[PATCH] unbound: Update to 1.9.0

[PATCH] unbound: Update to 1.9.0

[Matthias Fischer]

[-- Attachment #1: Type: text/plain, Size: 1209 bytes --]

For details see:
https://nlnetlabs.nl/svn/unbound/tags/release-1.9.0/doc/Changelog

Best,
Matthias

Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org>
---
 config/rootfiles/common/unbound | 2 +-
 lfs/unbound                     | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/config/rootfiles/common/unbound b/config/rootfiles/common/unbound
index 9a8126c15..843e0eeca 100644
--- a/config/rootfiles/common/unbound
+++ b/config/rootfiles/common/unbound
@@ -11,7 +11,7 @@ etc/unbound/unbound.conf
 #usr/lib/libunbound.la
 #usr/lib/libunbound.so
 usr/lib/libunbound.so.8
-usr/lib/libunbound.so.8.0.3
+usr/lib/libunbound.so.8.1.0
 #usr/lib/pkgconfig/libunbound.pc
 usr/sbin/unbound
 usr/sbin/unbound-anchor
diff --git a/lfs/unbound b/lfs/unbound
index 07501d1d6..b090010d4 100644
--- a/lfs/unbound
+++ b/lfs/unbound
@@ -24,7 +24,7 @@
 
 include Config
 
-VER        = 1.8.3
+VER        = 1.9.0
 
 THISAPP    = unbound-$(VER)
 DL_FILE    = $(THISAPP).tar.gz
@@ -40,7 +40,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_MD5 = 4646203343d3b8f5aeb1b57753c27ead
+$(DL_FILE)_MD5 = 1026159991a3883518525bc18e25582f
 
 install : $(TARGET)
 
-- 
2.18.0

Re: [PATCH] unbound: Update to 1.9.0

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 1984 bytes --]

Hi,

I did *not* merge this one, yet.

The change log that you linked wasn’t very helpful, but there was an announcement email with some more details:

  https://nlnetlabs.nl/pipermail/unbound-users/2019-February/011353.html

This release contains all the EDNS Flag Day changes and that might cause some trouble. I would prefer to merge this with the next Core Update because Core 128 should already have been closed and I do not want to risk re-opening it.

So, please remind me to merge this next week in case I forgot.

Best,
-Michael

> On 9 Feb 2019, at 09:40, Matthias Fischer <matthias.fischer(a)ipfire.org> wrote:
> 
> For details see:
> https://nlnetlabs.nl/svn/unbound/tags/release-1.9.0/doc/Changelog
> 
> Best,
> Matthias
> 
> Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org>
> ---
> config/rootfiles/common/unbound | 2 +-
> lfs/unbound                     | 4 ++--
> 2 files changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/config/rootfiles/common/unbound b/config/rootfiles/common/unbound
> index 9a8126c15..843e0eeca 100644
> --- a/config/rootfiles/common/unbound
> +++ b/config/rootfiles/common/unbound
> @@ -11,7 +11,7 @@ etc/unbound/unbound.conf
> #usr/lib/libunbound.la
> #usr/lib/libunbound.so
> usr/lib/libunbound.so.8
> -usr/lib/libunbound.so.8.0.3
> +usr/lib/libunbound.so.8.1.0
> #usr/lib/pkgconfig/libunbound.pc
> usr/sbin/unbound
> usr/sbin/unbound-anchor
> diff --git a/lfs/unbound b/lfs/unbound
> index 07501d1d6..b090010d4 100644
> --- a/lfs/unbound
> +++ b/lfs/unbound
> @@ -24,7 +24,7 @@
> 
> include Config
> 
> -VER        = 1.8.3
> +VER        = 1.9.0
> 
> THISAPP    = unbound-$(VER)
> DL_FILE    = $(THISAPP).tar.gz
> @@ -40,7 +40,7 @@ objects = $(DL_FILE)
> 
> $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
> 
> -$(DL_FILE)_MD5 = 4646203343d3b8f5aeb1b57753c27ead
> +$(DL_FILE)_MD5 = 1026159991a3883518525bc18e25582f
> 
> install : $(TARGET)
> 
> -- 
> 2.18.0
> 

Re: [PATCH] unbound: Update to 1.9.0

[Matthias Fischer]

[-- Attachment #1: Type: text/plain, Size: 766 bytes --]

Hi Michael,

On 13.02.2019 18:32, Michael Tremer wrote:
> Hi,
> 
> I did *not* merge this one, yet.

