Message ID | 20190209094036.11201-1-matthias.fischer@ipfire.org |
---|---|
State | Accepted |
Commit | 97a238f4bf11d8f1964c764216bc55020a54e3d4 |
Headers |
Return-Path: <development-bounces@lists.ipfire.org> Received: from mail01.ipfire.org (unknown [172.28.1.200]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mail01.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by web07.i.ipfire.org (Postfix) with ESMTPS id DF61688B606 for <patchwork@web07.i.ipfire.org>; Sat, 9 Feb 2019 09:40:43 +0000 (GMT) Received: from mail01.i.ipfire.org (localhost [IPv6:::1]) by mail01.ipfire.org (Postfix) with ESMTP id 43xRqv0kTPz5HDMB; Sat, 9 Feb 2019 09:40:43 +0000 (GMT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=201801; t=1549705243; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:content-type: content-transfer-encoding:in-reply-to:references:list-id: list-unsubscribe:list-subscribe:list-post; bh=+MztlnSIbhwzGmAudh9c5lw+U/Jk+q58sSE4PM6pJqM=; b=nJE9oMyUw591yMMIqj7aB9J1AnvKlRW7CmmPmNYKfpyFqcTFghq+7FOb6a4G9AAlIJuc5a 7kHktDK0AkJFwUC8AZ8YeE2VvZX32LmJKA6mAqx2fsUV737nR/HbIni4YAGseYi78S1jJw NTNZ+o5xrKxviIEi/XU7PWTwaS+6cJAZ2WHwdIisODWp35XqJrNba3m9ab3EZkCy9bz2kD 9Reiwc/GmPUFjfLpD2zQQ7l62XQb6TYj0Fbw7VcBPn4RvpkoneB7jX1ZnZ+PIhIOcK17LY n9UZv7lsNg7yg3V/J12fG2z5TYn7v5YF19jWS5HcmNJHAZiCR0VD4w2VnaKGQQ== Received: from Devel.localdomain (p4FF5633E.dip0.t-ipconnect.de [79.245.99.62]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mail01.ipfire.org (Postfix) with ESMTPSA id 43xRqq4ltgz5HDMD for <development@lists.ipfire.org>; Sat, 9 Feb 2019 09:40:39 +0000 (GMT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=201801; t=1549705239; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:content-type: content-transfer-encoding:in-reply-to:references; bh=+MztlnSIbhwzGmAudh9c5lw+U/Jk+q58sSE4PM6pJqM=; b=l0fbgk0FWqL6YgJ1yxxNeGL7oRDUqz51WzcanPijCDXuROJh8rgyUp0a/Rt8gEFLyfQ544 qNCpS8+cGhryjNyDUdBaqQS/Gzi7eVHcZrnymSj1QOLRXrSCb9ddCwkHmQijxTCsVH+DkI mcX0wiMIrw/xtlwCfs4tCd1GVVDj0I5emat10NB6QzLaJTMJXOBe7gRLSrreO2nsSj0t+g i562iq7ZQlEzAXhhSEDG67UhkMVKLlcWv/JBqzqYkkKqEwzHlj6TXE8dz5b7djeRkxIurt Xga55wwh22DfnamcKR5Ym8b/aF+fia3c3a5dkccSp56MiG+/zkWUGCVbpCk8NA== From: Matthias Fischer <matthias.fischer@ipfire.org> To: development@lists.ipfire.org Subject: [PATCH] unbound: Update to 1.9.0 Date: Sat, 9 Feb 2019 10:40:36 +0100 Message-Id: <20190209094036.11201-1-matthias.fischer@ipfire.org> X-Mailer: git-send-email 2.18.0 Authentication-Results: mail01.ipfire.org; auth=pass smtp.auth=mfischer smtp.mailfrom=matthias.fischer@ipfire.org X-Spamd-Result: default: False [-5.00 / 11.00]; ARC_NA(0.00)[]; FROM_HAS_DN(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; MIME_GOOD(-0.10)[text/plain]; TO_DN_NONE(0.00)[]; RCPT_COUNT_ONE(0.00)[1]; DKIM_SIGNED(0.00)[]; MID_CONTAINS_FROM(1.00)[]; NEURAL_HAM(-2.90)[-0.968,0]; RCVD_COUNT_ZERO(0.00)[0]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:3320, ipnet:79.192.0.0/10, country:DE]; RCVD_TLS_ALL(0.00)[]; BAYES_HAM(-3.00)[100.00%] X-Spam-Status: No, score=-5.00 X-Rspamd-Server: mail01.i.ipfire.org X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: IPFire development talk <development.lists.ipfire.org> List-Unsubscribe: <https://lists.ipfire.org/mailman/options/development>, <mailto:development-request@lists.ipfire.org?subject=unsubscribe> List-Archive: <https://lists.ipfire.org/pipermail/development/> List-Post: <mailto:development@lists.ipfire.org> List-Help: <mailto:development-request@lists.ipfire.org?subject=help> List-Subscribe: <https://lists.ipfire.org/mailman/listinfo/development>, <mailto:development-request@lists.ipfire.org?subject=subscribe> Errors-To: development-bounces@lists.ipfire.org Sender: "Development" <development-bounces@lists.ipfire.org> |
Series |
unbound: Update to 1.9.0
|
|
Commit Message
Matthias Fischer
Feb. 9, 2019, 8:40 p.m. UTC
For details see:
https://nlnetlabs.nl/svn/unbound/tags/release-1.9.0/doc/Changelog
Best,
Matthias
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
---
config/rootfiles/common/unbound | 2 +-
lfs/unbound | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
Comments
Hi, I did *not* merge this one, yet. The change log that you linked wasn’t very helpful, but there was an announcement email with some more details: https://nlnetlabs.nl/pipermail/unbound-users/2019-February/011353.html This release contains all the EDNS Flag Day changes and that might cause some trouble. I would prefer to merge this with the next Core Update because Core 128 should already have been closed and I do not want to risk re-opening it. So, please remind me to merge this next week in case I forgot. Best, -Michael > On 9 Feb 2019, at 09:40, Matthias Fischer <matthias.fischer@ipfire.org> wrote: > > For details see: > https://nlnetlabs.nl/svn/unbound/tags/release-1.9.0/doc/Changelog > > Best, > Matthias > > Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> > --- > config/rootfiles/common/unbound | 2 +- > lfs/unbound | 4 ++-- > 2 files changed, 3 insertions(+), 3 deletions(-) > > diff --git a/config/rootfiles/common/unbound b/config/rootfiles/common/unbound > index 9a8126c15..843e0eeca 100644 > --- a/config/rootfiles/common/unbound > +++ b/config/rootfiles/common/unbound > @@ -11,7 +11,7 @@ etc/unbound/unbound.conf > #usr/lib/libunbound.la > #usr/lib/libunbound.so > usr/lib/libunbound.so.8 > -usr/lib/libunbound.so.8.0.3 > +usr/lib/libunbound.so.8.1.0 > #usr/lib/pkgconfig/libunbound.pc > usr/sbin/unbound > usr/sbin/unbound-anchor > diff --git a/lfs/unbound b/lfs/unbound > index 07501d1d6..b090010d4 100644 > --- a/lfs/unbound > +++ b/lfs/unbound > @@ -24,7 +24,7 @@ > > include Config > > -VER = 1.8.3 > +VER = 1.9.0 > > THISAPP = unbound-$(VER) > DL_FILE = $(THISAPP).tar.gz > @@ -40,7 +40,7 @@ objects = $(DL_FILE) > > $(DL_FILE) = $(DL_FROM)/$(DL_FILE) > > -$(DL_FILE)_MD5 = 4646203343d3b8f5aeb1b57753c27ead > +$(DL_FILE)_MD5 = 1026159991a3883518525bc18e25582f > > install : $(TARGET) > > -- > 2.18.0 >
Hi Michael, On 13.02.2019 18:32, Michael Tremer wrote: > Hi, > > I did *not* merge this one, yet. No problem - I'm in touch with Erik trying to help testing TFO and DoT. Its a bit weird... > The change log that you linked wasn’t very helpful, but there was an announcement email with some more details: > > https://nlnetlabs.nl/pipermail/unbound-users/2019-February/011353.html > > This release contains all the EDNS Flag Day changes and that might cause some trouble. I would prefer to merge this with the next Core Update because Core 128 should already have been closed and I do not want to risk re-opening it. > > So, please remind me to merge this next week in case I forgot. No hurry - I'll do. ;-) Best, Matthias > ...
