Unbound 1.6.4 release

W.C.A. Wijngaards wouter at nlnetlabs.nl
Tue Jun 27 10:51:08 UTC 2017


Hi,

Unbound 1.6.4 is available:
https://unbound.net/downloads/unbound-1.6.4.tar.gz
sha256 df0a88816ec31ccb8284c9eb132e1166fbf6d9cde71fbc4b8cd08a91ee777fed
pgp https://unbound.net/downloads/unbound-1.6.4.tar.gz.asc


This release contains key tag signaling RFC8145 support.  B root is
renumbered in the default root hints.  The dnscrypt code supports the
chacha cipher.  The Unbound DNSSEC validator supports the ED25519
algorithm.  The redirect-bogus patch in contrib can send validation
failure users to a landing page.

Source tarball, pgp signatures and windows binaries available here:
https://www.unbound.net/download.html


Features:
- Implemented trust anchor signaling using key tag query.
- unbound-checkconf -o allows query of dnstap config variables.
  Also unbound-control get_option.  Also for dnscrypt.
- unbound.h exports the shm stats structures.  They use
  type long long and no ifdefs, and ub_ before the typenames.
- Implemented opportunistic IPsec support module (ipsecmod).
- Added redirect-bogus.patch to contrib directory.
- Support for the ED25519 algorithm with openssl (from openssl 1.1.1).
- renumbering B-Root's IPv6 address to 2001:500:200::b.
- Fix #1276: [dnscrypt] add XChaCha20-Poly1305 cipher.
- Fix #1277: disable domain ratelimit by setting value to 0.
- Added fastrpz patch to contrib

Bug Fixes:
- Added ECS unit test (from Manu Bretelle).
- ECS documentation fix (from Manu Bretelle).
- Fix #1252: more indentation inconsistencies.
- Fix #1253: unused variable in edns-subnet/addrtree.c:getbit().
- Fix #1254: clarify ratelimit-{for,below}-domain (from Manu Bretelle).
- iana portlist update
- Based on #1257: check parse limit before t increment in sldns RR
  string parse routine.
- Fix #1258: Windows 10 X64 unbound 1.6.2 service will not start,
  and fix 64bit getting installed in C:\Program Files (x86).
- Fix #1259: "--disable-ecdsa" argument overwritten
  by "#ifdef SHA256_DIGEST_LENGTH at daemon/remote.c".
- iana portlist update
- Added test for leak of stub information.
- Fix sldns wire2str printout of RR type CAA tags.
- Fix sldns int16_data parse.
- Fix sldns parse and printout of TSIG RRs.
- sldns SMIMEA and AVC definitions, same as getdns definitions.
- Fix tcp-mss failure printout text.
- Set SO_REUSEADDR on outgoing tcp connections to fix the bind before
  connect limited tcp connections.  With the option tcp connections
  can share the same source port (for different destinations).
- Add 'c' to getopt() in testbound.
- Adjust servfail by iterator to not store in cache when serve-expired
  is enabled, to avoid overwriting useful information there.
- Fix queries for nameservers under a stub leaking to the internet.
- document trust-anchor-signaling in example config file.
- updated configure, dependencies and flex output.
- better module memory lookup, fix of unbound-control shm names for
  module memory printout of statistics.
- Fix type AVC sldns rrdef.
- Some whitespace fixup.
- Fix #1265: contrib/unbound.service contains hardcoded path.
- Fix #1265 to use /bin/kill.
- Fix #1267: Libunbound validator/val_secalgo.c uses obsolete APIs,
  and compatibility with BoringSSL.
- Fix #1268: SIGSEGV after log_reopen.
- exec_prefix is by default equal to prefix.
- printout localzone for duplicate local-zone warnings.
- Fix assertion for low buffer size and big edns payload when worker
  overrides udpsize.
- Support for openssl EVP_DigestVerify.
- Fix #1269: inconsistent use of built-in local zones with views.
- Add defaults for new local-zone trees added to views using
  unbound-control.
- Fix #1273: cachedb.c doesn't compile with -Wextra.
- If MSG_FASTOPEN gives EPIPE fallthrough to try normal tcp write.
- Also use global local-zones when there is a matching view that does
  not have any local-zone specified.
- Fix fastopen EPIPE fallthrough to perform connect.
- Fix #1274: automatically trim chroot path from dnscrypt key/cert paths
  (from Manu Bretelle).
- Fix #1275: cached data in cachedb is never used.
- Fix that unbound-control can set val_clean_additional and
  val_permissive_mode.
- Add dnscrypt XChaCha20 tests.
- Detect chacha for dnscrypt at configure time.
- dnscrypt unit tests with chacha.
- Added domain name based ECS whitelist.
- Fix #1278: Incomplete wildcard proof.
- Fix #1279: Memory leak on reload when python module is enabled.
- Fix #1280: Unbound fails assert when response from authoritative
  contains malformed qname.  When 0x20 caps-for-id is enabled, when
  assertions are not enabled the malformed qname is handled correctly.
- More fixes in depth for buffer checks in 0x20 qname checks.
- Fix stub zone queries leaking to the internet for
  harden-referral-path ns checks.
- Fix query for refetch_glue of stub leaking to internet.
- Fix #1301: memory leak in respip and tests.
- Free callback in edns-subnetmod on exit and restart.
- Fix memory leak in sldns_buffer_new_frm_data.
- Fix memory leak in dnscrypt config read.
- Fix dnscrypt chacha cert support ifdefs.
- Fix dnscrypt chacha cert unit test escapes in grep.
- Fix to unlock view in view test.
- Fix warning in pythonmod under clang compiler.
- Fix lintian typo.
- Fix #1316: heap read buffer overflow in parse_edns_options.

Best regards, Wouter



More information about the Unbound-users mailing list