Unbound Downloads
The latest version of unbound (currently 1.4.6) can always be downloaded from
http://www.unbound.net/downloads/unbound-latest.tar.gz
Current version
Source:
unbound-1.4.6.tar.gz
SHA1 checksum: b0d7c58f173c5c80cc81345f6766555f96bde20d
SHA256 checksum: 9c2ce107b551dbd65d007549caea13ecba7dd30d690821f2bafa9da2d047b9de
License: BSD
Doc: man-page
Linux and *BSD sources and binaries can easily be obtained
using (your favorite) package manager or ports collection.
Windows 32-bit version compiled from the source.
Installer:
unbound_setup_1.4.6.exe
Binaries (no install):
unbound-1.4.6.zip
Doc: README, manual (pdf)
Unbound 1.4.6
Download: unbound-1.4.6.tar.gz
SHA1 checksum: b0d7c58f173c5c80cc81345f6766555f96bde20d
SHA256 checksum: 9c2ce107b551dbd65d007549caea13ecba7dd30d690821f2bafa9da2d047b9de
Date: 3 August, 2010
Features
- Builtin root hints contain AAAA for I.ROOT-SERVERS.NET.
- unbound.h has extern "C" statement for easier include in c++.
- added feature to print configure date, target and options with -h.
- added feature to print event backend system details with -h.
- (ports and works on Minix 3.1.7). On Minix,
add /usr/gnu/bin to PATH, use ./configure AR=/usr/gnu/bin/gar
and gmake.
- GOST enabled if SSL is recent and ldns has GOST enabled too.
Bug Fixes
- Fix TCP reply on systems with no writev, if just 1 byte could be sent.
- Fix to use one pointer less for iterator query state store_parent_NS.
- Max referral count from 30 to 130, because 128 one character domains is valid DNS.
- added documentation for the histogram printout to syslog.
- Fix assertion failure reported by Kai Storbeck from XS4ALL, the assertion was wrong.
- updated ldns tarball.
- iana portlist updated.
- Unbound reports libev or libevent correctly in logs in verbose mode.
- Fix handling of corner case reply from lame server, follows rfc2308.
It could lead to a nodata reply getting into the cache if the search
for a non-lame server turned up other misconfigured servers.
- Fix jostle list bug found by Vince (luoce at cnnic), it caused the qps
in overload situations to be about 5 qps for the class of shortly
serviced queries. The capacity of the resolver is then
about (numqueriesperthread / 2) / (average time for such long queries) qps
for long queries. And about (numqueriesperthread / 2)/(jostletimeout in
whole seconds) qps for short queries, per thread.
- Fix the max number of reply-address count to be applied for duplicate
queries, and not for new query list entries. This raises the memory
usage to a max of (16+1)*numqueriesperthread reply addresses.
- Fix RFC4035 compliance with 2.2 statement that the DNSKEY at apex
must be signed with all algorithms from the DS rrset at the parent.
This is now checked and becomes bogus if not.
- Fix validation of qtype DNSKEY when a key-cache entry exists but
no rr-cache entry is used (it expired or prefetch), it then goes
back up to the DS or trust-anchor to validate the DNSKEY.
- log if a server is skipped because it is on the donotquery list,
at verbosity 4, to enable diagnosis why no queries to 127.0.0.1.
- failure to chown the pidfile is not fatal any more.
- Neat function prototypes, unshadowed local declarations.
- Fix integer underflow in prefetch ttl creation from cache. This
fixes a potential negative prefetch ttl.
- Changed the defaults for num-queries-per-thread/outgoing-range.
For builtin-select: 512/960, for libevent 1024/4096 and for
windows 24/48 (because of win api). This makes the ratio this way
to improve resilience under heavy load. For high performance, use
libevent and possibly higher numbers.
Older versions
Unbound 1.4.5
Download: unbound-1.4.5.tar.gz
SHA1 checksum: c1f227b95448cdfd0006d6d00b3d4354500d7564
SHA256 checksum: 905685836715ac715098909ae5268504322f0f226c957d18ed32895c76d8224c
Date: 3 June, 2010
Features
- unbound-control get_option domain-insecure shows config file items.
- Autotrust anchor file can be initialized with a ZSK key as well (if the domain's DNSKEY set is signed with that ZSK).
- Conforms to draft-ietf-dnsop-default-local-zones-13. Added default
reverse lookup blocks for IPv4 test nets 100.51.198.in-addr.arpa,
113.0.203.in-addr.arpa and Orchid prefix 0.1.1.0.0.2.ip6.arpa.
- Contribution from Migiel de Vos (Surfnet): nagios patch for
unbound-host, in contrib/ (in the source tarball). Makes unbound-host
suitable for monitoring dnssec(-chain) status.
- GOST disabled-by-default, the algorithm number is allocated but the
RFC still has to pass AUTH48 at the IETF.
Bug Fixes
- Fix validation failure for qtype ANY caused by a RRSIG parse failure.
The validator error message was 'no signatures from ...'.
- Squelch log message: sendto failed permission denied for
255.255.255.255, it is visible in VERB_DETAIL (verbosity 2).
- Fix fetch from blacklisted dnssec lame servers as last resort. The
server's IP address is then given in validator errors as well.
- Fix local-zone type redirect that did not use the query name for
the answer rrset.
- Compile fix using Sun Studio 12 compiler on Solaris 5.9, use
CPPFLAGS during configure process.
- Fix if libev is installed on the base system (not libevent), detect
it from the event.h header file and link with -lev.
- Fix configlexer.lex gets config.h, and configyyrename.h added by make,
no more double include.
- More strict scrubber (Thanks to George Barwood for the idea): NS set
must be pertinent to the query.
- In 0x20 backoff fix fallback so the number of
outstanding queries does not become -1 and block the request.
Fixed handling of recursion-lame in combination with 0x20 fallback. Fix so
RRsets are compared canonicalized and sorted if the immediate comparison
fails, this makes the 0x20 option work around round-robin sites.
- Fix retry sequence if prime hints are recursion-lame.
- Fix so harden-referral-path does not result in failures due to max-depth.
You can increase the max-depth by adding numbers (' 0') after the
target-fetch-policy, this increases the depth to which it is checked.
- Fix detection of GOST support in ldns (reported by Chris Smith).
- Fix for dnssec lameness detection to use the key cache.
- infra cache entries that are expired are wiped clean. Previously
it was possible to not expire host data (if accessed often).
- Fix dnssec-missing detection that was turned off by server selection.
- Fix spelling error in variable name in parser and lexer.
- Fix various compiler warnings from the clang llvm compiler.
- Fix comments in iter_utils:dp_is_useless.
- EDNS timeout code will not fire if EDNS status already known.
- EDNS failure not stored if EDNS status known to work.
- Parent-child disagreement approach altered. Older fixes are removed
in place of a more exhaustive search for misconfigured data available via
the parent of a delegation. This is designed to be throttled by cache
entries, with TTL from the parent if possible. Additionally the loop-counter
is used. It also tests for NS RRset differences between parent and child.
The fetch of misconfigured data should be more reliable and thorough. It
should work reliably even with no or only partial data in cache. Data
received from the child (as always) is deemed more authoritative than
information received from the delegation parent. The search for
misconfigured data is not performed normally.
