Unbound 1.18.0rc1 pre-release
Wouter Wijngaards
wouter at nlnetlabs.nl
Mon Aug 28 11:35:45 UTC 2023
Hi RayG,
The commit
https://github.com/NLnetLabs/unbound/commit/85ee5284f55713b86199ad3f1c80e7f904ce8b7a
should fix the issue. The version number was ignored, but otherwise no
issues from it. Only a text change, and that should be fixed. Thanks for
the report!
Best regards, Wouter
On 8/24/23 17:00, RayG wrote:
> Hi Wouter,
>
> I downloaded the Windows 64bit version from: https://nlnetlabs.nl/downloads/unbound/
>
> unbound_setup_1.18.0rc1-w32.exe.asc 2023-08-23 10:28 833
> unbound_setup_1.18.0rc1-w32.exe.sha1 2023-08-23 10:28 41
> unbound_setup_1.18.0rc1-w32.exe.sha256 2023-08-23 10:28 65
>>>>> unbound_setup_1.18.0rc1.exe 2023-08-23 10:28 21M
> unbound_setup_1.18.0rc1.exe.asc 2023-08-23 10:28 833
> unbound_setup_1.18.0rc1.exe.sha1 2023-08-23 10:28 41
> unbound_setup_1.18.0rc1.exe.sha256 2023-08-23 10:28 65
>
> Which I though was the correct place.
>
> Ray
>
> -----Original Message-----
> From: Wouter Wijngaards <wouter at nlnetlabs.nl>
> Sent: Thursday, August 24, 2023 9:00 AM
> To: RayG <rgsub1 at btinternet.com>; unbound-users at lists.nlnetlabs.nl; maintainers at lists.nlnetlabs.nl
> Subject: Re: Unbound 1.18.0rc1 pre-release
>
> Hi RayG,
>
> Thanks for letting me know that it works! That is good to hear.
>
> After a lot of searching I see no failures to put the version string as '1.18.0rc1' in the distributed files. Unless you installed from the github repo, the version in there, and also the github snapshot file from the snapshot page on the github website, has 1.18.0 as the version string because that is what is the source repo. For the release, that is the version, the rc part is added to the distribution files that are put on the nlnetlabs.nl website.
>
> Best regards, Wouter
>
> On 8/23/23 17:09, RayG wrote:
>> Hi Wouter,
>>
>> Initial thing I noticed was In the log file the version is shown as:
>>
>> start of service (unbound 1.18.0)
>>
>> Its missing the RC* status
>>
>> Other than that just a straight install no changes to my config file
>> (yet) all seems to be working 😊
>>
>> Ray
>>
>> -----Original Message-----
>> From: Wouter Wijngaards <wouter at nlnetlabs.nl>
>> Sent: Wednesday, August 23, 2023 9:46 AM
>> To: unbound-users at lists.nlnetlabs.nl; maintainers at lists.nlnetlabs.nl
>> Subject: Unbound 1.18.0rc1 pre-release
>>
>> Hi,
>>
>> Unbound 1.18.0rc1 pre-release is available:
>>
>> https://nlnetlabs.nl/downloads/unbound/unbound-1.18.0rc1.tar.gz
>> <https://nlnetlabs.nl/downloads/unbound/unbound-1.18.0rc1.tar.gz>
>>
>> sha256
>> 70dfbd2915c08d04e3ed20ff848157aa885f82ec080d86863b333c5f2a0238ef
>>
>> pgp
>> https://nlnetlabs.nl/downloads/unbound/unbound-1.18.0rc1.tar.gz.asc
>> <https://nlnetlabs.nl/downloads/unbound/unbound-1.18.0rc1.tar.gz.asc>
>>
>> This release adds DNS cookies downstream, support to respond with EDE
>> error codes from cache, NAT64 support, and the capability to use a
>> socket queue timeout to discard old packets, and other features and
>> bug fixes.
