The NetBSD Project

CVS log for pkgsrc/net/unbound/PLIST


Keyword substitution: kv
Default branch: MAIN


Revision 1.10
Fri Aug 27 07:55:36 2021 UTC (3 years, 8 months ago) by adam
Branches: MAIN
CVS tags: pkgsrc-2025Q1-base, pkgsrc-2025Q1, pkgsrc-2024Q4-base, pkgsrc-2024Q4, pkgsrc-2024Q3-base, pkgsrc-2024Q3, pkgsrc-2024Q2-base, pkgsrc-2024Q2, pkgsrc-2024Q1-base, pkgsrc-2024Q1, pkgsrc-2023Q4-base, pkgsrc-2023Q4, pkgsrc-2023Q3-base, pkgsrc-2023Q3, pkgsrc-2023Q2-base, pkgsrc-2023Q2, pkgsrc-2023Q1-base, pkgsrc-2023Q1, pkgsrc-2022Q4-base, pkgsrc-2022Q4, pkgsrc-2022Q3-base, pkgsrc-2022Q3, pkgsrc-2022Q2-base, pkgsrc-2022Q2, pkgsrc-2022Q1-base, pkgsrc-2022Q1, pkgsrc-2021Q4-base, pkgsrc-2021Q4, pkgsrc-2021Q3-base, pkgsrc-2021Q3, HEAD
Changes since revision 1.9: +2 -2 lines
unbound: updated to 1.13.2

1.13.2

Features

Merge 317: ZONEMD Zone Verification, with RFC 8976 support. ZONEMD records are checked for zones loaded as auth-zone, with DNSSEC if available. There is an added option zonemd-permissive-mode that makes it log but not fail wrong zones. With zonemd-reject-absence for an auth-zone the presence of a zonemd can be mandated for specific zones.
Fix: Resolve interface names on control-interface too.
Merge 470 from edevil: Allow configuration of persistent TCP connections.
Fix 474: always_null and others inside view.
Add that log-servfail prints an IP address and more information about one of the last failures for that query.
Merge 478: Allow configuration of TCP timeout while waiting for response.
Add ./configure --with-deprecate-rsa-1024 that turns off RSA 1024.
Move the NSEC3 max iterations count in line with the 150 value used by BIND, Knot and PowerDNS. This sets the default value for it in the configuration to 150 for all key sizes.
zonemd-check: yesno option, default no, enables the processing of ZONEMD records for that zone.
Merge 486 by fobster: Make VAL_MAX_RESTART_COUNT configurable.
Merge 491: Add SVCB and HTTPS types and handling according to draft-ietf-dnsop-svcb-https.
Introduce 'http-user-agent:' and 'hide-http-user-agent:' options.

