c7307c6222
update to 1.14.0 OBS-URL: https://build.opensuse.org/request/show/937761 OBS-URL: https://build.opensuse.org/package/show/server:dns/unbound?expand=0&rev=143
3181 lines
152 KiB
Plaintext
3181 lines
152 KiB
Plaintext
-------------------------------------------------------------------
|
||
Thu Dec 9 11:14:33 UTC 2021 - Michael Ströder <michael@stroeder.com>
|
||
|
||
- update to 1.14.0
|
||
|
||
Features
|
||
- Merge #401: RPZ triggers. This add additional RPZ triggers,
|
||
unbound supports a full set of rpz triggers, and this now
|
||
includes nsdname, nsip and clientip triggers. Also actions
|
||
are fully supported, and this now includes the tcp-only action.
|
||
- Merge #519: Support for selective enabling tcp-upstream for
|
||
stub/forward zones.
|
||
- Merge PR #514, from ziollek: Docker environment for run tests.
|
||
- Support using system-wide crypto policies.
|
||
- Fix that --with-ssl can use "/usr/include/openssl11" to pass the
|
||
location of a different openssl version.
|
||
- Merged #41 from Moritz Schneider: made outbound-msg-retry
|
||
configurable.
|
||
- Implement RFC8375: Special-Use Domain 'home.arpa.'.
|
||
- Merge PR #555 from fobser: Allow interface names as scope-id in IPv6
|
||
link-local addresses.
|
||
|
||
Bug Fixes
|
||
- Add test tool readzone to .gitignore.
|
||
- Merge #521: Update mini_event.c.
|
||
- Merge #523: fix: free() call more than once with the same pointer.
|
||
- For #519: note stub-tcp-upstream and forward-tcp-upstream in
|
||
the example configuration file.
|
||
- For #519: yacc and lex. And fix python bindings, and test program
|
||
unbound-dnstap-socket.
|
||
- For #519: fix comments for doxygen.
|
||
- Fix to print error from unbound-anchor for writing to the key
|
||
file, also when not verbose.
|
||
- For #514: generate configure.
|
||
- Fix for #431: Squelch permission denied errors for udp connect,
|
||
and udp send, they are visible at higher verbosity settings.
|
||
- Fix zonemd verification of key that is not in DNS but in the zone
|
||
and needs a chain of trust.
|
||
- zonemd, fix order of bogus printout string manipulation.
|
||
- Fix to support harden-algo-downgrade for ZONEMD dnssec checks.
|
||
- Merge PR #528 from fobser: Make sldns_str2wire_svcparam_buf()
|
||
static.
|
||
- Fix #527: not sending quad9 cert to syslog (and may be more).
|
||
- Fix sed script in ssldir split handling.
|
||
- Fix #529: Fix: log_assert does nothing if UNBOUND_DEBUG is
|
||
undefined.
|
||
- Fix #531: Fix: passed to proc after free.
|
||
- Fix #536: error: RPZ: name of record (drop.spamhaus.org.rpz.local.)
|
||
to insert into RPZ.
|
||
- Fix the stream wait stream_wait_count_lock and http2 buffer locks
|
||
setup and desetup from race condition.
|
||
- Fix RPZ locks. Do not unlock zones lock if requested and rpz find
|
||
zone does not find the zone. Readlock the clientip that is found
|
||
for ipbased triggers. Unlock the nsdname zone lock when done.
|
||
Unlock zone and ip in rpz nsip and nsdname callback. Unlock
|
||
authzone and localzone if clientip found in rpz worker call.
|
||
- Fix compile warning in libunbound for listen desetup routine.
|
||
- Fix asynclook unit test for setup of lockchecks before log.
|
||
- Fix #533: Negative responses get cached even when setting
|
||
cache-max-negative-ttl: 1
|
||
- Fix tcp fastopen failure when disabled, try normal connect instead.
|
||
- Fix #538: Fix subnetcache statistics.
|
||
- Small fixes for #41: changelog, conflicts resolved,
|
||
processQueryResponse takes an iterator env argument like other
|
||
functions in the iterator, no colon in string for set_option,
|
||
and some whitespace style, to make it similar to the rest.
|
||
- Fix for #41: change outbound retry to int to fix signed comparison
|
||
warnings.
|
||
- Fix root_anchor test to check with new icannbundle date.
|
||
- Fix initialisation errors reported by gcc sanitizer.
|
||
- Fix lock debug code for gcc sanitizer reports.
|
||
- Fix more initialisation errors reported by gcc sanitizer.
|
||
- Fix crosscompile on windows to work with openssl 3.0.0 the
|
||
link with ws2_32 needs -l:libssp.a for __strcpy_chk.
|
||
Also copy results from lib64 directory if needed.
|
||
- For crosscompile on windows, detect 64bit stackprotector library.
|
||
- Fix crosscompile shell syntax.
|
||
- Fix crosscompile windows to use libssp when it exists.
|
||
- For the windows compile script disable gost.
|
||
- Fix that on windows, use BIO_set_callback_ex instead of deprecated
|
||
BIO_set_callback.
|
||
- Fix crosscompile script for the shared build flags.
|
||
- Fix to add example.conf note for outbound-msg-retry.
|
||
- Fix chaos replies to have truncation for short message lengths,
|
||
or long reply strings.
|
||
- Fix to protect custom regional create against small values.
|
||
- Fix #552: Unbound assumes index.html exists on RPZ host.
|
||
- Fix that forward-zone name is documented as the full name of the
|
||
zone. It is not relative but a fully qualified domain name.
|
||
- Fix analyzer review failure in rpz action override code to not
|
||
crash on unlocking the local zone lock.
|
||
- Fix to remove unused code from rpz resolve client and action
|
||
function.
|
||
- Merge #565: unbound.service.in: Disable ProtectKernelTunables again.
|
||
- Fix for #558: fix loop in comm_point->tcp_free when a comm_point is
|
||
reclaimed more than once during callbacks.
|
||
- Fix for #558: clear the UB_EV_TIMEOUT bit before adding an event.
|
||
- Improve EDNS option handling, now also works for synthesised
|
||
responses such as local-data and server.id CH TXT responses.
|
||
- Merge PR #570 from rex4539: Fix typos.
|
||
- Fix for #570: regen aclocal.m4, fix configure.ac for spelling.
|
||
- Fix to make python module opt_list use opt_list_in.
|
||
- Fix #574: unbound-checkconf reports fatal error if interface names
|
||
are used as value for interfaces:
|
||
- Fix #574: Review fixes for it.
|
||
- Fix #576: [FR] UB_* error codes in unbound.h
|
||
- Fix #574: Review fix for spelling.
|
||
- Fix to remove git tracking and ci information from release tarballs.
|
||
- iana portlist update.
|
||
- Merge PR #511 from yan12125: Reduce unnecessary linking.
|
||
- Merge PR #493 from Jaap: Fix generation of libunbound.pc.
|
||
- Merge PR #562 from Willem: Reset keepalive per new tcp session.
|
||
- Merge PR #522 from sibeream: memory management violations fixed.
|
||
- Merge PR #530 from Shchelk: Fix: dereferencing a null pointer.
|
||
- Fix #454: listen_dnsport.c:825: error: ‘IPV6_TCLASS’ undeclared.
|
||
- Fix #574: Review fixes for size allocation.
|
||
- Fix doc/unbound.doxygen to remove obsolete tag warning.
|
||
|
||
-------------------------------------------------------------------
|
||
Sat Oct 16 10:34:52 UTC 2021 - Togan Muftuoglu <toganm@opensuse.org>
|
||
|
||
- Fix pidfile location
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Aug 12 18:02:18 UTC 2021 - Michael Ströder <michael@stroeder.com>
|
||
|
||
- update to 1.13.2
|
||
|
||
Features
|
||
- Merge PR #317: ZONEMD Zone Verification, with RFC 8976 support.
|
||
ZONEMD records are checked for zones loaded as auth-zone,
|
||
with DNSSEC if available. There is an added option
|
||
zonemd-permissive-mode that makes it log but not fail wrong zones.
|
||
With zonemd-reject-absence for an auth-zone the presence of a
|
||
zonemd can be mandated for specific zones.
|
||
- Fix: Resolve interface names on control-interface too.
|
||
- Merge #470 from edevil: Allow configuration of persistent TCP
|
||
connections.
|
||
- Fix #474: always_null and others inside view.
|
||
- Add that log-servfail prints an IP address and more information
|
||
about one of the last failures for that query.
|
||
- Merge #478: Allow configuration of TCP timeout while waiting for
|
||
response.
|
||
- Add ./configure --with-deprecate-rsa-1024 that turns off RSA 1024.
|
||
- Move the NSEC3 max iterations count in line with the 150 value
|
||
used by BIND, Knot and PowerDNS. This sets the default value
|
||
for it in the configuration to 150 for all key sizes.
|
||
- zonemd-check: yesno option, default no, enables the processing
|
||
of ZONEMD records for that zone.
|
||
- Merge #486 by fobster: Make VAL_MAX_RESTART_COUNT configurable.
|
||
- Merge PR #491: Add SVCB and HTTPS types and handling according to
|
||
draft-ietf-dnsop-svcb-https.
|
||
- Introduce 'http-user-agent:' and 'hide-http-user-agent:' options.
|
||
|
||
Bug Fixes
|
||
- Fix for Python 3.9, no longer use deprecated functions of
|
||
PyEval_CallObject (now PyObject_Call), PyEval_InitThreads (now
|
||
none), PyParser_SimpleParseFile (now Py_CompileString).
|
||
- Merge PR #420 from dyunwei: DOH not responsing with
|
||
"http2_query_read_done failure" logged.
|
||
- Fix #422: IPv6 fallback issues when IPv6 is not properly
|
||
enabled/configured.
|
||
- Fix to make tests work with support indicators set for iterator.
|
||
- Fix build on Python 3.10.
|
||
- Fix doxygen and pydoc warnings.
|
||
- Fix #429: rpz: url: with https: broken (regression in 1.13.1).
|
||
- rpz skip nsec3param records, and nicer log for unsupported actions.
|
||
- Fix #431: Squelch permission denied errors for tcp connect
|
||
and udp connect from the logs, unless at high verbosity.
|
||
- Fix for zonemd, that nxdomain for the chain of trust is allowed
|
||
for island zones, it is treated as an insecure zone for verification.
|
||
- Fix for zonemd, that domain-insecure zones work without dnssec.
|
||
- Fix for zonemd, do not reject insecure result from trust anchor
|
||
validation step in dnssec chain of trust.
|
||
- On startup of unbound it checks if rlimits on memory size look
|
||
sufficient for the configured cache size, and logs warning if not.
|
||
- Fix function documentation.
|
||
- Fix unit test for added ulimit checks.
|
||
- spelling fix in header.
|
||
- Fix #384: (1) A minor request to improve the log (2) A minor bug in one
|
||
log message.
|
||
- ipsecmod: Better logging for detecting a cycle when attaching the
|
||
A/AAAA subquery.
|
||
- Merge PR #367 : DNSTAP log local address. With code from PR #365
|
||
and fixes #368 : dnstap does not log the DNS message ID for
|
||
FORWARDER_QUERY.
|
||
- Fix to allow rpz with wildcard that applies to all TLDs at once.
|
||
- Fix for #367: rc_ports don't have ub_sock; skip cleaning up.
|
||
- Fix spurious errors about "Could not generate request: out of
|
||
memory". The mesh detect cycle routine no longer wrongly stops
|
||
the check when the calling mesh state is unique.
|
||
- Workaround for #439: prevent loops in the reuse rbtree.
|
||
- Debug output for #411 and #439: printout internal error and details.
|
||
- Fix parse of LOC RR type for decimetres.
|
||
- Fix #441: Minimal NSEC range not accepted for top level domains.
|
||
- Fix for #447: squelch connection refused tcp connection failures
|
||
from the log, unless verbosity is high.
|
||
- Merge #449 from orbea: build: Add missing linker flags.
|
||
- Comment out nonworking OSX and IOS travis tests, vm fails to start.
|
||
- Fix compile error in listen_dnsport on Android.
|
||
- Fix memory leak reported by asan in rpz SOA record query name.
|
||
- Fix unused-function warning when compiling with --enable-dnscrypt.
|
||
- Fix for #367: fix memory leak when cannot bind to listening port.
|
||
- Reformat pythonmod/pythonmod_utils.{c,h}.
|
||
- Travis enable all tests again. Clang analyzer only a couple times,
|
||
when there is a difference. homebrew updates disabled, so it does
|
||
not hang. removed trailing slashes from configure paths. Moved iOS
|
||
tests to allow-failure.
|
||
- travis, analyzer disabled on test without debug, that does not
|
||
run anway. Turn off failing tests except one. Update iOS test
|
||
to xcode image 12.2.
|
||
- Fix deprecation test to work for iOS TVOS and WatchOS, it uses
|
||
CFLAGS and CPPFLAGS and also checks if the item is unavailable.
|
||
- Travis, fix script to fail when tasks fail.
|
||
- Travis, fix warning in ubsan compile.
|
||
- Fix configure Targetconfiditionals.h header check, to use compile.
|
||
- Fix that cachedb does not produce empty object files when disabled.
|
||
- Fix #429: Also fix end of transfer for http download of auth zones.
|
||
- Disable the use of stack-protector for cross compiled 32-bit windows
|
||
builds; relates to #444.
|
||
- Fix stack-protector change to not override other CFLAGS options.
|
||
- Clean makedist.sh.
|
||
- Merge #460 from orbea: build: Link with the libtool archive.
|
||
- Fix to stop IPv6 PMTU discovery.
|
||
- Fix for #411: Depth protect for crash on deleted element timeout.
|
||
- rebuild configure to set EXTRALINK to libunbound.la for #460.
|
||
- Fix permission denied sendto log, squelch the log messages
|
||
unless high verbosity is set.
|
||
- Fix (increase) verbosity level for iterator error log in
|
||
processQueryTargets().
|
||
- Fix that nxdomain synthesis does not happen above the stub or
|
||
forward definition.
|
||
- Fix documentation comment for files previously residing in checkconf/.
|
||
- Remove unused functions worker_handle_reply and libworker_handle_reply.
|
||
- Merge #466 from FGasper: Support OpenSSLs that lack
|
||
SSL_get0_alpn_selected.
|
||
- Fix #468: OpenSSL 1.0.1 can no longer build Unbound.
|
||
- Further fix for #468: detect SSL_CTX_set_alpn_protos for build with
|
||
OpenSSL 1.0.1.
|
||
- Fix that testcode dohclient has OpenSSL initialisation calls.
|
||
- Fix compiler warning for signed/unsigned comparison for
|
||
max_reuse_tcp_queries.
|
||
- Fix #481: Fix comment in configuration file.
|
||
- Fix to squelch tcp socket bind failures when the interface is gone.
|
||
- Rerun flex and bison.
|
||
- Fix for #367: only attempt to get the interface for queries that are no
|
||
longer on the tcp_waiting_list.
|
||
- Add more logging for out-of-memory cases.
|
||
- Fix #485: Unbound occasionally reports broken stats.
|
||
- Remove case fallthrough from deprecate-rsa-1024 code.
|
||
- Merge PR #487: ifdef RLIMIT_AS in recently added check.
|
||
- Fix that auth-zone zonefiles use last TTL if no TTL is specified.
|
||
- Fix #489: Compile using MSYS2 MinGW 64-bit.
|
||
- Fix for #411, #439, #469: Reset the DNS message ID when moving queries
|
||
between TCP streams.
|
||
- Refactor for uniform way to produce random DNS message IDs.
|
||
- Test code has -q option for quiet output.
|
||
- Fix #492: module-config respip missing in unbound.conf.5.in man
|
||
page. Merges #494 from he32.
|
||
- For #492: Fix font highlighting for the man page on emacs.
|
||
- Merge #496 from banburybill: Use build system endianness if
|
||
available, otherwise try to work it out.
|
||
- Fix test for zonemd-check option.
|
||
- Merge #448 from shoeper: Update unbound-control.8.in, fix
|
||
rpz_disable typo.
|
||
- Fix #425: Document auth-zone supports communication with DNS
|
||
primary on nondefault port.
|
||
- Fix unused variable warning when compiling with --enable-dnstap.
|
||
- Generated lexer and parser for #486; updated example.conf.
|
||
- Fix #413 (based on patch by k-ronny): unbound: does not compile
|
||
on macOS 11.1-x86_64 host.
|
||
- Use host_os instead of target_os in configure for Darwin8 build.
|
||
- Fix #500: SPEC file in version 1.13.1 references version 1.4;
|
||
unable to build RPM from source.
|
||
- Fix contrib/unbound.spec, fixed url and comment.
|
||
- Fix configure nonblocking test and onmingw test to use host.
|
||
- Merge #440 by kimheino: Various fixes to contrib/unbound_munin_ file.
|
||
- Fix a number of warnings reported by the gcc analyzer.
|
||
- Fix #495: Documentation or implementation of "verbosity" option.
|
||
- Fix #503: DNS over HTTPS response truncated.
|
||
- Fix warnings reported by the gcc analyzer.
|
||
- Add analyzer and port compile github workflow.
|
||
- Fix up permissions on rpl data file in tests.
|
||
- Fix testbound newline treatment in moment_read and tempfile write.
|
||
- Fix configure grep for reuseport default for failure.
|
||
- Fix compat ctime_r return value
|
||
- Fix configure does not require pkg-config if not needed.
|
||
- Fix unit test in the ctime_r calls for autotrust and in testbound.
|
||
- Fix auth zone download on windows to unlink before rename.
|
||
- Fix #506: Python Module Seems to Leak Memory if it Experiences an
|
||
Unhandled Exception.
|
||
- Fix Wunused-result compile warnings.
|
||
- Fix compiler warnings for #491.
|
||
- Fix clang-analysis warnings for testcode/readzone.c.
|
||
- Merge #510 from ndptech: Don't call a function which hasn't been
|
||
defined.
|
||
- Fix for #510: in depth, use ifdefs for windows api event calls.
|
||
- Fix spelling in doc/unbound.doxygen comment.
|
||
- Fix spelling in localzone.h comment.
|
||
- Fix unbound-control local_data and local_datas to print detailed
|
||
syntax errors.
|
||
- review fix to remove duplicate error printout.
|
||
- Insert header into testcode/readzone.c, it was missing.
|
||
- Fix from lint for ignored return value.
|
||
- Fix for older parsers for function call in serve expired get cached.
|
||
- Fix that ldns_zone_new_frm_fp_l counts the line number for an empty
|
||
line after a comment.
|
||
- Merge #512: unbound.service.in: upgrade hardening to latest
|
||
standards.
|
||
- Fix readzone unknown type print for memory resize.
|
||
- Merge #513: Stream reuse, attempt to fix #411, #439, #469. This
|
||
introduces a couple of fixes for the stream reuse functionality
|
||
that could result in broken internal structures.
|
||
- Fix #515: Compilation against openssl 3.0.0 beta2 is failing to
|
||
build unbound.
|
||
- For #515: Fix compilation with openssl 3.0.0 beta2, lib64 dir and
|
||
SSL_get_peer_certificate.
|
||
- Move acx_nlnetlabs.m4 to version 41, with lib64 openssl dir check.
|
||
- Prepare for OpenSSL 3.0.0 provider API usage, move the sldns
|
||
keyraw functions to produce EVP_PKEY results.
|
||
- Move RSA and DSA to use OpenSSL 3.0.0 API.
|
||
- Move ECDSA functions to use OpenSSL 3.0.0 API.
|
||
- iana portlist update.
|
||
- Fix verbose printout failure in tcp reuse unit test.
|
||
- Merge PR #517 from dyunwei: #420 breaks the mesh reply list
|
||
function that need to reuse the dns answer.
|
||
- Annotate assertion into error printout; we think it may be an
|
||
error, but the situation looks harmless.
|
||
- Fix sign comparison warning on FreeBSD.
|
||
- Listen to read or write events after the SSL handshake.
|
||
Sticky events on windows would stick on read when write was needed.
|
||
- Merge PR #415 from sibeream: Use
|
||
/proc/sys/net/ipv4/ip_local_port_range to determine available outgoing
|
||
ports. (New --enable-linux-ip-local-port-range configuration option)
|
||
- Bump MAX_RESTART_COUNT to 11 from 8; in relation to #438. This
|
||
allows longer CNAME chains in Unbound.
|
||
- In unit test use openssl set security level to allow keys in test.
|
||
- Fix static analysis warnings about localzone locks that are unused.
|
||
- Fix missing locks in zonemd unit test.
|
||
- Fix readzone compile under debug config.
|
||
- Fix out of sourcedir run of zonemd unit tests.
|
||
- Fix libnettle zonemd unit test.
|
||
- Fix unit test zonemd_reload for use in run_vm.
|
||
- Fix #520: Unbound 1.13.2rc1 fails to build python module.
|
||
|
||
-------------------------------------------------------------------------------------
|
||
Tue May 11 21:57:51 UTC 2021 - Cristian Rodríguez <crrodriguez@opensuse.org>
|
||
|
||
- Use --disable-explicit-port-randomisation, the linux kernel
|
||
has source port randomization by default if port is 0 since ages.