No problem - I'm in touch with Erik trying to help testing TFO and DoT.

Its a bit weird...

> The change log that you linked wasn’t very helpful, but there was an announcement email with some more details:
> 
>   https://nlnetlabs.nl/pipermail/unbound-users/2019-February/011353.html
> 
> This release contains all the EDNS Flag Day changes and that might cause some trouble. I would prefer to merge this with the next Core Update because Core 128 should already have been closed and I do not want to risk re-opening it.
> 
> So, please remind me to merge this next week in case I forgot.

No hurry - I'll do. ;-)

Best,
Matthias

> ...

Re: [PATCH] unbound: Update to 1.9.0

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 983 bytes --]

Hi,

> On 14 Feb 2019, at 07:05, Matthias Fischer <matthias.fischer(a)ipfire.org> wrote:
> 
> Hi Michael,
> 
> On 13.02.2019 18:32, Michael Tremer wrote:
>> Hi,
>> 
>> I did *not* merge this one, yet.
> 
> No problem - I'm in touch with Erik trying to help testing TFO and DoT.

Please don’t forget to share what you are doing on this list :)

> 
> Its a bit weird...
> 
>> The change log that you linked wasn’t very helpful, but there was an announcement email with some more details:
>> 
>>  https://nlnetlabs.nl/pipermail/unbound-users/2019-February/011353.html
>> 
>> This release contains all the EDNS Flag Day changes and that might cause some trouble. I would prefer to merge this with the next Core Update because Core 128 should already have been closed and I do not want to risk re-opening it.
>> 
>> So, please remind me to merge this next week in case I forgot.
> 
> No hurry - I'll do. ;-)
> 
> Best,
> Matthias
> 
>> ...

-Michael

Re: [PATCH] unbound: Update to 1.9.0

[Matthias Fischer]

[-- Attachment #1: Type: text/plain, Size: 452 bytes --]

Hi Michael,

On 14.02.2019 12:01, Michael Tremer wrote:
>>> I did *not* merge this one, yet.
>> No problem - I'm in touch with Erik trying to help testing TFO and DoT.
> Please don’t forget to share what you are doing on this list 

Of course. ;-)

So far, I got the same results as Erik. But my test environment is not
as extensive as his.

One important result for me: the iptables rules to prevent dns hijacking
are still working.

Best,
Matthias

Re: [PATCH] unbound: Update to 1.9.0

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 661 bytes --]

On 14 Feb 2019, at 17:26, Matthias Fischer <matthias.fischer(a)ipfire.org> wrote:
> 
> Hi Michael,
> 
> On 14.02.2019 12:01, Michael Tremer wrote:
>>>> I did *not* merge this one, yet.
>>> No problem - I'm in touch with Erik trying to help testing TFO and DoT.
>> Please don’t forget to share what you are doing on this list 
> 
> Of course. ;-)
> 
> So far, I got the same results as Erik. But my test environment is not
> as extensive as his.
> 
> One important result for me: the iptables rules to prevent dns hijacking
> are still working.

The ones for the captive portal? Or did you have any custom rules?

> 
> Best,
> Matthias

Re: [PATCH] unbound: Update to 1.9.0

[ummeegge]

[-- Attachment #1: Type: text/plain, Size: 1699 bytes --]

Hi Michael,
another point was TFO for DoT whereby Matthis found an interessting
mailinglist entry -->
https://www.mail-archive.com/unbound-users(a)nlnetlabs.nl/msg00523.html .
So it appears that DoT currently do not benefits from TFO which
reflects also my testings. There has been longer time ago also some
requests on OpenSSL causing this topic -->
https://github.com/openssl/openssl/issues/4783 (there ist more).

In general, after some faster tests with curl, TFO seems to work --> 
https://forum.ipfire.org/viewtopic.php?f=50&t=21954&start=15#p122372 .


Best,

Erik


On Do, 2019-02-14 at 11:01 +0000, Michael Tremer wrote:
> Hi,
> 
> > On 14 Feb 2019, at 07:05, Matthias Fischer <
> > matthias.fischer(a)ipfire.org> wrote:
> > 
> > Hi Michael,
> > 
> > On 13.02.2019 18:32, Michael Tremer wrote:
> > > Hi,
> > > 
> > > I did *not* merge this one, yet.
> > 
> > No problem - I'm in touch with Erik trying to help testing TFO and
> > DoT.
> 
> Please don’t forget to share what you are doing on this list :)
> 
> > 
> > Its a bit weird...
> > 
> > > The change log that you linked wasn’t very helpful, but there was
> > > an announcement email with some more details:
> > > 
> > >  
> > > https://nlnetlabs.nl/pipermail/unbound-users/2019-February/011353.html
> > > 
> > > This release contains all the EDNS Flag Day changes and that
> > > might cause some trouble. I would prefer to merge this with the
> > > next Core Update because Core 128 should already have been closed
> > > and I do not want to risk re-opening it.
> > > 
> > > So, please remind me to merge this next week in case I forgot.
> > 
> > No hurry - I'll do. ;-)
> > 
> > Best,
> > Matthias
> > 
> > > ...
> 
> -Michael

