[Unbound-users] unbound 1.4.8 release
wouter at NLnetLabs.nl
Mon Jan 24 14:47:02 UTC 2011
Unbound 1.4.8 is available:

One major change in this release is fixed algorithm treatment. This is
fixed after long discussions on dnsext (IETF workgroup); it is more
lenient to allow easier key algorithm rollover, but at the same time
unbound still checks that the algorithms advertised (via trust anchor or
DS record) really work. In actual deployments changes happen if you have
multiple DNSKEY algorithms in trust anchors or published DS RRsets. It
would be good for our users to pick up this fix, and implement it, so
that key algorithm rollover becomes easier on the internet.

Also fixed is 'imgw.pl'; many people reported this, and now unbound has
'bind-like' lenience for this.

o harden-below-nxdomain config option, default off (because very old
  software may be incompatible). We could enable it by default in
  the future. From draft-vixie-dnsext-resimprove-00.
o typetransparent localzone: does not block other RR types.
o so-sndbuf option for very busy servers, a bit like so-rcvbuf.
o Fix so a changed NS RRset does not get moved name stuck on old
  server, for type NS the TTL is not increased.
o Fix prefetch so it does not get stuck on old server for moved names.
o Fix insecure CNAME sequence marked as secure, reported by Bert
o faster lruhash get_mem routine.
o #346: remove ITAR scripts from contrib, the service is discontinued.
o Fix in infra cache that could cause rto larger than TOP_TIMEOUT
o algorithm compromise protection using the algorithms signalled in
  the DS record. Also, trust anchors, DLV, and RFC5011 receive this,
  and thus, if you have multiple algorithms in your trust-anchor-file
  then it will now behave different than before. Also, 5011 rollover
  for algorithms needs to be double-signature until the old algorithm
o squelch 'tcp connect: bla' in logfile, (set verbosity 2 to see
o fix validation in this case: CNAME to nodata for co-hosted opt-in
  NSEC3 insecure delegation, was bogus, fixed to be insecure.
o Fix our 'BDS' license (typo reported by Xavier Belanger).
o #338: print address when socket creation fails.
o Fix storage of EDNS failures in the infra cache.
o silence 'tcp connect: broken pipe' and 'net down' at low verbosity.
o unbound-anchor compiles with openssl 0.9.7.
o Be lenient and accept imgw.pl malformed packet (like BIND).
o the included ldns tarball is updated (to 1.6.8)
o iana portlist updated.
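
A simplified model of the algorithm check described in this announcement, added here as an example and not taken from Unbound's source. It assumes that every supported algorithm signalled in the DS RRset or trust anchor must yield a valid signature over the DNSKEY RRset, while algorithms that appear only in the DNSKEY RRset are not required; the function names and rollover steps are constructed for illustration.

```python
# Added example: a simplified model, not Unbound code.
RSASHA1, RSASHA256 = 5, 8           # IANA DNSSEC algorithm numbers
SUPPORTED = {RSASHA1, RSASHA256}    # assumption: algorithms this validator implements


def dnskey_status(signalled, verified, supported=SUPPORTED):
    """Classify a zone's DNSKEY RRset.

    signalled: algorithms present in the DS RRset (or trust anchor)
    verified:  algorithms for which a valid RRSIG over the DNSKEY RRset was found
    """
    required = set(signalled) & set(supported)
    if not required:
        return "insecure"           # nothing signalled that we can check
    missing = required - set(verified)
    # Algorithms in 'verified' but not in 'signalled' are ignored (the lenient part).
    return "bogus" if missing else "secure"


def check_rollover(steps):
    """Return [(label, status)] for each (label, ds_algos, verified_algos) step."""
    return [(label, dnskey_status(ds, sigs)) for label, ds, sigs in steps]


def first_failure(steps):
    """Label of the first step a validator would reject, or None."""
    for label, status in check_rollover(steps):
        if status == "bogus":
            return label
    return None


# Constructed rollover from algorithm 5 to algorithm 8, safe ordering.
GOOD_ORDER = [
    ("start",                       {5},    {5}),
    ("zone double-signs with 5+8",  {5},    {5, 8}),
    ("parent publishes both DS",    {5, 8}, {5, 8}),
    ("parent drops old DS",         {8},    {5, 8}),
    ("zone drops old algorithm",    {8},    {8}),
]
# Constructed unsafe ordering: the new DS appears before the zone signs with 8.
BAD_ORDER = [
    ("start",                       {5},    {5}),
    ("parent publishes new DS",     {5, 8}, {5}),
]

if __name__ == "__main__":
    for label, status in check_rollover(GOOD_ORDER + BAD_ORDER[1:]):
        print(f"{status:8} {label}")
```
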