Unbound 1.8.2 released

Wouter Wijngaards wouter at nlnetlabs.nl
Tue Dec 4 17:03:48 CET 2018


Hi Yuri,

Good to hear it works well for you.  Fixed the windows 32bit version
files not sitting in the right place, so the link did not show up; but
the 32 (and also the 64bit) versions are now available from the download
links on the download web page.

Best regards, Wouter

On 12/4/18 4:40 PM, Yuri via Unbound-users wrote:
> Runs ok. Thank you!
> 
> PS. BTW, No more win32 version? :-)
> 
> 04.12.2018 15:28, Wouter Wijngaards via Unbound-users пишет:
>> Hi,
>>
>> Unbound 1.8.2 is available:
>> https://nlnetlabs.nl/downloads/unbound/unbound-1.8.2.tar.gz
>> sha256 19f2235a8936d89e7dc919bbfcef355de759f220e36bb5e1e931ac000ed04993
>> pgp https://nlnetlabs.nl/downloads/unbound/unbound-1.8.2.tar.gz.asc
>>
>>
>> The option so-reuseport is by default disabled on FreeBSD, but it has
>> support to work on FreeBSD 12 with the REUSEPORT_LB variant, if enabled
>> in unbound.conf.
>>
>> The python code in unbound supports python 3.6, but also python 2.7
>> works. The python module prints the python exceptions to the log, so
>> that compatibility problems are more easy to troubleshoot.
>>
>> Fast server selection options are added that select from the fastest
>> servers in the available set, with fast-server-num and
>> fast-server-permil this can be turned on.  When enabled the fastest
>> servers are selected, instead of a random server.  Randomness is good
>> for poisoning prevention, but fast selection can result in faster
>> roundtrips.
>>
>> The nameserver records in large returned negative responses are scrubbed
>> out of the packet to avoid fragmentation based DNS cache poisoning,
>> from a report from T.Suzuki.
>>
>> The automated test set now has static code analysis of the source code,
>> this is performed with the clang analyzer.
>>
>> There is a new option to deny ANY packets, with deny-any: yes in
>> unbound.conf.  The option unknown-server-time-limit can be used for
>> cases behind a slow uplink to avoid multiple timeouts on every query to
>> attain the necessary long timeout length for that uplink.
>>
>>
>> Features
>> - Add fast-server-permil and fast-server-num options.
>> - Deprecate low-rtt and low-rtt-permil options.
>> - Change fast-server-num default to 3.
>> - Fix #4154: make ECS_MAX_TREESIZE configurable, with
>>   the max-ecs-tree-size-ipv4 and max-ecs-tree-size-ipv6 options.
>> - Fix #4190: Please create a "ANY" deny option, adds the option
>>   deny-any: yes in unbound.conf.  This responds with an empty message
>>   to queries of type ANY.
>> - Fix #4126: RTT_band too low on VSAT links with 600+ms latency,
>>   adds the option unknown-server-time-limit to unbound.conf that
>>   can be increased to avoid the problem.
>> - Add min-client-subnet-ipv6 and min-client-subnet-ipv4 options.
>> - Support SO_REUSEPORT_LB in FreeBSD 12 with the so-reuseport: yes
>>   option in unbound.conf.
>> - Add unbound-control view_local_datas command, like local_datas.
>>
>> Bug Fixes
>> - dnscrypt.c removed sizeof to get array bounds.
>> - Fix testlock code to set noreturn on error routine.
>> - Remove unused variable from contrib fastrpz/rpz.c and
>>   remove unused diagnostic pragmas that themselves generate warnings
>> - clang analyze test is used only when assertions are enabled.
>> - Squelch EADDRNOTAVAIL errors when the interface goes away,
>>   this omits 'can't assign requested address' errors unless
>>   verbosity is set to a high value.
>> - Set default for so-reuseport to no for FreeBSD.  It is enabled
>>   by default for Linux and DragonFlyBSD.  The setting can
>>   be configured in unbound.conf to override the default.
>> - iana port update.
>> - Squelch log of failed to tcp initiate after TCP Fastopen failure.
>> - Fix #4192: unbound-control-setup generates keys not readable by
>>   group.
>> - check that the dnstap socket file can be opened and exists, print
>>   error if not.
>> - Add markdel function to ECS slabhash.
>> - Limit ECS scope returned to client to the scope used for caching.
>> - Fix #4191: NXDOMAIN vs SERVFAIL during dns64 PTR query.
>> - Fix #4141: More randomness to rrset-roundrobin.
>> - Fix #4132: Openness/closeness of RANGE intervals in rpl files.
>> - remade makefile dependencies.
>> - Fix #4152: Logs shows wrong time when using log-time-ascii: yes.
>> - Scrub NS records from NXDOMAIN responses to stop fragmentation
>>   poisoning of the cache.
>> - Scrub NS records from NODATA responses as well.
>> - Add patch from Jan Vcelak for pythonmod,
>>   add sockaddr_storage getters, add support for query callbacks,
>>   allow raw address access via comm_reply and update API documentation.
>> - Removed compile warnings in pythonmod sockaddr routines.
>> - With ./configure --with-pyunbound --with-pythonmodule
>>   PYTHON_VERSION=3.6 or with 2.7 unbound can compile and unit tests
>>   succeed for the python module.
>> - pythonmod logs the python error and traceback on failure.
>> - ignore debug python module for test in doxygen output.
>> - review fixes for python module.
>> - Fix #4209: Crash in libunbound when called from getdns.
>> - auth zone zonefiles can be in a chroot, the chroot directory
>>   components are removed before use.
>> - Fix that empty zonefile means the zonefile is not set and not used.
>> - Fix to not set GLOB_NOSORT so the unbound.conf include: files are
>>   sorted and in a predictable order.
>> - Fix #4193: Fix that prefetch failure does not overwrite valid cache
>>   entry with SERVFAIL.
>> - Fix DNS64 to not store intermediate results in cache, this avoids
>>   other threads from picking up the wrong data.  The module restores
>>   the previous no_cache_store setting when the the module is finished.
>> - Fix #4208: 'stub-no-cache' and 'forward-no-cache' not work.
>> - New and better fix for Fix #4193: Fix that prefetch failure does
>>   not overwrite valid cache entry with SERVFAIL.
>> - auth-zone give SERVFAIL when expired, fallback activates when
>>   expired, and this is documented in the man page.
>> - stat count SERVFAIL downstream auth-zone queries for expired zones.
>> - Put new logos into windows installer.
>> - Fix windows compile for new rrset roundrobin fix.
>> - Update contrib fastrpz patch for latest release.
>> - Fix chroot auth-zone fix to remove chroot prefix.
>> - windows icon updated.
>>
>> Best regards, Wouter
>>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://nlnetlabs.nl/pipermail/unbound-users/attachments/20181204/b6b22869/attachment-0001.sig>


More information about the Unbound-users mailing list