Tags

Tags give the ability to mark specific points in history as being important
  • debian/1.9.0-2+deb10u2_deb9u3

    Debian release 1.9.0-2+deb10u2~deb9u3
    
  • debian/1.17.1-1

    unbound Debian release 1.17.1-1
  • upstream/1.17.1

    Upstream version 1.17.1
  • release-1.17.1

    Unbound 1.17.1
    
    This release fixes a number of bugs. There are also new configuration
    options that by default do not change the existing behaviour of Unbound.
    
    With `statistics-inhibit-zero` the printout of zero values by stats can
    be controlled. Similarly with `max-sent-count` and `max-query-restarts`
    the iterator behaviour can be controlled. The maximum CNAME chain length
    that is accepted can be changed by increasing the `max-query-restarts`
    number. This takes more time to follow those elements.
    
    The keep-cache option allows reloads to change configuration whilst
    keeping the cache memory intact, making the cache hot for good response
    times after the change has completed.
    
    The release contains an additional fix for service downgrade due to
    wrong hash values for wildcards in a hyperlocal zone, that was reported
    by Sergey Kacheev.
    
    Features
    - Expose 'statistics-inhibit-zero' as a configuration option; the
      default value retains Unbound's behavior.
    - Expose 'max-sent-count' as a configuration option; the
      default value retains Unbound's behavior.
    - Merge #461 from Christian Allred: Add max-query-restarts option.
      Exposes an internal configuration but the default value retains
      Unbound's behavior.
    - Merge #569 from JINMEI Tatuya: add keep-cache option to
      'unbound-control reload' to keep caches.
    
    Bug Fixes
    - Merge #768 from fobser: Arithmetic on a pointer to void is a GNU
      extension.
    - In unit test, print python script name list correctly.
    - testcode/dohclient sets log identity to its name.
    - Clarify the use of MAX_SENT_COUNT in the iterator code.
    - Fix that cachedb does not store failures in the external cache.
    - Merge #767 from jonathangray: consistently use IPv4/IPv6 in
      unbound.conf.5.
    - Fix to ignore tcp events for closed comm points.
    - Fix to make sure to not read again after a tcp comm point is closed.
    - Fix #775: libunbound: subprocess reap causes parent process reap
      to hang.
    - iana portlist update.
    - Complementary fix for distutils.sysconfig deprecation in Python 3.10
      to commit 62c5039ab9da42713e006e840b7578e01d66e7f2.
    - Fix #779: [doc] Missing documentation in ub_resolve_event() for
      callback parameter was_ratelimited.
    - Ignore expired error responses.
    - Merge #720 from jonathangray: fix use after free when
      WSACreateEvent() fails.
    - Fix for the ignore of tcp events for closed comm points, preserve
      the use after free protection features.
    - Fix #782: Segmentation fault in stats.c:404.
    - Add SVCB and HTTPS to the types removed by 'unbound-control flush'.
    - Clear documentation for interactivity between the subnet module and
      the serve-expired and prefetch configuration options.
    - Fix #773: When used with systemd-networkd, unbound does not start
      until systemd-networkd-wait-online.service times out.
    - Merge #808: Wrap Makefile script's directory variables in quotes.
    - Fix to wrap Makefile scripts directory in quotes for uninstall.
    - Fix windows compile for libunbound subprocess reap comm point closes.
    - Update github workflows to use checkout v3.
    - Fix wildcard in hyperlocal zone service degradation, reported
      by Sergey Kacheev.
    
  • release-1.17.1rc2

    Unbound 1.17.1rc2
    
  • release-1.17.1rc1

    Unbound 1.17.1rc1.
    
  • debian/1.17.0-1

    unbound Debian release 1.17.0-1
  • upstream/1.17.0

    Upstream version 1.17.0
  • release-1.17.0

    Unbound 1.17.0
    
    This release has new interface acl configuration options. These
    allow access-control actions, per interface. Also tags, and views
    can be configured per interface, queries over the interface are
    answered with these tags and views. It is configured with the
    options `interface-action`, `interface-tag`, `interface-tag-action`,
    `interface-tag-data` and `interface-view`. If there is also an
    access-control setting for the query, this overrides the interface
    settings for that query.
    
    The PROXYv2 protocol is supported. It can be configured with the
    `proxy-protocol-port: portno` option. It is used to convey the
    IP addresses of clients that connect via a proxy to Unbound.
    
    There are also fixes for a number of bugs. In some cases a
    blocking wait on a socket could happen, and this has been
    fixed. If the upstream sends a TC flag, erroneously, the reply
    is ignored and retried. When under load, with the new
    NRDelegation fixes from the previous release, there are
    mitigations to continue target discovery. There is also a fix
    for possible loops in the tcp reuse code.
    
