Hi,

Unbound 1.7.0rc2 maintainers prerelease is available:
https://www.unbound.net/downloads/unbound-1.7.0rc2.tar.gz
sha256 ed5e4529af6b1e70abaa8999935ec667db2a8b47ae479563b5f3b25b7a034eed
pgp https://www.unbound.net/downloads/unbound-1.7.0rc2.tar.gz.asc

It was updated from rc1 because the patch for fastrpz did not work for
some, there is a new patch in rc2.

Changes:
- Fixed contrib/fastrpz.patch, even though this already applied cleanly
  for me, now also for others.
- patch to log creates keytag queries, from A. Schulze.
- patch suggested by Debian lintian: allow to -> allow one to, from
  A. Schulze.
- Attempt to remove warning about trailing whitespace.

Best regards, Wouter

On 06/03/18 11:02, W.C.A. Wijngaards wrote:
> Hi,
>
> Unbound 1.7.0rc1 maintainers prerelease is available:
> https://www.unbound.net/downloads/unbound-1.7.0rc1.tar.gz
> sha256 eb9e57e44f7bb6e68879c8672c9a9b15273cece250d1ed85964b9620e736521a
> pgp https://www.unbound.net/downloads/unbound-1.7.0rc1.tar.gz.asc
>
> This release adds authority zones, for a local copy of the root zone,
> and also aggressive NSEC processing, for denial of nxdomain floods.
>
> Features
> - auth-zone provides a way to configure RFC7706 from unbound.conf,
>   eg. with auth-zone: name: "." for-downstream: no for-upstream: yes
>   fallback-enabled: yes and masters or a zonefile with data.
> - Aggressive use of NSEC implementation. Use cached NSEC records to
>   generate NXDOMAIN, NODATA and positive wildcard answers.
> - Accept tls-upstream in unbound.conf, the ssl-upstream keyword is
>   also recognized and means the same. Also for tls-port,
>   tls-service-key, tls-service-pem, stub-tls-upstream and
>   forward-tls-upstream.
> - [dnscrypt] introduce dnscrypt-provider-cert-rotated option,
>   from Manu Bretelle.
>   This option allows handling multiple cert/key pairs while only
>   distributing some of them.
>   In order to reliably match a client magic with a given key without
>   strong assumption as to how those were generated, we need both key and
>   cert. Likewise, in order to know which ES version should be used.
>   On the other hand, when rotating a cert, it can be desirable to only
>   serve the new cert but still be able to handle clients that are still
>   using the old cert's public key.
>   The `dnscrypt-provider-cert-rotated` allows one to instruct unbound to not
>   publish the cert as part of the DNS's provider_name's TXT answer.
> - Update B root ipv4 address.
> - make ip-transparent option work on OpenBSD.
> - Fix #2801: Install libunbound.pc.
> - ltrace.conf file for libunbound in contrib.
>
> Bug Fixes
> - Fix #1749: With harden-referral-path: performance drops, due to
>   circular dependency in NS and DS lookups.
> - [dnscrypt] prevent dnscrypt-secret-key, dnscrypt-provider-cert
>   duplicates
> - Better documentation for cache-max-negative-ttl.
> - Fixed libunbound manual typo.
> - Fix #1949: [dnscrypt] make provider name mismatch more obvious.
> - Fix #2031: Double included headers
> - Document that errno is left informative on libunbound config read
>   fail.
> - iana port update.
> - Fix #1913: ub_ctx_config is under circumstances thread-safe.
> - Fix #2362: TLS1.3/openssl-1.1.1 not working.
> - Fix #2034 - Autoconf and -flto.
> - Fix #2141 - for libsodium detect lack of entropy in chroot, print
>   a message and exit.
> - Fix #2492: Documentation libunbound.
> - Fix #2882: Unbound behaviour changes (wrong) when domain-insecure is
>   set for stub zone. It no longer searches for DNSSEC information.
> - Fix #3299 - forward CNAME daisy chain is not working
> - Fix link failure on OmniOS.
> - Check whether --with-libunbound-only is set when using --with-nettle
>   or --with-nss.
> - Fix qname-minimisation documentation (A QTYPE, not NS)
> - Fix that DS queries with referral replies are answered straight
>   away, without a repeat query picking the DS from cache.
>   The correct reply should have been an answer, the reply is fixed
>   by the scrubber to have the answer in the answer section.
> - Fix that expiration date checks don't fail with clang -O2.
> - Fix queries being leaked above stub when refetching glue.
> - Copy query and correctly set flags on REFUSED answers when cache
>   snooping is not allowed.
> - make depend: code dependencies updated in Makefile.
> - Fix #3397: Fix that cachedb could return a partial CNAME chain.
> - Fix #3397: Fix that when the cache contains an unsigned DNAME in
>   the middle of a cname chain, a result without the DNAME could
>   be returned.
> - Fix that unbound-checkconf -f flag works with auto-trust-anchor-file
>   for startup scripts to get the full pathname(s) of anchor file(s).
> - Print fatal errors about remote control setup before log init,
>   so that it is printed to console.
> - Use NSEC with longest ce to prove wildcard absence.
> - Only use *.ce to prove wildcard absence, no longer names.
> - Fix unfreed locks in log and arc4random at exit of unbound.
> - Fix lock race condition in dns cache dname synthesis.
> - Fix #3451: dnstap not building when you have a separate build dir.
>   And removed protoc warning, set dnstap.proto syntax to proto2.
> - Added tests with wildcard expanded NSEC records (CVE-2017-15105 test)
> - Unit test for auth zone https url download.
> - tls-cert-bundle option in unbound.conf enables TLS authentication.
> - Fixes for clang static analyzer, the missing ; in
>   edns-subnet/addrtree.c after the assert made clang analyzer
>   produce a failure to analyze it.
> - Fix #3505: Documentation for default local zones references
>   wrong RFC.
> - Fix #3494: local-zone noview can be used to break out of the view
>   to the global local zone contents, for queries for that zone.
> - Fix for more maintainable code in localzone.
> - more robust cachedump rrset routine.
> - Save wildcard RRset from answer with original owner for use in
>   aggressive NSEC.
> - Fixup contrib/fastrpz.patch so that it applies.
> - Fix compile without threads, and remove unused variable.
> - Fix compile with staticexe and python module.
> - Fix nettle compile.
> - Fix to check define of DSA for when openssl is without deprecated.
> - iana port update.
> - Fix #3582: Squelch address already in use log when reuseaddr option
>   causes same port to be used twice for tcp connections.
> - Reverted fix for #3512, this may not be the best way forward;
>   although it could be changed at a later time, to stay similar to
>   other implementations.
> - Fix for windows compile.
>
> Best regards, Wouter