Hi RayG,
We had a fix that may also solve the issue getting the rpz zonefile via
url in windows
(https://github.com/NLnetLabs/unbound/commit/bc4bdbabeab1388e41ce64714203b4fd3fab18be).
I have prepared the following for you to try on windows:
https://nlnetlabs.nl/~george/unbound_setup_1.13.2_20210222.exe
https://nlnetlabs.nl/~george/unbound-1.13.2_20210222.zip
Let me know how it goes,
-- George
On 03/02/2021 16:08, RayG wrote:
Hi George,
Ok Thanks - I was rather hoping the next update to v1.13.0 would have addressed
the issue. Any Ideas when?
Thanks
RayG
-----Original Message-----
From: George Thessalonikefs <geo...@nlnetlabs.nl>
Sent: 03 February 2021 14:43
To: unbound-users@lists.nlnetlabs.nl
Subject: Re: Unbound 1.13.1rc1 pre-release
Hi RayG,
The RPZ issue on windows is still ongoing.
The error as I see it is that TLS handshake to the server is not completed and
thus you don't get the zonefile to apply the rules.
This is still an ongoing issue.
Best regards,
-- George
On 03/02/2021 15:29, RayG via Unbound-users wrote:
Hi Wouter,
Thanks for the info, in that case RPZ is not working because I see no:
info: RPZ applied
entries in the log file and that would be confirmed as the data from:
https://urlhaus.abuse.ch/downloads/rpz
when I select any item and use DIG returns an IP address rather than NXDOMAIN.
So sorry Response Policy Zones is not working for me.
I look forward to hearing your reply.
Thanks
RayG
-----Original Message-----
From: Wouter Wijngaards <wou...@nlnetlabs.nl>
Sent: 03 February 2021 10:45
To: RayG <rgs...@btinternet.com>; unbound-us...@nlnetlabs.nl
Subject: Re: Unbound 1.13.1rc1 pre-release
Hi RayG,
From the unit test, a sample output if rpz-log is enabled:
info: RPZ applied [rpz.example.com] a. nxdomain 127.0.0.1@53 a. TXT IN
It is applied to the query 'a' here, of type txt, from localhost. And the
action, or action-override, is nxdomain.
With rpz-log enabled, verbosity 0 is enough to see that, or more. So verbosity
does not matter.
Best regards, Wouter
On 02/02/2021 18:06, RayG wrote:
Hi Wouter,
I am assuming that the RPZ issue I had on v1.13.0 is included in the fixes but
I could not see something that registered with me in the notes you put out.
Given that when I look at the URLHaus web site and pick a few names at random
from the list I do get an NXDOMAIN response from Unbound.
I was expecting the when this happened I would see in the log file some
reference to the fact the NXDOMAIN was returned due to an RPZ entry?
If this is correct what verbosity level is required to see the entries?
Do you have any log examples to show it is working correctly please?
rpz: # MyResponsePolicyZones.conf
name: "URLHaus"
zonefile: "C:\ProgramData\Unbound\Logs\urlhaus.zone"
url: "https://urlhaus.abuse.ch/downloads/rpz/";
rpz-log: yes
rpz-log-name: "URLHausRPZ"
rpz-action-override: nxdomain
Thanks
RayG
-----Original Message-----
From: RayG <rgs...@btinternet.com>
Sent: 02 February 2021 16:31
To: 'Wouter Wijngaards' <wou...@nlnetlabs.nl>;
unbound-us...@nlnetlabs.nl
Subject: RE: Unbound 1.13.1rc1 pre-release
Hi Wouter,
OK that seems to have fixed things - we are now running - lets see what happens
now...
Thanks for the quick fixes.
RayG
-----Original Message-----
From: Wouter Wijngaards <wou...@nlnetlabs.nl>
Sent: 02 February 2021 16:27
To: RayG <rgs...@btinternet.com>; unbound-us...@nlnetlabs.nl
Subject: Re: Unbound 1.13.1rc1 pre-release
Hi RayG,
Fixed this in the commit
https://github.com/NLnetLabs/unbound/commit/46939294710d24a37f9f83814
1
f26e6b063b01f3
Thanks for the report! I updated the link with the installer to a new
installer with a root.key file that has the right contents.
www.nlnetlabs.nl/~wouter/unbound_setup_1.13.1_20210202.exe
www.nlnetlabs.nl/~wouter/unbound-1.13.1_20210202.zip
Best regards, Wouter
On 02/02/2021 16:38, RayG wrote:
Hi Wouter,
A bit further forward but it still will not run.
