Maintained by: NLnet Labs

[Unbound-users] unbound release 1.4.21

W.C.A. Wijngaards
Thu Sep 19 14:45:14 CEST 2013


Unbound 1.4.21 is available for download:
sha1 3ef4ea626e5284368d48ab618fe2207d43f2cee1
sha256 502f817a72721f78243923eb1d6187029639f7a8bdcc33a6ce0819bbb2a80970

The release has a new max udp size feature that is primarily useful
for people that have full resolvers that are publicly accessible and
want to throttle reflection, by setting max-udp-size: 512; this
reduces amplification and sends TC (for TCP fallback) for larger replies.

Negative trust anchors can be added and removed with unbound-control.

The unbound.conf include files can have 100.000 includes in * or

There is a bugfix for year 2038 for 32-bit time: unbound now uses
time_t, so that if the OS defines time_t as a 64-bit long long (e.g. with
OpenBSD) unbound should be y2038 compliant.

* Implement max-udp-size config option, default 4096 (thanks Daisuke
Higashi), with fix#524 for nonEDNS0 queries.
* add unbound-control insecure_add and insecure_remove for the
administration of negative trust anchors.
* install copy of unbound-control.8 man page for unbound-control-setup.
* code improve for minimal responses, small speed increase.
* max include of 100.000 files (depth and globbed at one time). This
is to preserve system memory in bug cases, or endless cases.
* unbound.h header file has UNBOUND_VERSION_MAJOR define.
* get_option, set_option, unbound-checkconf -o and libunbound
getoption() and setoption() support cache-min-ttl and cache-max-ttl.
Also log-time-ascii, python-script, val-sig-skew-min and
val-sig-skew-max. log-time-ascii takes effect immediately. The others
are mostly useful for libunbound users.
* configure --disable-flto option (from Robert Edmonds).
* streamtcp man page, contributed by Tomas Hozza.
* Make reverse zones easier by documenting the nodefault statements
commented-out in the example config file.

Bug Fixes
* committed libunbound version 4:1:2 for binary API updated in 1.4.20
* Fix for 2038, with time_t instead of uint32_t.
* Fix resolve of names that use a mix of public and private addresses.
* [bugzilla: 492 ]
  Fix endianness detection, revert to older lookup3.c detection and
put new detect lines after previous tests, to avoid regressions but
allow new detections to succeed. And add detection for
machine/endian.h to it.
* Fix queries leaking up for stubs and forwards, if the configured
nameservers all fail to answer.
* unbound-anchor review: BIO_write can return 0 successfully if it has
successfully appended a zero length string.
* Fix so that for a configuration line of include: "*.conf" it is not
an error if there are no files matching the glob pattern.
* own implementation of compat/snprintf.c.
* [bugzilla: 491 ]
  pick program name (0th argument) as syslog identity.
* Fixup snprintf return value usage, fixed libunbound_get_option.
* Robust checks on dname validity from rdata for dname compare.
* iana portlist update.
* Fix round-robin doesn't work with some Windows clients (from Ilya
* [bugzilla: 500 ]
  use on non-initialised values on socket bind failures.
* [bugzilla: 499 ]
  use-after-free in out-of-memory handling code (thanks Jake Montgomery).
* Explain bogus and secure flags in libunbound more.
* Update acx_pthreads.m4 to ax_pthreads.4 (2013-03-29), and apply
patch to it to not fail when -Werror is also specified, from the
* Fixup manpage syntax.
* Fix for const string literals in C++ for libunbound, from Karel Slany.
* Squelch sendto-permission denied errors when the network is not
connected, to avoid spamming syslog.
* libunbound documentation on how to avoid openssl race conditions.
* [bugzilla: 512 ]
  NSS returned arrays out of setup function to be statics.
* [bugzilla: 516 ]
  dnssec lameness detection for answers that are improper.
* [bugzilla: 519 ]
  ub_ctx_delete may hang in some scenarios (libunbound).
* [bugzilla: 520 ]
  Errors found by static analysis from Tomas Hozza(redhat).

Best regards,
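The effect of the max-udp-size limit described in the announcement, as an added example that is not part of the original post and is not Unbound's code. It is a simplified model: the function names, the sample name `example.test` and the filler reply are constructed, and the limit is assumed to be the smaller of the client's advertised EDNS0 size (512 without EDNS0) and max-udp-size.

```python
import struct

TC = 0x0200           # TC (truncated) bit in the DNS header flags word
NON_EDNS_LIMIT = 512  # classic UDP limit when the query carried no EDNS0 OPT record


def encode_name(name: str) -> bytes:
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def question_end(msg: bytes) -> int:
    """Offset just past the first question (name + qtype + qclass)."""
    pos = 12
    while msg[pos] != 0:
        pos += 1 + msg[pos]
    return pos + 1 + 4


def limit_reply(reply: bytes, client_edns_size, max_udp_size: int = 4096) -> bytes:
    """Bytes to send over UDP: the reply, or a header+question stub with TC set."""
    advertised = NON_EDNS_LIMIT if client_edns_size is None else client_edns_size
    limit = min(advertised, max_udp_size)
    if len(reply) <= limit:
        return reply
    ident, flags = struct.unpack("!HH", reply[:4])
    header = struct.pack("!HHHHHH", ident, flags | TC, 1, 0, 0, 0)
    return header + reply[12:question_end(reply)]


def amplification(query_len: int, sent: bytes) -> float:
    return len(sent) / query_len


def sample_exchange():
    """Constructed query (EDNS0, 4096) and constructed 3030-byte reply with filler payload."""
    q = encode_name("example.test") + struct.pack("!HH", 255, 1)   # qtype ANY, class IN
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0)           # OPT RR advertising 4096
    query = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1) + q + opt
    reply = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 20, 0, 0) + q + b"\x00" * 3000
    return query, reply


if __name__ == "__main__":
    query, reply = sample_exchange()
    for size in (4096, 512):  # default from the changelog vs. the throttled setting
        sent = limit_reply(reply, 4096, size)
        print(f"max-udp-size {size}: {len(sent)} bytes, {amplification(len(query), sent):.1f}x")
```

With the default of 4096 the 41-byte query draws the full 3030-byte reply over UDP; with 512 it draws a 30-byte TC stub and the client has to retry over TCP.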