update unbound from upstream

7 files changed, 259 insertions, 17 deletions

diff --git a/external/unbound/doc/Changelog b/external/unbound/doc/Changelog
index c82ae8ade..31f84c445 100644
--- a/external/unbound/doc/Changelog
+++ b/external/unbound/doc/Changelog
@@ -1,3 +1,173 @@
+26 March 2015: Wouter
+	- remote.c probedelay line is easier to read.
+	- rename ldns subdirectory to sldns to avoid name collision.
+
+25 March 2015: Wouter
+	- Fix #657:  libunbound(3) recommends deprecated
+	  CRYPTO_set_id_callback.
+	- If unknown trust anchor algorithm, and libressl is used, error
+	  message encourages upgrade of the libressl package.
+
+23 March 2015: Wouter
+	- Fix segfault on user not found at startup (from Maciej Soltysiak).
+
+20 March 2015: Wouter
+	- Fixed to add integer overflow checks on allocation (defense in depth).
+
+19 March 2015: Wouter
+	- Add ip-transparent config option for bind to non-local addresses.
+
+17 March 2015: Wouter
+	- Use reallocarray for integer overflow protection, patch submitted
+	  by Loganaden Velvindron.
+
+16 March 2015: Wouter
+	- Fixup compile on cygwin, more portable openssl thread id.
+
+12 March 2015: Wouter
+	- Updated default keylength in unbound-control-setup to 3k.
+
+10 March 2015: Wouter
+	- Fix lintian warning in unbound-checkconf man page (from Andreas
+	  Schulze).
+	- print svnroot when building windows dist.
+	- iana portlist update.
+	- Fix warning on sign compare in getentropy_linux.
+
+9 March 2015: Wouter
+	- Fix #644: harden-algo-downgrade option, if turned off, fixes the
+	  reported excessive validation failure when multiple algorithms
+	  are present.  It allows the weakest algorithm to validate the zone.
+	- iana portlist update.
+
+5 March 2015: Wouter
+	- contrib/unbound_smf22.tar.gz: Solaris SMF installation/removal
+	  scripts.  Contributed by Yuri Voinov.
+	- Document that incoming-num-tcp increase is good for large servers.
+	- stats reports tcp usage, of incoming-num-tcp buffers.
+
+4 March 2015: Wouter
+	- Patch from Brad Smith that syncs compat/getentropy_linux with
+	  OpenBSD's version (2015-03-04).
+	- 0x20 fallback improved: servfail responses do not count as missing
+	  comparisons (except if all responses are errors),
+	  inability to find nameservers does not fail equality comparisons,
+	  many nameservers does not try to compare more than max-sent-count,
+	  parse failures start 0x20 fallback procedure.
+	- store caps_response with best response in case downgrade response
+	  happens to be the last one.
+	- Document windows 8 tests.
+
+3 March 2015: Wouter
+	- tag 1.5.3rc1
+	[ This became 1.5.3 on 10 March, trunk is 1.5.4 in development ]
+
+2 March 2015: Wouter
+	- iana portlist update.
+
+20 February 2015: Wouter
+	- Use the getrandom syscall introduced in Linux 3.17 (from Heiner
+	  Kallweit).
+	- Fix #645 Portability to Solaris 10, use AF_LOCAL.
+	- Fix #646 Portability to Solaris, -lrt for getentropy_solaris.
+	- Fix #647 crash in 1.5.2 because pwd.db no longer accessible after
+	  reload.
+
+19 February 2015: Wouter
+	- 1.5.2 release tag.
+	- svn trunk contains 1.5.3 under development.
+
+13 February 2015: Wouter
+	- Fix #643: doc/example.conf.in: unnecessary whitespace.
+
+12 February 2015: Wouter
+	- tag 1.5.2rc1
+
+11 February 2015: Wouter
+	- iana portlist update.
+
+10 February 2015: Wouter
+	- Fix scrubber with harden-glue turned off to reject NS (and other
+	  not-address) records.
+
+9 February 2015: Wouter
+	- Fix validation failure in case upstream forwarder (ISC BIND) does
+	  not have the same trust anchors and decides to insert unsigned NS
+	  record in authority section.
+
+2 February 2015: Wouter
+	- infra-cache-min-rtt patch from Florian Riehm, for expected long
+	  uplink roundtrip times.
