Maintained by: NLnet Labs

[Unbound-users] Release of unbound 1.3.0

W.C.A. Wijngaards
Thu Jun 11 13:02:57 CEST 2009

Hash: SHA1


Unbound 1.3.0 is released.
SHA1 67fe06f087083fd24b0175b68e624efc375a3e0f
SHA256 ebaed25422a32a7f13386982485d9d01b65cf3aefbebdcf4add6a4d7c71a4610

For port maintainers - this version has changes compared to rc1.

Windows is supported in this version.  There is a friendly installer
that gives the daemon with all the same configuration options.  Or you
can compile yourself with mingw/msys.

Python support was contributed by Zdenek Vasicek and Marek Vavrusa.

Previous releases accidentally enabled experimental rsasha256
algorithms, fixed here, more details are documented below.

And smaller features as well as bug fixes for your upgrading pleasure.

    * Major features are Windows port, and Python contribution. Previous
releases accidentally enabled experimental rsasha256 algorithms, fixed,
see below. There are minor features and bug fixes too.
    * initgroups(3) is called to drop secondary group permissions, if
this OS functionality is available.
    * daemon(3) posix call is used when available
    * configure option --with-ldns-builtin forces the use of the inluded
ldns package with the unbound source. The -I include is put before the
others, so it avoids bad include files from an older ldns install.
    * --enable-sha2 option for rsasha256 and rsasha512 support
(experimental because it is still in working group draft stage). Default
is off. Previous releases accidentally enabled this feature when lib
openssl supported SHA256. It then used algorithms 8, 9 for RSASHA256 and
10, 11 for RSASHA512 (using four numbers as was according to the draft
spec at that time). The earlier versions support NSEC and NSEC3 for all
these algorithm numbers. People with these earlier versions may also
have earlier openssl versions (0.9.7), and therefore the experimental
feature is disabled. As long as these signing algorithm code points are
not allocated, there is no problem. You are advised to upgrade to the
current version to avoid surprises.
    * new option log-time-ascii: yes if you enable it prints timestamps
in the log file as Feb 06 13:45:26 (like syslog does).
    * verbosity level 5 logs customer IP for new requestlist entries.
    * contrib contains specfile for fedora 1.2.1 (from Paul Wouters).
    * call setusercontext() if available (on BSD)
    * Added stats_noreset feature for unbound-control.
    * Added flush_requestlist feature for unbound-control.
    * unbound-control status shows if root forwarding is in use.
    * Added forward command for unbound control to change forwarders to
use on the fly.
    * unbound-checkconf and unbound server print warnings when trust
anchors have unsupported algorithms.
    * Added contrib/ This script is similar to, and updates from the IANA ITAR repository. You can
provide your own PGP key and trust repo, or can use the builtin. The
program uses wget and gpg to work.
    * Support spaces and backslashes in configure default paths
    * register and deregister util programs for unbound.exe into the
windows service control manager. Works on XP and with Vista UAC.
    * unbound can work as a service on windows, for the registry
settings and default program location and so on, see the windows manual.
    * installer for unbound on windows. uninstalls too. Menu entries
optional. Can install DLV anchor with updater application
(anchor-update.exe, works a bit like to enable DNSSEC
easily. Uses the NSIS open source installer system.
    * Added contrib/unbound_cacti for statistics support in cacti,
contributed by Dmitriy Demidov.
    * domain-insecure: "" statement added. Sets domain
insecure regardless of chain of trust DSs or DLVs. The inverse of a
    * use _beginthreadex() when available (performs stack alignment on
    * added launchd plist example file for MacOSX to contrib.
    * reworked configure scripts to be neater.
    * python contribution from Zdenek Vasicek and Marek Vavrusa. This
contains support to use libunbound from python code. And support to
create unbound modules written in python that perform custom processing
of queries. The code is disabled by default and needs to be enabled by
passing options to configure. Installs the following files:
/usr/lib/python2.x/site-packages/ and*. The script examples are not installed. Sphinx docs can be
built with make doc (if sphinx-build is available).
    * new libunbound calls to manage local data more easily
    * read /dev/random before chroot
    * suppress errors when trying to contact authority servers that gave
ipv6 AAAA records for their nameservers with ipv4 mapped contents. Still
tries to do so, higher verbosity shows the error.
    * clock skew checks in unbound, config statements.
    * Added cache-min-ttl option.
    * [bugzilla: 226 ]
      Added dump_requestlist feature for unbound-control.
    * [bugzilla: 227 ]
      Added flush_stats feature for unbound-control.
    * [bugzilla: 231 ]
      Added unbound-checkconf -o option, that prints that value from
config file. Useful for scripting in management scripts and the like.

