Commit Graph

1 Commits

Author SHA1 Message Date
christos 7cd94d692f Import unbound-1.7.3
19 June 2018: Wouter
	- Fix for unbound-control on Windows and set TCP socket parameters
	  more closely.
	- Fix windows unbound-control no cert bad file descriptor error.

18 June 2018: Wouter
	- Fix that control-use-cert: no works for 127.0.0.1 to disable certs.
	- Fix unbound-checkconf for control-use-cert.

15 June 2018: Wouter
	- tag for 1.7.3rc1.

14 June 2018: Wouter
	- #4103: Fix that auth-zone does not insist on SOA record first in
	  file for url downloads.
	- Fix that first control-interface determines if TLS is used.  Warn
	  when IP address interfaces are used without TLS.
	- Fix nettle compile.

12 June 2018: Ralph
	- Don't count CNAME response types received during qname minimisation as
	  query restart.

12 June 2018: Wouter
	- #4102 for NSD, but for Unbound.  Named unix pipes do not use
	  certificate and key files, access can be restricted with file and
	  directory permissions.  The option control-use-cert is no longer
	  used, and ignored if found in unbound.conf.
	- Rename tls-additional-ports to tls-additional-port, because every
	  line adds one port.
	- Fix buffer size warning in unit test.
	- remade dependencies in the Makefile.

6 June 2018: Wouter
	- Patch to fix openwrt for mac os build darwin detection in configure.

5 June 2018: Wouter
	- Fix crash if ratelimit taken into use with unbound-control
	  instead of with unbound.conf.

4 June 2018: Wouter
	- Fix deadlock caused by incoming notify for auth-zone.
	- tag for 1.7.2rc1, became 1.7.2 release on 11 June 2018,
	  trunk is 1.7.3 in development from this point.
	- #4100: Fix stub reprime when it becomes useless.

1 June 2018: Wouter
	- Rename additional-tls-port to tls-additional-ports.
	  The older name is accepted for backwards compatibility.

30 May 2018: Wouter
	- Patch from Syzdek: Add ability to ignore RD bit and treat all
	  requests as if the RD bit is set.

29 May 2018: Wouter
	- in compat/arc4random call getentropy_urandom when getentropy fails
	  with ENOSYS.
	- Fix that fallback for windows port.

28 May 2018: Wouter
	- Fix windows tcp and tls spin on events.
	- Add routine from getdns to add windows cert store to the SSL_CTX.
	- tls-win-cert option that adds the system certificate store for
	  authenticating DNS-over-TLS connections.  It can be used instead
	  of the tls-cert-bundle option, or with it to add certificates.

25 May 2018: Wouter
	- For TCP and TLS connections that don't establish, perform address
	  update in infra cache, so future selections can exclude them.
	- Fix that tcp sticky events are removed for closed fd on windows.
	- Fix close events for tcp only.

24 May 2018: Wouter
	- Fix that libunbound can do DNS-over-TLS, when configured.
	- Fix that windows unbound service can use DNS-over-TLS.
	- unbound-host initializes ssl (for potential DNS-over-TLS usage
	  inside libunbound), when ssl upstream or a cert-bundle is configured.

23 May 2018: Wouter
	- Use accept4 to speed up incoming TCP (and TLS) connections,
	  available on Linux, FreeBSD and OpenBSD.

17 May 2018: Ralph
	- Qname minimisation default changed to yes.

15 May 2018: Wouter
	- Fix low-rtt-pct to low-rtt-permil, as it is parts in one thousand.

11 May 2018: Wouter
	- Fix contrib/libunbound.pc for libssl libcrypto references,
	  from https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=226914

7 May 2018: Wouter
	- Fix windows to not have sticky TLS events for TCP.
	- Fix read of DNS over TLS length and data in one read call.
	- Fix mesh state assertion failure due to callback removal.

3 May 2018: Wouter
	- Fix that configure --with-libhiredis also turns on cachedb.
	- Fix gcc 8 buffer warning in testcode.
	- Fix function type cast warning in libunbound context callback type.

2 May 2018: Wouter
	- Fix fail to reject dead peers in forward-zone, with ssl-upstream.

1 May 2018: Wouter
	- Fix that unbound-control reload frees the rrset keys and returns
	  the memory pages to the system.

30 April 2018: Wouter
	- Fix spelling error in man page and note defaults as no instead of
	  off.

26 April 2018: Wouter
	- Fix for crash in daemon_cleanup with dnstap during reload,
	  from Saksham Manchanda.
	- Also that for dnscrypt.
	- tag for 1.7.1rc1 release.  Became 1.7.1 release on 3 May, trunk
	  is from here 1.7.2 in development.