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Feb 9 10:56:09 UTC 2021 - Michael Ströder <michael@stroeder.com>
|
||
|
||
- update to 1.13.1
|
||
|
||
Features
|
||
- Merge PR #375 by fhriley: Add rpz_enable and rpz_disable commands
|
||
to unbound-control.
|
||
- Merge PR #391 from fhriley: Add start_time to reply callbacks so
|
||
modules can compute the response time.
|
||
- Fix #397: [Feature request] add new type always_null to local-zone
|
||
similar to always_nxdomain.
|
||
- Support for RFC5001: DNS Name Server Identifier (NSID) Option
|
||
with the nsid: option in unbound.conf
|
||
- Padding of queries and responses with DNS over TLS as specified in
|
||
RFC7830 and RFC8467.
|
||
- Merge PR #275 from Roland van Rijswijk-Deij: Add feature to return the
|
||
original instead of a decrementing TTL ('serve-original-ttl')
|
||
|
||
Bug Fixes
|
||
- Fix #358: Squelch udp connect 'no route to host' errors on low
|
||
verbosity.
|
||
- Fix #360: for the additionally reported TCP Fast Open makes TCP
|
||
connections fail, in that case we print a hint that this is
|
||
happening with the error in the logs.
|
||
- Fix #356: deadlock when listening tcp.
|
||
- Fix unbound-dnstap-socket to not use log routine from interrupt
|
||
handler and not print so frequently when invoked in sequence.
|
||
- Fix on windows to ignore connection failure on UDP, unless verbose.
|
||
- make depend.
|
||
- Fix #371: unbound-control timeout when Unbound is not running.
|
||
- Fix to squelch permission denied and other errors from remote host,
|
||
they are logged at higher verbosity but not on low verbosity.
|
||
- Merge PR #335 from fobser: Sprinkle in some static to prevent
|
||
missing prototype warnings.
|
||
- Merge PR #373 from fobser: Warning: arithmetic on a pointer to void
|
||
is a GNU extension.
|
||
- Fix missing prototypes in the code.
|
||
- Fix error cases when udp-connect is set and send() returns an error
|
||
(modified patch from Xin Li @delphij).
|
||
- For #376: Fix that comm point event is not double removed or double
|
||
added to event map.
|
||
- iana portlist updated.
|
||
- Fix #385: autoconf 2.70 impacts unbound build
|
||
- Fix #379: zone loading over HTTP appears to have buffer issues.
|
||
- Merge PR #395 from mptre: add missing null check.
|
||
- Fix #387: client-subnet-always-forward seems to effectively bypass
|
||
any caching?
|
||
- For #391: use struct timeval* start_time for callback information.
|
||
- For #391: fix indentation.
|
||
- For #391: more double casts in python start time calculation.
|
||
- Add comment documentation.
|
||
- Fix clang analysis warning.
|
||
- Fix so local zone types always_nodata and always_deny can be used
|
||
from the config file.
|
||
- Merge #399 from xiangbao227: The lock of lruhash table should
|
||
unlocked after markdel entry.
|
||
- Fix for #93: dynlibmodule link fix for Windows.
|
||
- Fix for #93: dynlibmodule import library is named libunbound.dll.a.
|
||
- Merge #402 from fobser: Implement IPv4-Embedded addresses according
|
||
to RFC6052.
|
||
- Fix #404: DNS query with small edns bufsize fail.
|
||
- Fix declaration before statement and signed comparison warning in
|
||
dns64.
|
||
- Fix TTL of SOA record for negative answers (localzone and
|
||
authzone data) to be the minimum of the SOA TTL and the SOA.MINIMUM.
|
||
- Fix compile of unbound-dnstap-socket without dnstap installed.
|
||
- Merge PR #355 from noloader: Make ICANN Update CA and DS Trust Anchor
|
||
static data.
|
||
- Ignore cache blacklisting when trying to reply with expired data from
|
||
cache (#394).
|
||
- Merge PR #408 from fobser: Prevent a few more yacc clashes.
|
||
- Annotate that we ignore the return value of if_indextoname.
|
||
- Fix to use correct type for label count in rpz routine.
|
||
- Fix empty clause warning in config_file nsid parse.
|
||
- Fix to use correct type for label count in ipdnametoaddr rpz routine.
|
||
- Fix empty clause warning in edns pass for padding.
|
||
- Fix for doxygen 1.8.20 compatibility.
|
||
- Attempt to fix NULL keys in the reuse_tcp tree; relates to #411.
|
||
- Fix dynlibmod link on rhel8 for -ldl inclusion.
|
||
- Fix windows dependency on libssp.dll because of default stack
|
||
protector in mingw.
|
||
- Fix indentation of root anchor for use by windows install script.
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Dec 3 11:26:17 UTC 2020 - Michael Ströder <michael@stroeder.com>
|
||
|
||
- update to 1.13.0
|
||
|
||
Features
|
||
- Pass the comm_reply information to the inplace_cb_reply* functions
|
||
during the mesh state and update the documentation on that.
|
||
- Fix #330: [Feature request] Add unencrypted DNS over HTTPS support.
|
||
This adds the option http-notls-downstream: yesno to change that,
|
||
and the dohclient test code has the -n option.
|
||
- Merge PR #228 : infra-keep-probing option to probe hosts that are
|
||
down. Add infra-keep-probing: yes option. Hosts that are down are
|
||
probed more frequently.
|
||
With the option turned on, it probes about every 120 seconds,
|
||
eventually after exponential backoff, and that keeps that way. If
|
||
traffic keeps up for the domain. It probes with one at a time, eg.
|
||
one query is allowed to probe, other queries within that 120 second
|
||
interval are turned away.
|
||
- Merge PR #313 from Ralph Dolmans: Replace edns-client-tag with
|
||
edns-client-string option.
|
||
- Merge PR #283 : Stream reuse. This implements upstream stream
|
||
reuse for performing several queries over the same TCP or TLS
|
||
channel.
|
||
- Fix to connect() to UDP destinations, default turned on,
|
||
this lowers vulnerability to ICMP side channels.
|
||
Option to toggle udp-connect, default is enabled.
|
||
|
||
Bug Fixes
|
||
- Fix #319: potential memory leak on config failure, in rpz config.
|
||
- Fix dnstap socket and the chroot not applied properly to the dnstap
|
||
socket path.
|
||
- Fix warning in libnss compile, nss_buf2dsa is not used without DSA.
|
||
- Fix #323: unbound testsuite fails on mock build in systemd-nspawn
|
||
if systemd support is build.
|
||
- Fix for python reply callback to see mesh state reply_list member,
|
||
it only removes it briefly for the commpoint call so that it does
|
||
not drop it and attempt to modify the reply list during reply.
|
||
- Fix that if there are on reply callbacks, those are called per
|
||
reply and a new message created if that was modified by the call.
|
||
- Free up auth zone parse region after use for lookup of host
|
||
- Merge PR #326 from netblue30: DoH: implement content-length
|
||
header field.
|
||
- DoH content length, simplify code, remove declaration after
|
||
statement and fix cast warning.
|
||
- Fix that if there are reply callbacks for the given rcode, those
|
||
are called per reply and a new message created if that was modified
|
||
by the call.
|
||
- Fix that the out of order TCP processing does not limit the
|
||
number of outstanding queries over a connection.
|
||
- Fix python documentation warning on functions.rst inplace_cb_reply.
|
||
- Log ip address when http session recv fails, eg. due to tls fail.
|
||
- Fix to set the tcp handler event toggle flag back to default when
|
||
the handler structure is reused.
|
||
- Clean the fix for out of order TCP processing limits on number
|
||
of queries. It was tested to work.
|
||
- Fix that http settings have colon in set_option, for
|
||
http-endpoint, http-max-streams, http-query-buffer-size,
|
||
http-response-buffer-size, and http-nodelay.
|
||
- Fix memory leak of https port string when reading config.
|
||
- local-zone regional allocations outside of chunk
|
||
- Merge PR #324 from James Renken: Add modern X.509v3 extensions to
|
||
unbound-control TLS certificates.
|
||
- Fix for PR #324 to attach the x509v3 extensions to the client
|
||
certificate.
|
||
- Fix #327: net/if.h check fails on some darwin versions; contribution
|
||
by Joshua Root.
|
||
- Fix #320: potential memory corruption due to size miscomputation upton
|
||
custom region alloc init.
|
||
- Fix #333: Unbound Segmentation Fault w/ log_info Functions From
|
||
Python Mod.
|
||
- Fix that minimal-responses does not remove addresses from a priming
|
||
query response.
|
||
- In man page note that tls-cert-bundle is read before permission
|
||
drop and chroot.
|
||
- Fix #341: fixing a possible memory leak.
|
||
- Fix memory leak after fix for possible memory leak failure.
|
||
- Fix #343: Fail to build --with-libnghttp2 with error: 'SSIZE_MAX'
|
||
undeclared.
|
||
- Fix for #303 CVE-2020-28935 : Fix that symlink does not interfere
|
||
with chown of pidfile.
|
||
- Fix #347: IP_DONTFRAG broken on Apple xcode 12.2.
|
||
- Fix #350: with the AF_NETLINK permission, to fix 1.12.0 error:
|
||
failed to list interfaces: getifaddrs: Address family not
|
||
supported by protocol.
|
||
- Merge #351 from dvzrv: Add AF_NETLINK to set of allowed socket
|
||
address families.
|
||
- iana portlist updated.
|
||
- Fix crash when TLS connection is closed prematurely, when
|
||
reuse tree comparison is not properly identical to insertion.
|
||
- Fix padding of struct regional for 32bit systems.
|
||
- with udp-connect ignore connection refused with UDP timeouts.
|
||
- Fix udp-connect on FreeBSD, do send calls on connected UDP socket.
|
||
- Better fix for reuse tree comparison for is-tls sockets. Where
|
||
the tree key identity is preserved after cleanup of the TLS state.
|
||
- Fix memory leak for edns client tag opcode config element.
|
||
- Attempt fix for libevent state in tcp reuse cases after a packet
|
||
is written.
|
||
- Fix readagain and writeagain callback functions for comm point
|
||
cleanup.
|
||
- Fix to omit UDP receive errors from log, if verbosity low.
|
||
These happen because of udp-connect.
|
||
- For #352: contrib/metrics.awk for Prometheus style metrics output.
|
||
- Fix that after failed read, the readagain cannot activate.
|
||
- Clear readagain upon decommission of pending tcp structure.
|
||
- Fix compile warning for type cast in http2_submit_dns_response.
|
||
- Fix when use free buffer to initialize rbtree for stream reuse.
|
||
- Fix compile warnings for windows.
|
||
- Fix compile warnings in rpz initialization.
|
||
- Fix contrib/metrics.awk for FreeBSD awk compatibility.
|
||
- Fix assertion failure on double callback when iterator loses
|
||
interest in query at head of line that then has the tcp stream
|
||
not kept for reuse.
|
||
- Fix stream reuse and tcp fast open.
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Oct 8 08:39:40 UTC 2020 - Michael Ströder <michael@stroeder.com>
|
||
|
||
- update to 1.12.0
|
||
|
||
Features
|
||
- DNS Flag Day 2020: change edns-buffer-size default to 1232.
|
||
- Merge PR #255: DNS-over-HTTPS support.
|
||
- Use inclusive language in configuration
|
||
- Merge PR #284 and Fix #246: Remove DLV entirely from Unbound.
|
||
The DLV has been decommisioned and in unbound 1.5.4, in 2015, there
|
||
was advise to stop using it. The current code base does not contain
|
||
DLV code any more. The use of dlv options displays a warning.
|
||
- Similar to NSD PR#113, implement that interface names can be used,
|
||
eg. something like interface: eth0 is resolved at server start and
|
||
uses the IP addresses for that named interface.
|
||
- Merge PR #272: Add EDNS client tag functionality.
|
||
- Add edns-client-tag-opcode option
|
||
|
||
Bug Fixes
|
||
- Merge PR #270 from cgzones: munin plugin: always exit 0 in autoconf
|
||
- Merge PR #269, Fix python module len() implementations, by Torbjörn
|
||
Lönnemark
|
||
- Merge PR #268, draft-ietf-dnsop-serve-stale-10 has become RFC 8767 on
|
||
March 2020, by and0x000.
|
||
- Fix doxygen comment for no ssl for tls session ticket key callback
|
||
routine.
|
||
- Fix mini_event.h on OpenBSD cannot find fd_set.
|
||
- Improve error log message when inserting rpz RR.
|
||
- Merge PR #280, Make tvOS & watchOS checks verify truthiness as well as
|
||
definedness, by Felipe Gasper.
|
||
- contrib/aaaa-filter-iterator.patch file renewed diff content to
|
||
apply cleanly to the current coderepo for the current code version.
|
||
- Fix #287: doc typo: "Additionaly".
|
||
- Merge (modified) PR #277, use EVP_MAC_CTX_set_params if available,
|
||
by Vítězslav Čížek.
|
||
- Create and init edns tags data for libunbound.
|
||
- Fix stats double count issue (#289).
|
||
- Fix that dnstap reconnects do not spam the log with the repeated
|
||
attempts. Attempts on the timer are only logged on high verbosity,
|
||
if they produce a connection failure error.
|
||
- Fix to apply chroot to dnstap-socket-path, if chroot is enabled.
|
||
- Change configure to use EVP_sha256 instead of HMAC_Update for
|
||
openssl-3.0.0.
|
||
- Update documentation in python example code.
|
||
- Review fix interface, doxygen and assign null in case of error free.
|
||
- Merge PR #293: Add missing prototype. Also refactor to use the new
|
||
shorthand function to clean up the code.
|
||
- Refactor to use sock_strerr shorthand function.
|
||
- Fix #296: systemd nss-lookup.target is reached before unbound can
|
||
successfully answer queries. Changed contrib/unbound.service.in.
|
||
- Fix num.expired statistics output.
|
||
- Remove x file mode on ipset/ipset.c and h files.
|
||
- Spelling fix.
|
||
- Introduce test for statistics.
|
||
- Fix that prefer-ip4 and prefer-ip6 can be get and set with
|
||
unbound-control, with libunbound and the unbound-checkconf option
|
||
output function.
|
||
- Merge PR #311 by luismerino: Dynlibmod leak.
|
||
- Error message is logged for dynlibmod malloc failures.
|
||
- iana portlist updated.
|
||
- Fix #304: dnstap logging not recovering after dnstap process restarts
|
||
- Fix edns-client-tags get_option typo
|
||
- Fix #305: dnstap logging significantly affects unbound performance
|
||
(regression in 1.11).
|
||
- Fix #305: only wake up thread when threshold reached.
|
||
- Fix to ifdef fptr wlist item for dnstap.
|
||
- Fix memory leak of edns tags at libunbound context delete.
|
||
- Fix double loopexit for unbound-dnstap-socket after sigterm.
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Jul 27 10:48:36 UTC 2020 - Michael Ströder <michael@stroeder.com>
|
||
|
||
- update to 1.11.0
|
||
|
||
Features
|
||
- Merge #225 from akhait: KSK-2010 has been revoked. It removes the
|
||
KSK-2010 from the default list in unbound-anchor, now that the
|
||
revocation period is over. KSK-2017 is the only trust anchor in
|
||
the shipped default now.
|
||
- Merge PR #93: Add dynamic library support.
|
||
- Introduce 'include-toplevel:' configuration option.
|
||
- Change default value for 'rrset-roundrobin' to yes.
|
||
- Add SNI support on more TLS connections (fixes #193).
|
||
- Add SNI support to unbound-anchor.
|
||
- Merge PR #164: Framestreams, this branch implements dnstap
|
||
connectivity in unbound. This has a number of new features.
|
||
- Fix #165: Add prefer-ip4: yesno config option to prefer ipv4 for
|
||
using ipv4 filters, because the hosts ip6 netblock /64 is not owned
|
||
by one operator, and thus reputation is shared.
|
||
|
||
Bug Fixes
|
||
- protect X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS with ifdef for
|
||
different openssl versions.
|
||
- Merge PR #166: Fix typo in unbound.service.in, by glitsj16.
|
||
- Fix #169: Fix warning for daemon/remote.c output may be truncated
|
||
from snprintf.
|
||
- Fix #170: Fix gcc undefined sanitizer signed integer overflow
|
||
warning in signature expiry RFC1982 serial number arithmetic.
|
||
- Fix more undefined sanitizer issues, in respip copy_rrset null
|
||
dname, and in the client_info_compare routine for null memcmp.
|
||
- Merge PR #171: Add additional compilers and platforms to Travis
|
||
testing, by noloader.
|
||
- Merge PR #173: updated makedist.sh for config.guess and
|
||
config.sub and sha256 digest for gpg, by noloader.
|
||
- Merge PR #172: Add IBM s390x arch for testing, by noloader.
|
||
- Fix #177: dnstap does not build on macOS.
|
||
- Fix compiler warning in dns64/dns64.c
|
||
- Merge PR #174: Add Android to Travis testing, by noloader.
|
||
- Move android build scripts to contrib/ and allow android tests to fail.
|
||
- Fix #175, Merge PR #176: fix link error when OpenSSL is configured
|
||
with no-engine, thanks noloader.
|
||
- Upgrade config.guess(2020-01-01) and config.sub(2020-01-01).
|
||
- Merge PR #180 from noloader: Avoid calling exit in Travis script.
|
||
- Merge PR #181 from noloader: Fix OpenSSL -pie warning on Android.
|
||
- Update README-Travis.md (from PR #179), by Jeffrey Walton.
|
||
- Fix PR #182 from noloader: Add iOS testing to Travis.
|
||
- Merge PR #186, fix #183: Fix unrecognized 'echo -n' option on OS X, by
|
||
noloader
|
||
- Fix #188: unbound-control.c:882:6: error: 'execlp' is
|
||
unavailable: not available on tvOS.
|
||
- Fix #189: mini_event.h:142:17: error: field 'ev_timeout' has incomplete
|
||
type, by noloader.
|
||
- Add check to make sure RPZ records are subdomains of configured
|
||
zone origin.
|
||
- Fix #192: In the unbound-checkconf tool, the module config of
|
||
dns64 subnetcache respip validator iterator is whitelisted, it was
|
||
reported it seems to work.
|
||
- Merge PR#191: Update iOS testing on Travis, by Jeffrey Walton.
|
||
- Fix #158: open tls-session-ticket-keys as binary, for Windows. By
|
||
Daisuke HIGASHI.
|
||
- Merge PR#134, Allow the kernel to provide random source ports. By
|
||
Florian Obser.
|
||
- Log warning when using outgoing-port-permit and outgoing-port-avoid
|
||
while explicit port randomisation is disabled.
|
||
- Merge PR#194: Add libevent testing to Travis, by Jeffrey Walton.
|
||
- Fix .travis.yml error, missing 'env' option.
|
||
- Merge PR #197 from fobser: Make log_ident_revert_to_default() a
|
||
proper prototype.
|
||
- Merge PR #198 from fobser: Declare lz_enter_rr_into_zone()
|
||
static, it's only used in this file.
|
||
- Fix compile on Solaris for unbound-checkconf.
|
||
- Fix compile of test tools without protobuf.
|
||
- Merge PR #200 from yarikk: add ip-dscp option to specify the DSCP
|
||
tag for outgoing packets.
|
||
- Travis fix for ios by omitting tools from install.
|
||
- Merge PR #201 from noloader: Fix OpenSSL cross-compaile warnings.
|
||
- Fix RPZ concurrency issue when using auth_zone_reload.
|
||
- Make unbound-control error returned on missing domain name more user
|
||
friendly.
|
||
- Merge PR #203 from noloader: Update README-Travis.md with current
|
||
procedures.
|
||
- Merge PR #207: Clarify if-automatic listens on 0.0.0.0 and ::
|
||
- Merge PR #208: Fix uncached CLIENT_RESPONSE'es on stateful
|
||
transports.
|
||
- Merge PR #206: Redis TTL, by Talkabout.
|
||
- More documentation for redis-expire-records option.
|
||
- Keep track of number of timeouts. Use this counter to determine if
|
||
capsforid fallback should be started.
|
||
- Merge PR #214 from gearnode: unbound-control-setup recreate
|
||
certificates. With the -r option the certificates are created
|
||
again, without it, only the files that do not exist are created.
|
||
- Fix #220: auth-zone section in config may lead to segfault.
|
||
- Fix help return code in unbound-control-setup script.
|
||
- Fix for posix shell syntax for trap in nsd-control-setup.
|
||
- Fix for posix shell syntax for trap in run_msg.sh test script.
|
||
- Add doxygen documentation for DSCP.
|
||
- Fix #222: --enable-rpath, fails to rpath python lib.
|
||
- Fix for count of reply states in the mesh.
|
||
- Remove unneeded was_mesh_reply check.
|
||
- Explicitly use 'rrset-roundrobin: no' for test cases.
|
||
- Cache ECS answers with longest scope of CNAME chain.
|
||
- windows compile warnings removal for ip dscp option code.
|
||
- Fix for integer overflow when printing RDF_TYPE_TIME.
|
||
- Update contrib/aaaa-filter-iterator.patch for the recent
|
||
generate_sub_request() change and to apply cleanly.
|
||
- Merge PR #241 by Robert Edmonds: contrib/libunbound.pc.in: Do not use
|
||
"Requires:".
|
||
- Mention tls name possible when tls is enabled for stub-addr in the
|
||
man page.
|
||
- Fix default explanation in man page for qname-minimisation-strict.
|
||
- Fix display of event loop method with libev.
|
||
- iana portlist updated.
|
||
- Move reply list clean for serve expired mesh callback to after
|
||
the reply is sent, so that script callbacks have reply_info.
|
||
- Also move reply list clean for mesh callbacks to the scrip callback
|
||
can see the reply_info.
|
||
- Fix for mesh accounting if the reply list already empty to begin
|
||
with.
|
||
- Fix for mesh accounting when rpz decides to drop a reply with a
|
||
tcp stream waiting for it.
|
||
- Review fix for number of detached states due to use of variable
|
||
after end of loop.
|
||
- Fix tcp req info drop due to size call into mesh accounting
|
||
removal of mesh state during mesh send reply.
|
||
- Fix #259: Fix unbound-checkconf does not check view existence.
|
||
unbound-checkconf checks access-control-view, access-control-tags,
|
||
access-control-tag-actions and access-control-tag-datas.
|
||
- Fix offset of error printout for access-control-tag-datas.
|
||
- Fix add missing DSA header, for compilation without deprecated
|
||
OpenSSL APIs.
|
||
- Fix to use SSL_CTX_set_tlsext_ticket_key_evp_cb in OpenSSL
|
||
3.0.0-alpha4.
|
||
- Longer keys for the test set, this avoids weak crypto errors.
|
||
- Add bidirectional frame streams support.
|
||
- Fix check conf test for referencing installation paths.
|
||
- Fix unused variable warning for clang analyzer.
|
||
- Merge PR #234 - Ensure proper alignment of cmsg buffers by Jérémie
|
||
Courrèges-Anglas.
|
||
- Fix PR #234 log_assert sizeof to use union buffer.
|
||
- Fix libnettle compile for session ticket key callback function
|
||
changes.
|
||
- Fix lock dependency cycle in rpz zone config setup.
