vendor/unbound/1.5.2

10 files changed, 122 insertions, 16 deletions

diff --git a/doc/Changelog b/doc/Changelog
index 1bd19f19c436..4b3a4949a217 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,12 +1,94 @@
-8 December 2014: Wouter
-	- Fix CVE-2014-8602: denial of service by making resolver chase
-	  endless series of delegations.
+13 February 2015: Wouter
+	- Fix #643: doc/example.conf.in: unnecessary whitespace.
+
+12 February 2015: Wouter
+	- tag 1.5.2rc1
+
+11 February 2015: Wouter
+	- iana portlist update.
+
+10 February 2015: Wouter
+	- Fix scrubber with harden-glue turned off to reject NS (and other
+	  not-address) records.
+
+9 February 2015: Wouter
+	- Fix validation failure in case upstream forwarder (ISC BIND) does
+	  not have the same trust anchors and decides to insert unsigned NS
+	  record in authority section.
+
+2 February 2015: Wouter
+	- infra-cache-min-rtt patch from Florian Riehm, for expected long
+	  uplink roundtrip times.
+
+30 January 2015: Wouter
+	- Fix 0x20 capsforid fallback to omit gratuitous NS and additional
+	  section changes.
+	- Portability fix for Solaris ('sun' is not usable for a variable).
+
+29 January 2015: Wouter
+	- Fix pyunbound byte string representation for python3.
+
+26 January 2015: Wouter
+	- Fix unintended use of gcc extension for incomplete enum types,
+	  compile with pedantic c99 compliance (from Daniel Dickman).
+
+23 January 2015: Wouter
+	- windows port fixes, no AF_LOCAL, no chown, no chmod(grp).
+
+16 January 2015: Wouter
+	- unit test for local unix connection.  Documentation and log_addr
+	  does not inspect port for AF_LOCAL.
+	- unbound-checkconf -f prints chroot with pidfile path.
+
+13 January 2015: Wouter
+	- iana portlist update.
+
+12 January 2015: Wouter
+	- Cast sun_len sizeof to socklen_t.
+	- Fix pyunbound ord call, portable for python 2 and 3.
+
+7 January 2015: Wouter
+	- Fix warnings in pythonmod changes.
+
+6 January 2015: Wouter
+	- iana portlist update.
 	- patch for remote control over local sockets, from Dag-Erling
 	  Smorgrav, Ilya Bakulin.  Use control-interface: /path/sock and
 	  control-use-cert: no.
 	- Fixup that patch and uid lookup (only for daemon).
 	- coded the default of control-use-cert, to yes.
 
+5 January 2015: Wouter
+	- getauxval test for ppc64 linux compatibility.
+	- make strip works for unbound-host and unbound-anchor.
+	- patch from Stephane Lapie that adds to the python API, that
+	  exposes struct delegpt, and adds the find_delegation function.
+	- print query name when max target count is exceeded.
+	- patch from Stuart Henderson that fixes DESTDIR in
+	  unbound-control-setup for installs where config is not in
+	  the prefix location.
+	- Fix #634: fix fail to start on Linux LTS 3.14.X, ignores missing
+	  IP_MTU_DISCOVER OMIT option (fix from Remi Gacogne).
+	- Updated contrib warmup.cmd/sh to support two modes - load
+	  from pre-defined list of domains or (with filename as argument)
+	  load from user-specified list of domains, and updated contrib
+	  unbound_cache.sh/cmd to support loading/save/reload cache to/from
+	  default path or (with secondary argument) arbitrary path/filename,
+	  from Yuri Voinov.
+	- Patch from Philip Paeps to contrib/unbound_munin_ that uses
+	  type ABSOLUTE.  Allows munin.conf: [idleserver.example.net]
+	  unbound_munin_hits.graph_period minute
+
+9 December 2014: Wouter
+	- svn trunk has 1.5.2 in development.
+	- config.guess and config.sub update from libtoolize.
+	- local-zone: example.com inform makes unbound log a message with
+	  client IP for queries in that zone.  Eg. for finding infected hosts.
+
+8 December 2014: Wouter
+	- Fix CVE-2014-8602: denial of service by making resolver chase
+	  endless series of delegations.
+
 1 December 2014: Wouter
 	- Fix bug#632: unbound fails to build on AArch64, protects
 	  getentropy compat code from calling sysctl if it is has been removed.
diff --git a/doc/README b/doc/README
index df92fccb5d36..5c6648599e5c 100644
--- a/doc/README
+++ b/doc/README
@@ -1,4 +1,4 @@
-README for Unbound 1.5.1
+README for Unbound 1.5.2
 Copyright 2007 NLnet Labs
 http://unbound.net
 
diff --git a/doc/example.conf.in b/doc/example.conf.in
index b95b3a6339c4..ddcb4f03d1bc 100644
--- a/doc/example.conf.in
+++ b/doc/example.conf.in
@@ -1,7 +1,7 @@
 #
 # Example configuration file.
 #
-# See unbound.conf(5) man page, version 1.5.1.
+# See unbound.conf(5) man page, version 1.5.2.
 #
 # this is a comment.
 
