-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi,
Unbound 1.4.11 is released, bugfixes and small features. http://unbound.net/downloads/unbound-1.4.11.tar.gz sha1: 3dbd7854b05b1e48fcc088be50e4c7aafc8d7306 sha256: 19e44dd7a737de678456885483002c6cd84147d334c7323cb3674d2012c82b4b It has small and happy changes: querylog option, ignore-cdflag for support of (win) legacy servers, lto optimization for speedup, - --enable-allsymbols to have smaller install size. The control port number has been registered with IANA. The unbound-control sends a version number in its header, so its protocol has changed and you need to update unbound(server) and unbound-control(client). This version of unbound does DNSSEC validation also for queries received with CD flag (from downstream validators). It returns the answer regardless (it continues to support CD flag). But the DNSSEC validation protects its cache from bogus data with failover to other authority servers; this means that a downstream validator is more likely to find 'good' data here. Features * log-queries: yesno option, default is no, prints querylog. * ignore-cd-flag: yesno to provide dnssec to legacy servers. * Use -flto compiler flag for link time optimization, if supported. * unbound-control has version number in the header, and uses port number registered with IANA, 8953. Bug Fixes * Fix Makefile for U in environment, since wrong U is more common than deansification necessity. * defense in depth against the assertion failure bug fixed in 1.4.10, an error is printed to log instead of an assertion failure. * [bugzilla: 386 ] --enable-allsymbols option links all binaries to libunbound and reduces install size significantly. * Fix TTL of SOA so negative TTL is separately cached from normal TTL. * configure created with newer autoconf 2.66. * [bugzilla: 378 ] Fix that configure checks for ldns_get_random presence. * queries with CD flag set cause DNSSEC validation, but the answer is not withheld if it is bogus. Thus, unbound will retry if it is bad and curb the TTL if it is bad, thus protecting the cache for use by downstream validators. * val-override-date: -1 ignores dates entirely, for NTP usage. * harden-below-nxdomain: changed so that it activates when the cached nxdomain is dnssec secure. This avoids backwards incompatibility because those old servers do not have dnssec. * statistics-interval prints the number of jostled queries to log. * IPv6 service address for d.root-servers.net (2001:500:2D::D). * updated ldns tarball to 1.6.10rc2 snapshot * iana portlist updated. Best regards, Wouter -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iQIcBAEBAgAGBQJODDcwAAoJEJ9vHC1+BF+NL3cP/03yFkiE5vdIWdIWQjvcoESV S9nPWyEut55CXl+obeT2V77XMYew/6JrCN/sW3KZncpi8SdSXtkfC+Ayfk5X4gc/ 7GbcZ8HJzFc3G+VmeU/YZ5hFTZWx/VwY+8nfE9VMhD0rcWqLa0JVqz6Am7a0aO5U tRMV2uLfO/TjIeh1lJXkEv0BUNjoBf0e60NdvIQJAPaJ2yXYIwJAbojB6v6aC+Hk 4VVRzGvJ13kMK+2nflG3Orgks9pScBavdG3rwFY/cUU5eQHi23O37TMIDzyDtX1B 7RFKCo0qC4DbYk/AfRxumNdppZI7gq5rVwrUMGmiHcL6XGfR88HZ4QOcLWOO2mx3 UwcdhVtyA3RP2cJZDmKEONT0550WbUx1kGlvKf89vnvSyctnuHywgkauwTnYiGos +ZzvSNfm2gtve9KOBYYX1GOwv2zEG8dpah9CMRRd9N5bWf2ZGrm8S0pV6YBXyWxr LXxCO/rA8sp44XguwcZF7Wl5iIMBwngGR+mC55oVypOQkv1FxoogodNLY1b6g0zz Ua+caWF1RzguuII0jq3kbpDoW88oVs0xpLFT561FYfA9nxu+CBE1h83z4Pd2PjWR 0pv1xIVhxssAkCSr1xE9YXi/ioDN2P9a0fDnn1rybJvqdJW9zMAPTbX7BSU9Jtyb hEXLDsosZT8EQZZ0Wrem =XMsS -----END PGP SIGNATURE----- _______________________________________________ Unbound-users mailing list [email protected] http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
