forked from NLnetLabs/unbound
Changelog
13 April 2012: Wouter
- ECDSA support (RFC 6605) by default. Use --disable-ecdsa for older
openssl.
10 April 2012: Wouter
- Applied patch from Daisuke HIGASHI for rrset-roundrobin and
minimal-responses features.
- iana portlist updated.
5 April 2012: Wouter
- fix bug #443: --with-chroot-dir not honoured by configure.
- fix bug #444: setusercontext was called too late (thanks Bjorn
Ketelaars).
27 March 2012: Wouter
- fix bug #442: Fix that Makefile depends on pythonmod headers
even using --without-pythonmodule.
22 March 2012: Wouter
- contrib/validation-reporter follows rotated log file (patch from
Augie Schwer).
21 March 2012: Wouter
- new approach to NS fetches for DS lookup that works with
cornercases, and is more robust and considers forwarders.
19 March 2012: Wouter
- iana portlist updated.
- fix to locate nameservers for DS lookup with NS fetches.
16 March 2012: Wouter
- Patch for access to full DNS packet data in unbound python module
from Ondrej Mikle.
9 March 2012: Wouter
- Applied line-buffer patch from Augie Schwer to validation.reporter.sh.
2 March 2012: Wouter
- flush_infra cleans timed-out servers from the cache too.
- removed warning from --enable-ecdsa.
1 March 2012: Wouter
- forward-first option. Tries without forward if a query fails.
Also stub-first option that is similar.
28 February 2012: Wouter
- Fix from code review, if EINPROGRESS not defined chain if statement
differently.
27 February 2012: Wouter
- Fix bug#434: on windows check registry for config file location
for unbound-control.exe, and unbound-checkconf.exe.
23 February 2012: Wouter
- Fix to squelch 'network unreachable' errors from tcp connect in
logs, high verbosity will show them.
16 February 2012: Wouter
- iter_hints is now thread-owned in module env, and thus threadsafe.
- Fix prefetch and sticky NS, now the prefetch works. It picks
nameservers that 'would be valid in the future', and if this makes
the NS timeout, it updates that NS by asking delegation from the
parent again. If child NS has longer TTL, that TTL does not get
refreshed from the lookup to the child nameserver.
15 February 2012: Wouter
- Fix forward-zone memory, uses malloc and frees original root dp.
- iter hints (stubs) uses malloc inside for more dynamicity.
- unbound-control forward_add, forward_remove, stub_add, stub_remove
can modify stubs and forwards for running unbound (on mobile computer)
they can also add and remove domain-insecure for the zone.
14 February 2012: Wouter
- Fix sticky NS (ghost domain problem) if prefetch is yes.
- iter forwards uses malloc inside for more dynamicity.
13 February 2012: Wouter
- RT#2955. Fix for cygwin compilation.
- iana portlist updated.
10 February 2012: Wouter
- Slightly smaller critical region in one case in infra cache.
- Fix timeouts to keep track of query type, A, AAAA and other, if
another has caused timeout blacklist, different type can still probe.
- unit test fix for nomem_cnametopos.rpl race condition.
9 February 2012: Wouter
- Fix AHX_BROKEN_MEMCMP for autoheader mess up of #undef in config.h.
8 February 2012: Wouter
- implement draft-ietf-dnsext-ecdsa-04, which is in IETF LC. This
implementation is experimental at this time and not recommended
for use on the public internet (the protocol numbers have not
been assigned). Needs recent ldns with --enable-ecdsa.
- fix memory leak in errorcase for DSA signatures.
- iana portlist updated.
- workaround for openssl 0.9.8 ecdsa sha2 and evp problem.
3 February 2012: Wouter
- fix for windows, rename() is not posix compliant on windows.
2 February 2012: Wouter
- 1.4.16 release tag.
- svn trunk is 1.4.17 in development.
- iana portlist updated.
1 February 2012: Wouter
- Fix validation failures (like: validation failure xx: no NSEC3
closest encloser from yy for DS zz. while building chain of trust),
because of a bug in the TTL-fix in 1.4.15, it picked the wrong rdata
for an NSEC3. Now it does not change rdata, and fixes TTL.
30 January 2012: Wouter
- Fix version-number in libtool to be version-info so it produces
libunbound.so.2 like it should.
26 January 2012: Wouter
- Tag 1.4.15 (same as 1.4.15rc1), for 1.4.15 release.
- trunk 1.4.16; includes changes memset testcode, #424 openindiana,
and keyfile write fixup.
- applied patch to support outgoing-interface with ub_ctx_set_option.
23 January 2012: Wouter
- Fix memset in test code.
20 January 2012: Wouter
- Fix bug #424: compile on OpenIndiana OS with gcc 4.6.2.
19 January 2012: Wouter
- Fix to write key files completely to a temporary file, and if that
succeeds, replace the real key file. So failures leave a useful file.
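The write-to-a-temporary-file-then-replace pattern from the entry above, as an added example (this is not Unbound's own key file code; all names in it are this example's own). The write goes to a sibling temp file, is flushed to disk, and only then renamed over the real file, so a crash or write error part way through leaves the previous key file intact:

```c
/* Added example, not Unbound's own code: the write-to-temp-then-rename
 * pattern from the entry above.  All names here are this example's own. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Write len bytes to path so that a reader sees either the previous
 * contents or the complete new contents, never a partial file.  Returns
 * 0 on success, -1 with errno set on failure; on failure the previous
 * file (if any) is untouched and the temporary file is removed. */
int
write_file_atomic(const char* path, const char* data, size_t len)
{
	char tmp[4096];
	int fd, saved;
	size_t done = 0;
	if(snprintf(tmp, sizeof(tmp), "%s.tmp", path) >= (int)sizeof(tmp)) {
		errno = ENAMETOOLONG;
		return -1;
	}
	/* O_EXCL: never write through a name something else created; a
	 * leftover from an interrupted earlier run is discarded first. */
	fd = open(tmp, O_WRONLY|O_CREAT|O_EXCL, 0600);
	if(fd == -1 && errno == EEXIST) {
		unlink(tmp);
		fd = open(tmp, O_WRONLY|O_CREAT|O_EXCL, 0600);
	}
	if(fd == -1)
		return -1;
	while(done < len) {
		ssize_t r = write(fd, data + done, len - done);
		if(r < 0 && errno == EINTR)
			continue;
		if(r < 0)
			goto fail;
		done += (size_t)r;
	}
	/* the data must be on disk before the rename makes it visible */
	if(fsync(fd) != 0)
		goto fail;
	if(close(fd) != 0) {
		fd = -1;
		goto fail;
	}
	fd = -1;
	/* POSIX rename() replaces the target in one step; Windows rename()
	 * does not replace an existing file (see the 3 February 2012 entry). */
	if(rename(tmp, path) != 0)
		goto fail;
	return 0;
fail:
	saved = errno;
	if(fd != -1)
		close(fd);
	unlink(tmp);
	errno = saved;
	return -1;
}

/* Read a whole file into a malloc'ed NUL-terminated buffer; NULL on error. */
char*
read_whole_file(const char* path)
{
	FILE* f = fopen(path, "rb");
	char* buf = NULL;
	long n = -1;
	if(!f)
		return NULL;
	if(fseek(f, 0, SEEK_END) == 0 && (n = ftell(f)) >= 0 &&
		fseek(f, 0, SEEK_SET) == 0 && (buf = malloc((size_t)n + 1))) {
		if(fread(buf, 1, (size_t)n, f) == (size_t)n)
			buf[n] = 0;
		else {
			free(buf);
			buf = NULL;
		}
	}
	fclose(f);
	return buf;
}

/* stand-alone run: write a key file twice and show the result */
int
main(void)
{
	const char* path = "atomic_demo.key";  /* constructed sample path */
	char* s;
	if(write_file_atomic(path, "key v1\n", 7) != 0 ||
		write_file_atomic(path, "key v2\n", 7) != 0) {
		perror("write_file_atomic");
		return 1;
	}
	s = read_whole_file(path);
	printf("%s contains: %s", path, s ? s : "(unreadable)\n");
	free(s);
	unlink(path);
	return 0;
}
```

The temp file is created in the same directory as the target so that rename() is a same-filesystem operation; the 0600 mode matters because the file holds trust material, and the directory is assumed to be writable only by the daemon user.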
18 January 2012: Wouter
- tag 1.4.15rc1 created
- updated libunbound/ubsyms.def and remade tag 1.4.15rc1.
17 January 2012: Wouter
- Fix bug where canonical_compare of RRSIG did not downcase the
signer-name. This is mostly harmless because RRSIGs do not have
to be sorted in canonical order, usually.
12 January 2012: Wouter
- bug#428: add ub_version() call to libunbound. API version increase,
with (binary) backwards compatibility for the previous version.
10 January 2012: Wouter
- Fix bug #425: unbound reports wrong TTL in reply, it reports a TTL
that would be permissible by the RFCs but it is not the TTL in the
cache.
- iana portlist updated.
- uninitialised variable in reprobe for rtt blocked domains fixed.
- lintfix and new flex output.
2 January 2012: Wouter
- Fix to randomize hash function, based on 28c3 congress, reported
by Peter van Dijk.
24 December 2011: Wouter
- Fix for memory leak (about 20 bytes when a tcp or udp send operation
towards authority servers failed, takes about 50.000 such failures to
leak one Mb, such failures are also usually logged), reported by
Robert Fleischmann.
- iana portlist updated.
19 December 2011: Wouter
- Fix for VU#209659 CVE-2011-4528: Unbound denial of service
vulnerabilities from nonstandard redirection and denial of existence
http://www.unbound.net/downloads/CVE-2011-4528.txt
- robust checks for next-closer NSEC3s.
- tag 1.4.14 created.
- trunk has 1.4.15 in development.
15 December 2011: Wouter
- remove uninit warning from cachedump code.
- Fix parse error on negative SOA RRSIGs if badly ordered in the packet.
13 December 2011: Wouter
- iana portlist updated.
- svn tag 1.4.14rc1
- fix infra cache comparison.
- Fix to constrain signer_name to be a parent of the lookupname.
5 December 2011: Wouter
- Fix getaddrinfowithincludes on windows with fedora16 mingw32-gcc.
- Fix warnings with gcc 4.6 in compat/inet_ntop.c.
- Fix warning unused in compat/strptime.c.
- Fix malloc detection and double definition.
2 December 2011: Wouter
- configure generated with autoconf 2.68.
30 November 2011: Wouter
- Fix for tcp-upstream and ssl-upstream for if a laptop sleeps, causes
SERVFAILs. Also fixed for UDP (but less likely).
28 November 2011: Wouter
- Fix quartile time estimate, it was too low, (thanks Jan Komissar).
- iana ports updated.
11 November 2011: Wouter
- Makefile compat with SunOS make, BSD make and GNU make.
- iana ports updated.
10 November 2011: Wouter
- Makefile changed for BSD make compatibility.
9 November 2011: Wouter
- added unit test for SSL service and SSL-upstream.
8 November 2011: Wouter
- can configure ssl service to one port number, and not on others.
- fixup windows compile with ssl support.
- Fix double free in unbound-host, reported by Steve Grubb.
- iana portlist updated.
1 November 2011: Wouter
- dns over ssl support as a client, ssl-upstream yes turns it on.
It performs an SSL transaction for every DNS query (250 msec).
- documentation for new options: ssl-upstream, ssl-service-key and
ssl-service-pem.
- iana portlist updated.
- fix -flto detection on Lion for llvm-gcc.
31 October 2011: Wouter
- dns over ssl support, ssl-service-pem and ssl-service-key files
can be given and then TCP queries are serviced wrapped in SSL.
27 October 2011: Wouter
- lame-ttl and lame-size options no longer exist, it is integrated
with the host info. They are ignored (with verbose warning) if
encountered to keep the config file backwards compatible.
- fix iana-update for changing gzip compression of results.
- fix export-all-symbols on OSX.
26 October 2011: Wouter
- iana portlist updated.
- Infra cache stores information about ping and lameness per IP, zone.
This fixes bug #416.
- fix iana_update target for gzipped file on iana site.
24 October 2011: Wouter
- Fix resolve of partners.extranet.microsoft.com with a fix for the
server selection for choosing out of a (particular) list of bad
choices. (bug#415)
- Fix make_new_space function so that the incoming query is not
overwritten if a jostled out query causes a waiting query to be
resumed that then fails and sends an error message. (Thanks to
Matthew Lee).
21 October 2011: Wouter
- fix --enable-allsymbols, fptr wlist is disabled on windows with this
option enabled because of memory layout exe vs dll.
19 October 2011: Wouter
- fix unbound-anchor for broken strptime on OSX lion, detected
in configure.
- Detect if GOST really works, openssl1.0 on OSX fails.
- Implement ipv6%interface notation for scope_id usage.
17 October 2011: Wouter
- better documentation for inform_super (Thanks Yang Zhe).
14 October 2011: Wouter
- Fix for out-of-memory condition in libunbound (thanks
Robert Fleischman).
13 October 2011: Wouter
- Fix --enable-allsymbols, it depended on link specifics of the
target platform, or fptr_wlist assertion failures could occur.
12 October 2011: Wouter
- updated contrib/unbound_munin_ to family=auto so that it works with
munin-node-configure automatically (if installed as
/usr/local/share/munin/plugins/unbound_munin_ ).
27 September 2011: Wouter
- unbound.exe -w windows option for start and stop service.
23 September 2011: Wouter
- TCP-upstream calculates tcp-ping so server selection works if there
are alternatives.
20 September 2011: Wouter
- Fix classification of NS set in answer section, where there is a
parent-child server, and the answer has the AA flag for dir.slb.com.
Thanks to Amanda Constant from Secure64.
16 September 2011: Wouter
- fix bug #408: accept patch from Steve Snyder that comments out
unused functions in lookup3.c.
- iana portlist updated.
- fix EDNS1480 change memleak and TCP fallback.
- fix various compiler warnings (reported by Paul Wouters).
- max sent count. EDNS1480 only for rtt < 5000. No promiscuous
fetch if sentcount > 3, stop query if sentcount > 16. Count is
reset when referral or CNAME happens. This makes unbound better
at managing large NS sets, they are explored when there is continued
interest (in the form of queries).
15 September 2011: Wouter
- release 1.4.13.
- trunk contains 1.4.14 in development.
- Unbound probes at EDNS1480 if there an EDNS0 timeout.
12 September 2011: Wouter
- Reverted dns EDNS backoff fix, it did not help and needs
fragmentation fixes instead.
- tag 1.4.13rc2
7 September 2011: Wouter
- Fix operation in ipv6 only (do-ip4: no) mode.
6 September 2011: Wouter
- fedora specfile updated.
5 September 2011: Wouter
- tag 1.4.13rc1
2 September 2011: Wouter
- iana portlist updated.
26 August 2011: Wouter
- Fix num-threads 0 does not segfault, reported by Simon Deziel.
- Fix validation failures due to EDNS backoff retries, the retry
for fetch of data has want_dnssec because the iter_indicate_dnssec
function returns true when validation failure retry happens, and
then the serviced query code does not fallback to noEDNS, even if
the cache says it has this. This helps for DLV deployment when
the DNSSEC status is not known for sure before the lookup concludes.
24 August 2011: Wouter
- Applied patch from Karel Slany that fixes a memory leak in the
unbound python module, in string conversions.
22 August 2011: Wouter
- Fix validation of qtype ANY responses with CNAMEs (thanks Cathy
Zhang and Luo Ce). Unbound responds with the RR types that are
available at the name for qtype ANY and validates those RR types.
It does not test for completeness (i.e. with NSEC or NSEC3 query),
and it does not follow the CNAME or DNAME to another name (with
even more data for the already large response).
- Fix that internally, CNAMEs with NXDOMAIN have that as rcode.
- Documented the options that work with control set_option command.
- tcp-upstream yes/no option (works with set_option) for tunnels.
18 August 2011: Wouter
- fix autoconf call in makedist crosscompile to RC or snapshot.
17 August 2011: Wouter
- Fix validation of . DS query.
- new xml format at IANA, new awk for iana_update.
- iana portlist updated.
10 August 2011: Wouter
- Fix python site-packages path to /usr/lib64.
- updated patch from Tom.
- fix memory and fd leak after out-of-memory condition.
9 August 2011: Wouter
- patch from Tom Hendrikx fixes load of python modules.
8 August 2011: Wouter
- make clean had ldns-src reference, removed.
1 August 2011: Wouter
- Fix autoconf 2.68 warnings
14 July 2011: Wouter
- Unbound implements RFC6303 (since version 1.4.7).
- tag 1.4.12rc1 is released as 1.4.12 (without the other fixes in the
meantime, those are for 1.4.13).
- iana portlist updated.
13 July 2011: Wouter
- Quick fix for contrib/unbound.spec example, no ldns-builtin any more.
11 July 2011: Wouter
- Fix wildcard expansion no-data reply under an optout NSEC3 zone is
validated as insecure, reported by Jia Li (lijia@cnnic.cn).
4 July 2011: Wouter
- 1.4.12rc1 tag created.
1 July 2011: Wouter
- version number in example config file.
- fix that --enable-static-exe does not complain about it unknown.
30 June 2011: Wouter
- tag release 1.4.11, trunk is 1.4.12 development.
- iana portlist updated.
- fix bug#395: id bits of other query may leak out under conditions
- fix replyaddr count wrong after jostled queries, which leads to
eventual starvation where the daemon has no replyaddrs left to use.
- fix comment about rndc port, that referred to the old port number.
- fix that the listening socket is not closed when too many remote
control connections are made at the same time.
- removed ldns-src tarball inside the unbound tarball.
23 June 2011: Wouter
- Changed -flto check to support clang compiler.
- tag 1.4.11rc3 created.
17 June 2011: Wouter
- tag 1.4.11rc1 created.
- remove warning about signed/unsigned from flex (other flex version).
- updated aclocal.m4 and libtool to match.
- tag 1.4.11rc2 created.
16 June 2011: Wouter
- log-queries: yesno option, default is no, prints querylog.
- version is 1.4.11.
14 June 2011: Wouter
- Use -flto compiler flag for link time optimization, if supported.
- iana portlist updated.
12 June 2011: Wouter
- IPv6 service address for d.root-servers.net (2001:500:2D::D).
10 June 2011: Wouter
- unbound-control has version number in the header,
UBCT[version]_space_ is the header sent by the client now.
- Unbound control port number is registered with IANA:
ub-dns-control 8953/tcp unbound dns nameserver control
This is the new default for the control-port config setting.
- statistics-interval prints the number of jostled queries to log.
30 May 2011: Wouter
- Fix Makefile for U in environment, since wrong U is more common than
deansification necessity.
- iana portlist updated.
- updated ldns tarball to 1.6.10rc2 snapshot of today.
25 May 2011: Wouter
- Fix assertion failure when unbound generates an empty error reply
in response to a query, CVE-2011-1922 VU#531342.
- This fix is in tag 1.4.10.
- defense in depth against the above bug, an error is printed to log
instead of an assertion failure.
10 May 2011: Wouter
- bug#386: --enable-allsymbols option links all binaries to libunbound
and reduces install size significantly.
- feature, ignore-cd-flag: yesno to provide dnssec to legacy servers.
- iana portlist updated.
- Fix TTL of SOA so negative TTL is separately cached from normal TTL.
14 April 2011: Wouter
- configure created with newer autoconf 2.66.
12 April 2011: Wouter
- bug#378: Fix that configure checks for ldns_get_random presence.
8 April 2011: Wouter
- iana portlist updated.
- queries with CD flag set cause DNSSEC validation, but the answer is
not withheld if it is bogus. Thus, unbound will retry if it is bad
and curb the TTL if it is bad, thus protecting the cache for use by
downstream validators.
- val-override-date: -1 ignores dates entirely, for NTP usage.
29 March 2011: Wouter
- harden-below-nxdomain: changed so that it activates when the
cached nxdomain is dnssec secure. This avoids backwards
incompatibility because those old servers do not have dnssec.
24 March 2011: Wouter
- iana portlist updated.
- release 1.4.9.
- trunk is 1.5.0
17 March 2011: Wouter
- bug#370: new unbound.spec for CentOS 5.x from Harold Jones.
Applied but did not do the --disable-gost.
10 March 2011: Wouter
- tag 1.4.9 release candidate 1 created.
3 March 2011: Wouter
- updated ldns to today.
1 March 2011: Wouter
- Fix no ADflag for NXDOMAIN in NSEC3 optout. And wildcard in optout.
- give config parse error for multiple names on a stub or forward zone.
- updated ldns tarball to 1.6.9(todays snapshot).
24 February 2011: Wouter
- bug #361: Fix, time.elapsed variable not reset with stats_noreset.
23 February 2011: Wouter
- iana portlist updated.
- common.sh to version 3.
18 February 2011: Wouter
- common.sh in testdata updated to version 2.
15 February 2011: Wouter
- Added explicit note on unbound-anchor usage:
Please note usage of unbound-anchor root anchor is at your own risk
and under the terms of our LICENSE (see that file in the source).
11 February 2011: Wouter
- iana portlist updated.
- tpkg updated with common.sh for common functionality.
7 February 2011: Wouter
- Added regression test for addition of a .net DS to the root, and
cache effects with different TTL for glue and DNSKEY.
- iana portlist updated.
28 January 2011: Wouter
- Fix remove private address does not throw away entire response.
24 January 2011: Wouter
- release 1.4.8
19 January 2011: Wouter
- fix bug#349: no -L/usr for ldns.
18 January 2011: Wouter
- ldns 1.6.8 tarball included.
- release 1.4.8rc1.
17 January 2011: Wouter
- add get and set option for harden-below-nxdomain feature.
- iana portlist updated.
14 January 2011: Wouter
- Fix so a changed NS RRset does not get moved name stuck on old
server, for type NS the TTL is not increased.
13 January 2011: Wouter
- Fix prefetch so it does not get stuck on old server for moved names.
12 January 2011: Wouter
- iana portlist updated.
11 January 2011: Wouter
- Fix insecure CNAME sequence marked as secure, reported by Bert
Hubert.
10 January 2011: Wouter
- faster lruhash get_mem routine.
4 January 2011: Wouter
- bug#346: remove ITAR scripts from contrib, the service is discontinued, use the root.
- iana portlist updated.
23 December 2010: Wouter
- Fix in infra cache that could cause rto larger than TOP_TIMEOUT kept.
21 December 2010: Wouter
- algorithm compromise protection using the algorithms signalled in
the DS record. Also, trust anchors, DLV, and RFC5011 receive this,
and thus, if you have multiple algorithms in your trust-anchor-file
then it will now behave different than before. Also, 5011 rollover
for algorithms needs to be double-signature until the old algorithm
is revoked.
It is not an option, because I see no use to turn the security off.
- iana portlist updated.
17 December 2010: Wouter
- squelch 'tcp connect: bla' in logfile (set verbosity 2 to see them).
- fix validation in this case: CNAME to nodata for co-hosted opt-in
NSEC3 insecure delegation, was bogus, fixed to be insecure.
16 December 2010: Wouter
- Fix our 'BDS' license (typo reported by Xavier Belanger).
10 December 2010: Wouter
- iana portlist updated.
- review changes for unbound-anchor.
2 December 2010: Wouter
- feature typetransparent localzone, does not block other RR types.
1 December 2010: Wouter
- Fix bug#338: print address when socket creation fails.
30 November 2010: Wouter
- Fix storage of EDNS failures in the infra cache.
- iana portlist updated.
18 November 2010: Wouter
- harden-below-nxdomain option, default off (because very old
software may be incompatible). We could enable it by default in
the future.
17 November 2010: Wouter
- implement draft-vixie-dnsext-resimprove-00, we stop on NXDOMAIN.
- make test output nicer.
15 November 2010: Wouter
- silence 'tcp connect: broken pipe' and 'net down' at low verbosity.
- iana portlist updated.
- so-sndbuf option for very busy servers, a bit like so-rcvbuf.
9 November 2010: Wouter
- unbound-anchor compiles with openssl 0.9.7.
8 November 2010: Wouter
- release tag 1.4.7.
- trunk is version 1.4.8.
- Be lenient and accept imgw.pl malformed packet (like BIND).
5 November 2010: Wouter
- do not synthesize a CNAME message from cache for qtype DS.
4 November 2010: Wouter
- Use central entropy to seed threads.
3 November 2010: Wouter
- Change the rtt used to probe EDNS-timeout hosts to 1000 msec.
2 November 2010: Wouter
- tag 1.4.7rc1.
- code review.
1 November 2010: Wouter
- GOST code enabled by default (RFC 5933).
27 October 2010: Wouter
- Fix uninit value in dump_infra print.
- Fix validation failure for parent and child on same server with an
insecure childzone and a CNAME from parent to child.
- Configure detects libev-4.00.
26 October 2010: Wouter
- dump_infra and flush_infra commands for unbound-control.
- no timeout backoff if meanwhile a query succeeded.
- Change of timeout code. No more lost and backoff in blockage.
At 12sec timeout (and at least 2x lost before) one probe per IP
is allowed only. At 120sec, the IP is blocked. After 15min, a
120sec entry has a single retry packet.
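A model of the timeout policy the entry above describes, as an added example (not Unbound's infra cache code). The 12 sec, 120 sec, 15 min and "at least 2x lost" thresholds are the ones stated in the entry; the initial timeout, the rule that derives a timeout from a measured rtt, and all names are this example's own assumptions. The point of the gating is that a server that stops answering costs the resolver at most one outstanding probe per timeout period, and a blocked one a single packet every 15 minutes, so the request list cannot fill up with retries to dead servers:

```c
/* Added example, not Unbound's own infra cache: a per-server timeout
 * record following the policy in the entry above.  Initial timeout,
 * rtt-to-timeout rule and names are this example's own choices. */
#include <stdio.h>
#include <time.h>

#define RTO_INITIAL_MS     1000   /* example's choice for an unknown server */
#define RTO_MIN_MS           50   /* example's floor after a measured rtt */
#define RTO_PROBE_MS      12000   /* from here on: one probe per IP at a time */
#define RTO_BLOCKED_MS   120000   /* at this timeout the IP is blocked */
#define PROBE_MIN_LOST        2   /* probe limiting needs at least 2 lost */
#define BLOCK_RETRY_SEC  (15*60)  /* blocked entry: one retry after 15 min */

struct host_rtt {
	int rto_ms;         /* current retransmission timeout in msec */
	int lost;           /* consecutive queries lost to this server */
	time_t probe_until; /* no further probe or retry allowed before this */
};

void
host_rtt_init(struct host_rtt* h)
{
	h->rto_ms = RTO_INITIAL_MS;
	h->lost = 0;
	h->probe_until = 0;
}

/* is the server blocked (timeout has reached RTO_BLOCKED_MS)? */
int
host_rtt_blocked(const struct host_rtt* h)
{
	return h->rto_ms >= RTO_BLOCKED_MS;
}

/* a query timed out: exponential backoff, capped at the block timeout.
 * Reaching the cap starts the 15 minute wait for the single retry. */
void
host_rtt_lost(struct host_rtt* h, time_t now)
{
	h->lost++;
	if(h->rto_ms >= RTO_BLOCKED_MS / 2) {
		h->rto_ms = RTO_BLOCKED_MS;
		h->probe_until = now + BLOCK_RETRY_SEC;
	} else {
		h->rto_ms *= 2;
	}
}

/* a reply came back after rtt_ms: the server is responsive again.
 * Crude estimator; Unbound's smoothed estimate is not reproduced. */
void
host_rtt_ok(struct host_rtt* h, int rtt_ms)
{
	h->lost = 0;
	h->probe_until = 0;
	h->rto_ms = rtt_ms * 2 < RTO_MIN_MS ? RTO_MIN_MS : rtt_ms * 2;
}

/* May a query be sent to this server now?  1 = yes, 0 = no.
 * A yes consumes the probe slot, so call it only when about to send. */
int
host_rtt_may_send(struct host_rtt* h, time_t now)
{
	if(host_rtt_blocked(h)) {
		/* blocked: one retry packet every BLOCK_RETRY_SEC */
		if(now < h->probe_until)
			return 0;
		h->probe_until = now + BLOCK_RETRY_SEC;
		return 1;
	}
	if(h->rto_ms >= RTO_PROBE_MS && h->lost >= PROBE_MIN_LOST) {
		/* slow and lossy: one outstanding probe, lasting one timeout */
		if(now < h->probe_until)
			return 0;
		h->probe_until = now + (h->rto_ms + 999) / 1000;
		return 1;
	}
	return 1; /* healthy, or not lossy enough yet: no restriction */
}

/* stand-alone run: print how the record evolves over repeated timeouts */
int
main(void)
{
	struct host_rtt h;
	time_t now = 0;
	int i;
	host_rtt_init(&h);
	for(i = 0; i < 8; i++) {
		printf("lost=%d rto=%6dms blocked=%d may_send=%d\n", h.lost,
			h.rto_ms, host_rtt_blocked(&h), host_rtt_may_send(&h, now));
		host_rtt_lost(&h, now);
		now += h.rto_ms / 1000;
	}
	return 0;
}
```

A successful reply resets the record completely, which is what the "no timeout backoff if meanwhile a query succeeded" line in the same entry calls for.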
25 October 2010: Wouter
- Configure errors if ldns is not found.
22 October 2010: Wouter
- Windows 7 fix for the installer.
21 October 2010: Wouter
- Fix bug where fallback_tcp causes wrong roundtrip and edns
observation to be noted in cache. Fix bug where EDNSprobe halted
exponential backoff if EDNS status unknown.
- new unresponsive host method, exponentially increasing block backoff.
- iana portlist updated.
20 October 2010: Wouter
- interface automatic works for some people with ip6 disabled.
Therefore the error check is removed, so they can use the option.
19 October 2010: Wouter
- Fix for request list growth, if a server has long timeout but the
lost counter is low, then its effective rtt is the one without
exponential backoff applied. Because the backoff is not working.
The lost counter can then increase and the server is blacklisted,
or the lost counter does not increase and the server is working
for some queries.
18 October 2010: Wouter
- iana portlist updated.
13 October 2010: Wouter
- Fix TCP so it uses a random outgoing-interface.
- unbound-anchor handles ADDPEND keystate.
11 October 2010: Wouter
- Fix bug when DLV below a trust-anchor that uses NSEC3 optout where
the zone has a secure delegation hosted on the same server did not
verify as secure (it was insecure by mistake).
- iana portlist updated.
- ldns tarball updated (for reading cachedumps with bad RR data).
1 October 2010: Wouter
- test for unbound-anchor. fix for reading certs.
- Fix alloc_reg_release for longer uptime in out of memory conditions.
28 September 2010: Wouter
- unbound-anchor working, it creates or updates a root.key file.
Use it before you start the validator (e.g. at system boot time).
27 September 2010: Wouter
- iana portlist updated.
24 September 2010: Wouter
- bug#329: in example.conf show correct ipv4 link-local 169.254/16.
23 September 2010: Wouter
- unbound-anchor app, unbound requires libexpat (xml parser library).
22 September 2010: Wouter
- compliance with draft-ietf-dnsop-default-local-zones-14, removed
reverse ipv6 orchid prefix from builtin list.
- iana portlist updated.
17 September 2010: Wouter
- DLV has downgrade protection again, because the RFC says so.
- iana portlist updated.
16 September 2010: Wouter
- Algorithm rollover operational reality intrudes, for trust-anchor,
5011-store, and DLV-anchor if one key matches it's good enough.
- iana portlist updated.
- Fix reported validation error in out of memory condition.
15 September 2010: Wouter
- Abide RFC5155 section 9.2: no AD flag for replies with NSEC3 optout.
14 September 2010: Wouter
- increased mesh-max-activation from 1000 to 3000 for crazy domains
like _tcp.slb.com with 262 servers.
- iana portlist updated.
13 September 2010: Wouter
- bug#327: Fix for cannot access stub zones until the root is primed.
9 September 2010: Wouter
- unresponsive servers are not completely blacklisted (because of
firewalls), but also not probed all the time (because of the request
list size it generates). The probe rate is 1%.
- iana portlist updated.
20 August 2010: Wouter
- openbsd-lint fixes: acl_list_get_mem used if debug-alloc enabled.
iterator get_mem includes priv_get_mem. delegpt nodup removed.
listen_pushback, query_info_allocqname, write_socket, send_packet,
comm_point_set_cb_arg and listen_resume removed.
19 August 2010: Wouter
- Fix bug#321: resolution of rs.ripe.net artifacts with 0x20.
Delegpt structures checked for duplicates always.
No more nameserver lookups generated when depth is full anyway.
- example.conf notes how to do DNSSEC validation and track the root.
- iana portlist updated.
18 August 2010: Wouter
- Fix bug#322: configure does not respect CFLAGS on Solaris.
Pass CFLAGS="-xO4 -xtarget=generic" on the configure command line
if using sun-cc, but some systems need different flags.
16 August 2010: Wouter
- Fix acx_nlnetlabs.m4 configure output for autoconf-2.66 AS_TR_CPP
changes, uses m4_bpatsubst now.
- make test (or make check) should be more portable and run the unit
test and testbound scripts. (make longtest has special requirements).
13 August 2010: Wouter
- More pleasant remote control command parsing.
- documentation added for return values reported by doxygen 1.7.1.
- iana portlist updated.
9 August 2010: Wouter
- Fix name of rrset printed that failed validation.
5 August 2010: Wouter
- Return NXDOMAIN after chain of CNAMEs ends at name-not-found.
4 August 2010: Wouter
- Fix validation in case a trust anchor enters into a zone with
unsupported algorithms.
3 August 2010: Wouter
- updated ldns tarball with bugfixes.
- release tag 1.4.6.
- trunk becomes 1.4.7 develop.
- iana portlist updated.
22 July 2010: Wouter
- more error details on failed remote control connection.
15 July 2010: Wouter
- rlimit adjustments for select and ulimit can happen at the same time.
14 July 2010: Wouter
- Donation text added to README.
- Fix integer underflow in prefetch ttl creation from cache. This
fixes a potential negative prefetch ttl.
12 July 2010: Wouter
- Changed the defaults for num-queries-per-thread/outgoing-range.
For builtin-select: 512/960, for libevent 1024/4096 and for
windows 24/48 (because of win api). This makes the ratio this way
to improve resilience under heavy load. For high performance, use
libevent and possibly higher numbers.
10 July 2010: Wouter
- GOST enabled if SSL is recent and ldns has GOST enabled too.
- ldns tarball updated.
9 July 2010: Wouter
- iana portlist updated.
- Fix validation of qtype DNSKEY when a key-cache entry exists but
no rr-cache entry is used (it expired or prefetch), it then goes
back up to the DS or trust-anchor to validate the DNSKEY.
7 July 2010: Wouter
- Neat function prototypes, unshadowed local declarations.
6 July 2010: Wouter
- failure to chown the pidfile is not fatal any more.
- testbound uses UTC timezone.
- ldns tarball updated (ports and works on Minix 3.1.7). On Minix, add
/usr/gnu/bin to PATH, use ./configure AR=/usr/gnu/bin/gar and gmake.
5 July 2010: Wouter
- log if a server is skipped because it is on the donotquery list,
at verbosity 4, to enable diagnosis why no queries to 127.0.0.1.
- added feature to print configure date, target and options with -h.
- added feature to print event backend system details with -h.
- wdiff is not actually required by make test, updated requirements.
1 July 2010: Wouter
- Fix RFC4035 compliance with 2.2 statement that the DNSKEY at apex
must be signed with all algorithms from the DS rrset at the parent.
This is now checked and becomes bogus if not.
28 June 2010: Wouter
- Fix jostle list bug found by Vince (luoce@cnnic), it caused the qps
in overload situations to be about 5 qps for the class of shortly
serviced queries.
The capacity of the resolver is then about (numqueriesperthread / 2)
/ (average time for such long queries) qps for long queries.
And about (numqueriesperthread / 2)/(jostletimeout in whole seconds)
qps for short queries, per thread.
- Fix the max number of reply-address count to be applied for duplicate
queries, and not for new query list entries. This raises the memory
usage to a max of (16+1)*numqueriesperthread reply addresses.
25 June 2010: Wouter
- Fix handling of corner case reply from lame server, follows rfc2308.
It could lead to a nodata reply getting into the cache if the search
for a non-lame server turned up other misconfigured servers.
- unbound.h has extern "C" statement for easier include in c++.
23 June 2010: Wouter
- iana portlist updated.
- makedist upgraded cross compile openssl option, like this:
./makedist.sh -s -wssl openssl-1.0.0a.tar.gz -w --enable-gost
22 June 2010: Wouter
- Unbound reports libev or libevent correctly in logs in verbose mode.
- Fix to unload gost dynamic library module for leak testing.
18 June 2010: Wouter
- iana portlist updated.
17 June 2010: Wouter
- Add AAAA to root hints for I.ROOT-SERVERS.NET.
16 June 2010: Wouter
- Fix assertion failure reported by Kai Storbeck from XS4ALL, the
assertion was wrong.
- updated ldns tarball.
15 June 2010: Wouter
- tag 1.4.5 created.
- trunk contains 1.4.6 in development.
- Fix TCP reply on systems with no writev, if just 1 byte could be sent.
- Fix to use one pointer less for iterator query state store_parent_NS.
- makedist crosscompile to windows uses builtin ldns not host ldns.
- Max referral count from 30 to 130, because 128 one character domains
is valid DNS.
- added documentation for the histogram printout to syslog.
11 June 2010: Wouter
- When retrying to the parent, the retry count is not wiped, so failed
  nameservers are not tried again.
- iana portlist updated.
10 June 2010: Wouter
- Fix bug where a long loop could be entered, now cycle detection
has a loop-counter and maximum search amount.
4 June 2010: Wouter
- iana portlist updated.
- 1.4.5rc1 tag created.
3 June 2010: Wouter
- ldns tarball updated, 1.6.5.
- review comments, split dependency cycle tracking for parentside
last resort lookups for A and AAAA so there are more lookup options.
2 June 2010: Wouter
- Fix compile warning if compiled without threads.
- updated ldns-tarball with current ldns svn (pre 1.6.5).
- GOST disabled-by-default, the algorithm number is allocated but the
  RFC still has to pass AUTH48 at the IETF.
1 June 2010: Wouter
- Ignore Z flag in incoming messages too.
- Fix storage of negative parent glue if that last resort fails.
- libtoolize 2.2.6b, autoconf 2.65 applied to configure.
- new splint flags for newer splint install.
31 May 2010: Wouter
- Fix AD flag handling, it could in some cases mistakenly copy the AD
flag from upstream servers.
- alloc_special_obtain out of memory is not a fatal error any more,
enabling unbound to continue longer in out of memory conditions.
- parentside names are dispreferred but not said to be dnssec-lame.
- parentside check for cached newname glue.
- fix parentside and querytargets modulestate, for dump_requestlist.
- unbound-control-setup makes keys -rw-r--- so not all users permitted.
- fix parentside from cache to be marked dispreferred for bad names.
28 May 2010: Wouter
- iana portlist updated.
- parent-child disagreement approach altered. Older fixes are
removed in place of a more exhaustive search for misconfigured data
available via the parent of a delegation.
This is designed to be throttled by cache entries, with TTL from the
parent if possible. Additionally the loop-counter is used.
It also tests for NS RRset differences between parent and child.
The fetch of misconfigured data should be more reliable and thorough.
It should work reliably even with no or only partial data in cache.
Data received from the child (as always) is deemed more
authoritative than information received from the delegation parent.
The search for misconfigured data is not performed normally.
26 May 2010: Wouter
- Contribution from Migiel de Vos (Surfnet): nagios patch for
unbound-host, in contrib/ (in the source tarball). Makes
unbound-host suitable for monitoring dnssec(-chain) status.
21 May 2010: Wouter
- EDNS timeout code will not fire if EDNS status already known.
- EDNS failure not stored if EDNS status known to work.
19 May 2010: Wouter
- Fix resolution for domains like safesvc.com.cn. If the iterator
  can not recurse further and it finds the delegation in a state
  where it would otherwise have rejected it out of hand if so received
  from a cache lookup, then it can try to ask higher up (with loop
  protection).
- Fix comments in iter_utils:dp_is_useless.
18 May 2010: Wouter
- Fix various compiler warnings from the clang llvm compiler.
- iana portlist updated.
6 May 2010: Wouter
- Fix bug#308: spelling error in variable name in parser and lexer.
4 May 2010: Wouter
- Fix dnssec-missing detection that was turned off by server selection.
- Conforms to draft-ietf-dnsop-default-local-zones-13. Added default
reverse lookup blocks for IPv4 test nets 100.51.198.in-addr.arpa,
113.0.203.in-addr.arpa and Orchid prefix 0.1.1.0.0.2.ip6.arpa.
29 April 2010: Wouter
- Fix for dnssec lameness detection to use the key cache.
- infra cache entries that are expired are wiped clean. Previously
it was possible to not expire host data (if accessed often).
28 April 2010: Wouter
- ldns tarball updated and GOST support is detected and then enabled.
- iana portlist updated.
- Fix detection of gost support in ldns (reported by Chris Smith).
27 April 2010: Wouter
- unbound-control get_option domain-insecure shows config file items.
- fix retry sequence if prime hints are recursion-lame.
- autotrust anchor file can be initialized with a ZSK key as well.
- harden-referral-path does not result in failures due to max-depth.
  You can increase the max-depth by adding numbers (' 0') after the
  target-fetch-policy, this increases the depth that is checked.
26 April 2010: Wouter
- Compile fix using Sun Studio 12 compiler on Solaris 5.9, use
CPPFLAGS during configure process.
- if libev is installed on the base system (not libevent), detect
it from the event.h header file and link with -lev.
- configlexer.lex gets config.h, and configyyrename.h added by make,
no more double include.
- More strict scrubber (Thanks to George Barwood for the idea):
NS set must be pertinent to the query (qname subdomain nsname).
- Fix bug#307: In 0x20 backoff fix fallback so the number of
outstanding queries does not become -1 and block the request.
Fixed handling of recursion-lame in combination with 0x20 fallback.
Fix so RRsets are compared canonicalized and sorted if the immediate
comparison fails, this makes it work around round-robin sites.
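The stricter scrubber rule in the 26 April entry ("NS set must be pertinent to the query") is a bailiwick check: an NS RRset in a reply is only kept if its owner name is the query name or an ancestor of it, so a reply cannot plant a delegation for an unrelated zone. Below is an added example of that comparison, not Unbound's scrubber, operating on presentation-format names without escaped dots (the real scrubber works on wire-format labels). The function names and the sample reply are constructed for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Length of a name without its trailing root dot, so "com." and "com"
 * compare equal and "." has length 0. */
static size_t name_len(const char *n)
{
    size_t l = strlen(n);
    if (l > 0 && n[l - 1] == '.')
        l--;
    return l;
}

/* DNS names compare case-insensitively. */
static int ci_equal(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* 1 if qname equals nsname or lies below it. The match must end on a
 * label boundary, so "ample.com" is not an ancestor of "www.example.com". */
int name_is_subdomain(const char *qname, const char *nsname)
{
    size_t ql = name_len(qname), nl = name_len(nsname);
    if (nl == 0)
        return 1;                       /* root is an ancestor of everything */
    if (ql < nl)
        return 0;
    if (!ci_equal(qname + (ql - nl), nsname, nl))
        return 0;
    return ql == nl || qname[ql - nl - 1] == '.';
}

/* Scrubber decision for one NS RRset in a reply to qname:
 * keep (1) only if its owner is qname or an ancestor of qname, else drop (0). */
int scrub_keep_ns_rrset(const char *qname, const char *ns_owner)
{
    return name_is_subdomain(qname, ns_owner);
}

int main(void)
{
    const char *qname = "www.example.com.";
    /* Constructed reply: NS RRset owners seen in the authority section. */
    const char *owners[] = { "example.com.", "EXAMPLE.com.", "ample.com.", "attacker.test." };
    for (size_t i = 0; i < sizeof(owners) / sizeof(owners[0]); i++)
        printf("NS rrset owner %-16s -> %s\n", owners[i],
               scrub_keep_ns_rrset(qname, owners[i]) ? "keep" : "drop");
    return 0;
}
```

The label-boundary test is the part people get wrong: a plain suffix compare would accept "ample.com." as an ancestor of "www.example.com." and let an off-bailiwick NS set through.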
23 April 2010: Wouter
- Squelch log message: sendto failed permission denied for
255.255.255.255, it is visible in VERB_DETAIL (verbosity 2).
- Fix to fetch data as last resort more tenaciously. When cycle
targets cause the server selection to believe there are more options
when they really are not there, the server selection is reinitiated.
- Fix fetch from blacklisted dnssec lame servers as last resort. The
server's IP address is then given in validator errors as well.
- Fix local-zone type redirect that did not use the query name for
the answer rrset.
22 April 2010: Wouter
- tag 1.4.4.
- trunk contains 1.4.5 in development.
- Fix validation failure for qtype ANY caused by a RRSIG parse failure.
The validator error message was 'no signatures from ...'.