Maintained by: NLnet Labs

[Unbound-users] Release of unbound 1.1.0

Wouter Wijngaards
Tue Nov 18 13:56:38 CET 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

The version 1.1.0 of unbound is released.

Get it here:
http://unbound.net/downloads/unbound-1.1.0.tar.gz
sha1 is fb7a4421c64812d3acfa48409360ec232197a2f9
sha256 b98421c97089dfcf7d7798d7148886c0a8672476dc44dd2b43d62ba5e3be27b5

On the website, additional HowTos are available:
http://unbound.net/documentation/howto_setup.html
http://unbound.net/documentation/howto_optimise.html
http://unbound.net/documentation/howto_statistics.html

The long feature list is below. The big features are:
DLV
'rndc' remote control
load-store cache contents
experimental full forgery resistance
extended statistics (nice pictures on the howto).
RSASHA256 and RSASHA512 support.
DNS rebinding attack blocking.
And bug fixes.

Features
    * DLV support
    * contrib update-anchor.sh neatly updates keys for DLV or root or
others and only restarts the nameserver when keys have changed. exits 0
when a restart is needed, other values if not. So, update-anchor.sh -d
mydir && /etc/rc.d/unbound restart can restart unbound exactly when
needed. Use -b for BIND mode.
    * Negative caching for NSEC, NSEC3 for DLV lookups, as well as for
securely insecure delegations.
    * Filter out overreaching NSEC records
    * dev/log(syslog) opened before chroot
    * use setresuid/setresgid, more secure.
    * logfile message classification as notice, info, debug.
    * harden-referral-path option implements
draft-wijngaards-dnsext-resolver-side-mitigation-00, protects against
many Kaminsky variations. Default is off, because of added load it
generates, and experimental status.
    * disallow nonrecursive queries for cache snooping by default. You
can allow it using access-control: subnet allow_snoop. The defaults do
allow access to authoritative data without RD bit.
    * DoS resistance implementation. Half of the queries run to completion.
The other half are a LIFO where old entries are overwritten if 200 msec old.
    * Block DNS rebinding attacks. This disallows domains from the
public internet from pretending to have internet addresses in your own
netblock. Use the private-address and private-domain statements (see
unbound.conf(5) man page for details). We may consider turning this on
by default for rfc1918 (local subnet) addresses.
    * remote control feature, unbound-control. Remotely (using SSL)
stop, change redirections, flush cache, load cache, store cache, or get
statistics
    * extended statistics (off by default). Put Howto documentation on
website.
    * munin example plugin to draw statistics added to contrib
    * hosts that drop EDNS packets are detected, eventually.
    * fixed recursion servers deployed as authoritative detection, so
that as a last resort, a +RD query is sent there to get the correct answer.
    * RSASHA256 and RSASHA512 support, using experimental protocol
numbers from draft.
    * stubs work much more intuitively, but can be configured for old and
new behaviour with the new option stub-prime. This makes stubs on localhost
on a different port number work.
    * dns-0x20 fallback code implemented
    * IPv4 and IPv6 PTR shorthand local-data-ptr: "1.2.3.4 www.ex.com"
    * code refactored for domain, address tree lookups.
    * unbound-control-setup.sh script to set up (selfsigned) certificates.
    * spoof nearmiss indicator, when extended statistics are enabled,
unbound-control stats prints out unwanted_replies count.
    * if server selection is faced with only bad choices, it will
attempt to get more options to be fetched.
    * changed bogus-ttl default value from 900 to 60 seconds, in
anticipation that operator-caused failures are more likely than actual
attacks at this time, and thus repeated validation helps the operators
get the problem fixed sooner. It makes validation failures go away
sooner (60 seconds after the zone is fixed). Also it is likely to try
different nameserver targets every minute, so that if a zone is bad on
one server but not another, it is likely to pick up the 'correct' one
after a couple of minutes, and if the TTL is big enough that solves
validation for the zone.
    * do not query bogus nameservers. It is as if nameservers that have
the NS or A or AAAA record bogus are listed as donotquery.
    * CFLAGS are picked up by configure from the environment.
    * silenced EHOSTDOWN, verbosity 2 and higher show it.
    * configure check for ldns version 1.4.0 or later

Bug Fixes
    * Fixed rrset security update overwriting rfc2181 trust status.
This makes data validated to be insecure just as worthless as
nonvalidated data, and 2181 rules prevent cache overwrites to them.
    * [bugzilla: 217 ]
      Fixed setreuid on MacOSX 10.4
    * Fixed so make realclean works better, by Robert Edmonds
    * [bugzilla: 208 ]
      extra rc.d unbound flexibility for freebsd/nanobsd.
    * [bugzilla: 203 ]
      nicer do-auto log message when user sets incompatible options. DLV
implemented.
    * [bugzilla: 204 ]
      variable name ameliorated in log.c.
    * [bugzilla: 206 ]
      in iana_update, no egrep, but awk use.
    * [bugzilla: 199 ]
      fixed, pidfile can be outside chroot. openlog is done before
chroot and drop permissions. logfile is created with correct permissions
again. Some errors are not written to logfile (pidfile writing,
forking), and these are only visible by using the -d commandline flag.
    * Fix update-anchor.sh to work both in BSD shell and bash.
    * Fix so unsigned additionals are not marked bogus, they are left
unchecked, since signatures may have fallen off due to message size.
Unchecked items are removed from the additional just like bogus is for
that message. Defers validation for those rrsets.
    * Fix assertion fail on bogus key handling
    * Fix so dnssec lameness detection works on first query at trust apex.
    * Fix compilation without pthreads on linux.
    * builtin iana assigned portlist updated
    * ldns snapshot inside source tarball updated to 1.4.0
    * Fix NSEC_AT_APEX classification for short typemaps.
    * Fix nonblocking and timeouts on TCP sockets
    * Fix for multiple simultaneous timeout back-offs. Could cause
trouble for forwarders
    * Fix SHA256 DS downgrade, no longer possible to downgrade to SHA1.
    * Fix negative TTL values appearing (reported by Attila Nagy)
    * detect if libssl needs libdl. For static linking with libssl.
    * Fix build process for Mac OSX linker
    * Fix possible memory leak in key_entry_key deletion. Would leak a
couple bytes when trust anchors were replaced.
    * DNAMEs used from cache have their synthesized CNAMEs initialized
properly.
    * Fix file descriptor leak for localzone type deny (for TCP).
    * Fix memleak for the keyword 'nodefault' when reading config. Would
leak bytes per reload command received.
    * Fix listen to closed fd, would log a message with "bad file
descriptor"
    * Fix for problem reported on mailing list: if a delegation point
has no A but only AAAA and do-ip6 is no, resolution would fail. Fixed to
ask for the A and AAAA records. It has to ask for both always, so that
it can fail quietly, from TLD perspective, when a zone is only reachable
on one transport.

Best regards,
   Wouter
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkkiu4YACgkQkDLqNwOhpPhZ3wCfXqhGLME/0y7vYBenFNWs407a
WjAAn11DiKcceHroZ2jcrQaBwrF84/2d
=7XUs
-----END PGP SIGNATURE-----
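As an added example (not part of the announcement above and not a configuration shipped by NLnet Labs), the fragment below shows how the 1.1.0 options named in the feature list fit together in an unbound.conf: the rebinding filter (private-address / private-domain), cache-snooping control via access-control allow_snoop, a stub on a non-standard localhost port with stub-prime, the new local-data-ptr shorthand, harden-referral-path, DLV, extended statistics and the remote-control section. All addresses, zone names and file paths are constructed for illustration; the key and certificate file names are the defaults written by unbound-control-setup.sh, and the directory is assumed.

```conf
server:
    verbosity: 1
    interface: 0.0.0.0

    # Constructed LAN. Plain "allow" grants recursion but, as of 1.1.0,
    # refuses non-recursive (RD=0) queries that could snoop the cache.
    access-control: 192.0.2.0/24 allow
    # One constructed monitoring host is allowed RD=0 queries for debugging.
    access-control: 192.0.2.10/32 allow_snoop
    access-control: 0.0.0.0/0 refuse

    # Experimental forgery resistance (off by default, adds upstream load).
    harden-referral-path: yes

    # DNS rebinding protection: public names may not resolve to these
    # netblocks. The LAN below is constructed; the others are RFC 1918/ULA.
    private-address: 192.0.2.0/24
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-address: fd00::/8
    # Internal names that legitimately carry private addresses must be
    # whitelisted, otherwise their answers are dropped by the filter.
    private-domain: "corp.example"

    # IPv4 PTR shorthand: one line yields both the reverse name and record.
    local-data-ptr: "192.0.2.5 www.corp.example"

    # DLV trust anchor file; path is an assumption, maintain it with
    # contrib/update-anchor.sh -d /etc/unbound
    dlv-anchor-file: "/etc/unbound/dlv.isc.org.key"

    # 1.1.0 default; stated here so operators see the retry interval.
    bogus-ttl: 60

    # Needed for the unwanted_replies counter in unbound-control stats.
    extended-statistics: yes

stub-zone:
    name: "corp.example"
    # Constructed: an internal authoritative server on localhost port 5353.
    stub-addr: 127.0.0.1@5353
    # New in 1.1.0: do not prime the stub from the root, use the
    # address above directly.
    stub-prime: no

remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
    server-key-file: "/etc/unbound/unbound_server.key"
    server-cert-file: "/etc/unbound/unbound_server.pem"
    control-key-file: "/etc/unbound/unbound_control.key"
    control-cert-file: "/etc/unbound/unbound_control.pem"
```

Two points worth checking after applying such a configuration. First, every private-address block you add should be paired with a private-domain for any internal zone whose names legitimately point into that block; without it the rebinding filter silently strips those answers, which shows up as unexplained resolution failures rather than a logged error. Second, confirm with a non-recursive query (for example dig +norecurse against the resolver) from an ordinary client that the answer is refused, and from the allow_snoop host that it is served, so the cache-snooping policy matches what you intended.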