-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

Unbound 1.3.0 is released.

http://unbound.net/downloads/unbound-1.3.0.tar.gz
SHA1 67fe06f087083fd24b0175b68e624efc375a3e0f
SHA256 ebaed25422a32a7f13386982485d9d01b65cf3aefbebdcf4add6a4d7c71a4610

For port maintainers - this version has changes compared to rc1.

Windows is supported in this version. There is a friendly installer that gives the daemon with all the same configuration options. Or you can compile yourself with mingw/msys.

Python support was contributed by Zdenek Vasicek and Marek Vavrusa.

Previous releases accidentally enabled experimental rsasha256 algorithms, fixed here, more details are documented below.

And smaller features as well as bug fixes for your upgrading pleasure.

Details:

Features
* Major features are Windows port, and Python contribution. Previous releases accidentally enabled experimental rsasha256 algorithms, fixed, see below. There are minor features and bug fixes too.
* initgroups(3) is called to drop secondary group permissions, if this OS functionality is available.
* daemon(3) posix call is used when available
* configure option --with-ldns-builtin forces the use of the included ldns package with the unbound source. The -I include is put before the others, so it avoids bad include files from an older ldns install.
* --enable-sha2 option for rsasha256 and rsasha512 support (experimental because it is still in working group draft stage). Default is off. Previous releases accidentally enabled this feature when lib openssl supported SHA256. It then used algorithms 8, 9 for RSASHA256 and 10, 11 for RSASHA512 (using four numbers as was according to the draft spec at that time). The earlier versions support NSEC and NSEC3 for all these algorithm numbers. People with these earlier versions may also have earlier openssl versions (0.9.7), and therefore the experimental feature is disabled. As long as these signing algorithm code points are not allocated, there is no problem. You are advised to upgrade to the current version to avoid surprises.
* new option log-time-ascii: yes if you enable it prints timestamps in the log file as Feb 06 13:45:26 (like syslog does).
* verbosity level 5 logs customer IP for new requestlist entries.
* contrib contains specfile for fedora 1.2.1 (from Paul Wouters).
* call setusercontext() if available (on BSD)
* Added stats_noreset feature for unbound-control.
* Added flush_requestlist feature for unbound-control.
* unbound-control status shows if root forwarding is in use.
* Added forward command for unbound control to change forwarders to use on the fly.
* unbound-checkconf and unbound server print warnings when trust anchors have unsupported algorithms.
* Added contrib/update-itar.sh This script is similar to update-anchor.sh, and updates from the IANA ITAR repository. You can provide your own PGP key and trust repo, or can use the builtin. The program uses wget and gpg to work.
* Support spaces and backslashes in configure default paths
* register and deregister util programs for unbound.exe into the windows service control manager. Works on XP and with Vista UAC.
* unbound can work as a service on windows, for the registry settings and default program location and so on, see the windows manual.
* installer for unbound on windows. uninstalls too. Menu entries optional. Can install DLV anchor with updater application (anchor-update.exe, works a bit like update-anchor.sh) to enable DNSSEC easily. Uses the NSIS open source installer system.
* Added contrib/unbound_cacti for statistics support in cacti, contributed by Dmitriy Demidov.
* domain-insecure: "example.com" statement added. Sets domain insecure regardless of chain of trust DSs or DLVs. The inverse of a trust-anchor.
* use _beginthreadex() when available (performs stack alignment on mingw)
* added launchd plist example file for MacOSX to contrib.
* reworked configure scripts to be neater.
* python contribution from Zdenek Vasicek and Marek Vavrusa. This contains support to use libunbound from python code.
  And support to create unbound modules written in python that perform custom processing of queries. The code is disabled by default and needs to be enabled by passing options to configure. Installs the following files: /usr/lib/python2.x/site-packages/ unboundmodule.py unbound.py and _unbound.so*. The script examples are not installed. Sphinx docs can be built with make doc (if sphinx-build is available).
* new libunbound calls to manage local data more easily
* read /dev/random before chroot
* suppress errors when trying to contact authority servers that gave ipv6 AAAA records for their nameservers with ipv4 mapped contents. Still tries to do so, higher verbosity shows the error.
* clock skew checks in unbound, config statements.
* Added cache-min-ttl option.
* [bugzilla: 226 ] Added dump_requestlist feature for unbound-control.
* [bugzilla: 227 ] Added flush_stats feature for unbound-control.
* [bugzilla: 231 ] Added unbound-checkconf -o option, that prints that value from config file. Useful for scripting in management scripts and the like.

Bug Fixes
* fix for threadsafety in solaris thr_key_create() in tests.
* fixes for porting the python code to BSD and Darwin
* fix for openssl-1.0.0beta, use of STRING #define, libdl linking.
* Fix reentrant in minievent handler for unix. Could have resulted in spurious event callbacks.
* [bugzilla: 245 ] fix munin plugin, perform cleanup of stale lockfiles.
* Fix for removal of RSASHA256_NSEC3 protonumber from ldns. Also new rsasha512 (interim) algorithm number.
* Detect FreeBSD jail without ipv6 addresses assigned.
* Fixed a bug that caused messages to be stored in the cache too long. Hard to trigger, but NXDOMAINs for nameservers or CNAME targets have been more vulnerable to the TTL miscalculation bug.
* fixed bug in unbound-control flush_zone where it would not flush every message in the target domain. This especially impacted NXDOMAIN messages which could remain in the cache regardless.
* Fixup so no non-absolute rpaths are added.
* Fixup validation of RRSIG queries, they are let through.
* fix util/configlexer.c and solaris -std=c99 flag.
* deprecation test for daemon(3) (on MacOSX).
* [bugzilla: 239 ] module-config entries order is important. Documented.
* Fix for and test for unknown algorithms in a trust anchor definition. Trust anchors with no supported algos are ignored. This means a (higher)DS or DLV entry for them could succeed, and otherwise they are treated as insecure.
* Added tests, unknown algorithms become insecure. fallback works.
* fixed so queries do not fail on opportunistic target queries.
* munin plugin fix benign locking error printout.
* fixup --export-symbols to be -export-symbols for libtool. This should fix extraneous symbols exported from libunbound. Thanks to Ondrej Sury and Robert Edmonds for finding it.
* document FAQ entry on stub/forward zones and default blocking.
* Remove fwrite warning on Ubuntu
* Added more cycle detection. Also for target queries.
* Fixup bug where during deletion of the mesh queries the callbacks that were reentrant caused assertion failures. Keep the mesh in a reentrant safe state. Affected libunbound, reload of server, on quit and flush_requestlist.
* documented that unbound-host reads no config file by default.
* slightly nicer memory management in iter-fwd code.
* small refactor of stats clearing.
* fixup EOL in include directive (reported by Paul Wouters).
* config parser changed. Gives some syntax errors closer to where they occurred. Does not enforce a space after keyword anymore. Does not allow literal newlines inside quoted strings anymore.
* detect event_base_new() in libevent-1.4.1 and later and use it.
* MacOSX Leopard cleaner text output from configure.
* change in libunbound API: ub_cancel can return an error, that the async_id did not exist, or that it was already delivered.
  The result could have been delivered just before the cancel routine managed to acquire the lock, so a caller may get the result at the same time they call cancel. For this case, ub_cancel tries to return an error code. Fixes race condition in use of ub_cancel() libunbound function.
* Fixup assertion failure (thanks to Brett Carr).
* Fix detection of no ipv6 on XP (with different error code).
* Fixup a crash-on-exit which was triggered by a very long queue.
* Fixed bug that could cause a crash if root prime failed when there were message backlogs.
* fixup documentation-bug in README reported by Matthew Dempsky.
* Fixup bad free() when wrongly encoded DSA signature is seen. Reported by Paul Wouters.
* updated ldns tarball to latest
* updated iana portlist

Best regards,
   Wouter
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkow5GEACgkQkDLqNwOhpPjQPQCdEZUasTH21V+6DMhveeYdhp9O
jvIAoLJ6X7I8QvqB3MYHJJtRd3P/n1bh
=ubr2
-----END PGP SIGNATURE-----
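
The trust-anchor rule from the notes above (anchors with no supported algorithm are ignored, so a higher anchor may take over, and otherwise the name is treated as insecure), modelled as an added example that is not Unbound's code and not part of the announcement. The supported-algorithm set, the function names and the anchor lines are assumptions constructed for illustration.

```python
# Added example: models the trust-anchor rule from the release notes; not Unbound code.
# Assumption: IANA algorithm numbers a build without --enable-sha2 can validate.
SUPPORTED = frozenset({1, 3, 5, 6, 7})

# Constructed sample anchors; key and digest material is placeholder text.
SAMPLE = """\
example.       IN DS 1111 5 1 AAAA
sha2.example.  IN DNSKEY 257 3 8 BBBB   ; draft RSASHA256 code point
mixed.example. IN DS 2222 10 2 CCCC     ; draft RSASHA512 code point
mixed.example. IN DS 3333 7 1 DDDD
"""

def parse_anchor(line):
    """Return (zone, rrtype, algorithm) for one DS or DNSKEY anchor line."""
    fields = line.split()
    # DS rdata: keytag ALG digesttype digest; DNSKEY rdata: flags protocol ALG key
    for rrtype, alg_pos in (("DS", 2), ("DNSKEY", 3)):
        if rrtype in fields[1:]:
            i = fields.index(rrtype, 1)
            return fields[0].lower(), rrtype, int(fields[i + alg_pos])
    raise ValueError("not a DS or DNSKEY anchor: %r" % line)

def usable_zones(text, supported=SUPPORTED):
    """Map each anchored zone to True if any of its anchors uses a supported algorithm."""
    zones = {}
    for line in text.splitlines():
        line = line.split(";")[0].strip()   # drop zone-file comments
        if not line:
            continue
        zone, _, alg = parse_anchor(line)
        zones[zone] = zones.get(zone, False) or alg in supported
    return zones

def covering_anchor(name, zones):
    """Closest enclosing zone whose anchor is usable, or None (treated as insecure)."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels) + 1):
        candidate = ".".join(labels[i:]) + "."
        if zones.get(candidate):            # ignored anchors are skipped
            return candidate
    return None

if __name__ == "__main__":
    zones = usable_zones(SAMPLE)
    for zone, ok in sorted(zones.items()):
        print(zone, "usable" if ok else "ignored: no supported algorithm")
    print("www.sha2.example. ->", covering_anchor("www.sha2.example.", zones))
```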