- Fix AD flag handling, it could in some cases mistakenly copy the AD
flag from upstream servers.
- Ignore Z flag in incoming messages too.
- alloc_special_obtain out of memory is not a fatal error any more,
enabling unbound to continue longer in out of memory conditions.
- Parentside names are dispreferred but not said to be dnssec-lame.
- Fix parentside and querytargets modulestate, for dump_requestlist.
- unbound-control-setup makes keys -rw-r--- so not all users permitted.
- libtoolize 2.2.6b, autoconf 2.65 applied to configure.
- Fix compile warning if compiled without threads.
- iana portlist updated.
- included ldns tarball updated.
- Fix bug where a long loop could be entered, now cycle detection
has a loop-counter and maximum search amount.
Unbound 1.4.4
Download: unbound-1.4.4.tar.gz
SHA1 checksum: 2cb4c34ece87e43c9acc8da85d2ea1c8ea1ffe66
SHA256 checksum: 0ed08d9a60670730f906a571cbd0ed8b5b78deca9417161b5df8296d77ad7f5f
Date: 22 April, 2010
Features
- Experimental ECC-GOST algorithm support, needs openssl-1.0.0
and currently needs ldns from svn trunk. Uses ECC-GOST algorithm
number 12 (assigned by IANA). As the RFC is written, we intend to make it
optional, because a dependency on openssl-1.0.0 is hard across distributions
right now.
- unbound-host disables use-syslog from config file so that the
config file for the main server can be used more easily.
- Include less in config.h and include per code file for ldns, ssl.
Bug Fixes
- pkt_dname_tolower could read beyond end of buffer or
get into an endless loop, if 0x20 was enabled, and buffers are small or
particular broken packets are received.
- Fix chain of trust with CNAME at an intermediate step, for the DS
processing proof.
- Fix validation of queries with wildcard names (*.example).
- Fix EDNS probe for .de DNSSEC testbed failure, where the infra cache
timeout coincided with a server update, the current EDNS backoff is less
sensitive, and does not cache the backoff unless the backoff actually
works and the domain is not expecting DNSSEC.
- unbound control flushed items are not counted when flushed again.
- iana portlist updated.
- unbound-checkconf could not parse interface
'0.0.0.0@5353', even though unbound itself worked fine.
- Fixed random numbers for port, interface and server selection.
Removed very small bias.
- Refer to the listing in unbound-control man page in the extended
statistics entry in the unbound.conf man page.
- Fix interface-automatic for OpenBSD: msg.controllen was too small,
also assertions on ancillary data buffer.
- check for IP_SENDSRCADDR for interface-automatic or IP_PKTINFO.
- for NSEC3 check if signatures are cached.
- Reordered configure checks so fork and -lnsl -lsocket checks are
earlier, and thus later checks benefit from and do not hinder them.
- ldns tarball updated.
- Fix python use when multithreaded.
- Fix solaris python compile.
- spelling fix in validation error involving cnames.
Unbound 1.4.3
Download: unbound-1.4.3.tar.gz
SHA1 checksum: 4b4b979683993452359eccf4f60cf9404600da9d
SHA256 checksum: 7c212228234547af776d51067a04a8c32f572e5db493e16a269370da4413070f
Date: 11 March, 2010
Bug Fixes
- Fix for memory alignment in struct sock_list allocation. This is
a remote denial of service vulnerability, as it could make unbound crash
on 64bit systems if triggered.
- Fix for MacPorts ldns without ssl default, unbound checks if ldns
has dnssec functionality and uses the builtin if not.
- Fix daemonize on Solaris 10, it did not detach from terminal.
Unbound 1.4.2
Download: unbound-1.4.2.tar.gz
SHA1 checksum: bad6b453924c853b177234890522a05904b2e5f9
SHA256 checksum: 9b2821eeb9fee3145ac04c7dc648ea1ae7d9a600de6b0a1ffacebe7643b913e1
Date: 9 March, 2010
Features
- unbound-control list_stubs, list_forwards, list_local_zones, list_local_data, log_reopen, set_option and get_option.
- libunbound ub_ctx_get_option() added.
- --enable-checking: enables assertions but does not look nonproduction.
- nicer VERB_DETAIL (verbosity 2, unbound-host -d) output, with nxdomain and nodata distinguished.
- prefetch-key option that performs DNSKEY queries earlier in the validation process, and that could halve the latency on DNSSEC queries. It takes some extra processing (CPU, a cache is needed).
- prefetch option that prefetches popular queries before they expire.
- change unbound-control-setup from 1024(sha1) to 1536(sha256).
Bug Fixes
- Re-query pattern changed on validation failure. To protect troubled
authority servers, unbound caches a failure for the DNSKEY or DS records
for the entire zone, and only retries that 900 seconds later. This
implies that only a handful of packets are sent extra to the authority
if the zone fails. We made the choice to send out more conservatively,
protecting against an aggregate effect more than protecting a single user
(from their own folly, perhaps in case of misconfig).
- Fix crash in control channel code.
- iana portlist updated.
- make install depends on make all.
- Fix 5011 auto-trust-anchor-file initial read to skip RRSIGs.
- ldns tarball updated: long label length syntax error fix, libdl compile fix.
- --disable-rpath fixed for libtool not found errors.
- Fixup prototype for lexer cleanup in daemon code.
- Fix scrubber bug that potentially let NS records through. Reported by Amanda Constant.
- Also delete potential poison references from additional.
- Fix: no classification of a forwarder as lame, throwaway instead.
- More strict DS scrubbing.
- No more blacklisting of unresponsive servers, instead they are backed off to a 2 minute timeout.
- RD flag not enabled for dnssec-blacklisted tries, unless necessary.
- log 'tcp connect: connection timed out' only in high verbosity.
- Disregard DNSKEY from authority section for chain of trust. DS records that are irrelevant to a referral scrubbed. Anti-poison.
- Check for 'no space left on device' (or other errors) when writing updated autotrust anchors and print errno to log.
- Fixup in compat snprintf routine, %f 1.02 and %g support.
- include math.h for testbound test compile portability.
- Updated url of IANA itar, interim trust anchor repository, in script.
- configure test for memcmp portability.
- removed warning on format string in validator error log statement.
- libtool finish the install of unbound python dynamic library.
- Fixup lookup trouble for parent-child domains on the first query.
- Fixup ldns detection to also check for header files.
- Fix unbound-checkconf for auto-trust-anchor-file present checks.
- Fix for parent-child disagreement code which could have trouble when (a) ipv6 was disabled and (b) the TTL for parent and child were different. There were two bugs, the parent-side information is fixed to no longer block lookup of child side information and the iterator is fixed to no longer attempt to get ipv6 when it is not enabled and then give up in failure.
- Fixup python documentation (thanks Leo Vandewoestijne).
- DNS wireformat max is 255. dname_valid allowed 256 length.
- verbose output includes parent-side-address notion for lameness.
- documented val-log-level: 2 setting in example.conf and man page.
Unbound 1.4.1
Download: unbound-1.4.1.tar.gz
SHA1 checksum: a7bfcc057e4d242bfced847f587a71f8eaa236d7
SHA256 checksum: 2573db422d7a856a3783b96698f2d5ca18a849d0bd6f0e36eb37a4f0a65b60e2
Date: 17 December, 2009
Features
- Bind the same interface multiple times at different ports. Use multiple interface: lines with an @port suffix.
