Unbound 1.23.0rc2 pre-release
Wouter Wijngaards
wouter at nlnetlabs.nl
Fri Apr 11 14:17:44 UTC 2025
Hi,
Unbound 1.23.0rc2 pre-release is available:
https://nlnetlabs.nl/downloads/unbound/unbound-1.23.0rc2.tar.gz
sha256 7a075af0b87895ec608c3077338a3e7baa2c67af89bdb5a21de978cac24a078e
pgp https://nlnetlabs.nl/downloads/unbound/unbound-1.23.0rc2.tar.gz.asc
This is RC2 of the 1.23.0 pre-release of Unbound.
The RC2 has fixes for building on Solaris and portability to Windows,
and fixes a memory leak for DoH.
Bug Fixes:
- Update to the manpage for the fast_reload part.
- Fix fast_reload to print chroot with config file name.
- Fix to detect if atomic_store links in configure.
- Fix #1264: unbound 1.22.0 leaks memory when doing DoH.
- Fix for print of connection type in log-replies for dot and doh.
- Merge #1265: Fix WSAPoll.
Best regards, Wouter
On 08/04/2025 09:38, Wouter Wijngaards via maintainers wrote:
> Hi,
>
> Unbound 1.23.0rc1 pre-release is available:
> https://nlnetlabs.nl/downloads/unbound/unbound-1.23.0rc1.tar.gz
> sha256 8e97900e7446e98fb1ffc51dda2febd3d15405dd721c234f3351515484ced6f4
> pgp https://nlnetlabs.nl/downloads/unbound/unbound-1.23.0rc1.tar.gz.asc
>
> This release features changed defaults, fast reload, redis replica,
> DNS Error Reporting, and bug fixes.
>
> The fast reload is a feature that is listed as experimental. With
> `unbound-control fast_reload` the server can read the new config in
> a thread, and when done only briefly pauses the server to update the
> settings. This uses double the memory for things like zones loaded from
> disk or config. It only pauses the server for less than a second,
> so DNS service is not interrupted by the reload of config. A lot of
> config items can be changed, but not all. It has options to print
> more information, or memory usage, and there is a list of config
> options in the man page.
>
> The redis replica support allows for a redis backend to use a redis
> replica. The read commands are sent to the redis replica host, while
> the write commands are sent to the redis server. So with several
> replicas there can be more readers that all write to the redis server.
>
> DNS error reporting, RFC9567, is enabled with `dns-error-reporting: yes`;
> it sends failure reports to the error reporting agent. The number of
> error reporting queries is output in
> the statistics as `num.dns_error_reports`.
>
> Some defaults are changed in this release. The `resolver.arpa.` and
> `service.arpa.` zones are added to the default locally served zones,
> this can be disabled with a nodefault local zone. The default for
> `max-global-quota` has changed to 200, after operational feedback.
> The defaults from RFC8767 are used by `serve-expired-client-timeout`
> on 1800 milliseconds and `serve-expired-ttl` on 86400 seconds. If
> Unbound is compiled with edns subnet, the default for module-config
> is no longer altered, so that compilation with subnet does not
> interfere when the server does not use subnet. When edns subnet needs
> to be enabled, `module-config: "subnetcache validator iterator"` should
> be explicitly set as configuration in the `server:` section.
>
> Features
> - Increase the default of max-global-quota to 200 from 128 after
> operational feedback. Still keeping the possible amplification
> factor (CAMP related issues) in the hundreds.
> - Fix #1175: serve-expired does not adhere to secure-by-default
> principle. The default value of serve-expired-client-timeout
> is set to 1800 as suggested by RFC8767.
> - For #1175, the default value of serve-expired-ttl is set to 86400
> (1 day) as suggested by RFC8767.
> - For #1207: [FR] Support for RESINFO RRType 261 (RFC9606), add
> LDNS_RR_TYPE_RESINFO similar to LDNS_RR_TYPE_TXT.
> - Add resolver.arpa and service.arpa to the default locally served
> zones.
> - Merge #1042: Fast Reload. The unbound-control fast_reload is added.
> It reads changed config in a thread, then only briefly pauses the
> service threads, that keep running. DNS service is only interrupted
> briefly, less than a second.
> - Merge #1019: Redis read-only replica support.
> Introduces new 'redis-replica-*' options for the Redis cache backend.
> - Merge #902: DNS Error Reporting (RFC 9567). Introduces new
> configuration option 'dns-error-reporting' and new statistics for
> 'num.dns_error_reports'.
>
> Bug Fixes
> - Fix #1154: Tag Incorrectly Applying for Other Interfaces
> Using the Same IP. This fix is not for 1.22.0.
> - Fix #1163: Typos in unbound.conf documentation.
> - Merge #1159: Stats for discard-timeout and wait-limit.
> - Add test case for #1159.
> - Some clean up for stat_values.test.
> - Merge #1170 from Melroy van den Berg, Fix chroot manpage
> description.
> - Merge #1157 from Liang Zhu, Fix heap corruption when calling
> ub_ctx_delete in Windows.
> - Fix redis so that during a reload it does not fail if the redis
> server does not connect or does not respond. It still logs the
> errors and, if the server is up, checks expiration features.
> - Merge #1167: Makefile.in: fix occasional parallel build failures
> around bison rule.
> - Fix SETEX check during Redis (re)initialization.
> - Fix for the serve expired DNSSEC information fix, it would not allow
> current delegation information be updated in cache. The fix allows
> current delegation and validation recursion information to be
> updated, but as a consequence no longer has certain expired
> information around for later dnssec valid expired responses.
> - Fix to log redis timeout error string on failure.
> - More descriptive text for 'harden-algo-downgrade'.
> - Complete fix for max-global-quota to 200.
> - Fix #1183: the data being used is released in method
> nsec3_hash_test_entry.
> - Fix for #1183: release nsec3 hashes per test file.
> - Merge #1169 from Sergey Kacheev, fix: lock-free counters for
> auth_zone up/down queries.
> - Fix comparison to help static analyzer.
> - For #1175, update serve-expired tests.
> - Merge #1189: Fix the dname_str method to cause conversion errors
> when the domain name length is 255.
> - Merge #1197: dname_str() fixes.
> - Merge #1198: Fix log-servfail with serve expired and no useful cache
> contents.
> - Safeguard alias loop while looking in the cache for expired answers.
> - Merge #1187: Create the SSL_CTX for QUIC before chroot and privilege
> drop.
> - Fix typo in log_servfail.tdir test.
> - Merge #1204: ci: set persist-credentials: false for actions/checkout
> per zizmor suggestion.
> - Merge #1174: Serve expired cache update fixes. Fixes a regression bug
> with serve-expired that appeared in 1.22.0 and would not allow the
> iterator to update the cache with not-yet-validated entries resulting
> in increased outgoing traffic.
> - Merge #1214: Use TCP_NODELAY on TLS sockets to speed up the TLS
> handshake.
> - Fix #1213: Misleading error message on default access control causing
> refuse.
> - Merge #1221: Consider auth zones when checking for forwarders.
> - Merge #1222: Unique DoT and DoH SSL contexts to allow for different
> ALPN.
> - Create the quic SSL listening context only when needed.
> - Fix compile of interface check code when dnscrypt or quic is
> disabled.
> - Fix encoding of RR type ATMA.
> - Fix to check length in ATMA string to wire.
> - Merge #1229: check before use daemon->shm_info.
> - Use the same interface listening port discovery code for all needed
> protocols.
> - Port to string only when needed before getaddrinfo().
> - Do not open unencrypted channels next to encrypted ones on the same
> port.
> - Merge #1224 from Theo Buehler: Do not use DSA API unless USE_DSA is
> set.
> - Merge #1220 from Petr Menšík, Add unbound members group access to
> control key.
> - Make the default value of module-config "validator iterator"
> regardless of compilation options. --enable-subnet would implicitly
> change the value to enable the subnetcache module by default in the
> past.
> - Fix #986: Resolving sas.com with dnssec-validation fails though
> signed delegations seem to be (mostly) correct.
> - Consider reconfigurations when calculating the still_useful_timeout
> for servers in the infrastructure cache.
> - Fix static analysis report about unhandled EOF on error conditions
> when reading anchor key files.
> - Merge #1241: Fix infra-keep-probing for low infra-cache-max-rtt
> values.
> - Fix hash calculation for cachedb to ignore case. Previously, cached
> records there were only relevant for same case queries (if not
> already in Unbound's internal cache).
> - Merge #1243: Do not shadow tm on line 236.
> - Merge #1238: Prefer SOURCE_DATE_EPOCH over actual time.
> Add --help output description for the SOURCE_DATE_EPOCH variable.
> - Fix 'unbound-control flush_negative' when reporting removed data;
> reported by David 'eqvinox' Lamparter.
> - Fix representation of types GPOS and RESINFO, add rdf type for
> unquoted str.
> - Fix #1251: WSAPoll first argument cannot be NULL.
> - Fix for windows compile create ssl contexts.
> - Fix print of RR type NSAP-PTR, it is an unquoted string.
> - Fix #1253: Cache entries fail to be removed from Redis cachedb
> backend with unbound-control flush* +c.
> - Fix for #1253: Fix for redis cachedb backend to expect an integer
> reply for the EXPIRE command.
> - Fix #1254: `send failed: Socket is not connected` and
> `remote address is 0.0.0.0 port 53`.
> - Fix #1255: Multiple pinnings to vulnerable copies of libexpat.
> - For #1255, for ios use an older expat version that does not require
> C++11 language features.
> - For #1255, for ios disable building tests that require C++11.
> - For #1255, for ios try the latest expat version again.
> - Fix unit test dname log printout typecast.
> - Fix for ci test, expat is installed on the osx image.
> - iana portlist update.
> - Skip the unit tests for auth_tls.tdir and auth_tls_failcert.tdir.
> - Fix escape more characters when printing an RR type with an unquoted
> string.
> - Enable the auth_tls.tdir and auth_tls_failcert.tdir tests.
> - Fix unbound-control test so it counts the new flush_negative output,
> also answers the _ta probe from testns and prints command output
> and skip a thread specific test when no threads are available.
> - Fix that ub_event has the facility to deal with callbacks for
> fast reload, doq, windows-stop and dnstap.
> - Fix fast reload test to check if pid exists before acting on it.
> - Merge #1262 from markyang92, fix build with
> 'gcc-15 -Wbuiltin-declaration-mismatch' error in compat/malloc.c.
> - For #1262, ifdef is no longer needed.
> - Fix #1263: Exempt loopback addresses from wait-limit.
> - Fix wait-limit-netblock and wait-limit-cookie-netblock config parse
> to allow two arguments.
> - Fix ub_event and include dnstap and win_svc headers.
> - Fix test for stat_values for wait limit defaults for localhost.
> - Fix parameter unused warning in net_help.c.
> - Fix mesh_copy_client_info to omit null contents from copy.
> - Fix comment name in the rpz nsdname test.
> - Fix nettle compile for warnings and ticket keys.
> - Fix redis_replica test for unused option defaults and log printout.
> - Fix test to speed up common.sh script kill_pid.
> - Fix to update common.sh for speed of kill_pid.
>
> Best regards, Wouter
>
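The changed defaults in the quoted RC1 announcement (module-config no longer gaining `subnetcache` from `--enable-subnet`, `resolver.arpa.` and `service.arpa.` served locally unless overridden with a nodefault local zone, and the RFC 8767 serve-expired timings) are the kind of thing that silently changes behaviour on upgrade. The following audit script is an added example, not code from NLnet Labs or from Unbound: it does a line-oriented parse of an unbound.conf and reports the three situations, with a constructed "before" configuration that trips all of them next to the "after" configuration that spells the settings out. Its assumption that any `local-zone` declared with the same name replaces a default zone is marked in the code; the announcement itself only names `nodefault`.

```python
"""Audit an unbound.conf for the Unbound 1.23.0 default changes.

Added example; not part of the NLnet Labs announcement or of Unbound itself.
Line-oriented parse of unbound.conf ('key: value' lines, '#' comments,
'server:'/'forward-zone:' style section headers), then three checks:
  * EDNS client subnet options present but module-config lacks 'subnetcache'
    (1.23.0 no longer adds it implicitly when built with --enable-subnet);
  * a forward/stub/auth zone under resolver.arpa or service.arpa with no
    local-zone overriding the new default locally served zone;
  * serve-expired enabled without explicit client-timeout / ttl, which 1.23.0
    now defaults to 1800 ms and 86400 s (RFC 8767).
The sample configurations below are constructed for this demonstration.
"""
import shlex
from typing import List, Tuple

SECTIONS = {"server", "forward-zone", "stub-zone", "auth-zone", "remote-control",
            "cachedb", "dnstap", "rpz", "view", "python", "dynlib", "ipset", "dnscrypt"}
SUBNET_OPTIONS = {"send-client-subnet", "client-subnet-zone",
                  "client-subnet-always-forward", "max-client-subnet-ipv4",
                  "max-client-subnet-ipv6"}
NEW_DEFAULT_LOCAL_ZONES = ("resolver.arpa.", "service.arpa.")


def canon(name: str) -> str:
    """Lower-case a domain name and make it fully qualified."""
    return name.lower().rstrip(".") + "."


def parse_conf(text: str) -> List[Tuple[str, str, str]]:
    """Return (section, key, value) triples in file order.
    Quotes are removed and multi-token values joined with single spaces."""
    triples, section = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, rest = line.partition(":")   # first ':' only, so IPv6 values survive
        if not sep:
            continue
        key = key.strip()
        tokens = shlex.split(rest, comments=True)
        if not tokens and key in SECTIONS:
            section = key
            continue
        triples.append((section, key, " ".join(tokens)))
    return triples


def audit_1230(text: str) -> List[str]:
    """Return one finding string per problem; an empty list means nothing to do."""
    conf = parse_conf(text)
    findings: List[str] = []

    # 1. module-config versus EDNS client subnet options
    modules = None
    for _, key, value in conf:
        if key == "module-config":
            modules = value.split()
    if any(key in SUBNET_OPTIONS for _, key, _ in conf) and (
            modules is None or "subnetcache" not in modules):
        findings.append("subnet: client-subnet options are set but module-config does "
                        "not list 'subnetcache'; set module-config: "
                        "\"subnetcache validator iterator\" explicitly")

    # 2. zones that 1.23.0 answers locally unless a local-zone of that name
    #    overrides the default (assumption: any declared type counts, the
    #    announcement only mentions nodefault)
    overridden = {canon(value.split()[0]) for _, key, value in conf
                  if key == "local-zone" and value}
    for section, key, value in conf:
        if key == "name" and section in ("forward-zone", "stub-zone", "auth-zone"):
            zone = canon(value)
            for default in NEW_DEFAULT_LOCAL_ZONES:
                if (zone == default or zone.endswith("." + default)) and default not in overridden:
                    findings.append(f"local-zone: {section} '{zone}' is shadowed by the new "
                                    f"default local zone {default}; add local-zone: "
                                    f"\"{default}\" nodefault to keep resolving it")

    # 3. serve-expired timing now has RFC 8767 defaults
    keys = {key for _, key, _ in conf}
    if any(key == "serve-expired" and value == "yes" for _, key, value in conf):
        for opt, default in (("serve-expired-client-timeout", "1800 ms"),
                             ("serve-expired-ttl", "86400 s")):
            if opt not in keys:
                findings.append(f"serve-expired: {opt} is not set; 1.23.0 defaults it to "
                                f"{default}, set it explicitly if you relied on the old value")
    return findings


# Constructed sample: built with --enable-subnet and relying on the old implicit
# module-config, forwarding service.arpa, serve-expired without explicit timing.
BEFORE = """
server:
    interface: 127.0.0.1
    send-client-subnet: 192.0.2.0/24   # ECS upstream for this netblock
    serve-expired: yes
forward-zone:
    name: "service.arpa."
    forward-addr: 192.0.2.53
"""

# The same configuration with the settings 1.23.0 needs spelled out.
AFTER = """
server:
    interface: 127.0.0.1
    module-config: "subnetcache validator iterator"
    send-client-subnet: 192.0.2.0/24
    serve-expired: yes
    serve-expired-client-timeout: 1800
    serve-expired-ttl: 86400
    local-zone: "service.arpa." nodefault
forward-zone:
    name: "service.arpa."
    forward-addr: 192.0.2.53
"""

if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        found = audit_1230(conf)
        print(f"{label}: {len(found)} finding(s)")
        for f in found:
            print("  -", f)
```

Run it against a real unbound.conf before the upgrade (`audit_1230(open(path).read())`); the parser deliberately ignores `include:` directives and views, so included files have to be fed in separately, and anything it reports should be confirmed with `unbound-checkconf` once the new settings are in place.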
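The RC1 announcement says that `dns-error-reporting: yes` makes Unbound send failure reports to the error reporting agent and counts them in `num.dns_error_reports`, but not what such a report looks like on the wire. The example below is added here and is not Unbound code or code from the announcement: following RFC 9567, the resolver side builds the TXT report query name `_er.<qtype>.<qname>.<ede-code>._er.<agent domain>` and refuses to report when the result cannot be encoded as a DNS name, and the agent side decodes a received query by stripping its own domain from the right so that numeric labels inside the failed QNAME cannot confuse it. The names `broken.test` and `a01.agent-domain.example` are constructed for the example.

```python
"""Build and parse RFC 9567 DNS Error Reporting queries.

Added example; not code from the Unbound project or from the announcement.
Shows what a resolver with error reporting enabled sends (a TXT query to the
reporting agent) and how the agent decodes it. All names are constructed.
"""
from typing import List, NamedTuple, Optional

MAX_NAME_WIRE_LEN = 255   # RFC 1035 limit on an encoded domain name
MAX_LABEL_LEN = 63


def labels(name: str) -> List[str]:
    """Split a presentation-format name into lower-cased labels, root dropped."""
    return [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]


def wire_len(lbls: List[str]) -> int:
    """Length of the uncompressed wire form, including the root label."""
    return sum(len(lbl) + 1 for lbl in lbls) + 1


class ErrorReport(NamedTuple):
    qname: str      # the query that failed, fully qualified
    qtype: int      # its QTYPE (1 = A, 28 = AAAA, ...)
    ede_code: int   # Extended DNS Error code (RFC 8914) the resolver hit


def build_report_qname(qname: str, qtype: int, ede_code: int,
                       agent_domain: str) -> Optional[str]:
    """Resolver side: _er.<qtype>.<qname>.<ede>._er.<agent-domain>.
    Returns None when the result cannot be encoded (label or name too long),
    in which case no report is sent."""
    lbls = ["_er", str(qtype), *labels(qname), str(ede_code), "_er",
            *labels(agent_domain)]
    if any(len(lbl) > MAX_LABEL_LEN for lbl in lbls) or wire_len(lbls) > MAX_NAME_WIRE_LEN:
        return None
    return ".".join(lbls) + "."


def parse_report_qname(report_qname: str, agent_domain: str) -> Optional[ErrorReport]:
    """Agent side: strip our own domain from the right, then the '_er' marker and
    the EDE code; what sits between '_er.<qtype>.' and that is the failed QNAME.
    Returns None for anything that does not follow the RFC 9567 layout."""
    lbls = labels(report_qname)
    agent = labels(agent_domain)
    if len(lbls) <= len(agent) or lbls[-len(agent):] != agent:
        return None
    body = lbls[:-len(agent)]          # ['_er', qtype, ...qname..., ede, '_er']
    if len(body) < 4 or body[0] != "_er" or body[-1] != "_er":
        return None
    if not (body[1].isdigit() and body[-2].isdigit()):
        return None
    qtype, ede = int(body[1]), int(body[-2])
    if not (0 <= qtype <= 65535 and 0 <= ede <= 65535):
        return None
    return ErrorReport(".".join(body[2:-2]) + ".", qtype, ede)   # root qname becomes "."


AGENT = "a01.agent-domain.example."   # constructed agent domain

if __name__ == "__main__":
    # An A lookup for broken.test failed DNSSEC validation with EDE 7 (Signature Expired).
    q = build_report_qname("broken.test.", 1, 7, AGENT)
    print("resolver sends TXT query for:", q)
    print("agent decodes:", parse_report_qname(q, AGENT))
    # Four 63-octet labels plus the report framing exceed 255 octets: no report.
    print("oversized qname ->", build_report_qname(
        "x" * 63 + "." + ("y" * 63 + ".") * 3, 1, 7, AGENT))
```

The agent should treat the decoded `qname` as untrusted data: anyone can send a report query, so a report is a signal to investigate, not proof that the named zone is broken.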