Dec 11, 2017
Bugfixes
ignore fallthrough compiler warning in flex EOF rule.
Fix warnings emitted by clang for --enable-packed. Alignment is not a problem for x86_64, don't enable packed when the platform requires aligned access.
Fix spelling error in xfr-inspect.
Fix 3392: Fix regression in 4.1.18 for notify lists with ip4 and ip6 targets.
Add test for support of -Wno-address-of-packed-member for --enable-packed.
NSD 4.1.18
Nov 30, 2017
Features
xfr-inspect, it is not installed, it prints xfr files from /tmp made with 'make xfr-inspect' in the source dir.
retry timeout between sending notifies dropped from 15 to 3 sec.
NSD sends 16 notifies simultaneously.
configure --enable-packed reduces memory usage, at expense of unaligned reads. Saves about 17%.
Save memory by selectively allocate precompiled nsec3 hashes, saves about 16% memory.
make ip-transparent option work on OpenBSD.
Save about 2% memory by changing usage count size in name tree.
Fix#2871: Increase number of sockets for xfrd transfers.
Bugfixes
Fix gcc 7.1.1 warnings.
Fix writev compile warning on FreeBSD.
Fix#1446: A corrupted zone file "propagates" to good ones.
nsd-control zonestatus prints wait time between attempts, for zones that are in that waiting time.
Fix collision printout of nsec3 to print name, hash and reverse.
Fix#1567: Change crit to err log level for gettimeofday failure. Add defines for compile without syslog.
Fix crash for DS query when parent and child zones both configured in nsd.conf and parent zone has not loaded properly.
NSD 4.1.17
Jul 21, 2017
Features
zone parser parses type AVC (it has TXT format).
Fix#1272: use writev to put tcp length field with data for outgoing zone transfer requests.
Bugfixes
Fix potential null pointer in nsec3 adjustment tree.
Fix text format of deletes for CDS and CDNSKEY, single 0 to represent empty base64 or hex string.
NSD 4.1.16
Apr 25, 2017
Features
zone parser can parse acronyms for algorithms ED25519 and ED448.
Fix 1243: Option to make NSD emit really minimal responses, minimal-responses: yes in nsd.conf.
Bugfixes
Calculate new udb index after growing the array, fix from Chaofeng Liu.
Fix missing _t to _type conversion for disable-radix-tree option.
Printout serial error with hint it may be too big.
Fix 1228: OpenSSL include is not guarded with HAVE_SSL
Patch for expire state in multi-master when masters includes broken master, from Manabu Sonoda.
minor manpage fix.
NSD 4.1.15
Feb 16, 2017
Bugfixes
Fix nsd-control and ipv6 only.
Squelch zone transfer error address family not supported by protocol at low verbosity levels.
Fix#1195: Fix so that NSD fails on non-compliant values for Serial.
Fix to rename _t typedefs because POSIX reserves them.
Fix that nsec3 hash collisions only reported on verbosity level 3.
- use ${G_OBJS} directly, it avoids issues with .c vs .cc files.
- add a method to not rm -rf .ab for inspection.
- fix and add missing depends for many things.
- use -Wno-error for mips and arm insn-recog.c, due to eg:
insn-recog.c:10304:7: error: this decimal constant is unsigned only in ISO C90 [-Werror]
mips.md:3474:11: error: this decimal constant is unsigned only in ISO C90 [-Werror]
arm armeb earm earmeb earmhf earmhfeb earmv4eb earmv6 earmv6eb
earmv6hf earmv6hfeb earmv7 earmv7eb earmv7hf earmv7hfeb
mipsel, ppc64 and ia64 didn't work properly this time, and vax
has a problem with libstdc++.
Download: unbound-1.6.8.tar.gz
SHA1 checksum: 492737be9647c26ee39d4d198f2755062803b412
SHA256 checksum: e3b428e33f56a45417107448418865fe08d58e0e7fea199b855515f60884dd49
PGP signature: unbound-1.6.8.tar.gz.asc
Date: 19 Jan, 2018
Bug Fixes
Fix for CVE-2017-15105: vulnerability in the processing of wildcard synthesized NSEC records.
Older versions
Unbound 1.6.7
Download: unbound-1.6.7.tar.gz
SHA1 checksum: 098f8acfc3e9d1cab54f07863e61eabbb67c80dc
SHA256 checksum: 4e7bd43d827004c6d51bef73adf941798e4588bdb40de5e79d89034d69751c9f
PGP signature: unbound-1.6.7.tar.gz.asc
Date: 10 Oct, 2017
Features
Set trust-anchor-signaling default to yes
#1440: [dnscrypt] client nonce cache.
#1435: Allow UDP to be disabled separately upstream and downstream.
Bug Fixes
Fix that looping modules always stop the query, and don't pass control.
Fix unbound-host to report error for DNSSEC state of failed lookups.
Spelling fixes, from Josh Soref.
