On 2019/01/30 22:55, Stuart Henderson wrote:
> Diff against /usr/src/usr.sbin/unbound if anyone is interested in testing
> the release candidate (there have been a couple of small fixes since).
> Release due approximately Friday.

1.9.0 is out, the only change since the rc1 diff is a spelling fix in
example.conf.in (which we don't install anyway) so I won't bother to
re-attach, https://junkpile.org/unbound-1.9.0.diff if anyone wants
the full thing.

Any tests / OKs?

> This release contains the DNS Flag Day changes for Unbound.  See the
> reference here, https://dnsflagday.net/ , or this presentation:
> https://indico.dns-oarc.net/event/29/contributions/662/attachments/634/1063/EDNS_Flag_Day_-_OARC29.pdf
> The EDNS timeouts are not used to fall back to non-EDNS queries.
> 
> Out of order processing is implemented, for TCP and TLS.  It can be
> configured with a maximum amount of memory to use to store pending
> answers, and the current memory usage is in the statistics output.  This
> is with stream-wait-size in unbound.conf and mem.streamwait in
> unbound-control stats output.  Streams that cause the total memory
> counted to exceed the maximum are dropped, but it is possible to get a
> number of responses with little memory used.
> 
> There is also TLS session resumption support, that can be enabled with
> the tls-session-ticket-keys option.  Together with the already existing
> TCP fast open, enabled with --enable-tfo-server --enable-tfo-client,
> that enables zero RTT stream reconnections to the server.  Make sure to
> also increase incoming-num-tcp if you expect a lot of TCP and TLS users.
> 
> Options are added to set the TLS ciphers and TLS ciphersuites from
> unbound.conf.  This can be done with the tls-ciphers and
> tls-ciphersuites options.
> 
> TLS can be used from libunbound, with the ub_ctx_set_tls config call,
> use that together with ub_ctx_set_fwd to select DNS over TLS transport.
> 
> 
> Features
> - log-tag-queryreply: yes in unbound.conf tags the log-queries and
>   log-replies in the log file for easier log filter maintenance.
> - ip-ratelimit-factor of 1 allows all traffic through, instead of the
>   previous blocking everything.
> - Fix #4206: support openssl 1.0.2 for TLS hostname verification,
>   alongside the 1.1.0 and later support that is already there.
> - Add contrib/unbound-fuzzme.patch from Jacob Hoffman-Andrews,
>   the patch adds a program used for fuzzing.
> - streamtcp option -a send queries consecutively and prints answers
>   as they arrive.
> - out-of-order processing for TCP and TLS.
> - Add stream-wait-size: 4m config option to limit the maximum
>   memory used by waiting tcp and tls stream replies.  This avoids
>   a denial of service where these replies use up all of the memory.
> - unbound-control stats has mem.streamwait that counts TCP and TLS
>   waiting result buffers.
> - Patch from Manabu Sonoda with tls-ciphers and tls-ciphersuites
>   options for unbound.conf.
> - Patch for TLS session resumption from Manabu Sonoda,
>   enable with tls-session-ticket-keys in unbound.conf.
> - ub_ctx_set_tls call for libunbound that enables DoT for the machines
>   set with ub_ctx_set_fwd.  Patch from Florian Obser.
> 
> Bug Fixes
> - Fix that unbound-checkconf does not complain if the config file
>   is not placed inside the chroot.
> - Refuse to start with no ports.
> - Remove clang analysis warnings.
> - Patch for typo in unbound.conf man page.
> - Fix icon, no ragged edges and nicer resolutions available, for eg.
>   Win 7 and Windows 10 display.
> - cache-max-ttl also defines the upper bound of the initial TTL in a response.
> - Fix config parser memory leaks.
> - Fix for FreeBSD port make with dnscrypt and dnstap enabled.
> - Fixup openssl 1.0.2 compile
> - Fix for crash in dns64 module if response is null.
> - On FreeBSD, warn if sysctl settings do not allow server TCP FASTOPEN
>   and server TCP fastopen is enabled at compile time.
> - Document interaction between the tls-upstream option in the server
>   section and forward-tls-upstream option in the forward-zone sections.
> - Fix syntax in comment of local alias processing.
> - Fix NSEC3 record that is returned in wildcard replies from
>   auth-zone zones with NSEC3 and wildcards.
> - Log query name for looping module errors.
> - For caps-for-id fallback, use the whitelist to avoid timeout
>   starting a fallback sequence for it.
> - increase mesh max activation count for capsforid long fetches.
> - Fix for #4219: secondaries not updated after serial change, unbound
>   falls back to AXFR after IXFR gives several timeout failures.
> - Fix that auth zone after IXFR fallback tries the same master.
> - Fix for IXFR fallback to reset counter when IXFR does not timeout.
> - Newer aclocal and libtoolize used for generating configure scripts,
>   aclocal 1.16.1 and libtoolize 2.4.6.
> - Fix unit test for python 3.7 new keyword 'async'.
> - clang analysis fixes, assert arc4random buffer in init,
>   no check for already checked delegation pointer in iterator,
>   in testcode check for NULL packet matches, in perf do not copy
>   from NULL start list when growing capacity.  Adjust host and file
>   only when present in test header read to please checker.  In
>   testcode for unknown macro operand give zero result. Initialise the
>   passed argv array in test code.  In test code add EDNS data
>   segment copy only when nonempty.
> - Patch from Florian Obser fixes some compiler warnings:
>   include mini_event.h to have a prototype for mini_ev_cmp
>   include edns.h to have a prototype for apply_edns_options
>   sldns_wire2str_edns_keepalive_print is only called in the wire2str,
>   module declare it static to get rid of compiler warning:
>   no previous prototype for function
>   infra_find_ip_ratedata() is only called in the infra module,
>   declare it static to get rid of compiler warning:
>   no previous prototype for function
>   do not shadow local variable buf in authzone
>   auth_chunks_delete and az_nsec3_findnode are only called in the
>   authzone module, declare them static to get rid of compiler warning:
>   no previous prototype for function...
>   copy_rrset() is only called in the respip module, declare it
>   static to get rid of compiler warning:
>   no previous prototype for function 'copy_rrset'
>   no need for another variable "r"; gets rid of compiler warning:
>   declaration shadows a local variable in libunbound.c
>   no need for another variable "ns"; gets rid of compiler warning:
>   declaration shadows a local variable in iterator.c
> - Moved includes and make depend.
> - updated contrib/fastrpz.patch to cleanly diff.
> - remove compile warnings from libnettle compile.
> - output of newer lex 2.6.1 and bison 3.0.5.
> - Set build system for added call in the libunbound API.
> - List example config for root zone copy locally hosted with auth-zone
>   as suggested from draft-ietf-dnsop-7706-bis-02.  But with updated
>   B root address.

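For anyone testing the update, the following unbound.conf server section exercises the 1.9.0 options the release notes above introduce. It is an added example, not part of the release notes or of Stuart's diff; the certificate, key and ticket-key file paths are placeholders, and the cipher lists are one defensible choice rather than anything the notes prescribe.

```conf
# Added example (not from the release notes): unbound.conf fragment for
# exercising the 1.9.0 stream and TLS options. File paths are placeholders.
server:
    interface: 0.0.0.0@53
    interface: 0.0.0.0@853

    # DNS over TLS service on port 853.
    tls-port: 853
    tls-service-key: "/var/unbound/etc/dot-key.pem"
    tls-service-pem: "/var/unbound/etc/dot-cert.pem"

    # Out-of-order TCP/TLS processing keeps pending answers in memory.
    # Cap that memory so many slow streams cannot exhaust the daemon
    # (the denial of service the notes mention). 4m is the value the
    # release notes show; streams that would push usage past it are dropped.
    stream-wait-size: 4m

    # Raise the concurrent TCP/TLS client limit, as the notes recommend
    # when a lot of TCP/TLS users are expected.
    incoming-num-tcp: 100

    # TLS session resumption. The file holds the ticket key material
    # (the man page asks for 80 bytes of random data, e.g. from openssl rand).
    # Keep it readable only by the unbound user and rotate it periodically:
    # anyone holding this key can decrypt resumed sessions.
    tls-session-ticket-keys: "/var/unbound/etc/ticket.key"

    # Restrict TLS 1.2 ciphers and TLS 1.3 ciphersuites (OpenSSL list syntax).
    tls-ciphers: "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"
    tls-ciphersuites: "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"

    # Tag query and reply lines in the log so filters can tell them apart.
    log-queries: yes
    log-replies: yes
    log-tag-queryreply: yes
```

Validate the file with unbound-checkconf before restarting (note the chroot fix in the bug list above), then watch `unbound-control stats` for the new mem.streamwait counter while driving TCP or TLS queries at the server; a counter that climbs toward the stream-wait-size cap under load is the signal that pending answers are being held, and drops beyond it are the intended behaviour rather than a fault.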