Maintained by: NLnet Labs

[Unbound-users] Release of unbound 1.4.0

W.C.A. Wijngaards
Thu Nov 26 14:18:26 CET 2009


The new version of unbound 1.4.0 is available:
SHA1 ad5fe28826bfc0baa5b63988361dda7e8dabfb4d
SHA256 3f67ecda501d74d8cc9e5c0aa0bcd25c4e03f09ad8e339de643333307ced9c30

It has a number of new features and a number of bugfixes.  It has
RSASHA256 and RSASHA512 support.

It supports RFC5011 updating of trust anchors, auto-trust-anchor-file:
that may be a good way to set up trust anchors so they are kept up to
date.  (Note it needs one domain per file, as it writes the domain back
to the file when it changes.)  Understand that RFC5011-tracking needs
the (server) up and connected to the internet about once per week.

Unbound 1.4.0 tries a lot harder to obtain valid dnssec data - trying
other servers and so on, and it can print out error messages
(val-log-level: 2) that pinpoint where the validation failure happened
in unbound's processing.  unbound-host is useful in that given keys it
prints out this diagnostic on the console for you.

The so-rcvbuf option is good for high-performance servers, it handles
short traffic spikes more easily.

edns-buffer-size option for possible MTU trouble, set it to 1480 or 1220
if your site cannot handle large (fragmented) replies.


    * RFC 5702: RSASHA256 and RSASHA512 support enabled by default.
Please use openssl 0.9.8 or later, that provide sha256 and sha512.
    * included ldns tarball updated (which also enables rsasha256 support).
    * val-log-level: 2 shows extended error information for validation
failures, one line per failure. For example: validation failure
< DNSKEY IN>: signature expired from for trust
anchor while building chain of trust
    * Made new validator error string available from libunbound for
applications. It is in result->why_bogus, a zero-terminated string.
unbound-host prints it by default if a result is bogus. Also the errinf
is public in module_qstate (for other modules).
    * retry on DNSSEC failures, query other servers, unbound works
harder to get valid DNSSEC data.
    * so-rcvbuf: 4m option added. Set this on large busy servers to not
drop the occasional packet in spikes due to full socket buffers. netstat
-su keeps a counter of UDP dropped due to full buffers.
    * auto-trust-anchor-file option with RFC5011 support, code from the
NLnet Labs autotrust project(BSD license), is incorporated. In this way
unbound can support trust anchor revocation properly, even revocation
back to the unsigned state. It can read normal anchor files or autotrust
files initially, after probing the file is written to in a format
specific to unbound.
    * use linebuffering for log-file: output, this can be significantly
faster than the previous fflush method and enable some class of
resolvers to use high verbosity (for short periods). Not on windows,
because line buffering does not work there.
    * Patch from Zdenek Vasicek and Attila Nagy for using the source IP
from python scripts. See pythonmod/examples/
    * Got a patch from Luca Bruno for libunbound support on windows to
pick up the system resolvconf nameservers and hosts there.
    * call OPENSSL_config() in unbound and unit test so that the
operator can use openssl.cnf for configuration options.
    * Experimental support (disabled by default) for GOST for unofficial
algorithm number 249 of draft-dolmatov-dnsext-dnssec-gost-01, tested to
work with openssl-1.0.0beta and correct for examples in -01 draft.
    * edns-buffer-size option, default 4096. Can be set to 1480 in case
of DNS UDP fragments not arriving from authority servers.
    * iana portlist updated.
    * contrib/ from Tom Hendrikx to split from
the IANA ITAR into individual key files that can be tracked with

Bug Fixes

    * fixed do-udp: no (only TCP is used).
    * removed abort on prealloc failure, error still printed but softfail.
    * Fix bug where autotrust does not work when started with a DS.
    * Fix double time subtraction in negative cache reported by Amanda
Constant and Hugh Mahon.
    * fix unbound-host so -d can be given before -C.
    * fix DNSSEC-missing-signature detection for minimal responses for
qtype DNSKEY (assumes DNSKEY occurs at zone apex).
    * fix compile of unbound-host when --enable-alloc-checks.
    * Fix lookup problem reported by Koh-ichi Ito and Jaap Akkerhuis.
    * Manual page fixes reported by Tony Finch.
    * Fix memory leak reported by Tao Ma.
    * increased MAXSYSLOGLEN so .bg key can be printed in debug output.
    * Fix bug where DNSSEC-bogus messages were marked with too high TTL.
The RRsets would still expire at the normal time, but this would keep
messages bogus in the cache for too long.
    * documented that load_cache is meant for debugging.
    * fixup printing errors when load_cache, they were printed to the
SSL connection which had just broken, now to the log.
    * Changes to make unbound work with libevent-2.0.3 alpha. (in
configure detection due to new ssl dependency in libevent).
    * do not call sphinx for documentation when python is disabled.
    * remove EV_PERSIST from libevent timeout code to make the code
compatible with the libevent-2.0. Works with older libevent too.
    * fix memory leak in python code.
    * makefile fix for parallel makes.
    * fixup unbound-control lookup to print forward and stub servers.
    * fixup memleak in trust anchor unsupported algorithm check.
    * free all memory on program exit, fix for ssl and flex.
    * fixup DS lookup at anchor point with unsigned parent.
    * fixup DLV lookup for DS queries to unsigned domains.
    * Fix so that servers are only blacklisted if they fail to reply to
16 queries in a row and the timeout gets above 2 minutes.
    * unbound-control lookup prints out infra cache information, like RTT.
    * Fix bug in DLV lookup reported by Amanda from Secure64. It could
sometimes wrongly classify a domain as unsigned, which does not give the
AD bit on replies.
    * Thanks to Surfnet found bug in new dnssec-retry code that failed
to combine well when combined with DLV and then a validation failure.
    * removed small memory leak from config file reader.
    * fix manpage errors reported by debian lintian.
    * Fixed validation failure for CNAME to optout NSEC3 nodata answer.
    * unbound-host does not fail on type ANY.
    * Fixed wireparse failure to put RRSIGs together with data in some
long ANY mix cases, which fixes validation failures.
    * Fixed signer detection of CNAME responses without signatures.
    * [bugzilla: 282 ]
      Fixed libunbound memleak on error condition by Eric Sesterhenn.

Best regards,
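
The so-rcvbuf item above points at the netstat -su counter of UDP packets dropped on full buffers. As an added example (not part of the original announcement and not unbound code), this Python script reads the same kernel counter in Linux's /proc/net/snmp layout from two samples and reports the drops in between; the sample text and the function names are constructed for illustration.

```python
# Added example, not unbound code. Linux keeps the counters that `netstat -su`
# prints in /proc/net/snmp; RcvbufErrors counts datagrams dropped because a
# socket receive buffer was full. It is system-wide, not per process.

# Constructed samples in /proc/net/snmp layout, taken some interval apart.
SAMPLE_BEFORE = """\
Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors
Udp: 120000 35 10 118000 10 0
UdpLite: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors
UdpLite: 0 0 0 0 0 0
"""
SAMPLE_AFTER = """\
Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors
Udp: 170000 36 260 167500 260 0
UdpLite: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors
UdpLite: 0 0 0 0 0 0
"""


def udp_counters(snmp_text):
    """Pair the 'Udp:' header line with its value line; 'UdpLite:' is skipped."""
    rows = [ln.split() for ln in snmp_text.splitlines() if ln.startswith("Udp:")]
    if len(rows) != 2 or len(rows[0]) != len(rows[1]):
        raise ValueError("expected one Udp header line and one matching value line")
    return dict(zip(rows[0][1:], (int(v) for v in rows[1][1:])))


def rcvbuf_drops(before_text, after_text):
    """Return (dropped, delivered) UDP datagrams between the two samples."""
    before, after = udp_counters(before_text), udp_counters(after_text)
    dropped = after["RcvbufErrors"] - before["RcvbufErrors"]
    delivered = after["InDatagrams"] - before["InDatagrams"]
    if dropped < 0 or delivered < 0:
        raise ValueError("counters went backwards (reboot or wrap); resample")
    return dropped, delivered


def advise(before_text, after_text):
    """One-line verdict on whether the so-rcvbuf option is worth setting."""
    dropped, delivered = rcvbuf_drops(before_text, after_text)
    if dropped == 0:
        return "no receive-buffer drops in this interval"
    return (f"{dropped} datagrams dropped on full buffers, {delivered} delivered: "
            "consider so-rcvbuf: 4m")


if __name__ == "__main__":
    print(advise(SAMPLE_BEFORE, SAMPLE_AFTER))
```

On a live resolver, pass the contents of /proc/net/snmp read at two points in time instead of the constructed samples.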