From 1140e5bca5fab508e22b38bb6604b6a6f90eaf71 Mon Sep 17 00:00:00 2001 
From: Paul Menzel
Date: Mon, 18 Jun 2018 19:36:34 +0200
Subject: [PATCH] unbound: Update version from 1.7.0 to 1.7.2

[Release notes][1]:

> ## Unbound 1.7.1 ##
>
> ### Features ###
>
> * Add --with-libhiredis, unbound support for a new cachedb backend that uses a Redis server as the storage. This implementation depends on the hiredis client library (https://redislabs.com/lp/hiredis/). And unbound should be built with both --enable-cachedb and --with-libhiredis[=PATH] (where $PATH/include/hiredis/hiredis.h should exist). Patch from Jinmei Tatuya (Infoblox).
> * Create additional tls service interfaces by opening them on other portnumbers and listing the portnumbers as additional-tls-port: nr.
> * ED448 support.
> * num.query.authzone.up and num.query.authzone.down statistics counters.
> * Accept both option names with and without colon for get_option and set_option.
> * low-rtt and low-rtt-pct in unbound.conf enable the server selection of fast servers for some percentage of the time.
> * num.query.aggressive.NOERROR and num.query.aggressive.NXDOMAIN statistics counters.
> * allow-notify: config statement for auth-zones.
> * Can set tls authentication with forward-addr: IP#tls.auth.name And put the public cert bundle in tls-cert-bundle: "ca-bundle.pem". such as forward-addr: 9.9.9.9@853#dns.quad9.net or 1.1.1.1@853#cloudflare-dns.com
> * list_auth_zones unbound-control command.
> * Added root-key-sentinel support
>
> ### Bug Fixes ###
>
> * Fix #3727: Protocol name is TLS, options have been renamed but documentation is not consistent.
> * Check IXFR start serial.
> * Fix typo in documentation.
> * Fix #3736: Fix 0 TTL domains stuck on SERVFAIL unless manually flushed with serve-expired on.
> * Fix #3817: core dump happens in libunbound delete, when queued servfail hits deleted message queue.
> * corrected a minor typo in the changelog.
> * move htobe64/be64toh portability code to cachedb.c.
> * iana port update.
> * Do not use cached NSEC records to generate negative answers for domains under DNSSEC Negative Trust Anchors.
> * Fix unbound-control get_option aggressive-nsec
> * Check "result" in dup_all(), by Florian Obser.
> * Fix #4043: make test fails due to v6 presentation issue in macOS.
> * Fix unable to resolve after new WLAN connection, due to auth-zone failing with a forwarder set. Now, auth-zone is only used for answers (not referrals) when a forwarder is set.
> * Combine write of tcp length and tcp query for dns over tls.
> * nitpick fixes in example.conf.
> * Fix above stub queries for type NS and useless delegation point.
> * Fix unbound-control over pipe with openssl 1.1.1, the TLSv1.3 tls_choose_sigalg routine does not allow the ciphers for the pipe, so use TLSv1.2.
> * Fix that flush_zone sets prefetch ttl expired, so that with serve-expired enabled it'll start prefetching those entries.
> * Fix downstream auth zone, only fallback when auth zone fails to answer and fallback is enabled.
> * Fix for max include depth for authzones.
> * Fix memory free on fail for $INCLUDE in authzone.
> * Fix that an internal error to look up the wrong rr type for auth zone gets stopped, before trying to send there.
> * Fix auth zone target lookup iterator.
> * Fix auth-zone retry timer to be on schedule with retry timeout, with backoff. Also time a refresh at the zone expiry.
> * Fix #658: unbound using TLS in a forwarding configuration does not verify the server's certificate (RFC 8310 support).
> * For addr with #authname and no @port notation, the default is 853.
> * man page documentation for dns-over-tls forward-addr '#' notation.
> * removed free from failed parse case.
> * Fix #4091: Fix that reload of auth-zone does not merge the zonefile with the previous contents.
> * Delete auth zone when removed from config.
> * makedist uses bz2 for expat code, instead of tar.gz.
> * Fix #4092: libunbound: use-caps-for-id lacks colon in config_set_option.
> * auth zone http download stores exact copy of downloaded file, including comments in the file.
> * Fix sldns parse failure for CDS alternate delete syntax empty hex.
> * Attempt for auth zone fix; add of callback in mesh gets from callback does not skip callback of result.
> * Fix cname classification with qname minimisation enabled.
> * Fix contrib/fastrpz.patch for this release.
> * Fix auth https for libev.
> * Fix memory leak when caching wildcard records for aggressive NSEC use
> * Fix for crash in daemon_cleanup with dnstap during reload, from Saksham Manchanda.
> * Also that for dnscrypt.
>
> ## Unbound 1.7.2 ##
>
> ### Features ###
>
> * Fix low-rtt-pct to low-rtt-permil, as it is parts in one thousand.
> * Qname minimisation default changed to yes.
> * Use accept4 to speed up incoming TCP (and TLS) connections, available on Linux, FreeBSD and OpenBSD.
> * tls-win-cert option that adds the system certificate store for authenticating DNS-over-TLS connections. It can be used instead of the tls-cert-bundle option, or with it to add certificates.
> * Patch from Syzdek: Add ability to ignore RD bit and treat all requests as if the RD bit is set.
> * Rename additional-tls-port to tls-additional-ports. The older name is accepted for backwards compatibility.
>
> ### Bug Fixes ###
>
> * Fix for crash in daemon_cleanup with dnstap during reload, from Saksham Manchanda.
> * Also that for dnscrypt.
> * Fix spelling error in man page and note defaults as no instead of off.
> * Fix that unbound-control reload frees the rrset keys and returns the memory pages to the system.
> * Fix fail to reject dead peers in forward-zone, with ssl-upstream.
> * Fix that configure --with-libhiredis also turns on cachedb.
> * Fix gcc 8 buffer warning in testcode.
> * Fix function type cast warning in libunbound context callback type.
> * Fix windows to not have sticky TLS events for TCP.
> * Fix read of DNS over TLS length and data in one read call.
> * Fix mesh state assertion failure due to callback removal.
> * Fix contrib/libunbound.pc for libssl libcrypto references, from https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=226914
> * Fix that libunbound can do DNS-over-TLS, when configured.
> * Fix that windows unbound service can use DNS-over-TLS.
> * unbound-host initializes ssl (for potential DNS-over-TLS usage inside libunbound), when ssl upstream or a cert-bundle is configured.
> * For TCP and TLS connections that don't establish, perform address update in infra cache, so future selections can exclude them.
> * Fix that tcp sticky events are removed for closed fd on windows.
> * Fix close events for tcp only.
> * Fix windows tcp and tls spin on events.
> * Add routine from getdns to add windows cert store to the SSL_CTX.
> * in compat/arc4random call getentropy_urandom when getentropy fails with ENOSYS.
> * Fix that fallback for windows port.
> * Fix deadlock caused by incoming notify for auth-zone.

[1]: http://www.unbound.net/download.html
---
 unbound.be0 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/unbound.be0 b/unbound.be0 index 19afd0d81..fb36683d3 100755 --- a/unbound.be0 +++ b/unbound.be0 @@ -1,6 +1,6 @@ #!/usr/bin/env beesh -# BEE_VERSION unbound-1.7.0-0 +# BEE_VERSION unbound-1.7.2-0 ## this file was created by bee init and should be executed to build a ## bee-package. (Additional hints are located at the end of this file.)
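Review bot: The hunk changes only the BEE_VERSION line (unbound-1.7.0-0 to unbound-1.7.2-0) and the rest of unbound.be0 is outside the diff, so it is not visible whether the source URL and any checksum the build script uses are derived from that string; please confirm the 1.7.2 tarball is fetched and verified with nothing else in the file needing an update. The quoted 1.7.2 notes also rename two options (additional-tls-port to tls-additional-ports, low-rtt-pct to low-rtt-permil) and change the qname-minimisation default to yes, so any unbound.conf the package ships should be checked against them, and a one-line note to that effect in the commit message would help future readers more than the full quoted changelog alone.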