4c7dd5f539
Features: - [bugzilla: 644 ] harden-algo-downgrade option, if turned off, fixes the reported excessive validation failure when multiple algorithms are present. If set to 'no', it allows the weakest algorithm to validate the zone. - stats reports tcp usage, of incoming-num-tcp buffers. - contrib/unbound_smf22.tar.gz: Solaris SMF installation/removal scripts. - Add ip-transparent config option for bind to non-local addresses. - Synthesize ANY responses from cache. Does not search exhaustively, but MX,A,AAAA,SOA,NS also CNAME. - unbound-control list_insecure command shows the negative trust anchors currently configured. - ratelimit feature, ratelimit: 1000, can be used to turn it on. It ratelimits recursion effort per zone. For particular names you can configure exceptions in unbound.conf. - Ratelimit does not apply to prefetched queries, and ratelimit-factor is default 10. Repeated normal queries get resolved and with prefetch stay in the cache. - unbound-control ratelimit_list lists high rate domains. - caps-whitelist in unbound.conf allows whitelist of loadbalancers that cannot work with caps-for-id or its fallback. - RFC 7553 RR type URI support, is now enabled by default. - cache-max-negative-ttl config option, default 3600. - Add local-zone type inform_deny, that logs query and drops answer. Bug Fixes: - Unbound exits with a fatal error when the auto-trust-anchor-file fails to be writable. This is seconds after startup. You can load a readonly auto-trust-anchor-file with trust-anchor-file. The file has to be writable to notice the trust anchor change, without it, a trust anchor change will be unnoticed and the system will then become inoperable. - DLV is going to be decommissioned. Advice to stop using it, and put text in the example configuration and man page to that effect. - Patch from Brad Smith that syncs compat/getentropy_linux with OpenBSD's version (2015-03-04). - 0x20 fallback improved: servfail responses do not count as missing comparisons (except if all responses are errors), inability to find nameservers does not fail equality comparisons, many nameservers does not try to compare more than max-sent-count, parse failures start 0x20 fallback procedure. - store caps_response with best response in case downgrade response happens to be the last one. - Document that incoming-num-tcp increase is good for large servers. - Fix lintian warning in unbound-checkconf man page. - Updated default keylength in unbound-control-setup to 3k. - Fixup compile on cygwin, more portable openssl thread id. - Use reallocarray for integer overflow protection. - Fixed to add integer overflow checks on allocation (defense in depth). - Fix segfault on user not found at startup. - [bugzilla: 657 ] Fix that libunbound(3) recommends deprecated CRYPTO_set_id_callback. - If unknown trust anchor algorithm, and libressl is used, error message encourages upgrade of the libressl package. - rename ldns subdirectory to sldns to avoid name collision. - [bugzilla: 660 ] Fix interface-automatic broken in the presence of asymmetric routing. - Libunbound skips dos-line-endings from etc/hosts. - Fix crash in dnstap: Do not try to log TCP responses after timeout. - Fix that get_option for cache-sizes does not print double newline. - [bugzilla: 663 ] Fix that ssl handshake fails when using unix socket because dh size is too small. - [bugzilla: 664 ] libunbound python3 related fixes (from Tomas Hozza); Use print_function also for Python2. libunbound examples: produce sorted output. libunbound-Python: libldns is not used anymore. Fix issue with Python 3 mapping of FILE* using file_py3.i from ldns. - Fix leaked dns64prefix configuration string. - Removed contrib/unbound_unixsock.diff, because it has been integrated, use control-interface: /path in unbound.conf. - Change syntax of particular validator error to be easier for machine parse, swap rrset and ip adres info so it looks like: validation failure <www.example.nl. TXT IN>: signature crypto failed from 2001:DB8:7:bba4::53 for <*.example.nl. NSEC IN> - Fix that unparseable error responses are ratelimited. - SOA negative TTL is capped at minimumttl in its rdata section. - [bugzilla: 674 ] Do not free pointers given by getenv. - [bugzilla: 677 ] Fix CNAME corresponding to a DNAME was checked incorrectly and was therefore always synthesized. And fix DNAME responses from cache that failed internal chain test. - iana portlist update.
5 lines
247 B
Text
5 lines
247 B
Text
$NetBSD: distinfo,v 1.28 2015/07/15 18:09:05 pettai Exp $
|
|
|
|
SHA1 (unbound-1.5.4.tar.gz) = ce0abc1563baa776a0f2c21516ffc13e6bff7d0f
|
|
RMD160 (unbound-1.5.4.tar.gz) = 0d77e595ae80191d382b44c89365ef9054f374df
|
|
Size (unbound-1.5.4.tar.gz) = 4844273 bytes
|