Hi,

The version 1.1.0 of unbound is released. Get it here:
http://unbound.net/downloads/unbound-1.1.0.tar.gz
sha1 is fb7a4421c64812d3acfa48409360ec232197a2f9
sha256 b98421c97089dfcf7d7798d7148886c0a8672476dc44dd2b43d62ba5e3be27b5

On the website, additional HowTos are available:
http://unbound.net/documentation/howto_setup.html
http://unbound.net/documentation/howto_optimise.html
http://unbound.net/documentation/howto_statistics.html

The long feature list is below. The big features are:
DLV
'rndc' remote control
load-store cache contents
experimental full forgery resistance
extended statistics (nice pictures on the howto).
RSASHA256 and RSASHA512 support.
DNS rebinding attack blocking.
And bug fixes.

Features
* DLV support
* contrib update-anchor.sh neatly updates keys for DLV or root or others and only restarts the nameserver when keys have changed. Exits 0 when a restart is needed, other values if not. So,
    update-anchor.sh -d mydir && /etc/rc.d/unbound restart
  can restart unbound exactly when needed. Use -b for BIND mode.
* Negative caching for NSEC, NSEC3 for DLV lookups, as well as for securely insecure delegations.
* Filter out overreaching NSEC records
* /dev/log (syslog) opened before chroot
* use setresuid/setresgid, more secure.
* logfile message classification as notice, info, debug.
* harden-referral-path option implements draft-wijngaards-dnsext-resolver-side-mitigation-00, protects against many Kaminsky variations. Default is off, because of the added load it generates, and experimental status.
* disallow nonrecursive queries for cache snooping by default. You can allow it using access-control: subnet allow_snoop. The defaults do allow access to authoritative data without the RD bit.
* DoS resistance implementation. Half of queries run to completion. The other half are a LIFO where old entries are overwritten if 200 msec old.
* Block DNS rebinding attacks.
  This disallows domains from the public internet from pretending to have internet addresses in your own netblock. Use the private-address and private-domain statements (see the unbound.conf(5) man page for details). We may consider turning this on by default for rfc1918 (local subnet) addresses.
* remote control feature, unbound-control. Remotely (using SSL) stop, change redirections, flush cache, load cache, store cache, or get statistics.
* extended statistics (off by default). Put Howto documentation on website.
* munin example plugin to draw statistics added to contrib
* hosts that drop EDNS packets are detected, eventually.
* fixed detection of recursion servers deployed as authoritative, so that as a last resort, a +RD query is sent there to get the correct answer.
* RSASHA256 and RSASHA512 support, using experimental protocol numbers from draft.
* stubs work much more intuitively, but can be configured for old and new behaviour with the new option stub-prime. This makes stubs on localhost on a different port number work.
* dns-0x20 fallback code implemented
* IPv4 and IPv6 PTR shorthand local-data-ptr: "1.2.3.4 www.ex.com"
* code refactored for domain, address tree lookups.
* unbound-control-setup.sh script to set up (self-signed) certificates.
* spoof near-miss indicator: when extended statistics are enabled, unbound-control stats prints out the unwanted_replies count.
* if server selection is faced with only bad choices, it will attempt to get more options to be fetched.
* changed bogus-ttl default value from 900 to 60 seconds, in anticipation that operator-caused failures are more likely than actual attacks at this time, and thus repeated validation helps the operators get the problem fixed sooner. It makes validation failures go away sooner (60 seconds after the zone is fixed).
  Also it is likely to try different nameserver targets every minute, so that if a zone is bad on one server but not another, it is likely to pick up the 'correct' one after a couple of minutes, and if the TTL is big enough that solves validation for the zone.
* do not query bogus nameservers. It is as if nameservers that have the NS or A or AAAA record bogus are listed as donotquery.
* CFLAGS are picked up by configure from the environment.
* silenced EHOSTDOWN; verbosity 2 and higher show it.
* configure check for ldns version 1.4.0 or later

Bug Fixes
* Fixed rrset security update overwriting rfc2181 trust status. This makes data validated to be insecure just as worthless as nonvalidated data, and 2181 rules prevent cache overwrites to them.
* [bugzilla: 217] Fixed setreuid on MacOSX 10.4
* Fixed so make realclean works better, by Robert Edmonds
* [bugzilla: 208] extra rc.d unbound flexibility for freebsd/nanobsd.
* [bugzilla: 203] nicer do-auto log message when user sets incompatible options. DLV implemented.
* [bugzilla: 204] variable name ameliorated in log.c.
* [bugzilla: 206] in iana_update, no egrep, but awk use.
* [bugzilla: 199] fixed, pidfile can be outside chroot. openlog is done before chroot and drop permissions. logfile is created with correct permissions again. Some errors are not written to logfile (pidfile writing, forking), and these are only visible by using the -d commandline flag.
* Fix update-anchor.sh to work both in BSD shell and bash.
* Fix so unsigned additionals are not marked bogus; they are left unchecked, since signatures may have fallen off due to message size. Unchecked items are removed from the additional section just like bogus ones are for that message. Defers validation for those rrsets.
* Fix assertion fail on bogus key handling
* Fix so dnssec lameness detection works on first query at trust apex.
* Fix compilation without pthreads on linux.
* builtin iana assigned portlist updated
* ldns snapshot inside source tarball updated to 1.4.0
* Fix NSEC_AT_APEX classification for short typemaps.
* Fix nonblocking and timeouts on TCP sockets
* Fix for multiple simultaneous timeout back offs. Could cause trouble for forwarders
* Fix SHA256 DS downgrade, no longer possible to downgrade to SHA1.
* Fix negative TTL values appearing (reported by Attila Nagy)
* detect if libssl needs libdl. For static linking with libssl.
* Fix build process for Mac OSX linker
* Fix possible memory leak in key_entry_key deletion. Would leak a couple of bytes when trust anchors were replaced.
* DNAMEs used from cache have their synthesized CNAMEs initialized properly.
* Fix file descriptor leak for localzone type deny (for TCP).
* Fix memleak for the keyword 'nodefault' when reading config. Would leak bytes per reload command received.
* Fix listen to closed fd, would log a message with "bad file descriptor"
* Fix for problem reported on mailing list: if a delegation point has no A but only AAAA and do-ip6 is no, resolution would fail. Fixed to ask for the A and AAAA records. It has to ask for both always, so that it can fail quietly, from TLD perspective, when a zone is only reachable on one transport.

Best regards,
Wouter
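An added unbound.conf fragment, constructed here and not part of the announcement above, that wires together the 1.1.0 hardening options it mentions: the allow_snoop access-control for cache snooping, the private-address/private-domain rebinding filter, the new bogus-ttl default, local-data-ptr, harden-referral-path, extended statistics and the unbound-control remote-control section. The subnets, the 10.0.0.53 monitoring host, the corp.example domain and the fileserver address are placeholders.

```conf
# Constructed example unbound.conf fragment for unbound 1.1.0.
# All subnets, hosts and domain names below are placeholders.
server:
    # Non-recursive (RD=0) queries are refused by default in 1.1.0 to stop
    # cache snooping. Only the monitoring host gets allow_snoop; the rest of
    # the LAN gets plain allow, and everything else is refused.
    access-control: 127.0.0.0/8 allow
    access-control: 10.0.0.0/8 allow
    access-control: 10.0.0.53/32 allow_snoop
    access-control: 0.0.0.0/0 refuse

    # DNS rebinding: upstream answers that map a public-internet name to an
    # address in these netblocks are dropped ...
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    # ... except for names under the internal zone that legitimately
    # resolves to RFC 1918 space.
    private-domain: "corp.example"

    # 1.1.0 PTR shorthand: generates the reverse (PTR) record for 10.0.0.5.
    local-data-ptr: "10.0.0.5 fileserver.corp.example"

    # New 1.1.0 default, written out explicitly: bogus data is retried
    # after 60 seconds instead of 900.
    bogus-ttl: 60

    # Resolver-side Kaminsky mitigation; off by default (extra load,
    # experimental status).
    harden-referral-path: no

    # Extra counters, including the unwanted_replies spoof near-miss
    # indicator shown by 'unbound-control stats'.
    extended-statistics: yes

remote-control:
    # unbound-control over SSL, using the certificates generated by
    # unbound-control-setup.sh; keep the control socket on loopback.
    control-enable: yes
    control-interface: 127.0.0.1
```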