Bug Fixes:
* Added explicit note on unbound-anchor usage: Please note usage of
unbound-anchor root anchor is at your own risk and under the terms of our
LICENSE (see that file in the source).
* Fix remove private address does not throw away entire response. [bugzilla: 361 ]
* Fix, time.elapsed variable not reset with stats_noreset.
* Fix no ADflag for NXDOMAIN in NSEC3 optout. And wildcard in optout.
* give config parse error for multiple names on a stub or forward zone.
* updated ldns tarball to 1.6.9(snapshot).
* iana portlist updated.
Features:
* harden-below-nxdomain config option, default off (because very old software
may be incompatible). We could enable it by default in the future.
From draft-vixie-dnsext-resimprove-00.
* typetransparent localzone: does not block other RR types.
* so-sndbuf option for very busy servers, a bit like so-rcvbuf.
Bug Fixes:
* Fix so a changed NS RRset does not get moved name stuck on old server,
for type NS the TTL is not increased.
* Fix prefetch so it does not get stuck on old server for moved names.
* Fix insecure CNAME sequence marked as secure, reported by Bert Hubert.
* faster lruhash get_mem routine.
* [bugzilla: 346 ] remove ITAR scripts from contrib,
the service is discontinued, use the root.
* Fix in infra cache that could cause rto larger than TOP_TIMEOUT kept.
* algorithm compromise protection using the algorithms signalled in the DS
record. Also, trust anchors, DLV, and RFC5011 receive this, and thus,
if you have multiple algorithms in your trust-anchor-file then it will now
behave different than before. Also, 5011 rollover for algorithms needs to be
double-signature until the old algorithm is revoked.
* squelch 'tcp connect: bla' in logfile, (set verbosity 2 to see them)
* fix validation in this case: CNAME to nodata for co-hosted opt-in
NSEC3 insecure delegation, was bogus, fixed to be insecure.
* Fix our 'BDS' license (typo reported by Xavier Belanger).
* [bugzilla: 338 ] print address when socket creation fails.
* Fix storage of EDNS failures in the infra cache.
* silence 'tcp connect: broken pipe' and 'net down' at low verbosity.
* unbound-anchor compiles with openssl 0.9.7.
* Be lenient and accept imgw.pl malformed packet (like BIND).
* the included ldns tarball is updated (to 1.6.8)
* iana portlist updated.
unbound 1.47:
Features:
* unbound-anchor app, unbound requires libexpat (xml parser library).
It creates or updates a root.key file. Use it before you start the validator
(e.g. at system boot time).
* dump_infra and flush_infra commands for unbound-control.
Bug Fixes:
* GOST code enabled by default (RFC 5933).
* Configure detects libev-4.00.
* do not synthesize a CNAME message from cache for qtype DS.
* Use central entropy to seed threads.
* Change the rtt used to probe EDNS-timeout hosts to 1000 msec.
* Fix validation failure for parent and child on same server with an insecure
childzone and a CNAME from parent to child.
* Change of timeout code. No more lost and backoff in blockage. At 12sec timeout
(and at least 2x lost before) one probe per IP is allowed only. At 120sec,
the IP is blocked. After 15min, a 120sec entry has a single retry packet.
* no timeout backoff if meanwhile a query succeeded.
* Configure errors if ldns is not found.
* Windows 7 fix for the installer.
* Fix bug where fallback_tcp causes wrong roundtrip and edns observation to be
noted in cache. Fix bug where EDNSprobe halted exponential backoff if EDNS
status unknown.
* interface automatic works for some people with ip6 disabled. Therefore the
error check is removed, so they can use the option.
* Fix TCP so it uses a random outgoing-interface.
* Fix bug when DLV below a trust-anchor that uses NSEC3 optout where the zone
has a secure delegation hosted on the same server did not verify as secure
(it was insecure by mistake).
* Fix alloc_reg_release for longer uptime in out of memory conditions.
* [bugzilla: 329 ] in example.conf show correct ipv4 link-local 169.254/16.
* compliance with draft-ietf-dnsop-default-local-zones-14,
removed reverse ipv6 orchid prefix from builtin list.
* Algorithm rollover operational reality intrudes, for trust-anchor and
5011-store, if one key matches it's good enough.
* Fix reported validation error in out of memory condition.
* Abide RFC5155 section 9.2: no AD flag for replies with NSEC3 optout.
* increased mesh-max-activation from 1000 to 3000 for crazy domains like
_tcp.slb.com with 262 servers.
* [bugzilla: 327 ] Fix for cannot access stub zones until the root is primed.