Bug Fixes
- Fix libtool version to 2 because of why_bogus change in 1.4.0.
- Fix parse of # without end-of-line at end-of-file.
- Fix crash with module-config "iterator".
- Fix segfault when unbound-control remove nonexistent
local data. And an update of ldns tarball with fix for parse
errors generated for domain names like '.example.com'.
- Fix for lookup of parent-child disagreement domains, where the
parent-side glue works but it does not provide proper NS, A or AAAA
for itself, fixing motorcaravanners.eu.
- Fix negative cache lookup of closestencloser check of DS type bit.
- Fix SOA excluded from negative DS responses. Reported by Hauke
Lampe.
- Fix that verify_rrsig routine checks expiration last.
- on IPv4 UDP turn off DF flag.
- Fix qclass=ANY queries, with class IN contents.
Unbound 1.4.0
Download: unbound-1.4.0.tar.gz
SHA1 checksum: ad5fe28826bfc0baa5b63988361dda7e8dabfb4d
SHA256 checksum: 3f67ecda501d74d8cc9e5c0aa0bcd25c4e03f09ad8e339de643333307ced9c30
Date: 26 November, 2009
Features
- RFC 5702: RSASHA256 and RSASHA512 support enabled by default.
Please use openssl 0.9.8 or later, that provide sha256 and sha512.
- included ldns tarball updated (which also enables rsasha256 support).
- val-log-level: 2 shows extended error information for validation
failures, one line per failure. For example:
validation failure <example.com. DNSKEY IN>: signature expired from
192.0.2.4 for trust anchor example.com. while building chain of trust
- Made new validator error string available from libunbound for
applications. It is in result->why_bogus, a zero-terminated string.
unbound-host prints it by default if a result is bogus.
Also the errinf is public in module_qstate (for other modules).
- retry on DNSSEC failures, query other servers, unbound works harder
to get valid DNSSEC data.
- so-rcvbuf: 4m option added. Set this on large busy servers to not
drop the occasional packet in spikes due to full socket buffers.
netstat -su keeps a counter of UDP dropped due to full buffers.
- auto-trust-anchor-file option with RFC5011 support, code from the
NLnet Labs autotrust project(BSD license), is incorporated. In this way
unbound can support trust anchor revocation properly, even revocation
back to the unsigned state. It can read normal anchor files or autotrust
files initially, after probing the file is written to in a format specific
to unbound.
- use linebuffering for log-file: output, this can be significantly
faster than the previous fflush method and enable some class of
resolvers to use high verbosity (for short periods).
Not on windows, because line buffering does not work there.
- Patch from Zdenek Vasicek and Attila Nagy for using the source IP
from python scripts. See pythonmod/examples/resip.py.
- Got a patch from Luca Bruno for libunbound support on windows to
pick up the system resolvconf nameservers and hosts there.
- call OPENSSL_config() in unbound and unit test so that the
operator can use openssl.cnf for configuration options.
- Experimental support (disabled by default) for GOST for unofficial
algorithm number 249 of draft-dolmatov-dnsext-dnssec-gost-01, tested to work
with openssl-1.0.0beta and correct for examples in -01 draft.
- edns-buffer-size option, default 4096. Can be set to 1480 in case
of DNS UDP fragments not arriving from authority servers.
- iana portlist updated.
- contrib/split-itar.sh from Tom Hendrikx to split anchors.mf from the IANA ITAR into individual key files that can be tracked with auto-trust-anchor-file.
Bug Fixes
- fixed do-udp: no (only TCP is used).
- removed abort on prealloc failure, error still printed but softfail.
- Fix bug where autotrust does not work when started with a DS.
- Fix double time subtraction in negative cache reported by
Amanda Constant and Hugh Mahon.
- fix unbound-host so -d can be given before -C.
- fix DNSSEC-missing-signature detection for minimal responses
for qtype DNSKEY (assumes DNSKEY occurs at zone apex).
- fix compile of unbound-host when --enable-alloc-checks.
- Fix lookup problem reported by Koh-ichi Ito and Jaap Akkerhuis.
- Manual page fixes reported by Tony Finch.
- Fix memory leak reported by Tao Ma.
- increased MAXSYSLOGLEN so .bg key can be printed in debug output.
- Fix bug where DNSSEC-bogus messages were marked with too high TTL.
The RRsets would still expire at the normal time, but this would
keep messages bogus in the cache for too long.
- documented that load_cache is meant for debugging.
- fixup printing errors when load_cache, they were printed to the
SSL connection which had just broken, now to the log.
- Changes to make unbound work with libevent-2.0.3 alpha. (in
configure detection due to new ssl dependency in libevent).
- do not call sphinx for documentation when python is disabled.
- remove EV_PERSIST from libevent timeout code to make the code
compatible with the libevent-2.0. Works with older libevent too.
- fix memory leak in python code.
- makefile fix for parallel makes.
- fixup unbound-control lookup to print forward and stub servers.
- fixup memleak in trust anchor unsupported algorithm check.
- free all memory on program exit, fix for ssl and flex.
- fixup DS lookup at anchor point with unsigned parent.
- fixup DLV lookup for DS queries to unsigned domains.
- Fix so that servers are only blacklisted if they fail to reply
to 16 queries in a row and the timeout gets above 2 minutes.
- unbound-control lookup prints out infra cache information, like RTT.
- Fix bug in DLV lookup reported by Amanda from Secure64.
It could sometimes wrongly classify a domain as unsigned, which
does not give the AD bit on replies.
- Thanks to Surfnet, found a bug in the new dnssec-retry code, which failed
to work well when combined with DLV and then a validation failure.
- removed small memory leak from config file reader.
- fix manpage errors reported by debian lintian.
- Fixed validation failure for CNAME to optout NSEC3 nodata answer.
- unbound-host does not fail on type ANY.
- Fixed wireparse failure to put RRSIGs together with data in some
long ANY mix cases, which fixes validation failures.
- Fixed signer detection of CNAME responses without signatures.
- Fixed libunbound memleak on error condition by Eric Sesterhenn.
Unbound 1.3.4
Download: unbound-1.3.4.tar.gz
SHA1 checksum: 70aea0092ad0b0cd76e57adc6a5843d3fa0d2a07
SHA256 checksum: 5a7f658b12c311f3c131d315b135956eeaa3bd7caa94b25b4777638ee7ce583f
Date: 7 October, 2009
Bug Fixes
- Fixed bug in NSEC3 validation handling code: Under specific
circumstances checks of signatures over NSEC3 records are not done. As a
result carefully crafted delegation responses (created through exploiting
general DNS vulnerabilities such as DNS packet spoofing) can be used to
downgrade an existing secure delegation to insecure. Unbound users who
depend on DNSSEC validation are advised to upgrade.
- iana portlist updated.
Unbound 1.3.3
Download: unbound-1.3.3.tar.gz
SHA1 checksum: 4124d3b70a38d72a1ad47bf2a9e5aee9498ae439
SHA256 checksum: da2b24b87706a92c4b1e447cdcac26e851eb1bcaf4536e9dda1a64acb7ad92b8
Date: 4 August, 2009
Features
- feature val-log-level: 1 prints validation failures so you can
keep track of them during dnssec deployment.
