Best Technology Stuff from Around the World

Unbound 1.9.2

If you perform a DNS look-up, a recursor initially starts by asking the look-up question to a DNS root server. This can then be redirected to other servers, from where you can be redirected to other servers and so on, until finally a server is reached that knows the answer or knows that the look-up is not possible. The latter can occur if the name does not exist or the servers do not respond. The process of passing through various authoritative servers is called recursion. Unbound is a dns recursor with support for modern standards such as Query Name Minimization, Aggressive Use or Dnssec-Validated Cache and authority zones. The developers have released version 1.9.2 with the following changes:


  • add type CAA to libpyunbound (accessing libunbound from python).
  • Fix # 17: Add python module example from Jan Janak, that’s a plugin for the Unbound DNS resolver to resolve DNS records in multicast DNS [RFC 6762] via Avahi. The plugin communicates with Avahi via DBus. The comment section at the beginning of the file contains detailed documentation.
  • travis build file.
  • PR # 16: XoT support, AXFR over TLS, turn it on with master: <ip> # <authname> in unbound.conf. This uses TLS to download the AXFR (or IXFR).

Bug Fixes

  • Fix for # 4233: guard use of NDEBUG, so that it can be passed in CFLAGS into configure.
  • Add log message, at verbosity 4, that says the query is encrypted with TLS, if that’s enabled for the query.
  • Fix # 4239: set NOTIMPL when deny-any is enabled, for RFC8482.
  • Fix # 4240: Fix whitespace cleanup in example.conf.
  • Fix that tls session ticket keys: “” on its own in unbound.conf disables the tls session ticker key calls into the OpenSSL API.
  • Fix crash if tls-servic-pem not filled in when necessary.
  • Fix auth zone NSEC3 response for empty non-terminals with exact match nsec3 records.
  • Fix for out of bounds integers, thanks to OSTIF audit. It is in allocation debug code.
  • Fix for auth zone nsec3 and fix for wildcard nodata.
  • Move goto label in answer_from_cache to the end of the function where it is more visible.
  • Fix auth zone NSEC3 response for wildcard nodata answers, including the closest encloser in the answer.
  • Fix spelling error in log output for event method.
  • Fix to reinit event structure for accepted TCP (and TLS) sockets.
  • Fix to use event_assign with libevent for thread safety.
  • verbose information about auth zone lookup process, also lookup start, timeout and fail.
  • Fix to wipe ssl ticket keys from memory with explicit_bzero, if available.
  • Fix that auth zone uses correct network type for sockets for SOA serial probes. This fixes that probes fail because earlier probe addresses are unreachable.
  • Fix that auth zone fails over to next master for timeout in TCP.
  • Squelch SSL read and write connection reset by peer and broken pipe messages. Verbosity 2 and higher enable them.
  • Update python documentation for init_standard ().
  • Typos.
  • Fix tls write event for read state change to re-call SSL_write and not resume the TLS handshake.
  • Better braces in if statement in TCP fastopen code.
  • iana portlist updated.
  • Scrub RRs from answer section when reusing NXDOMAIN message for subdomain answers.
  • For harden-below-nxdomain: don’t consider a name to be non-exit when message contains a CNAME record
  • Fix wrong query name in local zone redirect answers with CNAME, the copy of the local alias is in unpacked form.
  • contrib / fastrpz.patch updated for code changes, and with git diff.
  • Fix # 29: Solaris 11.3 and missing symbols be64toh, htobe64.
  • Fix # 30: AddressSanitizer finding in lookup3.c. This sets the hash function to use a slower but better auditable code that does not read beyond array boundaries. This makes code better security, and is better for security. It is fixed to be slower, but not read outside of the array.
  • Fix edns subnet locks, the lock was not unlocked in error cases.
  • Fix doxygen output error on readme markdown vignettes.
  • Squelch log messages from tcp send about connection reset by peer. They can be enabled with verbosity at higher values ​​for diagnosing network connectivity issues.
  • Attempt to fix malformed TCP response.
  • Fix # 31: swig 4.0 and python module.
  • Note that so-giant report at extreme load is better turned off, otherwise queries are not distributed evenly, on Linux 4.4.x.
  • Fix that spoolbuf is not used to store tcp pipelined response between mesh send and callback end.
  • Fix double file close in tcp pipelined response code.
  • Fix to define _OPENBSD_SOURCE to get reallocarray on NetBSD.
  • Fix to guard _OPENBSD_SOURCE from redefinition.
  • Fix that fixes the Fix that spoolbuf is not used to store tcp pipelined response between mesh send and callback end, this fixes error cases that didn’t use the correct spoolbuf.
  • Fix another spoolbuf storage code point, in prefetch.
Version number 1.9.2
Release Status Final
Operating systems Linux, BSD, macOS, Solaris, Windows Server 2012, Windows Server 2016
Website NLnet Labs
License type Conditions (GNU / BSD / etc.)


You might also like