Maintained by: NLnet Labs

Unbound 1.6.0rc1 prerelease

Spike
Thu Dec 8 17:05:40 CET 2016


Fantastic improvement, thanks Wouter and everybody else that made this
possible.

A couple of questions from an unbound noob regarding the new features; bear
with me please:

-  "Added two flags to module_qstate", does this mean that a python plugin
now could intercept a request before it's served by cache and override it?
We need to override some domains differently for different parts of the org
and right now I'm running two diff unbounds because my understanding was
that if the answer was cached after group1 hit the domain for example, that
would be served to group2 too because their python script would never be
called since no resolution was necessary. Does this new feature change this?

- "Added views functionality." Does this change the above completely in
terms of serving different As to different parts of the org? How does this
compare to, say, BIND's views? Or am I misunderstanding entirely what you
mean by views here?

- "Patch that resolves CNAMEs entered in local-data": this mentions "hosts
on the internet". Does that mean it's still not possible to have CNAMEs in
local-data pointing to local servers? I understand unbound is not an authoritative
server and I like that design choice, but I do maintain a few pointers for
internal infrastructure and it would be nice to be able to do everything with
unbound without running BIND.

Thanks again to everybody who worked on this; the rest of us really
appreciate it.

Spike

On Thu, Dec 8, 2016 at 3:19 AM W.C.A. Wijngaards via Unbound-users <unbound-users at unbound.net> wrote:

> Hi,
>
> Unbound 1.6.0rc1 maintainers prerelease is available:
> http://www.unbound.net/downloads/unbound-1.6.0rc1.tar.gz
> sha256 7c94ea4fbeab7cdc7b56c862c90021a078c0d30a5643431aaaa8c676347086a5
> pgp http://www.unbound.net/downloads/unbound-1.6.0rc1.tar.gz.asc
> http://www.unbound.net/downloads/unbound-1.6.0rc1.zip
> http://www.unbound.net/downloads/unbound_setup_1.6.0rc1.exe
>
> Unbound 1.6.0 has a number of features and bugfixes.  More extensible
> EDNS support.  Views and local-zone tags provide for more feature-rich
> filtering options, with CNAME support.  SSL configuration features to
> turn on DNS over TLS for particular parts of the namespace.
>
>
> Features
> - Added generic EDNS code for registering known EDNS option codes,
> bypassing the cache response stage and uniquifying mesh states. Four
> EDNS option lists were added to module_qstate
> (module_qstate.edns_opts_*) to store EDNS options from/to front/back side.
> - Added two flags to module_qstate (no_cache_lookup, no_cache_store)
> that control the modules' cache interactions.
> - Added code for registering inplace callback functions. The registered
> functions can be called just before replying with local data or Chaos,
> replying from cache, replying with SERVFAIL, replying with a resolved
> query, sending a query to a nameserver. The functions can inspect the
> available data and maybe change response/query related data (i.e. append
> EDNS options).
> - Updated Python module for the above.
> - Updated Python documentation.
> - Added views functionality.
> - Added qname-minimisation-strict config option.
> - Patch that resolves CNAMEs entered in local-data conf statements that
> point to data on the internet, from Jinmei Tatuya (Infoblox).
> - serve-expired config option: serve expired responses with TTL 0.
> - .gitattributes line for GitHub's code language display.
> - log-identity: config option to set sys log identity, patch from "Robin
> H. Johnson" (robbat2 at gentoo.org).
> - Added stub-ssl-upstream and forward-ssl-upstream options.
> - Added local-zones and local-data bulk addition and removal
> functionality in unbound-control (local_zones, local_zones_remove,
> local_datas and local_datas_remove).
> - g.root-servers.net has AAAA address.
>
> Bug Fixes
> - Fix #836: unbound could echo back EDNS options in an error response.
> - Fix #838: 1.5.10 cannot be built on Solaris, undefined PATH_MAX.
> - Fix #839: Memory grows unexpectedly with large RPZ files.
> - Fix #840: infinite loop in unbound_munin_ plugin on unowned lockfile.
> - Fix #841: big local-zones make it consume large amounts of memory.
> - Fix dnstap relaying "random" messages instead of resolver/forwarder
> responses, from Nikolay Edigaryev.
> - Fix Nits for 1.5.10 reported by Dag-Erling Smorgrav.
> - Fix #1117: spelling errors, from Robert Edmonds.
> - iana portlist update.
> - Fix memory leak of logfile when in debug mode.
> - Re-fix #839 from view commit overwrite.
> - Fixup const void cast warning.
> - Removed patch comments from acllist.c and msgencode.c.
> - Added documentation doc/CNAME-basedRedirectionDesignNotes.pdf, from
> Jinmei Tatuya (Infoblox).
> - Fix #1125: unbound could reuse an answer packet incorrectly for
> clients with different EDNS parameters, from Jinmei Tatuya.
> - Fix #1118: libunbound.pc sets strange Libs, Libs.private values.
> - Added Requires line to libunbound.pc.
> - Fix #1130: whitespace in example.conf.in more consistent.
> - suppress compile warning in lex files.
> - init lzt variable, for older gcc compiler warnings.
> - fix --enable-dsa to work, instead of copying ecdsa enable.
> - Fix DNSSEC validation of query type ANY with DNAME answers.
> - Fixup query_info local_alias init.
> - Ported tests for local_cname unit test to testbound framework.
> - Fix #1134: unbound-control set_option -- val-override-date: -1 works
> immediately to ignore datetime, or back to 0 to enable it again. The --
> is to ignore the '-1' as an option flag.
> - Patch for server.num.zero_ttl stats for count of expired replies, from
> Pavel Odintsov.
> - Fix failure to build on arm64 with no sbrk.
> - Set OpenSSL security level to 0 when using aNULL ciphers.
> - configure detects the SSL security level API function in the autoconf
> manner. Every function on its own, so that other libraries (e.g.
> LibreSSL) can develop their API without hindrance.
> - Fix #1154: segfault when reading config with duplicate zones.
> - Note that for harden-below-nxdomain the nxdomain must be secure, this
> means nsec3 with optout is insufficient.
> - Fix #1155: test status code of unbound-control in 04-checkconf, not
> the status code from the tee command.
> - Fix #1158: reference RFC 8020 "NXDOMAIN: There Really Is Nothing
> Underneath" for the harden-below-nxdomain option.
> - patch from Dag-Erling Smorgrav that removes code that relies on sbrk().
> - Make access-control-tag-data RDATA absolute. This makes the RDATA
> origin consistent between local-data and access-control-tag-data.
> - Fix NSEC ENT wildcard check. Matching wildcard does not have to be a
> subdomain of the NSEC owner.
> - QNAME minimisation uses QTYPE=A, therefore always check cache for this
> type in harden-below-nxdomain functionality.
> - Added unit test for QNAME minimisation + harden below nxdomain synergy.
> - Fix that with openssl 1.1 control-use-cert: no uses less cpu, by using
> no encryption over the unix socket.
> - Hyphen-as-minus fix, by Andreas Schulze.
> - Fix #1170: document that 'inform' local-zone uses local-data.
> - Fix #1173: differ local-zone type deny from unset tag_actions element.
> - Add DSA support for OpenSSL 1.1.0.
> - Fix remote control without cert for LibreSSL.
> - Fix downcast warnings from Visual Studio in sldns code.
>
> Best regards, Wouter
>
>
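As an added illustration (not configuration from either message), here is an unbound.conf fragment showing how the 1.6.0 views, local-data CNAME and forward-ssl-upstream options listed in the announcement fit together: two client ranges get different answers for the same internal name from one server instance. The client ranges, zone names and forwarder address are constructed placeholders; the directive names are those from the 1.6.0 release notes and the unbound.conf(5) views section.

```yaml
server:
    # Constructed example: client ranges are placeholders.
    access-control: 10.10.0.0/16 allow
    access-control: 10.20.0.0/16 allow
    # Map each source range to a named view (1.6.0 views feature).
    access-control-view: 10.10.0.0/16 group1
    access-control-view: 10.20.0.0/16 group2

    # serve-expired (new in 1.6.0): answer from stale cache entries with
    # TTL 0 rather than failing while the record is refreshed.
    serve-expired: yes

# A view's own local-zone/local-data is consulted before the shared
# cache, so each group gets its own A record for app.intranet.example
# even though both groups share one cache.
view:
    name: "group1"
    local-zone: "intranet.example." static
    local-data: "app.intranet.example. A 10.10.5.10"
    # Local CNAME whose target is resolved on the internet (the
    # Jinmei Tatuya patch in these release notes).
    local-data: "docs.intranet.example. CNAME docs.example.net."

view:
    name: "group2"
    local-zone: "intranet.example." static
    local-data: "app.intranet.example. A 10.20.5.10"
    # view-first: if the view has no data for a name, fall through to the
    # server-level local-zone/local-data before normal resolution.
    view-first: yes

# forward-ssl-upstream (new in 1.6.0): forward everything else over TLS
# to a placeholder resolver on port 853.
forward-zone:
    name: "."
    forward-addr: 192.0.2.53@853
    forward-ssl-upstream: yes
```

`unbound-checkconf` validates the fragment before a reload, and `unbound-control view_local_data` (added with the views feature) can change a view's entries at runtime.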