- contrib/update-anchor.sh has -r option for root-hints.
- crosscompile possible
- verified that --enable-sha2 works with draft rsasha256-14
Bug Fixes
- nicer warning when algorithm not supported, tells you to upgrade.
- Updated unbound-cacti contribution from Dmitriy Demidov, with
the queue statistics displayed in its own graph.
- Fix bug found by Michael Tokarev where unbound would try to prime
the root servers even though forwarders are configured for the root.
- Ignore transient sendto errors, no route to host, and host, net
down.
- Fix server selection, so that it waits for open target queries when
faced with lameness.
- iana portlist updated.
- Updated ldns tarball for solaris x64 compile assistance.
- Fixed to not use RAND_MAX on windows, so all 16 ID bits are used.
Unbound 1.3.2
Download: unbound-1.3.2.tar.gz
SHA1 checksum: 6aafdc87a70430f3aab54026bab5c901da2dba86
SHA256 checksum: 5acee05d7ec642e031e0fd392c2b476dfec5b872c7099e0e4d98a7acb5742ad1
Date: 13 July, 2009
Bug Fixes
- Fix for crash at start on Windows.
Unbound 1.3.1
Download: unbound-1.3.1.tar.gz
SHA1 checksum: 19fd5aaddfce7de9e05bb5d6720707f98c1f649a
SHA256 checksum: 55961c23c6cde824adef8de8d83dae7dcd40528333960d5c3d5028904d799e87
Date: 9 July, 2009
Features
- unbound_munin_ in contrib uses ps to show total memory rss if sbrk
hack does not work.
- Added build-unbound-localzone-from-hosts.pl to contrib, from
Dennis DeDonatis. It converts /etc/hosts into config statements.
Bug Fixes
- Fixup potential wrong NSEC picked out of the cache.
- If unfulfilled callbacks are deleted they are called with an error.
- fwd above stub in configuration works.
- Removed random whitespace from example.conf.
- Fixed bug where cached responses would lose their security status
on second validation, which especially impacted dlv lookups. Reported
by Hauke Lampe.
- Fixup opportunistic target query generation so it does not
generate queries that are known to fail.
- harden-referral-path: handle cases where NS is in answer section.
- updated fedora specfile in contrib from Paul Wouters.
- Fix EDNS fallback when EDNS works for short answers but long answers
are dropped.
- On Linux, fragment IPv6 datagrams to the IPv6 minimum MTU, to
avoid dropped packets at routers.
- Fix of message parse bug where (specifically) an NSEC and RRSIG in
the wrong order would be parsed, but put wrongly into internal structures
so that later validation would fail.
- Queries for type DS when forward or stub zones are there. They are
performed to higherup domains, and thus treated as if going to higher
zones when looking up the right forward or stub server. This makes a stub
pointing to a local server that has a local view of example.com signed
with the same keys as are publicly used work. Reported by Johan Ihren.
- same thing fixed for forward-zone and DS, chain of trust from
public internet into the forward-zone works now.
- flush_type and flush_name remove message cache entries as well, so
they remove errors from the cache as well
- delegationpoint bogus flag copied fix
- openssl key files are opened 'apache-style', from
user root and before the chroot. This makes permissions on remote-control
key files easier.
- fail to configure with python if swig is not found.
- Fix of empty -L during linking
- updated ldns tarball to latest
- updated iana portlist
Unbound 1.3.0
Download: unbound-1.3.0.tar.gz
SHA1 checksum: 67fe06f087083fd24b0175b68e624efc375a3e0f
SHA256 checksum: ebaed25422a32a7f13386982485d9d01b65cf3aefbebdcf4add6a4d7c71a4610
Date: 11 June, 2009
Features
- Major features are Windows port, and Python contribution. Previous
releases accidentally enabled experimental rsasha256 algorithms, fixed,
see below. There are minor features and bug fixes too.
- initgroups(3) is called to drop secondary group permissions, if
this OS functionality is available.
- daemon(3) posix call is used when available
- configure option --with-ldns-builtin forces the use of the
included ldns package with the unbound source. The -I include
is put before the others, so it avoids bad include files from
an older ldns install.
- --enable-sha2 option for rsasha256 and rsasha512 support (experimental
because it is still in working group draft stage). Default is off.
Previous releases accidentally enabled this feature when lib openssl supported
SHA256. It then used algorithms 8, 9 for RSASHA256 and 10, 11 for RSASHA512
(using four numbers as was according to the draft spec at that time).
The earlier versions support NSEC and NSEC3 for all these algorithm numbers.
People with these earlier versions may also have earlier openssl
versions (0.9.7), and therefore the experimental feature is disabled.
As long as these signing algorithm code points are not allocated, there is
no problem. You are advised to upgrade to the current version to
avoid surprises.
- new option log-time-ascii: yes if you enable it prints timestamps
in the log file as Feb 06 13:45:26 (like syslog does).
- verbosity level 5 logs customer IP for new requestlist
entries.
- contrib contains specfile for fedora 1.2.1 (from Paul Wouters).
- call setusercontext() if available (on BSD)
- Added stats_noreset feature for unbound-control.
- Added flush_requestlist feature for unbound-control.
- unbound-control status shows if root forwarding is in use.
- Added forward command for unbound control to change forwarders to use
on the fly.
- unbound-checkconf and unbound server print warnings when trust anchors
have unsupported algorithms.
- Added contrib/update-itar.sh This script is similar to
update-anchor.sh, and updates from the IANA ITAR repository.
You can provide your own PGP key and trust repo, or can use the
builtin. The program uses wget and gpg to work.
- Support spaces and backslashes in configure default paths
- register and deregister util programs for unbound.exe into the
windows service control manager. Works on XP and with Vista UAC.
- unbound can work as a service on windows, for the registry settings
and default program location and so on, see the windows manual.
- installer for unbound on windows. uninstalls too. Menu entries
optional. Can install DLV anchor with updater application (anchor-update.exe,
works a bit like update-anchor.sh) to enable DNSSEC
easily. Uses the NSIS open source installer system.
- Added contrib/unbound_cacti for statistics support in cacti,
contributed by Dmitriy Demidov.
- domain-insecure: "example.com" statement added. Sets domain
insecure regardless of chain of trust DSs or DLVs. The inverse
of a trust-anchor.
- use _beginthreadex() when available (performs stack alignment
on mingw)
- added launchd plist example file for MacOSX to contrib.
- reworked configure scripts to be neater.
- python contribution from Zdenek Vasicek and Marek Vavrusa.
(Sponsored by cz.nic for 'summer of code' development).
This contains support to use libunbound from python code.
And support to create unbound modules written in python that perform
custom processing of queries. The code is disabled by default and
needs to be enabled by passing options to configure. Installs the
following files: /usr/lib/python2.x/site-packages/ unboundmodule.py
unbound.py and _unbound.so*. The script examples are not installed. Sphinx
docs can be built with make doc (if sphinx-build is available).
- new libunbound calls to manage local data more easily
- read /dev/random before chroot
- suppress errors when trying to contact authority servers that gave
ipv6 AAAA records for their nameservers with ipv4 mapped contents.
Still tries to do so, higher verbosity shows the error.
- clock skew checks in unbound, config statements.
- Added cache-min-ttl option.
