Maintained by: NLnet Labs

[Unbound-users] Unbound 1.4.17 release

W.C.A. Wijngaards
Thu May 24 10:51:49 CEST 2012

Hash: SHA1


There is a new version of unbound: 1.4.17.
It is available here:
sha1 fea4d812c03af4737ef671ac30b7b7400d346516
sha256 2637d6bda4065d7abf1cd11ee25bfc8e916241153c2d331de99ab6c63df5e3d3
windows port (and exe)

This release has hotly wanted (and debated) features, and a list of
bug fixes.  Features included are more unbound-control commands,
round-robin option, minimal-response option, ECDSA, forward-first.

Maintainers, this release implements ECDSA (elliptic curve) signature
functions for DNSSEC, it is enabled by default.  This needs openssl
0.9.8 or later and ldns compiled with ecdsa support (1.6.13rc1 is just
out that does this).  Although unbound's ECDSA implementation will
work with openssl 0.9.8, the workaround is not implemented inside ldns
which will just compile --with-ecdsa with openssl 0.9.8 (it works
enough with 0.9.8 to support unbound, though).  This is because of a
bug in the openssl EVP API with mixed algorithms that is fixed in
openssl 1.0.0.

o   unbound-control forward_add, forward_remove, stub_add, stub_remove
    can modify stubs and forwards for running unbound they can also add
    and remove domain-insecure for the zone. This is to support
    reconfiguration of a DNSSEC validator on a computer that changes
    networks and has to enable new network config for the new location.
o   new approach to NS fetches for DS lookup that works with
    cornercases, and is more robust and considers forwarders.
o   contrib/validation-reporter follows rotated log file (patch from
    Augie Schwer).
o   Applied patch from Daisuke HIGASHI for rrset-roundrobin and minimal-
    responses features (new options, enable in unbound.conf to use).
o   ECDSA support (RFC 6605) by default. Use --disable-ecdsa for older
o   Patch for access to full DNS packet data in unbound python module
    from Ondrej Mikle.
o   forward-first option. Tries without forward if a query fails. Also
    stub-first option that is similar.

Bug Fixes
o   Fix possible uninitialised variable in windows pipe implementation.
o   Fix alignment problem in util/random on sparc64/freebsd.
o   Fix for accept spinning reported by OpenBSD.
o   Fix validation of nodata for DS query in NSEC zones, reported by
    Ondrej Mikle.
o   [bugzilla: 444 ] Fix that setusercontext was called too late
    (thanks Bjorn Ketelaars).
o   [bugzilla: 443 ] Fix --with-chroot-dir not honoured by configure.
o   [bugzilla: 442 ] Fix that Makefile depends on pythonmod
    headers even using --without-pythonmodule.
o   Fix to locate nameservers for DS lookup with NS fetches.
o   Applied line-buffer patch from Augie Schwer to
o   flush_infra cleans timeouted servers from the cache too.
o   Fix from code review, if EINPROGRESS not defined chain if
    statement differently.
o   [bugzilla: 434 ]
    Fix windows port to check registry for config file location for
    unbound-control.exe, and unbound-checkconf.exe.
o   Fix to squelch 'network unreachable' errors from tcp connect in
    logs, high verbosity will show them.
o   Fix prefetch and sticky NS ghost domain. It picks nameservers that
    'would be valid in the future', and if this makes the NS timeout,
    it updates that NS by asking delegation from the parent again. If
    child NS has longer TTL, that TTL does not get refreshed from the
    lookup to the child nameserver.
o   RT#2955 Fix for cygwin compilation.
o   Slightly smaller critical region in one case in infra cache.
o   Fix timeouts to keep track of query type, A, AAAA and other, if
o   another has caused timeout blacklist, different type can still
o   unit test fix for nomem_cnametopos.rpl race condition.
o   fix memory leak in errorcase for DSA signatures.
o   workaround for openssl 0.9.8 ecdsa sha2 and evp problem.
o   fix for windows, rename() is not posix compliant on windows.
o   iana portlist updated

Best regards,
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla -