Unbound 1.19.3rc2 pre-release

Wouter Wijngaards wouter at nlnetlabs.nl
Mon Mar 11 10:49:32 UTC 2024


Hi,

Unbound 1.19.3rc2 pre-release is available:
https://nlnetlabs.nl/downloads/unbound/unbound-1.19.3rc2.tar.gz
sha256 d5519cdd078d29c2b16bbebf7361374e356b79e8632e6e2c9f1dbe2532518eec
pgp https://nlnetlabs.nl/downloads/unbound/unbound-1.19.3rc2.tar.gz.asc

This is RC2 of the 1.19.3rc2 pre-release of Unbound.

The changes in RC2 compared to RC1 are an update to the Windows 
unbound-control-setup.cmd, so that it creates valid self-signed 
certificates for use with unbound-control, and a fix for the synthesized 
CNAME TTL value.

Bug Fixes:
- Fix unbound-control-setup.cmd to use 3072 bits so that certificates
   are long enough for newer OpenSSL versions.
- Fix TTL of synthesized CNAME when a DNAME is used from cache.
- Fix unbound-control-setup.cmd to have CA v3 basicConstraints,
   like unbound-control-setup.sh has.

Best regards, Wouter

On 3/7/24 12:08, Wouter Wijngaards via maintainers wrote:
> Hi,
> 
> Unbound 1.19.3rc1 pre-release is available:
> https://nlnetlabs.nl/downloads/unbound/unbound-1.19.3rc1.tar.gz
> sha256 9445dbb3a79c8155c6d25b72e6a0f85e1dc3b63f794e6b1f7a02d14588d905be
> pgp https://nlnetlabs.nl/downloads/unbound/unbound-1.19.3rc1.tar.gz
> 
> This is the maintainer's pre-release of Unbound 1.19.3rc1.
> 
> This release has a number of bug fixes. The CNAME synthesized for a
> DNAME record uses the original TTL of the DNAME record, and that means
> it can be cached for the TTL instead of 0.
> 
> There is a fix that when a message was stored in cache, but one of the
> RRsets was not updated due to cache policy, it now restricts the message
> TTL if the cache version of the RRset has a shorter TTL. It avoids a
> bug where the message is not expired, but its contents are expired.
> 
> For dnstap, it logs type DoH and DoT correctly, if that is used for
> the message.
> 
> The b.root-servers.net address is updated in the default root hints.
> 
> When performing retries for failed sends, a retry at a smaller UDP size
> is now not performed when that attempt is not actually smaller, and at
> defaults, since the flag day changes, it is the same size. This makes
> it skip the step; it is useless because there is no reduction in size.
> 
> Clients with a valid DNS Cookie will bypass the ratelimit, if one is
> set. The value from ip-ratelimit-cookie is used for these queries.
> 
> Furthermore there is a fix to make correct EDE Prohibited answers for
> access control denials, and a fix for EDNS client subnet scope zero
> answers.
> 
> Features:
> - Merge PR #973: Use the origin (DNAME) TTL for synthesized CNAMEs as
>    per RFC 6672.
> 
> Bug Fixes:
> - Fix unit test parse of origin syntax.
> - Use 127.0.0.1 explicitly in tests to avoid delays and errors on
>    newer systems.
> - Fix #964: config.h.in~ backup file in release tarballs.
> - Merge #968: Replace the obsolescent fgrep with grep -F in tests.
> - Merge #971: fix 'WARNING: Message has 41 extra bytes at end'.
> - Fix #969: [FR] distinguish Do53, DoT and DoH in the logs.
> - Fix dnstap that assertion failed on logging other than UDP and TCP
>    traffic. It lists it as TCP traffic.
> - Fix to sync the tests script file common.sh.
> - iana portlist update.
> - Updated IPv4 and IPv6 address for b.root-servers.net in root hints.
> - Update test script file common.sh.
> - Fix tests to use new common.sh functions, wait_logfile and
>    kill_from_pidfile.
> - Fix #974: doc: default number of outgoing ports without libevent.
> - Merge #975: Fixed some syntax errors in rpl files.
> - Fix root_zonemd unit test, it checks that the root ZONEMD verifies,
>    now that the root has a valid ZONEMD.
> - Update example.conf with cookie options.
> - Merge #980: DoH: reject non-h2 early. To fix #979: Improve errors
>    for non-HTTP/2 DoH clients.
> - Merge #985: Add DoH and DoT to dnstap message.
> - Fix #983: Sha1 runtime insecure change was incomplete.
> - Remove unneeded newlines and improve indentation in remote control
>    code.
> - Merge #987: skip edns frag retry if advertised udp payload size is
>    not smaller.
> - Fix unit test for #987 change in udp1xxx retry packet send.
> - Merge #988: Fix NLnetLabs#981: dump_cache truncates large records.
> - Fix to link with -lcrypt32 for OpenSSL 3.2.0 on Windows.
> - Fix to link with libssp for libcrypto and getaddrinfo check for
>    only header. Also update crosscompile to remove ssp for 32bit.
> - Merge #993: Update b.root-servers.net also in example config file.
> - Update workflow for ports to use newer openssl on windows compile.
> - Fix warning for windres on resource files due to redefinition.
> - Fix for #997: Print details for SSL certificate failure.
> - Update error printout for duplicate trust anchors to include the
>    trust anchor name (relates to #920).
> - Update message TTL when using cached RRSETs. It could result in
>    non-expired messages with expired RRSETs (non-usable messages by
>    Unbound).
> - Merge #999: Search for protobuf-c with pkg-config.
> - Fix #1006: Can't find protobuf-c package since #999.
> - Fix documentation for access-control in the unbound.conf man page.
> - Merge #1010: Mention REFUSED has the TC bit set with unmatched
>    allow_cookie acl in the manpage. It also fixes the code to match the
>    documentation about clients with a valid cookie that bypass the
>    ratelimit regardless of the allow_cookie acl.
> - Document the suspend argument for process_ds_response().
> - Move github workflows to use checkoutv4.
> - Fix edns subnet replies for scope zero answers to not get stored
>    in the global cache, and in cachedb, when the upstream replies
>    without an EDNS record.
> - Fix for #1022: Fix ede prohibited in access control refused answers.
> 
> Best regards, Wouter
> _______________________________________________
> maintainers mailing list
> maintainers at lists.nlnetlabs.nl
> https://lists.nlnetlabs.nl/mailman/listinfo/maintainers
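The DNAME-to-CNAME synthesis that these release notes change (RFC 6672 substitution, with the synthesized CNAME carrying the DNAME's TTL, or its remaining TTL when the DNAME is served from cache, rather than 0) is sketched below as an added example. It is not Unbound's code; the record type, the tiny cache of (record, insert-time) pairs and all names and TTLs are constructed for illustration.

```python
"""Added example, not Unbound's code: RFC 6672 CNAME synthesis from a DNAME,
giving the synthesized CNAME the DNAME's (remaining) TTL instead of 0.
Names, TTLs and the cache structure are constructed for illustration."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class RR:
    """One resource record; names are stored absolute (trailing dot), lowercase."""
    name: str
    rtype: str
    ttl: int
    rdata: str


class YXDomain(Exception):
    """Substitution produced a name longer than 255 octets; RFC 6672 says
    a resolver answers YXDOMAIN in that case instead of synthesizing."""


def normalize(name: str) -> str:
    """Lowercase and force a single trailing dot so suffix matching is exact."""
    return name.lower().rstrip(".") + "."


def wire_length(name: str) -> int:
    """Length of a name in DNS wire format: one length octet per label plus
    the label bytes, plus the terminating root label."""
    labels = [lab for lab in normalize(name).split(".") if lab]
    return sum(len(lab) + 1 for lab in labels) + 1


def synthesize_cname(qname: str, dname: RR, remaining_ttl: Optional[int] = None) -> RR:
    """Synthesize the CNAME a resolver returns for qname below a DNAME owner.

    Owner of the CNAME is qname; its target is qname with the DNAME owner
    suffix replaced by the DNAME target.  The TTL is the DNAME's TTL (capped
    to the remaining TTL when the DNAME came from cache), not 0."""
    if dname.rtype != "DNAME":
        raise ValueError("not a DNAME record")
    qname = normalize(qname)
    owner = normalize(dname.name)
    target = normalize(dname.rdata)
    # A DNAME applies only to names strictly below its owner; a query for the
    # owner itself is answered with the DNAME RR and nothing is synthesized.
    if qname == owner or not qname.endswith("." + owner):
        raise ValueError(f"{qname} is not below DNAME owner {owner}")
    prefix = qname[: -len(owner)]  # keeps its trailing dot, e.g. "www."
    new_target = prefix + target
    if wire_length(new_target) > 255:
        raise YXDomain(new_target)
    ttl = dname.ttl if remaining_ttl is None else min(dname.ttl, remaining_ttl)
    return RR(qname, "CNAME", ttl, new_target)


def answer_from_cache(qname: str, cache: List[Tuple[RR, int]], now: int) -> Optional[RR]:
    """Serve qname from a constructed cache of (DNAME, insert_time) pairs.

    The synthesized CNAME carries the DNAME's remaining TTL, so a downstream
    cache keeps it exactly as long as the DNAME itself is still valid."""
    q = normalize(qname)
    for rr, inserted_at in cache:
        remaining = rr.ttl - (now - inserted_at)
        if remaining <= 0:
            continue  # expired entry; a real resolver would refetch upstream
        owner = normalize(rr.name)
        if q != owner and q.endswith("." + owner):
            return synthesize_cname(q, rr, remaining)
    return None


if __name__ == "__main__":
    d = RR("example.com.", "DNAME", 3600, "example.net.")
    print(synthesize_cname("www.example.com.", d))
    print(answer_from_cache("mail.example.com.", [(d, 1000)], 1600))
```

With the cached DNAME inserted at time 1000 and a query at time 1600, the CNAME comes back with TTL 3000 (the 600 seconds already spent are subtracted), which is what lets a client cache the synthesized answer without outliving the DNAME that produced it.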