- Added dump_requestlist feature for unbound-control.
- Added flush_stats feature for unbound-control.
- Added unbound-checkconf -o option, that prints that
value from config file. Useful for scripting in management scripts
and the like.
Bug Fixes
- fix for threadsafety in solaris thr_key_create() in tests.
- fixes for porting the python code to BSD and Darwin
- fix for openssl-1.0.0beta, use of STRING #define, libdl linking.
- Fix reentrant in minievent handler for unix. Could have resulted
in spurious event callbacks.
- Fix munin plugin, perform cleanup of stale
lockfiles.
- Fix for removal of RSASHA256_NSEC3 protonumber from ldns. Also new
rsasha512 (interim) algorithm number.
- Detect FreeBSD jail without ipv6 addresses assigned.
- Fixed a bug that caused messages to be stored in the cache too
long. Hard to trigger, but NXDOMAINs for nameservers or CNAME
targets have been more vulnerable to the TTL miscalculation bug.
- fixed bug in unbound-control flush_zone where it would not flush
every message in the target domain. This especially impacted
NXDOMAIN messages which could remain in the cache regardless.
- Fixup so no non-absolute rpaths are added.
- Fixup validation of RRSIG queries, they are let through.
- fix util/configlexer.c and solaris -std=c99 flag.
- deprecation test for daemon(3) (on MacOSX).
- module-config entries order is important. Documented.
- Fix for and test for unknown algorithms in a trust anchor
definition. Trust anchors with no supported algos are ignored.
This means a (higher)DS or DLV entry for them could succeed, and
otherwise they are treated as insecure.
- Added tests, unknown algorithms become insecure. fallback works.
- fixed so queries do not fail on opportunistic target queries.
- munin plugin fix benign locking error printout.
- fixup --export-symbols to be -export-symbols for libtool.
This should fix extraneous symbols exported from libunbound.
Thanks to Ondrej Sury and Robert Edmonds for finding it.
- document FAQ entry on stub/forward zones and default blocking.
- Remove fwrite warning on Ubuntu
- Added more cycle detection. Also for target queries.
- Fixup bug where during deletion of the mesh queries the callbacks
that were reentrant caused assertion failures. Keep the mesh in
a reentrant safe state. Affected libunbound, reload of server,
on quit and flush_requestlist.
- documented that unbound-host reads no config file by default.
- slightly nicer memory management in iter-fwd code.
- small refactor of stats clearing.
- fixup EOL in include directive (reported by Paul Wouters).
- config parser changed. Gives some syntax errors closer to where they
occurred. Does not enforce a space after keyword anymore.
Does not allow literal newlines inside quoted strings anymore.
- detect event_base_new() in libevent-1.4.1 and later and use it.
- MacOSX Leopard cleaner text output from configure.
- change in libunbound API: ub_cancel can return an error, that
the async_id did not exist, or that it was already delivered.
The result could have been delivered just before the cancel
routine managed to acquire the lock, so a caller may get the
result at the same time they call cancel. For this case,
ub_cancel tries to return an error code.
Fixes race condition in use of ub_cancel() libunbound function.
- Fixup assertion failure (thanks to Brett Carr).
- Fix detection of no ipv6 on XP (with different error code).
- Fixup a crash-on-exit which was triggered by a very long queue.
- Fixed bug that could cause a crash if root prime failed when there
were message backlogs.
- fixup documentation-bug in README reported by Matthew Dempsky.
- Fixup bad free() when wrongly encoded DSA signature is seen. Reported
by Paul Wouters.
- updated ldns tarball to latest
- updated iana portlist
Unbound 1.2.1
Download: unbound-1.2.1.tar.gz
SHA1 checksum: 996aea210b24f8c4bd1aa7a9584bc5b70b989b1b
SHA256 checksum: 1f95ca2904dfb813bf52f15156a8c769b365deb92fa7b995344062dea966dc29
Date: 10 February, 2009
Features
- negative caching for failed queries. Queries that failed (because
the entire domain is down) are cached for a very short time (seconds),
this lowers the load generated by the failed queries.
If the failure is local, like out of memory, it is not cached.
- stop resolving AAAAs promiscuously when they are in the
negative cache, together with the negative caching feature (just above)
this dampens the spikiness of the requestlist size.
- unbound-host -4 and -6 options. Stops annoying ipv6 errors when
debugging with unbound-host -4 -d ...
- honor QUIET=no on make commandline (or QUIET=yes ).
Bug Fixes
- Fixed server deadlock. Added cycle detection for NS-check, addr-check,
root-prime and stub-prime queries in the iterator.
- fixup configure checks for compilation with Solaris
sun studio cc compiler, ./configure CC=/opt/SUNWspro/bin/cc
- fixup warnings emitted by sun studio compiler.
- the TTL comparison for the cache used different comparisons, causing
many cache responses that used the iterator and validator state
machines unnecessarily. Fixed.
- Fixed occasional SERVFAIL response when EDNS traffic is dropped
for a domain. Set retry from 4 to 5 so that EDNS drop retry is part of
the first query resolve attempt, and cached error does not stop EDNS
fallback.
- removed debug prints in code that protects against bad referrals.
- fix bug where unbound could crash using libevent 1.3 and older.
- more quiet about ipv6 network failures, i.e. when ipv6 is not
available (network unreachable). Debug still printed on high verbosity.
- printout more detailed errors on ssl certificate loading failures.
- builtin IANA allocated portlist updated (these ports are avoided).
Unbound 1.2.0
Download: unbound-1.2.0.tar.gz
SHA1 checksum: 2c1cef70669dcfa13f4db4306cd7b8eeca6892aa
SHA256 checksum: 88e480bdfb23855656a70cb879b231414d2322fb6c0b7dd594628c7482358784
Date: 14 January, 2009
Features
- Wildcard support for trusted-keys-file: "/etc/keys/*.key"
- unbound-control status command.
- extended statistics has a number of ipv6 queries counter.
contrib/unbound_munin_ was updated to draw ipv6 in the hits graph.
- SElinux policy files in contrib/selinux for the unbound daemon,
by Paul Wouters and Adam Tkac.
Bug Fixes
- The long standing bug with libevent use is fixed. It turns out to be
a race condition in the calls to libevent.
The builtin mini-event did not have a problem being called
like this, but libevent and libev usage is now fixed. Libevent 1.1 is
reported to still give problems, but 1.4.5 and 1.4.8 seem fine.
- Certain packets could cause an assertion failure, resulting in a
denial-of-service vector if the server was compiled with --enable-debug
(assertions enabled). This is fixed.
- fixed bug reported by Duane Wessels: error in DLV lookup, would make
some zones that had correct DLV keys as insecure.
- fix lame marking. Security fix that resolves denial
of service that could be triggered by an unusual configuration. Thanks to
Mark Zealey for reporting.
- no more race condition in makefile during build with
high -j inside included libldns version.
- iana portlist updated to most recent, avoids allocated ports.
- L root server AAAA record added to builtin root hints.
- removed possible race condition in unit test for race conditions.
- fixup reported problem with transparent local-zone data where
queries with different type could get nxdomain. Now queries
with a different name get resolved normally, with different type
get a correct NOERROR/NODATA answer.
- HINFO no longer downcased for validation, making unbound compatible
with bind and ldns.
