Unbound 1.8.2 released

Wouter Wijngaards wouter at nlnetlabs.nl
Tue Dec 4 10:28:08 CET 2018


Unbound 1.8.2 is available:
sha256 19f2235a8936d89e7dc919bbfcef355de759f220e36bb5e1e931ac000ed04993
pgp https://nlnetlabs.nl/downloads/unbound/unbound-1.8.2.tar.gz.asc

The option so-reuseport is by default disabled on FreeBSD, but it has
support to work on FreeBSD 12 with the REUSEPORT_LB variant, if enabled
in unbound.conf.

The python code in unbound supports python 3.6, but also python 2.7
works. The python module prints the python exceptions to the log, so
that compatibility problems are more easy to troubleshoot.

Fast server selection options are added that select from the fastest
servers in the available set, with fast-server-num and
fast-server-permil this can be turned on.  When enabled the fastest
servers are selected, instead of a random server.  Randomness is good
for poisoning prevention, but fast selection can result in faster

The nameserver records in large returned negative responses are scrubbed
out of the packet to avoid fragmentation based DNS cache poisoning,
from a report from T.Suzuki.

The automated test set now has static code analysis of the source code,
this is performed with the clang analyzer.

There is a new option to deny ANY packets, with deny-any: yes in
unbound.conf.  The option unknown-server-time-limit can be used for
cases behind a slow uplink to avoid multiple timeouts on every query to
attain the necessary long timeout length for that uplink.

- Add fast-server-permil and fast-server-num options.
- Deprecate low-rtt and low-rtt-permil options.
- Change fast-server-num default to 3.
- Fix #4154: make ECS_MAX_TREESIZE configurable, with
  the max-ecs-tree-size-ipv4 and max-ecs-tree-size-ipv6 options.
- Fix #4190: Please create a "ANY" deny option, adds the option
  deny-any: yes in unbound.conf.  This responds with an empty message
  to queries of type ANY.
- Fix #4126: RTT_band too low on VSAT links with 600+ms latency,
  adds the option unknown-server-time-limit to unbound.conf that
  can be increased to avoid the problem.
- Add min-client-subnet-ipv6 and min-client-subnet-ipv4 options.
- Support SO_REUSEPORT_LB in FreeBSD 12 with the so-reuseport: yes
  option in unbound.conf.
- Add unbound-control view_local_datas command, like local_datas.

Bug Fixes
- dnscrypt.c removed sizeof to get array bounds.
- Fix testlock code to set noreturn on error routine.
- Remove unused variable from contrib fastrpz/rpz.c and
  remove unused diagnostic pragmas that themselves generate warnings
- clang analyze test is used only when assertions are enabled.
- Squelch EADDRNOTAVAIL errors when the interface goes away,
  this omits 'can't assign requested address' errors unless
  verbosity is set to a high value.
- Set default for so-reuseport to no for FreeBSD.  It is enabled
  by default for Linux and DragonFlyBSD.  The setting can
  be configured in unbound.conf to override the default.
- iana port update.
- Squelch log of failed to tcp initiate after TCP Fastopen failure.
- Fix #4192: unbound-control-setup generates keys not readable by
- check that the dnstap socket file can be opened and exists, print
  error if not.
- Add markdel function to ECS slabhash.
- Limit ECS scope returned to client to the scope used for caching.
- Fix #4191: NXDOMAIN vs SERVFAIL during dns64 PTR query.
- Fix #4141: More randomness to rrset-roundrobin.
- Fix #4132: Openness/closeness of RANGE intervals in rpl files.
- remade makefile dependencies.
- Fix #4152: Logs shows wrong time when using log-time-ascii: yes.
- Scrub NS records from NXDOMAIN responses to stop fragmentation
  poisoning of the cache.
- Scrub NS records from NODATA responses as well.
- Add patch from Jan Vcelak for pythonmod,
  add sockaddr_storage getters, add support for query callbacks,
  allow raw address access via comm_reply and update API documentation.
- Removed compile warnings in pythonmod sockaddr routines.
- With ./configure --with-pyunbound --with-pythonmodule
  PYTHON_VERSION=3.6 or with 2.7 unbound can compile and unit tests
  succeed for the python module.
- pythonmod logs the python error and traceback on failure.
- ignore debug python module for test in doxygen output.
- review fixes for python module.
- Fix #4209: Crash in libunbound when called from getdns.
- auth zone zonefiles can be in a chroot, the chroot directory
  components are removed before use.
- Fix that empty zonefile means the zonefile is not set and not used.
- Fix to not set GLOB_NOSORT so the unbound.conf include: files are
  sorted and in a predictable order.
- Fix #4193: Fix that prefetch failure does not overwrite valid cache
  entry with SERVFAIL.
- Fix DNS64 to not store intermediate results in cache, this avoids
  other threads from picking up the wrong data.  The module restores
  the previous no_cache_store setting when the the module is finished.
- Fix #4208: 'stub-no-cache' and 'forward-no-cache' not work.
- New and better fix for Fix #4193: Fix that prefetch failure does
  not overwrite valid cache entry with SERVFAIL.
- auth-zone give SERVFAIL when expired, fallback activates when
  expired, and this is documented in the man page.
- stat count SERVFAIL downstream auth-zone queries for expired zones.
- Put new logos into windows installer.
- Fix windows compile for new rrset roundrobin fix.
- Update contrib fastrpz patch for latest release.
- Fix chroot auth-zone fix to remove chroot prefix.
- windows icon updated.

Best regards, Wouter

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://nlnetlabs.nl/pipermail/unbound-users/attachments/20181204/2ce38192/attachment.sig>

More information about the Unbound-users mailing list