2024-08-21 17:42:58 +02:00
-------------------------------------------------------------------
Thu Aug 15 09:24:29 UTC 2024 - Jorik Cronenberg <jorik.cronenberg@suse.com>

- Update to 1.21.0:
  Security Fixes:
  * Merge #1073: fix null pointer dereference issue in function
    ub_ctx_set_fwd.
    [CVE-2024-43167, bsc#1229068]

  Features:
  * Fix #1071: [FR] Clear both in-memory and cachedb module cache
    with `unbound-control flush*` commands.
  * Fix #144: Port ipset to BSD pf tables.
  * Add dnstap-sample-rate that logs only 1/N messages, for high
    volume server environments. Thanks Dan Luther.
  * Add root key 38696 from 2024 for DNSSEC validation. It is added
    to the default root keys in unbound-anchor. The content can be
    inspected with `unbound-anchor -l`.
  * Merge #1090: Cookie secret file. Adds `cookie-secret-file:
    "unbound_cookiesecrets.txt"` option to store cookie secrets for
    EDNS COOKIE secret rollover. The remote control
    add_cookie_secret, activate_cookie_secret and
    drop_cookie_secret commands can be used for rollover, the
    command print_cookie_secrets shows the values in use.

  Bug Fixes:
  * Fix CAMP issues with global quota. Thanks to Huayi
    Duan, Marco Bearzi, Jodok Vieli, and Cagin Tanir from NetSec
    group, ETH Zurich.
  * Fix CacheFlush issues with limit on NS RRs. Thanks to Yehuda
    Afek, Anat Bremler-Barr, Shoham Danino and Yuval Shavitt
    (Tel-Aviv University and Reichman University).
  * Merge #1062: Fix potential overflow bug while parsing port in
    function cfg_mark_ports.
  * Fix for #1062: declaration before statement, avoid print of
    null, and redundant check for array size.
  * Fix to squelch udp connect errors in the log at low verbosity
    about invalid argument for IPv6 link local addresses.
  * Fix when the mesh jostle is exceeded that nameserver targets
    are marked as resolved, so that the lookup is not stuck on the
    requestlist.
  * Add missing common functions to tdir tests.
  * Merge #1070: Fix rtt assignment for low values of
    infra-cache-max-rtt.
  * Merge #1069: Fix unbound-control stdin commands for
    multi-process Unbounds.
  * Fix unbound-control commands that read stdin in multi-process
    operation (local_zones_remove, local_zones, local_datas_remove,
    local_datas, view_local_datas_remove, view_local_datas). They
    will be properly distributed to all processes. dump_cache and
    load_cache are no longer supported in multi-process operation.
  * Remove testdata/remote-threaded.tdir.
    testdata/09-unbound-control.tdir now checks both single and
    multi process/thread operation.
  * Fix to print a parse error when config is read with no name for
    a forward-zone, stub-zone or view.
  * Fix for parse end of forward-zone, stub-zone and view.
  * Fix for #1064: Fix that cachedb expired messages are considered
    insecure, and thus can be served to clients when dnssec is
    enabled.
  * Fix #1059: Intermittent DNS blocking failure with local-zone
    and always_nxdomain. Addition of local_zones dynamically via
    unbound-control was not finding the zone's parent correctly.
  * Fix #1064: Unbound 1.20 Cachedb broken?
  * Fix unused variable warning on compilation with no thread
    support.
  * unbound-control-setup: check openssl availability before doing
    anything, patch from Michael Tokarev.
  * Update patch to remove 'command' shell builtin and update error
    text.
  * Fix to enable that SERVFAIL is cached, for a short period, for
    more cases. In the cases where limits are exceeded.
  * Fix spelling of tcp-idle-timeout docs, from Michael Tokarev.
  * Merge #1078: Only check old pid if no username.
  * Fix #1079: tags from tagged rpz zones are no longer honored
    after upgrade from 1.19.3 to 1.20.0.
  * Fix for #1079: fix RPZ taglist in iterator callback that no
    client info is like no taglist intersection.
  * Fix to squelch connection reset by peer errors from log. And
    fix that the tcp read errors are labeled as initial for the
    first calls.
  * Merge #1080: AddressSanitizer detection in tdir tests and
    memory leak fixes.
  * Fix memory leak when reload_keep_cache is used and num-threads
    changes.
  * Fix memory leak on exit for unbound-dnstap-socket; creates
    false negatives during testing.
  * Fix memory leak in setup of dsa sig.
  * Fix typos for 'the the' in text.
  * Fix validation for repeated use of a DNAME record.
  * Add unit test for validation of repeated use of a DNAME record.
  * Fix #1091: Build fails with OpenSSL >= 3.0 built with
    OPENSSL_NO_DEPRECATED.
  * Fix #1092: Ubuntu 22.04 Jammy fails to compile unbound 1.20.0;
    by adding helpful text for the Python interpreter version and
    allowing the default pkg-config unavailability error message to
    be shown.
  * Fix pkg-config availability check in dnstap/dnstap.m4 and
    systemd.m4.
  * Explicitly set the RD bit for the mesh query flags when
    prefetching. These queries have no waiting client but they need
    to be treated as recursive.
  * Fix ip-ratelimit-cookie setting, it was not applied.
  * Fix to remove unused include from the readzone test program.
  * Fix unused variable warning in do_cache_remove.
  * Fix compile warning in worker pthread id printout.
  * Add unit test skip files and bison and flex output to
    gitignore.
  * Fix to use modstack_init in zonemd unit test.
  * Fix to remove unneeded linebreak in fptr_wlist.c.
  * Fix compile warnings in fptr_wlist.c.
  * Fix for repeated use of a DNAME record: first overallocate and
    then move the exact size of the init value to avoid false
    positive heap overflow reads from address sanitizers.
  * Fix to print details about the failure to lookup a DNSKEY
    record when validation fails due to the missing DNSKEY. Also
    for key prime and DS lookups.
  * Fix for neater printout for error for missing DS response.
  * Fix neater printout.
  * Fix #1099: Unbound core dump on SIGSEGV.
  * Fix for #1099: Fix to check for deleted RRset when the contents
    is updated and fetched after it is stored, and also check for a
    changed RRset.
  * Don't check for message TTL changes if the RRsets remain the
    same.
  * Fix that validation reason failure that uses string print uses
    separate buffer that is passed, from the scratch validation
    buffer.
  * Fixup algo_needs_reason string buffer length.
  * Fix shadowed error string variable in validator dnskey
    handling.
  * Update list of known EDE codes.
  * For #773: In contrib/unbound.service.in set unbound to start
    after network-online.target. Also for
    contrib/unbound_portable.service.in.
  * Fix #1103: unbound 1.20.0 segmentation fault with nghttp2.
  * For #1103: fix to also drop mesh state reference when a h2
    reply is dropped.
  * Add RPZ tag tests in acl_interface.tdir.
  * For #1102: clearer text for using interface-* options for the
    loopback interface.
  * For #1103: fix to also drop mesh state reference when the
    discard limit is reached, when there is an error making a new
    recursion state and when the connection is dropped with
    is_drop.
  * For #1103: Fix to drop mesh state reference for the http2
    stream associated with the reply, not the currently active
    stream. And it does not remove it twice on a mesh_send_reply
    call. The reply h2_stream is NULL when not in use, for more
    initialisation.
  * Fix dnstap wakeup, a running wakeup timer is left to expire and
    not increased, a timer is started when the dtio thread is
    sleeping, the timer set disabled when the dtio thread goes to
    sleep, and after sleep the thread checks to see if there are
    messages to log immediately.
  * Merge #1110: Make fallthrough explicit for libworker.c.
  * For #1110: Test for fallthrough attribute in configure and add
    fallthrough attribute annotations.
  * Fix compile when the compiler does not support the noreturn
    attribute.
  * Fix to have empty definition when not supported for weak
    attribute.
  * Fix uninitialized variable warning in create_tcp_accept_sock.
  * Fix link of dnstap without openssl.
  * Fix link of unbound-dnstap-socket without openssl.
  * Fix #1106: ratelimit-below-domain logs the wrong FROM address.
  * Cleanup ede.tdir test.
  * For #935 and #1104, clarify RPZ order and semantics.
  * Fix to document parameters of auth_zone_verify_zonemd_with_key.
  * Fix for #1114: Fix that cache fill for forward-host names is
    performed, so that with nonzero target-fetch-policy it fetches
    forwarder addresses and uses them from cache. Also updated that
    delegation point cache fill routines use CDflag for AAAA
    message lookups, so that its negative lookup stops a recursion
    since the cache uses the bit for disambiguation for dns64 but
    the recursion uses CDflag for the AAAA target lookups, so the
    check correctly stops a useless recursion by its cache lookup.
  * Fix dnstap test program, cleans up to have clean memory on
    exit, for tap_data_free, does not delete NULL items. Also it
    does not try to free the tail, specifically in the free of the
    list since that picked up the next item in the list for its
    loop causing invalid free. Added internal unit test to
    unbound-dnstap-socket for that.
  * Fix that the worker mem report with alloc stats does not
    attempt to print memory use of forwards and hints if they have
    been deleted already.
  * Fix that alloc stats has strdup checks, it stops debuggers from
    complaining about mismatch at free time.
  * Fix testbound for alloc stats strdup in util/alloc.c.
  * Fix that alloc stats for forwards and hints are printed, and
    when alloc stats is enabled, the unit test for unbound control
    waits for reloads to complete.
  * Fix that for windows the module startup is called and sets up
    the module-config.
  * Fix spelling for the cache-min-negative-ttl entry in the
    example.conf.

-------------------------------------------------------------------
Wed May 8 09:15:01 UTC 2024 - Jorik Cronenberg <jorik.cronenberg@suse.com>

- Update to 1.20.0:
  Features:
  * The config for discard-timeout, wait-limit, wait-limit-cookie,
    wait-limit-netblock and wait-limit-cookie-netblock was added,
    for the fix to the DNSBomb issue.
  * Merge GH#1027: Introduce 'cache-min-negative-ttl' option.
  * Merge GH#1043 from xiaoxiaoafeifei: Add loongarch support;
    updates config.guess(2024-01-01) and config.sub(2024-01-01),
    verified with upstream.
  * Implement cachedb-check-when-serve-expired: yes option, default
    is enabled. When serve expired is enabled with cachedb, it
    first checks cachedb before serving the expired response.
  * Fix GH#876: [FR] can unbound-checkconf be silenced when
    configuration is valid?

  Bug Fixes:
  * Fix for the DNSBomb vulnerability CVE-2024-33655. Thanks to
    Xiang Li from the Network and Information Security Lab of
    Tsinghua University for reporting it.
  * Update doc/unbound.doxygen with 'doxygen -u'. Fixes option
    deprecation warnings and updates with newer defaults.
  * Remove unused portion from iter_dname_ttl unit test.
  * Fix validator classification of qtype DNAME for positive and
    redirection answers, and fix validator signature routine for
    dealing with the synthesized CNAME for a DNAME without
    previously encountering it and also for when the qtype is
    DNAME.
  * Fix qname minimisation for reply with a DNAME for qtype CNAME
    that answers it.
  * Fix doc test so it ignores but outputs unsupported doxygen
    options.
  * Fix GH#1021 Inconsistent Behavior with Changing
    rpz-cname-override and doing an unbound-control reload.
  * Merge GH#1028: Clearer documentation for tcp-idle-timeout and
    edns-tcp-keepalive-timeout.
  * Fix GH#1029: rpz trigger clientip and action rpz-passthru not
    working as expected.
  * Fix rpz that the rpz override is taken in case of clientip
    triggers. Fix that the clientip passthru action is logged. Fix
    that the clientip localdata action is logged. Fix rpz override
    action cname for the clientip trigger.
  * Fix to unify codepath for local alias for rpz cname action
    override.
  * Fix rpz for cname override action after nsdname and nsip
    triggers.
  * Fix that addrinfo is not kept around but copied and freed, so
    that log-destaddr uses a copy of the information, much like NSD
    does.
  * Merge GH#1030: Persist the openssl and expat directories for
    repeated Windows builds.
  * Fix that rpz CNAME content is limited to the max number of
    cnames.
  * Fix rpz, it follows iterator CNAMEs for nsip and nsdname and
    sets the reply query_info values, that is better for debug
    logging.
  * Fix rpz that copies the cname override completely to the temp
    region, so there are no references to the rpz region.
  * Add rpz unit test for nsip action override.
  * Fix rpz for qtype CNAME after nameserver trigger.
  * Fix rpz so that rpz CNAME can apply after rpz CNAME. And fix
    that clientip and nsip can give a CNAME.
  * Fix localdata and rpz localdata to match CNAME only if no
    direct type match is available.
  * Merge GH#831 from Pierre4012: Improve Windows NSIS installer
    script (setup.nsi).
  * For GH#831: Format text, use exclamation icon and explicit label
    names.
  * Fix name of unit test for subnet cache response.
  * Fix GH#1032: The size of subnet_msg_cache calculation mistake
    cause memory usage increased beyond expectations.
  * Fix for GH#1032, add safeguard to make table space positive.
  * Fix comment in lruhash space function.
  * Fix to add unit test for lruhash space that exercises the
    routines.
  * Fix that when the server truncates the pidfile, it does not
    follow symbolic links.
  * Fix that the server does not chown the pidfile.
  * Fix GH#1034: DoT forward-zone via unbound-control.
  * Fix for crypto related failures to have a better error string.
  * Fix GH#1035: Potential Bug while parsing port from the
    "stub-host" string; also affected forward-zones and
    remote-control host directives.
  * Fix GH#369: dnstap showing extra responses; for client responses
    right from the cache when replying with expired data or
    prefetching.
  * Fix GH#1040: fix heap-buffer-overflow issue in function
    cfg_mark_ports of file util/config_file.c.
  * For GH#1040: adjust error text and disallow negative ports in
    other parts of cfg_mark_ports.
  * Fix comment syntax for view function views_find_view.
  * Fix GH#595: unbound-anchor cannot deal with full disk; it will
    now first write out to a temp file before replacing the
    original one, like Unbound already does for
    auto-trust-anchor-file.
  * Fixup compile without cachedb.
  * Add test for cachedb serve expired.
  * Extended test for cachedb serve expired.
  * Fix makefile dependencies for fake_event.c.
  * Fix cachedb for serve-expired with serve-expired-reply-ttl.
  * Fix to not reply serve expired unless enabled for cachedb.
  * Fix cachedb for serve-expired with
    serve-expired-client-timeout.
  * Fixup unit test for cachedb server expired client timeout with
    a check if response is from upstream or from cachedb.
  * Fixup cachedb to not refetch when serve-expired-client-timeout
    is used.
  * Merge GH#1049 from Petr Menšík: Py_NoSiteFlag is not needed since
    Python 3.8.
  * Fix GH#1048: Update ax_pkg_swig.m4 and ax_pthread.m4.
  * Fix configure, autoconf for GH#1048.
  * Add checklock feature verbose_locking to trace locks and
    unlocks.
  * Fix edns subnet to sort rrset references when storing messages
    in the cache. This fixes a race condition in the rrset locks.
  * Merge GH#1053: Remove child delegations from cache when
    grandchild delegations are returned from parent.
  * Fix ci workflow for macos for moved install locations.
  * Fix configure flto check error, by finding grep for it.
  * Merge GH#1041: Stub and Forward unshare. This has one structure
    for them and fixes GH#1038: fatal error: Could not initialize
    thread / error: reading root hints.
  * Fix to disable fragmentation on systems with IP_DONTFRAG, with
    a nonzero value for the socket option argument.
  * Fix doc unit test for out of directory build.
  * Fix cachedb with serve-expired-client-timeout disabled. The
    edns subnet module deletes global cache and cachedb cache when
    it stores a result, and serve-expired is enabled, so that the
    global reply, that is older than the ecs reply, does not return
    after the ecs reply expires.
  * Add unit tests for cachedb and subnet cache expired data.
  * Man page entry for unbound-checkconf -q.
  * Cleanup unnecessary strdup calls for EDE strings.
  * Fix doxygen comment for errinf_to_str_bogus.

-------------------------------------------------------------------
Wed Mar 20 13:09:17 UTC 2024 - Jorik Cronenberg <jorik.cronenberg@suse.com>

- Update to 1.19.3:
  * Features:
    - Merge PR #973: Use the origin (DNAME) TTL for synthesized
      CNAMEs as per RFC 6672.
  * Bug Fixes:
    - Fix unit test parse of origin syntax.
    - Use 127.0.0.1 explicitly in tests to avoid delays and errors
      on newer systems.
    - Fix #964: config.h.in~ backup file in release tar balls.
    - Merge #968: Replace the obsolescent fgrep with grep -F in
      tests.
    - Merge #971: fix 'WARNING: Message has 41 extra bytes at end'.
    - Fix #969: [FR] distinguish Do53, DoT and DoH in the logs.
    - Fix dnstap that assertion failed on logging other than UDP
      and TCP traffic. It lists it as TCP traffic.
    - Fix to sync the tests script file common.sh.
    - iana portlist update.
    - Updated IPv4 and IPv6 address for b.root-servers.net in root
      hints.
    - Update test script file common.sh.
    - Fix tests to use new common.sh functions, wait_logfile and
      kill_from_pidfile.
    - Fix #974: doc: default number of outgoing ports without
      libevent.
    - Merge #975: Fixed some syntax errors in rpl files.
    - Fix root_zonemd unit test, it checks that the root ZONEMD
      verifies, now that the root has a valid ZONEMD.
    - Update example.conf with cookie options.
    - Merge #980: DoH: reject non-h2 early. To fix #979: Improve
      errors for non-HTTP/2 DoH clients.
    - Merge #985: Add DoH and DoT to dnstap message.
    - Fix #983: Sha1 runtime insecure change was incomplete.
    - Remove unneeded newlines and improve indentation in remote
      control code.
    - Merge #987: skip edns frag retry if advertised udp payload
      size is not smaller.
    - Fix unit test for #987 change in udp1xxx retry packet send.
    - Merge #988: Fix NLnetLabs#981: dump_cache truncates large
      records.
    - Fix to link with -lcrypt32 for OpenSSL 3.2.0 on Windows.
    - Fix to link with libssp for libcrypto and getaddrinfo check
      for only header. Also update crosscompile to remove ssp for
      32bit.
    - Merge #993: Update b.root-servers.net also in example config
      file.
    - Update workflow for ports to use newer openssl on windows
      compile.
    - Fix warning for windres on resource files due to
      redefinition.
    - Fix for #997: Print details for SSL certificate failure.
    - Update error printout for duplicate trust anchors to include
      the trust anchor name (relates to #920).
    - Update message TTL when using cached RRSETs. It could result
      in non-expired messages with expired RRSETs (non-usable
      messages by Unbound).
    - Merge #999: Search for protobuf-c with pkg-config.
    - Fix #1006: Can't find protobuf-c package since #999.
    - Fix documentation for access-control in the unbound.conf man
      page.
    - Merge #1010: Mention REFUSED has the TC bit set with
      unmatched allow_cookie acl in the manpage. It also fixes the
      code to match the documentation about clients with a valid
      cookie that bypass the ratelimit regardless of the
      allow_cookie acl.
    - Document the suspend argument for process_ds_response().
    - Move github workflows to use checkoutv4.
    - Fix edns subnet replies for scope zero answers to not get
      stored in the global cache, and in cachedb, when the upstream
      replies without an EDNS record.
    - Fix for #1022: Fix ede prohibited in access control refused
      answers.
    - Fix unbound-control-setup.cmd to use 3072 bits so that
      certificates are long enough for newer OpenSSL versions.
    - Fix TTL of synthesized CNAME when a DNAME is used from cache.
    - Fix unbound-control-setup.cmd to have CA v3 basicConstraints,
      like unbound-control-setup.sh has.

-------------------------------------------------------------------
Fri Mar 8 10:15:41 UTC 2024 - Jorik Cronenberg <jorik.cronenberg@suse.com>

- Update to 1.19.2:
  * Bug Fixes:
    - Fix CVE-2024-1931, Denial of service when trimming EDE text
      on positive replies.
      [bsc#1221164]

-------------------------------------------------------------------
Wed Feb 28 13:35:31 UTC 2024 - Pedro Monreal <pmonreal@suse.com>

- Update to 1.19.1:
  * Bug Fixes: [bsc#1219823, CVE-2023-50387][bsc#1219826, CVE-2023-50868]
    - Fix CVE-2023-50387, DNSSEC verification complexity can be
      exploited to exhaust CPU resources and stall DNS resolvers.
    - Fix CVE-2023-50868, NSEC3 closest encloser proof can exhaust CPU.

-------------------------------------------------------------------
Tue Feb 6 13:27:06 UTC 2024 - Stefan Seyfried <seife+obs@b1-systems.com>

- as we use --disable-explicit-port-randomisation, also disable
  outgoing-port-permit and outgoing-port-avoid in config file to
  suppress the related unbound-checkconf warnings on every start

-------------------------------------------------------------------
Fri Nov 17 09:50:18 UTC 2023 - Pedro Monreal <pmonreal@suse.com>

- Update to 1.19.0:
  * Features:
    - Fix #850: [FR] Ability to use specific database in Redis, with
      new redis-logical-db configuration option.
    - Merge #944: Disable EDNS DO. Disable the EDNS DO flag in upstream
      requests. This can be helpful for devices that cannot handle
      DNSSEC information. But it should not be enabled otherwise, because
      that would stop DNSSEC validation. The DNSSEC validation would not
      work for Unbound itself, and also not for downstream users. Default
      is no. The option is disable-edns-do: no
    - Expose the script filename in the Python module environment 'mod_env'
      instead of the config_file structure which includes the linked list
      of scripts in a multi Python module setup; fixes #79.
    - Expose the configured listening and outgoing interfaces, if any, as
      a list of strings in the Python 'config_file' class instead of the
      current Swig object proxy; fixes #79.
    - Mailing list patches from Daniel Gröber for DNS64 fallback to plain
      AAAA when no A record exists for synthesis, and minor DNS64 code
      refactoring for better readability.
    - Merge #951: Cachedb no store. The cachedb-no-store: yes option is
      used to stop cachedb from writing messages to the backend storage.
      It reads messages when data is available from the backend.
      The default is no.
  * Bug Fixes:
    - Fix for version generation race condition that ignored changes.
    - Fix #942: 1.18.0 libunbound DNS regression when built without OpenSSL.
    - Fix for WKS call to getservbyname that creates allocation on exit in
      unit test by testing numbers first and testing from the services list later.
    - Fix autoconf 2.69 warnings in configure.
    - Fix #927: unbound 1.18.0 make test error. Fix make test without SHA1.
    - Merge #931: Prevent warnings from -Wmissing-prototypes.
    - Fix to scrub resource records of type A and AAAA that have an
      inappropriate size. They are removed from responses.
    - Fix to move msgparse_rrset_remove_rr code to util/msgparse.c.
    - Fix to add EDE text when RRs have been removed due to length.
    - Fix to set ede match in unit test for rr length removal.
    - Fix to print EDE text in readable form in output logs.
    - Fix send of udp retries when ENOBUFS is returned. It stops looping
      and also waits for the condition to go away. Reported by Florian Obser.
    - Fix authority zone answers for obscured DNAMEs and delegations.
    - Merge #936: Check for c99 with autoconf versions prior to 2.70.
    - Fix to remove two c99 notations.
    - Fix rpz tcp-only action with rpz triggers nsdname and nsip.
    - Fix misplaced comment.
    - Merge #881: Generalise the proxy protocol code.
    - Fix #946: Forwarder returns servfail on upstream response noerror no data.
    - Fix edns subnet so that queries with a source prefix of zero cause the
      recursor to send no edns subnet option to the upstream.
    - Fix that printout of EDNS options shows the EDNS cookie option by name.
    - Fix infinite loop when reading multiple lines of input on a broken remote
      control socket. Addresses #947 and #948.
    - Fix #949: "could not create control compt".
    - Fix that cachedb does not warn when serve-expired is disabled about use
      of serve-expired-reply-ttl and serve-expired-client-timeout.
    - Fix for #949: Fix pythonmod/ubmodule-tst.py for Python 3.x.
    - Better fix for infinite loop when reading multiple lines of input on a
      broken remote control socket, by treating a zero byte line the same as
      transmission end. Addresses #947 and #948.
    - For multi Python module setups, clean previously parsed module functions
      in __main__'s dictionary, if any, so that only current module functions
      are registered.
    - Fix #954: Inconsistent RPZ handling for A record returned along with CNAME.
    - Fixes for the DNS64 patches.
    - Update the dns64_lookup.rpl test for the DNS64 fallback patch.
    - Merge #955 from buevsan: fix ipset wrong behavior.
    - Update testdata/ipset.tdir test for ipset fix.
    - Fix to print detailed errors when an SSL IO routine fails via SSL_get_error.
    - Clearer configure text for missing protobuf-c development libraries.
    - autoconf.
    - Merge #930 from Stuart Henderson: add void to log_ident_revert_to_default
      declaration.
    - Fix #941: dnscrypt doesn't work after upgrade to 1.18 with suggestion by
      dukeartem to also fix the udp_ancil with dnscrypt.
    - Fix SSL compile failure for definition in log_crypto_err_io_code_arg.
    - Fix SSL compile failure for other missing definitions in log_crypto_err_io_code_arg.
    - Fix compilation without openssl, remove unused function warning.
    - Mention flex and bison in README.md when building from repository source.

-------------------------------------------------------------------
Thu Sep 7 08:03:33 UTC 2023 - Pedro Monreal <pmonreal@suse.com>

- Update to 1.18.0:
  * Features:
    - Add a metric about the maximum number of collisions in lrushash.
    - Set max-udp-size default to 1232. This is the same default value
      as the default value for edns-buffer-size. It restricts client
      edns buffer size choices, and makes unbound behave similarly to
      other DNS resolvers.
    - Add harden-unknown-additional option. It removes unknown records
      from the authority section and additional section.
    - Added new static zone type block_a to suppress all A queries for
      specific zones.
    - [FR] Ability to use Redis unix sockets.
    - [FR] Ability to set the Redis password.
    - Features/dropqueuedpackets, with sock-queue-timeout option that
      drops packets that have been in the socket queue for too long.
      Added statistics num.queries_timed_out and query.queue_time_us.max
      that track the socket queue timeouts.
    - 'eqvinox' Lamparter: NAT64 support.
    - [FR] Use kernel timestamps for dnstap.
    - Add cachedb hit stat. Introduces 'num.query.cachedb' as a new
      statistical counter.
    - Add SVCB dohpath support.
    - Add validation EDEs to queries where the CD bit is set.
    - Add prefetch support for subnet cache entries.
    - Add EDE (RFC8914) caching.
    - Add support for EDE caching in cachedb and subnetcache.
    - Downstream DNS Server Cookies a la RFC7873 and RFC9018. Create server
      cookies for clients that send client cookies. This needs to be explicitly
      turned on in the config file with: `answer-cookie: yes`.
  * Bug Fixes
    - Response change to NODATA for some ANY queries since 1.12.
    - Fix not following cleared RD flags potentially enables
      amplification DDoS attacks.
    - Set default for harden-unknown-additional to no. So that it
      does not hamper future protocol developments.
    - Fix to ignore entirely empty responses, and try at another authority.
      This turns completely empty responses, a type of noerror/nodata into
      a servfail, but they do not conform to RFC2308, and the retry can fetch
      improved content.
    - Allow TTL refresh of expired error responses.
    - Fix: Unexpected behavior with client-subnet-always-forward and serve-expired
    - Fix unbound-dnstap-socket test program to reply the finish frame over
      a TLS connection correctly.
    - Fix: reserved identifier violation
    - Fix: Unencrypted query is sent when forward-tls-upstream: yes is used
      without tls-cert-bundle
    - Extra consistency check to make sure that when TLS is requested,
      either we set up a TLS connection or we return an error.
    - Fix: NXDOMAIN instead of NOERROR rcode when asked for existing CNAME record.
    - Fix: Bad interaction with 0 TTL records and serve-expired
    - Fix RPZ IP responses with trigger rpz-drop on cache entries.
    - Fix RPZ removal of client-ip, nsip, nsdname triggers from IXFR.
    - Fix dereference of NULL variable warning in mesh_do_callback.
    - Fix ip_ratelimit test to work with dig that enables DNS cookies.
    - Fix for iter_dec_attempts that could cause a hang, part of capsforid
      and qname minimisation, depending on the settings.
    - Fix uninitialized memory passed in padding bytes of cmsg to sendmsg.
    - Fix stat_values test to work with dig that enables DNS cookies.
    - unbound.service: Main process exited, code=killed, status=11/SEGV.
      Fixes cachedb configuration handling.
    - Fix: processQueryResponse() THROWAWAY should be mindful of fail_reply.

-------------------------------------------------------------------
Thu May 4 13:57:54 UTC 2023 - Frederic Crozat <fcrozat@suse.com>

- Add _multibuild to define additional spec files as additional
  flavors.
  Eliminates the need for source package links in OBS.

-------------------------------------------------------------------
Thu Feb 23 09:15:48 UTC 2023 - Pedro Monreal <pmonreal@suse.com>

- Update to 1.17.1:
  * Features:
    - Expose 'statistics-inhibit-zero' as a configuration option;
      the default value retains Unbound's behavior.
    - Expose 'max-sent-count' as a configuration option; the default
      value retains Unbound's behavior.
    - Merge #461 from Christian Allred: Add max-query-restarts option.
      Exposes an internal configuration but the default value retains
      Unbound's behavior.
    - Merge #569 from JINMEI Tatuya: add keep-cache option to
      'unbound-control reload' to keep caches.
  * Bug Fixes:
    - Merge #768 from fobser: Arithmetic on a pointer to void is a
      GNU extension.
    - In unit test, print python script name list correctly.
    - testcode/dohclient sets log identity to its name.
    - Clarify the use of MAX_SENT_COUNT in the iterator code.
    - Fix that cachedb does not store failures in the external cache.
    - Merge #767 from jonathangray: consistently use IPv4/IPv6 in
      unbound.conf.5.
    - Fix to ignore tcp events for closed comm points.
    - Fix to make sure to not read again after a tcp comm point is
      closed.
    - Fix #775: libunbound: subprocess reap causes parent process
      reap to hang.
    - iana portlist update.
    - Complementary fix for distutils.sysconfig deprecation in
      Python 3.10 to commit 62c5039ab9da42713e006e840b7578e01d66e7f2.
    - Fix #779: [doc] Missing documentation in ub_resolve_event() for
      callback parameter was_ratelimited.
    - Ignore expired error responses.
    - Merge #720 from jonathangray: fix use after free when
      WSACreateEvent() fails.
    - Fix for the ignore of tcp events for closed comm points,
      preserve the use after free protection features.
    - Fix #782: Segmentation fault in stats.c:404.
    - Add SVCB and HTTPS to the types removed by 'unbound-control flush'.
    - Clear documentation for interactivity between the subnet module
      and the serve-expired and prefetch configuration options.
    - Fix #773: When used with systemd-networkd, unbound does not start
      until systemd-networkd-wait-online.service times out.
    - Merge #808: Wrap Makefile script's directory variables in quotes.
    - Fix to wrap Makefile scripts directory in quotes for uninstall.
    - Fix windows compile for libunbound subprocess reap comm point closes.
    - Update github workflows to use checkout v3.
    - Fix wildcard in hyperlocal zone service degradation, reported
      by Sergey Kacheev.
  * Add signature and keyring files

-------------------------------------------------------------------
Thu Dec 29 18:12:29 UTC 2022 - Wolfgang Frisch <wolfgang.frisch@suse.com>

- Tighten permissions (boo#1173619)
- Add missing dependency: unbound-control-setup needs /usr/bin/openssl.

-------------------------------------------------------------------
Thu Oct 13 17:08:56 UTC 2022 - Michael Ströder <michael@stroeder.com>

- update to 1.17.0
  * Features
    - Merge #753: ACL per interface. (New interface-* configuration
      options).
    - Merge #760: PROXYv2 downstream support. (New proxy-protocol-port
      configuration option).
  * Bug Fixes
    - Fix #728: alloc_reg_obtain() core dump. Stop double
      alloc_reg_release when serviced_create fails.
    - Fix edns subnet so that scope 0 answers only match sourcemask 0
      queries for answers from cache if from a query with sourcemask 0.
    - Fix unittest for edns subnet change.
    - Merge #730 from luisdallos: Fix startup failure on Windows 8.1 due
      to unsupported IPV6_USER_MTU socket option being set.
    - Fix ratelimit inconsistency, for ip-ratelimits the value is the
      amount allowed, like for ratelimits.
    - Fix #734 [FR] enable unbound-checkconf to detect more (basic)
      errors.
    - Fix to log accept error ENFILE and EMFILE errno, but slowly, once
      per 10 seconds. Also log accept failures when no slow down is used.
    - Fix to avoid process wide fcntl calls mixed with nonblocking
      operations after a blocked write.
    - Patch from Vadim Fedorenko that adds MSG_DONTWAIT to receive
      operations, so that instruction reordering does not cause mistakenly
      blocking socket operations.
    - Fix to wait for blocked write on UDP sockets, with a timeout if it
      takes too long the packet is dropped.
    - Fix for wait for udp send to stop when packet is successfully sent.
    - Fix #741: systemd socket activation fails on IPv6.
    - Fix to update config tests to fix checking if nonblocking sockets
      work on OpenBSD.
    - Slow down log frequency of write wait failures.
    - Fix to set out of file descriptor warning to operational verbosity.
    - Fix to log a verbose message at operational notice level if a
      thread is not responding, to stats requests. It is logged with
      thread identifiers.
    - Remove include that was there for debug purposes.
    - Fix to check pthread_t size after pthread has been detected.
    - Convert tdir tests to use the new skip_test functionality.
    - Remove unused testcode/mini_tpkg.sh file.
    - Better output for skipped tdir tests.
    - Fix doxygen warning in respip.h.
    - Fix to remove erroneous TC flag from TCP upstream.
    - Fix test tdir skip report printout.
    - Fix windows compile, the identifier interface is defined in headers.
    - Fix to close errno block in comm_point_tcp_handle_read outside of
      ifdef.
    - Fix static analysis report to remove dead code from the
      rpz_callback_from_iterator_module function.
    - Fix to clean up after the acl_interface unit test.
    - Merge #764: Leniency for target discovery when under load (for
      NRDelegation changes).
    - Use DEBUG_TDIR from environment in mini_tdir.sh for debugging.
    - Fix string comparison in mini_tdir.sh.
    - Make ede.tdir test more predictable by using static data.
    - Fix checkconf test for dnscrypt and proxy port.
    - Fix dnscrypt compile for proxy protocol code changes.
    - Fix to stop responses with TC flag from resulting in partial
      responses. It retries to fetch the data elsewhere, or fails the
      query and in depth fix removes the TC flag from the cached item.
    - Fix proxy length debug output printout typecasts.
    - Fix to stop possible loops in the tcp reuse code (write_wait list
      and tcp_wait list). Based on analysis and patch from Prad Seniappan
      and Karthik Umashankar.
    - Fix PROXYv2 header read for TCP connections when no proxied addresses
      are provided.

-------------------------------------------------------------------
Wed Sep 21 18:36:29 UTC 2022 - Michael Ströder <michael@stroeder.com>

- update to 1.16.3
  fixes Non-Responsive Delegation Attack (CVE-2022-3204)

-------------------------------------------------------------------
Mon Aug 1 13:05:10 UTC 2022 - Michael Ströder <michael@stroeder.com>

- update to 1.16.2 (boo#1202031 boo#1202033)
  * Features
    - Merge #718: Introduce infra-cache-max-rtt option to config max
      retransmit timeout.
  * Bug Fixes
    - Fix the novel ghost domain issues CVE-2022-30698 and CVE-2022-30699.
    - Fix bug introduced in 'improve val_sigcrypt.c::algo_needs_missing for
      one loop pass'.
    - Merge PR #668 from Cristian Rodríguez: Set IP_BIND_ADDRESS_NO_PORT on
      outbound tcp sockets.
    - Fix verbose EDE error printout.
    - Fix dname count in sldns parse type descriptor for SVCB and HTTPS.
    - For windows crosscompile, fix setting the IPV6_MTU socket option
      equivalent (IPV6_USER_MTU); allows cross compiling with latest
      cross-compiler versions.
    - Merge PR 714: Avoid treat normal hosts as unresponsive servers.
      And fixup the lock code.
    - iana portlist update.
    - Update documentation for 'outbound-msg-retry:'.
    - Tests for ghost domain fixes.

-------------------------------------------------------------------
Mon Jul 11 10:03:06 UTC 2022 - Michael Ströder <michael@stroeder.com>

- update to 1.16.1
  * Features
    - Fix #704: [FR] Statistics counter for number of outgoing UDP queries
      sent; introduces 'num.query.udpout' to the 'unbound-control stats'
      command.
  * Bug Fixes
    - makedist.sh picks up 32bit libssp-0.dll when 32bit compile.
    - Fix for edns client subnet to respect not looking in its cache when
      instructed to do so (e.g., prefetch).
    - Merge PR #688: Rpz url notify issue.
    - Note in the unbound.conf text that NOTIFY is allowed from the url:
      addresses for auth and rpz zones.
    - Remove unused LDNS function check for GOST Engine unloading.
    - Fix for loading locally stored zones that have lines with blanks or
      blanks and comments.
    - Fix #663: use after free issue with edns options.
    - Clarify -v flag manpage entry (#705)
    - Fix test program dohclient close to use portability routine.
    - Show the output of the exact .rpl run that failed with 'make test'.
    - Fix for cached 0 TTL records to not trigger prefetching when
      serve-expired-client-timeout is set.
    - Add debug option to the mini_tdir.sh test code.
    - Fix to not count cached NXDOMAIN for MAX_TARGET_NX.
    - Allow fallback to the parent side when MAX_TARGET_NX is reached.
      This will also allow MAX_TARGET_NX more NXDOMAINs.
    - iana portlist update.
    - Fix detection of libz on windows compile with static option.
    - Fix compile warning for windows compile.
    - Merge PR #706: NXNS fallback.
    - From #706: Cached NXDOMAIN does not increase the target nx
      responses.
    - From #706: Don't generate parent side queries if we already
      have the lame records in cache.
    - From #706: When a lame address is the best choice, don't try to
      generate target queries when the missing targets are all lame.
    - Merge PR #671 from Petr Menšík: Disable ED25519 and ED448 in FIPS
      mode on openssl3.
    - Merge PR #660 from Petr Menšík: Sha1 runtime insecure.
    - For #660: formatting, less verbose logging, add EDE information.
    - Fix for correct openssl error when adding windows CA certificates to
      the openssl trust store.
    - Improve val_sigcrypt.c::algo_needs_missing for one loop pass.
    - Reintroduce documentation and more EDE support for
      val_sigcrypt.c::dnskeyset_verify_rrset_sig.
    - Fix bug introduced in 'improve val_sigcrypt.c::algo_needs_missing for
      one loop pass'.
    - Merge PR #668 from Cristian Rodríguez: Set IP_BIND_ADDRESS_NO_PORT on
      outbound tcp sockets.

-------------------------------------------------------------------
Thu Jun 2 11:54:13 UTC 2022 - Michael Ströder <michael@stroeder.com>

- update to 1.16.0
  * Features
    - Merge PR #604: Add basic support for EDE (RFC8914).
  * Bug Fixes
    - Fix #412: cache invalidation issue with CNAME+A.
    - Fix that TCP interface does not use TLS when TLS is also configured.
    - Fix #624: Unable to stop Unbound in Windows console (does not
      respond to CTRL+C command).
    - Fix #618: enabling interface-automatic disables DNS-over-TLS.
      Adds the option to list interface-automatic-ports.
    - Remove debug info from #618 fix.
    - Fix #628: A rpz-passthru action is not ending RPZ zone processing.
    - Fix for #628: fix rpz-passthru for qname trigger by localzone type.
    - Fix that address not available is squelched from the logs for
      udp connect failures. It is visible on verbosity 4 and more.
    - Merge #631 from mollyim: Replace OpenSSL's ERR_PACK with
      ERR_GET_REASON.
    - Fix to detect that no IPv6 support means that IPv6 addresses are
      useless for delegation point lookups.
    - update Makefile dependencies.
    - Fix check interface existence for support detection in remote lookup.
    - Fix #633: Document unix domain socket support for unbound-control.
    - Fix for #633: updated fix with new text.
    - Fix edns client subnet to add the option based on the option list,
      so that it is not state dependent, after the state fix of #605 for
      double EDNS options.
    - Fix for edns client subnet option add fix in removal code, from review.
    - Fix #630: Unify the RPZ log messages.
    - Merge #623 from rex4539: Fix typos.
    - Fix pythonmod for change in iter_dp_is_useless function prototype.
    - Fix compile warnings for printf ll format on mingw compile.
    - Merge PR #632 from scottrw93: Match cnames in ipset.
    - Various fixes for #632: variable initialisation, convert the qinfo
      to str once, accept trailing dot in the local-zone ipset option.
    - Fix #637: Integer Overflow in sldns_str2period function.
    - Fix for #637: fix integer overflow checks in sldns_str2period.
    - Fix configure for python to use sysutils, because distutils is
      deprecated. It uses sysutils when available, distutils otherwise.
    - Merge #644: Make `install-lib` make target install the pkg-config
      file.
    - Fix to ensure uniform handling of spaces and tabs when parsing RRs.
    - Fix to describe auth-zone and other configuration at the local-zone
      configuration option, to allow for a broader view of the options.
    - Merge PR #648 from eaglegai: fix -q doesn't work when used with
      'unbound-control stats_shm'.
    - Fix #651: [FR] Better logging for refused queries.
    - Fix spelling error in comment in sldns_str2wire_svcparam_key_lookup.
    - Fix zonemd check to allow unsupported algorithms to load.
      If there are only unsupported algorithms, or unsupported schemes,
      and no failed or successful other ZONEMD records, or malformed
      or bad ZONEMD records, the unsupported records allow the zone load.
    - Fix zonemd unsupported algo check.
    - Fix zonemd unsupported algo check reason to not copy to next record,
      and check for success for debug printout.
    - Fix zonemd unsupported algo check to print unsupported reason before
      zeroing it.
    - Fix zonemd unsupported algo check to set reason to NULL before the
      check routine, but after malformed checks, to get the correct NULL
      output when the digest matches.
    - Fix #670: SERVFAIL problems with unbound 1.15.0 running on
      OpenBSD 7.1.
    - Fix Python build in non-source directory; based on patch by
      Michael Tokarev.
    - Fix #673: DNS over TLS: error: SSL_handshake syscall: No route to
      host.
    - Merge #677: Allow using system certificates not only on Windows,
      from pemensik.
    - For #677: Added tls-system-cert to config parser and documentation.
    - Fix #417: prefetch and ECS causing cache corruption when used
      together.
    - Fix #678: [FR] modify behaviour of unbound-control rpz_enable zone,
      by updating unbound-control's documentation.
    - Fix typos in config_set_option for the 'num-threads' and
      'ede-serve-expired' options.
    - Fix to silence test for ede error output to the console from the
      test setup script.
    - Fix ede test to not use default pidfile, and use local interface.
    - Fix some lint type warnings.
    - Fix #684: [FTBS] configure script error with libmnl on openSUSE 15.3
      (and possibly other distributions)

-------------------------------------------------------------------
Tue Apr 19 15:46:25 UTC 2022 - Dirk Müller <dmueller@suse.com>

- spec-cleaner
- update to 1.15.0

-------------------------------------------------------------------
Thu Feb 10 22:55:23 UTC 2022 - Michael Ströder <michael@stroeder.com>

- update to 1.15.0

  Features
  - Fix #596: unset the RA bit when a query is blocked by an unbound
    RPZ nxdomain reply. The option rpz-signal-nxdomain-ra allows signalling
    to clients that a domain is externally blocked when it
    is blocked with NXDOMAIN by unsetting RA.
  - Add rpz: for-downstream: yesno option, where the RPZ zone is
    authoritatively answered for, so the RPZ zone contents can be
    checked with DNS queries directed at the RPZ zone.
  - Merge PR #616: Update ratelimit logic. It also introduces
    ratelimit-backoff and ip-ratelimit-backoff configuration options.
  - Change aggressive-nsec default to yes.

  Bug Fixes
  - Fix compile warning for if_nametoindex on windows 64bit.
  - Merge PR #581 from fobser: Fix -Wmissing-prototypes and -Wshadow
    warnings in rpz.
  - Fix validator debug output about DS support, print correct algorithm.
  - Add code similar to fix for ldns for tab between strings, for
    consistency, the test case was not broken.
  - Allow local-data for classes other than IN to inherit a configured
    local-zone's type if possible, instead of defaulting to type
    transparent as per the implicit rule.
  - Fix to pick up other class local zone information before unlock.
  - Add missing configure flags for optional features in the
    documentation.
  - Fix Unbound capitalization in the documentation.
  - Fix #591: Unbound-anchor manpage links to non-existent license file.
  - contrib/aaaa-filter-iterator.patch file renewed diff content to
    apply cleanly to the current coderepo for the current code version.
  - Fix to add test for rpz-signal-nxdomain-ra.
  - Fix #596: only unset RA when NXDOMAIN is signalled.
  - Fix that RPZ does not set RD flag on replies, it should be copied
    from the query.
  - Fix for #596: fix that rpz return message is returned and not just
    the rcode from the iterator return path. This fixes signal unset RA
    after a CNAME.
  - Fix unit tests for rpz now that the AA flag returns successfully from
    the iterator loop.
  - Fix for #596: add unit test for nsdname trigger and signal unset RA.
  - Fix for #596: add unit test for nsip trigger and signal unset RA.
  - Fix #598: Fix unbound-checkconf fatal error: module conf
    'respip dns64 validator iterator' is not known to work.
  - Fix for #596: Fix rpz-signal-nxdomain-ra to work for clientip
    triggered operation.
  - Merge #600 from pemensik: Change file mode before changing file
    owner.
  - Fix prematurely terminated TCP queries when a reply has the same ID.
  - For #602: Allow the module-config "subnetcache validator cachedb
    iterator".
  - Fix EDNS to upstream where the same option could be attached
    more than once.
  - Add a region to serviced_query for allocations.
  - For dnstap, do not wakeupnow right there. Instead zero the timer to
    force the wakeup callback asap.
  - Fix #610: Undefine-shift in sldns_str2wire_hip_buf.
  - Fix #588: Unbound 1.13.2 crashes due to p->pc is NULL in
    serviced_udp_callback.
  - Merge PR #612: TCP race condition.
  - Test for NSID in SERVFAIL response due to DNSSEC bogus.
  - Fix #599: [FR] RFC 9156 (obsoletes RFC 7816), by noting the new RFC
    document.
  - Fix tls-* and ssl-* documented alternate syntax to also be available
    through remote-control and unbound-checkconf.
  - Better cleanup on failed DoT/DoH listening socket creation.
  - iana portlist update.
  - Fix review comment for use-after-free when failing to send UDP out.
  - Merge PR #603 from fobser: Use OpenSSL 1.1 API to access DSA and RSA
    internals.
  - Merge PR #532 from Shchelk: Fix: buffer overflow bug.
  - Merge PR #617: Update stub/forward-host notation to accept port and
    tls-auth-name.
  - Update stream_ssl.tdir test to also use the new forward-host
    notation.
  - Fix header comment for doxygen for authextstrtoaddr.
  - please clang analyzer for loop in test code.
  - Fix docker splint test to use more portable uname.
  - Update contrib/aaaa-filter-iterator.patch with diff for current
    software version.
  - Fix for #611: Integer overflow in sldns_wire2str_pkt_scan.

-------------------------------------------------------------------
Thu Dec 9 11:14:33 UTC 2021 - Michael Ströder <michael@stroeder.com>

- update to 1.14.0

  Features
  - Merge #401: RPZ triggers. This adds additional RPZ triggers,
    unbound supports a full set of rpz triggers, and this now
    includes nsdname, nsip and clientip triggers. Also actions
    are fully supported, and this now includes the tcp-only action.
  - Merge #519: Support for selective enabling tcp-upstream for
    stub/forward zones.
  - Merge PR #514, from ziollek: Docker environment for run tests.
  - Support using system-wide crypto policies.
  - Fix that --with-ssl can use "/usr/include/openssl11" to pass the
    location of a different openssl version.
  - Merged #41 from Moritz Schneider: made outbound-msg-retry
    configurable.
  - Implement RFC8375: Special-Use Domain 'home.arpa.'.
  - Merge PR #555 from fobser: Allow interface names as scope-id in IPv6
    link-local addresses.

  Bug Fixes
  - Add test tool readzone to .gitignore.
  - Merge #521: Update mini_event.c.
  - Merge #523: fix: free() call more than once with the same pointer.
  - For #519: note stub-tcp-upstream and forward-tcp-upstream in
    the example configuration file.
  - For #519: yacc and lex. And fix python bindings, and test program
    unbound-dnstap-socket.
  - For #519: fix comments for doxygen.
  - Fix to print error from unbound-anchor for writing to the key
    file, also when not verbose.
  - For #514: generate configure.
  - Fix for #431: Squelch permission denied errors for udp connect,
    and udp send, they are visible at higher verbosity settings.
  - Fix zonemd verification of key that is not in DNS but in the zone
    and needs a chain of trust.
  - zonemd, fix order of bogus printout string manipulation.
  - Fix to support harden-algo-downgrade for ZONEMD dnssec checks.
  - Merge PR #528 from fobser: Make sldns_str2wire_svcparam_buf()
    static.
  - Fix #527: not sending quad9 cert to syslog (and may be more).
  - Fix sed script in ssldir split handling.
  - Fix #529: Fix: log_assert does nothing if UNBOUND_DEBUG is
    undefined.
  - Fix #531: Fix: passed to proc after free.
  - Fix #536: error: RPZ: name of record (drop.spamhaus.org.rpz.local.)
    to insert into RPZ.
  - Fix the stream wait stream_wait_count_lock and http2 buffer locks
    setup and desetup from race condition.
  - Fix RPZ locks. Do not unlock zones lock if requested and rpz find
    zone does not find the zone. Readlock the clientip that is found
    for ipbased triggers. Unlock the nsdname zone lock when done.
    Unlock zone and ip in rpz nsip and nsdname callback. Unlock
    authzone and localzone if clientip found in rpz worker call.
  - Fix compile warning in libunbound for listen desetup routine.
  - Fix asynclook unit test for setup of lockchecks before log.
  - Fix #533: Negative responses get cached even when setting
    cache-max-negative-ttl: 1
  - Fix tcp fastopen failure when disabled, try normal connect instead.
  - Fix #538: Fix subnetcache statistics.
  - Small fixes for #41: changelog, conflicts resolved,
    processQueryResponse takes an iterator env argument like other
    functions in the iterator, no colon in string for set_option,
    and some whitespace style, to make it similar to the rest.
  - Fix for #41: change outbound retry to int to fix signed comparison
    warnings.
  - Fix root_anchor test to check with new icannbundle date.
  - Fix initialisation errors reported by gcc sanitizer.
  - Fix lock debug code for gcc sanitizer reports.
  - Fix more initialisation errors reported by gcc sanitizer.
  - Fix crosscompile on windows to work with openssl 3.0.0 the
    link with ws2_32 needs -l:libssp.a for __strcpy_chk.
    Also copy results from lib64 directory if needed.
  - For crosscompile on windows, detect 64bit stackprotector library.
  - Fix crosscompile shell syntax.
  - Fix crosscompile windows to use libssp when it exists.
  - For the windows compile script disable gost.
  - Fix that on windows, use BIO_set_callback_ex instead of deprecated
    BIO_set_callback.
  - Fix crosscompile script for the shared build flags.
  - Fix to add example.conf note for outbound-msg-retry.
  - Fix chaos replies to have truncation for short message lengths,
    or long reply strings.
  - Fix to protect custom regional create against small values.
  - Fix #552: Unbound assumes index.html exists on RPZ host.
  - Fix that forward-zone name is documented as the full name of the
    zone. It is not relative but a fully qualified domain name.
  - Fix analyzer review failure in rpz action override code to not
    crash on unlocking the local zone lock.
  - Fix to remove unused code from rpz resolve client and action
    function.
  - Merge #565: unbound.service.in: Disable ProtectKernelTunables again.
  - Fix for #558: fix loop in comm_point->tcp_free when a comm_point is
    reclaimed more than once during callbacks.
  - Fix for #558: clear the UB_EV_TIMEOUT bit before adding an event.
  - Improve EDNS option handling, now also works for synthesised
    responses such as local-data and server.id CH TXT responses.
  - Merge PR #570 from rex4539: Fix typos.
  - Fix for #570: regen aclocal.m4, fix configure.ac for spelling.
  - Fix to make python module opt_list use opt_list_in.
  - Fix #574: unbound-checkconf reports fatal error if interface names
    are used as value for interfaces:
  - Fix #574: Review fixes for it.
  - Fix #576: [FR] UB_* error codes in unbound.h
  - Fix #574: Review fix for spelling.
  - Fix to remove git tracking and ci information from release tarballs.
  - iana portlist update.
  - Merge PR #511 from yan12125: Reduce unnecessary linking.
  - Merge PR #493 from Jaap: Fix generation of libunbound.pc.
  - Merge PR #562 from Willem: Reset keepalive per new tcp session.
  - Merge PR #522 from sibeream: memory management violations fixed.
  - Merge PR #530 from Shchelk: Fix: dereferencing a null pointer.
  - Fix #454: listen_dnsport.c:825: error: ‘IPV6_TCLASS’ undeclared.
  - Fix #574: Review fixes for size allocation.
  - Fix doc/unbound.doxygen to remove obsolete tag warning.

-------------------------------------------------------------------
Sat Oct 16 10:34:52 UTC 2021 - Togan Muftuoglu <toganm@opensuse.org>

- Fix pidfile location

-------------------------------------------------------------------
Thu Aug 12 18:02:18 UTC 2021 - Michael Ströder <michael@stroeder.com>

- update to 1.13.2

Features
- Merge PR #317: ZONEMD Zone Verification, with RFC 8976 support.
ZONEMD records are checked for zones loaded as auth-zone,
with DNSSEC if available. There is an added option
zonemd-permissive-mode that makes it log but not fail wrong zones.
With zonemd-reject-absence for an auth-zone the presence of a
zonemd can be mandated for specific zones.
- Fix: Resolve interface names on control-interface too.
- Merge #470 from edevil: Allow configuration of persistent TCP
connections.
- Fix #474: always_null and others inside view.
- Add that log-servfail prints an IP address and more information
about one of the last failures for that query.
- Merge #478: Allow configuration of TCP timeout while waiting for
response.
- Add ./configure --with-deprecate-rsa-1024 that turns off RSA 1024.
- Move the NSEC3 max iterations count in line with the 150 value
used by BIND, Knot and PowerDNS. This sets the default value
for it in the configuration to 150 for all key sizes.
- zonemd-check: yesno option, default no, enables the processing
of ZONEMD records for that zone.
- Merge #486 by fobster: Make VAL_MAX_RESTART_COUNT configurable.
- Merge PR #491: Add SVCB and HTTPS types and handling according to
draft-ietf-dnsop-svcb-https.
- Introduce 'http-user-agent:' and 'hide-http-user-agent:' options.

Bug Fixes
- Fix for Python 3.9, no longer use deprecated functions of
PyEval_CallObject (now PyObject_Call), PyEval_InitThreads (now
none), PyParser_SimpleParseFile (now Py_CompileString).
- Merge PR #420 from dyunwei: DOH not responding with
"http2_query_read_done failure" logged.
- Fix #422: IPv6 fallback issues when IPv6 is not properly
enabled/configured.
- Fix to make tests work with support indicators set for iterator.
- Fix build on Python 3.10.
- Fix doxygen and pydoc warnings.
- Fix #429: rpz: url: with https: broken (regression in 1.13.1).
- rpz skip nsec3param records, and nicer log for unsupported actions.
- Fix #431: Squelch permission denied errors for tcp connect
and udp connect from the logs, unless at high verbosity.
- Fix for zonemd, that nxdomain for the chain of trust is allowed
for island zones, it is treated as an insecure zone for verification.
- Fix for zonemd, that domain-insecure zones work without dnssec.
- Fix for zonemd, do not reject insecure result from trust anchor
validation step in dnssec chain of trust.
- On startup of unbound it checks if rlimits on memory size look
sufficient for the configured cache size, and logs warning if not.
- Fix function documentation.
- Fix unit test for added ulimit checks.
- spelling fix in header.
- Fix #384: (1) A minor request to improve the log (2) A minor bug in one
log message.
- ipsecmod: Better logging for detecting a cycle when attaching the
A/AAAA subquery.
- Merge PR #367 : DNSTAP log local address. With code from PR #365
and fixes #368 : dnstap does not log the DNS message ID for
FORWARDER_QUERY.
- Fix to allow rpz with wildcard that applies to all TLDs at once.
- Fix for #367: rc_ports don't have ub_sock; skip cleaning up.
- Fix spurious errors about "Could not generate request: out of
memory". The mesh detect cycle routine no longer wrongly stops
the check when the calling mesh state is unique.
- Workaround for #439: prevent loops in the reuse rbtree.
- Debug output for #411 and #439: printout internal error and details.
- Fix parse of LOC RR type for decimetres.
- Fix #441: Minimal NSEC range not accepted for top level domains.
- Fix for #447: squelch connection refused tcp connection failures
from the log, unless verbosity is high.
- Merge #449 from orbea: build: Add missing linker flags.
- Comment out nonworking OSX and IOS travis tests, vm fails to start.
- Fix compile error in listen_dnsport on Android.
- Fix memory leak reported by asan in rpz SOA record query name.
- Fix unused-function warning when compiling with --enable-dnscrypt.
- Fix for #367: fix memory leak when cannot bind to listening port.
- Reformat pythonmod/pythonmod_utils.{c,h}.
- Travis enable all tests again. Clang analyzer only a couple times,
when there is a difference. homebrew updates disabled, so it does
not hang. removed trailing slashes from configure paths. Moved iOS
tests to allow-failure.
- travis, analyzer disabled on test without debug, that does not
run anyway. Turn off failing tests except one. Update iOS test
to xcode image 12.2.
- Fix deprecation test to work for iOS TVOS and WatchOS, it uses
CFLAGS and CPPFLAGS and also checks if the item is unavailable.
- Travis, fix script to fail when tasks fail.
- Travis, fix warning in ubsan compile.
- Fix configure TargetConditionals.h header check, to use compile.
- Fix that cachedb does not produce empty object files when disabled.
- Fix #429: Also fix end of transfer for http download of auth zones.
- Disable the use of stack-protector for cross compiled 32-bit windows
builds; relates to #444.
- Fix stack-protector change to not override other CFLAGS options.
- Clean makedist.sh.
- Merge #460 from orbea: build: Link with the libtool archive.
- Fix to stop IPv6 PMTU discovery.
- Fix for #411: Depth protect for crash on deleted element timeout.
- rebuild configure to set EXTRALINK to libunbound.la for #460.
- Fix permission denied sendto log, squelch the log messages
unless high verbosity is set.
- Fix (increase) verbosity level for iterator error log in
processQueryTargets().
- Fix that nxdomain synthesis does not happen above the stub or
forward definition.
- Fix documentation comment for files previously residing in checkconf/.
- Remove unused functions worker_handle_reply and libworker_handle_reply.
- Merge #466 from FGasper: Support OpenSSLs that lack
SSL_get0_alpn_selected.
- Fix #468: OpenSSL 1.0.1 can no longer build Unbound.
- Further fix for #468: detect SSL_CTX_set_alpn_protos for build with
OpenSSL 1.0.1.
- Fix that testcode dohclient has OpenSSL initialisation calls.
- Fix compiler warning for signed/unsigned comparison for
max_reuse_tcp_queries.
- Fix #481: Fix comment in configuration file.
- Fix to squelch tcp socket bind failures when the interface is gone.
- Rerun flex and bison.
- Fix for #367: only attempt to get the interface for queries that are no
longer on the tcp_waiting_list.
- Add more logging for out-of-memory cases.
- Fix #485: Unbound occasionally reports broken stats.
- Remove case fallthrough from deprecate-rsa-1024 code.
- Merge PR #487: ifdef RLIMIT_AS in recently added check.
- Fix that auth-zone zonefiles use last TTL if no TTL is specified.
- Fix #489: Compile using MSYS2 MinGW 64-bit.
- Fix for #411, #439, #469: Reset the DNS message ID when moving queries
between TCP streams.
- Refactor for uniform way to produce random DNS message IDs.
- Test code has -q option for quiet output.
- Fix #492: module-config respip missing in unbound.conf.5.in man
page. Merges #494 from he32.
- For #492: Fix font highlighting for the man page on emacs.
- Merge #496 from banburybill: Use build system endianness if
available, otherwise try to work it out.
- Fix test for zonemd-check option.
- Merge #448 from shoeper: Update unbound-control.8.in, fix
rpz_disable typo.
- Fix #425: Document auth-zone supports communication with DNS
primary on nondefault port.
- Fix unused variable warning when compiling with --enable-dnstap.
- Generated lexer and parser for #486; updated example.conf.
- Fix #413 (based on patch by k-ronny): unbound: does not compile
on macOS 11.1-x86_64 host.
- Use host_os instead of target_os in configure for Darwin8 build.
- Fix #500: SPEC file in version 1.13.1 references version 1.4;
unable to build RPM from source.
- Fix contrib/unbound.spec, fixed url and comment.
- Fix configure nonblocking test and onmingw test to use host.
- Merge #440 by kimheino: Various fixes to contrib/unbound_munin_ file.
- Fix a number of warnings reported by the gcc analyzer.
- Fix #495: Documentation or implementation of "verbosity" option.
- Fix #503: DNS over HTTPS response truncated.
- Fix warnings reported by the gcc analyzer.
- Add analyzer and port compile github workflow.
- Fix up permissions on rpl data file in tests.
- Fix testbound newline treatment in moment_read and tempfile write.
- Fix configure grep for reuseport default for failure.
- Fix compat ctime_r return value.
- Fix configure does not require pkg-config if not needed.
- Fix unit test in the ctime_r calls for autotrust and in testbound.
- Fix auth zone download on windows to unlink before rename.
- Fix #506: Python Module Seems to Leak Memory if it Experiences an
Unhandled Exception.
- Fix Wunused-result compile warnings.
- Fix compiler warnings for #491.
- Fix clang-analysis warnings for testcode/readzone.c.
- Merge #510 from ndptech: Don't call a function which hasn't been
defined.
- Fix for #510: in depth, use ifdefs for windows api event calls.
- Fix spelling in doc/unbound.doxygen comment.
- Fix spelling in localzone.h comment.
- Fix unbound-control local_data and local_datas to print detailed
syntax errors.
- review fix to remove duplicate error printout.
- Insert header into testcode/readzone.c, it was missing.
- Fix from lint for ignored return value.
- Fix for older parsers for function call in serve expired get cached.
- Fix that ldns_zone_new_frm_fp_l counts the line number for an empty
line after a comment.
- Merge #512: unbound.service.in: upgrade hardening to latest
standards.
- Fix readzone unknown type print for memory resize.
- Merge #513: Stream reuse, attempt to fix #411, #439, #469. This
introduces a couple of fixes for the stream reuse functionality
that could result in broken internal structures.
- Fix #515: Compilation against openssl 3.0.0 beta2 is failing to
build unbound.
- For #515: Fix compilation with openssl 3.0.0 beta2, lib64 dir and
SSL_get_peer_certificate.
- Move acx_nlnetlabs.m4 to version 41, with lib64 openssl dir check.
- Prepare for OpenSSL 3.0.0 provider API usage, move the sldns
keyraw functions to produce EVP_PKEY results.
- Move RSA and DSA to use OpenSSL 3.0.0 API.
- Move ECDSA functions to use OpenSSL 3.0.0 API.
- iana portlist update.
- Fix verbose printout failure in tcp reuse unit test.
- Merge PR #517 from dyunwei: #420 breaks the mesh reply list
function that needs to reuse the dns answer.
- Annotate assertion into error printout; we think it may be an
error, but the situation looks harmless.
- Fix sign comparison warning on FreeBSD.
- Listen to read or write events after the SSL handshake.
Sticky events on windows would stick on read when write was needed.
- Merge PR #415 from sibeream: Use
/proc/sys/net/ipv4/ip_local_port_range to determine available outgoing
ports. (New --enable-linux-ip-local-port-range configuration option)
- Bump MAX_RESTART_COUNT to 11 from 8; in relation to #438. This
allows longer CNAME chains in Unbound.
- In unit test use openssl set security level to allow keys in test.
- Fix static analysis warnings about localzone locks that are unused.
- Fix missing locks in zonemd unit test.
- Fix readzone compile under debug config.
- Fix out of sourcedir run of zonemd unit tests.
- Fix libnettle zonemd unit test.
- Fix unit test zonemd_reload for use in run_vm.
- Fix #520: Unbound 1.13.2rc1 fails to build python module.

-------------------------------------------------------------------
Tue May 11 21:57:51 UTC 2021 - Cristian Rodríguez <crrodriguez@opensuse.org>

- Use --disable-explicit-port-randomisation, the Linux kernel
has had source port randomization by default when the port is 0 for ages.

-------------------------------------------------------------------
Tue Feb 9 10:56:09 UTC 2021 - Michael Ströder <michael@stroeder.com>

- update to 1.13.1

Features
- Merge PR #375 by fhriley: Add rpz_enable and rpz_disable commands
to unbound-control.
- Merge PR #391 from fhriley: Add start_time to reply callbacks so
modules can compute the response time.
- Fix #397: [Feature request] add new type always_null to local-zone
similar to always_nxdomain.
- Support for RFC5001: DNS Name Server Identifier (NSID) Option
with the nsid: option in unbound.conf.
- Padding of queries and responses with DNS over TLS as specified in
RFC7830 and RFC8467.
- Merge PR #275 from Roland van Rijswijk-Deij: Add feature to return the
original instead of a decrementing TTL ('serve-original-ttl').

Bug Fixes
- Fix #358: Squelch udp connect 'no route to host' errors on low
verbosity.
- Fix #360: for the additionally reported TCP Fast Open makes TCP
connections fail, in that case we print a hint that this is
happening with the error in the logs.
- Fix #356: deadlock when listening tcp.
- Fix unbound-dnstap-socket to not use log routine from interrupt
handler and not print so frequently when invoked in sequence.
- Fix on windows to ignore connection failure on UDP, unless verbose.
- make depend.
- Fix #371: unbound-control timeout when Unbound is not running.
- Fix to squelch permission denied and other errors from remote host,
they are logged at higher verbosity but not on low verbosity.
- Merge PR #335 from fobser: Sprinkle in some static to prevent
missing prototype warnings.
- Merge PR #373 from fobser: Warning: arithmetic on a pointer to void
is a GNU extension.
- Fix missing prototypes in the code.
- Fix error cases when udp-connect is set and send() returns an error
(modified patch from Xin Li @delphij).
- For #376: Fix that comm point event is not double removed or double
added to event map.
- iana portlist updated.
- Fix #385: autoconf 2.70 impacts unbound build.
- Fix #379: zone loading over HTTP appears to have buffer issues.
- Merge PR #395 from mptre: add missing null check.
- Fix #387: client-subnet-always-forward seems to effectively bypass
any caching?
- For #391: use struct timeval* start_time for callback information.
- For #391: fix indentation.
- For #391: more double casts in python start time calculation.
- Add comment documentation.
- Fix clang analysis warning.
- Fix so local zone types always_nodata and always_deny can be used
from the config file.
- Merge #399 from xiangbao227: The lock of lruhash table should be
unlocked after markdel entry.
- Fix for #93: dynlibmodule link fix for Windows.
- Fix for #93: dynlibmodule import library is named libunbound.dll.a.
- Merge #402 from fobser: Implement IPv4-Embedded addresses according
to RFC6052.
- Fix #404: DNS query with small edns bufsize fails.
- Fix declaration before statement and signed comparison warning in
dns64.
- Fix TTL of SOA record for negative answers (localzone and
authzone data) to be the minimum of the SOA TTL and the SOA.MINIMUM.
- Fix compile of unbound-dnstap-socket without dnstap installed.
- Merge PR #355 from noloader: Make ICANN Update CA and DS Trust Anchor
static data.
- Ignore cache blacklisting when trying to reply with expired data from
cache (#394).
- Merge PR #408 from fobser: Prevent a few more yacc clashes.
- Annotate that we ignore the return value of if_indextoname.
- Fix to use correct type for label count in rpz routine.
- Fix empty clause warning in config_file nsid parse.
- Fix to use correct type for label count in ipdnametoaddr rpz routine.
- Fix empty clause warning in edns pass for padding.
- Fix for doxygen 1.8.20 compatibility.
- Attempt to fix NULL keys in the reuse_tcp tree; relates to #411.
- Fix dynlibmod link on rhel8 for -ldl inclusion.
- Fix windows dependency on libssp.dll because of default stack
protector in mingw.
- Fix indentation of root anchor for use by windows install script.

-------------------------------------------------------------------
Thu Dec 3 11:26:17 UTC 2020 - Michael Ströder <michael@stroeder.com>

- update to 1.13.0

Features
- Pass the comm_reply information to the inplace_cb_reply* functions
during the mesh state and update the documentation on that.
- Fix #330: [Feature request] Add unencrypted DNS over HTTPS support.
This adds the option http-notls-downstream: yesno to change that,
and the dohclient test code has the -n option.
- Merge PR #228 : infra-keep-probing option to probe hosts that are
down. Add infra-keep-probing: yes option. Hosts that are down are
probed more frequently.
With the option turned on, it probes about every 120 seconds,
eventually after exponential backoff, and it stays that way as long
as traffic keeps up for the domain. It probes with one query at a
time, e.g. one query is allowed to probe, other queries within that
120 second interval are turned away.
- Merge PR #313 from Ralph Dolmans: Replace edns-client-tag with
edns-client-string option.
- Merge PR #283 : Stream reuse. This implements upstream stream
reuse for performing several queries over the same TCP or TLS
channel.
- Fix to connect() to UDP destinations, default turned on,
this lowers vulnerability to ICMP side channels.
Option to toggle udp-connect, default is enabled.

Bug Fixes
- Fix #319: potential memory leak on config failure, in rpz config.
- Fix dnstap socket and the chroot not applied properly to the dnstap
socket path.
- Fix warning in libnss compile, nss_buf2dsa is not used without DSA.
- Fix #323: unbound testsuite fails on mock build in systemd-nspawn
if systemd support is built.
- Fix for python reply callback to see mesh state reply_list member,
it only removes it briefly for the commpoint call so that it does
not drop it and attempt to modify the reply list during reply.
- Fix that if there are on reply callbacks, those are called per
reply and a new message created if that was modified by the call.
- Free up auth zone parse region after use for lookup of host.
- Merge PR #326 from netblue30: DoH: implement content-length
header field.
- DoH content length, simplify code, remove declaration after
statement and fix cast warning.
- Fix that if there are reply callbacks for the given rcode, those
are called per reply and a new message created if that was modified
by the call.
- Fix that the out of order TCP processing does not limit the
number of outstanding queries over a connection.
- Fix python documentation warning on functions.rst inplace_cb_reply.
- Log ip address when http session recv fails, e.g. due to tls fail.
- Fix to set the tcp handler event toggle flag back to default when
the handler structure is reused.
- Clean the fix for out of order TCP processing limits on number
of queries. It was tested to work.
- Fix that http settings have colon in set_option, for
http-endpoint, http-max-streams, http-query-buffer-size,
http-response-buffer-size, and http-nodelay.
- Fix memory leak of https port string when reading config.
- local-zone regional allocations outside of chunk.
- Merge PR #324 from James Renken: Add modern X.509v3 extensions to
unbound-control TLS certificates.
- Fix for PR #324 to attach the x509v3 extensions to the client
certificate.
- Fix #327: net/if.h check fails on some darwin versions; contribution
by Joshua Root.
- Fix #320: potential memory corruption due to size miscomputation upon
custom region alloc init.
- Fix #333: Unbound Segmentation Fault w/ log_info Functions From
Python Mod.
- Fix that minimal-responses does not remove addresses from a priming
query response.
- In man page note that tls-cert-bundle is read before permission
drop and chroot.
- Fix #341: fixing a possible memory leak.
- Fix memory leak after fix for possible memory leak failure.
- Fix #343: Fail to build --with-libnghttp2 with error: 'SSIZE_MAX'
undeclared.
- Fix for #303 CVE-2020-28935 : Fix that symlink does not interfere
with chown of pidfile.
- Fix #347: IP_DONTFRAG broken on Apple xcode 12.2.
- Fix #350: with the AF_NETLINK permission, to fix 1.12.0 error:
failed to list interfaces: getifaddrs: Address family not
supported by protocol.
- Merge #351 from dvzrv: Add AF_NETLINK to set of allowed socket
address families.
- iana portlist updated.
- Fix crash when TLS connection is closed prematurely, when
reuse tree comparison is not properly identical to insertion.
- Fix padding of struct regional for 32bit systems.
- with udp-connect ignore connection refused with UDP timeouts.
- Fix udp-connect on FreeBSD, do send calls on connected UDP socket.
- Better fix for reuse tree comparison for is-tls sockets, where
the tree key identity is preserved after cleanup of the TLS state.
- Fix memory leak for edns client tag opcode config element.
- Attempt fix for libevent state in tcp reuse cases after a packet
is written.
- Fix readagain and writeagain callback functions for comm point
cleanup.
- Fix to omit UDP receive errors from log, if verbosity low.
These happen because of udp-connect.
- For #352: contrib/metrics.awk for Prometheus style metrics output.
- Fix that after failed read, the readagain cannot activate.
- Clear readagain upon decommission of pending tcp structure.
- Fix compile warning for type cast in http2_submit_dns_response.
- Fix when use free buffer to initialize rbtree for stream reuse.
- Fix compile warnings for windows.
- Fix compile warnings in rpz initialization.
- Fix contrib/metrics.awk for FreeBSD awk compatibility.
- Fix assertion failure on double callback when iterator loses
interest in query at head of line that then has the tcp stream
not kept for reuse.
- Fix stream reuse and tcp fast open.

-------------------------------------------------------------------
Thu Oct 8 08:39:40 UTC 2020 - Michael Ströder <michael@stroeder.com>

- update to 1.12.0

Features
- DNS Flag Day 2020: change edns-buffer-size default to 1232.
- Merge PR #255: DNS-over-HTTPS support.
- Use inclusive language in configuration.
- Merge PR #284 and Fix #246: Remove DLV entirely from Unbound.
The DLV has been decommissioned and in unbound 1.5.4, in 2015, there
was advice to stop using it. The current code base does not contain
DLV code any more. The use of dlv options displays a warning.
- Similar to NSD PR#113, implement that interface names can be used,
e.g. something like interface: eth0 is resolved at server start and
uses the IP addresses for that named interface.
- Merge PR #272: Add EDNS client tag functionality.
- Add edns-client-tag-opcode option.

Bug Fixes
- Merge PR #270 from cgzones: munin plugin: always exit 0 in autoconf.
- Merge PR #269, Fix python module len() implementations, by Torbjörn
Lönnemark.
- Merge PR #268, draft-ietf-dnsop-serve-stale-10 has become RFC 8767 in
March 2020, by and0x000.
- Fix doxygen comment for no ssl for tls session ticket key callback
routine.
- Fix mini_event.h on OpenBSD cannot find fd_set.
- Improve error log message when inserting rpz RR.
- Merge PR #280, Make tvOS & watchOS checks verify truthiness as well as
definedness, by Felipe Gasper.
- contrib/aaaa-filter-iterator.patch file renewed diff content to
apply cleanly to the current coderepo for the current code version.
- Fix #287: doc typo: "Additionaly".
- Merge (modified) PR #277, use EVP_MAC_CTX_set_params if available,
by Vítězslav Čížek.
- Create and init edns tags data for libunbound.
- Fix stats double count issue (#289).
- Fix that dnstap reconnects do not spam the log with the repeated
attempts. Attempts on the timer are only logged on high verbosity,
if they produce a connection failure error.
- Fix to apply chroot to dnstap-socket-path, if chroot is enabled.
- Change configure to use EVP_sha256 instead of HMAC_Update for
openssl-3.0.0.
- Update documentation in python example code.
- Review fix interface, doxygen and assign null in case of error free.
- Merge PR #293: Add missing prototype. Also refactor to use the new
shorthand function to clean up the code.
- Refactor to use sock_strerr shorthand function.
- Fix #296: systemd nss-lookup.target is reached before unbound can
successfully answer queries. Changed contrib/unbound.service.in.
- Fix num.expired statistics output.
- Remove x file mode on ipset/ipset.c and h files.
- Spelling fix.
- Introduce test for statistics.
- Fix that prefer-ip4 and prefer-ip6 can be retrieved and set with
unbound-control, with libunbound and the unbound-checkconf option
output function.
- Merge PR #311 by luismerino: Dynlibmod leak.
- Error message is logged for dynlibmod malloc failures.
- iana portlist updated.
- Fix #304: dnstap logging not recovering after dnstap process restarts.
- Fix edns-client-tags get_option typo.
- Fix #305: dnstap logging significantly affects unbound performance
(regression in 1.11).
- Fix #305: only wake up thread when threshold reached.
- Fix to ifdef fptr wlist item for dnstap.
- Fix memory leak of edns tags at libunbound context delete.
- Fix double loopexit for unbound-dnstap-socket after sigterm.

-------------------------------------------------------------------
Mon Jul 27 10:48:36 UTC 2020 - Michael Ströder <michael@stroeder.com>

- update to 1.11.0

Features
- Merge #225 from akhait: KSK-2010 has been revoked. It removes the
KSK-2010 from the default list in unbound-anchor, now that the
revocation period is over. KSK-2017 is the only trust anchor in
the shipped default now.
- Merge PR #93: Add dynamic library support.
- Introduce 'include-toplevel:' configuration option.
- Change default value for 'rrset-roundrobin' to yes.
- Add SNI support on more TLS connections (fixes #193).
- Add SNI support to unbound-anchor.
- Merge PR #164: Framestreams, this branch implements dnstap
connectivity in unbound. This has a number of new features.
- Fix #165: Add prefer-ip4: yesno config option to prefer ipv4 for
using ipv4 filters, because the hosts ip6 netblock /64 is not owned
by one operator, and thus reputation is shared.

Bug Fixes
- protect X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS with ifdef for
different openssl versions.
- Merge PR #166: Fix typo in unbound.service.in, by glitsj16.
- Fix #169: Fix warning for daemon/remote.c output may be truncated
from snprintf.
- Fix #170: Fix gcc undefined sanitizer signed integer overflow
warning in signature expiry RFC1982 serial number arithmetic.
- Fix more undefined sanitizer issues, in respip copy_rrset null
dname, and in the client_info_compare routine for null memcmp.
- Merge PR #171: Add additional compilers and platforms to Travis
testing, by noloader.
- Merge PR #173: updated makedist.sh for config.guess and
config.sub and sha256 digest for gpg, by noloader.
- Merge PR #172: Add IBM s390x arch for testing, by noloader.
- Fix #177: dnstap does not build on macOS.
- Fix compiler warning in dns64/dns64.c.
- Merge PR #174: Add Android to Travis testing, by noloader.
- Move android build scripts to contrib/ and allow android tests to fail.
- Fix #175, Merge PR #176: fix link error when OpenSSL is configured
with no-engine, thanks noloader.
- Upgrade config.guess(2020-01-01) and config.sub(2020-01-01).
- Merge PR #180 from noloader: Avoid calling exit in Travis script.
- Merge PR #181 from noloader: Fix OpenSSL -pie warning on Android.
- Update README-Travis.md (from PR #179), by Jeffrey Walton.
- Fix PR #182 from noloader: Add iOS testing to Travis.
- Merge PR #186, fix #183: Fix unrecognized 'echo -n' option on OS X, by
noloader.
- Fix #188: unbound-control.c:882:6: error: 'execlp' is
unavailable: not available on tvOS.
- Fix #189: mini_event.h:142:17: error: field 'ev_timeout' has incomplete
type, by noloader.
- Add check to make sure RPZ records are subdomains of configured
zone origin.
- Fix #192: In the unbound-checkconf tool, the module config of
dns64 subnetcache respip validator iterator is whitelisted, it was
reported it seems to work.
- Merge PR#191: Update iOS testing on Travis, by Jeffrey Walton.
- Fix #158: open tls-session-ticket-keys as binary, for Windows. By
Daisuke HIGASHI.
- Merge PR#134, Allow the kernel to provide random source ports. By
Florian Obser.
- Log warning when using outgoing-port-permit and outgoing-port-avoid
while explicit port randomisation is disabled.
- Merge PR#194: Add libevent testing to Travis, by Jeffrey Walton.
- Fix .travis.yml error, missing 'env' option.
- Merge PR #197 from fobser: Make log_ident_revert_to_default() a
proper prototype.
- Merge PR #198 from fobser: Declare lz_enter_rr_into_zone()
static, it's only used in this file.
- Fix compile on Solaris for unbound-checkconf.
- Fix compile of test tools without protobuf.
- Merge PR #200 from yarikk: add ip-dscp option to specify the DSCP
tag for outgoing packets.
- Travis fix for ios by omitting tools from install.
- Merge PR #201 from noloader: Fix OpenSSL cross-compile warnings.
- Fix RPZ concurrency issue when using auth_zone_reload.
- Make unbound-control error returned on missing domain name more user
friendly.
|
- Merge PR #203 from noloader: Update README-Travis.md with current
|
|
|
|
|
procedures.
|
|
|
|
|
- Merge PR #207: Clarify if-automatic listens on 0.0.0.0 and ::
|
|
|
|
|
- Merge PR #208: Fix uncached CLIENT_RESPONSE'es on stateful
|
|
|
|
|
transports.
|
|
|
|
|
- Merge PR #206: Redis TTL, by Talkabout.
|
|
|
|
|
- More documentation for redis-expire-records option.
|
|
|
|
|
- Keep track of number of timeouts. Use this counter to determine if
|
|
|
|
|
capsforid fallback should be started.
|
|
|
|
|
- Merge PR #214 from gearnode: unbound-control-setup recreate
|
|
|
|
|
certificates. With the -r option the certificates are created
|
|
|
|
|
again, without it, only the files that do not exist are created.
|
|
|
|
|
- Fix #220: auth-zone section in config may lead to segfault.
|
|
|
|
|
- Fix help return code in unbound-control-setup script.
|
|
|
|
|
- Fix for posix shell syntax for trap in nsd-control-setup.
|
|
|
|
|
- Fix for posix shell syntax for trap in run_msg.sh test script.
|
|
|
|
|
- Add doxygen documentation for DSCP.
|
|
|
|
|
- Fix #222: --enable-rpath, fails to rpath python lib.
|
|
|
|
|
- Fix for count of reply states in the mesh.
|
|
|
|
|
- Remove unneeded was_mesh_reply check.
|
|
|
|
|
- Explicitly use 'rrset-roundrobin: no' for test cases.
|
|
|
|
|
- Cache ECS answers with longest scope of CNAME chain.
|
|
|
|
|
- windows compile warnings removal for ip dscp option code.
|
|
|
|
|
- Fix for integer overflow when printing RDF_TYPE_TIME.
|
|
|
|
|
- Update contrib/aaaa-filter-iterator.patch for the recent
|
|
|
|
|
generate_sub_request() change and to apply cleanly.
|
|
|
|
|
- Merge PR #241 by Robert Edmonds: contrib/libunbound.pc.in: Do not use
|
|
|
|
|
"Requires:".
|
|
|
|
|
- Mention tls name possible when tls is enabled for stub-addr in the
|
|
|
|
|
man page.
|
|
|
|
|
- Fix default explanation in man page for qname-minimisation-strict.
|
|
|
|
|
- Fix display of event loop method with libev.
|
|
|
|
|
- iana portlist updated.
|
|
|
|
|
- Move reply list clean for serve expired mesh callback to after
|
|
|
|
|
the reply is sent, so that script callbacks have reply_info.
|
|
|
|
|
- Also move reply list clean for mesh callbacks to the scrip callback
|
|
|
|
|
can see the reply_info.
|
|
|
|
|
- Fix for mesh accounting if the reply list already empty to begin
|
|
|
|
|
with.
|
|
|
|
|
- Fix for mesh accounting when rpz decides to drop a reply with a
|
|
|
|
|
tcp stream waiting for it.
|
|
|
|
|
- Review fix for number of detached states due to use of variable
|
|
|
|
|
after end of loop.
|
|
|
|
|
- Fix tcp req info drop due to size call into mesh accounting
|
|
|
|
|
removal of mesh state during mesh send reply.
|
|
|
|
|
- Fix #259: Fix unbound-checkconf does not check view existence.
|
|
|
|
|
unbound-checkconf checks access-control-view, access-control-tags,
|
|
|
|
|
access-control-tag-actions and access-control-tag-datas.
|
|
|
|
|
- Fix offset of error printout for access-control-tag-datas.
|
|
|
|
|
- Fix add missing DSA header, for compilation without deprecated
|
|
|
|
|
OpenSSL APIs.
|
|
|
|
|
- Fix to use SSL_CTX_set_tlsext_ticket_key_evp_cb in OpenSSL
|
|
|
|
|
3.0.0-alpha4.
|
|
|
|
|
- Longer keys for the test set, this avoids weak crypto errors.
|
|
|
|
|
- Add bidirectional frame streams support.
|
|
|
|
|
- Fix check conf test for referencing installation paths.
|
|
|
|
|
- Fix unused variable warning for clang analyzer.
|
|
|
|
|
- Merge PR #234 - Ensure proper alignment of cmsg buffers by Jérémie
|
|
|
|
|
Courrèges-Anglas.
|
|
|
|
|
- Fix PR #234 log_assert sizeof to use union buffer.
|
|
|
|
|
- Fix libnettle compile for session ticket key callback function
|
|
|
|
|
changes.
|
|
|
|
|
- Fix lock dependency cycle in rpz zone config setup.
|
|
|
|
|
- Fix streamtcp to print packet data to stdout. This makes the
|
|
|
|
|
stdout and stderr not mix together lines, when parsing its output.
|
|
|
|
|
- Fix contrib/fastrpz.patch to apply cleanly. It fixes for changes
|
|
|
|
|
due to added libdynmod, but it does not compile, it conflicts with
|
|
|
|
|
new rpz code.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
Tue May 19 10:45:19 UTC 2020 - Michael Ströder <michael@stroeder.com>

- update to 1.10.1 with security fixes
  * CVE-2020-12662 Unbound can be tricked into amplifying an incoming
    query into a large number of queries directed to a target.
  * CVE-2020-12663 Malformed answers from upstream name servers can be
    used to make Unbound unresponsive.
- removed unused unbound-1.10.1.tar.gz.asc for now

-------------------------------------------------------------------
Thu Feb 20 21:40:10 UTC 2020 - Michael Ströder <michael@stroeder.com>

- update to 1.10.0

  Features:
  - Merge RPZ support into master. Only QNAME and Response IP triggers are
    supported.
  - Added serve-stale functionality as described in
    draft-ietf-dnsop-serve-stale-10. `serve-expired-*` options can be used
    to configure the behavior.
  - Updated cachedb to honor `serve-expired-ttl`; Fixes #107.
  - Renamed statistic `num.zero_ttl` to `num.expired` as expired replies
    come with a configurable TTL value (`serve-expired-reply-ttl`).
  - Merge #135 from Florian Obser: Use passed in neg and key cache
    if non-NULL.
  - Fix #153: Disable validation for DSA algorithms. RFC 8624 compliance.
  - Merge PR#151: Fixes for systemd units, by Maryse47, Edmonds
    and Frzk. Updates the unbound.service systemd file and adds a portable
    systemd service file.
  - Merge PR#154; Allow use of libbsd functions with configure option
    --with-libbsd. By Robert Edmonds and Steven Chamberlain.
  - Merge PR#148; Add some TLS stats to unbound_munin_. By Fredrik Pettai.
  - Merge PR#156 from Alexander Berkes; Added unbound-control
    view_local_datas_remove command.

  Bug Fixes:
  - Fix typo to let serve-expired-ttl work with ub_ctx_set_option(), by
    Florian Obser
  - Update mailing list URL.
  - Fix #140: Document slave not downloading new zonefile upon update.
  - Downgrade compat/getentropy_solaris.c to version 1.4 from OpenBSD.
    The dl_iterate_phdr() function introduced in newer versions raises
    compilation errors on solaris 10.
  - Changes to compat/getentropy_solaris.c for,
    ifdef stdint.h inclusion for older systems. ifdef sha2.h inclusion
    for older systems.
  - Fix 'make test' to work for --disable-sha1 configure option.
  - Fix out-of-bounds null-byte write in sldns_bget_token_par while
    parsing type WKS, reported by Luis Merino from X41 D-Sec.
  - Updated sldns_bget_token_par fix for also space for the zero
    delimiter after the character. And update for more spare space.
  - Fix #138: stop binding pidfile inside chroot dir in systemd service
    file.
  - Fix the relationship between serve-expired and prefetch options,
    patch from Saksham Manchanda from Secure64.
  - Fix unreachable code in ssl set options code.
  - Removed the dnscrypt_queries and dnscrypt_queries_chacha tests,
    because dnscrypt-proxy (2.0.36) does not support the test setup
    any more, and also the config file format does not seem to have the
    appropriate keys to recreate that setup.
  - Fix crash after reload where a stats lookup could reference old key
    cache and neg cache structures.
  - Fix for memory leak when edns subnet config options are read when
    compiled without edns subnet support.
  - Fix auth zone support for NSEC3 records without salt.
  - Merge PR#150 from Frzk: Systemd unit without chroot. It adds
    contrib/unbound_nochroot.service.in, a systemd file for use with
    chroot: "", see comments in the file, it uses systemd protections
    instead. It was superseded by #151, the unbound_portable.service
    file.
  - Merge PR#155 from Robert Edmonds: contrib/libunbound.pc.in: Fixes
    to Libs/Requires for crypto library dependencies.
  - iana portlist updated.
  - Fix to silence the tls handshake errors for broken pipe and reset
    by peer, unless verbosity is set to 2 or higher.
  - Merge PR#147; change rfc reference for reserved top level dns names.
  - Fix #157: undefined reference to `htobe64'.
  - Fix subnet tests for disabled DSA algorithm by default.
  - Update contrib/fastrpz.patch for clean diff with current code.
  - updated .gitignore for added contrib file.
  - Add build rule for ipset to Makefile
  - Add getentropy_freebsd.o to Makefile dependencies.
  - Fix memory leak in error condition remote.c
  - Fix double free in error condition view.c
  - Fix memory leak in do_auth_zone_transfer on success
  - Stop working on socket when socket() call returns an error.
  - Check malloc return values in TLS session ticket code
  - Fix fclose on error in TLS session ticket code.
  - Add assertion to please static analyzer
  - Fixed stats when replying with cached, cname-aliased records.
  - Added missing default values for redis cachedb backend.
  - Fix num_reply_addr counting in mesh and tcp drop due to size
    after serve_stale commit.
  - Fix to create and destroy rpz_lock in auth_zones structure.
  - Fix to lock zone before adding rpz qname trigger.
  - Fix to lock and release once in mesh_serve_expired_lookup.
  - Fix to put braces around empty if body when threading is disabled.
  - Fix num_reply_states and num_detached_states counting with
    serve_expired_callback.
  - Cleaner code in mesh_serve_expired_lookup.
  - Document in unbound.conf manpage that configuration clauses can be
    repeated in the configuration file.
  - Document 'ub_result.was_ratelimited' in libunbound.
  - Fix use after free on log-identity after a reload; Fixes #163.
  - Fix with libnettle make test with dsa disabled.
  - Fix contrib/fastrpz.patch to apply cleanly. Fix for serve-stale
    fixes, but it does not compile, conflicts with new rpz code.
  - Fix to clean memory leak of respip_addr.lock when ip_tree deleted.
  - Fix compile warning when threads disabled.
  - Fix spelling in unbound.conf.5.in.
  - Stop unbound-checkconf from insisting that auth-zone and rpz
    zonefiles have to exist. They can not exist, and download later.
  - contrib/drop2rpz: perl script that converts the Spamhaus DROP-List
    in RPZ-Format, contributed by Andreas Schulze.
  - Remove unused variable.
  - Add respip to supported module-config options in unbound-checkconf.
  - Updated contrib/unbound_smf23.tar.gz with Solaris SMF service for
    Unbound from Yuri Voinov.

-------------------------------------------------------------------
Thu Dec 12 21:01:07 UTC 2019 - Michael Ströder <michael@stroeder.com>

- update to 1.9.6
  This release contains a number of security related fixes found in
  a security audit

  Features:
  - The unbound.conf includes are sorted ascending, for include
    statements with a '*' from glob.
  - drop-tld.diff in contrib/ : adds option drop-tld: yesno that drops 2 label
    queries, to stop random floods. Apply with
    patch -p1 < contrib/drop-tld.diff and compile.
    From Saksham Manchanda (Secure64). Please note that we think this
    will drop DNSKEY and DS lookups for tlds and hence break DNSSEC
    lookups for downstream clients.
  - Add new configure option `--enable-fully-static` to enable full static
    build if requested; in relation to #91.
  - Add make distclean that removes everything configure produced,
    and make maintainer-clean that removes bison and flex output.
  - unbound-fuzzers.tar.bz2 in contrib/ : three programs for fuzzing, that
    are 1:1 replacements for unbound-fuzzme.c that gets created after applying
    the contrib/unbound-fuzzme.patch. They are contributed by
    Eric Sesterhenn from X41 D-Sec.

  Bug Fixes:
  - Fix that pkg-config is setup before --enable-systemd needs it.
  - Fix contrib/fastrpz.patch asprintf return value checks.
  - ipset module #28: log that an address is added, when verbosity high.
  - ipset: refactor long routine into three smaller ones.
  - updated Makefile dependencies.
  - squelch DNS over TLS errors 'ssl handshake failed crypto error'
    on low verbosity, they show on verbosity 3 (query details), because
    there is a high volume and the operator cannot do anything for the
    remote failure. Specifically filters the high volume errors.
  - Fix #71: fix openssl error squelch commit compilation error.
  - Fix #72: configure --with-syslog-facility=LOCAL0-7 with default
    LOG_DAEMON (as before) can set the syslog facility that the server
    uses to log messages.
  - Use explicit bzero for wiping clear buffer of hash in cachedb,
    reported by Eric Sesterhenn from X41 D-Sec.
  - Fix #78: Memory leak in outside_network.c.
  - Merge pull request #76 from Maryse47: Improvements and fixes for
    systemd unbound.service.
  - oss-fuzz badge on README.md.
  - Fix fix for #78 to also free service callback struct.
  - Fix for oss-fuzz build warning.
  - Fix wrong response ttl for prepended short CNAME ttls, this would
    create a wrong zero_ttl response count with serve-expired enabled.
  - Merge #80 from stasic: Improve wording in man page.
  - Merge #82 from hardfalcon: Downgrade CAP_NET_ADMIN to CAP_NET_RAW
    in unbound.service.
  - Merge #81 from Maryse47: Consistently use /dev/urandom instead
    of /dev/random in scripts and docs.
  - Merge #83 from Maryse47: contrib/unbound.service.in: do not fork
    into the background.
  - Merge #85 for #84 from sam-lunt: Add kill capability to systemd
    service file to fix that systemctl reload fails.
  - Merge #87 from hardfalcon: Fix contrib/unbound.service.in,
    Drop CAP_KILL, use + prefix for ExecReload= instead.
  - Merge #90 from vcunat: fix build with nettle-3.5.
  - Fix for CVE-2019-16866. That fix is also in 1.9.4.
  - Merge #86 from psquarejho: Added -b source address option to
    smallapp/unbound-anchor.c, from Lukas Wunner.
  - Add doxygen comments to unbound-anchor source address code, in #86.
  - Merge #97: manpage: Add missing word on unbound.conf,
    from Erethon.
  - Fix #99: Memory leak in ub_ctx (event_base will never be freed).
  - Fix #109: check number of arguments for stdin-pipes in
    unbound-control and fail if too many arguments.
  - Merge #102 from jrtc27: Add getentropy emulation for FreeBSD.
  - iana portlist updated.
  - contrib/fastrpz.patch updated to apply for current code.
  - fixes for splint cleanliness, long vs int in SSL set_mode.
  - In unbound-host use separate variable for get_option to please
    code checkers.
  - update to bison output of 3.4.1 in code repository.
  - Provide a prototype for compat malloc to remove compile warning.
  - Portable grep usage for reuseport configure test.
  - Check return type of HMAC_Init_ex for openssl 0.9.8.
  - gitignore .source tempfile used for compatible make.
  - Fix for CVE-2019-18934, shell execution in ipsecmod.
    This fix is also in 1.9.5.
  - Fix authzone printout buffer length check.
  - Fixes to please lint checks.
  - Fix Integer Overflow in Regional Allocator,
    reported by X41 D-Sec.
  - Fix Unchecked NULL Pointer in dns64_inform_super()
    and ipsecmod_new(), reported by X41 D-Sec.
  - Fix Out-of-bounds Read in rr_comment_dnskey(),
    reported by X41 D-Sec.
  - Fix Integer Overflows in Size Calculations,
    reported by X41 D-Sec.
  - Fix Integer Overflow to Buffer Overflow in
    sldns_str2wire_dname_buf_origin(), reported by X41 D-Sec.
  - Fix Out of Bounds Read in sldns_str2wire_dname(),
    reported by X41 D-Sec.
  - Fix Out of Bounds Write in sldns_bget_token_par(),
    reported by X41 D-Sec.
  - Fix Out of Bounds Read in rrinternal_get_owner(),
    reported by X41 D-Sec.
  - Fix Race Condition in autr_tp_create(),
    reported by X41 D-Sec.
  - Fix Shared Memory World Writeable,
    reported by X41 D-Sec.
  - Adjust unbound-control to make stats_shm a read only operation.
  - Fix Weak Entropy Used For Nettle,
    reported by X41 D-Sec.
  - Fix Randomness Error not Handled Properly,
    reported by X41 D-Sec.
  - Fix Out-of-Bounds Read in dname_valid(),
    reported by X41 D-Sec.
  - Fix Config Injection in create_unbound_ad_servers.sh,
    reported by X41 D-Sec.
  - Fix Local Memory Leak in cachedb_init(),
    reported by X41 D-Sec.
  - Fix Integer Underflow in Regional Allocator,
    reported by X41 D-Sec.
  - Upgrade compat/getentropy_linux.c to version 1.46 from OpenBSD.
  - Synchronize compat/getentropy_win.c with version 1.5 from
    OpenBSD, no changes but makes the file, comments, identical.
  - Upgrade compat/getentropy_solaris.c to version 1.13 from OpenBSD.
  - Upgrade compat/getentropy_osx.c to version 1.12 from OpenBSD.
  - Changes to compat/getentropy files for,
    no link to openssl if using nettle, and hence config.h for
    HAVE_NETTLE variable.
    compat definition of MAP_ANON, for older systems.
    ifdef stdint.h inclusion for older systems.
    ifdef sha2.h inclusion for older systems.
  - Fixed Compat Code Diverging from Upstream, reported by X41 D-Sec.
  - Fix compile with --enable-alloc-checks, reported by X41 D-Sec.
  - Fix Terminating Quotes not Written, reported by X41 D-Sec.
  - Fix Useless memset() in validator, reported by X41 D-Sec.
  - Fix Unrequired Checks, reported by X41 D-Sec.
  - Fix Enum Name not Used, reported by X41 D-Sec.
  - Fix NULL Pointer Dereference via Control Port,
    reported by X41 D-Sec.
  - Fix Bad Randomness in Seed, reported by X41 D-Sec.
  - Fix python examples/calc.py for eval, reported by X41 D-Sec.
  - Fix comments for doxygen in dns64.
  - Fix dname loop maximum, reported by Eric Sesterhenn from X41 D-Sec.
  - Fix compiler warnings.
  - Merge pull request #122 from he32: In tcp_callback_writer(),
    don't disable time-out when changing to read.
  - Merge pull request #124 from rmetrich: Changed log lock
    from 'quick' to 'basic' because this is an I/O lock.
  - Fix text around serial arithmetic used for RRSIG times to refer
    to correct RFC number.
  - Fix Assert Causing DoS in synth_cname(),
    reported by X41 D-Sec.
  - Fix similar code in auth_zone synth cname to add the extra checks.
  - Fix Assert Causing DoS in dname_pkt_copy(),
    reported by X41 D-Sec.
  - Fix OOB Read in sldns_wire2str_dname_scan(),
    reported by X41 D-Sec.
  - Fix Out of Bounds Write in sldns_str2wire_str_buf(),
    reported by X41 D-Sec.
  - Fix Out of Bounds Write in sldns_b64_pton(),
    fixed by check in sldns_str2wire_int16_data_buf(),
    reported by X41 D-Sec.
  - Fix Insufficient Handling of Compressed Names in dname_pkt_copy(),
    reported by X41 D-Sec.
  - Fix Out of Bound Write Compressed Names in rdata_copy(),
    reported by X41 D-Sec.
  - Fix Hang in sldns_wire2str_pkt_scan(),
    reported by X41 D-Sec.
    This further lowers the max to 256.
  - Fix snprintf() supports the n-specifier,
    reported by X41 D-Sec.
  - Fix Bad Indentation, in dnscrypt.c,
    reported by X41 D-Sec.
  - Fix Client NONCE Generation used for Server NONCE,
    reported by X41 D-Sec.
  - Fix compile error in dnscrypt.
  - Fix _vfixed not Used, removed from sbuffer code,
    reported by X41 D-Sec.
  - Fix Hardcoded Constant, reported by X41 D-Sec.
  - make depend
  - Fix lock type for memory purify log lock deletion.
  - Fix testbound for alloccheck runs, memory purify and lock checks.
  - update contrib/fastrpz.patch to apply more cleanly.
  - Fix Make Test Fails when Configured With --enable-alloc-nonregional,
    reported by X41 D-Sec.
  - Fix ipsecmod compile
  - Fix Makefile.in for ipset module compile, from Adi Prasaja.

-------------------------------------------------------------------
Tue Nov 19 20:16:14 UTC 2019 - Michael Ströder <michael@stroeder.com>

- update to 1.9.5
  Fix for CVE-2019-18934

-------------------------------------------------------------------
Thu Oct 3 14:14:06 UTC 2019 - Michael Ströder <michael@stroeder.com>

- update to 1.9.4
  security fix for CVE-2019-16866 (error in parsing NOTIFY queries)

-------------------------------------------------------------------
Tue Aug 27 18:33:04 UTC 2019 - Michael Ströder <michael@stroeder.com>

- update to 1.9.3

  Features:
  - PR #28: IPSet module, by Kevin Chou. Created a module to support
    the ipset that could add the domain's ip to a list easily.
    Needs libmnl, and --enable-ipset and config it, doc/README.ipset.md.
  - Merge PR #6: Python module: support multiple instances
  - Merge PR #5: Python module: define constant MODULE_RESTART_NEXT
  - Merge PR #4: Python module: assign something useful to the
    per-query data store 'qdata'
  - Introduce `-V` option to print the version number and build options.
    Previously reported build options like linked libs and linked modules
    are now moved from `-h` to `-V` as well for consistency.
  - PACKAGE_BUGREPORT now also includes link to GitHub issues.

  Bug Fixes:
  - Fix #39: In libunbound, leftover logfile is close()d unpredictably.
  - Fix for #24: Fix abort due to scan of auth zone masters using old
    address from previous scan.
  - Fix to omit RRSIGs from addition to the ipset.
  - Fix to make unbound-control with ipset, remove unused variable,
    use unsigned type because of comparison, and assign null instead
    of compare with it. Remade lex and yacc output.
  - make depend
  - Added documentation to the ipset files (for doxygen output).
  - Fix python dict reference and double free in config.
  - Fix memleak in unit test, reported from the clang 8.0 static analyzer.
  - For #45, check that 127.0.0.1 and ::1 are not used in unbound.conf
    when do-not-query-localhost is turned on, or at default on,
    unbound-checkconf prints a warning if it is found in forward-addr or
    stub-addr statements.
  - Fix for possible assertion failure when answering respip CNAME from
    cache.
  - Fix in respip addrtree selection. Absence of addr_tree_init_parents()
    call made it impossible to go up the tree when the matching netmask is
    too specific.
  - Fix #48: Unbound returns additional records on NODATA response,
    if minimal-responses is enabled, also the additional for negative
    responses is removed.
  - Fix #49: Set no renegotiation on the SSL context to stop client
    session renegotiation.
  - Fix question section mismatch in local zone redirect.
  - Add verbose log message when auth zone file is written, at level 4.
  - Add hex print of trust anchor pointer to trust anchor file temp
    name to make it unique, for libunbound created multiple contexts.
  - For #52 #53, second context does not close logfile override.
  - Fix #52 #53, fix for example fail program.
  - Fix to return after failed auth zone http chunk write.
  - Fix to remove unused test for task_probe existence.
  - Fix to timeval_add for remaining second in microseconds.
  - Check repinfo in worker_handle_request, if null, drop it.
  - Generate configlexer with newer flex.
  - Fix warning for unused variable for compilation without systemd.
  - Fix #59, when compiled with systemd support check that we can properly
    communicate with systemd through the `NOTIFY_SOCKET`.
  - iana portlist updated.
  - Fix autotrust temp file uniqueness windows compile.
  - avoid warning about upcast on 32bit systems for autotrust.
  - escape commandline contents for -V.
  - Fix character buffer size in ub_ctx_hosts.
  - Option -V prints if TCP fastopen is available.
  - Fix unittest valgrind false positive uninitialised value report,
    where if gcc 9.1.1 uses -O2 (but not -O1) then valgrind 3.15.0
    issues an uninitialised value for the token buffer at the str2wire.c
    rrinternal_get_owner() strcmp with the '@' value. Rewritten to use
    straight character comparisons removes the false positive. Also
    valgrinds --expensive-definedness-checks=yes can stop this false
    positive.
  - Please doxygen's parser for "@" occurrence in doxygen comment.
  - Fixup contrib/fastrpz.patch
  - Remove warning about unknown cast-function-type warning pragma.
  - Document limitation of pidfile removal outside of chroot directory.
  - Fix log_dns_msg to log irrespective of minimal responses config.
  - Fix that pkg-config is setup before --enable-systemd needs it.

-------------------------------------------------------------------
Mon Jul 29 11:34:13 UTC 2019 - Dominique Leuenberger <dimstar@opensuse.org>

- Update the Conflict in libunbound-devel-mini after the library
  package name change from libunbound2 to libunbound8.

-------------------------------------------------------------------
Mon Jun 17 17:21:10 UTC 2019 - Michael Ströder <michael@stroeder.com>

- update to 1.9.2

  Features
  - add type CAA to libpyunbound (accessing libunbound from python).
  - Fix #17: Add python module example from Jan Janak, that is a
    plugin for the Unbound DNS resolver to resolve DNS records in
    multicast DNS [RFC 6762] via Avahi. The plugin communicates
    with Avahi via DBus. The comment section at the beginning of
    the file contains detailed documentation.
  - travis build file.
  - PR #16: XoT support, AXFR over TLS, turn it on with
    master: <ip>#<authname> in unbound.conf. This uses TLS to
    download the AXFR (or IXFR).

  Bug Fixes
  - Fix for #4233: guard use of NDEBUG, so that it can be passed in
    CFLAGS into configure.
  - Add log message, at verbosity 4, that says the query is encrypted
    with TLS, if that is enabled for the query.
  - Fix #4239: set NOTIMPL when deny-any is enabled, for RFC8482.
  - Fix #4240: Fix whitespace cleanup in example.conf.
  - Fix that tls-session-ticket-keys: "" on its own in unbound.conf
    disables the tls session ticket key calls into the OpenSSL API.
  - Fix crash if tls-service-pem not filled in when necessary.
  - Fix auth-zone NSEC3 response for empty nonterminals with exact
    match nsec3 records.
  - Fix for out of bounds integers, thanks to OSTIF audit. It is in
    allocation debug code.
  - Fix for auth zone nsec3 ent fix for wildcard nodata.
  - Move goto label in answer_from_cache to the end of the function
    where it is more visible.
  - Fix auth-zone NSEC3 response for wildcard nodata answers,
    include the closest encloser in the answer.
  - Fix spelling error in log output for event method.
  - Fix to reinit event structure for accepted TCP (and TLS) sockets.
  - Fix to use event_assign with libevent for thread-safety.
  - verbose information about auth zone lookup process, also lookup
    start, timeout and fail.
  - Fix to wipe ssl ticket keys from memory with explicit_bzero,
    if available.
  - Fix that auth zone uses correct network type for sockets for
    SOA serial probes. This fixes that probes fail because earlier
    probe addresses are unreachable.
  - Fix that auth zone fails over to next master for timeout in tcp.
  - Squelch SSL read and write connection reset by peer and broken pipe
    messages. Verbosity 2 and higher enables them.
  - Update python documentation for init_standard().
  - Typos.
  - Fix tls write event for read state change to re-call SSL_write and
    not resume the TLS handshake.
  - Better braces in if statement in TCP fastopen code.
  - iana portlist updated.
  - Scrub RRs from answer section when reusing NXDOMAIN message for
    subdomain answers.
  - For harden-below-nxdomain: do not consider a name to be non-existent
    when message contains a CNAME record.
  - Fix wrong query name in local zone redirect answers with a CNAME,
    the copy of the local alias is in unpacked form.
  - contrib/fastrpz.patch updated for code changes, and with git diff.
  - Fix #29: Solaris 11.3 and missing symbols be64toh, htobe64.
  - Fix #30: AddressSanitizer finding in lookup3.c. This sets the
    hash function to use a slower but better auditable code that does
    not read beyond array boundaries. This makes code better security
    checkable, and is better for security. It is fixed to be slower,
    but not read outside of the array.
  - Fix edns-subnet locks, in error cases the lock was not unlocked.
  - Fix doxygen output error on readme markdown vignettes.
  - Squelch log messages from tcp send about connection reset by peer.
    They can be enabled with verbosity at higher values for diagnosing
    network connectivity issues.
  - Attempt to fix malformed tcp response.
  - Fix #31: swig 4.0 and python module.
  - Note that so-reuseport at extreme load is better turned off,
    otherwise queries are not distributed evenly, on Linux 4.4.x.
  - Fix that spoolbuf is not used to store tcp pipelined response
    between mesh send and callback end.
  - Fix double file close in tcp pipelined response code.
|
- Fix to define _OPENBSD_SOURCE to get reallocarray on NetBSD.
|
|
|
|
|
- Fix to guard _OPENBSD_SOURCE from redefinition.
|
|
|
|
|
- Fix that fixes the Fix that spoolbuf is not used to store tcp
|
|
|
|
|
pipelined response between mesh send and callback end, this fixes
|
|
|
|
|
error cases that did not use the correct spoolbuf.
|
|
|
|
|
- Fix that fixes the Fix that spoolbuf is not used to store tcp
|
|
|
|
|
pipelined response between mesh send and callback end, this fixes
|
|
|
|
|
error cases that did not use the correct spoolbuf.
|
|
|
|
|
- Fix another spoolbuf storage code point, in prefetch.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
Mon Mar 18 12:16:58 UTC 2019 - Michael Ströder <michael@stroeder.com>

- update to 1.9.1

Features
- Add local-zone type inform_redirect, which logs like type inform,
  and redirects like type redirect.
- Perform canonical sort for 0x20 capsforid compare of replies,
  this sorts rrsets in the authority and additional section before
  comparison, so that out of order rrsets do not cause failure.
- Print query name with ip_ratelimit exceeded log lines.
  Spaces instead of tabs in that log message.
- Print query name and IP address when domain rate limit exceeded.

Bug Fixes
- Fix #4224: auth_xfr_notify.rpl test broken due to typo
- Fix locking for libunbound context setup with broken port config.
- Fix case in which query timeout can result in marking delegation
  as edns_lame_known.
- Set ub_ctx_set_tls call signature in ltrace config file for
  libunbound in contrib/libunbound.so.conf.
- improve documentation for tls-service-key and forward-first.
- #10: fixed pkg-config operations, PKG_PROG_PKG_CONFIG moved out of
  conditional section, fixes systemd builds, from Enrico Scholz.
- #9: For openssl 1.0.2 use the CRYPTO_THREADID locking callbacks,
  still supports the set_id_callback previous API. And for 1.1.0
  no locking callbacks are needed.
- #8: Fix OpenSSL without ENGINE support compilation.
- Wipe TLS session key data from memory on exit.
- Fix that log-replies prints the correct name for local-alias
  names, for names that have a CNAME in local-data configuration.
  It logs the original query name, not the target of the CNAME.
- Fix #4206: OpenSSL 1.0.2 hostname verification for FreeBSD 11.2.
- Fix that qname minimisation does not skip a label when missing
  nameserver targets need to be fetched.
- Fix #4225: clients seem to erroneously receive no answer with
  DNS-over-TLS and qname-minimisation.
- Note default for module-config in man page.
- Fix #13: Remove left-over requirements on OpenSSL >= 1.1.0 for
  cert name matching, from man page.
- Fix capsforid canonical sort qsort callback.
- Fix pythonmod include and sockaddr_un ifdefs for compile on
  Windows, and for libunbound.
- Fix that the error for an unknown module in module-config is
  understandable, and explains it was not compiled in and where to
  see the list.
- In example.conf explain where to put cachedb module in module-config.
- In man page and example config explain that most modules have to
  be listed at the start of module-config.
- Fix #4227: pair event del and add for libevent for tcp_req_info.
- Fix #4229: Unbound man pages lack information, about access-control
  order and local zone tags, and elements in views.
- Fix #14: contrib/unbound.init: Fix wrong comparison judgment
  before copying.
- Fix for python module on Windows, fix fopen.
- Remove memory leak on pythonmod python2 script file init.
- Remove swig gcc8 python function cast warnings, they are ignored.
- Print correct module that failed when module-config is wrong.

-------------------------------------------------------------------
Fri Dec 28 17:16:01 UTC 2018 - Jan Engelhardt <jengelh@inai.de>

- Reorder scriptlet %if guards so that no empty scriptlets are
  emitted. Add one missing %if %{with systemd}.
- Replace %__-type macro indirections.

-------------------------------------------------------------------
Tue Dec 11 19:59:00 UTC 2018 - Michael Ströder <michael@stroeder.com>

- update to 1.8.3 fixes crash bug introduced in 1.8.2
  in the dns64 processing.

-------------------------------------------------------------------
Wed Dec 5 11:12:42 UTC 2018 - Michael Ströder <michael@stroeder.com>

- update to 1.8.2

Features
- Add fast-server-permil and fast-server-num options.
- Deprecate low-rtt and low-rtt-permil options.
- Change fast-server-num default to 3.
- Fix #4154: make ECS_MAX_TREESIZE configurable, with
  the max-ecs-tree-size-ipv4 and max-ecs-tree-size-ipv6 options.
- Fix #4190: Please create a "ANY" deny option, adds the option
  deny-any: yes in unbound.conf. This responds with an empty message
  to queries of type ANY.
- Fix #4126: RTT_band too low on VSAT links with 600+ms latency,
  adds the option unknown-server-time-limit to unbound.conf that
  can be increased to avoid the problem.
- Add min-client-subnet-ipv6 and min-client-subnet-ipv4 options.
- Support SO_REUSEPORT_LB in FreeBSD 12 with the so-reuseport: yes
  option in unbound.conf.
- Add unbound-control view_local_datas command, like local_datas.

Bug Fixes
- dnscrypt.c removed sizeof to get array bounds.
- Fix testlock code to set noreturn on error routine.
- Remove unused variable from contrib fastrpz/rpz.c and
  remove unused diagnostic pragmas that themselves generate warnings.
- clang analyze test is used only when assertions are enabled.
- Squelch EADDRNOTAVAIL errors when the interface goes away,
  this omits 'can't assign requested address' errors unless
  verbosity is set to a high value.
- Set default for so-reuseport to no for FreeBSD. It is enabled
  by default for Linux and DragonFlyBSD. The setting can
  be configured in unbound.conf to override the default.
- iana port update.
- Squelch log of failed to tcp initiate after TCP Fastopen failure.
- Fix #4192: unbound-control-setup generates keys not readable by
  group.
- check that the dnstap socket file can be opened and exists, print
  error if not.
- Add markdel function to ECS slabhash.
- Limit ECS scope returned to client to the scope used for caching.
- Fix #4191: NXDOMAIN vs SERVFAIL during dns64 PTR query.
- Fix #4141: More randomness to rrset-roundrobin.
- Fix #4132: Openness/closeness of RANGE intervals in rpl files.
- remade makefile dependencies.
- Fix #4152: Logs shows wrong time when using log-time-ascii: yes.
- Scrub NS records from NXDOMAIN responses to stop fragmentation
  poisoning of the cache.
- Scrub NS records from NODATA responses as well.
- Add patch from Jan Vcelak for pythonmod,
  add sockaddr_storage getters, add support for query callbacks,
  allow raw address access via comm_reply and update API documentation.
- Removed compile warnings in pythonmod sockaddr routines.
- With ./configure --with-pyunbound --with-pythonmodule
  PYTHON_VERSION=3.6 or with 2.7 unbound can compile and unit tests
  succeed for the python module.
- pythonmod logs the python error and traceback on failure.
- ignore debug python module for test in doxygen output.
- review fixes for python module.
- Fix #4209: Crash in libunbound when called from getdns.
- auth zone zonefiles can be in a chroot, the chroot directory
  components are removed before use.
- Fix that empty zonefile means the zonefile is not set and not used.
- Fix to not set GLOB_NOSORT so the unbound.conf include: files are
  sorted and in a predictable order.
- Fix #4193: Fix that prefetch failure does not overwrite valid cache
  entry with SERVFAIL.
- Fix DNS64 to not store intermediate results in cache, this avoids
  other threads from picking up the wrong data. The module restores
  the previous no_cache_store setting when the module is finished.
- Fix #4208: 'stub-no-cache' and 'forward-no-cache' not work.
- New and better fix for Fix #4193: Fix that prefetch failure does
  not overwrite valid cache entry with SERVFAIL.
- auth-zone give SERVFAIL when expired, fallback activates when
  expired, and this is documented in the man page.
- stat count SERVFAIL downstream auth-zone queries for expired zones.
- Update contrib fastrpz patch for latest release.
- Fix chroot auth-zone fix to remove chroot prefix.

-------------------------------------------------------------------
Tue Oct 16 15:01:15 UTC 2018 - Karol Babioch <kbabioch@suse.com>

- Removed intermediate certificates from certificate bundle (bsc#1112033)

-------------------------------------------------------------------
Mon Oct 8 13:42:15 UTC 2018 - Michael Ströder <michael@stroeder.com>

- update to 1.8.1:
  Number of bug fixes, a list of features added and some defaults changed.

Features:
- Perform TLS SNI indication of the host that is being contacted
  for DNS over TLS service. It sets the configured tls auth name.
  This is useful for hosts that apart from the DNS over TLS services
  also provide other (web) services.
Bug Fixes:
- More explicitly mention the type of ratelimit when applying
  ip-ratelimit.
- Fix spelling error in header, from getdns commit by Andreas Gelmini.
- iana port update.
- Fixed unused return value warnings in contrib/fastrpz.patch for
  asprintf.
- Fix to squelch respip warning in unit test, it is printed at
  higher verbosity settings.
- Fix spelling errors.
- Fix initialisation in remote.c
- Fix seed for random backup code to use explicit zero when wiped.
- exit log routine is annotated as noreturn function.
- free memory leaks in config strlist and str2list insert functions.
- do not move unused argv variable after getopt.
- Remove unused if clause in testcode.
- in testcode, free async ids, initialise array, and check for null
  pointer during test of the test. And use exit for return to note
  irregular program stop.
- Free memory leak in config strlist append.
- make sure nsec3 comparison salt is initialized.
- unit test has clang analysis.
- remove unused variable assignment from iterator scrub routine.
- check for null in delegation point during iterator refetch
  in forward zone.
- neater pointer cast in libunbound context quit routine.
- initialize statistics totals for printout.
- in authzone check that node exists before adding rrset.
- in unbound-anchor, use readwrite memory BIO.
- assertion in autotrust that packed rrset is formed correctly.
- Fix memory leak when message parse fails partway through copy.
- remove unused udpsize assignment in message encode.
- nicer bio free code in unbound-anchor.
- annotate exit functions with noreturn in unbound-control.
- Fix compile on Mac for unbound, provide explicit_bzero when libc
  does not have it.
- Fix unbound for openssl in FIPS mode, it uses the digests with
  the EVP call contexts.
- Fix that with harden-below-nxdomain and qname minimisation enabled
  some iterator states for nonresponsive domains can get into a
  state where they waited for an empty list.
- Stop UDP to TCP failover after timeouts that causes the ping count
  to be reset by the TCP time measurement (that exists for TLS),
  because that causes the UDP part to not be measured as timeout.
- Fix #4156: Fix systemd service manager state change notification.
- Fix #4149: Add SSL cleanup for tcp timeout.
- Fix #4188: IPv6 forwarders without ipv6 result in SERVFAIL, fixes
  qname minimisation with a forwarder when connectivity has issues
  from rejecting responses.
- fastrpz.patch fixed.

-------------------------------------------------------------------
Thu Sep 17 17:00:00 UTC 2018 - michael@stroeder.com

- update to 1.8.0:
  Number of bug fixes, a list of features added and some defaults changed.

Features
- unbound-control auth_zone_reload _zone_ option rereads the zonefile.
- unbound-control auth_zone_transfer _zone_ option starts the probe
  sequence for a master to transfer the zone from and transfers when
  a new zone version is available.
- num.queries.tls counter for queries over TLS.
- log port number with err_addr logs.
- dns64-ignore-aaaa: config option to list domain names for which the
  existing AAAA is ignored and dns64 processing is used on the A
  record.
- Fix #4112: Fix that unbound-anchor -f /etc/resolv.conf will not pass
  if DNSSEC is not enabled. New option -R allows fallback from
  resolv.conf to direct queries.
- Note RFC8162 support. SMIMEA record type can be read in by the
  zone record parser.
- Patches from Jim Hague (Sinodun) for EDNS KeepAlive.
- Add config tcp-idle-timeout (default 30s). This applies to
  client connections only; the timeout on TCP connections upstream
  is unaffected.
- Add edns-tcp-keepalive and edns-tcp-keepalive timeout options
  and implement option in client responses.
- Add delay parameter to streamtcp, -d secs.
  To be used when testing idle timeout.
- Expose if a query (or a subquery) was ratelimited (not src IP
  ratelimiting) to libunbound under 'ub_result.was_ratelimited'.
  This also introduces a change to 'ub_event_callback_type' in
  libunbound/unbound-event.h.
- Patch to implement tcp-connection-limit from Jim Hague (Sinodun).
  This limits the number of simultaneous TCP client connections
  from a nominated netblock.
- Fix #4142: unbound.service.in: improvements and fixes.
  Add unit dependency ordering (based on systemd-resolved).
  Add 'CAP_SYS_RESOURCE' to 'CapabilityBoundingSet' (fixes warnings
  about missing privileges during startup). Add 'AF_INET6' to
  'RestrictAddressFamilies' (without it IPv6 can't work). From
  Guido Shanahan.
- unbound-checkconf checks if modules exist and, if they are not
  compiled in, prints the name of the wrong module.
- Patch for stub-no-cache and forward-no-cache options that disable
  caching for the contents of that stub or forward, for when you
  want immediate changes visible, from Bjoern A. Zeeb.
- Upgraded crosscompile script to include libunbound DLL in the
  zipfile.
- Set libunbound to increase current, because of the libunbound change
  to the event callback function signature. That needs programs,
  that use it, to recompile against the new header definition.
- log-servfail: yes prints log lines that say why queries are
  returning SERVFAIL to clients.
- log-local-actions: yes option for unbound.conf that logs all the
  local zone actions, a patch from Saksham Manchanda (Secure64).
- #4146: num.query.subnet and num.query.subnet_cache counters.
- #4140: Expose repinfo (comm_reply) to the inplace_callbacks. This
  gives access to reply information for the client's communication
  point when the callback is called before the mesh state (modules).
  Changes to C and Python's inplace_callback signatures were also
  necessary.
- Set defaults to yes for a number of options to increase speed and
  resilience of the server. The so-reuseport, harden-below-nxdomain,
  and minimal-responses options are enabled by default. They used
  to be disabled by default, waiting to make sure they worked. They
  are enabled by default now, and can be disabled explicitly by
  setting them to "no" in the unbound.conf config file. The reuseport
  and minimal options increase speed of the server, and should be
  otherwise harmless. The harden-below-nxdomain option works well
  together with the recently default enabled qname minimisation, this
  causes more fetches to use information from the cache.
- Added serve-expired-ttl and serve-expired-ttl-reset options.

Bug Fixes
- Windows example service.conf edited with more windows specific
  configuration.
- #4108: systemd reload hang fix.
- Fix usage printout for unbound-host, hostname has to be last
  argument on BSDs and Windows.
- Partial fix for permission denied on IPv6 address on FreeBSD.
- Fix that auth-zone master reply with current SOA serial does not
  stop scan of masters for an updated zone.
- Fix that auth-zone does not start the wait timer without checking
  if the wait timer has already been started.
- #4109: Fix that package config depends on python unconditionally.
- Patch, do not export python from pkg-config, from Petr Menšík.
- Fix checking for libhiredis printout in configure output.
- Fix typo on man page in ip-address description.
- Update libunbound/python/examples/dnssec_test.py example code to
  also set the 20326 trust anchor for the root in the example code.
- Better documentation for unblock-lan-zones and insecure-lan-zones
  config statements.
- Fix permission denied printed for auth zone probe random port nrs.
- Fix documentation ambiguity for tls-win-cert in tls-upstream and
  forward-tls-upstream docs.
- iana port update.
- Fix round robin for failed addresses with prefer-ip6: yes
- Note in documentation that the cert name match code needs
  OpenSSL 1.1.0 or later to be enabled.
- Fix to improve systemd socket activation code file descriptor
  assignment.
- Fix for 4126 that the #define for UNKNOWN_SERVER_NICENESS can be more
  easily changed to adjust default rtt assumptions.
- Fix #4127 unbound -h does not list -p help.
- Print error if SSL name verification configured but not available
  in the ssl library.
- Fix that ratelimit and ip-ratelimit are applied after reload of
  changed config file.
- Resize ratelimit and ip-ratelimit caches if changed on reload.
- Fix #4129 unbound-control error message with wrong cert permissions
  is too cryptic.
- Fix #4130: print text describing -dd and unbound-checkconf on
  config file read error at startup, the errors may have been moved
  away by the startup process.
- Fix #4131: for solaris, error YY_CURRENT_BUFFER undeclared.
- Fix use-systemd readiness signalling, only when use-systemd is yes
  and not in signal handler.
- Fix #4135: 64-bit Windows Installer Creates Entries Under The
  Wrong Registry Key, reported by Brian White.
- Fix man page, say that chroot is enabled by default.
- Sort out test runs when the build directory isn't the project
  root directory.
- Error if EDNS Keepalive received over UDP.
- Correct and expand manual page entries for keepalive and idle timeout.
- Implement progressive backoff of TCP idle/keepalive timeout.
- Fix 'make depend' to work when build dir is not project root.
- Fix #4139: Fix unbound-host leaks memory on ANY.
- Fix to remove systemd sockaddr function check, that is not
  always present. Make socket activation more lenient. But not
  different when socket activation is not used.
- Fix #4136: insufficiency from mismatch of FLEX capability between
  released tarball and build host. Fix to unconditionally call
  destroy in daemon.c.
- Make capsforid fallback QNAME minimisation aware.
- document --enable-subnet in doc/README.
- Fix #4144: dns64 module caches wrong (negative) information.
- Fix that printout of error for cycle targets is a verbosity 4
  printout and does not wrongly print it is a memory error.
- Fix segfault in auth-zone read and reorder of RRSIGs.
- Fix contrib/fastrpz.patch.
- Fix warning on compile without threads.
- print servfail info to log as error.
- added more servfail printout statements, to the iterator.
- Fix classification for QTYPE=CNAME queries when QNAME minimisation is
  enabled.
- Fix only misc failure from log-servfail when val-log-level is not
  enabled.
- Fix lintflags for lint on FreeBSD.
- Fix that a local-zone with a local-zone-type that is transparent
  in a view with view-first, makes queries check for answers from the
  local-zones defined outside of views.

-------------------------------------------------------------------
Thu Jun 21 09:19:02 UTC 2018 - michael@stroeder.com

- update to 1.7.3

Features
- #4102 for NSD, but for Unbound. Named unix pipes do not use
  certificate and key files, access can be restricted with file and
  directory permissions. The option control-use-cert is no longer
  used, and ignored if found in unbound.conf.
- Rename tls-additional-ports to tls-additional-port, because every
  line adds one port.

Bug Fixes
- Don't count CNAME response types received during qname minimisation
  as query restart.
- #4100: Fix stub reprime when it becomes useless.
- Fix crash if ratelimit taken into use with unbound-control
  instead of with unbound.conf.
- Patch to fix openwrt for mac os build darwin detection in configure.
- #4103: Fix that auth-zone does not insist on SOA record first in
  file for url downloads.
- Fix that first control-interface determines if TLS is used. Warn
  when IP address interfaces are used without TLS.
- Fix that control-use-cert: no works for 127.0.0.1 to disable certs.
- Fix unbound-checkconf for control-use-cert.
- Fix for unbound-control on Windows and set TCP socket parameters
  more closely.
- Fix windows unbound-control no cert bad file descriptor error.

-------------------------------------------------------------------
Mon Jun 11 13:05:51 UTC 2018 - michael@stroeder.com

- update to 1.7.2
  * This release fixes bugs in DNS-over-TLS for windows, and adds the option
    for windows users to use the CA certificates from the Windows cert
    stores, tls-win-cert: yes in unbound.conf.
  * The code has been updated with a speed up that improves performance for
    large numbers of incoming TCP and TLS connections.
  * There is an option to allow ignoring an unset RD bit for access control
    subnets and always allow recursion for the request.

-------------------------------------------------------------------
Thu May 3 16:38:07 UTC 2018 - michael@stroeder.com

- update to 1.7.1

Features
- Add --with-libhiredis, unbound support for a new cachedb
  backend that uses a Redis server as the storage. This
  implementation depends on the hiredis client library
  (https://redislabs.com/lp/hiredis/).
  And unbound should be built with both --enable-cachedb and
  --with-libhiredis[=PATH] (where $PATH/include/hiredis/hiredis.h
  should exist). Patch from Jinmei Tatuya (Infoblox).
- Create additional tls service interfaces by opening them on other
  portnumbers and listing the portnumbers as additional-tls-port: nr.
- ED448 support.
- num.query.authzone.up and num.query.authzone.down statistics counters.
- Accept both option names with and without colon for get_option
  and set_option.
- low-rtt and low-rtt-pct in unbound.conf enable the server selection
  of fast servers for some percentage of the time.
- num.query.aggressive.NOERROR and num.query.aggressive.NXDOMAIN
  statistics counters.
- allow-notify: config statement for auth-zones.
- Can set tls authentication with forward-addr: IP#tls.auth.name
  And put the public cert bundle in tls-cert-bundle: "ca-bundle.pem".
  such as forward-addr: 9.9.9.9@853#dns.quad9.net or
  1.1.1.1@853#cloudflare-dns.com
- list_auth_zones unbound-control command.
- Added root-key-sentinel support

Bug Fixes
- Fix #3727: Protocol name is TLS, options have been renamed but
  documentation is not consistent.
- Check IXFR start serial.
- Fix typo in documentation.
- Fix #3736: Fix 0 TTL domains stuck on SERVFAIL unless manually
  flushed with serve-expired on.
- Fix #3817: core dump happens in libunbound delete, when queued
  servfail hits deleted message queue.
- corrected a minor typo in the changelog.
- move htobe64/be64toh portability code to cachedb.c.
- iana port update.
- Do not use cached NSEC records to generate negative answers for
  domains under DNSSEC Negative Trust Anchors.
- Fix unbound-control get_option aggressive-nsec
- Check "result" in dup_all(), by Florian Obser.
- Fix #4043: make test fails due to v6 presentation issue in macOS.
- Fix unable to resolve after new WLAN connection, due to auth-zone
  failing with a forwarder set. Now, auth-zone is only used for
  answers (not referrals) when a forwarder is set.
- Combine write of tcp length and tcp query for dns over tls.
- nitpick fixes in example.conf.
- Fix above stub queries for type NS and useless delegation point.
- Fix unbound-control over pipe with openssl 1.1.1, the TLSv1.3
  tls_choose_sigalg routine does not allow the ciphers for the pipe,
  so use TLSv1.2.
- Fix that flush_zone sets prefetch ttl expired, so that with
  serve-expired enabled it'll start prefetching those entries.
- Fix downstream auth zone, only fallback when auth zone fails to
  answer and fallback is enabled.
- Fix for max include depth for authzones.
- Fix memory free on fail for $INCLUDE in authzone.
- Fix that an internal error to look up the wrong rr type for
  auth zone gets stopped, before trying to send there.
- Fix auth zone target lookup iterator.
- Fix auth-zone retry timer to be on schedule with retry timeout,
  with backoff. Also time a refresh at the zone expiry.
- Fix #658: unbound using TLS in a forwarding configuration does not
  verify the server's certificate (RFC 8310 support).
- For addr with #authname and no @port notation, the default is 853.
- man page documentation for dns-over-tls forward-addr '#' notation.
- removed free from failed parse case.
- Fix #4091: Fix that reload of auth-zone does not merge the zonefile
  with the previous contents.
- Delete auth zone when removed from config.
- makedist uses bz2 for expat code, instead of tar.gz.
- Fix #4092: libunbound: use-caps-for-id lacks colon in
  config_set_option.
- auth zone http download stores exact copy of downloaded file,
  including comments in the file.
- Fix sldns parse failure for CDS alternate delete syntax empty hex.
- Attempt for auth zone fix; add of callback in mesh gets from
  callback does not skip callback of result.
- Fix cname classification with qname minimisation enabled.
- Fix contrib/fastrpz.patch for this release.
- Fix auth https for libev.
- Fix memory leak when caching wildcard records for aggressive NSEC use
- Fix for crash in daemon_cleanup with dnstap during reload,
  from Saksham Manchanda.
- Also that for dnscrypt.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
Sun Apr 22 19:26:03 UTC 2018 - michael@stroeder.com

- Commented configuration directive dlv-anchor-file: in unbound.conf
  (see bsc#1055060). The DLV key file is deliberately still
  shipped in the package so users could easily re-enable this.

-------------------------------------------------------------------
Wed Apr 4 11:54:01 UTC 2018 - michael@stroeder.com

- update to 1.7.0

Features
- auth-zone provides a way to configure RFC7706 from unbound.conf,
  e.g. with auth-zone: name: "." for-downstream: no for-upstream: yes
  fallback-enabled: yes and masters or a zonefile with data.
- Aggressive use of NSEC implementation. Use cached NSEC records to
  generate NXDOMAIN, NODATA and positive wildcard answers.
- Accept tls-upstream in unbound.conf, the ssl-upstream keyword is
  also recognized and means the same. Also for tls-port,
  tls-service-key, tls-service-pem, stub-tls-upstream and
  forward-tls-upstream.
- [dnscrypt] introduce dnscrypt-provider-cert-rotated option,
  from Manu Bretelle.
  This option allows handling multiple cert/key pairs while only
  distributing some of them.
  In order to reliably match a client magic with a given key without
  strong assumptions as to how those were generated, we need both key and
  cert. Likewise, in order to know which ES version should be used.
  On the other hand, when rotating a cert, it can be desirable to only
  serve the new cert but still be able to handle clients that are still
  using the old cert's public key.
  The `dnscrypt-provider-cert-rotated` option allows one to instruct unbound
  to not publish the cert as part of the DNS's provider_name's TXT answer.
- Update B root ipv4 address.
- make ip-transparent option work on OpenBSD.
- Fix #2801: Install libunbound.pc.
- ltrace.conf file for libunbound in contrib.
- Fix #3598: Fix swig build issue on rhel6 based system.
  configure --disable-swig-version-check stops the swig version check.

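Added configuration example for the auth-zone (RFC 7706) and
dnscrypt-provider-cert-rotated items above; this fragment is not part of
the unbound release notes. The two root zone distribution addresses are
those published in RFC 7706; the zonefile path, the dnscrypt key/cert
paths, the listen port and the provider name are placeholders.

```conf
# Added example, not from the unbound release notes. File paths, port and
# provider name are placeholders; the ICANN addresses are from RFC 7706.

server:
    # Placeholder listen address for the DNSCrypt port below.
    interface: 0.0.0.0@5443

# RFC 7706: keep a local copy of the root zone and answer the resolver's
# own root lookups from it. It is never served to clients as authoritative
# data, and the answers still pass through the validator like any other.
auth-zone:
    name: "."
    master: 192.0.32.132        # xfr.lax.dns.icann.org (RFC 7706)
    master: 192.0.47.132        # xfr.cjr.dns.icann.org (RFC 7706)
    zonefile: "/var/lib/unbound/root.zone"   # placeholder path
    for-downstream: no          # do not act as a root server for clients
    for-upstream: yes           # use the copy instead of querying the roots
    fallback-enabled: yes       # if the copy cannot answer, recurse as usual

# DNSCrypt with one certificate rotated out: both key pairs stay loaded so
# clients that still hold the old certificate keep working, but only the
# new certificate is published in the provider's TXT record.
dnscrypt:
    dnscrypt-enable: yes
    dnscrypt-port: 5443                          # must match the interface above
    dnscrypt-provider: 2.dnscrypt-cert.example.com.   # placeholder name
    # New pair: advertised in the provider TXT answer.
    dnscrypt-secret-key: "/etc/unbound/dnscrypt/new.key"
    dnscrypt-provider-cert: "/etc/unbound/dnscrypt/new.cert"
    # Old pair: still accepted, no longer advertised.
    dnscrypt-secret-key: "/etc/unbound/dnscrypt/old.key"
    dnscrypt-provider-cert-rotated: "/etc/unbound/dnscrypt/old.cert"
```
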
Bug Fixes
- Fix #1749: With harden-referral-path: performance drops, due to
  circular dependency in NS and DS lookups.
- [dnscrypt] prevent dnscrypt-secret-key, dnscrypt-provider-cert
  duplicates
- Better documentation for cache-max-negative-ttl.
- Fixed libunbound manual typo.
- Fix #1949: [dnscrypt] make provider name mismatch more obvious.
- Fix #2031: Double included headers
- Document that errno is left informative on libunbound config read
  fail.
- iana port update.
- Fix #1913: ub_ctx_config is under circumstances thread-safe.
- Fix #2362: TLS1.3/openssl-1.1.1 not working.
- Fix #2034 - Autoconf and -flto.
- Fix #2141 - for libsodium detect lack of entropy in chroot, print
  a message and exit.
- Fix #2492: Documentation libunbound.
- Fix #2882: Unbound behaviour changes (wrong) when domain-insecure is
  set for stub zone. It no longer searches for DNSSEC information.
- Fix #3299 - forward CNAME daisy chain is not working
- Fix link failure on OmniOS.
- Check whether --with-libunbound-only is set when using --with-nettle
  or --with-nss.
- Fix qname-minimisation documentation (A QTYPE, not NS)
- Fix that DS queries with referral replies are answered straight
  away, without a repeat query picking the DS from cache.
  The correct reply should have been an answer, the reply is fixed
  by the scrubber to have the answer in the answer section.
- Fix that expiration date checks don't fail with clang -O2.
- Fix queries being leaked above stub when refetching glue.
- Copy query and correctly set flags on REFUSED answers when cache
  snooping is not allowed.
- make depend: code dependencies updated in Makefile.
- Fix #3397: Fix that cachedb could return a partial CNAME chain.
- Fix #3397: Fix that when the cache contains an unsigned DNAME in
  the middle of a cname chain, a result without the DNAME could
  be returned.
- Fix that unbound-checkconf -f flag works with auto-trust-anchor-file
  for startup scripts to get the full pathname(s) of anchor file(s).
- Print fatal errors about remote control setup before log init,
  so that it is printed to console.
- Use NSEC with longest ce to prove wildcard absence.
- Only use *.ce to prove wildcard absence, no longer names.
- Fix unfreed locks in log and arc4random at exit of unbound.
- Fix lock race condition in dns cache dname synthesis.
- Fix #3451: dnstap not building when you have a separate build dir.
  And removed protoc warning, set dnstap.proto syntax to proto2.
- Added tests with wildcard expanded NSEC records (CVE-2017-15105 test)
- Unit test for auth zone https url download.
- tls-cert-bundle option in unbound.conf enables TLS authentication.
- Fixes for clang static analyzer, the missing ; in
  edns-subnet/addrtree.c after the assert made clang analyzer
  produce a failure to analyze it.
- Fix #3505: Documentation for default local zones references
  wrong RFC.
- Fix #3494: local-zone noview can be used to break out of the view
  to the global local zone contents, for queries for that zone.
- Fix for more maintainable code in localzone.
- more robust cachedump rrset routine.
- Save wildcard RRset from answer with original owner for use in
  aggressive NSEC.
- Fixup contrib/fastrpz.patch so that it applies.
- Fix compile without threads, and remove unused variable.
- Fix compile with staticexe and python module.
- Fix nettle compile.
- Fix to check define of DSA for when openssl is without deprecated.
- iana port update.
- Fix #3582: Squelch address already in use log when reuseaddr option
  causes same port to be used twice for tcp connections.
- Reverted fix for #3512, this may not be the best way forward;
  although it could be changed at a later time, to stay similar to
  other implementations.
- Fix for windows compile.
- Fixed contrib/fastrpz.patch, even though this already applied
  cleanly for me, now also for others.
- patch to log creates keytag queries, from A. Schulze.
- patch suggested by Debian lintian: allow to -> allow one to, from
  A. Schulze.
- Attempt to remove warning about trailing whitespace.
- Added documentation for aggressive-nsec: yes.

-------------------------------------------------------------------
Fri Jan 19 10:34:41 UTC 2018 - michael@stroeder.com

- update to 1.6.8
  patch for CVE-2017-15105: vulnerability in the processing of
  wildcard synthesized NSEC records.

-------------------------------------------------------------------
Tue Oct 10 08:20:16 UTC 2017 - michael@stroeder.com

- update to 1.6.7

Features:
- Set trust-anchor-signaling default to yes
- Fix #1440: [dnscrypt] client nonce cache.
- Fix #1435: Please allow UDP to be disabled separately upstream and
  downstream.

Bug fixes:
- Fix that looping modules always stop the query, and don't pass
  control.
- Fix unbound-host to report error for DNSSEC state of failed lookups.
- Spelling fixes, from Josh Soref.
- Fix #1400: allowing use of global cache on ECS-forwarding unless
  always-forward.
- use a cachedb answer even if it's "expired" when serve-expired is yes
  (patch from Jinmei Tatuya).
- trigger refetching of the answer in that case (this will bypass
  cachedb lookup)
- allow storing a 0-TTL answer from cachedb in the in-memory message
  cache when serve-expired is yes
- Fix DNSCACHE_STORE_ZEROTTL to be bigger than 0xffff.
- Log name of looping module
- Fix #1450: Generate again patch contrib/aaaa-filter-iterator.patch
  (by Danilo G. Baio).
- Fix param unused warning for windows exportsymbol compile.
- Use RCODE from A query on DNS64 synthesized answer.
- Fix trust-anchor-signaling works in libunbound.
- Fix spelling in unbound-control man page.

-------------------------------------------------------------------
Mon Sep 4 16:17:44 UTC 2017 - michael@stroeder.com

- update to 1.6.6

Features:
- unbound-control dump_infra prints port number for address if not 53.
- Fix #1344: RFC6761-reserved domains: test. and invalid.
- Fix #1349: allow suppression of pidfiles (from Daniel Kahn Gillmor).
  With the -p option unbound does not create a pidfile.
- Added stats for queries that have been ratelimited by domain
  recursion.
- Patch to show DNSCrypt status in help output, from Carsten
  Strotmann.
- Fix #1407: Add ECS options check to unbound-checkconf.
- Fix #1415: [dnscrypt] shared secret cache, patch from
  Manu Bretelle.

Bug Fixes:
- fixup of dnscrypt_cert_chacha test (from Manu Bretelle).
- First fix for zero b64 and hex text zone format in sldns.
- Better fixup of dnscrypt_cert_chacha test for different escapes.
- Fix that infra cache host hash does not change after reconfig.
- Fix python example0 return module wait instead of error for pass.
- enhancement for hardened-tls for DNS over TLS. Removed duplicated
  security settings.
- Fix for unbound-checkconf, check ipsecmod-hook if ipsecmod is turned
  on.
- Fix #1331: libunbound segfault in threaded mode when context is
  deleted.
- Fix pythonmod link line option flag.
- Fix openssl 1.1.0 load of ssl error strings from ssl init.
- Fix #1332: Bump verbosity of failed chown'ing of the control socket.
- Redirect all localhost names to localhost address for RFC6761.
- Fix #1350: make cachedb backend configurable (from JINMEI Tatuya).
- Fix tests to use .tdir (from Manu Bretelle) instead of .tpkg.
- upgrade aclocal(pkg.m4 0.29.1), config.guess(2016-10-02),
  config.sub(2016-09-05).
- annotate case statement fallthrough for gcc 7.1.1.
- flex output from flex 2.6.1.
- snprintf of thread number does not warn about truncated string.
- squelch TCP fast open error on FreeBSD when kernel has it disabled,
  unless verbosity is high.
- remove warning from windows compile.
- Fix compile with libnettle
- Fix DSA configure switch (--disable-dsa) for libnettle and libnss.
- Fix #1365: Add Ed25519 support using libnettle.
- Fix #1394: mix of serve-expired and response-ip could cause a crash.
- Remove unused iter_env member (ip6arpa_dname)
- Do not reset rrset.bogus stats when called using stats_noreset.
- Do not add rrset_bogus and query ratelimiting stats per thread, these
  module stats are global.
- Fix #1397: Recursive DS lookups for AS112 zone names should recurse.
- Fix #1398: make cachedb secret configurable.
- Remove spaces from Makefile.
- Fix issue on macOS 10.10 where TCP fast open is detected but not
  implemented causing TCP to fail. The fix allows fallback to regular
  TCP in this case and is also more robust for cases where connectx()
  fails for some reason.
- Fix #1402: squelch invalid argument error for fd_set_block on windows.
- Fix to reclaim tcp handler when it is closed due to dnscrypt buffer
  allocation failure.
- Fix #1415: patch to free dnscrypt environment on reload.
- iana portlist update
- Small fixes for the shared secret cache patch.
- Fix WKS records on kvm autobuild host, with default protobyname
  entries for udp and tcp.
- Fix #1414: fix segfault on parse failure and log_replies.
- zero qinfo in handle_request, this zeroes local_alias and also the
  qname member.
- new keys and certs for dnscrypt tests.
- fixup WKS test on buildhost without servicebyname.
- updated contrib/fastrpz.patch to apply with configparser changes.
- Fix #1416: qname-minimisation breaks TLSA lookups with CNAMEs.
- Fix #1424: cachedb:testframe is not thread safe.
- Fix #1417: [dnscrypt] shared secret cache counters, and works when
  dnscrypt is not enabled. And cache size configuration option.
- Fix #1418: [ip ratelimit] initialize slabhash using
  ip-ratelimit-slabs.
- Recommend 1472 buffer size in unbound.conf

-------------------------------------------------------------------
Mon Aug 21 10:38:49 UTC 2017 - michael@stroeder.com

- update to 1.6.5
* Fix install of trust anchor when two anchors are present, makes both
  valid. Checks hash of DS but not signature of new key. This fixes
  installs between sep11 and oct11 2017.

-------------------------------------------------------------------
Tue Aug 8 19:02:38 UTC 2017 - jengelh@inai.de

- RPM group fix. Do not suppress user/group creation problems.
  Replace %__ type macro indirections.

-------------------------------------------------------------------
Tue Jun 27 11:13:31 UTC 2017 - michael@stroeder.com

- update to 1.6.4

Features:
- Implemented trust anchor signaling using key tag query.
- unbound-checkconf -o allows query of dnstap config variables.
  Also unbound-control get_option. Also for dnscrypt.
- unbound.h exports the shm stats structures. They use
  type long long and no ifdefs, and ub_ before the typenames.
- Implemented opportunistic IPsec support module (ipsecmod).
- Added redirect-bogus.patch to contrib directory.
- Support for the ED25519 algorithm with openssl (from openssl 1.1.1).
- renumbering B-Root's IPv6 address to 2001:500:200::b.
- Fix #1276: [dnscrypt] add XChaCha20-Poly1305 cipher.
- Fix #1277: disable domain ratelimit by setting value to 0.
- Added fastrpz patch to contrib

Bug Fixes:
- Added ECS unit test (from Manu Bretelle).
- ECS documentation fix (from Manu Bretelle).
- Fix #1252: more indentation inconsistencies.
- Fix #1253: unused variable in edns-subnet/addrtree.c:getbit().
- Fix #1254: clarify ratelimit-{for,below}-domain (from Manu Bretelle).
- iana portlist update
- Based on #1257: check parse limit before t increment in sldns RR
  string parse routine.
- Fix #1258: Windows 10 X64 unbound 1.6.2 service will not start,
  and fix that 64bit gets installed in C:\Program Files (x86).
- Fix #1259: "--disable-ecdsa" argument overwritten
  by "#ifdef SHA256_DIGEST_LENGTH@daemon/remote.c".
- iana portlist update
- Added test for leak of stub information.
- Fix sldns wire2str printout of RR type CAA tags.
- Fix sldns int16_data parse.
- Fix sldns parse and printout of TSIG RRs.
- sldns SMIMEA and AVC definitions, same as getdns definitions.
- Fix tcp-mss failure printout text.
- Set SO_REUSEADDR on outgoing tcp connections to fix the bind before
  connect limited tcp connections. With the option tcp connections
  can share the same source port (for different destinations).
- Add 'c' to getopt() in testbound.
- Adjust servfail by iterator to not store in cache when serve-expired
  is enabled, to avoid overwriting useful information there.
- Fix queries for nameservers under a stub leaking to the internet.
- document trust-anchor-signaling in example config file.
- updated configure, dependencies and flex output.
- better module memory lookup, fix of unbound-control shm names for
  module memory printout of statistics.
- Fix type AVC sldns rrdef.
- Some whitespace fixup.
- Fix #1265: contrib/unbound.service contains hardcoded path.
- Fix #1265 to use /bin/kill.
- Fix #1267: Libunbound validator/val_secalgo.c uses obsolete APIs,
  and compatibility with BoringSSL.
- Fix #1268: SIGSEGV after log_reopen.
- exec_prefix is by default equal to prefix.
- printout localzone for duplicate local-zone warnings.
- Fix assertion for low buffer size and big edns payload when worker
  overrides udpsize.
- Support for openssl EVP_DigestVerify.
- Fix #1269: inconsistent use of built-in local zones with views.
- Add defaults for new local-zone trees added to views using
  unbound-control.
- Fix #1273: cachedb.c doesn't compile with -Wextra.
- If MSG_FASTOPEN gives EPIPE fallthrough to try normal tcp write.
- Also use global local-zones when there is a matching view that does
  not have any local-zone specified.
- Fix fastopen EPIPE fallthrough to perform connect.
- Fix #1274: automatically trim chroot path from dnscrypt key/cert paths
  (from Manu Bretelle).
- Fix #1275: cached data in cachedb is never used.
- Fix that unbound-control can set val_clean_additional and
  val_permissive_mode.
- Add dnscrypt XChaCha20 tests.
- Detect chacha for dnscrypt at configure time.
- dnscrypt unit tests with chacha.
- Added domain name based ECS whitelist.
- Fix #1278: Incomplete wildcard proof.
- Fix #1279: Memory leak on reload when python module is enabled.
- Fix #1280: Unbound fails assert when response from authoritative
  contains malformed qname. When 0x20 caps-for-id is enabled, when
  assertions are not enabled the malformed qname is handled correctly.
- More fixes in depth for buffer checks in 0x20 qname checks.
- Fix stub zone queries leaking to the internet for
  harden-referral-path ns checks.
- Fix query for refetch_glue of stub leaking to internet.
- Fix #1301: memory leak in respip and tests.
- Free callback in edns-subnetmod on exit and restart.
- Fix memory leak in sldns_buffer_new_frm_data.
- Fix memory leak in dnscrypt config read.
- Fix dnscrypt chacha cert support ifdefs.
- Fix dnscrypt chacha cert unit test escapes in grep.
- Fix to unlock view in view test.
- Fix warning in pythonmod under clang compiler.
- Fix lintian typo.
- Fix #1316: heap read buffer overflow in parse_edns_options.

-------------------------------------------------------------------
Wed Jun 14 10:22:38 UTC 2017 - michael@stroeder.com

- update to 1.6.3

Bug Fixes
- Fix #1280: Unbound fails assert when response from authoritative
  contains malformed qname. When 0x20 caps-for-id is enabled, when
  assertions are not enabled the malformed qname is handled correctly.

-------------------------------------------------------------------
Mon Apr 24 15:54:02 UTC 2017 - michael@stroeder.com

- update to 1.6.2

Features
- Add trustanchor.unbound CH TXT that gets a response with a number
  of TXT RRs with a string like "example.com. 2345 1234" with
  the trust anchors and their keytags.
- Patch for view functionality for local-data-ptr from Björn Ketelaars.
- Response actions based on IP address from Jinmei Tatuya (Infoblox).
- Patch from Luiz Fernando Softov for Stats Shared Memory.
- unbound-control stats_shm command prints stats using shared memory,
  which uses less cpu.
- --disable-sha1 disables SHA1 support in RRSIG, so from DNSKEY and
  DS records. NSEC3 is not disabled.
- #1217. DNSCrypt support, with --enable-dnscrypt, libsodium and then
  enabled in the config file from Manu Bretelle.
- Merge EDNS Client subnet implementation from feature branch into main
  branch, using new EDNS processing framework.
- harden-algo-downgrade: no also makes unbound more lenient about
  digest algorithms in DS records.

Bug fixes
- sldns has ED25519 and ED448 algorithm number and name for display.
- sldns updated for vfixed and buffer resize indication from getdns.
- iana portlist update
- Fix #1224: Fix that defaults should not fall back to "Program Files
  (x86)" if Unbound is 64bit by default on windows.
- Fix doc/CNAME-basedRedirectionDesignNotes.pdf zone static to
  redirect.
- make depend, autoconf, doxygen and lint fixed up.
- include sys/time.h for new shm code on NetBSD.
- Fix #1227: Fix that Unbound control allows weak ciphersuites.
- Fix #1226: provide official 32bit binary for windows.
- For #1227: if we have sha256, set the cipher list to have no
  known vulns.
- Fix testpkts.c, check if DO bit is set, not only if there is an OPT
  record.
- Fix #1229: Systemd service sandboxing in contrib/unbound.service.
- Fix #1230: swig version 2.0.1 is required for pythonmod, with
  1.3.40 it crashes when repeatedly running unbound-control reload.
- fix enum conversion warnings
- fake-sha1 test option; print warning if used. To make unit tests.
- unbound-control list local zone and data commands listed in the
  help output.
- Fix #1234: shortening DNAME loop produces duplicate DNAME records
  in ANSWER section.
- testbound understands Deckard MATCH rcode question answer commands.
- Fix #1235: Fix too long DNAME expansion produces SERVFAIL instead
  of YXDOMAIN + query loop, reported by Petr Spacek.
- Fix that SHM is not inited if not enabled.
- Fix that looped DNAMEs do not cause unbound to spend effort.
- trustanchor tags are sorted. reusable routine to fetch taglist.
- Fix #1237 - Wrong resolving in chain, for norec queries that get
  SERVFAIL returned.
- make depend, autoconf, remove warnings about statement before var.
- lru_demote and lruhash_insert_or_retrieve functions for getdns.
- fixup for lruhash (whitespace and header file comment).
- dnscrypt tests.
- Fix doxygen for dnscrypt files.
- Fix #1238: segmentation fault when adding through the remote
  interface a per-view local zone to a view with no previous
  (configured) local zones.
- Fix #1229: Systemd service sandboxing, options in wrong sections.
- Fix #1239: configure fails to find python distutils if python
  prints warning.
- Fix to prevent non-referral query from being cached as referral when the
  no_cache_store flag was set.
- Remove (now unused) event2 include from dnscrypt code.
- Fix #1217: Add metrics to unbound-control interface showing
  crypted, cert request, plaintext and malformed queries (from
  Manu Bretelle).
- Do not add current time twice to TTL before ECS cache store.
- Do not touch rrset cache after ECS cache message generation.
- Use LDNS_EDNS_CLIENT_SUBNET as default ECS opcode.
- Fix #1244: document that use of chroot requires trust anchor file to
  be under chroot.
- Small fixup for documentation.
- Fix respip for braces when locks aren't used.
- Fix pythonmod for cb changes.
- Generalise inplace callback (de)registration
- (de)register inplace callbacks for module id
- No unbound-control set_option for ECS options
- Deprecated client-subnet-opcode config option
- Introduced client-subnet-always-forward config option
- Changed max-client-subnet-ipv6 default to 56 (as in RFC)
- Removed extern ECS config options
- module_restart_next now calls clear on all following modules
- Also create ECS module qstate on module_event_pass event
- remove malloc from inplace_cb_register
- Unlock view in respip unit test
- Some whitespace fixup.
- Remove ECS option after REFUSED answer.
- Fix small memory leak in edns_opt_copy_alloc.
- Respip dereference after NULL check.
- Zero initialize addrtree allocation.
- Use correct identifier for SHM destroy.
- Display ECS module memory usage.
- Fix #1247: unbound does not shorten source prefix length when
  forwarding ECS.
- Properly check for allocation failure in local_data_find_tag_datas.
- Fix #1249: unbound doesn't return FORMERR to bogus ECS.
- Set SHM ECS memory usage to 0 when module not loaded.
- subnet mem value is available in shm, also when not enabled,
  to make the struct easier to memmap by other applications,
  independent of the configuration of unbound.
- Fix #1250: inconsistent indentation in services/listen_dnsport.c.

-------------------------------------------------------------------
Tue Feb 21 21:34:22 UTC 2017 - michael@stroeder.com

- update to 1.6.1

Features
* configure --enable-systemd and lets unbound use systemd sockets if you
  enable use-systemd: yes in unbound.conf. Also there are
  contrib/unbound.socket and contrib/unbound.service: systemd files for
  unbound, install them in /usr/lib/systemd/system. Contributed by Sami
  Kerola and Pavel Odintsov.
* [bugzilla: 1185 ]
  Source IP rate limiting, patch from Larissa Feng.
* [bugzilla: 1184 ]
  Log DNS replies. This includes the same logging information as DNS
  queries, plus response code and response size, patch from Larissa Feng.
* Include root trust anchor id 20326 in unbound-anchor.
* 64bit is default for windows builds.

Bug Fixes
* [bugzilla: 1176 ]
  Fix stack size too small for Alpine Linux.
* Fix unbound-control and ipv6 only.
  [bugzilla: 1182 ]
* Fix Resource leak (socket), at startup.
  [bugzilla: 1178 ]
* Fix attempt to fix setup error at end, pop result values at end of
  install.
* iana portlist update
* Fix inet_ntop and inet_pton warnings in windows compile.
* [bugzilla: 1191 ]
  Fix remove comment about view deletion.
* [bugzilla: 1188 ]
  Fix unresolved symbol 'fake_dsa' in libunbound.so when built with Nettle
* [bugzilla: 1190 ]
  Fix to not echo back EDNS options in local-zone error response.
* [bugzilla: 1194 ]
  Fix if cross build fails when $host isn't `uname` for getentropy.
* Fix reload chdir failure when also chrooted to that directory.
* Fix to return formerr for queries for meta-types, to avoid packet
  amplification if this meta-type is sent on to upstream.
* [bugzilla: 1201 ]
  Fix missing unlock in answer_from_cache error condition.
* [bugzilla: 1202 ]
  Fix code comment that packed_rrset_data is not always 'packed'.
* Fix to also block meta types 128 through to 248 with formerr.
* [bugzilla: 1206 ]
  Fix that some view-related commands are missing from 'unbound-control -h'
* Fix to rename ub_callback_t to ub_callback_type, because POSIX
  reserves _t typedefs.
* Fix to rename internally used types from _t to _type, because _t type
  names are reserved by POSIX.
* Increase MAX_MODULE to 16.
* [bugzilla: 1211 ]
  Fix can't enable interface-automatic if no IPv6 with more helpful
  error message.
* fix root_anchor test for updated icannbundle.pem lower certificates.
* Fix compile on solaris of the fix to use $host detect.
* Fix for type name change and fix warning on windows compile.
* Fix pythonmod for typedef changes.
* Fix dnstap for warning of set but not used.
* Fix autoconf of systemd check for lack of pkg-config.

-------------------------------------------------------------------
Thu Dec 15 16:28:44 UTC 2016 - michael@stroeder.com

- update to 1.6.0

Features
* Added generic EDNS code for registering known EDNS option codes,
  bypassing the cache response stage and uniquifying mesh states. Four
  EDNS option lists were added to module_qstate
  (module_qstate.edns_opts_*) to store EDNS options from/to front/back side.
* Added two flags to module_qstate (no_cache_lookup, no_cache_store)
  that control the modules' cache interactions.
* Added code for registering inplace callback functions. The registered
  functions can be called just before replying with local data or Chaos,
  replying from cache, replying with SERVFAIL, replying with a resolved
  query, sending a query to a nameserver. The functions can inspect the
  available data and maybe change response/query related data (i.e. append
  EDNS options).
* Updated Python module for the above.
* Updated Python documentation.
* Added views functionality.
* Added qname-minimisation-strict config option.
* Patch that resolves CNAMEs entered in local-data conf statements that
  point to data on the internet, from Jinmei Tatuya (Infoblox).
* serve-expired config option: serve expired responses with TTL 0.
* .gitattributes line for GitHub's code language display.
* log-identity: config option to set sys log identity, patch from "Robin
  H. Johnson" (robbat2@gentoo.org).
* Added stub-ssl-upstream and forward-ssl-upstream options.
* Added local-zones and local-data bulk addition and removal
  functionality in unbound-control (local_zones, local_zones_remove,
  local_datas and local_datas_remove).
* g.root-servers.net has AAAA address.

Bug Fixes
* Fix #836: unbound could echo back EDNS options in an error response.
* Fix #838: 1.5.10 cannot be built on Solaris, undefined PATH_MAX.
* Fix #839: Memory grows unexpectedly with large RPZ files.
* Fix #840: infinite loop in unbound_munin_ plugin on unowned lockfile.
* Fix #841: big local-zones make it consume large amounts of memory.
* Fix dnstap relaying "random" messages instead of resolver/forwarder
  responses, from Nikolay Edigaryev.
* Fix Nits for 1.5.10 reported by Dag-Erling Smorgrav.
* Fix #1117: spelling errors, from Robert Edmonds.
* iana portlist update.
* fix memoryleak logfile when in debug mode.
* Re-fix #839 from view commit overwrite.
* Fixup const void cast warning.
* Removed patch comments from acllist.c and msgencode.c
* Added documentation doc/CNAME-basedRedirectionDesignNotes.pdf, from
  Jinmei Tatuya (Infoblox).
* Fix #1125: unbound could reuse an answer packet incorrectly for
  clients with different EDNS parameters, from Jinmei Tatuya.
* Fix #1118: libunbound.pc sets strange Libs, Libs.private values.
* Added Requires line to libunbound.pc
* Fix #1130: whitespace in example.conf.in more consistent.
* suppress compile warning in lex files.
* init lzt variable, for older gcc compiler warnings.
* fix --enable-dsa to work, instead of copying ecdsa enable.
* Fix DNSSEC validation of query type ANY with DNAME answers.
* Fixup query_info local_alias init.
* Ported tests for local_cname unit test to testbound framework.
* Fix #1134: unbound-control set_option -- val-override-date: -1 works
|
|
|
|
|
immediately to ignore datetime, or back to 0 to enable it again. The --
|
|
|
|
|
is to ignore the '-1' as an option flag.
|
|
|
|
|
* Patch for server.num.zero_ttl stats for count of expired replies, from
|
|
|
|
|
Pavel Odintsov.
|
|
|
|
|
* Fix failure to build on arm64 with no sbrk.
|
|
|
|
|
* Set OpenSSL security level to 0 when using aNULL ciphers.
|
|
|
|
|
* configure detects ssl security level API function in the autoconf
|
|
|
|
|
manner. Every function on its own, so that other libraries (eg.
|
|
|
|
|
LibreSSL) can develop their API without hindrance.
|
|
|
|
|
* Fix #1154: segfault when reading config with duplicate zones.
|
|
|
|
|
* Note that for harden-below-nxdomain the nxdomain must be secure, this
|
|
|
|
|
means nsec3 with optout is insufficient.
|
|
|
|
|
* Fix #1155: test status code of unbound-control in 04-checkconf, not
|
|
|
|
|
the status code from the tee command.
|
|
|
|
|
* Fix #1158: reference RFC 8020 "NXDOMAIN: There Really Is Nothing
|
|
|
|
|
Underneath" for the harden-below-nxdomain option.
|
|
|
|
|
* patch from Dag-Erling Smorgrav that removes code that relies on sbrk().
|
|
|
|
|
* Make access-control-tag-data RDATA absolute. This makes the RDATA
|
|
|
|
|
origin consistent between local-data and access-control-tag-data.
|
|
|
|
|
* Fix NSEC ENT wildcard check. Matching wildcard does not have to be a
|
|
|
|
|
subdomain of the NSEC owner.
|
|
|
|
|
* QNAME minimisation uses QTYPE=A, therefore always check cache for this
|
|
|
|
|
type in harden-below-nxdomain functionality.
|
|
|
|
|
* Added unit test for QNAME minimisation + harden below nxdomain synergy.
|
|
|
|
|
* Fix that with openssl 1.1 control-use-cert: no uses less cpu, by using
|
|
|
|
|
no encryption over the unix socket.
|
|
|
|
|
* hyphen as minus fix, by Andreas Schulze
|
|
|
|
|
* Fix #1170: document that 'inform' local-zone uses local-data.
|
|
|
|
|
* Fix #1173: differ local-zone type deny from unset tag_actions element.
|
|
|
|
|
* Add DSA support for OpenSSL 1.1.0
|
|
|
|
|
* Fix remote control without cert for LibreSSL
|
|
|
|
|
* Fix downcast warnings from visual studio in sldns code.

-------------------------------------------------------------------
Tue Sep 27 12:41:57 UTC 2016 - michael@stroeder.com

- update to 1.5.10

  Features
  * Create a pkg-config file for libunbound in contrib.
  * TCP Fast open patch from Sara Dickinson.
  * Finegrained localzone control with define-tag, access-control-tag,
    access-control-tag-action, access-control-tag-data, local-zone-tag, and
    local-zone-override. And added types always_transparent, always_refuse,
    always_nxdomain with that.
  * If more than half of tcp connections are in use, a shorter timeout
    is used (200 msec, vs 2 minutes) to pressure tcp for new connects.
  * [bugzilla: 787 ] Fix #787: outgoing-interface netblock/64 ipv6
    option to use linux freebind to use 64bits of entropy for every query
    with random local part.
  * For #787: prefer-ip6 option for unbound.conf prefers to send
    upstream queries to ipv6 servers.
  * Add default root hints for IPv6 E.ROOT-SERVERS.NET, 2001:500:a8::e.
  * keep debug symbols in windows build.

  Bug Fixes
  * [bugzilla: 778 ] Fix unbound 1.5.9: -h segfault (null deref).
  * Fix unbound-anchor.exe file location defaults to Program Files with
    (x86) appended.
  * Fix to not ignore return value of chown() in daemon startup.
  * Better help text from -h (from Ray Griffith).
  * [bugzilla: 773 ] Fix Non-standard Python location build failure with
    pyunbound.
  * Improve threadsafety for openssl 0.9.8 ecdsa dnssec signatures.
  * Revert fix for NetworkService account on windows due to breakage it
    causes.
  * Fix that windows install will not overwrite existing service.conf
    file (and ignore gui config choices if it exists).
  * And delete service.conf.shipped on uninstall.
  * In unbound.conf directory: dir immediately changes to that
    directory, so that include: file below that is relative to that
    directory. With chroot, make the directory an absolute path inside chroot.
  * do not delete service.conf on windows uninstall.
  * document directory immediate fix and allow EXECUTABLE syntax in it
    on windows.
  * Fix directory: fix for unbound-checkconf, it restores cwd.
  * Use QTYPE=A for QNAME minimisation.
  * Keep track of number of time-outs when performing QNAME
    minimisation. Stop minimising when number of time-outs for a QNAME/QTYPE
    pair is more than three.
  * [bugzilla: 775 ] Fix unbound-host and unbound-anchor crash on
    windows, ignore null delete for wsaevent.
  * Fix spelling in freebind option man page text.
  * Fix windows link of ssl with crypt32.
  * [bugzilla: 779 ] Fix Union casting is non-portable.
  * [bugzilla: 780 ] Fix MAP_ANON not defined in HP-UX 11.31.
  * [bugzilla: 781 ] Fix prealloc() is an HP-UX system library call.
  * Decrease dp attempts at each QNAME minimisation iteration
  * [bugzilla: 784 ] Fix Build configure assumes that having getpwnam
    means there is endpwent function available.
  * Updated repository with newer flex and bison output.
  * Fix static compile on windows missing gdi32.
  * Fix dynamic link of anchor-update.exe on windows.
  * Fix detect of mingw for MXE package build.
  * Fixes for 64bit windows compile.
  * [bugzilla: 788 ] Fix for nettle 3.0: Failed to build with Nettle >=
    3.0 and --with-libunbound-only --with-nettle.
  * Fixed unbound.doxygen for 1.8.11.
  * [bugzilla: 798 ] Fix Client-side TCP fast open fails (Linux).
  * [bugzilla: 801 ] Fix missing error condition handling in
    daemon_create_workers().
  * [bugzilla: 802 ] Fix workaround for function parameters that are
    "unused" without log_assert.
  * [bugzilla: 803 ] Fix confusing (and incorrect) code comment in
    daemon_cleanup().
  * [bugzilla: 806 ] Fix wrong comment removed.
  * use sendmsg instead of sendto for TFO.
  * [bugzilla: 807 ] Fix workaround for possibly some "unused" function
    parameters in test code, from Jinmei Tatuya.
  * Note that OPENPGPKEY type is RFC 7929.
  * [bugzilla: 804 ] Fix #804: unbound stops responding after outage.
    Fixes queries that attempt to wait for an empty list of subqueries.
  * Fix for #804: lower num_target_queries for iterator also for failed
    lookups.
  * [bugzilla: 820 ] Fix set sldns_str2wire_rr_buf() dual meaning len
    parameter in each iteration in find_tag_datas().
  * [bugzilla: 777 ] Fix OpenSSL 1.1.0 compatibility, patch from
    Sebastian A. Siewior.
  * RFC 7958 is now out, updated docs for unbound-anchor.
  * Fix for compile without warnings with openssl 1.1.0.
  * [bugzilla: 826 ] Fix refuse_non_local could result in a broken response.
  * iana portlist update.
  * Fix compile with openssl 1.1.0 with api=1.1.0.
  * [bugzilla: 829 ] Fix doc of sldns_wire2str_rdata_buf() return value
    has an off-by-one typo, from Jinmei Tatuya (Infoblox).
  * Fix incomplete prototypes reported by Dag-Erling Smørgrav.
  * [bugzilla: 828 ] Fix missing type in access-control-tag-action
    redirect results in NXDOMAIN.
  * Take configured minimum TTL into consideration when reducing TTL to
    original TTL from RRSIG.
  * [bugzilla: 831 ] Fix workaround for spurious fread_chk warning
    against petal.c
  * Silenced flex-generated sign-unsigned warning print with gcc
    diagnostic pragma.
  * Fix for new splint on FreeBSD. Fix cast for sockaddr_un.sun_len.
  * fix potential memory leak in daemon/remote.c and nullpointer
    dereference in validator/autotrust.
  * [bugzilla: 883 ] Fix error for duplicate local zone entry.
  * [bugzilla: 835 ] Fix --disable-dsa with nettle verify.
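As an added example (not Unbound's code and not part of this changelog), the outgoing-interface netblock/64 item above modelled in Python: a fresh random source address is drawn from a routed IPv6 /64 for every outgoing query and bound with IP_FREEBIND, so an off-path spoofer has to guess 64 bits of source address on top of the query ID and source port. The prefix 2001:db8:42:1::/64 is a constructed documentation value, and the numeric fallback 15 for IP_FREEBIND is an assumption taken from linux/in.h for Python builds that do not export the constant.

```python
"""Added example, not Unbound's code: random per-query source address from a
routed IPv6 /64, as the outgoing-interface netblock/64 feature does."""
import ipaddress
import secrets
import socket


def entropy_bits(netblock: str) -> int:
    """Number of host bits that can be randomised inside netblock."""
    return 128 - ipaddress.IPv6Network(netblock, strict=False).prefixlen


def random_source_in_netblock(netblock: str) -> ipaddress.IPv6Address:
    """Return a random address inside netblock; the host part comes from a
    CSPRNG so it is not predictable from earlier queries."""
    net = ipaddress.IPv6Network(netblock, strict=False)
    host_bits = 128 - net.prefixlen
    if host_bits == 0:
        return net.network_address          # a /128: nothing to randomise
    suffix = secrets.randbits(host_bits)
    return ipaddress.IPv6Address(int(net.network_address) | suffix)


def in_netblock(addr, netblock: str) -> bool:
    """True if addr (string or IPv6Address) lies inside netblock."""
    return ipaddress.IPv6Address(addr) in ipaddress.IPv6Network(netblock, strict=False)


def bind_freebind_udp(addr: ipaddress.IPv6Address) -> socket.socket:
    """Bind a UDP socket to addr even though no interface carries it.

    IP_FREEBIND is Linux-only.  Option number 15 is the fallback used when
    this Python build lacks socket.IP_FREEBIND (assumption: value from
    <linux/in.h>).  Port 0 lets the kernel pick a random source port as
    well.  The /64 must be routed to this host or replies never arrive."""
    freebind = getattr(socket, "IP_FREEBIND", 15)
    sock = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
    sock.setsockopt(socket.IPPROTO_IP, freebind, 1)
    sock.bind((str(addr), 0))
    return sock


if __name__ == "__main__":
    block = "2001:db8:42:1::/64"   # constructed documentation prefix
    print(f"{entropy_bits(block)} bits of source-address entropy per query")
    for _ in range(3):
        print(random_source_in_netblock(block))
```

bind_freebind_udp() only succeeds on Linux with the /64 actually routed to the host; the address-drawing functions run anywhere, and a /120 or narrower prefix would show in entropy_bits() how much of the 64 bits a smaller netblock gives away.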

-------------------------------------------------------------------
Sat Jun 4 14:26:35 UTC 2016 - michael@stroeder.com

- update to 1.5.9

  Features
  * generic edns option parse and store code.
  * Updated L root IPv6 address.
  * User defined pluggable event API for libunbound
  * ip_freebind: yesno option in unbound.conf sets IP_FREEBIND for binding
    to an IP address while the interface or address is down.
  * OpenSSL 1.1.0 portability, --disable-dsa configure option.
  * disable-dnssec-lame-check config option from Charles Walker.

  Bug Fixes
  * [bugzilla: 745 ] Fix unbound.py - idn2dname throws UnicodeError when
    idnname contains trailing dot.
  * configure tests for the weak attribute support by the compiler.
  * [bugzilla: 747 ] Fix assert in outnet_serviced_query_stop.
  * Updated configure and ltmain.sh.
  * Fixup of compile fix for pluggable event API from P.Y. Adi Prasaja.
  * Fixup backend2str for libev.
  * Fix libev usage of dispatch return value.
  * No side effects in tolower() call, in case it is a macro.
  * Fix warnings in ifdef corner case, older or unknown libevent.
  * Fix ip-transparent for ipv6 on FreeBSD, thanks to Nick Hibma.
  * Fix ip-transparent for tcp on freebsd.
  * [bugzilla: 746 ] Fix unbound sets CD bit on all forwards. If no trust
    anchors, it'll not set CD bit when forwarding to another server. If a
    trust anchor, no CD bit on the first attempt to a forwarder, but CD bit
    thereafter on repeated attempts to get DNSSEC.
  * Limit number of QNAME minimisation iterations.
  * Validate QNAME minimised NXDOMAIN responses.
  * If QNAME minimisation is enabled, do cache lookup for QTYPE NS in
    harden-below-nxdomain.
  * Fix compile of getentropy_linux for SLES11 servicepack 4.
  * Fix dnstap-log-resolver-response-messages, from Nikolay Edigaryev.
  * Fix test for openssl to use HMAC_Update for 1.1.0.
  * ERR_remove_state deprecated since openssl 1.0.0.
  * OPENSSL_config is deprecated, removing.
  * Document permit-small-holddown for 5011 debug.
  * [bugzilla: 749 ] Fix unbound-checkconf gets SIGSEGV when used against
    a malformatted conf file.
  * [bugzilla: 753 ] Fix document dump_requestlist is for first thread.
  * Fix some malformed responses to edns queries get fallback to nonedns.
  * [bugzilla: 759 ] Fix 0x20 capsforid no longer checks type PTR, for
    compatibility with cisco dns guard. This lowers false positives.
  * Fix sldns with static checking fixes copied from getdns.
  * Fix memory leak in out-of-memory conditions of local zone add.
  * [bugzilla: 761 ] Fix DNSSEC LAME false positive resolving nic.club.
  * [bugzilla: 766 ] Fix dns64 should synthesize results on timeout/errors.
  * No QNAME minimisation fall-back for NXDOMAIN answers from
    DNSSEC signed zones.
  * [bugzilla: 767 ] Fix Reference to an expired Internet-Draft in
    harden-below-nxdomain documentation.
  * remove memory leak from lame-check patch.
  * [bugzilla: 770 ] Fix Small subgroup attack on DH used in unix pipe on
    localhost if unbound control uses a unix local named pipe.
  * Document write permission to directory of trust anchor needed.
  * [bugzilla: 768 ] Fix Unbound Service Sometimes Can Not Shutdown
    Completely, WER Report Shown Up. Close handle before closing WSA.
  * Fix time in case answer comes from cache in ub_resolve_event().
  * Fix windows service to be created run with limited rights, as a network
    service account, from Mario Turschmann.
  * [bugzilla: 752 ] Fix retry resource temporarily unavailable on control
    pipe.
  * iana ports fetched via https.
  * iana portlist update.
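The CD-bit rule for forwarders from the bugzilla 746 item above, as an added Python example that is not Unbound's code: the decision function sits next to a minimal DNS query builder and flag reader so the effect on the wire can be checked. CD (Checking Disabled, RFC 4035 section 3.2.2) asks the upstream to return data it could not validate so the local validator can judge it; a resolver without a trust anchor cannot validate, which is why the rule never sets CD in that case. Query IDs and names below are constructed.

```python
"""Added example, not Unbound's code: CD bit policy when forwarding, with
the RFC 1035 header it is written into."""
import struct

FLAG_RD = 0x0100          # recursion desired
FLAG_CD = 0x0010          # checking disabled
QTYPE_A, QCLASS_IN = 1, 1


def cd_bit_for_forward(have_trust_anchor: bool, attempt: int) -> bool:
    """attempt 0 is the first try at a forwarder, 1 and up are retries."""
    if not have_trust_anchor:
        return False          # cannot validate locally: never ask for unvalidated data
    return attempt > 0        # first try plain; retries set CD to obtain DNSSEC data


def encode_name(name: str) -> bytes:
    """Wire-encode a dotted name as uncompressed labels plus root terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label too long")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qid: int, qname: str, qtype: int, cd: bool) -> bytes:
    """One-question DNS query: 12-byte header, then QNAME/QTYPE/QCLASS."""
    flags = FLAG_RD | (FLAG_CD if cd else 0)
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, QCLASS_IN)


def cd_set(msg: bytes) -> bool:
    """Read the CD flag back out of a wire-format message header."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    (flags,) = struct.unpack("!H", msg[2:4])
    return bool(flags & FLAG_CD)


def forward_query(qid: int, qname: str, qtype: int,
                  have_trust_anchor: bool, attempt: int) -> bytes:
    """The bytes the rule above would send to a forwarder on this attempt."""
    return build_query(qid, qname, qtype,
                       cd_bit_for_forward(have_trust_anchor, attempt))


if __name__ == "__main__":
    for anchor in (False, True):
        for attempt in range(3):
            q = forward_query(0x1234, "www.example.com.", QTYPE_A, anchor, attempt)
            print(f"trust anchor={anchor!s:5} attempt={attempt} CD={cd_set(q)}")
```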

-------------------------------------------------------------------
Thu Feb 25 10:07:47 UTC 2016 - michael@stroeder.com

- update to 1.5.8

  Features
  * ip-transparent option for FreeBSD with IP_BINDANY socket option.
  * insecure-lan-zones: yesno config option, patch from Dag-Erling
    Smørgrav.
  * RR Type CSYNC support RFC 7477, in debug printout and config input.
  * RR Type OPENPGPKEY support (draft-ietf-dane-openpgpkey-07).
  * [bugzilla: 731 ] tcp-mss, outgoing-tcp-mss options for unbound.conf,
    patch from Daisuke Higashi.
  * Support RFC7686: handle ".onion" Special-Use Domain. It is blocked
    by default, and can be unblocked with "nodefault" localzone config.
  * ub_ctx_set_stub() function for libunbound to config stub zones.

  Bug Fixes
  * Fix that NSEC3 negative cache is used when there is no salt.
  * sorted ubsyms.def file with exported libunbound functions.
  * Print understandable debug log when unusable DS record is seen.
  * load gost algorithm if digest is seen before key algorithm.
  * Fix that "make install" fails due to "text file busy" error.
  * Set IPPROTO_IP6 for ipv6 sockets otherwise invalid argument error.
  * wait for sendto to drain socket buffers when they are full.
  * Neater cmdline_verbose increment patch from Edgar Pettijohn.
  * Made netbsd sendmsg test nonfatal, in case of false positives.
  * [bugzilla: 741 ] Fix: log message for dnstap socket connection is
    more clear.
  * [bugzilla: 734 ] Fix: chown the pidfile if it resides inside the
    chroot.
  * Fix cmsg alignment for argument to sendmsg on NetBSD.
  * Fix that unbound complains about unimplemented IP_PKTINFO for
    sendmsg on NetBSD (for interface-automatic).
  * [bugzilla: 738 ] Fix: Swig should not be invoked with CPPFLAGS.
  * Squelch 'cannot assign requested address' log messages unless
    verbosity is high, it was spammed after network down.
  * Fix to simplify empty string checking from Michael McConville.
  * [bugzilla: 734 ] Fix: Do not log an error when the PID file cannot
    be chown'ed. Patch from Simon Deziel.
  * Fix test if -pthreads unused to use better grep for portability.
  * Fix mingw crosscompile for recent mingw.
  * Update aclocal, autoconf output with new versions (1.15, 2.4.6).
  * Define DEFAULT_SOURCE together with BSD_SOURCE when that is defined,
    for Linux glibc 2.20.
  * Fixup contrib/aaaa-filter-iterator.patch for moved contents in the
    source code, so it applies cleanly again. Removed unused variable
    warnings.
  * [bugzilla: 729 ] Fix: omit use of escape sequences in echo since
    they are not portable (unbound-control-setup).
  * remove NULL-checks before free, patch from Michael McConville.
  * updated ax_pthread.m4 to version 21 with clang support, this removes
    a warning from compilation.
  * OSX portability, detect if sbrk is deprecated.
  * OSX clang, stop -pthread unused during link stage warnings.
  * OSX clang new flto check.
  * iana portlist update.

-------------------------------------------------------------------
Tue Feb 23 16:03:46 UTC 2016 - mrueckert@suse.de

- also conflict the shlib package

-------------------------------------------------------------------
Mon Feb 22 15:22:05 UTC 2016 - mrueckert@suse.de

- add libunbound-devel-mini-rpmlintrc as source

-------------------------------------------------------------------
Wed Feb 17 15:55:34 UTC 2016 - mrueckert@suse.de

- revert the previous change which would not solve the problem as
  the library package requires the unbound-anchor package.
  instead introduce a libunbound-devel-mini package which holds the
  shared library and devel files with a minimal build requires.

-------------------------------------------------------------------
Thu Feb 4 13:01:35 UTC 2016 - meissner@suse.com

- split off a libunbound package with less buildrequires to
  allow shorter buildcycles when built by gnutls. bsc#964346

-------------------------------------------------------------------
Thu Dec 10 11:48:46 UTC 2015 - michael@stroeder.com

- update to 1.5.7

  Features
  * Fix #594. libunbound: optionally use libnettle for crypto.
    Contributed by Luca Bruno. Added --with-nettle for use with
    --with-libunbound-only.
  * Implemented qname minimisation

  Bug Fixes
  * Fix #712: unbound-anchor appears to not fsync root.key.
  * Fix #714: Document config to block private-address for IPv4
    mapped IPv6 addresses.
  * portability, replace snprintf if return value broken
  * portability fixes.
  * detect libexpat without xml_StopParser function.
  * isblank() compat implementation.
  * patch from Doug Hogan for SSL_OP_NO_SSLvx options.
  * Fix #716: nodata proof with empty non-terminals and wildcards.
  * Fix #718: Fix unbound-control-setup with support for env
    without HEREDOC bash support.
  * ACX_SSL_CHECKS no longer adds -ldl needlessly.
  * Change example.conf: ftp.internic.net to https://www.internic.net
  * Fix for lenient accept of reverse order DNAME and CNAME.
  * spelling fixes from Igor Sobrado Delgado.
  * Fix that malformed EDNS query gets a response without malformed EDNS.
  * Added assert on rrset cache correctness.
  * Fix #720: add windows scripts to zip bundle,
    and fix unbound-control-setup windows batch file.
  * Fix for #724: conf syntax to read files from run dir (on Windows).
    And fix PCA prompt for unbound-service-install.exe.
    And add Changelog to windows binary dist.
  * .gitignore for git users.
  * iana portlist update.
  * Removed unneeded whitespace from example.conf.
  * Do not minimise forwarded requests.
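The QNAME minimisation behaviour spread over the 1.5.7, 1.5.9 and 1.5.10 entries above (minimise, but not forwarded requests; cap the number of iterations; send the intermediate queries with QTYPE=A; stop minimising once a QNAME/QTYPE pair has timed out more than three times), as an added Python model that is not Unbound's code. MAX_ITERATIONS = 10 and the example names are assumptions: the entries say a limit exists but give no number.

```python
"""Added example, not Unbound's code: which name and type a minimising
resolver sends next, per the 1.5.7 / 1.5.9 / 1.5.10 changelog entries."""

QTYPE_A = 1
MAX_TIMEOUTS = 3          # "more than three" time-outs ends minimisation
MAX_ITERATIONS = 10       # assumed value; the entries only say a limit exists


def _labels(name: str) -> list:
    return [l for l in name.rstrip(".").split(".") if l]


def _join(labels: list) -> str:
    return ".".join(labels) + "." if labels else "."


def next_query(qname: str, qtype: int, zone_cut: str, iteration: int = 0,
               timeouts: int = 0, forwarded: bool = False) -> tuple:
    """(name, type) to send next toward the servers of zone_cut.

    zone_cut is the closest delegation already known for qname; iteration
    i reveals i+1 labels below it.  timeouts counts time-outs seen for the
    current QNAME/QTYPE pair.  The full name with the real type is sent
    when minimisation does not apply (forwarded request) or is abandoned
    (too many time-outs, too many iterations, nothing left to hide)."""
    full, cut = _labels(qname), _labels(zone_cut)
    if cut and full[len(full) - len(cut):] != cut:
        raise ValueError("zone_cut is not a suffix of qname")
    give_up = forwarded or timeouts > MAX_TIMEOUTS or iteration >= MAX_ITERATIONS
    reveal = len(cut) + iteration + 1            # labels sent this round
    if give_up or reveal >= len(full):
        return _join(full), qtype
    return _join(full[len(full) - reveal:]), QTYPE_A


def plan(qname: str, qtype: int, zone_cut: str, forwarded: bool = False) -> list:
    """Query sequence on the happy path (no time-outs, every reply lets the
    resolver go one label deeper), ending with the full query."""
    out, i = [], 0
    while True:
        q = next_query(qname, qtype, zone_cut, iteration=i, forwarded=forwarded)
        out.append(q)
        if q[0] == _join(_labels(qname)):
            return out
        i += 1


if __name__ == "__main__":
    for q in plan("www.sub.example.com.", 28, "example.com."):   # constructed names
        print(q)
    print(next_query("www.sub.example.com.", 28, "example.com.", timeouts=4))
```

The iteration cap is what bounds the work an attacker-controlled name with dozens of labels can cause, and the time-out cap is what keeps a server that drops the shortened A queries from stalling resolution; both fall back to the plain full query.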

-------------------------------------------------------------------
Thu Oct 15 19:31:43 UTC 2015 - michael@stroeder.com

- update to 1.5.6
  Features
  - Default for ssl-port is port 853, the temporary port assignment for
    secure domain name system traffic. If you used to rely on the older
    default of port 443, you have to put a clause in unbound.conf for
    that. The new value is likely going to be the standardised port number
    for this traffic.
  - ANY responses include DNAME records if present, as per Evan Hunt's
    remark in dnsop.

  Bug Fixes
  - Fix segfault in the dns64 module in the formaterror error path.
  - Fix manpage to suggest using SIGTERM to terminate the server.
  - iana portlist update.

-------------------------------------------------------------------
Sat Oct 10 09:31:40 UTC 2015 - michael@stroeder.com

- ignore absence of the systemd-tmpfiles command

-------------------------------------------------------------------
Tue Oct 6 14:21:00 UTC 2015 - mrueckert@suse.de

- update to 1.5.5
  Features
  - Change default of harden-algo-downgrade to off. This is lenient
    for algorithm rollover.
  - Added permit-small-holddown config to debug fast 5011 rollover.
  - Allow certificate chain files to allow for intermediate
    certificates. (thanks Daniel Kahn Gillmor)
  - Enable ECDHE for servers. Where available, use
    SSL_CTX_set_ecdh_auto() for TLS-wrapped server configurations
    to enable ECDHE. Otherwise, manually offer curve p256. Client
    connections should automatically use ECDHE when available.
    (thanks Daniel Kahn Gillmor)
  - Feature --enable-pie option that builds PIE binary.
    [bugzilla: 699 ]
  - Feature --enable-relro-now option that enables full read-only
    relocation. [bugzilla: 700 ]
  - New IPs for h.root-servers.net. [bugzilla: 702 ]
  Bug Fixes
  - Fix setting forwarders with unbound-control forward implicitly
    turns on forward-first. [bugzilla: 681 ]
  - Fix that reload fails when so-reuseport is yes after changing
    num-threads. [bugzilla: 690 ]
  - please afl-gcc (llvm) for uninitialised variable warning.
  - Fix mktime in unbound-anchor not using UTC.
  - Fix 5011 anchor update timer after reload.
  - 5011 implementation does not insist on all algorithms, when
    harden-algo-downgrade is turned off.
  - Document in the manual more text about configuring locally
    served zones.
  - Document that local-zone nodefault matches exactly and
    transparent can be used to release a subzone.
  - Fix that configure script does not detect LibreSSL 2.2.2
    [bugzilla: 694 ]
  - Fix deadlock for local data add and zone add when
    unbound-control list_local_data printout is interrupted.
  - Fix get PY_MAJOR_VERSION failure at configure for python 2.4 to
    2.6. [bugzilla: 697 ]
  - changed windows setup compression to be more transparent.
  - Fix config globbed include chroot treatment, this fixes reload
    of globs (patch from Dag-Erling Smørgrav).
  - Fix ub_ctx_set_fwd() return value mishandled on windows.
    [bugzilla: 705 ]
  - Fix minor error in unbound.conf.5.in.
  - Fix unbound.conf(5) access-control description for precedence
    and default.
  - Fix unbound-control flush that does not succeed in removing
    data.
  - MAX_TARGET_COUNT increased to 64, to fix up sporadic resolution
    failures.
  - iana portlist update.
- remove manual hacks for relro,now and pie and replace them with
  official configure options.

-------------------------------------------------------------------
Fri Sep 4 13:37:38 UTC 2015 - mrueckert@suse.de

- enable event api
- enable dnstap support

-------------------------------------------------------------------
Thu Jul 9 10:16:32 UTC 2015 - michael@stroeder.com

- update to 1.5.4

  Features
  - [bugzilla: 644 ] harden-algo-downgrade option, if turned off,
    fixes the reported excessive validation failure when multiple
    algorithms are present. If set to 'no', it allows the weakest
    algorithm to validate the zone.
  - stats reports tcp usage, of incoming-num-tcp buffers.
  - contrib/unbound_smf22.tar.gz: Solaris SMF installation/removal
    scripts. Contributed by Yuri Voinov.
  - Add ip-transparent config option for bind to non-local addresses.
  - Synthesize ANY responses from cache. Does not search exhaustively,
    but MX,A,AAAA,SOA,NS also CNAME.
  - unbound-control list_insecure command shows the negative trust
    anchors currently configured, patch from Jelte Jansen.
  - ratelimit feature, ratelimit: 1000, can be used to turn it on. It
    ratelimits recursion effort per zone. For particular names you can
    configure exceptions in unbound.conf.
  - Ratelimit does not apply to prefetched queries, and
    ratelimit-factor is default 10. Repeated normal queries get resolved
    and with prefetch stay in the cache.
  - unbound-control ratelimit_list lists high rate domains.
  - caps-whitelist in unbound.conf allows whitelist of loadbalancers
    that cannot work with caps-for-id or its fallback.
  - RFC 7553 RR type URI support, is now enabled by default.
  - cache-max-negative-ttl config option, default 3600.
  - Add local-zone type inform_deny, that logs query and drops answer.

  Bug Fixes
  - Unbound exits with a fatal error when the auto-trust-anchor-file
    fails to be writable. This is seconds after startup. You can load a
    readonly auto-trust-anchor-file with trust-anchor-file. The file has
    to be writable to notice the trust anchor change, without it, a trust
    anchor change will be unnoticed and the system will then become
    inoperable.
  - DLV is going to be decommissioned. Advice to stop using it, and
    put text in the example configuration and man page to that effect.
  - Patch from Brad Smith that syncs compat/getentropy_linux with
    OpenBSD's version (2015-03-04).
  - 0x20 fallback improved: servfail responses do not count as missing
    comparisons (except if all responses are errors), inability to find
    nameservers does not fail equality comparisons, many nameservers does
    not try to compare more than max-sent-count, parse failures start 0x20
    fallback procedure.
  - store caps_response with best response in case downgrade response
    happens to be the last one.
  - Document that incoming-num-tcp increase is good for large servers.
  - Fix lintian warning in unbound-checkconf man page (from Andreas
    Schulze).
  - Updated default keylength in unbound-control-setup to 3k.
  - Fixup compile on cygwin, more portable openssl thread id.
  - Use reallocarray for integer overflow protection, patch submitted
    by Loganaden Velvindron.
  - Fixed to add integer overflow checks on allocation (defense in depth).
  - Fix segfault on user not found at startup (from Maciej Soltysiak).
  - [bugzilla: 657 ] Fix that libunbound(3) recommends deprecated
    CRYPTO_set_id_callback.
  - If unknown trust anchor algorithm, and libressl is used, error
    message encourages upgrade of the libressl package.
  - rename ldns subdirectory to sldns to avoid name collision.
  - [bugzilla: 660 ] Fix interface-automatic broken in the presence of
    asymmetric routing.
  - Libunbound skips dos-line-endings from etc/hosts.
  - Fix crash in dnstap: Do not try to log TCP responses after timeout.
  - Fix that get_option for cache-sizes does not print double newline.
  - [bugzilla: 663 ] Fix that ssl handshake fails when using unix
    socket because dh size is too small.
  - [bugzilla: 664 ] libunbound python3 related fixes (from Tomas
    Hozza); Use print_function also for Python2. libunbound examples:
    produce sorted output. libunbound-Python: libldns is not used anymore.
    Fix issue with Python 3 mapping of FILE* using file_py3.i from ldns.
  - Fix leaked dns64prefix configuration string.
  - Removed contrib/unbound_unixsock.diff, because it has been
    integrated, use control-interface: /path in unbound.conf.
  - Change syntax of particular validator error to be easier for
    machine parse, swap rrset and ip address info so it looks like:
    validation failure <www.example.nl. TXT IN>: signature crypto failed
    from 2001:DB8:7:bba4::53 for <*.example.nl. NSEC IN>
  - Fix that unparseable error responses are ratelimited.
  - SOA negative TTL is capped at minimumttl in its rdata section.
  - [bugzilla: 674 ] Do not free pointers given by getenv.
  - [bugzilla: 677 ] Fix CNAME corresponding to a DNAME was checked
    incorrectly and was therefore always synthesized (thanks to Valentin
    Dietrich). And fix DNAME responses from cache that failed internal
    chain test.
  - iana portlist update.

-------------------------------------------------------------------
Fri Apr 24 13:53:53 UTC 2015 - michael@stroeder.com

- update to 1.5.3
  - Bug Fixes
    [bugzilla: 647 ] Fix #647 crash in 1.5.2 because pwd.db no longer
    accessible after reload.
    [bugzilla: 645 ] Fix #645 Portability to Solaris 10, use AF_LOCAL.
    [bugzilla: 646 ] Fix #646 Portability to Solaris, -lrt for
    getentropy_solaris.
    Use the getrandom syscall introduced in Linux 3.17 (from Heiner Kallweit).
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
Thu Feb 19 23:35:58 UTC 2015 - mrueckert@suse.de

- update to 1.5.2
- Features
  - local-zone: example.com inform makes unbound log a message
    with client IP for queries in that zone. E.g. for finding
    infected hosts.
  - patch from Stephane Lapie that adds struct delegpt and the
    find_delegation function to the python API.
  - Updated contrib warmup.cmd/sh to support two modes - load
    from pre-defined list of domains or (with filename as
    argument) load from user-specified list of domains, and
    updated contrib unbound_cache.sh/cmd to support
    loading/save/reload cache to/from default path or (with
    secondary argument) arbitrary path/filename, from Yuri
    Voinov.
  - patch for remote control over local sockets, from Dag-Erling
    Smorgrav, Ilya Bakulin. Use control-interface: /path/sock and
    control-use-cert: no.
  - unbound-checkconf -f prints chroot with pidfile path.
  - infra-cache-min-rtt patch from Florian Riehm, for expected
    long uplink roundtrip times.
- Bug Fixes
  - config.guess and config.sub update from libtoolize.
  - getauxval test for ppc64 linux compatibility.
  - make strip works for unbound-host and unbound-anchor.
  - print query name when max target count is exceeded.
  - patch from Stuart Henderson that fixes DESTDIR in
    unbound-control-setup for installs where config is not in the
    prefix location.
  - [bugzilla: 634 ] Fix #634: fix fail to start on Linux LTS
    3.14.X, ignores missing IP_MTU_DISCOVER OMIT option (fix from
    Remi Gacogne).
  - Patch from Philip Paeps to contrib/unbound_munin_ that uses
    type ABSOLUTE. Allows munin.conf: [idleserver.example.net]
    unbound_munin_hits.graph_period minute
  - Fix pyunbound ord call, portable for python 2 and 3.
  - Fix unintended use of gcc extension for incomplete enum
    types, compile with pedantic c99 compliance (from Daniel
    Dickman).
  - Fix pyunbound byte string representation for python3.
  - Fix 0x20 capsforid fallback to omit gratuitous NS and
    additional section changes.
  - Fix validation failure in case upstream forwarder (ISC BIND)
    does not have the same trust anchors and decides to insert
    unsigned NS record in authority section.
  - Fix scrubber with harden-glue turned off to reject NS (and
    other not-address) records.
  - iana portlist update.
  - [bugzilla: 643 ] Fix doc/example.conf.in: unnecessary
    whitespace.

-------------------------------------------------------------------
Mon Dec 8 16:12:23 UTC 2014 - mrueckert@suse.de

- update to 1.5.1 (boo# 908990)
  Features
  - Patch from Stephane Lapie for ASAHI Net that implements
    aaaa-filter, added to contrib/aaaa-filter-iterator.patch.
  Bug Fixes
  - Fix that CD flag disables DNS64 processing, returning the
    DNSSEC signed AAAA denial.
  - Fix compat/getentropy_win.c check if CryptGenRandom works and
    no immediate exit on windows.
  - Fix crash on multiple thread random usage on systems without
    arc4random.
  - Fix log at high verbosity and memory allocation failure.
  - Fix libunbound undefined symbol errors for main.
  - Patch from Robert Edmonds to build pyunbound python module
    differently. No versioninfo, with -shared and without $(LIBS).
  - Patch from Robert Edmonds fixes hyphens in unbound-anchor man
    page.
  - Removed 'increased limit open files' log message that is
    written to console. It is only written on verbosity 4 and
    higher. This keeps system bootup console cleaner.
  - Patch from James Raftery, always print stats for rcodes 0..5.
  - [bugzilla: 627 ] Fix SSL_CTX_load_verify_locations return code
    not properly checked.
  - Fix makefile for build from noexec source tree.
  - Add include to getentropy_linux.c, fixing debian build.
  - [bugzilla: 632 ] Fix that unbound fails to build on AArch64,
    protects getentropy compat code from calling sysctl if it
    has been removed.
  - Fix CVE-2014-8602: denial of service by making resolver chase
    endless series of delegations.
- changes in 1.5.0
  Features
  - This release has DNS64, DNSTAP, better random numbers and
    ub_ctx_add_ta_autr(), num.query.tcpout=value, flush_negative,
    unblock-lan-zones conf.
  - C.ROOT-SERVERS.NET has an IPv6 address, and we updated the root
    hints (patch from Anand Buddhdev).
  - Patch from Hannes Frederic Sowa for Linux 3.15 fragmentation
    option for DNS fragmentation defense.
  - unbound-control stats prints num.query.tcpout with number of
    TCP outgoing queries made in the previous statistics interval.
  - Patch from Jeremie Courreges-Anglas to use arc4random_uniform
    if available on the OS, it gets entropy from the OS.
  - Add unbound-control flush_negative that flushes nxdomains,
    nodata, and errors from the cache. For dnssec-trigger and
    NetworkManager, fixes cases where network changes have
    localdata that was already negatively cached from the previous
    network.
  - Contrib windows scripts from Yuri Voinov added to src/contrib:
    create_unbound_ad_servers.cmd: enters anti-ad server lists.
    unbound_cache.cmd: saves and loads the cache. Also warmup.cmd
    (and .sh): warm up the DNS cache with your MRU domains.
  - Added unbound-control-setup.cmd from Yuri Voinov to the windows
    unbound distribution set. It requires openssl installed in
    %PATH%.
  - Implement draft-ietf-dnsop-rfc6598-rfc6303-01.
  - Feature, unblock-lan-zones: yesno that you can use to make
    unbound perform 10.0.0.0/8 and other reverse lookups normally,
    for use if unbound is running service for localhost on localhost.
  - unbound-host -D enables dnssec and reads root trust anchor from
    the default root key file that was compiled in.
  - Add AAAA for B root server to default root hints.
  - unbound-control status reports if so-reuseport was successful.
  - so-reuseport is available on BSDs (such as FreeBSD 10) and OS X.
  - arc4random in compat/ and getentropy, explicit_bzero, chacha
    for dependencies, from OpenBSD. arc4_lock and sha512 in compat.
    This makes arc4random available on all platforms, except when
    compiled with LIBNSS (it uses libNSS crypto random).
  - Patch from Dag-Erling Smorgrav that implements that: unbound
    -dd does not fork in the background and also logs to stderr.
  - DNS64 from Viagenie (BSD Licensed), written by Simon Perrault.
    Initial commit of the patch from the FreeBSD base (with its
    fixes). This adds a module (for module-config in unbound.conf)
    dns64 that performs DNS64 processing, see README.DNS64.
  - Patch adds msg, rrset, infra and key cache sizes to stats
    command, from Maciej Soltysiak.
  - DNSTAP support, with a patch from Farsight Security, written by
    Robert Edmonds. The --enable-dnstap needs libfstrm and
    protobuf-c. It is BSD licensed (see dnstap/dnstap.c). Also
    --with-libfstrm and --with-protobuf-c configure options.
  - CDS and CDNSKEY types.
  - Updated the TCP_BACKLOG from 5 to 256, so that the tcp accept
    queue is longer and more tcp connections can be handled.
  - Add ub_ctx_add_ta_autr function to add a RFC5011 automatically
    tracked trust anchor to libunbound.
  Bug Fixes
  - Fix print filename of encompassing config file on read failure.
  - Patch from Stuart Henderson to build unbound-host man from
    .1.in.
  - [bugzilla: 569] Fix do_tcp is do-tcp in unbound.conf man page.
  - [bugzilla: 572] Fix unit test failure for systems with
    different /etc/ services.
  - iana portlist updated.
  - [bugzilla: 574] Fix make test fails on Ubuntu 14.04. Disabled
    remote-control in testbound scripts.
  - Documented that dump_requestlist only prints queries from
    thread 0.
  - [bugzilla: 567] Fix unbound lists if forward zone is secure or
    insecure with +i annotation in output of list_forwards, also
    for list_stubs (for NetworkManager integration). And remove ':'
    from output of stub and forward lists, this is easier to parse.
  - [bugzilla: 554] Fix use unsigned long to print 64bit statistics
    counters on 64bit systems.
  - [bugzilla: 558] Fix failed prefetch lookup does not remove
    cached response but delays next prefetch (in lieu of caching a
    SERVFAIL).
  - [bugzilla: 545] Fix improved logging, the ip address of the
    error is printed on the same log-line as the error.
  - [bugzilla: 502] Fix explain that do-ip6 disable does not stop
    AAAA lookups, but it stops the use of the ipv6 transport layer
    for DNS traffic.
  - Fix compile with libevent2 on FreeBSD.
  - Change MAX_SENT_COUNT from 16 to 32 to resolve some cases easier.
  - Fixup out-of-directory compile with unbound-control-setup.sh.in.
  - Code cleanup patch from Dag-Erling Smorgrav, with compiler
    issue fixes from FreeBSD's copy of Unbound, he notes: Generate
    unbound-control-setup.sh at build time so it respects prefix
    and sysconfdir from the configure script. Also fix the umask
    to match the comment, and the comment to match the umask. Add
    const and static where needed. Use unions instead of playing
    pointer poker. Move declarations that are needed in multiple
    source files into a shared header. Move sldns_bgetc() from
    parse.c to buffer.c where it belongs. Introduce a new header
    file, worker.h, which declares the callbacks that all workers
    must define. Remove those declarations from libworker.h.
    Include the correct headers in the correct places. Fix a few
    dummy callbacks that don't match their prototype. Fix some
    casts. Hide the sbrk madness behind #ifdef HAVE_SBRK. Remove a
    useless printf which breaks reproducible builds. Get rid of
    CONFIGURE_{TARGET,DATE,BUILD_WITH} now that they're no longer
    used. Add unbound-control-setup.sh to the list of generated
    files. The prototype for libworker_event_done_cb() needs to be
    moved from libunbound/libworker.h to libunbound/worker.h.
  - Fix caps-for-id fallback, and added fallback attempt when
    servers drop 0x20 perturbed queries.
  - [bugzilla: 593] Fix segfault or crash upon rotating logfile.
  - fake-rfc2553 patch (thanks Benjamin Baier).
  - LibreSSL provides compat items, check for that in configure.
  - [bugzilla: 596] Bail out of unbound-control list_local_zones
    when ssl write fails.
  - Fix endian.h include for OpenBSD.
  - [bugzilla: 603] Fix unbound-checkconf -o option should skip
    verification checks.
  - Fixup doc/unbound.doxygen to remove obsolete 1.8.7 settings.
  - Update unbound manpage with more explanation (from Florian Obser).
  - Fix tcp timer waiting list removal code.
  - patches to also build with Python 3.x (from Pavel Simerda).
  - improve python configuration detection to build on Fedora 22.
  - Fix swig and python examples for Python 3.x.
  - Fix for mingw compile with openssl-1.0.1i.
  - [bugzilla: 612] Fix create service with service.conf in present
    directory and auto load it.
  - [bugzilla: 613] Allow tab ws in var length last rdfs (in ldns
    str2wire).
  - [bugzilla: 614] Fix man page variable substitution bug.
  - Whitespaces after $ORIGIN are not part of the origin dname
    (ldns).
  - $TTL's value starts at position 5 (ldns).
  - Fix unbound-checkconf check for module config with dns64
    module.
  - Fix unbound capsforid fallback, it ignores TTLs in comparison.
  - [bugzilla: 617] Fix in ldns in unbound, lowercase WKS services.
  - Fix ctype invocation casts.
  - Disabled use of SSLv3 in remote-control and ssl-upstream.
  - Redefine internal minievent symbols to unique symbols that
    helps linking on platforms where the linker leaks names across
    modules.
  - Fix bug where forward or stub addresses with same address but
    different port number were not tried.

-------------------------------------------------------------------
Mon Nov 10 00:45:00 UTC 2014 - Led <ledest@gmail.com>

- fix bashisms in pre script

-------------------------------------------------------------------
Fri Sep 5 13:32:55 UTC 2014 - darin@darins.net

- cleanup .spec
- removed unused packages

-------------------------------------------------------------------
Tue Sep 2 13:21:55 UTC 2014 - darin@darins.net

- disable %check until https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=602 is fixed

-------------------------------------------------------------------
Wed Aug 20 13:34:00 UTC 2014 - darin@darins.net

- Added firewall service file

-------------------------------------------------------------------
Wed Aug 13 20:00:21 UTC 2014 - darin@darins.net

- update to 1.4.22
- use /run for pid to clear dir-or-file-in-var-run in factory

-------------------------------------------------------------------
Sat Dec 28 13:32:06 UTC 2013 - mrueckert@suse.de

- fixed the execstartpre for unbound so we actually call
  unbound-anchor now.

-------------------------------------------------------------------
Sat Dec 28 13:29:56 UTC 2013 - mrueckert@suse.de

- fixed a few rpmlint warnings
- added unbound-rpmlintrc: files duplicate on those man page
  links
- changed symlink to /usr/sbin/service
- improved descriptions

-------------------------------------------------------------------
Sat Dec 28 04:02:56 UTC 2013 - mrueckert@suse.de

- update to 1.4.21
  merged lots of stuff from the fedora package
- added python/munin/shlib/anchor subpackages
- currently the package only supports systemd

-------------------------------------------------------------------
Wed May 21 03:50:15 CEST 2008 - mrueckert@suse.de

- initial package