Unbound 1.13.0rc1 pre-release
Wouter Wijngaards
wouter at nlnetlabs.nl
Tue Nov 24 15:02:32 UTC 2020
Hi Yuri,
Can you tell me what the logs look like with verbosity 5 or so?
I do not recall your previous configuration, was there anything
particular about it?
Best regards, Wouter
On 24/11/2020 15:59, Yuri via Unbound-users wrote:
> Hmmmm.
>
> Built successfully, but not work.
>
> dig ya.ru
>
> ; <<>> DiG 9.11.13 <<>> ya.ru
> ;; global options: +cmd
> ;; connection timed out; no servers could be reached
>
> With previous configuration.
>
>
> 24.11.2020 20:28, Wouter Wijngaards via Unbound-users wrote:
>> Hi,
>>
>> Unbound 1.13.0rc1 pre-release is available:
>> https://nlnetlabs.nl/downloads/unbound/unbound-1.13.0rc1.tar.gz
>> sha256 a55e8b5dfc290867017e7fbb75f1023ee2f6234943f870a5c24694b0908d7c17
>> pgp https://nlnetlabs.nl/downloads/unbound/unbound-1.13.0rc1.tar.gz.asc
>>
>>
>> This version has fixes to connect for UDP sockets, slowing down
>> potential ICMP side channel leakage. The fix can be controlled with the
>> option udp-connect: yes; it is enabled by default.
>>
>> Additionally CVE-2020-28935 is fixed, this solves a problem where the
>> pidfile is altered by a symlink, and fails if a symlink is encountered.
>> See https://nlnetlabs.nl/downloads/unbound/CVE-2020-28935.txt for more
>> information.
>>
>> New features are upstream TCP and TLS query reuse, where a channel is
>> reused for several queries. And http-notls-downstream: yesno for
>> unencrypted DoH, useful for back end support servers. The option
>> infra-keep-probing can be used to probe hosts that are down more
>> frequently.
>>
>> The options edns-client-string and edns-client-string-opcode can be used
>> to add an EDNS option with the specified string in queries towards
>> servers, with the servers specified by IP address. It replaces the
>> edns-client-tag option.
>>
>> Features
>> - Pass the comm_reply information to the inplace_cb_reply* functions
>> during the mesh state and update the documentation on that.
>> - Fix #330: [Feature request] Add unencrypted DNS over HTTPS support.
>> This adds the option http-notls-downstream: yesno to change that,
>> and the dohclient test code has the -n option.
>> - Merge PR #228 : infra-keep-probing option to probe hosts that are
>> down. Add infra-keep-probing: yes option. Hosts that are down are
>> probed more frequently.
>> With the option turned on, it probes about every 120 seconds,
>> eventually after exponential backoff, and that keeps that way. If
>> traffic keeps up for the domain. It probes with one at a time, eg.
>> one query is allowed to probe, other queries within that 120 second
>> interval are turned away.
>> - Merge PR #313 from Ralph Dolmans: Replace edns-client-tag with
>> edns-client-string option.
>> - Merge PR #283 : Stream reuse. This implements upstream stream
>> reuse for performing several queries over the same TCP or TLS
>> channel.
>> - Fix to connect() to UDP destinations, default turned on,
>> this lowers vulnerability to ICMP side channels.
>> Option to toggle udp-connect, default is enabled.
>>
>> Bug Fixes
>> - Fix #319: potential memory leak on config failure, in rpz config.
>> - Fix dnstap socket and the chroot not applied properly to the dnstap
>> socket path.
>> - Fix warning in libnss compile, nss_buf2dsa is not used without DSA.
>> - Fix #323: unbound testsuite fails on mock build in systemd-nspawn
>> if systemd support is built.
>> - Fix for python reply callback to see mesh state reply_list member,
>> it only removes it briefly for the commpoint call so that it does
>> not drop it and attempt to modify the reply list during reply.
>> - Fix that if there are on reply callbacks, those are called per
>> reply and a new message created if that was modified by the call.
>> - Free up auth zone parse region after use for lookup of host
>> - Merge PR #326 from netblue30: DoH: implement content-length
>> header field.
>> - DoH content length, simplify code, remove declaration after
>> statement and fix cast warning.
>> - Fix that if there are reply callbacks for the given rcode, those
>> are called per reply and a new message created if that was modified
>> by the call.
>> - Fix that the out of order TCP processing does not limit the
>> number of outstanding queries over a connection.
>> - Fix python documentation warning on functions.rst inplace_cb_reply.
>> - Log ip address when http session recv fails, eg. due to tls fail.
>> - Fix to set the tcp handler event toggle flag back to default when
>> the handler structure is reused.
>> - Clean the fix for out of order TCP processing limits on number
>> of queries. It was tested to work.
>> - Fix that http settings have colon in set_option, for
>> http-endpoint, http-max-streams, http-query-buffer-size,
>> http-response-buffer-size, and http-nodelay.
>> - Fix memory leak of https port string when reading config.
>> - local-zone regional allocations outside of chunk
>> - Merge PR #324 from James Renken: Add modern X.509v3 extensions to
>> unbound-control TLS certificates.
>> - Fix for PR #324 to attach the x509v3 extensions to the client
>> certificate.
>> - Fix #327: net/if.h check fails on some darwin versions; contribution by
>> Joshua Root.
>> - Fix #320: potential memory corruption due to size miscomputation upon
>> custom region alloc init.
>> - Fix #333: Unbound Segmentation Fault w/ log_info Functions From
>> Python Mod.
>> - Fix that minimal-responses does not remove addresses from a priming
>> query response.
>> - In man page note that tls-cert-bundle is read before permission
>> drop and chroot.
>> - Fix #341: fixing a possible memory leak.
>> - Fix memory leak after fix for possible memory leak failure.
>> - Fix #343: Fail to build --with-libnghttp2 with error: 'SSIZE_MAX'
>> undeclared.
>> - Fix for #303 CVE-2020-28935 : Fix that symlink does not interfere
>> with chown of pidfile.
>> - Fix #347: IP_DONTFRAG broken on Apple xcode 12.2.
>> - Fix #350: with the AF_NETLINK permission, to fix 1.12.0 error:
>> failed to list interfaces: getifaddrs: Address family not
>> supported by protocol.
>> - Merge #351 from dvzrv: Add AF_NETLINK to set of allowed socket
>> address families.
>> - iana portlist updated.
>>
>> Best regards, Wouter
>>
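The udp-connect change in the announcement above relies on a documented property of POSIX sockets: once a UDP socket is connect()ed, it only receives datagrams from that peer and the kernel only reports ICMP errors for that peer (connect(2)). The program below is an added example written for this thread, not Unbound code; it builds three loopback UDP sockets (a stand-in "resolver", its "upstream", and a "stranger"), connects the resolver to the upstream, and checks that an unsolicited datagram from the stranger never reaches the application while the upstream's reply does. Socket names, port numbers (ephemeral) and the payload strings are constructed for the demonstration.

```c
/* Added example (not Unbound code): connected UDP sockets only deliver
 * datagrams from the connected peer, which is the behaviour udp-connect
 * relies on to narrow what an off-path sender can inject. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Create a UDP socket bound to 127.0.0.1 on a kernel-chosen port; fills *addr. */
static int bind_loopback(struct sockaddr_in *addr) {
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    memset(addr, 0, sizeof *addr);
    addr->sin_family = AF_INET;
    addr->sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    addr->sin_port = 0; /* ephemeral port */
    if (bind(fd, (struct sockaddr *)addr, sizeof *addr) < 0) { close(fd); return -1; }
    socklen_t len = sizeof *addr;
    if (getsockname(fd, (struct sockaddr *)addr, &len) < 0) { close(fd); return -1; }
    return fd;
}

/* Non-blocking receive: bytes read, 0 if the queue is empty, -1 on error. */
static ssize_t try_recv(int fd, char *buf, size_t cap) {
    ssize_t n = recv(fd, buf, cap, MSG_DONTWAIT);
    if (n < 0 && (errno == EAGAIN || errno == EWOULDBLOCK)) return 0;
    return n;
}

/* Returns 1 if the connected "resolver" socket dropped the stranger's datagram
 * and accepted the upstream's reply, 0 if it accepted both (the unconnected
 * behaviour), -1 on a socket error. */
int connected_udp_filters_strangers(void) {
    struct sockaddr_in resolver_addr, upstream_addr, stranger_addr;
    int resolver = bind_loopback(&resolver_addr);
    int upstream = bind_loopback(&upstream_addr);
    int stranger = bind_loopback(&stranger_addr);
    int result = -1;
    char buf[64];
    if (resolver < 0 || upstream < 0 || stranger < 0) goto out;

    /* The udp-connect behaviour: pin the resolver's socket to one upstream. */
    if (connect(resolver, (struct sockaddr *)&upstream_addr, sizeof upstream_addr) < 0) goto out;

    /* Constructed traffic: an unsolicited datagram from a third party... */
    if (sendto(stranger, "bogus", 5, 0,
               (struct sockaddr *)&resolver_addr, sizeof resolver_addr) < 0) goto out;
    /* ...and the genuine reply from the connected upstream. */
    if (sendto(upstream, "answer", 6, 0,
               (struct sockaddr *)&resolver_addr, sizeof resolver_addr) < 0) goto out;

    usleep(10000); /* loopback delivery is effectively immediate; small margin */

    int got_answer = 0, got_bogus = 0;
    ssize_t n;
    while ((n = try_recv(resolver, buf, sizeof buf)) > 0) {
        if (n == 6 && memcmp(buf, "answer", 6) == 0) got_answer = 1;
        if (n == 5 && memcmp(buf, "bogus", 5) == 0) got_bogus = 1;
    }
    if (n < 0) goto out;
    if (got_answer && !got_bogus) result = 1;
    else if (got_answer && got_bogus) result = 0;
out:
    if (resolver >= 0) close(resolver);
    if (upstream >= 0) close(upstream);
    if (stranger >= 0) close(stranger);
    return result;
}

int main(void) {
    int r = connected_udp_filters_strangers();
    printf("connected UDP socket filtered the stranger's datagram: %s\n",
           r == 1 ? "yes" : r == 0 ? "no" : "error");
    return r == 1 ? 0 : 1;
}
```

The kernel discards the stranger's datagram before the resolver ever sees it, so the application never has to decide whether to trust it; with an unconnected socket the same datagram would be queued and the check would fall to the application. This is the socket-level property the release notes describe as lowering exposure to ICMP side channels, though the full mitigation in Unbound also depends on how the kernel handles ICMP errors for connected versus unconnected sockets.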