    The release version differs from the RC1, there is a bugfix
    for the proxy protocol for tcp read when no proxied addresses
    are provided.
    
    Features
    - Merge #753: ACL per interface. (New interface-* configuration
      options).
    - Merge #760: PROXYv2 downstream support. (New proxy-protocol-port
      configuration option).
    
    Bug Fixes
    - Fix #728: alloc_reg_obtain() core dump. Stop double
      alloc_reg_release when serviced_create fails.
    - Fix edns subnet so that scope 0 answers only match sourcemask 0
      queries for answers from cache if from a query with sourcemask 0.
    - Fix unittest for edns subnet change.
    - Merge #730 from luisdallos: Fix startup failure on Windows 8.1 due
      to unsupported IPV6_USER_MTU socket option being set.
    - Fix ratelimit inconsistency, for ip-ratelimits the value is the
      amount allowed, like for ratelimits.
    - Fix #734 [FR] enable unbound-checkconf to detect more (basic)
      errors.
    - Fix to log accept error ENFILE and EMFILE errno, but slowly, once
      per 10 seconds. Also log accept failures when no slow down is used.
    - Fix to avoid process wide fcntl calls mixed with nonblocking
      operations after a blocked write.
    - Patch from Vadim Fedorenko that adds MSG_DONTWAIT to receive
      operations, so that instruction reordering does not cause mistakenly
      blocking socket operations.
    - Fix to wait for blocked write on UDP sockets, with a timeout if it
      takes too long the packet is dropped.
    - Fix for wait for udp send to stop when packet is successfully sent.
    - Fix #741: systemd socket activation fails on IPv6.
    - Fix to update config tests to fix checking if nonblocking sockets
      work on OpenBSD.
    - Slow down log frequency of write wait failures.
    - Fix to set out of file descriptor warning to operational verbosity.
    - Fix to log a verbose message at operational notice level if a
      thread is not responding, to stats requests. It is logged with
      thread identifiers.
    - Remove include that was there for debug purposes.
    - Fix to check pthread_t size after pthread has been detected.
    - Convert tdir tests to use the new skip_test functionality.
    - Remove unused testcode/mini_tpkg.sh file.
    - Better output for skipped tdir tests.
    - Fix doxygen warning in respip.h.
    - Fix to remove erroneous TC flag from TCP upstream.
    - Fix test tdir skip report printout.
    - Fix windows compile, the identifier interface is defined in headers.
    - Fix to close errno block in comm_point_tcp_handle_read outside of
      ifdef.
    - Fix static analysis report to remove dead code from the
      rpz_callback_from_iterator_module function.
    - Fix to clean up after the acl_interface unit test.
    - Merge #764: Leniency for target discovery when under load (for
      NRDelegation changes).
    - Use DEBUG_TDIR from environment in mini_tdir.sh for debugging.
    - Fix string comparison in mini_tdir.sh.
    - Make ede.tdir test more predictable by using static data.
    - Fix checkconf test for dnscrypt and proxy port.
    - Fix dnscrypt compile for proxy protocol code changes.
    - Fix to stop responses with TC flag from resulting in partial
      responses. It retries to fetch the data elsewhere, or fails the
      query and in depth fix removes the TC flag from the cached item.
    - Fix proxy length debug output printout typecasts.
    - Fix to stop possible loops in the tcp reuse code (write_wait list
      and tcp_wait list). Based on analysis and patch from Prad Seniappan
      and Karthik Umashankar.
    - Fix PROXYv2 header read for TCP connections when no proxied addresses
      are provided.
    
  • release-1.17.0rc1

    Tag for release 1.17.0rc1.
    
  • debian/1.16.3-1

    unbound Debian release 1.16.3-1
  • upstream/1.16.3

    Upstream version 1.16.3
  • release-1.16.3

    Unbound 1.16.3
    
    This release fixes CVE-2022-3204 Non-Responsive Delegation
    Attack. It was reported by Yehuda Afek from Tel-Aviv
    University and Anat Bremler-Barr and Shani Stajnrod from
    Reichman University.
    
    This fixes for better performance when under load, by cutting
    promiscuous queries for nameserver discovery and limiting the
    number of times a delegation point can look in the cache for
    missing records.
    
    Bug Fixes
    - Patch for CVE-2022-3204 Non-Responsive Delegation Attack.
    
  • debian/1.16.2-1

    unbound Debian release 1.16.2-1
  • upstream/1.16.2

    Upstream version 1.16.2
  • release-1.16.2

    Unbound 1.16.2
    
    This release fixes the novel ghost domain issues CVE-2022-30698 and
    CVE-2022-30699. They were reported by Xiang Li from the Network and
    Information Security Lab of Tsinghua University.
    
