Unbound 1.7.1rc1 pre-release

W.C.A. Wijngaards wouter at nlnetlabs.nl
Thu Apr 26 09:11:08 UTC 2018


For the fast server selection options, the added note needs to be there
that these options are experimental at this time.  We are interested in
user experiences, and are intending to look at the expressiveness that
is desired for ease of use and applicability.

Also, the "pct" part of low-rtt-pct is technically the wrong term and we
intend to replace it with "promille" (likely in a future release,
together with user experience feedback changes).

Best regards, Wouter

On 26/04/18 10:09, W.C.A. Wijngaards via Unbound-users wrote:
> Hi,
> Unbound 1.7.1rc1 pre-release is available:
> https://unbound.net/downloads/unbound-1.7.1rc1.tar.gz
> sha256 46f48ef7c1dde9363d647edbb0f2bdee48be3ef0f53dbc1169f1076aae6ff4e6
> pgp https://unbound.net/downloads/unbound-1.7.1rc1.tar.gz.asc
> This is the maintainers pre-release.
> This release has root key sentinel support, default on, from draft
> draft-ietf-dnsop-kskroll-sentinel.  The root key sentinel helps the root
> key rollover process by providing insight into the distribution of the
> key material over the resolver population.  For that, the resolver gives
> responses indicating which keys are in use by the resolver.
> Crypto support for ED448 has been added.  ED25519 was already supported
> in a previous release.  The crypto algorithm code is default turned on
> if support is detected at configure time.  The openssl 1.1.1 beta
> versions have ED448, and also ED25519 support.
> For DNS over TLS, the tcp length is sent in the same packet as the tcp
> content, for the TLS connections, providing a speed up.  Also TLS
> authentication can be enabled by specifying the TLS auth name in
> unbound.conf.  An example config for large public cloud dns over tls
> resolvers is this.
> server:
>   tls-cert-bundle: "ca-bundle.pem"
> forward-zone:
>   name: "."
>   forward-addr: ""
>   forward-addr: ""
>   forward-tls-upstream: yes
> It is possible to have unbound as a TLS server serve TLS on different
> ports, with additional-tls-port.  Use this to set up dns over tls
> service on both ports 853 and 443.
> For fast server selection, there are new options low-rtt and
> low-rtt-pct.  For example set low-rtt-pct: 900 to enable it.
> There is hiredis support for the cachedb module.
> Monitoring of the new agrressive NSEC and auth zone root local copy
> features is possible with statistics counters for agressive NSEC and for
> auth zone usage.  Auth zone supports incoming NOTIFYs, from masters and
> from allow-notify hosts.  Auth zones can be listed from unbound-control
> with their SOA serial number.
> Unbound-control set_option and get_option needed different ':'
> placement, the current release allows with and without ':' syntax.
> Features
> - Add --with-libhiredis, unbound support for a new cachedb
>   backend that uses a Redis server as the storage.  This
>   implementation depends on the hiredis client library
>   (https://redislabs.com/lp/hiredis/).
>   And unbound should be built with both --enable-cachedb and
>   --with-libhiredis[=PATH] (where $PATH/include/hiredis/hiredis.h
>   should exist).  Patch from Jinmei Tatuya (Infoblox).
> - Create additional tls service interfaces by opening them on other
>   portnumbers and listing the portnumbers as additional-tls-port: nr.
> - ED448 support.
> - num.query.authzone.up and num.query.authzone.down statistics counters.
> - Accept both option names with and without colon for get_option
>   and set_option.
> - low-rtt and low-rtt-pct in unbound.conf enable the server selection
>   of fast servers for some percentage of the time.
> - num.query.aggressive.NOERROR and num.query.aggressive.NXDOMAIN
>   statistics counters.
> - allow-notify: config statement for auth-zones.
> - Can set tls authentication with forward-addr: IP#tls.auth.name
>   And put the public cert bundle in tls-cert-bundle: "ca-bundle.pem".
>   such as forward-addr: at 853#dns.quad9.net or
> at 853#cloudflare-dns.com
> - list_auth_zones unbound-control command.
> - Added root-key-sentinel support
> Bug Fixes
> - Fix #3727: Protocol name is TLS, options have been renamed but
>   documentation is not consistent.
> - Check IXFR start serial.
> - Fix typo in documentation.
> - Fix #3736: Fix 0 TTL domains stuck on SERVFAIL unless manually
>   flushed with serve-expired on.
> - Fix #3817: core dump happens in libunbound delete, when queued
>   servfail hits deleted message queue.
> - corrected a minor typo in the changelog.
> - move htobe64/be64toh portability code to cachedb.c.
> - iana port update.
> - Do not use cached NSEC records to generate negative answers for
>   domains under DNSSEC Negative Trust Anchors.
> - Fix unbound-control get_option aggressive-nsec
> - Check "result" in dup_all(), by Florian Obser.
> - Fix #4043: make test fails due to v6 presentation issue in macOS.
> - Fix unable to resolve after new WLAN connection, due to auth-zone
>   failing with a forwarder set.  Now, auth-zone is only used for
>   answers (not referrals) when a forwarder is set.
> - Combine write of tcp length and tcp query for dns over tls.
> - nitpick fixes in example.conf.
> - Fix above stub queries for type NS and useless delegation point.
> - Fix unbound-control over pipe with openssl 1.1.1, the TLSv1.3
>   tls_choose_sigalg routine does not allow the ciphers for the pipe,
>   so use TLSv1.2.
> - Fix that flush_zone sets prefetch ttl expired, so that with
>   serve-expired enabled it'll start prefetching those entries.
> - Fix downstream auth zone, only fallback when auth zone fails to
>   answer and fallback is enabled.
> - Fix for max include depth for authzones.
> - Fix memory free on fail for $INCLUDE in authzone.
> - Fix that an internal error to look up the wrong rr type for
>   auth zone gets stopped, before trying to send there.
> - Fix auth zone target lookup iterator.
> - Fix auth-zone retry timer to be on schedule with retry timeout,
>   with backoff.  Also time a refresh at the zone expiry.
> - Fix #658: unbound using TLS in a forwarding configuration does not
>   verify the server's certificate (RFC 8310 support).
> - For addr with #authname and no @port notation, the default is 853.
> - man page documentation for dns-over-tls forward-addr '#' notation.
> - removed free from failed parse case.
> - Fix #4091: Fix that reload of auth-zone does not merge the zonefile
>   with the previous contents.
> - Delete auth zone when removed from config.
> - makedist uses bz2 for expat code, instead of tar.gz.
> - Fix #4092: libunbound: use-caps-for-id lacks colon in
>   config_set_option.
> - auth zone http download stores exact copy of downloaded file,
>   including comments in the file.
> - Fix sldns parse failure for CDS alternate delete syntax empty hex.
> - Attempt for auth zone fix; add of callback in mesh gets from
>   callback does not skip callback of result.
> - Fix cname classification with qname minimisation enabled.
> - Fix contrib/fastrpz.patch for this release.
> - Fix auth https for libev.
> - Fix memory leak when caching wildcard records for aggressive NSEC use
> - Fix for crash in daemon_cleanup with dnstap during reload,
>   from Saksham Manchanda.
> - Also that for dnscrypt.
> Best regards, Wouter

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.nlnetlabs.nl/pipermail/unbound-users/attachments/20180426/7fb814bc/attachment.bin>

More information about the Unbound-users mailing list