Unbound 1.10.0rc2 pre-release

Wouter Wijngaards wouter at nlnetlabs.nl
Mon Feb 17 14:20:41 UTC 2020


Hi,

Unbound 1.10.0rc2 pre-release is available:
https://nlnetlabs.nl/downloads/unbound/unbound-1.10.0rc2.tar.gz
sha256 d34dc9b6261dbf187f2c2399b787a0fa520f2b97168cdcb9961b69d56e319402
pgp https://nlnetlabs.nl/downloads/unbound/unbound-1.10.0rc2.tar.gz.asc

Release candidate 2 is there to stop unbound-checkconf from rejecting
the configuration.

Changes are:
- Fix spelling in unbound.conf.5.in.
- Stop unbound-checkconf from insisting that auth-zone and rpz
  zonefiles have to exist.  They may not exist yet and be downloaded later.
- contrib/drop2rpz: perl script that converts the Spamhaus DROP-List
  into RPZ format, contributed by Andreas Schulze.
- Remove unused variable.
- Add respip to supported module-config options in unbound-checkconf.

Best regards, Wouter

On 2/13/20 1:41 PM, Wouter Wijngaards via maintainers wrote:
> Hi,
> 
> Unbound 1.10.0rc1 pre-release is available:
> https://nlnetlabs.nl/downloads/unbound/unbound-1.10.0rc1.tar.gz
> sha256 cee1761b7801ae1f6e37f8a81f0646b93ad62bad565fe8459d46661073ca8440
> pgp https://nlnetlabs.nl/downloads/unbound/unbound-1.10.0rc1.tar.gz.asc
> 
> This is the maintainers' pre-release.
> 
> The 1.10.0rc1 release has RPZ support and serve stale functionality
> according to draft-ietf-dnsop-serve-stale-10, and a number of
> other, smaller features and bug fixes.
> 
> The DNS Response Policy Zones (RPZ) functionality makes it possible
> to express DNS response policies in a DNS zone. These zones can
> be loaded from file or transferred over DNS zone transfers or
> HTTP. The RPZ functionality in Unbound is implemented as specified in
> draft-vixie-dnsop-dns-rpz-00. Only the QNAME and Response IP Address
> triggers are supported. The supported RPZ actions are: NXDOMAIN, NODATA,
> PASSTHRU, DROP and Local Data.
> 
> Enabling the respip module using `module-config` is required to use
> RPZ. Each RPZ zone can be configured using the `rpz` clause. RPZ clauses
> are applied in order of configuration.  Unbound can get the data from
> zone transfer, a zonefile or https url, and more options are documented
> in the man page.  A minimal RPZ configuration that will transfer the
> RPZ zone using AXFR and IXFR can look like:
> 
> server:
>   module-config: "respip validator iterator"
> 
> rpz:
>   name: "rpz.example.com" # name of the policy zone
>   master: 192.0.2.0       # address of the name server to transfer from
> 
> The serve-stale functionality as described in
> draft-ietf-dnsop-serve-stale-10 is now supported in unbound.
> This allows unbound to first try and resolve a domain name before
> replying with expired data from cache.  This differs from unbound's
> initial serve-expired behavior which attempts to reply with expired
> entries from cache without waiting for the actual resolution to finish.
> Both behaviors are available and can be configured with the various
> serve-expired-* configuration options.  serve-expired-client-timeout is
> the option that enables one or the other.
> 
> The DSA algorithms have been disabled by default; this is because of
> RFC 8624.
> 
> There is a crash fix in the parsing of text of type WKS, reported by
> X41 D-Sec.
> 
> In addition, neg and key caches can be shared with multiple
> libunbound contexts, a change that assists unwind.  The
> contrib/unbound_portable.service provides a systemd start file for a
> portable setup.  The configure --with-libbsd option allows the use
> of the bsd compatibility library so that it can use the arc4random
> from it.  The stats in contrib/unbound_munin_ have num.query.tls and
> num.query.tls.resume added to them.  For unbound-control the command
> view_local_datas_remove is added that removes data from a view.
> 
> 
> Features:
> - Merge RPZ support into master. Only QNAME and Response IP triggers are
>   supported.
> - Added serve-stale functionality as described in
>   draft-ietf-dnsop-serve-stale-10. `serve-expired-*` options can be used
>   to configure the behavior.
> - Updated cachedb to honor `serve-expired-ttl`; Fixes #107.
> - Renamed statistic `num.zero_ttl` to `num.expired` as expired replies
>   come with a configurable TTL value (`serve-expired-reply-ttl`).
> - Merge #135 from Florian Obser: Use passed in neg and key cache
>   if non-NULL.
> - Fix #153: Disable validation for DSA algorithms.  RFC 8624 compliance.
> - Merge PR#151: Fixes for systemd units, by Maryse47, Edmonds
>   and Frzk.  Updates the unbound.service systemd file and adds a portable
>   systemd service file.
> - Merge PR#154; Allow use of libbsd functions with configure option
>   --with-libbsd. By Robert Edmonds and Steven Chamberlain.
> - Merge PR#148; Add some TLS stats to unbound_munin_. By Fredrik Pettai.
> - Merge PR#156 from Alexander Berkes; Added unbound-control
>   view_local_datas_remove command.
> 
> Bug Fixes:
> - Fix typo to let serve-expired-ttl work with ub_ctx_set_option(), by
>   Florian Obser
> - Update mailing list URL.
> - Fix #140: Document slave not downloading new zonefile upon update.
> - Downgrade compat/getentropy_solaris.c to version 1.4 from OpenBSD.
>   The dl_iterate_phdr() function introduced in newer versions raises
>   compilation errors on solaris 10.
> - Changes to compat/getentropy_solaris.c: ifdef stdint.h inclusion
>   for older systems; ifdef sha2.h inclusion for older systems.
> - Fix 'make test' to work for --disable-sha1 configure option.
> - Fix out-of-bounds null-byte write in sldns_bget_token_par while
>   parsing type WKS, reported by Luis Merino from X41 D-Sec.
> - Updated the sldns_bget_token_par fix to also leave space for the zero
>   delimiter after the character, and updated it for more spare space.
> - Fix #138: stop binding pidfile inside chroot dir in systemd service
>   file.
> - Fix the relationship between serve-expired and prefetch options,
>   patch from Saksham Manchanda from Secure64.
> - Fix unreachable code in ssl set options code.
> - Removed the dnscrypt_queries and dnscrypt_queries_chacha tests,
>   because dnscrypt-proxy (2.0.36) does not support the test setup
>   any more, and also the config file format does not seem to have the
>   appropriate keys to recreate that setup.
> - Fix crash after reload where a stats lookup could reference old key
>   cache and neg cache structures.
> - Fix for memory leak when edns subnet config options are read when
>   compiled without edns subnet support.
> - Fix auth zone support for NSEC3 records without salt.
> - Merge PR#150 from Frzk: Systemd unit without chroot.  It adds
>   contrib/unbound_nochroot.service.in, a systemd file for use with
>   chroot: "", see comments in the file, it uses systemd protections
>   instead.  It was superseded by #151, the unbound_portable.service
>   file.
> - Merge PR#155 from Robert Edmonds: contrib/libunbound.pc.in: Fixes
>   to Libs/Requires for crypto library dependencies.
> - iana portlist updated.
> - Fix to silence the tls handshake errors for broken pipe and reset
>   by peer, unless verbosity is set to 2 or higher.
> - Merge PR#147; change rfc reference for reserved top level dns names.
> - Fix #157: undefined reference to `htobe64'.
> - Fix subnet tests for disabled DSA algorithm by default.
> - Update contrib/fastrpz.patch for clean diff with current code.
> - updated .gitignore for added contrib file.
> - Add build rule for ipset to Makefile.
> - Add getentropy_freebsd.o to Makefile dependencies.
> - Fix memory leak in error condition remote.c.
> - Fix double free in error condition view.c.
> - Fix memory leak in do_auth_zone_transfer on success.
> - Stop working on socket when socket() call returns an error.
> - Check malloc return values in TLS session ticket code.
> - Fix fclose on error in TLS session ticket code.
> - Add assertion to please static analyzer.
> - Fixed stats when replying with cached, cname-aliased records.
> - Added missing default values for redis cachedb backend.
> - Fix num_reply_addr counting in mesh and tcp drop due to size
>   after serve_stale commit.
> - Fix to create and destroy rpz_lock in auth_zones structure.
> - Fix to lock zone before adding rpz qname trigger.
> - Fix to lock and release once in mesh_serve_expired_lookup.
> - Fix to put braces around empty if body when threading is disabled.
> - Fix num_reply_states and num_detached_states counting with
>   serve_expired_callback.
> - Cleaner code in mesh_serve_expired_lookup.
> - Document in unbound.conf manpage that configuration clauses can be
>   repeated in the configuration file.
> - Document 'ub_result.was_ratelimited' in libunbound.
> - Fix use after free on log-identity after a reload; Fixes #163.
> - Fix with libnettle make test with dsa disabled.
> - Fix contrib/fastrpz.patch to apply cleanly.  Fix for serve-stale
>   fixes, but it does not compile, conflicts with new rpz code.
> - Fix to clean memory leak of respip_addr.lock when ip_tree deleted.
> - Fix compile warning when threads disabled.
> 
> Best regards, Wouter
> 
> 
> _______________________________________________
> maintainers mailing list
> maintainers at lists.nlnetlabs.nl
> https://lists.nlnetlabs.nl/mailman/listinfo/maintainers
> 
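The RPZ trigger and action semantics summarized in the quoted announcement (QNAME and Response IP triggers; NXDOMAIN, NODATA, PASSTHRU, DROP and Local Data actions), worked through in a small policy evaluator. This is an added example, not Unbound's code and not part of either message; it assumes the rdata encodings of draft-vixie-dnsop-dns-rpz-00 (CNAME `.` for NXDOMAIN, CNAME `*.` for NODATA, CNAME `rpz-passthru.` and `rpz-drop.`, any other RR as Local Data, and `<prefixlen>.<reversed octets>.rpz-ip` owner names for IPv4 Response IP triggers), handles IPv4 only, evaluates the QNAME trigger before the Response IP trigger, and uses a constructed policy zone under the announcement's sample zone name `rpz.example.com`.

```python
"""Toy RPZ evaluator for the QNAME / Response IP subset (added example).

Encodings follow draft-vixie-dnsop-dns-rpz-00; IPv4 only.  The records
below are constructed sample data, not a real policy feed.
"""
import ipaddress

POLICY_ZONE = "rpz.example.com"  # zone name from the announcement's sample config

# Constructed records: (owner relative to POLICY_ZONE, rrtype, rdata).
SAMPLE_RECORDS = [
    ("bad.example.net", "CNAME", "."),                  # NXDOMAIN
    ("*.bad.example.net", "CNAME", "."),                # NXDOMAIN for subdomains too
    ("empty.example.net", "CNAME", "*."),               # NODATA
    ("allowed.example.net", "CNAME", "rpz-passthru."),  # PASSTHRU (exempt this name)
    ("sink.example.net", "A", "192.0.2.99"),            # Local Data
    ("24.0.2.0.192.rpz-ip", "CNAME", "rpz-drop."),      # Response IP 192.0.2.0/24 -> DROP
]


def decode_action(rrtype, rdata):
    """Map an RPZ rdata encoding to (action, payload)."""
    if rrtype == "CNAME":
        special = {".": "NXDOMAIN", "*.": "NODATA",
                   "rpz-passthru.": "PASSTHRU", "rpz-drop.": "DROP"}
        if rdata in special:
            return (special[rdata], None)
    return ("LOCALDATA", (rrtype, rdata))  # any other RR is served as local data


def _parse_ip_owner(owner):
    """'<prefixlen>.<b4>.<b3>.<b2>.<b1>.rpz-ip' -> IPv4 network, else None."""
    labels = owner.split(".")
    if len(labels) != 6 or labels[-1] != "rpz-ip":
        return None
    prefixlen = int(labels[0])
    octets = labels[1:5][::-1]  # labels are the address reversed
    return ipaddress.ip_network(".".join(octets) + f"/{prefixlen}", strict=False)


def build_policy(records):
    """Split records into QNAME rules (dict) and Response IP rules (list)."""
    qname_rules, ip_rules = {}, []
    for owner, rrtype, rdata in records:
        owner = owner.lower().rstrip(".")
        if owner.endswith(".rpz-ip"):
            net = _parse_ip_owner(owner)
            if net is not None:
                ip_rules.append((net, decode_action(rrtype, rdata)))
        else:
            qname_rules[owner] = decode_action(rrtype, rdata)
    # Longest prefix wins when several IP triggers cover an address.
    ip_rules.sort(key=lambda rule: rule[0].prefixlen, reverse=True)
    return qname_rules, ip_rules


def match_qname(qname_rules, qname):
    """Exact owner match first, then wildcard owners for each parent."""
    name = qname.lower().rstrip(".")
    if name in qname_rules:
        return qname_rules[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in qname_rules:
            return qname_rules[wildcard]
    return None


def match_response_ip(ip_rules, answer_ips):
    """First (longest-prefix) IP trigger covering any address in the answer."""
    for net, action in ip_rules:
        for ip in answer_ips:
            addr = ipaddress.ip_address(ip)
            if addr.version == net.version and addr in net:
                return action
    return None


def apply_policy(policy, qname, answer_ips=()):
    """Return the (action, payload) the resolver would apply, or NOMATCH."""
    qname_rules, ip_rules = policy
    hit = match_qname(qname_rules, qname)       # QNAME trigger has precedence
    if hit is None:
        hit = match_response_ip(ip_rules, answer_ips)
    return hit if hit is not None else ("NOMATCH", None)


SAMPLE_POLICY = build_policy(SAMPLE_RECORDS)

if __name__ == "__main__":
    for q, ips in [("www.bad.example.net", []), ("allowed.example.net", ["192.0.2.5"]),
                   ("other.example.org", ["192.0.2.77"]), ("clean.example.org", ["198.51.100.1"])]:
        print(q, ips, "->", apply_policy(SAMPLE_POLICY, q, ips))
```

Note that a PASSTHRU hit on the QNAME trigger exempts the name even when the answer addresses fall inside a DROP-listed prefix, which is why an allow-listing entry is expressed as a QNAME rule rather than by removing the IP rule.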

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.nlnetlabs.nl/pipermail/unbound-users/attachments/20200217/9809db77/attachment.bin>