25 April 2018: Ralph
	- Fix memory leak when caching wildcard records for aggressive NSEC use

24 April 2018: Wouter
	- Fix contrib/fastrpz.patch for this release.
	- Fix auth https for libev.

24 April 2018: Ralph
	- Added root-key-sentinel support

23 April 2018: Wouter
	- makedist uses bz2 for expat code, instead of tar.gz.
	- Fix #4092: libunbound: use-caps-for-id lacks colon in
	  config_set_option.
	- auth zone http download stores exact copy of downloaded file,
	  including comments in the file.
	- Fix sldns parse failure for CDS alternate delete syntax empty hex.
	- Attempt for auth zone fix; add of callback in mesh gets from
	  callback does not skip callback of result.
	- Fix cname classification with qname minimisation enabled.
	- list_auth_zones unbound-control command.

20 April 2018: Wouter
	- man page documentation for dns-over-tls forward-addr '#' notation.
	- removed free from failed parse case.
	- Fix #4091: Fix that reload of auth-zone does not merge the zonefile
	  with the previous contents.
	- Delete auth zone when removed from config.

19 April 2018: Wouter
	- Can set tls authentication with forward-addr: IP#tls.auth.name
	  And put the public cert bundle in tls-cert-bundle: "ca-bundle.pem".
	  such as forward-addr: 9.9.9.9@853#dns.quad9.net or
	  1.1.1.1@853#cloudflare-dns.com
	- Fix #658: unbound using TLS in a forwarding configuration does not
	  verify the server's certificate (RFC 8310 support).
	- For addr with #authname and no @port notation, the default is 853.

18 April 2018: Wouter
	- Fix auth-zone retry timer to be on schedule with retry timeout,
	  with backoff.  Also time a refresh at the zone expiry.

17 April 2018: Wouter
	- auth zone notify work.
	- allow-notify: config statement for auth-zones.
	- unit test for allow-notify

16 April 2018: Wouter
	- Fix auth zone target lookup iterator.
	- auth zone notify with prefix
	- auth zone notify work.

13 April 2018: Wouter
	- Fix for max include depth for authzones.
	- Fix memory free on fail for $INCLUDE in authzone.
	- Fix that an internal error to look up the wrong rr type for
	  auth zone gets stopped, before trying to send there.
	- auth zone notify work.

10 April 2018: Ralph
	- num.query.aggressive.NOERROR and num.query.aggressive.NXDOMAIN
	  statistics counters.

10 April 2018: Wouter
	- documentation for low-rtt and low-rtt-pct.
	- auth zone notify work.

9 April 2018: Wouter
	- Fix that flush_zone sets prefetch ttl expired, so that with
	  serve-expired enabled it'll start prefetching those entries.
	- num.query.authzone.up and num.query.authzone.down statistics counters.
	- Fix downstream auth zone, only fallback when auth zone fails to
	  answer and fallback is enabled.
	- Accept both option names with and without colon for get_option
	  and set_option.
	- low-rtt and low-rtt-pct in unbound.conf enable the server selection
	  of fast servers for some percentage of the time.

5 April 2018: Wouter
	- Combine write of tcp length and tcp query for dns over tls.
	- nitpick fixes in example.conf.
	- Fix above stub queries for type NS and useless delegation point.
	- Fix unbound-control over pipe with openssl 1.1.1, the TLSv1.3
	  tls_choose_sigalg routine does not allow the ciphers for the pipe,
	  so use TLSv1.2.
	- ED448 support.

3 April 2018: Wouter
	- Fix #4043: make test fails due to v6 presentation issue in macOS.
	- Fix unable to resolve after new WLAN connection, due to auth-zone
	  failing with a forwarder set.  Now, auth-zone is only used for
	  answers (not referrals) when a forwarder is set.

29 March 2018: Ralph
	- Check "result" in dup_all(), by Florian Obser.

23 March 2018: Ralph
	- Fix unbound-control get_option aggressive-nsec

21 March 2018: Ralph
	- Do not use cached NSEC records to generate negative answers for
	  domains under DNSSEC Negative Trust Anchors.

19 March 2018: Wouter
	- iana port update.

16 March 2018: Wouter
	- corrected a minor typo in the changelog.
	- move htobe64/be64toh portability code to cachedb.c.

15 March 2018: Wouter
	- Add --with-libhiredis, unbound support for a new cachedb backend
	  that uses a Redis server as the storage.  This implementation
	  depends on the hiredis client library (https://redislabs.com/lp/hiredis/).
	  And unbound should be built with both --enable-cachedb and
	  --with-libhiredis[=PATH] (where $PATH/include/hiredis/hiredis.h
	  should exist).  Patch from Jinmei Tatuya (Infoblox).
	- Fix #3817: core dump happens in libunbound delete, when queued
	  servfail hits deleted message queue.
	- Create additional tls service interfaces by opening them on other
	  portnumbers and listing the portnumbers as additional-tls-port: nr.

13 March 2018: Wouter
	- Fix typo in documentation.
	- Fix #3736: Fix 0 TTL domains stuck on SERVFAIL unless manually
	  flushed with serve-expired on.

