Unbound 1.11.0rc1 pre-release

Yuri yvoinov at gmail.com
Mon Jul 20 18:56:59 UTC 2020

Built and runs ok (Solaris 10u13).

20.07.2020 18:04, Wouter Wijngaards via Unbound-users wrote:
> Hi,
> Unbound 1.11.0rc1 pre-release is available:
> https://nlnetlabs.nl/downloads/unbound/unbound-1.11.0rc1.tar.gz
> sha256 d7fbea076c7f5d37d7a6a8203c2eefb31d2207039f53f3fb98b25e1216152d79
> pgp https://nlnetlabs.nl/downloads/unbound/unbound-1.11.0rc1.tar.gz.asc
> This is the maintainer's pre-release.
> This release contains a number of bug fixes.  Also new features are
> introduced.  The configure --with-dynlibmodule enables dynamic library
> support that can have code modules function like the python library
> scripts.  It allows to load multiple dynlib instances.  The new
> `include-toplevel: <file or wildcard>` configuration option allows to
> include a directory with config files where every config file does not
> modify the config section for the later files so that the include order
> is idempotent.  This makes it much easier to drop files into a config
> snippet directory in etc and manage that set of config files, without
> for example one config file starting a stub section and creating parse
> errors in another config file with server options.
> The `rrset-roundrobin` option is now default to yes.  This is more in
> line with what users expect.  The KSK-2010 has been removed from our
> default key set output.  The option `prefer-ip4` can be used to prefer
> ip4 over ip6 when reputation for the ip6 netblock is shared with other
> users.
> There is also a dnstap implementation inside Unbound.  This removes the
> dependency on the libfstrm library.  The protobuf library is still used.
> The fstrm protocol code resides in `dnstap/dnstap_fstrm.h` and
> `dnstap/dnstap_fstrm.c`. This contains a brief definition of what
> unbound needs.
> The `make unbound-dnstap-socket` builds a debug tool,
> unbound-dnstap-socket. It can listen, accept multiple DNSTAP streams and
> print information. Commandline options control it.
> Unbound can reconnect if the unix domain socket file socket is closed.
> This uses exponential backoff after which it uses a one second timer to
> throttle cpu down. There is also support to use TCP and TLS for
> connecting to the log server. There are new config options to turn them
> on, in the `dnstap` section in the man page and example config file.
> `dnstap-ip` with IP address of server for TCP or TLS use. `dnstap-tls`
> to turn on TLS. And `dnstap-tls-server-name`, `dnstap-tls-cert-bundle`,
> `dnstap-tls-client-key-file` and `dnstap-tls-client-cert-file` to
> configure the certificates for server authentication and client
> authentication, or leave at `""` to not use that.  With
> `dnstap-bidirectional` the frame streams can be set to bidirectional or
> unidirectional connection mode.
>
> Features
>
> - Merge #225 from akhait: KSK-2010 has been revoked. It removes the
>   KSK-2010 from the default list in unbound-anchor, now that the
>   revocation period is over.  KSK-2017 is the only trust anchor in
>   the shipped default now.
> - Merge PR #93: Add dynamic library support.
> - Introduce 'include-toplevel:' configuration option.
> - Change default value for 'rrset-roundrobin' to yes.
> - Add SNI support on more TLS connections (fixes #193).
> - Add SNI support to unbound-anchor.
> - Merge PR #164: Framestreams, this branch implements dnstap
>   connectivity in unbound. This has a number of new features.
> - Fix #165: Add prefer-ip4: yesno config option to prefer ipv4 for
>   using ipv4 filters, because the hosts ip6 netblock /64 is not owned
>   by one operator, and thus reputation is shared.
>
> Bug Fixes
>
> - protect X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS with ifdef for
>   different openssl versions.
> - Merge PR #166: Fix typo in unbound.service.in, by glitsj16.
> - Fix #169: Fix warning for daemon/remote.c output may be truncated
>   from snprintf.
> - Fix #170: Fix gcc undefined sanitizer signed integer overflow
>   warning in signature expiry RFC1982 serial number arithmetic.
> - Fix more undefined sanitizer issues, in respip copy_rrset null
>   dname, and in the client_info_compare routine for null memcmp.
> - Merge PR #171: Add additional compilers and platforms to Travis
>   testing, by noloader.
> - Merge PR #173: updated makedist.sh for config.guess and
>   config.sub and sha256 digest for gpg, by noloader.
> - Merge PR #172: Add IBM s390x arch for testing, by noloader.
> - Fix #177: dnstap does not build on macOS.
> - Fix compiler warning in dns64/dns64.c
> - Merge PR #174: Add Android to Travis testing, by noloader.
> - Move android build scripts to contrib/ and allow android tests to fail.
> - Fix #175, Merge PR #176: fix link error when OpenSSL is configured
>   with no-engine, thanks noloader.
> - Upgrade config.guess(2020-01-01) and config.sub(2020-01-01).
> - Merge PR #180 from noloader: Avoid calling exit in Travis script.
> - Merge PR #181 from noloader: Fix OpenSSL -pie warning on Android.
> - Update README-Travis.md (from PR #179), by Jeffrey Walton.
> - Fix PR #182 from noloader: Add iOS testing to Travis.
> - Merge PR #186, fix #183: Fix unrecognized 'echo -n' option on OS X, by
>   noloader
> - Fix #188: unbound-control.c:882:6: error: 'execlp' is
>   unavailable: not available on tvOS.
> - Fix #189: mini_event.h:142:17: error: field 'ev_timeout' has incomplete
>   type, by noloader.
> - Add check to make sure RPZ records are subdomains of configured
>   zone origin.
> - Fix #192: In the unbound-checkconf tool, the module config of
>   dns64 subnetcache respip validator iterator is whitelisted, it was
>   reported it seems to work.
> - Merge PR#191: Update iOS testing on Travis, by Jeffrey Walton.
> - Fix #158: open tls-session-ticket-keys as binary, for Windows. By
>   Daisuke HIGASHI.
> - Merge PR#134, Allow the kernel to provide random source ports. By
>   Florian Obser.
> - Log warning when using outgoing-port-permit and outgoing-port-avoid
>   while explicit port randomisation is disabled.
> - Merge PR#194: Add libevent testing to Travis, by Jeffrey Walton.
> - Fix .travis.yml error, missing 'env' option.
> - Merge PR #197 from fobser: Make log_ident_revert_to_default() a
>   proper prototype.
> - Merge PR #198 from fobser: Declare lz_enter_rr_into_zone()
>   static, it's only used in this file.
> - Fix compile on Solaris for unbound-checkconf.
> - Fix compile of test tools without protobuf.
> - Merge PR #200 from yarikk: add ip-dscp option to specify the DSCP
>   tag for outgoing packets.
> - Travis fix for ios by omitting tools from install.
> - Merge PR #201 from noloader: Fix OpenSSL cross-compile warnings.
> - Fix RPZ concurrency issue when using auth_zone_reload.
> - Make unbound-control error returned on missing domain name more user
>   friendly.
> - Merge PR #203 from noloader: Update README-Travis.md with current
>   procedures.
> - Merge PR #207: Clarify if-automatic listens on and ::
> - Merge PR #208: Fix uncached CLIENT_RESPONSE'es on stateful
>   transports.
> - Merge PR #206: Redis TTL, by Talkabout.
> - More documentation for redis-expire-records option.
> - Keep track of number of timeouts. Use this counter to determine if
>   capsforid fallback should be started.
> - Merge PR #214 from gearnode: unbound-control-setup recreate
>   certificates.  With the -r option the certificates are created
>   again, without it, only the files that do not exist are created.
> - Fix #220: auth-zone section in config may lead to segfault.
> - Fix help return code in unbound-control-setup script.
> - Fix for posix shell syntax for trap in nsd-control-setup.
> - Fix for posix shell syntax for trap in run_msg.sh test script.
> - Add doxygen documentation for DSCP.
> - Fix #222: --enable-rpath, fails to rpath python lib.
> - Fix for count of reply states in the mesh.
> - Remove unneeded was_mesh_reply check.
> - Explicitly use 'rrset-roundrobin: no' for test cases.
> - Cache ECS answers with longest scope of CNAME chain.
> - windows compile warnings removal for ip dscp option code.
> - Fix for integer overflow when printing RDF_TYPE_TIME.
> - Update contrib/aaaa-filter-iterator.patch for the recent
>   generate_sub_request() change and to apply cleanly.
> - Merge PR #241 by Robert Edmonds: contrib/libunbound.pc.in: Do not use
>   "Requires:".
> - Mention tls name possible when tls is enabled for stub-addr in the
>   man page.
> - Fix default explanation in man page for qname-minimisation-strict.
> - Fix display of event loop method with libev.
> - iana portlist updated.
> - Move reply list clean for serve expired mesh callback to after
>   the reply is sent, so that script callbacks have reply_info.
> - Also move reply list clean for mesh callbacks to the script callback
>   can see the reply_info.
> - Fix for mesh accounting if the reply list already empty to begin
>   with.
> - Fix for mesh accounting when rpz decides to drop a reply with a
>   tcp stream waiting for it.
> - Review fix for number of detached states due to use of variable
>   after end of loop.
> - Fix tcp req info drop due to size call into mesh accounting
>   removal of mesh state during mesh send reply.
> - Fix #259: Fix unbound-checkconf does not check view existence.
>   unbound-checkconf checks access-control-view, access-control-tags,
>   access-control-tag-actions and access-control-tag-datas.
> - Fix offset of error printout for access-control-tag-datas.
> - Fix add missing DSA header, for compilation without deprecated
>   OpenSSL APIs.
> - Fix to use SSL_CTX_set_tlsext_ticket_key_evp_cb in OpenSSL
>   3.0.0-alpha4.
> - Longer keys for the test set, this avoids weak crypto errors.
> - Add bidirectional frame streams support.
> - Fix check conf test for referencing installation paths.
> - Fix unused variable warning for clang analyzer.
> - Merge PR #234 - Ensure proper alignment of cmsg buffers by Jérémie
>   Courrèges-Anglas.
> - Fix PR #234 log_assert sizeof to use union buffer.
> - Fix libnettle compile for session ticket key callback function
>   changes.
> - Fix lock dependency cycle in rpz zone config setup.
> - Fix streamtcp to print packet data to stdout.  This makes the
>   stdout and stderr not mix together lines, when parsing its output.
> - Fix contrib/fastrpz.patch to apply cleanly.  It fixes for changes
>   due to added libdynmod, but it does not compile, it conflicts with
>   new rpz code.
>
> Best regards, Wouter
"C++ seems like a language suitable for firing other people's legs."

* C++20 : Bug to the future *
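
The quoted announcement lists the new `dnstap-ip`, `dnstap-tls`, `dnstap-tls-server-name` and client key/cert options for shipping dnstap logs over TCP or TLS. The following config audit is an added example, not part of this thread or of Unbound's code; the sample config, address and file path are constructed, and it assumes one option per line.

```python
import re

# Constructed sample config (not from the announcement); 192.0.2.10 is a
# documentation address and the file path is a placeholder.
SAMPLE_CONF = '''
server:
    verbosity: 1
dnstap:
    dnstap-enable: yes
    dnstap-ip: "192.0.2.10@6000"
    dnstap-tls: yes
    dnstap-tls-server-name: ""
    dnstap-tls-cert-bundle: "/etc/unbound/dnstap-ca.pem"
'''

def parse_dnstap(conf_text):
    """Collect the options of the dnstap: clause (one item per line assumed)."""
    opts, in_dnstap = {}, False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        m = re.match(r"([A-Za-z0-9-]+):\s*(.*)$", line)
        if not m:
            continue
        name, rest = m.group(1), m.group(2).strip()
        if rest == "":                           # clause header, e.g. "server:"
            in_dnstap = (name == "dnstap")
        elif in_dnstap:
            opts[name] = rest.strip('"')         # '""' becomes the empty string
    return opts

def audit_dnstap(conf_text):
    """Return findings about the TCP/TLS log transport; empty list if none."""
    o = parse_dnstap(conf_text)
    if not o.get("dnstap-ip"):
        return []                                # no TCP/TLS log server configured
    if o.get("dnstap-tls") == "no":
        return ["dnstap-tls: no with dnstap-ip set: logs cross the network over plain TCP"]
    findings = []
    if "dnstap-tls" not in o:
        findings.append("dnstap-tls not set: state the transport explicitly")
    if not o.get("dnstap-tls-server-name"):
        findings.append('dnstap-tls-server-name is "": server name authentication is not in use')
    key = o.get("dnstap-tls-client-key-file", "")
    cert = o.get("dnstap-tls-client-cert-file", "")
    if bool(key) != bool(cert):
        findings.append("client key and certificate must both be set for client authentication")
    return findings

if __name__ == "__main__":
    for finding in audit_dnstap(SAMPLE_CONF):
        print("WARN:", finding)
```
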
