Unbound 1.9.2 released

Chris Public2 at xymox1.com
Tue Jun 18 03:23:01 UTC 2019


AWESOME !  NEW TOY !

On 6/17/2019 2:38 AM, Wouter Wijngaards via Unbound-users wrote:
> Hi,
>
> Unbound 1.9.2 is available:
> https://nlnetlabs.nl/downloads/unbound/unbound-1.9.2.tar.gz
> sha256 6f7acec5cf451277fcda31729886ae7dd62537c4f506855603e3aa153fcb6b95
> pgp https://nlnetlabs.nl/downloads/unbound/unbound-1.9.2.tar.gz.asc
>
>
> This release contains a number of bug fixes for crashes introduced in
> 1.9, session ticket code, stream pipeline code, auth zone code and it
> also fixes qname minimisation packet scrub failures.
>
> There is a new python module example.  This is an example of a module
> that is loaded into unbound that changes DNS messages, and how Unbound
> processes them.  The example resolves records in multicast DNS, with Avahi.
>
> AXFR over TLS is supported.  This uses TLS to connect to the master and
> download the AXFR or IXFR.  Enable by loading certificates (just like
> for other DNS over TLS), and syntax like master: "ip#authname" in
> unbound.conf for the auth-zone where you want to use this.
>
>
> Features
> - add type CAA to libpyunbound (accessing libunbound from python).
> - Fix #17: Add python module example from Jan Janak, that is a
>    plugin for the Unbound DNS resolver to resolve DNS records in
>    multicast DNS [RFC 6762] via Avahi.  The plugin communicates
>    with Avahi via DBus. The comment section at the beginning of
>    the file contains detailed documentation.
> - travis build file.
> - PR #16: XoT support, AXFR over TLS, turn it on with
>    master: <ip>#<authname> in unbound.conf.  This uses TLS to
>    download the AXFR (or IXFR).
>
> Bug Fixes
> - Fix for #4233: guard use of NDEBUG, so that it can be passed in
>    CFLAGS into configure.
> - Add log message, at verbosity 4, that says the query is encrypted
>    with TLS, if that is enabled for the query.
> - Fix #4239: set NOTIMPL when deny-any is enabled, for RFC8482.
> - Fix #4240: Fix whitespace cleanup in example.conf.
> - Fix that tls-session-ticket-keys: "" on its own in unbound.conf
>    disables the tls session ticket key calls into the OpenSSL API.
> - Fix crash if tls-service-pem not filled in when necessary.
> - Fix auth-zone NSEC3 response for empty nonterminals with exact
>    match nsec3 records.
> - Fix for out of bounds integers, thanks to OSTIF audit.  It is in
>    allocation debug code.
> - Fix for auth zone nsec3 ent fix for wildcard nodata.
> - Move goto label in answer_from_cache to the end of the function
>    where it is more visible.
> - Fix auth-zone NSEC3 response for wildcard nodata answers,
>    include the closest encloser in the answer.
> - Fix spelling error in log output for event method.
> - Fix to reinit event structure for accepted TCP (and TLS) sockets.
> - Fix to use event_assign with libevent for thread-safety.
> - verbose information about auth zone lookup process, also lookup
>    start, timeout and fail.
> - Fix to wipe ssl ticket keys from memory with explicit_bzero,
>    if available.
> - Fix that auth zone uses correct network type for sockets for
>    SOA serial probes.  This fixes that probes fail because earlier
>    probe addresses are unreachable.
> - Fix that auth zone fails over to next master for timeout in tcp.
> - Squelch SSL read and write connection reset by peer and broken pipe
>    messages.  Verbosity 2 and higher enables them.
> - Update python documentation for init_standard().
> - Typos.
> - Fix tls write event for read state change to re-call SSL_write and
>    not resume the TLS handshake.
> - Better braces in if statement in TCP fastopen code.
> - iana portlist updated.
> - Scrub RRs from answer section when reusing NXDOMAIN message for
>    subdomain answers.
> - For harden-below-nxdomain: do not consider a name to be non-existent
>    when message contains a CNAME record.
> - Fix wrong query name in local zone redirect answers with a CNAME,
>    the copy of the local alias is in unpacked form.
> - contrib/fastrpz.patch updated for code changes, and with git diff.
> - Fix #29: Solaris 11.3 and missing symbols be64toh, htobe64.
> - Fix #30: AddressSanitizer finding in lookup3.c.  This sets the
>    hash function to use a slower but better auditable code that does
>    not read beyond array boundaries.  This makes code better security
>    checkable, and is better for security.  It is fixed to be slower,
>    but not read outside of the array.
> - Fix edns-subnet locks, in error cases the lock was not unlocked.
> - Fix doxygen output error on readme markdown vignettes.
> - Squelch log messages from tcp send about connection reset by peer.
>    They can be enabled with verbosity at higher values for diagnosing
>    network connectivity issues.
> - Attempt to fix malformed tcp response.
> - Fix #31: swig 4.0 and python module.
> - Note that so-reuseport at extreme load is better turned off,
>    otherwise queries are not distributed evenly, on Linux 4.4.x.
> - Fix that spoolbuf is not used to store tcp pipelined response
>    between mesh send and callback end.
> - Fix double file close in tcp pipelined response code.
> - Fix to define _OPENBSD_SOURCE to get reallocarray on NetBSD.
> - Fix to guard _OPENBSD_SOURCE from redefinition.
> - Fix that fixes the Fix that spoolbuf is not used to store tcp
>    pipelined response between mesh send and callback end, this fixes
>    error cases that did not use the correct spoolbuf.
> - Fix that fixes the Fix that spoolbuf is not used to store tcp
>    pipelined response between mesh send and callback end, this fixes
>    error cases that did not use the correct spoolbuf.
> - Fix another spoolbuf storage code point, in prefetch.
>
> Best regards, Wouter
>
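
The AXFR-over-TLS setup described in the announcement, as an added unbound.conf sketch that is not part of the original message or the Unbound distribution. The zone name, the 192.0.2.53 address, the authname xfr.example.org and both file paths are placeholder assumptions.

```conf
# unbound.conf fragment (added example; all names, addresses and paths are placeholders)
server:
    # CA bundle used to verify certificates for outgoing TLS connections,
    # the same setting used for DNS over TLS to upstreams.
    # The path is an assumption and differs per distribution.
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

auth-zone:
    name: "example.org."
    # Before: plain-text transfer from the master
    # master: 192.0.2.53
    # After: ip#authname syntax from the announcement; the AXFR (or IXFR)
    # is downloaded over TLS and the name after '#' is the TLS
    # authentication name for the master.
    master: 192.0.2.53#xfr.example.org
    zonefile: "example.org.zone"
```

With the verbosity 4 log message added in this release, the log can be used to check whether a query was sent encrypted with TLS.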



