Maintained by: NLnet Labs

Unbound 1.6.0rc1 prerelease

Ralph Dolmans
Mon Dec 12 11:19:26 CET 2016


Hi Spike,

On 08-12-16 17:05, Spike via Unbound-users wrote:
> Fantastic improvement, thanks Wouter and everybody else that made this
> possible.
> 
> A couple of questions from an unbound noob regarding the new features; bear
> with me please:
> 
> -  "Added two flags to module_qstate", does this mean that a python
> plugin now could intercept a request before it's served by cache and
> override it? We need to override some domains differently for different
> parts of the org and right now I'm running two diff unbounds because my
> understanding was that if the answer was cached after group1 hit the
> domain for example, that would be served to group2 too because their
> python script would never be called since no resolution was necessary.
> Does this new feature change this?

A module (C or Python) can now dictate that the Unbound cache should be
bypassed when receiving queries containing the EDNS options registered by
the module. This makes the module responsible for doing the cache lookup.
If you disable cache lookup and don't implement the cache lookup in your
module, you won't use any cache at all!

In your case it would be better to use the local-zones and local-data with
tags, or views, to do the overrides based on client addresses.

> 
> - "Added views functionality." does this change the above completely in
> terms of serving different As to different parts of the org? How does
> this compare to, say, Bind's views? Or am I misunderstanding entirely what
> you mean with views here?

A view in Unbound is a named list of configuration options. The
currently supported view configuration options are local-zone and
local-data. Mapping a view to a client can be done using the
access-control-view element.

> 
> - "Patch that resolves CNAMEs entered in local-data" , this mentions
> "hosts on the internet", does that mean it's still not possible to have
> CNAMEs for local-data to local servers? I understand unbound is not an
> authoritative server and I like that design choice, but I do maintain a
> few pointers for internal infrastructure and would be nice to be able to
> do everything with unbound without running bind.

You would like Unbound to also give the local-data record for the domain
the local-data CNAME is pointing to? That is not yet possible, but an
interesting idea!

Regards,
-- Ralph

> 
> thanks again to everybody who worked on this, the rest of us really
> appreciate it.
> 
> Spike
> 
> On Thu, Dec 8, 2016 at 3:19 AM W.C.A. Wijngaards via Unbound-users
> <unbound-users at unbound.net> wrote:
> 
>     Hi,
> 
>     Unbound 1.6.0rc1 maintainers prerelease is available:
>     http://www.unbound.net/downloads/unbound-1.6.0rc1.tar.gz
>     sha256 7c94ea4fbeab7cdc7b56c862c90021a078c0d30a5643431aaaa8c676347086a5
>     pgp http://www.unbound.net/downloads/unbound-1.6.0rc1.tar.gz.asc
>     http://www.unbound.net/downloads/unbound-1.6.0rc1.zip
>     http://www.unbound.net/downloads/unbound_setup_1.6.0rc1.exe
> 
>     Unbound 1.6.0 has a number of features and bugfixes.  More extensible
>     EDNS support.  Views and local-zone tags provide for more feature rich
>     filtering options, with CNAME support.  SSL configuration features to
>     turn on dns over tls for particular parts of the namespace.
> 
> 
>     Features
>     - Added generic EDNS code for registering known EDNS option codes,
>     bypassing the cache response stage and uniquifying mesh states. Four
>     EDNS option lists were added to module_qstate
>     (module_qstate.edns_opts_*) to store EDNS options from/to front/back
>     side.
>     - Added two flags to module_qstate (no_cache_lookup, no_cache_store)
>     that control the modules' cache interactions.
>     - Added code for registering inplace callback functions. The registered
>     functions can be called just before replying with local data or Chaos,
>     replying from cache, replying with SERVFAIL, replying with a resolved
>     query, sending a query to a nameserver. The functions can inspect the
>     available data and maybe change response/query related data (i.e. append
>     EDNS options).
>     - Updated Python module for the above.
>     - Updated Python documentation.
>     - Added views functionality.
>     - Added qname-minimisation-strict config option.
>     - Patch that resolves CNAMEs entered in local-data conf statements that
>     point to data on the internet, from Jinmei Tatuya (Infoblox).
>     - serve-expired config option: serve expired responses with TTL 0.
>     - .gitattributes line for github's code language display.
>     - log-identity: config option to set sys log identity, patch from "Robin
>     H. Johnson" (robbat2 at gentoo.org).
>     - Added stub-ssl-upstream and forward-ssl-upstream options.
>     - Added local-zones and local-data bulk addition and removal
>     functionality in unbound-control (local_zones, local_zones_remove,
>     local_datas and local_datas_remove).
>     - g.root-servers.net has AAAA address.
> 
>     Bug Fixes
>     - Fix #836: unbound could echo back EDNS options in an error response.
>     - Fix #838: 1.5.10 cannot be built on Solaris, undefined PATH_MAX.
>     - Fix #839: Memory grows unexpectedly with large RPZ files.
>     - Fix #840: infinite loop in unbound_munin_ plugin on unowned lockfile.
>     - Fix #841: big local-zones make it consume large amounts of memory.
>     - Fix dnstap relaying "random" messages instead of resolver/forwarder
>     responses, from Nikolay Edigaryev.
>     - Fix Nits for 1.5.10 reported by Dag-Erling Smorgrav.
>     - Fix #1117: spelling errors, from Robert Edmonds.
>     - iana portlist update.
>     - fix memory leak in logfile when in debug mode.
>     - Re-fix #839 from view commit overwrite.
>     - Fixup const void cast warning.
>     - Removed patch comments from acllist.c and msgencode.c
>     - Added documentation doc/CNAME-basedRedirectionDesignNotes.pdf, from
>     Jinmei Tatuya (Infoblox).
>     - Fix #1125: unbound could reuse an answer packet incorrectly for
>     clients with different EDNS parameters, from Jinmei Tatuya.
>     - Fix #1118: libunbound.pc sets strange Libs, Libs.private values.
>     - Added Requires line to libunbound.pc
>     - Fix #1130: whitespace in example.conf.in more consistent.
>     - suppress compile warning in lex files.
>     - init lzt variable, for older gcc compiler warnings.
>     - fix --enable-dsa to work, instead of copying ecdsa enable.
>     - Fix DNSSEC validation of query type ANY with DNAME answers.
>     - Fixup query_info local_alias init.
>     - Ported tests for local_cname unit test to testbound framework.
>     - Fix #1134: unbound-control set_option -- val-override-date: -1 works
>     immediately to ignore datetime, or back to 0 to enable it again. The --
>     is to ignore the '-1' as an option flag.
>     - Patch for server.num.zero_ttl stats for count of expired replies, from
>     Pavel Odintsov.
>     - Fix failure to build on arm64 with no sbrk.
>     - Set OpenSSL security level to 0 when using aNULL ciphers.
>     - configure detects ssl security level API function in the autoconf
>     manner. Every function on its own, so that other libraries (eg.
>     LibreSSL) can develop their API without hindrance.
>     - Fix #1154: segfault when reading config with duplicate zones.
>     - Note that for harden-below-nxdomain the nxdomain must be secure, this
>     means nsec3 with optout is insufficient.
>     - Fix #1155: test status code of unbound-control in 04-checkconf, not
>     the status code from the tee command.
>     - Fix #1158: reference RFC 8020 "NXDOMAIN: There Really Is Nothing
>     Underneath" for the harden-below-nxdomain option.
>     - patch from Dag-Erling Smorgrav that removes code that relies on
>     sbrk().
>     - Make access-control-tag-data RDATA absolute. This makes the RDATA
>     origin consistent between local-data and access-control-tag-data.
>     - Fix NSEC ENT wildcard check. Matching wildcard does not have to be a
>     subdomain of the NSEC owner.
>     - QNAME minimisation uses QTYPE=A, therefore always check cache for this
>     type in harden-below-nxdomain functionality.
>     - Added unit test for QNAME minimisation + harden below nxdomain
>     synergy.
>     - Fix that with openssl 1.1 control-use-cert: no uses less cpu, by using
>     no encryption over the unix socket.
>     - hyphen as minus fix, by Andreas Schulze
>     - Fix #1170: document that 'inform' local-zone uses local-data.
>     - Fix #1173: differ local-zone type deny from unset tag_actions element.
>     - Add DSA support for OpenSSL 1.1.0
>     - Fix remote control without cert for LibreSSL
>     - Fix downcast warnings from visual studio in sldns code.
> 
>     Best regards, Wouter
>
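As an added example that is not part of this thread, here is an unbound.conf fragment implementing the views approach Ralph recommends above for Spike's use case: two client groups, selected by source netblock with access-control-view, each get their own local-data for the same internal name, and because view-local data is answered before the shared cache is consulted, one group's answer is never served to the other. The netblocks, view names, zone and addresses are constructed placeholders, not values from the thread.

```conf
# Added example, not from the thread: per-group overrides with Unbound 1.6 views.
# Netblocks, view names, zone and addresses are constructed placeholders.
server:
    interface: 0.0.0.0
    # Only the two office netblocks may query; everything else is refused.
    access-control: 0.0.0.0/0 refuse
    access-control: 10.1.0.0/16 allow
    access-control: 10.2.0.0/16 allow
    # View selection is by source address only: a client in 10.1.0.0/16
    # gets the "group1" view, a client in 10.2.0.0/16 the "group2" view.
    # Clients that match no access-control-view get normal resolution.
    # Because the choice rests on the source IP, the network between the
    # two netblocks must enforce anti-spoofing for the separation to hold.
    access-control-view: 10.1.0.0/16 group1
    access-control-view: 10.2.0.0/16 group2

# local-zone/local-data inside a view are answered in the local-data stage,
# before the shared cache is consulted, so group1's A record for
# portal.intranet.example. is never cached and replayed to group2.
# Zone type "static": names under intranet.example. that have no
# local-data get NXDOMAIN instead of being resolved upstream.
view:
    name: "group1"
    local-zone: "intranet.example." static
    local-data: "portal.intranet.example. 3600 IN A 10.1.0.10"

view:
    name: "group2"
    local-zone: "intranet.example." static
    local-data: "portal.intranet.example. 3600 IN A 10.2.0.10"

# Validate before reloading:
#   unbound-checkconf /etc/unbound/unbound.conf
# Then verify from one host in each netblock (constructed expected values):
#   dig @<resolver-ip> portal.intranet.example A +short
# group1 hosts should see 10.1.0.10, group2 hosts 10.2.0.10.
```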