+
+30 January 2015: Wouter
+	- Fix 0x20 capsforid fallback to omit gratuitous NS and additional
+	  section changes.
+	- Portability fix for Solaris ('sun' is not usable for a variable).
+
+29 January 2015: Wouter
+	- Fix pyunbound byte string representation for python3.
+
+26 January 2015: Wouter
+	- Fix unintended use of gcc extension for incomplete enum types,
+	  compile with pedantic c99 compliance (from Daniel Dickman).
+
+23 January 2015: Wouter
+	- windows port fixes, no AF_LOCAL, no chown, no chmod(grp).
+
+16 January 2015: Wouter
+	- unit test for local unix connection.  Documentation and log_addr
+	  does not inspect port for AF_LOCAL.
+	- unbound-checkconf -f prints chroot with pidfile path.
+
+13 January 2015: Wouter
+	- iana portlist update.
+
+12 January 2015: Wouter
+	- Cast sun_len sizeof to socklen_t.
+	- Fix pyunbound ord call, portable for python 2 and 3.
+
+7 January 2015: Wouter
+	- Fix warnings in pythonmod changes.
+
+6 January 2015: Wouter
+	- iana portlist update.
+	- patch for remote control over local sockets, from Dag-Erling
+	  Smorgrav, Ilya Bakulin.  Use control-interface: /path/sock and
+	  control-use-cert: no.
+	- Fixup that patch and uid lookup (only for daemon).
+	- coded the default of control-use-cert, to yes.
+
+5 January 2015: Wouter
+	- getauxval test for ppc64 linux compatibility.
+	- make strip works for unbound-host and unbound-anchor.
+	- patch from Stephane Lapie that adds to the python API, that
+	  exposes struct delegpt, and adds the find_delegation function.
+	- print query name when max target count is exceeded.
+	- patch from Stuart Henderson that fixes DESTDIR in
+	  unbound-control-setup for installs where config is not in
+	  the prefix location.
+	- Fix #634: fix fail to start on Linux LTS 3.14.X, ignores missing
+	  IP_MTU_DISCOVER OMIT option (fix from Remi Gacogne).
+	- Updated contrib warmup.cmd/sh to support two modes - load
+	  from pre-defined list of domains or (with filename as argument)
+	  load from user-specified list of domains, and updated contrib
+	  unbound_cache.sh/cmd to support loading/save/reload cache to/from
+	  default path or (with secondary argument) arbitrary path/filename,
+	  from Yuri Voinov.
+	- Patch from Philip Paeps to contrib/unbound_munin_ that uses
+	  type ABSOLUTE.  Allows munin.conf: [idleserver.example.net]
+	  unbound_munin_hits.graph_period minute
+
+9 December 2014: Wouter
+	- svn trunk has 1.5.2 in development.
+	- config.guess and config.sub update from libtoolize.
+	- local-zone: example.com inform makes unbound log a message with
+	  client IP for queries in that zone.  Eg. for finding infected hosts.
+
+8 December 2014: Wouter
+	- Fix CVE-2014-8602: denial of service by making resolver chase
+	  endless series of delegations.
+
 1 December 2014: Wouter
 	- Fix bug#632: unbound fails to build on AArch64, protects
 	  getentropy compat code from calling sysctl if it is has been removed.
diff --git a/external/unbound/doc/example.conf.in b/external/unbound/doc/example.conf.in
index 03f6184a4..69b3cf39e 100644
--- a/external/unbound/doc/example.conf.in
+++ b/external/unbound/doc/example.conf.in
@@ -87,6 +87,10 @@ server:
 	
 	# use SO_REUSEPORT to distribute queries over threads.
 	# so-reuseport: no
+	
+	# use IP_TRANSPARENT so the interface: addresses can be non-local
+	# and you can config non-existing IPs that are going to work later on
+	# ip-transparent: no
 
 	# EDNS reassembly buffer to advertise to UDP peers (the actual buffer
 	# is set with msg-buffer-size). 1480 can solve fragmentation (timeouts).
@@ -138,6 +142,9 @@ server:
 	# the time to live (TTL) value for cached roundtrip times, lameness and
 	# EDNS version information for hosts. In seconds.
 	# infra-host-ttl: 900
+	
+	# minimum wait time for responses, increase if uplink is long. In msec.
