Bug 507938 - net-dns/unbound-1.4.22 version bump
Summary: net-dns/unbound-1.4.22 version bump
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Tim Harder
Keywords: PATCH
Reported: 2014-04-17 20:14 UTC by Tomáš Mózes
Modified: 2014-09-27 00:16 UTC (History)

Description Tomáš Mózes 2014-04-17 20:14:19 UTC
Unbound 1.4.22
Date: 12 March, 2014
Features
- separate ldns into core ldns inside ldns/ subdirectory. No more configure --with-ldns is needed and unbound does not rely on libldns.
- Accept ip-address: as an alternative for interface: for consistency with nsd.conf syntax.
- [bugzilla: 536 ] acl_deny_non_local and refuse_non_local added.
- so-reuseport: yesno option to distribute queries evenly over threads on Linux (Thanks Robert Edmonds). Reuseport is attempted, then fallback to without on failure.
- delay-close: msec option that delays closing ports for which the UDP reply has timed out. Keeps the port open, only accepts the correct reply. This correct reply is not used, but the port is open so that no port-denied ICMPs are generated.

It would be nice to have a local caching DNS server and not to use bind, which is mostly overkill. However, with the default settings, one must emerge openssl USE="-bindist" (and recompile the depending packages). I was thinking of creating a minimal caching version of unbound without having to rebuild several other packages, so the idea is to disable ecdsa by default. I don't know how to say the ebuild way that "depend on openssl, but when ecdsa use is set, depend on openssl[-bindist]" in a clean and nice way. It would be even better to be able to completely disable ssl (like with bind), but I failed to manage that.

--- unbound-1.4.21-r1.ebuild    2014-01-14 14:01:26.000000000 +0000
+++ unbound-1.4.22.ebuild 2014-04-17 19:56:49.463351348 +0000
@@ -14,13 +14,13 @@
 LICENSE="BSD GPL-2"
 SLOT="0"
 KEYWORDS="amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 x86 ~x64-macos"
-IUSE="debug gost python selinux static-libs test threads"
+IUSE="debug ecdsa gost python selinux static-libs test threads"
 REQUIRED_USE="python? ( ${PYTHON_REQUIRED_USE} )"

 RDEPEND="dev-libs/expat
        dev-libs/libevent
        >=dev-libs/openssl-0.9.8
-       >=net-libs/ldns-1.6.13[ecdsa,ssl,gost?]
+       ecdsa? ( >=dev-libs/openssl-0.9.8[-bindist] )
        selinux? ( sec-policy/selinux-bind )"

 DEPEND="${RDEPEND}
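Review bot: The new `ecdsa` flag in IUSE has no `+` default, so ECDSA support silently goes from mandatory to off for existing installs. The removed dependency line required `ldns[ecdsa,ssl,gost?]`, meaning every previous build had ECDSA; after this change a resolver upgraded with unchanged USE flags loses support for ECDSA DNSSEC algorithms. If the aim is only to let bindist users opt out, declare it as `+ecdsa` in IUSE so the default stays where it was. Separately, the removed ldns atom also carried `gost?`, and nothing in RDEPEND now ties the `gost` flag to a dependency; confirm that is intended.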
@@ -58,13 +58,12 @@
        econf \
                $(use_enable debug) \
                $(use_enable gost) \
+               $(use_enable ecdsa) \
                $(use_enable static-libs static) \
                $(use_with python pythonmodule) \
                $(use_with python pyunbound) \
                $(use_with threads pthreads) \
                --disable-rpath \
-               --enable-ecdsa \
-               --with-ldns="${EPREFIX}"/usr \
                --with-libevent="${EPREFIX}"/usr \
                --with-pidfile="${EPREFIX}"/var/run/unbound.pid \
                --with-rootkey-file="${EPREFIX}"/etc/dnssec/root-anchors.txt
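Review bot: Dropping `--with-ldns="${EPREFIX}"/usr` deserves a comment in the ebuild, since together with the removed net-libs/ldns dependency it means the build uses the ldns copy that the release notes say now lives in the ldns/ subdirectory. From then on, fixes to the system ldns package no longer reach unbound, and any ldns security fix has to arrive through an unbound bump. Please note this next to the econf call so it is tracked when ldns advisories appear. Also, `$(use_enable ecdsa)` replaces an unconditional `--enable-ecdsa`, so with the flag unset the build now passes `--disable-ecdsa`; that is a behaviour change for users who do not touch their USE flags.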
Comment 1 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2014-05-13 18:29:27 UTC
So they bundle ldns now? Really awesome from security standpoint.
Comment 2 Tim Harder gentoo-dev 2014-09-27 00:16:15 UTC
This was bumped a while ago, albeit somewhat wrong but that's been fixed in 1.4.22-r1.