Add config tcp-idle-timeout (default 30s). This applies to client connections only; the timeout on TCP connections upstream is unaffected.
- Error if EDNS Keepalive received over UDP.
- Add edns-tcp-keepalive and edns-tcp-keepalive timeout options and implement option in client responses.
- Correct and expand manual page entries for keepalive and idle timeout.
- Implement progressive backoff of TCP idle/keepalive timeout.
- Fix 'make depend' to work when build dir is not project root.
- Add delay parameter to streamtcp, -d secs. To be used when testing idle timeout.
- From Wouter: make depend, the dependencies in the patches did not apply cleanly. Also remade yacc and lex.
- Fix mesh.c incompatible pointer pass.
- Please doxygen so it passes.
- Fix #4139: Fix unbound-host leaks memory on ANY.
30 July 2018: Wouter
- Fix #4136: insufficiency from mismatch of FLEX capability between released tarball and build host.
27 July 2018: Wouter
- Fix man page, say that chroot is enabled by default.
26 July 2018: Wouter
- Fix #4135: 64-bit Windows Installer Creates Entries Under The Wrong Registry Key, reported by Brian White.
23 July 2018: Wouter
- Fix use-systemd readiness signalling, only when use-systemd is yes and not in signal handler.
20 July 2018: Wouter
- Fix #4130: print text describing -dd and unbound-checkconf on config file read error at startup, the errors may have been moved away by the startup process.
- Fix #4131: for solaris, error YY_CURRENT_BUFFER undeclared.
19 July 2018: Wouter
- Fix #4129 unbound-control error message with wrong cert permissions is too cryptic.
17 July 2018: Wouter
- Fix #4127 unbound -h does not list -p help.
- Print error if SSL name verification configured but not available in the ssl library.
- Fix that ratelimit and ip-ratelimit are applied after reload of changed config file.
- Resize ratelimit and ip-ratelimit caches if changed on reload.
16 July 2018: Wouter
- Fix qname minimisation NXDOMAIN validation lookup failures causing error_supers assertion fails.
- Squelch can't bind socket errors with Permission denied unless verbosity is 4 or higher, for UDP outgoing sockets.
12 July 2018: Wouter
- Fix to improve systemd socket activation code file descriptor assignment.
- Fix for 4126 that the #define for UNKNOWN_SERVER_NICENESS can be more easily changed to adjust default rtt assumptions.
10 July 2018: Wouter
- Note in documentation that the cert name match code needs OpenSSL 1.1.0 or later to be enabled.
6 July 2018: Wouter
- Fix documentation ambiguity for tls-win-cert in tls-upstream and forward-tls-upstream docs.
- iana port update.
- Note RFC8162 support. SMIMEA record type can be read in by the zone record parser.
- Fix round robin for failed addresses with prefer-ip6: yes
4 July 2018: Wouter
- Fix #4112: Fix that unbound-anchor -f /etc/resolv.conf will not pass if DNSSEC is not enabled. New option -R allows fallback from resolv.conf to direct queries.
3 July 2018: Wouter
- Better documentation for unblock-lan-zones and insecure-lan-zones config statements.
- Fix permission denied printed for auth zone probe random port nrs.
2 July 2018: Wouter
- Fix checking for libhiredis printout in configure output.
- Fix typo on man page in ip-address description.
- Update libunbound/python/examples/dnssec_test.py example code to also set the 20326 trust anchor for the root in the example code.
29 June 2018: Wouter
- dns64-ignore-aaaa: config option to list domain names for which the existing AAAA is ignored and dns64 processing is used on the A record.
28 June 2018: Wouter
- num.queries.tls counter for queries over TLS.
- log port number with err_addr logs.
27 June 2018: Wouter
- #4109: Fix that package config depends on python unconditionally.
- Patch, do not export python from pkg-config, from Petr Menšík.
26 June 2018: Wouter
- Partial fix for permission denied on IPv6 address on FreeBSD.
- Fix that auth-zone master reply with current SOA serial does not stop scan of masters for an updated zone.
- Fix that auth-zone does not start the wait timer without checking if the wait timer has already been started.
21 June 2018: Wouter
- #4108: systemd reload hang fix.
- Fix usage printout for unbound-host, hostname has to be last argument on BSDs and Windows.
netbsd-srcmastr
pushed a commit
that referenced
this pull request
Dec 15, 2019
- Fix #52: do not log transient network full errors unless higher verbosity is set.
- Fix checkconf test for new error output string.
- tag for 4.2.4rc1 release.
27 November 2017: Jeroen
- Fix regressions in configparser.y
22 November 2019: Wouter
- Fix #48: Add make distclean that removes config.h made by configure. And add maintainer-clean that removes bison and flex output.
18 November 2019: Wouter
- Detect fixed time memcmp for openssl 0.9.8 compatibility.
- Detect EC_KEY_new_by_curve_name for openssl 0.9.8.
- include limits.h for UINT_MAX.
- If no recvmmsg, don't use msg_flags member, but errno for error, where our fallback function left it, msg_flags also does not exist on some systems.
- Remove unused variable warning for portability.
14 November 2019: Wouter
- Fix checkconf test with filenames that sort in the same order.
- Tag for 4.2.3rc1. Branch master is 4.2.4 in development.
11 November 2019: Wouter
- Fix #44: document that remote-control is a top-level nsd.conf attribute.
- Fix compile on OSX.
- Fix for #44: nicer top-level clause documentation.
22 October 2019: Jeroen
- Number of different UDP handlers has been reduced to one. recvmmsg and sendmmsg implementations are now used on all platforms. Compatible implementations are in place for systems that lack the system calls.
- Socket options are now set in designated functions for easy reuse.
- Socket setup has been simplified for easy reuse.
- Configuration parser is now aware of the context in which an option was specified.
21 October 2019: Wouter
- For #21 add contrib/patch_for_s6_startup_and_other_service_supervisors.diff that adds support for readiness notification with READY_FD from Cameron Nemo.
17 October 2019: Jeroen
- Fix #40: Merge small fixes for confine-to-zone by Greg Bock.
15 October 2019: Jeroen
- For #39: Merge confine-to-zone feature contributed by Greg Bock.
26 September 2019: Wouter
- Fix #38: log address and failure reason with tls handshake errors, squelches (the same as unbound) some unless high verbosity is used.
- Fixup clang analysis warning in xfrd_parse_received_xfr_packet master dereference.
25 September 2019: Wouter
- The nsd.conf includes are sorted ascending, for include statements with a '*' from glob.
16 September 2019: Wouter
- Fixup warnings during --disable-ipv6 compile.
- Fixup unit test executable to run without IPv6.
4 September 2019: Wouter
- Fix #35: excessive logging of ixfr failures, it stops the log when fallback to axfr is possible. log is enabled at high verbosity.
2 September 2019: Wouter
- For #21: pidfile "" allows to run NSD without a pidfile, for startup management tools like daemontools.
28 August 2019: Wouter
- In tests check for tls test tool availability.
19 August 2019: Wouter
- Tag for 4.2.2 release. Git master contains 4.2.3 in development.
13 August 2019: Wouter
- Fix error message for out of zone data to have more information.
- Tag for 4.2.2rc2.
12 August 2019: Wouter
- Fix #33: Fix segfault in service of remaining streams on exit.
6 August 2019: Wouter
- Tag for 4.2.2rc1.
5 August 2019: Wouter
- PR #31: nsd-control: Add missing stdio header.
- PR #32: tsig: Fix compilation without HAVE_SSL.
- Cleanup tls context on xfrd exit.
31 July 2019: Wouter
- Fix #29: SSHFP check NULL pointer dereference.
- Fix #30: SSHFP check failure due to missing domain name.
- Fix to timeval_add in minievent for remaining second in microseconds.
22 July 2019: Wouter
- Set timeout for refetch immediately, only spread load when there are retries.
19 July 2019: Wouter
- Set no renegotiation on the SSL context to stop client session renegotiation.
18 July 2019: Wouter
- Fix #25: NSD doesn't refresh zones after extended downtime, it refreshes the old zones, with a random delay of a couple of seconds to spread the load.
- Fix so that expired zones stay expired when server is down a long time.
17 July 2019: Wouter
- Fix that NSD warns for wrong length of the hash in SSHFP records.
15 July 2019: Wouter
- PR #23: Fix typo in nsd.conf man-page.
4 July 2019: Wouter
- Set version to 4.2.2 in development.
- clean memory on exit of nsd-checkzone for memory debug.
- Fix #20: CVE-2019-13207 Stack-based Buffer Overflow in the dname_concatenate() function. Reported by Frederic Cambus. It causes the zone parser to crash on a malformed zone file, with assertions enabled, an assertion catches it.
- Fix #19: Out-of-bounds read caused by improper validation of array index. Reported by Frederic Cambus. The zone parser fails on type SIG because of mismatched definition with RRSIG.
2 July 2019: Wouter
- Tag for 4.2.1rc1
27 June 2019: Wouter
- Fix unit test for added options and no dot after zone updated log message.
- Fix compile without accept4.
21 June 2019: Wouter
- Omit remaining tcp processing if the list is empty.
- Fix output of nsd-checkconf -h.
20 June 2019: Wouter
- Initialize event structures before event_set, to stop uninitialized values from setting event library lists and assertions, that would sometimes also show after event_del.
- Added num.tls and num.tls6 stat counters.
- PR #12: send-buffer-size, receive-buffer-size, tcp-reject-overflow options for nsd.conf, from Jeroen Koekkoek.
- Do not use symbol from libc, instead use own replacement, if not available, for accept4.
- Fix #14, tcp connections have 1/10 to be active and have to work every second, and then they get time to complete during a reload, this is a process that lingers with the old version during a version update.
19 June 2019: Wouter
- Fix tls handshake event callback function mistake, reported by Mykhailo Danylenko.
18 June 2019: Wouter
- Fix #15: crash in SSL library, initialize variables for TCP access when TLS is configured.
14 June 2019: Wouter
- Fix to init event not pointer, in reassignment.
12 June 2019: Wouter
- Fix to init event structure for reassignment.
11 June 2019: Wouter
- NSD 4.2.0 release. Current development is 4.2.1.
- Fixup of RELNOTES, corrected RFC reference for 4892.
- Fix #13: Stray dot at the end of some log entries, removes dot after updated serial number in log entry.
- Fix TLS cipher selection, the previous was redundant, prefers CHACHA20-POLY1305 over AESGCM and was not as readable as it could be.
- Consolidate server tls context create and remote control context create, with hardening for the remote control tls context too.
6 June 2019: Wouter
- NSD 4.2.0rc1 tag.
4 June 2019: Wouter
- Fix unit test for outgoing interface to use random port numbers for the outgoing interface config.
29 May 2019: Wouter
- Fix to guard _OPENBSD_SOURCE from redefinition.
28 May 2019: Wouter
- Fix to define _OPENBSD_SOURCE to get reallocarray on NetBSD.
16 May 2019: Wouter
- Fix #10: Fix memory leaks caused by duplicate rr and include instructions.
6 May 2019: Wouter
- Note CII best practices badge for NSD on the README.md.
2 May 2019: Wouter
- Fix .gitignore for unit test generated files.
- Fix checkconf unit test for hide-identity and tls.
1 May 2019: Wouter
- Fix makedist.sh for use with git.
- Nicer output on travis for clang analysis.
- Add .gitignore file to exclude built files from version tracking.
- Add README.md file in repository with compile instructions.
- Fix .gitignore for dnstap files and aclocal temp.
- Add aclocal to README.md for pkgconfig for some configure options.
25 April 2019: Wouter
- Add tls.tpkg unit test for DNS over TLS functionality.
18 April 2019: Wouter
- Fix to avoid buffer alloc with global buffer in tls write handler.
- Fix to initialize event structure when accepting TCP connection.
- Use travis for build check, initial unit test and clang analysis.
- Disable SSLv2,3,TLSv1.0,1.1 if TLS1.2 is available in libssl.
- Disable weak ciphers, enable CIPHER_SERVER_PREFERENCE.
- further setup ssl ctx after the keys are loaded, for ECDH.
- TLS OCSP stapling support, enabled with tls-service-ocsp: filename, patch from Andreas Schulze.
17 April 2019: Wouter
- Fix to share openssl init code, and perform it once.
16 April 2019: Andreas via Sara
- Patch to add support for TCP Fast Open
- Patch to add support for tls service on a specified tls port
16 April 2019: Wouter
- Fix #4249: The option hide-identity: yes stops NSD from responding with the hostname for chaos class queries. Implements the RFC4829 security considerations.
- Remove starttls, this signalling method was not standardized.
- Remove TO bit, this signalling method was not standardized.
- Remove unused first_query and tls_ok states.
- Remove sign-compare warning in tls packet send code.
- Fix spelling in comment and log printout.
- Fix potential uninitialized variable.
- Fix documentation for DNS over TLS, and set default port 853.
- Fix to add missing comment.
- Fix that the TLS handshake routine sets the correct event to continue when done.
- Fix that TLS renegotiation calls the read and write routines again with the same parameters when the desired event has been satisfied.
- Fix that TCP Fastopen has better error message and supports OSX.
- Fix log for fastopen with verbosity.
- Squelch TLS handshake failure log until verbosity 3.
- Add per-zone statistics for TLS queries, and dnstap for TLS queries, and rcode and TCflag statistics for TCP and TLS queries.
25 March 2019: Wouter
- Print IP address when bind socket fails with error.
21 March 2019: Wouter
- Fix spelling error in release notes.
- Fix to delete unused zparser.default_apex member.
netbsd-srcmastr pushed a commit that referenced this pull request Dec 15, 2019
- Fix #52: do not log transient network full errors unless higher verbosity is set.
- Fix checkconf test for new error output string.
- tag for 4.2.4rc1 release.
27 November 2017: Jeroen
- Fix regressions in configparser.y
22 November 2019: Wouter
- Fix #48: Add make distclean that removes config.h made by configure. And add maintainer-clean that removes bison and flex output.
18 November 2019: Wouter
- Detect fixed time memcmp for openssl 0.9.8 compatibility.
- Detect EC_KEY_new_by_curve_name for openssl 0.9.8.
- include limits.h for UINT_MAX.
- If no recvmmsg, don't use msg_flags member, but errno for error, where our fallback function left it, msg_flags also does not exist on some systems.
- Remove unused variable warning for portability.
14 November 2019: Wouter
- Fix checkconf test with filenames that sort in the same order.
- Tag for 4.2.3rc1. Branch master is 4.2.4 in development.
11 November 2019: Wouter
- Fix #44: document that remote-control is a top-level nsd.conf attribute.
- Fix compile on OSX.
- Fix for #44: nicer top-level clause documentation.
22 October 2019: Jeroen
- Number of different UDP handlers has been reduced to one. recvmmsg and sendmmsg implementations are now used on all platforms. Compatible implementations are in place for systems that lack the system calls.
- Socket options are now set in designated functions for easy reuse.
- Socket setup has been simplified for easy reuse.
- Configuration parser is now aware of the context in which an option was specified.
21 October 2019: Wouter
- For #21 add contrib/patch_for_s6_startup_and_other_service_supervisors.diff that adds support for readiness notification with READY_FD from Cameron Nemo.
17 October 2019: Jeroen
- Fix #40: Merge small fixes for confine-to-zone by Greg Bock.
15 October 2019: Jeroen
- For #39: Merge confine-to-zone feature contributed by Greg Bock.
26 September 2019: Wouter
- Fix #38: log address and failure reason with tls handshake errors, squelches (the same as unbound) some unless high verbosity is used.
- Fixup clang analysis warning in xfrd_parse_received_xfr_packet master dereference.
25 September 2019: Wouter
- The nsd.conf includes are sorted ascending, for include statements with a '*' from glob.
16 September 2019: Wouter
- Fixup warnings during --disable-ipv6 compile.
- Fixup unit test executable to run without IPv6.
4 September 2019: Wouter
- Fix #35: excessive logging of ixfr failures, it stops the log when fallback to axfr is possible. log is enabled at high verbosity.
2 September 2019: Wouter
- For #21: pidfile "" allows to run NSD without a pidfile, for startup management tools like daemontools.
28 August 2019: Wouter
- In tests check for tls test tool availability.
19 August 2019: Wouter
- Tag for 4.2.2 release. Git master contains 4.2.3 in development.
13 August 2019: Wouter
- Fix error message for out of zone data to have more information.
- Tag for 4.2.2rc2.
12 August 2019: Wouter
- Fix #33: Fix segfault in service of remaining streams on exit.
6 August 2019: Wouter
- Tag for 4.2.2rc1.
5 August 2019: Wouter
- PR #31: nsd-control: Add missing stdio header.
- PR #32: tsig: Fix compilation without HAVE_SSL.
- Cleanup tls context on xfrd exit.
31 July 2019: Wouter
- Fix #29: SSHFP check NULL pointer dereference.
- Fix #30: SSHFP check failure due to missing domain name.
- Fix to timeval_add in minievent for remaining second in microseconds.
22 July 2019: Wouter
- Set timeout for refetch immediately, only spread load when there are retries.
19 July 2019: Wouter
- Set no renegotiation on the SSL context to stop client session renegotiation.
18 July 2019: Wouter
- Fix #25: NSD doesn't refresh zones after extended downtime, it refreshes the old zones, with a random delay of a couple of seconds to spread the load.
- Fix so that expired zones stay expired when server is down a long time.
17 July 2019: Wouter
- Fix that NSD warns for wrong length of the hash in SSHFP records.
15 July 2019: Wouter
- PR #23: Fix typo in nsd.conf man-page.
4 July 2019: Wouter
- Set version to 4.2.2 in development.
- clean memory on exit of nsd-checkzone for memory debug.
- Fix #20: CVE-2019-13207 Stack-based Buffer Overflow in the dname_concatenate() function. Reported by Frederic Cambus. It causes the zone parser to crash on a malformed zone file, with assertions enabled, an assertion catches it.
- Fix #19: Out-of-bounds read caused by improper validation of array index. Reported by Frederic Cambus. The zone parser fails on type SIG because of mismatched definition with RRSIG.
2 July 2019: Wouter
- Tag for 4.2.1rc1
27 June 2019: Wouter
- Fix unit test for added options and no dot after zone updated log message.
- Fix compile without accept4.
21 June 2019: Wouter
- Omit remaining tcp processing if the list is empty.
- Fix output of nsd-checkconf -h.
20 June 2019: Wouter
- Initialize event structures before event_set, to stop uninitialized values from setting event library lists and assertions, that would sometimes also show after event_del.
- Added num.tls and num.tls6 stat counters.
- PR #12: send-buffer-size, receive-buffer-size, tcp-reject-overflow options for nsd.conf, from Jeroen Koekkoek.
- Do not use symbol from libc, instead use own replacement, if not available, for accept4.
- Fix #14, tcp connections have 1/10 to be active and have to work every second, and then they get time to complete during a reload, this is a process that lingers with the old version during a version update.
19 June 2019: Wouter
- Fix tls handshake event callback function mistake, reported by Mykhailo Danylenko.
18 June 2019: Wouter
- Fix #15: crash in SSL library, initialize variables for TCP access when TLS is configured.
14 June 2019: Wouter
- Fix to init event not pointer, in reassignment.
12 June 2019: Wouter
- Fix to init event structure for reassignment.
netbsd-srcmastr pushed a commit that referenced this pull request Aug 4, 2020
Version 4.4.2
22 January 2020
Release Notes
NEW FEATURES
Please note that ISC DHCP is now licensed under the Mozilla Public License,
MPL 2.0. Please see https://www.mozilla.org/en-US/MPL/2.0/ to read the MPL 2.0
license terms.
While release 4.4.2 is primarily a maintenance release that addresses a number
of defects, it does introduce a few new features:
- Keama - Keama is a migration utility that assists in converting ISC DHCP
server configuration files to Kea configuration files. It is found in the
keama subdirectory and includes a README.md file with instructions on how
to build it as well as a manpage on its usage.
- Two new server parameters related to ping checking were added:
1. ping-cltt-secs which allows the user to specify the number of seconds
that must elapse since CLTT before a ping check is conducted.
2. ping-timeout-ms which allows the user to specify the amount of time the
server waits for a ping-check response in milliseconds rather than in
seconds.
In general, the areas of focus for ISC DHCP 4.4 were:
1. Dynamic DNS additions
2. dhclient improvements
3. Support for dynamic shared libraries
Dynamic DNS Improvements:
- We added three new server configuration parameters which influence DDNS
conflict resolution:
1. ddns-dual-stack-mixed-mode - alters DNS conflict resolution behavior
to mitigate issues with non-compliant clients in dual stack environments.
2. ddns-guard-id-must-match - relaxes the DHCID RR client id matching
requirement of DNS conflict resolution.
3. ddns-other-guard-is-dynamic - alters dual-stack-mixed-mode behavior to
allow unguarded DNS entries to be overwritten in certain cases
- The server now honors update-static-leases parameter for static DHCPv6
hosts.
dhclient Improvements:
- We've added three command line parameters to dhclient:
1. --prefix-len-hint - directs dhclient to use the given length as
the prefix length hint when requesting prefixes
2. --decline-wait-time - instructs the client to wait the given number
of seconds after declining an IPv4 address before issuing a discover
3. --address-prefix-len - specifies the prefix length passed by dhclient
into the client script (via the environment variable ip6_prefixlen) with
each IPv6 address. We added this parameter because we have changed the
default value from 64 to 128 in order to be compliant with RFC3315bis
draft (-09, page 64) and RFC5942, Section 4, point 1.
**WARNING**: The new default value of 128 may not be backward compatible
with your environment. If you are operating without a router, such as
between VMs on a host, you may find they cannot see each other with prefix
length of 128. In such cases, you'll need to either provide routing or use
the command line parameter to set the value to 64. Alternatively you may
change the default at compile time by setting DHCLIENT_DEFAULT_PREFIX_LEN
in includes/site.h.
- dhclient will now generate a DHCPv6 DECLINE message when the client script
indicates a DAD failure
Dynamic shared library support:
Configure script, configure.ac+lt, which supports libtool, is now provided
with the source tar ball. This script can be used to configure ISC DHCP
to build with libtool and thus use dynamic shared libraries.
Other Highlights:
- The server now supports dhcp-cache-threshold for DHCPv6 operations
- The server now supports DHCPv6 address allocation based on EUI-64 DUIDs
- Experimental support for alternate relay port in both the server
and relay for IPv4, IPv6 and 4o6 (see: draft-ietf-dhc-relay-port-10.txt)
For information on how to install, configure and run this software, as
well as how to find documentation and report bugs, please consult the
README file.
ISC DHCP uses standard GNU configure for installation. Please review the
output of "./configure --help" to see what options are available.
The system has only been tested on Linux, FreeBSD, and Solaris, and may not
work on other platforms. Please report any problems and suggested fixes to
<dhcp-users@isc.org>.
ISC DHCP is open source software maintained by Internet Systems
Consortium. This product includes cryptographic software written
by Eric Young (eay@cryptsoft.com).
Changes since 4.4.2b1 (Bug Fixes)
- Added a clarification on DHCPINFORMs and server authority to
dhcpd.conf.5
[Gitlab #37]
- Only emit lease scrubbing log messages when DEBUG_FAILOVER_MESSAGES
is defined.
[Gitlab #72]
- Added the interface name to socket initialization failure log messages.
Prior to this the log messages stated only the error reason without
stating the target interface.
[Gitlab #75]
- Corrected buffer pointer logic in dhcrelay functions that manipulate
agent relay options. Thanks to Thomas Imbert of MSRC Vulnerabilities
& Mitigations for reporting the issue.
[#71]
- Corrected unresolved symbol errors building relay_unittests when
configured to build using libtool.
[#80]
Changes since 4.4.1 (New Features)
- A new configuration parameter, ping-cltt-secs (v4 operation only), has
been added to allow the user to specify the number of seconds that must
elapse since CLTT before a ping check is conducted. Prior to this, the
value was hard coded at 60 seconds. Please see the server man pages for
a more detailed discussion.
[ISC-Bugs #36283]
- A new configuration parameter, ping-timeout-ms (v4 operation only),
has been added that allows the user to specify the amount of time
the server waits for a ping-check response in milliseconds rather
than in seconds (via ping-timeout). When greater than zero, the value
of ping-timeout-ms will override the value of ping-timeout. Thanks
to Jay Doran from Bluecat Networks for suggesting this feature.
[Gitlab #10]
- An experimental tool called Keama (KEA Migration Assistant), which helps
translate ISC DHCP configurations to Kea configurations, is now included
in the distribution.
[Gitlab #34]
Changes since 4.4.1 (Bug Fixes)
- Corrected a misuse of the BIND9 DDNS API which caused DDNS updates to be
carried out over TCP rather than UDP. The coding error was exposed by
migration to BIND9 9.11. Thanks to Jinmei Tatuya at Infoblox for
reporting the issue.
[ISC-Bugs #47757]
- Bind9 now defaults to requiring python to build. The Makefile for
building Bind9 when bundled with ISC DHCP was modified to turn off
this dependency.
[Gitlab #3]
- Corrected a dual-stack mixed-mode issue that occurs when both
ddns-guard-id-must-match and ddns-other-guard-is-dynamic
are enabled and that caused the server to incorrectly interpret
the presence of a guard record belonging to another client as
a case of no guard record at all. Thanks to Fernando Soto
from BlueCat Networks for reporting this issue.
[Gitlab #1]
- Corrected a compilation issue that occurred when building without DNS
update ability (e.g. by undefining NSUPDATE).
[Gitlab #16]
- Corrected an issue that was causing the server, when running in
DHCPv4 mode, to segfault when class lease limits are reached.
Thanks to Peter Nagy at Porion-Digital for reporting the matter
and submitting a patch.
[Gitlab #13]
- Made minor changes to eliminate warnings when compiled with GCC 9.
Thanks to Brett Neumeier for bringing the matter to our attention.
[Gitlab #15]
- Fixed potential memory leaks in parser error message generation
spotted by Coverity, CIDs: 1448191, 1448193, 1448194, 1448195
[Gitlab #30]
- Updated URL of IEEE oui.txt in contrib/dhcp-lease-list.pl. Thanks
to Tommy Smith for contributing the patch.
[Gitlab #26]
- Fixed define flags when using SO_BINDTODEVICE. Thanks to Joe LeVeque for
reporting the issue.
[GitLab #19]
- Applied a patch from OpenBSD to always set the scope id of outbound
DHCPv6 packets. Note this change only applies when compiling under
OpenBSD. Thanks to Brad Smith at OpenBSD for bringing it to our
attention.
[Gitlab #33]
- Modified dhclient to not discard config file leases that are
duplicates of server-provided leases and to retain such leases
after they have been used as the fallback active lease and
DHCP service has been restored. This allows them to be used
more than once during the lifetime of a dhclient instance.
This applies to DHCPv4 operation only.
[Gitlab #9]
- Corrected a number of reference counter and zero-length buffer leaks.
Thanks to Christopher Ertl of MSRC Vulnerabilities & Mitigations for
pointing them out.
[Gitlab #57]
- Closed a small window of time between the installation of graceful
shutdown signal handlers and application context startup, during which
the receipt of shutdown signal would cause a REQUIRE() assertion to
occur. Note this issue is only visible when compiling with
ENABLE_GENTLE_SHUTDOWN defined.
[Gitlab #53]
- Corrected a buffer overflow that can occur when retrieving zone
names that are more than 255 characters in length.
[Gitlab #20]
- The "d" domain name option format was incorrectly handled as text
instead of RFC 1035 wire format. Thanks to Jay Doran at BlueCat Networks
for reporting this issue.
[Gitlab #2]
- Improved the error message issued when a host declaration has both
a uid and a dhcp-client-identifier. Server configuration parsing will
now fail if a host declaration specifies more than one uid.
[Gitlab #7]
- Updated developer's documentation on building and running unit tests.
Removed support for --with-atf=bind as BIND9 no longer bundles in ATF
source.
[Gitlab #35]
- Fixed a syntax error in ldap.c which cropped up under Ubuntu
18.04.1/gcc 7.4.0. Thanks to Charles Hedrick for pointing it out.
[Gitlab #51]
- Added clarification to dhcp-options.5 section on ip-address values
describing the first-use DNS resolution of options with hostnames as
values (e.g. next-server).
[Gitlab #28]
- The option format for the server option omapi-key was changed to a
format type 'k' (key name); while server options ldap-port and
ldap-init-retry were changed to 'L' (unsigned 32-bit integer). These
three options were inadvertently broken when the 'd' format content
was changed to comply with RFC 1035 wire format (see Gitlab #2).
[Gitlab #68]
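Three entries on this page turn on the same pair of RFC 1035 limits without showing them: NSD's CVE-2019-13207 stack-based overflow in dname_concatenate() (the zone parser joining a relative owner name to the origin), ISC DHCP's overflow when retrieving zone names longer than 255 characters, and the 'd' option format that must carry RFC 1035 wire format rather than text. What follows is an added example written for this page, not code from NSD or ISC DHCP: a wire-format encoder, decoder and concatenation routine that enforce the 63-octet label and 255-octet name limits and return an error instead of writing past the buffer. The names dname_encode, dname_decode, dname_concatenate, concat_len, roundtrip_len and decode_len are this example's own (dname_concatenate borrows the name of the NSD function in the changelog but is not its implementation), and the LABEL63, LABEL61 and LABEL62 inputs are constructed test data.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 1035 section 2.3.4: a label is at most 63 octets; a whole name, length
 * octets and terminating zero octet included, is at most 255 octets. */
#define DNAME_MAX 255
#define LABEL_MAX 63

/* Constructed test data (not from either project): labels of 63, 61 and 62 'a's. */
#define A9      "aaaaaaaaa"
#define LABEL63 A9 A9 A9 A9 A9 A9 A9
#define LABEL61 A9 A9 A9 A9 A9 A9 "aaaaaaa"
#define LABEL62 A9 A9 A9 A9 A9 A9 "aaaaaaaa"

/* Encode a presentation-format name ("www.example.com", trailing dot optional)
 * as wire format: length-prefixed labels ending in a zero octet. Returns the
 * wire length, or -1 for an empty or over-long label, a name that would exceed
 * DNAME_MAX, or an output buffer that is too small. */
int dname_encode(const char *text, uint8_t *out, size_t outlen)
{
    size_t pos = 0;
    const char *p = (text[0] == '.' && text[1] == '\0') ? text + 1 : text;

    while (*p != '\0') {
        const char *dot = strchr(p, '.');
        size_t lablen = dot ? (size_t)(dot - p) : strlen(p);

        if (lablen == 0 || lablen > LABEL_MAX)
            return -1;
        /* length octet + label octets + room for the final zero octet */
        if (pos + 1 + lablen + 1 > DNAME_MAX || pos + 1 + lablen + 1 > outlen)
            return -1;
        out[pos++] = (uint8_t)lablen;
        memcpy(out + pos, p, lablen);
        pos += lablen;
        p = dot ? dot + 1 : p + lablen;
    }
    if (pos >= outlen)
        return -1;
    out[pos++] = 0;
    return (int)pos;
}

/* Decode wire format back to dotted text, checking bounds before every read.
 * Returns the text length (fully qualified, trailing dot), or -1 for a name that
 * is truncated, longer than DNAME_MAX, or contains a compression pointer (top
 * bits 11), which has no business in zone files or option data. */
int dname_decode(const uint8_t *wire, size_t wirelen, char *text, size_t textlen)
{
    size_t pos = 0, tpos = 0;

    for (;;) {
        if (pos >= wirelen || pos >= DNAME_MAX)
            return -1;                      /* ran off the end / over 255 */
        uint8_t lablen = wire[pos++];
        if (lablen == 0)
            break;
        if (lablen > LABEL_MAX)
            return -1;                      /* also rejects 0xC0 pointers */
        if (pos + lablen > wirelen)
            return -1;                      /* label truncated */
        if (tpos + lablen + 1 >= textlen)
            return -1;                      /* no room for label, dot, NUL */
        memcpy(text + tpos, wire + pos, lablen);
        tpos += lablen;
        pos += lablen;
        text[tpos++] = '.';
    }
    if (tpos == 0) {                        /* root name */
        if (textlen < 2)
            return -1;
        text[tpos++] = '.';
    }
    text[tpos] = '\0';
    return (int)tpos;
}

/* Join a relative wire-format name to its origin, as a zone parser does for a
 * record whose owner name lacks the trailing dot. The relative name's zero octet
 * is dropped; the origin supplies the terminator. Returns the combined length,
 * or -1 when the result would exceed DNAME_MAX or the output buffer. */
int dname_concatenate(const uint8_t *rel, int rellen,
                      const uint8_t *origin, int originlen,
                      uint8_t *out, size_t outlen)
{
    if (rellen < 1 || originlen < 1)
        return -1;
    size_t total = (size_t)(rellen - 1) + (size_t)originlen;
    if (total > DNAME_MAX || total > outlen)
        return -1;
    memcpy(out, rel, (size_t)(rellen - 1));
    memcpy(out + (rellen - 1), origin, (size_t)originlen);
    return (int)total;
}

/* Helpers that reduce each scenario to one int so results can be checked. */
int concat_len(const char *relative, const char *origin)
{
    uint8_t rel[DNAME_MAX + 1], org[DNAME_MAX + 1], out[DNAME_MAX + 1];
    int rl = dname_encode(relative, rel, sizeof rel);
    int ol = dname_encode(origin, org, sizeof org);
    if (rl < 0 || ol < 0)
        return -1;
    return dname_concatenate(rel, rl, org, ol, out, sizeof out);
}

/* Encode, decode, and return the wire length only if the round trip gives the
 * input back as a fully qualified name; -1 otherwise. */
int roundtrip_len(const char *name)
{
    uint8_t wire[DNAME_MAX + 1];
    char back[DNAME_MAX + 2];
    size_t len = strlen(name);
    int n = dname_encode(name, wire, sizeof wire);
    if (n < 0 || dname_decode(wire, (size_t)n, back, sizeof back) < 0)
        return -1;
    if (len > 0 && name[len - 1] == '.')
        return strcmp(back, name) == 0 ? n : -1;
    if (strncmp(back, name, len) != 0 || back[len] != '.' || back[len + 1] != '\0')
        return -1;
    return n;
}

int decode_len(const uint8_t *wire, size_t wirelen)
{
    char text[DNAME_MAX + 2];
    return dname_decode(wire, wirelen, text, sizeof text);
}

int main(void)
{
    printf("www.example.com         -> wire length %d\n", roundtrip_len("www.example.com"));
    printf("63.63.63 + origin 61    -> %d (exactly 255, accepted)\n",
           concat_len(LABEL63 "." LABEL63 "." LABEL63, LABEL61));
    printf("63.63.63 + origin 62    -> %d (256 octets, rejected)\n",
           concat_len(LABEL63 "." LABEL63 "." LABEL63, LABEL62));
    printf("wire missing terminator -> %d (rejected)\n",
           decode_len((const uint8_t *)"\3www\7example\3com", 16));
    return 0;
}
```

The two concat_len calls in main() sit on either side of the 255-octet boundary; that boundary, not the size of the caller's stack buffer, is where a checked concatenation has to fail, and the decoder's length-before-read checks are what keep a truncated or pointer-bearing name from turning into an out-of-bounds read.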
netbsd-srcmastr pushed a commit that referenced this pull request Aug 9, 2020
Version 4.4.2
22 January 2020
Release Notes
NEW FEATURES
Please note that that ISC DHCP is now licensed under the Mozilla Public License,
MPL 2.0. Please see https://www.mozilla.org/en-US/MPL/2.0/ to read the MPL 2.0
license terms.
While release 4.4.2 is primarily a maintenance release that addresses a number
of defects, it does introduce a few new features:
- Keama - Keama is a migration utility that assists in converting ISC DHCP
server configuration files to Kea configuration files. It is found in the
keama subdirectory and includes a README.md file with instructions on how
to build it as well as a manpage on its usage.
- Two new server parameters related to ping checking were added:
1. ping-cltt-secs which allows the user to specify the number of seconds
that must elapse since CLTT before a ping check is conducted.
2. ping-timeout-ms which allows the user to specify the amount of time the
server waits for a ping-check response in milliseconds rather than in
seconds.
In general, the areas of focus for ISC DHCP 4.4 were:
1. Dynamic DNS additions
2. dhclient improvements
3. Support for dynamic shared libraries
Dynamic DNS Improvements:
- We added three new server configuration parameters which influence DDNS
conflict resolution:
1. ddns-dual-stack-mixed-mode - alters DNS conflict resolution behavior
to mitigate issues with non-compliant clients in dual stack environments.
2. ddns-guard-id-must-match - relaxes the DHCID RR client id matching
requirement of DNS conflict resolution.
3. ddns-other-guard-is-dynamic - alters dual-stack-mixed-mode behavior to
allow unguarded DNS entries to be overwritten in certain cases
- The server now honors update-static-leases parameter for static DHCPv6
hosts.
dhclient Improvements:
- We've added three command line parameters to dhclient:
1. --prefix-len-hint - directs dhclient to use the given length as
the prefix length hint when requesting prefixes
2. --decline-wait-time - instructs the client to wait the given number
of seconds after declining an IPv4 address before issuing a discover
3. --address-prefix-len - specifies the prefix length passed by dhclient
into the client script (via the environment variable ip6_prefixlen) with
each IPv6 address. We added this parameter because we have changed the
default value from 64 to 128 in order to be compliant with RFC3315bis
draft (-09, page 64) and RFC5942, Section 4, point 1.
**WARNING**: The new default value of 128 may not be backwardly compatible
with your environment. If you are operating without a router, such as
between VMs on a host, you may find they cannot see each other with prefix
length of 128. In such cases, you'll need to either provide routing or use
the command line parameter to set the value to 64. Alternatively you may
change the default at compile time by setting DHCLIENT_DEFAULT_PREFIX_LEN
in includes/site.h.
- dhclient will now generate a DHCPv6 DECLINE message when the client script
indicates a DAD failure
Dynamic shared library support:
A configure script, configure.ac+lt, which supports libtool, is now provided
with the source tar ball. This script can be used to configure ISC DHCP
to build with libtool and thus use dynamic shared libraries.
Other Highlights:
- The server now supports dhcp-cache-threshold for DHCPv6 operations
- The server now supports DHCPv6 address allocation based on EUI-64 DUIDs
- Experimental support for alternate relay port in both the server
and relay for IPv4, IPv6 and 4o6 (see: draft-ietf-dhc-relay-port-10.txt)
For information on how to install, configure and run this software, as
well as how to find documentation and report bugs, please consult the
README file.
ISC DHCP uses standard GNU configure for installation. Please review the
output of "./configure --help" to see what options are available.
The system has only been tested on Linux, FreeBSD, and Solaris, and may not
work on other platforms. Please report any problems and suggested fixes to
<dhcp-users@isc.org>.
ISC DHCP is open source software maintained by Internet Systems
Consortium. This product includes cryptographic software written
by Eric Young (eay@cryptsoft.com).
Changes since 4.4.2b1 (Bug Fixes)
- Added a clarification on DHCPINFORMs and server authority to
dhcpd.conf.5
[Gitlab #37]
- Only emit lease scrubbing log messages when DEBUG_FAILOVER_MESSAGES
is defined.
[Gitlab #72]
- Added the interface name to socket initialization failure log messages.
Prior to this the log messages stated only the error reason without
stating the target interface.
[Gitlab #75]
- Corrected buffer pointer logic in dhcrelay functions that manipulate
agent relay options. Thanks to Thomas Imbert of MSRC Vulnerabilities
& Mitigations for reporting the issue.
[#71]
- Corrected unresolved symbol errors building relay_unittests when
configured to build using libtool.
[#80]
Changes since 4.4.1 (New Features)
- A new configuration parameter, ping-cltt-secs (v4 operation only), has
been added to allow the user to specify the number of seconds that must
elapse since CLTT before a ping check is conducted. Prior to this, the
value was hard coded at 60 seconds. Please see the server man pages for
a more detailed discussion.
[ISC-Bugs #36283]
- A new configuration parameter, ping-timeout-ms (v4 operation only),
has been added that allows the user to specify the amount of time
the server waits for a ping-check response in milliseconds rather
than in seconds (via ping-timeout). When greater than zero, the value
of ping-timeout-ms will override the value of ping-timeout. Thanks
to Jay Doran from Bluecat Networks for suggesting this feature.
[Gitlab #10]
- An experimental tool called Keama (KEA Migration Assistant), which helps
translate ISC DHCP configurations to Kea configurations, is now included
in the distribution.
[Gitlab #34]
Changes since 4.4.1 (Bug Fixes)
- Corrected a misuse of the BIND9 DDNS API which caused DDNS updates to be
carried out over TCP rather than UDP. The coding error was exposed by
migration to BIND9 9.11. Thanks to Jinmei Tatuya at Infoblox for
reporting the issue.
[ISC-Bugs #47757]
- Bind9 now defaults to requiring python to build. The Makefile for
building Bind9 when bundled with ISC DHCP was modified to turn off
this dependency.
[Gitlab #3]
- Corrected a dual-stack mixed-mode issue that occurs when both
ddns-guard-id-must-match and ddns-other-guard-is-dynamic
are enabled and that caused the server to incorrectly interpret
the presence of a guard record belonging to another client as
a case of no guard record at all. Thanks to Fernando Soto
from BlueCat Networks for reporting this issue.
[Gitlab #1]
- Corrected a compilation issue that occurred when building without DNS
update ability (e.g. by undefining NSUPDATE).
[Gitlab #16]
- Corrected an issue that was causing the server, when running in
DHCPv4 mode, to segfault when class lease limits are reached.
Thanks to Peter Nagy at Porion-Digital for reporting the matter
and submitting a patch.
[Gitlab #13]
- Made minor changes to eliminate warnings when compiled with GCC 9.
Thanks to Brett Neumeier for bringing the matter to our attention.
[Gitlab #15]
- Fixed potential memory leaks in parser error message generation
spotted by Coverity, CIDs: 1448191, 1448193, 1448194, 1448195
[Gitlab #30]
- Updated URL of IEEE oui.txt in contrib/dhcp-lease-list.pl. Thanks
to Tommy Smith for contributing the patch.
[Gitlab #26]
- Fixed define flags when using SO_BINDTODEVICE. Thanks to Joe LeVeque for
reporting the issue.
[GitLab #19]
- Applied a patch from OpenBSD to always set the scope id of outbound
DHCPv6 packets. Note this change only applies when compiling under
OpenBSD. Thanks to Brad Smith at OpenBSD for bringing it to our
attention.
[Gitlab #33]
- Modified dhclient to not discard config file leases that are
duplicates of server-provided leases and to retain such leases
after they have been used as the fallback active lease and
DHCP service has been restored. This allows them to be used
more than once during the lifetime of a dhclient instance.
This applies to DHCPv4 operation only.
[Gitlab #9]
- Corrected a number of reference counter and zero-length buffer leaks.
Thanks to Christopher Ertl of MSRC Vulnerabilities & Mitigations for
pointing them out.
[Gitlab #57]
- Closed a small window of time between the installation of graceful
shutdown signal handlers and application context startup, during which
the receipt of shutdown signal would cause a REQUIRE() assertion to
occur. Note this issue is only visible when compiling with
ENABLE_GENTLE_SHUTDOWN defined.
[Gitlab #53]
- Corrected a buffer overflow that can occur when retrieving zone
names that are more than 255 characters in length.
[Gitlab #20]
- The "d" domain name option format was incorrectly handled as text
instead of RFC 1035 wire format. Thanks to Jay Doran at BlueCat Networks
for reporting this issue.
[Gitlab #2]
- Improved the error message issued when a host declaration has both
a uid and a dhcp-client-identifier. Server configuration parsing will
now fail if a host declaration specifies more than one uid.
[Gitlab #7]
- Updated developer's documentation on building and running unit tests.
Removed support for --with-atf=bind as BIND9 no longer bundles in ATF
source.
[Gitlab #35]
- Fixed a syntax error in ldap.c which cropped up under Ubuntu
18.04.1/gcc 7.4.0. Thanks to Charles Hedrick for pointing it out.
[Gitlab #51]
- Added clarification to dhcp-options.5 section on ip-address values
describing the first-use DNS resolution of options with hostnames as
values (e.g. next-server).
[Gitlab #28]
- The option format for the server option omapi-key was changed to a
format type 'k' (key name); while server options ldap-port and
ldap-init-retry were changed to 'L' (unsigned 32-bit integer). These
three options were inadvertently broken when the 'd' format content
was changed to comply with RFC 1035 wire format (see Gitlab #2).
[Gitlab #68]
netbsd-srcmastr
pushed a commit
that referenced
this pull request
Dec 20, 2022
sbin/tunefs/tunefs.c: revision 1.57 tunefs: clarify that "-a" refers to NFSv4 ACLs
netbsd-srcmastr
pushed a commit
that referenced
this pull request
Aug 16, 2025
sys/netipsec/ipsec_input.c: revision 1.82 Fix dst address log which shows src address wrongly, pointed out by ohishi@IIJ.