Tags give the ability to mark specific points in history as being important
-
release-1.13.2
8e538dca · ·Unbound 1.13.2 This release contains a number of bug fixes. There is a crash fix for broken internal structures in stream reuse, that is used when many TCP or TLS upstream connections are made. Also a number of features are added. The ZONEMD support allows verification of downloaded authority zone files with the zonemd hash. It can be enabled with the zonemd-check option. It implements RFC8976. With zonemd-permissive-mode it is possible to try out the functionality without withholding the zone if the checks fail. With zonemd-reject-absence the zonemd record becomes a requirement for a zone. It is possible to use interface names for the control-interface as well, it was already possible for the interface, but now also for the remote control functionality. It allows the user to config the interface with the interface name, like 'eth0', instead of an IP address. It is possible to configure the persistent TCP connection, with the options max-reuse-tcp-queries and tcp-reuse-timeout. These also apply to TLS reused connections. The local zone types always_null, always_nodata and always_deny work inside the local zones that are defined inside a view. The log servfail error message now includes more information, it attempts to add an IP address and information about the one of the last failures that is associated with that query. With the option tcp-auth-query-timeout, the time to wait for queries to upstream authority servers can be configured, for TCP and TLS queries. It is possible to configure unbound with --with-deprecate-rsa-1024, that stops the use of RSA 1024 keys. That makes unbound work with certain FIPS installations that do not allow such calls to the crypto API. If the option is enabled, Unbound treats RSA keys with an insufficiently sized key as not supported. Responses with unsupported crypto are marked insecure. The NSEC3 maximum iterations are lowered to 150. This is the new default setting. This puts this in line with other DNS implementations. If the iterations count is exceeded the response becomes insecure. The number of validator retries when there is a DNSSEC failure can be configured with the val-max-restart option. The RR types SVCB and HTTPS are supported according to the draft specification. The syntax can be used in local zones and zone files, and debug output. The types themselves were already supported on the wire the RFC3597 unknown RR type support. The HTTP user agent header can be configured or elided, to avoid printing the version of type of the software running on the server, with the options http-user-agent and hide-http-user-agent. Features - Merge PR #317: ZONEMD Zone Verification, with RFC 8976 support. ZONEMD records are checked for zones loaded as auth-zone, with DNSSEC if available. There is an added option zonemd-permissive-mode that makes it log but not fail wrong zones. With zonemd-reject-absence for an auth-zone the presence of a zonemd can be mandated for specific zones. - Fix: Resolve interface names on control-interface too. - Merge #470 from edevil: Allow configuration of persistent TCP connections. - Fix #474: always_null and others inside view. - Add that log-servfail prints an IP address and more information about one of the last failures for that query. - Merge #478: Allow configuration of TCP timeout while waiting for response. - Add ./configure --with-deprecate-rsa-1024 that turns off RSA 1024. - Move the NSEC3 max iterations count in line with the 150 value used by BIND, Knot and PowerDNS. This sets the default value for it in the configuration to 150 for all key sizes. - zonemd-check: yesno option, default no, enables the processing of ZONEMD records for that zone. - Merge #486 by fobster: Make VAL_MAX_RESTART_COUNT configurable. - Merge PR #491: Add SVCB and HTTPS types and handling according to draft-ietf-dnsop-svcb-https. - Introduce 'http-user-agent:' and 'hide-http-user-agent:' options. Bug Fixes - Fix for Python 3.9, no longer use deprecated functions of PyEval_CallObject (now PyObject_Call), PyEval_InitThreads (now none), PyParser_SimpleParseFile (now Py_CompileString). - Merge PR #420 from dyunwei: DOH not responsing with "http2_query_read_done failure" logged. - Fix #422: IPv6 fallback issues when IPv6 is not properly enabled/configured. - Fix to make tests work with support indicators set for iterator. - Fix build on Python 3.10. - Fix doxygen and pydoc warnings. - Fix #429: rpz: url: with https: broken (regression in 1.13.1). - rpz skip nsec3param records, and nicer log for unsupported actions. - Fix #431: Squelch permission