Unbound 1.7.1 release

W.C.A. Wijngaards wouter at nlnetlabs.nl
Thu May 3 09:39:22 UTC 2018


Hi,

Unbound 1.7.1 is available for download:
https://www.unbound.net/downloads/unbound-1.7.1.tar.gz
sha256 56e085ef582c5372a20207de179d0edb4e541e59f87be7d4ee1d00d12008628d
pgp https://www.unbound.net/downloads/unbound-1.7.1.tar.gz.asc

Note: The NLnet Labs website has been updated, and now integrates
Unbound and the release can be viewed there as well:
https://nlnetlabs.nl/projects/unbound/
https://nlnetlabs.nl/downloads/unbound/unbound-1.7.1.tar.gz
In the future we plan to redirect the old website to the new one.


This release has root key sentinel support, default on, from draft
draft-ietf-dnsop-kskroll-sentinel.  The root key sentinel helps the root
key rollover process by providing insight into the distribution of the
key material over the resolver population.  For that, the resolver gives
responses indicating which keys are in use by the resolver.

Crypto support for ED448 has been added.  ED25519 was already supported
in a previous release.  The crypto algorithm code is default turned on
if support is detected at configure time.  The openssl 1.1.1 beta
versions have ED448, and also ED25519 support.

For DNS over TLS, the tcp length is sent in the same packet as the tcp
content, for the TLS connections, providing a speed up.  Also TLS
authentication can be enabled by specifying the TLS auth name in
unbound.conf.  An example config for large public cloud dns over tls
resolvers is this.
server:
  tls-cert-bundle: "ca-bundle.pem"
forward-zone:
  name: "."
  forward-addr: "9.9.9.9#dns.quad9.net"
  forward-addr: "1.1.1.1#cloudflare-dns.com"
  forward-tls-upstream: yes

It is possible to have unbound as a TLS server serve TLS on different
ports, with additional-tls-port.  Use this to set up dns over tls
service on both ports 853 and 443.

For fast server selection, there are new options low-rtt and
low-rtt-pct.  For example set low-rtt-pct: 900 to enable it.
These options are experimental at this time.  We are interested in
user experiences, and are intending to look at the expressiveness that
is desired for ease of use and applicability. Also, the "pct" part of
low-rtt-pct is technically the wrong term and we intend to replace it
with "promille" (likely in a future release, together with user
experience feedback changes).

There is hiredis support for the cachedb module.

Monitoring of the new agrressive NSEC and auth zone root local copy
features is possible with statistics counters for agressive NSEC and for
auth zone usage.  Auth zone supports incoming NOTIFYs, from masters and
from allow-notify hosts.  Auth zones can be listed from unbound-control
with their SOA serial number.

Unbound-control set_option and get_option needed different ':'
placement, the current release allows with and without ':' syntax.


Features
- Add --with-libhiredis, unbound support for a new cachedb
  backend that uses a Redis server as the storage.  This
  implementation depends on the hiredis client library
  (https://redislabs.com/lp/hiredis/).
  And unbound should be built with both --enable-cachedb and
  --with-libhiredis[=PATH] (where $PATH/include/hiredis/hiredis.h
  should exist).  Patch from Jinmei Tatuya (Infoblox).
- Create additional tls service interfaces by opening them on other
  portnumbers and listing the portnumbers as additional-tls-port: nr.
- ED448 support.
- num.query.authzone.up and num.query.authzone.down statistics counters.
- Accept both option names with and without colon for get_option
  and set_option.
- low-rtt and low-rtt-pct in unbound.conf enable the server selection
  of fast servers for some percentage of the time.
- num.query.aggressive.NOERROR and num.query.aggressive.NXDOMAIN
  statistics counters.
- allow-notify: config statement for auth-zones.
- Can set tls authentication with forward-addr: IP#tls.auth.name
  And put the public cert bundle in tls-cert-bundle: "ca-bundle.pem".
  such as forward-addr: 9.9.9.9 at 853#dns.quad9.net or
  1.1.1.1 at 853#cloudflare-dns.com
- list_auth_zones unbound-control command.
- Added root-key-sentinel support

Bug Fixes
- Fix #3727: Protocol name is TLS, options have been renamed but
  documentation is not consistent.
- Check IXFR start serial.
- Fix typo in documentation.
- Fix #3736: Fix 0 TTL domains stuck on SERVFAIL unless manually
  flushed with serve-expired on.
- Fix #3817: core dump happens in libunbound delete, when queued
  servfail hits deleted message queue.
- corrected a minor typo in the changelog.
- move htobe64/be64toh portability code to cachedb.c.
- iana port update.
- Do not use cached NSEC records to generate negative answers for
  domains under DNSSEC Negative Trust Anchors.
- Fix unbound-control get_option aggressive-nsec
- Check "result" in dup_all(), by Florian Obser.
- Fix #4043: make test fails due to v6 presentation issue in macOS.
- Fix unable to resolve after new WLAN connection, due to auth-zone
  failing with a forwarder set.  Now, auth-zone is only used for
  answers (not referrals) when a forwarder is set.
- Combine write of tcp length and tcp query for dns over tls.
- nitpick fixes in example.conf.
- Fix above stub queries for type NS and useless delegation point.
- Fix unbound-control over pipe with openssl 1.1.1, the TLSv1.3
  tls_choose_sigalg routine does not allow the ciphers for the pipe,
  so use TLSv1.2.
- Fix that flush_zone sets prefetch ttl expired, so that with
  serve-expired enabled it'll start prefetching those entries.
- Fix downstream auth zone, only fallback when auth zone fails to
  answer and fallback is enabled.
- Fix for max include depth for authzones.
- Fix memory free on fail for $INCLUDE in authzone.
- Fix that an internal error to look up the wrong rr type for
  auth zone gets stopped, before trying to send there.
- Fix auth zone target lookup iterator.
- Fix auth-zone retry timer to be on schedule with retry timeout,
  with backoff.  Also time a refresh at the zone expiry.
- Fix #658: unbound using TLS in a forwarding configuration does not
  verify the server's certificate (RFC 8310 support).
- For addr with #authname and no @port notation, the default is 853.
- man page documentation for dns-over-tls forward-addr '#' notation.
- removed free from failed parse case.
- Fix #4091: Fix that reload of auth-zone does not merge the zonefile
  with the previous contents.
- Delete auth zone when removed from config.
- makedist uses bz2 for expat code, instead of tar.gz.
- Fix #4092: libunbound: use-caps-for-id lacks colon in
  config_set_option.
- auth zone http download stores exact copy of downloaded file,
  including comments in the file.
- Fix sldns parse failure for CDS alternate delete syntax empty hex.
- Attempt for auth zone fix; add of callback in mesh gets from
  callback does not skip callback of result.
- Fix cname classification with qname minimisation enabled.
- Fix contrib/fastrpz.patch for this release.
- Fix auth https for libev.
- Fix memory leak when caching wildcard records for aggressive NSEC use
- Fix for crash in daemon_cleanup with dnstap during reload,
  from Saksham Manchanda.
- Also that for dnscrypt.

Best regards, Wouter

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.nlnetlabs.nl/pipermail/unbound-users/attachments/20180503/4432b825/attachment.bin>


More information about the Unbound-users mailing list