+	# infra-cache-min-rtt: 50
 
 	# the number of slabs to use for the Infrastructure cache.
 	# the number of slabs must be a power of 2.
@@ -281,6 +288,11 @@ server:
 	# implementation of draft-wijngaards-dnsext-resolver-side-mitigation.
 	# harden-referral-path: no
 
+	# Harden against algorithm downgrade when multiple algorithms are
+	# advertised in the DS record.  If no, allows the weakest algorithm
+	# to validate the zone.
+	# harden-algo-downgrade: yes
+
 	# Use 0x20-encoded random bits in the query to foil spoof attempts.
 	# This feature is an experimental implementation of draft dns-0x20.
 	# use-caps-for-id: no
@@ -437,7 +449,7 @@ server:
 	# the amount of memory to use for the negative cache (used for DLV).
 	# plain value in bytes or you can append k, m or G. default is "1Mb". 
 	# neg-cache-size: 1m
-	
+
 	# By default, for a number of zones a small default 'nothing here'
 	# reply is built-in.  Query traffic is thus blocked.  If you
 	# wish to serve such zone you can unblock them by uncommenting one
@@ -497,6 +509,7 @@ server:
 	# o redirect serves the zone data for any subdomain in the zone.
 	# o nodefault can be used to normally resolve AS112 zones.
 	# o typetransparent resolves normally for other types and other names
+	# o inform resolves normally, but logs client IP address
 	#
 	# defaults are localhost address, reverse for 127.0.0.1 and ::1
 	# and nxdomain for AS112 zones. If you configure one of these zones
@@ -552,6 +565,10 @@ remote-control:
 	# set up the keys and certificates with unbound-control-setup.
 	# control-enable: no
 
+	# Set to no and use an absolute path as control-interface to use
+	# a unix local named pipe for unbound-control.
+	# control-use-cert: yes
+
 	# what interfaces are listened to for remote control.
 	# give 0.0.0.0 and ::0 to listen to all interfaces.
 	# control-interface: 127.0.0.1
diff --git a/external/unbound/doc/ietf67-design-02.odp b/external/unbound/doc/ietf67-design-02.odp
index 8321b556f..4be2c7d4e 100644
--- a/external/unbound/doc/ietf67-design-02.odp
+++ b/external/unbound/doc/ietf67-design-02.odp
diff --git a/external/unbound/doc/libunbound.3.in b/external/unbound/doc/libunbound.3.in
index 7f693e950..1cefbea51 100644
--- a/external/unbound/doc/libunbound.3.in
+++ b/external/unbound/doc/libunbound.3.in
@@ -175,6 +175,7 @@ to read them.
 Before you call this, use the openssl functions CRYPTO_set_id_callback and
 CRYPTO_set_locking_callback to set up asyncronous operation if you use
 lib openssl (the application calls these functions once for initialisation).
+Openssl 1.0.0 or later uses the CRYPTO_THREADID_set_callback function.
 .TP
 .B ub_ctx_delete
 Delete validation context and free associated resources.
diff --git a/external/unbound/doc/unbound-checkconf.8.in b/external/unbound/doc/unbound-checkconf.8.in
index 6d0e54516..f38049a03 100644
--- a/external/unbound/doc/unbound-checkconf.8.in
+++ b/external/unbound/doc/unbound-checkconf.8.in
@@ -13,6 +13,7 @@ unbound\-checkconf
 .SH "SYNOPSIS"
 .B unbound\-checkconf
 .RB [ \-h ]
+.RB [ \-f ]
 .RB [ \-o
 .IR option ]
 .RI [ cfgfile ]
@@ -29,6 +30,9 @@ The available options are:
 .B \-h
 Show the version and commandline option help.
 .TP
+.B \-f
+Print full pathname, with chroot applied to it.  Use with the \-o option.
+.TP
 .B \-o\fI option
 If given, after checking the config file the value of this option is 
 printed to stdout.  For "" (disabled) options an empty line is printed.
diff --git a/external/unbound/doc/unbound-control.8.in b/external/unbound/doc/unbound-control.8.in
index b050ac7b4..259eee1d0 100644
--- a/external/unbound/doc/unbound-control.8.in
+++ b/external/unbound/doc/unbound-control.8.in
@@ -322,6 +322,11 @@ less than this time.  Because of big outliers (usually queries to non
 responsive servers), the average can be bigger than the median.  This median
 has been calculated by interpolation from a histogram.
