On 2019/01/30 22:55, Stuart Henderson wrote:
> Diff against /usr/src/usr.sbin/unbound if anyone is interested in testing
> the release candidate (there have been a couple of small fixes since).
> Release due approximately Friday.

1.9.0 is out, the only change since the rc1 diff is a spelling fix in
example.conf.in (which we don't install anyway) so I won't bother to
re-attach, https://junkpile.org/unbound-1.9.0.diff if anyone wants the full
thing. Any tests / OKs?

> This release contains the DNS Flag Day changes for Unbound. See the
> reference here, https://dnsflagday.net/ . Or this presentation:
> https://indico.dns-oarc.net/event/29/contributions/662/attachments/634/1063/EDNS_Flag_Day_-_OARC29.pdf
> . The EDNS timeouts are not used to fallback to nonEDNS queries.
>
> Out of order processing is implemented, for TCP and TLS. It can be
> configured with a maximum amount of memory to use to store pending
> answers, and the current memory usage is in the statistics output. This
> is with stream-wait-size in unbound.conf and mem.streamwait in
> unbound-control stats output. Streams that cause the total memory
> counted to exceed the maximum are dropped, but it is possible to get a
> number of responses with little memory used.
>
> There is also TLS session resumption support, that can be enabled with
> the tls-session-ticket-keys option. Together with the already existing
> TCP fast open, enabled with --enable-tfo-server --enable-tfo-client,
> that enables zero RTT stream reconnections to the server. Make sure to
> also increase incoming-num-tcp if you expect a lot of TCP and TLS users.
>
> Options are added to set the TLS ciphers and TLS ciphersuites from
> unbound.conf. This can be done with the tls-ciphers and
> tls-ciphersuites options.
>
> TLS can be used from libunbound, with the ub_ctx_set_tls config call,
> use that together with ub_ctx_set_fwd to select DNS over TLS transport.
>
>
> Features
> - log-tag-queryreply: yes in unbound.conf tags the log-queries and
>   log-replies in the log file for easier log filter maintenance.
> - ip-ratelimit-factor of 1 allows all traffic through, instead of the
>   previous blocking everything.
> - Fix #4206: support openssl 1.0.2 for TLS hostname verification,
>   alongside the 1.1.0 and later support that is already there.
> - Add contrib/unbound-fuzzme.patch from Jacob Hoffman-Andrews,
>   the patch adds a program used for fuzzing.
> - streamtcp option -a sends queries consecutively and prints answers
>   as they arrive.
> - out-of-order processing for TCP and TLS.
> - Add stream-wait-size: 4m config option to limit the maximum
>   memory used by waiting tcp and tls stream replies. This avoids
>   a denial of service where these replies use up all of the memory.
> - unbound-control stats has mem.streamwait that counts TCP and TLS
>   waiting result buffers.
> - Patch from Manabu Sonoda with tls-ciphers and tls-ciphersuites
>   options for unbound.conf.
> - Patch for TLS session resumption from Manabu Sonoda,
>   enable with tls-session-ticket-keys in unbound.conf.
> - ub_ctx_set_tls call for libunbound that enables DoT for the machines
>   set with ub_ctx_set_fwd. Patch from Florian Obser.
>
> Bug Fixes
> - Fix that unbound-checkconf does not complain if the config file
>   is not placed inside the chroot.
> - Refuse to start with no ports.
> - Remove clang analysis warnings.
> - Patch for typo in unbound.conf man page.
> - Fix icon, no ragged edges and nicer resolutions available, for e.g.
>   Win 7 and Windows 10 display.
> - cache-max-ttl also defines upper bound of initial TTL in response.
> - Fix config parser memory leaks.
> - Fix for FreeBSD port make with dnscrypt and dnstap enabled.
> - Fixup openssl 1.0.2 compile.
> - Fix for crash in dns64 module if response is null.
> - On FreeBSD warn if sysctl settings do not allow server TCP FASTOPEN,
>   and server tcp fastopen is enabled at compile time.
> - Document interaction between the tls-upstream option in the server
>   section and forward-tls-upstream option in the forward-zone sections.
> - Fix syntax in comment of local alias processing.
> - Fix NSEC3 record that is returned in wildcard replies from
>   auth-zone zones with NSEC3 and wildcards.
> - Log query name for looping module errors.
> - For caps-for-id fallback, use the whitelist to avoid timeout
>   starting a fallback sequence for it.
> - increase mesh max activation count for capsforid long fetches.
> - Fix for #4219: secondaries not updated after serial change, unbound
>   falls back to AXFR after IXFR gives several timeout failures.
> - Fix that auth zone after IXFR fallback tries the same master.
> - Fix for IXFR fallback to reset counter when IXFR does not timeout.
> - Newer aclocal and libtoolize used for generating configure scripts,
>   aclocal 1.16.1 and libtoolize 2.4.6.
> - Fix unit test for python 3.7 new keyword 'async'.
> - clang analysis fixes, assert arc4random buffer in init,
>   no check for already checked delegation pointer in iterator,
>   in testcode check for NULL packet matches, in perf do not copy
>   from NULL start list when growing capacity. Adjust host and file
>   only when present in test header read to please checker. In
>   testcode for unknown macro operand give zero result. Initialise the
>   passed argv array in test code. In test code add EDNS data
>   segment copy only when nonempty.
> - Patch from Florian Obser fixes some compiler warnings:
>   include mini_event.h to have a prototype for mini_ev_cmp
>   include edns.h to have a prototype for apply_edns_options
>   sldns_wire2str_edns_keepalive_print is only called in the wire2str
>   module, declare it static to get rid of compiler warning:
>   no previous prototype for function
>   infra_find_ip_ratedata() is only called in the infra module,
>   declare it static to get rid of compiler warning:
>   no previous prototype for function
>   do not shadow local variable buf in authzone
>   auth_chunks_delete and az_nsec3_findnode are only called in the
>   authzone module, declare them static to get rid of compiler warning:
>   no previous prototype for function...
>   copy_rrset() is only called in the respip module, declare it
>   static to get rid of compiler warning:
>   no previous prototype for function 'copy_rrset'
>   no need for another variable "r"; gets rid of compiler warning:
>   declaration shadows a local variable in libunbound.c
>   no need for another variable "ns"; gets rid of compiler warning:
>   declaration shadows a local variable in iterator.c
> - Moved includes and make depend.
> - updated contrib/fastrpz.patch to cleanly diff.
> - remove compile warnings from libnettle compile.
> - output of newer lex 2.6.1 and bison 3.0.5.
> - Set build system for added call in the libunbound API.
> - List example config for root zone copy locally hosted with auth-zone
>   as suggested from draft-ietf-dnsop-7706-bis-02. But with updated
>   B root address.
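For reference, an unbound.conf fragment that wires the 1.9.0 options from the quoted release notes into one DNS-over-TLS resolver; this is an added illustration, not part of the mail or of the unbound distribution, and the key/cert/ticket paths, the cert bundle path and the forwarder address and name are assumptions.

```conf
server:
    # Plain DNS on 53 and DNS over TLS on 853; tls-port marks which
    # of the @port listeners gets the TLS service.
    interface: 0.0.0.0@53
    interface: 0.0.0.0@853
    tls-port: 853
    tls-service-key: "/var/unbound/etc/dot.key"   # assumed path
    tls-service-pem: "/var/unbound/etc/dot.pem"   # assumed path

    # Out-of-order TCP/TLS processing is new in 1.9.0: cap the memory
    # that pending stream answers may hold. Streams that push the total
    # over the cap are dropped; mem.streamwait in "unbound-control stats"
    # shows the current usage.
    stream-wait-size: 4m

    # Many TCP/TLS clients means more concurrent streams than the default.
    incoming-num-tcp: 1000

    # TLS session resumption (new in 1.9.0). The file holds random key
    # material; with several files listed, the first encrypts new tickets
    # and the others only decrypt, so rotate by prepending a fresh key.
    tls-session-ticket-keys: "/var/unbound/etc/ticket.key"   # assumed path

    # Restrict the TLS 1.2 cipher list and the TLS 1.3 suites (new in 1.9.0).
    tls-ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305"
    tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256"

    # Tag query and reply lines so a log filter can pick them out.
    log-queries: yes
    log-replies: yes
    log-tag-queryreply: yes

    # CA bundle used to authenticate the DoT forwarder below.
    tls-cert-bundle: "/etc/ssl/cert.pem"   # assumed path

forward-zone:
    name: "."
    # forward-tls-upstream applies to this zone only; tls-upstream in the
    # server section would switch every upstream query to TLS instead
    # (the interaction the bug-fix list says is now documented).
    forward-tls-upstream: yes
    # Placeholder forwarder: address@853#name checked in the certificate.
    forward-addr: 192.0.2.53@853#dot.example.net
```

Run unbound-checkconf against the file before reloading; since 1.9.0 it refuses a configuration with no ports and also complains when the file is outside the chroot.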