Fix#1400: allowing use of global cache on ECS-forwarding unless always-forward.
use a cachedb answer even if it's "expired" when serve-expired is yes (patch from Jinmei Tatuya).
trigger refetching of the answer in that case (this will bypass cachedb lookup)
allow storing a 0-TTL answer from cachedb in the in-memory message cache when serve-expired is yes
Fix DNSCACHE_STORE_ZEROTTL to be bigger than 0xffff.
Log name of looping module
Fix#1450: Generate again patch contrib/aaaa-filter-iterator.patch (by Danilo G. Baio).
Fix param unused warning for windows exportsymbol compile.
Use RCODE from A query on DNS64 synthesized answer.
Fix trust-anchor-signaling works in libunbound.
Fix spelling in unbound-control man page.
Unbound 1.6.6
Download: unbound-1.6.6.tar.gz
SHA1 checksum: d205c03a402f5d900d5bad3d036849a12804a49e
SHA256 checksum: 972b14dc33093e672652a7b2b5f159bab2198b0fe9c9e1c5707e1895d4d4b390
PGP signature: unbound-1.6.6.tar.gz.asc
Date: 18 Sep, 2017
Features
unbound-control dump_infra prints port number for address if not 53.
Fix#1344: RFC6761-reserved domains: test. and invalid.
Fix#1349: allow suppression of pidfiles (from Daniel Kahn Gillmor). With the -p option unbound does not create a pidfile.
Added stats for queries that have been ratelimited by domain recursion.
Patch to show DNSCrypt status in help output, from Carsten Strotmann.
Fix#1407: Add ECS options check to unbound-checkconf.
Fix#1415: [dnscrypt] shared secret cache, patch from Manu Bretelle.
Bug Fixes
fixup of dnscrypt_cert_chacha test (from Manu Bretelle).
First fix for zero b64 and hex text zone format in sldns.
Better fixup of dnscrypt_cert_chacha test for different escapes.
Fix that infra cache host hash does not change after reconfig.
Fix python example0 return module wait instead of error for pass.
enhancement for hardened-tls for DNS over TLS. Removed duplicated security settings.
Fix for unbound-checkconf, check ipsecmod-hook if ipsecmod is turned on.
Fix#1331: libunbound segfault in threaded mode when context is deleted.
Fix pythonmod link line option flag.
Fix openssl 1.1.0 load of ssl error strings from ssl init.
Fix 1332: Bump verbosity of failed chown'ing of the control socket.
Redirect all localhost names to localhost address for RFC6761.
Fix#1350: make cachedb backend configurable (from JINMEI Tatuya).
Fix tests to use .tdir (from Manu Bretelle) instead of .tpkg.
upgrade aclocal(pkg.m4 0.29.1), config.guess(2016-10-02), config.sub(2016-09-05).
annotate case statement fallthrough for gcc 7.1.1.
flex output from flex 2.6.1.
snprintf of thread number does not warn about truncated string.
squelch TCP fast open error on FreeBSD when kernel has it disabled, unless verbosity is high.
remove warning from windows compile.
Fix compile with libnettle
Fix DSA configure switch (--disable dsa) for libnettle and libnss.
Fix#1365: Add Ed25519 support using libnettle.
Fix#1394: mix of serve-expired and response-ip could cause a crash.
Remove unused iter_env member (ip6arpa_dname)
Do not reset rrset.bogus stats when called using stats_noreset.
Do not add rrset_bogus and query ratelimiting stats per thread, these module stats are global.
Fix#1397: Recursive DS lookups for AS112 zones names should recurse.
Fix#1398: make cachedb secret configurable.
Remove spaces from Makefile.
Fix issue on macOX 10.10 where TCP fast open is detected but not implemented causing TCP to fail. The fix allows fallback to regular TCP in this case and is also more robust for cases where connectx() fails for some reason.
Fix#1402: squelch invalid argument error for fd_set_block on windows.
Fix to reclaim tcp handler when it is closed due to dnscrypt buffer allocation failure.
Fix#1415: patch to free dnscrypt environment on reload.
iana portlist update
Small fixes for the shared secret cache patch.
Fix WKS records on kvm autobuild host, with default protobyname entries for udp and tcp.
Fix#1414: fix segfault on parse failure and log_replies.
zero qinfo in handle_request, this zeroes local_alias and also the qname member.
new keys and certs for dnscrypt tests.
fixup WKS test on buildhost without servicebyname.
updated contrib/fastrpz.patch to apply with configparser changes.
Fix 1416: qname-minimisation breaks TLSA lookups with CNAMEs.
Fix#1424: cachedb:testframe is not thread safe.
Fix#1417: [dnscrypt] shared secret cache counters, and works when dnscrypt is not enabled. And cache size configuration option.
Fix#1418: [ip ratelimit] initialize slabhash using ip-ratelimit-slabs.
Recommend 1472 buffer size in unbound.conf
Fix#1412: QNAME minimisation strict mode not honored
Fix#1434: Fix windows openssl 1.1.0 linking.
Add dns64 for client-subnet in unbound-checkconf.