|
||
- Fix streamtcp to print packet data to stdout. This makes the
|
||
stdout and stderr not mix together lines, when parsing its output.
|
||
- Fix contrib/fastrpz.patch to apply cleanly. It fixes for changes
|
||
due to added libdynmod, but it does not compile, it conflicts with
|
||
new rpz code.
|
||
|
||
-------------------------------------------------------------------
|
||
Tue May 19 10:45:19 UTC 2020 - Michael Ströder <michael@stroeder.com>
|
||
|
||
- update to 1.10.1 with security fixes
|
||
* CVE-2020-12662 Unbound can be tricked into amplifying an incoming
|
||
query into a large number of queries directed to a target.
|
||
* CVE-2020-12663 Malformed answers from upstream name servers can be
|
||
used to make Unbound unresponsive.
|
||
- removed unused unbound-1.10.1.tar.gz.asc for now
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Feb 20 21:40:10 UTC 2020 - Michael Ströder <michael@stroeder.com>
|
||
|
||
- update to 1.10.0
|
||
|
||
Features:
|
||
- Merge RPZ support into master. Only QNAME and Response IP triggers are
|
||
supported.
|
||
- Added serve-stale functionality as described in
|
||
draft-ietf-dnsop-serve-stale-10. `serve-expired-*` options can be used
|
||
to configure the behavior.
|
||
- Updated cachedb to honor `serve-expired-ttl`; Fixes #107.
|
||
- Renamed statistic `num.zero_ttl` to `num.expired` as expired replies
|
||
come with a configurable TTL value (`serve-expired-reply-ttl`).
|
||
- Merge #135 from Florian Obser: Use passed in neg and key cache
|
||
if non-NULL.
|
||
- Fix #153: Disable validation for DSA algorithms. RFC 8624 compliance.
|
||
- Merge PR#151: Fixes for systemd units, by Maryse47, Edmonds
|
||
and Frzk. Updates the unbound.service systemd file and adds a portable
|
||
systemd service file.
|
||
- Merge PR#154; Allow use of libbsd functions with configure option
|
||
--with-libbsd. By Robert Edmonds and Steven Chamberlain.
|
||
- Merge PR#148; Add some TLS stats to unbound_munin_. By Fredrik Pettai.
|
||
- Merge PR#156 from Alexander Berkes; Added unbound-control
|
||
view_local_datas_remove command.
|
||
|
||
Bug Fixes:
|
||
- Fix typo to let serve-expired-ttl work with ub_ctx_set_option(), by
|
||
Florian Obser
|
||
- Update mailing list URL.
|
||
- Fix #140: Document slave not downloading new zonefile upon update.
|
||
- Downgrade compat/getentropy_solaris.c to version 1.4 from OpenBSD.
|
||
The dl_iterate_phdr() function introduced in newer versions raises
|
||
compilation errors on solaris 10.
|
||
- Changes to compat/getentropy_solaris.c for,
|
||
ifdef stdint.h inclusion for older systems. ifdef sha2.h inclusion
|
||
for older systems.
|
||
- Fix 'make test' to work for --disable-sha1 configure option.
|
||
- Fix out-of-bounds null-byte write in sldns_bget_token_par while
|
||
parsing type WKS, reported by Luis Merino from X41 D-Sec.
|
||
- Updated sldns_bget_token_par fix for also space for the zero
|
||
delimiter after the character. And update for more spare space.
|
||
- Fix #138: stop binding pidfile inside chroot dir in systemd service
|
||
file.
|
||
- Fix the relationship between serve-expired and prefetch options,
|
||
patch from Saksham Manchanda from Secure64.
|
||
- Fix unreachable code in ssl set options code.
|
||
- Removed the dnscrypt_queries and dnscrypt_queries_chacha tests,
|
||
because dnscrypt-proxy (2.0.36) does not support the test setup
|
||
any more, and also the config file format does not seem to have the
|
||
appropriate keys to recreate that setup.
|
||
- Fix crash after reload where a stats lookup could reference old key
|
||
cache and neg cache structures.
|
||
- Fix for memory leak when edns subnet config options are read when
|
||
compiled without edns subnet support.
|
||
- Fix auth zone support for NSEC3 records without salt.
|
||
- Merge PR#150 from Frzk: Systemd unit without chroot. It add
|
||
contrib/unbound_nochroot.service.in, a systemd file for use with
|
||
chroot: "", see comments in the file, it uses systemd protections
|
||
instead. It was superceded by #151, the unbound_portable.service
|
||
file.
|
||
- Merge PR#155 from Robert Edmonds: contrib/libunbound.pc.in: Fixes
|
||
to Libs/Requires for crypto library dependencies.
|
||
- iana portlist updated.
|
||
- Fix to silence the tls handshake errors for broken pipe and reset
|
||
by peer, unless verbosity is set to 2 or higher.
|
||
- Merge PR#147; change rfc reference for reserved top level dns names.
|
||
- Fix #157: undefined reference to `htobe64'.
|
||
- Fix subnet tests for disabled DSA algorithm by default.
|
||
- Update contrib/fastrpz.patch for clean diff with current code.
|
||
- updated .gitignore for added contrib file.
|
||
- Add build rule for ipset to Makefile
|
||
- Add getentropy_freebsd.o to Makefile dependencies.
|
||
- Fix memory leak in error condition remote.c
|
||
- Fix double free in error condition view.c
|
||
- Fix memory leak in do_auth_zone_transfer on success
|
||
- Stop working on socket when socket() call returns an error.
|
||
- Check malloc return values in TLS session ticket code
|
||
- Fix fclose on error in TLS session ticket code.
|
||
- Add assertion to please static analyzer
|
||
- Fixed stats when replying with cached, cname-aliased records.
|
||
- Added missing default values for redis cachedb backend.
|
||
- Fix num_reply_addr counting in mesh and tcp drop due to size
|
||
after serve_stale commit.
|
||
- Fix to create and destroy rpz_lock in auth_zones structure.
|
||
- Fix to lock zone before adding rpz qname trigger.
|
||
- Fix to lock and release once in mesh_serve_expired_lookup.
|
||
- Fix to put braces around empty if body when threading is disabled.
|
||
- Fix num_reply_states and num_detached_states counting with
|
||
serve_expired_callback.
|
||
- Cleaner code in mesh_serve_expired_lookup.
|
||
- Document in unbound.conf manpage that configuration clauses can be
|
||
repeated in the configuration file.
|
||
- Document 'ub_result.was_ratelimited' in libunbound.
|
||
- Fix use after free on log-identity after a reload; Fixes #163.
|
||
- Fix with libnettle make test with dsa disabled.
|
||
- Fix contrib/fastrpz.patch to apply cleanly. Fix for serve-stale
|
||
fixes, but it does not compile, conflicts with new rpz code.
|
||
- Fix to clean memory leak of respip_addr.lock when ip_tree deleted.
|
||
- Fix compile warning when threads disabled.
|
||
- Fix spelling in unbound.conf.5.in.
|
||
- Stop unbound-checkconf from insisting that auth-zone and rpz
|
||
zonefiles have to exist. They can not exist, and download later.
|
||
- contrib/drop2rpz: perl script that converts the Spamhaus DROP-List
|
||
in RPZ-Format, contributed by Andreas Schulze.
|
||
- Remove unused variable.
|
||
- Add respip to supported module-config options in unbound-checkconf.
|
||
- Updated contrib/unbound_smf23.tar.gz with Solaris SMF service for
|
||
Unbound from Yuri Voinov.
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Dec 12 21:01:07 UTC 2019 - Michael Ströder <michael@stroeder.com>
|
||
|
||
- update to 1.9.6
|
||
This release contains a number of security related fixes found in
|
||
a security audit
|
||
|
||
Features:
|
||
- The unbound.conf includes are sorted ascending, for include
|
||
statements with a '*' from glob.
|
||
- drop-tld.diff in contrib/ : adds option drop-tld: yesno that drops 2 label
|
||
queries, to stop random floods. Apply with
|
||
patch -p1 < contrib/drop-tld.diff and compile.
|
||
From Saksham Manchanda (Secure64). Please note that we think this
|
||
will drop DNSKEY and DS lookups for tlds and hence break DNSSEC
|
||
lookups for downstream clients.
|
||
- Add new configure option `--enable-fully-static` to enable full static
|
||
build if requested; in relation to #91.
|
||
- Add make distclean that removes everything configure produced,
|
||
and make maintainer-clean that removes bison and flex output.
|
||
- unbound-fuzzers.tar.bz2 in contrib/ : three programs for fuzzing, that
|
||
are 1:1 replacements for unbound-fuzzme.c that gets created after applying
|
||
the contrib/unbound-fuzzme.patch. They are contributed by
|
||
Eric Sesterhenn from X41 D-Sec.
|
||
|
||
Bug Fixes:
|
||
- Fix that pkg-config is setup before --enable-systemd needs it.
|
||
- Fix contrib/fastrpz.patch asprintf return value checks.
|
||
- ipset module #28: log that an address is added, when verbosity high.
|
||
- ipset: refactor long routine into three smaller ones.
|
||
- updated Makefile dependencies.
|
||
- squelch DNS over TLS errors 'ssl handshake failed crypto error'
|
||
on low verbosity, they show on verbosity 3 (query details), because
|
||
there is a high volume and the operator cannot do anything for the
|
||
remote failure. Specifically filters the high volume errors.
|
||
- Fix #71: fix openssl error squelch commit compilation error.
|
||
- Fix #72: configure --with-syslog-facility=LOCAL0-7 with default
|
||
LOG_DAEMON (as before) can set the syslog facility that the server
|
||
uses to log messages.
|
||
- Use explicit bzero for wiping clear buffer of hash in cachedb,
|
||
reported by Eric Sesterhenn from X41 D-Sec.
|
||
- Fix #78: Memory leak in outside_network.c.
|
||
- Merge pull request #76 from Maryse47: Improvements and fixes for
|
||
systemd unbound.service.
|
||
- oss-fuzz badge on README.md.
|
||
- Fix fix for #78 to also free service callback struct.
|
||
- Fix for oss-fuzz build warning.
|
||
- Fix wrong response ttl for prepended short CNAME ttls, this would
|
||
create a wrong zero_ttl response count with serve-expired enabled.
|
||
- Merge #80 from stasic: Improve wording in man page.
|
||
- Merge #82 from hardfalcon: Downgrade CAP_NET_ADMIN to CAP_NET_RAW
|
||
in unbound.service.
|
||
- Merge #81 from Maryse47: Consistently use /dev/urandom instead
|
||
of /dev/random in scripts and docs.
|
||
- Merge #83 from Maryse47: contrib/unbound.service.in: do not fork
|
||
into the background.
|
||
- Merge #85 for #84 from sam-lunt: Add kill capability to systemd
|
||
service file to fix that systemctl reload fails.
|
||
- Merge #87 from hardfalcon: Fix contrib/unbound.service.in,
|
||
Drop CAP_KILL, use + prefix for ExecReload= instead.
|
||
- Merge #90 from vcunat: fix build with nettle-3.5.
|
||
- Fix for CVE-2019-16866. That fix is also in 1.9.4.
|
||
- Merge #86 from psquarejho: Added -b source address option to
|
||
smallapp/unbound-anchor.c, from Lukas Wunner.
|
||
- Add doxygen comments to unbound-anchor source address code, in #86.
|
||
- Merge #97: manpage: Add missing word on unbound.conf,
|
||
from Erethon.
|
||
- Fix #99: Memory leak in ub_ctx (event_base will never be freed).
|
||
- Fix #109: check number of arguments for stdin-pipes in
|
||
unbound-control and fail if too many arguments.
|
||
- Merge #102 from jrtc27: Add getentropy emulation for FreeBSD.
|
||
- iana portlist updated.
|
||
- contrib/fastrpz.patch updated to apply for current code.
|
||
- fixes for splint cleanliness, long vs int in SSL set_mode.
|
||
- In unbound-host use separate variable for get_option to please
|
||
code checkers.
|
||
- update to bison output of 3.4.1 in code repository.
|
||
- Provide a prototype for compat malloc to remove compile warning.
|
||
- Portable grep usage for reuseport configure test.
|
||
- Check return type of HMAC_Init_ex for openssl 0.9.8.
|
||
- gitignore .source tempfile used for compatible make.
|
||
- Fix for CVE-2019-18934, shell execution in ipsecmod.
|
||
This fix is also in 1.9.5.
|
||
- Fix authzone printout buffer length check.
|
||
- Fixes to please lint checks.
|
||
- Fix Integer Overflow in Regional Allocator,
|
||
reported by X41 D-Sec.
|
||
- Fix Unchecked NULL Pointer in dns64_inform_super()
|
||
and ipsecmod_new(), reported by X41 D-Sec.
|
||
- Fix Out-of-bounds Read in rr_comment_dnskey(),
|
||
reported by X41 D-Sec.
|
||
- Fix Integer Overflows in Size Calculations,
|
||
reported by X41 D-Sec.
|
||
- Fix Integer Overflow to Buffer Overflow in
|
||
sldns_str2wire_dname_buf_origin(), reported by X41 D-Sec.
|
||
- Fix Out of Bounds Read in sldns_str2wire_dname(),
|
||
reported by X41 D-Sec.
|
||
- Fix Out of Bounds Write in sldns_bget_token_par(),
|
||
reported by X41 D-Sec.
|
||
- Fix Out of Bounds Read in rrinternal_get_owner(),
|
||
reported by X41 D-Sec.
|
||
- Fix Race Condition in autr_tp_create(),
|
||
reported by X41 D-Sec.
|
||
- Fix Shared Memory World Writeable,
|
||
reported by X41 D-Sec.
|
||
- Adjust unbound-control to make stats_shm a read only operation.
|
||
- Fix Weak Entropy Used For Nettle,
|
||
reported by X41 D-Sec.
|
||
- Fix Randomness Error not Handled Properly,
|
||
reported by X41 D-Sec.
|
||
- Fix Out-of-Bounds Read in dname_valid(),
|
||
reported by X41 D-Sec.
|
||
- Fix Config Injection in create_unbound_ad_servers.sh,
|
||
reported by X41 D-Sec.
|
||
- Fix Local Memory Leak in cachedb_init(),
|
||
reported by X41 D-Sec.
|
||
- Fix Integer Underflow in Regional Allocator,
|
||
reported by X41 D-Sec.
|
||
- Upgrade compat/getentropy_linux.c to version 1.46 from OpenBSD.
|
||
- Synchronize compat/getentropy_win.c with version 1.5 from
|
||
OpenBSD, no changes but makes the file, comments, identical.
|
||
- Upgrade compat/getentropy_solaris.c to version 1.13 from OpenBSD.
|
||
- Upgrade compat/getentropy_osx.c to version 1.12 from OpenBSD.
|
||
- Changes to compat/getentropy files for,
|
||
no link to openssl if using nettle, and hence config.h for
|
||
HAVE_NETTLE variable.
|
||
compat definition of MAP_ANON, for older systems.
|
||
ifdef stdint.h inclusion for older systems.
|
||
ifdef sha2.h inclusion for older systems.
|
||
- Fixed Compat Code Diverging from Upstream, reported by X41 D-Sec.
|
||
- Fix compile with --enable-alloc-checks, reported by X41 D-Sec.
|
||
- Fix Terminating Quotes not Written, reported by X41 D-Sec.
|
||
- Fix Useless memset() in validator, reported by X41 D-Sec.
|
||
- Fix Unrequired Checks, reported by X41 D-Sec.
|
||
- Fix Enum Name not Used, reported by X41 D-Sec.
|
||
- Fix NULL Pointer Dereference via Control Port,
|
||
reported by X41 D-Sec.
|
||
- Fix Bad Randomness in Seed, reported by X41 D-Sec.
|
||
- Fix python examples/calc.py for eval, reported by X41 D-Sec.
|
||
- Fix comments for doxygen in dns64.
|
||
- Fix dname loop maximum, reported by Eric Sesterhenn from X41 D-Sec.
|
||
- Fix compiler warnings.
|
||
- Merge pull request #122 from he32: In tcp_callback_writer(),
|
||
don't disable time-out when changing to read.
|
||
- Merge pull request #124 from rmetrich: Changed log lock
|
||
from 'quick' to 'basic' because this is an I/O lock.
|
||
- Fix text around serial arithmatic used for RRSIG times to refer
|
||
to correct RFC number.
|
||
- Fix Assert Causing DoS in synth_cname(),
|
||
reported by X41 D-Sec.
|
||
- Fix similar code in auth_zone synth cname to add the extra checks.
|
||
- Fix Assert Causing DoS in dname_pkt_copy(),
|
||
reported by X41 D-Sec.
|
||
- Fix OOB Read in sldns_wire2str_dname_scan(),
|
||
reported by X41 D-Sec.
|
||
- Fix Out of Bounds Write in sldns_str2wire_str_buf(),
|
||
reported by X41 D-Sec.
|
||
- Fix Out of Bounds Write in sldns_b64_pton(),
|
||
fixed by check in sldns_str2wire_int16_data_buf(),
|
||
reported by X41 D-Sec.
|
||
- Fix Insufficient Handling of Compressed Names in dname_pkt_copy(),
|
||
reported by X41 D-Sec.
|
||
- Fix Out of Bound Write Compressed Names in rdata_copy(),
|
||
reported by X41 D-Sec.
|
||
- Fix Hang in sldns_wire2str_pkt_scan(),
|
||
reported by X41 D-Sec.
|
||
This further lowers the max to 256.
|
||
- Fix snprintf() supports the n-specifier,
|
||
reported by X41 D-Sec.
|
||
- Fix Bad Indentation, in dnscrypt.c,
|
||
reported by X41 D-Sec.
|
||
- Fix Client NONCE Generation used for Server NONCE,
|
||
reported by X41 D-Sec.
|
||
- Fix compile error in dnscrypt.
|
||
- Fix _vfixed not Used, removed from sbuffer code,
|
||
reported by X41 D-Sec.
|
||
- Fix Hardcoded Constant, reported by X41 D-Sec.
|
||
- make depend
|
||
- Fix lock type for memory purify log lock deletion.
|
||
- Fix testbound for alloccheck runs, memory purify and lock checks.
|
||
- update contrib/fastrpz.patch to apply more cleanly.
|
||
- Fix Make Test Fails when Configured With --enable-alloc-nonregional,
|
||
reported by X41 D-Sec.
|
||
- Fix ipsecmod compile
|
||
- Fix Makefile.in for ipset module compile, from Adi Prasaja.
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Nov 19 20:16:14 UTC 2019 - Michael Ströder <michael@stroeder.com>
|
||
|
||
- update to 1.9.5
|
||
Fix for CVE-2019-18934
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Oct 3 14:14:06 UTC 2019 - Michael Ströder <michael@stroeder.com>
|
||
|
||
- update to 1.9.4
|
||
security fix for CVE-2019-16866 (error in parsing NOTIFY queries)
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Aug 27 18:33:04 UTC 2019 - Michael Ströder <michael@stroeder.com>
|
||
|
||
- update to 1.9.3
|
||
|
||
Features:
|
||
- PR #28: IPSet module, by Kevin Chou. Created a module to support
|
||
the ipset that could add the domain's ip to a list easily.
|
||
Needs libmnl, and --enable-ipset and config it, doc/README.ipset.md.
|
||
- Merge PR #6: Python module: support multiple instances
|
||
- Merge PR #5: Python module: define constant MODULE_RESTART_NEXT
|
||
- Merge PR #4: Python module: assign something useful to the
|
||
per-query data store 'qdata'
|
||
- Introduce `-V` option to print the version number and build options.
|
||
Previously reported build options like linked libs and linked modules
|
||
are now moved from `-h` to `-V` as well for consistency.
|
||
- PACKAGE_BUGREPORT now also includes link to GitHub issues.
|
||
|
||
Bug Fixes:
|
||
- Fix #39: In libunbound, leftover logfile is close()d unpredictably.
|
||
- Fix for #24: Fix abort due to scan of auth zone masters using old
|
||
address from previous scan.
|
||
- Fix to omit RRSIGs from addition to the ipset.
|
||
- Fix to make unbound-control with ipset, remove unused variable,
|
||
use unsigned type because of comparison, and assign null instead
|
||
of compare with it. Remade lex and yacc output.
|
||
- make depend
|
||
- Added documentation to the ipset files (for doxygen output).
|
||
- Fix python dict reference and double free in config.
|
||
- Fix memleak in unit test, reported from the clang 8.0 static analyzer.
|
||
- For #45, check that 127.0.0.1 and ::1 are not used in unbound.conf
|
||
when do-not-query-localhost is turned on, or at default on,
|
||
unbound-checkconf prints a warning if it is found in forward-addr or
|
||
stub-addr statements.
|
||
- Fix for possible assertion failure when answering respip CNAME from
|
||
cache.
|
||
- Fix in respip addrtree selection. Absence of addr_tree_init_parents()
|
||
call made it impossible to go up the tree when the matching netmask is
|
||
too specific.
|
||
- Fix #48: Unbound returns additional records on NODATA response,
|
||
if minimal-responses is enabled, also the additional for negative
|
||
responses is removed.
|
||
- Fix #49: Set no renegotiation on the SSL context to stop client
|
||
session renegotiation.
|
||
- Fix question section mismatch in local zone redirect.
|
||
- Add verbose log message when auth zone file is written, at level 4.
|
||
- Add hex print of trust anchor pointer to trust anchor file temp
|
||
name to make it unique, for libunbound created multiple contexts.
|
||
- For #52 #53, second context does not close logfile override.
|
||
- Fix #52 #53, fix for example fail program.
|
||
- Fix to return after failed auth zone http chunk write.
|
||
- Fix to remove unused test for task_probe existance.
|
||
- Fix to timeval_add for remaining second in microseconds.
|
||
- Check repinfo in worker_handle_request, if null, drop it.
|
||
- Generate configlexer with newer flex.
|
||
- Fix warning for unused variable for compilation without systemd.
|
||
- Fix #59, when compiled with systemd support check that we can properly
|
||
communicate with systemd through the `NOTIFY_SOCKET`.
|
||
- iana portlist updated.
|
||
- Fix autotrust temp file uniqueness windows compile.
|
||
- avoid warning about upcast on 32bit systems for autotrust.
|
||
- escape commandline contents for -V.
|
||
- Fix character buffer size in ub_ctx_hosts.
|
||
- Option -V prints if TCP fastopen is available.
|
||
- Fix unittest valgrind false positive uninitialised value report,
|
||
where if gcc 9.1.1 uses -O2 (but not -O1) then valgrind 3.15.0
|
||
issues an uninitialised value for the token buffer at the str2wire.c
|
||
rrinternal_get_owner() strcmp with the '@' value. Rewritten to use
|
||
straight character comparisons removes the false positive. Also
|
||
valgrinds --expensive-definedness-checks=yes can stop this false
|
||
positive.
|
||
- Please doxygen's parser for "@" occurrence in doxygen comment.
|
||
- Fixup contrib/fastrpz.patch
|
||
- Remove warning about unknown cast-function-type warning pragma.
|
||
- Document limitation of pidfile removal outside of chroot directory.
|
||
- Fix log_dns_msg to log irrespective of minimal responses config.
|
||
- Fix that pkg-config is setup before --enable-systemd needs it.