12 March 2018: Wouter
	- Added documentation for aggressive-nsec: yes.
	- tag 1.7.0rc3.  That became the 1.7.0 release on 15 Mar, trunk
	  now has 1.7.1 in development.
	- Fix #3727: Protocol name is TLS, options have been renamed but
	  documentation is not consistent.
	- Check IXFR start serial.

9 March 2018: Wouter
	- Fix #3598: Fix swig build issue on rhel6 based system.
	  configure --disable-swig-version-check stops the swig version check.

8 March 2018: Wouter
	- tag 1.7.0rc2.

7 March 2018: Wouter
	- Fixed contrib/fastrpz.patch, even though this already applied
	  cleanly for me, now also for others.
	- patch to log creates keytag queries, from A. Schulze.
	- patch suggested by Debian lintian: allow to -> allow one to, from
	  A. Schulze.
	- Attempt to remove warning about trailing whitespace.

6 March 2018: Wouter
	- Reverted fix for #3512, this may not be the best way forward;
	  although it could be changed at a later time, to stay similar to
	  other implementations.
	- svn trunk contains 1.7.0, this is the number for the next release.
	- Fix for windows compile.
	- tag 1.7.0rc1.

5 March 2018: Wouter
	- Fix to check define of DSA for when openssl is without deprecated.
	- iana port update.
	- Fix #3582: Squelch address already in use log when reuseaddr option
	  causes same port to be used twice for tcp connections.

27 February 2018: Wouter
	- Fixup contrib/fastrpz.patch so that it applies.
	- Fix compile without threads, and remove unused variable.
	- Fix compile with staticexe and python module.
	- Fix nettle compile.

22 February 2018: Ralph
	- Save wildcard RRset from answer with original owner for use in
	  aggressive NSEC.

21 February 2018: Wouter
	- Fix #3512: unbound incorrectly reports SERVFAIL for CAA query
	  when there is a CNAME loop.
	- Fix validation for CNAME loops.  When it detects a cname loop,
	  by finding the cname, cname in the existing list, it returns
	  the partial result with the validation result up to then.
	- more robust cachedump rrset routine.

19 February 2018: Wouter
	- Fix #3505: Documentation for default local zones references
	  wrong RFC.
	- Fix #3494: local-zone noview can be used to break out of the view
	  to the global local zone contents, for queries for that zone.
	- Fix for more maintainable code in localzone.

16 February 2018: Wouter
	- Fixes for clang static analyzer, the missing ; in
	  edns-subnet/addrtree.c after the assert made clang analyzer
	  produce a failure to analyze it.

13 February 2018: Ralph
	- Aggressive NSEC tests

13 February 2018: Wouter
	- tls-cert-bundle option in unbound.conf enables TLS authentication.
	- iana port update.

12 February 2018: Wouter
	- Unit test for auth zone https url download.

12 February 2018: Ralph
	- Added tests with wildcard expanded NSEC records (CVE-2017-15105 test)
	- Processed aggressive NSEC code review remarks Wouter

8 February 2018: Ralph
	- Aggressive use of NSEC implementation. Use cached NSEC records to
	  generate NXDOMAIN, NODATA and positive wildcard answers.

8 February 2018: Wouter
	- iana port update.
	- auth zone url config.

5 February 2018: Wouter
	- Fix #3451: dnstap not building when you have a separate build dir.
	  And removed protoc warning, set dnstap.proto syntax to proto2.
	- auth-zone provides a way to configure RFC7706 from unbound.conf,
	  eg. with auth-zone: name: "." for-downstream: no for-upstream: yes
	  fallback-enabled: yes and masters or a zonefile with data.

2 February 2018: Wouter
	- Fix unfreed locks in log and arc4random at exit of unbound.
	- unit test with valgrind
	- Fix lock race condition in dns cache dname synthesis.
	- lock subnet new item before insertion to please checklocks,
	  no modification of critical regions outside of lock region.

1 February 2018: Wouter
	- fix unaligned structure making a false positive in checklock
	  uninitialised memory.

29 January 2018: Ralph
	- Use NSEC with longest ce to prove wildcard absence.
	- Only use *.ce to prove wildcard absence, no longer names.

25 January 2018: Wouter
	- ltrace.conf file for libunbound in contrib.

23 January 2018: Wouter
	- Fix that unbound-checkconf -f flag works with auto-trust-anchor-file
	  for startup scripts to get the full pathname(s) of anchor file(s).
	- Print fatal errors about remote control setup before log init,
	  so that it is printed to console.

22 January 2018: Wouter
	- Accept tls-upstream in unbound.conf, the ssl-upstream keyword is
	  also recognized and means the same.  Also for tls-port,
	  tls-service-key, tls-service-pem, stub-tls-upstream and
	  forward-tls-upstream.
	- Fix #3397: Fix that cachedb could return a partial CNAME chain.
	- Fix #3397: Fix that when the cache contains an unsigned DNAME in
	  the middle of a cname chain, a result without the DNAME could
	  be returned.
2018-09-03 14:08:55 +00:00