Re: Unbound 1.7.0rc3 pre-release

2018-03-13 Thread W.C.A. Wijngaards via Unbound-users
Hi Andreas,

On 12/03/18 17:35, A. Schulze via Unbound-users wrote:
> 
> 
> On 12.03.2018 at 10:45, W.C.A. Wijngaards via Unbound-users wrote:
>> Changes:
>> - Added documentation for aggressive-nsec: yes.
> 
> I also suggest saying "Default is no" instead of "Default is off"

Sure, made those edits.  (These fixes are scheduled for the next
release, I want to get 1.7.0 out the door).

Best regards, Wouter

> 
> Andreas
> 






Re: Unbound 1.7.0rc3 pre-release

2018-03-12 Thread A. Schulze via Unbound-users


On 12.03.2018 at 10:45, W.C.A. Wijngaards via Unbound-users wrote:
> Changes:
> - Added documentation for aggressive-nsec: yes.

I also suggest saying "Default is no" instead of "Default is off"

Andreas


Re: Unbound 1.7.0rc3 pre-release

2018-03-12 Thread A. Schulze via Unbound-users


On 12.03.2018 at 10:45, W.C.A. Wijngaards via Unbound-users wrote:
> Unbound 1.7.0rc3 maintainers prerelease is available:
> Changes:
> - Added documentation for aggressive-nsec: yes.
typo: nonexistant -> nonexistent

Andreas


Re: Unbound 1.7.0rc3 pre-release

2018-03-12 Thread A. Schulze via Unbound-users
CCed list again - my fault

On 12.03.2018 at 14:12, W.C.A. Wijngaards wrote:
>> But unbound-control is some kind of `inconsistent`:
>> unbound knows stub-, forward-, local- and now auth-zones but unbound-control
>> doesn't mention "auth"
>> If auth-zones are enabled, is there any unbound-control command to 
>> "check/see" them?
> 
> Not yet, anything specific that you would want?  list_auth_zones?
that would make sense, but it's not critical.

No idea what else makes sense or how others use unbound-control.

@list: speak up :-)


Andreas


Unbound 1.7.0rc3 pre-release

2018-03-12 Thread W.C.A. Wijngaards via Unbound-users
Hi,

Unbound 1.7.0rc3 maintainers prerelease is available:
https://www.unbound.net/downloads/unbound-1.7.0rc3.tar.gz
sha256 209e94c1da10c839f52e04b79ab4ea8b6fc3d88bbe544d9053b96d330538170c
pgp https://www.unbound.net/downloads/unbound-1.7.0rc3.tar.gz.asc

It was updated from rc3, because some people patch configure.ac, but
autoconf in older versions refuses to create correct output for this
version's configure.ac, and to solve that there is an added option to
the configure script, --disable-swig-version-check.

Changes:
- Fix #3598: Fix swig build issue on rhel6 based system.
  configure --disable-swig-version-check stops the swig version check.
- Added documentation for aggressive-nsec: yes.

Best regards, Wouter

On 08/03/18 14:59, W.C.A. Wijngaards wrote:
> Hi,
> 
> Unbound 1.7.0rc2 maintainers prerelease is available:
> https://www.unbound.net/downloads/unbound-1.7.0rc2.tar.gz
> sha256 ed5e4529af6b1e70abaa835ec667db2a8b47ae479563b5f3b25b7a034eed
> pgp https://www.unbound.net/downloads/unbound-1.7.0rc2.tar.gz.asc
> 
> It was updated from rc1 because the patch for fastrpz did not work for
> some, there is a new patch in rc2.
> 
> Changes:
> - Fixed contrib/fastrpz.patch, even though this already applied
>   cleanly for me, now also for others.
> - patch to log creates keytag queries, from A. Schulze.
> - patch suggested by Debian lintian: allow to -> allow one to, from
>   A. Schulze.
> - Attempt to remove warning about trailing whitespace.
> 
> Best regards, Wouter
> 
> On 06/03/18 11:02, W.C.A. Wijngaards wrote:
>> Hi,
>>
>> Unbound 1.7.0rc1 maintainers prerelease is available:
>> https://www.unbound.net/downloads/unbound-1.7.0rc1.tar.gz
>> sha256 eb9e57e44f7bb6e68879c8672c9a9b15273cece250d1ed85964b9620e736521a
>> pgp https://www.unbound.net/downloads/unbound-1.7.0rc1.tar.gz.asc
>>
>> This release adds authority zones, for a local copy of the root zone,
>> and also aggressive NSEC processing, for denial of nxdomain floods.
>>
>> Features
>> - auth-zone provides a way to configure RFC7706 from unbound.conf,
>>   eg. with auth-zone: name: "." for-downstream: no for-upstream: yes
>>   fallback-enabled: yes and masters or a zonefile with data.
>> - Aggressive use of NSEC implementation. Use cached NSEC records to
>>   generate NXDOMAIN, NODATA and positive wildcard answers.
>> - Accept tls-upstream in unbound.conf, the ssl-upstream keyword is
>>   also recognized and means the same.  Also for tls-port,
>>   tls-service-key, tls-service-pem, stub-tls-upstream and
>>   forward-tls-upstream.
>> - [dnscrypt] introduce dnscrypt-provider-cert-rotated option,
>>   from Manu Bretelle.
>>   This option allows handling multiple cert/key pairs while only
>>   distributing some of them.
>>   In order to reliably match a client magic with a given key without
>>   strong assumption as to how those were generated, we need both key and
>>   cert. Likewise, in order to know which ES version should be used.
>>   On the other hand, when rotating a cert, it can be desirable to only
>>   serve the new cert but still be able to handle clients that are still
>>   using the old cert's public key.
>>   The `dnscrypt-provider-cert-rotated` allows instructing unbound to not
>>   publish the cert as part of the DNS's provider_name's TXT answer.
>> - Update B root ipv4 address.
>> - make ip-transparent option work on OpenBSD.
>> - Fix #2801: Install libunbound.pc.
>> - ltrace.conf file for libunbound in contrib.
>>
>> Bug Fixes
>> - Fix #1749: With harden-referral-path: performance drops, due to
>>   circular dependency in NS and DS lookups.
>> - [dnscrypt] prevent dnscrypt-secret-key, dnscrypt-provider-cert
>>   duplicates
>> - Better documentation for cache-max-negative-ttl.
>> - Fixed libunbound manual typo.
>> - Fix #1949: [dnscrypt] make provider name mismatch more obvious.
>> - Fix #2031: Double included headers
>> - Document that errno is left informative on libunbound config read
>>   fail.
>> - iana port update.
>> - Fix #1913: ub_ctx_config is under circumstances thread-safe.
>> - Fix #2362: TLS1.3/openssl-1.1.1 not working.
>> - Fix #2034 - Autoconf and -flto.
>> - Fix #2141 - for libsodium detect lack of entropy in chroot, print
>>   a message and exit.
>> - Fix #2492: Documentation libunbound.
>> - Fix #2882: Unbound behaviour changes (wrong) when domain-insecure is
>>   set for stub zone.  It no longer searches for DNSSEC information.
>> - Fix #3299 - forward CNAME daisy chain is not working
>> - Fix link failure on OmniOS.
>> - Check whether --with-libunbound-only is set when using --with-nettle
>>   or --with-nss.
>> - Fix qname-minimisation documentation (A QTYPE, not NS)
>> - Fix that DS queries with referral replies are answered straight
>>   away, without a repeat query picking the DS from cache.
>>   The correct reply should have been an answer, the reply is fixed
>>   by the scrubber to have the answer in the answer section.
>> - Fix that expiration date checks don't fail with clang -O2.
>> - Fix queries
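
Checking a downloaded pre-release tarball against the sha256 line from an announcement like the ones above, as an added example that is not part of the original thread or of the Unbound project's tooling. The function names are hypothetical; the check refuses an expected digest that is not exactly 64 hex characters, as happens when a digest is cut short in a copied message.

```shell
#!/bin/sh
# Added example (hypothetical helper names): compare a tarball with the
# sha256 value published in a release announcement.

# is_sha256_hex DIGEST: succeeds only for exactly 64 hex characters.
is_sha256_hex() {
    case "$1" in
        *[!0-9a-fA-F]*) return 1 ;;
    esac
    [ "${#1}" -eq 64 ]
}

# file_sha256 FILE: prints the hex digest, using whichever tool is installed.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_tarball FILE EXPECTED
# Returns 0 on match, 1 on mismatch, 2 if EXPECTED is malformed
# (truncated or non-hex), 3 if FILE cannot be read or hashed.
verify_tarball() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    is_sha256_hex "$expected" || { echo "malformed digest: $2" >&2; return 2; }
    [ -r "$file" ] || { echo "cannot read: $file" >&2; return 3; }
    actual=$(file_sha256 "$file") || return 3
    if [ "$actual" = "$expected" ]; then
        echo "OK $file"
        return 0
    fi
    echo "MISMATCH $file: got $actual" >&2
    return 1
}

# Usage with the rc3 values from the announcement:
#   verify_tarball unbound-1.7.0rc3.tar.gz \
#     209e94c1da10c839f52e04b79ab4ea8b6fc3d88bbe544d9053b96d330538170c
# The detached signature is checked separately:
#   gpg --verify unbound-1.7.0rc3.tar.gz.asc unbound-1.7.0rc3.tar.gz
```

A matching checksum only shows the file equals what the message described; the PGP signature is what ties it to the maintainer's key.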