Unbound 1.13.2 released

Wouter Wijngaards wouter at nlnetlabs.nl
Thu Aug 12 08:00:00 UTC 2021 

Hi,

Unbound 1.13.2 is available:
https://nlnetlabs.nl/downloads/unbound/unbound-1.13.2.tar.gz
sha256 0a13b547f3b92a026b5ebd0423f54c991e5718037fd9f72445817f6a040e1a83
pgp https://nlnetlabs.nl/downloads/unbound/unbound-1.13.2.tar.gz.asc

The release contains a bugfix to fix the make install of the python
module after build changes introduced in this release RC1.

This release contains a number of bug fixes. There is a crash fix for
broken internal structures in stream reuse, that is used when many TCP
or TLS upstream connections are made. Also a number of features are added.

The ZONEMD support allows verification of downloaded authority zone
files with the zonemd hash. It can be enabled with the zonemd-check
option. It implements RFC8976. With zonemd-permissive-mode it is
possible to try out the functionality without withholding the zone if
the checks fail. With zonemd-reject-absence the zonemd record becomes a
requirement for a zone.

It is possible to use interface names for the control-interface as well,
it was already possible for the interface, but now also for the remote
control functionality. It allows the user to config the interface with
the interface name, like 'eth0', instead of an IP address.

It is possible to configure the persistent TCP connection, with the
options max-reuse-tcp-queries and tcp-reuse-timeout. These also apply to
TLS reused connections.

The local zone types always_null, always_nodata and always_deny work
inside the local zones that are defined inside a view.

The log servfail error message now includes more information, it
attempts to add an IP address and information about the one of the last
failures that is associated with that query.

With the option tcp-auth-query-timeout, the time to wait for queries
to upstream authority servers can be configured, for TCP and TLS queries.

It is possible to configure unbound with --with-deprecate-rsa-1024, that
stops the use of RSA 1024 keys. That makes unbound work with certain
FIPS installations that do not allow such calls to the crypto API. If
the option is enabled, Unbound treats RSA keys with an insufficiently
sized key as not supported. Responses with unsupported crypto are marked
insecure.

The NSEC3 maximum iterations are lowered to 150. This is the new default
setting. This puts this in line with other DNS implementations. If the
iterations count is exceeded the response becomes insecure.

The number of validator retries when there is a DNSSEC failure can be
configured with the val-max-restart option.

The RR types SVCB and HTTPS are supported according to the draft
specification. The syntax can be used in local zones and zone files,
and debug output. The types themselves were already supported on the
wire the RFC3597 unknown RR type support.

The HTTP user agent header can be configured or elided, to
avoid printing the version of type of the software running on the
server, with the options http-user-agent and hide-http-user-agent.

Features
- Merge PR #317: ZONEMD Zone Verification, with RFC 8976 support.
  ZONEMD records are checked for zones loaded as auth-zone,
  with DNSSEC if available.  There is an added option
  zonemd-permissive-mode that makes it log but not fail wrong zones.
  With zonemd-reject-absence for an auth-zone the presence of a
  zonemd can be mandated for specific zones.
- Fix: Resolve interface names on control-interface too.
- Merge #470 from edevil: Allow configuration of persistent TCP
  connections.
- Fix #474: always_null and others inside view.
- Add that log-servfail prints an IP address and more information
  about one of the last failures for that query.
- Merge #478: Allow configuration of TCP timeout while waiting for
  response.
- Add ./configure --with-deprecate-rsa-1024 that turns off RSA 1024.
- Move the NSEC3 max iterations count in line with the 150 value
  used by BIND, Knot and PowerDNS. This sets the default value
  for it in the configuration to 150 for all key sizes.
- zonemd-check: yesno option, default no, enables the processing
  of ZONEMD records for that zone.
- Merge #486 by fobster: Make VAL_MAX_RESTART_COUNT configurable.
- Merge PR #491: Add SVCB and HTTPS types and handling according to
  draft-ietf-dnsop-svcb-https.
- Introduce 'http-user-agent:' and 'hide-http-user-agent:' options.