Unbound 1.6.5
Download: unbound-1.6.5.tar.gz
SHA1 checksum: ecb260b94d139d84fae2bff80f9701f53a329e26
SHA256 checksum: e297aa1229015f25bf24e4923cb1dadf1f29b84f82a353205006421f82cc104e
PGP signature: unbound-1.6.5.tar.gz.asc
Date: 21 Aug, 2017
Bug Fixes
Fix install of trust anchor when two anchors are present, makes both valid. Checks hash of DS but not signature of new key. This fixes the root.key file if created when unbound is installed between sep11 and oct11 2017.
Unbound 1.6.4
Download: unbound-1.6.4.tar.gz
SHA1 checksum: 836ecc48518b9159f600a738c276423ef1f95021
SHA256 checksum: df0a88816ec31ccb8284c9eb132e1166fbf6d9cde71fbc4b8cd08a91ee777fed
PGP signature: unbound-1.6.4.tar.gz.asc
Date: 27 Jun, 2017
Features
Implemented trust anchor signaling using key tag query.
unbound-checkconf -o allows query of dnstap config variables. Also unbound-control get_option. Also for dnscrypt.
unbound.h exports the shm stats structures. They use type long long and no ifdefs, and ub_ before the typenames.
Implemented opportunistic IPsec support module (ipsecmod).
Added redirect-bogus.patch to contrib directory.
Support for the ED25519 algorithm with openssl (from openssl 1.1.1).
renumbering B-Root's IPv6 address to 2001:500:200::b.
Fix#1276: [dnscrypt] add XChaCha20-Poly1305 cipher.
Fix#1277: disable domain ratelimit by setting value to 0.
Added fastrpz patch to contrib
Bug Fixes
Added ECS unit test (from Manu Bretelle).
ECS documentation fix (from Manu Bretelle).
Fix#1252: more indentation inconsistencies.
Fix#1253: unused variable in edns-subnet/addrtree.c:getbit().
Fix#1254: clarify ratelimit-{for,below}-domain (from Manu Bretelle).
iana portlist update
Based on #1257: check parse limit before t increment in sldns RR string parse routine.
Fix#1258: Windows 10 X64 unbound 1.6.2 service will not start. and fix that 64bit getting installed in C:\Program Files (x86).
Fix#1259: "--disable-ecdsa" argument overwritten by "#ifdef SHA256_DIGEST_LENGTH@daemon/remote.c".
iana portlist update
Added test for leak of stub information.
Fix sldns wire2str printout of RR type CAA tags.
Fix sldns int16_data parse.
Fix sldns parse and printout of TSIG RRs.
sldns SMIMEA and AVC definitions, same as getdns definitions.
Fix tcp-mss failure printout text.
Set SO_REUSEADDR on outgoing tcp connections to fix the bind before connect limited tcp connections. With the option tcp connections can share the same source port (for different destinations).
Add 'c' to getopt() in testbound.
Adjust servfail by iterator to not store in cache when serve-expired is enabled, to avoid overwriting useful information there.
Fix queries for nameservers under a stub leaking to the internet.
document trust-anchor-signaling in example config file.
updated configure, dependencies and flex output.
better module memory lookup, fix of unbound-control shm names for module memory printout of statistics.
Fix type AVC sldns rrdef.
Some whitespace fixup.
Fix#1265: contrib/unbound.service contains hardcoded path.
Fix#1265 to use /bin/kill.
Fix#1267: Libunbound validator/val_secalgo.c uses obsolete APIs, and compatibility with BoringSSL.
Fix#1268: SIGSEGV after log_reopen.
exec_prefix is by default equal to prefix.
printout localzone for duplicate local-zone warnings.
Fix assertion for low buffer size and big edns payload when worker overrides udpsize.
Support for openssl EVP_DigestVerify.
Fix#1269: inconsistent use of built-in local zones with views.
Add defaults for new local-zone trees added to views using unbound-control.
Fix#1273: cachedb.c doesn't compile with -Wextra.
If MSG_FASTOPEN gives EPIPE fallthrough to try normal tcp write.
Also use global local-zones when there is a matching view that does not have any local-zone specified.
Fix fastopen EPIPE fallthrough to perform connect.
Fix#1274: automatically trim chroot path from dnscrypt key/cert paths (from Manu Bretelle).
Fix#1275: cached data in cachedb is never used.
Fix that unbound-control can set val_clean_additional and val_permissive_mode.
Add dnscrypt XChaCha20 tests.
Detect chacha for dnscrypt at configure time.
dnscrypt unit tests with chacha.
Added domain name based ECS whitelist.
Fix#1278: Incomplete wildcard proof.
Fix#1279: Memory leak on reload when python module is enabled.
Fix#1280: Unbound fails assert when response from authoritative contains malformed qname. When 0x20 caps-for-id is enabled, when assertions are not enabled the malformed qname is handled correctly.
More fixes in depth for buffer checks in 0x20 qname checks.
Fix stub zone queries leaking to the internet for harden-referral-path ns checks.
Fix query for refetch_glue of stub leaking to internet.
Fix#1301: memory leak in respip and tests.
Free callback in edns-subnetmod on exit and restart.