denied errors for tcp connect and udp connect from the logs, unless at high verbosity. - Fix for zonemd, that nxdomain for the chain of trust is allowed for island zones, it is treated as an insecure zone for verification. - Fix for zonemd, that domain-insecure zones work without dnssec. - Fix for zonemd, do not reject insecure result from trust anchor validation step in dnssec chain of trust. - On startup of unbound it checks if rlimits on memory size look sufficient for the configured cache size, and logs warning if not. - Fix function documentation. - Fix unit test for added ulimit checks. - spelling fix in header. - Fix #384: (1) A minor request to improve the log (2) A minor bug in one log message. - ipsecmod: Better logging for detecting a cycle when attaching the A/AAAA subquery. - Merge PR #367 : DNSTAP log local address. With code from PR #365 and fixes #368 : dnstap does not log the DNS message ID for FORWARDER_QUERY. - Fix to allow rpz with wildcard that applies to all TLDs at once. - Fix for #367: rc_ports don't have ub_sock; skip cleaning up. - Fix spurious errors about "Could not generate request: out of memory". The mesh detect cycle routine no longer wrongly stops the check when the calling mesh state is unique. - Workaround for #439: prevent loops in the reuse rbtree. - Debug output for #411 and #439: printout internal error and details. - Fix parse of LOC RR type for decimetres. - Fix #441: Minimal NSEC range not accepted for top level domains. - Fix for #447: squelch connection refused tcp connection failures from the log, unless verbosity is high. - Merge #449 from orbea: build: Add missing linker flags. - Comment out nonworking OSX and IOS travis tests, vm fails to start. - Fix compile error in listen_dnsport on Android. - Fix memory leak reported by asan in rpz SOA record query name. - Fix unused-function warning when compiling with --enable-dnscrypt. - Fix for #367: fix memory leak when cannot bind to listening port. - Reformat pythonmod/pythonmod_utils.{c,h}. - Travis enable all tests again. Clang analyzer only a couple times, when there is a difference. homebrew updates disabled, so it does not hang. removed trailing slashes from configure paths. Moved iOS tests to allow-failure. - travis, analyzer disabled on test without debug, that does not run anway. Turn off failing tests except one. Update iOS test to xcode image 12.2. - Fix deprecation test to work for iOS TVOS and WatchOS, it uses CFLAGS and CPPFLAGS and also checks if the item is unavailable. - Travis, fix script to fail when tasks fail. - Travis, fix warning in ubsan compile. - Fix configure Targetconfiditionals.h header check, to use compile. - Fix that cachedb does not produce empty object files when disabled. - Fix #429: Also fix end of transfer for http download of auth zones. - Disable the use of stack-protector for cross compiled 32-bit windows builds; relates to #444. - Fix stack-protector change to not override other CFLAGS options. - Clean makedist.sh. - Merge #460 from orbea: build: Link with the libtool archive. - Fix to stop IPv6 PMTU discovery. - Fix for #411: Depth protect for crash on deleted element timeout. - rebuild configure to set EXTRALINK to libunbound.la for #460. - Fix permission denied sendto log, squelch the log messages unless high verbosity is set. - Fix (increase) verbosity level for iterator error log in processQueryTargets(). - Fix that nxdomain synthesis does not happen above the stub or forward definition. - Fix documentation comment for files previously residing in checkconf/. - Remove unused functions worker_handle_reply and libworker_handle_reply. - Merge #466 from FGasper: Support OpenSSLs that lack SSL_get0_alpn_selected. - Fix #468: OpenSSL 1.0.1 can no longer build Unbound. - Further fix for #468: detect SSL_CTX_set_alpn_protos for build with OpenSSL 1.0.1. - Fix that testcode dohclient has OpenSSL initialisation calls. - Fix compiler warning for signed/unsigned comparison for max_reuse_tcp_queries. - Fix #481: Fix comment in configuration file. - Fix to squelch tcp socket bind failures when the interface is gone. - Rerun flex and bison. - Fix for #367: only attempt to get the interface for queries that are no longer on the tcp_waiting_list. - Add more logging for out-of-memory cases. - Fix #485: Unbound occasionally reports broken stats. - Remove case fallthrough from deprecate-rsa-1024 code. - Merge PR #487: ifdef RLIMIT_AS in recently added check. - Fix that auth-zone zonefiles use last TTL if no TTL is specified. - Fix #489: Compile using MSYS2 MinGW 64-bit. - Fix for #411, #439, #469: Reset the DNS message ID when moving queries between TCP streams. - Refactor