Hi, Unbound 1.6.4 is available: https://unbound.net/downloads/unbound-1.6.4.tar.gz sha256 df0a88816ec31ccb8284c9eb132e1166fbf6d9cde71fbc4b8cd08a91ee777fed pgp https://unbound.net/downloads/unbound-1.6.4.tar.gz.asc
This release contains key tag signaling RFC8145 support. B root is renumbered in the default root hints. The dnscrypt code supports the chacha cipher. The Unbound DNSSEC validator supports the ED25519 algorithm. The redirect-bogus patch in contrib can send validation failure users to a landing page. Source tarball, pgp signatures and windows binaries available here: https://www.unbound.net/download.html Features: - Implemented trust anchor signaling using key tag query. - unbound-checkconf -o allows query of dnstap config variables. Also unbound-control get_option. Also for dnscrypt. - unbound.h exports the shm stats structures. They use type long long and no ifdefs, and ub_ before the typenames. - Implemented opportunistic IPsec support module (ipsecmod). - Added redirect-bogus.patch to contrib directory. - Support for the ED25519 algorithm with openssl (from openssl 1.1.1). - renumbering B-Root's IPv6 address to 2001:500:200::b. - Fix #1276: [dnscrypt] add XChaCha20-Poly1305 cipher. - Fix #1277: disable domain ratelimit by setting value to 0. - Added fastrpz patch to contrib Bug Fixes: - Added ECS unit test (from Manu Bretelle). - ECS documentation fix (from Manu Bretelle). - Fix #1252: more indentation inconsistencies. - Fix #1253: unused variable in edns-subnet/addrtree.c:getbit(). - Fix #1254: clarify ratelimit-{for,below}-domain (from Manu Bretelle). - iana portlist update - Based on #1257: check parse limit before t increment in sldns RR string parse routine. - Fix #1258: Windows 10 X64 unbound 1.6.2 service will not start. and fix that 64bit getting installed in C:\Program Files (x86). - Fix #1259: "--disable-ecdsa" argument overwritten by "#ifdef SHA256_DIGEST_LENGTH@daemon/remote.c". - iana portlist update - Added test for leak of stub information. - Fix sldns wire2str printout of RR type CAA tags. - Fix sldns int16_data parse. - Fix sldns parse and printout of TSIG RRs. - sldns SMIMEA and AVC definitions, same as getdns definitions. - Fix tcp-mss failure printout text. - Set SO_REUSEADDR on outgoing tcp connections to fix the bind before connect limited tcp connections. With the option tcp connections can share the same source port (for different destinations). - Add 'c' to getopt() in testbound. - Adjust servfail by iterator to not store in cache when serve-expired is enabled, to avoid overwriting useful information there. - Fix queries for nameservers under a stub leaking to the internet. - document trust-anchor-signaling in example config file. - updated configure, dependencies and flex output. - better module memory lookup, fix of unbound-control shm names for module memory printout of statistics. - Fix type AVC sldns rrdef. - Some whitespace fixup. - Fix #1265: contrib/unbound.service contains hardcoded path. - Fix #1265 to use /bin/kill. - Fix #1267: Libunbound validator/val_secalgo.c uses obsolete APIs, and compatibility with BoringSSL. - Fix #1268: SIGSEGV after log_reopen. - exec_prefix is by default equal to prefix. - printout localzone for duplicate local-zone warnings. - Fix assertion for low buffer size and big edns payload when worker overrides udpsize. - Support for openssl EVP_DigestVerify. - Fix #1269: inconsistent use of built-in local zones with views. - Add defaults for new local-zone trees added to views using unbound-control. - Fix #1273: cachedb.c doesn't compile with -Wextra. - If MSG_FASTOPEN gives EPIPE fallthrough to try normal tcp write. - Also use global local-zones when there is a matching view that does not have any local-zone specified. - Fix fastopen EPIPE fallthrough to perform connect. - Fix #1274: automatically trim chroot path from dnscrypt key/cert paths (from Manu Bretelle). - Fix #1275: cached data in cachedb is never used. - Fix that unbound-control can set val_clean_additional and val_permissive_mode. - Add dnscrypt XChaCha20 tests. - Detect chacha for dnscrypt at configure time. - dnscrypt unit tests with chacha. - Added domain name based ECS whitelist. - Fix #1278: Incomplete wildcard proof. - Fix #1279: Memory leak on reload when python module is enabled. - Fix #1280: Unbound fails assert when response from authoritative contains malformed qname. When 0x20 caps-for-id is enabled, when assertions are not enabled the malformed qname is handled correctly. - More fixes in depth for buffer checks in 0x20 qname checks. - Fix stub zone queries leaking to the internet for harden-referral-path ns checks. - Fix query for refetch_glue of stub leaking to internet. - Fix #1301: memory leak in respip and tests. - Free callback in edns-subnetmod on exit and restart. - Fix memory leak in sldns_buffer_new_frm_data. - Fix memory leak in dnscrypt config read. - Fix dnscrypt chacha cert support ifdefs. - Fix dnscrypt chacha cert unit test escapes in grep. - Fix to unlock view in view test. - Fix warning in pythonmod under clang compiler. - Fix lintian typo. - Fix #1316: heap read buffer overflow in parse_edns_options. Best regards, Wouter
signature.asc
Description: OpenPGP digital signature