Bug Fixes
- Fix for Python 3.9, no longer use deprecated functions of
  PyEval_CallObject (now PyObject_Call), PyEval_InitThreads (now
  none), PyParser_SimpleParseFile (now Py_CompileString).
- Merge PR #420 from dyunwei: DOH not responsing with
  "http2_query_read_done failure" logged.
- Fix #422: IPv6 fallback issues when IPv6 is not properly
  enabled/configured.
- Fix to make tests work with support indicators set for iterator.
- Fix build on Python 3.10.
- Fix doxygen and pydoc warnings.
- Fix #429: rpz: url: with https: broken (regression in 1.13.1).
- rpz skip nsec3param records, and nicer log for unsupported actions.
- Fix #431: Squelch permission denied errors for tcp connect
  and udp connect from the logs, unless at high verbosity.
- Fix for zonemd, that nxdomain for the chain of trust is allowed
  for island zones, it is treated as an insecure zone for verification.
- Fix for zonemd, that domain-insecure zones work without dnssec.
- Fix for zonemd, do not reject insecure result from trust anchor
  validation step in dnssec chain of trust.
- On startup of unbound it checks if rlimits on memory size look
  sufficient for the configured cache size, and logs warning if not.
- Fix function documentation.
- Fix unit test for added ulimit checks.
- spelling fix in header.
- Fix #384: (1) A minor request to improve the log (2) A minor bug in one
  log message.
- ipsecmod: Better logging for detecting a cycle when attaching the
  A/AAAA subquery.
- Merge PR #367 : DNSTAP log local address.  With code from PR #365
  and fixes #368 : dnstap does not log the DNS message ID for
  FORWARDER_QUERY.
- Fix to allow rpz with wildcard that applies to all TLDs at once.
- Fix for #367: rc_ports don't have ub_sock; skip cleaning up.
- Fix spurious errors about "Could not generate request: out of
  memory".  The mesh detect cycle routine no longer wrongly stops
  the check when the calling mesh state is unique.
- Workaround for #439: prevent loops in the reuse rbtree.
- Debug output for #411 and #439: printout internal error and details.
- Fix parse of LOC RR type for decimetres.
- Fix #441: Minimal NSEC range not accepted for top level domains.
- Fix for #447: squelch connection refused tcp connection failures
  from the log, unless verbosity is high.
- Merge #449 from orbea: build: Add missing linker flags.
- Comment out nonworking OSX and IOS travis tests, vm fails to start.
- Fix compile error in listen_dnsport on Android.
- Fix memory leak reported by asan in rpz SOA record query name.
- Fix unused-function warning when compiling with --enable-dnscrypt.
- Fix for #367: fix memory leak when cannot bind to listening port.
- Reformat pythonmod/pythonmod_utils.{c,h}.
- Travis enable all tests again. Clang analyzer only a couple times,
  when there is a difference. homebrew updates disabled, so it does
  not hang. removed trailing slashes from configure paths. Moved iOS
  tests to allow-failure.
- travis, analyzer disabled on test without debug, that does not
  run anway.  Turn off failing tests except one.  Update iOS test
  to xcode image 12.2.
- Fix deprecation test to work for iOS TVOS and WatchOS, it uses
  CFLAGS and CPPFLAGS and also checks if the item is unavailable.
- Travis, fix script to fail when tasks fail.
- Travis, fix warning in ubsan compile.
- Fix configure Targetconfiditionals.h header check, to use compile.
- Fix that cachedb does not produce empty object files when disabled.
- Fix #429: Also fix end of transfer for http download of auth zones.
- Disable the use of stack-protector for cross compiled 32-bit windows
  builds; relates to #444.
- Fix stack-protector change to not override other CFLAGS options.
- Clean makedist.sh.
- Merge #460 from orbea: build: Link with the libtool archive.
- Fix to stop IPv6 PMTU discovery.
- Fix for #411: Depth protect for crash on deleted element timeout.
- rebuild configure to set EXTRALINK to libunbound.la for #460.
- Fix permission denied sendto log, squelch the log messages
  unless high verbosity is set.
- Fix (increase) verbosity level for iterator error log in
  processQueryTargets().
- Fix that nxdomain synthesis does not happen above the stub or
  forward definition.
- Fix documentation comment for files previously residing in checkconf/.
- Remove unused functions worker_handle_reply and libworker_handle_reply.
- Merge #466 from FGasper: Support OpenSSLs that lack
  SSL_get0_alpn_selected.
- Fix #468: OpenSSL 1.0.1 can no longer build Unbound.
- Further fix for #468: detect SSL_CTX_set_alpn_protos for build with
  OpenSSL 1.0.1.
- Fix that testcode dohclient has OpenSSL initialisation calls.
- Fix compiler warning for signed/unsigned comparison for
  max_reuse_tcp_queries.
- Fix #481: Fix comment in configuration file.
- Fix to squelch tcp socket bind failures when the interface is gone.
- Rerun flex and bison.
- Fix for #367: only attempt to get the interface for queries that are no
  longer on the tcp_waiting_list.
- Add more logging for out-of-memory cases.
- Fix #485: Unbound occasionally reports broken stats.
- Remove case fallthrough from deprecate-rsa-1024 code.
