Unbound 1.8.0 released

Wouter Wijngaards wouter at nlnetlabs.nl
Mon Sep 10 15:12:55 CEST 2018


Hi,

Unbound 1.8.0 is available:
https://nlnetlabs.nl/downloads/unbound/unbound-1.8.0.tar.gz
sha256 78f79d6d3b643fdcd74a14fc76542250da886c82f82bc55b51e189663d61b83f
pgp https://nlnetlabs.nl/downloads/unbound/unbound-1.8.0.tar.gz.asc

Windows zip files and setup.exe are also available,
https://nlnetlabs.nl/downloads/unbound/unbound-1.8.0-w32.zip
https://nlnetlabs.nl/downloads/unbound/unbound-1.8.0.zip
https://nlnetlabs.nl/downloads/unbound/unbound_setup_1.8.0-w32.exe
https://nlnetlabs.nl/downloads/unbound/unbound_setup_1.8.0.exe

With pgp signatures
https://nlnetlabs.nl/downloads/unbound/unbound-1.8.0-w32.zip.asc
https://nlnetlabs.nl/downloads/unbound/unbound-1.8.0.zip.asc
https://nlnetlabs.nl/downloads/unbound/unbound_setup_1.8.0-w32.exe.asc
https://nlnetlabs.nl/downloads/unbound/unbound_setup_1.8.0.exe.asc


This release has a number of bug fixes, a list of features added and
some defaults changed.

The defaults that are changed enable options that have been introduced
in the past with an option that defaulted to off, but have proven to
work, improve speed and resilience and we would now recommend to enable
when configuring the server.  Still the option exists if you want to
manually specify the feature.

New features include options for unbound-control: auth_zone_reload,
auth_zone_transfer.  New counters in the statistics output:
num.queries.tls, num.query.subnet, num.query.subnet_cache.  New options
in unbound.conf: dns64-ignore-aaaa, tcp-idle-timeout,
edns-tcp-keepalive, edns-tcp-keepalive-timeout, tcp-connection-limit,
stub-no-cache, forward-no-cache, log-servfail, log-local-actions,
serve-expired-ttl, serve-expired-ttl-reset.  Commandline options -R (use
direct queries) for unbound-anchor, -d (delay) for streamtcp.  There is
support for RR type SMIMEA.  There is support for EDNS option EDNS
KeepAlive.

The libunbound library has gone up an api version increment because one
of the callback signatures has changed.  New information is available to
the callback, existing usage of the function could conceivable get an
upgrade by ignoring the extra function call parameter.  For python
scripts, a similar situation, where new information has been made
available to the callback functions, in the form of extra function call
parameters.  This information is also available to module callbacks
internally.  For python the extra arguments functionality is used to
extend the arguments.  The extra information is connection information,
exposing the client's IP address to the callback function and whether
the query failed because of rate limiting.

There are a number of bug fixes for Qname minimisation, and a number of
fixes for auth-zone functionality.  And there has been a fix in the
processing of dns64 negative cache entries and a fix about fallthrough
in the view local-zone processing functionality.


Features
- unbound-control auth_zone_reload _zone_ option rereads the zonefile.
- unbound-control auth_zone_transfer _zone_ option starts the probe
  sequence for a master to transfer the zone from and transfers when
  a new zone version is available.
- num.queries.tls counter for queries over TLS.
- log port number with err_addr logs.
- dns64-ignore-aaaa: config option to list domain names for which the
  existing AAAA is ignored and dns64 processing is used on the A
  record.
- Fix #4112: Fix that unbound-anchor -f /etc/resolv.conf will not pass
  if DNSSEC is not enabled.  New option -R allows fallback from
  resolv.conf to direct queries.
- Note RFC8162 support.  SMIMEA record type can be read in by the
  zone record parser.
- Patches from Jim Hague (Sinodun) for EDNS KeepAlive.
- Add config tcp-idle-timeout (default 30s). This applies to
  client connections only; the timeout on TCP connections upstream
  is unaffected.
- Add edns-tcp-keepalive and edns-tcp-keepalive timeout options
  and implement option in client responses.
- Add delay parameter to streamtcp, -d secs.
  To be used when testing idle timeout.
- Expose if a query (or a subquery) was ratelimited (not src IP
  ratelimiting) to libunbound under 'ub_result.was_ratelimited'.
  This also introduces a change to 'ub_event_callback_type' in
  libunbound/unbound-event.h.
- Patch to implement tcp-connection-limit from Jim Hague (Sinodun).
  This limits the number of simultaneous TCP client connections
  from a nominated netblock.
- Fix #4142: unbound.service.in: improvements and fixes.
  Add unit dependency ordering (based on systemd-resolved).
  Add 'CAP_SYS_RESOURCE' to 'CapabilityBoundingSet' (fixes warnings
  about missing privileges during startup). Add 'AF_INET6' to
  'RestrictAddressFamilies' (without it IPV6 can't work). From
  Guido Shanahan.
- unbound-checkconf checks if modules exist and prints if they are
  not compiled in the name of the wrong module.
- Patch for stub-no-cache and forward-no-cache options that disable
  caching for the contents of that stub or forward, for when you
  want immediate changes visible, from Bjoern A. Zeeb.
- Upgraded crosscompile script to include libunbound DLL in the
  zipfile.
- Set libunbound to increase current, because the libunbound change
  to the event callback function signature.  That needs programs,
  that use it, to recompile against the new header definition.
- log-servfail: yes prints log lines that say why queries are
  returning SERVFAIL to clients.
- log-local-actions: yes option for unbound.conf that logs all the
  local zone actions, a patch from Saksham Manchanda (Secure64).
- #4146: num.query.subnet and num.query.subnet_cache counters.
- #4140: Expose repinfo (comm_reply) to the inplace_callbacks. This
  gives access to reply information for the client's communication
  point when the callback is called before the mesh state (modules).
  Changes to C and Python's inplace_callback signatures were also
  necessary.
- Set defaults to yes for a number of options to increase speed and
  resilience of the server.  The so-reuseport, harden-below-nxdomain,
  and minimal-responses options are enabled by default.  They used
  to be disabled by default, waiting to make sure they worked.  They
  are enabled by default now, and can be disabled explicitly by
  setting them to "no" in the unbound.conf config file.  The reuseport
  and minimal options increases speed of the server, and should be
  otherwise harmless.  The harden-below-nxdomain option works well
  together with the recently default enabled qname minimisation, this
  causes more fetches to use information from the cache.
- Added serve-expired-ttl and serve-expired-ttl-reset options.


