Maintained by: NLnet Labs

[Unbound-users] unbound-1.4.2 release

W.C.A. Wijngaards
Tue Mar 9 09:51:52 CET 2010


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

Unbound 1.4.2 is released, get it here:
http://www.unbound.net/downloads/unbound-1.4.2.tar.gz
SHA1 checksum: bad6b453924c853b177234890522a05904b2e5f9
SHA256 9b2821eeb9fee3145ac04c7dc648ea1ae7d9a600de6b0a1ffacebe7643b913e1

Most significant are a number of bugfixes, as well as the fix that
lowers the query-pattern in case of DNSSEC bogus zones.  See also
http://unbound.net/pipermail/unbound-users/2010-February/001031.html


Features
    * unbound-control list_stubs, list_forwards, list_local_zones,
      list_local_data, log_reopen, set_option and get_option.
    * libunbound ub_ctx_get_option() added.
    * --enable-checking: enables assertions but does not look nonproduction.
    * nicer VERB_DETAIL (verbosity 2, unbound-host -d) output, with
      nxdomain and nodata distinguished.
    * prefetch-key option that performs DNSKEY queries earlier in the
      validation process, and that could halve the latency on DNSSEC
      queries. It takes some extra processing (CPU, a cache is needed).
    * prefetch option that prefetches popular queries before they expire.
    * change unbound-control-setup from 1024(sha1) to 1536(sha256).

Bug Fixes
    * Re-query pattern changed on validation failure. To protect
      troubled authority servers, unbound caches a failure for the
      DNSKEY or DS records for the entire zone, and only retries that
      900 seconds later. This implies that only a handful of packets
      are sent extra to the authority if the zone fails. We made the
      choice to send out more conservatively, protecting against an
      aggregate effect more than protecting a single user (from their
      own folly, perhaps in case of misconfig).
    * Fix crash in control channel code.
    * iana portlist updated.
    * make install depends on make all.
    * Fix 5011 auto-trust-anchor-file initial read to skip RRSIGs.
    * ldns tarball updated: long label length syntax error fix, libdl
      compile fix.
    * --disable-rpath fixed for libtool not found errors.
    * Fixup prototype for lexer cleanup in daemon code.
    * Fix scrubber bug that potentially let NS records through.
      Reported by Amanda Constant.
    * Also delete potential poison references from additional.
    * Fix: no classification of a forwarder as lame, throwaway instead.
    * More strict DS scrubbing.
    * No more blacklisting of unresponsive servers, a 2 minute timeout
      is backed off to.
    * RD flag not enabled for dnssec-blacklisted tries, unless necessary.
    * log 'tcp connect: connection timed out' only in high verbosity.
    * Disregard DNSKEY from authority section for chain of trust. DS
      records that are irrelevant to a referral scrubbed. Anti-poison.
    * Check for 'no space left on device' (or other errors) when
      writing updated autotrust anchors and print errno to log.
    * Fixup in compat snprintf routine, %f 1.02 and %g support.
    * include math.h for testbound test compile portability.
    * Updated url of IANA itar, interim trust anchor repository, in script.
    * configure test for memcmp portability.
    * removed warning on format string in validator error log statement.
    * libtool finish the install of unbound python dynamic library.
    * Fixup lookup trouble for parent-child domains on the first query.
    * Fixup ldns detection to also check for header files.
    * Fix unbound-checkconf for auto-trust-anchor-file present checks.
    * Fix for parent-child disagreement code which could have trouble
      when (a) ipv6 was disabled and (b) the TTL for parent and child
      were different. There were two bugs, the parent-side information
      is fixed to no longer block lookup of child side information and
      the iterator is fixed to no longer attempt to get ipv6 when it is
      not enabled and then give up in failure.
    * Fixup python documentation (thanks Leo Vandewoestijne).
    * [bugzilla: 291] DNS wireformat max is 255. dname_valid allowed
      256 length.
    * verbose output includes parent-side-address notion for lameness.
    * documented val-log-level: 2 setting in example.conf and man page.

Best regards,
   Wouter
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkuWDCcACgkQkDLqNwOhpPhJewCfVjWyXtMbon1dHIAR/XECkV+e
K5IAn1ZzV6AIOibHlqguFhge0cnzTsXQ
=rpgK
-----END PGP SIGNATURE-----
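
The bugzilla 291 item above is an off-by-one on the wire-format name limit. The following is an added example, not code from the announcement or from Unbound: a bounds-checked length validator for an uncompressed wire-format name that rejects 256 octets and accepts 255. The names wire_dname_len and sample_len are hypothetical, and the sample names are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WIRE_DNAME_MAX 255 /* RFC 1035 limit, counting length octets and root */
#define WIRE_LABEL_MAX 63

/* Hypothetical helper, not Unbound's dname_valid().
 * Returns the encoded length (1..255) of the uncompressed name at buf,
 * or 0 if it is truncated, uses a non-plain label type, or is too long. */
size_t wire_dname_len(const uint8_t *buf, size_t buflen)
{
    size_t pos = 0;
    for (;;) {
        if (pos >= buflen)
            return 0;               /* no root label inside the buffer */
        size_t lablen = buf[pos];
        if (lablen > WIRE_LABEL_MAX)
            return 0;               /* compression pointer or reserved type */
        if (pos + 1 + lablen > WIRE_DNAME_MAX)
            return 0;               /* '>' here; '>=' would also reject 255 */
        if (lablen == 0)
            return pos + 1;         /* root label ends the name */
        if (pos + 1 + lablen > buflen)
            return 0;               /* label data runs past the buffer */
        pos += 1 + lablen;
    }
}

/* Constructed sample: three 63-octet labels, one of `last` (<= 63), root. */
size_t sample_len(size_t last)
{
    uint8_t name[3 * 64 + 1 + 63 + 1];
    size_t pos = 0;
    for (int i = 0; i < 4; i++) {
        size_t n = (i < 3) ? WIRE_LABEL_MAX : last;
        name[pos++] = (uint8_t)n;
        memset(name + pos, 'a', n);
        pos += n;
    }
    name[pos++] = 0;
    return wire_dname_len(name, pos);
}

int main(void)
{
    printf("255-octet name -> %zu\n", sample_len(61));
    printf("256-octet name -> %zu\n", sample_len(62));
    return 0;
}
```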