28f537c72f
Features:
* Makefile changed for BSD make compatibility.
* dns over ssl support as a client, ssl-upstream yes turns it on. It performs an SSL transaction for every DNS query.
* dns over ssl support as a server, ssl-service-pem and ssl-service-key files can be given and then TCP queries are serviced wrapped in SSL.
* lame-ttl and lame-size options no longer exist, it is integrated with the host info. They are ignored (with verbose warning) if encountered to keep the config file backwards compatible.
* TCP-upstream calculates tcp-ping so server selection works if there are alternatives.
* Unbound probes at EDNS1480 if there is an EDNS0 timeout.

Bug Fixes:
* Fix for VU#209659 CVE-2011-4528: Unbound denial of service vulnerabilities from nonstandard redirection and denial of existence http://www.unbound.net/downloads/CVE-2011-4528.txt
* Fix for tcp-upstream and ssl-upstream for if a laptop sleeps, causes SERVFAILs. Also fixed for UDP (but less likely).
* Fix quartile time estimate, it was too low.
* Fix double free in unbound-host.
* fix -flto detection on Lion for llvm-gcc.
* [bugzilla: 416] Infra cache stores information about ping and lameness per IP, zone.
* [bugzilla: 415] Fix resolve of partners.extranet.microsoft.com with a fix for the server selection for choosing out of a (particular) list of bad choices.
* Fix make_new_space function so that the incoming query is not overwritten if a jostled out query causes a waiting query to be resumed that then fails and sends an error message.
* fix unbound-anchor for broken strptime on OSX lion, detected in configure.
* Detect if GOST really works, openssl1.0 on OSX fails.
* Implement ipv6%interface notation for scope_id usage.
* better documentation for inform_super.
* Fix for out-of-memory condition in libunbound.
* Fix --enable-allsymbols, it depended on link specifics of the target platform, or fptr_wlist assertion failures could occur.
* updated contrib/unbound_munin_ to family=auto so that it works with munin-node-configure automatically.
* Fix classification of NS set in answer section, where there is a parent-child server, and the answer has the AA flag for dir.slb.com.
* [bugzilla: 408] accept patch from Steve Snyder that comments out unused functions in lookup3.c.
* fix various compiler warnings.
* max sent count. EDNS1480 only for rtt < 5000. No promiscuous fetch if sentcount > 3, stop query if sentcount > 16. Count is reset when referral or CNAME happens. This makes unbound better at managing large NS sets, they are explored when there is continued interest (in the form of queries).
* remove uninit warning from cachedump code.
* Fix parse error on negative SOA RRSIGs if badly ordered in the packet.
* fix infra cache comparison.
* Fix to constrain signer_name to be a parent of the lookupname.
* robust checks for next-closer NSEC3s.
* iana portlist updated.

(Ok'ed by wiz@)