The reason being that the root.key file has a zero length. It has the correct
info when 1.13.0 is running.
unbound_setup_1.13.1_20210202 corrupts the file.
C:\Program Files\Unbound>unbound-checkconf.exe
[1612280164] unbound-checkconf[9652:0] error: failed to read
C:\Program Files\Unbound\root.key [1612280164]
unbound-checkconf[9652:0] error: error reading auto-trust-anchor-file:
C:\Program Files\Unbound\root.key [1612280164] unbound-checkconf[9652:0] error:
validator: error in trustanchors config [1612280164] unbound-checkconf[9652:0]
error: validator: could not apply configuration settings.
[1612280164] unbound-checkconf[9652:0] fatal error: bad config for
validator module
02/02/2021 15:33:52 C:\Program Files\Unbound\unbound.exe[4548:0]
notice: init module 0: respip
02/02/2021 15:33:52 C:\Program Files\Unbound\unbound.exe[4548:0]
notice: init module 1: validator
02/02/2021 15:33:52 C:\Program Files\Unbound\unbound.exe[4548:0]
error: failed to read C:\Program Files\Unbound\root.key
02/02/2021 15:33:52 C:\Program Files\Unbound\unbound.exe[4548:0]
error: error reading auto-trust-anchor-file: C:\Program
Files\Unbound\root.key
02/02/2021 15:33:52 C:\Program Files\Unbound\unbound.exe[4548:0]
error: validator: error in trustanchors config
02/02/2021 15:33:52 C:\Program Files\Unbound\unbound.exe[4548:0] error:
validator: could not apply configuration settings.
02/02/2021 15:33:52 C:\Program Files\Unbound\unbound.exe[4548:0]
error: module init for module validator failed
02/02/2021 15:33:52 C:\Program Files\Unbound\unbound.exe[4548:0]
fatal
error: failed to setup modules
RayG
-----Original Message-----
From: Wouter Wijngaards <wou...@nlnetlabs.nl>
Sent: 02 February 2021 15:17
To: RayG <rgs...@btinternet.com>; unbound-us...@nlnetlabs.nl
Subject: Re: Unbound 1.13.1rc1 pre-release
Hi RayG,
Here is a build for today's fix
www.nlnetlabs.nl/~wouter/unbound_setup_1.13.1_20210202.exe
www.nlnetlabs.nl/~wouter/unbound-1.13.1_20210202.zip
and .asc pgp signature and .sha256 sum files.
Best regards, Wouter
On 02/02/2021 15:44, RayG wrote:
Hi Wouter,
Thanks
I'll have to wait until you next build the Windows installer.
RayG
-----Original Message-----
From: Wouter Wijngaards <wou...@nlnetlabs.nl>
Sent: 02 February 2021 14:09
To: RayG <rgs...@btinternet.com>; unbound-us...@nlnetlabs.nl;
maintain...@nlnetlabs.nl
Subject: Re: Unbound 1.13.1rc1 pre-release
Hi RayG,
This seems to be because of a default stack protector in mingw.
Fix includes libssp in the libunbound/ directory of the zipfile,
and attempts to statically link with it in the unbound executable.
It is applied to the repository in commits
https://github.com/NLnetLabs/unbound/commit/aa8dfe94d31e11c19897444
b
9
5
5af6ac10aec1cd
https://github.com/NLnetLabs/unbound/commit/f9a1ac3f0b1a415d8085e11
3
d
4
4797e62c436a52
https://github.com/NLnetLabs/unbound/commit/18840665bcbb28c9de07bc3
b
2
0
157a0dde13f8fd
Best regards, Wouter
On 02/02/2021 13:39, RayG wrote:
V1.13.1rc1 will not run on Windows X64 (20H2)
The error is:
"the code execution cannot proceed because libssp-0.dll was not found"
Reinstalling the application does not help,
Reverting to v1.13.0
RayG
-----Original Message-----
From: Wouter Wijngaards <wou...@nlnetlabs.nl>
Sent: 02 February 2021 07:47
To: unbound-us...@nlnetlabs.nl; maintain...@nlnetlabs.nl
Subject: Unbound 1.13.1rc1 pre-release
Hi,
Unbound 1.13.1rc1 pre-release is available
https://nlnetlabs.nl/downloads/unbound/unbound-1.13.1rc1.tar.gz
sha256
c652c0a35165c97962f0cd503902b95096b3f3252d1bf9cefe5ab9e4910e4fec
pgp
https://nlnetlabs.nl/downloads/unbound/unbound-1.13.1rc1.tar.gz.as
c
This release contains a number of bug fixes. There is added support for the
EDNS Padding option (RFC7830 and RFC8467), and the EDNS NSID option (RFC 5001).