for uniform way to produce random DNS message IDs. - Test code has -q option for quiet output. - Fix #492: module-config respip missing in unbound.conf.5.in man page. Merges #494 from he32. - For #492: Fix font highlighting for the man page on emacs. - Merge #496 from banburybill: Use build system endianness if available, otherwise try to work it out. - Fix test for zonemd-check option. - Merge #448 from shoeper: Update unbound-control.8.in, fix rpz_disable typo. - Fix #425: Document auth-zone supports communication with DNS primary on nondefault port. - Fix unused variable warning when compiling with --enable-dnstap. - Generated lexer and parser for #486; updated example.conf. - Fix #413 (based on patch by k-ronny): unbound: does not compile on macOS 11.1-x86_64 host. - Use host_os instead of target_os in configure for Darwin8 build. - Fix #500: SPEC file in version 1.13.1 references version 1.4; unable to build RPM from source. - Fix contrib/unbound.spec, fixed url and comment. - Fix configure nonblocking test and onmingw test to use host. - Merge #440 by kimheino: Various fixes to contrib/unbound_munin_ file. - Fix a number of warnings reported by the gcc analyzer. - Fix #495: Documentation or implementation of "verbosity" option. - Fix #503: DNS over HTTPS response truncated. - Fix warnings reported by the gcc analyzer. - Add analyzer and port compile github workflow. - Fix up permissions on rpl data file in tests. - Fix testbound newline treatment in moment_read and tempfile write. - Fix configure grep for reuseport default for failure. - Fix compat ctime_r return value - Fix configure does not require pkg-config if not needed. - Fix unit test in the ctime_r calls for autotrust and in testbound. - Fix auth zone download on windows to unlink before rename. - Fix #506: Python Module Seems to Leak Memory if it Experiences an Unhandled Exception. - Fix Wunused-result compile warnings. - Fix compiler warnings for #491. - Fix clang-analysis warnings for testcode/readzone.c. - Merge #510 from ndptech: Don't call a function which hasn't been defined. - Fix for #510: in depth, use ifdefs for windows api event calls. - Fix spelling in doc/unbound.doxygen comment. - Fix spelling in localzone.h comment. - Fix unbound-control local_data and local_datas to print detailed syntax errors. - review fix to remove duplicate error printout. - Insert header into testcode/readzone.c, it was missing. - Fix from lint for ignored return value. - Fix for older parsers for function call in serve expired get cached. - Fix that ldns_zone_new_frm_fp_l counts the line number for an empty line after a comment. - Merge #512: unbound.service.in: upgrade hardening to latest standards. - Fix readzone unknown type print for memory resize. - Merge #513: Stream reuse, attempt to fix #411, #439, #469. This introduces a couple of fixes for the stream reuse functionality that could result in broken internal structures. - Fix #515: Compilation against openssl 3.0.0 beta2 is failing to build unbound. - For #515: Fix compilation with openssl 3.0.0 beta2, lib64 dir and SSL_get_peer_certificate. - Move acx_nlnetlabs.m4 to version 41, with lib64 openssl dir check. - Prepare for OpenSSL 3.0.0 provider API usage, move the sldns keyraw functions to produce EVP_PKEY results. - Move RSA and DSA to use OpenSSL 3.0.0 API. - Move ECDSA functions to use OpenSSL 3.0.0 API. - iana portlist update. - Fix verbose printout failure in tcp reuse unit test. - Merge PR #517 from dyunwei: #420 breaks the mesh reply list function that need to reuse the dns answer. - Annotate assertion into error printout; we think it may be an error, but the situation looks harmless. - Fix sign comparison warning on FreeBSD. - Listen to read or write events after the SSL handshake. Sticky events on windows would stick on read when write was needed. - Merge PR #415 from sibeream: Use /proc/sys/net/ipv4/ip_local_port_range to determine available outgoing ports. (New --enable-linux-ip-local-port-range configuration option) - Bump MAX_RESTART_COUNT to 11 from 8; in relation to #438. This allows longer CNAME chains in Unbound. - In unit test use openssl set security level to allow keys in test. - Fix static analysis warnings about localzone locks that are unused. - Fix missing locks in zonemd unit test. - Fix readzone compile under debug config. - Fix out of sourcedir run of zonemd unit tests. - Fix libnettle zonemd unit test. - Fix unit test zonemd_reload for use in run_vm. - Fix #520: Unbound 1.13.2rc1 fails to build python module. -
-
release-1.13.1