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Jul 29 11:34:13 UTC 2019 - Dominique Leuenberger <dimstar@opensuse.org>
|
||
|
||
- Update the Conflict in libunbound-devel-mini after the library
|
||
package name from libunbound2 to libunbond8.
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Jun 17 17:21:10 UTC 2019 - Michael Ströder <michael@stroeder.com>
|
||
|
||
- update to 1.9.2
|
||
|
||
Features
|
||
- add type CAA to libpyunbound (accessing libunbound from python).
|
||
- Fix #17: Add python module example from Jan Janak, that is a
|
||
plugin for the Unbound DNS resolver to resolve DNS records in
|
||
multicast DNS [RFC 6762] via Avahi. The plugin communicates
|
||
with Avahi via DBus. The comment section at the beginning of
|
||
the file contains detailed documentation.
|
||
- travis build file.
|
||
- PR #16: XoT support, AXFR over TLS, turn it on with
|
||
master: <ip>#<authname> in unbound.conf. This uses TLS to
|
||
download the AXFR (or IXFR).
|
||
|
||
Bug Fixes
|
||
- Fix for #4233: guard use of NDEBUG, so that it can be passed in
|
||
CFLAGS into configure.
|
||
- Add log message, at verbosity 4, that says the query is encrypted
|
||
with TLS, if that is enabled for the query.
|
||
- Fix #4239: set NOTIMPL when deny-any is enabled, for RFC8482.
|
||
- Fix #4240: Fix whitespace cleanup in example.conf.
|
||
- Fix that tls-session-ticket-keys: "" on its own in unbound.conf
|
||
disables the tls session ticker key calls into the OpenSSL API.
|
||
- Fix crash if tls-servic-pem not filled in when necessary.
|
||
- Fix auth-zone NSEC3 response for empty nonterminals with exact
|
||
match nsec3 records.
|
||
- Fix for out of bounds integers, thanks to OSTIF audit. It is in
|
||
allocation debug code.
|
||
- Fix for auth zone nsec3 ent fix for wildcard nodata.
|
||
- Move goto label in answer_from_cache to the end of the function
|
||
where it is more visible.
|
||
- Fix auth-zone NSEC3 response for wildcard nodata answers,
|
||
include the closest encloser in the answer.
|
||
- Fix spelling error in log output for event method.
|
||
- Fix to reinit event structure for accepted TCP (and TLS) sockets.
|
||
- Fix to use event_assign with libevent for thread-safety.
|
||
- verbose information about auth zone lookup process, also lookup
|
||
start, timeout and fail.
|
||
- Fix to wipe ssl ticket keys from memory with explicit_bzero,
|
||
if available.
|
||
- Fix that auth zone uses correct network type for sockets for
|
||
SOA serial probes. This fixes that probes fail because earlier
|
||
probe addresses are unreachable.
|
||
- Fix that auth zone fails over to next master for timeout in tcp.
|
||
- Squelch SSL read and write connection reset by peer and broken pipe
|
||
messages. Verbosity 2 and higher enables them.
|
||
- Update python documentation for init_standard().
|
||
- Typos.
|
||
- Fix tls write event for read state change to re-call SSL_write and
|
||
not resume the TLS handshake.
|
||
- Better braces in if statement in TCP fastopen code.
|
||
- iana portlist updated.
|
||
- Scrub RRs from answer section when reusing NXDOMAIN message for
|
||
subdomain answers.
|
||
- For harden-below-nxdomain: do not consider a name to be non-exitent
|
||
when message contains a CNAME record.
|
||
- Fix wrong query name in local zone redirect answers with a CNAME,
|
||
the copy of the local alias is in unpacked form.
|
||
- contrib/fastrpz.patch updated for code changes, and with git diff.
|
||
- Fix #29: Solaris 11.3 and missing symbols be64toh, htobe64.
|
||
- Fix #30: AddressSanitizer finding in lookup3.c. This sets the
|
||
hash function to use a slower but better auditable code that does
|
||
not read beyond array boundaries. This makes code better security
|
||
checkable, and is better for security. It is fixed to be slower,
|
||
but not read outside of the array.
|
||
- Fix edns-subnet locks, in error cases the lock was not unlocked.
|
||
- Fix doxygen output error on readme markdown vignettes.
|
||
- Squelch log messages from tcp send about connection reset by peer.
|
||
They can be enabled with verbosity at higher values for diagnosing
|
||
network connectivity issues.
|
||
- Attempt to fix malformed tcp response.
|
||
- Fix #31: swig 4.0 and python module.
|
||
- Note that so-reuseport at extreme load is better turned off,
|
||
otherwise queries are not distributed evenly, on Linux 4.4.x.
|
||
- Fix that spoolbuf is not used to store tcp pipelined response
|
||
between mesh send and callback end.
|
||
- Fix double file close in tcp pipelined response code.
|
||
- Fix to define _OPENBSD_SOURCE to get reallocarray on NetBSD.
|
||
- Fix to guard _OPENBSD_SOURCE from redefinition.
|
||
- Fix that fixes the Fix that spoolbuf is not used to store tcp
|
||
pipelined response between mesh send and callback end, this fixes
|
||
error cases that did not use the correct spoolbuf.
|
||
- Fix that fixes the Fix that spoolbuf is not used to store tcp
|
||
pipelined response between mesh send and callback end, this fixes
|
||
error cases that did not use the correct spoolbuf.
|
||
- Fix another spoolbuf storage code point, in prefetch.
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Mar 18 12:16:58 UTC 2019 - Michael Ströder <michael@stroeder.com>
|
||
|
||
- update to 1.9.1
|
||
|
||
Features
|
||
- Add local-zone type inform_redirect, which logs like type inform,
|
||
and redirects like type redirect.
|
||
- Perform canonical sort for 0x20 capsforid compare of replies,
|
||
this sorts rrsets in the authority and additional section before
|
||
comparison, so that out of order rrsets do not cause failure.
|
||
- Print query name with ip_ratelimit exceeded log lines.
|
||
Spaces instead of tabs in that log message.
|
||
- Print query name and IP address when domain rate limit exceeded.
|
||
|
||
Bug Fixes
|
||
- Fix #4224: auth_xfr_notify.rpl test broken due to typo
|
||
- Fix locking for libunbound context setup with broken port config.
|
||
- Fix case in which query timeout can result in marking delegation
|
||
as edns_lame_known.
|
||
- Set ub_ctx_set_tls call signature in ltrace config file for
|
||
libunbound in contrib/libunbound.so.conf.
|
||
- improve documentation for tls-service-key and forward-first.
|
||
- #10: fixed pkg-config operations, PKG_PROG_PKG_CONFIG moved out of
|
||
conditional section, fixes systemd builds, from Enrico Scholz.
|
||
- #9: For openssl 1.0.2 use the CRYPTO_THREADID locking callbacks,
|
||
still supports the set_id_callback previous API. And for 1.1.0
|
||
no locking callbacks are needed.
|
||
- #8: Fix OpenSSL without ENGINE support compilation.
|
||
- Wipe TLS session key data from memory on exit.
|
||
- Fix that log-replies prints the correct name for local-alias
|
||
names, for names that have a CNAME in local-data configuration.
|
||
It logs the original query name, not the target of the CNAME.
|
||
- Fix #4206: OpenSSL 1.0.2 hostname verification for FreeBSD 11.2.
|
||
- Fix that qname minimisation does not skip a label when missing
|
||
nameserver targets need to be fetched.
|
||
- Fix #4225: clients seem to erroneously receive no answer with
|
||
DNS-over-TLS and qname-minimisation.
|
||
- Note default for module-config in man page.
|
||
- Fix #13: Remove left-over requirements on OpenSSL >= 1.1.0 for
|
||
cert name matching, from man page.
|
||
- Fix capsforid canonical sort qsort callback.
|
||
- Fix pythonmod include and sockaddr_un ifdefs for compile on
|
||
Windows, and for libunbound.
|
||
- Fix the error for unknown module in module-config is understandable,
|
||
and explains it was not compiled in and where to see the list.
|
||
- In example.conf explain where to put cachedb module in module-config.
|
||
- In man page and example config explain that most modules have to
|
||
be listed at the start of module-config.
|
||
- Fix #4227: pair event del and add for libevent for tcp_req_info.
|
||
- Fix #4229: Unbound man pages lack information, about access-control
|
||
order and local zone tags, and elements in views.
|
||
- Fix #14: contrib/unbound.init: Fix wrong comparison judgment
|
||
before copying.
|
||
- Fix for python module on Windows, fix fopen.
|
||
- Remove memory leak on pythonmod python2 script file init.
|
||
- Remove swig gcc8 python function cast warnings, they are ignored.
|
||
- Print correct module that failed when module-config is wrong.
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Dec 28 17:16:01 UTC 2018 - Jan Engelhardt <jengelh@inai.de>
|
||
|
||
- Reorder scriptlet %if guards so that no empty scriptlets are
|
||
emitted. Add one missing %if %{with systemd}.
|
||
- Replace %__-type macro indirections.
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Dec 11 19:59:00 UTC 2018 - Michael Ströder <michael@stroeder.com>
|
||
|
||
- update to 1.8.3 fixes crash bug introduced in 1.8.2
|
||
in the dns64 processing.
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Dec 5 11:12:42 UTC 2018 - Michael Ströder <michael@stroeder.com>
|
||
|
||
- update to 1.8.2
|
||
|
||
Features
|
||
- Add fast-server-permil and fast-server-num options.
|
||
- Deprecate low-rtt and low-rtt-permil options.
|
||
- Change fast-server-num default to 3.
|
||
- Fix #4154: make ECS_MAX_TREESIZE configurable, with
|
||
the max-ecs-tree-size-ipv4 and max-ecs-tree-size-ipv6 options.
|
||
- Fix #4190: Please create a "ANY" deny option, adds the option
|
||
deny-any: yes in unbound.conf. This responds with an empty message
|
||
to queries of type ANY.
|
||
- Fix #4126: RTT_band too low on VSAT links with 600+ms latency,
|
||
adds the option unknown-server-time-limit to unbound.conf that
|
||
can be increased to avoid the problem.
|
||
- Add min-client-subnet-ipv6 and min-client-subnet-ipv4 options.
|
||
- Support SO_REUSEPORT_LB in FreeBSD 12 with the so-reuseport: yes
|
||
option in unbound.conf.
|
||
- Add unbound-control view_local_datas command, like local_datas.
|
||
|
||
Bug Fixes
|
||
- dnscrypt.c removed sizeof to get array bounds.
|
||
- Fix testlock code to set noreturn on error routine.
|
||
- Remove unused variable from contrib fastrpz/rpz.c and
|
||
remove unused diagnostic pragmas that themselves generate warnings
|
||
- clang analyze test is used only when assertions are enabled.
|
||
- Squelch EADDRNOTAVAIL errors when the interface goes away,
|
||
this omits 'can't assign requested address' errors unless
|
||
verbosity is set to a high value.
|
||
- Set default for so-reuseport to no for FreeBSD. It is enabled
|
||
by default for Linux and DragonFlyBSD. The setting can
|
||
be configured in unbound.conf to override the default.
|
||
- iana port update.
|
||
- Squelch log of failed to tcp initiate after TCP Fastopen failure.
|
||
- Fix #4192: unbound-control-setup generates keys not readable by
|
||
group.
|
||
- check that the dnstap socket file can be opened and exists, print
|
||
error if not.
|
||
- Add markdel function to ECS slabhash.
|
||
- Limit ECS scope returned to client to the scope used for caching.
|
||
- Fix #4191: NXDOMAIN vs SERVFAIL during dns64 PTR query.
|
||
- Fix #4141: More randomness to rrset-roundrobin.
|
||
- Fix #4132: Openness/closeness of RANGE intervals in rpl files.
|
||
- remade makefile dependencies.
|
||
- Fix #4152: Logs shows wrong time when using log-time-ascii: yes.
|
||
- Scrub NS records from NXDOMAIN responses to stop fragmentation
|
||
poisoning of the cache.
|
||
- Scrub NS records from NODATA responses as well.
|
||
- Add patch from Jan Vcelak for pythonmod,
|
||
add sockaddr_storage getters, add support for query callbacks,
|
||
allow raw address access via comm_reply and update API documentation.
|
||
- Removed compile warnings in pythonmod sockaddr routines.
|
||
- With ./configure --with-pyunbound --with-pythonmodule
|
||
PYTHON_VERSION=3.6 or with 2.7 unbound can compile and unit tests
|
||
succeed for the python module.
|
||
- pythonmod logs the python error and traceback on failure.
|
||
- ignore debug python module for test in doxygen output.
|
||
- review fixes for python module.
|
||
- Fix #4209: Crash in libunbound when called from getdns.
|
||
- auth zone zonefiles can be in a chroot, the chroot directory
|
||
components are removed before use.
|
||
- Fix that empty zonefile means the zonefile is not set and not used.
|
||
- Fix to not set GLOB_NOSORT so the unbound.conf include: files are
|
||
sorted and in a predictable order.
|
||
- Fix #4193: Fix that prefetch failure does not overwrite valid cache
|
||
entry with SERVFAIL.
|
||
- Fix DNS64 to not store intermediate results in cache, this avoids
|
||
other threads from picking up the wrong data. The module restores
|
||
the previous no_cache_store setting when the the module is finished.
|
||
- Fix #4208: 'stub-no-cache' and 'forward-no-cache' not work.
|
||
- New and better fix for Fix #4193: Fix that prefetch failure does
|
||
not overwrite valid cache entry with SERVFAIL.
|
||
- auth-zone give SERVFAIL when expired, fallback activates when
|
||
expired, and this is documented in the man page.
|
||
- stat count SERVFAIL downstream auth-zone queries for expired zones.
|
||
- Update contrib fastrpz patch for latest release.
|
||
- Fix chroot auth-zone fix to remove chroot prefix.
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Oct 16 15:01:15 UTC 2018 - Karol Babioch <kbabioch@suse.com>
|
||
|
||
- Removed intermediate certificates from certificate bundle (bsc#1112033)
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Oct 8 13:42:15 UTC 2018 - Michael Ströder <michael@stroeder.com>
|
||
|
||
- update to 1.8.1:
|
||
Number of bug fixes, a list of features added and some defaults changed.
|
||
|
||
Features:
|
||
- Perform TLS SNI indication of the host that is being contacted
|
||
for DNS over TLS service. It sets the configured tls auth name.
|
||
This is useful for hosts that apart from the DNS over TLS services
|
||
also provide other (web) services.
|
||
Bug Fixes:
|
||
- More explicitly mention the type of ratelimit when applying
|
||
ip-ratelimit.
|
||
- Fix spelling error in header, from getdns commit by Andreas Gelmini.
|
||
- iana port update.
|
||
- Fixed unused return value warnings in contrib/fastrpz.patch for
|
||
asprintf.
|
||
- Fix to squelch respip warning in unit test, it is printed at
|
||
higher verbosity settings.
|
||
- Fix spelling errors.
|
||
- Fix initialisation in remote.c
|
||
- Fix seed for random backup code to use explicit zero when wiped.
|
||
- exit log routine is annotated as noreturn function.
|
||
- free memory leaks in config strlist and str2list insert functions.
|
||
- do not move unused argv variable after getopt.
|
||
- Remove unused if clause in testcode.
|
||
- in testcode, free async ids, initialise array, and check for null
|
||
pointer during test of the test. And use exit for return to note
|
||
irregular program stop.
|
||
- Free memory leak in config strlist append.
|
||
- make sure nsec3 comparison salt is initialized.
|
||
- unit test has clang analysis.
|
||
- remove unused variable assignment from iterator scrub routine.
|
||
- check for null in delegation point during iterator refetch
|
||
in forward zone.
|
||
- neater pointer cast in libunbound context quit routine.
|
||
- initialize statistics totals for printout.
|
||
- in authzone check that node exists before adding rrset.
|
||
- in unbound-anchor, use readwrite memory BIO.
|
||
- assertion in autotrust that packed rrset is formed correctly.
|
||
- Fix memory leak when message parse fails partway through copy.
|
||
- remove unused udpsize assignment in message encode.
|
||
- nicer bio free code in unbound-anchor.
|
||
- annotate exit functions with noreturn in unbound-control.
|
||
- Fix compile on Mac for unbound, provide explicit_bzero when libc
|
||
does not have it.
|
||
- Fix unbound for openssl in FIPS mode, it uses the digests with
|
||
the EVP call contexts.
|
||
- Fix that with harden-below-nxdomain and qname minisation enabled
|
||
some iterator states for nonresponsive domains can get into a
|
||
state where they waited for an empty list.
|
||
- Stop UDP to TCP failover after timeouts that causes the ping count
|
||
to be reset by the TCP time measurement (that exists for TLS),
|
||
because that causes the UDP part to not be measured as timeout.
|
||
- Fix #4156: Fix systemd service manager state change notification.
|
||
- Fix #4149: Add SSL cleanup for tcp timeout.
|
||
- Fix #4188: IPv6 forwarders without ipv6 result in SERVFAIL, fixes
|
||
qname minimisation with a forwarder when connectivity has issues
|
||
from rejecting responses.
|
||
- fastrpz.patch fixed.
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Sep 17 17:00:00 UTC 2018 - michael@stroeder.com
|
||
|
||
- update to 1.8.0:
|
||
Number of bug fixes, a list of features added and some defaults changed.
|
||
|
||
Features
|
||
- unbound-control auth_zone_reload _zone_ option rereads the zonefile.
|
||
- unbound-control auth_zone_transfer _zone_ option starts the probe
|
||
sequence for a master to transfer the zone from and transfers when
|
||
a new zone version is available.
|
||
- num.queries.tls counter for queries over TLS.
|
||
- log port number with err_addr logs.
|
||
- dns64-ignore-aaaa: config option to list domain names for which the
|
||
existing AAAA is ignored and dns64 processing is used on the A
|
||
record.
|
||
- Fix #4112: Fix that unbound-anchor -f /etc/resolv.conf will not pass
|
||
if DNSSEC is not enabled. New option -R allows fallback from
|
||
resolv.conf to direct queries.
|
||
- Note RFC8162 support. SMIMEA record type can be read in by the
|
||
zone record parser.
|
||
- Patches from Jim Hague (Sinodun) for EDNS KeepAlive.
|
||
- Add config tcp-idle-timeout (default 30s). This applies to
|
||
client connections only; the timeout on TCP connections upstream
|
||
is unaffected.
|
||
- Add edns-tcp-keepalive and edns-tcp-keepalive timeout options
|
||
and implement option in client responses.
|
||
- Add delay parameter to streamtcp, -d secs.
|
||
To be used when testing idle timeout.
|
||
- Expose if a query (or a subquery) was ratelimited (not src IP
|
||
ratelimiting) to libunbound under 'ub_result.was_ratelimited'.
|
||
This also introduces a change to 'ub_event_callback_type' in
|
||
libunbound/unbound-event.h.
|
||
- Patch to implement tcp-connection-limit from Jim Hague (Sinodun).
|
||
This limits the number of simultaneous TCP client connections
|
||
from a nominated netblock.
|
||
- Fix #4142: unbound.service.in: improvements and fixes.
|
||
Add unit dependency ordering (based on systemd-resolved).
|
||
Add 'CAP_SYS_RESOURCE' to 'CapabilityBoundingSet' (fixes warnings
|
||
about missing privileges during startup). Add 'AF_INET6' to
|
||
'RestrictAddressFamilies' (without it IPV6 can't work). From
|
||
Guido Shanahan.
|
||
- unbound-checkconf checks if modules exist and prints if they are
|
||
not compiled in the name of the wrong module.
|
||
- Patch for stub-no-cache and forward-no-cache options that disable
|
||
caching for the contents of that stub or forward, for when you
|
||
want immediate changes visible, from Bjoern A. Zeeb.
|
||
- Upgraded crosscompile script to include libunbound DLL in the
|
||
zipfile.
|
||
- Set libunbound to increase current, because the libunbound change
|
||
to the event callback function signature. That needs programs,
|
||
that use it, to recompile against the new header definition.
|
||
- log-servfail: yes prints log lines that say why queries are
|
||
returning SERVFAIL to clients.
|
||
- log-local-actions: yes option for unbound.conf that logs all the
|
||
local zone actions, a patch from Saksham Manchanda (Secure64).
|
||
- #4146: num.query.subnet and num.query.subnet_cache counters.
|
||
- #4140: Expose repinfo (comm_reply) to the inplace_callbacks. This
|
||
gives access to reply information for the client's communication
|
||
point when the callback is called before the mesh state (modules).
|
||
Changes to C and Python's inplace_callback signatures were also
|
||
necessary.
|
||
- Set defaults to yes for a number of options to increase speed and
|
||
resilience of the server. The so-reuseport, harden-below-nxdomain,
|
||
and minimal-responses options are enabled by default. They used
|
||
to be disabled by default, waiting to make sure they worked. They
|
||
are enabled by default now, and can be disabled explicitly by
|
||
setting them to "no" in the unbound.conf config file. The reuseport
|
||
and minimal options increases speed of the server, and should be
|
||
otherwise harmless. The harden-below-nxdomain option works well
|
||
together with the recently default enabled qname minimisation, this
|
||
causes more fetches to use information from the cache.