    Other than that there are some bug fixes, and an option to configure the
    max retransmit timeout, infra-cache-max-rtt. If left at default it does
    not make any change.
    
    Features
    - Merge #718: Introduce infra-cache-max-rtt option to config max
      retransmit timeout.
    
    Bug Fixes
    - Fix the novel ghost domain issues CVE-2022-30698 and CVE-2022-30699.
    - Fix bug introduced in 'improve val_sigcrypt.c::algo_needs_missing for
      one loop pass'.
    - Merge PR #668 from Cristian Rodríguez: Set IP_BIND_ADDRESS_NO_PORT on
      outbound tcp sockets.
    - Fix verbose EDE error printout.
    - Fix dname count in sldns parse type descriptor for SVCB and HTTPS.
    - For windows crosscompile, fix setting the IPV6_MTU socket option
      equivalent (IPV6_USER_MTU); allows cross compiling with latest
      cross-compiler versions.
    - Merge PR 714: Avoid treat normal hosts as unresponsive servers.
      And fixup the lock code.
    - iana portlist update.
    - Update documentation for 'outbound-msg-retry:'.
    - Tests for ghost domain fixes.
    
  • release-1.16.1

    Unbound 1.16.1
    
    This release fixes a number of bugs. The number of nxdomains encountered
    when looking up a nameserver is not counted as such when the lookup was
    from cache. Also parent side queries are not created when the addresses
    are lame or already in cache. This solves lookup problems of domains
    with a lot of nxdomains, and that have parent-child differences.
    
    Algorithms that are not supported are disabled when the system OpenSSL
    does not provide them, for FIPS OpenSSL installations.
    
    Unbound sets IP_BIND_ADDRESS_NO_PORT socket option on outgoing tcp
    sockets to make the port space larger that can be used. The number of
    outgoing udp packets is collected in the num.query.udpout statistic.
    
    Features
    - Fix #704: [FR] Statistics counter for number of outgoing UDP queries
      sent; introduces 'num.query.udpout' to the 'unbound-control stats'
      command.
    
    Bug Fixes
    - makedist.sh picks up 32bit libssp-0.dll when 32bit compile.
    - Fix for edns client subnet to respect not looking in its cache when
      instructed to do so (e.g., prefetch).
    - Merge PR #688: Rpz url notify issue.
    - Note in the unbound.conf text that NOTIFY is allowed from the url:
      addresses for auth and rpz zones.
    - Remove unused LDNS function check for GOST Engine unloading.
    - Fix for loading locally stored zones that have lines with blanks or
      blanks and comments.
    - Fix #663: use after free issue with edns options.
    - Clarify -v flag manpage entry (#705)
    - Fix test program dohclient close to use portability routine.
    - Show the output of the exact .rpl run that failed with 'make test'.
    - Fix for cached 0 TTL records to not trigger prefetching when
      serve-expired-client-timeout is set.
    - Add debug option to the mini_tdir.sh test code.
    - Fix to not count cached NXDOMAIN for MAX_TARGET_NX.
    - Allow fallback to the parent side when MAX_TARGET_NX is reached.
      This will also allow MAX_TARGET_NX more NXDOMAINs.
    - iana portlist update.
    - Fix detection of libz on windows compile with static option.
    - Fix compile warning for windows compile.
    - Merge PR #706: NXNS fallback.
    - From #706: Cached NXDOMAIN does not increase the target nx
      responses.
    - From #706: Don't generate parent side queries if we already
      have the lame records in cache.
    - From #706: When a lame address is the best choice, don't try to
      generate target queries when the missing targets are all lame.
    - Merge PR #671 from Petr Menšík: Disable ED25519 and ED448 in FIPS
      mode on openssl3.
    - Merge PR #660 from Petr Menšík: Sha1 runtime insecure.
    - For #660: formatting, less verbose logging, add EDE information.
    - Fix for correct openssl error when adding windows CA certificates to
      the openssl trust store.
    - Improve val_sigcrypt.c::algo_needs_missing for one loop pass.
    - Reintroduce documentation and more EDE support for
      val_sigcrypt.c::dnskeyset_verify_rrset_sig.
    - Fix bug introduced in 'improve val_sigcrypt.c::algo_needs_missing for
      one loop pass'.
    - Merge PR #668 from Cristian Rodríguez: Set IP_BIND_ADDRESS_NO_PORT on
      outbound tcp sockets.
    
  • release-1.16.1rc1

    Unbound 1.16.1rc1 tag.
    
  • debian/1.16.0-2

    unbound Debian release 1.16.0-2
  • debian/1.16.0-1

    unbound Debian release 1.16.0-1