>>
>> The downstream DNS server cookies are from RFC7873 and RFC9018, it is
>> turned on with `answer-cookie: yes`. It generates a random cookie
>> secret, but for anycast setups the cookie secret can be configured
>> with
>>
>> `cookie-secret: "128bithex"` with the same value as the other instances.
>>
>> Non cookie traffic can be disallowed with the `allow_cookie` acl
>> option for access-control. Queries with valid cookie bypass the
>> ordinary ratelimit, but a ratelimit can be configured for cookie
>> queries with
>> `ip-ratelimit-cookie: 100`. The statistics has counters for
>> `query_cookie_valid` and `query_cookie_client` and `query_cookie_invalid`.
>>
>> When queries come in with CD flag, a DNSSEC validation EDE can be
>> returned, with information regarding a failure. EDE error information
>> is also stored in the cache with the query responses. There is also
>> EDE error information stored for the cachedb and the subnetcache.
>>
>> There is NAT64 support, that is enabled with `do-nat64: yes`. The
>>
>> NAT64 prefix can be configured too, if not the default
>>
>> `nat64-prefix: 64:ff9b::0/96`. This is useful for an IPv6 only host
>> where Unbound is running, so that Unbound can use NAT64 to connect to
>> IPv4 servers.
>>
>> The new default for the maximum UDP response size is 1232, with
>>
>> `max-udp-size: 1232`. This is similar to other resolvers. The new
>> default is smaller and that makes it harder to get large responses.
>>
>> Thanks to Xiang Li, from NISL Lab, Tsinghua University.
>>
>> There is a new option `harden-unknown-additional: yes`. This removes
>> unknown records from the authority and additional section. This stops
>> unknown records from being copied from the upstream to the downstream
>> client, potentially exposing those clients to the extra records.
>> Default is no, because it could hamper future protocol developments
>> that want to add records. Thanks to Xiang Li, from NISL Lab, Tsinghua University.
>>
>> With the `sock-queue-timeout: 3` option kernel timestamps are turned
>> on for UDP queries, and old packets are dropped. Queries that have
>> waited in the socket buffer for a long time are then discarded, and is
>> useful if the host was not running for a while. The statistics has
>> `num.queries_timed_out` and `query.queue_time_us.max` counters.
>>
>> The local-zone type `block_a` is for when queries to IPv4 have to be
>> stopped to force IPv6 usage. It stops type A queries with nodata, and
>> transparently allows other queries.
>>
>> The redis server can be contacted over a unix socket with
>>
>> `redis-server-path: "/var/lib/redis/redis-server.sock"`. The redis
>> server password can be configured with
>>
>> `redis-server-password: "password"`.
>>
>> The number of hashtable collisions is logged in the statistics
>> counters `msg.cache.max_collisions` and `rrset.cache.max_collisions`.
>> It can be used to monitor for mistakes where the wrong or same hash
>> value occurs too frequently.
>>
>> The repository does not have the bison and flex generated output in
>> it, so these tools are necessary to compile from a checkout, the
>> tarball distribution contains pregenerated files and can use either
>> those files or bison and flex tools on the compile system.
>>
>> If kernel timestamps are enabled, with the sock-queue-timeout option,
>> they are also used to set the time for dnstap logs.
>>
>> There is a yocto compatible init script available in the contrib
>> directory of the source code, `unbound.init_yocto`.
>>
>> The number of cachedb hits from cache is output in `num.query.cachedb`.
>>
>> There is support for the dohpath parameter for the SVCB record type.
>>
>> Prefetch is supported for subnet cache entries.
>>
>> Detection of the python paths on the system has been expanded.
>>
>> Features
>>
>> - Merge #826: Аdd a metric about the maximum number of collisions in
>>
>> lrushah.
>>
>> - Set max-udp-size default to 1232. This is the same default value as
>>
>> the default value for edns-buffer-size. It restricts client edns
>>
>> buffer size choices, and makes unbound behave similar to other DNS
>>
>> resolvers. The new choice, down from 4096 means it is harder to get
>>
>> large responses from Unbound. Thanks to Xiang Li, from NISL Lab,
>>
>> Tsinghua University.
