Maintained by: NLnet Labs

[Unbound-users] unbound 1.4.11 release

W.C.A. Wijngaards
Thu Jun 30 10:43:28 CEST 2011


Hi,

Unbound 1.4.11 is released, bugfixes and small features.

http://unbound.net/downloads/unbound-1.4.11.tar.gz
sha1: 3dbd7854b05b1e48fcc088be50e4c7aafc8d7306
sha256: 19e44dd7a737de678456885483002c6cd84147d334c7323cb3674d2012c82b4b

It has small and happy changes: querylog option, ignore-cdflag for
support of (win) legacy servers, lto optimization for speedup,
--enable-allsymbols to have smaller install size.  The control port
number has been registered with IANA.  The unbound-control sends a
version number in its header, so its protocol has changed and you need
to update unbound(server) and unbound-control(client).

This version of unbound does DNSSEC validation also for queries received
with CD flag (from downstream validators).  It returns the answer
regardless (it continues to support CD flag).  But the DNSSEC validation
protects its cache from bogus data with failover to other authority
servers; this means that a downstream validator is more likely to find
'good' data here.

Features
    * log-queries: yesno option, default is no, prints querylog.
    * ignore-cd-flag: yesno to provide dnssec to legacy servers.
    * Use -flto compiler flag for link time optimization, if supported.
    * unbound-control has version number in the header, and uses port
      number registered with IANA, 8953.

Bug Fixes
    * Fix Makefile for U in environment, since wrong U is more common
      than deansification necessity.
    * defense in depth against the assertion failure bug fixed in
      1.4.10, an error is printed to log instead of an assertion failure.
    * [bugzilla: 386 ] --enable-allsymbols option links all binaries to
      libunbound and reduces install size significantly.
    * Fix TTL of SOA so negative TTL is separately cached from normal TTL.
    * configure created with newer autoconf 2.66.
    * [bugzilla: 378 ] Fix that configure checks for ldns_get_random
      presence.
    * queries with CD flag set cause DNSSEC validation, but the answer
      is not withheld if it is bogus. Thus, unbound will retry if it is bad
      and curb the TTL if it is bad, thus protecting the cache for use by
      downstream validators.
    * val-override-date: -1 ignores dates entirely, for NTP usage.
    * harden-below-nxdomain: changed so that it activates when the
      cached nxdomain is dnssec secure. This avoids backwards incompatibility
      because those old servers do not have dnssec.
    * statistics-interval prints the number of jostled queries to log.
    * IPv6 service address for d.root-servers.net (2001:500:2D::D).
    * updated ldns tarball to 1.6.10rc2 snapshot
    * iana portlist updated.

Best regards,
   Wouter
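
The CD-flag behaviour described in the announcement can be checked from a client by asking a resolver the same question with and without the CD bit and comparing the reply codes. The sketch below is an added example, not part of the original message or of Unbound's code; the function names, the result labels and the constructed replies are assumptions made for illustration.

```python
import struct

# Header flag bits and RCODEs from RFC 1035 / RFC 4035.
QR, RD, AD, CD = 0x8000, 0x0100, 0x0020, 0x0010
NOERROR, SERVFAIL = 0, 2

def build_query(name, qtype=1, cd=False, txid=0x1234):
    """Return a wire-format IN-class query; cd=True sets Checking Disabled."""
    flags = RD | (CD if cd else 0)
    header = struct.pack("!6H", txid, flags, 1, 0, 0, 0)
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".") if l]
    if any(len(l) > 63 for l in labels):
        raise ValueError("label longer than 63 octets")
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack("!2H", qtype, 1)

def parse_flags(msg):
    """Decode the header bits that matter when testing CD handling."""
    if len(msg) < 12:
        raise ValueError("shorter than a DNS header")
    txid, flags = struct.unpack("!2H", msg[:4])
    return {"id": txid, "qr": bool(flags & QR), "ad": bool(flags & AD),
            "cd": bool(flags & CD), "rcode": flags & 0x000F}

def compare(resp_plain, resp_cd):
    """Interpret replies to one question asked without and with CD."""
    plain = parse_flags(resp_plain)["rcode"]
    with_cd = parse_flags(resp_cd)["rcode"]
    if plain == NOERROR and with_cd == NOERROR:
        return "no-validation-failure"
    if plain == SERVFAIL and with_cd == NOERROR:
        # Validation failed, but the data is still handed to a CD client.
        return "bogus-withheld-unless-cd"
    if plain == SERVFAIL and with_cd == SERVFAIL:
        # E.g. the resolver ignores CD, or resolution itself failed.
        return "cd-not-honoured-or-resolution-failure"
    return "other"

def fake_response(query, rcode, ad=False):
    """Constructed reply for offline use: echoes id/RD/CD and sets QR."""
    txid, flags = struct.unpack("!2H", query[:4])
    flags = QR | (flags & (RD | CD)) | (AD if ad else 0) | rcode
    return struct.pack("!2H", txid, flags) + query[4:]
```

To use it against a live resolver, send the bytes from `build_query` over UDP and pass the two raw replies to `compare`.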