Fix memory leak in sldns_buffer_new_frm_data.
Fix memory leak in dnscrypt config read.
Fix dnscrypt chacha cert support ifdefs.
Fix dnscrypt chacha cert unit test escapes in grep.
Fix to unlock view in view test.
Fix warning in pythonmod under clang compiler.
Fix lintian typo.
Fix#1316: heap read buffer overflow in parse_edns_options.
Unbound 1.6.3
Download: unbound-1.6.3.tar.gz
SHA1 checksum: 4477627c31e8728058565f3bae3a12a1544d8a9c
SHA256 checksum: 4c7e655c1d0d2d133fdeb81bc1ab3aa5c155700f66c9f5fb53fa6a5c3ea9845f
PGP signature: unbound-1.6.3.tar.gz.asc
Date: 13 Jun, 2017
Bug Fixes
Fix#1280: Unbound fails assert when response from authoritative contains malformed qname. When 0x20 caps-for-id is enabled, when assertions are not enabled the malformed qname is handled correctly.
Unbound 1.6.2
Download: unbound-1.6.2.tar.gz
SHA1 checksum: de370b1ac8e260db9c4c1504453752713dd8818f
SHA256 checksum: 1a323d72c32180b7141c9e6ebf199fc68a0208dfebad4640cd2c4c27235e3b9c
PGP signature: unbound-1.6.2.tar.gz.asc
Date: 24 Apr, 2017
Features
Add trustanchor.unbound CH TXT that gets a response with a number of TXT RRs with a string like "example.com. 2345 1234" with the trust anchors and their keytags.
Patch for view functionality for local-data-ptr from Björn Ketelaars.
Response actions based on IP address from Jinmei Tatuya (Infoblox).
Patch from Luiz Fernando Softov for Stats Shared Memory.
unbound-control stats_shm command prints stats using shared memory, which uses less cpu.
--disable-sha1 disables SHA1 support in RRSIG, so from DNSKEY and DS records. NSEC3 is not disabled.
#1217. DNSCrypt support, with --enable-dnscrypt, libsodium and then enabled in the config file from Manu Bretelle.
Merge EDNS Client subnet implementation from feature branch into main branch, using new EDNS processing framework.
harden-algo-downgrade: no also makes unbound more lenient about digest algorithms in DS records.
Bug Fixes
sldns has ED25519 and ED448 algorithm number and name for display.
sldns updated for vfixed and buffer resize indication from getdns.
iana portlist update
Fix#1224: Fix that defaults should not fall back to "Program Files (x86) if Unbound is 64bit by default on windows.
Fix doc/CNAME-basedRedirectionDesignNotes.pdf zone static to redirect.
make depend, autoconf, doxygen and lint fixed up.
include sys/time.h for new shm code on NetBSD.
Fix#1227: Fix that Unbound control allows weak ciphersuits.
Fix#1226: provide official 32bit binary for windows.
For #1227: if we have sha256, set the cipher list to have no known vulns.
Fix testpkts.c, check if DO bit is set, not only if there is an OPT record.
Fix#1229: Systemd service sandboxing in contrib/unbound.service.
Fix#1230: swig version 2.0.1 is required for pythonmod, with 1.3.40 it crashes when running repeatly unbound-control reload.
fix enum conversion warnings
fake-sha1 test option; print warning if used. To make unit tests.
unbound-control list local zone and data commands listed in the help output.
Fix#1234: shortening DNAME loop produces duplicate DNAME records in ANSWER section.
testbound understands Deckard MATCH rcode question answer commands.
Fix#1235: Fix too long DNAME expansion produces SERVFAIL instead of YXDOMAIN + query loop, reported by Petr Spacek.
Fix that SHM is not inited if not enabled.
Fix that looped DNAMEs do not cause unbound to spend effort.
trustanchor tags are sorted. reusable routine to fetch taglist.
Fix#1237 - Wrong resolving in chain, for norec queries that get SERVFAIL returned.
make depend, autoconf, remove warnings about statement before var.
lru_demote and lruhash_insert_or_retrieve functions for getdns.
fixup for lruhash (whitespace and header file comment).
dnscrypt tests.
Fix doxygen for dnscrypt files.
Fix#1238: segmentation fault when adding through the remote interface a per-view local zone to a view with no previous (configured) local zones.
Fix#1229: Systemd service sandboxing, options in wrong sections.
Fix#1239: configure fails to find python distutils if python prints warning.
Fix to prevent non-referal query from being cached as referal when the no_cache_store flag was set.
Remove (now unused) event2 include from dnscrypt code.
Fix#1217: Add metrics to unbound-control interface showing crypted, cert request, plaintext and malformed queries (from Manu Bretelle).
Do not add current time twice to TTL before ECS cache store.
Do not touch rrset cache after ECS cache message generation.
Use LDNS_EDNS_CLIENT_SUBNET as default ECS opcode.
Fix#1244: document that use of chroot requires trust anchor file to be under chroot.
Small fixup for documentation.
Fix respip for braces when locks arent used.
Fix pythonmod for cb changes.
