Here's an update to the release candidate for 1.6.1. Tests/feedback welcome.
Diff is 600K so it's at https://junkpile.org/unbound-1.6.1rc1.diff rather
than inline.

Small change compared to upstream, we don't install the library so
autoconf has been edited to avoid requiring contrib/libunbound.pc.in.

Here's the changelog since the last version we have (1.5.9), there were
one or two things backported already but not much.


9 February 2017: Wouter
        - tag 1.6.1rc1.

8 February 2017: Wouter
        - Fix for type name change and fix warning on windows compile.

7 February 2017: Wouter
        - Include root trust anchor id 20326 in unbound-anchor.

6 February 2017: Wouter
        - Fix compile on solaris of the fix to use $host detect.

4 February 2017: Wouter
        - fix root_anchor test for updated icannbundle.pem lower certificates.

26 January 2017: Wouter
        - Fix 1211: Fix can't enable interface-automatic if no IPv6 with
          more helpful error message.

20 January 2017: Wouter
        - Increase MAX_MODULE to 16.

19 January 2017: Wouter
        - Fix to Rename ub_callback_t to ub_callback_type, because POSIX
          reserves _t typedefs.
        - Fix to rename internally used types from _t to _type, because _t
          type names are reserved by POSIX.
        - iana portlist update

12 January 2017: Wouter
        - Fix to also block meta types 128 through to 248 with formerr. 
        - Fix #1206: Some view-related commands are missing from
          'unbound-control -h'

9 January 2017: Wouter
        - Fix #1202: Fix code comment that packed_rrset_data is not always
          'packed'.

6 January 2017: Wouter
        - Fix #1201: Fix missing unlock in answer_from_cache error condition.

5 January 2017: Wouter
        - Fix to return formerr for queries for meta-types, to avoid
          packet amplification if this meta-type is sent on to upstream.
        - Fix #1184: Log DNS replies. This includes the same logging
          information that DNS queries and response code and response size,
          patch from Larissa Feng.
        - Fix #1185: Source IP rate limiting, patch from Larissa Feng.

3 January 2017: Wouter
        - configure --enable-systemd and lets unbound use systemd sockets if
          you enable use-systemd: yes in unbound.conf.
          Also there are contrib/unbound.socket and contrib/unbound.service:
          systemd files for unbound, install them in /usr/lib/systemd/system.
          Contributed by Sami Kerola and Pavel Odintsov.
        - Fix reload chdir failure when also chrooted to that directory.

2 January 2017: Wouter
        - Fix #1194: Cross build fails when $host isn't `uname` for getentropy.

23 December 2016: Ralph
        - Fix #1190: Do not echo back EDNS options in local-zone error response.
        - iana portlist update

21 December 2016: Ralph
        - Fix #1188: Unresolved symbol 'fake_dsa' in libunbound.so when built
          with Nettle

19 December 2016: Ralph
        - Fix #1191: remove comment about view deletion.

15 December 2016: Wouter
        - iana portlist update
        - 64bit is default for windows builds.
        - Fix inet_ntop and inet_pton warnings in windows compile.

14 December 2016: Wouter
        - Fix #1178: attempt to fix setup error at end, pop result values
          at end of install.

13 December 2016: Wouter
        - Fix #1182: Fix Resource leak (socket), at startup.
        - Fix unbound-control and ipv6 only.

9 December 2016: Wouter
        - Fix #1176: stack size too small for Alpine Linux.

8 December 2016: Wouter
        - Fix downcast warnings from visual studio in sldns code.
        - tag 1.6.0rc1 which became 1.6.0 on 15 dec, and trunk is 1.6.1.

7 December 2016: Ralph
        - Add DSA support for OpenSSL 1.1.0
        - Fix remote control without cert for LibreSSL

6 December 2016: George
        - Added generic EDNS code for registering known EDNS option codes,
          bypassing the cache response stage and uniquifying mesh states. Four
          EDNS option lists were added to module_qstate
          (module_qstate.edns_opts_*) to store EDNS options from/to front/back
          side.
        - Added two flags to module_qstate (no_cache_lookup, no_cache_store)
          that control the modules' cache interactions.
        - Added code for registering inplace callback functions. The registered
          functions can be called just before replying with local data or Chaos,
          replying from cache, replying with SERVFAIL, replying with a resolved
          query, sending a query to a nameserver. The functions can inspect the
          available data and maybe change response/query related data (i.e.
          append EDNS options).
        - Updated Python module for the above.
        - Updated Python documentation.