>>
>> - Add harden-unknown-additional option. It removes
>>
>> unknown records from the authority section and additional section.
>>
>> Thanks to Xiang Li, from NISL Lab, Tsinghua University.
>>
>> - Merge #819: Added new static zone type block_a to suppress all A
>>
>> queries for specific zones.
>>
>> - Fix #835: [FR] Ability to use Redis unix sockets.
>>
>> - Fix #833: [FR] Ability to set the Redis password.
>>
>> - Merge #882 from vvfedorenko: Features/dropqueuedpackets, with
>>
>> sock-queue-timeout option that drops packets that have been in the
>>
>> socket queue for too long. Added statistics num.queries_timed_out
>>
>> and query.queue_time_us.max that track the socket queue timeouts.
>>
>> - Merge #722 from David 'eqvinox' Lamparter: NAT64 support.
>>
>> - Fix #888: [FR] Use kernel timestamps for dnstap.
>>
>> - Merge #903: contrib: add yocto compatible init script.
>>
>> - Merge #892: Add cachedb hit stat. Introduces 'num.query.cachedb' as
>>
>> a new statistical counter.
>>
>> - Merge #739: Add SVCB dohpath support.
>>
>> - Merge #802: add validation EDEs to queries where the CD bit is set.
>>
>> - Merge #664 from tilan7763: Add prefetch support for subnet cache
>>
>> entries.
>>
>> - Merge #759 from Tom Carpay: Add EDE (RFC8914) caching.
>>
>> - Merge #790 from Tom Carpay: Add support for EDE caching in cachedb
>>
>> and subnetcache.
>>
>> - Merge PR #762: Downstream DNS Server Cookies a la RFC7873 and
>>
>> RFC9018. Create server cookies for clients that send client cookies.
>>
>> This needs to be explicitly turned on in the config file with:
>>
>> `answer-cookie: yes`. A `cookie-secret:` can be configured for
>>
>> anycast setups. Without one, a random cookie secret is generated.
>>
>> The acl option `allow_cookie` allows queries with either a valid
>>
>> cookie or over a stateful transport. The statistics output has
>>
>> `queries_cookie_valid` and `queries_cookie_client` and
>>
>> `queries_cookie_invalid` information. The `ip\-ratelimit\-cookie:`
>>
>> value determines a rate limit for queries with cookies, if desired.
>>
>> Bug Fixes
>>
>> - Fix #823: Response change to NODATA for some ANY queries since
>>
>> 1.12, tested on 1.16.1.
>>
>> - Fix python module install path detection.
>>
>> - Fix python version detection in configure.
>>
>> - Improve documentation for #826, describe the large collisions amount.
>>
>> - Fix not following cleared RD flags potentially enables amplification
>>
>> DDoS attacks, reported by Xiang Li and Wei Xu from NISL Lab,
>>
>> Tsinghua University. The fix stops query loops, by refusing to send
>>
>> RD=0 queries to a forwarder, they still get answered from cache.
>>
>> - Set default for harden-unknown-additional to no. So that it does
>>
>> not hamper future protocol developments.
>>
>> - Fix test for new default.
>>
>> - Fix acx_nlnetlabs.m4 for -Wstrict-prototypes.
>>
>> - Add duration variable for speed_local.test.
>>
>> - Fix #841: Unbound won't build with aaaa-filter-iterator.patch.
>>
>> - Fix to ignore entirely empty responses, and try at another authority.
>>
>> This turns completely empty responses, a type of noerror/nodata
>> into
>>
>> a servfail, but they do not conform to RFC2308, and the retry can
>>
>> fetch improved content.
>>
>> - Fix unit tests for spurious empty messages.
>>
>> - Fix consistency of unit test without roundrobin answers for the
>>
>> cnametooptout unit test.