Hi, > On 14 Feb 2019, at 07:05, Matthias Fischer <matthias.fischer@ipfire.org> wrote: > > Hi Michael, > > On 13.02.2019 18:32, Michael Tremer wrote: >> Hi, >> >> I did *not* merge this one, yet. > > No problem - I'm in touch with Erik trying to help testing TFO and DoT. Please don’t forget to share what you are doing on this list :) > > Its a bit weird... > >> The change log that you linked wasn’t very helpful, but there was an announcement email with some more details: >> >> https://nlnetlabs.nl/pipermail/unbound-users/2019-February/011353.html >> >> This release contains all the EDNS Flag Day changes and that might cause some trouble. I would prefer to merge this with the next Core Update because Core 128 should already have been closed and I do not want to risk re-opening it. >> >> So, please remind me to merge this next week in case I forgot. > > No hurry - I'll do. ;-) > > Best, > Matthias > >> ... -Michael
Hi Michael, On 14.02.2019 12:01, Michael Tremer wrote: >>> I did *not* merge this one, yet. >> No problem - I'm in touch with Erik trying to help testing TFO and DoT. > Please don’t forget to share what you are doing on this list Of course. ;-) So far, I got the same results as Erik. But my test environment is not as extensive as his. One important result for me: the iptables rules to prevent dns hijacking are still working. Best, Matthias
On 14 Feb 2019, at 17:26, Matthias Fischer <matthias.fischer@ipfire.org> wrote: > > Hi Michael, > > On 14.02.2019 12:01, Michael Tremer wrote: >>>> I did *not* merge this one, yet. >>> No problem - I'm in touch with Erik trying to help testing TFO and DoT. >> Please don’t forget to share what you are doing on this list > > Of course. ;-) > > So far, I got the same results as Erik. But my test environment is not > as extensive as his. > > One important result for me: the iptables rules to prevent dns hijacking > are still working. The ones for the captive portal? Or did you have any custom rules? > > Best, > Matthias
Hi Michael, another point was TFO for DoT whereby Matthis found an interessting mailinglist entry --> https://www.mail-archive.com/unbound-users@nlnetlabs.nl/msg00523.html . So it appears that DoT currently do not benefits from TFO which reflects also my testings. There has been longer time ago also some requests on OpenSSL causing this topic --> https://github.com/openssl/openssl/issues/4783 (there ist more). In general, after some faster tests with curl, TFO seems to work --> https://forum.ipfire.org/viewtopic.php?f=50&t=21954&start=15#p122372 . Best, Erik On Do, 2019-02-14 at 11:01 +0000, Michael Tremer wrote: > Hi, > > > On 14 Feb 2019, at 07:05, Matthias Fischer < > > matthias.fischer@ipfire.org> wrote: > > > > Hi Michael, > > > > On 13.02.2019 18:32, Michael Tremer wrote: > > > Hi, > > > > > > I did *not* merge this one, yet. > > > > No problem - I'm in touch with Erik trying to help testing TFO and > > DoT. > > Please don’t forget to share what you are doing on this list :) > > > > > Its a bit weird... > > > > > The change log that you linked wasn’t very helpful, but there was > > > an announcement email with some more details: > > > > > > > > > https://nlnetlabs.nl/pipermail/unbound-users/2019-February/011353.html > > > > > > This release contains all the EDNS Flag Day changes and that > > > might cause some trouble. I would prefer to merge this with the > > > next Core Update because Core 128 should already have been closed > > > and I do not want to risk re-opening it. > > > > > > So, please remind me to merge this next week in case I forgot. > > > > No hurry - I'll do. ;-) > > > > Best, > > Matthias > > > > > ... > > -Michael