46939294 · ·Unbound 1.13.1 This release contains a number of bug fixes. There is added support for the EDNS Padding option (RFC7830 and RFC8467), and the EDNS NSID option (RFC 5001). Unbound control has added commands to enable and disable rpz processing. Reply callbacks have a start time passed to them that can be used to calculate time, these are callbacks for response processing. With the option serve-original-ttl the TTL served in responses is the original, not counted down, value, for when in front of authority service. Features - Merge PR #375 by fhriley: Add rpz_enable and rpz_disable commands to unbound-control. - Merge PR #391 from fhriley: Add start_time to reply callbacks so modules can compute the response time. - Fix #397: [Feature request] add new type always_null to local-zone similar to always_nxdomain. - Support for RFC5001: DNS Name Server Identifier (NSID) Option with the nsid: option in unbound.conf - Padding of queries and responses with DNS over TLS as specified in RFC7830 and RFC8467. - Merge PR #275 from Roland van Rijswijk-Deij: Add feature to return the original instead of a decrementing TTL ('serve-original-ttl') Bug Fixes - Fix #358: Squelch udp connect 'no route to host' errors on low verbosity. - Fix #360: for the additionally reported TCP Fast Open makes TCP connections fail, in that case we print a hint that this is happening with the error in the logs. - Fix #356: deadlock when listening tcp. - Fix unbound-dnstap-socket to not use log routine from interrupt handler and not print so frequently when invoked in sequence. - Fix on windows to ignore connection failure on UDP, unless verbose. - make depend. - Fix #371: unbound-control timeout when Unbound is not running. - Fix to squelch permission denied and other errors from remote host, they are logged at higher verbosity but not on low verbosity. - Merge PR #335 from fobser: Sprinkle in some static to prevent missing prototype warnings. - Merge PR #373 from fobser: Warning: arithmetic on a pointer to void is a GNU extension. - Fix missing prototypes in the code. - Fix error cases when udp-connect is set and send() returns an error (modified patch from Xin Li @delphij). - For #376: Fix that comm point event is not double removed or double added to event map. - iana portlist updated. - Fix #385: autoconf 2.70 impacts unbound build - Fix #379: zone loading over HTTP appears to have buffer issues. - Merge PR #395 from mptre: add missing null check. - Fix #387: client-subnet-always-forward seems to effectively bypass any caching? - For #391: use struct timeval* start_time for callback information. - For #391: fix indentation. - For #391: more double casts in python start time calculation. - Add comment documentation. - Fix clang analysis warning. - Fix so local zone types always_nodata and always_deny can be used from the config file. - Merge #399 from xiangbao227: The lock of lruhash table should unlocked after markdel entry. - Fix for #93: dynlibmodule link fix for Windows. - Fix for #93: dynlibmodule import library is named libunbound.dll.a. - Merge #402 from fobser: Implement IPv4-Embedded addresses according to RFC6052. - Fix #404: DNS query with small edns bufsize fail. - Fix declaration before statement and signed comparison warning in dns64. - Fix TTL of SOA record for negative answers (localzone and authzone data) to be the minimum of the SOA TTL and the SOA.MINIMUM. - Fix compile of unbound-dnstap-socket without dnstap installed. - Merge PR #355 from noloader: Make ICANN Update CA and DS Trust Anchor static data. - Ignore cache blacklisting when trying to reply with expired data from cache (#394). - Merge PR #408 from fobser: Prevent a few more yacc clashes. - Annotate that we ignore the return value of if_indextoname. - Fix to use correct type for label count in rpz routine. - Fix empty clause warning in config_file nsid parse. - Fix to use correct type for label count in ipdnametoaddr rpz routine. - Fix empty clause warning in edns pass for padding. - Fix for doxygen 1.8.20 compatibility. - Attempt to fix NULL keys in the reuse_tcp tree; relates to #411. - Fix dynlibmod link on rhel8 for -ldl inclusion. - Fix windows dependency on libssp.dll because of default stack protector in mingw. - Fix indentation of root anchor for use by windows install script. -
-
-
release-1.12.0