@@ -138,6 +138,9 @@ server:
 	# the time to live (TTL) value for cached roundtrip times, lameness and
 	# EDNS version information for hosts. In seconds.
 	# infra-host-ttl: 900
+	
+	# minimum wait time for responses, increase if uplink is long. In msec.
+	# infra-cache-min-rtt: 50
 
 	# the number of slabs to use for the Infrastructure cache.
 	# the number of slabs must be a power of 2.
@@ -437,7 +440,7 @@ server:
 	# the amount of memory to use for the negative cache (used for DLV).
 	# plain value in bytes or you can append k, m or G. default is "1Mb". 
 	# neg-cache-size: 1m
-	
+
 	# By default, for a number of zones a small default 'nothing here'
 	# reply is built-in.  Query traffic is thus blocked.  If you
 	# wish to serve such zone you can unblock them by uncommenting one
@@ -497,6 +500,7 @@ server:
 	# o redirect serves the zone data for any subdomain in the zone.
 	# o nodefault can be used to normally resolve AS112 zones.
 	# o typetransparent resolves normally for other types and other names
+	# o inform resolves normally, but logs client IP address
 	#
 	# defaults are localhost address, reverse for 127.0.0.1 and ::1
 	# and nxdomain for AS112 zones. If you configure one of these zones
@@ -552,6 +556,10 @@ remote-control:
 	# set up the keys and certificates with unbound-control-setup.
 	# control-enable: no
 