|
||
- Added serve-expired-ttl and serve-expired-ttl-reset options.
|
||
|
||
Bug Fixes
|
||
- Windows example service.conf edited with more windows specific
|
||
configuration.
|
||
- #4108: systemd reload hang fix.
|
||
- Fix usage printout for unbound-host, hostname has to be last
|
||
argument on BSDs and Windows.
|
||
- Partial fix for permission denied on IPv6 address on FreeBSD.
|
||
- Fix that auth-zone master reply with current SOA serial does not
|
||
stop scan of masters for an updated zone.
|
||
- Fix that auth-zone does not start the wait timer without checking
|
||
if the wait timer has already been started.
|
||
- #4109: Fix that package config depends on python unconditionally.
|
||
- Patch, do not export python from pkg-config, from Petr Menšík.
|
||
- Fix checking for libhiredis printout in configure output.
|
||
- Fix typo on man page in ip-address description.
|
||
- Update libunbound/python/examples/dnssec_test.py example code to
|
||
also set the 20326 trust anchor for the root in the example code.
|
||
- Better documentation for unblock-lan-zones and insecure-lan-zones
|
||
config statements.
|
||
- Fix permission denied printed for auth zone probe random port nrs.
|
||
- Fix documentation ambiguity for tls-win-cert in tls-upstream and
|
||
forward-tls-upstream docs.
|
||
- iana port update.
|
||
- Fix round robin for failed addresses with prefer-ip6: yes
|
||
- Note in documentation that the cert name match code needs
|
||
OpenSSL 1.1.0 or later to be enabled.
|
||
- Fix to improve systemd socket activation code file descriptor
|
||
assignment.
|
||
- Fix for 4126 that the #define for UNKNOWN_SERVER_NICENESS can be more
|
||
easily changed to adjust default rtt assumptions.
|
||
- Fix #4127 unbound -h does not list -p help.
|
||
- Print error if SSL name verification configured but not available
|
||
in the ssl library.
|
||
- Fix that ratelimit and ip-ratelimit are applied after reload of
|
||
changed config file.
|
||
- Resize ratelimit and ip-ratelimit caches if changed on reload.
|
||
- Fix #4129 unbound-control error message with wrong cert permissions
|
||
is too cryptic.
|
||
- Fix #4130: print text describing -dd and unbound-checkconf on
|
||
config file read error at startup, the errors may have been moved
|
||
away by the startup process.
|
||
- Fix #4131: for solaris, error YY_CURRENT_BUFFER undeclared.
|
||
- Fix use-systemd readiness signalling, only when use-systemd is yes
|
||
and not in signal handler.
|
||
- Fix #4135: 64-bit Windows Installer Creates Entries Under The
|
||
Wrong Registry Key, reported by Brian White.
|
||
- Fix man page, say that chroot is enabled by default.
|
||
- Sort out test runs when the build directory isn't the project
|
||
root directory.
|
||
- Error if EDNS Keepalive received over UDP.
|
||
- Correct and expand manual page entries for keepalive and idle timeout.
|
||
- Implement progressive backoff of TCP idle/keepalive timeout.
|
||
- Fix 'make depend' to work when build dir is not project root.
|
||
- Fix #4139: Fix unbound-host leaks memory on ANY.
|
||
- Fix to remove systemd sockaddr function check, that is not
|
||
always present. Make socket activation more lenient. But not
|
||
different when socket activation is not used.
|
||
- Fix #4136: insufficiency from mismatch of FLEX capability between
|
||
released tarball and build host. Fix to unconditionally call
|
||
destroy in daemon.c.
|
||
- Make capsforid fallback QNAME minimisation aware.
|
||
- document --enable-subnet in doc/README.
|
||
- Fix #4144: dns64 module caches wrong (negative) information.
|
||
- Fix that printout of error for cycle targets is a verbosity 4
|
||
printout and does not wrongly print it is a memory error.
|
||
- Fix segfault in auth-zone read and reorder of RRSIGs.
|
||
- Fix contrib/fastrpz.patch.
|
||
- Fix warning on compile without threads.
|
||
- print servfail info to log as error.
|
||
- added more servfail printout statements, to the iterator.
|
||
- Fix classification for QTYPE=CNAME queries when QNAME minimisation is
|
||
enabled.
|
||
- Fix only misc failure from log-servfail when val-log-level is not
|
||
enabled.
|
||
- Fix lintflags for lint on FreeBSD.
|
||
- Fix that a local-zone with a local-zone-type that is transparent
|
||
in a view with view-first, makes queries check for answers from the
|
||
local-zones defined outside of views.
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Jun 21 09:19:02 UTC 2018 - michael@stroeder.com
|
||
|
||
- update to 1.7.3
|
||
|
||
Features
|
||
- #4102 for NSD, but for Unbound. Named unix pipes do not use
|
||
certificate and key files, access can be restricted with file and
|
||
directory permissions. The option control-use-cert is no longer
|
||
used, and ignored if found in unbound.conf.
|
||
- Rename tls-additional-ports to tls-additional-port, because every
|
||
line adds one port.
|
||
|
||
Bug Fixes
|
||
- Don't count CNAME response types received during qname minimisation
|
||
as query restart.
|
||
- #4100: Fix stub reprime when it becomes useless.
|
||
- Fix crash if ratelimit taken into use with unbound-control
|
||
instead of with unbound.conf.
|
||
- Patch to fix openwrt for mac os build darwin detection in configure.
|
||
- #4103: Fix that auth-zone does not insist on SOA record first in
|
||
file for url downloads.
|
||
- Fix that first control-interface determines if TLS is used. Warn
|
||
when IP address interfaces are used without TLS.
|
||
- Fix that control-use-cert: no works for 127.0.0.1 to disable certs.
|
||
- Fix unbound-checkconf for control-use-cert.
|
||
- Fix for unbound-control on Windows and set TCP socket parameters
|
||
more closely.
|
||
- Fix windows unbound-control no cert bad file descriptor error.
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Jun 11 13:05:51 UTC 2018 - michael@stroeder.com
|
||
|
||
- update to 1.7.2
|
||
* This release fixes bugs in DNS-over-TLS for windows, and adds the option
|
||
for windows users to use the CA certificates from the Windows cert
|
||
stores, tls-win-cert: yes in unbound.conf.
|
||
* The code has been updated with a speed up that improves performance for
|
||
large numbers of incoming TCP and TLS connections.
|
||
* There is an option to allow to ignore an unset RD bit for access control
|
||
subnets and always allow recursion to the request.
|
||
|
||
-------------------------------------------------------------------
|
||
Thu May 3 16:38:07 UTC 2018 - michael@stroeder.com
|
||
|
||
- update to 1.7.1
|
||
|
||
Features
|
||
- Add --with-libhiredis, unbound support for a new cachedb
|
||
backend that uses a Redis server as the storage. This
|
||
implementation depends on the hiredis client library
|
||
(https://redislabs.com/lp/hiredis/).
|
||
And unbound should be built with both --enable-cachedb and
|
||
--with-libhiredis[=PATH] (where $PATH/include/hiredis/hiredis.h
|
||
should exist). Patch from Jinmei Tatuya (Infoblox).
|
||
- Create additional tls service interfaces by opening them on other
|
||
portnumbers and listing the portnumbers as additional-tls-port: nr.
|
||
- ED448 support.
|
||
- num.query.authzone.up and num.query.authzone.down statistics counters.
|
||
- Accept both option names with and without colon for get_option
|
||
and set_option.
|
||
- low-rtt and low-rtt-pct in unbound.conf enable the server selection
|
||
of fast servers for some percentage of the time.
|
||
- num.query.aggressive.NOERROR and num.query.aggressive.NXDOMAIN
|
||
statistics counters.
|
||
- allow-notify: config statement for auth-zones.
|
||
- Can set tls authentication with forward-addr: IP#tls.auth.name
|
||
And put the public cert bundle in tls-cert-bundle: "ca-bundle.pem".
|
||
such as forward-addr: 9.9.9.9@853#dns.quad9.net or
|
||
1.1.1.1@853#cloudflare-dns.com
|
||
- list_auth_zones unbound-control command.
|
||
- Added root-key-sentinel support
|
||
|
||
Bug Fixes
|
||
- Fix #3727: Protocol name is TLS, options have been renamed but
|
||
documentation is not consistent.
|
||
- Check IXFR start serial.
|
||
- Fix typo in documentation.
|
||
- Fix #3736: Fix 0 TTL domains stuck on SERVFAIL unless manually
|
||
flushed with serve-expired on.
|
||
- Fix #3817: core dump happens in libunbound delete, when queued
|
||
servfail hits deleted message queue.
|
||
- corrected a minor typo in the changelog.
|
||
- move htobe64/be64toh portability code to cachedb.c.
|
||
- iana port update.
|
||
- Do not use cached NSEC records to generate negative answers for
|
||
domains under DNSSEC Negative Trust Anchors.
|
||
- Fix unbound-control get_option aggressive-nsec
|
||
- Check "result" in dup_all(), by Florian Obser.
|
||
- Fix #4043: make test fails due to v6 presentation issue in macOS.
|
||
- Fix unable to resolve after new WLAN connection, due to auth-zone
|
||
failing with a forwarder set. Now, auth-zone is only used for
|
||
answers (not referrals) when a forwarder is set.
|
||
- Combine write of tcp length and tcp query for dns over tls.
|
||
- nitpick fixes in example.conf.
|
||
- Fix above stub queries for type NS and useless delegation point.
|
||
- Fix unbound-control over pipe with openssl 1.1.1, the TLSv1.3
|
||
tls_choose_sigalg routine does not allow the ciphers for the pipe,
|
||
so use TLSv1.2.
|
||
- Fix that flush_zone sets prefetch ttl expired, so that with
|
||
serve-expired enabled it'll start prefetching those entries.
|
||
- Fix downstream auth zone, only fallback when auth zone fails to
|
||
answer and fallback is enabled.
|
||
- Fix for max include depth for authzones.
|
||
- Fix memory free on fail for $INCLUDE in authzone.
|
||
- Fix that an internal error to look up the wrong rr type for
|
||
auth zone gets stopped, before trying to send there.
|
||
- Fix auth zone target lookup iterator.
|
||
- Fix auth-zone retry timer to be on schedule with retry timeout,
|
||
with backoff. Also time a refresh at the zone expiry.
|
||
- Fix #658: unbound using TLS in a forwarding configuration does not
|
||
verify the server's certificate (RFC 8310 support).
|
||
- For addr with #authname and no @port notation, the default is 853.
|
||
- man page documentation for dns-over-tls forward-addr '#' notation.
|
||
- removed free from failed parse case.
|
||
- Fix #4091: Fix that reload of auth-zone does not merge the zonefile
|
||
with the previous contents.
|
||
- Delete auth zone when removed from config.
|
||
- makedist uses bz2 for expat code, instead of tar.gz.
|
||
- Fix #4092: libunbound: use-caps-for-id lacks colon in
|
||
config_set_option.
|
||
- auth zone http download stores exact copy of downloaded file,
|
||
including comments in the file.
|
||
- Fix sldns parse failure for CDS alternate delete syntax empty hex.
|
||
- Attempt for auth zone fix; add of callback in mesh gets from
|
||
callback does not skip callback of result.
|
||
- Fix cname classification with qname minimisation enabled.
|
||
- Fix contrib/fastrpz.patch for this release.
|
||
- Fix auth https for libev.
|
||
- Fix memory leak when caching wildcard records for aggressive NSEC use
|
||
- Fix for crash in daemon_cleanup with dnstap during reload,
|
||
from Saksham Manchanda.
|
||
- Also that for dnscrypt.
|
||
|
||
-------------------------------------------------------------------
|
||
Sun Apr 22 19:26:03 UTC 2018 - michael@stroeder.com
|
||
|
||
- Commented configuration directive dlv-anchor-file: in unbound.conf
|
||
(see bsc#1055060). The DLV key file is deliberately still
|
||
shipped in the package so users could easily re-enable this.
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Apr 4 11:54:01 UTC 2018 - michael@stroeder.com
|
||
|
||
- update to 1.7.0
|
||
|
||
Features
|
||
- auth-zone provides a way to configure RFC7706 from unbound.conf,
|
||
eg. with auth-zone: name: "." for-downstream: no for-upstream: yes
|
||
fallback-enabled: yes and masters or a zonefile with data.
|
||
- Aggressive use of NSEC implementation. Use cached NSEC records to
|
||
generate NXDOMAIN, NODATA and positive wildcard answers.
|
||
- Accept tls-upstream in unbound.conf, the ssl-upstream keyword is
|
||
also recognized and means the same. Also for tls-port,
|
||
tls-service-key, tls-service-pem, stub-tls-upstream and
|
||
forward-tls-upstream.
|
||
- [dnscrypt] introduce dnscrypt-provider-cert-rotated option,
|
||
from Manu Bretelle.
|
||
This option allows handling multiple cert/key pairs while only
|
||
distributing some of them.
|
||
In order to reliably match a client magic with a given key without
|
||
strong assumption as to how those were generated, we need both key and
|
||
cert. Likewise, in order to know which ES version should be used.
|
||
On the other hand, when rotating a cert, it can be desirable to only
|
||
serve the new cert but still be able to handle clients that are still
|
||
using the old certs's public key.
|
||
The `dnscrypt-provider-cert-rotated` allow to instruct unbound to not
|
||
publish the cert as part of the DNS's provider_name's TXT answer.
|
||
- Update B root ipv4 address.
|
||
- make ip-transparent option work on OpenBSD.
|
||
- Fix #2801: Install libunbound.pc.
|
||
- ltrace.conf file for libunbound in contrib.
|
||
- Fix #3598: Fix swig build issue on rhel6 based system.
|
||
configure --disable-swig-version-check stops the swig version check.
|
||
|
||
Bug Fixes
|
||
- Fix #1749: With harden-referral-path: performance drops, due to
|
||
circular dependency in NS and DS lookups.
|
||
- [dnscrypt] prevent dnscrypt-secret-key, dnscrypt-provider-cert
|
||
duplicates
|
||
- Better documentation for cache-max-negative-ttl.
|
||
- Fixed libunbound manual typo.
|
||
- Fix #1949: [dnscrypt] make provider name mismatch more obvious.
|
||
- Fix #2031: Double included headers
|
||
- Document that errno is left informative on libunbound config read
|
||
fail.
|
||
- iana port update.
|
||
- Fix #1913: ub_ctx_config is under circumstances thread-safe.
|
||
- Fix #2362: TLS1.3/openssl-1.1.1 not working.
|
||
- Fix #2034 - Autoconf and -flto.
|
||
- Fix #2141 - for libsodium detect lack of entropy in chroot, print
|
||
a message and exit.
|
||
- Fix #2492: Documentation libunbound.
|
||
- Fix #2882: Unbound behaviour changes (wrong) when domain-insecure is
|
||
set for stub zone. It no longer searches for DNSSEC information.
|
||
- Fix #3299 - forward CNAME daisy chain is not working
|
||
- Fix link failure on OmniOS.
|
||
- Check whether --with-libunbound-only is set when using --with-nettle
|
||
or --with-nss.
|
||
- Fix qname-minimisation documentation (A QTYPE, not NS)
|
||
- Fix that DS queries with referral replies are answered straight
|
||
away, without a repeat query picking the DS from cache.
|
||
The correct reply should have been an answer, the reply is fixed
|
||
by the scrubber to have the answer in the answer section.
|
||
- Fix that expiration date checks don't fail with clang -O2.
|
||
- Fix queries being leaked above stub when refetching glue.
|
||
- Copy query and correctly set flags on REFUSED answers when cache
|
||
snooping is not allowed.
|
||
- make depend: code dependencies updated in Makefile.
|
||
- Fix #3397: Fix that cachedb could return a partial CNAME chain.
|
||
- Fix #3397: Fix that when the cache contains an unsigned DNAME in
|
||
the middle of a cname chain, a result without the DNAME could
|
||
be returned.
|
||
- Fix that unbound-checkconf -f flag works with auto-trust-anchor-file
|
||
for startup scripts to get the full pathname(s) of anchor file(s).
|
||
- Print fatal errors about remote control setup before log init,
|
||
so that it is printed to console.
|
||
- Use NSEC with longest ce to prove wildcard absence.
|
||
- Only use *.ce to prove wildcard absence, no longer names.
|
||
- Fix unfreed locks in log and arc4random at exit of unbound.
|
||
- Fix lock race condition in dns cache dname synthesis.
|
||
- Fix #3451: dnstap not building when you have a separate build dir.
|
||
And removed protoc warning, set dnstap.proto syntax to proto2.
|
||
- Added tests with wildcard expanded NSEC records (CVE-2017-15105 test)
|
||
- Unit test for auth zone https url download.
|
||
- tls-cert-bundle option in unbound.conf enables TLS authentication.
|
||
- Fixes for clang static analyzer, the missing ; in
|
||
edns-subnet/addrtree.c after the assert made clang analyzer
|
||
produce a failure to analyze it.
|
||
- Fix #3505: Documentation for default local zones references
|
||
wrong RFC.
|
||
- Fix #3494: local-zone noview can be used to break out of the view
|
||
to the global local zone contents, for queries for that zone.
|
||
- Fix for more maintainable code in localzone.
|
||
- more robust cachedump rrset routine.
|
||
- Save wildcard RRset from answer with original owner for use in
|
||
aggressive NSEC.
|
||
- Fixup contrib/fastrpz.patch so that it applies.
|
||
- Fix compile without threads, and remove unused variable.
|
||
- Fix compile with staticexe and python module.
|
||
- Fix nettle compile.
|
||
- Fix to check define of DSA for when openssl is without deprecated.
|
||
- iana port update.
|
||
- Fix #3582: Squelch address already in use log when reuseaddr option
|
||
causes same port to be used twice for tcp connections.
|
||
- Reverted fix for #3512, this may not be the best way forward;
|
||
although it could be changed at a later time, to stay similar to
|
||
other implementations.
|
||
- Fix for windows compile.
|
||
- Fixed contrib/fastrpz.patch, even though this already applied
|
||
cleanly for me, now also for others.
|
||
- patch to log creates keytag queries, from A. Schulze.
|
||
- patch suggested by Debian lintian: allow to -> allow one to, from
|
||
A. Schulze.
|
||
- Attempt to remove warning about trailing whitespace.
|
||
- Added documentation for aggressive-nsec: yes.
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Jan 19 10:34:41 UTC 2018 - michael@stroeder.com
|
||
|
||
- update to 1.6.8
|
||
patch for CVE-2017-15105: vulnerability in the processing of
|
||
wildcard synthesized NSEC records.
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Oct 10 08:20:16 UTC 2017 - michael@stroeder.com
|
||
|
||
- update to 1.6.7
|
||
|
||
Features:
|
||
- Set trust-anchor-signaling default to yes
|
||
- Fix #1440: [dnscrypt] client nonce cache.
|
||
- Fix #1435: Please allow UDP to be disabled separately upstream and
|
||
downstream.
|
||
|
||
Bug fixes:
|
||
- Fix that looping modules always stop the query, and don't pass
|
||
control.
|
||
- Fix unbound-host to report error for DNSSEC state of failed lookups.
|
||
- Spelling fixes, from Josh Soref.
|
||
- Fix #1400: allowing use of global cache on ECS-forwarding unless
|
||
always-forward.
|
||
- use a cachedb answer even if it's "expired" when serve-expired is yes
|
||
(patch from Jinmei Tatuya).
|
||
- trigger refetching of the answer in that case (this will bypass
|
||
cachedb lookup)
|
||
- allow storing a 0-TTL answer from cachedb in the in-memory message
|
||
cache when serve-expired is yes
|
||
- Fix DNSCACHE_STORE_ZEROTTL to be bigger than 0xffff.
|
||
- Log name of looping module
|
||
- Fix #1450: Generate again patch contrib/aaaa-filter-iterator.patch
|
||
(by Danilo G. Baio).
|
||
- Fix param unused warning for windows exportsymbol compile.
|
||
- Use RCODE from A query on DNS64 synthesized answer.
|
||
- Fix trust-anchor-signaling works in libunbound.
|
||
- Fix spelling in unbound-control man page.