- fix reading included config files when chrooted.
Give full path names for include files.
Relative path names work if the start dir equals the working dir.
- fix libunbound message transport when no packet buffer is available.
- fixup getaddrinfo failure handling for remote control port.
- fixup so it works with libev-3.51 from http://dist.schmorp.de/libev/
- ldns tarball updated with 1.4.1rc for DLV unit test.
- fixup BSD port for infra host storage. It hashed wrongly.
- follow ldns rc makedist name generation.
- snapshot version uses _ not - to help rpm distinguish the
version number.
- do not reopen syslog to avoid dev/log dependency. This makes chroot
environments easier.
- better fix for bug #219: use LOG_NDELAY with
openlog() call. Thanks to Tamas Tevesz.
- fixed: unbound checkconf checks if key files exist if
remote control is enabled. Also fixed NULL printf when not chrooted.
- Fix problem reported by Jaco Engelbrecht where unbound-control stats
freezes up unbound if this was compiled without threading, and
was using multiple processes.
- test for remote control with interprocess communication.
- created command distribution mechanism so that remote control
commands other than 'stats' work on all processes in a nonthreaded
compiled version. dump/load cache work, on the first process.
- fixup remote control local_data addition memory corruption bug.
- configure complains when --without-ssl is given,
fixed.
- blacklisted servers are polled at a low rate (1%) to see if they
come back up. But not if there is some other working server.
- documented that the user of the server daemon needs read privileges
on the keys and certificates generated by unbound-control-setup.
This is different per system or distribution, usually, running the
script under the same username as the server uses suffices.
i.e. sudo -u unbound unbound-control-setup
- unbound-control-setup.sh removes read/write permissions other
from the keys it creates (as suggested by Dmitriy Demidov).
- fixed tcp accept, errors were printed when they should not.
- fixup fatal error due to faulty error checking after tcp accept.
- add check in rlimit code to avoid integer underflow.
- rlimit check with new formula; better estimate for number of
interfaces.
Unbound 1.1.1
Download: unbound-1.1.1.tar.gz
SHA1 checksum: 8c80e892232a05459923826f266afb770d3f7d73
SHA256 checksum: ab6c701f44aeef11a1a8370495749b9b630004597af38dc04094ad5687e73981
Date: 20 November, 2008
Bug Fixes
- Fixed syslog with chroot, glibc syslog opens only
on demand so a log line has to be printed before chroot.
- fixup fatal error due to faulty error checking after tcp accept.
- rlimit check on startup integer underflow fixup, also makes a
more accurate estimate
Unbound 1.1.0
Download: unbound-1.1.0.tar.gz
SHA1 checksum: fb7a4421c64812d3acfa48409360ec232197a2f9
SHA256 checksum: b98421c97089dfcf7d7798d7148886c0a8672476dc44dd2b43d62ba5e3be27b5
Date: 11 November, 2008
Features
- DLV support
- contrib update-anchor.sh neatly updates keys for DLV or root or
others and only restarts the nameserver when keys have changed.
exits 0 when a restart is needed, other values if not.
So, update-anchor.sh -d mydir && /etc/rc.d/unbound restart
can restart unbound exactly when needed. Use -b for BIND mode.
- Negative caching for NSEC, NSEC3 for DLV lookups, as well as for
securely insecure delegations.
- Filter out overreaching NSEC records
- dev/log(syslog) opened before chroot
- use setresuid/setresgid, more secure.
- logfile message classification as notice, info, debug.
- harden-referral-path option implements draft-wijngaards-dnsext-resolver-side-mitigation-00, protects against many Kaminsky variations. Default is off, because of added load it generates, and experimental status.
- disallow nonrecursive queries for cache snooping by default.
You can allow it using access-control: subnet allow_snoop.
The defaults do allow access to authoritative data without RD bit.
- DoS resistance implementation. Half of queries run-to-completion.
Other half are a lifo where old entries are overwritten if 200 msec old.
- Block DNS rebinding attacks. This disallows domains from the
public internet from pretending to have internet addresses in your own
netblock. Use the private-address and private-domain statements (see
unbound.conf(5) man page for details). We may consider turning this on
by default for rfc1918 (local subnet) addresses.
- remote control feature, unbound-control. Remotely (using SSL)
stop, change redirections, flush cache, load cache, store cache, or
get statistics
- extended statistics (off by default). Put Howto documentation on website.
- munin example plugin to draw statistics added to contrib
- hosts that drop EDNS packets are detected, eventually.
- fixed recursion servers deployed as authoritative detection, so
that as a last resort, a +RD query is sent there to get the correct
answer.
- RSASHA256 and RSASHA512 support, using experimental protocol numbers from draft.
- stubs work much more intuitively, but can be configured for old and
new behaviour with new option stub-prime. This makes stubs on localhost on a different port number work.
- dns-0x20 fallback code implemented
- IPv4 and IPv6 PTR shorthand local-data-ptr: "1.2.3.4 www.ex.com"
- code refactored for domain, address tree lookups.
- unbound-control-setup.sh script to set up (selfsigned) certificates.
- spoof nearmiss indicator, when extended statistics are enabled, unbound-control stats prints out unwanted_replies count.
- if server selection is faced with only bad choices, it will
attempt to get more options to be fetched.
- changed bogus-ttl default value from 900 to 60 seconds.
In anticipation that operator caused failures are more likely than
actual attacks at this time. And thus repeated validation helps
the operators get the problem fixed sooner. It makes validation
failures go away sooner (60 seconds after the zone is fixed).
Also it is likely to try different nameserver targets every minute,
so that if a zone is bad on one server but not another, it is
likely to pick up the 'correct' one after a couple minutes,
and if the TTL is big enough that solves validation for the zone.
- do not query bogus nameservers. It is as-if nameservers that have
the NS or A or AAAA record bogus are listed as donotquery.
- CFLAGS are picked up by configure from the environment.
- silenced EHOSTDOWN, verbosity 2 and higher show it.
- configure check for ldns version 1.4.0 or later
- Fix for problem reported on mailing list, If a delegation point
has no A but only AAAA and do-ip6 is no, resolution would fail. Fixed to
ask for the A and AAAA records. It has to ask for both always, so that
it can fail quietly, from TLD perspective, when a zone is only reachable
on one transport.
Bug Fixes
- Fixed rrset security updated overwriting rfc2181 trust status.
This makes validated to be insecure data just as worthless as
nonvalidated data, and 2181 rules prevent cache overwrites to them.
- Fixed setreuid on MacOSX 10.4
- Fixed so make realclean works better, by Robert Edmonds
- extra rc.d unbound flexibility for freebsd/nanobsd.
- nicer do-auto log message when user sets incompatible options. DLV implemented.
- variable name ameliorated in log.c.
- in iana_update, no egrep, but awk use.
- fixed, pidfile can be outside chroot. openlog is done
before chroot and drop permissions. logfile is created with correct
permissions again. Some errors are not written to logfile (pidfile writing,
forking), and these are only visible by using the -d commandline flag.
- Fix update-anchor.sh to work both in BSD shell and bash.
- Fix so unsigned additionals are not marked bogus, they are left
unchecked, since signatures may have fallen off due to message size.
Unchecked items are removed from the additional just like bogus is for
that message. Defers validation for those rrsets.
- Fix assertion fail on bogus key handling
- Fix so dnssec lameness detection works on first query at trust apex.
- Fix compilation without pthreads on linux.
- builtin iana assigned portlist updated
- ldns snapshot inside source tarball updated to 1.4.0
- Fix NSEC_AT_APEX classification for short typemaps.
- Fix nonblocking and timeouts on TCP sockets
- Fix for multiple simultaneous timeout back offs. Could cause trouble
for forwarders
- Fix SHA256 DS downgrade, no longer possible to downgrade to SHA1.
- Fix negative TTL values appearing (reported by Attila Nagy)
- detect if libssl needs libdl. For static linking with libssl.
- Fix build process for Mac OSX linker
- Fix possible memory leak in key_entry_key deletion.
Would leak a couple bytes when trust anchors were replaced.
- DNAMEs used from cache have their synthesized CNAMEs initialized
properly.
- Fix file descriptor leak for localzone type deny (for TCP).
- Fix memleak for the keyword 'nodefault' when reading config. Would
leak bytes per reload command received.
- Fix listen to closed fd, would log a message with
"bad file descriptor"
Unbound 1.0.2
Download: unbound-1.0.2.tar.gz
SHA1 checksum: 93faa7b76cf7681b8c7b0c5187aaf84c36b6670b
SHA256 checksum: e6bbc4bb850c211e97ee7b5bc1827f59eb5222d295b715bda4551775766240ac
Date: 7 August, 2008
Features
- Stricter filtering of messages. This means that CNAMEs and DNAMEs
are handled with more paranoia, as well as the removal of more
irrelevant rrsets. More discussion at patch 1.0.2 announcement.
Bug Fixes
- Fixup qtype DS validation code
- Fix for nicer entropy warning message, OS hints in manpage.
- Fix segfault on exit cleanup of the app if packets were
still waiting for udp port numbers.
Unbound 1.0.1
Download: unbound-1.0.1.tar.gz
SHA1 checksum: 3a863376c8a2e805903aa4d9a32648b9f4c80ef1
SHA256 checksum: 95d3124b5e2a357848b84413a2f78e5896d41636278ed490dcf13bf89683f395
Date: 16 July, 2008
Features
- This version features bugfixes to compile on various distributions,
some options necessary to assist packaging and distribution of unbound,
a couple of fixes for looking up corner cases (badly operated domains),
and a cleanup of code for config file reading.
- contrib unbound.spec from Patrick Vande Walle
- mingw port with basic functionality on Windows XP and Windows Vista
(single threaded, UDP, TCP, IPv4, IPv6, validation)
- Added IPv6 example prefix to AS112 default blocklist
Bug Fixes
- fixup fedora 9 compilation (in6_pktinfo definition)
- CREDITS fixup of history
- ldns-1.2.2 is ignored if installed, and builtin 1.3.0 ldns used
- lex input and unput functions not generated (compile warnings)
- update of ldns tarball to latest ldns svn.
- update of avoided ports to latest IANA allocated portlist
- fixed up statements of the form local-zone: "30.172.in-addr.arpa."
nodefault, so that the trailing dot is not required.
- reported by Robert Edmonds (akamai zones), fixed so that if multiple
CNAME records for a name are returned, the first is used.
- reported by Richard Doty for mail.opusnet.com, check lameness more
cautiously, first check SOA record, before looking at NS record, then,
additionally, check the AA bit.
- reported for newegg.com, more detailed lameness
checking to distinguish AAAA lameness from qtype A lameness.
- fixup compiling on eeepc xandros linux
- fixup memory leak in root hints file reading
- fixup validation for qtype DS queries with trust anchor for the
same name
- libunbound ub_resolve, fix handling of error condition during setup.
- lowered log_hex blocksize to fit through BSD syslog linesize.
- make test checks for ldns-testns requirement of tcp_sigpipe test
- call tzset before chroot to have correct timestamps in system log
- fixed compilation failure on opensuse, the
--disable-static configure flag caused problems.
Patch from Klaus Singvogel
- fixed unportable shell usage in configure (relied on bash)
- same fix as 177.
- fixed buffer overflow in unbound-checkconf use of strncat
- fixed buffer overflow in ldns (called by unbound to parse config file parts)
- pidfile, rundir, and chroot configure options. Also the example.conf and
manual pages get the configured defaults. You can use: (or accept the
defaults to /usr/local/etc/unbound/) --with-conf-file=filename
--with-pidfile=filename --with-run-dir=path --with-chroot-dir=path
- -r option for unbound-host, read resolv.conf.
- --disable-shared not passed along to ldns included with
unbound. Fixed so that configure parameters are passed to the
subdir configure script.
Fixed that ./libtool is used always, you can still override
manually with ./configure libtool=mylibtool or set $libtool in
the environment.
Unbound 1.0.0
Download: unbound-1.0.0.tar.gz
SHA1 checksum: a837407d866f0918547c6122f8f654c219b4b51f
SHA256 checksum: 48e27905cb2cbde604252fbdd19dcd915a3b970c55f2ba2a033dac02048de1fe
Date: 20 May, 2008
Features
- This code is the public release
- Honors $DESTDIR during make install and make uninstall, useful for rpm and deb packaging.
- contrib .spec file to build RPMs with
- iana port list updated
- added IPv6 addresses for builtin root hints
Bug Fixes
- Fixup no-IPv4 problem in error callback
- No linking with -lrt if not needed
- library version now has proper version-info (Thanks Ondrej Sury)
- configure --disable-rpath performs libtool fixup
- MacOSX 10.5 /etc/hosts lines ending in %lo0 are skipped (Thanks John Dickinson)
Unbound 0.11
Download: unbound-0.11.tar.gz
SHA1 checksum: c74028b6a815fd5840f6ecbd6c1ec65afff67de2
SHA256 checksum: f6c44ccae56398273c1f03485f2e2b8e4b612663d501d89c82c8cf9f23422d9f
Date: 24 Apr, 2008
Features
- This code is public beta and ready for deployment.
- Default file locations changed to /usr/local/etc/unbound
- RTT banding (draft-forgery-resilience)
- query name checks (draft-forgery-resilience)
- random ports improved (draft-forgery-resilience)
- AD bit signaling (AD bit in query requests AD bit in reply)
- unbound tries to set ulimit(fds) if it needs to
- stats to rrdtool script in contrib (Thanks Kai Storbeck)
- FEATURES document
Bug Fixes
- Fixed so works with libevent-1.4.3+
- iterator logs spelling fixed (Thanks Koji Kobayashi)
- RFC2181 compliance improved (Thanks Jinmei Tatuya)
- DSA EVP signature decoding fixed
- chroot functionality better documented and checked (Thanks Randy Bush)
- ignore SIGPIPE from dns clients (Thanks Kai Storbeck)
Unbound 0.10
Download: unbound-0.10.tar.gz
SHA1 checksum: c8af5e1721b00c0a776bce06e624d037a332e993
SHA256 checksum: 08d2290b0ed8b10a4bb2fae34bba809692674dcaf6eca489c1b7ca88bdcc1b01
Date: 3 Mar, 2008
Features
- This code is public beta and ready for deployment.
- updated ldns-tarball inside source from trunk for latest NSEC3
type codes
- installation to /usr/local/sbin by default now, like other servers do
- libunbound returns the full answer packet (with signatures,
additional data, NSECs ...)
- option 'use-caps-for-id: yesno', experimental implementation of
draft-dns-0x20.
- default configure uses builtin event mechanism, since it is faster
and usually good enough. Use libevent when you use huge outgoing port
ranges.
- Various optimisations
- make test shows an indication of cache speed
- unbound-host patch (from Jan-Piet Mens) to read config file
- added contrib/ dir with an /etc/rc.d script for FreeBSD
Bug Fixes
- --prefix option for configure also changes directory: pidfile:
and chroot: defaults in config file.
- fixed so you can start without a config file (will complain, but
start with defaults).
- fixed read of empty lines in /etc/hosts by libunbound
- fix to install all manual pages (unbound-host and libunbound pages
too)
- fixed memory leaks in libunbound (during cancellation and ub_wait).
Unbound 0.9
Download: unbound-0.9.tar.gz
SHA1 checksum: 73eb8706e1a3aab767bbe3ef62c53deb085f57c7
SHA256 checksum: 729857e323ae8a85e57a70ed441748456f0eabc390060b1551d0eb459a064dad
Date: Feb 08, 2008
Features
- This code is beta and not recommended for operational
deployment.
- Remade verbosity levels, new level 2.
- can answer multiple queries over one TCP stream.
- library libunbound offers a validating stub implementation.
- unbound-host uses library to validate and lookup like host
- statistics-interval: seconds option added.
- interface-automatic: option added. Experimental, uses socket options to guarantee correct source address on UDP replies. Useful for multihomed hosts.
- Memory sizes in config can be given with k, m, or g
- Prints approximation of the median from histogram
- unbound-checkconf checks for local-net misconfigurations
Bug Fixes
- Fixed roothints and keyfiles access from chrooted daemon.
- Random generator uses less entropy.
Unbound 0.8
Download: unbound-0.8.tar.gz
SHA1 checksum: 252a84026dc1c5508cb28ea5ce6e485b304c2695
SHA256 checksum: e04f661ab2eb774b53d727d40b48931371b3dd7f39bdab8b2c60026925b018e8
Date: Feb 07, 2008
Features
- Local zone data - serve authoritative data
- Access control list - ips that have recursion allowed
- by default blocks AS 112 (reverse local net) queries
- This code is pre-beta and not recommended for operational
deployment.
- per rfc2308, replaced default max-ttl value with 1 day.
Bug Fixes
- Validation works now for non RD queries
- duplicate checking for NSECs and NSEC3s after CNAMEs
- do not downcase NSEC and RRSIG for verification. Follows
draft-ietf-dnsext-dnssec-bis-updates-06.txt.
Unbound 0.7.2
Download: unbound-0.7.2.tar.gz
SHA1 checksum: 2fa26e8bb7b691c80f4146b00a0eef7e0352ae91
SHA256 checksum: fdf28fb02326b15ce8c56b282c6cd26369b111f2e89e18391fbf7c4ff396cd80
Date: Jan 09, 2008
Features
- bugfixes for closed beta test version, not recommended for widespread deployment
Bug Fixes
- Fixup building the source from another directory.
- Fixup failure on start due to lack of entropy.
Unbound 0.7.1
Download: unbound-0.7.1.tar.gz
SHA1 checksum: f0d50a5c7505b138c23f1fbeddda0ecc44430806
SHA256 checksum: 260f1a30ba62654436c55b59fc8d43251995d59a19dc9199cd6ede4279cb2bf1
Date: Nov 19, 2007
Features
- bugfixes for closed beta test version, not recommended for widespread deployment
Bug Fixes
- Fixes in make test to kill daemons more thoroughly after test
- NSEC/RRSIG not downcased, from dnssec-bis-updates draft-06
- libevent not found error nicer
- README discusses GNU make needs
Unbound 0.7
Download: unbound-0.7.tar.gz
SHA1 checksum: f3baa63b522b50124c07769fadd89e8644b4f306
SHA256 checksum: d68ad1572d75c849c7e3e16aba42146d670648c1ba488b3505caf402dd9d7dbb
Date: Nov 16, 2007
Features
- closed beta test version, not recommended for widespread deployment
- support branch for closed beta participants
Unbound 0.6
Download: unbound-0.6.tar.gz
SHA1 checksum: 5f603c04d64a98dadec2da6003808c41f6ecf3ec
SHA256 checksum: 08ff46c564341698ab06df3eb6552ee314ecdfd1514cf17078509e1113a76776
Date: Nov 16, 2007
Features
- Operational features.
- Secured by default (chroot).
- Memory leaks gone, lameness detection, corner cases and various fixes
- config file checker unbound-checkconf
- root hints file supported
- ldns library tarball included in source package for ease of installation
- This code is pre-beta and not recommended for operational
deployment.
Unbound 0.5
Download: unbound-0.5.tar.gz
SHA1 checksum: d722ebc164d3eaa0eb5a74e0589197e66bae19c2
SHA256 checksum: f2547026ed911f7068f28728c98e3b25df81e723d040231eb120607a4c2b2396
Date: Nov 2, 2007
Features
- Validation.
- Fixes to recursive iterator code.
- This code is pre-beta and not recommended for operational
deployment.
Unbound 0.4
Download: unbound-0.4.tar.gz
SHA1 checksum: c06d9dff0cecffb16bcf9dc42f439b62b872a19b
SHA256 checksum: 7adc910b345511d928b4dba9da98713c3941a7b72075404f2613a72e0a58fde7
Date: Sep 20, 2007
Features
- Caching resolver.
- This code is pre-beta and not recommended for operational
deployment.
Unbound 0.3
Download: unbound-0.3.tar.gz
SHA1 checksum: 9157eafad4ab04a5311bcb25da27ad158fa4c26b
SHA256 checksum: de014e54b3fb2d8f853afb6edc20344ffadf1964dbb68c384d2ccb643830de1d
Date: June 20, 2007
Features
- Forwarder with RRset cache.
- This code is pre-beta and not recommended for operational
deployment.
Unbound 0.2
Download: unbound-0.2.tar.gz
SHA1 checksum: faa348486670073f80b30bae00a4d221fe4c002e
SHA256 checksum: 4f2cb6ef18b1e5affcfa78e2a5e1ef15656975bb7c375f30dfa1e6efbdb0338c
Date: May 1, 2007
Features
- Basic caching forwarder
- This code is pre-beta and not recommended for operational
deployment.
Unbound 0.1
Download: unbound-0.1.tar.gz
SHA1 checksum: e14826892d9e4a841c551df3fd902a2bcc94f069
SHA256 checksum: beb6c00750927425645780c26072e4de0e272004d0308c4a59b21d603861c50f
Date: Mar 28, 2007
Features
- Threaded non-caching forwarder.
- This code is pre-beta and not recommended for operational
deployment.
Unbound 0.0
Download: unbound-0.0.tar.gz
SHA1 checksum: 967cdd2654b84335622842ee1f39984cfbb39f25
SHA256 checksum: b9b107b39b526cbdd93400f2ee343a0a571f82d84b91ee010aecd665445b29f5
Date: Feb 19, 2007
Features
- Build environment, configure, make and a non-caching DNS
forwarder.
- This code is pre-beta and not recommended for operational
deployment.