>>
>> - Fix to git ignore the library symbol file that configure can create.
>>
>> - Allow TTL refresh of expired error responses.
>>
>> - Add testcase for refreshing expired error responses.
>>
>> - Clean up iterator/iterator.c::error_response_cache() and allow for
>>
>> better interaction with serve-expired, prefetch and cached error
>>
>> responses.
>>
>> - Fix #825: Unexpected behavior with client-subnet-always-forward
>>
>> and serve-expired
>>
>> - Fix for #852: Completion of error handling.
>>
>> - Fix unbound-dnstap-socket test program to reply the finish frame
>>
>> over a TLS connection correctly.
>>
>> - Fix ssl.h include brackets, instead of quotes.
>>
>> - Fix #812, fix #846, by using the SSL_OP_IGNORE_UNEXPECTED_EOF option
>>
>> to ignore the unexpected eof while reading in openssl >= 3.
>>
>> - iana portlist update.
>>
>> - Fix issue #851: reserved identifier violation
>>
>> - Fix issue #676: Unencrypted query is sent when
>>
>> forward-tls-upstream: yes is used without tls-cert-bundle
>>
>> - Extra consistency check to make sure that when TLS is requested,
>>
>> either we set up a TLS connection or we return an error.
>>
>> - Fix #870: NXDOMAIN instead of NOERROR rcode when asked for existing
>>
>> CNAME record.
>>
>> - Fix for #870: Add test case for the qname minimisation and CNAME.
>>
>> - Fix build badge, from failing travis link to github ci action link.
>>
>> - Merge #875: change obsolete txt URL in unbound-anchor.c to point
>>
>> to RFC 7958, and Fix #874.
>>
>> - Fix for #878: Invalid IP address in unbound.conf causes Segmentation
>>
>> Fault on OpenBSD.
>>
>> - Fix for #882: small changes, date updated in Copyright for
>>
>> util/timeval_func.c and util/timeval_func.h. Man page entries and
>>
>> example entry.
>>
>> - Fix for #882: document variable to stop doxygen warning.
>>
>> - Fix issue #860: Bad interaction with 0 TTL records and serve-expired
>>
>> - Fix RPZ IP responses with trigger rpz-drop on cache entries, that
>>
>> they are dropped.
>>
>> - For #722: minor fixes, formatting, refactoring.
>>
>> - Fix #885: Error: util/configlexer.c: No such file or directory,
>>
>> adds error messages explaining to install flex and bison.
>>
>> - Fix to remove unused whitespace from acx_nlnetlabs.m4 and config.h.
>>
>> - Fix doxygen in addr_to_nat64 header definition.
>>
>> - Fix warning in windows compile, in set_recvtimestamp.
>>
>> - Fix to print debug log for ancillary data with correct IP address.
>>
>> - Fix RPZ removal of client-ip, nsip, nsdname triggers from IXFR.
>>
>> - Fix to remove unused variables from RPZ clientip data structure.
>>
>> - Fix unbound-dnstap-socket printout when no query is present.
>>
>> - Fix unbound-dnstap-socket time fraction conversion for printout.
>>
>> - Merge #896: Fix: #895: pythonmodule: add all site-packages
>>
>> directories to sys.path.
>>
>> - Fix #895: python + sysconfig gives ANOTHER path comparing to
>>
>> distutils.
>>
>> - Fix for uncertain unit test for doh buffer size events.
>>
>> - Properly handle all return values of worker_check_request during
>>
>> early EDE code.
>>
>> - Do not check the incoming request more than once.
>>
>> - Fix for issue #887 (Timeouts to forward servers on BSD based
>>
>> system with ASLR)
>>
>> - Probably fixes #516 (Stream reuse does not work on Windows) as well
>>
>> - Remove warning about unknown cast-function-type warning pragma.
>>
>> - Fix python modules with multiple scripts, by incrementing reference
>>
>> counts.
>>
>> - More fixes for reference counting for python module and clean up
>>
>> failure code.