Generalise inplace callback (de)registration
(de)register inplace callbacks for module id
No unbound-control set_option for ECS options
Deprecated client-subnet-opcode config option
Introduced client-subnet-always-forward config option
Changed max-client-subnet-ipv6 default to 56 (as in RFC)
Removed extern ECS config options
module_restart_next now calls clear on all following modules
Also create ECS module qstate on module_event_pass event
remove malloc from inplace_cb_register
Unlock view in respip unit test
Some whitespace fixup.
Remove ECS option after REFUSED answer.
Fix small memory leak in edns_opt_copy_alloc.
Respip dereference after NULL check.
Zero initialize addrtree allocation.
Use correct identifier for SHM destroy.
Display ECS module memory usage.
Fix#1247: unbound does not shorten source prefix length when forwarding ECS.
Properly check for allocation failure in local_data_find_tag_datas.
Fix#1249: unbound doesn't return FORMERR to bogus ECS.
Set SHM ECS memory usage to 0 when module not loaded.
subnet mem value is available in shm, also when not enabled, to make the struct easier to memmap by other applications, independent of the configuration of unbound.
Fix#1250: inconsistent indentation in services/listen_dnsport.c.
Unbound 1.6.1
Download: unbound-1.6.1.tar.gz
SHA1 checksum: 41369fcfd37844b02b7293b37ec78e69f0db34c7
SHA256 checksum: 42df63f743c0fe8424aeafcf003ad4b880b46c14149d696057313f5c1ef51400
PGP signature: unbound-1.6.1.tar.gz.asc
Date: 21 Feb, 2017
Features
configure --enable-systemd and lets unbound use systemd sockets if you enable use-systemd: yes in unbound.conf. Also there are contrib/unbound.socket and contrib/unbound.service: systemd files for unbound, install them in /usr/lib/systemd/system. Contributed by Sami Kerola and Pavel Odintsov.
[bugzilla: 1187 ]
Source IP rate limiting, patch from Larissa Feng.
[bugzilla: 1184 ]
Log DNS replies. This includes the same logging information that DNS queries and response code and response size, patch from Larissa Feng.
Include root trust anchor id 20326 in unbound-anchor.
64bit is default for windows builds.
Bug Fixes
[bugzilla: 1176 ]
Fix stack size too small for Alpine Linux.
Fix unbound-control and ipv6 only.
[bugzilla: 1182 ]
Fix Resource leak (socket), at startup.
[bugzilla: 1178 ]
Fix attempt to fix setup error at end, pop result values at end of install.
iana portlist update
Fix inet_ntop and inet_pton warnings in windows compile.
[bugzilla: 1191 ]
Fix remove comment about view deletion.
[bugzilla: 1188 ]
Fix unresolved symbol 'fake_dsa' in libunbound.so when built with Nettle
[bugzilla: 1190 ]
Fix to not echo back EDNS options in local-zone error response.
[bugzilla: 1194 ]
Fix if cross build fails when $host isn't `uname` for getentropy.
Fix reload chdir failure when also chrooted to that directory.
Fix to return formerr for queries for meta-types, to avoid packet amplification if this meta-type is sent on to upstream.
[bugzilla: 1201 ]
Fix missing unlock in answer_from_cache error condition.
[bugzilla: 1202 ]
Fix code comment that packed_rrset_data is not always 'packed'.
Fix to also block meta types 128 through to 248 with formerr.
[bugzilla: 1206 ]
Fix that some view-related commands are missing from 'unbound-control -h'
Fix to rename ub_callback_t to ub_callback_type, because POSIX reserves _t typedefs.
Fix to rename internally used types from _t to _type, because _t type names are reserved by POSIX.
Increase MAX_MODULE to 16.
[bugzilla: 1211 ]
Fix can't enable interface-automatic if no IPv6 with more helpful error message.
fix root_anchor test for updated icannbundle.pem lower certificates.
Fix compile on solaris of the fix to use $host detect.
Fix for type name change and fix warning on windows compile.
Fix pythonmod for typedef changes.
Fix dnstap for warning of set but not used.
Fix autoconf of systemd check for lack of pkg-config.
Unbound 1.6.0
Download: unbound-1.6.0.tar.gz
SHA1 checksum: 9b7606b016b447dc837efc108cee94f3fecf4ede
SHA256 checksum: 6b7db874e6debda742fee8869d722e5a17faf1086e93c911b8564532aeeffab7
PGP signature: unbound-1.6.0.tar.gz.asc
Date: 15 Dec, 2016
Features
Added generic EDNS code for registering known EDNS option codes, bypassing the cache response stage and uniquifying mesh states. Four EDNS option lists were added to module_qstate (module_qstate.edns_opts_*) to store EDNS options from/to front/back side.
Added two flags to module_qstate (no_cache_lookup, no_cache_store) that control the modules' cache interactions.
Added code for registering inplace callback functions. The registered functions can be called just before replying with local data or Chaos, replying from cache, replying with SERVFAIL, replying with a resolved query, sending a query to a nameserver. The functions can inspect the available data and maybe change response/query related data (i.e. append EDNS options).