5 December 2016: Ralph
        - Fix #1173: differ local-zone type deny from unset
          tag_actions element.

5 December 2016: Wouter
        - Fix #1170: document that 'inform' local-zone uses local-data.

1 December 2016: Ralph
        - hyphen as minus fix, by Andreas Schulze

30 November 2016: Ralph
        - Added local-zones and local-data bulk addition and removal
          functionality in unbound-control (local_zones, local_zones_remove,
          local_datas and local_datas_remove).
        - iana portlist update

29 November 2016: Wouter
        - version 1.6.0 is in the development branch.
        - braces in view.c around lock statements.

28 November 2016: Wouter
        - new install-sh.

25 November 2016: Wouter
        - Fix that with openssl 1.1 control-use-cert: no uses less cpu, by
          using no encryption over the unix socket.

22 November 2016: Ralph
        - Make access-control-tag-data RDATA absolute. This makes the RDATA
          origin consistent between local-data and access-control-tag-data.
        - Fix NSEC ENT wildcard check. Matching wildcard does not have to be a
          subdomain of the NSEC owner.
        - QNAME minimisation uses QTYPE=A, therefore always check cache for
          this type in harden-below-nxdomain functionality.
        - Added unit test for QNAME minimisation + harden below nxdomain
          synergy.

22 November 2016: Wouter
        - iana portlist update.
        - Fix unit tests for DS hash processing for fake-dsa test option.
        - patch from Dag-Erling Smorgrav that removes code that relies
          on sbrk().

21 November 2016: Wouter
        - Fix #1158: reference RFC 8020 "NXDOMAIN: There Really Is Nothing
          Underneath" for the harden-below-nxdomain option.

10 November 2016: Ralph
        - Fix #1155: test status code of unbound-control in 04-checkconf,
          not the status code from the tee command.

4 November 2016: Ralph
        - Added stub-ssl-upstream and forward-ssl-upstream options.

4 November 2016: Wouter
        - configure detects ssl security level API function in the autoconf
          manner.  Every function on its own, so that other libraries (eg.
          LibreSSL) can develop their API without hindrance.
        - Fix #1154: segfault when reading config with duplicate zones.
        - Note that for harden-below-nxdomain the nxdomain must be secure,
          this means nsec3 with optout is insufficient.

3 November 2016: Ralph
        - Set OpenSSL security level to 0 when using aNULL ciphers.

3 November 2016: Wouter
        - .gitattributes line for githubs code language display.
        - log-identity: config option to set sys log identity, patch from
          "Robin H. Johnson" <[email protected]>

2 November 2016: Wouter
        - iana portlist update.

31 October 2016: Wouter
        - Fix failure to build on arm64 with no sbrk.
        - iana portlist update.

28 October 2016: Wouter
        - Patch for server.num.zero_ttl stats for count of expired replies,
          from Pavel Odintsov.

26 October 2016: Wouter
        - Fix unit tests for openssl 1.1, with no DSA, by faking DSA, enabled
          with the undocumented switch 'fake-dsa'.  It logs a warning.

25 October 2016: Wouter
        - Fix #1134: unbound-control set_option -- val-override-date: -1 works
          immediately to ignore datetime, or back to 0 to enable it again.
          The -- is to ignore the '-1' as an option flag.

24 October 2016: Wouter
        - serve-expired config option: serve expired responses with TTL 0.
        - g.root-servers.net has AAAA address.

21 October 2016: Wouter
        - Ported tests for local_cname unit test to testbound framework.

20 October 2016: Wouter
        - suppress compile warning in lex files.
        - init lzt variable, for older gcc compiler warnings.
        - fix --enable-dsa to work, instead of copying ecdsa enable.
        - Fix DNSSEC validation of query type ANY with DNAME answers.
        - Fixup query_info local_alias init.

19 October 2016: Wouter
        - Fix #1130: whitespace in example.conf.in more consistent.

18 October 2016: Wouter
        - Patch that resolves CNAMEs entered in local-data conf statements that
          point to data on the internet, from Jinmei Tatuya (Infoblox).
        - Removed patch comments from acllist.c and msgencode.c
        - Added documentation doc/CNAME-basedRedirectionDesignNotes.pdf,
          from Jinmei Tatuya (Infoblox).
        - Fix #1125: unbound could reuse an answer packet incorrectly for
          clients with different EDNS parameters, from Jinmei Tatuya.
        - Fix #1118: libunbound.pc sets strange Libs, Libs.private values.
        - Added Requires line to libunbound.pc
        - Please doxygen by modifying mesh.h

17 October 2016: Wouter
        - Re-fix #839 from view commit overwrite.
        - Fixup const void cast warning.

12 October 2016: Ralph
        - Free view config elements.

11 October 2016: Ralph
        - Added qname-minimisation-strict config option.
        - iana portlist update.
        - fix memoryleak logfile when in debug mode.