* openbsd-lint fixes
* [bugzilla: 321 ] Fix resolution of rs.ripe.net artifacts with 0x20.
Delegpt structures checked for duplicates always.
No more nameserver lookups generated when depth is full anyway.
* [bugzilla: 322 ] Fix, configure does not respect CFLAGS on Solaris.
Pass CFLAGS="-xO4 -xtarget=generic" on the configure command line if use
sun-cc, but some systems need different flags.
* Fix acx_nlnetlabs.m4 configure output for autoconf-2.66 AS_TR_CPP changes,
uses m4_bpatsubst now.
* make test (or make check) should be more portable and run the unit test and
testbound scripts. (make longtest has special requirements).
* More pleasant remote control command parsing.
* Fix name of rrset printed that failed validation.
* Return NXDOMAIN after chain of CNAMEs ends at name-not-found.
* Fix validation in case a trust anchor enters into a zone with
unsupported algorithms.
* iana portlist updated.
* updated ldns tarball.
Features:
* Builtin root hints contain AAAA for I.ROOT-SERVERS.NET.
* unbound.h has extern "C" statement for easier include in c++.
* added feature to print configure date, target and options with -h.
* added feature to print event backend system details with -h.
* (ports and works on Minix 3.1.7). On Minix, add /usr/gnu/bin to PATH,
use ./configure AR=/usr/gnu/bin/gar and gmake.
* GOST enabled if SSL is recent and ldns has GOST enabled too.
Bug Fixes:
* Fix TCPreply on systems with no writev, if just 1 byte could be sent.
* Fix to use one pointer less for iterator query state store_parent_NS.
* Max referral count from 30 to 130, because 128 one character domains is valid DNS.
* added documentation for the histogram printout to syslog.
* Fix assertion failure reported by Kai Storbeck from XS4ALL, the assertion was wrong.
* updated ldns tarball.
* iana portlist updated.
* Unbound reports libev or libevent correctly in logs in verbose mode.
* Fix handling of corner case reply from lame server, follows rfc2308.
* Fix jostle list bug found by Vince (luoce at cnnic), it caused the qps in
overload situations to be about 5 qps for the class of shortly serviced
queries.
* Fix the max number of reply-address count to be applied for duplicate queries,
and not for new query list entries.
* Fix RFC4035 compliance with 2.2 statement that the DNSKEY at apex must be
signed with all algorithms from the DS rrset at the parent.
* Fix validation of qtype DNSKEY when a key-cache entry exists but no rr-cache
entry is used (it expired or prefetch), it then goes back up to the DS or
trust-anchor to validate the DNSKEY.
* log if a server is skipped because it is on the donotquery list, at verbosity
4, to enable diagnosis why no queries to 127.0.0.1.
* failure to chown the pidfile is not fatal any more.
* Neat function prototypes, unshadowed local declarations.
* Fix integer underflow in prefetch ttl creation from cache.
This fixes a potential negative prefetch ttl.
* Changed the defaults for num-queries-per-thread/outgoing-range.
Features:
* unbound-control get_option domain-insecure shows config file items.
* Autotrust anchor file can be initialized with a ZSK key as well
(if the domain's DNSKEY set is signed with that ZSK).
* Conforms to draft-ietf-dnsop-default-local-zones-13. Added default
reverse lookup blocks for IPv4 test nets 100.51.198.in-addr.arpa,
113.0.203.in-addr.arpa and Orchid prefix 0.1.1.0.0.2.ip6.arpa.
* Contribution from Migiel de Vos (Surfnet): nagios patch for unbound-host,
in contrib/ (in the source tarball). Makes unbound-host suitable for
monitoring dnssec(-chain) status.
* GOST disabled-by-default, the algorithm number is allocated but the RFC
is still has to pass AUTH48 at the IETF.
Bug Fixes:
* Fix validation failure for qtype ANY caused by a RRSIG parse failure.
The validator error message was 'no signatures from ...'.
* Squelch log message: sendto failed permission denied for 255.255.255.255,
it is visible in VERB_DETAIL (verbosity 2).
* Fix fetch from blacklisted dnssec lame servers as last resort.
The server's IP address is then given in validator errors as well.
* Fix local-zone type redirect that did not use the query name for the
answer rrset.
* Compile fix using Sun Studio 12 compiler on Solaris 5.9, use CPPFLAGS
during configure process.
* Fix if libev is installed on the base system (not libevent),
detect it from the event.h header file and link with -lev.
* Fix configlexer.lex gets config.h, and configyyrename.h added by make,
no more double include.
* More strict scrubber (Thanks to George Barwood for the idea):
NS set must be pertinent to the query.