Updated Python module for the above.
Updated Python documentation.
Added views functionality.
Added qname-minimisation-strict config option.
Patch that resolves CNAMEs entered in local-data conf statements that point to data on the internet, from Jinmei Tatuya (Infoblox).
serve-expired config option: serve expired responses with TTL 0.
.gitattributes line for githubs code language display.
log-identity: config option to set sys log identity, patch from "Robin H. Johnson" (robbat2@gentoo.org).
Added stub-ssl-upstream and forward-ssl-upstream options.
Added local-zones and local-data bulk addition and removal functionality in unbound-control (local_zones, local_zones_remove, local_datas and local_datas_remove).
Bug Fixes
Fix#836: unbound could echo back EDNS options in an error response.
Fix#838: 1.5.10 cannot be built on Solaris, undefined PATH_MAX.
Fix#839: Memory grows unexpectedly with large RPZ files.
Fix#840: infinite loop in unbound_munin_ plugin on unowned lockfile.
Fix#841: big local-zone's make it consume large amounts of memory.
Fix dnstap relaying "random" messages instead of resolver/forwarder responses, from Nikolay Edigaryev.
Fix Nits for 1.5.10 reported by Dag-Erling Smorgrav.
Fix#1117: spelling errors, from Robert Edmonds.
iana portlist update.
fix memoryleak logfile when in debug mode.
Re-fix #839 from view commit overwrite.
Fixup const void cast warning.
Removed patch comments from acllist.c and msgencode.c
Added documentation doc/CNAME-basedRedirectionDesignNotes.pdf, from Jinmei Tatuya (Infoblox).
Fix#1125: unbound could reuse an answer packet incorrectly for clients with different EDNS parameters, from Jinmei Tatuya.
Fix#1118: libunbound.pc sets strange Libs, Libs.private values.
Added Requires line to libunbound.pc
Fix#1130: whitespace in example.conf.in more consistent.
suppress compile warning in lex files.
init lzt variable, for older gcc compiler warnings.
fix --enable-dsa to work, instead of copying ecdsa enable.
Fix DNSSEC validation of query type ANY with DNAME answers.
Fixup query_info local_alias init.
Ported tests for local_cname unit test to testbound framework.
g.root-servers.net has AAAA address.
Fix#1134: unbound-control set_option -- val-override-date: -1 works immediately to ignore datetime, or back to 0 to enable it again. The -- is to ignore the '-1' as an option flag.
Patch for server.num.zero_ttl stats for count of expired replies, from Pavel Odintsov.
Fix failure to build on arm64 with no sbrk.
Set OpenSSL security level to 0 when using aNULL ciphers.
configure detects ssl security level API function in the autoconf manner. Every function on its own, so that other libraries (eg. LibreSSL) can develop their API without hindrance.
Fix#1154: segfault when reading config with duplicate zones.
Note that for harden-below-nxdomain the nxdomain must be secure, this means nsec3 with optout is insufficient.
Fix#1155: test status code of unbound-control in 04-checkconf, not the status code from the tee command.
Fix#1158: reference RFC 8020 "NXDOMAIN: There Really Is Nothing Underneath" for the harden-below-nxdomain option.
patch from Dag-Erling Smorgrav that removes code that relies on sbrk().
Make access-control-tag-data RDATA absolute. This makes the RDATA origin consistent between local-data and access-control-tag-data.
Fix NSEC ENT wildcard check. Matching wildcard does not have to be a subdomain of the NSEC owner.
QNAME minimisation uses QTYPE=A, therefore always check cache for this type in harden-below-nxdomain functionality.
Added unit test for QNAME minimisation + harden below nxdomain synergy.
Fix that with openssl 1.1 control-use-cert: no uses less cpu, by using no encryption over the unix socket.
hyphen as minus fix, by Andreas Schulze
Fix#1170: document that 'inform' local-zone uses local-data.
Fix#1173: differ local-zone type deny from unset tag_actions element.
Add DSA support for OpenSSL 1.1.0
Fix remote control without cert for LibreSSL
Fix downcast warnings from visual studio in sldns code.
Unbound 1.5.10
Download: unbound-1.5.10.tar.gz
SHA1 checksum: 6102849c400db3a4195b1f16df8f312568a6ec57
SHA256 checksum: a39b8b4fcca2a2b35a2daa53fe35150cc3f09038dc9acede09c912fc248a9486
PGP signature: unbound-1.5.10.tar.gz.asc
Date: 27 Sep, 2016
Features
Create a pkg-config file for libunbound in contrib.
TCP Fast open patch from Sara Dickinson.
Finegrained localzone control with define-tag, access-control-tag, access-control-tag-action, access-control-tag-data, local-zone-tag, and local-zone-override. And added types always_transparent, always_refuse, always_nxdomain with that.
If more than half of tcp connections are in use, a shorter timeout is used (200 msec, vs 2 minutes) to pressure tcp for new connects.
[bugzilla: 787 ]
Fix#787: outgoing-interface netblock/64 ipv6 option to use linux freebind to use 64bits of entropy for every query with random local part.