5 October 2016: Ralph
        - Added views functionality.
        - Fix #1117: spelling errors, from Robert Edmonds.

30 September 2016: Wouter
        - Fix Nits for 1.5.10 reported by Dag-Erling Smorgrav.

29 September 2016: Wouter
        - Fix #838: 1.5.10 cannot be built on Solaris, undefined PATH_MAX.
        - Fix #839: Memory grows unexpectedly with large RPZ files.
        - Fix #840: infinite loop in unbound_munin_ plugin on unowned lockfile.
        - Fix #841: big local-zone's make it consume large amounts of memory.

27 September 2016: Wouter
        - tag for 1.5.10 release
        - trunk contains 1.5.11 in development.
        - Fix dnstap relaying "random" messages instead of resolver/forwarder
          responses, from Nikolay Edigaryev.
        - Fix #836: unbound could echo back EDNS options in an error response.

20 September 2016: Wouter
        - iana portlist update.
        - Fix #835: fix --disable-dsa with nettle verify.
        - tag for 1.5.10rc1 release.

15 September 2016: Wouter
        - Fix 883: error for duplicate local zone entry.
        - Test for openssl init_crypto and init_ssl functions.

15 September 2016: Ralph
        - fix potential memory leak in daemon/remote.c and nullpointer
          dereference in validator/autotrust.
        - iana portlist update.

13 September 2016: Wouter
        - Silenced flex-generated sign-unsigned warning print with gcc
          diagnostic pragma.
        - Fix for new splint on FreeBSD.  Fix cast for sockaddr_un.sun_len.

9 September 2016: Wouter
        - Fix #831: workaround for spurious fread_chk warning against petal.c

5 September 2016: Ralph
        - Take configured minimum TTL into consideration when reducing TTL
          to original TTL from RRSIG.

5 September 2016: Wouter
        - Fix #829: doc of sldns_wire2str_rdata_buf() return value has an
          off-by-one typo, from Jinmei Tatuya (Infoblox).
        - Fix incomplete prototypes reported by Dag-Erling Smørgrav.
        - Fix #828: missing type in access-control-tag-action redirect results
          in NXDOMAIN.

2 September 2016: Wouter
        - Fix compile with openssl 1.1.0 with api=1.1.0.

1 September 2016: Wouter
        - RFC 7958 is now out, updated docs for unbound-anchor.
        - Fix for compile without warnings with openssl 1.1.0.
        - Fix #826: Fix refuse_non_local could result in a broken response.
        - iana portlist update.

29 August 2016: Wouter
        - Fix #777: OpenSSL 1.1.0 compatibility, patch from Sebastian A.
          Siewior.
        - Add default root hints for IPv6 E.ROOT-SERVERS.NET, 2001:500:a8::e.

25 August 2016: Ralph
        - Clarify local-zone-override entry in unbound.conf.5 
        
25 August 2016: Wouter
        - 64bit build option for makedist windows compile, -w64.

24 August 2016: Ralph
        - Fix #820: set sldns_str2wire_rr_buf() dual meaning len parameter
          in each iteration in find_tag_datas().
        - unbound.conf.5 entries for define-tag, access-control-tag,
          access-control-tag-action, access-control-tag-data, local-zone-tag,
          and local-zone-override.
          
23 August 2016: Wouter
        - Fix #804: unbound stops responding after outage.  Fixes queries
          that attempt to wait for an empty list of subqueries.
        - Fix #804: lower num_target_queries for iterator also for failed
          lookups.

8 August 2016: Wouter
        - Note that OPENPGPKEY type is RFC 7929.

4 August 2016: Wouter
        - Fix #807: workaround for possible some "unused" function parameters
          in test code, from Jinmei Tatuya.

3 August 2016: Wouter
        - use sendmsg instead of sendto for TFO.

28 July 2016: Wouter
        - Fix #806: wrong comment removed.

26 July 2016: Wouter
        - nicer ratelimit-below-domain explanation.

22 July 2016: Wouter
        - Fix #801: missing error condition handling in
          daemon_create_workers().
        - Fix #802: workaround for function parameters that are "unused"
          without log_assert.
        - Fix #803: confusing (and incorrect) code comment in daemon_cleanup().

