Maintained by: NLnet Labs

[Unbound-users] unbound 1.4.8 release

W.C.A. Wijngaards
Mon Jan 24 15:47:02 CET 2011


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

Unbound 1.4.8 is available:
http://unbound.net/downloads/unbound-1.4.8.tar.gz
sha1   557a9c10de9a83f88cd7c66d44488f1cb65de4fa
sha256 5bf4060d2e778a1268498f4937583726d1d36909d7f40900ee31a722a64d506f

One major change in this release is fixed algorithm treatment. This is
fixed after long discussions on dnsext (IETF workgroup), it is more
lenient to allow easier key algorithm rollover, but at the same time
unbound still checks that the algorithms advertised (via trust anchor or
DS record) really work. In actual deployments changes happen if you have
multiple DNSKEY algorithms in trust anchors or published DS RRsets. It
would be good for our users to pick up this fix, and implement it, so
that key algorithm rollover becomes easier on the internet.

Also Fixed is 'imgw.pl', many people reported this, now unbound has
'bind-like' lenience for this.


Features

o harden-below-nxdomain config option, default off (because very old
  software may be incompatible).  We could enable it by default in
  the future.  From draft-vixie-dnsext-resimprove-00.
o typetransparent localzone: does not block other RR types.
o so-sndbuf option for very busy servers, a bit like so-rcvbuf.

Bug Fixes

o Fix so a changed NS RRset does not get moved name stuck on old
  server, for type NS the TTL is not increased.
o Fix prefetch so it does not get stuck on old server for moved names.
o Fix insecure CNAME sequence marked as secure, reported by Bert
  Hubert.
o faster lruhash get_mem routine.
o #346: remove ITAR scripts from contrib, the service is discontinued.
o Fix in infra cache that could cause rto larger than TOP_TIMEOUT
  kept.
o algorithm compromise protection using the algorithms signalled in
  the DS record.  Also, trust anchors, DLV, and RFC5011 receive this,
  and thus, if you have multiple algorithms in your trust-anchor-file
  then it will now behave different than before.  Also, 5011 rollover
  for algorithms needs to be double-signature until the old algorithm
  is revoked.
o squelch 'tcp connect: bla' in logfile, (set verbosity 2 to see
  them)
o fix validation in this case: CNAME to nodata for co-hosted opt-in
  NSEC3 insecure delegation, was bogus, fixed to be insecure.
o Fix our 'BDS' license (typo reported by Xavier Belanger).
o #338: print address when socket creation fails.
o Fix storage of EDNS failures in the infra cache.
o silence 'tcp connect: broken pipe' and 'net down' at low verbosity.
o unbound-anchor compiles with openssl 0.9.7.
o Be lenient and accept imgw.pl malformed packet (like BIND).
o the included ldns tarball is updated (to 1.6.8)
o iana portlist updated.

Best regards,
   Wouter
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk09kOYACgkQkDLqNwOhpPhwhwCeM7VO2eRKFW5CiHdtKDtV2ukc
cbwAoIdP+15FE2OU44XuHnYQYyUZDvtC
=5H2b
-----END PGP SIGNATURE-----