Bug Fixes

Fix for Python 3.9, no longer use deprecated functions of PyEval_CallObject (now PyObject_Call), PyEval_InitThreads (now none), PyParser_SimpleParseFile (now Py_CompileString).
Merge 420 from dyunwei: DOH not responding with "http2_query_read_done failure" logged.
Fix 422: IPv6 fallback issues when IPv6 is not properly enabled/configured.
Fix to make tests work with support indicators set for iterator.
Fix build on Python 3.10.
Fix doxygen and pydoc warnings.
Fix 429: rpz: url: with https: broken (regression in 1.13.1).
rpz skip nsec3param records, and nicer log for unsupported actions.
Fix 431: Squelch permission denied errors for tcp connect and udp connect from the logs, unless at high verbosity.
Fix for zonemd, that nxdomain for the chain of trust is allowed for island zones, it is treated as an insecure zone for verification.
Fix for zonemd, that domain-insecure zones work without dnssec.
Fix for zonemd, do not reject insecure result from trust anchor validation step in dnssec chain of trust.
On startup of unbound it checks if rlimits on memory size look sufficient for the configured cache size, and logs warning if not.
Fix function documentation.
Fix unit test for added ulimit checks.
spelling fix in header.
Fix 384: (1) A minor request to improve the log (2) A minor bug in one log message.
ipsecmod: Better logging for detecting a cycle when attaching the A/AAAA subquery.
Merge 367 : DNSTAP log local address. With code from 365 and fixes 368 : dnstap does not log the DNS message ID for FORWARDER_QUERY.
Fix to allow rpz with wildcard that applies to all TLDs at once.
Fix for 367: rc_ports don't have ub_sock; skip cleaning up.
Fix spurious errors about "Could not generate request: out of memory". The mesh detect cycle routine no longer wrongly stops the check when the calling mesh state is unique.
Workaround for 439: prevent loops in the reuse rbtree.
Debug output for 411 and 439: printout internal error and details.
Fix parse of LOC RR type for decimetres.
Fix 441: Minimal NSEC range not accepted for top level domains.
Fix for 447: squelch connection refused tcp connection failures from the log, unless verbosity is high.
Merge 449 from orbea: build: Add missing linker flags.
Comment out nonworking OSX and IOS travis tests, vm fails to start.
Fix compile error in listen_dnsport on Android.
Fix memory leak reported by asan in rpz SOA record query name.
Fix unused-function warning when compiling with --enable-dnscrypt.
Fix for 367: fix memory leak when cannot bind to listening port.
Reformat pythonmod/pythonmod_utils.{c,h}.
Travis enable all tests again. Clang analyzer only a couple times, when there is a difference. homebrew updates disabled, so it does not hang. removed trailing slashes from configure paths. Moved iOS tests to allow-failure.
travis, analyzer disabled on test without debug, that does not run anyway. Turn off failing tests except one. Update iOS test to xcode image 12.2.
Fix deprecation test to work for iOS TVOS and WatchOS, it uses CFLAGS and CPPFLAGS and also checks if the item is unavailable.
Travis, fix script to fail when tasks fail.
Travis, fix warning in ubsan compile.
Fix configure Targetconfiditionals.h header check, to use compile.
Fix that cachedb does not produce empty object files when disabled.
Fix 429: Also fix end of transfer for http download of auth zones.
Disable the use of stack-protector for cross compiled 32-bit windows builds; relates to 444.
Fix stack-protector change to not override other CFLAGS options.
Clean makedist.sh.
Merge 460 from orbea: build: Link with the libtool archive.
Fix to stop IPv6 PMTU discovery.
Fix for 411: Depth protect for crash on deleted element timeout.
rebuild configure to set EXTRALINK to libunbound.la for 460.
Fix permission denied sendto log, squelch the log messages unless high verbosity is set.
Fix (increase) verbosity level for iterator error log in processQueryTargets().
Fix that nxdomain synthesis does not happen above the stub or forward definition.
Fix documentation comment for files previously residing in checkconf/.
Remove unused functions worker_handle_reply and libworker_handle_reply.
Merge 466 from FGasper: Support OpenSSLs that lack SSL_get0_alpn_selected.
Fix 468: OpenSSL 1.0.1 can no longer build Unbound.
Further fix for 468: detect SSL_CTX_set_alpn_protos for build with OpenSSL 1.0.1.
Fix that testcode dohclient has OpenSSL initialisation calls.
Fix compiler warning for signed/unsigned comparison for max_reuse_tcp_queries.
Fix 481: Fix comment in configuration file.
Fix to squelch tcp socket bind failures when the interface is gone.
Rerun flex and bison.
Fix for 367: only attempt to get the interface for queries that are no longer on the tcp_waiting_list.
Add more logging for out-of-memory cases.
Fix 485: Unbound occasionally reports broken stats.
Remove case fallthrough from deprecate-rsa-1024 code.
Merge 487: ifdef RLIMIT_AS in recently added check.
Fix that auth-zone zonefiles use last TTL if no TTL is specified.
Fix 489: Compile using MSYS2 MinGW 64-bit.
Fix for 411, 439, 469: Reset the DNS message ID when moving queries between TCP streams.
Refactor for uniform way to produce random DNS message IDs.
Test code has -q option for quiet output.
Fix 492: module-config respip missing in unbound.conf.5.in man page. Merges 494 from he32.
For 492: Fix font highlighting for the man page on emacs.
Merge 496 from banburybill: Use build system endianness if available, otherwise try to work it out.
Fix test for zonemd-check option.
Merge 448 from shoeper: Update unbound-control.8.in, fix rpz_disable typo.
Fix 425: Document auth-zone supports communication with DNS primary on nondefault port.
Fix unused variable warning when compiling with --enable-dnstap.
Generated lexer and parser for 486; updated example.conf.
Fix 413 (based on patch by k-ronny): unbound: does not compile on macOS 11.1-x86_64 host.
Use host_os instead of target_os in configure for Darwin8 build.
Fix 500: SPEC file in version 1.13.1 references version 1.4; unable to build RPM from source.
Fix contrib/unbound.spec, fixed url and comment.
Fix configure nonblocking test and onmingw test to use host.
Merge 440 by kimheino: Various fixes to contrib/unbound_munin_ file.
Fix a number of warnings reported by the gcc analyzer.
Fix 495: Documentation or implementation of "verbosity" option.
Fix 503: DNS over HTTPS response truncated.
Fix warnings reported by the gcc analyzer.
Add analyzer and port compile github workflow.
Fix up permissions on rpl data file in tests.
Fix testbound newline treatment in moment_read and tempfile write.
Fix configure grep for reuseport default for failure.
Fix compat ctime_r return value
Fix configure does not require pkg-config if not needed.
Fix unit test in the ctime_r calls for autotrust and in testbound.
Fix auth zone download on windows to unlink before rename.
Fix 506: Python Module Seems to Leak Memory if it Experiences an Unhandled Exception.
Fix Wunused-result compile warnings.
Fix compiler warnings for 491.
Fix clang-analysis warnings for testcode/readzone.c.
Merge 510 from ndptech: Don't call a function which hasn't been defined.
Fix for 510: in depth, use ifdefs for windows api event calls.
Fix spelling in doc/unbound.doxygen comment.
Fix spelling in localzone.h comment.
Fix unbound-control local_data and local_datas to print detailed syntax errors.
review fix to remove duplicate error printout.
Insert header into testcode/readzone.c, it was missing.
Fix from lint for ignored return value.
Fix for older parsers for function call in serve expired get cached.
Fix that ldns_zone_new_frm_fp_l counts the line number for an empty line after a comment.
Merge 512: unbound.service.in: upgrade hardening to latest standards.
Fix readzone unknown type print for memory resize.
Merge 513: Stream reuse, attempt to fix 411, 439, 469. This introduces a couple of fixes for the stream reuse functionality that could result in broken internal structures.
Fix 515: Compilation against openssl 3.0.0 beta2 is failing to build unbound.
For 515: Fix compilation with openssl 3.0.0 beta2, lib64 dir and SSL_get_peer_certificate.
Move acx_nlnetlabs.m4 to version 41, with lib64 openssl dir check.
Prepare for OpenSSL 3.0.0 provider API usage, move the sldns keyraw functions to produce EVP_PKEY results.
Move RSA and DSA to use OpenSSL 3.0.0 API.
Move ECDSA functions to use OpenSSL 3.0.0 API.
iana portlist update.
Fix verbose printout failure in tcp reuse unit test.
Merge 517 from dyunwei: 420 breaks the mesh reply list function that need to reuse the dns answer.
Annotate assertion into error printout; we think it may be an error, but the situation looks harmless.
Fix sign comparison warning on FreeBSD.
Listen to read or write events after the SSL handshake. Sticky events on windows would stick on read when write was needed.
Merge 415 from sibeream: Use /proc/sys/net/ipv4/ip_local_port_range to determine available outgoing ports. (New --enable-linux-ip-local-port-range configuration option)
Bump MAX_RESTART_COUNT to 11 from 8; in relation to 438. This allows longer CNAME chains in Unbound.
In unit test use openssl set security level to allow keys in test.
Fix static analysis warnings about localzone locks that are unused.
Fix missing locks in zonemd unit test.
Fix readzone compile under debug config.
Fix out of sourcedir run of zonemd unit tests.
Fix libnettle zonemd unit test.
Fix unit test zonemd_reload for use in run_vm.
Fix 520: Unbound 1.13.2rc1 fails to build python module.

Revision 1.9
Wed Jun 12 09:21:42 2019 UTC (5 years, 11 months ago) by pettai
Branches: MAIN
CVS tags: pkgsrc-2021Q2-base, pkgsrc-2021Q2, pkgsrc-2021Q1-base, pkgsrc-2021Q1, pkgsrc-2020Q4-base, pkgsrc-2020Q4, pkgsrc-2020Q3-base, pkgsrc-2020Q3, pkgsrc-2020Q2-base, pkgsrc-2020Q2, pkgsrc-2020Q1-base, pkgsrc-2020Q1, pkgsrc-2019Q4-base, pkgsrc-2019Q4, pkgsrc-2019Q3-base, pkgsrc-2019Q3, pkgsrc-2019Q2-base, pkgsrc-2019Q2
Changes since revision 1.8: +2 -1 lines
fixes PR pkg/54126

Revision 1.8
Thu Mar 15 10:22:49 2018 UTC (7 years, 2 months ago) by he
Branches: MAIN
CVS tags: pkgsrc-2019Q1-base, pkgsrc-2019Q1, pkgsrc-2018Q4-base, pkgsrc-2018Q4, pkgsrc-2018Q3-base, pkgsrc-2018Q3, pkgsrc-2018Q2-base, pkgsrc-2018Q2, pkgsrc-2018Q1-base, pkgsrc-2018Q1
Changes since revision 1.7: +2 -1 lines
Upgrade unbound to version 1.7.0.

Pkgsrc changes:
 * Add libunbound.pc to PLIST.

Upstream changes:

Features
- auth-zone provides a way to configure RFC7706 from unbound.conf,
  eg. with auth-zone: name: "." for-downstream: no for-upstream: yes
  fallback-enabled: yes and masters or a zonefile with data.
- Aggressive use of NSEC implementation. Use cached NSEC records to
  generate NXDOMAIN, NODATA and positive wildcard answers.
- Accept tls-upstream in unbound.conf, the ssl-upstream keyword is
  also recognized and means the same.  Also for tls-port,
  tls-service-key, tls-service-pem, stub-tls-upstream and
  forward-tls-upstream.
- [dnscrypt] introduce dnscrypt-provider-cert-rotated option,
  from Manu Bretelle.
  This option allows handling multiple cert/key pairs while only
  distributing some of them.
  In order to reliably match a client magic with a given key without
  strong assumption as to how those were generated, we need both key and
  cert. Likewise, in order to know which ES version should be used.
  On the other hand, when rotating a cert, it can be desirable to only
  serve the new cert but still be able to handle clients that are still
  using the old cert's public key.
  The `dnscrypt-provider-cert-rotated` option allows instructing unbound to
  not publish the cert as part of the DNS's provider_name's TXT answer.
- Update B root ipv4 address.
- make ip-transparent option work on OpenBSD.
- Fix #2801: Install libunbound.pc.
- ltrace.conf file for libunbound in contrib.
- Fix #3598: Fix swig build issue on rhel6 based system.
  configure --disable-swig-version-check stops the swig version check.

