Unbound 1.13.2rc1 pre-release

Yuri yvoinov at gmail.com
Fri Aug 6 07:54:59 UTC 2021


Runs ok on dev server. Seems memory leaks are fixed: memory consumption 
looks stable.

05.08.2021 15:11, Wouter Wijngaards via Unbound-users wrote:
> Hi,
>
> Unbound 1.13.2rc1 pre-release is available:
> https://nlnetlabs.nl/downloads/unbound/unbound-1.13.2rc1.tar.gz
> sha256 9627a85779eb9f812f725438ff5fa4c61baa649cb6da1560c8e5eaea606c3e02
> pgp https://nlnetlabs.nl/downloads/unbound/unbound-1.13.2rc1.tar.gz.asc
>
> This release contains a number of bug fixes. There is a crash fix for
> broken internal structures in stream reuse, that is used when many TCP
> or TLS upstream connections are made. Also a number of features are added.
>
> The ZONEMD support allows verification of downloaded authority zone
> files with the zonemd hash. It can be enabled with the zonemd-check
> option. It implements RFC8976. With zonemd-permissive-mode it is
> possible to try out the functionality without withholding the zone if
> the checks fail. With zonemd-reject-absence the zonemd record becomes a
> requirement for a zone.
>
> It is possible to use interface names for the control-interface as well;
> this was already possible for the interface option, but now also works for
> the remote control functionality. It allows the user to configure the
> interface with the interface name, like 'eth0', instead of an IP address.
>
> It is possible to configure the persistent TCP connection, with the
> options max-reuse-tcp-queries and tcp-reuse-timeout. These also apply to
> TLS reused connections.
>
> The local zone types always_null, always_nodata and always_deny work
> inside the local zones that are defined inside a view.
>
> The log servfail error message now includes more information; it
> attempts to add an IP address and information about one of the last
> failures that is associated with that query.
>
> With the option tcp-auth-query-timeout, the time to wait for queries
> to upstream authority servers can be configured, for TCP and TLS queries.
>
> It is possible to configure unbound with --with-deprecate-rsa-1024, that
> stops the use of RSA 1024 keys. That makes unbound work with certain
> FIPS installations that do not allow such calls to the crypto API. If
> the option is enabled, Unbound treats RSA keys with an insufficiently
> sized key as not supported. Responses with unsupported crypto are marked
> insecure.
>
> The NSEC3 maximum iterations are lowered to 150. This is the new default
> setting. This puts this in line with other DNS implementations. If the
> iterations count is exceeded the response becomes insecure.
>
> The number of validator retries when there is a DNSSEC failure can be
> configured with the val-max-restart option.
>
> The RR types SVCB and HTTPS are supported according to the draft
> specification. The syntax can be used in local zones and zone files,
> and debug output. The types themselves were already supported on the
> wire via the RFC3597 unknown RR type support.
>
> The HTTP user agent header can be configured or elided, to
> avoid printing the version or type of the software running on the
> server, with the options http-user-agent and hide-http-user-agent.
>
> Features
> - Merge PR #317: ZONEMD Zone Verification, with RFC 8976 support.
>    ZONEMD records are checked for zones loaded as auth-zone,
>    with DNSSEC if available.  There is an added option
>    zonemd-permissive-mode that makes it log but not fail wrong zones.
>    With zonemd-reject-absence for an auth-zone the presence of a
>    zonemd can be mandated for specific zones.
> - Fix: Resolve interface names on control-interface too.
> - Merge #470 from edevil: Allow configuration of persistent TCP
>    connections.
> - Fix #474: always_null and others inside view.
> - Add that log-servfail prints an IP address and more information
>    about one of the last failures for that query.
> - Merge #478: Allow configuration of TCP timeout while waiting for
>    response.
> - Add ./configure --with-deprecate-rsa-1024 that turns off RSA 1024.
> - Move the NSEC3 max iterations count in line with the 150 value
>    used by BIND, Knot and PowerDNS. This sets the default value
>    for it in the configuration to 150 for all key sizes.
> - zonemd-check: yesno option, default no, enables the processing
>    of ZONEMD records for that zone.
> - Merge #486 by fobster: Make VAL_MAX_RESTART_COUNT configurable.
> - Merge PR #491: Add SVCB and HTTPS types and handling according to
>    draft-ietf-dnsop-svcb-https.
> - Introduce 'http-user-agent:' and 'hide-http-user-agent:' options.
>
> Bug Fixes
> - Fix for Python 3.9, no longer use deprecated functions of
>    PyEval_CallObject (now PyObject_Call), PyEval_InitThreads (now
>    none), PyParser_SimpleParseFile (now Py_CompileString).
> - Merge PR #420 from dyunwei: DOH not responding with
>    "http2_query_read_done failure" logged.
> - Fix #422: IPv6 fallback issues when IPv6 is not properly
>    enabled/configured.
> - Fix to make tests work with support indicators set for iterator.
> - Fix build on Python 3.10.
> - Fix doxygen and pydoc warnings.
> - Fix #429: rpz: url: with https: broken (regression in 1.13.1).
> - rpz skip nsec3param records, and nicer log for unsupported actions.
> - Fix #431: Squelch permission denied errors for tcp connect
>    and udp connect from the logs, unless at high verbosity.
> - Fix for zonemd, that nxdomain for the chain of trust is allowed
>    for island zones, it is treated as an insecure zone for verification.
> - Fix for zonemd, that domain-insecure zones work without dnssec.
> - Fix for zonemd, do not reject insecure result from trust anchor
>    validation step in dnssec chain of trust.
> - On startup of unbound it checks if rlimits on memory size look
>    sufficient for the configured cache size, and logs warning if not.
> - Fix function documentation.
> - Fix unit test for added ulimit checks.
> - spelling fix in header.
> - Fix #384: (1) A minor request to improve the log (2) A minor bug in one
>    log message.
> - ipsecmod: Better logging for detecting a cycle when attaching the
>    A/AAAA subquery.
> - Merge PR #367 : DNSTAP log local address.  With code from PR #365
>    and fixes #368 : dnstap does not log the DNS message ID for
>    FORWARDER_QUERY.
> - Fix to allow rpz with wildcard that applies to all TLDs at once.
> - Fix for #367: rc_ports don't have ub_sock; skip cleaning up.
> - Fix spurious errors about "Could not generate request: out of
>    memory".  The mesh detect cycle routine no longer wrongly stops
>    the check when the calling mesh state is unique.
> - Workaround for #439: prevent loops in the reuse rbtree.
> - Debug output for #411 and #439: printout internal error and details.
> - Fix parse of LOC RR type for decimetres.
> - Fix #441: Minimal NSEC range not accepted for top level domains.
> - Fix for #447: squelch connection refused tcp connection failures
>    from the log, unless verbosity is high.
> - Merge #449 from orbea: build: Add missing linker flags.
> - Comment out nonworking OSX and IOS travis tests, vm fails to start.
> - Fix compile error in listen_dnsport on Android.
> - Fix memory leak reported by asan in rpz SOA record query name.
> - Fix unused-function warning when compiling with --enable-dnscrypt.
> - Fix for #367: fix memory leak when cannot bind to listening port.
> - Reformat pythonmod/pythonmod_utils.{c,h}.
> - Travis enable all tests again. Clang analyzer only a couple times,
>    when there is a difference. homebrew updates disabled, so it does
>    not hang. removed trailing slashes from configure paths. Moved iOS
>    tests to allow-failure.
> - travis, analyzer disabled on test without debug, that does not
>    run anyway.  Turn off failing tests except one.  Update iOS test
>    to xcode image 12.2.
> - Fix deprecation test to work for iOS TVOS and WatchOS, it uses
>    CFLAGS and CPPFLAGS and also checks if the item is unavailable.
> - Travis, fix script to fail when tasks fail.
> - Travis, fix warning in ubsan compile.
> - Fix configure TargetConditionals.h header check, to use compile.
> - Fix that cachedb does not produce empty object files when disabled.
> - Fix #429: Also fix end of transfer for http download of auth zones.
> - Disable the use of stack-protector for cross compiled 32-bit windows
>    builds; relates to #444.
> - Fix stack-protector change to not override other CFLAGS options.
> - Clean makedist.sh.
> - Merge #460 from orbea: build: Link with the libtool archive.
> - Fix to stop IPv6 PMTU discovery.
> - Fix for #411: Depth protect for crash on deleted element timeout.
> - rebuild configure to set EXTRALINK to libunbound.la for #460.
> - Fix permission denied sendto log, squelch the log messages
>    unless high verbosity is set.
> - Fix (increase) verbosity level for iterator error log in
>    processQueryTargets().
> - Fix that nxdomain synthesis does not happen above the stub or
>    forward definition.
> - Fix documentation comment for files previously residing in checkconf/.
> - Remove unused functions worker_handle_reply and libworker_handle_reply.
> - Merge #466 from FGasper: Support OpenSSLs that lack
>    SSL_get0_alpn_selected.
> - Fix #468: OpenSSL 1.0.1 can no longer build Unbound.
> - Further fix for #468: detect SSL_CTX_set_alpn_protos for build with
>    OpenSSL 1.0.1.
> - Fix that testcode dohclient has OpenSSL initialisation calls.
> - Fix compiler warning for signed/unsigned comparison for
>    max_reuse_tcp_queries.
> - Fix #481: Fix comment in configuration file.
> - Fix to squelch tcp socket bind failures when the interface is gone.
> - Rerun flex and bison.
> - Fix for #367: only attempt to get the interface for queries that are no
>    longer on the tcp_waiting_list.
> - Add more logging for out-of-memory cases.
> - Fix #485: Unbound occasionally reports broken stats.
> - Remove case fallthrough from deprecate-rsa-1024 code.
> - Merge PR #487: ifdef RLIMIT_AS in recently added check.
> - Fix that auth-zone zonefiles use last TTL if no TTL is specified.
> - Fix #489: Compile using MSYS2 MinGW 64-bit.
> - Fix for #411, #439, #469: Reset the DNS message ID when moving queries
>    between TCP streams.
> - Refactor for uniform way to produce random DNS message IDs.
> - Test code has -q option for quiet output.
> - Fix #492: module-config respip missing in unbound.conf.5.in man
>    page. Merges #494 from he32.
> - For #492: Fix font highlighting for the man page on emacs.
> - Merge #496 from banburybill: Use build system endianness if
>    available, otherwise try to work it out.
> - Fix test for zonemd-check option.
> - Merge #448 from shoeper: Update unbound-control.8.in, fix
>    rpz_disable typo.
> - Fix #425: Document auth-zone supports communication with DNS
>    primary on nondefault port.
> - Fix unused variable warning when compiling with --enable-dnstap.
> - Generated lexer and parser for #486; updated example.conf.
> - Fix #413 (based on patch by k-ronny): unbound: does not compile
>    on macOS 11.1-x86_64 host.
> - Use host_os instead of target_os in configure for Darwin8 build.
> - Fix #500: SPEC file in version 1.13.1 references version 1.4;
>    unable to build RPM from source.
> - Fix contrib/unbound.spec, fixed url and comment.
> - Fix configure nonblocking test and onmingw test to use host.
> - Merge #440 by kimheino: Various fixes to contrib/unbound_munin_ file.
> - Fix a number of warnings reported by the gcc analyzer.
> - Fix #495: Documentation or implementation of "verbosity" option.
> - Fix #503: DNS over HTTPS response truncated.
> - Fix warnings reported by the gcc analyzer.
> - Add analyzer and port compile github workflow.
> - Fix up permissions on rpl data file in tests.
> - Fix testbound newline treatment in moment_read and tempfile write.
> - Fix configure grep for reuseport default for failure.
> - Fix compat ctime_r return value
> - Fix configure does not require pkg-config if not needed.
> - Fix unit test in the ctime_r calls for autotrust and in testbound.
> - Fix auth zone download on windows to unlink before rename.
> - Fix #506: Python Module Seems to Leak Memory if it Experiences an
>    Unhandled Exception.
> - Fix Wunused-result compile warnings.
> - Fix compiler warnings for #491.
> - Fix clang-analysis warnings for testcode/readzone.c.
> - Merge #510 from ndptech: Don't call a function which hasn't been
>    defined.
> - Fix for #510: in depth, use ifdefs for windows api event calls.
> - Fix spelling in doc/unbound.doxygen comment.
> - Fix spelling in localzone.h comment.
> - Fix unbound-control local_data and local_datas to print detailed
>    syntax errors.
> - review fix to remove duplicate error printout.
> - Insert header into testcode/readzone.c, it was missing.
> - Fix from lint for ignored return value.
> - Fix for older parsers for function call in serve expired get cached.
> - Fix that ldns_zone_new_frm_fp_l counts the line number for an empty
>    line after a comment.
> - Merge #512: unbound.service.in: upgrade hardening to latest
>    standards.
> - Fix readzone unknown type print for memory resize.
> - Merge #513: Stream reuse, attempt to fix #411, #439, #469. This
>    introduces a couple of fixes for the stream reuse functionality
>    that could result in broken internal structures.
> - Fix #515: Compilation against openssl 3.0.0 beta2 is failing to
>    build unbound.
> - For #515: Fix compilation with openssl 3.0.0 beta2, lib64 dir and
>    SSL_get_peer_certificate.
> - Move acx_nlnetlabs.m4 to version 41, with lib64 openssl dir check.
> - Prepare for OpenSSL 3.0.0 provider API usage, move the sldns
>    keyraw functions to produce EVP_PKEY results.
> - Move RSA and DSA to use OpenSSL 3.0.0 API.
> - Move ECDSA functions to use OpenSSL 3.0.0 API.
> - iana portlist update.
> - Fix verbose printout failure in tcp reuse unit test.
> - Merge PR #517 from dyunwei: #420 breaks the mesh reply list
>    function that needs to reuse the dns answer.
> - Annotate assertion into error printout; we think it may be an
>    error, but the situation looks harmless.
> - Fix sign comparison warning on FreeBSD.
> - Listen to read or write events after the SSL handshake.
>    Sticky events on windows would stick on read when write was needed.
> - Merge PR #415 from sibeream: Use
>    /proc/sys/net/ipv4/ip_local_port_range to determine available outgoing
>    ports. (New --enable-linux-ip-local-port-range configuration option)
> - Bump MAX_RESTART_COUNT to 11 from 8; in relation to #438. This
>    allows longer CNAME chains in Unbound.
> - In unit test use openssl set security level to allow keys in test.
> - Fix static analysis warnings about localzone locks that are unused.
> - Fix missing locks in zonemd unit test.
> - Fix readzone compile under debug config.
> - Fix out of sourcedir run of zonemd unit tests.
> - Fix libnettle zonemd unit test.
> - Fix unit test zonemd_reload for use in run_vm.
>
> Best regards, Wouter
>
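As an added illustration (not part of the announcement or of the Unbound project's own documentation), an unbound.conf fragment that exercises the options described above: ZONEMD verification on an auth-zone, the TCP/TLS reuse limits, the validator restart limit, the user-agent suppression, and an interface name for the control interface. The zone name, primary address, interface name and the numeric values are constructed for the example.

```conf
server:
    # ZONEMD: only log (do not withhold) zones whose hash check fails
    # while trying the feature out; set to "no" once it proves stable.
    zonemd-permissive-mode: yes

    # Persistent upstream TCP/TLS connections: cap the number of queries
    # sent over one reused stream and how long an idle stream is kept
    # (milliseconds). Constructed values.
    max-reuse-tcp-queries: 200
    tcp-reuse-timeout: 60000

    # Time (milliseconds) to wait for an answer from an authority server
    # over TCP or TLS before giving up on that stream. Constructed value.
    tcp-auth-query-timeout: 3000

    # How many times the validator retries after a DNSSEC failure.
    val-max-restart: 5

    # Do not reveal software name/version in the User-Agent header of
    # outgoing HTTP requests (auth-zone url: downloads).
    hide-http-user-agent: yes

remote-control:
    control-enable: yes
    # Interface name instead of an IP address; "lo" keeps the control
    # socket on loopback only (assumed Linux interface name).
    control-interface: lo

auth-zone:
    name: "example.com."
    primary: 192.0.2.1          # constructed address
    # Verify the downloaded zone against its ZONEMD record (RFC 8976),
    # and require that a ZONEMD record is present at all.
    zonemd-check: yes
    zonemd-reject-absence: yes
    # Serve only verified data; do not fall back to recursion for this zone.
    fallback-enabled: no
```

Validate the fragment with unbound-checkconf before reloading; with zonemd-permissive-mode set, ZONEMD mismatches appear in the log without the zone being withheld.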

