1 2 November 2023: Wouter
2 - Set version number to 1.19.0.
3 - Tag for 1.19.0rc1 release.
5 1 November 2023: George
6 - Mention flex and bison in README.md when building from repository
9 1 November 2023: Wouter
10 - Fix SSL compile failure for definition in log_crypto_err_io_code_arg.
11 - Fix SSL compile failure for other missing definitions in
12 log_crypto_err_io_code_arg.
13 - Fix compilation without openssl, remove unused function warning.
15 31 October 2023: George
16 - Fix #941: dnscrypt doesn't work after upgrade to 1.18 with
17 suggestion by dukeartem to also fix the udp_ancil with dnscrypt.
19 30 October 2023: George
20 - Merge #930 from Stuart Henderson: add void to
21 log_ident_revert_to_default declaration.
23 30 October 2023: Wouter
26 24 October 2023: George
27 - Clearer configure text for missing protobuf-c development libraries.
29 20 October 2023: Wouter
30 - Merge #951: Cachedb no store. The cachedb-no-store: yes option is
31 used to stop cachedb from writing messages to the backend storage.
32 It reads messages when data is available from the backend. The
35 19 October 2023: Wouter
36 - Fix to print detailed errors when an SSL IO routine fails via
39 18 October 2023: George
40 - Mailing list patches from Daniel Gröber for DNS64 fallback to plain
41 AAAA when no A record exists for synthesis, and minor DNS64 code
42 refactoring for better readability.
43 - Fixes for the DNS64 patches.
44 - Update the dns64_lookup.rpl test for the DNS64 fallback patch.
45 - Merge #955 from buevsan: fix ipset wrong behavior.
46 - Update testdata/ipset.tdir test for ipset fix.
48 17 October 2023: Wouter
49 - Fix #954: Inconsistent RPZ handling for A record returned along with
52 16 October 2023: George
53 - Expose the script filename in the Python module environment 'mod_env'
54 instead of the config_file structure which includes the linked list
55 of scripts in a multi Python module setup; fixes #79.
56 - Expose the configured listening and outgoing interfaces, if any, as
57 a list of strings in the Python 'config_file' class instead of the
58 current Swig object proxy; fixes #79.
59 - For multi Python module setups, clean previously parsed module
60 functions in __main__'s dictionary, if any, so that only current
61 module functions are registered.
63 13 October 2023: George
64 - Better fix for infinite loop when reading multiple lines of input on
65 a broken remote control socket, by treating a zero byte line the
66 same as transmission end. Addesses #947 and #948.
68 12 October 2023: Wouter
69 - Merge #944: Disable EDNS DO.
70 Disable the EDNS DO flag in upstream requests. This can be helpful
71 for devices that cannot handle DNSSEC information. But it should not
72 be enabled otherwise, because that would stop DNSSEC validation. The
73 DNSSEC validation would not work for Unbound itself, and also not
74 for downstream users. Default is no. The option
75 is disable-edns-do: no
77 11 October 2023: George
78 - Fix #850: [FR] Ability to use specific database in Redis, with new
79 redis-logical-db configuration option.
81 11 October 2023: Wouter
82 - Fix #949: "could not create control compt".
83 - Fix that cachedb does not warn when serve-expired is disabled about
84 use of serve-expired-reply-ttl and serve-expired-client-timeout.
85 - Fix for #949: Fix pythonmod/ubmodule-tst.py for Python 3.x.
87 10 October 2023: George
88 - Fix infinite loop when reading multiple lines of input on a broken
89 remote control socket. Addesses #947 and #948.
91 9 October 2023: Wouter
92 - Fix edns subnet so that queries with a source prefix of zero cause
93 the recursor send no edns subnet option to the upstream.
94 - Fix that printout of EDNS options shows the EDNS cookie option by
97 4 October 2023: Wouter
98 - Fix #946: Forwarder returns servfail on upstream response noerror no
101 3 October 2023: George
102 - Merge #881: Generalise the proxy protocol code.
104 2 October 2023: George
105 - Fix misplaced comment.
107 22 September 2023: Wouter
108 - Fix #942: 1.18.0 libunbound DNS regression when built without
111 18 September 2023: Wouter
112 - Fix rpz tcp-only action with rpz triggers nsdname and nsip.
114 15 September 2023: Wouter
115 - Merge #936: Check for c99 with autoconf versions prior to 2.70.
116 - Fix to remove two c99 notations.
118 14 September 2023: Wouter
119 - Fix authority zone answers for obscured DNAMEs and delegations.
121 8 September 2023: Wouter
122 - Fix send of udp retries when ENOBUFS is returned. It stops looping
123 and also waits for the condition to go away. Reported by Florian
126 7 September 2023: Wouter
127 - Fix to scrub resource records of type A and AAAA that have an
128 inappropriate size. They are removed from responses.
129 - Fix to move msgparse_rrset_remove_rr code to util/msgparse.c.
130 - Fix to add EDE text when RRs have been removed due to length.
131 - Fix to set ede match in unit test for rr length removal.
132 - Fix to print EDE text in readable form in output logs.
134 6 September 2023: Wouter
135 - Merge #931: Prevent warnings from -Wmissing-prototypes.
137 31 August 2023: Wouter
138 - Fix autoconf 2.69 warnings in configure.
139 - Fix #927: unbound 1.18.0 make test error. Fix make test without SHA1.
141 30 August 2023: Wouter
142 - Fix for WKS call to getservbyname that creates allocation on exit
143 in unit test by testing numbers first and testing from the services
146 28 August 2023: Wouter
147 - Fix for version generation race condition that ignored changes.
149 25 August 2023: Wouter
150 - Fix compile error on NetBSD in util/netevent.h.
152 23 August 2023: Wouter
153 - Tag for 1.18.0rc1 release. This became the 1.18.0 release on
154 30 aug 2023, with the fix from 25 aug, fix compile on NetBSD
155 included. The repository continues with version 1.18.1.
157 22 August 2023: Wouter
158 - Set version number to 1.18.0.
160 21 August 2023: Wouter
161 - Debug Windows ci workflow.
162 - Fix windows ci workflow to install bison and flex.
163 - Fix for #925: unbound.service: Main process exited, code=killed,
164 status=11/SEGV. Fixes cachedb configuration handling.
165 - Fix #923: processQueryResponse() THROWAWAY should be mindful of
167 - Fix unit test for unbound-control to work when threads are disabled,
168 and fix cache dump check.
170 18 August 2023: Wouter
171 - Fix for iter_dec_attempts that could cause a hang, part of
172 capsforid and qname minimisation, depending on the settings.
173 - Fix uninitialized memory passed in padding bytes of cmsg to sendmsg.
174 - Fix stat_values test to work with dig that enables DNS cookies.
176 17 August 2023: Wouter
177 - Merge PR #762: Downstream DNS Server Cookies a la RFC7873 and
178 RFC9018. Create server cookies for clients that send client cookies.
179 This needs to be explicitly turned on in the config file with:
180 `answer-cookie: yes`. A `cookie-secret:` can be configured for
181 anycast setups. Without one, a random cookie secret is generated.
182 The acl option `allow_cookie` allows queries with either a valid
183 cookie or over a stateful transport. The statistics output has
184 `queries_cookie_valid` and `queries_cookie_client` and
185 `queries_cookie_invalid` information. The `ip\-ratelimit\-cookie:`
186 value determines a rate limit for queries with cookies, if desired.
187 - Fix regional_alloc_init for potential unaligned source of the copy.
188 - Fix ip_ratelimit test to work with dig that enables DNS cookies.
190 2 August 2023: George
191 - Move a cache reply callback in worker.c closer to the cache reply
194 1 August 2023: George
195 - Merge #911 from natalie-reece: Exclude EDE before other EDNS options
196 when there isn't enough space.
197 - For #911: Try to trim EXTRA-TEXT (and LDNS_EDE_OTHER options
198 altogether) before giving up on attaching EDE options.
199 - More braces and formatting for Fix for EDNS EDE size calculation to
201 - Fix to use the now cached EDE, if any, for CD_bit queries.
203 1 August 2023: Wouter
204 - Fix for EDNS EDE size calculation.
207 - Merge #790 from Tom Carpay: Add support for EDE caching in cachedb
211 - iana portlist update.
214 - Merge #759 from Tom Carpay: Add EDE (RFC8914) caching.
217 - Fix unused variable compile warning for kernel timestamps in
221 - Merge #857 from eaglegai: fix potential memory leaks when errors
223 - For #857: fix mixed declarations and code.
224 - Merge #118 from mibere: Changed verbosity level for Redis init &
226 - Merge #390 from Frank Riley: Add missing callbacks to the python
228 - Cleaner failure code for callback functions in interface.i.
229 - Merge #889 from borisVanhoof: Free memory in error case + remove
231 - For #889: use netcat-openbsd instead of netcat-traditional.
232 - For #889: Account for num_detached_states before possible
233 mesh_state_delete when erroring out.
236 - Merge #909 from headshog: Numeric truncation when parsing TYPEXX and
237 CLASSXX representation.
238 - For #909: Fix return values.
239 - Merge #901 from Sergei Trofimovich: config: improve handling of
243 - For #909: Fix RR class comparison.
246 - More clear description of the different auth-zone behaviors on the
250 - Merge #880 from chipitsine: services/authzone.c: remove redundant
254 - Merge #664 from tilan7763: Add prefetch support for subnet cache
256 - For #664: Easier code flow for subnetcache prefetching.
257 - For #664: Add testcase.
