[NLnet Labs Maintainers] Unbound 1.15.0 released
Fredrik Pettai
pettai at sunet.se
Thu Feb 10 17:52:51 UTC 2022
Hi Wouter,
It looks like, with a certain (DoT?) configuration, 53/tcp becomes defunct on this version of unbound.
The previous version worked:
pettai at bygg-server:~$ unbound -V
Version 1.14.0
Configure line: --build=x86_64-linux-gnu --prefix=/usr --includedir=${prefix}/include --mandir=${prefix}/share/man --infodir=${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --disable-silent-rules --libdir=${prefix}/lib/x86_64-linux-gnu --libexecdir=${prefix}/lib/x86_64-linux-gnu --disable-maintainer-mode --disable-dependency-tracking --disable-rpath --with-pidfile=/run/unbound.pid --with-rootkey-file=/var/lib/unbound/root.key --with-libevent --with-libhiredis --with-libnghttp2 --with-pythonmodule --enable-cachedb --enable-subnet --enable-dnstap --enable-systemd --with-chroot-dir= --with-dnstap-socket-path=/run/dnstap.sock --libdir=/usr/lib
Linked libs: libevent 2.1.8-stable (it uses epoll), OpenSSL 1.1.1 11 Sep 2018
Linked modules: dns64 python cachedb subnetcache respip validator iterator
BSD licensed, see LICENSE in source package for details.
Report bugs to unbound-bugs at nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues
pettai at bygg-server:~$ host -T www.sunet.se localhost
Using domain server:
Name: localhost
Address: 127.0.0.1#53
Aliases:
www.sunet.se has address 37.156.192.50
www.sunet.se has address 37.156.192.51
www.sunet.se has IPv6 address 2001:6b0:60:c0::50
www.sunet.se has IPv6 address 2001:6b0:60:c0::51
Once upgraded to 1.15.0, it won’t work anymore:
pettai at bygg-server:~$ host -T www.sunet.se localhost
;; communications error to 127.0.0.1#53: connection reset
I noted this:
Feb 10 17:38:23 bygg-server unbound: [25885:0] error: ssl handshake failed crypto error:1408F10B:SSL routines:ssl3_get_record:wrong version number
Feb 10 17:38:23 bygg-server unbound: [25885:0] notice: ssl handshake failed 127.0.0.1 port 58523
We had DoT configured and working previously.
After removing all of the DoT settings from the configuration, unbound started to answer on 53/tcp again:
#tls-port: 853
#tls-service-key: /etc/unbound/privkey.pem
#tls-service-pem: /etc/unbound/fullchain.pem
Anyone else who has had issues with this?
Re,
/P
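As an added example (not code from this thread, and not Unbound's own), here is a small Python probe that sends one plaintext DNS query over TCP to a resolver and classifies what comes back, so the "connection reset" symptom reported above shows up in a post-upgrade check instead of in production; with use_tls=True it runs the same query against the DoT port. The host, ports and query name in the comments are assumptions.

```python
import socket
import ssl
import struct

def build_query(name, qtype=1, qid=0x1234):
    """Plain DNS query with RD set; qtype 1 = A, 28 = AAAA."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)  # class IN

def parse_header(msg, expected_id):
    """Classify a raw DNS reply: returns (status, rcode, answer_count)."""
    if len(msg) < 12:
        return ("short", None, None)
    qid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if qid != expected_id:
        return ("id-mismatch", flags & 0xF, an)
    if not flags & 0x8000:  # QR bit must be set on a response
        return ("not-a-response", flags & 0xF, an)
    return ("ok", flags & 0xF, an)

def classify_error(exc):
    """Map a socket failure to the symptom an operator would report."""
    if isinstance(exc, ConnectionResetError):
        return "reset"      # what `host -T` showed in the report above
    if isinstance(exc, ConnectionRefusedError):
        return "refused"    # nothing listening on that port at all
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout"
    return "error"          # e.g. a TLS failure on the DoT port

def probe_tcp(host, port, name, use_tls=False, timeout=3.0):
    """Send one length-prefixed query over TCP (or DoT) and classify the reply."""
    qid = 0x1234
    query = build_query(name, qid=qid)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            if use_tls:  # DoT: certificate is verified against the system CA store
                sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
            sock.sendall(struct.pack(">H", len(query)) + query)
            reader = sock.makefile("rb")
            hdr = reader.read(2)  # 2-byte length prefix used by DNS over TCP
            if len(hdr) < 2:
                return ("short", None, None)
            return parse_header(reader.read(struct.unpack(">H", hdr)[0]), qid)
    except OSError as exc:
        return (classify_error(exc), None, None)

# Assumed usage after an upgrade (values are placeholders, not from the thread):
#   probe_tcp("127.0.0.1", 53, "www.sunet.se")                 -> expect ("ok", 0, n)
#   probe_tcp("127.0.0.1", 853, "www.sunet.se", use_tls=True)  -> expect ("ok", 0, n)
```

A healthy resolver returns "ok" on both ports; "reset" on 53/tcp with "ok" on 853 is the pattern described in the report above.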
> On 10 Feb 2022, at 09:52, Wouter Wijngaards via maintainers <maintainers at lists.nlnetlabs.nl> wrote:
>
> Hi,
>
> Unbound 1.15.0 is available:
> https://nlnetlabs.nl/downloads/unbound/unbound-1.15.0.tar.gz
> sha256 a480dc6c8937447b98d161fe911ffc76cfaffa2da18788781314e81339f1126f
> pgp https://nlnetlabs.nl/downloads/unbound/unbound-1.15.0.tar.gz.asc
>
> This release has bug fixes for crashes that happened on heavy network
> usage. The default for the aggressive-nsec option has changed, it is now
> enabled.
>
> The ratelimit logic had to be reworked for the crash fixes. As a result,
> there are new options to control the behaviour of ratelimiting.
> The ratelimit-backoff and ip-ratelimit-backoff options can be used to
> control how severe the backoff is when the ratelimit is exceeded.
>
> The rpz-signal-nxdomain-ra option can be used to unset the RA flag, for
> NXDOMAIN answers from RPZ. That is used by some clients to detect that
> the domain is externally blocked. The RPZ option for-downstream can be
> used like for auth zones, this allows the RPZ zone information to be
> queried. That can be useful for monitoring scripts.
>
> Features
> - Fix #596: unset the RA bit when a query is blocked by an unbound
> RPZ nxdomain reply. The option rpz-signal-nxdomain-ra allows to
> signal that a domain is externally blocked to clients when it
> is blocked with NXDOMAIN by unsetting RA.
> - Add rpz: for-downstream: yesno option, where the RPZ zone is
> authoritatively answered for, so the RPZ zone contents can be
> checked with DNS queries directed at the RPZ zone.
> - Merge PR #616: Update ratelimit logic. It also introduces
> ratelimit-backoff and ip-ratelimit-backoff configuration options.
> - Change aggressive-nsec default to yes.
>
> Bug Fixes
> - Fix compile warning for if_nametoindex on windows 64bit.
> - Merge PR #581 from fobser: Fix -Wmissing-prototypes and -Wshadow
> warnings in rpz.
> - Fix validator debug output about DS support, print correct algorithm.
> - Add code similar to fix for ldns for tab between strings, for
> consistency, the test case was not broken.
> - Allow local-data for classes other than IN to inherit a configured
> local-zone's type if possible, instead of defaulting to type
> transparent as per the implicit rule.
> - Fix to pick up other class local zone information before unlock.
> - Add missing configure flags for optional features in the
> documentation.
> - Fix Unbound capitalization in the documentation.
> - Fix #591: Unbound-anchor manpage links to non-existent license file.
> - contrib/aaaa-filter-iterator.patch file renewed diff content to
> apply cleanly to the current coderepo for the current code version.
> - Fix to add test for rpz-signal-nxdomain-ra.
> - Fix #596: only unset RA when NXDOMAIN is signalled.
> - Fix that RPZ does not set RD flag on replies, it should be copied
> from the query.
> - Fix for #596: fix that rpz return message is returned and not just
> the rcode from the iterator return path. This fixes signal unset RA
> after a CNAME.
> - Fix unit tests for rpz now that the AA flag returns successfully from
> the iterator loop.
> - Fix for #596: add unit test for nsdname trigger and signal unset RA.
> - Fix for #596: add unit test for nsip trigger and signal unset RA.
> - Fix #598: Fix unbound-checkconf fatal error: module conf
> 'respip dns64 validator iterator' is not known to work.
> - Fix for #596: Fix rpz-signal-nxdomain-ra to work for clientip
> triggered operation.
> - Merge #600 from pemensik: Change file mode before changing file
> owner.
> - Fix prematurely terminated TCP queries when a reply has the same ID.
> - For #602: Allow the module-config "subnetcache validator cachedb
> iterator".
> - Fix EDNS to upstream where the same option could be attached
> more than once.
> - Add a region to serviced_query for allocations.
> - For dnstap, do not wakeupnow right there. Instead zero the timer to
> force the wakeup callback asap.
> - Fix #610: Undefine-shift in sldns_str2wire_hip_buf.
> - Fix #588: Unbound 1.13.2 crashes due to p->pc is NULL in
> serviced_udp_callback.
> - Merge PR #612: TCP race condition.
> - Test for NSID in SERVFAIL response due to DNSSEC bogus.
> - Fix #599: [FR] RFC 9156 (obsoletes RFC 7816), by noting the new RFC
> document.
> - Fix tls-* and ssl-* documented alternate syntax to also be available
> through remote-control and unbound-checkconf.
> - Better cleanup on failed DoT/DoH listening socket creation.
> - iana portlist update.
> - Fix review comment for use-after-free when failing to send UDP out.
> - Merge PR #603 from fobser: Use OpenSSL 1.1 API to access DSA and RSA
> internals.
> - Merge PR #532 from Shchelk: Fix: buffer overflow bug.
> - Merge PR #617: Update stub/forward-host notation to accept port and
> tls-auth-name.
> - Update stream_ssl.tdir test to also use the new forward-host
> notation.
> - Fix header comment for doxygen for authextstrtoaddr.
> - please clang analyzer for loop in test code.
> - Fix docker splint test to use more portable uname.
> - Update contrib/aaaa-filter-iterator.patch with diff for current
> software version.
> - Fix for #611: Integer overflow in sldns_wire2str_pkt_scan.
>
> Best regards, Wouter