Hi,

Unbound 1.4.13 is released with bug fixes:
http://unbound.nlnetlabs.nl/downloads/unbound-1.4.13.tar.gz
SHA1 checksum: 834ccfd1cb41a44f53b33f8338a8f9cc68febaf7
SHA256: 83c7dc2756c488ab5bfcb9b25b81236a4ec42fb3d505267fcaf005555f3a2313

Important change is the different answer for QTYPE ANY with a CNAME in the answer section, where the format of the answer is now different, but it DNSSEC validates properly. This is a change in answers from the previous unbound versions. If applications act differently this would be interesting to know. The response is meant for debugging (by RFC) and should have partial contents from cache normally, thus the current implementation is according to spec (but delivers a different subset of the available data).

Interesting option is tcp-upstream for tunneling DNS over TCP. For difficult deployment situations.

And miscellaneous bugs and patches (thanks to the contributors!)

More details below,

Best regards,
Wouter

Features
* Note that Unbound implements RFC6303 (since version 1.4.7).
* tcp-upstream yes/no option (works with set_option) for tunnels.
* The format of answers to the qtype ANY with a CNAME has changed, so that there can be proper validated DNSSEC answers for them. This is for queries with qtype ANY where the domain name has a CNAME. Now an answer is returned, where before it resulted in SERVFAIL due to validation failure. When DNSSEC validation is disabled, the contents of the response have changed: the CNAME is not followed, and the correct contents of the RRsets at the initial name are included (where previously only partial contents of the initial names could have been included but the CNAME was followed). The qtype ANY is a query for debug where the resolver is to fill in relevant data that happens to be at hand from the cache.

Bug Fixes
* Fix validation of qtype ANY responses with CNAMEs (thanks Cathy Zhang and Luo Ce).
  Unbound responds with the RR types that are available at the name for qtype ANY and validates those RR types. It does not test for completeness (i.e. with NSEC or NSEC3 query), and it does not follow the CNAME or DNAME to another name (with even more data for the already large response).
* Documented the options that work with control set_option command.
* Fix that internally, CNAMEs with NXDOMAIN have that as rcode.
* Fix validation of . DS query.
* Fix wildcard expansion no-data reply under an optout NSEC3 zone is validated as insecure, reported by Jia Li (lijia cnnic.cn).
* Fix python site-packages path to /usr/lib64.
* fix memory and fd leak after out-of-memory condition.
* patch from Tom Hendrikx fixes load of python modules.
* Applied patch from Karel Slany that fixes a memory leak in the unbound python module, in string conversions.
* Fix num-threads 0 does not segfault, reported by Simon Deziel.
* fix autoconf 2.68 warnings
* iana portlist updated
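The announcement above publishes SHA1 and SHA256 checksums for the tarball. The following is an added example, not part of the original message or the Unbound project: it parses those checksum lines and checks a downloaded file against them. It assumes the announcement text has already been authenticated (for instance through its PGP signature); the function names and the rule of requiring a SHA256 value are this example's own.

```python
import hashlib
import hmac
import re

# Added example; function names are this example's own, not Unbound's.
# Checksum lines copied from the 1.4.13 announcement.
ANNOUNCEMENT = (
    "http://unbound.nlnetlabs.nl/downloads/unbound-1.4.13.tar.gz\n"
    "SHA1 checksum: 834ccfd1cb41a44f53b33f8338a8f9cc68febaf7\n"
    "SHA256: 83c7dc2756c488ab5bfcb9b25b81236a4ec42fb3d505267fcaf005555f3a2313\n"
)
# Expected hex length per algorithm; rejects truncated or padded values.
HEX_LEN = {"sha1": 40, "sha256": 64}
_DIGEST_RE = re.compile(r"\b(SHA1|SHA256)(?: checksum)?:\s*([0-9a-fA-F]+)\b")

def parse_checksums(text):
    """Return {'sha1': hex, 'sha256': hex} found in an announcement body."""
    found = {}
    for algo, value in _DIGEST_RE.findall(text):
        algo = algo.lower()
        if len(value) != HEX_LEN[algo]:
            raise ValueError(f"{algo} digest has wrong length: {len(value)}")
        if algo in found and found[algo] != value.lower():
            raise ValueError(f"conflicting {algo} digests in announcement")
        found[algo] = value.lower()
    return found

def file_digests(path, algos):
    """Hash the file once, in chunks, for every requested algorithm."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}

def verify_release(path, expected):
    """True only if SHA256 is announced and every announced digest matches."""
    if "sha256" not in expected:
        return False  # policy of this example: a SHA1-only check is refused
    actual = file_digests(path, expected)
    return all(hmac.compare_digest(actual[a], expected[a]) for a in expected)

if __name__ == "__main__":
    import sys
    ok = verify_release(sys.argv[1], parse_checksums(ANNOUNCEMENT))
    sys.exit(0 if ok else "checksum mismatch")
```

Run it with the path of the downloaded tarball as the only argument; a non-zero exit status means the file does not match the announced digests.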
