Bug 2027735
| Summary: | [RFE] Rebase unbound to latest stable release | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Florencia Fotorello <ffotorel> |
| Component: | unbound | Assignee: | Petr Menšík <pemensik> |
| Status: | CLOSED ERRATA | QA Contact: | Petr Sklenar <psklenar> |
| Severity: | urgent | Docs Contact: | Šárka Jana <sjanderk> |
| Priority: | urgent | | |
| Version: | 8.6 | CC: | apmukher, pemensik, pete.perfetti, psklenar, rsahoo, sjanderk |
| Target Milestone: | rc | Keywords: | FutureFeature, Rebase, Triaged |
| Target Release: | --- | Flags: | pm-rhel: mirror+ |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | unbound-1.16.2-2.el8 | Doc Type: | Enhancement |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2022-11-08 09:51:08 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 2071968, 2081958, 2116730, 2116737 | | |

Doc Text:

.`unbound` rebased to version 1.16.2
The `unbound` component has been updated to version 1.16.2. `unbound` is a validating, recursive, and caching DNS resolver. Notable improvements include:
* ZONEMD zone verification (`RFC 8976`) lets recipients verify zone contents for data integrity and origin authenticity.
* Persistent TCP connections can now be configured.
* The SVCB and HTTPS record types are handled according to the Service Binding and Parameter Specification (`draft-ietf-dnsop-svcb-https`).
* `unbound` takes its default TLS ciphers from the system-wide crypto policies.
* The Special-Use Domain `home.arpa.` (`RFC 8375`) is supported; it is designated for non-unique use in residential home networks.
* `tcp-upstream` queries can now be enabled selectively for individual stub or forward zones.
* The default of the `aggressive-nsec` option is now `yes`.
* The `ratelimit` logic was updated.
* The new `rpz-signal-nxdomain-ra` option unsets the `RA` flag when a query is blocked by an Unbound response policy zone (RPZ) NXDOMAIN reply.
* Basic support for Extended DNS Errors (EDE, `RFC 8914`) provides additional error information in responses.
Comment 10
Petr Menšík
2022-05-06 15:50:41 UTC
Prepared copr build for epel8 on COPR [1]. Infrastructure is broken, so I am unsure it works as it should. But basic things seem to be working. The change on top of released version 1.15.0 is in its own branch [2].

1. https://copr.fedorainfracloud.org/coprs/pemensik/unbound/
2. https://github.com/InfrastructureServices/unbound/tree/rhel8-no-abi-break-1.15

The change looks good; even a previously compiled unbound-host is able to continue with the new library and works. But at least libreswan would require a change too, because it expects the changed callback format. But that checks only the version, and our version would not compile libreswan. Fail at: https://download.copr.fedorainfracloud.org/results/pemensik/unbound/epel-8-x86_64/04373948-libreswan/builder-live.log.gz

```
cc -DTimeZoneOffset=timezone -pthread -std=gnu99 -g -Werror -Wno-missing-field-initializers -Wno-lto-type-mismatch -Wno-maybe-uninitialized -Wall -Wextra -Wformat -Wformat-nonliteral -Wformat-security -Wundef -Wmissing-declarations -Wredundant-decls -Wnested-externs -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -fstack-protector-all -fno-strict-aliasing -fPIE -DPIE -DNSS_IPSEC_PROFILE -DXFRM_LIFETIME_DEFAULT=30 -DUSE_IKEv1 -DKERNEL_XFRM -DUSE_XFRM_INTERFACE -DUSE_DNSSEC -DDEFAULT_DNSSEC_ROOTKEY_FILE=\""/var/lib/unbound/root.key"\" -DHAVE_LABELED_IPSEC -DHAVE_SECCOMP -DLIBCURL -DUSE_LINUX_AUDIT -DUSE_SYSTEMD_WATCHDOG -DLIBLDAP -DHAVE_NM -DUSE_PAM_AUTH -DUSE_3DES -DUSE_AES -DUSE_CAMELLIA -DUSE_CHACHA -DUSE_DH31 -DUSE_MD5 -DUSE_SHA1 -DUSE_SHA2 -DUSE_PRF_AES_XCBC -DUSE_NSS_KDF -DDEFAULT_RUNDIR=\"/run/pluto\" -DIPSEC_CONF=\"/etc/ipsec.conf\" -DIPSEC_CONFDDIR=\"/etc/ipsec.d\" -DIPSEC_NSSDIR=\"/var/lib/ipsec/nss\" -DIPSEC_CONFDIR=\"/etc\" -DIPSEC_EXECDIR=\"/usr/libexec/ipsec\" -DIPSEC_SBINDIR=\"/usr/sbin\" -DIPSEC_VARDIR=\"/var\" -DPOLICYGROUPSDIR=\"/etc/ipsec.d/policies\" -DIPSEC_SECRETS_FILE=\"/etc/ipsec.secrets\" -DFORCE_PR_ASSERT -DUSE_FORK=1 -DUSE_VFORK=0 -DUSE_DAEMON=0 -DUSE_PTHREAD_SETSCHEDPRIO=1 -DGCC_LINT -DHAVE_LIBCAP_NG \
 -I. -I../../OBJ.linux.x86_64.f339a8b5d56c49dda351b3e4a108cf33/programs/pluto -I../../include -I/usr/include/nss3 -I/usr/include/nspr4 -I/builddir/build/BUILD/libreswan-4.6/programs/pluto/linux-copy \
 -DHERE_FILENAME=\"programs/pluto/ikev1.c\" \
 \
 -MF ../../OBJ.linux.x86_64.f339a8b5d56c49dda351b3e4a108cf33/programs/pluto/ikev1.d \
 -MP -MMD -MT ikev1.o \
 -o ../../OBJ.linux.x86_64.f339a8b5d56c49dda351b3e4a108cf33/programs/pluto/ikev1.o \
 -c /builddir/build/BUILD/libreswan-4.6/programs/pluto/ikev1.c
/builddir/build/BUILD/libreswan-4.6/programs/pluto/ikev2_ipseckey_dnsr.c: In function 'dns_qry_start':
/builddir/build/BUILD/libreswan-4.6/programs/pluto/ikev2_ipseckey_dnsr.c:471:27: error: passing argument 6 of 'ub_resolve_event' from incompatible pointer type [-Werror=incompatible-pointer-types]
   dnsr->qclass, dnsr, ipseckey_ub_cb, &dnsr->ub_async_id);
                       ^~~~~~~~~~~~~~
In file included from /builddir/build/BUILD/libreswan-4.6/programs/pluto/ikev2_ipseckey_dnsr.c:31:
/usr/include/unbound-event.h:258:52: note: expected 'ub_event_callback_type' {aka 'void (*)(void *, int, void *, int, int, char *)'} but argument is of type 'void (*)(void *, int, void *, int, int, char *, int)'
  int rrclass, void* mydata, ub_event_callback_type callback,
  ~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~
```

Breaking libreswan can be avoided by faking a 1.7.x version in unbound-event.h. That should also fix any other potential issues with compile-time detection. ub_version() would still report the correct version of unbound. But the version taken from the header would report 1.7.1150 for the 1.15.0 release.

Thread about this at the unbound-users mailing list: https://lists.nlnetlabs.nl/pipermail/unbound-users/2022-May/007737.html

I am not proposing this change to normal unbound, therefore it would be a downstream-only change. No merge request would be created at upstream. Not included in RHEL9+ or Fedora. Should work also for RHEL7, but no production build would be done for it. It seems most software uses just ub_resolve_async, which should be unaffected by this change.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: unbound security, bug fix, and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:7622
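The following C program is an added example; it is not code from the bug report, from unbound or from libreswan. It models the compile-time situation the comment describes: a consumer selects the signature of its `ub_resolve_event()` callback from the `UNBOUND_VERSION_*` macros in `unbound-event.h`, so a "no ABI break" header that keeps the old six-argument callback but still advertises 1.15 makes the consumer hand over a seven-argument function (the `incompatible-pointer-types` error in the log), while a header that reports 1.7.x makes the same consumer pick the six-argument form again. libunbound is not linked: the `ub_event_callback_type` typedef, `ub_resolve_event_stub()` and the constructed answer buffer are stand-ins modelled on the prototypes quoted in the log, and `ASSUMED_SWITCH_MINOR` (the minor version at which consumers start passing `was_ratelimited`) is an assumption; check the consumer's own source for its exact condition.

```c
/* Added example, not from the bug report, unbound or libreswan.
 * Models how a libreswan-style consumer gates its ub_resolve_event()
 * callback signature on the UNBOUND_VERSION_* macros, and what the
 * downstream "fake 1.7.x" header changes. libunbound is not linked. */
#include <stdio.h>
#include <string.h>

/* HEADER_MODE selects which unbound-event.h to simulate (all constructed):
 *   0 = upstream 1.15.0: 7-argument callback
 *   1 = no-ABI-break build without the version trick: says 1.15.0 but keeps
 *       the 6-argument callback (build with -Werror and it fails like libreswan)
 *   2 = no-ABI-break build faking 1.7.1150: 6-argument callback (default) */
#ifndef HEADER_MODE
#define HEADER_MODE 2
#endif

#if HEADER_MODE == 0
#define UNBOUND_VERSION_MAJOR 1
#define UNBOUND_VERSION_MINOR 15
#define UNBOUND_VERSION_MICRO 0
#define UB_HEADER_CB_ARGS 7
#elif HEADER_MODE == 1
#define UNBOUND_VERSION_MAJOR 1
#define UNBOUND_VERSION_MINOR 15
#define UNBOUND_VERSION_MICRO 0
#define UB_HEADER_CB_ARGS 6
#else
#define UNBOUND_VERSION_MAJOR 1
#define UNBOUND_VERSION_MINOR 7
#define UNBOUND_VERSION_MICRO 1150 /* 1.7.1150 encodes the real 1.15.0 */
#define UB_HEADER_CB_ARGS 6
#endif

/* Stand-in for the library typedef; shapes copied from the build log. */
#if UB_HEADER_CB_ARGS == 7
typedef void (*ub_event_callback_type)(void *, int, void *, int, int, char *, int);
#else
typedef void (*ub_event_callback_type)(void *, int, void *, int, int, char *);
#endif

/* Consumer side: version gate. The threshold is an ASSUMPTION for this example. */
#define ASSUMED_SWITCH_MINOR 8
#if UNBOUND_VERSION_MAJOR == 1 && UNBOUND_VERSION_MINOR >= ASSUMED_SWITCH_MINOR
#define CONSUMER_CB_ARGS 7
#else
#define CONSUMER_CB_ARGS 6
#endif

struct lookup_result {
    int rcode, secure, args_seen; /* args_seen: arity the consumer compiled */
    char why_bogus[64];
};

static void record(struct lookup_result *r, int rcode, int sec, const char *why)
{
    r->rcode = rcode; r->secure = sec; r->args_seen = CONSUMER_CB_ARGS;
    snprintf(r->why_bogus, sizeof r->why_bogus, "%s", why ? why : "");
}

#if CONSUMER_CB_ARGS == 7
static void consumer_cb(void *mydata, int rcode, void *packet, int packet_len,
                        int sec, char *why_bogus, int was_ratelimited)
{
    (void)packet; (void)packet_len; (void)was_ratelimited;
    record(mydata, rcode, sec, why_bogus);
}
#else
static void consumer_cb(void *mydata, int rcode, void *packet, int packet_len,
                        int sec, char *why_bogus)
{
    (void)packet; (void)packet_len;
    record(mydata, rcode, sec, why_bogus);
}
#endif

/* Stand-in for ub_resolve_event(): does no DNS, just invokes the callback the
 * way the library's event loop would, with a constructed empty answer buffer,
 * rcode 0 (NOERROR) and secure=1. */
static int ub_resolve_event_stub(void *mydata, ub_event_callback_type cb)
{
    static char wire[12];
#if UB_HEADER_CB_ARGS == 7
    cb(mydata, 0, wire, (int)sizeof wire, 1, NULL, 0);
#else
    cb(mydata, 0, wire, (int)sizeof wire, 1, NULL);
#endif
    return 0;
}

/* Compile-time check a consumer could add: 1 if our callback has the type the
 * installed header expects, 0 for the mismatch seen in the build log. */
int callback_matches_header(void)
{
    return _Generic(&consumer_cb, ub_event_callback_type: 1, default: 0);
}

int header_minor(void) { return UNBOUND_VERSION_MINOR; }
int header_micro(void) { return UNBOUND_VERSION_MICRO; }

/* Run one "lookup" through the stub; returns the callback arity used. In
 * HEADER_MODE 1 the consumer_cb argument is an incompatible pointer type:
 * exactly the diagnostic from the libreswan build. */
int run_lookup(struct lookup_result *r)
{
    memset(r, 0, sizeof *r);
    ub_resolve_event_stub(r, consumer_cb);
    return r->args_seen;
}

int lookup_arity(void) { struct lookup_result r; return run_lookup(&r); }
int lookup_rcode(void) { struct lookup_result r; run_lookup(&r); return r.rcode; }

int main(void)
{
    struct lookup_result r;
    int n = run_lookup(&r);
    printf("header %d.%d.%d -> %d-arg callback, matches=%d, rcode=%d secure=%d\n",
           UNBOUND_VERSION_MAJOR, header_minor(), header_micro(), n,
           callback_matches_header(), r.rcode, r.secure);
    return 0;
}
```

Built as-is, the faked 1.7.1150 header makes the consumer compile the six-argument callback and the types agree; `-DHEADER_MODE=1 -Werror` reproduces the libreswan failure, and `-DHEADER_MODE=0` the upstream layout. `ub_version()` is deliberately not modelled: the point of the downstream trick is that the runtime string and the header macros disagree, which is why anything keying on `UNBOUND_VERSION_*` (and nothing else) keeps working.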