Maintained by: NLnet Labs

Unbound 1.7.0rc2 pre-release

W.C.A. Wijngaards
Thu Mar 8 14:59:03 CET 2018


Unbound 1.7.0rc2 maintainers prerelease is available:
sha256 ed5e4529af6b1e70abaa8999935ec667db2a8b47ae479563b5f3b25b7a034eed

It was updated from rc1 because the patch for fastrpz did not work for
some, there is a new patch in rc2.

- Fixed contrib/fastrpz.patch, even though this already applied
  cleanly for me, now also for others.
- patch to log creates keytag queries, from A. Schulze.
- patch suggested by Debian lintian: allow to -> allow one to, from
  A. Schulze.
- Attempt to remove warning about trailing whitespace.

Best regards, Wouter

On 06/03/18 11:02, W.C.A. Wijngaards wrote:
> Hi,
> Unbound 1.7.0rc1 maintainers prerelease is available:
> sha256 eb9e57e44f7bb6e68879c8672c9a9b15273cece250d1ed85964b9620e736521a
> pgp
> This release adds authority zones, for a local copy of the root zone,
> and also aggressive NSEC processing, for denial of nxdomain floods.
> Features
> - auth-zone provides a way to configure RFC7706 from unbound.conf,
>   eg. with auth-zone: name: "." for-downstream: no for-upstream: yes
>   fallback-enabled: yes and masters or a zonefile with data.
> - Aggressive use of NSEC implementation. Use cached NSEC records to
>   generate NXDOMAIN, NODATA and positive wildcard answers.
> - Accept tls-upstream in unbound.conf, the ssl-upstream keyword is
>   also recognized and means the same.  Also for tls-port,
>   tls-service-key, tls-service-pem, stub-tls-upstream and
>   forward-tls-upstream.
> - [dnscrypt] introduce dnscrypt-provider-cert-rotated option,
>   from Manu Bretelle.
>   This option allows handling multiple cert/key pairs while only
>   distributing some of them.
>   In order to reliably match a client magic with a given key without
>   strong assumption as to how those were generated, we need both key and
>   cert. Likewise, in order to know which ES version should be used.
>   On the other hand, when rotating a cert, it can be desirable to only
>   serve the new cert but still be able to handle clients that are still
>   using the old certs's public key.
>   The `dnscrypt-provider-cert-rotated` allow to instruct unbound to not
>   publish the cert as part of the DNS's provider_name's TXT answer.
> - Update B root ipv4 address.
> - make ip-transparent option work on OpenBSD.
> - Fix #2801: Install libunbound.pc.
> - ltrace.conf file for libunbound in contrib.
> Bug Fixes
> - Fix #1749: With harden-referral-path: performance drops, due to
>   circular dependency in NS and DS lookups.
> - [dnscrypt] prevent dnscrypt-secret-key, dnscrypt-provider-cert
>   duplicates
> - Better documentation for cache-max-negative-ttl.
> - Fixed libunbound manual typo.
> - Fix #1949: [dnscrypt] make provider name mismatch more obvious.
> - Fix #2031: Double included headers
> - Document that errno is left informative on libunbound config read
>   fail.
> - iana port update.
> - Fix #1913: ub_ctx_config is under circumstances thread-safe.
> - Fix #2362: TLS1.3/openssl-1.1.1 not working.
> - Fix #2034 - Autoconf and -flto.
> - Fix #2141 - for libsodium detect lack of entropy in chroot, print
>   a message and exit.
> - Fix #2492: Documentation libunbound.
> - Fix #2882: Unbound behaviour changes (wrong) when domain-insecure is
>   set for stub zone.  It no longer searches for DNSSEC information.
> - Fix #3299 - forward CNAME daisy chain is not working
> - Fix link failure on OmniOS.
> - Check whether --with-libunbound-only is set when using --with-nettle
>   or --with-nss.
> - Fix qname-minimisation documentation (A QTYPE, not NS)
> - Fix that DS queries with referral replies are answered straight
>   away, without a repeat query picking the DS from cache.
>   The correct reply should have been an answer, the reply is fixed
>   by the scrubber to have the answer in the answer section.
> - Fix that expiration date checks don't fail with clang -O2.
> - Fix queries being leaked above stub when refetching glue.
> - Copy query and correctly set flags on REFUSED answers when cache
>   snooping is not allowed.
> - make depend: code dependencies updated in Makefile.
> - Fix #3397: Fix that cachedb could return a partial CNAME chain.
> - Fix #3397: Fix that when the cache contains an unsigned DNAME in
>   the middle of a cname chain, a result without the DNAME could
>   be returned.
> - Fix that unbound-checkconf -f flag works with auto-trust-anchor-file
>   for startup scripts to get the full pathname(s) of anchor file(s).
> - Print fatal errors about remote control setup before log init,
>   so that it is printed to console.
> - Use NSEC with longest ce to prove wildcard absence.
> - Only use *.ce to prove wildcard absence, no longer names.
> - Fix unfreed locks in log and arc4random at exit of unbound.
> - Fix lock race condition in dns cache dname synthesis.
> - Fix #3451: dnstap not building when you have a separate build dir.
>   And removed protoc warning, set dnstap.proto syntax to proto2.
> - Added tests with wildcard expanded NSEC records (CVE-2017-15105 test)
> - Unit test for auth zone https url download.
> - tls-cert-bundle option in unbound.conf enables TLS authentication.
> - Fixes for clang static analyzer, the missing ; in
>   edns-subnet/addrtree.c after the assert made clang analyzer
>   produce a failure to analyze it.
> - Fix #3505: Documentation for default local zones references
>   wrong RFC.
> - Fix #3494: local-zone noview can be used to break out of the view
>   to the global local zone contents, for queries for that zone.
> - Fix for more maintainable code in localzone.
> - more robust cachedump rrset routine.
> - Save wildcard RRset from answer with original owner for use in
>   aggressive NSEC.
> - Fixup contrib/fastrpz.patch so that it applies.
> - Fix compile without threads, and remove unused variable.
> - Fix compile with staticexe and python module.
> - Fix nettle compile.
> - Fix to check define of DSA for when openssl is without deprecated.
> - iana port update.
> - Fix #3582: Squelch address already in use log when reuseaddr option
>   causes same port to be used twice for tcp connections.
> - Reverted fix for #3512, this may not be the best way forward;
>   although it could be changed at a later time, to stay similar to
>   other implementations.
> - Fix for windows compile.
> Best regards, Wouter
> _______________________________________________
> maintainers mailing list
> maintainers at

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <>