Maintained by: NLnet Labs

[Unbound-users] unbound 1.4.14 release

W.C.A. Wijngaards
Mon Dec 19 12:27:13 CET 2011

Hash: SHA1


Unbound 1.4.14 is release, get it here:
sha1 1435029abe63d0106213acb9f173b885183cf1d7
sha256 c15b85145e3175f3d933837071b4ffaae8da4a394139ac0e7f3dfee11712e7d3

It contains a patch for VU#209659 CVE-2011-4528: Unbound denial of
service vulnerabilities from nonstandard redirection and denial of

Therefore, 1.4.14 does not equal 1.4.14rc1, it has code changes (this
patch and some other fixes found during the review process).

Major changes are a new BSD-compatible makefile (with BSD-make).
SSL-wrapped query support (for dnssec-trigger, passing firewalls, it
does *not* check the actual SSL certificate at this time).

It stores timeouts per-zonename, for compatibility with servers that
drop out-of-served-zone queries.  It attempts EDNS1480 (or 12xx on
ip6) probes in case EDNS0 fails to workaround fragmentation issues
more easily.

- -   Makefile changed for BSD make compatibility.
- -   dns over ssl support as a client, ssl-upstream yes turns it on. It
performs an SSL transaction for every DNS query.
- -   dns over ssl support as a server, ssl-service-pem and
ssl-service-key files can be given and then TCP queries are serviced
wrapped in SSL.
- -   lame-ttl and lame-size options no longer exist, it is integrated
with the host info. They are ignored (with verbose warning) if
encountered to keep the config file backwards compatible.
- -   TCP-upstream calculates tcp-ping so server selection works if
there are alternatives.
- -   Unbound probes at EDNS1480 if there an EDNS0 timeout.

Bug Fixes
- -   Fix for VU#209659 CVE-2011-4528: Unbound denial of service
vulnerabilities from nonstandard redirection and denial of existence
- -   Fix for tcp-upstream and ssl-upstream for if a laptop sleeps,
causes SERVFAILs. Also fixed for UDP (but less likely).
- -   Fix quartile time estimate, it was too low, (thanks Jan Komissar).
- -   Fix double free in unbound-host, reported by Steve Grubb.
- -   fix -flto detection on Lion for llvm-gcc.
- -   [bugzilla: 416 ] Infra cache stores information about ping and
lameness per IP, zone.
- -   [bugzilla: 415 ] Fix resolve of
with a fix for the server selection for choosing out of a (particular)
list of bad choices.
- -   Fix make_new_space function so that the incoming query is not
overwritten if a jostled out query causes a waiting query to be
resumed that then fails and sends an error message. (Thanks to Matthew
- -   fix unbound-anchor for broken strptime on OSX lion, detected in
- -   Detect if GOST really works, openssl1.0 on OSX fails.
- -   Implement ipv6%interface notation for scope_id usage.
- -   better documentation for inform_super (Thanks Yang Zhe).
- -   Fix for out-of-memory condition in libunbound (thanks Robert
- -   Fix --enable-allsymbols, it depended on link specifics of the
target platform, or fptr_wlist assertion failures could occur. The
feature is disabled on windows.
- -   updated contrib/unbound_munin_ to family=auto so that it works
with munin-node-configure automatically (if installed as
/usr/local/share/munin/plugins/unbound_munin_ ).
- -   unbound.exe -w windows option for start and stop service.
- -   Fix classification of NS set in answer section, where there is a
parent-child server, and the answer has the AA flag for
Thanks to Amanda Constant from Secure64.
- -   [bugzilla: 408 ] accept patch from Steve Snyder that comments out
unused functions in lookup3.c.
- -   fix various compiler warnings (reported by Paul Wouters).
- -   max sent count. EDNS1480 only for rtt < 5000. No promiscuous fetch
if sentcount > 3, stop query if sentcount > 16. Count is reset when
referral or CNAME happens. This makes unbound better at managing large
NS sets, they are explored when there is continued interest (in the
form of queries).
- -   remove uninit warning from cachedump code.
- -   Fix parse error on negative SOA RRSIGs if badly ordered in the packet.
- -   fix infra cache comparison.
- -   Fix to constrain signer_name to be a parent of the lookupname.
- -   robust checks for next-closer NSEC3s.
- -   iana portlist updated.

Best regards,
Version: GnuPG v2.0.15 (GNU/Linux)
Comment: Using GnuPG with SUSE -