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Sep 4 16:17:44 UTC 2017 - michael@stroeder.com
|
||
|
||
- update to 1.6.6
|
||
|
||
Features:
|
||
- unbound-control dump_infra prints port number for address if not 53.
|
||
- Fix #1344: RFC6761-reserved domains: test. and invalid.
|
||
- Fix #1349: allow suppression of pidfiles (from Daniel Kahn Gillmor).
|
||
With the -p option unbound does not create a pidfile.
|
||
- Added stats for queries that have been ratelimited by domain
|
||
recursion.
|
||
- Patch to show DNSCrypt status in help output, from Carsten
|
||
Strotmann.
|
||
- Fix #1407: Add ECS options check to unbound-checkconf.
|
||
- Fix #1415: [dnscrypt] shared secret cache, patch from
|
||
Manu Bretelle.
|
||
|
||
Bug Fixes:
|
||
- fixup of dnscrypt_cert_chacha test (from Manu Bretelle).
|
||
- First fix for zero b64 and hex text zone format in sldns.
|
||
- Better fixup of dnscrypt_cert_chacha test for different escapes.
|
||
- Fix that infra cache host hash does not change after reconfig.
|
||
- Fix python example0 return module wait instead of error for pass.
|
||
- enhancement for hardened-tls for DNS over TLS. Removed duplicated
|
||
security settings.
|
||
- Fix for unbound-checkconf, check ipsecmod-hook if ipsecmod is turned
|
||
on.
|
||
- Fix #1331: libunbound segfault in threaded mode when context is
|
||
deleted.
|
||
- Fix pythonmod link line option flag.
|
||
- Fix openssl 1.1.0 load of ssl error strings from ssl init.
|
||
- Fix 1332: Bump verbosity of failed chown'ing of the control socket.
|
||
- Redirect all localhost names to localhost address for RFC6761.
|
||
- Fix #1350: make cachedb backend configurable (from JINMEI Tatuya).
|
||
- Fix tests to use .tdir (from Manu Bretelle) instead of .tpkg.
|
||
- upgrade aclocal(pkg.m4 0.29.1), config.guess(2016-10-02),
|
||
config.sub(2016-09-05).
|
||
- annotate case statement fallthrough for gcc 7.1.1.
|
||
- flex output from flex 2.6.1.
|
||
- snprintf of thread number does not warn about truncated string.
|
||
- squelch TCP fast open error on FreeBSD when kernel has it disabled,
|
||
unless verbosity is high.
|
||
- remove warning from windows compile.
|
||
- Fix compile with libnettle
|
||
- Fix DSA configure switch (--disable dsa) for libnettle and libnss.
|
||
- Fix #1365: Add Ed25519 support using libnettle.
|
||
- Fix #1394: mix of serve-expired and response-ip could cause a crash.
|
||
- Remove unused iter_env member (ip6arpa_dname)
|
||
- Do not reset rrset.bogus stats when called using stats_noreset.
|
||
- Do not add rrset_bogus and query ratelimiting stats per thread, these
|
||
module stats are global.
|
||
- Fix #1397: Recursive DS lookups for AS112 zones names should recurse.
|
||
- Fix #1398: make cachedb secret configurable.
|
||
- Remove spaces from Makefile.
|
||
- Fix issue on macOX 10.10 where TCP fast open is detected but not
|
||
implemented causing TCP to fail. The fix allows fallback to regular
|
||
TCP in this case and is also more robust for cases where connectx()
|
||
fails for some reason.
|
||
- Fix #1402: squelch invalid argument error for fd_set_block on windows.
|
||
- Fix to reclaim tcp handler when it is closed due to dnscrypt buffer
|
||
allocation failure.
|
||
- Fix #1415: patch to free dnscrypt environment on reload.
|
||
- iana portlist update
|
||
- Small fixes for the shared secret cache patch.
|
||
- Fix WKS records on kvm autobuild host, with default protobyname
|
||
entries for udp and tcp.
|
||
- Fix #1414: fix segfault on parse failure and log_replies.
|
||
- zero qinfo in handle_request, this zeroes local_alias and also the
|
||
qname member.
|
||
- new keys and certs for dnscrypt tests.
|
||
- fixup WKS test on buildhost without servicebyname.
|
||
- updated contrib/fastrpz.patch to apply with configparser changes.
|
||
- Fix 1416: qname-minimisation breaks TLSA lookups with CNAMEs.
|
||
- Fix #1424: cachedb:testframe is not thread safe.
|
||
- Fix #1417: [dnscrypt] shared secret cache counters, and works when
|
||
dnscrypt is not enabled. And cache size configuration option.
|
||
- Fix #1418: [ip ratelimit] initialize slabhash using
|
||
ip-ratelimit-slabs.
|
||
- Recommend 1472 buffer size in unbound.conf
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Aug 21 10:38:49 UTC 2017 - michael@stroeder.com
|
||
|
||
- update to 1.6.5
|
||
* Fix install of trust anchor when two anchors are present, makes both
|
||
valid. Checks hash of DS but not signature of new key. This fixes
|
||
installs between sep11 and oct11 2017.
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Aug 8 19:02:38 UTC 2017 - jengelh@inai.de
|
||
|
||
- RPM group fix. Do not suppress user/group creation problems.
|
||
Replace %__ type macro indirections.
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Jun 27 11:13:31 UTC 2017 - michael@stroeder.com
|
||
|
||
- update to 1.6.4
|
||
|
||
Features:
|
||
- Implemented trust anchor signaling using key tag query.
|
||
- unbound-checkconf -o allows query of dnstap config variables.
|
||
Also unbound-control get_option. Also for dnscrypt.
|
||
- unbound.h exports the shm stats structures. They use
|
||
type long long and no ifdefs, and ub_ before the typenames.
|
||
- Implemented opportunistic IPsec support module (ipsecmod).
|
||
- Added redirect-bogus.patch to contrib directory.
|
||
- Support for the ED25519 algorithm with openssl (from openssl 1.1.1).
|
||
- renumbering B-Root's IPv6 address to 2001:500:200::b.
|
||
- Fix #1276: [dnscrypt] add XChaCha20-Poly1305 cipher.
|
||
- Fix #1277: disable domain ratelimit by setting value to 0.
|
||
- Added fastrpz patch to contrib
|
||
|
||
Bug Fixes:
|
||
- Added ECS unit test (from Manu Bretelle).
|
||
- ECS documentation fix (from Manu Bretelle).
|
||
- Fix #1252: more indentation inconsistencies.
|
||
- Fix #1253: unused variable in edns-subnet/addrtree.c:getbit().
|
||
- Fix #1254: clarify ratelimit-{for,below}-domain (from Manu Bretelle).
|
||
- iana portlist update
|
||
- Based on #1257: check parse limit before t increment in sldns RR
|
||
string parse routine.
|
||
- Fix #1258: Windows 10 X64 unbound 1.6.2 service will not start.
|
||
and fix that 64bit getting installed in C:\Program Files (x86).
|
||
- Fix #1259: "--disable-ecdsa" argument overwritten
|
||
by "#ifdef SHA256_DIGEST_LENGTH@daemon/remote.c".
|
||
- iana portlist update
|
||
- Added test for leak of stub information.
|
||
- Fix sldns wire2str printout of RR type CAA tags.
|
||
- Fix sldns int16_data parse.
|
||
- Fix sldns parse and printout of TSIG RRs.
|
||
- sldns SMIMEA and AVC definitions, same as getdns definitions.
|
||
- Fix tcp-mss failure printout text.
|
||
- Set SO_REUSEADDR on outgoing tcp connections to fix the bind before
|
||
connect limited tcp connections. With the option tcp connections
|
||
can share the same source port (for different destinations).
|
||
- Add 'c' to getopt() in testbound.
|
||
- Adjust servfail by iterator to not store in cache when serve-expired
|
||
is enabled, to avoid overwriting useful information there.
|
||
- Fix queries for nameservers under a stub leaking to the internet.
|
||
- document trust-anchor-signaling in example config file.
|
||
- updated configure, dependencies and flex output.
|
||
- better module memory lookup, fix of unbound-control shm names for
|
||
module memory printout of statistics.
|
||
- Fix type AVC sldns rrdef.
|
||
- Some whitespace fixup.
|
||
- Fix #1265: contrib/unbound.service contains hardcoded path.
|
||
- Fix #1265 to use /bin/kill.
|
||
- Fix #1267: Libunbound validator/val_secalgo.c uses obsolete APIs,
|
||
and compatibility with BoringSSL.
|
||
- Fix #1268: SIGSEGV after log_reopen.
|
||
- exec_prefix is by default equal to prefix.
|
||
- printout localzone for duplicate local-zone warnings.
|
||
- Fix assertion for low buffer size and big edns payload when worker
|
||
overrides udpsize.
|
||
- Support for openssl EVP_DigestVerify.
|
||
- Fix #1269: inconsistent use of built-in local zones with views.
|
||
- Add defaults for new local-zone trees added to views using
|
||
unbound-control.
|
||
- Fix #1273: cachedb.c doesn't compile with -Wextra.
|
||
- If MSG_FASTOPEN gives EPIPE fallthrough to try normal tcp write.
|
||
- Also use global local-zones when there is a matching view that does
|
||
not have any local-zone specified.
|
||
- Fix fastopen EPIPE fallthrough to perform connect.
|
||
- Fix #1274: automatically trim chroot path from dnscrypt key/cert paths
|
||
(from Manu Bretelle).
|
||
- Fix #1275: cached data in cachedb is never used.
|
||
- Fix that unbound-control can set val_clean_additional and
|
||
val_permissive_mode.
|
||
- Add dnscrypt XChaCha20 tests.
|
||
- Detect chacha for dnscrypt at configure time.
|
||
- dnscrypt unit tests with chacha.
|
||
- Added domain name based ECS whitelist.
|
||
- Fix #1278: Incomplete wildcard proof.
|
||
- Fix #1279: Memory leak on reload when python module is enabled.
|
||
- Fix #1280: Unbound fails assert when response from authoritative
|
||
contains malformed qname. When 0x20 caps-for-id is enabled, when
|
||
assertions are not enabled the malformed qname is handled correctly.
|
||
- More fixes in depth for buffer checks in 0x20 qname checks.
|
||
- Fix stub zone queries leaking to the internet for
|
||
harden-referral-path ns checks.
|
||
- Fix query for refetch_glue of stub leaking to internet.
|
||
- Fix #1301: memory leak in respip and tests.
|
||
- Free callback in edns-subnetmod on exit and restart.
|
||
- Fix memory leak in sldns_buffer_new_frm_data.
|
||
- Fix memory leak in dnscrypt config read.
|
||
- Fix dnscrypt chacha cert support ifdefs.
|
||
- Fix dnscrypt chacha cert unit test escapes in grep.
|
||
- Fix to unlock view in view test.
|
||
- Fix warning in pythonmod under clang compiler.
|
||
- Fix lintian typo.
|
||
- Fix #1316: heap read buffer overflow in parse_edns_options.
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Jun 14 10:22:38 UTC 2017 - michael@stroeder.com
|
||
|
||
- update to 1.6.3
|
||
|
||
Bug Fixes
|
||
- Fix #1280: Unbound fails assert when response from authoritative
|
||
contains malformed qname. When 0x20 caps-for-id is enabled, when
|
||
assertions are not enabled the malformed qname is handled correctly.
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Apr 24 15:54:02 UTC 2017 - michael@stroeder.com
|
||
|
||
- update to 1.6.2
|
||
|
||
Features
|
||
- Add trustanchor.unbound CH TXT that gets a response with a number
|
||
of TXT RRs with a string like "example.com. 2345 1234" with
|
||
the trust anchors and their keytags.
|
||
- Patch for view functionality for local-data-ptr from Björn Ketelaars.
|
||
- Response actions based on IP address from Jinmei Tatuya (Infoblox).
|
||
- Patch from Luiz Fernando Softov for Stats Shared Memory.
|
||
- unbound-control stats_shm command prints stats using shared memory,
|
||
which uses less cpu.
|
||
- --disable-sha1 disables SHA1 support in RRSIG, so from DNSKEY and
|
||
DS records. NSEC3 is not disabled.
|
||
- #1217. DNSCrypt support, with --enable-dnscrypt, libsodium and then
|
||
enabled in the config file from Manu Bretelle.
|
||
- Merge EDNS Client subnet implementation from feature branch into main
|
||
branch, using new EDNS processing framework.
|
||
- harden-algo-downgrade: no also makes unbound more lenient about
|
||
digest algorithms in DS records.
|
||
|
||
Bug fixes
|
||
- sldns has ED25519 and ED448 algorithm number and name for display.
|
||
- sldns updated for vfixed and buffer resize indication from getdns.
|
||
- iana portlist update
|
||
- Fix #1224: Fix that defaults should not fall back to "Program Files
|
||
(x86) if Unbound is 64bit by default on windows.
|
||
- Fix doc/CNAME-basedRedirectionDesignNotes.pdf zone static to
|
||
redirect.
|
||
- make depend, autoconf, doxygen and lint fixed up.
|
||
- include sys/time.h for new shm code on NetBSD.
|
||
- Fix #1227: Fix that Unbound control allows weak ciphersuits.
|
||
- Fix #1226: provide official 32bit binary for windows.
|
||
- For #1227: if we have sha256, set the cipher list to have no
|
||
known vulns.
|
||
- Fix testpkts.c, check if DO bit is set, not only if there is an OPT
|
||
record.
|
||
- Fix #1229: Systemd service sandboxing in contrib/unbound.service.
|
||
- Fix #1230: swig version 2.0.1 is required for pythonmod, with
|
||
1.3.40 it crashes when running repeatly unbound-control reload.
|
||
- fix enum conversion warnings
|
||
- fake-sha1 test option; print warning if used. To make unit tests.
|
||
- unbound-control list local zone and data commands listed in the
|
||
help output.
|
||
- Fix #1234: shortening DNAME loop produces duplicate DNAME records
|
||
in ANSWER section.
|
||
- testbound understands Deckard MATCH rcode question answer commands.
|
||
- Fix #1235: Fix too long DNAME expansion produces SERVFAIL instead
|
||
of YXDOMAIN + query loop, reported by Petr Spacek.
|
||
- Fix that SHM is not inited if not enabled.
|
||
- Fix that looped DNAMEs do not cause unbound to spend effort.
|
||
- trustanchor tags are sorted. reusable routine to fetch taglist.
|
||
- Fix #1237 - Wrong resolving in chain, for norec queries that get
|
||
SERVFAIL returned.
|
||
- make depend, autoconf, remove warnings about statement before var.
|
||
- lru_demote and lruhash_insert_or_retrieve functions for getdns.
|
||
- fixup for lruhash (whitespace and header file comment).
|
||
- dnscrypt tests.
|
||
- Fix doxygen for dnscrypt files.
|
||
- Fix #1238: segmentation fault when adding through the remote
|
||
interface a per-view local zone to a view with no previous
|
||
(configured) local zones.
|
||
- Fix #1229: Systemd service sandboxing, options in wrong sections.
|
||
- Fix #1239: configure fails to find python distutils if python
|
||
prints warning.
|
||
- Fix to prevent non-referal query from being cached as referal when the
|
||
no_cache_store flag was set.
|
||
- Remove (now unused) event2 include from dnscrypt code.
|
||
- Fix #1217: Add metrics to unbound-control interface showing
|
||
crypted, cert request, plaintext and malformed queries (from
|
||
Manu Bretelle).
|
||
- Do not add current time twice to TTL before ECS cache store.
|
||
- Do not touch rrset cache after ECS cache message generation.
|
||
- Use LDNS_EDNS_CLIENT_SUBNET as default ECS opcode.
|
||
- Fix #1244: document that use of chroot requires trust anchor file to
|
||
be under chroot.
|
||
- Small fixup for documentation.
|
||
- Fix respip for braces when locks arent used.
|
||
- Fix pythonmod for cb changes.
|
||
- Generalise inplace callback (de)registration
|
||
- (de)register inplace callbacks for module id
|
||
- No unbound-control set_option for ECS options
|
||
- Deprecated client-subnet-opcode config option
|
||
- Introduced client-subnet-always-forward config option
|
||
- Changed max-client-subnet-ipv6 default to 56 (as in RFC)
|
||
- Removed extern ECS config options
|
||
- module_restart_next now calls clear on all following modules
|
||
- Also create ECS module qstate on module_event_pass event
|
||
- remove malloc from inplace_cb_register
|
||
- Unlock view in respip unit test
|
||
- Some whitespace fixup.
|
||
- Remove ECS option after REFUSED answer.
|
||
- Fix small memory leak in edns_opt_copy_alloc.
|
||
- Respip dereference after NULL check.
|
||
- Zero initialize addrtree allocation.
|
||
- Use correct identifier for SHM destroy.
|
||
- Display ECS module memory usage.
|
||
- Fix #1247: unbound does not shorten source prefix length when
|
||
forwarding ECS.
|
||
- Properly check for allocation failure in local_data_find_tag_datas.
|
||
- Fix #1249: unbound doesn't return FORMERR to bogus ECS.
|
||
- Set SHM ECS memory usage to 0 when module not loaded.
|
||
- subnet mem value is available in shm, also when not enabled,
|
||
to make the struct easier to memmap by other applications,
|
||
independent of the configuration of unbound.
|
||
- Fix #1250: inconsistent indentation in services/listen_dnsport.c.
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Feb 21 21:34:22 UTC 2017 - michael@stroeder.com
|
||
|
||
- update to 1.6.1
|
||
|
||
Features
|
||
* configure --enable-systemd and lets unbound use systemd sockets if you
|
||
enable use-systemd: yes in unbound.conf. Also there are
|
||
contrib/unbound.socket and contrib/unbound.service: systemd files for
|
||
unbound, install them in /usr/lib/systemd/system. Contributed by Sami
|
||
Kerola and Pavel Odintsov.
|
||
* [bugzilla: 1185 ]
|
||
Source IP rate limiting, patch from Larissa Feng.
|
||
* [bugzilla: 1184 ]
|
||
Log DNS replies. This includes the same logging information that DNS
|
||
queries and response code and response size, patch from Larissa Feng.
|
||
* Include root trust anchor id 20326 in unbound-anchor.
|
||
* 64bit is default for windows builds.
|
||
|
||
Bug Fixes
|
||
* [bugzilla: 1176 ]
|
||
Fix stack size too small for Alpine Linux.
|
||
* Fix unbound-control and ipv6 only.
|
||
[bugzilla: 1182 ]
|
||
* Fix Resource leak (socket), at startup.
|
||
[bugzilla: 1178 ]
|
||
* Fix attempt to fix setup error at end, pop result values at end of
|
||
install.
|
||
* iana portlist update
|
||
* Fix inet_ntop and inet_pton warnings in windows compile.
|
||
* [bugzilla: 1191 ]
|
||
Fix remove comment about view deletion.
|
||
* [bugzilla: 1188 ]
|
||
Fix unresolved symbol 'fake_dsa' in libunbound.so when built with Nettle
|
||
* [bugzilla: 1190 ]
|
||
Fix to not echo back EDNS options in local-zone error response.
|
||
* [bugzilla: 1194 ]
|
||
Fix if cross build fails when $host isn't `uname` for getentropy.
|
||
* Fix reload chdir failure when also chrooted to that directory.
|
||
* Fix to return formerr for queries for meta-types, to avoid packet
|
||
amplification if this meta-type is sent on to upstream.
|
||
* [bugzilla: 1201 ]
|
||
Fix missing unlock in answer_from_cache error condition.
|
||
* [bugzilla: 1202 ]
|
||
Fix code comment that packed_rrset_data is not always 'packed'.
|
||
* Fix to also block meta types 128 through to 248 with formerr.
|
||
* [bugzilla: 1206 ]
|
||
Fix that some view-related commands are missing from 'unbound-control -h'
|
||
* Fix to rename ub_callback_t to ub_callback_type, because POSIX
|
||
reserves _t typedefs.
|
||
* Fix to rename internally used types from _t to _type, because _t type
|
||
names are reserved by POSIX.
|
||
* Increase MAX_MODULE to 16.
|
||
* [bugzilla: 1211 ]
|
||
Fix can't enable interface-automatic if no IPv6 with more helpful
|
||
error message.
|
||
* fix root_anchor test for updated icannbundle.pem lower certificates.
|
||
* Fix compile on solaris of the fix to use $host detect.
|
||
* Fix for type name change and fix warning on windows compile.
|
||
* Fix pythonmod for typedef changes.
|
||
* Fix dnstap for warning of set but not used.
|
||
* Fix autoconf of systemd check for lack of pkg-config.
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Dec 15 16:28:44 UTC 2016 - michael@stroeder.com
|
||
|
||
- update to 1.6.0
|
||
|
||
Features
|
||
* Added generic EDNS code for registering known EDNS option codes,
|
||
bypassing the cache response stage and uniquifying mesh states. Four
|
||
EDNS option lists were added to module_qstate
|
||
(module_qstate.edns_opts_*) to store EDNS options from/to front/back side.
|
||
* Added two flags to module_qstate (no_cache_lookup, no_cache_store)
|
||
that control the modules' cache interactions.
|
||
* Added code for registering inplace callback functions. The registered
|
||
functions can be called just before replying with local data or Chaos,
|
||
replying from cache, replying with SERVFAIL, replying with a resolved
|
||
query, sending a query to a nameserver. The functions can inspect the
|
||
available data and maybe change response/query related data (i.e. append
|
||
EDNS options).
|
||
* Updated Python module for the above.
|
||
* Updated Python documentation.
|
||
* Added views functionality.
|
||
* Added qname-minimisation-strict config option.
|
||
* Patch that resolves CNAMEs entered in local-data conf statements that
|
||
point to data on the internet, from Jinmei Tatuya (Infoblox).
|
||
* serve-expired config option: serve expired responses with TTL 0.
|
||
* .gitattributes line for githubs code language display.
|
||
* log-identity: config option to set sys log identity, patch from "Robin
|
||
H. Johnson" (robbat2@gentoo.org).
|
||
* Added stub-ssl-upstream and forward-ssl-upstream options.
|
||
* Added local-zones and local-data bulk addition and removal
|
||
functionality in unbound-control (local_zones, local_zones_remove,
|
||
local_datas and local_datas_remove).
|
||
* g.root-servers.net has AAAA address.
|
||
|
||
Bug Fixes
|
||
* Fix #836: unbound could echo back EDNS options in an error response.
|
||
* Fix #838: 1.5.10 cannot be built on Solaris, undefined PATH_MAX.
|
||
* Fix #839: Memory grows unexpectedly with large RPZ files.
|
||
* Fix #840: infinite loop in unbound_munin_ plugin on unowned lockfile.
|
||
* Fix #841: big local-zone's make it consume large amounts of memory.
|
||
* Fix dnstap relaying "random" messages instead of resolver/forwarder
|
||
responses, from Nikolay Edigaryev.
|
||
* Fix Nits for 1.5.10 reported by Dag-Erling Smorgrav.
|
||
* Fix #1117: spelling errors, from Robert Edmonds.
|
||
* iana portlist update.
|
||
* fix memoryleak logfile when in debug mode.
|
||
* Re-fix #839 from view commit overwrite.
|
||
* Fixup const void cast warning.
|
||
* Removed patch comments from acllist.c and msgencode.c
|
||
* Added documentation doc/CNAME-basedRedirectionDesignNotes.pdf, from
|
||
Jinmei Tatuya (Infoblox).
|
||
* Fix #1125: unbound could reuse an answer packet incorrectly for
|
||
clients with different EDNS parameters, from Jinmei Tatuya.
|
||
* Fix #1118: libunbound.pc sets strange Libs, Libs.private values.
|
||
* Added Requires line to libunbound.pc
|
||
* Fix #1130: whitespace in example.conf.in more consistent.
|
||
* suppress compile warning in lex files.
|
||
* init lzt variable, for older gcc compiler warnings.
|
||
* fix --enable-dsa to work, instead of copying ecdsa enable.
|
||
* Fix DNSSEC validation of query type ANY with DNAME answers.
|
||
* Fixup query_info local_alias init.
|
||
* Ported tests for local_cname unit test to testbound framework.
|
||
* Fix #1134: unbound-control set_option -- val-override-date: -1 works
|
||
immediately to ignore datetime, or back to 0 to enable it again. The --
|
||
is to ignore the '-1' as an option flag.
|
||
* Patch for server.num.zero_ttl stats for count of expired replies, from
|
||
Pavel Odintsov.
|
||
* Fix failure to build on arm64 with no sbrk.
|
||
* Set OpenSSL security level to 0 when using aNULL ciphers.
|
||
* configure detects ssl security level API function in the autoconf
|
||
manner. Every function on its own, so that other libraries (eg.
|
||
LibreSSL) can develop their API without hindrance.
|
||
* Fix #1154: segfault when reading config with duplicate zones.
|
||
* Note that for harden-below-nxdomain the nxdomain must be secure, this
|
||
means nsec3 with optout is insufficient.
|
||
* Fix #1155: test status code of unbound-control in 04-checkconf, not
|
||
the status code from the tee command.
|
||
* Fix #1158: reference RFC 8020 "NXDOMAIN: There Really Is Nothing
|
||
Underneath" for the harden-below-nxdomain option.
|
||
* patch from Dag-Erling Smorgrav that removes code that relies on sbrk().
|
||
* Make access-control-tag-data RDATA absolute. This makes the RDATA
|
||
origin consistent between local-data and access-control-tag-data.
|
||
* Fix NSEC ENT wildcard check. Matching wildcard does not have to be a
|
||
subdomain of the NSEC owner.
|
||
* QNAME minimisation uses QTYPE=A, therefore always check cache for this
|
||
type in harden-below-nxdomain functionality.
|
||
* Added unit test for QNAME minimisation + harden below nxdomain synergy.
|
||
* Fix that with openssl 1.1 control-use-cert: no uses less cpu, by using
|
||
no encryption over the unix socket.
|
||
* hyphen as minus fix, by Andreas Schulze
|
||
* Fix #1170: document that 'inform' local-zone uses local-data.
|
||
* Fix #1173: differ local-zone type deny from unset tag_actions element.
|
||
* Add DSA support for OpenSSL 1.1.0
|
||
* Fix remote control without cert for LibreSSL
|
||
* Fix downcast warnings from visual studio in sldns code.