Bug Fixes
- Fix #1749: With harden-referral-path: performance drops, due to
  circular dependency in NS and DS lookups.
- [dnscrypt] prevent dnscrypt-secret-key, dnscrypt-provider-cert
  duplicates
- Better documentation for cache-max-negative-ttl.
- Fixed libunbound manual typo.
- Fix #1949: [dnscrypt] make provider name mismatch more obvious.
- Fix #2031: Double included headers
- Document that errno is left informative on libunbound config read
  fail.
- iana port update.
- Fix #1913: ub_ctx_config is under circumstances thread-safe.
- Fix #2362: TLS1.3/openssl-1.1.1 not working.
- Fix #2034 - Autoconf and -flto.
- Fix #2141 - for libsodium detect lack of entropy in chroot, print
  a message and exit.
- Fix #2492: Documentation libunbound.
- Fix #2882: Unbound behaviour changes (wrong) when domain-insecure is
  set for stub zone.  It no longer searches for DNSSEC information.
- Fix #3299 - forward CNAME daisy chain is not working
- Fix link failure on OmniOS.
- Check whether --with-libunbound-only is set when using --with-nettle
  or --with-nss.
- Fix qname-minimisation documentation (A QTYPE, not NS)
- Fix that DS queries with referral replies are answered straight
  away, without a repeat query picking the DS from cache.
  The correct reply should have been an answer, the reply is fixed
  by the scrubber to have the answer in the answer section.
- Fix that expiration date checks don't fail with clang -O2.
- Fix queries being leaked above stub when refetching glue.
- Copy query and correctly set flags on REFUSED answers when cache
  snooping is not allowed.
- make depend: code dependencies updated in Makefile.
- Fix #3397: Fix that cachedb could return a partial CNAME chain.
- Fix #3397: Fix that when the cache contains an unsigned DNAME in
  the middle of a cname chain, a result without the DNAME could
  be returned.
- Fix that unbound-checkconf -f flag works with auto-trust-anchor-file
  for startup scripts to get the full pathname(s) of anchor file(s).
- Print fatal errors about remote control setup before log init,
  so that it is printed to console.
- Use NSEC with longest ce to prove wildcard absence.
- Only use *.ce to prove wildcard absence, no longer names.
- Fix unfreed locks in log and arc4random at exit of unbound.
- Fix lock race condition in dns cache dname synthesis.
- Fix #3451: dnstap not building when you have a separate build dir.
  And removed protoc warning, set dnstap.proto syntax to proto2.
- Added tests with wildcard expanded NSEC records (CVE-2017-15105 test)
- Unit test for auth zone https url download.
- tls-cert-bundle option in unbound.conf enables TLS authentication.
- Fixes for clang static analyzer, the missing ; in
  edns-subnet/addrtree.c after the assert made clang analyzer
  produce a failure to analyze it.
- Fix #3505: Documentation for default local zones references
  wrong RFC.
- Fix #3494: local-zone noview can be used to break out of the view
  to the global local zone contents, for queries for that zone.
- Fix for more maintainable code in localzone.
- more robust cachedump rrset routine.
- Save wildcard RRset from answer with original owner for use in
  aggressive NSEC.
- Fixup contrib/fastrpz.patch so that it applies.
- Fix compile without threads, and remove unused variable.
- Fix compile with staticexe and python module.
- Fix nettle compile.
- Fix to check define of DSA for when openssl is without deprecated.
- iana port update.
- Fix #3582: Squelch address already in use log when reuseaddr option
  causes same port to be used twice for tcp connections.
- Reverted fix for #3512, this may not be the best way forward;
  although it could be changed at a later time, to stay similar to
  other implementations.
- Fix for windows compile.
- Fixed contrib/fastrpz.patch, even though this already applied
  cleanly for me, now also for others.
- patch to log creates keytag queries, from A. Schulze.
- patch suggested by Debian lintian: allow to -> allow one to, from
  A. Schulze.
- Attempt to remove warning about trailing whitespace.
- Added documentation for aggressive-nsec: yes.

Revision 1.7
Tue Mar 11 14:05:12 2014 UTC (11 years, 2 months ago) by jperkin
Branches: MAIN
CVS tags: pkgsrc-2017Q4-base, pkgsrc-2017Q4, pkgsrc-2017Q3-base, pkgsrc-2017Q3, pkgsrc-2017Q2-base, pkgsrc-2017Q2, pkgsrc-2017Q1-base, pkgsrc-2017Q1, pkgsrc-2016Q4-base, pkgsrc-2016Q4, pkgsrc-2016Q3-base, pkgsrc-2016Q3, pkgsrc-2016Q2-base, pkgsrc-2016Q2, pkgsrc-2016Q1-base, pkgsrc-2016Q1, pkgsrc-2015Q4-base, pkgsrc-2015Q4, pkgsrc-2015Q3-base, pkgsrc-2015Q3, pkgsrc-2015Q2-base, pkgsrc-2015Q2, pkgsrc-2015Q1-base, pkgsrc-2015Q1, pkgsrc-2014Q4-base, pkgsrc-2014Q4, pkgsrc-2014Q3-base, pkgsrc-2014Q3, pkgsrc-2014Q2-base, pkgsrc-2014Q2, pkgsrc-2014Q1-base, pkgsrc-2014Q1
Changes since revision 1.6: +1 -2 lines
Remove example rc.d scripts from PLISTs.

These are now handled dynamically if INIT_SYSTEM is set to "rc.d", or
ignored otherwise.