For #787: prefer-ip6 option for unbound.conf prefers to send upstream queries to ipv6 servers.
Add default root hints for IPv6 E.ROOT-SERVERS.NET, 2001:500:a8::e.
keep debug symbols in windows build.
Bug Fixes
[bugzilla: 778 ]
Fix unbound 1.5.9: -h segfault (null deref).
Fix unbound-anchor.exe file location defaults to Program Files with (x86) appended.
Fix to not ignore return value of chown() in daemon startup.
Better help text from -h (from Ray Griffith).
[bugzilla: 773 ]
Fix Non-standard Python location build failure with pyunbound.
Improve threadsafety for openssl 0.9.8 ecdsa dnssec signatures.
Revert fix for NetworkService account on windows due to breakage it causes.
Fix that windows install will not overwrite existing service.conf file (and ignore gui config choices if it exists).
And delete service.conf.shipped on uninstall.
In unbound.conf directory: dir immediately changes to that directory, so that include: file below that is relative to that directory. With chroot, make the directory an absolute path inside chroot.
do not delete service.conf on windows uninstall.
document directory immediate fix and allow EXECUTABLE syntax in it on windows.
Fix directory: fix for unbound-checkconf, it restores cwd.
Use QTYPE=A for QNAME minimisation.
Keep track of number of time-outs when performing QNAME minimisation. Stop minimising when number of time-outs for a QNAME/QTYPE pair is more than three.
[bugzilla: 775 ]
Fix unbound-host and unbound-anchor crash on windows, ignore null delete for wsaevent.
Fix spelling in freebind option man page text.
Fix windows link of ssl with crypt32.
[bugzilla: 779 ]
Fix Union casting is non-portable.
[bugzilla: 780 ]
Fix MAP_ANON not defined in HP-UX 11.31.
[bugzilla: 781 ]
Fix prealloc() is an HP-UX system library call.
Decrease dp attempts at each QNAME minimisation iteration
[bugzilla: 784 ]
Fix Build configure assumess that having getpwnam means there is endpwent function available.
Updated repository with newer flex and bison output.
Fix static compile on windows missing gdi32.
Fix dynamic link of anchor-update.exe on windows.
Fix detect of mingw for MXE package build.
Fixes for 64bit windows compile.
[bugzilla: 788 ]
Fix for nettle 3.0: Failed to build with Nettle >= 3.0 and --with-libunbound-only --with-nettle.
Fixed unbound.doxygen for 1.8.11.
[bugzilla: 798 ]
Fix Client-side TCP fast open fails (Linux).
[bugzilla: 801 ]
Fix missing error condition handling in daemon_create_workers().
[bugzilla: 802 ]
Fix workaround for function parameters that are "unused" without log_assert.
[bugzilla: 803 ]
Fix confusing (and incorrect) code comment in daemon_cleanup().
[bugzilla: 806 ]
Fix wrong comment removed.
use sendmsg instead of sendto for TFO.
[bugzilla: 807 ]
Fix workaround for possible some "unused" function parameters in test code, from Jinmei Tatuya.
Note that OPENPGPKEY type is RFC 7929.
[bugzilla: 804 ]
Fix#804: unbound stops responding after outage. Fixes queries that attempt to wait for an empty list of subqueries.
Fix for #804: lower num_target_queries for iterator also for failed lookups.
[bugzilla: 820 ]
Fix set sldns_str2wire_rr_buf() dual meaning len parameter in each iteration in find_tag_datas().
[bugzilla: 777 ]
Fix OpenSSL 1.1.0 compatibility, patch from Sebastian A. Siewior.
RFC 7958 is now out, updated docs for unbound-anchor.
Fix for compile without warnings with openssl 1.1.0.
[bugzilla: 826 ]
Fix refuse_non_local could result in a broken response.
iana portlist update.
Fix compile with openssl 1.1.0 with api=1.1.0.
[bugzilla: 829 ]
Fix doc of sldns_wire2str_rdata_buf() return value has an off-by-one typo, from Jinmei Tatuya (Infoblox).
Fix incomplete prototypes reported by Dag-Erling Smørgrav.
[bugzilla: 828 ]
Fix missing type in access-control-tag-action redirect results in NXDOMAIN.
Take configured minimum TTL into consideration when reducing TTL to original TTL from RRSIG.
[bugzilla: 831 ]
Fix workaround for spurious fread_chk warning against petal.c
Silenced flex-generated sign-unsigned warning print with gcc diagnostic pragma.
Fix for new splint on FreeBSD. Fix cast for sockaddr_un.sun_len.
fix potential memory leak in daemon/remote.c and nullpointer dereference in validator/autotrust.
[bugzilla: 883 ]
Fix error for duplicate local zone entry.
[bugzilla: 835 ]
Fix --disable-dsa with nettle verify.
