Maintained by: NLnet Labs

[Unbound-users] unbound 1.5.4rc1 maintainers prerelease

W.C.A. Wijngaards
Thu Jul 2 07:46:22 CEST 2015



Hi,

Unbound 1.5.4rc1 maintainers prerelease is available:
http://www.unbound.net/downloads/unbound-1.5.4rc1.tar.gz
sha1 8a2ba37cc2f983ca30b1f1fa02ef59f2b8a6f8a6
sha256 34eaa4a88280597817d6169bdf153f7a474c3e1b8de7d34bac4b01aac69540f0

The ratelimiting feature debuts, along with a config option for the negative
cache TTL and an option to turn off algorithm strictness (requested to stop
unbound from checking for algorithm rollover mistakes).  Type ANY is answered
from cache if a couple of well-known types are available; for speed, this is
not an exhaustive cache search.

DLV is going to be decommissioned.  Added advice to the documentation to stop
using it.  If the RFC 5011 trust anchor file fails to be writable, unbound
will exit (probably soon after startup, within seconds); this is to elicit
rollover-operational issues beforehand.

Additionally this version has better compatibility backoff for the
0x20 capsforid option, has integer overflow checks for safety, and the
local-zone inform_deny option (write log and withhold access to domain).

Features
-   [bugzilla: 644] harden-algo-downgrade option; if turned off, it
fixes the reported excessive validation failures when multiple
algorithms are present. If set to 'no', it allows the weakest
algorithm to validate the zone.
-   stats reports TCP usage of the incoming-num-tcp buffers.
-   contrib/unbound_smf22.tar.gz: Solaris SMF installation/removal
scripts. Contributed by Yuri Voinov.
-   Add ip-transparent config option to bind to non-local addresses.
-   Synthesize ANY responses from cache. Does not search exhaustively,
but looks for MX, A, AAAA, SOA, NS and also CNAME.
-   unbound-control list_insecure command shows the negative trust
anchors currently configured, patch from Jelte Jansen.
-   ratelimit feature; ratelimit: 1000 can be used to turn it on. It
ratelimits recursion effort per zone. For particular names you can
configure exceptions in unbound.conf.
-   Ratelimit does not apply to prefetched queries, and
ratelimit-factor defaults to 10. Repeated normal queries get resolved
and, with prefetch, stay in the cache.
-   unbound-control ratelimit_list lists high-rate domains.
-   caps-whitelist in unbound.conf allows whitelisting of load balancers
that cannot work with caps-for-id or its fallback.
-   RFC 7553 RR type URI support is now enabled by default.
-   cache-max-negative-ttl config option, default 3600.
-   Add local-zone type inform_deny, which logs the query and drops the answer.
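The options named in the feature list above, collected into one unbound.conf server fragment. This is an added example, not configuration shipped with the release; the domain names, netblock and file path are placeholders, and the per-domain ratelimit exception keys (ratelimit-for-domain, ratelimit-below-domain) are the ones documented in unbound.conf(5) for this feature.

```conf
server:
    # Recursion-effort ratelimit per zone (queries/second); 0 disables it.
    ratelimit: 1000
    # Of queries above the limit, 1 in ratelimit-factor still goes out so a
    # popular name keeps getting refreshed; 0 blocks all of them. Prefetched
    # queries are never ratelimited.
    ratelimit-factor: 10
    # Exceptions for particular names (placeholder zone): a higher limit for
    # the zone itself and a lower one for each delegation below it.
    ratelimit-for-domain: example.com 2000
    ratelimit-below-domain: example.com 200

    # Keep algorithm strictness on; only set 'no' if the multi-algorithm
    # validation failures described above hit you, since 'no' lets the
    # weakest present algorithm validate the zone.
    harden-algo-downgrade: yes

    # 0x20 case randomisation, with a placeholder netblock of load balancers
    # that cannot cope with it or with the fallback comparison.
    use-caps-for-id: yes
    caps-whitelist: 192.0.2.0/24

    # Cap on negative (NXDOMAIN/NODATA) cache entries, in seconds.
    cache-max-negative-ttl: 3600

    # Log the query and withhold the answer for a placeholder domain.
    local-zone: "blocked.example." inform_deny

    # RFC 5011 anchor: the file must be writable by the unbound user, or
    # unbound exits seconds after startup. A read-only anchor belongs in
    # trust-anchor-file instead, at the cost of missing rollovers.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    # DLV is being decommissioned: leave dlv-anchor-file unset.
```

Run unbound-checkconf against the file after editing; the writable-anchor check is enforced at runtime, not by the config parser, so also confirm the anchor file's owner matches the username: setting.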

Bug Fixes
-   Unbound exits with a fatal error when the auto-trust-anchor-file
fails to be writable. This is seconds after startup. You can load a
read-only auto-trust-anchor-file with trust-anchor-file. The file has
to be writable to notice the trust anchor change; without it, a trust
anchor change will be unnoticed and the system will then become
inoperable.
-   DLV is going to be decommissioned. Advice to stop using it, and
put text in the example configuration and man page to that effect.
-   Patch from Brad Smith that syncs compat/getentropy_linux with
OpenBSD's version (2015-03-04).
-   0x20 fallback improved: servfail responses do not count as missing
comparisons (except if all responses are errors), inability to find
nameservers does not fail equality comparisons, with many nameservers it
does not try to compare more than max-sent-count, and parse failures
start the 0x20 fallback procedure.
-   Store caps_response with the best response in case the downgrade
response happens to be the last one.
-   Document that an incoming-num-tcp increase is good for large servers.
-   Fix lintian warning in unbound-checkconf man page (from Andreas
Schulze).
-   Updated default keylength in unbound-control-setup to 3k.
-   Fix compile on cygwin; more portable OpenSSL thread id.
-   Use reallocarray for integer overflow protection, patch submitted
by Loganaden Velvindron.
-   Fixed to add integer overflow checks on allocation (defense in depth).
-   Fix segfault on user not found at startup (from Maciej Soltysiak).
-   [bugzilla: 657] Fix that libunbound(3) recommends the deprecated
CRYPTO_set_id_callback.
-   If the trust anchor algorithm is unknown and libressl is used, the error
message encourages an upgrade of the libressl package.
-   Rename ldns subdirectory to sldns to avoid a name collision.
-   [bugzilla: 660] Fix interface-automatic broken in the presence of
asymmetric routing.
-   Libunbound skips DOS line endings in etc/hosts.
-   Fix crash in dnstap: do not try to log TCP responses after timeout.
-   Fix that get_option for cache sizes does not print a double newline.
-   [bugzilla: 663] Fix that the SSL handshake fails when using a unix
socket because the DH size is too small.
-   [bugzilla: 664] libunbound python3 related fixes (from Tomas
Hozza); use print_function also for Python2. libunbound examples:
produce sorted output. libunbound-Python: libldns is not used anymore.
Fix issue with Python 3 mapping of FILE* using file_py3.i from ldns.
-   Fix leaked dns64prefix configuration string.
-   Removed contrib/unbound_unixsock.diff, because it has been
integrated; use control-interface: /path in unbound.conf.
-   Change syntax of a particular validator error to be easier for
machine parsing; swap the rrset and IP address info so it looks like:
validation failure <www.example.nl. TXT IN>: signature crypto failed
from 2001:DB8:7:bba4::53 for <*.example.nl. NSEC IN>
-   Fix that unparseable error responses are ratelimited.
-   SOA negative TTL is capped at the minimum TTL in its rdata section.
-   [bugzilla: 674] Do not free pointers given by getenv.
-   [bugzilla: 677] Fix that a CNAME corresponding to a DNAME was checked
incorrectly and was therefore always synthesized (thanks to Valentin
Dietrich). And fix DNAME responses from cache that failed the internal
chain test.
-   IANA portlist update.
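The reworked validator error line above was changed to be easy to parse by machine. As an added example that is not part of the announcement or of the Unbound project, the following Python parses that exact shape out of an unbound log and counts failures per upstream server, which is what you would feed into monitoring to tell a broken signer from a single bad nameserver. The surrounding "[timestamp] unbound[pid:tid] info:" prefix and all sample lines are constructed for the example; the only real message text is the one quoted in the changelog.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional

# The 1.5.4 layout:
#   validation failure <QNAME QTYPE QCLASS>: REASON from SERVER for <NAME TYPE CLASS>
# The query tuple comes first, then the free-text reason, then the address the
# failing response came from, then the rrset that actually failed.
_VALFAIL_RE = re.compile(
    r"validation failure <(?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>\S+)>: "
    r"(?P<reason>.+?) from (?P<server>\S+) "
    r"for <(?P<rrname>\S+) (?P<rrtype>\S+) (?P<rrclass>\S+)>"
)


@dataclass(frozen=True)
class ValidationFailure:
    qname: str
    qtype: str
    qclass: str
    reason: str
    server: str
    rrname: str
    rrtype: str
    rrclass: str


def parse_validation_failure(line: str) -> Optional[ValidationFailure]:
    """Return the parsed failure for one log line, or None for any other line."""
    m = _VALFAIL_RE.search(line)  # search: the syslog/unbound prefix may vary
    if m is None:
        return None
    return ValidationFailure(**m.groupdict())


def parse_log(lines: Iterable[str]) -> List[ValidationFailure]:
    """Keep only the validation-failure records from a stream of log lines."""
    return [vf for vf in map(parse_validation_failure, lines) if vf is not None]


def failures_by_server(lines: Iterable[str]) -> Counter:
    """Count failures per upstream address: one noisy server versus a bad zone."""
    return Counter(vf.server for vf in parse_log(lines))


# Constructed sample log; the first message body is the one from the changelog.
SAMPLE_LOG = [
    "[1435816000] unbound[2193:0] info: validation failure <www.example.nl. TXT IN>: "
    "signature crypto failed from 2001:DB8:7:bba4::53 for <*.example.nl. NSEC IN>",
    "[1435816001] unbound[2193:0] info: validation failure <mail.example.nl. MX IN>: "
    "signature expired from 192.0.2.53 for <example.nl. MX IN>",
    "[1435816002] unbound[2193:0] info: start of service (unbound 1.5.4rc1).",
]

if __name__ == "__main__":
    for vf in parse_log(SAMPLE_LOG):
        print(f"{vf.server:>22}  {vf.rrname} {vf.rrtype}: {vf.reason}")
    print(failures_by_server(SAMPLE_LOG))
```

The reason field is matched lazily up to the last " from ADDRESS for <" so it survives reasons that themselves contain the word "from"; anything that is not a validation failure (service start, other info lines) is skipped rather than raising.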

http://www.unbound.net/downloads/unbound-1.5.4rc1.zip and
http://www.unbound.net/downloads/unbound_setup_1.5.4rc1.exe are also
available.

Best regards,
   Wouter