Revision 1.6
Sun Nov 17 22:57:38 2013 UTC (11 years, 5 months ago) by pettai
Branches: MAIN
CVS tags: pkgsrc-2013Q4-base, pkgsrc-2013Q4
Changes since revision 1.5: +1 -0 lines
Unbound 1.4.21

Features:

* Implement max-udp-size config option, default 4096 with fix#524 for
  nonEDNS0 queries.
* add unbound-control insecure_add and insecure_remove for the administration
  of negative trust anchors.
* install copy of unbound-control.8 man page for unbound-control-setup.
* code improve for minimal responses, small speed increase.
* max include of 100.000 files (depth and globbed at one time).
  This is to preserve system memory in bug cases, or endless cases.
* unbound.h header file has UNBOUND_VERSION_MAJOR define.
* get_option, set_option, unbound-checkconf -o and libunbound getoption() and
  setoption() support cache-min-ttl and cache-max-ttl. Also log-time-ascii,
  python-script, val-sig-skew-min and val-sig-skew-max. log-time-ascii takes
  effect immediately. The others are mostly useful for libunbound users.
* configure --disable-flto option.
* streamtcp man page.
* Make reverse zones easier by documenting the nodefault statements
  commented-out in the example config file.

Bug Fixes:

* committed libunbound version 4:1:2 for binary API updated in 1.4.20
* Fix for 2038, with time_t instead of uint32_t.
* Fix resolve of names that use a mix of public and private addresses.
* [bugzilla: 492 ] Fix endianness detection, revert to older lookup3.c
  detection and put new detect lines after previous tests, to avoid
  regressions but allow new detections to succeed.
  And add detection for machine/endian.h to it.
* Fix queries leaking up for stubs and forwards, if the configured
  nameservers all fail to answer.
* unbound-anchor review: BIO_write can return 0 successfully if it has
  successfully appended a zero length string.
* Fix so that for a configuration line of include: "*.conf" it is not an
  error if there are no files matching the glob pattern.
* own implementation of compat/snprintf.c.
* [bugzilla: 491 ] pick program name (0th argument) as syslog identity.
* Fixup snprintf return value usage, fixed libunbound_get_option.
* Robust checks on dname validity from rdata for dname compare.
* iana portlist update.
* Fix round-robin doesn't work with some Windows clients.
* [bugzilla: 500 ] use on non-initialised values on socket bind failures.
* [bugzilla: 499 ] use-after-free in out-of-memory handling code.
* Explain bogus and secure flags in libunbound more.
* Update acx_pthreads.m4 to ax_pthreads.4 (2013-03-29), and apply patch to it
  to not fail when -Werror is also specified, from the autoconf-archives.
* Fixup manpage syntax.
* Fix for const string literals in C++ for libunbound.
* Squelch sendto-permission denied errors when the network is not connected,
  to avoid spamming syslog.
* libunbound documentation on how to avoid openssl race conditions.
* [bugzilla: 512 ] NSS returned arrays out of setup function to be statics.
* [bugzilla: 516 ] dnssec lameness detection for answers that are improper.
* [bugzilla: 519 ] ub_ctx_delete may hang in some scenarios (libunbound).
* [bugzilla: 520 ] Errors found by static analysis

Revision 1.5
Tue Dec 25 08:54:26 2012 UTC (12 years, 4 months ago) by pettai
Branches: MAIN
CVS tags: pkgsrc-2013Q3-base, pkgsrc-2013Q3, pkgsrc-2013Q2-base, pkgsrc-2013Q2, pkgsrc-2013Q1-base, pkgsrc-2013Q1, pkgsrc-2012Q4-base, pkgsrc-2012Q4
Changes since revision 1.4: +30 -0 lines
Unbound 1.4.19

Features:

* RFC6725 deprecates RSAMD5: this DNSKEY algorithm is disabled.
  The contrib/patch_rsamd5_enable.diff patch enables RSAMD5 validation
  otherwise it is treated as insecure. The MD5 hash is considered weak for
  some purposes, if you want to sign your zone, then RSASHA256 is an
  uncontested hash.
* unbound-control -q option is quiet
* include: directive in config file accepts wildcards.
  Suggested use: include: "/etc/unbound.d/conf.d/*"

Bug Fixes:

* Fix openssl race condition, initializes openssl locks.
* Improved forward-first and stub-first documentation.
* Fix that enables modules to register twice for the same serviced_query,
  without race conditions or administration issues.
* Fix forward-first option where it sets the RD flag wrongly.
* added manpage links for libunbound calls.
* Add documentation to libunbound for default nonuse of resolv.conf.
* Fix timeouts so that when a server has been offline for a while and is
  probed to see it works, it becomes fully available for server selection again.
* Fallback to 1472 and 1232, one fragment size without headers.
* [bugzilla: 465 ] Nicer comments outgoing-port-avoid.
* chdir to / after chroot call (suggested by Camiel Dobbelaar).
* updated contrib/unbound.spec.
* ignore trusted-keys globs that have no files (from Paul Wouters).
* fix text in unbound-anchor man page.
* fix build of pythonmod in objdir.
* make clean and makerealclean remove generated python and docs.
* Fix validation for responses with both CNAME and wildcard expanded CNAME
  records in answer section.
* [bugzilla: 477 ] Fix unbound-anchor segfault if EDNS is blocked.
* Fix unbound-control forward disables configured stubs below it.
* [bugzilla: 481 ] Fix python example0.
* iana portlist updated.

Revision 1.4
Mon Mar 21 15:04:32 2011 UTC (14 years, 1 month ago) by pettai
Branches: MAIN
CVS tags: pkgsrc-2012Q3-base, pkgsrc-2012Q3, pkgsrc-2012Q2-base, pkgsrc-2012Q2, pkgsrc-2012Q1-base, pkgsrc-2012Q1, pkgsrc-2011Q4-base, pkgsrc-2011Q4, pkgsrc-2011Q3-base, pkgsrc-2011Q3, pkgsrc-2011Q2-base, pkgsrc-2011Q2, pkgsrc-2011Q1-base, pkgsrc-2011Q1
Changes since revision 1.3: +3 -1 lines
unbound 1.48:

Features:
* harden-below-nxdomain config option, default off (because very old software
  may be incompatible). We could enable it by default in the future.
  From draft-vixie-dnsext-resimprove-00.
* typetransparent localzone: does not block other RR types.
* so-sndbuf option for very busy servers, a bit like so-rcvbuf.

Bug Fixes:
* Fix so a changed NS RRset does not get moved name stuck on old server,
  for type NS the TTL is not increased.
* Fix prefetch so it does not get stuck on old server for moved names.
* Fix insecure CNAME sequence marked as secure, reported by Bert Hubert.
* faster lruhash get_mem routine.
* [bugzilla: 346 ] remove ITAR scripts from contrib,
  the service is discontinued, use the root.
* Fix in infra cache that could cause rto larger than TOP_TIMEOUT kept.
* algorithm compromise protection using the algorithms signalled in the DS
  record. Also, trust anchors, DLV, and RFC5011 receive this, and thus,
  if you have multiple algorithms in your trust-anchor-file then it will now
  behave different than before. Also, 5011 rollover for algorithms needs to be
  double-signature until the old algorithm is revoked.
* squelch 'tcp connect: bla' in logfile, (set verbosity 2 to see them)
* fix validation in this case: CNAME to nodata for co-hosted opt-in
  NSEC3 insecure delegation, was bogus, fixed to be insecure.
* Fix our 'BDS' license (typo reported by Xavier Belanger).
* [bugzilla: 338 ] print address when socket creation fails.
* Fix storage of EDNS failures in the infra cache.
* silence 'tcp connect: broken pipe' and 'net down' at low verbosity.
* unbound-anchor compiles with openssl 0.9.7.
* Be lenient and accept imgw.pl malformed packet (like BIND).
* the included ldns tarball is updated (to 1.6.8)
* iana portlist updated.

unbound 1.47:

Features:
* unbound-anchor app, unbound requires libexpat (xml parser library).
  It creates or updates a root.key file. Use it before you start the validator
  (e.g. at system boot time).
* dump_infra and flush_infra commands for unbound-control.

Bug Fixes:
* GOST code enabled by default (RFC 5933).
* Configure detects libev-4.00.
* do not synthesize a CNAME message from cache for qtype DS.
* Use central entropy to seed threads.
* Change the rtt used to probe EDNS-timeout hosts to 1000 msec.
* Fix validation failure for parent and child on same server with an insecure
  childzone and a CNAME from parent to child.
* Change of timeout code. No more lost and backoff in blockage. At 12sec timeout
  (and at least 2x lost before) one probe per IP is allowed only. At 120sec,
  the IP is blocked. After 15min, a 120sec entry has a single retry packet.
* no timeout backoff if meanwhile a query succeeded.
* Configure errors if ldns is not found.
* Windows 7 fix for the installer.
* Fix bug where fallback_tcp causes wrong roundtrip and edns observation to be
  noted in cache. Fix bug where EDNSprobe halted exponential backoff if EDNS
  status unknown.
* interface automatic works for some people with ip6 disabled. Therefore the
  error check is removed, so they can use the option.
* Fix TCP so it uses a random outgoing-interface.
* Fix bug when DLV below a trust-anchor that uses NSEC3 optout where the zone
  has a secure delegation hosted on the same server did not verify as secure
  (it was insecure by mistake).
* Fix alloc_reg_release for longer uptime in out of memory conditions.
* [bugzilla: 329 ] in example.conf show correct ipv4 link-local 169.254/16.
* compliance with draft-ietf-dnsop-default-local-zones-14,
  removed reverse ipv6 orchid prefix from builtin list.
* Algorithm rollover operational reality intrudes, for trust-anchor and
  5011-store, if one key matches it's good enough.
* Fix reported validation error in out of memory condition.
* Abide RFC5155 section 9.2: no AD flag for replies with NSEC3 optout.
* increased mesh-max-activation from 1000 to 3000 for crazy domains like
  _tcp.slb.com with 262 servers.
* [bugzilla: 327 ] Fix for cannot access stub zones until the root is primed.
* openbsd-lint fixes
* [bugzilla: 321 ] Fix resolution of rs.ripe.net artifacts with 0x20.
  Delegpt structures checked for duplicates always.
  No more nameserver lookups generated when depth is full anyway.
* [bugzilla: 322 ] Fix, configure does not respect CFLAGS on Solaris.
  Pass CFLAGS="-xO4 -xtarget=generic" on the configure command line if use
  sun-cc, but some systems need different flags.
* Fix acx_nlnetlabs.m4 configure output for autoconf-2.66 AS_TR_CPP changes,
  uses m4_bpatsubst now.
* make test (or make check) should be more portable and run the unit test and
  testbound scripts. (make longtest has special requirements).
* More pleasant remote control command parsing.
* Fix name of rrset printed that failed validation.
* Return NXDOMAIN after chain of CNAMEs ends at name-not-found.
* Fix validation in case a trust anchor enters into a zone with
  unsupported algorithms.
* iana portlist updated.
* updated ldns tarball.

Revision 1.3
Sun Jun 14 18:09:46 2009 UTC (15 years, 11 months ago) by joerg
Branches: MAIN
CVS tags: pkgsrc-2010Q4-base, pkgsrc-2010Q4, pkgsrc-2010Q3-base, pkgsrc-2010Q3, pkgsrc-2010Q2-base, pkgsrc-2010Q2, pkgsrc-2010Q1-base, pkgsrc-2010Q1, pkgsrc-2009Q4-base, pkgsrc-2009Q4, pkgsrc-2009Q3-base, pkgsrc-2009Q3, pkgsrc-2009Q2-base, pkgsrc-2009Q2
Changes since revision 1.2: +1 -2 lines
Remove @dirrm entries from PLISTs

Revision 1.2
Wed Dec 17 18:14:01 2008 UTC (16 years, 5 months ago) by joerg
Branches: MAIN
CVS tags: pkgsrc-2009Q1-base, pkgsrc-2009Q1, pkgsrc-2008Q4-base, pkgsrc-2008Q4
Changes since revision 1.1: +3 -0 lines
Update to unbound-1.1.1:
- improve chroot handling
- even stricter validation
- support for blocking DNS rebinding attacks
- DLV support
- bugfixes

The package now uses the normal net/ldns package instead of the local
copy.

Revision 1.1.1.1 (vendor branch)
Mon May 26 22:36:56 2008 UTC (16 years, 11 months ago) by joerg
Branches: TNF
CVS tags: pkgsrc-base, pkgsrc-2008Q3-base, pkgsrc-2008Q3, pkgsrc-2008Q2-base, pkgsrc-2008Q2, cwrapper, cube-native-xorg-base, cube-native-xorg
Changes since revision 1.1: +0 -0 lines
Import unbound-1.0.0, a DNS recursor library and daemon from the guys
that brought us NSD.

Revision 1.1
Mon May 26 22:36:56 2008 UTC (16 years, 11 months ago) by joerg
Branches: MAIN
Initial revision
