unbound: Update to 1.25.0

For details see:
https://nlnetlabs.nl/projects/unbound/download/#unbound-1-25-0

Changelog is IMHO too long for the list ( ;-) )

I'll just mention "Fix #1404: Priming the root key fails after
loading ipfire.org RPZ zones. Fixed by including the ZONEMD
RRtype in the list of types to ignore for RPZ zones. Analysis
and patch provided by ummeegge."

=> Patch for RPZ ZONEMD has been removed accordingly.

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

diff --git a/config/rootfiles/common/unbound b/config/rootfiles/common/unbound
index 1cd18c99dc7d589f2fc93ea1d1b2109fe787223e..4ab2ee5b4865e22ebb1696bf3ea6e4aaafb47d57 100644 (file)
--- a/config/rootfiles/common/unbound
+++ b/config/rootfiles/common/unbound
@@ -11,7 +11,7 @@ etc/unbound/unbound.conf
 #usr/lib/libunbound.la
 #usr/lib/libunbound.so
 usr/lib/libunbound.so.8
-usr/lib/libunbound.so.8.1.34
+usr/lib/libunbound.so.8.1.36
 #usr/lib/pkgconfig/libunbound.pc
 usr/sbin/unbound
 usr/sbin/unbound-anchor

diff --git a/lfs/unbound b/lfs/unbound
index 604e3d4d4391296a46e97f98f4537e91a8a5e2f7..b0691e864e35530eef77317ee6d9d68d29b2ccb7 100644 (file)
--- a/lfs/unbound
+++ b/lfs/unbound
@@ -1,7 +1,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2025  IPFire Team  <info@ipfire.org>                     #
+# Copyright (C) 2007-2026  IPFire Team  <info@ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -24,7 +24,7 @@
 
 include Config
 
-VER        = 1.24.2
+VER        = 1.25.0
 
 THISAPP    = unbound-$(VER)
 DL_FILE    = $(THISAPP).tar.gz
@@ -40,7 +40,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_BLAKE2 = 05a772193a023d6387067b0d6d67a43d1bbfba2ef805a9602a5d3a9bc93d0564d750a7741e9a60d3a7391822131f382c37a9819f51c141fe876a68fce6f8a1c6
+$(DL_FILE)_BLAKE2 = 4c22e198c2257c251505f6845c42e67481edce2c5e8dc0c475584ef6b8e85907c322f32bd7ecfcb06243ba36fb3d91c63d8c1edd67dca66d374c6a242206e548
 
 install : $(TARGET)
 
@@ -71,10 +71,6 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
        @$(PREBUILD)
        @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
 
-       # Apply unbound RPZ ZONEMD fix.
-       # Fix should be included in one of the following versions
-       cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/unbound-rpz-ignore-zonemd.patch
-
        cd $(DIR_APP) && \
                ./configure \
                        --prefix=/usr \

diff --git a/src/patches/unbound-rpz-ignore-zonemd.patch b/src/patches/unbound-rpz-ignore-zonemd.patch
deleted file mode 100644 (file)
index c761e52..0000000
--- a/src/patches/unbound-rpz-ignore-zonemd.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-Subject: [PATCH] RPZ: ignore ZONEMD records to prevent root priming failure
-
-RPZ zones with apex ZONEMD RR (type 63) create phantom QNAME trigger for root
-zone (.) after strip_dname_origin(), breaking DNSSEC priming:
-"rpz: applied [dbl-ads] . rpz-local-data . DNSKEY IN"
-
-Fixes: https://github.com/NLnetLabs/unbound/issues/1404
-Tested-on: unbound-1.24.2
-
-diff -Nur unbound-1.24.2.orig/services/rpz.c unbound-1.24.2/services/rpz.c
---- unbound-1.24.2.orig/services/rpz.c 2025-11-26 10:16:06.000000000 +0000
-+++ unbound-1.24.2/services/rpz.c      2026-02-16 10:00:46.973582336 +0000
-@@ -160,6 +160,7 @@
-               case LDNS_RR_TYPE_NSEC:
-               case LDNS_RR_TYPE_NSEC3:
-               case LDNS_RR_TYPE_NSEC3PARAM:
-+              case LDNS_RR_TYPE_ZONEMD:
-                       return 1;
-               default:
-                       break;
-