+	# Set to no and use an absolute path as control-interface to use
+	# a unix local named pipe for unbound-control.
+	# control-use-cert: yes
+
 	# what interfaces are listened to for remote control.
 	# give 0.0.0.0 and ::0 to listen to all interfaces.
 	# control-interface: 127.0.0.1
diff --git a/doc/libunbound.3.in b/doc/libunbound.3.in
index 55a9cb286e6e..02f45e66fc69 100644
--- a/doc/libunbound.3.in
+++ b/doc/libunbound.3.in
@@ -1,4 +1,4 @@
-.TH "libunbound" "3" "Dec  8, 2014" "NLnet Labs" "unbound 1.5.1"
+.TH "libunbound" "3" "Feb 19, 2015" "NLnet Labs" "unbound 1.5.2"
 .\"
 .\" libunbound.3 -- unbound library functions manual
 .\"
@@ -42,7 +42,7 @@
 .B ub_ctx_zone_remove,
 .B ub_ctx_data_add,
 .B ub_ctx_data_remove
-\- Unbound DNS validating resolver 1.5.1 functions.
+\- Unbound DNS validating resolver 1.5.2 functions.
 .SH "SYNOPSIS"
 .B #include <unbound.h>
 .LP
diff --git a/doc/unbound-anchor.8.in b/doc/unbound-anchor.8.in
index 80a3438dcaac..aaba750ae0ed 100644
--- a/doc/unbound-anchor.8.in
+++ b/doc/unbound-anchor.8.in
@@ -1,4 +1,4 @@
-.TH "unbound-anchor" "8" "Dec  8, 2014" "NLnet Labs" "unbound 1.5.1"
+.TH "unbound-anchor" "8" "Feb 19, 2015" "NLnet Labs" "unbound 1.5.2"
 .\"
 .\" unbound-anchor.8 -- unbound anchor maintenance utility manual
 .\"
diff --git a/doc/unbound-checkconf.8.in b/doc/unbound-checkconf.8.in
index 5ab53480b6fe..93fe204a1aa2 100644
--- a/doc/unbound-checkconf.8.in
+++ b/doc/unbound-checkconf.8.in
@@ -1,4 +1,4 @@
-.TH "unbound-checkconf" "8" "Dec  8, 2014" "NLnet Labs" "unbound 1.5.1"
+.TH "unbound-checkconf" "8" "Feb 19, 2015" "NLnet Labs" "unbound 1.5.2"
 .\"
 .\" unbound-checkconf.8 -- unbound configuration checker manual
 .\"
@@ -13,6 +13,7 @@ unbound\-checkconf
 .SH "SYNOPSIS"
 .B unbound\-checkconf
 .RB [ \-h ]
+.RB [ \-f ]
 .RB [ \-o
 .IR option ]
 .RI [ cfgfile ]
@@ -29,6 +30,9 @@ The available options are:
 .B \-h
 Show the version and commandline option help.
 .TP
+.B \-f
+Print full pathname, with chroot applied to it.  Use with the -o option.
+.TP
 .B \-o\fI option
 If given, after checking the config file the value of this option is 
 printed to stdout.  For "" (disabled) options an empty line is printed.
diff --git a/doc/unbound-control.8.in b/doc/unbound-control.8.in
index 92d2d1a9343d..95ed5908616b 100644
--- a/doc/unbound-control.8.in
+++ b/doc/unbound-control.8.in
@@ -1,4 +1,4 @@
-.TH "unbound-control" "8" "Dec  8, 2014" "NLnet Labs" "unbound 1.5.1"
+.TH "unbound-control" "8" "Feb 19, 2015" "NLnet Labs" "unbound 1.5.2"
 .\"
 .\" unbound-control.8 -- unbound remote control manual
 .\"
diff --git a/doc/unbound-host.1.in b/doc/unbound-host.1.in
index d9e92bbe099a..475b04cc473e 100644
--- a/doc/unbound-host.1.in
+++ b/doc/unbound-host.1.in
@@ -1,4 +1,4 @@
-.TH "unbound\-host" "1" "Dec  8, 2014" "NLnet Labs" "unbound 1.5.1"
+.TH "unbound\-host" "1" "Feb 19, 2015" "NLnet Labs" "unbound 1.5.2"
 .\"
 .\" unbound-host.1 -- unbound DNS lookup utility
 .\"
diff --git a/doc/unbound.8.in b/doc/unbound.8.in
index 3b74a3242ada..50a04b3d0a25 100644
--- a/doc/unbound.8.in
+++ b/doc/unbound.8.in
@@ -1,4 +1,4 @@
-.TH "unbound" "8" "Dec  8, 2014" "NLnet Labs" "unbound 1.5.1"
+.TH "unbound" "8" "Feb 19, 2015" "NLnet Labs" "unbound 1.5.2"
 .\"
 .\" unbound.8 -- unbound manual
 .\"
@@ -9,7 +9,7 @@
 .\"
 .SH "NAME"
 .B unbound
-\- Unbound DNS validating resolver 1.5.1.
+\- Unbound DNS validating resolver 1.5.2.
 .SH "SYNOPSIS"
 .B unbound
 .RB [ \-h ]
diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in
index d4420e26a0a4..bbfce632e30f 100644
--- a/doc/unbound.conf.5.in
+++ b/doc/unbound.conf.5.in
@@ -1,4 +1,4 @@
-.TH "unbound.conf" "5" "Dec  8, 2014" "NLnet Labs" "unbound 1.5.1"
+.TH "unbound.conf" "5" "Feb 19, 2015" "NLnet Labs" "unbound 1.5.2"
 .\"
 .\" unbound.conf.5 -- unbound.conf manual
 .\"
@@ -301,6 +301,11 @@ by threads. Must be set to a power of 2.
 .B infra\-cache\-numhosts: \fI<number>
 Number of hosts for which information is cached. Default is 10000.
 .TP
+.B infra\-cache\-min\-rtt: \fI<msec>
+Lower limit for dynamic retransmit timeout calculation in infrastructure
+cache. Default is 50 milliseconds. Increase this value if using forwarders
+needing more time to do recursive name resolution.
+.TP
 .B do\-ip4: \fI<yes or no>
 Enable or disable whether ip4 queries are answered or issued. Default is yes.
 .TP
@@ -791,7 +796,7 @@ data leakage about the local network to the upstream DNS servers.
 .B local\-zone: \fI<zone> <type>
 Configure a local zone. The type determines the answer to give if
 there is no match from local\-data. The types are deny, refuse, static,
-transparent, redirect, nodefault, typetransparent, and are explained
+transparent, redirect, nodefault, typetransparent, inform, and are explained
 below. After that the default settings are listed. Use local\-data: to
 enter data into the local zone. Answers for local zones are authoritative
 DNS answers. By default the zones are class IN.
@@ -841,6 +846,13 @@ local\-data: "example.com. A 127.0.0.1"
 queries for www.example.com and www.foo.example.com are redirected, so
 that users with web browsers cannot access sites with suffix example.com.
 .TP 10
+\h'5'\fIinform\fR 
+The query is answered normally.  The client IP address (@portnumber)
+is printed to the logfile.  The log message is: timestamp, unbound-pid,
+info: zonename inform IP@port queryname type class.  This option can be
+used for normal resolution, but machines looking up infected names are
+logged, eg. to run antivirus on them.
+.TP 10
 \h'5'\fInodefault\fR 
 Used to turn off default contents for AS112 zones. The other types
 also turn off default contents for the zone. The 'nodefault' option