Hi,
Unbound 1.5.4 is available:
http://www.unbound.net/downloads/unbound-1.5.4.tar.gz
sha1 ce0abc1563baa776a0f2c21516ffc13e6bff7d0f
sha256 a1e1c1a578cf8447cb51f6033714035736a0f04444854a983123c094cc6fb137

The ratelimiting feature debuts, there is config for the negative cache TTL, and an option to turn off algorithm strictness (requested to stop unbound from checking for algorithm rollover mistakes). Type ANY is answered from cache if a couple of well-known types are available, for speed; it is not an exhaustive cache search. DLV is going to be decommissioned. Added advice to the documentation to stop using it. If the 5011 trust anchor file fails to be writable, unbound will exit (probably soon after startup, within seconds); this is to elicit rollover-operational issues beforehand. Additionally this version has better compatibility backoff for the 0x20 capsforid option, has integer overflow checks for safety, and the local-zone inform_deny option (write log and withhold access to domain).

Features
- [bugzilla: 644] harden-algo-downgrade option, if turned off, fixes the reported excessive validation failure when multiple algorithms are present. If set to 'no', it allows the weakest algorithm to validate the zone.
- stats reports tcp usage, of incoming-num-tcp buffers.
- contrib/unbound_smf22.tar.gz: Solaris SMF installation/removal scripts. Contributed by Yuri Voinov.
- Add ip-transparent config option for bind to non-local addresses.
- Synthesize ANY responses from cache. Does not search exhaustively, but MX, A, AAAA, SOA, NS, also CNAME.
- unbound-control list_insecure command shows the negative trust anchors currently configured, patch from Jelte Jansen.
- ratelimit feature, ratelimit: 1000, can be used to turn it on. It ratelimits recursion effort per zone. For particular names you can configure exceptions in unbound.conf.
- Ratelimit does not apply to prefetched queries, and ratelimit-factor is default 10. Repeated normal queries get resolved and with prefetch stay in the cache.
- unbound-control ratelimit_list lists high rate domains.
- caps-whitelist in unbound.conf allows whitelisting of load balancers that cannot work with caps-for-id or its fallback.
- RFC 7553 RR type URI support, is now enabled by default.
- cache-max-negative-ttl config option, default 3600.
- Add local-zone type inform_deny, that logs query and drops answer.

Bug Fixes
- Unbound exits with a fatal error when the auto-trust-anchor-file fails to be writable. This is seconds after startup. You can load a readonly auto-trust-anchor-file with trust-anchor-file. The file has to be writable to notice the trust anchor change; without it, a trust anchor change will be unnoticed and the system will then become inoperable.
- DLV is going to be decommissioned. Advice to stop using it, and put text in the example configuration and man page to that effect.
- Patch from Brad Smith that syncs compat/getentropy_linux with OpenBSD's version (2015-03-04).
- 0x20 fallback improved: servfail responses do not count as missing comparisons (except if all responses are errors), inability to find nameservers does not fail equality comparisons, many nameservers does not try to compare more than max-sent-count, parse failures start 0x20 fallback procedure.
- store caps_response with best response in case downgrade response happens to be the last one.
- Document that incoming-num-tcp increase is good for large servers.
- Fix lintian warning in unbound-checkconf man page (from Andreas Schulze).
- Updated default keylength in unbound-control-setup to 3k.
- Fixup compile on cygwin, more portable openssl thread id.
- Use reallocarray for integer overflow protection, patch submitted by Loganaden Velvindron.
- Fixed to add integer overflow checks on allocation (defense in depth).
- Fix segfault on user not found at startup (from Maciej Soltysiak).
- [bugzilla: 657] Fix that libunbound(3) recommends deprecated CRYPTO_set_id_callback.
- If unknown trust anchor algorithm, and libressl is used, error message encourages upgrade of the libressl package.
- rename ldns subdirectory to sldns to avoid name collision.
- [bugzilla: 660] Fix interface-automatic broken in the presence of asymmetric routing.
- Libunbound skips dos-line-endings from etc/hosts.
- Fix crash in dnstap: Do not try to log TCP responses after timeout.
- Fix that get_option for cache-sizes does not print double newline.
- [bugzilla: 663] Fix that ssl handshake fails when using unix socket because dh size is too small.
- [bugzilla: 664] libunbound python3 related fixes (from Tomas Hozza); Use print_function also for Python2. libunbound examples: produce sorted output. libunbound-Python: libldns is not used anymore. Fix issue with Python 3 mapping of FILE* using file_py3.i from ldns.
- Fix leaked dns64prefix configuration string.
- Removed contrib/unbound_unixsock.diff, because it has been integrated, use control-interface: /path in unbound.conf.
- Change syntax of particular validator error to be easier for machine parse, swap rrset and ip address info so it looks like:
  validation failure <www.example.nl. TXT IN>: signature crypto failed from 2001:DB8:7:bba4::53 for <*.example.nl. NSEC IN>
- Fix that unparseable error responses are ratelimited.
- SOA negative TTL is capped at minimumttl in its rdata section.
- [bugzilla: 674] Do not free pointers given by getenv.
- [bugzilla: 677] Fix CNAME corresponding to a DNAME was checked incorrectly and was therefore always synthesized (thanks to Valentin Dietrich). And fix DNAME responses from cache that failed internal chain test.
- iana portlist update.

http://www.unbound.net/downloads/unbound-1.5.4.zip and http://www.unbound.net/downloads/unbound_setup_1.5.4.exe are also available.
Best regards,
Wouter

_______________________________________________
Unbound-users mailing list [email protected] http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
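As an added example, not part of the announcement above and not configuration shipped by the Unbound project: an unbound.conf fragment that enables the 1.5.4 options the announcement names (writable 5011 anchor, harden-algo-downgrade, cache-max-negative-ttl, ratelimit with per-name exceptions, caps-whitelist, local-zone inform_deny, incoming-num-tcp, and a unix-socket control-interface), with the permissive alternative shown commented next to the stricter setting. The paths, the zone names and the load balancer name are placeholders chosen for illustration; the per-domain ratelimit option names are taken from the unbound.conf(5) man page of this release, so run unbound-checkconf against the file before deploying it.

```conf
server:
    # 5011 anchor: 1.5.4 exits seconds after startup if this file is not
    # writable, so it must live on a path the unbound user can write.
    # Placeholder path.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    # Read-only alternative. Works, but a root KSK rollover would then go
    # unnoticed and validation would eventually fail for everything:
    # trust-anchor-file: "/etc/unbound/root.key"

    # DLV is being decommissioned; leave dlv-anchor-file unset.

    # Default 'yes': a zone signed with several algorithms must validate
    # with each. Set to 'no' only if you see the bug 644 failures during
    # an algorithm rollover; 'no' lets the weakest algorithm validate.
    harden-algo-downgrade: yes
    # harden-algo-downgrade: no

    # Cap on negative-answer caching (seconds). 3600 is the 1.5.4 default.
    cache-max-negative-ttl: 3600

    # Per-zone recursion ratelimit (queries per second); 0 disables it.
    # Prefetched queries are exempt, so hot names stay in cache.
    ratelimit: 1000
    # Fraction (1/N) of over-limit queries still resolved; 10 is the default.
    ratelimit-factor: 10
    # Exceptions for particular names: a higher limit for one zone, and no
    # limit at all for zones below an internal apex. Placeholder names.
    ratelimit-for-domain: example.com 5000
    ratelimit-below-domain: corp.example 0

    # Load balancer (placeholder name) whose authoritative servers mangle
    # the 0x20 case randomisation and its fallback; exempt it.
    caps-whitelist: lb.example.net

    # Log the query and withhold an answer, instead of refusing silently.
    local-zone: "malware.example." inform_deny

    # Announcement notes a higher value is good for large servers
    # (10 is the default).
    incoming-num-tcp: 50

    # Only enable if you bind to addresses not yet configured on the host.
    ip-transparent: no

remote-control:
    control-enable: yes
    # Unix socket instead of a TCP port; replaces the old
    # contrib/unbound_unixsock.diff patch. Placeholder path.
    control-interface: /run/unbound.ctl
```

After `unbound-checkconf` passes and the daemon is restarted, `unbound-control ratelimit_list` shows zones currently over the limit, `unbound-control list_insecure` lists configured negative trust anchors, and `unbound-control stats` includes the new incoming-num-tcp usage counters; `unbound-control` itself needs no extra flags for the unix socket once control-interface points at a path.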
