Merge pull request #7036 from EricLuehrsen/unbound-1.8.0

unbound: update to 1.8.0

net/unbound/Makefile

@@ -8,8 +8,8 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=unbound
-PKG_VERSION:=1.7.3
-PKG_RELEASE:=6
+PKG_VERSION:=1.8.0
+PKG_RELEASE:=1
 
 PKG_LICENSE:=BSD-3-Clause
 PKG_LICENSE_FILES:=LICENSE
@@ -17,7 +17,7 @@ PKG_MAINTAINER:=Eric Luehrsen <ericluehrsen@gmail.com>
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=http://www.unbound.net/downloads
-PKG_HASH:=c11de115d928a6b48b2165e0214402a7a7da313cd479203a7ce7a8b62cba602d
+PKG_HASH:=78f79d6d3b643fdcd74a14fc76542250da886c82f82bc55b51e189663d61b83f
 
 PKG_BUILD_PARALLEL:=1
 PKG_FIXUP:=autoreconf

net/unbound/files/README.md

@@ -273,8 +273,9 @@ config unbound
 
   option protocol 'mixed'
     Unbound can limit its protocol used for recursive queries.
-    ip4_only - limit issues if you do not have native IPv6
+    ip4_only - old fashioned IPv4 upstream and downstream
     ip6_only - test environment only; could cauase problems
+    ip6_local - upstream IPv4 only and local network IPv4 and IPv6
     ip6_prefer - both IPv4 and IPv6 but try IPv6 first
     mixed - both IPv4 and IPv6
     default - Unbound built-in defaults

net/unbound/files/unbound.sh

@@ -619,7 +619,6 @@ unbound_conf() {
         echo "  port: $UB_N_RX_PORT"
         echo "  outgoing-port-permit: 10240-65535"
         echo "  interface: 0.0.0.0"
-        echo "  interface: ::0"
         echo "  outgoing-interface: 0.0.0.0"
         echo "  do-ip4: yes"
         echo "  do-ip6: no"
@@ -632,7 +631,6 @@ unbound_conf() {
         echo "  edns-buffer-size: $UB_N_EDNS_SIZE"
         echo "  port: $UB_N_RX_PORT"
         echo "  outgoing-port-permit: 10240-65535"
-        echo "  interface: 0.0.0.0"
         echo "  interface: ::0"
         echo "  outgoing-interface: ::0"
         echo "  do-ip4: no"
@@ -641,6 +639,20 @@ unbound_conf() {
       } >> $UB_CORE_CONF
       ;;
 
+   ip6_local)
+      {
+        echo "  edns-buffer-size: $UB_N_EDNS_SIZE"
+        echo "  port: $UB_N_RX_PORT"
+        echo "  outgoing-port-permit: 10240-65535"
+        echo "  interface: 0.0.0.0"
+        echo "  interface: ::0"
+        echo "  outgoing-interface: 0.0.0.0"
+        echo "  do-ip4: yes"
+        echo "  do-ip6: yes"
+        echo
+      } >> $UB_CORE_CONF
+      ;;
+
     ip6_prefer)
       {
         echo "  edns-buffer-size: $UB_N_EDNS_SIZE"
@@ -692,27 +704,15 @@ unbound_conf() {
   esac
 
 
-  {
-    # Other harding and options for an embedded router
-    echo "  harden-short-bufsize: yes"
-    echo "  harden-large-queries: yes"
-    echo "  harden-glue: yes"
-    echo "  harden-below-nxdomain: no"
-    echo "  harden-referral-path: no"
-    echo "  use-caps-for-id: no"
-    echo
-  } >> $UB_CORE_CONF
-
-
   case "$UB_D_RESOURCE" in
     # Tiny - Unbound's recommended cheap hardware config
     tiny)   rt_mem=1  ; rt_conn=2  ; rt_buff=1 ;;
     # Small - Half RRCACHE and open ports
     small)  rt_mem=8  ; rt_conn=10 ; rt_buff=2 ;;
     # Medium - Nearly default but with some added balancintg
-    medium) rt_mem=16 ; rt_conn=20 ; rt_buff=4 ;;
+    medium) rt_mem=16 ; rt_conn=15 ; rt_buff=4 ;;
     # Large - Double medium
-    large)  rt_mem=32 ; rt_conn=40 ; rt_buff=4 ;;
+    large)  rt_mem=32 ; rt_conn=20 ; rt_buff=4 ;;
     # Whatever unbound does
     *) rt_mem=0 ; rt_conn=0 ;;
   esac
@@ -720,10 +720,16 @@ unbound_conf() {
 
   if [ "$rt_mem" -gt 0 ] ; then
     {
+      # Other harding and options for an embedded router
+      echo "  harden-short-bufsize: yes"
+      echo "  harden-large-queries: yes"
+      echo "  harden-glue: yes"
+      echo "  use-caps-for-id: no"
+      echo
       # Set memory sizing parameters
       echo "  msg-buffer-size: $(($rt_buff*8192))"
-      echo "  outgoing-range: $(($rt_conn*64))"
-      echo "  num-queries-per-thread: $(($rt_conn*32))"
+      echo "  outgoing-range: $(($rt_conn*32))"
+      echo "  num-queries-per-thread: $(($rt_conn*16))"
       echo "  outgoing-num-tcp: $(($rt_conn))"
       echo "  incoming-num-tcp: $(($rt_conn))"
       echo "  rrset-cache-size: $(($rt_mem*256))k"

net/unbound/patches/200-openssl-log-err.patch

@@ -1,48 +0,0 @@
-Index: daemon/remote.c
-===================================================================
---- a/daemon/remote.c
-+++ b/daemon/remote.c
-@@ -1950,6 +1950,11 @@
- 				return NULL;
- 			}
- 		} else {
-+#ifndef HAVE_SSL_SET1_HOST
-+			if(auth_name)
-+			  log_err("no name verification functionality in "
-+				"ssl library, ignored name for %s", todo);
-+#endif
- 			/* add address */
- 			if(!delegpt_add_addr_mlc(dp, &addr, addrlen, 0, 0,
- 				auth_name)) {
-Index: iterator/iter_fwd.c
-===================================================================
---- a/iterator/iter_fwd.c
-+++ b/iterator/iter_fwd.c
-@@ -239,6 +239,11 @@
- 				s->name, p->str);
- 			return 0;
- 		}
-+#ifndef HAVE_SSL_SET1_HOST
-+		if(tls_auth_name)
-+			log_err("no name verification functionality in "
-+				"ssl library, ignored name for %s", p->str);
-+#endif
- 		if(!delegpt_add_addr_mlc(dp, &addr, addrlen, 0, 0,
- 			tls_auth_name)) {
- 			log_err("out of memory");
-Index: iterator/iter_hints.c
-===================================================================
---- a/iterator/iter_hints.c
-+++ b/iterator/iter_hints.c
-@@ -252,6 +252,11 @@
- 				s->name, p->str);
- 			return 0;
- 		}
-+#ifndef HAVE_SSL_SET1_HOST
-+		if(auth_name)
-+			log_err("no name verification functionality in "
-+				"ssl library, ignored name for %s", p->str);
-+#endif
- 		if(!delegpt_add_addr_mlc(dp, &addr, addrlen, 0, 0,
- 			auth_name)) {
- 			log_err("out of memory");