W.C.A. Wijngaards
2015-02-12 13:54:24 UTC
Hi,
Unbound 1.5.2rc1 release candidate 1 is available:
http://www.unbound.net/downloads/unbound-1.5.2rc1.tar.gz
sha1 ab2ec77e7abafda40151c4255a527e6fb8bbc47e
sha256 6c4b51cae92a088567eb243c00cee2b7841922f39482fdf8df41981993bf3f6f
http://www.unbound.net/downloads/unbound-1.5.2rc1.zip
This release fixes a DNSSEC validation issue when an upstream server
with different trust anchors introduces unsigned records in messages.
Harden-glue when turned off allows potentially poisonous records in
the cache in the hopes of that enabling DNS resolution for 'impossible
to resolve' domains, it is fixed to have 'less cache poisoning',
quotes added because it is by definition not secure to turn off
harden-glue. New features are that "inform" can be used to see which
IPs lookup a domain, and unbound-control can use named unix pipes.
Features
- - local-zone: example.com inform makes unbound log a message with
client IP for queries in that zone. Eg. for finding infected hosts.
- - patch from Stephane Lapie that adds to the python API, that
exposes struct delegpt, and adds the find_delegation function.
- - Updated contrib warmup.cmd/sh to support two modes - load from
pre-defined list of domains or (with filename as argument) load from
user-specified list of domains, and updated contrib
unbound_cache.sh/cmd to support loading/save/reload cache to/from
default path or (with secondary argument) arbitrary path/filename,
from Yuri Voinov.
- - patch for remote control over local sockets, from Dag-Erling
Smorgrav, Ilya Bakulin. Use control-interface: /path/sock and
control-use-cert: no.
- - unbound-checkconf -f prints chroot with pidfile path.
- - infra-cache-min-rtt patch from Florian Riehm, for expected long
uplink roundtrip times.
Bug Fixes
- - config.guess and config.sub update from libtoolize.
- - getauxval test for ppc64 linux compatibility.
- - make strip works for unbound-host and unbound-anchor.
- - print query name when max target count is exceeded.
- - patch from Stuart Henderson that fixes DESTDIR in
unbound-control-setup for installs where config is not in the prefix
location.
- - [bugzilla: 634 ] Fix #634: fix fail to start on Linux LTS 3.14.X,
ignores missing IP_MTU_DISCOVER OMIT option (fix from Remi Gacogne).
- - Patch from Philip Paeps to contrib/unbound_munin_ that uses type
ABSOLUTE. Allows munin.conf: [idleserver.example.net]
unbound_munin_hits.graph_period minute
- - Fix pyunbound ord call, portable for python 2 and 3.
- - Fix unintended use of gcc extension for incomplete enum types,
compile with pedantic c99 compliance (from Daniel Dickman).
- - Fix pyunbound byte string representation for python3.
- - Fix 0x20 capsforid fallback to omit gratuitous NS and additional
section changes.
- - Fix validation failure in case upstream forwarder (ISC BIND) does
not have the same trust anchors and decides to insert unsigned NS
record in authority section.
- - Fix scrubber with harden-glue turned off to reject NS (and other
not-address) records.
- - iana portlist update.
Best regards,
Wouter
Unbound 1.5.2rc1 release candidate 1 is available:
http://www.unbound.net/downloads/unbound-1.5.2rc1.tar.gz
sha1 ab2ec77e7abafda40151c4255a527e6fb8bbc47e
sha256 6c4b51cae92a088567eb243c00cee2b7841922f39482fdf8df41981993bf3f6f
http://www.unbound.net/downloads/unbound-1.5.2rc1.zip
This release fixes a DNSSEC validation issue when an upstream server
with different trust anchors introduces unsigned records in messages.
Harden-glue when turned off allows potentially poisonous records in
the cache in the hopes of that enabling DNS resolution for 'impossible
to resolve' domains, it is fixed to have 'less cache poisoning',
quotes added because it is by definition not secure to turn off
harden-glue. New features are that "inform" can be used to see which
IPs lookup a domain, and unbound-control can use named unix pipes.
Features
- - local-zone: example.com inform makes unbound log a message with
client IP for queries in that zone. Eg. for finding infected hosts.
- - patch from Stephane Lapie that adds to the python API, that
exposes struct delegpt, and adds the find_delegation function.
- - Updated contrib warmup.cmd/sh to support two modes - load from
pre-defined list of domains or (with filename as argument) load from
user-specified list of domains, and updated contrib
unbound_cache.sh/cmd to support loading/save/reload cache to/from
default path or (with secondary argument) arbitrary path/filename,
from Yuri Voinov.
- - patch for remote control over local sockets, from Dag-Erling
Smorgrav, Ilya Bakulin. Use control-interface: /path/sock and
control-use-cert: no.
- - unbound-checkconf -f prints chroot with pidfile path.
- - infra-cache-min-rtt patch from Florian Riehm, for expected long
uplink roundtrip times.
Bug Fixes
- - config.guess and config.sub update from libtoolize.
- - getauxval test for ppc64 linux compatibility.
- - make strip works for unbound-host and unbound-anchor.
- - print query name when max target count is exceeded.
- - patch from Stuart Henderson that fixes DESTDIR in
unbound-control-setup for installs where config is not in the prefix
location.
- - [bugzilla: 634 ] Fix #634: fix fail to start on Linux LTS 3.14.X,
ignores missing IP_MTU_DISCOVER OMIT option (fix from Remi Gacogne).
- - Patch from Philip Paeps to contrib/unbound_munin_ that uses type
ABSOLUTE. Allows munin.conf: [idleserver.example.net]
unbound_munin_hits.graph_period minute
- - Fix pyunbound ord call, portable for python 2 and 3.
- - Fix unintended use of gcc extension for incomplete enum types,
compile with pedantic c99 compliance (from Daniel Dickman).
- - Fix pyunbound byte string representation for python3.
- - Fix 0x20 capsforid fallback to omit gratuitous NS and additional
section changes.
- - Fix validation failure in case upstream forwarder (ISC BIND) does
not have the same trust anchors and decides to insert unsigned NS
record in authority section.
- - Fix scrubber with harden-glue turned off to reject NS (and other
not-address) records.
- - iana portlist update.
Best regards,
Wouter