Maintained by: NLnet Labs

[Unbound-users] Unbound 1.5.4 release

W.C.A. Wijngaards
Thu Jul 9 11:37:40 CEST 2015

Unbound 1.5.4 is available:
sha1 ce0abc1563baa776a0f2c21516ffc13e6bff7d0f
sha256 a1e1c1a578cf8447cb51f6033714035736a0f04444854a983123c094cc6fb137

Ratelimiting feature debuts, config for negative cache TTL, option to
turn off algorithm strictness (requested to stop unbound from checking
for algorithm rollover mistakes).  Type ANY is answered from cache if
a couple of well-known types are available; for speed, it is not an
exhaustive cache search.

DLV is going to be decommissioned.  Added advice to the documentation
to stop using it.  If the 5011 trust anchor file fails to be writable,
unbound will exit (probably soon after startup, within seconds); this is
to elicit rollover-operational issues beforehand.

Additionally this version has better compatibility backoff for the
0x20 capsforid option, has integer overflow checks for safety, and the
local-zone inform_deny option (write log and withhold access to domain).

-   [bugzilla: 644 ] harden-algo-downgrade option, if turned off,
fixes the reported excessive validation failure when multiple
algorithms are present. If set to 'no', it allows the weakest
algorithm to validate the zone.
-   stats reports tcp usage, of incoming-num-tcp buffers.
-   contrib/unbound_smf22.tar.gz: Solaris SMF installation/removal
scripts. Contributed by Yuri Voinov.
-   Add ip-transparent config option for bind to non-local addresses.
-   Synthesize ANY responses from cache. Does not search exhaustively,
-   unbound-control list_insecure command shows the negative trust
anchors currently configured, patch from Jelte Jansen.
-   ratelimit feature, ratelimit: 1000, can be used to turn it on. It
ratelimits recursion effort per zone. For particular names you can
configure exceptions in unbound.conf.
-   Ratelimit does not apply to prefetched queries, and
ratelimit-factor is default 10. Repeated normal queries get resolved
and with prefetch stay in the cache.
-   unbound-control ratelimit_list lists high rate domains.
-   caps-whitelist in unbound.conf allows whitelist of loadbalancers
that cannot work with caps-for-id or its fallback.
-   RFC 7553 RR type URI support, is now enabled by default.
-   cache-max-negative-ttl config option, default 3600.
-   Add local-zone type inform_deny, that logs query and drops answer.

Bug Fixes
-   Unbound exits with a fatal error when the auto-trust-anchor-file
fails to be writable. This is seconds after startup. You can load a
readonly auto-trust-anchor-file with trust-anchor-file. The file has
to be writable to notice the trust anchor change, without it, a trust
anchor change will be unnoticed and the system will then become
-   DLV is going to be decommissioned. Advice to stop using it, and
put text in the example configuration and man page to that effect.
-   Patch from Brad Smith that syncs compat/getentropy_linux with
OpenBSD's version (2015-03-04).
-   0x20 fallback improved: servfail responses do not count as missing
comparisons (except if all responses are errors), inability to find
nameservers does not fail equality comparisons, many nameservers does
not try to compare more than max-sent-count, parse failures start 0x20
fallback procedure.
-   store caps_response with best response in case downgrade response
happens to be the last one.
-   Document that incoming-num-tcp increase is good for large servers.
-   Fix lintian warning in unbound-checkconf man page (from Andreas
-   Updated default keylength in unbound-control-setup to 3k.
-   Fixup compile on cygwin, more portable openssl thread id.
-   Use reallocarray for integer overflow protection, patch submitted
by Loganaden Velvindron.
-   Fixed to add integer overflow checks on allocation (defense in depth
-   Fix segfault on user not found at startup (from Maciej Soltysiak).
-   [bugzilla: 657 ] Fix that libunbound(3) recommends deprecated
-   If unknown trust anchor algorithm, and libressl is used, error
message encourages upgrade of the libressl package.
-   rename ldns subdirectory to sldns to avoid name collision.
-   [bugzilla: 660 ] Fix interface-automatic broken in the presence of
asymmetric routing.
-   Libunbound skips dos-line-endings from etc/hosts.
-   Fix crash in dnstap: Do not try to log TCP responses after timeout.
-   Fix that get_option for cache-sizes does not print double newline.
-   [bugzilla: 663 ] Fix that ssl handshake fails when using unix
socket because dh size is too small.
-   [bugzilla: 664 ] libunbound python3 related fixes (from Tomas
Hozza); Use print_function also for Python2. libunbound examples:
produce sorted output. libunbound-Python: libldns is not used anymore.
Fix issue with Python 3 mapping of FILE* using file_py3.i from ldns.
-   Fix leaked dns64prefix configuration string.
-   Removed contrib/unbound_unixsock.diff, because it has been
integrated, use control-interface: /path in unbound.conf.
-   Change syntax of particular validator error to be easier to
machine parse, swap rrset and IP address info so it looks like:
validation failure < TXT IN>: signature crypto failed
from 2001:DB8:7:bba4::53 for <* NSEC IN>
-   Fix that unparseable error responses are ratelimited.
-   SOA negative TTL is capped at minimumttl in its rdata section.
-   [bugzilla: 674 ] Do not free pointers given by getenv.
-   [bugzilla: 677 ] Fix CNAME corresponding to a DNAME was checked
incorrectly and was therefore always synthesized (thanks to Valentin
Dietrich). And fix DNAME responses from cache that failed internal
chain test.
-   iana portlist update. and are also

Best regards,
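Added example, not part of the announcement above and not NLnet Labs' own
configuration: an unbound.conf fragment that exercises the options this
release introduces, so the new knobs can be seen together with the values
the announcement mentions. The values, zone names (example.com,
example.net, blocked.example), the 192.0.2.53 interface and the file
paths are assumptions chosen for illustration. ratelimit-for-domain and
ratelimit-below-domain are the per-domain exception options from
unbound.conf(5); the announcement refers to such exceptions without
naming them.

```conf
server:
    # Recursion effort per zone, in queries per second; 0 disables.
    # Prefetched queries are not counted against the limit.
    ratelimit: 1000
    # Release default: of queries over the limit, 1 in 10 is still let
    # through, so repeated normal queries get resolved and stay cached.
    ratelimit-factor: 10
    # Per-domain exceptions (assumed example values).
    ratelimit-for-domain: example.com 5000
    ratelimit-below-domain: example.net 100

    # Strict default is 'yes'. Setting 'no' lets the weakest algorithm
    # present validate the zone; only relax this if you have hit the
    # multi-algorithm validation failures the release notes describe.
    harden-algo-downgrade: no

    # Upper bound on cached negative answers, in seconds (default 3600).
    cache-max-negative-ttl: 3600

    # Load balancer that cannot handle 0x20 case randomisation or its
    # fallback; queries to it are sent without caps-for-id.
    caps-whitelist: lb.example.net

    # Bind to an address that is not (yet) configured on this host,
    # e.g. a failover VIP. Assumed address.
    ip-transparent: yes
    interface: 192.0.2.53

    # Log the query and withhold the answer for this zone.
    local-zone: "blocked.example." inform_deny

    # RFC 5011 managed anchor. As of 1.5.4 unbound exits seconds after
    # startup if this file is not writable by the unbound user; use
    # trust-anchor-file instead for a deliberately read-only anchor.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

remote-control:
    control-enable: yes
    # Unix socket; the former contrib/unbound_unixsock.diff is built in.
    control-interface: /var/run/unbound.ctl
```

Run unbound-checkconf on the file before restarting, and confirm the
auto-trust-anchor-file is writable by the user unbound drops privileges
to, since a permissions mistake now surfaces as an exit shortly after
startup rather than as a silently missed rollover. Once running, the two
control commands from the release notes show the effect of the new
options: unbound-control ratelimit_list for domains currently hitting the
ratelimit, and unbound-control list_insecure for the configured negative
trust anchors.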