Created attachment 177987 [details]
Path to update to 1.6.0

Unbound 1.6.0 has a number of features and bugfixes.  More extensible
EDNS support.  Views and local-zone tags provide for more feature rich
filtering options, with CNAME support.  SSL configuration features to
turn on dns over tls for particular parts of the namespace.


Features
- Added generic EDNS code for registering known EDNS option codes,
  bypassing the cache response stage and uniquifying mesh states. Four
  EDNS option lists were added to module_qstate
  (module_qstate.edns_opts_*) to store EDNS options from/to front/back side.
- Added two flags to module_qstate (no_cache_lookup, no_cache_store)
  that control the modules' cache interactions.
- Added code for registering inplace callback functions. The
  registered functions can be called just before replying with local
  data or Chaos, replying from cache, replying with SERVFAIL,
  replying with a resolved query, sending a query to a nameserver.
  The functions can inspect the available data and maybe change
  response/query related data (i.e. append EDNS options).
- Updated Python module for the above.
- Updated Python documentation.
- Added views functionality.
- Added qname-minimisation-strict config option.
- Patch that resolves CNAMEs entered in local-data conf statements
  that point to data on the internet, from Jinmei Tatuya (Infoblox).
- serve-expired config option: serve expired responses with TTL 0.
- .gitattributes line for githubs code language display.
- log-identity: config option to set sys log identity, patch from
  "Robin H. Johnson" (robbat2@gentoo.org).
- Added stub-ssl-upstream and forward-ssl-upstream options.
- Added local-zones and local-data bulk addition and removal
  functionality in unbound-control (local_zones, local_zones_remove,
  local_datas and local_datas_remove).
- g.root-servers.net has AAAA address.

Bug Fixes
- Fix #836: unbound could echo back EDNS options in an error response.
- Fix #838: 1.5.10 cannot be built on Solaris, undefined PATH_MAX.
- Fix #839: Memory grows unexpectedly with large RPZ files.
- Fix #840: infinite loop in unbound_munin_ plugin on unowned lockfile.
- Fix #841: big local-zone's make it consume large amounts of memory.
- Fix dnstap relaying "random" messages instead of resolver/forwarder
  responses, from Nikolay Edigaryev.

- Fix Nits for 1.5.10 reported by Dag-Erling Smorgrav.
- Fix #1117: spelling errors, from Robert Edmonds.
- iana portlist update.
- fix memoryleak logfile when in debug mode.
- Re-fix #839 from view commit overwrite.
- Fixup const void cast warning.
- Removed patch comments from acllist.c and msgencode.c
- Added documentation doc/CNAME-basedRedirectionDesignNotes.pdf,
  from Jinmei Tatuya (Infoblox).
- Fix #1125: unbound could reuse an answer packet incorrectly for
  clients with different EDNS parameters, from Jinmei Tatuya.
- Fix #1118: libunbound.pc sets strange Libs, Libs.private values.
- Added Requires line to libunbound.pc
- Fix #1130: whitespace in example.conf.in more consistent.
- suppress compile warning in lex files.
- init lzt variable, for older gcc compiler warnings.
- fix --enable-dsa to work, instead of copying ecdsa enable.
- Fix DNSSEC validation of query type ANY with DNAME answers.
- Fixup query_info local_alias init.
- Ported tests for local_cname unit test to testbound framework.
- Fix #1134: unbound-control set_option -- val-override-date: \-1
  works immediately to ignore datetime, or back to 0 to enable it
  again.  The -- is to ignore the '-1' as an option flag.
- Patch for server.num.zero_ttl stats for count of expired replies, from
  Pavel Odintsov.
- Fix failure to build on arm64 with no sbrk.
- Set OpenSSL security level to 0 when using aNULL ciphers.
- configure detects ssl security level API function in the autoconf
  manner. Every function on its own, so that other libraries (eg.
  LibreSSL) can develop their API without hindrance.
- Fix #1154: segfault when reading config with duplicate zones.
- Note that for harden-below-nxdomain the nxdomain must be secure,
  this means nsec3 with optout is insufficient.
- Fix #1155: test status code of unbound-control in 04-checkconf,
  not the status code from the tee command.
- Fix #1158: reference RFC 8020 "NXDOMAIN: There Really Is Nothing
  Underneath" for the harden-below-nxdomain option.
- patch from Dag-Erling Smorgrav that removes code that relies on
  sbrk().
- Make access-control-tag-data RDATA absolute. This makes the RDATA
  origin consistent between local-data and access-control-tag-data.
- Fix NSEC ENT wildcard check. Matching wildcard does not have to
  be a subdomain of the NSEC owner.
- QNAME minimisation uses QTYPE=A, therefore always check cache
  for this type in harden-below-nxdomain functionality.
- Added unit test for QNAME minimisation + harden below nxdomain synergy.
- Fix that with openssl 1.1 control-use-cert: no uses less cpu, by
  using no encryption over the unix socket.
- hyphen as minus fix, by Andreas Schulze
- Fix #1170: document that 'inform' local-zone uses local-data.
- Fix #1173: differ local-zone type deny from unset tag_actions element.
- Add DSA support for OpenSSL 1.1.0
- Fix remote control without cert for LibreSSL
- Fix downcast warnings from visual studio in sldns code.

Best regards, Wouter