unbound: 1.21.1 -> 1.22.0

[Scrumplex]

https://github.com/NLnetLabs/unbound/releases/tag/release-1.22.0

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
  • sandbox = relaxed
  • sandbox = true
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 24.11 Release Notes (or backporting 23.11 and 24.05 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
• Fits CONTRIBUTING.md.

---

Add a 👍 reaction to pull requests you find important.

[Scrumplex]

The package as well as all its tests build

[getchoo]

From the release notes

Merge NLnetLabs/unbound#871: DNS over QUIC. This adds quic-port: 853 and
quic-size: 8m that enable dnsoverquic, and the counters
num.query.quic and mem.quic in the statistics output.
The feature needs to be enabled by compiling with libngtcp2,
with --with-libngtcp2=path and libngtcp2 needs openssl+quic,
pass that with --with-ssl=path to compile unbound as well.

It'd be nice to have this option in Nixpkgs as well

[Scrumplex]

It seems like our dependencies aren't ready for QUIC support yet. We need to create a variant of ngtcp2 with openssl support, as well as build OpenSSL with QUIC support. I think we should do this in a subsequent PR to get this shipped first.

Edit: nevermind! It seems like "OpenSSL" means quictls here, as ngtcp2 uses that instead of upstream OpenSSL.

[Scrumplex]

I am not able to get it working.

It fails with this error during configurePhase:

checking for SSL_is_quic... no
configure: error: No QUIC support detected in OpenSSL. Need OpenSSL version with QUIC support to enable DNS over QUIC with libngtcp2.

The offending line is here: https://github.com/NLnetLabs/unbound/blob/release-1.22.0/configure.ac#L1618

Doing a naive rg SSL_is_quic in quictls.dev reveals that the function does exist. The Unbound manual doesn't describe any additional steps either.

---

Patch

From 17a805da342ae204f811458208953b6ba6768c78 Mon Sep 17 00:00:00 2001
From: Sefa Eyeoglu <[email protected]>
Date: Sun, 8 Dec 2024 15:42:53 +0100
Subject: [PATCH] unbound: add DoQ support

Signed-off-by: Sefa Eyeoglu <[email protected]>
---
 pkgs/by-name/un/unbound/package.nix | 21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)

diff --git a/pkgs/by-name/un/unbound/package.nix b/pkgs/by-name/un/unbound/package.nix
index 8b52ebd9dfc2..5f451bcff2f8 100644
--- a/pkgs/by-name/un/unbound/package.nix
+++ b/pkgs/by-name/un/unbound/package.nix
@@ -30,6 +30,9 @@
 , systemd ? null
   # optionally support DNS-over-HTTPS as a server
 , withDoH ? false
+  # optionally support DNS-over-QUIC as a server
+  # NOTE: this replaces openssl with quictls
+, withDoQ ? true
 , withECS ? false
 , withDNSCrypt ? false
 , withDNSTAP ? false
@@ -44,11 +47,20 @@
 , withLto ? !stdenv.hostPlatform.isStatic && !stdenv.hostPlatform.isMinGW
 , withMakeWrapper ? !stdenv.hostPlatform.isMinGW
 , libnghttp2
+, ngtcp2
+, quictls
 
 # for passthru.tests
 , gnutls
 }:
 
+let
+  openssl' =
+    if withDoQ
+    then quictls
+    else openssl;
+in
+
 stdenv.mkDerivation (finalAttrs: {
   pname = "unbound";
   version = "1.22.0";
@@ -68,15 +80,16 @@ stdenv.mkDerivation (finalAttrs: {
     ++ [ pkg-config flex ]
     ++ lib.optionals withPythonModule [ swig ];
 
-  buildInputs = [ openssl nettle expat libevent ]
+  buildInputs = [ openssl' nettle expat libevent ]
     ++ lib.optionals withSystemd [ systemd ]
     ++ lib.optionals withDoH [ libnghttp2 ]
+    ++ lib.optionals withDoQ [ ngtcp2 ]
     ++ lib.optionals withPythonModule [ python ];
 
   enableParallelBuilding = true;
 
   configureFlags = [
-    "--with-ssl=${openssl.dev}"
+    "--with-ssl=${openssl'.dev}"
     "--with-libexpat=${expat.dev}"
     "--with-libevent=${libevent.dev}"
     "--localstatedir=/var"
@@ -93,6 +106,8 @@ stdenv.mkDerivation (finalAttrs: {
     "--with-pythonmodule"
   ] ++ lib.optionals withDoH [
     "--with-libnghttp2=${libnghttp2.dev}"
+  ] ++ lib.optionals withDoQ [
+    "--with-libngtcp2=${ngtcp2.dev}"
   ] ++ lib.optionals withECS [
     "--enable-subnet"
   ] ++ lib.optionals withDNSCrypt [
@@ -132,7 +147,7 @@ stdenv.mkDerivation (finalAttrs: {
     make unbound-event-install
   '' + lib.optionalString withMakeWrapper ''
     wrapProgram $out/bin/unbound-control-setup \
-      --prefix PATH : ${lib.makeBinPath [ openssl ]}
+      --prefix PATH : ${lib.makeBinPath [ openssl' ]}
   '' + lib.optionalString (withMakeWrapper && withPythonModule) ''
     wrapProgram $out/bin/unbound \
       --prefix PYTHONPATH : "$out/${python.sitePackages}" \
-- 
2.47.0

[getchoo]

I am not able to get it working.

Ah that's alright then. Can always follow up in the future

Everything else here LGTM

[nixpkgs-ci]

Successfully created backport PR for staging-24.11:

• [Backport staging-24.11] unbound: 1.21.1 -> 1.22.0 #363704

[nixpkgs-ci]

Git push to origin failed for staging-24.11 with exitcode 1

[Luflosi]

This broke pyunbound. A fix is in #374369.