20 July 2016: Wouter
        - Fix typo in unbound.conf.

18 July 2016: Wouter
        - Fix #798: Client-side TCP fast open fails (Linux).

14 July 2016: Wouter
        - TCP Fast open patch from Sara Dickinson.
        - Fixed unbound.doxygen for 1.8.11.

7 July 2016: Wouter
        - access-control-tag-data implemented. verbose(4) prints tag debug.

5 July 2016: Wouter
        - Fix dynamic link of anchor-update.exe on windows.
        - Fix detect of mingw for MXE package build.
        - Fixes for 64bit windows compile.
        - Fix #788 for nettle 3.0: Failed to build with Nettle >= 3.0 and
          --with-libunbound-only --with-nettle.

4 July 2016: Wouter
        - For #787: prefer-ip6 option for unbound.conf prefers to send
          upstream queries to ipv6 servers.
        - Fix #787: outgoing-interface netblock/64 ipv6 option to use linux
          freebind to use 64bits of entropy for every query with random local
          part.

30 June 2016: Wouter
        - Document always_transparent, always_refuse, always_nxdomain types.

29 June 2016: Wouter
        - Fix static compile on windows missing gdi32.

28 June 2016: Wouter
        - Create a pkg-config file for libunbound in contrib.

27 June 2016: Wouter
        - Fix #784: Build configure assumes that having getpwnam means there
          is endpwent function available.
        - Updated repository with newer flex and bison output.

24 June 2016: Ralph
        - Possibility to specify local-zone type for an acl/tag pair
        - Possibility to specify (override) local-zone type for a source address
          block

16 June 2016: Ralph
        - Decrease dp attempts at each QNAME minimisation iteration

16 June 2016: Wouter
        - Fix tcp timeouts in tv.usec.

15 June 2016: Wouter
        - TCP_TIMEOUT is specified in milliseconds.
        - If more than half of tcp connections are in use, a shorter timeout
          is used (200 msec, vs 2 minutes) to pressure tcp for new connects.

14 June 2016: Ralph
        - QNAME minimisation unit test for dropped QTYPE=A queries.

14 June 2016: Wouter
        - Fix 775: unbound-host and unbound-anchor crash on windows, ignore
          null delete for wsaevent.
        - Fix spelling in freebind option man page text.
        - Fix windows link of ssl with crypt32.
        - Fix 779: Union casting is non-portable.
        - Fix 780: MAP_ANON not defined in HP-UX 11.31.
        - Fix 781: prealloc() is an HP-UX system library call.

 13 June 2016: Ralph
        - Use QTYPE=A for QNAME minimisation.
        - Keep track of number of time-outs when performing QNAME minimisation.
@@ -6,12 +424,57 @@
 
 13 June 2016: Wouter
        - Fix #778: unbound 1.5.9: -h segfault (null deref).
        - Fix directory: fix for unbound-checkconf, it restores cwd.

10 June 2016: Wouter
        - And delete service.conf.shipped on uninstall.
        - In unbound.conf directory: dir immediately changes to that directory,
          so that include: file below that is relative to that directory.
          With chroot, make the directory an absolute path inside chroot.
        - keep debug symbols in windows build.
        - do not delete service.conf on windows uninstall.
        - document directory immediate fix and allow EXECUTABLE syntax in it
          on windows.

9 June 2016: Wouter
        - Trunk is called 1.5.10 (with previous fixes already in there to 2
          june).
        - Revert fix for NetworkService account on windows due to breakage
          it causes.
        - Fix that windows install will not overwrite existing service.conf
          file (and ignore gui config choices if it exists).

7 June 2016: Ralph
        - Lookup localzones by taglist from acl.
        - Possibility to lookup local_zone, regardless the taglist.
        - Added local_zone/taglist/acl unit test.

7 June 2016: Wouter
        - Fix #773: Non-standard Python location build failure with pyunbound.
        - Improve threadsafety for openssl 0.9.8 ecdsa dnssec signatures.

6 June 2016: Wouter
        - Better help text from -h (from Ray Griffith).
        - access-control-tag config directive.
        - local-zone-override config directive.
        - access-control-tag-action and access-control-tag-data config
          directives.
        - free acl-tags, acltag-action and acltag-data config lists during
          initialisation to free up memory for more entries.

3 June 2016: Wouter
        - Fix to not ignore return value of chown() in daemon startup.
