Unbound Downloads
The latest version of unbound (currently 1.7.0) can always be downloaded from
http://www.unbound.net/downloads/unbound-latest.tar.gz
Current version
Source:
unbound-1.7.0.tar.gz
SHA1 checksum: d90b09315c75ad2843b868785b3d12a2c4f27b28
SHA256 checksum: 94dd9071fb13d8ccd122a3ac67c4524a3324d0e771fc7a8a7c49af8abfb926a2
PGP signature: unbound-1.7.0.tar.gz.asc
License: BSD
Doc: man-page
Linux and *BSD sources and binaries can easily be obtained
using (your favorite) package manager or ports collection.
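An added example (not code from the Unbound project): Python that parses release entries in the layout used on this page and checks a downloaded tarball against the published SHA256 and SHA1 values. The function names and the constructed sample tarball are assumptions for illustration. Digests read from the same HTTP page as the tarball only detect corruption, so the PGP signature remains the authenticity check.

```python
import hashlib
import hmac
import io
import re

# Entry for the current release, copied from this page.
PAGE_ENTRY = """\
Source:
unbound-1.7.0.tar.gz
SHA1 checksum: d90b09315c75ad2843b868785b3d12a2c4f27b28
SHA256 checksum: 94dd9071fb13d8ccd122a3ac67c4524a3324d0e771fc7a8a7c49af8abfb926a2
PGP signature: unbound-1.7.0.tar.gz.asc
"""

# Constructed stand-in for a tarball so the example runs offline.
SAMPLE_NAME = "unbound-x.y.z.tar.gz"          # placeholder file name
SAMPLE_TARBALL = b"constructed stand-in for a release tarball\n"

HEX_LENGTH = {"sha1": 40, "sha256": 64}
FILE_RE = re.compile(r"^(?:Download:\s*)?(\S+\.tar\.gz)$")
SUM_RE = re.compile(r"^(SHA1|SHA256) checksum:\s*(\S+)$")


def parse_release_entries(text):
    """Return {filename: {"sha1": hex, "sha256": hex}} from release entries."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = FILE_RE.match(line)
        if m:
            current = entries.setdefault(m.group(1), {})
            continue
        m = SUM_RE.match(line)
        if m and current is not None:
            algo, value = m.group(1).lower(), m.group(2).lower()
            # A truncated or non-hex digest must not be silently accepted.
            if len(value) != HEX_LENGTH[algo] or not re.fullmatch(r"[0-9a-f]+", value):
                raise ValueError(f"malformed {algo} digest: {value!r}")
            current[algo] = value
    return entries


def file_digests(stream, chunk_size=1 << 16):
    """Hash a binary stream once, producing both digests."""
    sha1, sha256 = hashlib.sha1(), hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        sha1.update(chunk)
        sha256.update(chunk)
    return {"sha1": sha1.hexdigest(), "sha256": sha256.hexdigest()}


def verify_download(name, stream, entries):
    """Return (ok, reason) for a downloaded file against the parsed entries."""
    expected = entries.get(name)
    if expected is None:
        return False, "no entry for this file name"
    if "sha256" not in expected:
        # SHA1 is collision-prone; do not accept it as the only check.
        return False, "no SHA256 published"
    actual = file_digests(stream)
    for algo in ("sha256", "sha1"):
        if algo in expected and not hmac.compare_digest(actual[algo], expected[algo]):
            return False, f"{algo} mismatch"
    return True, "all published digests match"


def build_sample_listing(name, data):
    """Build a constructed entry, in the page's layout, for the sample bytes."""
    return (
        f"Download: {name}\n"
        f"SHA1 checksum: {hashlib.sha1(data).hexdigest()}\n"
        f"SHA256 checksum: {hashlib.sha256(data).hexdigest()}\n"
        f"PGP signature: {name}.asc\n"
    )


if __name__ == "__main__":
    # The real entry parses to the digests shown on the page.
    print(parse_release_entries(PAGE_ENTRY))
    # Constructed data: an intact copy passes, a modified copy fails.
    listing = parse_release_entries(build_sample_listing(SAMPLE_NAME, SAMPLE_TARBALL))
    print(verify_download(SAMPLE_NAME, io.BytesIO(SAMPLE_TARBALL), listing))
    print(verify_download(SAMPLE_NAME, io.BytesIO(SAMPLE_TARBALL + b"x"), listing))
```

To check a real download, pass `open(path, "rb")` as the stream together with `parse_release_entries(PAGE_ENTRY)`.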
Windows version for 64bit compiled from the source
Installer:
unbound_setup_1.7.0.exe (pgp sig, 32bit-version)
Binaries (no install):
unbound-1.7.0.zip (pgp sig, 32bit-version)
Doc: README, manual (pdf)
Unbound 1.7.0
Download: unbound-1.7.0.tar.gz
SHA1 checksum: d90b09315c75ad2843b868785b3d12a2c4f27b28
SHA256 checksum: 94dd9071fb13d8ccd122a3ac67c4524a3324d0e771fc7a8a7c49af8abfb926a2
PGP signature: unbound-1.7.0.tar.gz.asc
Date: 15 Mar, 2018
Features
- auth-zone provides a way to configure RFC7706 from unbound.conf,
eg. with auth-zone: name: "." for-downstream: no for-upstream: yes
fallback-enabled: yes and masters or a zonefile with data.
- Aggressive use of NSEC implementation. Use cached NSEC records to
generate NXDOMAIN, NODATA and positive wildcard answers.
- Accept tls-upstream in unbound.conf, the ssl-upstream keyword is
also recognized and means the same. Also for tls-port,
tls-service-key, tls-service-pem, stub-tls-upstream and
forward-tls-upstream.
- [dnscrypt] introduce dnscrypt-provider-cert-rotated option,
from Manu Bretelle.
This option allows handling multiple cert/key pairs while only
distributing some of them.
In order to reliably match a client magic with a given key without
strong assumptions as to how those were generated, we need both key and
cert. The same holds for knowing which ES version should be used.
On the other hand, when rotating a cert, it can be desirable to only
serve the new cert but still be able to handle clients that are still
using the old cert's public key.
The `dnscrypt-provider-cert-rotated` option instructs unbound not to
publish the cert as part of the DNS's provider_name's TXT answer.
- Update B root ipv4 address.
- make ip-transparent option work on OpenBSD.
- Fix #2801: Install libunbound.pc.
- ltrace.conf file for libunbound in contrib.
- Fix #3598: Fix swig build issue on rhel6 based system.
configure --disable-swig-version-check stops the swig version check.
Bug Fixes
- Fix #1749: With harden-referral-path: performance drops, due to
circular dependency in NS and DS lookups.
- [dnscrypt] prevent dnscrypt-secret-key, dnscrypt-provider-cert
duplicates
- Better documentation for cache-max-negative-ttl.
- Fixed libunbound manual typo.
- Fix #1949: [dnscrypt] make provider name mismatch more obvious.
- Fix #2031: Double included headers
- Document that errno is left informative on libunbound config read
fail.
- iana port update.
- Fix #1913: ub_ctx_config is under circumstances thread-safe.
- Fix #2362: TLS1.3/openssl-1.1.1 not working.
- Fix #2034 - Autoconf and -flto.
- Fix #2141 - for libsodium detect lack of entropy in chroot, print
a message and exit.
- Fix #2492: Documentation libunbound.
- Fix #2882: Unbound behaviour changes (wrong) when domain-insecure is
set for stub zone. It no longer searches for DNSSEC information.
- Fix #3299 - forward CNAME daisy chain is not working
- Fix link failure on OmniOS.
- Check whether --with-libunbound-only is set when using --with-nettle
or --with-nss.
- Fix qname-minimisation documentation (A QTYPE, not NS)
- Fix that DS queries with referral replies are answered straight
away, without a repeat query picking the DS from cache.
The correct reply should have been an answer, the reply is fixed
by the scrubber to have the answer in the answer section.
- Fix that expiration date checks don't fail with clang -O2.
- Fix queries being leaked above stub when refetching glue.
- Copy query and correctly set flags on REFUSED answers when cache
snooping is not allowed.
- make depend: code dependencies updated in Makefile.
- Fix #3397: Fix that cachedb could return a partial CNAME chain.
- Fix #3397: Fix that when the cache contains an unsigned DNAME in
the middle of a cname chain, a result without the DNAME could
be returned.
- Fix that unbound-checkconf -f flag works with auto-trust-anchor-file
for startup scripts to get the full pathname(s) of anchor file(s).
- Print fatal errors about remote control setup before log init,
so that it is printed to console.
- Use NSEC with longest ce to prove wildcard absence.
- Only use *.ce to prove wildcard absence, no longer names.
- Fix unfreed locks in log and arc4random at exit of unbound.
- Fix lock race condition in dns cache dname synthesis.
- Fix #3451: dnstap not building when you have a separate build dir.
And removed protoc warning, set dnstap.proto syntax to proto2.
- Added tests with wildcard expanded NSEC records (CVE-2017-15105 test)
- Unit test for auth zone https url download.
- tls-cert-bundle option in unbound.conf enables TLS authentication.
- Fixes for clang static analyzer, the missing ; in
edns-subnet/addrtree.c after the assert made clang analyzer
produce a failure to analyze it.
- Fix #3505: Documentation for default local zones references
wrong RFC.
- Fix #3494: local-zone noview can be used to break out of the view
to the global local zone contents, for queries for that zone.
- Fix for more maintainable code in localzone.
- more robust cachedump rrset routine.
- Save wildcard RRset from answer with original owner for use in
aggressive NSEC.
- Fixup contrib/fastrpz.patch so that it applies.
- Fix compile without threads, and remove unused variable.
- Fix compile with staticexe and python module.
- Fix nettle compile.
- Fix to check define of DSA for when openssl is without deprecated.
- iana port update.
- Fix #3582: Squelch address already in use log when reuseaddr option
causes same port to be used twice for tcp connections.
- Reverted fix for #3512, this may not be the best way forward;
although it could be changed at a later time, to stay similar to
other implementations.
- Fix for windows compile.
- Fixed contrib/fastrpz.patch, even though this already applied
cleanly for me, now also for others.
- patch to log creates keytag queries, from A. Schulze.
- patch suggested by Debian lintian: allow to -> allow one to, from
A. Schulze.
- Attempt to remove warning about trailing whitespace.
- Added documentation for aggressive-nsec: yes.
Older versions
Unbound 1.6.8
Download: unbound-1.6.8.tar.gz
SHA1 checksum: 492737be9647c26ee39d4d198f2755062803b412
SHA256 checksum: e3b428e33f56a45417107448418865fe08d58e0e7fea199b855515f60884dd49
PGP signature: unbound-1.6.8.tar.gz.asc
Date: 19 Jan, 2018
Bug Fixes
- Fix for CVE-2017-15105: vulnerability in the processing of
wildcard synthesized NSEC records.
Unbound 1.6.7
Download: unbound-1.6.7.tar.gz
SHA1 checksum: 098f8acfc3e9d1cab54f07863e61eabbb67c80dc
SHA256 checksum: 4e7bd43d827004c6d51bef73adf941798e4588bdb40de5e79d89034d69751c9f
PGP signature: unbound-1.6.7.tar.gz.asc
Date: 10 Oct, 2017
Features
- Set trust-anchor-signaling default to yes
- #1440: [dnscrypt] client nonce cache.
- #1435: Allow UDP to be disabled separately upstream and
downstream.
Bug Fixes
- Fix that looping modules always stop the query, and don't pass
control.
- Fix unbound-host to report error for DNSSEC state of failed lookups.
- Spelling fixes, from Josh Soref.
- Fix #1400: allowing use of global cache on ECS-forwarding unless
always-forward.
- use a cachedb answer even if it's "expired" when serve-expired is yes
(patch from Jinmei Tatuya).
- trigger refetching of the answer in that case (this will bypass
cachedb lookup)
- allow storing a 0-TTL answer from cachedb in the in-memory message
cache when serve-expired is yes
- Fix DNSCACHE_STORE_ZEROTTL to be bigger than 0xffff.
- Log name of looping module
- Fix #1450: Generate again patch contrib/aaaa-filter-iterator.patch
(by Danilo G. Baio).
- Fix param unused warning for windows exportsymbol compile.
- Use RCODE from A query on DNS64 synthesized answer.
- Fix trust-anchor-signaling works in libunbound.
- Fix spelling in unbound-control man page.
Unbound 1.6.6
Download: unbound-1.6.6.tar.gz
SHA1 checksum: d205c03a402f5d900d5bad3d036849a12804a49e
SHA256 checksum: 972b14dc33093e672652a7b2b5f159bab2198b0fe9c9e1c5707e1895d4d4b390
PGP signature: unbound-1.6.6.tar.gz.asc
Date: 18 Sep, 2017
Features
- unbound-control dump_infra prints port number for address if not 53.
- Fix #1344: RFC6761-reserved domains: test. and invalid.
- Fix #1349: allow suppression of pidfiles (from Daniel Kahn Gillmor).
With the -p option unbound does not create a pidfile.
- Added stats for queries that have been ratelimited by domain
recursion.
- Patch to show DNSCrypt status in help output, from Carsten
Strotmann.
- Fix #1407: Add ECS options check to unbound-checkconf.
- Fix #1415: [dnscrypt] shared secret cache, patch from
Manu Bretelle.
Bug Fixes
- fixup of dnscrypt_cert_chacha test (from Manu Bretelle).
- First fix for zero b64 and hex text zone format in sldns.
- Better fixup of dnscrypt_cert_chacha test for different escapes.
- Fix that infra cache host hash does not change after reconfig.
- Fix python example0 return module wait instead of error for pass.
- enhancement for hardened-tls for DNS over TLS. Removed duplicated
security settings.
- Fix for unbound-checkconf, check ipsecmod-hook if ipsecmod is turned
on.
- Fix #1331: libunbound segfault in threaded mode when context is
deleted.
- Fix pythonmod link line option flag.
- Fix openssl 1.1.0 load of ssl error strings from ssl init.
- Fix 1332: Bump verbosity of failed chown'ing of the control socket.
- Redirect all localhost names to localhost address for RFC6761.
- Fix #1350: make cachedb backend configurable (from JINMEI Tatuya).
- Fix tests to use .tdir (from Manu Bretelle) instead of .tpkg.
- upgrade aclocal(pkg.m4 0.29.1), config.guess(2016-10-02),
config.sub(2016-09-05).
- annotate case statement fallthrough for gcc 7.1.1.
- flex output from flex 2.6.1.
- snprintf of thread number does not warn about truncated string.
- squelch TCP fast open error on FreeBSD when kernel has it disabled,
unless verbosity is high.
- remove warning from windows compile.
- Fix compile with libnettle
- Fix DSA configure switch (--disable dsa) for libnettle and libnss.
- Fix #1365: Add Ed25519 support using libnettle.
- Fix #1394: mix of serve-expired and response-ip could cause a crash.
- Remove unused iter_env member (ip6arpa_dname)
- Do not reset rrset.bogus stats when called using stats_noreset.
- Do not add rrset_bogus and query ratelimiting stats per thread, these
module stats are global.
- Fix #1397: Recursive DS lookups for AS112 zones names should recurse.
- Fix #1398: make cachedb secret configurable.
- Remove spaces from Makefile.
- Fix issue on macOS 10.10 where TCP fast open is detected but not
implemented causing TCP to fail. The fix allows fallback to regular
TCP in this case and is also more robust for cases where connectx()
fails for some reason.
- Fix #1402: squelch invalid argument error for fd_set_block on windows.
- Fix to reclaim tcp handler when it is closed due to dnscrypt buffer
allocation failure.
- Fix #1415: patch to free dnscrypt environment on reload.
- iana portlist update
- Small fixes for the shared secret cache patch.
- Fix WKS records on kvm autobuild host, with default protobyname
entries for udp and tcp.
- Fix #1414: fix segfault on parse failure and log_replies.
- zero qinfo in handle_request, this zeroes local_alias and also the
qname member.
- new keys and certs for dnscrypt tests.
- fixup WKS test on buildhost without servicebyname.
- updated contrib/fastrpz.patch to apply with configparser changes.
- Fix 1416: qname-minimisation breaks TLSA lookups with CNAMEs.
- Fix #1424: cachedb:testframe is not thread safe.
- Fix #1417: [dnscrypt] shared secret cache counters, and works when
dnscrypt is not enabled. And cache size configuration option.
- Fix #1418: [ip ratelimit] initialize slabhash using
ip-ratelimit-slabs.
- Recommend 1472 buffer size in unbound.conf
- Fix #1412: QNAME minimisation strict mode not honored
- Fix #1434: Fix windows openssl 1.1.0 linking.
- Add dns64 for client-subnet in unbound-checkconf.
Unbound 1.6.5
Download: unbound-1.6.5.tar.gz
SHA1 checksum: ecb260b94d139d84fae2bff80f9701f53a329e26
SHA256 checksum: e297aa1229015f25bf24e4923cb1dadf1f29b84f82a353205006421f82cc104e
PGP signature: unbound-1.6.5.tar.gz.asc
Date: 21 Aug, 2017
Bug Fixes
- Fix install of trust anchor when two anchors are present, makes both
valid. Checks hash of DS but not signature of new key. This fixes
the root.key file if created when unbound is installed between
sep11 and oct11 2017.
Unbound 1.6.4
Download: unbound-1.6.4.tar.gz
SHA1 checksum: 836ecc48518b9159f600a738c276423ef1f95021
SHA256 checksum: df0a88816ec31ccb8284c9eb132e1166fbf6d9cde71fbc4b8cd08a91ee777fed
PGP signature: unbound-1.6.4.tar.gz.asc
Date: 27 Jun, 2017
Features
- Implemented trust anchor signaling using key tag query.
- unbound-checkconf -o allows query of dnstap config variables.
Also unbound-control get_option. Also for dnscrypt.
- unbound.h exports the shm stats structures. They use
type long long and no ifdefs, and ub_ before the typenames.
- Implemented opportunistic IPsec support module (ipsecmod).
- Added redirect-bogus.patch to contrib directory.
- Support for the ED25519 algorithm with openssl (from openssl 1.1.1).
- renumbering B-Root's IPv6 address to 2001:500:200::b.
- Fix #1276: [dnscrypt] add XChaCha20-Poly1305 cipher.
- Fix #1277: disable domain ratelimit by setting value to 0.
- Added fastrpz patch to contrib
Bug Fixes
- Added ECS unit test (from Manu Bretelle).
- ECS documentation fix (from Manu Bretelle).
- Fix #1252: more indentation inconsistencies.
- Fix #1253: unused variable in edns-subnet/addrtree.c:getbit().
- Fix #1254: clarify ratelimit-{for,below}-domain (from Manu Bretelle).
- iana portlist update
- Based on #1257: check parse limit before t increment in sldns RR
string parse routine.
- Fix #1258: Windows 10 X64 unbound 1.6.2 service will not start.
and fix that 64bit getting installed in C:\Program Files (x86).
- Fix #1259: "--disable-ecdsa" argument overwritten
by "#ifdef SHA256_DIGEST_LENGTH@daemon/remote.c".
- iana portlist update
- Added test for leak of stub information.
- Fix sldns wire2str printout of RR type CAA tags.
- Fix sldns int16_data parse.
- Fix sldns parse and printout of TSIG RRs.
- sldns SMIMEA and AVC definitions, same as getdns definitions.
- Fix tcp-mss failure printout text.
- Set SO_REUSEADDR on outgoing tcp connections to fix the bind before
connect limited tcp connections. With the option tcp connections
can share the same source port (for different destinations).
- Add 'c' to getopt() in testbound.
- Adjust servfail by iterator to not store in cache when serve-expired
is enabled, to avoid overwriting useful information there.
- Fix queries for nameservers under a stub leaking to the internet.
- document trust-anchor-signaling in example config file.
- updated configure, dependencies and flex output.
- better module memory lookup, fix of unbound-control shm names for
module memory printout of statistics.
- Fix type AVC sldns rrdef.
- Some whitespace fixup.
- Fix #1265: contrib/unbound.service contains hardcoded path.
- Fix #1265 to use /bin/kill.
- Fix #1267: Libunbound validator/val_secalgo.c uses obsolete APIs,
and compatibility with BoringSSL.
- Fix #1268: SIGSEGV after log_reopen.
- exec_prefix is by default equal to prefix.
- printout localzone for duplicate local-zone warnings.
- Fix assertion for low buffer size and big edns payload when worker
overrides udpsize.
- Support for openssl EVP_DigestVerify.
- Fix #1269: inconsistent use of built-in local zones with views.
- Add defaults for new local-zone trees added to views using
unbound-control.
- Fix #1273: cachedb.c doesn't compile with -Wextra.
- If MSG_FASTOPEN gives EPIPE fallthrough to try normal tcp write.
- Also use global local-zones when there is a matching view that does
not have any local-zone specified.
- Fix fastopen EPIPE fallthrough to perform connect.
- Fix #1274: automatically trim chroot path from dnscrypt key/cert paths
(from Manu Bretelle).
- Fix #1275: cached data in cachedb is never used.
- Fix that unbound-control can set val_clean_additional and val_permissive_mode.
- Add dnscrypt XChaCha20 tests.
- Detect chacha for dnscrypt at configure time.
- dnscrypt unit tests with chacha.
- Added domain name based ECS whitelist.
- Fix #1278: Incomplete wildcard proof.
- Fix #1279: Memory leak on reload when python module is enabled.
- Fix #1280: Unbound fails assert when response from authoritative
contains malformed qname. When 0x20 caps-for-id is enabled, when
assertions are not enabled the malformed qname is handled correctly.
- More fixes in depth for buffer checks in 0x20 qname checks.
- Fix stub zone queries leaking to the internet for
harden-referral-path ns checks.
- Fix query for refetch_glue of stub leaking to internet.
- Fix #1301: memory leak in respip and tests.
- Free callback in edns-subnetmod on exit and restart.
- Fix memory leak in sldns_buffer_new_frm_data.
- Fix memory leak in dnscrypt config read.
- Fix dnscrypt chacha cert support ifdefs.
- Fix dnscrypt chacha cert unit test escapes in grep.
- Fix to unlock view in view test.
- Fix warning in pythonmod under clang compiler.
- Fix lintian typo.
- Fix #1316: heap read buffer overflow in parse_edns_options.
Unbound 1.6.3
Download: unbound-1.6.3.tar.gz
SHA1 checksum: 4477627c31e8728058565f3bae3a12a1544d8a9c
SHA256 checksum: 4c7e655c1d0d2d133fdeb81bc1ab3aa5c155700f66c9f5fb53fa6a5c3ea9845f
PGP signature: unbound-1.6.3.tar.gz.asc
Date: 13 Jun, 2017
Bug Fixes
- Fix #1280: Unbound fails assert when response from authoritative
contains malformed qname. When 0x20 caps-for-id is enabled, when
assertions are not enabled the malformed qname is handled correctly.
Unbound 1.6.2
Download: unbound-1.6.2.tar.gz
SHA1 checksum: de370b1ac8e260db9c4c1504453752713dd8818f
SHA256 checksum: 1a323d72c32180b7141c9e6ebf199fc68a0208dfebad4640cd2c4c27235e3b9c
PGP signature: unbound-1.6.2.tar.gz.asc
Date: 24 Apr, 2017
Features
- Add trustanchor.unbound CH TXT that gets a response with a number
of TXT RRs with a string like "example.com. 2345 1234" with
the trust anchors and their keytags.
- Patch for view functionality for local-data-ptr from Björn Ketelaars.
- Response actions based on IP address from Jinmei Tatuya (Infoblox).
- Patch from Luiz Fernando Softov for Stats Shared Memory.
- unbound-control stats_shm command prints stats using shared memory,
which uses less cpu.
- --disable-sha1 disables SHA1 support in RRSIG, so from DNSKEY and
DS records. NSEC3 is not disabled.
- #1217. DNSCrypt support, with --enable-dnscrypt, libsodium and then
enabled in the config file from Manu Bretelle.
- Merge EDNS Client subnet implementation from feature branch into main
branch, using new EDNS processing framework.
- harden-algo-downgrade: no also makes unbound more lenient about
digest algorithms in DS records.
Bug Fixes
- sldns has ED25519 and ED448 algorithm number and name for display.
- sldns updated for vfixed and buffer resize indication from getdns.
- iana portlist update
- Fix #1224: Fix that defaults should not fall back to "Program Files
(x86)" if Unbound is 64bit by default on windows.
- Fix doc/CNAME-basedRedirectionDesignNotes.pdf zone static to
redirect.
- make depend, autoconf, doxygen and lint fixed up.
- include sys/time.h for new shm code on NetBSD.
- Fix #1227: Fix that Unbound control allows weak ciphersuites.
- Fix #1226: provide official 32bit binary for windows.
- For #1227: if we have sha256, set the cipher list to have no
known vulns.
- Fix testpkts.c, check if DO bit is set, not only if there is an OPT
record.
- Fix #1229: Systemd service sandboxing in contrib/unbound.service.
- Fix #1230: swig version 2.0.1 is required for pythonmod, with
1.3.40 it crashes when running repeatedly unbound-control reload.
- fix enum conversion warnings
- fake-sha1 test option; print warning if used. To make unit tests.
- unbound-control list local zone and data commands listed in the
help output.
- Fix #1234: shortening DNAME loop produces duplicate DNAME records
in ANSWER section.
- testbound understands Deckard MATCH rcode question answer commands.
- Fix #1235: Fix too long DNAME expansion produces SERVFAIL instead
of YXDOMAIN + query loop, reported by Petr Spacek.
- Fix that SHM is not inited if not enabled.
- Fix that looped DNAMEs do not cause unbound to spend effort.
- trustanchor tags are sorted. reusable routine to fetch taglist.
- Fix #1237 - Wrong resolving in chain, for norec queries that get
SERVFAIL returned.
- make depend, autoconf, remove warnings about statement before var.
- lru_demote and lruhash_insert_or_retrieve functions for getdns.
- fixup for lruhash (whitespace and header file comment).
- dnscrypt tests.
- Fix doxygen for dnscrypt files.
- Fix #1238: segmentation fault when adding through the remote
interface a per-view local zone to a view with no previous
(configured) local zones.
- Fix #1229: Systemd service sandboxing, options in wrong sections.
- Fix #1239: configure fails to find python distutils if python
prints warning.
- Fix to prevent non-referral query from being cached as referral when the
no_cache_store flag was set.
- Remove (now unused) event2 include from dnscrypt code.
- Fix #1217: Add metrics to unbound-control interface showing
crypted, cert request, plaintext and malformed queries (from
Manu Bretelle).
- Do not add current time twice to TTL before ECS cache store.
- Do not touch rrset cache after ECS cache message generation.
- Use LDNS_EDNS_CLIENT_SUBNET as default ECS opcode.
- Fix #1244: document that use of chroot requires trust anchor file to
be under chroot.
- Small fixup for documentation.
- Fix respip for braces when locks aren't used.
- Fix pythonmod for cb changes.
- Generalise inplace callback (de)registration
- (de)register inplace callbacks for module id
- No unbound-control set_option for ECS options
- Deprecated client-subnet-opcode config option
- Introduced client-subnet-always-forward config option
- Changed max-client-subnet-ipv6 default to 56 (as in RFC)
- Removed extern ECS config options
- module_restart_next now calls clear on all following modules
- Also create ECS module qstate on module_event_pass event
- remove malloc from inplace_cb_register
- Unlock view in respip unit test
- Some whitespace fixup.
- Remove ECS option after REFUSED answer.
- Fix small memory leak in edns_opt_copy_alloc.
- Respip dereference after NULL check.
- Zero initialize addrtree allocation.
- Use correct identifier for SHM destroy.
- Display ECS module memory usage.
- Fix #1247: unbound does not shorten source prefix length when
forwarding ECS.
- Properly check for allocation failure in local_data_find_tag_datas.
- Fix #1249: unbound doesn't return FORMERR to bogus ECS.
- Set SHM ECS memory usage to 0 when module not loaded.
- subnet mem value is available in shm, also when not enabled,
to make the struct easier to memmap by other applications,
independent of the configuration of unbound.
- Fix #1250: inconsistent indentation in services/listen_dnsport.c.
Unbound 1.6.1
Download: unbound-1.6.1.tar.gz
SHA1 checksum: 41369fcfd37844b02b7293b37ec78e69f0db34c7
SHA256 checksum: 42df63f743c0fe8424aeafcf003ad4b880b46c14149d696057313f5c1ef51400
PGP signature: unbound-1.6.1.tar.gz.asc
Date: 21 Feb, 2017
Features
- configure --enable-systemd and lets unbound use systemd sockets if
you enable use-systemd: yes in unbound.conf.
Also there are contrib/unbound.socket and contrib/unbound.service:
systemd files for unbound, install them in /usr/lib/systemd/system.
Contributed by Sami Kerola and Pavel Odintsov.
- Source IP rate limiting, patch from Larissa Feng.
- Log DNS replies. This includes the same logging
information that DNS queries and response code and response size,
patch from Larissa Feng.
- Include root trust anchor id 20326 in unbound-anchor.
- 64bit is default for windows builds.
Bug Fixes
- Fix stack size too small for Alpine Linux.
- Fix unbound-control and ipv6 only.
- Fix Resource leak (socket), at startup.
- Fix attempt to fix setup error at end, pop result values
at end of install.
- iana portlist update
- Fix inet_ntop and inet_pton warnings in windows compile.
- Fix remove comment about view deletion.
- Fix unresolved symbol 'fake_dsa' in libunbound.so when built
with Nettle
- Fix to not echo back EDNS options in local-zone error response.
- Fix if cross build fails when $host isn't `uname` for getentropy.
- Fix reload chdir failure when also chrooted to that directory.
- Fix to return formerr for queries for meta-types, to avoid
packet amplification if this meta-type is sent on to upstream.
- Fix missing unlock in answer_from_cache error condition.
- Fix code comment that packed_rrset_data is not always
'packed'.
- Fix to also block meta types 128 through to 248 with formerr.
- Fix that some view-related commands are missing from 'unbound-control -h'
- Fix to rename ub_callback_t to ub_callback_type, because POSIX
reserves _t typedefs.
- Fix to rename internally used types from _t to _type, because _t
type names are reserved by POSIX.
- Increase MAX_MODULE to 16.
- Fix can't enable interface-automatic if no IPv6 with
more helpful error message.
- fix root_anchor test for updated icannbundle.pem lower certificates.
- Fix compile on solaris of the fix to use $host detect.
- Fix for type name change and fix warning on windows compile.
- Fix pythonmod for typedef changes.
- Fix dnstap for warning of set but not used.
- Fix autoconf of systemd check for lack of pkg-config.
Unbound 1.6.0
Download: unbound-1.6.0.tar.gz
SHA1 checksum: 9b7606b016b447dc837efc108cee94f3fecf4ede
SHA256 checksum: 6b7db874e6debda742fee8869d722e5a17faf1086e93c911b8564532aeeffab7
PGP signature: unbound-1.6.0.tar.gz.asc
Date: 15 Dec, 2016
Features
- Added generic EDNS code for registering known EDNS option codes,
bypassing the cache response stage and uniquifying mesh states. Four EDNS
option lists were added to module_qstate (module_qstate.edns_opts_*) to
store EDNS options from/to front/back side.
- Added two flags to module_qstate (no_cache_lookup, no_cache_store) that
control the modules' cache interactions.
- Added code for registering inplace callback functions. The registered
functions can be called just before replying with local data or Chaos,
replying from cache, replying with SERVFAIL, replying with a resolved
query, sending a query to a nameserver. The functions can inspect the
available data and maybe change response/query related data (i.e. append
EDNS options).
- Updated Python module for the above.
- Updated Python documentation.
- Added views functionality.
- Added qname-minimisation-strict config option.
- Patch that resolves CNAMEs entered in local-data conf statements that
point to data on the internet, from Jinmei Tatuya (Infoblox).
- serve-expired config option: serve expired responses with TTL 0.
- .gitattributes line for githubs code language display.
- log-identity: config option to set sys log identity, patch from
"Robin H. Johnson" (robbat2@gentoo.org).
- Added stub-ssl-upstream and forward-ssl-upstream options.
- Added local-zones and local-data bulk addition and removal
functionality in unbound-control (local_zones, local_zones_remove,
local_datas and local_datas_remove).
Bug Fixes
- Fix #836: unbound could echo back EDNS options in an error response.
- Fix #838: 1.5.10 cannot be built on Solaris, undefined PATH_MAX.
- Fix #839: Memory grows unexpectedly with large RPZ files.
- Fix #840: infinite loop in unbound_munin_ plugin on unowned lockfile.
- Fix #841: big local-zone's make it consume large amounts of memory.
- Fix dnstap relaying "random" messages instead of resolver/forwarder
responses, from Nikolay Edigaryev.
- Fix Nits for 1.5.10 reported by Dag-Erling Smorgrav.
- Fix #1117: spelling errors, from Robert Edmonds.
- iana portlist update.
- fix memoryleak logfile when in debug mode.
- Re-fix #839 from view commit overwrite.
- Fixup const void cast warning.
- Removed patch comments from acllist.c and msgencode.c
- Added documentation doc/CNAME-basedRedirectionDesignNotes.pdf,
from Jinmei Tatuya (Infoblox).
- Fix #1125: unbound could reuse an answer packet incorrectly for
clients with different EDNS parameters, from Jinmei Tatuya.
- Fix #1118: libunbound.pc sets strange Libs, Libs.private values.
- Added Requires line to libunbound.pc
- Fix #1130: whitespace in example.conf.in more consistent.
- suppress compile warning in lex files.
- init lzt variable, for older gcc compiler warnings.
- fix --enable-dsa to work, instead of copying ecdsa enable.
- Fix DNSSEC validation of query type ANY with DNAME answers.
- Fixup query_info local_alias init.
- Ported tests for local_cname unit test to testbound framework.
- g.root-servers.net has AAAA address.
- Fix #1134: unbound-control set_option -- val-override-date: -1 works
immediately to ignore datetime, or back to 0 to enable it again.
The -- is to ignore the '-1' as an option flag.
- Patch for server.num.zero_ttl stats for count of expired replies,
from Pavel Odintsov.
- Fix failure to build on arm64 with no sbrk.
- Set OpenSSL security level to 0 when using aNULL ciphers.
- configure detects ssl security level API function in the autoconf
manner. Every function on its own, so that other libraries (eg.
LibreSSL) can develop their API without hindrance.
- Fix #1154: segfault when reading config with duplicate zones.
- Note that for harden-below-nxdomain the nxdomain must be secure,
this means nsec3 with optout is insufficient.
- Fix #1155: test status code of unbound-control in 04-checkconf,
not the status code from the tee command.
- Fix #1158: reference RFC 8020 "NXDOMAIN: There Really Is Nothing
Underneath" for the harden-below-nxdomain option.
- patch from Dag-Erling Smorgrav that removes code that relies
on sbrk().
- Make access-control-tag-data RDATA absolute. This makes the RDATA
origin consistent between local-data and access-control-tag-data.
- Fix NSEC ENT wildcard check. Matching wildcard does not have to be a
subdomain of the NSEC owner.
- QNAME minimisation uses QTYPE=A, therefore always check cache for
this type in harden-below-nxdomain functionality.
- Added unit test for QNAME minimisation + harden below nxdomain
synergy.
- Fix that with openssl 1.1 control-use-cert: no uses less cpu, by
using no encryption over the unix socket.
- hyphen as minus fix, by Andreas Schulze
- Fix #1170: document that 'inform' local-zone uses local-data.
- Fix #1173: differ local-zone type deny from unset
tag_actions element.
- Add DSA support for OpenSSL 1.1.0
- Fix remote control without cert for LibreSSL
- Fix downcast warnings from visual studio in sldns code.
Unbound 1.5.10
Download: unbound-1.5.10.tar.gz
SHA1 checksum: 6102849c400db3a4195b1f16df8f312568a6ec57
SHA256 checksum: a39b8b4fcca2a2b35a2daa53fe35150cc3f09038dc9acede09c912fc248a9486
PGP signature: unbound-1.5.10.tar.gz.asc
Date: 27 Sep, 2016
Features
- Create a pkg-config file for libunbound in contrib.
- TCP Fast open patch from Sara Dickinson.
- Finegrained localzone control with define-tag, access-control-tag,
access-control-tag-action, access-control-tag-data, local-zone-tag,
and local-zone-override. And added types always_transparent,
always_refuse, always_nxdomain with that.
- If more than half of tcp connections are in use, a shorter timeout
is used (200 msec, vs 2 minutes) to pressure tcp for new connects.
- Fix #787: outgoing-interface netblock/64 ipv6 option to use linux
freebind to use 64bits of entropy for every query with random local
part.
- For #787: prefer-ip6 option for unbound.conf prefers to send
upstream queries to ipv6 servers.
- Add default root hints for IPv6 E.ROOT-SERVERS.NET, 2001:500:a8::e.
- keep debug symbols in windows build.
Bug Fixes
- Fix unbound 1.5.9: -h segfault (null deref).
- Fix unbound-anchor.exe file location defaults to
Program Files with (x86) appended.
- Fix to not ignore return value of chown() in daemon startup.
- Better help text from -h (from Ray Griffith).
- Fix Non-standard Python location build failure with pyunbound.
- Improve threadsafety for openssl 0.9.8 ecdsa dnssec signatures.
- Revert fix for NetworkService account on windows due to breakage
it causes.
- Fix that windows install will not overwrite existing service.conf
file (and ignore gui config choices if it exists).
- And delete service.conf.shipped on uninstall.
- In unbound.conf directory: dir immediately changes to that directory,
so that include: file below that is relative to that directory.
With chroot, make the directory an absolute path inside chroot.
- do not delete service.conf on windows uninstall.
- document directory immediate fix and allow EXECUTABLE syntax in it
on windows.
- Fix directory: fix for unbound-checkconf, it restores cwd.
- Use QTYPE=A for QNAME minimisation.
- Keep track of number of time-outs when performing QNAME minimisation.
Stop minimising when number of time-outs for a QNAME/QTYPE pair is
more than three.
- Fix unbound-host and unbound-anchor crash on windows, ignore
null delete for wsaevent.
- Fix spelling in freebind option man page text.
- Fix windows link of ssl with crypt32.
- Fix Union casting is non-portable.
- Fix MAP_ANON not defined in HP-UX 11.31.
- Fix prealloc() is an HP-UX system library call.
- Decrease dp attempts at each QNAME minimisation iteration
- Fix Build configure assumes that having getpwnam means there
is endpwent function available.
- Updated repository with newer flex and bison output.
- Fix static compile on windows missing gdi32.
- Fix dynamic link of anchor-update.exe on windows.
- Fix detect of mingw for MXE package build.
- Fixes for 64bit windows compile.
- Fix for nettle 3.0: Failed to build with Nettle >= 3.0 and
--with-libunbound-only --with-nettle.
- Fixed unbound.doxygen for 1.8.11.
- Fix Client-side TCP fast open fails (Linux).
- Fix missing error condition handling in
daemon_create_workers().
- Fix workaround for function parameters that are "unused"
without log_assert.
- Fix confusing (and incorrect) code comment in daemon_cleanup().
- Fix wrong comment removed.
- use sendmsg instead of sendto for TFO.
- Fix workaround for possible some "unused" function parameters
in test code, from Jinmei Tatuya.
- Note that OPENPGPKEY type is RFC 7929.
- Fix #804: unbound stops responding after outage. Fixes queries
that attempt to wait for an empty list of subqueries.
- Fix for #804: lower num_target_queries for iterator also for failed
lookups.
- Fix set sldns_str2wire_rr_buf() dual meaning len parameter
in each iteration in find_tag_datas().
- Fix OpenSSL 1.1.0 compatibility, patch from Sebastian A.
Siewior.
- RFC 7958 is now out, updated docs for unbound-anchor.
- Fix for compile without warnings with openssl 1.1.0.
- Fix refuse_non_local could result in a broken response.
- iana portlist update.
- Fix compile with openssl 1.1.0 with api=1.1.0.
- Fix doc of sldns_wire2str_rdata_buf() return value has an
off-by-one typo, from Jinmei Tatuya (Infoblox).
- Fix incomplete prototypes reported by Dag-Erling Smørgrav.
- Fix missing type in access-control-tag-action redirect results
in NXDOMAIN.
- Take configured minimum TTL into consideration when reducing TTL
to original TTL from RRSIG.
- Fix workaround for spurious fread_chk warning against petal.c
- Silenced flex-generated sign-unsigned warning print with gcc
diagnostic pragma.
- Fix for new splint on FreeBSD. Fix cast for sockaddr_un.sun_len.
- fix potential memory leak in daemon/remote.c and nullpointer
dereference in validator/autotrust.
- Fix error for duplicate local zone entry.
- Fix --disable-dsa with nettle verify.
Unbound 1.5.9
Download: unbound-1.5.9.tar.gz
SHA1 checksum: 4882c52aac0abcd72a86ac5d06e9cd39576620ce
SHA256 checksum: 01328cfac99ab5b8c47115151896a244979e442e284eb962c0ea84b7782b6990
PGP signature: unbound-1.5.9.tar.gz.asc
Date: 9 June, 2016
Features
- generic edns option parse and store code.
- Updated L root IPv6 address.
- User defined pluggable event API for libunbound
- ip_freebind: yesno option in unbound.conf sets IP_FREEBIND for
binding to an IP address while the interface or address is down.
- OpenSSL 1.1.0 portability, --disable-dsa configure option.
- disable-dnssec-lame-check config option from Charles Walker.
Bug Fixes
- Fix unbound.py - idn2dname throws UnicodeError when idnname
contains trailing dot.
- configure tests for the weak attribute support by the compiler.
- Fix assert in outnet_serviced_query_stop.
- Updated configure and ltmain.sh.
- Fixup of compile fix for pluggable event API from P.Y. Adi
Prasaja.
- Fixup backend2str for libev.
- Fix libev usage of dispatch return value.
- No side effects in tolower() call, in case it is a macro.
- Fix warnings in ifdef corner case, older or unknown libevent.
- Fix ip-transparent for ipv6 on FreeBSD, thanks to Nick Hibma.
- Fix ip-transparent for tcp on freebsd.
- Fix unbound sets CD bit on all forwards.
If no trust anchors, it'll not set CD bit when forwarding to another
server. If a trust anchor, no CD bit on the first attempt to a
forwarder, but CD bit thereafter on repeated attempts to get DNSSEC.
- Limit number of QNAME minimisation iterations.
- Validate QNAME minimised NXDOMAIN responses.
- If QNAME minimisation is enabled, do cache lookup for QTYPE NS in
harden-below-nxdomain.
- Fix compile of getentropy_linux for SLES11 servicepack 4.
- Fix dnstap-log-resolver-response-messages, from Nikolay Edigaryev.
- Fix test for openssl to use HMAC_Update for 1.1.0.
- ERR_remove_state deprecated since openssl 1.0.0.
- OPENSSL_config is deprecated, removing.
- Document permit-small-holddown for 5011 debug.
- Fix unbound-checkconf gets SIGSEGV when used against a
malformatted conf file.
- Fix document dump_requestlist is for first thread.
- Fix some malformed responses to edns queries get fallback to nonedns.
- Fix 0x20 capsforid no longer checks type PTR, for
compatibility with cisco dns guard. This lowers false positives.
- Fix sldns with static checking fixes copied from getdns.
- Fix memory leak in out-of-memory conditions of local zone add.
- Fix DNSSEC LAME false positive resolving nic.club.
- Fix dns64 should synthesize results on timeout/errors.
- No QNAME minimisation fall-back for NXDOMAIN answers from DNSSEC
signed zones.
- Fix Reference to an expired Internet-Draft in
harden-below-nxdomain documentation.
- remove memory leak from lame-check patch.
- Fix Small subgroup attack on DH used in unix pipe on localhost
if unbound control uses a unix local named pipe.
- Document write permission to directory of trust anchor needed.
- Fix Unbound Service Sometimes Can Not Shutdown
Completely, WER Report Shown Up. Close handle before closing WSA.
- Fix time in case answer comes from cache in ub_resolve_event().
- Fix windows service to be created run with limited rights, as a
network service account, from Mario Turschmann.
- Fix retry resource temporarily unavailable on control pipe.
- iana ports fetched via https.
- iana portlist update.
Unbound 1.5.8
Download: unbound-1.5.8.tar.gz
SHA1 checksum: 1391888d2e3395d766545cd3dbdf0f1879c48080
SHA256 checksum: 33567a20f73e288f8daa4ec021fbb30fe1824b346b34f12677ad77899ecd09be
PGP signature: unbound-1.5.8.tar.gz.asc
Date: 2 March, 2016
Features
- ip-transparent option for FreeBSD with IP_BINDANY socket
option.
- insecure-lan-zones: yesno config option, patch from Dag-Erling
Smørgrav.
- RR Type CSYNC support RFC 7477, in debug printout and config
input.
- RR Type OPENPGPKEY support (draft-ietf-dane-openpgpkey-07).
- tcp-mss, outgoing-tcp-mss options for unbound.conf, patch
from Daisuke Higashi.
- Support RFC7686: handle ".onion" Special-Use Domain. It is blocked
by default, and can be unblocked with "nodefault" localzone config.
- ub_ctx_set_stub() function for libunbound to config stub zones.
Bug Fixes
- Fix that NSEC3 negative cache is used when there is no salt.
- sorted ubsyms.def file with exported libunbound functions.
- Print understandable debug log when unusable DS record is seen.
- load gost algorithm if digest is seen before key algorithm.
- Fix that "make install" fails due to "text file busy" error.
- Set IPPROTO_IP6 for ipv6 sockets otherwise invalid argument error.
- wait for sendto to drain socket buffers when they are full.
- Neater cmdline_verbose increment patch from Edgar Pettijohn.
- Made netbsd sendmsg test nonfatal, in case of false positives.
- Fix: log message for dnstap socket connection is more clear.
- Fix: chown the pidfile if it resides inside the chroot.
- Fix cmsg alignment for argument to sendmsg on NetBSD.
- Fix that unbound complains about unimplemented IP_PKTINFO for
sendmsg on NetBSD (for interface-automatic).
- Fix: Swig should not be invoked with CPPFLAGS.
- Squelch 'cannot assign requested address' log messages unless
verbosity is high, it was spammed after network down.
- Fix to simplify empty string checking from Michael McConville.
- Fix: Do not log an error when the PID file cannot be chown'ed.
Patch from Simon Deziel.
- Fix test if -pthreads unused to use better grep for portability.
- Fix mingw crosscompile for recent mingw.
- Update aclocal, autoconf output with new versions (1.15, 2.4.6).
- Define DEFAULT_SOURCE together with BSD_SOURCE when that is defined,
for Linux glibc 2.20.
- Fixup contrib/aaaa-filter-iterator.patch for moved contents in the
source code, so it applies cleanly again. Removed unused variable
warnings.
- Fix: omit use of escape sequences in echo since they are not
portable (unbound-control-setup).
- remove NULL-checks before free, patch from Michael McConville.
- updated ax_pthread.m4 to version 21 with clang support, this
removes a warning from compilation.
- OSX portability, detect if sbrk is deprecated.
- OSX clang, stop -pthread unused during link stage warnings.
- OSX clang new flto check.
- iana portlist update.
Unbound 1.5.7
Download: unbound-1.5.7.tar.gz
SHA1 checksum: 6306fec537f507a41b9c3a7e16e4aa1c10532510
SHA256 checksum: 4b2088e5aa81a2d48f6337c30c1cf7e99b2e2dc4f92e463b3bee626eee731ca8
PGP signature: unbound-1.5.7.tar.gz.asc
Date: 10 December, 2015
Features
- libunbound: optionally use libnettle
for crypto. Contributed by Luca Bruno. Added --with-nettle for use with
--with-libunbound-only.
- Implemented qname minimisation
Bug Fixes
- Fix unbound-anchor appears to not fsync root.key.
- Fix Document config to block private-address for IPv4
mapped IPv6 addresses.
- portability, replace snprintf if return value broken
- portability fixes.
- detect libexpat without xml_StopParser function.
- isblank() compat implementation.
- patch from Doug Hogan for SSL_OP_NO_SSLvx options.
- Fix nodata proof with empty non-terminals and wildcards.
- Fix unbound-control-setup with support for env
without HEREDOC bash support.
- ACX_SSL_CHECKS no longer adds -ldl needlessly.
- Change example.conf: ftp.internic.net to https://www.internic.net
- Fix for lenient accept of reverse order DNAME and CNAME.
- spelling fixes from Igor Sobrado Delgado.
- Fix that malformed EDNS query gets a response without malformed EDNS.
- Added assert on rrset cache correctness.
- Fix add windows scripts to zip bundle,
and fix unbound-control-setup windows batch file.
- Fix conf syntax to read files from run dir (on Windows).
And fix PCA prompt for unbound-service-install.exe.
And add Changelog to windows binary dist. And fixup for unbound-control.
- .gitignore for git users.
- iana portlist update.
- Removed unneeded whitespace from example.conf.
- Do not minimise forwarded requests.
Unbound 1.5.6
Download: unbound-1.5.6.tar.gz
SHA1 checksum: b1e521669d6e5a3c1baf8b71dad070e38887162b
SHA256 checksum: ad3823f5895f59da9e408ea273fcf81d8a76914c18864fba256d7f140b83e404
PGP signature: unbound-1.5.6.tar.gz.asc
Date: 20 October, 2015
Features
- Default for ssl-port is port 853, the temporary port assignment
for secure domain name system traffic.
If you used to rely on the older default of port 443, you have
to put a clause in unbound.conf for that. The new value is likely
going to be the standardised port number for this traffic.
- ANY responses include DNAME records if present, as per Evan Hunt's
remark in dnsop.
Bug Fixes
- Fix segfault in the dns64 module in the formaterror error path.
- Fix manpage to suggest using SIGTERM to terminate the server.
- iana portlist update.
Unbound 1.5.5
Download: unbound-1.5.5.tar.gz
SHA1 checksum: ff93df847187120c9ee98e7eebe4bb1bc859a8f2
SHA256 checksum: f3bd7d3bc9519e8717abdc35c26cb2d84c3c3a3e2cd657604307e6860b37da5e
PGP signature: unbound-1.5.5.tar.gz.asc
Date: 6 October, 2015
Features
- Change default of harden-algo-downgrade to off. This is lenient
for algorithm rollover.
- Added permit-small-holddown config to debug fast 5011 rollover.
- Allow certificate chain files to allow for intermediate certificates.
(thanks Daniel Kahn Gillmor)
- Enable ECDHE for servers. Where available, use
SSL_CTX_set_ecdh_auto() for TLS-wrapped server configurations to
enable ECDHE. Otherwise, manually offer curve p256.
Client connections should automatically use ECDHE when available.
(thanks Daniel Kahn Gillmor)
- Feature --enable-pie option that builds PIE binary.
- Feature --enable-relro-now option that enables full read-only
relocation.
- New IPs for h.root-servers.net.
Bug Fixes
- Fix setting forwarders with unbound-control forward
implicitly turns on forward-first.
- Fix that reload fails when so-reuseport is yes after changing
num-threads.
- please afl-gcc (llvm) for uninitialised variable warning.
- Fix mktime in unbound-anchor not using UTC.
- Fix 5011 anchor update timer after reload.
- 5011 implementation does not insist on all algorithms, when
harden-algo-downgrade is turned off.
- Document in the manual more text about configuring locally served
zones.
- Document that local-zone nodefault matches exactly and transparent
can be used to release a subzone.
- Fix that configure script does not detect LibreSSL 2.2.2
- Fix deadlock for local data add and zone add when unbound-control
list_local_data printout is interrupted.
- Fix get PY_MAJOR_VERSION failure at configure for python
2.4 to 2.6.
- changed windows setup compression to be more transparent.
- Fix config globbed include chroot treatment, this fixes reload of
globs (patch from Dag-Erling Smørgrav).
- Fix ub_ctx_set_fwd() return value mishandled on windows.
- Fix minor error in unbound.conf.5.in.
- Fix unbound.conf(5) access-control description for precedence
and default.
- Fix unbound-control flush that does not succeed in removing data.
- MAX_TARGET_COUNT increased to 64, to fix up sporadic resolution
failures.
- iana portlist update.
Unbound 1.5.4
Download: unbound-1.5.4.tar.gz
SHA1 checksum: ce0abc1563baa776a0f2c21516ffc13e6bff7d0f
SHA256 checksum: a1e1c1a578cf8447cb51f6033714035736a0f04444854a983123c094cc6fb137
PGP signature: unbound-1.5.4.tar.gz.asc
Date: 9 July, 2015
Features
- harden-algo-downgrade option, if turned off, fixes the
reported excessive validation failure when multiple algorithms
are present. If set to 'no', it allows the weakest algorithm to validate the zone.
- stats reports tcp usage, of incoming-num-tcp buffers.
- contrib/unbound_smf22.tar.gz: Solaris SMF installation/removal
scripts. Contributed by Yuri Voinov.
- Add ip-transparent config option for bind to non-local addresses.
- Synthesize ANY responses from cache. Does not search exhaustively,
but MX,A,AAAA,SOA,NS also CNAME.
- unbound-control list_insecure command shows the negative trust
anchors currently configured, patch from Jelte Jansen.
- ratelimit feature, ratelimit: 1000, can be
used to turn it on. It ratelimits recursion effort per zone.
For particular names you can configure exceptions in unbound.conf.
- Ratelimit does not apply to prefetched queries, and ratelimit-factor
is default 10. Repeated normal queries get resolved and with
prefetch stay in the cache.
- unbound-control ratelimit_list lists high rate domains.
- caps-whitelist in unbound.conf allows whitelist of loadbalancers
that cannot work with caps-for-id or its fallback.
- RFC 7553 RR type URI support, is now enabled by default.
- cache-max-negative-ttl config option, default 3600.
- Add local-zone type inform_deny, that logs query and drops answer.
Bug Fixes
- Unbound exits with a fatal error when the auto-trust-anchor-file
fails to be writable. This is seconds after startup. You can
load a readonly auto-trust-anchor-file with trust-anchor-file.
The file has to be writable to notice the trust anchor change,
without it, a trust anchor change will be unnoticed and the system
will then become inoperable.
- DLV is going to be decommissioned. Advice to stop using it, and
put text in the example configuration and man page to that effect.
- Patch from Brad Smith that syncs compat/getentropy_linux with
OpenBSD's version (2015-03-04).
- 0x20 fallback improved: servfail responses do not count as missing
comparisons (except if all responses are errors),
inability to find nameservers does not fail equality comparisons,
many nameservers does not try to compare more than max-sent-count,
parse failures start 0x20 fallback procedure.
- store caps_response with best response in case downgrade response
happens to be the last one.
- Document that incoming-num-tcp increase is good for large servers.
- Fix lintian warning in unbound-checkconf man page (from Andreas
Schulze).
- Updated default keylength in unbound-control-setup to 3k.
- Fixup compile on cygwin, more portable openssl thread id.
- Use reallocarray for integer overflow protection, patch submitted
by Loganaden Velvindron.
- Fixed to add integer overflow checks on allocation (defense in depth).
- Fix segfault on user not found at startup (from Maciej Soltysiak).
- Fix that libunbound(3) recommends deprecated CRYPTO_set_id_callback.
- If unknown trust anchor algorithm, and libressl is used, error
message encourages upgrade of the libressl package.
- rename ldns subdirectory to sldns to avoid name collision.
- Fix interface-automatic broken in the presence of
asymmetric routing.
- Libunbound skips dos-line-endings from etc/hosts.
- Fix crash in dnstap: Do not try to log TCP responses after timeout.
- Fix that get_option for cache-sizes does not print double newline.
- Fix that ssl handshake fails when using unix socket because dh size
is too small.
- libunbound python3 related fixes (from Tomas Hozza);
Use print_function also for Python2.
libunbound examples: produce sorted output.
libunbound-Python: libldns is not used anymore.
Fix issue with Python 3 mapping of FILE* using file_py3.i from ldns.
- Fix leaked dns64prefix configuration string.
- Removed contrib/unbound_unixsock.diff, because it has been
integrated, use control-interface: /path in unbound.conf.
- Change syntax of particular validator error to be easier for
machine parse, swap rrset and ip address info so it looks like:
validation failure <www.example.nl. TXT IN>: signature crypto
failed from 2001:DB8:7:bba4::53 for <*.example.nl. NSEC IN>
- Fix that unparseable error responses are ratelimited.
- SOA negative TTL is capped at minimumttl in its rdata section.
- Do not free pointers given by getenv.
- Fix CNAME corresponding to a DNAME was checked incorrectly
and was therefore always synthesized (thanks to Valentin Dietrich).
And fix DNAME responses from cache that failed internal chain test.
- iana portlist update.
Unbound 1.5.3
Download: unbound-1.5.3.tar.gz
SHA1 checksum: 9ae0d8270df4591559d54ee4d61c550526521ca3
SHA256 checksum: 76bdc875ed4d1d3f8e4cfe960e6df78ee5c6c7c18abac11331cf93a7ae129eca
PGP signature: unbound-1.5.3.tar.gz.asc
Date: 10 March, 2015
Bug Fixes
- Fix #647 crash in 1.5.2 because pwd.db no longer accessible after reload.
- Fix #645 Portability to Solaris 10, use AF_LOCAL.
- Fix #646 Portability to Solaris, -lrt for getentropy_solaris.
- Use the getrandom syscall introduced in Linux 3.17 (from Heiner Kallweit).
Unbound 1.5.2
Download: unbound-1.5.2.tar.gz
SHA1 checksum: 91c805af3fc702eb98ec2679a586cacd05fc4268
SHA256 checksum: 33ab6c6a5ce3247b0a57e34d209fe8936e1218ff89a9b7ca3ff00c2060dd35c7
PGP signature: unbound-1.5.2.tar.gz.asc
Date: 19 February, 2015
Features
- local-zone: example.com inform makes unbound log a message with
client IP for queries in that zone. Eg. for finding infected hosts.
- patch from Stephane Lapie that adds to the python API, that
exposes struct delegpt, and adds the find_delegation function.
- Updated contrib warmup.cmd/sh to support two modes - load
from pre-defined list of domains or (with filename as argument)
load from user-specified list of domains, and updated contrib
unbound_cache.sh/cmd to support loading/save/reload cache to/from
default path or (with secondary argument) arbitrary path/filename,
from Yuri Voinov.
- patch for remote control over local sockets, from Dag-Erling
Smorgrav, Ilya Bakulin. Use control-interface: /path/sock and
control-use-cert: no.
- unbound-checkconf -f prints chroot with pidfile path.
- infra-cache-min-rtt patch from Florian Riehm, for expected long
uplink roundtrip times.
Bug Fixes
- config.guess and config.sub update from libtoolize.
- getauxval test for ppc64 linux compatibility.
- make strip works for unbound-host and unbound-anchor.
- print query name when max target count is exceeded.
- patch from Stuart Henderson that fixes DESTDIR in
unbound-control-setup for installs where config is not in
the prefix location.
- Fix #634: fix fail to start on Linux LTS 3.14.X, ignores missing
IP_MTU_DISCOVER OMIT option (fix from Remi Gacogne).
- Patch from Philip Paeps to contrib/unbound_munin_ that uses
type ABSOLUTE. Allows munin.conf: [idleserver.example.net]
unbound_munin_hits.graph_period minute
- Fix pyunbound ord call, portable for python 2 and 3.
- Fix unintended use of gcc extension for incomplete enum types,
compile with pedantic c99 compliance (from Daniel Dickman).
- Fix pyunbound byte string representation for python3.
- Fix 0x20 capsforid fallback to omit gratuitous NS and additional
section changes.
- Fix validation failure in case upstream forwarder (ISC BIND) does
not have the same trust anchors and decides to insert unsigned NS
record in authority section.
- Fix scrubber with harden-glue turned off to reject NS (and other
not-address) records.
- iana portlist update.
- Fix doc/example.conf.in: unnecessary whitespace.
Unbound 1.5.1
Download: unbound-1.5.1.tar.gz
SHA1 checksum: 5606c2246e7394bce88cc4f16edbd6b964237ea2
SHA256 checksum: 0ff82709fb2bd7ecbde8dbdcf60fa417d2b43379570a3d460193a76a169900ec
PGP signature: unbound-1.5.1.tar.gz.asc
Date: 8 December, 2014
Features
- Patch from Stephane Lapie for ASAHI Net that implements aaaa-filter,
added to contrib/aaaa-filter-iterator.patch.
Bug Fixes
- Fix that CD flag disables DNS64 processing, returning the DNSSEC
signed AAAA denial.
- Fix compat/getentropy_win.c check if CryptGenRandom works and no
immediate exit on windows.
- Fix crash on multiple thread random usage on systems without
arc4random.
- Fix log at high verbosity and memory allocation failure.
- Fix libunbound undefined symbol errors for main.
- Patch from Robert Edmonds to build pyunbound python module
differently. No versioninfo, with -shared and without $(LIBS).
- Patch from Robert Edmonds fixes hyphens in unbound-anchor man page.
- Removed 'increased limit open files' log message that is written
to console. It is only written on verbosity 4 and higher.
This keeps system bootup console cleaner.
- Patch from James Raftery, always print stats for rcodes 0..5.
- Fix SSL_CTX_load_verify_locations return code not properly
checked.
- Fix makefile for build from noexec source tree.
- Add include to getentropy_linux.c, fixing debian build.
- Fix that unbound fails to build on AArch64, protects
getentropy compat code from calling sysctl if it has been removed.
- Fix CVE-2014-8602: denial of service by making resolver chase endless
series of delegations.
Unbound 1.5.0
Download: unbound-1.5.0.tar.gz
SHA1 checksum: 6eb6d783b7376a48dc0b3dccfd8723d7074b4279
SHA256 checksum: 9fde4aeb8258bc864cd5e5d6d9b8bcf8fa12a57059424fece1c6adcc6387b876
PGP signature: unbound-1.5.0.tar.gz.asc
Date: 18 November, 2014
Features
- This release has DNS64, DNSTAP, better random numbers and
ub_ctx_add_ta_autr(), num.query.tcpout=value, flush_negative,
unblock-lan-zones conf.
- C.ROOT-SERVERS.NET has an IPv6 address, and we updated the root
hints (patch from Anand Buddhdev).
- Patch from Hannes Frederic Sowa for Linux 3.15 fragmentation
option for DNS fragmentation defense.
- unbound-control stats prints num.query.tcpout with number of TCP
outgoing queries made in the previous statistics interval.
- Patch from Jeremie Courreges-Anglas to use arc4random_uniform
if available on the OS, it gets entropy from the OS.
- Add unbound-control flush_negative that flushes nxdomains, nodata,
and errors from the cache. For dnssec-trigger and NetworkManager,
fixes cases where network changes have localdata that was already
negatively cached from the previous network.
- Contrib windows scripts from Yuri Voinov added to src/contrib:
create_unbound_ad_servers.cmd: enters anti-ad server lists.
unbound_cache.cmd: saves and loads the cache.
Also warmup.cmd (and .sh): warm up the DNS cache with your MRU domains.
- Added unbound-control-setup.cmd from Yuri Voinov to the windows
unbound distribution set. It requires openssl installed in %PATH%.
- Implement draft-ietf-dnsop-rfc6598-rfc6303-01.
- Feature, unblock-lan-zones: yesno that you can use to make unbound
perform 10.0.0.0/8 and other reverse lookups normally, for use if
unbound is running service for localhost on localhost.
- unbound-host -D enabled dnssec and reads root trust anchor from
the default root key file that was compiled in.
- Add AAAA for B root server to default root hints.
- unbound-control status reports if so-reuseport was successful.
- so-reuseport is available on BSDs (such as FreeBSD 10) and OS/X.
- arc4random in compat/ and getentropy, explicit_bzero, chacha for
dependencies, from OpenBSD. arc4_lock and sha512 in compat.
This makes arc4random available on all platforms, except when
compiled with LIBNSS (it uses libNSS crypto random).
- Patch from Dag-Erling Smorgrav that implements that: unbound -dd
does not fork in the background and also logs to stderr.
- DNS64 from Viagenie (BSD Licensed), written by Simon Perrault.
Initial commit of the patch from the FreeBSD base (with its fixes).
This adds a module (for module-config in unbound.conf) dns64 that
performs DNS64 processing, see README.DNS64.
- Patch add msg, rrset, infra and key cache sizes to stats command
from Maciej Soltysiak.
- DNSTAP support, with a patch from Farsight Security, written by
Robert Edmonds. The --enable-dnstap needs libfstrm and protobuf-c.
It is BSD licensed (see dnstap/dnstap.c). Also --with-libfstrm
and --with-protobuf-c configure options.
- type CDS and CDNSKEY types.
- Updated the TCP_BACLOG from 5 to 256, so that the tcp accept queue
is longer and more tcp connections can be handled.
- Add ub_ctx_add_ta_autr function to add a RFC5011 automatically
tracked trust anchor to libunbound.
Bug Fixes
- Fix print filename of encompassing config file on read failure.
- Patch from Stuart Henderson to build unbound-host man from .1.in.
- Fix do_tcp is do-tcp in unbound.conf man page.
- Fix unit test failure for systems with different
/etc/services.
- iana portlist updated.
- Fix make test fails on Ubuntu 14.04. Disabled remote-control
in testbound scripts.
- Documented that dump_requestlist only prints queries from thread 0.
- Fix unbound lists if forward zone is secure or insecure with
+i annotation in output of list_forwards, also for list_stubs
(for NetworkManager integration).
And remove ':' from output of stub and forward lists, this is
easier to parse.
- Fix use unsigned long to print 64bit statistics counters on
64bit systems.
- Fix failed prefetch lookup does not remove cached response
but delays next prefetch (in lieu of caching a SERVFAIL).
- Fix improved logging, the ip address of the error is printed
on the same log-line as the error.
- Fix explain that do-ip6 disable does not stop AAAA lookups,
but it stops the use of the ipv6 transport layer for DNS traffic.
- Fix compile with libevent2 on FreeBSD.
- Change MAX_SENT_COUNT from 16 to 32 to resolve some cases easier.
- Fixup out-of-directory compile with unbound-control-setup.sh.in.
- Code cleanup patch from Dag-Erling Smorgrav, with compiler issue
fixes from FreeBSD's copy of Unbound, he notes:
Generate unbound-control-setup.sh at build time so it respects
prefix and sysconfdir from the configure script. Also fix the
umask to match the comment, and the comment to match the umask.
Add const and static where needed. Use unions instead of
playing pointer poker. Move declarations that are needed in
multiple source files into a shared header. Move sldns_bgetc()
from parse.c to buffer.c where it belongs. Introduce a new
header file, worker.h, which declares the callbacks that
all workers must define. Remove those declarations from
libworker.h. Include the correct headers in the correct places.
Fix a few dummy callbacks that don't match their prototype.
Fix some casts. Hide the sbrk madness behind #ifdef HAVE_SBRK.
Remove a useless printf which breaks reproducible builds.
Get rid of CONFIGURE_{TARGET,DATE,BUILD_WITH} now that they're
no longer used. Add unbound-control-setup.sh to the list of
generated files. The prototype for libworker_event_done_cb()
needs to be moved from libunbound/libworker.h to
libunbound/worker.h.
- Fix caps-for-id fallback, and added fallback attempt when servers
drop 0x20 perturbed queries.
- Fix segfault or crash upon rotating logfile.
- fake-rfc2553 patch (thanks Benjamin Baier).
- LibreSSL provides compat items, check for that in configure.
- Bail out of unbound-control list_local_zones when ssl write fails.
- Fix endian.h include for OpenBSD.
- Fix unbound-checkconf -o option should skip verification checks.
- Fixup doc/unbound.doxygen to remove obsolete 1.8.7 settings.
- Update unbound manpage with more explanation (from Florian Obser).
- Fix tcp timer waiting list removal code.
- patches to also build with Python 3.x (from Pavel Simerda).
- improve python configuration detection to build on Fedora 22.
- Fix swig and python examples for Python 3.x.
- Fix for mingw compile with openssl-1.0.1i.
- Fix create service with service.conf in present directory and
auto load it.
- Allow tab ws in var length last rdfs (in ldns str2wire).
- Fix man page variable substitution bug.
- Whitespaces after $ORIGIN are not part of the origin dname (ldns).
- $TTL's value starts at position 5 (ldns).
- Fix unbound-checkconf check for module config with dns64 module.
- Fix unbound capsforid fallback, it ignores TTLs in comparison.
- Fix in ldns in unbound, lowercase WKS services.
- Fix ctype invocation casts.
- Disabled use of SSLv3 in remote-control and ssl-upstream.
- Redefine internal minievent symbols to unique symbols that helps
linking on platforms where the linker leaks names across modules.
- Fix bug where forward or stub addresses with same address but
different port number were not tried.
Unbound 1.4.22
Download: unbound-1.4.22.tar.gz
SHA1 checksum: a56e31e2f3a2fefa3caaad9200dd943d174ca81e
SHA256 checksum: 1caf5081b2190ecdb23fc4d998b7999e28640c941f53baff7aee03c092a7d29f
PGP signature: unbound-1.4.22.tar.gz.asc
Date: 12 March, 2014
Features
- separate ldns into core ldns inside ldns/ subdirectory. No more
configure --with-ldns is needed and unbound does not rely on libldns.
- Accept ip-address: as an alternative for interface: for
consistency with nsd.conf syntax.
- acl_deny_non_local and refuse_non_local added.
- so-reuseport: yesno option to distribute queries evenly over
threads on Linux (Thanks Robert Edmonds).
Reuseport is attempted, then fallback to without on failure.
- delay-close: msec option that delays closing ports for which
the UDP reply has timed out. Keeps the port open, only accepts
the correct reply. This correct reply is not used, but the port
is open so that no port-denied ICMPs are generated.
Bug Fixes
- Fix if very high logging (4 or more) segfault on allow_snoop.
- Fix Set SO_REUSEADDR so that the wildcard interface and a
more specific interface port 53 can be used at the same time, and
one of the daemons is unbound.
- if configured --with-libunbound-only fix make install.
- Patch from Neel Goyal to fix callback in libunbound.
- Patch from Neel Goyal to fix async id assignment if callback
is called by libunbound in the mesh attach.
- Fix compile python plugin without ldns library.
- Windows port, adjust %lld to %I64d, and warning in win_event.c.
- Fixed +i causes segfault when running with module
conf "iterator".
- Fix no trustanchor written if filesystem full, fclose checked.
- unbound-event.h is installed if you configure --enable-event-api.
It contains low-level library calls, that use libevent's event_base
and a wireformat return packet in a buffer to perform async
resolution in the client's eventloop.
- speed up unbound, by reducing lock contention on localzones.lock.
- Fix parse (in ldns) of quoted parenthesized text strings.
- Detect libevent2 install automatically by configure and fixup
link with lib/event2 subdir.
- License change "Regents" to "Copyright holder", matching
the BSD license on opensource.org.
- Fix parse of #553(NSD) string in sldns, quotes without spaces.
- Be lenient when a NSEC NameError response with RCODE=NXDOMAIN is
received. This is okay according to 4035, but not after revising
existence in 4592. NSEC empty non-terminals exist and thus the
RCODE should have been NOERROR. If this occurs, and the RRsets
are secure, we set the RCODE to NOERROR and the security status
of the response is also considered secure.
- iana portlist updated.
- contrib/cacti plugin did not report SERVFAIL rcodes
because of spelling. Patch from Chris Coates.
Unbound 1.4.21
Download: unbound-1.4.21.tar.gz
SHA1 checksum: 3ef4ea626e5284368d48ab618fe2207d43f2cee1
SHA256 checksum: 502f817a72721f78243923eb1d6187029639f7a8bdcc33a6ce0819bbb2a80970
PGP signature: unbound-1.4.21.tar.gz.asc
Date: 10 September, 2013
Features
- Implement max-udp-size config option, default 4096 (thanks
Daisuke Higashi), with fix#524 for nonEDNS0 queries.
- add unbound-control insecure_add and insecure_remove for the
administration of negative trust anchors.
- install copy of unbound-control.8 man page for
unbound-control-setup.
- code improve for minimal responses, small speed increase.
- max include of 100.000 files (depth and globbed at one time).
This is to preserve system memory in bug cases, or endless cases.
- unbound.h header file has UNBOUND_VERSION_MAJOR define.
- get_option, set_option, unbound-checkconf -o and libunbound
getoption() and setoption() support cache-min-ttl and cache-max-ttl.
Also log-time-ascii, python-script, val-sig-skew-min and val-sig-skew-max.
log-time-ascii takes effect immediately. The others are mostly useful
for libunbound users.
- configure --disable-flto option (from Robert Edmonds).
- streamtcp man page, contributed by Tomas Hozza.
- Make reverse zones easier by documenting the nodefault statements
commented-out in the example config file.
Bug Fixes
- committed libunbound version 4:1:2 for binary API updated in
1.4.20
- Fix for 2038, with time_t instead of uint32_t.
- Fix resolve of names that use a mix of public and private addresses.
- Fix endianness detection, revert to older lookup3.c
detection and put new detect lines after previous tests, to avoid
regressions but allow new detections to succeed. And add detection for
machine/endian.h to it.
- Fix queries leaking up for stubs and forwards, if the configured nameservers all fail to answer.
- unbound-anchor review: BIO_write can return 0 successfully if it
has successfully appended a zero length string.
- Fix so that for a configuration line of include: "*.conf" it is not
an error if there are no files matching the glob pattern.
- own implementation of compat/snprintf.c.
- pick program name (0th argument) as syslog identity.
- Fixup snprintf return value usage, fixed libunbound_get_option.
- Robust checks on dname validity from rdata for dname compare.
- iana portlist update.
- Fix round-robin doesn't work with some Windows clients (from Ilya
Bakulin).
- use of non-initialised values on socket
bind failures.
- use-after-free in out-of-memory handling code (thanks
Jake Montgomery).
- Explain bogus and secure flags in libunbound more.
- Update acx_pthreads.m4 to ax_pthreads.4 (2013-03-29), and apply
patch to it to not fail when -Werror is also specified, from the
autoconf-archives.
- Fixup manpage syntax.
- Fix for const string literals in C++ for libunbound, from Karel
Slany.
- Squelch sendto-permission denied errors when the network is
not connected, to avoid spamming syslog.
- libunbound documentation on how to avoid openssl race conditions.
- NSS returned arrays out of setup function to be statics.
- dnssec lameness detection for answers that are improper.
- ub_ctx_delete may hang in some scenarios (libunbound).
- Errors found by static analysis from Tomas Hozza (redhat).
Unbound 1.4.20
Download: unbound-1.4.20.tar.gz
SHA1 checksum: 1752976533be2a4f0c9cdbab9d2cbb67d4f27c43
SHA256 checksum: 14527002307873e557348a4d76b62ac036937d9c3033610a8425018c379fb56e
PGP signature: unbound-1.4.20.tar.gz.asc
Date: 21 March, 2013
Features
- add libunbound.ttl at end of result structure, version bump for
libunbound. Code compiled with 1.4.19 is binary compatible with the 1.4.20
library. If code uses the ttl it needs the 1.4.20 version.
Bug Fixes
- Change of D.ROOT-SERVERS.NET A address in default root hints.
- Fix openssl lock free on exit (reported by Robert Fleischman).
- unbound-anchors checks the emailAddress of the signer of the
root.xml file, default is dnssec@iana.org. It also checks that
the signer has the correct key usage for a digital signature.
- printout name of zone with duplicate fwd and hint errors.
- includes and have_ssl fixes for nss.
- detect endianness in lookup3 on BSD.
- iana portlist updated.
Unbound 1.4.19
Download: unbound-1.4.19.tar.gz
SHA1 checksum: ccf0d465fc0045d59ceca11ecde688edebd28ec1
SHA256 checksum: 47e681cf2489cdbad9c9687d579e9b052dceada8f9a720ba447689246aaeeadd
PGP signature: unbound-1.4.19.tar.gz.asc
Date: 12 December, 2012
Features
- RFC6725 deprecates RSAMD5: this DNSKEY algorithm is disabled. The contrib/patch_rsamd5_enable.diff patch enables RSAMD5 validation; otherwise it is treated as insecure. The MD5 hash is considered weak for some purposes; if you want to sign your zone, then RSASHA256 is an uncontested hash.
- unbound-control -q option is quiet, patch from Mariano Absatz.
- include: directive in config file accepts wildcards. Patch from
Paul Wouters. Suggested use: include: "/etc/unbound.d/conf.d/*"
Bug Fixes
- Fix openssl race condition, initializes openssl locks, reported
by Einar Lonn and Patrik Wallstrom.
- Improved forward-first and stub-first documentation.
- Fix that enables modules to register twice for the same
serviced_query, without race conditions or administration issues.
- Fix forward-first option where it sets the RD flag wrongly.
- added manpage links for libunbound calls (Thanks Paul Wouters).
- Add documentation to libunbound for default nonuse of resolv.conf.
- Fix timeouts so that when a server has been offline for a while and is probed to see it works, it becomes fully available for server selection again.
- Fallback to 1472 and 1232, one fragment size without headers.
- Nicer comments outgoing-port-avoid, thanks Stu.
- chdir to / after chroot call (suggested by Camiel Dobbelaar).
- updated contrib/unbound.spec, patch from Valentin Bud.
- ignore trusted-keys globs that have no files (from Paul Wouters).
- fix text in unbound-anchor man page.
- fix build of pythonmod in objdir (thanks Jakob Schlyter).
- make clean and makerealclean remove generated python and docs.
- Fix validation for responses with both CNAME and wildcard
expanded CNAME records in answer section.
- Fix unbound-anchor segfault if EDNS is blocked.
- Fix unbound-control forward disables configured stubs below it.
- Fix python example0.
- iana portlist updated.
Unbound 1.4.18
Download: unbound-1.4.18.tar.gz
SHA1 checksum: b64b4c9f7981df4e7589ebb770a31352a09db3fb
SHA256 checksum: b20f45ff90b944f306fc1875084af8ecba68ca0db16895148288d43cec225b8d
PGP signature: unbound-1.4.18.tar.gz.asc
Date: 2 August, 2012
Features
- implement log-time-ascii on windows.
- --with-libunbound-only build option, only builds the library and
not the daemon and other tools.
- --with-nss build option (for now, --with-libunbound-only), uses
libNSS for crypto operations.
- disable RSAMD5 if in FIPS mode (for openssl and for libnss).
- Add flush_bogus option for unbound-control.
Bug Fixes
- Fix libunbound report of errors when in background mode.
- fix bogus nodata cname chain not reported as bogus by validator,
(Thanks Peter van Dijk).
- Fix for ACX_CHECK_COMPILER_FLAG from configure.ac,
if CFLAGS is specified at configure time then '-g -O2' is not
appended to CFLAGS, so that the user can override them.
- FIPS_mode openssl does not use arc4random but RAND_pseudo_bytes.
- fix missing break for GOST DS hash function.
- implemented forward_first for the root.
- code review: return value of cache_store can be ignored for better
performance in out of memory conditions.
- patch for unbound_munin_ script to handle arbitrary thread count by
Sven Ulland.
- Fix validation of qtype DS queries that result in no data for
non-optout NSEC3 zones.
- fix edns-buffer-size and msg-buffer-size manpage documentation.
- fix error handling of alloc failure during rrsig verification.
- The key-cache bad key ttl is now 60 seconds.
- fix crash on assert in mesh_state_attachment.
Fixes DS NS search to not generate duplicate sub queries.
- silence warning from swig-generated code (md set but not used in
swig initmodule, due to ifdefs in swig-generated code).
- Fix debian-bugs-658021: Please enable hardened build flags.
- update iana ports list
Unbound 1.4.17
Download: unbound-1.4.17.tar.gz
SHA1 checksum: fea4d812c03af4737ef671ac30b7b7400d346516
SHA256 checksum: 2637d6bda4065d7abf1cd11ee25bfc8e916241153c2d331de99ab6c63df5e3d3
PGP signature: unbound-1.4.17.tar.gz.asc
Date: 24 May, 2012
Features
- unbound-control forward_add, forward_remove, stub_add, stub_remove
can modify stubs and forwards for a running unbound; they can also add and
remove domain-insecure for the zone. This is to support reconfiguration
of a DNSSEC validator on a computer that changes networks and has to enable
new network config for the new location.
- new approach to NS fetches for DS lookup that works with
cornercases, and is more robust and considers forwarders.
- contrib/validation-reporter follows rotated log file (patch from
Augie Schwer).
- Applied patch from Daisuke HIGASHI for rrset-roundrobin and
minimal-responses features (new options, enable in unbound.conf to use).
- ECDSA support (RFC 6605) by default. Use --disable-ecdsa for older
openssl.
- Patch for access to full DNS packet data in unbound python module
from Ondrej Mikle.
- forward-first option. Tries without forward if a query fails.
Also stub-first option that is similar.
Bug Fixes
- Fix possible uninitialised variable in windows pipe implementation.
- Fix alignment problem in util/random on sparc64/freebsd.
- Fix for accept spinning reported by OpenBSD.
- Fix validation of nodata for DS query in NSEC zones, reported by
Ondrej Mikle.
- Fix that setusercontext was called too late (thanks Bjorn
Ketelaars).
- Fix --with-chroot-dir not honoured by configure.
- Fix that Makefile depends on pythonmod headers
even using --without-pythonmodule.
- Fix to locate nameservers for DS lookup with NS fetches.
- Applied line-buffer patch from Augie Schwer to
validation.reporter.sh.
- flush_infra cleans timeouted servers from the cache too.
- Fix from code review, if EINPROGRESS not defined chain if statement
differently.
- Fix windows port to check registry for config file location
for unbound-control.exe, and unbound-checkconf.exe.
- Fix to squelch 'network unreachable' errors from tcp connect in
logs, high verbosity will show them.
- Fix prefetch and sticky NS ghost domain. It picks
nameservers that 'would be valid in the future', and if this makes
the NS timeout, it updates that NS by asking delegation from the
parent again. If child NS has longer TTL, that TTL does not get
refreshed from the lookup to the child nameserver.
- RT#2955 Fix for cygwin compilation.
- Slightly smaller critical region in one case in infra cache.
- Fix timeouts to keep track of query type, A, AAAA and other, if
another has caused timeout blacklist, different type can still probe.
- unit test fix for nomem_cnametopos.rpl race condition.
- fix memory leak in errorcase for DSA signatures.
- workaround for openssl 0.9.8 ecdsa sha2 and evp problem.
- fix for windows, rename() is not posix compliant on windows.
- iana portlist updated
Unbound 1.4.16
Download: unbound-1.4.16.tar.gz
SHA1 checksum: 68ed8737b1a6e3f9a67812f7e962fd6740494c1e
SHA256 checksum: fb71665851eb11d3b1ad5dd5f9d7b167e0902628c06db3d6fc14afd95cc970fa
PGP signature: unbound-1.4.16.tar.gz.asc
Date: 2 February, 2012
Features
- applied patch to support outgoing-interface with ub_ctx_set_option.
Bug Fixes
- Fix validation failures (like: validation failure xx: no NSEC3
closest encloser from yy for DS zz. while building chain of trust);
because of a bug in the TTL-fix in 1.4.15, it picked the wrong rdata
for an NSEC3. Now it does not change rdata, and fixes TTL.
- Fix version-number in libtool to be version-info so it produces
libunbound.so.2 like it should.
- Fixes for port to OpenIndiana OS with gcc 4.6.
- Fix to write key files completely to a temporary file, and if that
succeeds, replace the real key file. So failures leave a useful file.
Unbound 1.4.15
Download: unbound-1.4.15.tar.gz
SHA1 checksum: bbda46664ea8391ca7986300ce98a79787c0e322
SHA256 checksum: 729d427c00c160de4ee66945d762b3282677e957407450152088369216a30020
PGP signature: unbound-1.4.15.tar.gz.asc
Date: 26 January, 2012
Bug Fixes
- Fix for memory leak (about 20 bytes when a tcp or udp send operation
towards authority servers failed, takes about 50.000 such failures to
leak one Mb, such failures are also usually logged), reported by Robert
Fleischmann.
- Fix to randomize hash function, based on 28c3 congress, reported
by Peter van Dijk.
- unbound reports wrong TTL in reply, it reports a TTL
that would be permissible by the RFCs but it is not the TTL in the cache.
- add ub_version() call to libunbound. API version increase,
with (binary) backwards compatibility for the previous version.
- Fix bug where canonical_compare of RRSIG did not downcase the
signer-name. This is mostly harmless because RRSIGs do not have
to be sorted in canonical order, usually.
- uninitialised variable in reprobe for rtt blocked domains fixed.
- iana portlist updated.
Unbound 1.4.14
Download: unbound-1.4.14.tar.gz
SHA1 checksum: 1435029abe63d0106213acb9f173b885183cf1d7
SHA256 checksum: c15b85145e3175f3d933837071b4ffaae8da4a394139ac0e7f3dfee11712e7d3
PGP signature: unbound-1.4.14.tar.gz.asc
Date: 19 December, 2011
Features
- Makefile changed for BSD make compatibility.
- dns over ssl support as a client, ssl-upstream yes turns it on.
It performs an SSL transaction for every DNS query.
- dns over ssl support as a server, ssl-service-pem and ssl-service-key files
can be given and then TCP queries are serviced wrapped in SSL.
- lame-ttl and lame-size options no longer exist, it is integrated
with the host info. They are ignored (with verbose warning) if
encountered to keep the config file backwards compatible.
- TCP-upstream calculates tcp-ping so server selection works if there
are alternatives.
- Unbound probes at EDNS1480 if there is an EDNS0 timeout.
Bug Fixes
- Fix for VU#209659 CVE-2011-4528: Unbound denial of service
vulnerabilities from nonstandard redirection and denial of existence
http://www.unbound.net/downloads/CVE-2011-4528.txt
- Fix for tcp-upstream and ssl-upstream for if a laptop sleeps, causes
SERVFAILs. Also fixed for UDP (but less likely).
- Fix quartile time estimate, it was too low, (thanks Jan Komissar).
- Fix double free in unbound-host, reported by Steve Grubb.
- fix -flto detection on Lion for llvm-gcc.
- Infra cache stores information about ping and lameness per IP, zone.
- Fix resolve of partners.extranet.microsoft.com with a fix for the
server selection for choosing out of a (particular) list of bad
choices.
- Fix make_new_space function so that the incoming query is not
overwritten if a jostled out query causes a waiting query to be
resumed that then fails and sends an error message. (Thanks to
Matthew Lee).
- fix unbound-anchor for broken strptime on OSX lion, detected
in configure.
- Detect if GOST really works, openssl1.0 on OSX fails.
- Implement ipv6%interface notation for scope_id usage.
- better documentation for inform_super (Thanks Yang Zhe).
- Fix for out-of-memory condition in libunbound (thanks Robert Fleischman).
- Fix --enable-allsymbols, it depended on link specifics of the
target platform, or fptr_wlist assertion failures could occur. The feature is
disabled on windows.
- updated contrib/unbound_munin_ to family=auto so that it works with
munin-node-configure automatically (if installed as
/usr/local/share/munin/plugins/unbound_munin_ ).
- unbound.exe -w windows option for start and stop service.
- Fix classification of NS set in answer section, where there is a
parent-child server, and the answer has the AA flag for dir.slb.com.
Thanks to Amanda Constant from Secure64.
- accept patch from Steve Snyder that comments out
unused functions in lookup3.c.
- fix various compiler warnings (reported by Paul Wouters).
- max sent count. EDNS1480 only for rtt < 5000. No promiscuous
fetch if sentcount > 3, stop query if sentcount > 16. Count is
reset when referral or CNAME happens. This makes unbound better
at managing large NS sets, they are explored when there is continued
interest (in the form of queries).
- remove uninit warning from cachedump code.
- Fix parse error on negative SOA RRSIGs if badly ordered in the packet.
- fix infra cache comparison.
- Fix to constrain signer_name to be a parent of the lookupname.
- robust checks for next-closer NSEC3s.
- iana portlist updated.
Unbound 1.4.13
Download: unbound-1.4.13.tar.gz
SHA1 checksum: 834ccfd1cb41a44f53b33f8338a8f9cc68febaf7
SHA256 checksum: 83c7dc2756c488ab5bfcb9b25b81236a4ec42fb3d505267fcaf005555f3a2313
PGP signature: unbound-1.4.13.tar.gz.asc
Date: 15 September, 2011
Features
- Note that Unbound implements RFC6303 (since version 1.4.7).
- tcp-upstream yes/no option (works with set_option) for tunnels.
- The format of answers to the qtype ANY with a CNAME has
changed, so that there can be proper validated DNSSEC answers for them.
This is for queries with qtype ANY where the domain name has a CNAME.
Now an answer is returned, where before it resulted in SERVFAIL due to
validation failure. When DNSSEC validation is disabled, the contents
of the response have changed: the CNAME is not followed, and the correct
contents of the RRsets at the initial name are included (where previously
only partial contents of the initial names could have been included but
the CNAME was followed). The qtype ANY is a query for debug where the
resolver is to fill in relevant data that happens to be at hand from
the cache.
Bug Fixes
- Fix validation of qtype ANY responses with CNAMEs (thanks Cathy Zhang
and Luo Ce). Unbound responds with the RR types that are available at
the name for qtype ANY and validates those RR types. It does not test
for completeness (i.e. with NSEC or NSEC3 query), and it does not follow
the CNAME or DNAME to another name (with even more data for the already
large response)
- Documented the options that work with control set_option command.
- Fix that internally, CNAMEs with NXDOMAIN have that as rcode.
- Fix validation of . DS query.
- Fix wildcard expansion no-data reply under an optout NSEC3 zone is
validated as insecure, reported by Jia Li (lijia cnnic.cn).
- Fix python site-packages path to /usr/lib64.
- fix memory and fd leak after out-of-memory condition.
- patch from Tom Hendrikx fixes load of python modules.
- Applied patch from Karel Slany that fixes a memory leak in the unbound
python module, in string conversions.
- Fix num-threads 0 does not segfault, reported by Simon Deziel.
- fix autoconf 2.68 warnings
- iana portlist updated
Unbound 1.4.12
Download: unbound-1.4.12.tar.gz
SHA1 checksum: c46c05d1fa2402a59c10f51864fd4c62d10a472f
SHA256 checksum: d7f0ee340b8a62e3fe02e505fdf6f2e4742ae7eaf8fd1da200fb38c4947e2d66
PGP signature: unbound-1.4.12.tar.gz.asc
Date: 14 July, 2011
Bug Fixes
- removed ldns-src tarball inside the unbound tarball.
- fix that id bits of other query may leak out under conditions
- fix replyaddr count wrong after jostled queries, which leads to
eventual starvation where the daemon has no replyaddrs left to use.
- fix that the listening socket is not closed when too many remote
control connections are made at the same time.
- version number in example config file.
- fix that --enable-static-exe does not complain about it unknown.
- iana portlist updated
Unbound 1.4.11
Download: unbound-1.4.11.tar.gz
SHA1 checksum: 3dbd7854b05b1e48fcc088be50e4c7aafc8d7306
SHA256 checksum: 19e44dd7a737de678456885483002c6cd84147d334c7323cb3674d2012c82b4b
PGP signature: unbound-1.4.11.tar.gz.asc
Date: 30 June, 2011
Features
- log-queries: yesno option, default is no, prints querylog.
- ignore-cd-flag: yesno to provide dnssec to legacy servers.
- Use -flto compiler flag for link time optimization, if supported.
- unbound-control has version number in the header, and uses port number registered with IANA, 8953.
Bug Fixes
- Fix Makefile for U in environment, since wrong U is more common than
deansification necessity.
- defense in depth against the assertion failure bug fixed in 1.4.10,
an error is printed to log instead of an assertion failure.
- --enable-allsymbols option links all binaries to libunbound
and reduces install size significantly.
- Fix TTL of SOA so negative TTL is separately cached from normal TTL.
- configure created with newer autoconf 2.66.
- Fix that configure checks for ldns_get_random presence.
- queries with CD flag set cause DNSSEC validation, but the answer is
not withheld if it is bogus. Thus, unbound will retry if it is bad
and curb the TTL if it is bad, thus protecting the cache for use by
downstream validators.
- val-override-date: -1 ignores dates entirely, for NTP usage.
- harden-below-nxdomain: changed so that it activates when the
cached nxdomain is dnssec secure. This avoids backwards
incompatibility because those old servers do not have dnssec.
- statistics-interval prints the number of jostled queries to log.
- IPv6 service address for d.root-servers.net (2001:500:2D::D).
- updated ldns tarball to 1.6.10rc2 snapshot
- iana portlist updated.
Unbound 1.4.10
Download: unbound-1.4.10.tar.gz
SHA1 checksum: ac9ab61a51e147ade69ca8b043fee2ed76336a62
SHA256 checksum: dace571f8906e858cebaa347824e3e0be711c830cc6eb747eb6c2246e2e5ecea
PGP signature: unbound-1.4.10.tar.gz.asc
Date: 25 May, 2011
Bug Fixes
- Fix assertion failure when unbound generates an empty error reply in
response to a query, CVE-2011-1922 VU#531342.
Unbound 1.4.9
Download: unbound-1.4.9.tar.gz
SHA1 checksum: f2ac7b4ef1d1b330e2dd5e2eedeb6fd2bbad8478
SHA256 checksum: da0b989fe8cf10e43481343873eaedf60bef63be473c86d73d0254b79c5916b7
PGP signature: unbound-1.4.9.tar.gz.asc
Date: 24 March, 2011
Bug Fixes
- Added explicit note on unbound-anchor usage:
Please note usage of unbound-anchor root anchor is at your own risk
and under the terms of our LICENSE (see that file in the source).
- Fix remove private address does not throw away entire response.
- Fix, time.elapsed variable not reset with stats_noreset.
- Fix no ADflag for NXDOMAIN in NSEC3 optout. And wildcard in optout.
- give config parse error for multiple names on a stub or forward zone.
- updated ldns tarball to 1.6.9(snapshot).
- iana portlist updated.
Unbound 1.4.8
Download: unbound-1.4.8.tar.gz
SHA1 checksum: 557a9c10de9a83f88cd7c66d44488f1cb65de4fa
SHA256 checksum: 5bf4060d2e778a1268498f4937583726d1d36909d7f40900ee31a722a64d506f
PGP signature: unbound-1.4.8.tar.gz.asc
Date: 24 January, 2011
Features
- harden-below-nxdomain config option, default off (because very old
software may be incompatible). We could enable it by default in
the future. From draft-vixie-dnsext-resimprove-00.
- typetransparent localzone: does not block other RR types.
- so-sndbuf option for very busy servers, a bit like so-rcvbuf.
Bug Fixes
- Fix so a changed NS RRset does not get moved name stuck on old
server, for type NS the TTL is not increased.
- Fix prefetch so it does not get stuck on old server for moved names.
- Fix insecure CNAME sequence marked as secure, reported by Bert
Hubert.
- faster lruhash get_mem routine.
- remove ITAR scripts from contrib, the service is discontinued, use the root.
- Fix in infra cache that could cause rto larger than TOP_TIMEOUT kept.
- algorithm compromise protection using the algorithms signalled in
the DS record. Also, trust anchors, DLV, and RFC5011 receive this,
and thus, if you have multiple algorithms in your trust-anchor-file
then it will now behave different than before. Also, 5011 rollover
for algorithms needs to be double-signature until the old algorithm
is revoked.
- squelch 'tcp connect: bla' in logfile, (set verbosity 2 to see them)
- fix validation in this case: CNAME to nodata for co-hosted opt-in
NSEC3 insecure delegation, was bogus, fixed to be insecure.
- Fix our 'BDS' license (typo reported by Xavier Belanger).
- print address when socket creation fails.
- Fix storage of EDNS failures in the infra cache.
- silence 'tcp connect: broken pipe' and 'net down' at low verbosity.
- unbound-anchor compiles with openssl 0.9.7.
- Be lenient and accept imgw.pl malformed packet (like BIND).
- the included ldns tarball is updated (to 1.6.8)
- iana portlist updated.
Unbound 1.4.7
Download: unbound-1.4.7.tar.gz
SHA1 checksum: 6e9d663b414bcbbc7db75d0fc3b9174e45ec0951
SHA256 checksum: fe17ef4639f965cbf0864d0e49ec00d567d7c4ab9f199f2a6f00842b6e48016c
PGP signature: unbound-1.4.7.tar.gz.asc
Date: 8 November, 2010
Features
- unbound-anchor app, unbound requires libexpat (xml parser library).
It creates or updates a root.key file. Use it before you start the
validator (e.g. at system boot time).
- dump_infra and flush_infra commands for unbound-control.
Bug Fixes
- GOST code enabled by default (RFC 5933).
- Configure detects libev-4.00.
- do not synthesize a CNAME message from cache for qtype DS.
- Use central entropy to seed threads.
- Change the rtt used to probe EDNS-timeout hosts to 1000 msec.
- Fix validation failure for parent and child on same server with an
insecure childzone and a CNAME from parent to child.
- Change of timeout code. No more lost and backoff in blockage.
At 12sec timeout (and at least 2x lost before) one probe per IP
is allowed only. At 120sec, the IP is blocked. After 15min, a
120sec entry has a single retry packet.
- no timeout backoff if meanwhile a query succeeded.
- Configure errors if ldns is not found.
- Windows 7 fix for the installer.
- Fix bug where fallback_tcp causes wrong roundtrip and edns
observation to be noted in cache. Fix bug where EDNSprobe halted
exponential backoff if EDNS status unknown.
- interface automatic works for some people with ip6 disabled.
Therefore the error check is removed, so they can use the option.
- Fix TCP so it uses a random outgoing-interface.
- Fix bug when DLV below a trust-anchor that uses NSEC3 optout where
the zone has a secure delegation hosted on the same server did not
verify as secure (it was insecure by mistake).
- Fix alloc_reg_release for longer uptime in out of memory conditions.
- in example.conf show correct ipv4
link-local 169.254/16.
- compliance with draft-ietf-dnsop-default-local-zones-14, removed
reverse ipv6 orchid prefix from builtin list.
- Algorithm rollover operational reality intrudes, for trust-anchor and
5011-store, if one key matches it's good enough.
- Fix reported validation error in out of memory condition.
- Abide RFC5155 section 9.2: no AD flag for replies with NSEC3 optout.
- increased mesh-max-activation from 1000 to 3000 for crazy domains
like _tcp.slb.com with 262 servers.
- Fix for cannot access stub zones until the root is
primed.
- openbsd-lint fixes
- Fix resolution of rs.ripe.net artifacts with 0x20.
Delegpt structures checked for duplicates always.
No more nameserver lookups generated when depth is full anyway.
- Fix, configure does not respect CFLAGS on Solaris.
Pass CFLAGS="-xO4 -xtarget=generic" on the configure command line
if use sun-cc, but some systems need different flags.
- Fix acx_nlnetlabs.m4 configure output for autoconf-2.66 AS_TR_CPP
changes, uses m4_bpatsubst now.
- make test (or make check) should be more portable and run the unit
test and testbound scripts. (make longtest has special requirements).
- More pleasant remote control command parsing.
- Fix name of rrset printed that failed validation.
- Return NXDOMAIN after chain of CNAMEs ends at name-not-found.
- Fix validation in case a trust anchor enters into a zone with
unsupported algorithms.
- iana portlist updated.
- updated ldns tarball.
Unbound 1.4.6
Download: unbound-1.4.6.tar.gz
SHA1 checksum: b0d7c58f173c5c80cc81345f6766555f96bde20d
SHA256 checksum: 9c2ce107b551dbd65d007549caea13ecba7dd30d690821f2bafa9da2d047b9de
PGP signature: unbound-1.4.6.tar.gz.asc
Date: 3 August, 2010
Features
- Builtin root hints contain AAAA for I.ROOT-SERVERS.NET.
- unbound.h has extern "C" statement for easier include in c++.
- added feature to print configure date, target and options with -h.
- added feature to print event backend system details with -h.
- (ports and works on Minix 3.1.7). On Minix,
add /usr/gnu/bin to PATH, use ./configure AR=/usr/gnu/bin/gar
and gmake.
- GOST enabled if SSL is recent and ldns has GOST enabled too.
Bug Fixes
- Fix TCPreply on systems with no writev, if just 1 byte could be sent.
- Fix to use one pointer less for iterator query state store_parent_NS.
- Max referral count from 30 to 130, because 128 one character domains is valid DNS.
- added documentation for the histogram printout to syslog.
- Fix assertion failure reported by Kai Storbeck from XS4ALL, the assertion was wrong.
- updated ldns tarball.
- iana portlist updated.
- Unbound reports libev or libevent correctly in logs in verbose mode.
- Fix handling of corner case reply from lame server, follows rfc2308.
It could lead to a nodata reply getting into the cache if the search
for a non-lame server turned up other misconfigured servers.
- Fix jostle list bug found by Vince (luoce at cnnic), it caused the qps
in overload situations to be about 5 qps for the class of shortly
serviced queries. The capacity of the resolver is then
about (numqueriesperthread / 2) / (average time for such long queries) qps
for long queries. And about (numqueriesperthread / 2)/(jostletimeout in
whole seconds) qps for short queries, per thread.
- Fix the max number of reply-address count to be applied for duplicate
queries, and not for new query list entries. This raises the memory
usage to a max of (16+1)*numqueriesperthread reply addresses.
- Fix RFC4035 compliance with 2.2 statement that the DNSKEY at apex
must be signed with all algorithms from the DS rrset at the parent.
This is now checked and becomes bogus if not.
- Fix validation of qtype DNSKEY when a key-cache entry exists but
no rr-cache entry is used (it expired or prefetch), it then goes
back up to the DS or trust-anchor to validate the DNSKEY.
- log if a server is skipped because it is on the donotquery list,
at verbosity 4, to enable diagnosis why no queries to 127.0.0.1.
- failure to chown the pidfile is not fatal any more.
- Neat function prototypes, unshadowed local declarations.
- Fix integer underflow in prefetch ttl creation from cache. This
fixes a potential negative prefetch ttl.
- Changed the defaults for num-queries-per-thread/outgoing-range.
For builtin-select: 512/960, for libevent 1024/4096 and for
windows 24/48 (because of win api). This makes the ratio this way
to improve resilience under heavy load. For high performance, use
libevent and possibly higher numbers.
Unbound 1.4.5
Download: unbound-1.4.5.tar.gz
SHA1 checksum: c1f227b95448cdfd0006d6d00b3d4354500d7564
SHA256 checksum: 905685836715ac715098909ae5268504322f0f226c957d18ed32895c76d8224c
PGP signature: unbound-1.4.5.tar.gz.asc
Date: 3 June, 2010
Features
- unbound-control get_option domain-insecure shows config file items.
- Autotrust anchor file can be initialized with a ZSK key as well (if the domain's DNSKEY set is signed with that ZSK).
- Conforms to draft-ietf-dnsop-default-local-zones-13. Added default
reverse lookup blocks for IPv4 test nets 100.51.198.in-addr.arpa,
113.0.203.in-addr.arpa and Orchid prefix 0.1.1.0.0.2.ip6.arpa.
- Contribution from Migiel de Vos (Surfnet): nagios patch for
unbound-host, in contrib/ (in the source tarball). Makes unbound-host
suitable for monitoring dnssec(-chain) status.
- GOST disabled-by-default, the algorithm number is allocated but the
RFC still has to pass AUTH48 at the IETF.
Bug Fixes
- Fix validation failure for qtype ANY caused by a RRSIG parse failure.
The validator error message was 'no signatures from ...'.
- Squelch log message: sendto failed permission denied for
255.255.255.255, it is visible in VERB_DETAIL (verbosity 2).
- Fix fetch from blacklisted dnssec lame servers as last resort. The
server's IP address is then given in validator errors as well.
- Fix local-zone type redirect that did not use the query name for
the answer rrset.
- Compile fix using Sun Studio 12 compiler on Solaris 5.9, use
CPPFLAGS during configure process.
- Fix if libev is installed on the base system (not libevent), detect
it from the event.h header file and link with -lev.
- Fix configlexer.lex gets config.h, and configyyrename.h added by make,
no more double include.
- More strict scrubber (Thanks to George Barwood for the idea): NS set
must be pertinent to the query.
- In 0x20 backoff fix fallback so the number of
outstanding queries does not become -1 and block the request.
Fixed handling of recursion-lame in combination with 0x20 fallback. Fix so
RRsets are compared canonicalized and sorted if the immediate comparison
fails, this makes the 0x20 option work around round-robin sites.
- Fix retry sequence if prime hints are recursion-lame.
- Fix so harden-referral-path does not result in failures due to max-depth.
You can increase the max-depth by adding numbers (' 0') after the
target-fetch-policy, this increases the depth to which is checked.
- Fix detection of GOST support in ldns (reported by Chris Smith).
- Fix for dnssec lameness detection to use the key cache.
- infra cache entries that are expired are wiped clean. Previously
it was possible to not expire host data (if accessed often).
- Fix dnssec-missing detection that was turned off by server selection.
- Fix spelling error in variable name in parser and lexer.
- Fix various compiler warnings from the clang llvm compiler.
- Fix comments in iter_utils:dp_is_useless.
- EDNS timeout code will not fire if EDNS status already known.
- EDNS failure not stored if EDNS status known to work.
- Parent-child disagreement approach altered. Older fixes are removed
in place of a more exhaustive search for misconfigured data available via
the parent of a delegation. This is designed to be throttled by cache
entries, with TTL from the parent if possible. Additionally the loop-counter
is used. It also tests for NS RRset differences between parent and child.
The fetch of misconfigured data should be more reliable and thorough. It
should work reliably even with no or only partial data in cache. Data
received from the child (as always) is deemed more authoritative than
information received from the delegation parent. The search for
misconfigured data is not performed normally.
- Fix AD flag handling, it could in some cases mistakenly copy the AD
flag from upstream servers.
- Ignore Z flag in incoming messages too.
- alloc_special_obtain out of memory is not a fatal error any more,
enabling unbound to continue longer in out of memory conditions.
- Parentside names are dispreferred but not said to be dnssec-lame.
- Fix parentside and querytargets modulestate, for dump_requestlist.
- unbound-control-setup makes keys -rw-r--- so not all users permitted.
- libtoolize 2.2.6b, autoconf 2.65 applied to configure.
- Fix compile warning if compiled without threads.
- iana portlist updated.
- included ldns tarball updated.
- Fix bug where a long loop could be entered, now cycle detection
has a loop-counter and maximum search amount.
Unbound 1.4.4
Download: unbound-1.4.4.tar.gz
SHA1 checksum: 2cb4c34ece87e43c9acc8da85d2ea1c8ea1ffe66
SHA256 checksum: 0ed08d9a60670730f906a571cbd0ed8b5b78deca9417161b5df8296d77ad7f5f
PGP signature: unbound-1.4.4.tar.gz.asc
Date: 22 April, 2010
Features
- Experimental ECC-GOST algorithm support, needs openssl-1.0.0
and currently needs ldns from svn trunk. Uses ECC-GOST algorithm
number 12 (assigned by IANA). As the RFC is written, we intend to make it
optional, because a dependency on openssl-1.0.0 is hard across distributions
right now.
- unbound-host disables use-syslog from config file so that the
config file for the main server can be used more easily.
- Include less in config.h and include per code file for ldns, ssl.
Bug Fixes
- pkt_dname_tolower could read beyond end of buffer or
get into an endless loop, if 0x20 was enabled, and buffers are small or
particular broken packets are received.
- Fix chain of trust with CNAME at an intermediate step, for the DS
processing proof.
- Fix validation of queries with wildcard names (*.example).
- Fix EDNS probe for .de DNSSEC testbed failure, where the infra cache
timeout coincided with a server update, the current EDNS backoff is less
sensitive, and does not cache the backoff unless the backoff actually
works and the domain is not expecting DNSSEC.
- unbound control flushed items are not counted when flushed again.
- iana portlist updated.
- unbound-checkconf could not parse interface
'0.0.0.0@5353', even though unbound itself worked fine.
- Fixed random numbers for port, interface and server selection.
Removed very small bias.
- Refer to the listing in unbound-control man page in the extended
statistics entry in the unbound.conf man page.
- Fix interface-automatic for OpenBSD: msg.controllen was too small,
also assertions on ancillary data buffer.
- check for IP_SENDSRCADDR for interface-automatic or IP_PKTINFO.
- for NSEC3 check if signatures are cached.
- Reordered configure checks so fork and -lnsl -lsocket checks are
earlier, and thus later checks benefit from and do not hinder them.
- ldns tarball updated.
- Fix python use when multithreaded.
- Fix solaris python compile.
- spelling fix in validation error involving cnames.
Unbound 1.4.3
Download: unbound-1.4.3.tar.gz
SHA1 checksum: 4b4b979683993452359eccf4f60cf9404600da9d
SHA256 checksum: 7c212228234547af776d51067a04a8c32f572e5db493e16a269370da4413070f
PGP signature: unbound-1.4.3.tar.gz.asc
Date: 11 March, 2010
Bug Fixes
- Fix for memory alignment in struct sock_list allocation. This is
a remote denial of service vulnerability, as it could make unbound crash
on 64bit systems if triggered.
- Fix for MacPorts ldns without ssl default, unbound checks if ldns
has dnssec functionality and uses the builtin if not.
- Fix daemonize on Solaris 10, it did not detach from terminal.
Unbound 1.4.2
Download: unbound-1.4.2.tar.gz
SHA1 checksum: bad6b453924c853b177234890522a05904b2e5f9
SHA256 checksum: 9b2821eeb9fee3145ac04c7dc648ea1ae7d9a600de6b0a1ffacebe7643b913e1
PGP signature: unbound-1.4.2.tar.gz.asc
Date: 9 March, 2010
Features
- unbound-control list_stubs, list_forwards, list_local_zones, list_local_data, log_reopen, set_option and get_option.
- libunbound ub_ctx_get_option() added.
- --enable-checking: enables assertions but does not look nonproduction.
- nicer VERB_DETAIL (verbosity 2, unbound-host -d) output, with nxdomain and nodata distinguished.
- prefetch-key option that performs DNSKEY queries earlier in the validation process, and that could halve the latency on DNSSEC queries. It takes some extra processing (CPU, a cache is needed).
- prefetch option that prefetches popular queries before they expire.
- change unbound-control-setup from 1024(sha1) to 1536(sha256).
Bug Fixes
- Re-query pattern changed on validation failure. To protect troubled
authority servers, unbound caches a failure for the DNSKEY or DS records
for the entire zone, and only retries that 900 seconds later. This
implies that only a handful of packets are sent extra to the authority
if the zone fails. We made the choice to send out more conservatively,
protecting against an aggregate effect more than protecting a single user
(from their own folly, perhaps in case of misconfig).
- Fix crash in control channel code.
- iana portlist updated.
- make install depends on make all.
- Fix 5011 auto-trust-anchor-file initial read to skip RRSIGs.
- ldns tarball updated: long label length syntax error fix, libdl compile fix.
- --disable-rpath fixed for libtool not found errors.
- Fixup prototype for lexer cleanup in daemon code.
- Fix scrubber bug that potentially let NS records through. Reported by Amanda Constant.
- Also delete potential poison references from additional.
- Fix: no classification of a forwarder as lame, throwaway instead.
- More strict DS scrubbing.
- No more blacklisting of unresponsive servers, a 2 minute timeout is backed off to.
- RD flag not enabled for dnssec-blacklisted tries, unless necessary.
- log 'tcp connect: connection timed out' only in high verbosity.
- Disregard DNSKEY from authority section for chain of trust. DS records that are irrelevant to a referral scrubbed. Anti-poison.
- Check for 'no space left on device' (or other errors) when writing updated autotrust anchors and print errno to log.
- Fixup in compat snprintf routine, %f 1.02 and %g support.
- include math.h for testbound test compile portability.
- Updated url of IANA itar, interim trust anchor repository, in script.
- configure test for memcmp portability.
- removed warning on format string in validator error log statement.
- libtool finish the install of unbound python dynamic library.
- Fixup lookup trouble for parent-child domains on the first query.
- Fixup ldns detection to also check for header files.
- Fix unbound-checkconf for auto-trust-anchor-file present checks.
- Fix for parent-child disagreement code which could have trouble when (a) ipv6 was disabled and (b) the TTL for parent and child were different. There were two bugs, the parent-side information is fixed to no longer block lookup of child side information and the iterator is fixed to no longer attempt to get ipv6 when it is not enabled and then give up in failure.
- Fixup python documentation (thanks Leo Vandewoestijne).
- DNS wireformat max is 255. dname_valid allowed 256 length.
- verbose output includes parent-side-address notion for lameness.
- documented val-log-level: 2 setting in example.conf and man page.
Unbound 1.4.1
Download: unbound-1.4.1.tar.gz
SHA1 checksum: a7bfcc057e4d242bfced847f587a71f8eaa236d7
SHA256 checksum: 2573db422d7a856a3783b96698f2d5ca18a849d0bd6f0e36eb37a4f0a65b60e2
PGP signature: unbound-1.4.1.tar.gz.asc
Date: 17 December, 2009
Features
- Bind the same interface multiple times at different ports. Use multiple interface: lines with an @port suffix.
Bug Fixes
- Fix libtool version to 2 because of why_bogus change in 1.4.0.
- fix parse of # without end-of-line at end-of-file.
- Fix crash with module-config "iterator".
- Fix segfault when unbound-control remove nonexistent
local data. And an update of ldns tarball with fix for parse
errors generated for domain names like '.example.com'.
- Fix for lookup of parent-child disagreement domains, where the
parent-side glue works but it does not provide proper NS, A or AAAA
for itself, fixing motorcaravanners.eu.
- Fix negative cache lookup of closestencloser check of DS type bit.
- Fix SOA excluded from negative DS responses. Reported by Hauke
Lampe.
- Fix that verify_rrsig routine checks expiration last.
- on IPv4 UDP turn off DF flag.
- Fix qclass=ANY queries, with class IN contents.
Unbound 1.4.0
Download: unbound-1.4.0.tar.gz
SHA1 checksum: ad5fe28826bfc0baa5b63988361dda7e8dabfb4d
SHA256 checksum: 3f67ecda501d74d8cc9e5c0aa0bcd25c4e03f09ad8e339de643333307ced9c30
PGP signature: unbound-1.4.0.tar.gz.asc
Date: 26 November, 2009
Features
- RFC 5702: RSASHA256 and RSASHA512 support enabled by default.
Please use openssl 0.9.8 or later, that provide sha256 and sha512.
- included ldns tarball updated (which also enables rsasha256 support).
- val-log-level: 2 shows extended error information for validation
failures, one line per failure. For example:
validation failure <example.com. DNSKEY IN>: signature expired from
192.0.2.4 for trust anchor example.com. while building chain of trust
- Made new validator error string available from libunbound for
applications. It is in result->why_bogus, a zero-terminated string.
unbound-host prints it by default if a result is bogus.
Also the errinf is public in module_qstate (for other modules).
- retry on DNSSEC failures, query other servers, unbound works harder
to get valid DNSSEC data.
- so-rcvbuf: 4m option added. Set this on large busy servers to not
drop the occasional packet in spikes due to full socket buffers.
netstat -su keeps a counter of UDP dropped due to full buffers.
- auto-trust-anchor-file option with RFC5011 support, code from the
NLnet Labs autotrust project (BSD license), is incorporated. In this way
unbound can support trust anchor revocation properly, even revocation
back to the unsigned state. It can read normal anchor files or autotrust
files initially, after probing the file is written to in a format specific
to unbound.
- use linebuffering for log-file: output, this can be significantly
faster than the previous fflush method and enable some class of
resolvers to use high verbosity (for short periods).
Not on windows, because line buffering does not work there.
- Patch from Zdenek Vasicek and Attila Nagy for using the source IP
from python scripts. See pythonmod/examples/resip.py.
- Got a patch from Luca Bruno for libunbound support on windows to
pick up the system resolvconf nameservers and hosts there.
- call OPENSSL_config() in unbound and unit test so that the
operator can use openssl.cnf for configuration options.
- Experimental support (disabled by default) for GOST for unofficial
algorithm number 249 of draft-dolmatov-dnsext-dnssec-gost-01, tested to work
with openssl-1.0.0beta and correct for examples in -01 draft.
- edns-buffer-size option, default 4096. Can be set to 1480 in case
of DNS UDP fragments not arriving from authority servers.
- iana portlist updated.
- contrib/split-itar.sh from Tom Hendrikx to split anchors.mf from the IANA ITAR into individual key files that can be tracked with auto-trust-anchor-file.
Bug Fixes
- fixed do-udp: no (only TCP is used).
- removed abort on prealloc failure, error still printed but softfail.
- Fix bug where autotrust does not work when started with a DS.
- Fix double time subtraction in negative cache reported by
Amanda Constant and Hugh Mahon.
- fix unbound-host so -d can be given before -C.
- fix DNSSEC-missing-signature detection for minimal responses
for qtype DNSKEY (assumes DNSKEY occurs at zone apex).
- fix compile of unbound-host when --enable-alloc-checks.
- Fix lookup problem reported by Koh-ichi Ito and Jaap Akkerhuis.
- Manual page fixes reported by Tony Finch.
- Fix memory leak reported by Tao Ma.
- increased MAXSYSLOGLEN so .bg key can be printed in debug output.
- Fix bug where DNSSEC-bogus messages were marked with too high TTL.
The RRsets would still expire at the normal time, but this would
keep messages bogus in the cache for too long.
- documented that load_cache is meant for debugging.
- fixup printing errors when load_cache, they were printed to the
SSL connection which had just broken, now to the log.
- Changes to make unbound work with libevent-2.0.3 alpha. (in
configure detection due to new ssl dependency in libevent).
- do not call sphinx for documentation when python is disabled.
- remove EV_PERSIST from libevent timeout code to make the code
compatible with the libevent-2.0. Works with older libevent too.
- fix memory leak in python code.
- makefile fix for parallel makes.
- fixup unbound-control lookup to print forward and stub servers.
- fixup memleak in trust anchor unsupported algorithm check.
- free all memory on program exit, fix for ssl and flex.
- fixup DS lookup at anchor point with unsigned parent.
- fixup DLV lookup for DS queries to unsigned domains.
- Fix so that servers are only blacklisted if they fail to reply
to 16 queries in a row and the timeout gets above 2 minutes.
- unbound-control lookup prints out infra cache information, like RTT.
- Fix bug in DLV lookup reported by Amanda from Secure64.
It could sometimes wrongly classify a domain as unsigned, which
does not give the AD bit on replies.
- Thanks to Surfnet, found bug in new dnssec-retry code that failed
to work well when combined with DLV and then a validation failure.
- removed small memory leak from config file reader.
- fix manpage errors reported by debian lintian.
- Fixed validation failure for CNAME to optout NSEC3 nodata answer.
- unbound-host does not fail on type ANY.
- Fixed wireparse failure to put RRSIGs together with data in some
long ANY mix cases, which fixes validation failures.
- Fixed signer detection of CNAME responses without signatures.
- Fixed libunbound memleak on error condition by Eric Sesterhenn.
Unbound 1.3.4
Download: unbound-1.3.4.tar.gz
SHA1 checksum: 70aea0092ad0b0cd76e57adc6a5843d3fa0d2a07
SHA256 checksum: 5a7f658b12c311f3c131d315b135956eeaa3bd7caa94b25b4777638ee7ce583f
PGP signature: unbound-1.3.4.tar.gz.asc
Date: 7 October, 2009
Bug Fixes
- Fixed bug in NSEC3 validation handling code: Under specific
circumstances checks of signatures over NSEC3 records are not done. As a
result carefully crafted delegation responses (created through exploiting
general DNS vulnerabilities such as DNS packet spoofing) can be used to
downgrade an existing secure delegation to insecure. Unbound users who
depend on DNSSEC validation are advised to upgrade.
- iana portlist updated.
Unbound 1.3.3
Download: unbound-1.3.3.tar.gz
SHA1 checksum: 4124d3b70a38d72a1ad47bf2a9e5aee9498ae439
SHA256 checksum: da2b24b87706a92c4b1e447cdcac26e851eb1bcaf4536e9dda1a64acb7ad92b8
PGP signature: unbound-1.3.3.tar.gz.asc
Date: 4 August, 2009
Features
- feature val-log-level: 1 prints validation failures so you can
keep track of them during dnssec deployment.
- contrib/update-anchor.sh has -r option for root-hints.
- crosscompile possible
- verified that --enable-sha2 works with draft rsasha256-14
Bug Fixes
- nicer warning when algorithm not supported, tells you to upgrade.
- Updated unbound-cacti contribution from Dmitriy Demidov, with
the queue statistics displayed in its own graph.
- Fix bug found by Michael Tokarev where unbound would try to prime
the root servers even though forwarders are configured for the root.
- Ignore transient sendto errors, no route to host, and host, net
down.
- Fix server selection, so that it waits for open target queries when
faced with lameness.
- iana portlist updated.
- Updated ldns tarball for solaris x64 compile assistance.
- Fixed to not use RAND_MAX on windows, so all 16 ID bits are used.
Unbound 1.3.2
Download: unbound-1.3.2.tar.gz
SHA1 checksum: 6aafdc87a70430f3aab54026bab5c901da2dba86
SHA256 checksum: 5acee05d7ec642e031e0fd392c2b476dfec5b872c7099e0e4d98a7acb5742ad1
PGP signature: unbound-1.3.2.tar.gz.asc
Date: 13 July, 2009
Bug Fixes
- Fix for crash at start on Windows.
Unbound 1.3.1
Download: unbound-1.3.1.tar.gz
SHA1 checksum: 19fd5aaddfce7de9e05bb5d6720707f98c1f649a
SHA256 checksum: 55961c23c6cde824adef8de8d83dae7dcd40528333960d5c3d5028904d799e87
PGP signature: unbound-1.3.1.tar.gz.asc
Date: 9 July, 2009
Features
- unbound_munin_ in contrib uses ps to show total memory rss if sbrk
hack does not work.
- Added build-unbound-localzone-from-hosts.pl to contrib, from
Dennis DeDonatis. It converts /etc/hosts into config statements.
Bug Fixes
- Fixup potential wrong NSEC picked out of the cache.
- If unfulfilled callbacks are deleted they are called with an error.
- fwd above stub in configuration works.
- removed random whitespace from example.conf.
- Fixed bug where cached responses would lose their security status
on second validation, which especially impacted dlv lookups. Reported
by Hauke Lampe.
- Fixup opportunistic target query generation so it does not
generate queries that are known to fail.
- harden-referral-path: handle cases where NS is in answer section.
- updated fedora specfile in contrib from Paul Wouters.
- Fix EDNS fallback when EDNS works for short answers but long answers
are dropped.
- On Linux, fragment IPv6 datagrams to the IPv6 minimum MTU, to
avoid dropped packets at routers.
- Fix of message parse bug where (specifically) an NSEC and RRSIG in
the wrong order would be parsed, but put wrongly into internal structures
so that later validation would fail.
- Queries for type DS when forward or stub zones are there. They are
performed to higherup domains, and thus treated as if going to higher
zones when looking up the right forward or stub server. This makes a stub
pointing to a local server that has a local view of example.com signed
with the same keys as are publicly used work. Reported by Johan Ihren.
- same thing fixed for forward-zone and DS, chain of trust from
public internet into the forward-zone works now.
- flush_type and flush_name remove message cache entries as well, so
they remove errors from the cache as well
- delegationpoint bogus flag copied fix
- openssl key files are opened 'apache-style', from
user root and before the chroot. This makes permissions on remote-control
key files easier.
- fail to configure with python if swig is not found.
- Fix of empty -L during linking
- updated ldns tarball to latest
- updated iana portlist
Unbound 1.3.0
Download: unbound-1.3.0.tar.gz
SHA1 checksum: 67fe06f087083fd24b0175b68e624efc375a3e0f
SHA256 checksum: ebaed25422a32a7f13386982485d9d01b65cf3aefbebdcf4add6a4d7c71a4610
PGP signature: unbound-1.3.0.tar.gz.asc
Date: 11 June, 2009
Features
- Major features are Windows port, and Python contribution. Previous
releases accidentally enabled experimental rsasha256 algorithms, fixed,
see below. There are minor features and bug fixes too.
- initgroups(3) is called to drop secondary group permissions, if
this OS functionality is available.
- daemon(3) posix call is used when available
- configure option --with-ldns-builtin forces the use of the
included ldns package with the unbound source. The -I include
is put before the others, so it avoids bad include files from
an older ldns install.
- --enable-sha2 option for rsasha256 and rsasha512 support (experimental
because it is still in working group draft stage). Default is off.
Previous releases accidentally enabled this feature when lib openssl supported
SHA256. It then used algorithms 8, 9 for RSASHA256 and 10, 11 for RSASHA512
(using four numbers as was according to the draft spec at that time).
The earlier versions support NSEC and NSEC3 for all these algorithm numbers.
People with these earlier versions may also have earlier openssl
versions (0.9.7), and therefore the experimental feature is disabled.
As long as these signing algorithm code points are not allocated, there is
no problem. You are advised to upgrade to the current version to
avoid surprises.
- new option log-time-ascii: yes if you enable it prints timestamps
in the log file as Feb 06 13:45:26 (like syslog does).
- verbosity level 5 logs customer IP for new requestlist
entries.
- contrib contains specfile for fedora 1.2.1 (from Paul Wouters).
- call setusercontext() if available (on BSD)
- Added stats_noreset feature for unbound-control.
- Added flush_requestlist feature for unbound-control.
- unbound-control status shows if root forwarding is in use.
- Added forward command for unbound control to change forwarders to use
on the fly.
- unbound-checkconf and unbound server print warnings when trust anchors
have unsupported algorithms.
- Added contrib/update-itar.sh This script is similar to
update-anchor.sh, and updates from the IANA ITAR repository.
You can provide your own PGP key and trust repo, or can use the
builtin. The program uses wget and gpg to work.
- Support spaces and backslashes in configure default paths
- register and deregister util programs for unbound.exe into the
windows service control manager. Works on XP and with Vista UAC.
- unbound can work as a service on windows, for the registry settings
and default program location and so on, see the windows manual.
- installer for unbound on windows. uninstalls too. Menu entries
optional. Can install DLV anchor with updater application (anchor-update.exe,
works a bit like update-anchor.sh) to enable DNSSEC
easily. Uses the NSIS open source installer system.
- Added contrib/unbound_cacti for statistics support in cacti,
contributed by Dmitriy Demidov.
- domain-insecure: "example.com" statement added. Sets domain
insecure regardless of chain of trust DSs or DLVs. The inverse
of a trust-anchor.
- use _beginthreadex() when available (performs stack alignment
on mingw)
- added launchd plist example file for MacOSX to contrib.
- reworked configure scripts to be neater.
- python contribution from Zdenek Vasicek and Marek Vavrusa.
(Sponsored by cz.nic for 'summer of code' development).
This contains support to use libunbound from python code.
And support to create unbound modules written in python that perform
custom processing of queries. The code is disabled by default and
needs to be enabled by passing options to configure. Installs the
following files: /usr/lib/python2.x/site-packages/ unboundmodule.py
unbound.py and _unbound.so*. The script examples are not installed. Sphinx
docs can be built with make doc (if sphinx-build is available).
- new libunbound calls to manage local data more easily
- read /dev/random before chroot
- suppress errors when trying to contact authority servers that gave
ipv6 AAAA records for their nameservers with ipv4 mapped contents.
Still tries to do so, higher verbosity shows the error.
- clock skew checks in unbound, config statements.
- Added cache-min-ttl option.
- Added dump_requestlist feature for unbound-control.
- Added flush_stats feature for unbound-control.
- Added unbound-checkconf -o option, that prints that
value from config file. Useful for scripting in management scripts
and the like.
Bug Fixes
- fix for threadsafety in solaris thr_key_create() in tests.
- fixes for porting the python code to BSD and Darwin
- fix for openssl-1.0.0beta, use of STRING #define, libdl linking.
- Fix reentrant in minievent handler for unix. Could have resulted
in spurious event callbacks.
- fix munin plugin, perform cleanup of stale
lockfiles.
- Fix for removal of RSASHA256_NSEC3 protonumber from ldns. Also new
rsasha512 (interim) algorithm number.
- Detect FreeBSD jail without ipv6 addresses assigned.
- Fixed a bug that caused messages to be stored in the cache too
long. Hard to trigger, but NXDOMAINs for nameservers or CNAME
targets have been more vulnerable to the TTL miscalculation bug.
- fixed bug in unbound-control flush_zone where it would not flush
every message in the target domain. This especially impacted
NXDOMAIN messages which could remain in the cache regardless.
- Fixup so no non-absolute rpaths are added.
- Fixup validation of RRSIG queries, they are let through.
- fix util/configlexer.c and solaris -std=c99 flag.
- deprecation test for daemon(3) (on MacOSX).
- module-config entries order is important. Documented.
- Fix for and test for unknown algorithms in a trust anchor
definition. Trust anchors with no supported algos are ignored.
This means a (higher)DS or DLV entry for them could succeed, and
otherwise they are treated as insecure.
- Added tests, unknown algorithms become insecure. fallback works.
- fixed so queries do not fail on opportunistic target queries.
- munin plugin fix benign locking error printout.
- fixup --export-symbols to be -export-symbols for libtool.
This should fix extraneous symbols exported from libunbound.
Thanks to Ondrej Sury and Robert Edmonds for finding it.
- document FAQ entry on stub/forward zones and default blocking.
- Remove fwrite warning on Ubuntu
- Added more cycle detection. Also for target queries.
- Fixup bug where during deletion of the mesh queries the callbacks
that were reentrant caused assertion failures. Keep the mesh in
a reentrant safe state. Affected libunbound, reload of server,
on quit and flush_requestlist.
- documented that unbound-host reads no config file by default.
- slightly nicer memory management in iter-fwd code.
- small refactor of stats clearing.
- fixup EOL in include directive (reported by Paul Wouters).
- config parser changed. Gives some syntax errors closer to where they
occurred. Does not enforce a space after keyword anymore.
Does not allow literal newlines inside quoted strings anymore.
- detect event_base_new() in libevent-1.4.1 and later and use it.
- MacOSX Leopard cleaner text output from configure.
- change in libunbound API: ub_cancel can return an error, that
the async_id did not exist, or that it was already delivered.
The result could have been delivered just before the cancel
routine managed to acquire the lock, so a caller may get the
result at the same time they call cancel. For this case,
ub_cancel tries to return an error code.
Fixes race condition in use of ub_cancel() libunbound function.
- Fixup assertion failure (thanks to Brett Carr).
- Fix detection of no ipv6 on XP (with different error code).
- Fixup a crash-on-exit which was triggered by a very long queue.
- Fixed bug that could cause a crash if root prime failed when there
were message backlogs.
- fixup documentation-bug in README reported by Matthew Dempsky.
- Fixup bad free() when wrongly encoded DSA signature is seen. Reported
by Paul Wouters.
- updated ldns tarball to latest
- updated iana portlist
Unbound 1.2.1
Download: unbound-1.2.1.tar.gz
SHA1 checksum: 996aea210b24f8c4bd1aa7a9584bc5b70b989b1b
SHA256 checksum: 1f95ca2904dfb813bf52f15156a8c769b365deb92fa7b995344062dea966dc29
PGP signature: unbound-1.2.1.tar.gz.asc
Date: 10 February, 2009
Features
- negative caching for failed queries. Queries that failed (because
the entire domain is down) are cached for a very short time (seconds),
this lowers the load generated by the failed queries.
If the failure is local, like out of memory, it is not cached.
- stop resolving AAAAs promiscuously when they are in the
negative cache, together with the negative caching feature (just above)
this dampens the spikiness of the requestlist size.
- unbound-host -4 and -6 options. Stops annoying ipv6 errors when
debugging with unbound-host -4 -d ...
- honor QUIET=no on make commandline (or QUIET=yes ).
Bug Fixes
- Fixed server deadlock. Added cycle detection for NS-check, addr-check,
root-prime and stub-prime queries in the iterator.
- fixup configure checks for compilation with Solaris
sun studio cc compiler, ./configure CC=/opt/SUNWspro/bin/cc
- fixup warnings emitted by sun studio compiler.
- the TTL comparison for the cache used different comparisons, causing
many cache responses that used the iterator and validator state
machines unnecessarily. Fixed.
- Fixed occasional SERVFAIL response when EDNS traffic is dropped
for a domain. Set retry from 4 to 5 so that EDNS drop retry is part of
the first query resolve attempt, and cached error does not stop EDNS
fallback.
- removed debug prints in code that protects against bad referrals.
- fix bug where unbound could crash using libevent 1.3 and older.
- more quiet about ipv6 network failures, i.e. when ipv6 is not
available (network unreachable). Debug still printed on high verbosity.
- printout more detailed errors on ssl certificate loading failures.
- builtin IANA allocated portlist updated (these ports are avoided).
Unbound 1.2.0
Download: unbound-1.2.0.tar.gz
SHA1 checksum: 2c1cef70669dcfa13f4db4306cd7b8eeca6892aa
SHA256 checksum: 88e480bdfb23855656a70cb879b231414d2322fb6c0b7dd594628c7482358784
PGP signature: unbound-1.2.0.tar.gz.asc
Date: 14 January, 2009
Features
- Wildcard support for trusted-keys-file: "/etc/keys/*.key"
- unbound-control status command.
- extended statistics has a number of ipv6 queries counter.
contrib/unbound_munin_ was updated to draw ipv6 in the hits graph.
- SElinux policy files in contrib/selinux for the unbound daemon,
by Paul Wouters and Adam Tkac.
Bug Fixes
- The long standing bug with libevent use is fixed. It turns out to be
a race condition in the calls to libevent.
The builtin mini-event did not have a problem being called
like this, but libevent and libev usage is now fixed. Libevent 1.1 is
reported to still give problems, but 1.4.5 and 1.4.8 seem fine.
- Certain packets could cause an assertion failure, resulting in a
denial-of-service vector if the server was compiled with --enable-debug
(assertions enabled). This is fixed.
- fixed bug reported by Duane Wessels: error in DLV lookup, would mark
some zones that had correct DLV keys as insecure.
- fix lame marking. security fix that resolves denial
of service that could be triggered by an unusual configuration. Thanks to
Mark Zealey for reporting.
- no more race condition in makefile during build with
high -j inside included libldns version.
- iana portlist updated to most recent, avoids allocated ports.
- L root server AAAA record added to builtin root hints.
- removed possible race condition in unit test for race conditions.
- fixup reported problem with transparent local-zone data where
queries with different type could get nxdomain. Now queries
with a different name get resolved normally, with different type
get a correct NOERROR/NODATA answer.
- HINFO no longer downcased for validation, making unbound compatible
with bind and ldns.
- fix reading included config files when chrooted.
Give full path names for include files.
Relative path names work if the start dir equals the working dir.
- fix libunbound message transport when no packet buffer is available.
- fixup getaddrinfo failure handling for remote control port.
- fixup so it works with libev-3.51 from http://dist.schmorp.de/libev/
- ldns tarball updated with 1.4.1rc for DLV unit test.
- fixup BSD port for infra host storage. It hashed wrongly.
- follow ldns rc makedist name generation.
- snapshot version uses _ not - to help rpm distinguish the
version number.
- do not reopen syslog to avoid dev/log dependency. This makes chroot
environments easier.
- better fix for bug #219: use LOG_NDELAY with
openlog() call. Thanks to Tamas Tevesz.
- fixed: unbound checkconf checks if key files exist if
remote control is enabled. Also fixed NULL printf when not chrooted.
- Fix problem reported by Jaco Engelbrecht where unbound-control stats
freezes up unbound if this was compiled without threading, and
was using multiple processes.
- test for remote control with interprocess communication.
- created command distribution mechanism so that remote control
commands other than 'stats' work on all processes in a nonthreaded
compiled version. dump/load cache work, on the first process.
- fixup remote control local_data addition memory corruption bug.
- configure complains when --without-ssl is given,
fixed.
- blacklisted servers are polled at a low rate (1%) to see if they
come back up. But not if there is some other working server.
- documented that the user of the server daemon needs read privileges
on the keys and certificates generated by unbound-control-setup.
This is different per system or distribution, usually, running the
script under the same username as the server uses suffices.
i.e. sudo -u unbound unbound-control-setup
- unbound-control-setup.sh removes read/write permissions other
from the keys it creates (as suggested by Dmitriy Demidov).
- fixed tcp accept, errors were printed when they should not.
- fixup fatal error due to faulty error checking after tcp accept.
- add check in rlimit code to avoid integer underflow.
- rlimit check with new formula; better estimate for number of
interfaces.
Unbound 1.1.1
Download: unbound-1.1.1.tar.gz
SHA1 checksum: 8c80e892232a05459923826f266afb770d3f7d73
SHA256 checksum: ab6c701f44aeef11a1a8370495749b9b630004597af38dc04094ad5687e73981
PGP signature: unbound-1.1.1.tar.gz.asc
Date: 20 November, 2008
Bug Fixes
- Fixed syslog with chroot, glibc syslog opens only
on demand so a log line has to be printed before chroot.
- fixup fatal error due to faulty error checking after tcp accept.
- rlimit check on startup integer underflow fixup, also makes a
more accurate estimate
Unbound 1.1.0
Download: unbound-1.1.0.tar.gz
SHA1 checksum: fb7a4421c64812d3acfa48409360ec232197a2f9
SHA256 checksum: b98421c97089dfcf7d7798d7148886c0a8672476dc44dd2b43d62ba5e3be27b5
PGP signature: unbound-1.1.0.tar.gz.asc
Date: 11 November, 2008
Features
- DLV support
- contrib update-anchor.sh neatly updates keys for DLV or root or
others and only restarts the nameserver when keys have changed.
exits 0 when a restart is needed, other values if not.
So, update-anchor.sh -d mydir && /etc/rc.d/unbound restart
can restart unbound exactly when needed. Use -b for BIND mode.
- Negative caching for NSEC, NSEC3 for DLV lookups, as well as for
securely insecure delegations.
- Filter out overreaching NSEC records
- dev/log(syslog) opened before chroot
- use setresuid/setresgid, more secure.
- logfile message classification as notice, info, debug.
- harden-referral-path option implements draft-wijngaards-dnsext-resolver-side-mitigation-00, protects against many Kaminsky variations. Default is off, because of added load it generates, and experimental status.
- disallow nonrecursive queries for cache snooping by default.
You can allow it using access-control: subnet allow_snoop.
The defaults do allow access to authoritative data without RD bit.
- DoS resistance implementation. Half of queries run-to-completion.
Other half are a lifo where old entries are overwritten if 200 msec old.
- Block DNS rebinding attacks. This disallows domains from the
public internet from pretending to have internet addresses in your own
netblock. Use the private-address and private-domain statements (see
unbound.conf(5) man page for details). We may consider turning this on
by default for rfc1918 (local subnet) addresses.
- remote control feature, unbound-control. Remotely (using SSL)
stop, change redirections, flush cache, load cache, store cache, or
get statistics
- extended statistics (off by default). Put Howto documentation on website.
- munin example plugin to draw statistics added to contrib
- hosts that drop EDNS packets are detected, eventually.
- fixed recursion servers deployed as authoritative detection, so
that as a last resort, a +RD query is sent there to get the correct
answer.
- RSASHA256 and RSASHA512 support, using experimental protocol numbers from draft.
- stubs work much more intuitively, but can be configured for old and
new behaviour with new option stub-prime. This makes stubs on localhost on a different port number work.
- dns-0x20 fallback code implemented
- IPv4 and IPv6 PTR shorthand local-data-ptr: "1.2.3.4 www.ex.com"
- code refactored for domain, address tree lookups.
- unbound-control-setup.sh script to set up (selfsigned) certificates.
- spoof nearmiss indicator, when extended statistics are enabled, unbound-control stats prints out unwanted_replies count.
- if server selection is faced with only bad choices, it will
attempt to get more options to be fetched.
- changed bogus-ttl default value from 900 to 60 seconds.
In anticipation that operator caused failures are more likely than
actual attacks at this time. And thus repeated validation helps
the operators get the problem fixed sooner. It makes validation
failures go away sooner (60 seconds after the zone is fixed).
Also it is likely to try different nameserver targets every minute,
so that if a zone is bad on one server but not another, it is
likely to pick up the 'correct' one after a couple minutes,
and if the TTL is big enough that solves validation for the zone.
- do not query bogus nameservers. It is as-if nameservers that have
the NS or A or AAAA record bogus are listed as donotquery.
- CFLAGS are picked up by configure from the environment.
- silenced EHOSTDOWN, verbosity 2 and higher show it.
- configure check for ldns version 1.4.0 or later
- Fix for problem reported on mailing list, If a delegation point
has no A but only AAAA and do-ip6 is no, resolution would fail. Fixed to
ask for the A and AAAA records. It has to ask for both always, so that
it can fail quietly, from TLD perspective, when a zone is only reachable
on one transport.
Bug Fixes
- Fixed rrset security updated overwriting rfc2181 trust status.
This makes validated to be insecure data just as worthless as
nonvalidated data, and 2181 rules prevent cache overwrites to them.
- Fixed setreuid on MacOSX 10.4
- Fixed so make realclean works better, by Robert Edmonds
- extra rc.d unbound flexibility for freebsd/nanobsd.
- nicer do-auto log message when user sets incompatible options. DLV implemented.
- variable name ameliorated in log.c.
- in iana_update, no egrep, but awk use.
- fixed, pidfile can be outside chroot. openlog is done
before chroot and drop permissions. logfile is created with correct
permissions again. Some errors are not written to logfile (pidfile writing,
forking), and these are only visible by using the -d commandline flag.
- Fix update-anchor.sh to work both in BSD shell and bash.
- Fix so unsigned additionals are not marked bogus, they are left
unchecked, since signatures may have fallen off due to message size.
Unchecked items are removed from the additional just like bogus is for
that message. Defers validation for those rrsets.
- Fix assertion fail on bogus key handling
- Fix so dnssec lameness detection works on first query at trust apex.
- Fix compilation without pthreads on linux.
- builtin iana assigned portlist updated
- ldns snapshot inside source tarball updated to 1.4.0
- Fix NSEC_AT_APEX classification for short typemaps.
- Fix nonblocking and timeouts on TCP sockets
- Fix for multiple simultaneous timeout back offs. Could cause trouble
for forwarders
- Fix SHA256 DS downgrade, no longer possible to downgrade to SHA1.
- Fix negative TTL values appearing (reported by Attila Nagy)
- detect if libssl needs libdl. For static linking with libssl.
- Fix build process for Mac OSX linker
- Fix possible memory leak in key_entry_key deletion.
Would leak a couple bytes when trust anchors were replaced.
- DNAMEs used from cache have their synthesized CNAMEs initialized
properly.
- Fix file descriptor leak for localzone type deny (for TCP).
- Fix memleak for the keyword 'nodefault' when reading config. Would
leak bytes per reload command received.
- Fix listen to closed fd, would log a message with
"bad file descriptor"
Unbound 1.0.2
Download: unbound-1.0.2.tar.gz
SHA1 checksum: 93faa7b76cf7681b8c7b0c5187aaf84c36b6670b
SHA256 checksum: e6bbc4bb850c211e97ee7b5bc1827f59eb5222d295b715bda4551775766240ac
PGP signature: unbound-1.0.2.tar.gz.asc
Date: 7 August, 2008
Features
- Stricter filtering of messages. This means that CNAMEs and DNAMEs
are handled with more paranoia, as well as the removal of more
irrelevant rrsets. More discussion at patch 1.0.2 announcement.
Bug Fixes
- Fixup qtype DS validation code
- Fix for nicer entropy warning message, OS hints in manpage.
- Fix segfault on exit cleanup of the app if packets were
still waiting for udp port numbers.
Unbound 1.0.1
Download: unbound-1.0.1.tar.gz
SHA1 checksum: 3a863376c8a2e805903aa4d9a32648b9f4c80ef1
SHA256 checksum: 95d3124b5e2a357848b84413a2f78e5896d41636278ed490dcf13bf89683f395
PGP signature: unbound-1.0.1.tar.gz.asc
Date: 16 July, 2008
Features
- This version features bugfixes to compile on various distributions,
some options necessary to assist packaging and distribution of unbound,
a couple of fixes for looking up corner cases (badly operated domains),
and a cleanup of code for config file reading.
- contrib unbound.spec from Patrick Vande Walle
- mingw port with basic functionality on Windows XP and Windows Vista
(single threaded, UDP, TCP, IPv4, IPv6, validation)
- Added IPv6 example prefix to AS112 default blocklist
Bug Fixes
- fixup fedora 9 compilation (in6_pktinfo definition)
- CREDITS fixup of history
- ldns-1.2.2 is ignored if installed, and builtin 1.3.0 ldns used
- lex input and unput functions not generated (compile warnings)
- update of ldns tarball to latest ldns svn.
- update of avoided ports to latest IANA allocated portlist
- fixed up statements of the form local-zone: "30.172.in-addr.arpa."
nodefault, so that the trailing dot is not required.
- reported by Robert Edmonds (akamai zones), fixed so that if multiple
CNAME records for a name are returned, the first is used.
- reported by Richard Doty for mail.opusnet.com, check lameness more
cautiously, first check SOA record, before looking at NS record, then,
additionally, check the AA bit.
- reported for newegg.com, more detailed lameness
checking to distinguish AAAA lameness from qtype A lameness.
- fixup compiling on eeepc xandros linux
- fixup memory leak in root hints file reading
- fixup validation for qtype DS queries with trust anchor for the
same name
- libunbound ub_resolve, fix handling of error condition during setup.
- lowered log_hex blocksize to fit through BSD syslog linesize.
- make test checks for ldns-testns requirement of tcp_sigpipe test
- call tzset before chroot to have correct timestamps in system log
- fixed compilation failure on opensuse, the
--disable-static configure flag caused problems.
Patch from Klaus Singvogel
- fixed unportable shell usage in configure (relied on bash)
- same fix as 177.
- fixed buffer overflow in unbound-checkconf use of strncat
- fixed buffer overflow in ldns (called by unbound to parse config file parts)
- pidfile, rundir, and chroot configure options. Also the example.conf and
manual pages get the configured defaults. You can use: (or accept the
defaults to /usr/local/etc/unbound/) --with-conf-file=filename
--with-pidfile=filename --with-run-dir=path --with-chroot-dir=path
- -r option for unbound-host, read resolv.conf.
- --disable-shared not passed along to ldns included with
unbound. Fixed so that configure parameters are passed to the
subdir configure script.
Fixed that ./libtool is used always, you can still override
manually with ./configure libtool=mylibtool or set $libtool in
the environment.
Unbound 1.0.0
Download: unbound-1.0.0.tar.gz
SHA1 checksum: a837407d866f0918547c6122f8f654c219b4b51f
SHA256 checksum: 48e27905cb2cbde604252fbdd19dcd915a3b970c55f2ba2a033dac02048de1fe
PGP signature: unbound-1.0.0.tar.gz.asc
Date: 20 May, 2008
Features
- This code is the public release
- Honors $DESTDIR during make install and make uninstall, useful for rpm and deb packaging.
- contrib .spec file to build RPMs with
- iana port list updated
- added IPv6 addresses for builtin root hints
Bug Fixes
- Fixup no-IPv4 problem in error callback
- No linking with -lrt if not needed
- library version now has proper version-info (Thanks Ondrej Sury)
- configure --disable-rpath performs libtool fixup
- MacOSX 10.5 /etc/hosts lines ending in %lo0 are skipped (Thanks John Dickinson)
Unbound 0.11
Download: unbound-0.11.tar.gz
SHA1 checksum: c74028b6a815fd5840f6ecbd6c1ec65afff67de2
SHA256 checksum: f6c44ccae56398273c1f03485f2e2b8e4b612663d501d89c82c8cf9f23422d9f
PGP signature: unbound-0.11.tar.gz.asc
Date: 24 Apr, 2008
Features
- This code is public beta and ready for deployment.
- Default file locations changed to /usr/local/etc/unbound
- RTT banding (draft-forgery-resilience)
- query name checks (draft-forgery-resilience)
- random ports improved (draft-forgery-resilience)
- AD bit signaling (AD bit in query requests AD bit in reply)
- unbound tries to set ulimit(fds) if it needs to
- stats to rrdtool script in contrib (Thanks Kai Storbeck)
- FEATURES document
Bug Fixes
- Fixed so works with libevent-1.4.3+
- iterator logs spelling fixed (Thanks Koji Kobayashi)
- RFC2181 compliance improved (Thanks Jinmei Tatuya)
- DSA EVP signature decoding fixed
- chroot functionality better documented and checked (Thanks Randy Bush)
- ignore SIGPIPE from dns clients (Thanks Kai Storbeck)
Unbound 0.10
Download: unbound-0.10.tar.gz
SHA1 checksum: c8af5e1721b00c0a776bce06e624d037a332e993
SHA256 checksum: 08d2290b0ed8b10a4bb2fae34bba809692674dcaf6eca489c1b7ca88bdcc1b01
PGP signature: unbound-0.10.tar.gz.asc
Date: 3 Mar, 2008
Features
- This code is public beta and ready for deployment.
- updated ldns-tarball inside source from trunk for latest NSEC3
type codes
- installation to /usr/local/sbin by default now, like other servers do
- libunbound returns the full answer packet (with signatures,
additional data, NSECs ...)
- option 'use-caps-for-id: yesno', experimental implementation of
draft-dns-0x20.
- default configure uses builtin event mechanism, since it is faster
and usually good enough. Use libevent when you use huge outgoing port
ranges.
- Various optimisations
- make test shows an indication of cache speed
- unbound-host patch (from Jan-Piet Mens) to read config file
- added contrib/ dir with an /etc/rc.d script for FreeBSD
Bug Fixes
- --prefix option for configure also changes directory: pidfile:
and chroot: defaults in config file.
- fixed so you can start without a config file (will complain, but
start with defaults).
- fixed read of empty lines in /etc/hosts by libunbound
- fix to install all manual pages (unbound-host and libunbound pages
too)
- fixed memory leaks in libunbound (during cancellation and ub_wait).
Unbound 0.9
Download: unbound-0.9.tar.gz
SHA1 checksum: 73eb8706e1a3aab767bbe3ef62c53deb085f57c7
SHA256 checksum: 729857e323ae8a85e57a70ed441748456f0eabc390060b1551d0eb459a064dad
PGP signature: unbound-0.9.tar.gz.asc
Date: Feb 08, 2008
Features
- This code is beta and not recommended for operational
deployment.
- Remade verbosity levels, new level 2.
- can answer multiple queries over one TCP stream.
- library libunbound offers a validating stub implementation.
- unbound-host uses library to validate and lookup like host
- statistics-interval: seconds option added.
- interface-automatic: option added. Experimental, uses socket options to guarantee correct source address on UDP replies. Useful for multihomed hosts.
- Memory sizes in config can be given with k, m, or g
- Prints approximation of the median from histogram
- unbound-checkconf checks for local-net misconfigurations
Bug Fixes
- Fixed roothints and keyfiles access from chrooted daemon.
- Random generator uses less entropy.
Unbound 0.8
Download: unbound-0.8.tar.gz
SHA1 checksum: 252a84026dc1c5508cb28ea5ce6e485b304c2695
SHA256 checksum: e04f661ab2eb774b53d727d40b48931371b3dd7f39bdab8b2c60026925b018e8
PGP signature: unbound-0.8.tar.gz.asc
Date: Feb 07, 2008
Features
- Local zone data - serve authoritative data
- Access control list - ips that have recursion allowed
- by default blocks AS 112 (reverse local net) queries
- This code is pre-beta and not recommended for operational
deployment.
- per rfc2308, replaced default max-ttl value with 1 day.
Bug Fixes
- Validation works now for non RD queries
- duplicate checking for NSECs and NSEC3s after CNAMEs
- do not downcase NSEC and RRSIG for verification. Follows
draft-ietf-dnsext-dnssec-bis-updates-06.txt.
Unbound 0.7.2
Download: unbound-0.7.2.tar.gz
SHA1 checksum: 2fa26e8bb7b691c80f4146b00a0eef7e0352ae91
SHA256 checksum: fdf28fb02326b15ce8c56b282c6cd26369b111f2e89e18391fbf7c4ff396cd80
PGP signature: unbound-0.7.2.tar.gz.asc
Date: Jan 09, 2008
Features
- bugfixes for closed beta test version, not recommended for widespread deployment
Bug Fixes
- Fixup building the source from another directory.
- Fixup failure on start due to lack of entropy.
Unbound 0.7.1
Download: unbound-0.7.1.tar.gz
SHA1 checksum: f0d50a5c7505b138c23f1fbeddda0ecc44430806
SHA256 checksum: 260f1a30ba62654436c55b59fc8d43251995d59a19dc9199cd6ede4279cb2bf1
PGP signature: unbound-0.7.1.tar.gz.asc
Date: Nov 19, 2007
Features
- bugfixes for closed beta test version, not recommended for widespread deployment
Bug Fixes
- Fixes in make test to kill daemons more thoroughly after test
- NSEC/RRSIG not downcased, from dnssec-bis-updates draft-06
- libevent not found error nicer
- README discusses GNU make needs
Unbound 0.7
Download: unbound-0.7.tar.gz
SHA1 checksum: f3baa63b522b50124c07769fadd89e8644b4f306
SHA256 checksum: d68ad1572d75c849c7e3e16aba42146d670648c1ba488b3505caf402dd9d7dbb
PGP signature: unbound-0.7.tar.gz.asc
Date: Nov 16, 2007
Features
- closed beta test version, not recommended for widespread deployment
- support branch for closed beta participants
Unbound 0.6
Download: unbound-0.6.tar.gz
SHA1 checksum: 5f603c04d64a98dadec2da6003808c41f6ecf3ec
SHA256 checksum: 08ff46c564341698ab06df3eb6552ee314ecdfd1514cf17078509e1113a76776
PGP signature: unbound-0.6.tar.gz.asc
Date: Nov 16, 2007
Features
- Operational features.
- Secured by default (chroot).
- Memory leaks gone, lameness detection, corner cases and various fixes
- config file checker unbound-checkconf
- root hints file supported
- ldns library tarball included in source package for ease of installation
- This code is pre-beta and not recommended for operational
deployment.
Unbound 0.5
Download: unbound-0.5.tar.gz
SHA1 checksum: d722ebc164d3eaa0eb5a74e0589197e66bae19c2
SHA256 checksum: f2547026ed911f7068f28728c98e3b25df81e723d040231eb120607a4c2b2396
PGP signature: unbound-0.5.tar.gz.asc
Date: Nov 2, 2007
Features
- Validation.
- Fixes to recursive iterator code.
- This code is pre-beta and not recommended for operational
deployment.
Unbound 0.4
Download: unbound-0.4.tar.gz
SHA1 checksum: c06d9dff0cecffb16bcf9dc42f439b62b872a19b
SHA256 checksum: 7adc910b345511d928b4dba9da98713c3941a7b72075404f2613a72e0a58fde7
PGP signature: unbound-0.4.tar.gz.asc
Date: Sep 20, 2007
Features
- Caching resolver.
- This code is pre-beta and not recommended for operational
deployment.
Unbound 0.3
Download: unbound-0.3.tar.gz
SHA1 checksum: 9157eafad4ab04a5311bcb25da27ad158fa4c26b
SHA256 checksum: de014e54b3fb2d8f853afb6edc20344ffadf1964dbb68c384d2ccb643830de1d
PGP signature: unbound-0.3.tar.gz.asc
Date: June 20, 2007
Features
- Forwarder with RRset cache.
- This code is pre-beta and not recommended for operational
deployment.
Unbound 0.2
Download: unbound-0.2.tar.gz
SHA1 checksum: faa348486670073f80b30bae00a4d221fe4c002e
SHA256 checksum: 4f2cb6ef18b1e5affcfa78e2a5e1ef15656975bb7c375f30dfa1e6efbdb0338c
PGP signature: unbound-0.2.tar.gz.asc
Date: May 1, 2007
Features
- Basic caching forwarder
- This code is pre-beta and not recommended for operational
deployment.
Unbound 0.1
Download: unbound-0.1.tar.gz
SHA1 checksum: e14826892d9e4a841c551df3fd902a2bcc94f069
SHA256 checksum: beb6c00750927425645780c26072e4de0e272004d0308c4a59b21d603861c50f
PGP signature: unbound-0.1.tar.gz.asc
Date: Mar 28, 2007
Features
- Threaded non-caching forwarder.
- This code is pre-beta and not recommended for operational
deployment.
Unbound 0.0
Download: unbound-0.0.tar.gz
SHA1 checksum: 967cdd2654b84335622842ee1f39984cfbb39f25
SHA256 checksum: b9b107b39b526cbdd93400f2ee343a0a571f82d84b91ee010aecd665445b29f5
PGP signature: unbound-0.0.tar.gz.asc
Date: Feb 19, 2007
Features
- Build environment, configure, make and a non-caching DNS
forwarder.
- This code is pre-beta and not recommended for operational
deployment.