Unbound 1.9.1rc1 pre-release

Wouter Wijngaards wouter at nlnetlabs.nl
Tue Mar 5 09:37:16 UTC 2019


Unbound 1.9.1rc1 pre-release is available:
sha256 d632c8690291c709e4bc73eea7e8146e1bdc6896be5072e5ba1cb8add48bce6f
pgp https://www.nlnetlabs.nl/downloads/unbound/unbound-1.9.1rc1.tar.gz.asc

And also pgp with .asc appended.  And sha256 with .sha256 appended.

This release contains bug fixes for two issues in the out-of-order
processing introduced in 1.9.0: one where the wrong answer was returned,
and a crash bug in file descriptor handling.

There are fixes for compiling on Windows with pythonmod support.  You need
to compile the source with that option enabled for it: either compile on
Windows itself (with gcc or clang), or cross-compile with
mingw64-configure as the start of the compile run, and enable the
pythonmod configure option.

There is also a fix for qname minimisation, which could have skipped a
label-fetch step when it should not have.  This was caused by certain
recursion situations and the subsequent continuation of qname minimisation.
Qname minimisation in Unbound is designed to sometimes add several
labels at a time, instead of always adding one label at a time and
performing lookups until the full qname is reached, because certain
names are very long, especially in the IPv6 reverse space.  Unbound
performs short steps near the top, in the root and TLDs, but then makes
longer label-add steps when the name is very long, near the left side of
the qname.  This is to keep the lookup latency short.
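The stepping strategy described above, as an added illustration that is not Unbound's own code: the step sizes (three single-label steps, then about half the remaining labels per query) are an assumption chosen to show the idea, not Unbound's exact policy. The constructed sample is the reverse name for 2001:db8::1.

```python
# Illustrative model of stepwise qname minimisation.  ASSUMED policy, not
# Unbound's exact step sizes: add one label per query near the root and TLD,
# then add several labels at a time, so that a 34-label IPv6 reverse name does
# not cost 34 round trips.

ONE_LABEL_STEPS = 3   # assumed number of single-label steps near the top


def labels(name: str) -> list[str]:
    """Split a dotted name into labels, root side first:
    'www.example.com.' -> ['com', 'example', 'www']."""
    return [lab for lab in name.strip(".").split(".") if lab][::-1]


def join(labs: list[str]) -> str:
    """Inverse of labels(): rebuild a fully qualified, dot-terminated name."""
    return ".".join(reversed(labs)) + "."


def next_query_name(full: str, current: str, steps_done: int) -> str:
    """Next minimised query name, given the full qname, the name already
    resolved to a delegation ('current') and the number of steps taken."""
    full_labs, cur_labs = labels(full), labels(current)
    remaining = len(full_labs) - len(cur_labs)
    if remaining <= 0:
        return join(full_labs)
    if steps_done < ONE_LABEL_STEPS:
        add = 1                              # short steps in root and TLDs
    else:
        add = max(1, (remaining + 1) // 2)   # assumed: add about half of what is left
    return join(full_labs[: len(cur_labs) + add])


def minimise_sequence(full: str) -> list[str]:
    """All query names issued, starting at the root, until the full qname is reached."""
    target = join(labels(full))
    seq, cur, steps = [], ".", 0
    while cur != target:
        cur = next_query_name(target, cur, steps)
        seq.append(cur)
        steps += 1
    return seq


# Constructed sample: reverse name of 2001:db8::1 (32 nibbles + ip6 + arpa).
_HEX = "20010db8" + "0" * 23 + "1"
SAMPLE_IP6_REVERSE = ".".join(reversed(_HEX)) + ".ip6.arpa."

if __name__ == "__main__":
    for q in minimise_sequence(SAMPLE_IP6_REVERSE):
        print(q)
```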

A new type of local-zone is added, inform_redirect, which acts as if both
type inform and type redirect were used.  The query is logged, and the
content of the answer is as for type redirect.

For 0x20 capsforid, a canonical sort is now used to compare replies that
differed.  This removes some cases where the fallback could not determine,
over several retries, that the reply was genuine.
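The canonical comparison described above, as an added illustration in Python rather than Unbound's C implementation: the authority and additional sections are sorted before comparing, so two replies that carry the same rrsets in a different order are recognised as the same answer, while a reply with genuinely different data is still rejected. The sample replies are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RRset:
    name: str      # owner name
    rtype: str     # record type, e.g. "NS", "A"
    rdata: tuple   # the records of the set, in the order received


def key(rs: RRset):
    """Canonical form of one rrset: owner name case-folded (0x20 randomises the
    case of the query name), type, and the records sorted."""
    return (rs.name.lower(), rs.rtype, tuple(sorted(rs.rdata)))


def section_as_received(rrsets):
    return [key(rs) for rs in rrsets]


def section_canonical(rrsets):
    """Sort the rrsets so that the order in which the server emitted them is irrelevant."""
    return sorted(key(rs) for rs in rrsets)


def naive_same(a, b):
    """Order-sensitive comparison of all three sections: a reordered
    additional section alone makes the replies look different."""
    return all(section_as_received(a[s]) == section_as_received(b[s])
               for s in ("answer", "authority", "additional"))


def same_reply(a, b):
    """Canonical comparison: answer section compared in order, authority and
    additional sections sorted first."""
    if section_as_received(a["answer"]) != section_as_received(b["answer"]):
        return False
    return all(section_canonical(a[s]) == section_canonical(b[s])
               for s in ("authority", "additional"))


# Constructed sample replies (not captured traffic).
NS = RRset("example.com.", "NS", ("ns1.example.com.", "ns2.example.com."))
A1 = RRset("ns1.example.com.", "A", ("192.0.2.1",))
A2 = RRset("ns2.example.com.", "A", ("192.0.2.2",))
WWW = RRset("www.example.com.", "A", ("192.0.2.10",))
REPLY_A = {"answer": [WWW], "authority": [NS], "additional": [A1, A2]}
# Same data, additional section in the other order and mixed-case owner name.
REPLY_B = {"answer": [RRset("wWw.ExAmPlE.cOm.", "A", ("192.0.2.10",))],
           "authority": [NS], "additional": [A2, A1]}
# Genuinely different: ns2 resolves to another address.
REPLY_C = {"answer": [WWW], "authority": [NS],
           "additional": [A1, RRset("ns2.example.com.", "A", ("198.51.100.2",))]}
```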

To make ratelimiting easier to work with, the ratelimit logs now print
the query name that triggered the ratelimit message.  Not all the queries
that hit the limit necessarily have the same name, but the name of the
query that pushed the count over the limit is printed, and this gives (a
single name of) insight into the nature of the traffic involved.  The
IP address of the sender of the query that triggered the upstream
ratelimit is also printed.  If a recursion exceeds the ratelimit, it does
not print the IP address of the query ultimately responsible for the
recursive lookup.

Unbound has ratelimiting both for the clients (the downstream side) and
for traffic sent by Unbound to the wider internet (the upstream side).
The ip-ratelimit options limit traffic in packets per client IP.  The
ratelimit options limit traffic towards a domain name.  The new logging
prints extra information with the log messages for both of them, so that
some indication of the nature of that traffic is visible straight away.

Features
- Add local-zone type inform_redirect, which logs like type inform,
  and redirects like type redirect.
- Perform canonical sort for 0x20 capsforid compare of replies,
  this sorts rrsets in the authority and additional section before
  comparison, so that out of order rrsets do not cause failure.
- Print query name with ip_ratelimit exceeded log lines.
  Spaces instead of tabs in that log message.
- Print query name and IP address when domain rate limit exceeded.

Bug Fixes
- Fix #4224: auth_xfr_notify.rpl test broken due to typo
- Fix locking for libunbound context setup with broken port config.
- Fix case in which query timeout can result in marking delegation
  as edns_lame_known.
- Set ub_ctx_set_tls call signature in ltrace config file for
  libunbound in contrib/libunbound.so.conf.
- Improve documentation for tls-service-key and forward-first.
- #10: fixed pkg-config operations, PKG_PROG_PKG_CONFIG moved out of
  conditional section, fixes systemd builds, from Enrico Scholz.
- #9: For openssl 1.0.2 use the CRYPTO_THREADID locking callbacks,
  still supports the set_id_callback previous API.  And for 1.1.0
  no locking callbacks are needed.
- #8: Fix OpenSSL without ENGINE support compilation.
- Wipe TLS session key data from memory on exit.
- Fix that log-replies prints the correct name for local-alias
  names, for names that have a CNAME in local-data configuration.
  It logs the original query name, not the target of the CNAME.
- Fix #4206: OpenSSL 1.0.2 hostname verification for FreeBSD 11.2.
- Fix that qname minimisation does not skip a label when missing
  nameserver targets need to be fetched.
- Fix #4225: clients seem to erroneously receive no answer with
  DNS-over-TLS and qname-minimisation.
- Note default for module-config in man page.
- Fix #13: Remove left-over requirements on OpenSSL >= 1.1.0 for
  cert name matching, from man page.
- Fix capsforid canonical sort qsort callback.
- Fix pythonmod include and sockaddr_un ifdefs for compile on
  Windows, and for libunbound.
- Fix the error for an unknown module in module-config so that it is
  understandable, and explains that the module was not compiled in and
  where to see the list.
- In example.conf explain where to put cachedb module in module-config.
- In man page and example config explain that most modules have to
  be listed at the start of module-config.
- Fix #4227: pair event del and add for libevent for tcp_req_info.
- Fix #4229: Unbound man pages lack information, about access-control
  order and local zone tags, and elements in views.
- Fix #14: contrib/unbound.init: Fix wrong comparison judgment
  before copying.
- Fix for python module on Windows, fix fopen.
- Remove memory leak on pythonmod python2 script file init.
- Remove swig gcc8 python function cast warnings, they are ignored.
- Print correct module that failed when module-config is wrong.

Best regards, Wouter