- Merge PR #487: ifdef RLIMIT_AS in recently added check.
- Fix that auth-zone zonefiles use last TTL if no TTL is specified.
- Fix #489: Compile using MSYS2 MinGW 64-bit.
- Fix for #411, #439, #469: Reset the DNS message ID when moving queries
  between TCP streams.
- Refactor for uniform way to produce random DNS message IDs.
- Test code has -q option for quiet output.
- Fix #492: module-config respip missing in unbound.conf.5.in man
  page. Merges #494 from he32.
- For #492: Fix font highlighting for the man page on emacs.
- Merge #496 from banburybill: Use build system endianness if
  available, otherwise try to work it out.
- Fix test for zonemd-check option.
- Merge #448 from shoeper: Update unbound-control.8.in, fix
  rpz_disable typo.
- Fix #425: Document auth-zone supports communication with DNS
  primary on nondefault port.
- Fix unused variable warning when compiling with --enable-dnstap.
- Generated lexer and parser for #486; updated example.conf.
- Fix #413 (based on patch by k-ronny): unbound: does not compile
  on macOS 11.1-x86_64 host.
- Use host_os instead of target_os in configure for Darwin8 build.
- Fix #500: SPEC file in version 1.13.1 references version 1.4;
  unable to build RPM from source.
- Fix contrib/unbound.spec, fixed url and comment.
- Fix configure nonblocking test and onmingw test to use host.
- Merge #440 by kimheino: Various fixes to contrib/unbound_munin_ file.
- Fix a number of warnings reported by the gcc analyzer.
- Fix #495: Documentation or implementation of "verbosity" option.
- Fix #503: DNS over HTTPS response truncated.
- Fix warnings reported by the gcc analyzer.
- Add analyzer and port compile github workflow.
- Fix up permissions on rpl data file in tests.
- Fix testbound newline treatment in moment_read and tempfile write.
- Fix configure grep for reuseport default for failure.
- Fix compat ctime_r return value
- Fix configure does not require pkg-config if not needed.
- Fix unit test in the ctime_r calls for autotrust and in testbound.
- Fix auth zone download on windows to unlink before rename.
- Fix #506: Python Module Seems to Leak Memory if it Experiences an
  Unhandled Exception.
- Fix Wunused-result compile warnings.
- Fix compiler warnings for #491.
- Fix clang-analysis warnings for testcode/readzone.c.
- Merge #510 from ndptech: Don't call a function which hasn't been
  defined.
- Fix for #510: in depth, use ifdefs for windows api event calls.
- Fix spelling in doc/unbound.doxygen comment.
- Fix spelling in localzone.h comment.
- Fix unbound-control local_data and local_datas to print detailed
  syntax errors.
- review fix to remove duplicate error printout.
- Insert header into testcode/readzone.c, it was missing.
- Fix from lint for ignored return value.
- Fix for older parsers for function call in serve expired get cached.
- Fix that ldns_zone_new_frm_fp_l counts the line number for an empty
  line after a comment.
- Merge #512: unbound.service.in: upgrade hardening to latest
  standards.
- Fix readzone unknown type print for memory resize.
- Merge #513: Stream reuse, attempt to fix #411, #439, #469. This
  introduces a couple of fixes for the stream reuse functionality
  that could result in broken internal structures.
- Fix #515: Compilation against openssl 3.0.0 beta2 is failing to
  build unbound.
- For #515: Fix compilation with openssl 3.0.0 beta2, lib64 dir and
  SSL_get_peer_certificate.
- Move acx_nlnetlabs.m4 to version 41, with lib64 openssl dir check.
- Prepare for OpenSSL 3.0.0 provider API usage, move the sldns
  keyraw functions to produce EVP_PKEY results.
- Move RSA and DSA to use OpenSSL 3.0.0 API.
- Move ECDSA functions to use OpenSSL 3.0.0 API.
- iana portlist update.
- Fix verbose printout failure in tcp reuse unit test.
- Merge PR #517 from dyunwei: #420 breaks the mesh reply list
  function that need to reuse the dns answer.
- Annotate assertion into error printout; we think it may be an
  error, but the situation looks harmless.
- Fix sign comparison warning on FreeBSD.
- Listen to read or write events after the SSL handshake.
  Sticky events on windows would stick on read when write was needed.
- Merge PR #415 from sibeream: Use
  /proc/sys/net/ipv4/ip_local_port_range to determine available outgoing
  ports. (New --enable-linux-ip-local-port-range configuration option)
- Bump MAX_RESTART_COUNT to 11 from 8; in relation to #438. This
  allows longer CNAME chains in Unbound.
- In unit test use openssl set security level to allow keys in test.
- Fix static analysis warnings about localzone locks that are unused.
- Fix missing locks in zonemd unit test.
- Fix readzone compile under debug config.
- Fix out of sourcedir run of zonemd unit tests.
- Fix libnettle zonemd unit test.
- Fix unit test zonemd_reload for use in run_vm.
- Fix #520: Unbound 1.13.2rc1 fails to build python module.

Best regards, Wouter

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 840 bytes
Desc: OpenPGP digital signature
URL: <http://lists.nlnetlabs.nl/pipermail/unbound-users/attachments/20210812/1f6da20a/attachment.bin>

More information about the Unbound-users mailing list