Maintained by: NLnet Labs

[Unbound-users] unbound 1.4.14 release

W.C.A. Wijngaards
Mon Dec 19 12:27:13 CET 2011



Hi,

Unbound 1.4.14 is released, get it here:
http://unbound.net/downloads/unbound-1.4.14.tar.gz
sha1 1435029abe63d0106213acb9f173b885183cf1d7
sha256 c15b85145e3175f3d933837071b4ffaae8da4a394139ac0e7f3dfee11712e7d3

It contains a patch for VU#209659 CVE-2011-4528: Unbound denial of
service vulnerabilities from nonstandard redirection and denial of
existence.  http://www.unbound.net/downloads/CVE-2011-4528.txt

Therefore, 1.4.14 does not equal 1.4.14rc1, it has code changes (this
patch and some other fixes found during the review process).

Major changes are a new BSD-compatible makefile (with BSD make) and
SSL-wrapped query support (for dnssec-trigger, for passing firewalls; it
does *not* check the actual SSL certificate at this time).

It stores timeouts per zone name, for compatibility with servers that
drop out-of-served-zone queries.  It attempts EDNS1480 (or 12xx on
ip6) probes in case EDNS0 fails, to work around fragmentation issues
more easily.


Features
-   Makefile changed for BSD make compatibility.
-   DNS over SSL support as a client; ssl-upstream yes turns it on. It
performs an SSL transaction for every DNS query.
-   DNS over SSL support as a server; ssl-service-pem and
ssl-service-key files can be given and then TCP queries are serviced
wrapped in SSL.
-   lame-ttl and lame-size options no longer exist; they are integrated
with the host info. They are ignored (with verbose warning) if
encountered, to keep the config file backwards compatible.
-   TCP-upstream calculates tcp-ping so server selection works if
there are alternatives.
-   Unbound probes at EDNS1480 if there is an EDNS0 timeout.

Bug Fixes
-   Fix for VU#209659 CVE-2011-4528: Unbound denial of service
vulnerabilities from nonstandard redirection and denial of existence
http://www.unbound.net/downloads/CVE-2011-4528.txt
-   Fix for tcp-upstream and ssl-upstream for when a laptop sleeps,
which causes SERVFAILs. Also fixed for UDP (but less likely).
-   Fix quartile time estimate, it was too low (thanks Jan Komissar).
-   Fix double free in unbound-host, reported by Steve Grubb.
-   Fix -flto detection on Lion for llvm-gcc.
-   [bugzilla: 416] Infra cache stores information about ping and
lameness per IP, zone.
-   [bugzilla: 415] Fix resolve of partners.extranet.microsoft.com
with a fix for the server selection for choosing out of a (particular)
list of bad choices.
-   Fix make_new_space function so that the incoming query is not
overwritten if a jostled-out query causes a waiting query to be
resumed that then fails and sends an error message. (Thanks to Matthew
Lee).
-   Fix unbound-anchor for broken strptime on OSX Lion, detected in
configure.
-   Detect if GOST really works; openssl 1.0 on OSX fails.
-   Implement ipv6%interface notation for scope_id usage.
-   Better documentation for inform_super (thanks Yang Zhe).
-   Fix for out-of-memory condition in libunbound (thanks Robert
Fleischman).
-   Fix --enable-allsymbols, it depended on link specifics of the
target platform, or fptr_wlist assertion failures could occur. The
feature is disabled on Windows.
-   Updated contrib/unbound_munin_ to family=auto so that it works
with munin-node-configure automatically (if installed as
/usr/local/share/munin/plugins/unbound_munin_ ).
-   unbound.exe -w windows option for start and stop service.
-   Fix classification of NS set in answer section, where there is a
parent-child server, and the answer has the AA flag, for dir.slb.com.
Thanks to Amanda Constant from Secure64.
-   [bugzilla: 408] Accept patch from Steve Snyder that comments out
unused functions in lookup3.c.
-   Fix various compiler warnings (reported by Paul Wouters).
-   Max sent count. EDNS1480 only for rtt < 5000. No promiscuous fetch
if sentcount > 3, stop query if sentcount > 16. Count is reset when
referral or CNAME happens. This makes unbound better at managing large
NS sets; they are explored when there is continued interest (in the
form of queries).
-   Remove uninit warning from cachedump code.
-   Fix parse error on negative SOA RRSIGs if badly ordered in the packet.
-   Fix infra cache comparison.
-   Fix to constrain signer_name to be a parent of the lookupname.
-   Robust checks for next-closer NSEC3s.
-   IANA portlist updated.

Best regards,
   Wouter