* [bugzilla: 307 ] In 0x20 backoff fix fallback so the number of outstanding
queries does not become -1 and block the request. Fixed handling of
recursion-lame in combination with 0x20 fallback. Fix so RRsets are
compared canonicalized and sorted if the immediate comparison fails,
this makes the 0x20 option work around round-robin sites.
* Fix retry sequence if prime hints are recursion-lame.
* Fix so harden-referral-path does not result in failures due to max-depth.
You can increase the max-depth by adding numbers (' 0') after the
target-fetch-policy, this increases the depth to which is checked.
* Fix detection of GOST support in ldns (reported by Chris Smith).
* Fix for dnssec lameness detection to use the key cache.
* infra cache entries that are expired are wiped clean.
Previously it was possible to not expire host data (if accessed often).
* Fix dnssec-missing detection that was turned off by server selection.
* [bugzilla: 308 ] Fix spelling error in variable name in parser and lexer.
* Fix various compiler warnings from the clang llvm compiler.
* Fix comments in iter_utils:dp_is_useless.
* EDNS timeout code will not fire if EDNS status already known.
* EDNS failure not stored if EDNS status known to work.
* Parent-child disagreement approach altered. Older fixes are removed in
place of a more exhaustive search for misconfigured data available via
the parent of a delegation. This is designed to be throttled by cache
entries, with TTL from the parent if possible. Additionally the
loop-counter is used. It also tests for NS RRset differences between
parent and child. The fetch of misconfigured data should be more
reliable and thorough. It should work reliably even with no or only
partial data in cache. Data received from the child (as always) is
deemed more authoritative than information received from the delegation
parent. The search for misconfigured data is not performed normally.
* Fix AD flag handling, it could in some cases mistakenly copy the AD flag
from upstream servers.
* Ignore Z flag in incoming messages too.
* alloc_special_obtain out of memory is not a fatal error any more,
enabling unbound to continue longer in out of memory conditions.
* Parentside names are dispreferred but not said to be dnssec-lame.
* Fix parentside and querytargets modulestate, for dump_requestlist.
* unbound-control-setup makes keys -rw-r--- so not all users permitted.
* libtoolize 2.2.6b, autoconf 2.65 applied to configure.
* Fix compile warning if compiled without threads.
* iana portlist updated.
* included ldns tarball updated.
* Fix bug where a long loop could be entered, now cycle detection has
a loop-counter and maximum search amount.
Features:
* Experimental ECC-GOST algorithm support.
* unbound-host disables use-syslog from config file.
* Include less in config.h and include per code file for ldns, ssl.
Bug Fixes:
* [bugzilla: 305 ] (regarding pkt_dname_tolower).
* Fix chain of trust with CNAME, for the DS processing proof.
* Fix validation of queries with wildcard names (*.example).
* Fix EDNS probe for .de DNSSEC testbed failure (backoff).
* unbound control flushed items are not counted when flushed again.
* iana portlist updated.
* [bugzilla: 301 ] (regarding unbound-checkconf).
* Fixed random numbers for port, interface and server selection.
* Refer to the listing in unbound-control man page in the extended \
statistics entry in the unbound.conf man page.
* Fix interface-automatic for OpenBSD: msg.controllen was too small.
* check for IP_SENDSRCADDR for interface-automatic or IP_PKTINFO.
* for NSEC3 check if signatures are cached.
* Reordered configure checks so fork and -lnsl -lsocket checks are earlier.
* ldns tarball updated.
* Fix python use when multithreaded.
* Fix solaris python compile.
* spelling fix in validation error involving cnames.
- Fix a memory alignment issue, that can be triggered remote on (some)
64bit systems
- Fix daemonize on Solaris 10 to correctly detach from terminal
- Extend unbound-control with new functions
- Better VERB_DETAIL output
- Improve latency of DNSSEC requeries by optionally prefetching the key
earlier in the validation process
- Prefetch option for popular queries before they expire
- Fix re-query pattern on invalid DNSKEY or DS records to reduce traffic
to a few packets / zone instead of a few packets / record
- Fixed bug where NSEC3 signature was not checked. This meant that
a DS could be spoofed away by a carefully crafted packet.
A downgrade attack on existing secure delegations.
- updated iana port list.
- improve chroot handling
- even stricter validation
- support for blocking DNS rebinding attacks
- DLV support
- bugfixes
The package now uses the normal net/ldns package instead of the local
copy.
stricter filtering to defeat some additional DNS attacks and support for
source address randomisation and optional capitalisation support. The
former can be configured when multiple public IPs are present, the
latter is considered experimental as a small number of servers doesn't
support it.