Unbound control has added commands to enable and disable rpz processing.
Reply callbacks have a start time passed to them that can be used to calculate
time, these are callbacks for response processing. With the option
serve-original-ttl the TTL served in responses is the original, not counted
down, value, for when in front of authority service.
Features
- Merge PR #375 by fhriley: Add rpz_enable and rpz_disable commands
to unbound-control.
- Merge PR #391 from fhriley: Add start_time to reply callbacks so
modules can compute the response time.
- Fix #397: [Feature request] add new type always_null to local-zone
similar to always_nxdomain.
- Support for RFC5001: DNS Name Server Identifier (NSID) Option
with the nsid: option in unbound.conf
- Padding of queries and responses with DNS over TLS as specified in
RFC7830 and RFC8467.
- Merge PR #275 from Roland van Rijswijk-Deij: Add feature to return the
original instead of a decrementing TTL ('serve-original-ttl')
Bug Fixes
- Fix #358: Squelch udp connect 'no route to host' errors on low
verbosity.
- Fix #360: for the additionally reported TCP Fast Open makes TCP
connections fail, in that case we print a hint that this is
happening with the error in the logs.
- Fix #356: deadlock when listening tcp.
- Fix unbound-dnstap-socket to not use log routine from interrupt
handler and not print so frequently when invoked in sequence.
- Fix on windows to ignore connection failure on UDP, unless verbose.
- make depend.
- Fix #371: unbound-control timeout when Unbound is not running.
- Fix to squelch permission denied and other errors from remote host,
they are logged at higher verbosity but not on low verbosity.
- Merge PR #335 from fobser: Sprinkle in some static to prevent
missing prototype warnings.
- Merge PR #373 from fobser: Warning: arithmetic on a pointer to void
is a GNU extension.
- Fix missing prototypes in the code.
- Fix error cases when udp-connect is set and send() returns an error
(modified patch from Xin Li @delphij).
- For #376: Fix that comm point event is not double removed or double
added to event map.
- iana portlist updated.
- Fix #385: autoconf 2.70 impacts unbound build
- Fix #379: zone loading over HTTP appears to have buffer issues.
- Merge PR #395 from mptre: add missing null check.
- Fix #387: client-subnet-always-forward seems to effectively bypass
any caching?
- For #391: use struct timeval* start_time for callback information.
- For #391: fix indentation.
- For #391: more double casts in python start time calculation.
- Add comment documentation.
- Fix clang analysis warning.
- Fix so local zone types always_nodata and always_deny can be used
from the config file.
- Merge #399 from xiangbao227: The lock of lruhash table should
unlocked after markdel entry.
- Fix for #93: dynlibmodule link fix for Windows.
- Fix for #93: dynlibmodule import library is named libunbound.dll.a.
- Merge #402 from fobser: Implement IPv4-Embedded addresses according
to RFC6052.
- Fix #404: DNS query with small edns bufsize fail.
- Fix declaration before statement and signed comparison warning in
dns64.
- Fix TTL of SOA record for negative answers (localzone and
authzone data) to be the minimum of the SOA TTL and the SOA.MINIMUM.
- Fix compile of unbound-dnstap-socket without dnstap installed.
- Merge PR #355 from noloader: Make ICANN Update CA and DS Trust Anchor
static data.
- Ignore cache blacklisting when trying to reply with expired data from
cache (#394).
- Merge PR #408 from fobser: Prevent a few more yacc clashes.
- Annotate that we ignore the return value of if_indextoname.
- Fix to use correct type for label count in rpz routine.
- Fix empty clause warning in config_file nsid parse.
- Fix to use correct type for label count in ipdnametoaddr rpz routine.
- Fix empty clause warning in edns pass for padding.
- Fix for doxygen 1.8.20 compatibility.
- Attempt to fix NULL keys in the reuse_tcp tree; relates to #411.
Best regards, Wouter
