Maintained by: NLnet Labs

Unbound 1.5.5rc1 maintainers prerelease

W.C.A. Wijngaards
Mon Sep 28 16:25:29 CEST 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi,

Unbound 1.5.5rc1 maintainers prelease candidate 1 is available:
http://www.unbound.net/downloads/unbound-1.5.5rc1.tar.gz
sha1 5b00efea35abb168d7788d6970edf221ddcc975d
sha256 d03f293305ca5c5e354db6fb1389870322b1fa2ec02e3c146c6a14c2ba53c525
pgp http://www.unbound.net/downloads/unbound-1.5.5rc1.tar.gz.asc

This release contains new H root server IPs for the upcoming change in
December 2015.  There are fixes for the 5011 tracking, and a feature
that makes it easier to test.  Algorithm rollover is made easier by
the new default for harden-algo-downgrade that is more lenient.


Features
- - Change default of harden-algo-downgrade to off. This is lenient for
  algorithm rollover.
- - Added permit-small-holddown config to debug fast 5011 rollover.
- - Allow certificate chain files to allow for intermediate certificates.
  (thanks Daniel Kahn Gillmor)
- - Enable ECDHE for servers. Where available, use
  SSL_CTX_set_ecdh_auto() for TLS-wrapped server configurations to
  enable ECDHE. Otherwise, manually offer curve p256. Client
  connections should automatically use ECDHE when available. (thanks
  Daniel Kahn Gillmor)
- - [bugzilla: 699] Feature --enable-pie option to that builds PIE
  binary.
- - [bugzilla: 700] Feature --enable-relro-now option that enables full
  read-only relocation.
- - [bugzilla: 702] New IPs for for h.root-servers.net.

Bug Fixes
- - [bugzilla: 681] Fix setting forwarders with unbound-control forward
  implicitly turns on forward-first.
- - [bugzilla: 690] Fix that reload fails when so-reuseport is yes after
  changing num-threads.
- - please afl-gcc (llvm) for uninitialised variable warning.
- - Fix mktime in unbound-anchor not using UTC.
- - Fix 5011 anchor update timer after reload.
- - 5011 implementation does not insist on all algorithms, when harden-
  algo-downgrade is turned off.
- - Document in the manual more text about configuring locally served
  zones.
- - Document that local-zone nodefault matches exactly and transparent
  can be used to release a subzone.
- - [bugzilla: 694] Fix that configure script does not detect LibreSSL
  2.2.2
- - Fix deadlock for local data add and zone add when unbound-control
  list_local_data printout is interrupted.
- - [bugzilla: 697] Fix get PY_MAJOR_VERSION failure at configure for
  python 2.4 to 2.6.
- - changed windows setup compression to be more transparent.
- - Fix config globbed include chroot treatment, this fixes reload of
  globs (patch from Dag-Erling Smørgrav).
- - [bugzilla: 705] Fix ub_ctx_set_fwd() return value mishandled on
  windows.
- - Fix minor error in unbound.conf.5.in.
- - Fix unbound.conf(5) access-control description for precedence and
  default.
- - Fix unbound-control flush that does not succeed in removing data.
- - MAX_TARGET_COUNT increased to 64, to fix up sporadic resolution
  failures.
- - iana portlist update.


Best regards, Wouter
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJWCU3YAAoJEJ9vHC1+BF+N2hkQAJnhe+86cYkImRNKZkEzkzFE
JLK5pX6+bbYPQQ5vVIYkSM9XM615Lj0aDQ5SpxQKMXW5y/6Gy3g7kEuZfuuFtYdH
jt7/QLx8N7K+s209JSprbaVIRFCn/7D7ub9S8eyGqKnc9DBr/1tvhDzC3PbHZldb
GQR1KAx5xzxbNf1gzIo+QA9S7hpeBH0riD+K74THy2hWtVmvAKZ0b1AgRjCppiT3
a6kb1Hfn62z6QWbGIMrudxhgUS2DcpZA2UzffS9kMSFJiV1sGx95LE785nrI8Jpl
05tT1ZoTB7aZpmyAQNNk6gFrPyi/jbJqwgUnrcV2A0uxUU8ZPtK4txICMKqs2SkM
dsZFICOMbFoHc9HNzOQg6pg1Y8Ko/zgg3cKYsqp31jDx7awQWyFKdGHUfAqOuvu5
kg1YMLmdEr7KDMMNZxRX0LWC89Pkg8Gx6QwJanshtcfvqrP3u9aLoVqR24DxOK+t
zv3qc17pQIc+fxyEEAzWvzx+/SNun7J5OmZiaMn34LjiJzkSa3L8RMUsl8mIjEpp
YpTwazUZEw5szFyYzo11ZDvxDNxbZzfE5t5vbjm1paDkmd8v9d1Ot6UXRX3Xhj4E
uUqJl5/HwqHax4yUCAL0zl1rS+Z0HQYn6R5t6GblVucPk5OaT7E/zyHvsWBlVsUg
PRhP1fjHsXMjGrn35PkK
=aZju
-----END PGP SIGNATURE-----