Maintained by: NLnet Labs

[Unbound-users] unbound release 1.4.5

W.C.A. Wijngaards
Tue Jun 15 09:44:12 CEST 2010


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

Unbound 1.4.5 is available,
http://www.unbound.net/downloads/unbound-1.4.5.tar.gz
sha1:   c1f227b95448cdfd0006d6d00b3d4354500d7564
sha256: 905685836715ac715098909ae5268504322f0f226c957d18ed32895c76d8224c

This release has bugfixes.  You can find a detailed list of changes
below.  Nice new feature is a contributed patch to use unbound-host for
monitoring the validation of a chain of trust inside the Nagios framework.

Bugfix highlights: EDNS backoff corner cases, some validator corner
cases, new handling for parent-child misconfigured domain lookups, and
caps-for-id and harden-referral-path option fixes.

The ECC-GOST option, although it uses the official algorithm number, is
not yet enabled if support is detected in openssl (which is what we
intend to do), because the RFC with the protocol spec has not passed the
final stages at the RFC Editor in the IETF.

There have been patches to the rc1 release candidate.  In the new
parent-child miconfigured domain code a fix to make it faster, not
trying bad nameservers again.  A bug that could trigger too much CPU
consumption was fixed by throttling CPU expenditure for cycle detection.


Features
    * unbound-control get_option domain-insecure shows config file items.
    * Autotrust anchor file can be initialized with a ZSK key as well
(if the domain's DNSKEY set is signed with that ZSK).
    * Conforms to draft-ietf-dnsop-default-local-zones-13. Added default
reverse lookup blocks for IPv4 test nets 100.51.198.in-addr.arpa,
113.0.203.in-addr.arpa and Orchid prefix 0.1.1.0.0.2.ip6.arpa.
    * Contribution from Migiel de Vos (Surfnet): nagios patch for
unbound-host, in contrib/ (in the source tarball). Makes unbound-host
suitable for monitoring dnssec(-chain) status.
    * GOST disabled-by-default, the algorithm number is allocated but
the RFC is still has to pass AUTH48 at the IETF.

Bug Fixes
    * Fix validation failure for qtype ANY caused by a RRSIG parse
failure. The validator error message was 'no signatures from ...'.
    * Squelch log message: sendto failed permission denied for
255.255.255.255, it is visible in VERB_DETAIL (verbosity 2).
    * Fix fetch from blacklisted dnssec lame servers as last resort. The
server's IP address is then given in validator errors as well.
    * Fix local-zone type redirect that did not use the query name for
the answer rrset.
    * Compile fix using Sun Studio 12 compiler on Solaris 5.9, use
CPPFLAGS during configure process.
    * Fix if libev is installed on the base system (not libevent),
detect it from the event.h header file and link with -lev.
    * Fix configlexer.lex gets config.h, and configyyrename.h added by
make, no more double include.
    * More strict scrubber (Thanks to George Barwood for the idea): NS
set must be pertinent to the query.
    * [bugzilla: 307 ]
      In 0x20 backoff fix fallback so the number of outstanding queries
does not become -1 and block the request. Fixed handling of
recursion-lame in combination with 0x20 fallback. Fix so RRsets are
compared canonicalized and sorted if the immediate comparison fails,
this makes the 0x20 option work around round-robin sites.
    * Fix retry sequence if prime hints are recursion-lame.
    * Fix so harden-referral-path does not result in failures due to
max-depth. You can increase the max-depth by adding numbers (' 0') after
the target-fetch-policy, this increases the depth to which is checked.
    * Fix detection of GOST support in ldns (reported by Chris Smith).
    * Fix for dnssec lameness detection to use the key cache.
    * infra cache entries that are expired are wiped clean. Previously
it was possible to not expire host data (if accessed often).
    * Fix dnssec-missing detection that was turned off by server selection.
    * [bugzilla: 308 ]
      Fix spelling error in variable name in parser and lexer.
    * Fix various compiler warnings from the clang llvm compiler.
    * Fix comments in iter_utils:dp_is_useless.
    * EDNS timeout code will not fire if EDNS status already known.
    * EDNS failure not stored if EDNS status known to work.
    * Parent-child disagreement approach altered. Older fixes are
removed in place of a more exhaustive search for misconfigured data
available via the parent of a delegation. This is designed to be
throttled by cache entries, with TTL from the parent if possible.
Additionally the loop-counter is used. It also tests for NS RRset
differences between parent and child. The fetch of misconfigured data
should be more reliable and thorough. It should work reliably even with
no or only partial data in cache. Data received from the child (as
always) is deemed more authoritative than information received from the
delegation parent. The search for misconfigured data is not performed
normally.
    * Fix AD flag handling, it could in some cases mistakenly copy the
AD flag from upstream servers.
    * Ignore Z flag in incoming messages too.
    * alloc_special_obtain out of memory is not a fatal error any more,
enabling unbound to continue longer in out of memory conditions.
    * Parentside names are dispreferred but not said to be dnssec-lame.
    * Fix parentside and querytargets modulestate, for dump_requestlist.
    * unbound-control-setup makes keys -rw-r--- so not all users permitted.
    * libtoolize 2.2.6b, autoconf 2.65 applied to configure.
    * Fix compile warning if compiled without threads.
    * iana portlist updated.
    * included ldns tarball updated.
    * Fix bug where a long loop could be entered, now cycle detection
has a loop-counter and maximum search amount.

Best regards,
   Wouter
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkwXL0wACgkQkDLqNwOhpPgvKQCcCSsOBDsOQrNS+EtcnX3LrvOR
uecAnjlw3uGLzvKp937TA68Vygl4OovG
=XjUq
-----END PGP SIGNATURE-----