Unbound 1.8.0rc1 pre-release

Yuri yvoinov at gmail.com
Wed Sep 5 12:48:07 UTC 2018


On test server runs ok. Will test on Windows today.


04.09.2018 15:09, Wouter Wijngaards via Unbound-users wrote:
> Hi,
>
> Unbound 1.8.0rc1 pre-release is available:
> https://nlnetlabs.nl/downloads/unbound/unbound-1.8.0rc1.tar.gz
> sha256 9baa68a9aedc163ea2ad23787e396bf47ae5af1e4b1e86d6801e5fda0e9909a6
> pgp https://nlnetlabs.nl/downloads/unbound/unbound-1.8.0rc1.tar.gz.asc
>
> Windows zip files and setup.exe are also available,
> https://nlnetlabs.nl/downloads/unbound/unbound-1.8.0rc1-w32.zip
> https://nlnetlabs.nl/downloads/unbound/unbound-1.8.0rc1.zip
> https://nlnetlabs.nl/downloads/unbound/unbound_setup_1.8.0rc1-w32.exe
> https://nlnetlabs.nl/downloads/unbound/unbound_setup_1.8.0rc1.exe
>
> With pgp signatures
> https://nlnetlabs.nl/downloads/unbound/unbound-1.8.0rc1-w32.zip.asc
> https://nlnetlabs.nl/downloads/unbound/unbound-1.8.0rc1.zip.asc
> https://nlnetlabs.nl/downloads/unbound/unbound_setup_1.8.0rc1-w32.exe.asc
> https://nlnetlabs.nl/downloads/unbound/unbound_setup_1.8.0rc1.exe.asc
>
>
> This is the pre-release for version 1.8.0rc1.
>
> This release has a number of bug fixes, a list of features added and
> some defaults changed.
>
> The defaults that are changed enable options that have been introduced
> in the past with an option that defaulted to off, but have proven to
> work, improve speed and resilience and we would now recommend to enable
> when configuring the server.  Still the option exists if you want to
> manually specify the feature.
>
> New features include options for unbound-control: auth_zone_reload,
> auth_zone_transfer.  New counters in the statistics output:
> num.queries.tls, num.query.subnet, num.query.subnet_cache.  New options
> in unbound.conf: dns64-ignore-aaaa, tcp-idle-timeout,
> edns-tcp-keepalive, edns-tcp-keepalive-timeout, tcp-connection-limit,
> stub-no-cache, forward-no-cache, log-servfail, log-local-actions,
> serve-expired-ttl, serve-expired-ttl-reset.  Commandline options -R (use
> direct queries) for unbound-anchor, -d (delay) for streamtcp.  There is
> support for RR type SMIMEA.  There is support for EDNS option EDNS
> KeepAlive.
>
> The libunbound library has gone up an api version increment because one
> of the callback signatures has changed.  New information is available to
> the callback, existing usage of the function could conceivably get an
> upgrade by ignoring the extra function call parameter.  For python
> scripts, a similar situation, where new information has been made
> available to the callback functions, in the form of extra function call
> parameters.  This information is also available to module callbacks
> internally.  For python the extra arguments functionality is used to
> extend the arguments.  The extra information is connection information,
> exposing the client's IP address to the callback function and whether
> the query failed because of rate limiting.
>
> There are a number of bug fixes for Qname minimisation, and a number of
> fixes for auth-zone functionality.  And there has been a fix in the
> processing of dns64 negative cache entries and a fix about fallthrough
> in the view local-zone processing functionality.
>
>
> Features
> - unbound-control auth_zone_reload _zone_ option rereads the zonefile.
> - unbound-control auth_zone_transfer _zone_ option starts the probe
>   sequence for a master to transfer the zone from and transfers when
>   a new zone version is available.
> - num.queries.tls counter for queries over TLS.
> - log port number with err_addr logs.
> - dns64-ignore-aaaa: config option to list domain names for which the
>   existing AAAA is ignored and dns64 processing is used on the A
>   record.
> - Fix #4112: Fix that unbound-anchor -f /etc/resolv.conf will not pass
>   if DNSSEC is not enabled.  New option -R allows fallback from
>   resolv.conf to direct queries.
> - Note RFC8162 support.  SMIMEA record type can be read in by the
>   zone record parser.
> - Patches from Jim Hague (Sinodun) for EDNS KeepAlive.
> - Add config tcp-idle-timeout (default 30s). This applies to
>   client connections only; the timeout on TCP connections upstream
>   is unaffected.
> - Add edns-tcp-keepalive and edns-tcp-keepalive timeout options
>   and implement option in client responses.
> - Add delay parameter to streamtcp, -d secs.
>   To be used when testing idle timeout.
> - Expose if a query (or a subquery) was ratelimited (not src IP
>   ratelimiting) to libunbound under 'ub_result.was_ratelimited'.
>   This also introduces a change to 'ub_event_callback_type' in
>   libunbound/unbound-event.h.
> - Patch to implement tcp-connection-limit from Jim Hague (Sinodun).
>   This limits the number of simultaneous TCP client connections
>   from a nominated netblock.
> - Fix #4142: unbound.service.in: improvements and fixes.
>   Add unit dependency ordering (based on systemd-resolved).
>   Add 'CAP_SYS_RESOURCE' to 'CapabilityBoundingSet' (fixes warnings
>   about missing privileges during startup). Add 'AF_INET6' to
>   'RestrictAddressFamilies' (without it IPV6 can't work). From
>   Guido Shanahan.
> - unbound-checkconf checks if modules exist and prints if they are
>   not compiled in the name of the wrong module.
> - Patch for stub-no-cache and forward-no-cache options that disable
>   caching for the contents of that stub or forward, for when you
>   want immediate changes visible, from Bjoern A. Zeeb.
> - Upgraded crosscompile script to include libunbound DLL in the
>   zipfile.
> - Set libunbound to increase current, because of the libunbound change
>   to the event callback function signature.  That needs programs,
