Unbound 1.24.0rc1 pre-release

Yuri yvoinov at gmail.com
Thu Sep 11 16:34:56 UTC 2025


Built and runs smoothly.

11.09.2025 13:02, Wouter Wijngaards via Unbound-users wrote:
> Hi,
>
> Unbound 1.24.0rc1 pre-release is available:
> https://nlnetlabs.nl/downloads/unbound/unbound-1.24.0rc1.tar.gz
> sha256 27baedd2e5c764cb9b949810b8974a2c0ae88ee0040ed49eb5adb7573d8e0b96
> pgp https://nlnetlabs.nl/downloads/unbound/unbound-1.24.0rc1.tar.gz.asc
>
> This release features increased defaults, num.valops statistic,
> unbound-control cache_lookup, and bug fixes.
>
> The default value increase for num-queries-per-thread is to make
> saturation of the task queue more resource intensive and less
> practical. Thanks to Shiming Liu, Network and Information Security
> Lab, Tsinghua University for the report.
>
> The default value increase for so-sndbuf is to mitigate a cross-layer
> issue where the UDP socket send buffers are exhausted waiting for
> ARP/NDP resolution. Thanks to Reflyable for the report.
>
> Various cache -slabs options are auto-configured if not specified
> in the config file. It uses a power of two close to the number of
> threads. When the option is specified in the config file that value
> is used instead.
>
> An extra statistic is added to track the number of signature validation
> operations by the validator, `num.valops`.
>
> The unbound-control `cache_lookup` command prints cache information for
> names in the domain given. This prints similar to dump_cache, but only
> names under the zone(s) specified. Because of that it locks the caches
> for a much shorter time, and this is good for server responsiveness.
>
> The `sock-queue-timeout` option is adapted to work on FreeBSD as well
> as Linux.
>
> Features
> - Increase default to `num-queries-per-thread: 2048`, when unbound is
>   compiled with libevent. It makes saturation of the task queue more
>   resource intensive and less practical. Thanks to Shiming Liu,
>   Network and Information Security Lab, Tsinghua University for the
>   report.
> - Merge #1276: Auto-configure '-slabs' values.
> - Change default for so-sndbuf to 1m, to mitigate a cross-layer
>   issue where the UDP socket send buffers are exhausted waiting
>   for ARP/NDP resolution. Thanks to Reflyable for the report.
> - Adjusted so-sndbuf default to 4m.
> - Merge #1289 from Roland van Rijswijk-Deij: Add extra statistic to
>   track the number of signature validation operations.
>   Adds 'num.valops' to extended statistics.
> - Fix #1303: [FR] Disable TLSv1.2.
> - unbound-control cache_lookup <domains> prints the cached rrsets
>   and messages for those.
> - unbound-control cache_lookup +t allows tld and root names. And
>   subnet cache contents are printed.
> - Fix #1319: [FR] zone status for Unbound auth-zones.
>
> Bug Fixes
> - Fix #1272: assertion failure testcode/unitverify.c:202.
> - Merge #1275: Use macros for the fr_check_changed* functions.
> - Fix for parallel build of dnstap protoc-c output.
> - Fix dnstap to use protoc.
> - Sync unbound and unbound-checkconf log output for unknown modules.
> - Fix #1281: forward-zone "name: ." conflicts with auth-zone "name: ."
>   in 1.23.0, but worked in 1.22.0.
> - Fix #1283: Unsafe usage of atoi() while parsing the configuration
>   file.
> - Merge #1280: Fix auth nsec3 code. Fixes NSEC3 code to not break on
>   broken auth zones that include unsigned out of zone (above apex)
>   data. Could lead to hang while trying to prove a wildcard answer.
> - Fix #1284: NULL pointer deref in az_find_nsec_cover() (latent bug)
>   by adding a log_assert() to safeguard future development.
> - Fix #1282: log-destaddr fail on long ipv6 addresses.
> - Fix config of slab values when there is no config file.
> - Fix for cname chain length with qtype ANY and qname minimisation.
>   Thanks to Jim Greenwood from Nominet for the report.
> - Merge #1285: RST man pages. It introduces reStructuredText man pages
>   to sync the online and source code man page documentation.
>   The templated man pages (*.in) are still part of the repo but
>   generated with docutils from their .rst counterpart.
>   Documentation on how to generate those (mainly for core developers)
>   is in README.man.
> - Add more checks about respip in unbound-checkconf.
>   Also fixes #310: unbound-checkconf not reporting RPZ configuration
>   error.
> - Fix #1288: [FR] Improve fuzzing of unbound by adapting the netbound
>   program.
> - Small manpage corrections for the 'disable-dnssec-lame-check' option.
> - Fix unbound-anchor certificate file read for line ends and end of
>   file.
> - Fix comment for the dname_remove_label_limit_len function.
> - iana portlist updated.
