Unbound 1.23.0rc1 pre-release

Wouter Wijngaards wouter at nlnetlabs.nl
Tue Apr 8 07:38:21 UTC 2025


Hi,

Unbound 1.23.0rc1 pre-release is available:
https://nlnetlabs.nl/downloads/unbound/unbound-1.23.0rc1.tar.gz
sha256 8e97900e7446e98fb1ffc51dda2febd3d15405dd721c234f3351515484ced6f4
pgp https://nlnetlabs.nl/downloads/unbound/unbound-1.23.0rc1.tar.gz.asc

This release features changed defaults, fast reload, redis replica,
DNS Error Reporting, and bug fixes.

The fast reload is a feature that is listed as experimental. With
`unbound-control fast_reload` the server reads the new config in
a thread, and when done only briefly pauses the server to update the
settings. This uses double the memory for items such as zones loaded
from disk or from config. It only pauses the server briefly, for less
than a second, so DNS service is not interrupted by the reload of
config. Many config items can be changed, but not all. It has options
to print more information, or memory usage, and there is a list of
config options in the man page.

The redis replica support allows for a redis backend to use a redis
replica. The read commands are sent to the redis replica host, while
the write commands are sent to the redis server. So with several
replicas there can be more readers that all write to the redis server.

When DNS Error Reporting (RFC 9567) is enabled with
`dns-error-reporting: yes`, Unbound sends failure reports to the error
reporting agent. The number of error reporting queries is output in
the statistics as `num.dns_error_reports`.

Some defaults are changed in this release. The `resolver.arpa.` and
`service.arpa.` zones are added to the default locally served zones;
this can be disabled with a nodefault local zone. The default for
`max-global-quota` has changed to 200, after operational feedback.
The defaults from RFC 8767 are used: `serve-expired-client-timeout` is
1800 milliseconds and `serve-expired-ttl` is 86400 seconds. If
Unbound is compiled with edns subnet, the default for module-config
is no longer altered, so that compilation with subnet does not
interfere when the server does not use subnet. When edns subnet needs
to be enabled, `module-config: "subnetcache validator iterator"` should
be explicitly set as configuration in the `server:` section.

Features
- Increase the default of max-global-quota to 200 from 128 after
   operational feedback. Still keeping the possible amplification
   factor (CAMP related issues) in the hundreds.
- Fix #1175: serve-expired does not adhere to secure-by-default
   principle. The default value of serve-expired-client-timeout
   is set to 1800 as suggested by RFC8767.
- For #1175, the default value of serve-expired-ttl is set to 86400
   (1 day) as suggested by RFC8767.
- For #1207: [FR] Support for RESINFO RRType 261 (RFC9606), add
   LDNS_RR_TYPE_RESINFO similar to LDNS_RR_TYPE_TXT.
- Add resolver.arpa and service.arpa to the default locally served
   zones.
- Merge #1042: Fast Reload. The unbound-control fast_reload is added.
   It reads changed config in a thread, then only briefly pauses the
   service threads, that keep running. DNS service is only interrupted
   briefly, less than a second.
- Merge #1019: Redis read-only replica support.
   Introduces new 'redis-replica-*' options for the Redis cache backend.
- Merge #902: DNS Error Reporting (RFC 9567). Introduces new
   configuration option 'dns-error-reporting' and new statistics for
   'num.dns_error_reports'.

Bug Fixes
- Fix #1154: Tag Incorrectly Applying for Other Interfaces
   Using the Same IP. This fix is not for 1.22.0.
- Fix #1163: Typos in unbound.conf documentation.
- Merge #1159: Stats for discard-timeout and wait-limit.
- Add test case for #1159.
- Some clean up for stat_values.test.
- Merge #1170 from Melroy van den Berg, Fix chroot manpage
   description.
- Merge #1157 from Liang Zhu, Fix heap corruption when calling
   ub_ctx_delete in Windows.
- Fix redis so that during a reload it does not fail if the redis
   server does not connect or does not respond. It still logs the
   errors and, if the server is up, checks expiration features.
- Merge #1167: Makefile.in: fix occasional parallel build failures
   around bison rule.
- Fix SETEX check during Redis (re)initialization.
- Fix for the serve expired DNSSEC information fix, it would not allow
   current delegation information be updated in cache. The fix allows
   current delegation and validation recursion information to be
   updated, but as a consequence no longer has certain expired
   information around for later dnssec valid expired responses.
- Fix to log redis timeout error string on failure.
- More descriptive text for 'harden-algo-downgrade'.
- Complete fix for max-global-quota to 200.
- Fix #1183: the data being used is released in method
   nsec3_hash_test_entry.
- Fix for #1183: release nsec3 hashes per test file.
- Merge #1169 from Sergey Kacheev, fix: lock-free counters for
   auth_zone up/down queries.
- Fix comparison to help static analyzer.
- For #1175, update serve-expired tests.
- Merge #1189: Fix the dname_str method to cause conversion errors
   when the domain name length is 255.
- Merge #1197: dname_str() fixes.
- Merge #1198: Fix log-servfail with serve expired and no useful cache
   contents.
- Safeguard alias loop while looking in the cache for expired answers.
- Merge #1187: Create the SSL_CTX for QUIC before chroot and privilege
   drop.
- Fix typo in log_servfail.tdir test.
- Merge #1204: ci: set persist-credentials: false for actions/checkout
   per zizmor suggestion.
- Merge #1174: Serve expired cache update fixes. Fixes a regression bug
   with serve-expired that appeared in 1.22.0 and would not allow the
   iterator to update the cache with not-yet-validated entries resulting
   in increased outgoing traffic.
- Merge #1214: Use TCP_NODELAY on TLS sockets to speed up the TLS
   handshake.
- Fix #1213: Misleading error message on default access control causing
   refuse.
- Merge #1221: Consider auth zones when checking for forwarders.
- Merge #1222: Unique DoT and DoH SSL contexts to allow for different
   ALPN.
- Create the quic SSL listening context only when needed.
- Fix compile of interface check code when dnscrypt or quic is
   disabled.
- Fix encoding of RR type ATMA.
- Fix to check length in ATMA string to wire.
- Merge #1229: check before use daemon->shm_info.
- Use the same interface listening port discovery code for all needed
   protocols.
- Port to string only when needed before getaddrinfo().
- Do not open unencrypted channels next to encrypted ones on the same
   port.
- Merge #1224 from Theo Buehler: Do not use DSA API unless USE_DSA is
   set.
- Merge #1220 from Petr Menšík, Add unbound members group access to
   control key.
- Make the default value of module-config "validator iterator"
   regardless of compilation options. --enable-subnet would implicitly
   change the value to enable the subnetcache module by default in the
   past.
- Fix #986: Resolving sas.com with dnssec-validation fails though
   signed delegations seem to be (mostly) correct.
- Consider reconfigurations when calculating the still_useful_timeout
   for servers in the infrastructure cache.
- Fix static analysis report about unhandled EOF on error conditions
   when reading anchor key files.
- Merge #1241: Fix infra-keep-probing for low infra-cache-max-rtt
   values.
- Fix hash calculation for cachedb to ignore case. Previously, cached
   records there were only relevant for same case queries (if not
   already in Unbound's internal cache).
- Merge #1243: Do not shadow tm on line 236.
- Merge #1238: Prefer SOURCE_DATE_EPOCH over actual time.
   Add --help output description for the SOURCE_DATE_EPOCH variable.
- Fix 'unbound-control flush_negative' when reporting removed data;
   reported by David 'eqvinox' Lamparter.
- Fix representation of types GPOS and RESINFO, add rdf type for
   unquoted str.
- Fix #1251: WSAPoll first argument cannot be NULL.
- Fix for windows compile create ssl contexts.
- Fix print of RR type NSAP-PTR, it is an unquoted string.
- Fix #1253: Cache entries fail to be removed from Redis cachedb
   backend with unbound-control flush* +c.
- Fix for #1253: Fix for redis cachedb backend to expect an integer
   reply for the EXPIRE command.
- Fix #1254: `send failed: Socket is not connected` and
   `remote address is 0.0.0.0 port 53`.
- Fix #1255: Multiple pinnings to vulnerable copies of libexpat.
- For #1255, for ios use an older expat version that does not require
   C++11 language features.
- For #1255, for ios disable building tests that require C++11.
- For #1255, for ios try the latest expat version again.
- Fix unit test dname log printout typecast.
- Fix for ci test, expat is installed on the osx image.
- iana portlist update.
- Skip the unit tests for auth_tls.tdir and auth_tls_failcert.tdir.
- Fix escape more characters when printing an RR type with an unquoted
   string.
- Enable the auth_tls.tdir and auth_tls_failcert.tdir tests.
- Fix unbound-control test so it counts the new flush_negative output,
   also answers the _ta probe from testns and prints command output
   and skip a thread specific test when no threads are available.
- Fix that ub_event has the facility to deal with callbacks for
   fast reload, doq, windows-stop and dnstap.
- Fix fast reload test to check if pid exists before acting on it.
- Merge #1262 from markyang92, fix build with
   'gcc-15 -Wbuiltin-declaration-mismatch' error in compat/malloc.c.
- For #1262, ifdef is no longer needed.
- Fix #1263: Exempt loopback addresses from wait-limit.
- Fix wait-limit-netblock and wait-limit-cookie-netblock config parse
   to allow two arguments.
- Fix ub_event and include dnstap and win_svc headers.
- Fix test for stat_values for wait limit defaults for localhost.
- Fix parameter unused warning in net_help.c.
- Fix mesh_copy_client_info to omit null contents from copy.
- Fix comment name in the rpz nsdname test.
- Fix nettle compile for warnings and ticket keys.
- Fix redis_replica test for unused option defaults and log printout.
- Fix test to speed up common.sh script kill_pid.
- Fix to update common.sh for speed of kill_pid.

Best regards, Wouter
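The announcement publishes a sha256 digest and a detached PGP signature for the tarball. The script below is an added example, not part of Wouter's message or of the Unbound project, showing the check a practitioner should run before unpacking a pre-release: compare the digest, then verify the `.asc` signature. It assumes the tarball and `.asc` were downloaded into the current directory and that the NLnet Labs signing key is already in the local gpg keyring; `verify_sha256` and `verify_release` are names chosen here.

```shell
#!/bin/sh
# Added example (not from the announcement): verify an Unbound release
# tarball against the sha256 and PGP signature published with it.
set -u

# Compare the sha256 of a file with an expected hex digest. Returns 0 on
# match, 1 on mismatch. Uses coreutils sha256sum, falling back to BSD shasum.
verify_sha256() {
    file=$1
    expected=$2
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$file" | awk '{print $1}')
    else
        actual=$(shasum -a 256 "$file" | awk '{print $1}')
    fi
    [ "$actual" = "$expected" ]
}

# Verify the detached OpenPGP signature (signature file first, data second).
# gpg exits non-zero on a bad signature or when the signing key is not in
# the keyring, so an unknown key is treated as a failure, not a warning.
verify_sig() {
    gpg --verify "$1" "$2"
}

# Values copied from the announcement above.
TARBALL=unbound-1.23.0rc1.tar.gz
EXPECTED=8e97900e7446e98fb1ffc51dda2febd3d15405dd721c234f3351515484ced6f4

# Run both checks; refuse to report success unless both pass.
verify_release() {
    verify_sha256 "$TARBALL" "$EXPECTED" || {
        echo "sha256 mismatch for $TARBALL" >&2
        return 1
    }
    verify_sig "$TARBALL.asc" "$TARBALL" || {
        echo "bad or unverified signature for $TARBALL" >&2
        return 1
    }
    echo "ok: $TARBALL matches the published digest and signature"
}

# Only run the full check when the tarball is actually present.
if [ -f "$TARBALL" ]; then
    verify_release
fi
```

The digest check alone only proves the file matches what this mail says; the signature check is what ties it to the release key, so keep both, and fetch the key out of band rather than from the same download location.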
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 840 bytes
Desc: OpenPGP digital signature
URL: <http://lists.nlnetlabs.nl/pipermail/unbound-users/attachments/20250408/6116ea27/attachment.bin>
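As an added illustration that is not part of Wouter's announcement or of Unbound's own documentation, the `unbound.conf` fragment below sets the changed 1.23.0 defaults explicitly, so a config carried from 1.22 behaves the same on both versions and the two silent upgrade changes are visible: `subnetcache` is no longer implied by `--enable-subnet`, and `resolver.arpa.`/`service.arpa.` are now answered locally unless opted out. The `cachedb:` section shows the read/write split described above; the `redis-replica-server-host` and `redis-replica-server-port` names are assumed from the `redis-replica-*` prefix given in the release notes and should be confirmed against unbound.conf(5). Addresses are placeholders.

```conf
server:
    # Serve-expired defaults as of 1.23.0 (RFC 8767 values); setting them
    # explicitly gives the same behaviour on 1.22 and 1.23.
    serve-expired: yes
    serve-expired-ttl: 86400
    serve-expired-client-timeout: 1800

    # Raised from 128 to 200 in 1.23.0 after operational feedback.
    max-global-quota: 200

    # 1.23.0 default is "validator iterator" regardless of build options.
    # subnetcache comes first and is only here because this resolver uses
    # EDNS Client Subnet; cachedb is here because of the redis backend below.
    # Without ECS drop "subnetcache"; without redis drop "cachedb".
    module-config: "subnetcache validator cachedb iterator"

    # RFC 9567 DNS Error Reporting; queries are counted in num.dns_error_reports.
    dns-error-reporting: yes

    # 1.23.0 serves these locally by default. Only opt out if these names
    # really must be resolved upstream in your deployment.
    # local-zone: "resolver.arpa." nodefault
    # local-zone: "service.arpa." nodefault

cachedb:
    backend: "redis"
    # Writes go to the redis primary.
    redis-server-host: 192.0.2.10
    redis-server-port: 6379
    # Reads go to the replica (1.23.0). Option names assumed from the
    # redis-replica-* prefix in the release notes; check unbound.conf(5).
    redis-replica-server-host: 192.0.2.11
    redis-replica-server-port: 6379
```

After editing, `unbound-checkconf` validates the file, and on 1.23.0 `unbound-control fast_reload` applies it with only a sub-second pause; the man page lists which options fast_reload can change, and anything outside that list still needs a normal restart.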