>>
>> - Merge #827 from rcmcdonald91: Eliminate unnecessary Python reloading
>>
>> which causes memory leaks.
>>
>> - Fix #906: warning: ‘Py_SetProgramName’ is deprecated.
>>
>> - Fix dereference of NULL variable warning in mesh_do_callback.
>>
>> - Code cleanup for sldns_str2wire_svcparam_key_lookup.
>>
>> - For #802: Cleanup comments and add RCODE check for CD bit test case.
>>
>> - Skip the 00-lint test. splint is not maintained; it either does not
>>
>> work or produces false positives. Static analysis is handled in the
>>
>> clang test.
>>
>> - For #664: Easier code flow for subnetcache prefetching.
>>
>> - For #664: Add testcase.
>>
>> - For #664: Rename subnet_prefetch tests to subnet_global_prefetch to
>>
>> differentiate from the new subnet prefetch support.
>>
>> - Merge #880 from chipitsine: services/authzone.c: remove redundant
>>
>> check.
>>
>> - More clear description of the different auth-zone behaviors on the
>>
>> man page.
>>
>> - Merge #909 from headshog: Numeric truncation when parsing TYPEXX and
>>
>> CLASSXX representation.
>>
>> - For #909: Fix return values.
>>
>> - Merge #901 from Sergei Trofimovich: config: improve handling of
>>
>> unknown modules.
>>
>> - For #909: Fix RR class comparison.
>>
>> - Merge #857 from eaglegai: fix potential memory leaks when errors
>>
>> happen.
>>
>> - For #857: fix mixed declarations and code.
>>
>> - Merge #118 from mibere: Changed verbosity level for Redis init &
>>
>> deinit.
>>
>> - Merge #390 from Frank Riley: Add missing callbacks to the python
>>
>> module.
>>
>> - Cleaner failure code for callback functions in interface.i.
>>
>> - Merge #889 from borisVanhoof: Free memory in error case + remove
>>
>> unused function.
>>
>> - For #889: use netcat-openbsd instead of netcat-traditional.
>>
>> - For #889: Account for num_detached_states before possible
>>
>> mesh_state_delete when erroring out.
>>
>> - Fix unused variable compile warning for kernel timestamps in
>>
>> netevent.c
>>
>> - Merge #911 from natalie-reece: Exclude EDE before other EDNS options
>>
>> when there isn't enough space.
>>
>> - For #911: Try to trim EXTRA-TEXT (and LDNS_EDE_OTHER options
>>
>> altogether) before giving up on attaching EDE options.
>>
>> - More braces and formatting for Fix for EDNS EDE size calculation to
>>
>> avoid future bugs.
>>
>> - Fix to use the now cached EDE, if any, for CD_bit queries.
>>
>> - Fix for EDNS EDE size calculation.
>>
>> - Move a cache reply callback in worker.c closer to the cache reply
>>
>> generation.
>>
>> - Fix regional_alloc_init for potential unaligned source of the copy.
>>
>> - Fix ip_ratelimit test to work with dig that enables DNS cookies.
>>
>> - Fix for iter_dec_attempts that could cause a hang, part of
>>
>> capsforid and qname minimisation, depending on the settings.
>>
>> - Fix uninitialized memory passed in padding bytes of cmsg to sendmsg.
>>
>> - Fix stat_values test to work with dig that enables DNS cookies.
>>
>> - Debug Windows ci workflow.
>>
>> - Fix windows ci workflow to install bison and flex.
>>
>> - Fix for #925: unbound.service: Main process exited, code=killed,
>>
>> status=11/SEGV. Fixes cachedb configuration handling.
>>
>> - Fix #923: processQueryResponse() THROWAWAY should be mindful of
>>
>> fail_reply.
>>
>> - Fix unit test for unbound-control to work when threads are disabled,
>>
>> and fix cache dump check.
>>
>> Best regards, Wouter
>>
>
>
More information about the Unbound-users
mailing list