Unbound 1.14.0rc1 pre-release

Yuri yvoinov at gmail.com
Fri Dec 3 02:03:46 UTC 2021


Wow, less RSS. Running )))

02.12.2021 21:48, Wouter Wijngaards via Unbound-users wrote:
> Hi,
>
> Unbound 1.14.0rc1 pre-release is available:
> https://nlnetlabs.nl/downloads/unbound/unbound-1.14.0rc1.tar.gz
> sha256 e1f4ffb7386007f52435b7d537b563afa002f8ddb2e4a35424865e573d5cf4cb
> pgp https://nlnetlabs.nl/downloads/unbound/unbound-1.14.0rc1.tar.gz.asc
>
> This release contains bug fixes and a full set of RPZ triggers and
> actions that are supported. This works with RPZ zones, configured with
> `rpz:`.
>
> It is possible to selectively enable use of TCP for stub zones and
> forward zones, without having to enable it server wide, by enabling it
> with the `stub-tcp-upstream: yes` and `forward-tcp-upstream: yes` options.
>
> The added contrib/Dockerfile.tests from ziollek can be used to set up
> a Docker environment to run tests in. The documentation is in the
> doc/README.tests file.
>
> If openssl is installed with different versions, you can set the
> location as `--with-ssl=/usr/include/openssl11` and it then detects the
> use of the lib dir split off in /usr/lib64/openssl11 with regex. This is
> useful to pass to configure if openssl is installed in such a manner.
>
> The option `outbound-msg-retry` can be used to select the number of
> retries when a non-positive response is received. It is best left at
> default, but when the upstream is known to not need retries, it can be
> lowered, because in that case the upstream is performing the retry for
> non-positive responses.
>
> The domain `home.arpa.` is set by default as blocked, as per RFC8375. If
> you want to use it, unblock it with a local-zone nodefault statement, or
> use another type of local-zone to override it with your choice.
>
> In the config it is possible to enter IPv6 scope-id values with
> interface names, instead of a number, for link-local addresses.
>
> Features
> - Merge #401: RPZ triggers. This adds additional RPZ triggers,
>    unbound supports a full set of rpz triggers, and this now
>    includes nsdname, nsip and clientip triggers. Also actions
>    are fully supported, and this now includes the tcp-only action.
> - Merge #519: Support for selective enabling tcp-upstream for
>    stub/forward zones.
> - Merge PR #514, from ziollek: Docker environment for run tests.
> - Support using system-wide crypto policies.
> - Fix that --with-ssl can use "/usr/include/openssl11" to pass the
>    location of a different openssl version.
> - Merged #41 from Moritz Schneider: made outbound-msg-retry
>    configurable.
> - Implement RFC8375: Special-Use Domain 'home.arpa.'.
> - Merge PR #555 from fobser: Allow interface names as scope-id in IPv6
>    link-local addresses.
>
> Bug Fixes
> - Add test tool readzone to .gitignore.
> - Merge #521: Update mini_event.c.
> - Merge #523: fix: free() call more than once with the same pointer.
> - For #519: note stub-tcp-upstream and forward-tcp-upstream in
>    the example configuration file.
> - For #519: yacc and lex. And fix python bindings, and test program
>    unbound-dnstap-socket.
> - For #519: fix comments for doxygen.
> - Fix to print error from unbound-anchor for writing to the key
>    file, also when not verbose.
> - For #514: generate configure.
> - Fix for #431: Squelch permission denied errors for udp connect,
>    and udp send, they are visible at higher verbosity settings.
> - Fix zonemd verification of key that is not in DNS but in the zone
>    and needs a chain of trust.
> - zonemd, fix order of bogus printout string manipulation.
> - Fix to support harden-algo-downgrade for ZONEMD dnssec checks.
> - Merge PR #528 from fobser: Make sldns_str2wire_svcparam_buf()
>    static.
> - Fix #527: not sending quad9 cert to syslog (and may be more).
> - Fix sed script in ssldir split handling.
> - Fix #529: Fix: log_assert does nothing if UNBOUND_DEBUG is
>    undefined.
> - Fix #531: Fix: passed to proc after free.
> - Fix #536: error: RPZ: name of record (drop.spamhaus.org.rpz.local.)
>    to insert into RPZ.
> - Fix the stream wait stream_wait_count_lock and http2 buffer locks
>    setup and desetup from race condition.
> - Fix RPZ locks. Do not unlock zones lock if requested and rpz find
>    zone does not find the zone. Readlock the clientip that is found
>    for ipbased triggers. Unlock the nsdname zone lock when done.
>    Unlock zone and ip in rpz nsip and nsdname callback. Unlock
>    authzone and localzone if clientip found in rpz worker call.
> - Fix compile warning in libunbound for listen desetup routine.
> - Fix asynclook unit test for setup of lockchecks before log.
> - Fix #533: Negative responses get cached even when setting
>    cache-max-negative-ttl: 1
> - Fix tcp fastopen failure when disabled, try normal connect instead.
> - Fix #538: Fix subnetcache statistics.
> - Small fixes for #41: changelog, conflicts resolved,
>    processQueryResponse takes an iterator env argument like other
>    functions in the iterator, no colon in string for set_option,
>    and some whitespace style, to make it similar to the rest.
> - Fix for #41: change outbound retry to int to fix signed comparison
>    warnings.
> - Fix root_anchor test to check with new icannbundle date.
> - Fix initialisation errors reported by gcc sanitizer.
> - Fix lock debug code for gcc sanitizer reports.
> - Fix more initialisation errors reported by gcc sanitizer.
> - Fix crosscompile on windows to work with openssl 3.0.0 the
>    link with ws2_32 needs -l:libssp.a for __strcpy_chk.
>    Also copy results from lib64 directory if needed.
> - For crosscompile on windows, detect 64bit stackprotector library.
> - Fix crosscompile shell syntax.
> - Fix crosscompile windows to use libssp when it exists.
> - For the windows compile script disable gost.
> - Fix that on windows, use BIO_set_callback_ex instead of deprecated
>    BIO_set_callback.
> - Fix crosscompile script for the shared build flags.
> - Fix to add example.conf note for outbound-msg-retry.
> - Fix chaos replies to have truncation for short message lengths,
>    or long reply strings.
> - Fix to protect custom regional create against small values.
> - Fix #552: Unbound assumes index.html exists on RPZ host.
> - Fix that forward-zone name is documented as the full name of the
>    zone. It is not relative but a fully qualified domain name.
> - Fix analyzer review failure in rpz action override code to not
>    crash on unlocking the local zone lock.
> - Fix to remove unused code from rpz resolve client and action
>    function.
> - Merge #565: unbound.service.in: Disable ProtectKernelTunables again.
> - Fix for #558: fix loop in comm_point->tcp_free when a comm_point is
>    reclaimed more than once during callbacks.
> - Fix for #558: clear the UB_EV_TIMEOUT bit before adding an event.
> - Improve EDNS option handling, now also works for synthesised
>    responses such as local-data and server.id CH TXT responses.
> - Merge PR #570 from rex4539: Fix typos.
> - Fix for #570: regen aclocal.m4, fix configure.ac for spelling.
> - Fix to make python module opt_list use opt_list_in.
> - Fix #574: unbound-checkconf reports fatal error if interface names
>    are used as value for interfaces:
> - Fix #574: Review fixes for it.
> - Fix #576: [FR] UB_* error codes in unbound.h
> - Fix #574: Review fix for spelling.
> - Fix to remove git tracking and ci information from release tarballs.
> - iana portlist update.
> - Merge PR #511 from yan12125: Reduce unnecessary linking.
> - Merge PR #493 from Jaap: Fix generation of libunbound.pc.
> - Merge PR #562 from Willem: Reset keepalive per new tcp session.
> - Merge PR #522 from sibeream: memory management violations fixed.
> - Merge PR #530 from Shchelk: Fix: dereferencing a null pointer.
> - Fix #454: listen_dnsport.c:825: error: ‘IPV6_TCLASS’ undeclared.
> - Fix #574: Review fixes for size allocation.
> - Fix doc/unbound.doxygen to remove obsolete tag warning.
>
> Best regards, Wouter
>
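
The configuration options named in the announcement above, placed in the clauses where they belong, as an added unbound.conf sketch that is not part of the original message or of the Unbound distribution. Zone names, addresses, the interface name and the retry value are constructed placeholders.

```conf
# Added example; names, addresses and values are constructed placeholders.
server:
    interface: 127.0.0.1
    # Link-local address with an interface name as the scope-id instead of
    # a number (eth0 is an assumed interface name).
    interface: fe80::1%eth0

    # home.arpa. is blocked by default as per RFC 8375; nodefault removes
    # the built-in block so the stub-zone below can answer for it.
    local-zone: "home.arpa." nodefault

    # Number of retries when a non-positive response is received.
    # Best left at default; lower it only when the upstream is known to
    # perform the retry itself. The value shown is illustrative.
    # outbound-msg-retry: 2

# TCP to the upstream for this stub zone only, not server wide.
stub-zone:
    name: "home.arpa."
    stub-addr: 192.0.2.53
    stub-tcp-upstream: yes

# TCP to the upstream for this forward zone only. The name is the fully
# qualified domain name of the zone, not a relative name.
forward-zone:
    name: "example.com."
    forward-addr: 192.0.2.1
    forward-tcp-upstream: yes
```

Check the resulting file with `unbound-checkconf` before loading it.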

