Merge unbound from Debian unstable for kinetic

Upstream: 1.16.0
Debian: 1.16.0-2
Ubuntu: 1.13.1-1ubuntu5

Debian does new releases regularly, so it's likely there will be newer versions available before FF that we can pick up if this merge is done later in the cycle.

Dominic requests (via LP: #1946909, commit #1): "Please ensure that whatever happens, Unbound on Ubuntu continues to be compiled with the nghttp2 library. Unbound on Debian is currently not compiled with nghttp2."

### New Debian Changes ###

unbound (1.15.0-8) unstable; urgency=medium

  * fix the brown-paper bag bug in the previous upload. I did it again:
    it is var += newvalue, not var := newvalue. This made the previous
    upload to built without many build options

 -- Michael Tokarev <email address hidden> Fri, 29 Apr 2022 18:33:16 +0300

unbound (1.15.0-7) unstable; urgency=medium

  * unbound-resolvconf.service:
   - do not (re)start it explicitly from the postinst script, it should
     only be started as a part of unbound.service. Closes: #1009928
   - add comments to this service file to clarify its purpose
   - add lintian overrides for this service file
  * /etc/resolvconf/update.d/unbound resolvconf hook script:
   - ship it enabled for new installs. Closes: #1003135
   - but do not re-enable it for previous installs
   - add more comments to this file clarifying its purpose and possible issues
   - add comments about various ways to enable/disable this hook,
   - implement ability to disable it by setting USE_RESOLVCONF_FORWARDS=false
     in /etc/default/unbound
   - multiple other small changes and cleanups
   - rename it in debian packaging from d/resolvconf to d/resolvconf-forwards
     to make it's purpose more explicit
  * use dns root.key stored in /usr/share/dns/ (as provided by dns-root-data
    package) instead of the unbound-owned /var/lib/unbound/root.key (which is
    managed by an untrusted user). This changes defaults for unbound-host and
    unbound-anchor. Add Recommends: dns-root-data for unbound-host so it can
    find this root.key in the default install. Closes: #641704

 -- Michael Tokarev <email address hidden> Fri, 29 Apr 2022 16:53:50 +0300

unbound (1.15.0-6) unstable; urgency=medium

  * actually install the forgotten remote-control.conf.

 -- Michael Tokarev <email address hidden> Thu, 28 Apr 2022 20:15:21 +0300

unbound (1.15.0-5) unstable; urgency=medium

  * use unix-domain socket /run/unbound.ctl for the control interface
    instead of tcp localhost socket. This makes the keys/certs files
    for the remote contol to be unnecessary, so stop running
    unbound-control-setup in postinst too.
    (Closes: #1010271)
  * move remote-control section out of main unbound.conf file into
    unbound.conf.d/remote-control.conf. Main file now becomes the
    same as before version 1.15. There was no need to mess with the
    main config file since the NEWS file already gives the user
    enough information.
  * do-not-chown-control-socket.patch: stop chowning control socket
    to the unprivileged user, only group ownership is needed.
  * do-not-look-at-pidfile.patch: stop messing up with the pidfile.
    Unbound does not need to look at its pid file for the previous
    instance, since it will not be able to open listening sockets
    if the daemon is already running. Remove whole reading of the
    pid file, and especially remove setting ownership of the pid file
    to the unprivileged user (done in order to be able to clean it up),
    since this is a potential security issue.
  * unbound.postrm: stop removing the unbound system user
  * fix wording and reformat the previous unbound.NEWS entry, and merge
    old NEWS file into unbound.NEWS, since all news in there are actually
    about the unbound package, not about all other binary packages we build.
  * a few more tweaks for d/unbound-helper, in do_resolvconf_{start|stop}.
    Thank you Simon Deziel for the ideas.

 -- Michael Tokarev <email address hidden> Thu, 28 Apr 2022 19:15:23 +0300

unbound (1.15.0-4) unstable; urgency=medium

  * d/unbound.conf: move and fix the remote-control section
    Move the remote-control section above the include directive so it is
    possible to override it there, and fix comment. Do this remote-control
    section in unbound.conf directly (instead of in new unbound.conf.d/
    fragment), so it is more obvious that the default were flipped and
    the default value is changed.

 -- Michael Tokarev <email address hidden> Wed, 20 Apr 2022 10:52:26 +0300

unbound (1.15.0-3) unstable; urgency=medium

  * modify the default unbound.conf to include control-enale: yes so
    the remote control is enabled by default even if the default value
    is not flipped by a patch (upstream sets it to 'no')
  * d/control: use the right spelling for Recommends:

 -- Michael Tokarev <email address hidden> Wed, 20 Apr 2022 00:37:17 +0300

unbound (1.15.0-2) experimental; urgency=medium

  [ Michael Stella ]
  * Add clarifying description to resolvconf hook

  [ Simon Deziel ]
  * debian/unbound.init: ask start-stop-daemon to remove the PID file
    when stopping the daemon. Closes: #947771

  [ Michael Tokarev ]
  * d/changelog: mention #1000201 closed by 1.15.0-1

### Old Ubuntu Delta ###

unbound (1.13.1-1ubuntu5) jammy; urgency=medium

  * Cherry-pick upstream commits for Python 3.10 compatibility

 -- Rico Tzschichholz <email address hidden> Tue, 01 Feb 2022 15:23:57 +0100

unbound (1.13.1-1ubuntu4) jammy; urgency=medium

  * No-change rebuild with Python 3.10 as default version

 -- Graham Inggs <email address hidden> Thu, 13 Jan 2022 20:38:08 +0000

unbound (1.13.1-1ubuntu3) jammy; urgency=medium

  * debian/patches/openssl3.patch: compatibility with OpenSSL 3.

 -- Steve Langasek <email address hidden> Thu, 09 Dec 2021 20:51:29 +0000

unbound (1.13.1-1ubuntu2) jammy; urgency=medium

  * No-change rebuild against libssl3

 -- Steve Langasek <email address hidden> Thu, 09 Dec 2021 00:22:14 +0000

unbound (1.13.1-1ubuntu1) impish; urgency=medium

  * Enable DNS-over-HTTPS support (LP: #1927877)
    - d/control: add Build-Depends on libnghttp2-dev
    - d/rules: compile with libnghttp2

 -- Athos Ribeiro <email address hidden> Thu, 01 Jul 2021 11:16:26 -0300