258 - For #664: Rename subnet_prefetch tests to subnet_global_prefetch to
259 differentiate from the new subnet prefetch support.
262 - Merge #739: Add SVCB dohpath support.
263 - Code cleanup for sldns_str2wire_svcparam_key_lookup.
264 - Merge #802: add validation EDEs to queries where the CD bit is set.
265 - For #802: Cleanup comments and add RCODE check for CD bit test case.
266 - Skip the 00-lint test. splint is not maintained; it either does not
267 work or produces false positives. Static analysis is handled in the
271 - Fix #906: warning: ‘Py_SetProgramName’ is deprecated.
272 - Fix dereference of NULL variable warning in mesh_do_callback.
275 - More fixes for reference counting for python module and clean up
277 - Merge #827 from rcmcdonald91: Eliminate unnecessary Python reloading
278 which causes memory leaks.
281 - Fix python modules with multiple scripts, by incrementing reference
285 - Merge #892: Add cachedb hit stat. Introduces 'num.query.cachedb' as
286 a new statistical counter.
287 - Remove warning about unknown cast-function-type warning pragma.
290 - Merge #903: contrib: add yocto compatible init script.
293 - Fix for issue #887 (Timeouts to forward servers on BSD based
295 - Probably fixes #516 (Stream reuse does not work on Windows) as well
298 - Properly handle all return values of worker_check_request during
300 - Do not check the incoming request more than once.
303 - Merge #896: Fix: #895: pythonmodule: add all site-packages
304 directories to sys.path.
305 - Fix #895: python + sysconfig gives ANOTHER path comparing to
307 - Fix for uncertain unit test for doh buffer size events.
310 - Fix unbound-dnstap-socket printout when no query is present.
311 - Fix unbound-dnstap-socket time fraction conversion for printout.
314 - Fix RPZ removal of client-ip, nsip, nsdname triggers from IXFR.
315 - Fix to remove unused variables from RPZ clientip data structure.
318 - Fix #888: [FR] Use kernel timestamps for dnstap.
319 - Fix to print debug log for ancillary data with correct IP address.
322 - Fix warning in windows compile, in set_recvtimestamp.
325 - Fix #885: Error: util/configlexer.c: No such file or directory,
326 adds error messages explaining to install flex and bison.
327 - Fix to remove unused whitespace from acx_nlnetlabs.m4 and config.h.
328 - Fix doxygen in addr_to_nat64 header definition.
331 - Merge #722 from David 'eqvinox' Lamparter: NAT64 support.
332 - For #722: minor fixes, formatting, refactoring.
335 - Fix RPZ IP responses with trigger rpz-drop on cache entries, that
338 26 April 2023: Philip
339 - Fix issue #860: Bad interaction with 0 TTL records and serve-expired
341 26 April 2023: Wouter
342 - Merge #882 from vvfedorenko: Features/dropqueuedpackets, with
343 sock-queue-timeout option that drops packets that have been in the
344 socket queue for too long. Added statistics num.queries_timed_out
345 and query.queue_time_us.max that track the socket queue timeouts.
346 - Fix for #882: small changes, date updated in Copyright for
347 util/timeval_func.c and util/timeval_func.h. Man page entries and
349 - Fix for #882: document variable to stop doxygen warning.
351 19 April 2023: Wouter
352 - Fix for #878: Invalid IP address in unbound.conf causes Segmentation
355 14 April 2023: Wouter
356 - Merge #875: change obsolete txt URL in unbound-anchor.c to point
357 to RFC 7958, and Fix #874.
359 13 April 2023: Wouter
360 - Fix build badge, from failing travis link to github ci action link.
363 - Fix for #870: Add test case for the qname minimisation and CNAME.
366 - Fix #870: NXDOMAIN instead of NOERROR rcode when asked for existing
369 24 March 2023: Philip
370 - Fix issue #676: Unencrypted query is sent when
371 forward-tls-upstream: yes is used without tls-cert-bundle
372 - Extra consistency check to make sure that when TLS is requested,
373 either we set up a TLS connection or we return an error.
375 21 March 2023: Philip
376 - Fix issue #851: reserved identifier violation
378 20 March 2023: Wouter
379 - iana portlist update.
381 17 March 2023: George
382 - Fix #812, fix #846, by using the SSL_OP_IGNORE_UNEXPECTED_EOF option
383 to ignore the unexpected eof while reading in openssl >= 3.
385 16 March 2023: Wouter
386 - Fix ssl.h include brackets, instead of quotes.
388 14 March 2023: Wouter
389 - Fix unbound-dnstap-socket test program to reply the finish frame
390 over a TLS connection correctly.
392 23 February 2023: Wouter
393 - Fix for #852: Completion of error handling.
395 21 February 2023: Philip
396 - Fix #825: Unexpected behavior with client-subnet-always-forward
399 10 February 2023: George
400 - Clean up iterator/iterator.c::error_response_cache() and allow for
401 better interaction with serve-expired, prefetch and cached error
404 9 February 2023: George
405 - Allow TTL refresh of expired error responses.
406 - Add testcase for refreshing expired error responses.
408 9 February 2023: Wouter
409 - Fix to ignore entirely empty responses, and try at another authority.
410 This turns completely empty responses, a type of noerror/nodata into
411 a servfail, but they do not conform to RFC2308, and the retry can
412 fetch improved content.
413 - Fix unit tests for spurious empty messages.
414 - Fix consistency of unit test without roundrobin answers for the
415 cnametooptout unit test.
416 - Fix to git ignore the library symbol file that configure can create.
418 8 February 2023: Wouter
419 - Fix #841: Unbound won't build with aaaa-filter-iterator.patch.
421 30 January 2023: George
422 - Add duration variable for speed_local.test.
424 26 January 2023: Wouter
425 - Fix acx_nlnetlabs.m4 for -Wstrict-prototypes.
427 23 January 2023: George
428 - Fix #833: [FR] Ability to set the Redis password.
430 23 January 2023: Wouter
431 - Fix #835: [FR] Ability to use Redis unix sockets.
433 20 January 2023: Wouter
434 - Merge #819: Added new static zone type block_a to suppress all A
435 queries for specific zones.
437 19 January 2023: Wouter
438 - Set max-udp-size default to 1232. This is the same default value as
439 the default value for edns-buffer-size. It restricts client edns
440 buffer size choices, and makes unbound behave similar to other DNS
441 resolvers. The new choice, down from 4096 means it is harder to get
442 large responses from Unbound. Thanks to Xiang Li, from NISL Lab,
444 - Add harden-unknown-additional option. It removes
445 unknown records from the authority section and additional section.
446 Thanks to Xiang Li, from NISL Lab, Tsinghua University.
447 - Set default for harden-unknown-additional to no. So that it does
448 not hamper future protocol developments.
449 - Fix test for new default.
451 18 January 2023: Wouter
452 - Fix not following cleared RD flags potentially enables amplification
453 DDoS attacks, reported by Xiang Li and Wei Xu from NISL Lab,
454 Tsinghua University. The fix stops query loops, by refusing to send
455 RD=0 queries to a forwarder, they still get answered from cache.
457 13 January 2023: Wouter
458 - Merge #826: Аdd a metric about the maximum number of collisions in
460 - Improve documentation for #826, describe the large collisions amount.
462 9 January 2023: Wouter
463 - Fix python module install path detection.
464 - Fix python version detection in configure.
466 6 January 2023: Wouter
467 - Fix #823: Response change to NODATA for some ANY queries since
468 1.12, tested on 1.16.1.
469 - Fix wildcard in hyperlocal zone service degradation, reported
470 by Sergey Kacheev. This fix is included in 1.17.1rc2.
471 That became 1.17.1 on 12 Jan 2023, the code repo continues
472 with 1.17.2. 1.17.1 excludes fix #823, it is included forwards.
474 5 January 2023: Wouter
475 - Tag for 1.17.1 release.
477 2 January 2023: Wouter
478 - Fix windows compile for libunbound subprocess reap comm point closes.
479 - Update github workflows to use checkout v3.
481 14 December 2022: George
482 - Merge #569 from JINMEI Tatuya: add keep-cache option to
483 'unbound-control reload' to keep caches.
485 13 December 2022: George
486 - Expose 'statistics-inhibit-zero' as a configuration option; the
487 default value retains Unbound's behavior.
488 - Expose 'max-sent-count' as a configuration option; the
489 default value retains Unbound's behavior.
490 - Merge #461 from Christian Allred: Add max-query-restarts option.
491 Exposes an internal configuration but the default value retains
494 13 December 2022: Wouter
495 - Merge #808: Wrap Makefile script's directory variables in quotes.
496 - Fix to wrap Makefile scripts directory in quotes for uninstall.
498 1 December 2022: Wouter
499 - Fix #773: When used with systemd-networkd, unbound does not start
500 until systemd-networkd-wait-online.service times out.
502 30 November 2022: George
503 - Add SVCB and HTTPS to the types removed by 'unbound-control flush'.
504 - Clear documentation for interactivity between the subnet module and
505 the serve-expired and prefetch configuration options.
507 30 November 2022: Wouter
508 - Fix #782: Segmentation fault in stats.c:404.
510 28 November 2022: Wouter
511 - Fix for the ignore of tcp events for closed comm points, preserve
512 the use after free protection features.
514 23 November 2022: Philip
515 - Merge #720 from jonathangray: fix use after free when
516 WSACreateEvent() fails.
518 22 November 2022: George
519 - Ignore expired error responses.