> - Fix bitwise operators in conditional expressions with parentheses.
> - Fix conditional expressions with parentheses for bitwise and.
> - Fix header return value description for skip_pkt_rrs and
>   parse_edns_from_query_pkt.
> - Fix to check control-interface addresses in unbound-checkconf.
> - Fix #1295: Windows 32-bit binaries download seems to be missing dll
>   dependency.
> - Fix for consistent use of local zone CNAME alias for configured auth
>   zones. Now it also applies to downstream configured auth zones.
> - Fix #1296: DNS over QUIC depends on a very outdated version of
>   ngtcp2. Fixed so it works with ngtcp2 1.13.0 and OpenSSL 3.5.0.
> - Merge #1297: edns-subnet: fix NULL_AFTER_DEREF on subnetmod.
> - Fix rrset cache create allocation failure case.
> - Fix #1293: EDE 6 is attached to insecure cached answers when client
>   sends the CD bit.
> - Fix #1247: forward-first: ssl handshake failed on root nameservers.
> - For #1247, turn off fetch-policy for delegation when looking into
>   parent side name servers that may not update the addresses and hit
>   NXNS limits.
> - For #1247, replay test (added tcp_transport to
>   outnet_serviced_query).
> - Merge #1299: Fix typos.
> - Generate ltmain.sh and configure again.
> - Fix #1300: Is 'sock-queue-timeout' a linux only feature.
> - For #1300: implement sock-queue-timeout for FreeBSD as well.
> - Fix layout of comm_point_udp_ancil_callback.
> - Fix to improve dnstap discovery on Fedora.
> - Fix detection of SSL_CTX_set_tmp_ecdh function.
> - For #1301: configure can't find SSL_is_quic in OpenSSL 3.5.1.
> - For #1289: test num.valops in existing stat_values.tdir.
> - For #1289: add num.valops in the unbound-control man page.
> - Add unit tests for non-ecs aggregation.
> - Fix to not set rlimits in the unit tests.
> - iana portlist updated.
> - Redis checks for server down and throttles reconnects.
> - Fix redis cachedb module gettimeofday init failure.
> - Fix testbound test program to accurately output packets from hex.
> - Fix #1309: incorrectly reclaimed tcp handler can cause data
>   corruption and segfault.
> - Fix to use assertions for consistency checks in #1309 reclaimed
>   tcp handlers.
> - Fix edns subnet, so that the subquery without subnet is stored in
>   global cache if the querier used 0.0.0.0/0 and the name and address
>   do not receive subnet treatment. If the name and address are
>   configured for subnet, it is stored in the subnet cache.
> - Fix dname_str for printout of long names. Thanks to Jan Komissar
>   for the fix.
> - Fix that edns-subnet failure to create a subquery errors as
>   servfail, and not formerror.
> - Fix to whitespace in dname_str.
> - Fix that unbound-control dump_cache releases the cache locks
>   every so often, so that the server stays responsive.
> - Fix to remove debug from cache_lookup.
> - Fix to unlock cache_lookup message for malformed records.
> - Fix to increase responsiveness of dump_cache.
> - Fix to decouple file descriptor activity and cache lookups in
>   dump_cache.
> - Fix cache_lookup subnet printout to wipe zero part of the prefix.
> - Fix cache_lookup subnet print to not print messages without rrsets
>   and perform in-depth check on node in the addrtree.
> - Fix to check for extraneous command arguments for unbound-control,
>   when the command takes no arguments but there are arguments present.
> - Fix #1317: Unbound starts too early. Add
>   Wants=network-online.target under [Unit] in unbound.service.
> - Fix for #1317: Fix contrib/unbound.service comment path for
>   systemd network configuration.
> - For #1318: Fix compile warnings for DoH compile on windows.
> - Fix sha1 enable environment variable in test code on windows.
> - Fix that the zone acquired timestamp is set after the
>   zonefile is read.
> - Fix ports workflow to install expat for macos.
> - Fix unbound-control dump_cache for double unlock of lruhash table.
> - Fix setup_listen_sslctx warning for nettle compile.
> - Limit the number of consecutive reads on an HTTP/2 session.
>   Thanks to Gal Bar Nahum for exposing the possibility of infinite
>   reads on the session.
> - Fix for #1324: Fix to free edns options scratch in ratelimit case.
> - Fix #1235: Outdated Python2 code in
>   unbound/pythonmod/examples/log.py.
> - Fix #1324: Memory leak in 'msgparse.c' in
>   'parse_edns_options_from_query(...)'.
> - Fix indentation in tcp-mss option parsing.
> - For #1328: make depend.
> - Update documentation for using "SET ... EX" in Redis.
> - Document max buffer sizes for Redis commands.
> - Update man pages.
> - Fix #1332: CNAME chains are sometimes not followed when RPZs add a
>   local CNAME rewrite.
>
> Best regards, Wouter

