-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

The new version of unbound 1.4.0 is available:
http://unbound.net/downloads/unbound-1.4.0.tar.gz
SHA1 ad5fe28826bfc0baa5b63988361dda7e8dabfb4d
SHA256 3f67ecda501d74d8cc9e5c0aa0bcd25c4e03f09ad8e339de643333307ced9c30

It has a number of new features and a number of bugfixes.

It has RSASHA256 and RSASHA512 support.

It supports RFC5011 updating of trust anchors, auto-trust-anchor-file:
that may be a good way to set up trust anchors so they are kept up to
date. (Note it needs one domain per file, as it writes the domain back
to the file when it changes). Understand that RFC5011 tracking needs the
server up and connected to the internet about once per week.

Unbound 1.4.0 tries a lot harder to obtain valid DNSSEC data, trying
other servers and so on, and it can print out error messages
(val-log-level: 2) that pinpoint where the validation failure happened
in unbound's processing. unbound-host is useful in that, given keys, it
prints out this diagnostic on the console for you.

The so-rcvbuf option is good for high-performance servers; it handles
short traffic spikes more easily.

The edns-buffer-size option is for possible MTU trouble: set it to 1480
or 1220 if your site cannot handle large (fragmented) replies.

Features
* RFC 5702: RSASHA256 and RSASHA512 support enabled by default.
  Please use openssl 0.9.8 or later, which provides sha256 and sha512.
* included ldns tarball updated (which also enables rsasha256 support).
* val-log-level: 2 shows extended error information for validation
  failures, one line per failure. For example:
  validation failure <example.com. DNSKEY IN>: signature expired from 192.0.2.4 for trust anchor example.com. while building chain of trust
* Made new validator error string available from libunbound for
  applications. It is in result->why_bogus, a zero-terminated string.
  unbound-host prints it by default if a result is bogus. Also the
  errinf is public in module_qstate (for other modules).
* retry on DNSSEC failures, query other servers: unbound works harder to
  get valid DNSSEC data.
* so-rcvbuf: 4m option added. Set this on large busy servers to not drop
  the occasional packet in spikes due to full socket buffers.
  netstat -su keeps a counter of UDP dropped due to full buffers.
* auto-trust-anchor-file option with RFC5011 support, code from the
  NLnet Labs autotrust project (BSD license), is incorporated. In this
  way unbound can support trust anchor revocation properly, even
  revocation back to the unsigned state. It can read normal anchor files
  or autotrust files initially; after probing, the file is written to in
  a format specific to unbound.
* use line buffering for log-file: output, this can be significantly
  faster than the previous fflush method and enables some class of
  resolvers to use high verbosity (for short periods). Not on windows,
  because line buffering does not work there.
* Patch from Zdenek Vasicek and Attila Nagy for using the source IP from
  python scripts. See pythonmod/examples/resip.py.
* Got a patch from Luca Bruno for libunbound support on windows to pick
  up the system resolvconf nameservers and hosts there.
* call OPENSSL_config() in unbound and unit test so that the operator can
  use openssl.cnf for configuration options.
* Experimental support (disabled by default) for GOST for unofficial
  algorithm number 249 of draft-dolmatov-dnsext-dnssec-gost-01, tested
  to work with openssl-1.0.0beta and correct for examples in -01 draft.
* edns-buffer-size option, default 4096. Can be set to 1480 in case of
  DNS UDP fragments not arriving from authority servers.
* iana portlist updated.
* contrib/split-itar.sh from Tom Hendrikx to split anchors.mf from the
  IANA ITAR into individual key files that can be tracked with
  auto-trust-anchor-file.

Bug Fixes
* fixed do-udp: no (only TCP is used).
* removed abort on prealloc failure, error still printed but softfail.
* Fix bug where autotrust does not work when started with a DS.
* Fix double time subtraction in negative cache reported by Amanda
  Constant and Hugh Mahon.
* fix unbound-host so -d can be given before -C.
* fix DNSSEC-missing-signature detection for minimal responses for qtype
  DNSKEY (assumes DNSKEY occurs at zone apex).
* fix compile of unbound-host when --enable-alloc-checks.
* Fix lookup problem reported by Koh-ichi Ito and Jaap Akkerhuis.
* Manual page fixes reported by Tony Finch.
* Fix memory leak reported by Tao Ma.
* increased MAXSYSLOGLEN so .bg key can be printed in debug output.
* Fix bug where DNSSEC-bogus messages were marked with too high TTL.
  The RRsets would still expire at the normal time, but this would keep
  messages bogus in the cache for too long.
* documented that load_cache is meant for debugging.
* fixup printing errors when load_cache, they were printed to the SSL
  connection which had just broken, now to the log.
* Changes to make unbound work with libevent-2.0.3 alpha (in configure
  detection due to new ssl dependency in libevent).
* do not call sphinx for documentation when python is disabled.
* remove EV_PERSIST from libevent timeout code to make the code
  compatible with libevent-2.0. Works with older libevent too.
* fix memory leak in python code.
* makefile fix for parallel makes.
* fixup unbound-control lookup to print forward and stub servers.
* fixup memleak in trust anchor unsupported algorithm check.
* free all memory on program exit, fix for ssl and flex.
* fixup DS lookup at anchor point with unsigned parent.
* fixup DLV lookup for DS queries to unsigned domains.
* Fix so that servers are only blacklisted if they fail to reply to 16
  queries in a row and the timeout gets above 2 minutes.
* unbound-control lookup prints out infra cache information, like RTT.
* Fix bug in DLV lookup reported by Amanda from Secure64. It could
  sometimes wrongly classify a domain as unsigned, which does not give
  the AD bit on replies.
* Thanks to Surfnet, found bug in new dnssec-retry code that failed to
  combine well with DLV and then a validation failure.
* removed small memory leak from config file reader.
* fix manpage errors reported by debian lintian.
* Fixed validation failure for CNAME to optout NSEC3 nodata answer.
* unbound-host does not fail on type ANY.
* Fixed wireparse failure to put RRSIGs together with data in some long
  ANY mix cases, which fixes validation failures.
* Fixed signer detection of CNAME responses without signatures.
* [bugzilla: 282] Fixed libunbound memleak on error condition by Eric
  Sesterhenn.

Best regards,
   Wouter

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAksOgCEACgkQkDLqNwOhpPhxvACgqc1oYwArViqsMRWy6iiZW4sm
O1EAn2yEsxeclb3QUUN6TaKIsB1j0Utm
=5eA2
-----END PGP SIGNATURE-----
_______________________________________________
Unbound-users mailing list
[email protected]
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
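The four operational settings the announcement discusses (auto-trust-anchor-file, val-log-level, so-rcvbuf, edns-buffer-size) as one unbound.conf server: fragment. This is an added example, not part of Wouter's announcement or the Unbound distribution; the file path /var/lib/unbound/root.key and the choice of 1480 for the EDNS buffer are assumptions, the option names and the values 4m, 2 and 1480 are the ones given in the message above.

```conf
server:
    # RFC 5011 tracked anchor: one zone per file. Unbound rewrites this
    # file after probing, so it (and its directory) must be writable by
    # the user unbound runs as, and the host must reach the internet about
    # once a week for the tracking to work. Path is an assumed example.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # One log line per validation failure, naming the server that sent
    # the bad data and the stage of the chain of trust that failed.
    val-log-level: 2

    # Larger socket receive buffer for busy servers so short spikes do
    # not drop packets. Check the kernel's counter of UDP packets dropped
    # for full buffers with: netstat -su
    so-rcvbuf: 4m

    # Default is 4096. Lower to 1480 (or 1220) if fragmented UDP replies
    # from authority servers do not arrive at this site.
    edns-buffer-size: 1480
```

Run unbound-checkconf against the resulting file before restarting; a trust anchor file that unbound cannot write to is the usual reason RFC 5011 tracking silently stops.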
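The val-log-level: 2 lines are meant for operators to read, but on a busy resolver it is more useful to count them per upstream server and per reason, which is also how one tells a real key rollover problem apart from one authority server handing out stale signatures. The following parser is an added example, not code from the announcement or from Unbound. Its regular expression is derived from the single sample line quoted above; the assumption that other failures follow the same "reason from server for context" shape is an assumption, so lines that do not match are returned as None rather than guessed at. The sample log lines are constructed (the first is the announcement's example with a syslog-style prefix added; the others are made up in the same shape).

```python
import re
from collections import Counter

# Pattern built from the one example line in the 1.4.0 announcement:
#   validation failure <example.com. DNSKEY IN>: signature expired
#   from 192.0.2.4 for trust anchor example.com. while building chain of trust
# The reason / server / context split is assumed to hold for other
# failure kinds; anything that does not fit is reported as unparsed.
VALFAIL_RE = re.compile(
    r"validation failure <(?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>\S+)>: "
    r"(?P<reason>.+?) from (?P<server>\S+) for (?P<context>.+)$"
)


def parse_validation_failure(line):
    """Return a dict (qname, qtype, qclass, reason, server, context)
    for a val-log-level: 2 failure line, or None for any other line.
    A syslog/unbound prefix before the message is tolerated."""
    m = VALFAIL_RE.search(line.rstrip())
    if m is None:
        return None
    return m.groupdict()


def summarize(lines):
    """Count parsed failures per upstream server and per reason.
    Returns (by_server, by_reason, unparsed_count)."""
    by_server = Counter()
    by_reason = Counter()
    unparsed = 0
    for line in lines:
        rec = parse_validation_failure(line)
        if rec is None:
            unparsed += 1
            continue
        by_server[rec["server"]] += 1
        by_reason[rec["reason"]] += 1
    return by_server, by_reason, unparsed


def suspect_servers(by_server, threshold):
    """Servers that produced at least `threshold` failures, most first.
    A single server dominating the count points at that server rather
    than at the zone's keys."""
    return [srv for srv, n in by_server.most_common() if n >= threshold]


# Constructed sample log; only the first message text comes from the
# announcement, the prefixes and the remaining lines are made up.
SAMPLE_LOG = [
    "Nov 26 12:00:01 resolver unbound[1234:0] info: validation failure "
    "<example.com. DNSKEY IN>: signature expired from 192.0.2.4 "
    "for trust anchor example.com. while building chain of trust",
    "Nov 26 12:00:03 resolver unbound[1234:0] info: validation failure "
    "<www.example.com. A IN>: signature expired from 192.0.2.4 "
    "for key example.com. while building chain of trust",
    "Nov 26 12:00:09 resolver unbound[1234:0] info: validation failure "
    "<example.org. DS IN>: no signatures from 198.51.100.7 "
    "for DS example.org. while building chain of trust",
    "Nov 26 12:00:10 resolver unbound[1234:0] info: resolving example.net. A IN",
]


if __name__ == "__main__":
    import sys
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG
    by_server, by_reason, unparsed = summarize(source)
    for srv, n in by_server.most_common():
        print(f"{n:6d}  {srv}")
    for reason, n in by_reason.most_common():
        print(f"{n:6d}  {reason}")
    print(f"unparsed lines: {unparsed}")
    print("suspect servers:", suspect_servers(by_server, threshold=2))
```

Feed it the resolver's log (for example `grep 'validation failure' unbound.log | python3 valfail.py`); a server that tops the list with "signature expired" for many names is the one to look at first, since 1.4.0 will already have retried other servers for the same data.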
