Created attachment 193019 [details]
patch to update
This release has root key sentinel support, default on, from draft
draft-ietf-dnsop-kskroll-sentinel. The root key sentinel helps the root
key rollover process by providing insight into the distribution of the
key material over the resolver population. For that, the resolver gives
responses indicating which keys are in use by the resolver.
Crypto support for ED448 has been added. ED25519 was already supported
in a previous release. The crypto algorithm code is default turned on
if support is detected at configure time. The openssl 1.1.1 beta
versions have ED448, and also ED25519 support.
For DNS over TLS, the tcp length is sent in the same packet as the tcp
content, for the TLS connections, providing a speed up. Also TLS
authentication can be enabled by specifying the TLS auth name in
unbound.conf. An example config for large public cloud dns over tls
resolvers is this.
It is possible to have unbound as a TLS server serve TLS on different
ports, with additional-tls-port. Use this to set up dns over tls
service on both ports r853 and 443.
For fast server selection, there are new options low-rtt and
low-rtt-pct. For example set low-rtt-pct: 900 to enable it.
These options are experimental at this time. We are interested in
user experiences, and are intending to look at the expressiveness that
is desired for ease of use and applicability. Also, the "pct" part of
low-rtt-pct is technically the wrong term and we intend to replace it
with "promille" (likely in a future release, together with user
experience feedback changes).
There is hiredis support for the cachedb module.
Monitoring of the new agrressive NSEC and auth zone root local copy
features is possible with statistics counters for agressive NSEC and for
auth zone usage. Auth zone supports incoming NOTIFYs, from masters and
from allow-notify hosts. Auth zones can be listed from unbound-control
with their SOA serial number.
Unbound-control set_option and get_option needed different ':'
placement, the current release allows with and without ':' syntax.
- Add --with-libhiredis, unbound support for a new cachedb
backend that uses a Redis server as the storage. This
implementation depends on the hiredis client library
And unbound should be built with both --enable-cachedb and
--with-libhiredis[=3DPATH] (where $PATH/include/hiredis/hiredis.h
should exist). Patch from Jinmei Tatuya (Infoblox).
- Create additional tls service interfaces by opening them on other
portnumbers and listing the portnumbers as additional-tls-port: nr.
- ED448 support.
- num.query.authzone.up and num.query.authzone.down statistics counters.
- Accept both option names with and without colon for get_option
- low-rtt and low-rtt-pct in unbound.conf enable the server selection
of fast servers for some percentage of the time.
- num.query.aggressive.NOERROR and num.query.aggressive.NXDOMAIN
- allow-notify: config statement for auth-zones.
- Can set tls authentication with forward-addr: IP#tls.auth.name
And put the public cert bundle in tls-cert-bundle: "ca-bundle.pem".
such as forward-addr: 126.96.36.199@853#dns.quad9.net or
- list_auth_zones unbound-control command.
- Added root-key-sentinel support
- Fix #3727: Protocol name is TLS, options have been renamed but
documentation is not consistent.
- Check IXFR start serial.
- Fix typo in documentation.
- Fix #3736: Fix 0 TTL domains stuck on SERVFAIL unless manually
flushed with serve-expired on.
- Fix #3817: core dump happens in libunbound delete, when queued
servfail hits deleted message queue.
- corrected a minor typo in the changelog.
- move htobe64/be64toh portability code to cachedb.c.
- iana port update.
- Do not use cached NSEC records to generate negative answers for
domains under DNSSEC Negative Trust Anchors.
- Fix unbound-control get_option aggressive-nsec
- Check "result" in dup_all(), by Florian Obser.
- Fix #4043: make test fails due to v6 presentation issue in macOS.
- Fix unable to resolve after new WLAN connection, due to auth-zone
failing with a forwarder set. Now, auth-zone is only used for
answers (not referrals) when a forwarder is set.
- Combine write of tcp length and tcp query for dns over tls.
- nitpick fixes in example.conf.
- Fix above stub queries for type NS and useless delegation point.
- Fix unbound-control over pipe with openssl 1.1.1, the TLSv1.3
tls_choose_sigalg routine does not allow the ciphers for the pipe,
so use TLSv1.2.
- Fix that flush_zone sets prefetch ttl expired, so that with
serve-expired enabled it'll start prefetching those entries.
- Fix downstream auth zone, only fallback when auth zone fails to
answer and fallback is enabled.
- Fix for max include depth for authzones.
- Fix memory free on fail for $INCLUDE in authzone.
- Fix that an internal error to look up the wrong rr type for
auth zone gets stopped, before trying to send there.
- Fix auth zone target lookup iterator.
- Fix auth-zone retry timer to be on schedule with retry timeout,
with backoff. Also time a refresh at the zone expiry.
- Fix #658: unbound using TLS in a forwarding configuration does not
verify the server's certificate (RFC 8310 support).
- For addr with #authname and no @port notation, the default is 853.
- man page documentation for dns-over-tls forward-addr '#' notation.
- removed free from failed parse case.
- Fix #4091: Fix that reload of auth-zone does not merge the zonefile
with the previous contents.
- Delete auth zone when removed from config.
- makedist uses bz2 for expat code, instead of tar.gz.
- Fix #4092: libunbound: use-caps-for-id lacks colon in
- auth zone http download stores exact copy of downloaded file,
including comments in the file.
- Fix sldns parse failure for CDS alternate delete syntax empty hex.
- Attempt for auth zone fix; add of callback in mesh gets from
callback does not skip callback of result.
- Fix cname classification with qname minimisation enabled.
- Fix contrib/fastrpz.patch for this release.
- Fix auth https for libev.
- Fix memory leak when caching wildcard records for aggressive NSEC use
- Fix for crash in daemon_cleanup with dnstap during reload,
from Saksham Manchanda.
- Also that for dnscrypt.
A commit references this bug:
Date: Thu May 10 14:50:20 UTC 2018
New revision: 469556
- Update to 2.5.9
- Update WWW
Submitted by: maintainer
Sponsored by: iXsystems Inc.
Perhaps I should start a new pr(1).
But this pr references a bug that was supposed to be fixed:
- Fix unbound-control get_option aggressive-nsec
However, walking up the commits from 1.70, to 1.73
unbound-control stats always returns:
# unbound-control stats
unbound.conf:22: error: unknown keyword 'aggressive-nsec'
unbound.conf:22: error: stray ':'
unbound.conf:22: error: unknown keyword 'yes'
read unbound.conf failed: 3 errors in configuration file
 unbound-control[76861:0] fatal error: could not read config file
when unbound.conf(5) contains:
Any hopes of ever getting this fixed on FreeBSD?
I don't see any more evidence of this error in any of the other
commit messages, or pr(1)'s other than this.
P.S. happens on both 11 && 12 @ 1.70-1.73
(In reply to Chris Hutchinson from comment #2)
It seems you have configuration file which is not supported by the version you use.
Upgrade to a later version (1.8.1 is the latest).
And yes, consider a new pr rather adding to an old closed issue.