Hi,

Unbound 1.4.2 is released, get it here:
http://www.unbound.net/downloads/unbound-1.4.2.tar.gz
SHA1 checksum: bad6b453924c853b177234890522a05904b2e5f9
SHA256 9b2821eeb9fee3145ac04c7dc648ea1ae7d9a600de6b0a1ffacebe7643b913e1

Most significant is a number of bugfixes. As well as the fix that lowers the query-pattern in case of DNSSEC bogus zones. See also
http://unbound.net/pipermail/unbound-users/2010-February/001031.html

Features
* unbound-control list_stubs, list_forwards, list_local_zones, list_local_data, log_reopen, set_option and get_option.
* libunbound ub_ctx_get_option() added.
* --enable-checking: enables assertions but does not look nonproduction.
* nicer VERB_DETAIL (verbosity 2, unbound-host -d) output, with nxdomain and nodata distinguished.
* prefetch-key option that performs DNSKEY queries earlier in the validation process, and that could halve the latency on DNSSEC queries. It takes some extra processing (CPU, a cache is needed).
* prefetch option that prefetches popular queries before they expire.
* change unbound-control-setup from 1024(sha1) to 1536(sha256).

Bug Fixes
* Re-query pattern changed on validation failure. To protect troubled authority servers, unbound caches a failure for the DNSKEY or DS records for the entire zone, and only retries that 900 seconds later. This implies that only a handful of packets are sent extra to the authority if the zone fails. We made the choice to send out more conservatively, protecting against an aggregate effect more than protecting a single user (from their own folly, perhaps in case of misconfig).
* Fix crash in control channel code.
* iana portlist updated.
* make install depends on make all.
* Fix 5011 auto-trust-anchor-file initial read to skip RRSIGs.
* ldns tarball updated: long label length syntax error fix, libdl compile fix.
* --disable-rpath fixed for libtool not found errors.
* Fixup prototype for lexer cleanup in daemon code.
* Fix scrubber bug that potentially let NS records through. Reported by Amanda Constant.
* Also delete potential poison references from additional.
* Fix: no classification of a forwarder as lame, throwaway instead.
* More strict DS scrubbing.
* No more blacklisting of unresponsive servers, a 2 minute timeout is backed off to.
* RD flag not enabled for dnssec-blacklisted tries, unless necessary.
* log 'tcp connect: connection timed out' only in high verbosity.
* Disregard DNSKEY from authority section for chain of trust. DS records that are irrelevant to a referral scrubbed. Anti-poison.
* Check for 'no space left on device' (or other errors) when writing updated autotrust anchors and print errno to log.
* Fixup in compat snprintf routine, %f 1.02 and %g support.
* include math.h for testbound test compile portability.
* Updated url of IANA itar, interim trust anchor repository, in script.
* configure test for memcmp portability.
* removed warning on format string in validator error log statement.
* libtool finish the install of unbound python dynamic library.
* Fixup lookup trouble for parent-child domains on the first query.
* Fixup ldns detection to also check for header files.
* Fix unbound-checkconf for auto-trust-anchor-file present checks.
* Fix for parent-child disagreement code which could have trouble when (a) ipv6 was disabled and (b) the TTL for parent and child were different. There were two bugs, the parent-side information is fixed to no longer block lookup of child side information and the iterator is fixed to no longer attempt to get ipv6 when it is not enabled and then give up in failure.
* Fixup python documentation (thanks Leo Vandewoestijne).
* [bugzilla: 291] DNS wireformat max is 255. dname_valid allowed 256 length.
* verbose output includes parent-side-address notion for lameness.
* documented val-log-level: 2 setting in example.conf and man page.

Best regards,
Wouter
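
An added example, not part of the original announcement and not Unbound's code: a minimal check for the limit behind the bugzilla 291 item above (a wire-format name is at most 255 octets in total, each label at most 63). `wire_name_len` and `build_name` are hypothetical helpers, and the sample names are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNAME_MAX_WIRE 255 /* RFC 1035: whole name, length octets and root included */
#define LABEL_MAX 63       /* RFC 1035: a single label */

/* Hypothetical helper (not Unbound's dname_valid): returns the wire length of
 * the uncompressed name at buf, or 0 if it is malformed, truncated, or longer
 * than 255 octets. */
size_t wire_name_len(const uint8_t *buf, size_t buflen)
{
    size_t pos = 0;
    for (;;) {
        if (pos >= buflen)
            return 0;               /* no root label before end of buffer */
        uint8_t lab = buf[pos];
        if (lab & 0xC0)
            return 0;               /* compression pointer or label > 63 */
        if (pos + 1 + (size_t)lab > DNAME_MAX_WIRE)
            return 0;               /* total must stay within 255, not 256 */
        pos += 1;
        if (lab == 0)
            return pos;             /* root label terminates the name */
        if (lab > buflen - pos)
            return 0;               /* label data runs past the buffer */
        pos += lab;
    }
}

/* Constructed sample: three 63-octet labels, one of last_len octets, root. */
size_t build_name(uint8_t *out, uint8_t last_len)
{
    size_t pos = 0;
    for (int i = 0; i < 4; i++) {
        uint8_t len = (i < 3) ? LABEL_MAX : last_len;
        out[pos++] = len;
        memset(out + pos, 'a', len);
        pos += len;
    }
    out[pos++] = 0;
    return pos;
}

int main(void)
{
    uint8_t buf[260];
    size_t n = build_name(buf, 61);   /* 255 octets on the wire: accepted */
    printf("%zu octets -> %zu\n", n, wire_name_len(buf, n));
    n = build_name(buf, 62);          /* 256 octets on the wire: rejected */
    printf("%zu octets -> %zu\n", n, wire_name_len(buf, n));
    return 0;
}
```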
