Add a patch to Unbound from upstream correcting a bug resulting

in failure to validate DNSSEC which was introduced in 1.4.15: http://permalink.gmane.org/gmane.network.dns.unbound.user/2006 Full update to Unbound 1.4.16 can wait until we're done with 5.1 ok ajacoutot@
2012-02-02 13:42:13 +00:00 · 2012-02-02 13:42:13 +00:00 · 42efe7f60b
commit 42efe7f60b
parent b9644080ef
2 changed files with 22 additions and 1 deletions
--- a/net/unbound/Makefile
+++ b/net/unbound/Makefile
@ -1,8 +1,9 @@
-# $OpenBSD: Makefile,v 1.38 2012/01/26 22:04:03 sthen Exp $
+# $OpenBSD: Makefile,v 1.39 2012/02/02 13:42:13 sthen Exp $

 COMMENT=	validating DNS resolver

 DISTNAME=	unbound-1.4.15
+REVISION=	0
 CATEGORIES=	net

 MASTER_SITES=	http://www.unbound.net/downloads/
--- a/net/unbound/patches/patch-services_cache_rrset_c
+++ b/net/unbound/patches/patch-services_cache_rrset_c
@ -0,0 +1,20 @@
+$OpenBSD: patch-services_cache_rrset_c,v 1.1 2012/02/02 13:42:13 sthen Exp $
+
+http://permalink.gmane.org/gmane.network.dns.unbound.user/2006
+
+Fix DNSSEC validation failures after hours or days:
+"validation failure xx: no NSEC3 closest encloser from yy for DS zz while
+building chain of trust."
+
+--- services/cache/rrset.c.orig	Thu Feb  2 11:05:28 2012
+++ services/cache/rrset.c	Thu Feb  2 11:05:49 2012
+@@ -207,7 +207,8 @@ rrset_cache_update(struct rrset_cache* r, struct rrset
+ 			/* cache is superior, return that value */
+ 			lock_rw_unlock(&e->lock);
+ 			ub_packed_rrset_parsedelete(k, alloc);
+-			return 2;
+			if(equal) return 2;
+			return 1;
+ 		}
+ 		lock_rw_unlock(&e->lock);
+ 		/* Go on and insert the passed item.