On 15.02.2019 12:34, Michael Tremer wrote: > On 14 Feb 2019, at 17:26, Matthias Fischer <matthias.fischer@ipfire.org> wrote: >> >> Hi Michael, >> >> On 14.02.2019 12:01, Michael Tremer wrote: >>>>> I did *not* merge this one, yet. >>>> No problem - I'm in touch with Erik trying to help testing TFO and DoT. >>> Please don’t forget to share what you are doing on this list >> >> Of course. ;-) >> >> So far, I got the same results as Erik. But my test environment is not >> as extensive as his. >> >> One important result for me: the iptables rules to prevent dns hijacking >> are still working. > > The ones for the captive portal? Or did you have any custom rules? I use custom rules in 'firewall.local' (Inspired by https://blog.ipfire.org/post/use-ipfire-to-protect-you-from-dnschanger): ***SNIP*** sbin/iptables -t nat -A CUSTOMPREROUTING -i green0 -p udp --dport 53 -j DNAT --to 192.168.100.254:53 /sbin/iptables -t nat -A CUSTOMPREROUTING -i green0 -p tcp --dport 53 -j DNAT --to 192.168.100.254:53 /sbin/iptables -t nat -A CUSTOMPREROUTING -i blue0 -p udp --dport 53 -j DNAT --to 192.168.101.254:53 /sbin/iptables -t nat -A CUSTOMPREROUTING -i blue0 -p tcp --dport 53 -j DNAT --to 192.168.101.254:53 ***SNAP*** I'm still testing testing under various conditions. Best, Matthias
Hi, I have just merged this patch into next for c129. -Michael > On 15 Feb 2019, at 16:48, Matthias Fischer <matthias.fischer@ipfire.org> wrote: > > On 15.02.2019 12:34, Michael Tremer wrote: >> On 14 Feb 2019, at 17:26, Matthias Fischer <matthias.fischer@ipfire.org> wrote: >>> >>> Hi Michael, >>> >>> On 14.02.2019 12:01, Michael Tremer wrote: >>>>>> I did *not* merge this one, yet. >>>>> No problem - I'm in touch with Erik trying to help testing TFO and DoT. >>>> Please don’t forget to share what you are doing on this list >>> >>> Of course. ;-) >>> >>> So far, I got the same results as Erik. But my test environment is not >>> as extensive as his. >>> >>> One important result for me: the iptables rules to prevent dns hijacking >>> are still working. >> >> The ones for the captive portal? Or did you have any custom rules? > > I use custom rules in 'firewall.local' > (Inspired by https://blog.ipfire.org/post/use-ipfire-to-protect-you-from-dnschanger): > > ***SNIP*** > sbin/iptables -t nat -A CUSTOMPREROUTING -i green0 -p udp --dport 53 -j DNAT --to 192.168.100.254:53 > > /sbin/iptables -t nat -A CUSTOMPREROUTING -i green0 -p tcp --dport 53 -j DNAT --to 192.168.100.254:53 > > /sbin/iptables -t nat -A CUSTOMPREROUTING -i blue0 -p udp --dport 53 -j DNAT --to 192.168.101.254:53 > > /sbin/iptables -t nat -A CUSTOMPREROUTING -i blue0 -p tcp --dport 53 -j DNAT --to 192.168.101.254:53 > ***SNAP*** > > I'm still testing testing under various conditions. > > Best, > Matthias
diff --git a/config/rootfiles/common/unbound b/config/rootfiles/common/unbound index 9a8126c15..843e0eeca 100644 --- a/config/rootfiles/common/unbound +++ b/config/rootfiles/common/unbound @@ -11,7 +11,7 @@ etc/unbound/unbound.conf #usr/lib/libunbound.la #usr/lib/libunbound.so usr/lib/libunbound.so.8 -usr/lib/libunbound.so.8.0.3 +usr/lib/libunbound.so.8.1.0 #usr/lib/pkgconfig/libunbound.pc usr/sbin/unbound usr/sbin/unbound-anchor diff --git a/lfs/unbound b/lfs/unbound index 07501d1d6..b090010d4 100644 --- a/lfs/unbound +++ b/lfs/unbound @@ -24,7 +24,7 @@ include Config -VER = 1.8.3 +VER = 1.9.0 THISAPP = unbound-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = 4646203343d3b8f5aeb1b57753c27ead +$(DL_FILE)_MD5 = 1026159991a3883518525bc18e25582f install : $(TARGET)