[Unbound-users] unbound 1.4.6 released

W.C.A. Wijngaards wouter at NLnetLabs.nl
Tue Aug 3 11:45:00 UTC 2010

Hash: SHA1


Unbound 1.4.6 source code is at
sha1   b0d7c58f173c5c80cc81345f6766555f96bde20d
sha256 9c2ce107b551dbd65d007549caea13ecba7dd30d690821f2bafa9da2d047b9de

For maintainers, this is the same as the rc1 release candidate, but for
the updated ldns tarball inside (which contains some recent bugfixes
that should not impact unbound).

Mostly bugfixes, with this release prompted by the RFC for GOST.  GOST
is enabled if the SSL and ldns support it.  Otherwise, unbound acts as
if GOST is not supported (it becomes insecure).

Also a fix for a corner case misconfiguration and fixes for high load
situations.  It looks like num-queries-per-thread about half of the
outgoing-range is a good setting for overload situations, and the
HOWTO-optimise is adjusted for this.  The defaults have changed too.

    * Builtin root hints contain AAAA for I.ROOT-SERVERS.NET.
    * unbound.h has extern "C" statement for easier include in c++.
    * added feature to print configure date, target and options with -h.
    * added feature to print event backend system details with -h.
    * (ports and works on Minix 3.1.7). On Minix, add /usr/gnu/bin to
PATH, use ./configure AR=/usr/gnu/bin/gar and gmake.
    * GOST enabled if SSL is recent and ldns has GOST enabled too.

Bug Fixes
    * Fix TCPreply on systems with no writev, if just 1 byte could be sent.
    * Fix to use one pointer less for iterator query state store_parent_NS.
    * Max referral count from 30 to 130, because 128 one character
domains is valid DNS.
    * added documentation for the histogram printout to syslog.
    * Fix assertion failure reported by Kai Storbeck from XS4ALL, the
assertion was wrong.
    * updated ldns tarball.
    * iana portlist updated.
    * Unbound reports libev or libevent correctly in logs in verbose mode.
    * Fix handling of corner case reply from lame server, follows
rfc2308. It could lead to a nodata reply getting into the cache if the
search for a non-lame server turned up other misconfigured servers.
    * Fix jostle list bug found by Vince (luoce at cnnic), it caused the
qps in overload situations to be about 5 qps for the class of shortly
serviced queries. The capacity of the resolver is then about
(numqueriesperthread / 2) / (average time for such long queries) qps for
long queries. And about (numqueriesperthread / 2)/(jostletimeout in
whole seconds) qps for short queries, per thread.
    * Fix the max number of reply-address count to be applied for
duplicate queries, and not for new query list entries. This raises the
memory usage to a max of (16+1)*numqueriesperthread reply addresses.
    * Fix RFC4035 compliance with 2.2 statement that the DNSKEY at apex
must be signed with all algorithms from the DS rrset at the parent. This
is now checked and becomes bogus if not.
    * Fix validation of qtype DNSKEY when a key-cache entry exists but
no rr-cache entry is used (it expired or prefetch), it then goes back up
to the DS or trust-anchor to validate the DNSKEY.
    * log if a server is skipped because it is on the donotquery list,
at verbosity 4, to enable diagnosis why no queries to
    * failure to chown the pidfile is not fatal any more.
    * Neat function prototypes, unshadowed local declarations.
    * Fix integer underflow in prefetch ttl creation from cache. This
fixes a potential negative prefetch ttl.
    * Changed the defaults for num-queries-per-thread/outgoing-range.
For builtin-select: 512/960, for libevent 1024/4096 and for windows
24/48 (because of win api). This makes the ratio this way to improve
resilience under heavy load. For high performance, use libevent and
possibly higher numbers.

Best regards,
Version: GnuPG v2.0.14 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/


More information about the Unbound-users mailing list