Added slapd support for OpenSSL 1.1.0 series (ITS#8353, ITS#8533, ITS#8634)
Fixed libldap to fail ldap_result if the handle is already bad (ITS#8585)
Fixed libldap to expose error if user specified CA doesn't exist (ITS#8529)
Fixed libldap handling of Diffie-Hellman parameters (ITS#7506)
Fixed libldap GnuTLS use after free (ITS#8385)
Fixed libldap SASL initialization (ITS#8648)
Fixed slapd bconfig rDN escape handling (ITS#8574)
Fixed slapd segfault with invalid hostname (ITS#8631)
Fixed slapd sasl SEGV rebind in same session (ITS#8568)
Fixed slapd syncrepl filter handling (ITS#8413)
Fixed slapd syncrepl infinite looping mods with delta-sync MMR (ITS#8432)
Fixed slapd callback struct so older modules without writewait should function.
Custom modules may need to be updated for sc_writewait callback (ITS#8435)
Fixed slapd-ldap/meta broken LDAP_TAILQ macro (ITS#8576)
Fixed slapd-mdb so it passes ITS6794 regression test (ITS#6794)
Fixed slapd-mdb double free with size zero paged result (ITS#8655)
Fixed slapd-meta uninitialized diagnostic message (ITS#8442)
Fixed slapo-accesslog to honor pauses during purge for cn=config update (ITS#8423)
Fixed slapo-accesslog with multiple modifications to the same attribute (ITS#6545)
Fixed slapo-relay to correctly initialize sc_writewait (ITS#8428)
Fixed slapo-sssvlv double free (ITS#8592)
Fixed slapo-unique with empty modifications (ITS#8266)
Build Environment
Added test065 for proxyauthz (ITS#8571)
Fix test008 to be portable (ITS#8414)
Fix test064 to wait for slapd to start (ITS#8644)
Fix its4336 regression test (ITS#8534)
Fix its4337 regression test (ITS#8535)
Fix regression tests to execute on all backends (ITS#8539)
Contrib
Added slapo-autogroup(5) man page (ITS#8569)
Added passwd missing conversion scripts for apr1 (ITS#6826)
Fixed contrib modules where the writewait callback was not correctly initialized (ITS#8435)
Fixed smbk5pwd to build with newer OpenSSL releases (ITS#8525)
Documentation
admin24 fixed tls_cipher_suite bindconf option (ITS#8099)
admin24 fixed typo cn=config to be slapd.d (ITS#8449)
admin24 fixed slapo-syncprov information to be curent (ITS#8253)
admin24 fixed typo in access control docs (ITS#7341, ITS#8391)
admin24 fixed minor typo in tuning guide (ITS#8499)
admin24 fixed information about the limits option (ITS#7700)
admin24 fixed missing options for syncrepl configuration (ITS#7700)
admin24 fixed accesslog documentation to note it should not be replicated (ITS#8344)
Fixed ldap.conf(5) missing information on SASL_NOCANON option (ITS#7177)
Fixed ldapsearch(1) information on the V[V] flag behavior (ITS#7177, ITS#6339)
Fixed slapd-config(5), slapd.conf(5) clarification on interval keyword for refreshAndPersist (ITS#8538)
Fixed slapd-config(5), slapd.conf(5) clarify serverID requirements (ITS#8635)
Fixed slapd-config(5), slapd.conf(5) clarification on loglevel settings (ITS#8123)
Fixed slapo-ppolicy(5) to clearly note rootdn requirement (ITS#8565)
Fixed slapo-memberof(5) to note it is not safe to use with replication (ITS#8613)
Fixed slapo-syncprov(5) documentation to be current (ITS#8253)
Fixed slapadd(8) manpage to note slapd-mdb (ITS#8215)
Fixed various minor grammar issues in the man pages (ITS#8544)
Fixed various typos (ITS#8587)
- remove many _DIAGASSERT() checks against not NULL for functions
with arguments with nonnull attributes. (probably more to come,
the set between x86 and sparc us disjoint.)
- port libsanitizer's GetPcSpBp() to sparc, sparc64 and amd64.
but only weird code?):
amd's amfs_program_exec() has a missing {} issue.
flex's check_options() has odd inconsistent identation that
trips the new ident checker.
ntpd's oncore_check_leap_sec() and oncore_set_traim() have
missing {} issues.
sntp's optionLoadNested() an identation weirdness that
trips the new ident checker.
vi's cl_attr() has a wrong {} issue, and its vs_paint() has
an identation weirdness that trips the new ident checker.
Bump version to 20171030 for netpgpverify fixes.
Add zsh to default_acceptable_licenses.
Undef bootstrap hack.
Fix OpenSSL 1.1.0 build
OpenSSL 1.1.0 makes xkusage and ex_flags opaque.
Use X509_check_ca rather than a custom and nearly identical implementation.
This is available since OpenSSL 0.9.8 (even in RHEL5).
This is also done because we cannot implement it identically under
OpenSSL 1.1.0 due to missing getters.
Test EXFLAG_XKUSAGE rather than zero xkusage test no usage to avoid openssl
1.1.0 getter returning a different code on this case.
Use getter for xkusage in the non-zero test case.
Provide fallback definitions for getters.
PR pkg/52298, PR pkg/52648