Software Update: Unbound 1.8.3

When you perform a dns lookup, a recursor initially starts by asking the lookup query to a dns root server. This can then redirect to other servers, from where it can redirect to other servers and so on, until finally a server is reached that knows the answer or knows that the look-up is not possible. The latter can be the case if the name does not exist or the servers do not respond. The process of going through different authoritative servers is called recursion. Unbound is a dns recursor with support for modern standards such as Query Name Minimization, Aggressive Use of Dnssec-Validated Cache and authority zones. The developers recently released version 1.8.3 with the following changes:

Version 1.8.3

• Fix dns64 allocation in wrong region for returned internal queries.

Version 1.8.2

Features

• Add fast-server-permil and fast-server-num options.
• Deprecate low-rtt and low-rtt-permil options.
• Change fast-server-num default to 3.
• Fix #4154: make ECS_MAX_TREESIZE configurable, with the max-ecs-tree-size-ipv4 and max-ecs-tree-size-ipv6 options.
• Fix #4190: Please create a “ANY” deny option, adds the option deny-any: yes in unbound.conf. This responds with an empty message to queries of type ANY.
• Fix #4126: RTT_band too low on VSAT links with 600+ms latency, adds the option unknown-server-time-limit to unbound.conf that can be increased to avoid the problem.
• Add min-client-subnet-ipv6 and min-client-subnet-ipv4 options.
• Support SO_REUSEPORT_LB in FreeBSD 12 with the so-reuseport: yes option in unbound.conf.
• Add unbound-control view_local_datas command, like local_datas.

Bug Fixes

• dnscrypt.c removed sizeof to get array bounds.
• Fix testlock code to set noreturn on error routine.
• Remove unused variable from contrib fastrpz/rpz.c and remove unused diagnostic pragmas that themselves generate warnings
• clang analyze test is used only when assertions are enabled.
• Squelch EADDRNOTAVAIL errors when the interface goes away, this omits ‘can’t assign requested address’ errors unless verbosity is set to a high value.
• Set default for so-reuseport to no for FreeBSD. It is enabled by default for Linux and DragonFlyBSD. The setting can be configured in unbound.conf to override the default.
• iana port update.
• Squelch log of failed to tcp initiate after TCP Fastopen failure.
• Fix #4192: unbound-control-setup generates keys not readable by group.
• check that the dnstap socket file can be opened and exists, print error if not.
• Add markdel function to ECS slabhash.
• Limit ECS scope returned to client to the scope used for caching.
• Fix #4191: NXDOMAIN vs SERVFAIL during dns64 PTR query.
• Fix #4141: More randomness to rrset-roundrobin.
• Fix #4132: Openness/closeness or RANGE intervals in rpl files.
• remade makefile dependencies.
• Fix #4152: Logs shows wrong time when using log-time-ascii: yes.
• Scrub NS records from NXDOMAIN responses to stop fragmentation poisoning of the cache.
• Scrub NS records from NODATA responses as well.
• Add patch from Jan Vcelak for pythonmod, add sockaddr_storage getters, add support for query callbacks, allow raw address access via comm_reply and update API documentation.
• Removed compile warnings in pythonmod sockaddr routines.
• With ./configure –with-pyunbound –with-pythonmodule PYTHON_VERSION=3.6 or with 2.7 unbound can compile and unit tests succeed for the python module.
• pythonmod logs the python error and traceback on failure.
• ignore debug python module for test in doxygen output.
• review fixes for python module.
• Fix #4209: Crash in libunbound when called from getdns.
• auth zone zonefiles can be in a chroot, the chroot directory components are removed before use.
• Fix that empty zonefile means the zonefile is not set and not used.
• Fix to not set GLOB_NOSORT so the unbound.conf include: files are sorted and in a predictable order.
• Fix #4193: Fix that prefetch failure does not overwrite valid cache entry with SERVFAIL.
• Fix DNS64 to not store intermediate results in cache, this avoids other threads from picking up the wrong data. The module restores the previous no_cache_store setting when the the module is finished.
• Fix #4208: ‘stub-no-cache’ and ‘forward-no-cache’ not work.
• New and better fix for Fix #4193: Fix that prefetch failure does not overwrite valid cache entry with SERVFAIL.
• auth-zone give SERVFAIL when expired, fallback activates when expired, and this is documented in the man page.
• stat count SERVFAIL downstream auth-zone queries for expired zones.
• Put new logos into windows installer.
• Fix windows compile for new rrset roundrobin fix.
• Update contrib fastrpz patch for latest release.
• Fix chroot auth-zone fix to remove chroot prefix.
• windows icon updated.