Maintained by: NLnet Labs

Unbound 1.5.5 release

W.C.A. Wijngaards
Tue Oct 6 11:08:53 CEST 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi,

Unbound 1.5.5 is available:
http://www.unbound.net/downloads/unbound-1.5.5.tar.gz
sha1 ff93df847187120c9ee98e7eebe4bb1bc859a8f2
sha256 f3bd7d3bc9519e8717abdc35c26cb2d84c3c3a3e2cd657604307e6860b37da5e
pgp http://www.unbound.net/downloads/unbound-1.5.5.tar.gz.asc

And windows binaries:
http://www.unbound.net/downloads/unbound-1.5.5.zip
pgp http://www.unbound.net/downloads/unbound-1.5.5.zip.asc
http://www.unbound.net/downloads/unbound_setup_1.5.5.exe
pgp http://www.unbound.net/downloads/unbound_setup_1.5.5.exe.asc


This release contains new H root server IPs for the upcoming change in
December 2015.  There are fixes for the 5011 tracking, and a feature
that makes it easier to test.  Algorithm rollover is made easier by
the new default for harden-algo-downgrade that is more lenient.


Features
- - Change default of harden-algo-downgrade to off. This is lenient for
  algorithm rollover.
- - Added permit-small-holddown config to debug fast 5011 rollover.
- - Allow certificate chain files to allow for intermediate certificates.
  (thanks Daniel Kahn Gillmor)
- - Enable ECDHE for servers. Where available, use
  SSL_CTX_set_ecdh_auto() for TLS-wrapped server configurations to
  enable ECDHE. Otherwise, manually offer curve p256. Client
  connections should automatically use ECDHE when available. (thanks
  Daniel Kahn Gillmor)
- - [bugzilla: 699] Feature --enable-pie option to that builds PIE
  binary.
- - [bugzilla: 700] Feature --enable-relro-now option that enables full
  read-only relocation.
- - [bugzilla: 702] New IPs for for h.root-servers.net.

Bug Fixes
- - [bugzilla: 681] Fix setting forwarders with unbound-control forward
  implicitly turns on forward-first.
- - [bugzilla: 690] Fix that reload fails when so-reuseport is yes after
  changing num-threads.
- - please afl-gcc (llvm) for uninitialised variable warning.
- - Fix mktime in unbound-anchor not using UTC.
- - Fix 5011 anchor update timer after reload.
- - 5011 implementation does not insist on all algorithms, when harden-
  algo-downgrade is turned off.
- - Document in the manual more text about configuring locally served
  zones.
- - Document that local-zone nodefault matches exactly and transparent
  can be used to release a subzone.
- - [bugzilla: 694] Fix that configure script does not detect LibreSSL
  2.2.2
- - Fix deadlock for local data add and zone add when unbound-control
  list_local_data printout is interrupted.
- - [bugzilla: 697] Fix get PY_MAJOR_VERSION failure at configure for
  python 2.4 to 2.6.
- - changed windows setup compression to be more transparent.
- - Fix config globbed include chroot treatment, this fixes reload of
  globs (patch from Dag-Erling Smørgrav).
- - [bugzilla: 705] Fix ub_ctx_set_fwd() return value mishandled on
  windows.
- - Fix minor error in unbound.conf.5.in.
- - Fix unbound.conf(5) access-control description for precedence and
  default.
- - Fix unbound-control flush that does not succeed in removing data.
- - MAX_TARGET_COUNT increased to 64, to fix up sporadic resolution
  failures.
- - iana portlist update.


Best regards, Wouter
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJWE4+lAAoJEJ9vHC1+BF+Ntx4P/2XF7ol6HLl6/6onCt1+3ShW
hjST8A4rlHXwXr9EDQDLUiAPmBklbQeWdNmYHZnlsRHll1bnJd9I7ydrJVzYh8p6
0RW3RIM8ipZDTf98tbSK4BD1LCNU4JqSJ3+F/Ee1aq5oPPOaR7sfWwn8QRUu5Bch
4knZ1lRNnnZnf38Okc7gWi0mUQbgDx7x5SQTqmpQwjKdPjTdNadY9fHLQX5R6sfg
ZdnFT+Xscr6TGfvwuF42+Sm8Y22CStwlqsVSEAd/0tOPtRzZ1RsPGm6UCGIWUcVw
fxJ7nxeuH25OHuPoWyW4d5mxn9kEtg0NejqrRHHZTPazLqsAOifRWULwmVKBv4xy
i7dOBXdLKuTvGPUfnFV6PrBcYtOHcNbdKtyGGrDZQcdy/Sc+SQd2uit2PX2pvEPm
dM3nvC3o5x43b6yRGScbTLLMU0ymFOyN5xK9pISbTuzlmfo+g/m9IEj74QzdJl+8
w2rYzhggAqqk0Jgn8YmgwjYBRB3LuTM74ne9UgDRL649T552b6Xkv1Rvr5l8/SNR
ffSPX5Jygfkl+ss3SpwlE+m6OkJOvkebzI8ZCCGwL9PFQ9ICt/X/yjwIgYzTDNDV
poryGJV+luvhGZPQ8qhHP+A4woQ+SDekoA0J2vZKn0Wggp15kduZfxxWAklBn6Yz
03U+2bSjCTdsD6NEqz9j
=YugP
-----END PGP SIGNATURE-----