Created attachment 177987 [details]
Path to update to 1.6.0
Unbound 1.6.0 has a number of features and bugfixes. More extensible
EDNS support. Views and local-zone tags provide for more feature rich
filtering options, with CNAME support. SSL configuration features to
turn on dns over tls for particular parts of the namespace.
- Added generic EDNS code for registering known EDNS option codes,
bypassing the cache response stage and uniquifying mesh states. Four
EDNS option lists were added to module_qstate
(module_qstate.edns_opts_*) to store EDNS options from/to front/back side.
- Added two flags to module_qstate (no_cache_lookup, no_cache_store)
that control the modules' cache interactions.
- Added code for registering inplace callback functions. The
registered functions can be called just before replying with local
data or Chaos, replying from cache, replying with SERVFAIL,
replying with a resolved query, sending a query to a nameserver.
The functions can inspect the available data and maybe change
response/query related data (i.e. append EDNS options).
- Updated Python module for the above.
- Updated Python documentation.
- Added views functionality.
- Added qname-minimisation-strict config option.
- Patch that resolves CNAMEs entered in local-data conf statements
that point to data on the internet, from Jinmei Tatuya (Infoblox).
- serve-expired config option: serve expired responses with TTL 0.
- .gitattributes line for githubs code language display.
- log-identity: config option to set sys log identity, patch from
"Robin H. Johnson" (email@example.com).
- Added stub-ssl-upstream and forward-ssl-upstream options.
- Added local-zones and local-data bulk addition and removal
functionality in unbound-control (local_zones, local_zones_remove,
local_datas and local_datas_remove).
- g.root-servers.net has AAAA address.
- Fix #836: unbound could echo back EDNS options in an error response.
- Fix #838: 1.5.10 cannot be built on Solaris, undefined PATH_MAX.
- Fix #839: Memory grows unexpectedly with large RPZ files.
- Fix #840: infinite loop in unbound_munin_ plugin on unowned lockfile.
- Fix #841: big local-zone's make it consume large amounts of memory.
- Fix dnstap relaying "random" messages instead of resolver/forwarder
responses, from Nikolay Edigaryev.
- Fix Nits for 1.5.10 reported by Dag-Erling Smorgrav.
- Fix #1117: spelling errors, from Robert Edmonds.
- iana portlist update.
- fix memoryleak logfile when in debug mode.
- Re-fix #839 from view commit overwrite.
- Fixup const void cast warning.
- Removed patch comments from acllist.c and msgencode.c
- Added documentation doc/CNAME-basedRedirectionDesignNotes.pdf,
from Jinmei Tatuya (Infoblox).
- Fix #1125: unbound could reuse an answer packet incorrectly for
clients with different EDNS parameters, from Jinmei Tatuya.
- Fix #1118: libunbound.pc sets strange Libs, Libs.private values.
- Added Requires line to libunbound.pc
- Fix #1130: whitespace in example.conf.in more consistent.
- suppress compile warning in lex files.
- init lzt variable, for older gcc compiler warnings.
- fix --enable-dsa to work, instead of copying ecdsa enable.
- Fix DNSSEC validation of query type ANY with DNAME answers.
- Fixup query_info local_alias init.
- Ported tests for local_cname unit test to testbound framework.
- Fix #1134: unbound-control set_option -- val-override-date: \-1
works immediately to ignore datetime, or back to 0 to enable it
again. The -- is to ignore the '-1' as an option flag.
- Patch for server.num.zero_ttl stats for count of expired replies, from
- Fix failure to build on arm64 with no sbrk.
- Set OpenSSL security level to 0 when using aNULL ciphers.
- configure detects ssl security level API function in the autoconf
manner. Every function on its own, so that other libraries (eg.
LibreSSL) can develop their API without hindrance.
- Fix #1154: segfault when reading config with duplicate zones.
- Note that for harden-below-nxdomain the nxdomain must be secure,
this means nsec3 with optout is insufficient.
- Fix #1155: test status code of unbound-control in 04-checkconf,
not the status code from the tee command.
- Fix #1158: reference RFC 8020 "NXDOMAIN: There Really Is Nothing
Underneath" for the harden-below-nxdomain option.
- patch from Dag-Erling Smorgrav that removes code that relies on
- Make access-control-tag-data RDATA absolute. This makes the RDATA
origin consistent between local-data and access-control-tag-data.
- Fix NSEC ENT wildcard check. Matching wildcard does not have to
be a subdomain of the NSEC owner.
- QNAME minimisation uses QTYPE=A, therefore always check cache
for this type in harden-below-nxdomain functionality.
- Added unit test for QNAME minimisation + harden below nxdomain synergy.
- Fix that with openssl 1.1 control-use-cert: no uses less cpu, by
using no encryption over the unix socket.
- hyphen as minus fix, by Andreas Schulze
- Fix #1170: document that 'inform' local-zone uses local-data.
- Fix #1173: differ local-zone type deny from unset tag_actions element.
- Add DSA support for OpenSSL 1.1.0
- Fix remote control without cert for LibreSSL
- Fix downcast warnings from visual studio in sldns code.
Best regards, Wouter
A commit references this bug:
Date: Sat Dec 17 13:20:19 UTC 2016
New revision: 428760
- Update to 1.6.0
- Do not silence installation message
- While I'm here:
- Move LIB_DEPENDS upwards
- Use = instead of += for CONFIGURE_ARGS and USES
- Convert to options helper
- Use TEST_TARGET
Submitted by: Jaap Akkerhuis <jaap@NLnetLabs.nl> (maintainer)