 .TP
+.I threadX.tcpusage
+The currently held tcp buffers for incoming connections.  A spot value on
+the time of the request.  This helps you spot if the incoming\-num\-tcp
+buffers are full.
+.TP
 .I total.num.queries
 summed over threads.
 .TP
@@ -355,6 +360,9 @@ summed over threads.
 .I total.recursion.time.median
 averaged over threads.
 .TP
+.I total.tcpusage
+summed over threads.
+.TP
 .I time.now
 current time in seconds since 1970.
 .TP
diff --git a/external/unbound/doc/unbound.conf.5.in b/external/unbound/doc/unbound.conf.5.in
index 67ff89b0c..91b8b24ae 100644
--- a/external/unbound/doc/unbound.conf.5.in
+++ b/external/unbound/doc/unbound.conf.5.in
@@ -164,12 +164,14 @@ By default only ports above 1024 that have not been assigned by IANA are used.
 Give a port number or a range of the form "low\-high", without spaces.
 .TP
 .B outgoing\-num\-tcp: \fI<number>
-Number of outgoing TCP buffers to allocate per thread. Default is 10. If set
-to 0, or if do\-tcp is "no", no TCP queries to authoritative servers are done.
+Number of outgoing TCP buffers to allocate per thread. Default is 10. If
+set to 0, or if do\-tcp is "no", no TCP queries to authoritative servers
+are done.  For larger installations increasing this value is a good idea.
 .TP
 .B incoming\-num\-tcp: \fI<number>
-Number of incoming TCP buffers to allocate per thread. Default is 10. If set
-to 0, or if do\-tcp is "no", no TCP queries from clients are accepted.
+Number of incoming TCP buffers to allocate per thread. Default is
+10. If set to 0, or if do\-tcp is "no", no TCP queries from clients are
+accepted. For larger installations increasing this value is a good idea.
 .TP
 .B edns\-buffer\-size: \fI<number>
 Number of bytes size to advertise as the EDNS reassembly buffer size.
@@ -265,6 +267,16 @@ it then attempts to open the port and passes the option if it was available
 at compile time, if that works it is used, if it fails, it continues
 silently (unless verbosity 3) without the option.
 .TP
+.B ip\-transparent: \fI<yes or no>
+If yes, then use IP_TRANSPARENT socket option on sockets where unbound
+is listening for incoming traffic.  Default no.  Allows you to bind to
+non\-local interfaces.  For example for non\-existant IP addresses that
+are going to exist later on, with host failover configuration.  This is
+a lot like interface\-automatic, but that one services all interfaces
+and with this option you can select which (future) interfaces unbound
+provides service on.  This option needs unbound to be started with root
+permissions on some systems.
+.TP
 .B rrset\-cache\-size: \fI<number>
 Number of bytes size of the RRset cache. Default is 4 megabytes.
 A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes
@@ -301,6 +313,11 @@ by threads. Must be set to a power of 2.
 .B infra\-cache\-numhosts: \fI<number>
 Number of hosts for which information is cached. Default is 10000.
 .TP
+.B infra\-cache\-min\-rtt: \fI<msec>
+Lower limit for dynamic retransmit timeout calculation in infrastructure
+cache. Default is 50 milliseconds. Increase this value if using forwarders
+needing more time to do recursive name resolution.
+.TP
 .B do\-ip4: \fI<yes or no>
 Enable or disable whether ip4 queries are answered or issued. Default is yes.
 .TP
@@ -543,6 +560,13 @@ extra query load that is generated.  Experimental option.
 If you enable it consider adding more numbers after the target\-fetch\-policy
 to increase the max depth that is checked to.
 .TP
+.B harden\-algo\-downgrade: \fI<yes or no>
+Harden against algorithm downgrade when multiple algorithms are
+advertised in the DS record.  If no, allows the weakest algorithm to
+validate the zone.  Default is yes.  Zone signers must produce zones
+that allow this feature to work, but sometimes they do not, and turning
+this option off avoids that validation failure.