521 11 November 2022: Wouter
522 - Fix #779: [doc] Missing documention in ub_resolve_event() for
523 callback parameter was_ratelimited.
525 9 November 2022: George
526 - Complementary fix for distutils.sysconfig deprecation in Python 3.10
527 to commit 62c5039ab9da42713e006e840b7578e01d66e7f2.
529 8 November 2022: Wouter
530 - Fix to ignore tcp events for closed comm points.
531 - Fix to make sure to not read again after a tcp comm point is closed.
532 - Fix #775: libunbound: subprocess reap causes parent process reap
534 - iana portlist update.
536 21 October 2022: George
537 - Merge #767 from jonathangray: consistently use IPv4/IPv6 in
540 21 October 2022: Wouter
541 - Fix that cachedb does not store failures in the external cache.
543 18 October 2022: George
544 - Clarify the use of MAX_SENT_COUNT in the iterator code.
546 17 October 2022: Wouter
547 - testcode/dohclient sets log identity to its name.
549 14 October 2022: Wouter
550 - Merge #768 from fobser: Arithmetic on a pointer to void is a GNU
552 - In unit test, print python script name list correctly.
554 13 October 2022: Wouter
555 - Tag for 1.17.0 release. The code repository continues with 1.17.1.
557 11 October 2022: George
558 - Fix PROXYv2 header read for TCP connections when no proxied addresses
561 7 October 2022: Wouter
562 - Tag for 1.17.0rc1 release.
564 7 October 2022: George
565 - Fix to stop possible loops in the tcp reuse code (write_wait list
566 and tcp_wait list). Based on analysis and patch from Prad Seniappan
567 and Karthik Umashankar.
568 - Fix unit test to properly test the reuse_write_wait_pop function.
570 6 October 2022: Wouter
571 - Fix to stop responses with TC flag from resulting in partial
572 responses. It retries to fetch the data elsewhere, or fails the
573 query and in depth fix removes the TC flag from the cached item.
574 - Fix proxy length debug output printout typecasts.
576 5 October 2022: Wouter
577 - Fix dnscrypt compile for proxy protocol code changes.
579 5 October 2022: George
580 - Use DEBUG_TDIR from environment in mini_tdir.sh for debugging.
581 - Fix string comparison in mini_tdir.sh.
582 - Make ede.tdir test more predictable by using static data.
583 - Fix checkconf test for dnscrypt and proxy port.
585 4 October 2022: George
586 - Merge #764: Leniency for target discovery when under load (for
587 NRDelegation changes).
589 4 October 2022: Wouter
590 - Fix static analysis report to remove dead code from the
591 rpz_callback_from_iterator_module function.
592 - Fix to clean up after the acl_interface unit test.
594 3 October 2022: George
595 - Merge #760: PROXYv2 downstream support. (New proxy-protocol-port
596 configuration option).
598 3 October 2022: Wouter
599 - Fix to remove erroneous TC flag from TCP upstream.
600 - Fix test tdir skip report printout.
601 - Fix windows compile, the identifier interface is defined in headers.
602 - Fix to close errno block in comm_point_tcp_handle_read outside of
605 26 September 2022: George
606 - Better output for skipped tdir tests.
608 21 September 2022: Wouter
609 - Patch for CVE-2022-3204 Non-Responsive Delegation Attack.
610 - This patch was released in 1.16.3, the code repository continues
611 with the previous features and fixes for 1.17.0.
612 - Fix doxygen warning in respip.h.
614 20 September 2022: George
615 - Convert tdir tests to use the new skip_test functionality.
616 - Remove unused testcode/mini_tpkg.sh file.
618 16 September 2022: George
619 - Merge #753: ACL per interface. (New interface-* configuration
622 2 September 2022: Wouter
623 - Remove include that was there for debug purposes.
624 - Fix to check pthread_t size after pthread has been detected.
626 1 September 2022: Wouter
627 - Fix to update config tests to fix checking if nonblocking sockets
629 - Slow down log frequency of write wait failures.
630 - Fix to set out of file descriptor warning to operational verbosity.
631 - Fix to log a verbose message at operational notice level if a
632 thread is not responding, to stats requests. It is logged with
635 31 August 2022: Wouter
636 - Fix to avoid process wide fcntl calls mixed with nonblocking
637 operations after a blocked write.
638 - Patch from Vadim Fedorenko that adds MSG_DONTWAIT to receive
639 operations, so that instruction reordering does not cause mistakenly
640 blocking socket operations.
641 - Fix to wait for blocked write on UDP sockets, with a timeout if it
642 takes too long the packet is dropped.
643 - Fix for wait for udp send to stop when packet is successfully sent.
645 22 August 2022: Wouter
646 - Fix #741: systemd socket activation fails on IPv6.
648 12 August 2022: Wouter
649 - Fix to log accept error ENFILE and EMFILE errno, but slowly, once
650 per 10 seconds. Also log accept failures when no slow down is used.
652 5 August 2022: Wouter
653 - Fix #734 [FR] enable unbound-checkconf to detect more (basic)
656 4 August 2022: Wouter
657 - Fix ratelimit inconsistency, for ip-ratelimits the value is the
658 amount allowed, like for ratelimits.
660 2 August 2022: Wouter
661 - Fix edns subnet so that scope 0 answers only match sourcemask 0
662 queries for answers from cache if from a query with sourcemask 0.
663 - Fix unittest for edns subnet change.
664 - Merge #730 from luisdallos: Fix startup failure on Windows 8.1 due
665 to unsupported IPV6_USER_MTU socket option being set.
667 1 August 2022: Wouter
668 - Fix the novel ghost domain issues CVE-2022-30698 and CVE-2022-30699.
669 - Tests for ghost domain fixes.
670 - Tag for 1.16.2 release. The code repo continues with 1.16.3.
671 - Fix #728: alloc_reg_obtain() core dump. Stop double
672 alloc_reg_release when serviced_create fails.
675 - Update documentation for 'outbound-msg-retry:'.
678 - Merge #718: Introduce infra-cache-max-rtt option to config max
682 - Merge PR 714: Avoid treat normal hosts as unresponsive servers.
683 And fixup the lock code.
684 - iana portlist update.
687 - For windows crosscompile, fix setting the IPV6_MTU socket option
688 equivalent (IPV6_USER_MTU); allows cross compiling with latest
689 cross-compiler versions.
692 - Fix dname count in sldns parse type descriptor for SVCB and HTTPS.
695 - Fix verbose EDE error printout.
698 - Fix bug introduced in 'improve val_sigcrypt.c::algo_needs_missing for
700 - Merge PR #668 from Cristian Rodríguez: Set IP_BIND_ADDRESS_NO_PORT on
701 outbound tcp sockets.
704 - Tag for 1.16.1rc1 release. This became 1.16.1 on 11 July 2022.
705 The code repo continues with version 1.16.2 under development.
708 - Merge PR #671 from Petr Menšík: Disable ED25519 and ED448 in FIPS
710 - Merge PR #660 from Petr Menšík: Sha1 runtime insecure.
711 - For #660: formatting, less verbose logging, add EDE information.
712 - Fix for correct openssl error when adding windows CA certificates to
713 the openssl trust store.
714 - Improve val_sigcrypt.c::algo_needs_missing for one loop pass.
715 - Reintroduce documentation and more EDE support for
716 val_sigcrypt.c::dnskeyset_verify_rrset_sig.
719 - Merge PR #706: NXNS fallback.
720 - From #706: Cached NXDOMAIN does not increase the target nx
722 - From #706: Don't generate parent side queries if we already
723 have the lame records in cache.
724 - From #706: When a lame address is the best choice, don't try to
725 generate target queries when the missing targets are all lame.
728 - iana portlist update.
729 - Fix detection of libz on windows compile with static option.
730 - Fix compile warning for windows compile.
733 - Add debug option to the mini_tdir.sh test code.
734 - Fix #704: [FR] Statistics counter for number of outgoing UDP queries
735 sent; introduces 'num.query.udpout' to the 'unbound-control stats'
737 - Fix to not count cached NXDOMAIN for MAX_TARGET_NX.
738 - Allow fallback to the parent side when MAX_TARGET_NX is reached.
739 This will also allow MAX_TARGET_NX more NXDOMAINs.
742 - Show the output of the exact .rpl run that failed with 'make test'.
743 - Fix for cached 0 TTL records to not trigger prefetching when
744 serve-expired-client-timeout is set.
747 - Fix test program dohclient close to use portability routine.
750 - Clarify -v flag manpage entry (#705)
753 - Fix #663: use after free issue with edns options.
756 - Fix for loading locally stored zones that have lines with blanks or
760 - Remove unused LDNS function check for GOST Engine unloading.
763 - Merge PR #688: Rpz url notify issue.
764 - Note in the unbound.conf text that NOTIFY is allowed from the url:
765 addresses for auth and rpz zones.
768 - Fix for edns client subnet to respect not looking in its cache when
769 instructed to do so (e.g., prefetch).
772 - makedist.sh picks up 32bit libssp-0.dll when 32bit compile.
775 - Fix #684: [FTBS] configure script error with libmnl on openSUSE 15.3 (and possibly other distributions)
776 - Version is set to 1.16.0 for release. Release tag 1.16.0rc1. This
777 became release 1.16.0 on 2 June 2022. The source code branch
778 continues with version 1.16.1 under development.
781 - Fix to silence test for ede error output to the console from the
783 - Fix ede test to not use default pidfile, and use local interface.
784 - Fix some lint type warnings.
787 - Fix typos in config_set_option for the 'num-threads' and
788 'ede-serve-expired' options.
791 - Fix #678: [FR] modify behaviour of unbound-control rpz_enable zone,
792 by updating unbound-control's documentation.
795 - Fix #417: prefetch and ECS causing cache corruption when used
799 - Merge #677: Allow using system certificates not only on Windows,
801 - For #677: Added tls-system-cert to config parser and documentation.
804 - Fix #673: DNS over TLS: error: SSL_handshake syscall: No route to
808 - Fix Python build in non-source directory; based on patch by
812 - Merge PR #604: Add basic support for EDE (RFC8914).
814 28 April 2022: Wouter
815 - Fix #670: SERVFAIL problems with unbound 1.15.0 running on
819 - Fix zonemd check to allow unsupported algorithms to load.
820 If there are only unsupported algorithms, or unsupported schemes,
821 and no failed or successful other ZONEMD records, or malformed
822 or bad ZONEMD records, the unsupported records allow the zone load.
823 - Fix zonemd unsupported algo check.
824 - Fix zonemd unsupported algo check reason to not copy to next record,
825 and check for success for debug printout.
826 - Fix zonemd unsupported algo check to print unsupported reason before
828 - Fix zonemd unsupported algo check to set reason to NULL before the
829 check routine, but after malformed checks, to get the correct NULL
830 output when the digest matches.
832 25 March 2022: Wouter
833 - Fix spelling error in comment in sldns_str2wire_svcparam_key_lookup.
835 23 March 2022: Wouter
836 - Fix #651: [FR] Better logging for refused queries.
838 18 March 2022: George
839 - Merge PR #648 from eaglegai: fix -q doesn't work when use with
840 'unbound-control stats_shm'.
842 17 March 2022: Wouter
843 - Fix to describe auth-zone and other configuration at the local-zone
844 configuration option, to allow for more broadly view of the options.
846 16 March 2022: Wouter
847 - Fix to ensure uniform handling of spaces and tabs when parsing RRs.
850 - Merge #644: Make `install-lib` make target install the pkg-config
854 - Fix configure for python to use sysutils, because distutils is
855 deprecated. It uses sysutils when available, distutils otherwise.
858 - Fix #637: Integer Overflow in sldns_str2period function.
859 - Fix for #637: fix integer overflow checks in sldns_str2period.
862 - Merge PR #632 from scottrw93: Match cnames in ipset.
863 - Various fixes for #632: variable initialisation, convert the qinfo
864 to str once, accept trailing dot in the local-zone ipset option.
867 - Fix compile warnings for printf ll format on mingw compile.
870 - Fix pythonmod for change in iter_dp_is_useless function prototype.
872 28 February 2022: George
873 - Fix #630: Unify the RPZ log messages.
874 - Merge #623 from rex4539: Fix typos.
876 28 February 2022: Wouter
877 - Fix #633: Document unix domain socket support for unbound-control.
878 - Fix for #633: updated fix with new text.
879 - Fix edns client subnet to add the option based on the option list,
880 so that it is not state dependent, after the state fix of #605 for
882 - Fix for edns client subnet option add fix in removal code, from review.
884 25 February 2022: Wouter
885 - Fix to detect that no IPv6 support means that IPv6 addresses are
886 useless for delegation point lookups.
887 - update Makefile dependencies.
888 - Fix check interface existence for support detection in remote lookup.
890 18 February 2022: Wouter
891 - Fix that address not available is squelched from the logs for
892 udp connect failures. It is visible on verbosity 4 and more.
893 - Merge #631 from mollyim: Replace OpenSSL's ERR_PACK with
896 16 February 2022: Wouter
897 - Fix for #628: fix rpz-passthru for qname trigger by localzone type.
899 15 February 2022: Wouter
900 - Fix #628: A rpz-passthru action is not ending RPZ zone processing.
902 11 February 2022: Wouter
903 - Fix #624: Unable to stop Unbound in Windows console (does not
904 respond to CTRL+C command).
905 - Fix #618: enabling interface-automatic disables DNS-over-TLS.
906 Adds the option to list interface-automatic-ports.
907 - Remove debug info from #618 fix.
909 7 February 2022: Wouter
910 - Fix that TCP interface does not use TLS when TLS is also configured.
912 4 February 2022: Wouter
913 - Fix #412: cache invalidation issue with CNAME+A.
915 3 February 2022: Wouter
916 - Fix for #611: Integer overflow in sldns_wire2str_pkt_scan.
917 - Tag for 1.15.0rc1 created. That became 1.15.0 on 10 feb 2022.
918 The repository continues with version 1.15.1.
920 2 February 2022: George
921 - Merge PR #532 from Shchelk: Fix: buffer overflow bug.
922 - Merge PR #616: Update ratelimit logic. It also introduces
923 ratelimit-backoff and ip-ratelimit-backoff configuration options.
924 - Change aggressive-nsec default to yes.
925 - Merge PR #617: Update stub/forward-host notation to accept port and
927 - Update stream_ssl.tdir test to also use the new forward-host
930 2 February 2022: Wouter
931 - Update version number in repo to 1.15.0 for upcoming release,
932 since it changes the aggressive-nsec default and the ratelimit change.
933 - Fix header comment for doxygen for authextstrtoaddr.
934 - please clang analyzer for loop in test code.
935 - Fix docker splint test to use more portable uname.
936 - Update contrib/aaaa-filter-iterator.patch with diff for current
939 1 February 2022: George
940 - Merge PR #603 from fobser: Use OpenSSL 1.1 API to access DSA and RSA
943 31 January 2022: George
944 - Fix review comment for use-after-free when failing to send UDP out.
946 31 January 2022: Wouter
947 - iana portlist update.
949 29 January 2022: George
950 - Fix tls-* and ssl-* documented alternate syntax to also be available
951 through remote-control and unbound-checkconf.
952 - Better cleanup on failed DoT/DoH listening socket creation.
954 26 January 2022: George
955 - Fix #599: [FR] RFC 9156 (obsoletes RFC 7816), by noting the new RFC
958 26 January 2022: Wouter
959 - Test for NSID in SERVFAIL response due to DNSSEC bogus.
961 25 January 2022: George
962 - Fix #588: Unbound 1.13.2 crashes due to p->pc is NULL in
963 serviced_udp_callback.
964 - Merge PR #612: TCP race condition.
966 25 January 2022: Wouter
967 - Fix #610: Undefine-shift in sldns_str2wire_hip_buf.
969 19 January 2022: George
970 - For dnstap, do not wakeupnow right there. Instead zero the timer to
971 force the wakeup callback asap.
973 14 January 2022: George
975 - Fix EDNS to upstream where the same option could be attached
977 - Add a region to serviced_query for allocations.
979 14 January 2022: Wouter
980 - Add rpz: for-downstream: yesno option, where the RPZ zone is
981 authoritatively answered for, so the RPZ zone contents can be
982 checked with DNS queries directed at the RPZ zone.
983 - For #602: Allow the module-config "subnetcache validator cachedb
986 11 January 2022: George
987 - Fix prematurely terminated TCP queries when a reply has the same ID.
989 7 January 2022: Wouter
990 - Merge #600 from pemensik: Change file mode before changing file
993 5 January 2022: Wouter
994 - Fix for #596: fix that rpz return message is returned and not just
995 the rcode from the iterator return path. This fixes signal unset RA
997 - Fix unit tests for rpz now that the AA flag returns successfully from
999 - Fix for #596: add unit test for nsdname trigger and signal unset RA.
1000 - Fix for #596: add unit test for nsip trigger and signal unset RA.
1001 - Fix #598: Fix unbound-checkconf fatal error: module conf
1002 'respip dns64 validator iterator' is not known to work.
1003 - Fix for #596: Fix rpz-signal-nxdomain-ra to work for clientip
1004 triggered operation.
1006 4 January 2022: Wouter
1007 - Fix #596: unset the RA bit when a query is blocked by an unbound
1008 RPZ nxdomain reply. The option rpz-signal-nxdomain-ra allows to
1009 signal that a domain is externally blocked to clients when it
1010 is blocked with NXDOMAIN by unsetting RA.
1011 - Fix to add test for rpz-signal-nxdomain-ra.
1012 - Fix #596: only unset RA when NXDOMAIN is signalled.
1013 - Fix that RPZ does not set RD flag on replies, it should be copied
1016 22 December 2021: George
1017 - contrib/aaaa-filter-iterator.patch file renewed diff content to
1018 apply cleanly to the current coderepo for the current code version.
1020 20 December 2021: George
1021 - Fix #591: Unbound-anchor manpage links to non-existent license file.
1023 13 December 2021: George
1024 - Add missing configure flags for optional features in the
1026 - Fix Unbound capitalization in the documentation.
1028 13 December 2021: Wouter
1029 - Fix to pick up other class local zone information before unlock.
1031 10 December 2021: George
1032 - Allow local-data for classes other than IN to inherit a configured
1033 local-zone's type if possible, instead of defaulting to type
1034 transparent as per the implicit rule.
1036 10 December 2021: Wouter
1037 - Add code similar to fix for ldns for tab between strings, for
1038 consistency, the test case was not broken.
1040 6 December 2021: Wouter
1041 - Merge PR #581 from fobser: Fix -Wmissing-prototypes and -Wshadow
1043 - Fix validator debug output about DS support, print correct algorithm.
1045 3 December 2021: Wouter
1046 - Fix compile warning for if_nametoindex on windows 64bit.