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Sep 27 12:41:57 UTC 2016 - michael@stroeder.com
|
||
|
||
- update to 1.5.10
|
||
|
||
Features
|
||
* Create a pkg-config file for libunbound in contrib.
|
||
* TCP Fast open patch from Sara Dickinson.
|
||
* Finegrained localzone control with define-tag, access-control-tag,
|
||
access-control-tag-action, access-control-tag-data, local-zone-tag, and
|
||
local-zone-override. And added types always_transparent, always_refuse,
|
||
always_nxdomain with that.
|
||
* If more than half of tcp connections are in use, a shorter timeout
|
||
is used (200 msec, vs 2 minutes) to pressure tcp for new connects.
|
||
* [bugzilla: 787 ] Fix #787: outgoing-interface netblock/64 ipv6
|
||
option to use linux freebind to use 64bits of entropy for every query
|
||
with random local part.
|
||
* For #787: prefer-ip6 option for unbound.conf prefers to send
|
||
upstream queries to ipv6 servers.
|
||
* Add default root hints for IPv6 E.ROOT-SERVERS.NET, 2001:500:a8::e.
|
||
* keep debug symbols in windows build.
|
||
|
||
Bug Fixes
|
||
* [bugzilla: 778 ] Fix unbound 1.5.9: -h segfault (null deref).
|
||
* Fix unbound-anchor.exe file location defaults to Program Files with
|
||
(x86) appended.
|
||
* Fix to not ignore return value of chown() in daemon startup.
|
||
* Better help text from -h (from Ray Griffith).
|
||
* [bugzilla: 773 ] Fix Non-standard Python location build failure with
|
||
pyunbound.
|
||
* Improve threadsafety for openssl 0.9.8 ecdsa dnssec signatures.
|
||
* Revert fix for NetworkService account on windows due to breakage it
|
||
causes.
|
||
* Fix that windows install will not overwrite existing service.conf
|
||
file (and ignore gui config choices if it exists).
|
||
* And delete service.conf.shipped on uninstall.
|
||
* In unbound.conf directory: dir immediately changes to that
|
||
directory, so that include: file below that is relative to that
|
||
directory. With chroot, make the directory an absolute path inside chroot.
|
||
* do not delete service.conf on windows uninstall.
|
||
* document directory immediate fix and allow EXECUTABLE syntax in it
|
||
on windows.
|
||
* Fix directory: fix for unbound-checkconf, it restores cwd.
|
||
* Use QTYPE=A for QNAME minimisation.
|
||
* Keep track of number of time-outs when performing QNAME
|
||
minimisation. Stop minimising when number of time-outs for a QNAME/QTYPE
|
||
pair is more than three.
|
||
* [bugzilla: 775 ] Fix unbound-host and unbound-anchor crash on
|
||
windows, ignore null delete for wsaevent.
|
||
* Fix spelling in freebind option man page text.
|
||
* Fix windows link of ssl with crypt32.
|
||
* [bugzilla: 779 ] Fix Union casting is non-portable.
|
||
* [bugzilla: 780 ] Fix MAP_ANON not defined in HP-UX 11.31.
|
||
* [bugzilla: 781 ] Fix prealloc() is an HP-UX system library call.
|
||
* Decrease dp attempts at each QNAME minimisation iteration
|
||
* [bugzilla: 784 ] Fix Build configure assumess that having getpwnam
|
||
means there is endpwent function available.
|
||
* Updated repository with newer flex and bison output.
|
||
* Fix static compile on windows missing gdi32.
|
||
* Fix dynamic link of anchor-update.exe on windows.
|
||
* Fix detect of mingw for MXE package build.
|
||
* Fixes for 64bit windows compile.
|
||
* [bugzilla: 788 ] Fix for nettle 3.0: Failed to build with Nettle >=
|
||
3.0 and --with-libunbound-only --with-nettle.
|
||
* Fixed unbound.doxygen for 1.8.11.
|
||
* [bugzilla: 798 ] Fix Client-side TCP fast open fails (Linux).
|
||
* [bugzilla: 801 ] Fix missing error condition handling in
|
||
daemon_create_workers().
|
||
* [bugzilla: 802 ] Fix workaround for function parameters that are
|
||
"unused" without log_assert.
|
||
* [bugzilla: 803 ] Fix confusing (and incorrect) code comment in
|
||
daemon_cleanup().
|
||
* [bugzilla: 806 ] Fix wrong comment removed.
|
||
* use sendmsg instead of sendto for TFO.
|
||
* [bugzilla: 807 ] Fix workaround for possible some "unused" function
|
||
parameters in test code, from Jinmei Tatuya.
|
||
* Note that OPENPGPKEY type is RFC 7929.
|
||
* [bugzilla: 804 ] Fix #804: unbound stops responding after outage.
|
||
Fixes queries that attempt to wait for an empty list of subqueries.
|
||
* Fix for #804: lower num_target_queries for iterator also for failed
|
||
lookups.
|
||
* [bugzilla: 820 ] Fix set sldns_str2wire_rr_buf() dual meaning len
|
||
parameter in each iteration in find_tag_datas().
|
||
* [bugzilla: 777 ] Fix OpenSSL 1.1.0 compatibility, patch from
|
||
Sebastian A. Siewior.
|
||
* RFC 7958 is now out, updated docs for unbound-anchor.
|
||
* Fix for compile without warnings with openssl 1.1.0.
|
||
* [bugzilla: 826 ] Fix refuse_non_local could result in a broken response.
|
||
* iana portlist update.
|
||
* Fix compile with openssl 1.1.0 with api=1.1.0.
|
||
* [bugzilla: 829 ] Fix doc of sldns_wire2str_rdata_buf() return value
|
||
has an off-by-one typo, from Jinmei Tatuya (Infoblox).
|
||
* Fix incomplete prototypes reported by Dag-Erling Smørgrav.
|
||
* [bugzilla: 828 ] Fix missing type in access-control-tag-action
|
||
redirect results in NXDOMAIN.
|
||
* Take configured minimum TTL into consideration when reducing TTL to
|
||
original TTL from RRSIG.
|
||
* [bugzilla: 831 ] Fix workaround for spurious fread_chk warning
|
||
against petal.c
|
||
* Silenced flex-generated sign-unsigned warning print with gcc
|
||
diagnostic pragma.
|
||
* Fix for new splint on FreeBSD. Fix cast for sockaddr_un.sun_len.
|
||
* fix potential memory leak in daemon/remote.c and nullpointer
|
||
dereference in validator/autotrust.
|
||
* [bugzilla: 883 ] Fix error for duplicate local zone entry.
|
||
* [bugzilla: 835 ] Fix --disable-dsa with nettle verify.
|
||
|
||
-------------------------------------------------------------------
|
||
Sat Jun 4 14:26:35 UTC 2016 - michael@stroeder.com
|
||
|
||
- update to 1.5.9
|
||
|
||
Features
|
||
* generic edns option parse and store code.
|
||
* Updated L root IPv6 address.
|
||
* User defined pluggable event API for libunbound
|
||
* ip_freebind: yesno option in unbound.conf sets IP_FREEBIND for binding
|
||
to an IP address while the interface or address is down.
|
||
* OpenSSL 1.1.0 portability, --disable-dsa configure option.
|
||
* disable-dnssec-lame-check config option from Charles Walker.
|
||
|
||
Bug Fixes
|
||
* [bugzilla: 745 ]
|
||
* Fix unbound.py - idn2dname throws UnicodeError when idnname contains
|
||
trailing dot.
|
||
* configure tests for the weak attribute support by the compiler.
|
||
* [bugzilla: 747 ]
|
||
* Fix assert in outnet_serviced_query_stop.
|
||
* Updated configure and ltmain.sh.
|
||
* Fixup of compile fix for pluggable event API from P.Y. Adi Prasaja.
|
||
* Fixup backend2str for libev.
|
||
* Fix libev usage of dispatch return value.
|
||
* No side effects in tolower() call, in case it is a macro.
|
||
* Fix warnings in ifdef corner case, older or unknown libevent.
|
||
* Fix ip-transparent for ipv6 on FreeBSD, thanks to Nick Hibma.
|
||
* Fix ip-transparent for tcp on freebsd.
|
||
* [bugzilla: 746 ]
|
||
* Fix unbound sets CD bit on all forwards. If no trust anchors, it'll not
|
||
set CD bit when forwarding to another server. If a trust anchor, no CD
|
||
bit on the first attempt to a forwarder, but CD bit thereafter on
|
||
repeated attempts to get DNSSEC.
|
||
* Limit number of QNAME minimisation iterations.
|
||
* Validate QNAME minimised NXDOMAIN responses.
|
||
* If QNAME minimisation is enabled, do cache lookup for QTYPE NS in
|
||
harden-below-nxdomain.
|
||
* Fix compile of getentropy_linux for SLES11 servicepack 4.
|
||
* Fix dnstap-log-resolver-response-messages, from Nikolay Edigaryev.
|
||
* Fix test for openssl to use HMAC_Update for 1.1.0.
|
||
* ERR_remove_state deprecated since openssl 1.0.0.
|
||
* OPENSSL_config is deprecated, removing.
|
||
* Document permit-small-holddown for 5011 debug.
|
||
* [bugzilla: 749 ]
|
||
* Fix unbound-checkconf gets SIGSEGV when use against a malformatted
|
||
conf file.
|
||
* [bugzilla: 753 ]
|
||
* Fix document dump_requestlist is for first thread.
|
||
* Fix some malformed reponses to edns queries get fallback to nonedns.
|
||
* [bugzilla: 759 ]
|
||
* Fix 0x20 capsforid no longer checks type PTR, for compatibility with
|
||
cisco dns guard. This lowers false positives.
|
||
* Fix sldns with static checking fixes copied from getdns.
|
||
* Fix memory leak in out-of-memory conditions of local zone add.
|
||
* [bugzilla: 761 ]
|
||
* Fix DNSSEC LAME false positive resolving nic.club.
|
||
* [bugzilla: 766 ]
|
||
* Fix dns64 should synthesize results on timeout/errors.
|
||
* No QNAME minimisation fall-back for NXDOMAIN answers from
|
||
DNSSEC signed zones.
|
||
* [bugzilla: 767 ]
|
||
* Fix Reference to an expired Internet-Draft in harden-below-nxdomain
|
||
documentation.
|
||
* remove memory leak from lame-check patch.
|
||
* [bugzilla: 770 ]
|
||
* Fix Small subgroup attack on DH used in unix pipe on localhost if
|
||
unbound control uses a unix local named pipe.
|
||
* Document write permission to directory of trust anchor needed.
|
||
* [bugzilla: 768 ]
|
||
* Fix Unbound Service Sometimes Can Not Shutdown Completely, WER Report
|
||
Shown Up. Close handle before closing WSA.
|
||
* Fix time in case answer comes from cache in ub_resolve_event().
|
||
* Fix windows service to be created run with limited rights, as a network
|
||
service account, from Mario Turschmann.
|
||
* [bugzilla: 752 ]
|
||
* Fix retry resource temporarily unavailable on control pipe.
|
||
* iana ports fetched via https.
|
||
* iana portlist update.
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Feb 25 10:07:47 UTC 2016 - michael@stroeder.com
|
||
|
||
- update to 1.5.8
|
||
|
||
Features
|
||
* ip-transparent option for FreeBSD with IP_BINDANY socket option.
|
||
* insecure-lan-zones: yesno config option, patch from Dag-Erling
|
||
Smørgrav.
|
||
* RR Type CSYNC support RFC 7477, in debug printout and config input.
|
||
* RR Type OPENPGPKEY support (draft-ietf-dane-openpgpkey-07).
|
||
* [bugzilla: 731 ] tcp-mss, outgoing-tcp-mss options for unbound.conf,
|
||
patch from Daisuke Higashi.
|
||
* Support RFC7686: handle ".onion" Special-Use Domain. It is blocked
|
||
by default, and can be unblocked with "nodefault" localzone config.
|
||
* ub_ctx_set_stub() function for libunbound to config stub zones.
|
||
|
||
Bug Fixes
|
||
* Fix that NSEC3 negative cache is used when there is no salt.
|
||
* sorted ubsyms.def file with exported libunbound functions.
|
||
* Print understandable debug log when unusable DS record is seen.
|
||
* load gost algorithm if digest is seen before key algorithm.
|
||
* Fix that "make install" fails due to "text file busy" error.
|
||
* Set IPPROTO_IP6 for ipv6 sockets otherwise invalid argument error.
|
||
* wait for sendto to drain socket buffers when they are full.
|
||
* Neater cmdline_verbose increment patch from Edgar Pettijohn.
|
||
* Made netbsd sendmsg test nonfatal, in case of false positives.
|
||
* [bugzilla: 741 ] Fix: log message for dnstap socket connection is
|
||
more clear.
|
||
* [bugzilla: 734 ] Fix: chown the pidfile if it resides inside the
|
||
chroot.
|
||
* Fix cmsg alignment for argument to sendmsg on NetBSD.
|
||
* Fix that unbound complains about unimplemented IP_PKTINFO for
|
||
sendmsg on NetBSD (for interface-automatic).
|
||
* [bugzilla: 738 ] Fix: Swig should not be invoked with CPPFLAGS.
|
||
* Squelch 'cannot assign requested address' log messages unless
|
||
verbosity is high, it was spammed after network down.
|
||
* Fix to simplify empty string checking from Michael McConville.
|
||
* [bugzilla: 734 ] Fix: Do not log an error when the PID file cannot
|
||
be chown'ed. Patch from Simon Deziel.
|
||
* Fix test if -pthreads unused to use better grep for portability.
|
||
* Fix mingw crosscompile for recent mingw.
|
||
* Update aclocal, autoconf output with new versions (1.15, 2.4.6).
|
||
* Define DEFAULT_SOURCE together with BSD_SOURCE when that is defined,
|
||
for Linux glibc 2.20.
|
||
* Fixup contrib/aaaa-filter-iterator.patch for moved contents in the
|
||
source code, so it applies cleanly again. Removed unused variable
|
||
warnings.
|
||
* [bugzilla: 729 ] Fix: omit use of escape sequences in echo since
|
||
they are not portable (unbound-control-setup).
|
||
* remove NULL-checks before free, patch from Michael McConville.
|
||
* updated ax_pthread.m4 to version 21 with clang support, this removes
|
||
a warning from compilation.
|
||
* OSX portability, detect if sbrk is deprecated.
|
||
* OSX clang, stop -pthread unused during link stage warnings.
|
||
* OSX clang new flto check.
|
||
* iana portlist update.
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Feb 23 16:03:46 UTC 2016 - mrueckert@suse.de
|
||
|
||
- also conflict the shlib package
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Feb 22 15:22:05 UTC 2016 - mrueckert@suse.de
|
||
|
||
- add libunbound-devel-mini-rpmlintrc as source
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Feb 17 15:55:34 UTC 2016 - mrueckert@suse.de
|
||
|
||
- revert the previous change which would not solve the problem as
|
||
the library package requires the unbound-anchor package
|
||
instead introduce a libunbound-devel-mini package which holds the
|
||
shared library and devel files with a minimal build requires.
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Feb 4 13:01:35 UTC 2016 - meissner@suse.com
|
||
|
||
- split off a libunbound package with less buildrequires to
|
||
allow shorter buildcycles when built by gnutls. bsc#964346
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Dec 10 11:48:46 UTC 2015 - michael@stroeder.com
|
||
|
||
- update to 1.5.7
|
||
|
||
Features
|
||
* Fix #594. libunbound: optionally use libnettle for crypto.
|
||
Contributed by Luca Bruno. Added --with-nettle for use with
|
||
--with-libunbound-only.
|
||
* Implemented qname minimisation
|
||
|
||
Bug Fixes
|
||
* Fix #712: unbound-anchor appears to not fsync root.key.
|
||
* Fix #714: Document config to block private-address for IPv4
|
||
mapped IPv6 addresses.
|
||
* portability, replace snprintf if return value broken
|
||
* portability fixes.
|
||
* detect libexpat without xml_StopParser function.
|
||
* isblank() compat implementation.
|
||
* patch from Doug Hogan for SSL_OP_NO_SSLvx options.
|
||
* Fix #716: nodata proof with empty non-terminals and wildcards.
|
||
* Fix #718: Fix unbound-control-setup with support for env
|
||
without HEREDOC bash support.
|
||
* ACX_SSL_CHECKS no longer adds -ldl needlessly.
|
||
* Change example.conf: ftp.internic.net to https://www.internic.net
|
||
* Fix for lenient accept of reverse order DNAME and CNAME.
|
||
* spelling fixes from Igor Sobrado Delgado.
|
||
* Fix that malformed EDNS query gets a response without malformed EDNS.
|
||
* Added assert on rrset cache correctness.
|
||
* Fix #720: add windows scripts to zip bundle,
|
||
and fix unbound-control-setup windows batch file.
|
||
* Fix for #724: conf syntax to read files from run dir (on Windows).
|
||
And fix PCA prompt for unbound-service-install.exe.
|
||
And add Changelog to windows binary dist.
|
||
* .gitignore for git users.
|
||
* iana portlist update.
|
||
* Removed unneeded whitespace from example.conf.
|
||
* Do not minimise forwarded requests.
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Oct 15 19:31:43 UTC 2015 - michael@stroeder.com
|
||
|
||
- update to 1.5.6
|
||
Features
|
||
- Default for ssl-port is port 853, the temporary port assignment for
|
||
secure domain name system traffic. If you used to rely on the older
|
||
default of port 443, you have to put a clause in unbound.conf for
|
||
that. The new value is likely going to be the standardised port number
|
||
for this traffic.
|
||
- ANY responses include DNAME records if present, as per Evan Hunt's
|
||
remark in dnsop.
|
||
|
||
Bug Fixes
|
||
- Fix segfault in the dns64 module in the formaterror error path.
|
||
- Fix manpage to suggest using SIGTERM to terminate the server.
|
||
- iana portlist update.
|
||
|
||
-------------------------------------------------------------------
|
||
Sat Oct 10 09:31:40 UTC 2015 - michael@stroeder.com
|
||
|
||
- ignore absence of the systemd-tmpfiles command
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Oct 6 14:21:00 UTC 2015 - mrueckert@suse.de
|
||
|
||
- update to 1.5.5
|
||
Features
|
||
- Change default of harden-algo-downgrade to off. This is lenient
|
||
for algorithm rollover.
|
||
- Added permit-small-holddown config to debug fast 5011 rollover.
|
||
- Allow certificate chain files to allow for intermediate
|
||
certificates. (thanks Daniel Kahn Gillmor)
|
||
- Enable ECDHE for servers. Where available, use
|
||
SSL_CTX_set_ecdh_auto() for TLS-wrapped server configurations
|
||
to enable ECDHE. Otherwise, manually offer curve p256. Client
|
||
connections should automatically use ECDHE when available.
|
||
(thanks Daniel Kahn Gillmor)
|
||
- Feature --enable-pie option to that builds PIE binary.
|
||
[bugzilla: 699 ]
|
||
- Feature --enable-relro-now option that enables full read-only
|
||
relocation. [bugzilla: 700 ]
|
||
- New IPs for for h.root-servers.net. [bugzilla: 702 ]
|
||
Bug Fixes
|
||
- Fix setting forwarders with unbound-control forward implicitly
|
||
turns on forward-first. [bugzilla: 681 ]
|
||
- Fix that reload fails when so-reuseport is yes after changing
|
||
num-threads. [bugzilla: 690 ]
|
||
- please afl-gcc (llvm) for uninitialised variable warning.
|
||
- Fix mktime in unbound-anchor not using UTC.
|
||
- Fix 5011 anchor update timer after reload.
|
||
- 5011 implementation does not insist on all algorithms, when
|
||
harden-algo-downgrade is turned off.
|
||
- Document in the manual more text about configuring locally
|
||
served zones.
|
||
- Document that local-zone nodefault matches exactly and
|
||
transparent can be used to release a subzone.
|
||
- Fix that configure script does not detect LibreSSL 2.2.2
|
||
[bugzilla: 694 ]
|
||
- Fix deadlock for local data add and zone add when
|
||
unbound-control list_local_data printout is interrupted.
|
||
- Fix get PY_MAJOR_VERSION failure at configure for python 2.4 to
|
||
2.6. [bugzilla: 697 ]
|
||
- changed windows setup compression to be more transparent.
|
||
- Fix config globbed include chroot treatment, this fixes reload
|
||
of globs (patch from Dag-Erling Smørgrav).
|
||
- Fix ub_ctx_set_fwd() return value mishandled on windows.
|
||
[bugzilla: 705 ]
|
||
- Fix minor error in unbound.conf.5.in.
|
||
- Fix unbound.conf(5) access-control description for precedence
|
||
and default.
|
||
- Fix unbound-control flush that does not succeed in removing
|
||
data.
|
||
- MAX_TARGET_COUNT increased to 64, to fix up sporadic resolution
|
||
failures.
|
||
- iana portlist update.
|
||
- remove manual hacks for relro,now and pie and replace them with
|
||
official configure options.