+.TP
 .B use\-caps\-for\-id: \fI<yes or no>
 Use 0x20\-encoded random bits in the query to foil spoof attempts.
 This perturbs the lowercase and uppercase of query names sent to 
@@ -791,7 +815,7 @@ data leakage about the local network to the upstream DNS servers.
 .B local\-zone: \fI<zone> <type>
 Configure a local zone. The type determines the answer to give if
 there is no match from local\-data. The types are deny, refuse, static,
-transparent, redirect, nodefault, typetransparent, and are explained
+transparent, redirect, nodefault, typetransparent, inform, and are explained
 below. After that the default settings are listed. Use local\-data: to
 enter data into the local zone. Answers for local zones are authoritative
 DNS answers. By default the zones are class IN.
@@ -841,6 +865,13 @@ local\-data: "example.com. A 127.0.0.1"
 queries for www.example.com and www.foo.example.com are redirected, so
 that users with web browsers cannot access sites with suffix example.com.
 .TP 10
+\h'5'\fIinform\fR 
+The query is answered normally.  The client IP address (@portnumber)
+is printed to the logfile.  The log message is: timestamp, unbound-pid,
+info: zonename inform IP@port queryname type class.  This option can be
+used for normal resolution, but machines looking up infected names are
+logged, eg. to run antivirus on them.
+.TP 10
 \h'5'\fInodefault\fR 
 Used to turn off default contents for AS112 zones. The other types
 also turn off default contents for the zone. The 'nodefault' option 
@@ -958,36 +989,47 @@ to setup SSLv3 / TLSv1 security for the connection.  The
 section for options.  To setup the correct self\-signed certificates use the
 \fIunbound\-control\-setup\fR(8) utility.
 .TP 5
-.B control\-enable:     \fI<yes or no>
+.B control\-enable: \fI<yes or no>
 The option is used to enable remote control, default is "no".
 If turned off, the server does not listen for control commands.
 .TP 5
-.B control\-interface: <ip address>
-Give IPv4 or IPv6 addresses to listen on for control commands.
+.B control\-interface: \fI<ip address or path>
+Give IPv4 or IPv6 addresses or local socket path to listen on for
+control commands.
 By default localhost (127.0.0.1 and ::1) is listened to.
 Use 0.0.0.0 and ::0 to listen to all interfaces.
+If you change this and permissions have been dropped, you must restart
+the server for the change to take effect.
+.TP 5
+.B control\-port: \fI<port number>
+The port number to listen on for IPv4 or IPv6 control interfaces,
+default is 8953.
+If you change this and permissions have been dropped, you must restart
+the server for the change to take effect.
 .TP 5
-.B control\-port: <port number>
-The port number to listen on for control commands, default is 8953.
-If you change this port number, and permissions have been dropped,
-a reload is not sufficient to open the port again, you must then restart.
+.B control\-use\-cert: \fI<yes or no>
+Whether to require certificate authentication of control connections.
+The default is "yes".
+This should not be changed unless there are other mechanisms in place
+to prevent untrusted users from accessing the remote control
+interface.
 .TP 5
-.B server\-key\-file: "<private key file>"
+.B server\-key\-file: \fI<private key file>
 Path to the server private key, by default unbound_server.key.
 This file is generated by the \fIunbound\-control\-setup\fR utility.
 This file is used by the unbound server, but not by \fIunbound\-control\fR.
 .TP 5
-.B server\-cert\-file: "<certificate file.pem>"
+.B server\-cert\-file: \fI<certificate file.pem>
 Path to the server self signed certificate, by default unbound_server.pem.
 This file is generated by the \fIunbound\-control\-setup\fR utility.
 This file is used by the unbound server, and also by \fIunbound\-control\fR.
 .TP 5
-.B control\-key\-file: "<private key file>"
+.B control\-key\-file: \fI<private key file>
 Path to the control client private key, by default unbound_control.key.
 This file is generated by the \fIunbound\-control\-setup\fR utility.
 This file is used by \fIunbound\-control\fR.
 .TP 5
-.B control\-cert\-file: "<certificate file.pem>"
+.B control\-cert\-file: \fI<certificate file.pem>
 Path to the control client certificate, by default unbound_control.pem.
 This certificate has to be signed with the server certificate.
 This file is generated by the \fIunbound\-control\-setup\fR utility.