Bug Fixes
- Windows example service.conf edited with more windows specific
  configuration.
- #4108: systemd reload hang fix.
- Fix usage printout for unbound-host, hostname has to be last
  argument on BSDs and Windows.
- Partial fix for permission denied on IPv6 address on FreeBSD.
- Fix that auth-zone master reply with current SOA serial does not
  stop scan of masters for an updated zone.
- Fix that auth-zone does not start the wait timer without checking
  if the wait timer has already been started.
- #4109: Fix that package config depends on python unconditionally.
- Patch, do not export python from pkg-config, from Petr Menšík.
- Fix checking for libhiredis printout in configure output.
- Fix typo on man page in ip-address description.
- Update libunbound/python/examples/dnssec_test.py example code to
  also set the 20326 trust anchor for the root in the example code.
- Better documentation for unblock-lan-zones and insecure-lan-zones
  config statements.
- Fix permission denied printed for auth zone probe random port nrs.
- Fix documentation ambiguity for tls-win-cert in tls-upstream and
  forward-tls-upstream docs.
- iana port update.
- Fix round robin for failed addresses with prefer-ip6: yes
- Note in documentation that the cert name match code needs
  OpenSSL 1.1.0 or later to be enabled.
- Fix to improve systemd socket activation code file descriptor
  assignment.
- Fix for 4126 that the #define for UNKNOWN_SERVER_NICENESS can be more
  easily changed to adjust default rtt assumptions.
- Fix #4127 unbound -h does not list -p help.
- Print error if SSL name verification configured but not available
  in the ssl library.
- Fix that ratelimit and ip-ratelimit are applied after reload of
  changed config file.
- Resize ratelimit and ip-ratelimit caches if changed on reload.
- Fix #4129 unbound-control error message with wrong cert permissions
  is too cryptic.
- Fix #4130: print text describing -dd and unbound-checkconf on
  config file read error at startup, the errors may have been moved
  away by the startup process.
- Fix #4131: for solaris, error YY_CURRENT_BUFFER undeclared.
- Fix use-systemd readiness signalling, only when use-systemd is yes
  and not in signal handler.
- Fix #4135: 64-bit Windows Installer Creates Entries Under The
  Wrong Registry Key, reported by Brian White.
- Fix man page, say that chroot is enabled by default.
- Sort out test runs when the build directory isn't the project
  root directory.
- Error if EDNS Keepalive received over UDP.
- Correct and expand manual page entries for keepalive and idle timeout.
- Implement progressive backoff of TCP idle/keepalive timeout.
- Fix 'make depend' to work when build dir is not project root.
- Fix #4139: Fix unbound-host leaks memory on ANY.
- Fix to remove systemd sockaddr function check, that is not
  always present.  Make socket activation more lenient.  But not
  different when socket activation is not used.
- Fix #4136: insufficiency from mismatch of FLEX capability between
  released tarball and build host.  Fix to unconditionally call
  destroy in daemon.c.
- Make capsforid fallback QNAME minimisation aware.
- document --enable-subnet in doc/README.
- Fix #4144: dns64 module caches wrong (negative) information.
- Fix that printout of error for cycle targets is a verbosity 4
  printout and does not wrongly print it is a memory error.
- Fix segfault in auth-zone read and reorder of RRSIGs.
- Fix contrib/fastrpz.patch.
- Fix warning on compile without threads.
- print servfail info to log as error.
- added more servfail printout statements, to the iterator.
- Fix classification for QTYPE=CNAME queries when QNAME minimisation is
  enabled.
- Fix only misc failure from log-servfail when val-log-level is not
  enabled.
- Fix lintflags for lint on FreeBSD.
- Fix that a local-zone with a local-zone-type that is transparent
  in a view with view-first, makes queries check for answers from the
  local-zones defined outside of views.


Best regards, Wouter

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://nlnetlabs.nl/pipermail/unbound-users/attachments/20180910/66896686/attachment.sig>


More information about the Unbound-users mailing list