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Sep 4 13:37:38 UTC 2015 - mrueckert@suse.de
|
||
|
||
- enable event api
|
||
- enable dnstap support
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Jul 9 10:16:32 UTC 2015 - michael@stroeder.com
|
||
|
||
- update to 1.5.4
|
||
|
||
Features
|
||
- [bugzilla: 644 ] harden-algo-downgrade option, if turned off,
|
||
fixes the reported excessive validation failure when multiple
|
||
algorithms are present. If set to 'no', it allows the weakest
|
||
algorithm to validate the zone.
|
||
- stats reports tcp usage, of incoming-num-tcp buffers.
|
||
- contrib/unbound_smf22.tar.gz: Solaris SMF installation/removal
|
||
scripts. Contributed by Yuri Voinov.
|
||
- Add ip-transparent config option for bind to non-local addresses.
|
||
- Synthesize ANY responses from cache. Does not search exhaustively,
|
||
but MX,A,AAAA,SOA,NS also CNAME.
|
||
- unbound-control list_insecure command shows the negative trust
|
||
anchors currently configured, patch from Jelte Jansen.
|
||
- ratelimit feature, ratelimit: 1000, can be used to turn it on. It
|
||
ratelimits recursion effort per zone. For particular names you can
|
||
configure exceptions in unbound.conf.
|
||
- Ratelimit does not apply to prefetched queries, and
|
||
ratelimit-factor is default 10. Repeated normal queries get resolved
|
||
and with prefetch stay in the cache.
|
||
- unbound-control ratelimit_list lists high rate domains.
|
||
- caps-whitelist in unbound.conf allows whitelist of loadbalancers
|
||
that cannot work with caps-for-id or its fallback.
|
||
- RFC 7553 RR type URI support, is now enabled by default.
|
||
- cache-max-negative-ttl config option, default 3600.
|
||
- Add local-zone type inform_deny, that logs query and drops answer.
|
||
|
||
Bug Fixes
|
||
- Unbound exits with a fatal error when the auto-trust-anchor-file
|
||
fails to be writable. This is seconds after startup. You can load a
|
||
readonly auto-trust-anchor-file with trust-anchor-file. The file has
|
||
to be writable to notice the trust anchor change, without it, a trust
|
||
anchor change will be unnoticed and the system will then become
|
||
inoperable.
|
||
- DLV is going to be decommissioned. Advice to stop using it, and
|
||
put text in the example configuration and man page to that effect.
|
||
- Patch from Brad Smith that syncs compat/getentropy_linux with
|
||
OpenBSD's version (2015-03-04).
|
||
- 0x20 fallback improved: servfail responses do not count as missing
|
||
comparisons (except if all responses are errors), inability to find
|
||
nameservers does not fail equality comparisons, many nameservers does
|
||
not try to compare more than max-sent-count, parse failures start 0x20
|
||
fallback procedure.
|
||
- store caps_response with best response in case downgrade response
|
||
happens to be the last one.
|
||
- Document that incoming-num-tcp increase is good for large servers.
|
||
- Fix lintian warning in unbound-checkconf man page (from Andreas
|
||
Schulze).
|
||
- Updated default keylength in unbound-control-setup to 3k.
|
||
- Fixup compile on cygwin, more portable openssl thread id.
|
||
- Use reallocarray for integer overflow protection, patch submitted
|
||
by Loganaden Velvindron.
|
||
- Fixed to add integer overflow checks on allocation (defense in depth).
|
||
- Fix segfault on user not found at startup (from Maciej Soltysiak).
|
||
- [bugzilla: 657 ] Fix that libunbound(3) recommends deprecated
|
||
CRYPTO_set_id_callback.
|
||
- If unknown trust anchor algorithm, and libressl is used, error
|
||
message encourages upgrade of the libressl package.
|
||
- rename ldns subdirectory to sldns to avoid name collision.
|
||
- [bugzilla: 660 ] Fix interface-automatic broken in the presence of
|
||
asymmetric routing.
|
||
- Libunbound skips dos-line-endings from etc/hosts.
|
||
- Fix crash in dnstap: Do not try to log TCP responses after timeout.
|
||
- Fix that get_option for cache-sizes does not print double newline.
|
||
- [bugzilla: 663 ] Fix that ssl handshake fails when using unix
|
||
socket because dh size is too small.
|
||
- [bugzilla: 664 ] libunbound python3 related fixes (from Tomas
|
||
Hozza); Use print_function also for Python2. libunbound examples:
|
||
produce sorted output. libunbound-Python: libldns is not used anymore.
|
||
Fix issue with Python 3 mapping of FILE* using file_py3.i from ldns.
|
||
- Fix leaked dns64prefix configuration string.
|
||
- Removed contrib/unbound_unixsock.diff, because it has been
|
||
integrated, use control-interface: /path in unbound.conf.
|
||
- Change syntax of particular validator error to be easier for
|
||
machine parse, swap rrset and ip adres info so it looks like:
|
||
validation failure <www.example.nl. TXT IN>: signature crypto failed
|
||
from 2001:DB8:7:bba4::53 for <*.example.nl. NSEC IN>
|
||
- Fix that unparseable error responses are ratelimited.
|
||
- SOA negative TTL is capped at minimumttl in its rdata section.
|
||
- [bugzilla: 674 ] Do not free pointers given by getenv.
|
||
- [bugzilla: 677 ] Fix CNAME corresponding to a DNAME was checked
|
||
incorrectly and was therefore always synthesized (thanks to Valentin
|
||
Dietrich). And fix DNAME responses from cache that failed internal
|
||
chain test.
|
||
- iana portlist update.
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Apr 24 13:53:53 UTC 2015 - michael@stroeder.com
|
||
|
||
- update to 1.5.3
|
||
- Bug Fixes
|
||
[bugzilla: 647 ]
|
||
Fix #647 crash in 1.5.2 because pwd.db no longer accessible after reload.
|
||
[bugzilla: 645 ]
|
||
Fix #645 Portability to Solaris 10, use AF_LOCAL.
|
||
[bugzilla: 646 ]
|
||
Fix #646 Portability to Solaris, -lrt for getentropy_solaris.
|
||
Use the getrandom syscall introduced in Linux 3.17 (from Heiner Kallweit).
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Feb 19 23:35:58 UTC 2015 - mrueckert@suse.de
|
||
|
||
- update to 1.5.2
|
||
- Features
|
||
- local-zone: example.com inform makes unbound log a message
|
||
with client IP for queries in that zone. Eg. for finding
|
||
infected hosts.
|
||
- patch from Stephane Lapie that adds to the python API, that
|
||
exposes struct delegpt, and adds the find_delegation
|
||
function.
|
||
- Updated contrib warmup.cmd/sh to support two modes - load
|
||
from pre-defined list of domains or (with filename as
|
||
argument) load from user-specified list of domains, and
|
||
updated contrib unbound_cache.sh/cmd to support
|
||
loading/save/reload cache to/from default path or (with
|
||
secondary argument) arbitrary path/filename, from Yuri
|
||
Voinov.
|
||
- patch for remote control over local sockets, from Dag-Erling
|
||
Smorgrav, Ilya Bakulin. Use control-interface: /path/sock and
|
||
control-use-cert: no.
|
||
- unbound-checkconf -f prints chroot with pidfile path.
|
||
- infra-cache-min-rtt patch from Florian Riehm, for expected
|
||
long uplink roundtrip times.
|
||
- Bug Fixes
|
||
- config.guess and config.sub update from libtoolize.
|
||
- getauxval test for ppc64 linux compatibility.
|
||
- make strip works for unbound-host and unbound-anchor.
|
||
- print query name when max target count is exceeded.
|
||
- patch from Stuart Henderson that fixes DESTDIR in
|
||
unbound-control-setup for installs where config is not in the
|
||
prefix location.
|
||
- [bugzilla: 634 ] Fix #634: fix fail to start on Linux LTS
|
||
3.14.X, ignores missing IP_MTU_DISCOVER OMIT option (fix from
|
||
Remi Gacogne).
|
||
- Patch from Philip Paeps to contrib/unbound_munin_ that uses
|
||
type ABSOLUTE. Allows munin.conf: [idleserver.example.net]
|
||
unbound_munin_hits.graph_period minute
|
||
- Fix pyunbound ord call, portable for python 2 and 3.
|
||
- Fix unintended use of gcc extension for incomplete enum
|
||
types, compile with pedantic c99 compliance (from Daniel
|
||
Dickman).
|
||
- Fix pyunbound byte string representation for python3.
|
||
- Fix 0x20 capsforid fallback to omit gratuitous NS and
|
||
additional section changes.
|
||
- Fix validation failure in case upstream forwarder (ISC BIND)
|
||
does not have the same trust anchors and decides to insert
|
||
unsigned NS record in authority section.
|
||
- Fix scrubber with harden-glue turned off to reject NS (and
|
||
other not-address) records.
|
||
- iana portlist update.
|
||
- [bugzilla: 643 ] Fix doc/example.conf.in: unnecessary
|
||
whitespace.
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Dec 8 16:12:23 UTC 2014 - mrueckert@suse.de
|
||
|
||
- update to 1.5.1 (boo# 908990)
|
||
Features
|
||
- Patch from Stephane Lapie for ASAHI Net that implements
|
||
aaaa-filter, added to contrib/aaaa-filter-iterator.patch.
|
||
Bug Fixes
|
||
- Fix that CD flag disables DNS64 processing, returning the
|
||
DNSSEC signed AAAA denial.
|
||
- Fix compat/getentropy_win.c check if CryptGenRandom works and
|
||
no immediate exit on windows.
|
||
- Fix crash on multiple thread random usage on systems without
|
||
arc4random.
|
||
- Fix log at high verbosity and memory allocation failure.
|
||
- Fix libunbound undefined symbol errors for main.
|
||
- Patch from Robert Edmonds to build pyunbound python module
|
||
differently. No versioninfo, with -shared and without $(LIBS).
|
||
- Patch from Robert Edmonds fixes hyphens in unbound-anchor man
|
||
page.
|
||
- Removed 'increased limit open files' log message that is
|
||
written to console. It is only written on verbosity 4 and
|
||
higher. This keeps system bootup console cleaner.
|
||
- Patch from James Raftery, always print stats for rcodes 0..5.
|
||
- [bugzilla: 627 ] Fix SSL_CTX_load_verify_locations return code
|
||
not properly checked.
|
||
- Fix makefile for build from noexec source tree.
|
||
- Add include to getentropy_linux.c, fixing debian build.
|
||
- [bugzilla: 632 ] Fix that unbound fails to build on AArch64,
|
||
protects getentropy compat code from calling sysctl if it is
|
||
has been removed.
|
||
- Fix CVE-2014-8602: denial of service by making resolver chase
|
||
endless series of delegations.
|
||
- changes in 1.5.0
|
||
Features
|
||
- This release has DNS64, DNSTAP, better random numbers and
|
||
ub_ctx_add_ta_autr(), num.query.tcpout=value, flush_negative,
|
||
unblock-lan-zones conf.
|
||
- C.ROOT-SERVERS.NET has an IPv6 address, and we updated the root
|
||
hints (patch from Anand Buddhdev).
|
||
- Patch from Hannes Frederic Sowa for Linux 3.15 fragmentation
|
||
option for DNS fragmentation defense.
|
||
- unbound-control stats prints num.query.tcpout with number of
|
||
TCP outgoing queries made in the previous statistics interval.
|
||
- Patch from Jeremie Courreges-Anglas to use arc4random_uniform
|
||
if available on the OS, it gets entropy from the OS.
|
||
- Add unbound-control flush_negative that flushed nxdomains,
|
||
nodata, and errors from the cache. For dnssec-trigger and
|
||
NetworkManager, fixes cases where network changes have
|
||
localdata that was already negatively cached from the previous
|
||
network.
|
||
- Contrib windows scripts from Yuri Voinov added to src/contrib:
|
||
create_unbound_ad_servers.cmd: enters anti-ad server lists.
|
||
unbound_cache.cmd: saves and loads the cache. Also warmup.cmd
|
||
(and .sh): warm up the DNS cache with your MRU domains.
|
||
- Added unbound-control-setup.cmd from Yuri Voinov to the windows
|
||
unbound distribution set. It requires openssl installed in
|
||
%PATH%.
|
||
- Implement draft-ietf-dnsop-rfc6598-rfc6303-01.
|
||
- Feature, unblock-lan-zones: yesno that you can use to make
|
||
unbound perform 10.0.0.0/8 and other reverse lookups normally,
|
||
for use if unbound is running service for localhost on localhost.
|
||
- unbound-host -D enabled dnssec and reads root trust anchor from
|
||
the default root key file that was compiled in.
|
||
- Add AAAA for B root server to default root hints.
|
||
- unbound-control status reports if so-reuseport was successful.
|
||
- so-reuseport is available on BSDs(such as FreeBSD 10) and OS/X.
|
||
- arc4random in compat/ and getentropy, explicit_bzero, chacha
|
||
for dependencies, from OpenBSD. arc4_lock and sha512 in compat.
|
||
This makes arc4random available on all platforms, except when
|
||
compiled with LIBNSS (it uses libNSS crypto random).
|
||
- Patch from Dag-Erling Smorgrav that implements that: unbound
|
||
-dd does not fork in the background and also logs to stderr.
|
||
- DNS64 from Viagenie (BSD Licensed), written by Simon Perrault.
|
||
Initial commit of the patch from the FreeBSD base (with its
|
||
fixes). This adds a module (for module-config in unbound.conf)
|
||
dns64 that performs DNS64 processing, see README.DNS64.
|
||
- Patch add msg, rrset, infra and key cache sizes to stats
|
||
command from Maciej Soltysiak.
|
||
- DNSTAP support, with a patch from Farsight Security, written by
|
||
Robert Edmonds. The --enable-dnstap needs libfstrm and
|
||
protobuf-c. It is BSD licensed (see dnstap/dnstap.c). Also
|
||
--with-libfstrm and --with-protobuf-c configure options.
|
||
- type CDS and CDNSKEY types.
|
||
- Updated the TCP_BACLOG from 5 to 256, so that the tcp accept
|
||
queue is longer and more tcp connections can be handled.
|
||
- Add ub_ctx_add_ta_autr function to add a RFC5011 automatically
|
||
tracked trust anchor to libunbound.
|
||
Bug Fixes
|
||
- Fix print filename of encompassing config file on read failure.
|
||
- Patch from Stuart Henderson to build unbound-host man from
|
||
.1.in.
|
||
- [bugzilla: 569] Fix do_tcp is do-tcp in unbound.conf man page.
|
||
- [bugzilla: 572] Fix unit test failure for systems with
|
||
different /etc/ services.
|
||
- iana portlist updated.
|
||
- [bugzilla: 574] Fix make test fails on Ubuntu 14.04. Disabled
|
||
remote-control in testbound scripts.
|
||
- Documented that dump_requestlist only prints queries from
|
||
thread 0.
|
||
- [bugzilla: 567] Fix unbound lists if forward zone is secure or
|
||
insecure with +i annotation in output of list_forwards, also
|
||
for list_stubs (for NetworkManager integration). And remove ':'
|
||
from output of stub and forward lists, this is easier to parse.
|
||
- [bugzilla: 554] Fix use unsigned long to print 64bit statistics
|
||
counters on 64bit systems.
|
||
- [bugzilla: 558] Fix failed prefetch lookup does not remove
|
||
cached response but delays next prefetch (in lieu of caching a
|
||
SERVFAIL).
|
||
- [bugzilla: 545] Fix improved logging, the ip address of the
|
||
error is printed on the same log-line as the error.
|
||
- [bugzilla: 502] Fix explain that do-ip6 disable does not stop
|
||
AAAA lookups, but it stops the use of the ipv6 transport layer
|
||
for DNS traffic.
|
||
- Fix compile with libevent2 on FreeBSD.
|
||
- Change MAX_SENT_COUNT from 16 to 32 to resolve some cases easier.
|
||
- Fixup out-of-directory compile with unbound-control-setup.sh.in.
|
||
- Code cleanup patch from Dag-Erling Smorgrav, with compiler
|
||
issue fixes from FreeBSD's copy of Unbound, he notes: Generate
|
||
unbound-control-setup.sh at build time so it respects prefix
|
||
and sysconfdir from the configure script. Also fix the umask
|
||
to match the comment, and the comment to match the umask. Add
|
||
const and static where needed. Use unions instead of playing
|
||
pointer poker. Move declarations that are needed in multiple
|
||
source files into a shared header. Move sldns_bgetc() from
|
||
parse.c to buffer.c where it belongs. Introduce a new header
|
||
file, worker.h, which declares the callbacks that all workers
|
||
must define. Remove those declarations from libworker.h.
|
||
Include the correct headers in the correct places. Fix a few
|
||
dummy callbacks that don't match their prototype. Fix some
|
||
casts. Hide the sbrk madness behind #ifdef HAVE_SBRK. Remove a
|
||
useless printf which breaks reproducible builds. Get rid of
|
||
CONFIGURE_{TARGET,DATE,BUILD_WITH} now that they're no longer
|
||
used. Add unbound-control-setup.sh to the list of generated
|
||
files. The prototype for libworker_event_done_cb() needs to be
|
||
moved from libunbound/libworker.h to libunbound/worker.h.
|
||
- Fix caps-for-id fallback, and added fallback attempt when
|
||
servers drop 0x20 perturbed queries.
|
||
- [bugzilla: 593] Fix segfault or crash upon rotating logfile.
|
||
- fake-rfc2553 patch (thanks Benjamin Baier).
|
||
- LibreSSL provides compat items, check for that in configure.
|
||
- [bugzilla: 596] Bail out of unbound-control list_local_zones
|
||
when ssl write fails.
|
||
- Fix endian.h include for OpenBSD.
|
||
- [bugzilla: 603] Fix unbound-checkconf -o option should skip
|
||
verification checks.
|
||
- Fixup doc/unbound.doxygen to remove obsolete 1.8.7 settings.
|
||
- Update unbound manpage with more explanation (from Florian Obser).
|
||
- Fix tcp timer waiting list removal code.
|
||
- patches to also build with Python 3.x (from Pavel Simerda).
|
||
- improve python configuration detection to build on Fedora 22.
|
||
- Fix swig and python examples for Python 3.x.
|
||
- Fix for mingw compile with openssl-1.0.1i.
|
||
- [bugzilla: 612] Fix create service with service.conf in present
|
||
directory and auto load it.
|
||
- [bugzilla: 613] Allow tab ws in var length last rdfs (in ldns
|
||
str2wire).
|
||
- [bugzilla: 614] Fix man page variable substitution bug.
|
||
- Whitespaces after $ORIGIN are not part of the origin dname
|
||
(ldns).
|
||
- $TTL's value starts at position 5 (ldns).
|
||
- Fix unbound-checkconf check for module config with dns64
|
||
module.
|
||
- Fix unbound capsforid fallback, it ignores TTLs in comparison.
|
||
- [bugzilla: 617] Fix in ldns in unbound, lowercase WKS services.
|
||
- Fix ctype invocation casts.
|
||
- Disabled use of SSLv3 in remote-control and ssl-upstream.
|
||
- Redefine internal minievent symbols to unique symbols that
|
||
helps linking on platforms where the linker leaks names across
|
||
modules.
|
||
- Fix bug where forward or stub addresses with same address but
|
||
different port number were not tried.
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Nov 10 00:45:00 UTC 2014 - Led <ledest@gmail.com>
|
||
|
||
- fix bashisms in pre script
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Sep 5 13:32:55 UTC 2014 - darin@darins.net
|
||
|
||
- cleanup .spec
|
||
- removed unused packes
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Sep 2 13:21:55 UTC 2014 - darin@darins.net
|
||
|
||
- disable %check until https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=602 is fixed
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Aug 20 13:34:00 UTC 2014 - darin@darins.net
|
||
|
||
- Added firewall service file
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Aug 13 20:00:21 UTC 2014 - darin@darins.net
|
||
|
||
- upadte to 1.4.22
|
||
- use /run for pid to clear dir-or-file-in-var-run in factory
|
||
|
||
-------------------------------------------------------------------
|
||
Sat Dec 28 13:32:06 UTC 2013 - mrueckert@suse.de
|
||
|
||
- fixed the execstartpre for unbound so we actually call
|
||
unbound-anchor now.
|
||
|
||
-------------------------------------------------------------------
|
||
Sat Dec 28 13:29:56 UTC 2013 - mrueckert@suse.de
|
||
|
||
- fixed a few rpmlint warnings
|
||
- added unbound-rpmlintrc: files duplicate on those man page
|
||
links
|
||
- changed symlink to /usr/sbin/service
|
||
- improved descriptions
|
||
|
||
-------------------------------------------------------------------
|
||
Sat Dec 28 04:02:56 UTC 2013 - mrueckert@suse.de
|
||
|
||
- update to 1.4.21
|
||
merged lots of stuff from the fedora package
|
||
- added python/munin/shlib/anchor subpackages
|
||
- currently the package only supports systemd
|
||
|
||
-------------------------------------------------------------------
|
||
Wed May 21 03:50:15 CEST 2008 - mrueckert@suse.de
|
||
|
||
- initial package
|
||
|