>   that use it, to recompile against the new header definition.
> - log-servfail: yes prints log lines that say why queries are
>   returning SERVFAIL to clients.
> - log-local-actions: yes option for unbound.conf that logs all the
>   local zone actions, a patch from Saksham Manchanda (Secure64).
> - #4146: num.query.subnet and num.query.subnet_cache counters.
> - #4140: Expose repinfo (comm_reply) to the inplace_callbacks. This
>   gives access to reply information for the client's communication
>   point when the callback is called before the mesh state (modules).
>   Changes to C and Python's inplace_callback signatures were also
>   necessary.
> - Set defaults to yes for a number of options to increase speed and
>   resilience of the server.  The so-reuseport, harden-below-nxdomain,
>   and minimal-responses options are enabled by default.  They used
>   to be disabled by default, waiting to make sure they worked.  They
>   are enabled by default now, and can be disabled explicitly by
>   setting them to "no" in the unbound.conf config file.  The reuseport
>   and minimal options increase speed of the server, and should be
>   otherwise harmless.  The harden-below-nxdomain option works well
>   together with the recently default enabled qname minimisation, this
>   causes more fetches to use information from the cache.
> - Added serve-expired-ttl and serve-expired-ttl-reset options.
>
>
> Bug Fixes
> - Windows example service.conf edited with more windows specific
>   configuration.
> - #4108: systemd reload hang fix.
> - Fix usage printout for unbound-host, hostname has to be last
>   argument on BSDs and Windows.
> - Partial fix for permission denied on IPv6 address on FreeBSD.
> - Fix that auth-zone master reply with current SOA serial does not
>   stop scan of masters for an updated zone.
> - Fix that auth-zone does not start the wait timer without checking
>   if the wait timer has already been started.
> - #4109: Fix that package config depends on python unconditionally.
> - Patch, do not export python from pkg-config, from Petr Menšík.
> - Fix checking for libhiredis printout in configure output.
> - Fix typo on man page in ip-address description.
> - Update libunbound/python/examples/dnssec_test.py example code to
>   also set the 20326 trust anchor for the root in the example code.
> - Better documentation for unblock-lan-zones and insecure-lan-zones
>   config statements.
> - Fix permission denied printed for auth zone probe random port nrs.
> - Fix documentation ambiguity for tls-win-cert in tls-upstream and
>   forward-tls-upstream docs.
> - iana port update.
> - Fix round robin for failed addresses with prefer-ip6: yes
> - Note in documentation that the cert name match code needs
>   OpenSSL 1.1.0 or later to be enabled.
> - Fix to improve systemd socket activation code file descriptor
>   assignment.
> - Fix for 4126 that the #define for UNKNOWN_SERVER_NICENESS can be more
>   easily changed to adjust default rtt assumptions.
> - Fix #4127 unbound -h does not list -p help.
> - Print error if SSL name verification configured but not available
>   in the ssl library.
> - Fix that ratelimit and ip-ratelimit are applied after reload of
>   changed config file.
> - Resize ratelimit and ip-ratelimit caches if changed on reload.
> - Fix #4129 unbound-control error message with wrong cert permissions
>   is too cryptic.
> - Fix #4130: print text describing -dd and unbound-checkconf on
>   config file read error at startup, the errors may have been moved
>   away by the startup process.
> - Fix #4131: for solaris, error YY_CURRENT_BUFFER undeclared.
> - Fix use-systemd readiness signalling, only when use-systemd is yes
>   and not in signal handler.
> - Fix #4135: 64-bit Windows Installer Creates Entries Under The
>   Wrong Registry Key, reported by Brian White.
> - Fix man page, say that chroot is enabled by default.
> - Sort out test runs when the build directory isn't the project
>   root directory.
> - Error if EDNS Keepalive received over UDP.
> - Correct and expand manual page entries for keepalive and idle timeout.
> - Implement progressive backoff of TCP idle/keepalive timeout.
> - Fix 'make depend' to work when build dir is not project root.
> - Fix #4139: Fix unbound-host leaks memory on ANY.
> - Fix to remove systemd sockaddr function check, that is not
>   always present.  Make socket activation more lenient.  But not
>   different when socket activation is not used.
> - Fix #4136: insufficiency from mismatch of FLEX capability between
>   released tarball and build host.  Fix to unconditionally call
>   destroy in daemon.c.
> - Make capsforid fallback QNAME minimisation aware.
> - document --enable-subnet in doc/README.
> - Fix #4144: dns64 module caches wrong (negative) information.
> - Fix that printout of error for cycle targets is a verbosity 4
>   printout and does not wrongly print it is a memory error.
> - Fix segfault in auth-zone read and reorder of RRSIGs.
> - Fix contrib/fastrpz.patch.
> - Fix warning on compile without threads.
> - print servfail info to log as error.
> - added more servfail printout statements, to the iterator.
> - Fix classification for QTYPE=CNAME queries when QNAME minimisation is
>   enabled.
> - Fix only misc failure from log-servfail when val-log-level is not
>   enabled.
> - Fix lintflags for lint on FreeBSD.
> - Fix that a local-zone with a local-zone-type that is transparent
>   in a view with view-first, makes queries check for answers from the
>   local-zones defined outside of views.
>
>
> Best regards, Wouter
>

-- 
"C++ seems like a language suitable for firing other people's legs."

*****************************
* C++20 : Bug to the future *
*****************************