1048 1 December 2021: Wouter
1049 - configure is set to 1.14.0, and release branch.
1050 This was released as version 1.14.0 on 9 Dec 2021, with the doxygen
1051 fix below included. The main branch continues as 1.14.1.
1052 - Fix doc/unbound.doxygen to remove obsolete tag warning.
1054 1 December 2021: George
1055 - Merge PR #511 from yan12125: Reduce unnecessary linking.
1056 - Merge PR #493 from Jaap: Fix generation of libunbound.pc.
1057 - Merge PR #555 from fobser: Allow interface names as scope-id in IPv6
1058 link-local addresses.
1059 - Merge PR #562 from Willem: Reset keepalive per new tcp session.
1060 - Merge PR #522 from sibeream: memory management violations fixed.
1061 - Merge PR #530 from Shchelk: Fix: dereferencing a null pointer.
1062 - Fix #454: listen_dnsport.c:825: error: ‘IPV6_TCLASS’ undeclared.
1063 - Fix #574: Review fixes for size allocation.
1065 30 November 2021: Wouter
1066 - Fix to remove git tracking and ci information from release tarballs.
1067 - iana portlist update.
1069 29 November 2021: Wouter
1070 - Merge PR #570 from rex4539: Fix typos.
1071 - Fix for #570: regen aclocal.m4, fix configure.ac for spelling.
1072 - Fix to make python module opt_list use opt_list_in.
1073 - Fix #574: unbound-checkconf reports fatal error if interface names
1074 are used as value for interfaces:
1075 - Fix #574: Review fixes for it.
1076 - Fix #576: [FR] UB_* error codes in unbound.h
1077 - Fix #574: Review fix for spelling.
1079 15 November 2021: Tom
1080 - Improve EDNS option handling, now also works for synthesised
1081 responses such as local-data and server.id CH TXT responses.
1083 5 November 2021: George
1084 - Fix for #558: fix loop in comm_point->tcp_free when a comm_point is
1085 reclaimed more than once during callbacks.
1086 - Fix for #558: clear the UB_EV_TIMEOUT bit before adding an event.
1088 5 November 2021: Wouter
1089 - Fix that forward-zone name is documented as the full name of the
1090 zone. It is not relative but a fully qualified domain name.
1091 - Fix analyzer review failure in rpz action override code to not
1092 crash on unlocking the local zone lock.
1093 - Fix to remove unused code from rpz resolve client and action
1095 - Merge #565: unbound.service.in: Disable ProtectKernelTunables again.
1097 2 November 2021: Wouter
1098 - Fix #552: Unbound assumes index.html exists on RPZ host.
1100 11 October 2021: Wouter
1101 - Fix chaos replies to have truncation for short message lengths,
1102 or long reply strings.
1103 - Fix to protect custom regional create against small values.
1105 4 October 2021: Wouter
1106 - Fix to add example.conf note for outbound-msg-retry.
1108 27 September 2021: Wouter
1109 - Implement RFC8375: Special-Use Domain 'home.arpa.'.
1111 21 September 2021: Wouter
1112 - For crosscompile on windows, detect 64bit stackprotector library.
1113 - Fix crosscompile shell syntax.
1114 - Fix crosscompile windows to use libssp when it exists.
1115 - For the windows compile script disable gost.
1116 - Fix that on windows, use BIO_set_callback_ex instead of deprecated
1118 - Fix crosscompile script for the shared build flags.
1120 20 September 2021: Wouter
1121 - Fix crosscompile on windows to work with openssl 3.0.0 the
1122 link with ws2_32 needs -l:libssp.a for __strcpy_chk.
1123 Also copy results from lib64 directory if needed.
1125 10 September 2021: Wouter
1126 - Fix initialisation errors reported by gcc sanitizer.
1127 - Fix lock debug code for gcc sanitizer reports.
1128 - Fix more initialisation errors reported by gcc sanitizer.
1130 8 September 2021: Wouter
1131 - Merged #41 from Moritz Schneider: made outbound-msg-retry
1133 - Small fixes for #41: changelog, conflicts resolved,
1134 processQueryResponse takes an iterator env argument like other
1135 functions in the iterator, no colon in string for set_option,
1136 and some whitespace style, to make it similar to the rest.
1137 - Fix for #41: change outbound retry to int to fix signed comparison
1139 - Fix root_anchor test to check with new icannbundle date.
1141 3 September 2021: Wouter
1142 - Fix #538: Fix subnetcache statistics.
1144 1 September 2021: Wouter
1145 - Fix tcp fastopen failure when disabled, try normal connect instead.
1147 27 August 2021: Wouter
1148 - Fix #533: Negative responses get cached even when setting
1149 cache-max-negative-ttl: 1
1151 25 August 2021: Wouter
1152 - Merge #401: RPZ triggers. This add additional RPZ triggers,
1153 unbound supports a full set of rpz triggers, and this now
1154 includes nsdname, nsip and clientip triggers. Also actions
1155 are fully supported, and this now includes the tcp-only action.
1156 - Fix #536: error: RPZ: name of record (drop.spamhaus.org.rpz.local.)
1158 - Fix the stream wait stream_wait_count_lock and http2 buffer locks
1159 setup and desetup from race condition.
1160 - Fix RPZ locks. Do not unlock zones lock if requested and rpz find
1161 zone does not find the zone. Readlock the clientip that is found
1162 for ipbased triggers. Unlock the nsdname zone lock when done.
1163 Unlock zone and ip in rpz nsip and nsdname callback. Unlock
1164 authzone and localzone if clientip found in rpz worker call.
1165 - Fix compile warning in libunbound for listen desetup routine.
1166 - Fix asynclook unit test for setup of lockchecks before log.
1168 20 August 2021: Wouter
1169 - Fix #529: Fix: log_assert does nothing if UNBOUND_DEBUG is
1171 - Fix #531: Fix: passed to proc after free.
1173 17 August 2021: Wouter
1174 - Fix that --with-ssl can use "/usr/include/openssl11" to pass the
1175 location of a different openssl version.
1176 - Fix #527: not sending quad9 cert to syslog (and may be more).
1177 - Fix sed script in ssldir split handling.
1179 16 August 2021: George
1180 - Merge PR #528 from fobser: Make sldns_str2wire_svcparam_buf()
1183 16 August 2021: Wouter
1184 - Fix to support harden-algo-downgrade for ZONEMD dnssec checks.
1186 13 August 2021: Wouter
1187 - Support using system-wide crypto policies.
1188 - Fix for #431: Squelch permission denied errors for udp connect,
1189 and udp send, they are visible at higher verbosity settings.
1190 - Fix zonemd verification of key that is not in DNS but in the zone
1191 and needs a chain of trust.
1192 - zonemd, fix order of bogus printout string manipulation.
1194 12 August 2021: George
1195 - Merge PR #514, from ziollek: Docker environment for run tests.
1196 - For #514: generate configure.
1198 12 August 2021: Wouter
1199 - And 1.13.2rc1 became the 1.13.2 with the fix for the python module
1200 build. The current code repository continues with version 1.13.3.
1201 - Add test tool readzone to .gitignore.
1202 - Merge #521: Update mini_event.c.
1203 - Merge #523: fix: free() call more than once with the same pointer.
1204 - Merge #519: Support for selective enabling tcp-upstream for
1206 - For #519: note stub-tcp-upstream and forward-tcp-upstream in
1207 the example configuration file.
1208 - For #519: yacc and lex. And fix python bindings, and test program
1209 unbound-dnstap-socket.
1210 - For #519: fix comments for doxygen.
1211 - Fix to print error from unbound-anchor for writing to the key
1212 file, also when not verbose.
1214 5 August 2021: Wouter
1215 - Tag for 1.13.2rc1 release.
1216 - Fix #520: Unbound 1.13.2rc1 fails to build python module.
1218 4 August 2021: George
1219 - Merge PR #415 from sibeream: Use
1220 /proc/sys/net/ipv4/ip_local_port_range to determine available outgoing
1221 ports. (New --enable-linux-ip-local-port-range configuration option)
1222 - Bump MAX_RESTART_COUNT to 11 from 8; in relation to #438. This
1223 allows longer CNAME chains in Unbound.
1225 4 August 2021: Wouter
1226 - In unit test use openssl set security level to allow keys in test.
1227 - Fix static analysis warnings about localzone locks that are unused.
1228 - Fix missing locks in zonemd unit test.
1229 - Fix readzone compile under debug config.
1230 - Fix out of sourcedir run of zonemd unit tests.
1231 - Fix libnettle zonemd unit test.
1232 - Fix unit test zonemd_reload for use in run_vm.
1234 3 August 2021: George
1235 - Listen to read or write events after the SSL handshake.
1236 Sticky events on windows would stick on read when write was needed.
1238 3 August 2021: Wouter
1239 - Merge PR #517 from dyunwei: #420 breaks the mesh reply list
1240 function that need to reuse the dns answer.
1241 - Annotate assertion into error printout; we think it may be an
1242 error, but the situation looks harmless.
1243 - Fix sign comparison warning on FreeBSD.
1245 2 August 2021: Wouter
1246 - Prepare for OpenSSL 3.0.0 provider API usage, move the sldns
1247 keyraw functions to produce EVP_PKEY results.
1248 - Move RSA and DSA to use OpenSSL 3.0.0 API.
1249 - Move ECDSA functions to use OpenSSL 3.0.0 API.
1250 - iana portlist update.
1251 - Fix verbose printout failure in tcp reuse unit test.
1253 30 July 2021: Wouter
1254 - Fix #515: Compilation against openssl 3.0.0 beta2 is failing to
1256 - For #515: Fix compilation with openssl 3.0.0 beta2, lib64 dir and
1257 SSL_get_peer_certificate.
1258 - Move acx_nlnetlabs.m4 to version 41, with lib64 openssl dir check.
1260 26 July 2021: George
1261 - Merge #513: Stream reuse, attempt to fix #411, #439, #469. This
1262 introduces a couple of fixes for the stream reuse functionality
1263 that could result in broken internal structures.
1265 26 July 2021: Wouter
1266 - Merge #512: unbound.service.in: upgrade hardening to latest
1268 - Fix readzone unknown type print for memory resize.
1270 21 July 2021: Wouter
1271 - Fix that ldns_zone_new_frm_fp_l counts the line number for an empty
1272 line after a comment.
1274 16 July 2021: George
1275 - Introduce 'http-user-agent:' and 'hide-http-user-agent:' options.
1277 16 July 2021: Wouter
1278 - Merge #510 from ndptech: Don't call a function which hasn't been
1280 - Fix for #510: in depth, use ifdefs for windows api event calls.
1281 - Fix spelling in doc/unbound.doxygen comment.
1282 - Fix spelling in localzone.h comment.
1283 - Fix unbound-control local_data and local_datas to print detailed
1285 - review fix to remove duplicate error printout.
1286 - Insert header into testcode/readzone.c, it was missing.
1287 - Fix from lint for ignored return value.
1288 - Fix for older parsers for function call in serve expired get cached.
1291 - iana portlist update.
1294 - Fix compiler warnings for #491.
1295 - Fix clang-analysis warnings for testcode/readzone.c.
1298 - Fix Wunused-result compile warnings.
1301 - Merge PR #491: Add SVCB and HTTPS types and handling according to
1302 draft-ietf-dnsop-svcb-https.
1305 - Fix #506: Python Module Seems to Leak Memory if it Experiences an
1306 Unhandled Exception.
1308 25 June 2021: Wouter
1309 - Fix up permissions on rpl data file in tests.
1310 - Fix testbound newline treatment in moment_read and tempfile write.
1311 - Fix configure grep for reuseport default for failure.
1312 - Fix compat ctime_r return value
1313 - Fix configure does not require pkg-config if not needed.
1314 - Fix unit test in the ctime_r calls for autotrust and in testbound.
1315 - Fix auth zone download on windows to unlink before rename.
1317 24 June 2021: Wouter
1318 - Add analyzer and port compile github workflow.
1320 23 June 2021: Wouter
1321 - Fix #503: DNS over HTTPS response truncated.
1322 - Fix warnings reported by the gcc analyzer.
1324 21 June 2021: George
1325 - Fix #495: Documentation or implementation of "verbosity" option.
1327 18 June 2021: Wouter
1328 - Fix a number of warnings reported by the gcc analyzer.
1330 15 June 2021: George
1331 - Merge #440 by kimheino: Various fixes to contrib/unbound_munin_ file.
1333 14 June 2021: Wouter
1334 - Fix configure nonblocking test and onmingw test to use host.
1336 10 June 2021: Wouter
1337 - Fix #500: SPEC file in version 1.13.1 references version 1.4;
1338 unable to build RPM from source.
1339 - Fix contrib/unbound.spec, fixed url and comment.
1342 - Merge #486 by fobster: Make VAL_MAX_RESTART_COUNT configurable.
1343 - Generated lexer and parser for #486; updated example.conf.
1344 - Fix #413 (based on patch by k-ronny): unbound: does not compile
1345 on macOS 11.1-x86_64 host.
1346 - Use host_os instead of target_os in configure for Darwin8 build.
1349 - Fix unused variable warning when compiling with --enable-dnstap.
1352 - Merge #448 from shoeper: Update unbound-control.8.in, fix
1354 - Fix #425: Document auth-zone supports communication with DNS
1355 primary on nondefault port.
1358 - Fix test for zonemd-check option.
1361 - Merge #496 from banburybill: Use build system endianness if
1362 available, otherwise try to work it out.
1363 - zonemd-check: yesno option, default no, enables the processing
1364 of ZONEMD records for that zone.
1367 - Move the NSEC3 max iterations count in line with the 150 value
1368 used by BIND, Knot and PowerDNS. This sets the default value
1369 for it in the configuration to 150 for all key sizes.
1370 - Fix #492: module-config respip missing in unbound.conf.5.in man
1371 page. Merges #494 from he32.
1372 - For #492: Fix font highlighting for the man page on emacs.
1375 - Test code has -q option for quiet output.
1378 - Fix for #411, #439, #469: Reset the DNS message ID when moving queries
1379 between TCP streams.
1380 - Refactor for uniform way to produce random DNS message IDs.
1383 - Fix #489: Compile using MSYS2 MinGW 64-bit.
1386 - Fix that auth-zone zonefiles use last TTL if no TTL is specified.
1389 - Merge PR #487: ifdef RLIMIT_AS in recently added check.
1392 - Fix #485: Unbound occasionally reports broken stats.
1393 - Add ./configure --with-deprecate-rsa-1024 that turns off RSA 1024.
1394 - Remove case fallthrough from deprecate-rsa-1024 code.
1397 - Fix for #367: only attempt to get the interface for queries that are no
1398 longer on the tcp_waiting_list.
1399 - Add more logging for out-of-memory cases.
1402 - Merge #478: Allow configuration of TCP timeout while waiting for
1404 - Fix to squelch tcp socket bind failures when the interface is gone.
1405 - Rerun flex and bison.
1408 - Fix #481: Fix comment in configuration file.
1410 29 April 2021: Wouter
1411 - Add that log-servfail prints an IP address and more information
1412 about one of the last failures for that query.
1414 28 April 2021: George
1415 - Fix compiler warning for signed/unsigned comparison for
1416 max_reuse_tcp_queries.
1418 28 April 2021: Wouter
1419 - Fix #474: always_null and others inside view.
1421 26 April 2021: Wouter
1422 - Merge #470 from edevil: Allow configuration of persistent TCP
1425 22 April 2021: Wouter
1426 - Merge #466 from FGasper: Support OpenSSLs that lack
1427 SSL_get0_alpn_selected.
1428 - Fix #468: OpenSSL 1.0.1 can no longer build Unbound.
1429 - Further fix for #468: detect SSL_CTX_set_alpn_protos for build with
1431 - Fix that testcode dohclient has OpenSSL initialisation calls.
1433 13 April 2021: George
1434 - Fix documentation comment for files previously residing in checkconf/.
1435 - Remove unused functions worker_handle_reply and libworker_handle_reply.
1437 13 April 2021: Wouter
1438 - Fix that nxdomain synthesis does not happen above the stub or
1441 12 April 2021: George
1442 - Fix (increase) verbosity level for iterator error log in
1443 processQueryTargets().
1445 12 April 2021: Wouter
1446 - Fix permission denied sendto log, squelch the log messages
1447 unless high verbosity is set.
1449 9 April 2021: Wouter
1450 - rebuild configure to set EXTRALINK to libunbound.la for #460.
1452 7 April 2021: Wouter
1453 - Fix for #411: Depth protect for crash on deleted element timeout.
1455 1 April 2021: Wouter
1456 - Merge #460 from orbea: build: Link with the libtool archive.
1457 - Fix to stop IPv6 PMTU discovery.
1459 31 March 2021: George
1460 - Clean makedist.sh.
1462 31 March 2021: Wouter
1463 - Fix stack-protector change to not override other CFLAGS options.
1465 30 March 2021: George
1466 - Disable the use of stack-protector for cross compiled 32-bit windows
1467 builds; relates to #444.
1469 25 March 2021: Wouter
1470 - Fix #429: Also fix end of transfer for http download of auth zones.
1472 24 March 2021: Wouter
1473 - Fix deprecation test to work for iOS TVOS and WatchOS, it uses
1474 CFLAGS and CPPFLAGS and also checks if the item is unavailable.
1475 - Travis, fix script to fail when tasks fail.
1476 - Travis, fix warning in ubsan compile.
1477 - Fix configure Targetconfiditionals.h header check, to use compile.
1478 - Fix that cachedb does not produce empty object files when disabled.
1480 23 March 2021: Wouter
1481 - Travis enable all tests again. Clang analyzer only a couple times,
1482 when there is a difference. homebrew updates disabled, so it does
1483 not hang. removed trailing slashes from configure paths. Moved iOS
1484 tests to allow-failure.
1485 - travis, analyzer disabled on test without debug, that does not
1486 run anway. Turn off failing tests except one. Update iOS test
1487 to xcode image 12.2.
1489 22 March 2021: George
1490 - Fix unused-function warning when compiling with --enable-dnscrypt.
1491 - Fix for #367: fix memory leak when cannot bind to listening port.
1492 - Reformat pythonmod/pythonmod_utils.{c,h}.
1494 22 March 2021: Wouter
1495 - Merge #449 from orbea: build: Add missing linker flags.
1496 - iana portlist update.
1497 - Comment out nonworking OSX and IOS travis tests, vm fails to start.
1498 - Fix compile error in listen_dnsport on Android.
1499 - Fix memory leak reported by asan in rpz SOA record query name.
1501 19 March 2021: Wouter
1502 - Fix for #447: squelch connection refused tcp connection failures
1503 from the log, unless verbosity is high.
1505 17 March 2021: Wouter
1506 - Fix #441: Minimal NSEC range not accepted for top level domains.