52b04806 · ·Unbound 1.12.0 This release contains the DNS Flag Day 2020 changes. This sets the default EDNS buffer size to 1232, that should reduce fragmentation. https://dnsflagday.net/2020/ There is inclusive language in the configuration. There is caps-exempt, ipsecmod-allow and primary server options for auth-zones. The older terms are accepted to keep configuration working. DNS-over-HTTPS is supported in this release. The DoH is enabled when Unbound is compiled with the nghttp2 library, with configure --with-libnghttp2. Then have an interface on the https port, that can be configured with the https-port option. Also have a cert and key available with the tls-service-key and tls-service-pem options. Further settings can be configured for the http-endpoint, http-max-streams, http-query-buffer-size, http-response-buffer-size and http-nodelay options. The max streams sets the maximum concurrent streams, the buffer size options the number of bytes in buffers, and the nodelay option can turn on TCP_NODELAY for DNS-over-HTTPS service. In the statistics the memory used is reported in mem.http.query_buffer and mem.http.response_buffer. The number of queries is reported in num.query.https, they are also included in the tcp and tls counts because https uses TLS and TCP. The DLV options and code to handle DLV lookups have been removed from the code base. The DLV repository is empty nowadays, it has been decommissioned. There is a new feature where it is possible to use interface names to bind to the IP addresses on that interface. It pulls in the addresses at the start of the server, if the addresses change, use the existing freebind and other socket options to register for addresses before they appear, or the interface-automatic option that copies them from queries to answers with ancillary data. There is a new option for the edns-tag draft specification. It can be enabled if you need the tentative implementation to add those tags to outgoing messages. Features - DNS Flag Day 2020: change edns-buffer-size default to 1232. - Merge PR #255: DNS-over-HTTPS support. - Use inclusive language in configuration - Merge PR #284 and Fix #246: Remove DLV entirely from Unbound. The DLV has been decommisioned and in unbound 1.5.4, in 2015, there was advise to stop using it. The current code base does not contain DLV code any more. The use of dlv options displays a warning. - Similar to NSD PR#113, implement that interface names can be used, eg. something like interface: eth0 is resolved at server start and uses the IP addresses for that named interface. - Merge PR #272: Add EDNS client tag functionality. - Add edns-client-tag-opcode option Bug Fixes - Merge PR #270 from cgzones: munin plugin: always exit 0 in autoconf - Merge PR #269, Fix python module len() implementations, by Torbjörn Lönnemark - Merge PR #268, draft-ietf-dnsop-serve-stale-10 has become RFC 8767 on March 2020, by and0x000. - Fix doxygen comment for no ssl for tls session ticket key callback routine. - Fix mini_event.h on OpenBSD cannot find fd_set. - Improve error log message when inserting rpz RR. - Merge PR #280, Make tvOS & watchOS checks verify truthiness as well as definedness, by Felipe Gasper. - contrib/aaaa-filter-iterator.patch file renewed diff content to apply cleanly to the current coderepo for the current code version. - Fix #287: doc typo: "Additionaly". - Merge (modified) PR #277, use EVP_MAC_CTX_set_params if available, by Vítězslav Čížek. - Create and init edns tags data for libunbound. - Fix stats double count issue (#289). - Fix that dnstap reconnects do not spam the log with the repeated attempts. Attempts on the timer are only logged on high verbosity, if they produce a connection failure error. - Fix to apply chroot to dnstap-socket-path, if chroot is enabled. - Change configure to use EVP_sha256 instead of HMAC_Update for openssl-3.0.0. - Update documentation in python example code. - Review fix interface, doxygen and assign null in case of error free. - Merge PR #293: Add missing prototype. Also refactor to use the new shorthand function to clean up the code. - Refactor to use sock_strerr shorthand function. - Fix #296: systemd nss-lookup.target is reached before unbound can successfully answer queries. Changed contrib/unbound.service.in. - Fix num.expired statistics output. - Remove x file mode on ipset/ipset.c and h files. - Spelling fix. - Introduce test for statistics. - Fix that prefer-ip4 and prefer-ip6 can be get and set with unbound-control, with libunbound and the unbound-checkconf option output function. - Merge PR #311 by luismerino: Dynlibmod leak. - Error message is logged for dynlibmod malloc failures. - iana portlist updated. - Fix #304: dnstap logging not recovering after dnstap process restarts - Fix edns-client-tags get_option typo - Fix #305: dnstap logging significantly affects unbound performance (regression in 1.11). - Fix #305: only wake up thread when threshold reached. - Fix to ifdef fptr wlist item for dnstap. - Fix memory leak of edns tags at libunbound context delete. - Fix double loopexit for unbound-dnstap-socket after sigterm.