Re: [PATCH] unbound: Update to 1.9.0

[Matthias Fischer]

[-- Attachment #1: Type: text/plain, Size: 1341 bytes --]

On 15.02.2019 12:34, Michael Tremer wrote:
> On 14 Feb 2019, at 17:26, Matthias Fischer <matthias.fischer(a)ipfire.org> wrote:
>> 
>> Hi Michael,
>> 
>> On 14.02.2019 12:01, Michael Tremer wrote:
>>>>> I did *not* merge this one, yet.
>>>> No problem - I'm in touch with Erik trying to help testing TFO and DoT.
>>> Please don’t forget to share what you are doing on this list 
>> 
>> Of course. ;-)
>> 
>> So far, I got the same results as Erik. But my test environment is not
>> as extensive as his.
>> 
>> One important result for me: the iptables rules to prevent dns hijacking
>> are still working.
> 
> The ones for the captive portal? Or did you have any custom rules?

I use custom rules in 'firewall.local'
(Inspired by https://blog.ipfire.org/post/use-ipfire-to-protect-you-from-dnschanger):

***SNIP***
sbin/iptables -t nat -A CUSTOMPREROUTING -i green0 -p udp --dport 53 -j DNAT --to 192.168.100.254:53

/sbin/iptables -t nat -A CUSTOMPREROUTING -i green0 -p tcp --dport 53 -j DNAT --to 192.168.100.254:53

/sbin/iptables -t nat -A CUSTOMPREROUTING -i blue0 -p udp --dport 53 -j DNAT --to 192.168.101.254:53

/sbin/iptables -t nat -A CUSTOMPREROUTING -i blue0 -p tcp --dport 53 -j DNAT --to 192.168.101.254:53
***SNAP***

I'm still testing testing under various conditions.

Best,
Matthias

Re: [PATCH] unbound: Update to 1.9.0

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 1560 bytes --]

Hi,

I have just merged this patch into next for c129.

-Michael

> On 15 Feb 2019, at 16:48, Matthias Fischer <matthias.fischer(a)ipfire.org> wrote:
> 
> On 15.02.2019 12:34, Michael Tremer wrote:
>> On 14 Feb 2019, at 17:26, Matthias Fischer <matthias.fischer(a)ipfire.org> wrote:
>>> 
>>> Hi Michael,
>>> 
>>> On 14.02.2019 12:01, Michael Tremer wrote:
>>>>>> I did *not* merge this one, yet.
>>>>> No problem - I'm in touch with Erik trying to help testing TFO and DoT.
>>>> Please don’t forget to share what you are doing on this list 
>>> 
>>> Of course. ;-)
>>> 
>>> So far, I got the same results as Erik. But my test environment is not
>>> as extensive as his.
>>> 
>>> One important result for me: the iptables rules to prevent dns hijacking
>>> are still working.
>> 
>> The ones for the captive portal? Or did you have any custom rules?
> 
> I use custom rules in 'firewall.local'
> (Inspired by https://blog.ipfire.org/post/use-ipfire-to-protect-you-from-dnschanger):
> 
> ***SNIP***
> sbin/iptables -t nat -A CUSTOMPREROUTING -i green0 -p udp --dport 53 -j DNAT --to 192.168.100.254:53
> 
> /sbin/iptables -t nat -A CUSTOMPREROUTING -i green0 -p tcp --dport 53 -j DNAT --to 192.168.100.254:53
> 
> /sbin/iptables -t nat -A CUSTOMPREROUTING -i blue0 -p udp --dport 53 -j DNAT --to 192.168.101.254:53
> 
> /sbin/iptables -t nat -A CUSTOMPREROUTING -i blue0 -p tcp --dport 53 -j DNAT --to 192.168.101.254:53
> ***SNAP***
> 
> I'm still testing testing under various conditions.
> 
> Best,
> Matthias