Bug Fixes

    * fix for threadsafety in solaris thr_key_create() in tests.
    * fixes for porting the python code to BSD and Darwin
    * fix for openssl-1.0.0beta, use of STRING #define, libdl linking.
    * Fix reentrant in minievent handler for unix. Could have resulted
in spurious event callbacks.
    * [bugzilla: 245 ]
      fix munin plugin, perform cleanup of stale lockfiles.
    * Fix for removal of RSASHA256_NSEC3 protonumber from ldns. Also new
rsasha512 (interim) algorithm number.
    * Detect FreeBSD jail without ipv6 addresses assigned.
    * Fixed a bug that caused messages to be stored in the cache too
long. Hard to trigger, but NXDOMAINs for nameservers or CNAME targets
have been more vulnerable to the TTL miscalculation bug.
    * fixed bug in unbound-control flush_zone where it would not flush
every message in the target domain. This especially impacted NXDOMAIN
messages which could remain in the cache regardless.
    * Fixup so no non-absolute rpaths are added.
    * Fixup validation of RRSIG queries, they are let through.
    * fix util/configlexer.c and solaris -std=c99 flag.
    * deprecation test for daemon(3) (on MacOSX).
    * [bugzilla: 239 ]
      module-config entries order is important. Documented.
    * Fix for and test for unknown algorithms in a trust anchor
definition. Trust anchors with no supported algos are ignored. This
means a (higher)DS or DLV entry for them could succeed, and otherwise
they are treated as insecure.
    * Added tests, unknown algorithms become insecure. fallback works.
    * fixed so queries do not fail on opportunistic target queries.
    * munin plugin fix benign locking error printout.
    * fixup --export-symbols to be -export-symbls for libtool. This
should fix extraneous symbols exported from libunbound. Thanks to Ondrej
Sury and Robert Edmonds for finding it.
    * document FAQ entry on stub/forward zones and default blocking.
    * Remove fwrite warning on Ubuntu
    * Added more cycle detection. Also for target queries.
    * Fixup bug where during deletion of the mesh queries the callbacks
that were reentrant caused assertion failures. Keep the mesh in a
reentrant safe state. Affected libunbound, reload of server, on quit and
    * documented that unbound-host reads no config file by default.
    * slightly nicer memory management in iter-fwd code.
    * small refactor of stats clearing.
    * fixup EOL in include directive (reported by Paul Wouters).
    * config parser changed. Gives some syntax errors closer to where
they occurred. Does not enforce a space after keyword anymore. Does not
allow literal newlines inside quoted strings anymore.
    * detect event_base_new() in libevent-1.4.1 and later and use it.
    * MacOSX Leopard cleaner text output from configure.
    * change in libunbound API: ub_cancel can return an error, that the
async_id did not exist, or that it was already delivered. The result
could have been delivered just before the cancel routine managed to
acquire the lock, so a caller may get the result at the same time they
call cancel. For this case, ub_cancel tries to return an error code.
Fixes race condition in use of ub_cancel() libunbound function.
    * Fixup assertion failure (thanks to Brett Carr).
    * Fix detection of no ipv6 on XP (with different error code).
    * Fixup a crash-on-exit which was triggered by a very long queue.
    * Fixed bug that could cause a crash if root prime failed when there
were message backlogs.
    * fixup documentation-bug in README reported by Matthew Dempsky.
    * Fixup bad free() when wrongly encoded DSA signature is seen.
Reported by Paul Wouters.
    * updated ldns tarball to latest
    * updated iana portlist

Best regards,

Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora -