Maintained by: NLnet Labs

[Unbound-users] unbound 1.4.13 release

W.C.A. Wijngaards
Thu Sep 15 10:50:11 CEST 2011

Hash: SHA1


Unbound 1.4.13 is released with bug fixes:
SHA1 checksum: 834ccfd1cb41a44f53b33f8338a8f9cc68febaf7
SHA256: 83c7dc2756c488ab5bfcb9b25b81236a4ec42fb3d505267fcaf005555f3a2313

Important change is the different answer for QTYPE ANY with a CNAME in
the answer section, where the format of the answer is now different, but
it DNSSEC validates properly.  This is a change in answers from the
previous unbound versions.  If applications act differently this would
be interesting to know.  The response is meant for debugging (by RFC)
and should have partial contents from cache normally, thus the current
implementation is according to spec (but delivers a different subset of
the available data).

Interesting option is tcp-upstream for tunneling DNS over TCP.  For
difficult deployment situations.

And miscellaneous bugs and patches (thanks to the contributers!)

More details below,
   Best regards,

    * Note that Unbound implements RFC6303 (since version 1.4.7).
    * tcp-upstream yes/no option (works with set_option) for tunnels.
    * The format of answers to the qtype ANY with a CNAME have changed,
so that there can be proper validated DNSSEC answers for them. This is
for queries with qtype ANY where the domain name has a CNAME. Now an
answer is returned, where before it resulted in SERVFAIL due to
validation failure. When DNSSEC validation is disabled, the contents of
the response have changed: the CNAME is not followed, and the correct
contents of the RRsets at the initial name are included (where
previously only partial contents of the initial names could have been
included but the CNAME was followed). The qtype ANY is a query for debug
where the resolver is to fill in relevant data that happens to be at
hand from the cache.

Bug Fixes
    * Fix validation of qtype ANY responses with CNAMEs (thanks Cathy
Zhang and Luo Ce). Unbound responds with the RR types that are available
at the name for qtype ANY and validates those RR types. It does not test
for completeness (i.e. with NSEC or NSEC3 query), and it does not follow
the CNAME or DNAME to another name (with even more data for the already
large response)
    * Documented the options that work with control set_option command.
    * Fix that internally, CNAMEs with NXDOMAIN have that as rcode.
    * Fix validation of . DS query.
    * Fix wildcard expansion no-data reply under an optout NSEC3 zone is
validated as insecure, reported by Jia Li (lijia
    * Fix python site-packages path to /usr/lib64.
    * fix memory and fd leak after out-of-memory condition.
    * patch from Tom Hendrikx fixes load of python modules.
    * Applied patch from Karel Slany that fixes a memory leak in the
unbound python module, in string conversions.
    * Fix num-threads 0 does not segfault, reported by Simon Deziel.
    * fix autoconf 2.68 warnings
    * iana portlist updated

Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora -