Unbound 1.10.0rc1 pre-release

Wouter Wijngaards wouter at nlnetlabs.nl
Thu Feb 13 12:41:53 UTC 2020


Unbound 1.10.0rc1 pre-release is available:
sha256 cee1761b7801ae1f6e37f8a81f0646b93ad62bad565fe8459d46661073ca8440
pgp https://nlnetlabs.nl/downloads/unbound/unbound-1.10.0rc1.tar.gz.asc

This is the maintainers' pre-release.

The 1.10.0rc1 release has RPZ support and serve stale functionality
according to draft draft-ietf-dnsop-serve-stale-10.  And a number of
other, smaller, features, and bug fixes.

The DNS Response Policy Zones (RPZ) functionality makes it possible
to express DNS response policies in a DNS zone. These zones can
be loaded from file or transferred over DNS zone transfers or
HTTP. The RPZ functionality in Unbound is implemented as specified in
draft-vixie-dnsop-dns-rpz-00. Only the QNAME and Response IP Address
triggers are supported. The supported RPZ actions are: NXDOMAIN, NODATA,
PASSTHRU, DROP and Local Data.

Enabling the respip module using `module-config` is required to use
RPZ. Each RPZ zone can be configured using the `rpz` clause. RPZ clauses
are applied in order of configuration.  Unbound can get the data from
zone transfer, a zonefile or https url, and more options are documented
in the man page.  A minimal RPZ configuration that will transfer the
RPZ zone using AXFR and IXFR can look like:

  module-config: "respip validator iterator"

  name: "rpz.example.com" # name of the policy zone
  master:	  # address of the name server to transfer from

The serve-stale functionality as described in
draft-ietf-dnsop-serve-stale-10 is now supported in unbound.
This allows unbound to first try and resolve a domain name before
replying with expired data from cache.  This differs from unbound's
initial serve-expired behavior which attempts to reply with expired
entries from cache without waiting for the actual resolution to finish.
Both behaviors are available and can be configured with the various
serve-expired-* configuration options.  serve-expired-client-timeout is
the option that enables one or the other.

The DSA algorithms have been disabled by default, this is because of
RFC 8624.

There is a crash fix in the parse of text of type WKS, reported by
X41 D-Sec.

In addition, neg and key caches can be shared with multiple
libunbound contexts, a change that assists unwind.  The
contrib/unbound_portable.service provides a systemd start file for a
portable setup.  The configure --with-libbsd option allows the use
of the bsd compatibility library so that it can use the arc4random
from it.  The stats in contrib/unbound_munin_ have num.query.tls and
num.query.tls.resume added to them.  For unbound-control the command
view_local_datas_remove is added that removes data from a view.

- Merge RPZ support into master. Only QNAME and Response IP triggers are
- Added serve-stale functionality as described in
  draft-ietf-dnsop-serve-stale-10. `serve-expired-*` options can be used
  to configure the behavior.
- Updated cachedb to honor `serve-expired-ttl`; Fixes #107.
- Renamed statistic `num.zero_ttl` to `num.expired` as expired replies
  come with a configurable TTL value (`serve-expired-reply-ttl`).
- Merge #135 from Florian Obser: Use passed in neg and key cache
  if non-NULL.
- Fix #153: Disable validation for DSA algorithms.  RFC 8624 compliance.
- Merge PR#151: Fixes for systemd units, by Maryse47, Edmonds
  and Frzk.  Updates the unbound.service systemd file and adds a portable
  systemd service file.
- Merge PR#154; Allow use of libbsd functions with configure option
  --with-libbsd. By Robert Edmonds and Steven Chamberlain.
- Merge PR#148; Add some TLS stats to unbound_munin_. By Fredrik Pettai.
- Merge PR#156 from Alexander Berkes; Added unbound-control
  view_local_datas_remove command.

Bug Fixes:
- Fix typo to let serve-expired-ttl work with ub_ctx_set_option(), by
  Florian Obser
- Update mailing list URL.
- Fix #140: Document slave not downloading new zonefile upon update.
- Downgrade compat/getentropy_solaris.c to version 1.4 from OpenBSD.
  The dl_iterate_phdr() function introduced in newer versions raises
  compilation errors on solaris 10.
- Changes to compat/getentropy_solaris.c for,
  ifdef stdint.h inclusion for older systems.  ifdef sha2.h inclusion
  for older systems.
- Fix 'make test' to work for --disable-sha1 configure option.
- Fix out-of-bounds null-byte write in sldns_bget_token_par while
  parsing type WKS, reported by Luis Merino from X41 D-Sec.
- Updated sldns_bget_token_par fix for also space for the zero
  delimiter after the character.  And update for more spare space.
- Fix #138: stop binding pidfile inside chroot dir in systemd service
- Fix the relationship between serve-expired and prefetch options,
  patch from Saksham Manchanda from Secure64.
- Fix unreachable code in ssl set options code.
- Removed the dnscrypt_queries and dnscrypt_queries_chacha tests,
  because dnscrypt-proxy (2.0.36) does not support the test setup
  any more, and also the config file format does not seem to have the
  appropriate keys to recreate that setup.
- Fix crash after reload where a stats lookup could reference old key
  cache and neg cache structures.
- Fix for memory leak when edns subnet config options are read when
  compiled without edns subnet support.
- Fix auth zone support for NSEC3 records without salt.
- Merge PR#150 from Frzk: Systemd unit without chroot.  It add
  contrib/unbound_nochroot.service.in, a systemd file for use with
  chroot: "", see comments in the file, it uses systemd protections
  instead.  It was superceded by #151, the unbound_portable.service
- Merge PR#155 from Robert Edmonds: contrib/libunbound.pc.in: Fixes
  to Libs/Requires for crypto library dependencies.
- iana portlist updated.
- Fix to silence the tls handshake errors for broken pipe and reset
  by peer, unless verbosity is set to 2 or higher.
- Merge PR#147; change rfc reference for reserved top level dns names.
- Fix #157: undefined reference to `htobe64'.
- Fix subnet tests for disabled DSA algorithm by default.
- Update contrib/fastrpz.patch for clean diff with current code.
- updated .gitignore for added contrib file.
- Add build rule for ipset to Makefile
- Add getentropy_freebsd.o to Makefile dependencies.
- Fix memory leak in error condition remote.c
- Fix double free in error condition view.c
- Fix memory leak in do_auth_zone_transfer on success
- Stop working on socket when socket() call returns an error.
- Check malloc return values in TLS session ticket code
- Fix fclose on error in TLS session ticket code.
- Add assertion to please static analyzer
- Fixed stats when replying with cached, cname-aliased records.
- Added missing default values for redis cachedb backend.
- Fix num_reply_addr counting in mesh and tcp drop due to size
  after serve_stale commit.
- Fix to create and destroy rpz_lock in auth_zones structure.
- Fix to lock zone before adding rpz qname trigger.
- Fix to lock and release once in mesh_serve_expired_lookup.
- Fix to put braces around empty if body when threading is disabled.
- Fix num_reply_states and num_detached_states counting with
- Cleaner code in mesh_serve_expired_lookup.
- Document in unbound.conf manpage that configuration clauses can be
  repeated in the configuration file.
- Document 'ub_result.was_ratelimited' in libunbound.
- Fix use after free on log-identity after a reload; Fixes #163.
- Fix with libnettle make test with dsa disabled.
- Fix contrib/fastrpz.patch to apply cleanly.  Fix for serve-stale
  fixes, but it does not compile, conflicts with new rpz code.
- Fix to clean memory leak of respip_addr.lock when ip_tree deleted.
- Fix compile warning when threads disabled.

Best regards, Wouter

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.nlnetlabs.nl/pipermail/unbound-users/attachments/20200213/1a546cae/attachment.bin>

More information about the Unbound-users mailing list