Created attachment 194164 [details]
patch to upgrade
This release fixes bugs in DNS-over-TLS for windows, and adds the option
for windows users to use the CA certificates from the Windows cert
stores, tls-win-cert: yes in unbound.conf.
The code has been updated with a speed up that improves performance for
large numbers of incoming TCP and TLS connections.
There is an option to allow to ignore an unset RD bit for access control
subnets and always allow recursion to the request.
Windows unbound 1.7.2 download links, 64 and then 32bit:
And .asc pgp signatures.
- Fix low-rtt-pct to low-rtt-permil, as it is parts in one thousand.
- Qname minimisation default changed to yes.
- Use accept4 to speed up incoming TCP (and TLS) connections,
available on Linux, FreeBSD and OpenBSD.
- tls-win-cert option that adds the system certificate store for
authenticating DNS-over-TLS connections. It can be used instead
of the tls-cert-bundle option, or with it to add certificates.
- Patch from Syzdek: Add ability to ignore RD bit and treat all
requests as if the RD bit is set.
- Rename additional-tls-port to tls-additional-ports.
The older name is accepted for backwards compatibility.
- Fix for crash in daemon_cleanup with dnstap during reload,
from Saksham Manchanda.
- Also that for dnscrypt.
- Fix spelling error in man page and note defaults as no instead of
- Fix that unbound-control reload frees the rrset keys and returns
the memory pages to the system.
- Fix fail to reject dead peers in forward-zone, with ssl-upstream.
- Fix that configure --with-libhiredis also turns on cachedb.
- Fix gcc 8 buffer warning in testcode.
- Fix function type cast warning in libunbound context callback type.
- Fix windows to not have sticky TLS events for TCP.
- Fix read of DNS over TLS length and data in one read call.
- Fix mesh state assertion failure due to callback removal.
- Fix contrib/libunbound.pc for libssl libcrypto references,
- Fix that libunbound can do DNS-over-TLS, when configured.
- Fix that windows unbound service can use DNS-over-TLS.
- unbound-host initializes ssl (for potential DNS-over-TLS usage
inside libunbound), when ssl upstream or a cert-bundle is configured.
- For TCP and TLS connections that don't establish, perform address
update in infra cache, so future selections can exclude them.
- Fix that tcp sticky events are removed for closed fd on windows.
- Fix close events for tcp only.
- Fix windows tcp and tls spin on events.
- Add routine from getdns to add windows cert store to the SSL_CTX.
- in compat/arc4random call getentropy_urandom when getentropy fails
- Fix that fallback for windows port.
- Fix deadlock caused by incoming notify for auth-zone.
A commit references this bug:
Date: Thu Jun 14 23:22:22 UTC 2018
New revision: 472412
dns/unbound: upgrade to 1.7.2
Submitted by: jaap@NLnetLabs.nl (maintainer)