1508 11 March 2021: Wouter
1509 - Fix parse of LOC RR type for decimetres.
1511 5 March 2021: Wouter
1512 - Workaround for #439: prevent loops in the reuse rbtree.
1513 - Debug output for #411 and #439: printout internal error and details.
1515 4 March 2021: Wouter
1516 - iana portlist update.
1517 - Fix spurious errors about "Could not generate request: out of
1518 memory". The mesh detect cycle routine no longer wrongly stops
1519 the check when the calling mesh state is unique.
1521 26 February 2021: George
1522 - Fix for #367: rc_ports don't have ub_sock; skip cleaning up.
1524 26 February 2021: Wouter
1525 - Fix: Resolve interface names on control-interface too.
1527 25 February 2021: Wouter
1528 - Merge PR #367 : DNSTAP log local address. With code from PR #365
1529 and fixes #368 : dnstap does not log the DNS message ID for
1531 - Fix to allow rpz with wildcard that applies to all TLDs at once.
1533 24 February 2021: George
1534 - Fix #384: (1) A minor request to improve the log (2) A minor bug in one
1536 - ipsecmod: Better logging for detecting a cycle when attaching the
1539 24 February 2021: Wouter
1540 - On startup of unbound it checks if rlimits on memory size look
1541 sufficient for the configured cache size, and logs warning if not.
1542 - Fix function documentation.
1543 - Fix unit test for added ulimit checks.
1544 - spelling fix in header.
1546 23 February 2021: Wouter
1547 - Fix for zonemd, that domain-insecure zones work without dnssec.
1548 - Fix for zonemd, do not reject insecure result from trust anchor
1549 validation step in dnssec chain of trust.
1551 22 February 2021: Wouter
1552 - Fix #431: Squelch permission denied errors for tcp connect
1553 and udp connect from the logs, unless at high verbosity.
1554 - Fix for zonemd, that nxdomain for the chain of trust is allowed
1555 for island zones, it is treated as an insecure zone for verification.
1557 18 February 2021: Wouter
1558 - Merge PR #317: ZONEMD Zone Verification, with RFC 8976 support.
1559 ZONEMD records are checked for zones loaded as auth-zone,
1560 with DNSSEC if available. There is an added option
1561 zonemd-permissive-mode that makes it log but not fail wrong zones.
1562 With zonemd-reject-absence for an auth-zone the presence of a
1563 zonemd can be mandated for specific zones.
1564 - Fix doxygen and pydoc warnings.
1565 - Fix #429: rpz: url: with https: broken (regression in 1.13.1).
1566 - rpz skip nsec3param records, and nicer log for unsupported actions.
1568 15 February 2021: Wouter
1569 - Fix #422: IPv6 fallback issues when IPv6 is not properly
1571 - Fix to make tests work with support indicators set for iterator.
1572 - Fix build on Python 3.10.
1574 10 February 2021: Wouter
1575 - Merge PR #420 from dyunwei: DOH not responsing with
1576 "http2_query_read_done failure" logged.
1578 9 February 2021: Wouter
1579 - Fix for Python 3.9, no longer use deprecated functions of
1580 PyEval_CallObject (now PyObject_Call), PyEval_InitThreads (now
1581 none), PyParser_SimpleParseFile (now Py_CompileString).
1583 4 February 2021: Wouter
1584 - release 1.13.1rc2 tag on branch-1.13.1 with added changes of 2 feb.
1585 This became 1.13.1 release tag on 9 feb. The main branch is set
1588 2 February 2021: Wouter
1589 - branch-1.13.1 is created, with release-1.13.1rc1 tag.
1590 - Fix dynlibmod link on rhel8 for -ldl inclusion.
1591 - Fix windows dependency on libssp.dll because of default stack
1593 - Fix indentation of root anchor for use by windows install script.
1595 1 February 2021: George
1596 - Attempt to fix NULL keys in the reuse_tcp tree; relates to #411.
1598 29 January 2021: Wouter
1599 - Fix for doxygen 1.8.20 compatibility.
1601 28 January 2021: Wouter
1602 - Annotate that we ignore the return value of if_indextoname.
1603 - Fix to use correct type for label count in rpz routine.
1604 - Fix empty clause warning in config_file nsid parse.
1605 - Fix to use correct type for label count in ipdnametoaddr rpz routine.
1606 - Fix empty clause warning in edns pass for padding.
1607 - Fix fwd ancil test post script when not supported.
1609 26 January 2021: George
1610 - Merge PR #408 from fobser: Prevent a few more yacc clashes.
1611 - Merge PR #275 from Roland van Rijswijk-Deij: Add feature to return the
1612 original instead of a decrementing TTL ('serve-original-ttl')
1613 - Merge PR #355 from noloader: Make ICANN Update CA and DS Trust Anchor
1615 - Ignore cache blacklisting when trying to reply with expired data from
1618 26 January 2021: Wouter
1619 - Fix compile of unbound-dnstap-socket without dnstap installed.
1621 22 January 2021: Willem
1622 - Padding of queries and responses with DNS over TLS as specified in
1623 RFC7830 and RFC8467.
1625 22 January 2021: George
1626 - Fix TTL of SOA record for negative answers (localzone and
1627 authzone data) to be the minimum of the SOA TTL and the SOA.MINIMUM.
1629 19 January 2021: Willem
1630 - Support for RFC5001: DNS Name Server Identifier (NSID) Option
1631 with the nsid: option in unbound.conf
1633 18 January 2021: Wouter
1634 - Fix #404: DNS query with small edns bufsize fail.
1635 - Fix declaration before statement and signed comparison warning in
1638 15 January 2021: Wouter
1639 - Merge #402 from fobser: Implement IPv4-Embedded addresses according
1642 14 January 2021: Wouter
1643 - Fix for #93: dynlibmodule import library is named libunbound.dll.a.
1645 13 January 2021: Wouter
1646 - Merge #399 from xiangbao227: The lock of lruhash table should
1647 unlocked after markdel entry.
1648 - Fix for #93: dynlibmodule link fix for Windows.
1650 12 January 2021: Wouter
1651 - Fix #397: [Feature request] add new type always_null to local-zone
1652 similar to always_nxdomain.
1653 - Fix so local zone types always_nodata and always_deny can be used
1654 from the config file.
1656 8 January 2021: Wouter
1657 - Merge PR #391 from fhriley: Add start_time to reply callbacks so
1658 modules can compute the response time.
1659 - For #391: use struct timeval* start_time for callback information.
1660 - For #391: fix indentation.
1661 - For #391: more double casts in python start time calculation.
1662 - Add comment documentation.
1663 - Fix clang analysis warning.
1665 6 January 2021: Wouter
1666 - Fix #379: zone loading over HTTP appears to have buffer issues.
1667 - Merge PR #395 from mptre: add missing null check.
1668 - Fix #387: client-subnet-always-forward seems to effectively bypass
1671 5 January 2021: Wouter
1672 - Fix #385: autoconf 2.70 impacts unbound build
1673 - Merge PR #375 by fhriley: Add rpz_enable and rpz_disable commands
1676 4 January 2021: Wouter
1677 - For #376: Fix that comm point event is not double removed or double
1679 - iana portlist updated.
1681 16 December 2020: George
1682 - Fix error cases when udp-connect is set and send() returns an error
1683 (modified patch from Xin Li @delphij).
1685 11 December 2020: Wouter
1686 - Fix #371: unbound-control timeout when Unbound is not running.
1687 - Fix to squelch permission denied and other errors from remote host,
1688 they are logged at higher verbosity but not on low verbosity.
1689 - Merge PR #335 from fobser: Sprinkle in some static to prevent
1690 missing prototype warnings.
1691 - Merge PR #373 from fobser: Warning: arithmetic on a pointer to void
1693 - Fix missing prototypes in the code.
1695 3 December 2020: Wouter
1697 - iana portlist updated.
1699 2 December 2020: Wouter
1700 - Fix #360: for the additionally reported TCP Fast Open makes TCP
1701 connections fail, in that case we print a hint that this is
1702 happening with the error in the logs.
1703 - Fix #356: deadlock when listening tcp.
1704 - Fix unbound-dnstap-socket to not use log routine from interrupt
1705 handler and not print so frequently when invoked in sequence.
1706 - Fix on windows to ignore connection failure on UDP, unless verbose.
1707 - Fix for #283: fix stream reuse and tcp fast open.
1708 - Fix update, with write event check with streamreuse and fastopen.
1710 1 December 2020: Wouter
1711 - Fix #358: Squelch udp connect 'no route to host' errors on low
1714 30 November 2020: Wouter
1715 - Fix assertion failure on double callback when iterator loses
1716 interest in query at head of line that then has the tcp stream
1718 - tag for the 1.13.0rc4 release. This also became the 1.13.0
1719 release version on 3 dec 2020 with the streamreuse and fastopen
1720 fix from 2 dec 2020. The code repo continues for 1.13.1 in
1723 27 November 2020: Wouter
1724 - Fix compile warning for type cast in http2_submit_dns_response.
1725 - Fix when use free buffer to initialize rbtree for stream reuse.
1726 - Fix compile warnings for windows.
1727 - Fix compile warnings in rpz initialization.
1728 - Fix contrib/metrics.awk for FreeBSD awk compatibility.
1729 - tag for the 1.13.0rc3 release.
1731 26 November 2020: Wouter
1732 - Fix to omit UDP receive errors from log, if verbosity low.
1733 These happen because of udp-connect.
1734 - For #352: contrib/metrics.awk for Prometheus style metrics output.
1735 - Fix that after failed read, the readagain cannot activate.
1736 - Clear readagain upon decommission of pending tcp structure.
1738 25 November 2020: Wouter
1739 - with udp-connect ignore connection refused with UDP timeouts.
1740 - Fix udp-connect on FreeBSD, do send calls on connected UDP socket.
1741 - Better fix for reuse tree comparison for is-tls sockets. Where
1742 the tree key identity is preserved after cleanup of the TLS state.
1743 - Remove debug commands from reuse tests.
1744 - Fix memory leak for edns client tag opcode config element.
1745 - Attempt fix for libevent state in tcp reuse cases after a packet
1747 - Fix readagain and writeagain callback functions for comm point
1749 - tag for the 1.13.0rc2 release.
1751 24 November 2020: Wouter
1752 - Merge PR #283 : Stream reuse. This implements upstream stream
1753 reuse for performing several queries over the same TCP or TLS
1755 - set version of main branch to 1.13.0 for upcoming release.
1756 - iana portlist updated.
1757 - Fix one port unit test for udp-connect.
1758 - tag for the 1.13.0rc1 release.
1759 - Fix crash when TLS connection is closed prematurely, when
1760 reuse tree comparison is not properly identical to insertion.
1761 - Fix padding of struct regional for 32bit systems.
1763 23 November 2020: George
1764 - Merge PR #313 from Ralph Dolmans: Replace edns-client-tag with
1765 edns-client-string option.
1767 23 November 2020: Wouter
1768 - Merge #351 from dvzrv: Add AF_NETLINK to set of allowed socket
1770 - Fix #350: with the AF_NETLINK permission, to fix 1.12.0 error:
1771 failed to list interfaces: getifaddrs: Address family not
1772 supported by protocol.
1773 - Fix #347: IP_DONTFRAG broken on Apple xcode 12.2.
1774 - Option to toggle udp-connect, default is enabled.
1775 - Fix for #303 CVE-2020-28935 : Fix that symlink does not interfere
1776 with chown of pidfile.
1777 - Further fix for it and retvalue 0 fix for it.
1779 12 November 2020: Wouter
1780 - Fix to connect() to UDP destinations, default turned on,
1781 this lowers vulnerability to ICMP side channels.
1782 - Retry for interfaces with unused ports if possible.
1784 10 November 2020: Wouter
1785 - Fix #341: fixing a possible memory leak.
1786 - Fix memory leak after fix for possible memory leak failure.
1787 - Fix #343: Fail to build --with-libnghttp2 with error: 'SSIZE_MAX'
1790 27 October 2020: Wouter
1791 - In man page note that tls-cert-bundle is read before permission
1794 22 October 2020: Wouter
1795 - Fix #333: Unbound Segmentation Fault w/ log_info Functions From
1797 - Fix that minimal-responses does not remove addresses from a priming
1800 21 October 2020: George
1801 - Fix #327: net/if.h check fails on some darwin versions; contribution by
1803 - Fix #320: potential memory corruption due to size miscomputation upton
1804 custom region alloc init.
1806 21 October 2020: Wouter
1807 - Merge PR #228 : infra-keep-probing option to probe hosts that are
1808 down. Add infra-keep-probing: yes option. Hosts that are down are
1809 probed more frequently.
1810 With the option turned on, it probes about every 120 seconds,
1811 eventually after exponential backoff, and that keeps that way. If
1812 traffic keeps up for the domain. It probes with one at a time, eg.
1813 one query is allowed to probe, other queries within that 120 second
1814 interval are turned away.
1816 19 October 2020: George
1817 - Merge PR #324 from James Renken: Add modern X.509v3 extensions to
1818 unbound-control TLS certificates.
1819 - Fix for PR #324 to attach the x509v3 extensions to the client
1822 19 October 2020: Ralph
1823 - local-zone regional allocations outside of chunk
1825 19 October 2020: Wouter
1826 - Fix that http settings have colon in set_option, for
1827 http-endpoint, http-max-streams, http-query-buffer-size,
1828 http-response-buffer-size, and http-nodelay.
1829 - Fix memory leak of https port string when reading config.
1830 - Fix #330: [Feature request] Add unencrypted DNS over HTTPS support.
1831 This adds the option http-notls-downstream: yesno to change that,
1832 and the dohclient test code has the -n option.
1833 - Fix python documentation warning on functions.rst inplace_cb_reply.
1834 - Fix dnstap test to wait for log timer to see if queries are logged.
1835 - Log ip address when http session recv fails, eg. due to tls fail.
1836 - Fix to set the tcp handler event toggle flag back to default when
1837 the handler structure is reused.
1838 - Clean the fix for out of order TCP processing limits on number
1839 of queries. It was tested to work.
1841 16 October 2020: Wouter
1842 - Fix that the out of order TCP processing does not limit the
1843 number of outstanding queries over a connection.
1845 15 October 2020: George
1846 - Fix that if there are reply callbacks for the given rcode, those
1847 are called per reply and a new message created if that was modified
1849 - Pass the comm_reply information to the inplace_cb_reply* functions
1850 during the mesh state and update the documentation on that.
1852 15 October 2020: Wouter
1853 - Merge PR #326 from netblue30: DoH: implement content-length
1855 - DoH content length, simplify code, remove declaration after
1856 statement and fix cast warning.
1858 14 October 2020: Wouter
1859 - Fix for python reply callback to see mesh state reply_list member,
1860 it only removes it briefly for the commpoint call so that it does
1861 not drop it and attempt to modify the reply list during reply.
1862 - Fix that if there are on reply callbacks, those are called per
1863 reply and a new message created if that was modified by the call.
1864 - Free up auth zone parse region after use for lookup of host
1866 13 October 2020: Wouter
1867 - Fix #323: unbound testsuite fails on mock build in systemd-nspawn
1868 if systemd support is build.
1870 9 October 2020: Wouter
1871 - Fix dnstap socket and the chroot not applied properly to the dnstap
1873 - Fix warning in libnss compile, nss_buf2dsa is not used without DSA.
1875 8 October 2020: Wouter
1876 - Tag for 1.12.0 release.
1877 - Current repo is version 1.12.1 in development.
1878 - Fix #319: potential memory leak on config failure, in rpz config.
1880 1 October 2020: Wouter
1881 - Current repo is version 1.12.0 for release. Tag for 1.12.0rc1.
1883 30 September 2020: Wouter
1884 - Fix doh tests when not compiled in.
1885 - Add dohclient test executable to gitignore.
1886 - Fix stream_ssl, ssl_req_order and ssl_req_timeout tests for
1887 alloc check debug output.
1888 - Easier kill of unbound-dnstap-socket tool in test.
1889 - Fix memory leak of edns tags at libunbound context delete.
1890 - Fix double loopexit for unbound-dnstap-socket after sigterm.
1892 29 September 2020: Ralph
1893 - DNS Flag Day 2020: change edns-buffer-size default to 1232.
1895 28 September 2020: Wouter
1896 - Fix unit test for dnstap changes, so that it waits for the timer.
1898 23 September 2020: Wouter
1899 - Fix #305: dnstap logging significantly affects unbound performance
1900 (regression in 1.11).
1901 - Fix #305: only wake up thread when threshold reached.
1902 - Fix to ifdef fptr wlist item for dnstap.
1904 23 September 2020: Ralph
1905 - Fix edns-client-tags get_option typo
1906 - Add edns-client-tag-opcode option
1907 - Use inclusive language in configuration
1909 21 September 2020: Ralph
1910 - Fix #304: dnstap logging not recovering after dnstap process restarts
1912 21 September 2020: Wouter
1913 - Merge PR #311 by luismerino: Dynlibmod leak.
1914 - Error message is logged for dynlibmod malloc failures.
1915 - iana portlist updated.
1917 18 September 2020: Wouter
1918 - Fix that prefer-ip4 and prefer-ip6 can be get and set with
1919 unbound-control, with libunbound and the unbound-checkconf option
1921 - iana portlist updated.
1923 15 September 2020: George
1924 - Introduce test for statistics.
1926 15 September 2020: Wouter
1929 11 September 2020: Wouter
1930 - Remove x file mode on ipset/ipset.c and h files.
1932 9 September 2020: Wouter
1933 - Fix num.expired statistics output.
1935 31 August 2020: Wouter
1936 - Merge PR #293: Add missing prototype. Also refactor to use the new
1937 shorthand function to clean up the code.
1938 - Refactor to use sock_strerr shorthand function.
1939 - Fix #296: systemd nss-lookup.target is reached before unbound can
1940 successfully answer queries. Changed contrib/unbound.service.in.
1942 27 August 2020: Wouter
1943 - Similar to NSD PR#113, implement that interface names can be used,
1944 eg. something like interface: eth0 is resolved at server start and
1945 uses the IP addresses for that named interface.
1946 - Review fix, doxygen and assign null in case of error free.
1948 26 August 2020: George
1949 - Update documentation in python example code.
1951 24 August 2020: Wouter
1952 - Fix that dnstap reconnects do not spam the log with the repeated
1953 attempts. Attempts on the timer are only logged on high verbosity,
1954 if they produce a connection failure error.
1955 - Fix to apply chroot to dnstap-socket-path, if chroot is enabled.
1956 - Change configure to use EVP_sha256 instead of HMAC_Update for
1959 20 August 2020: Ralph
1960 - Fix stats double count issue (#289).
1962 13 August 2020: Ralph
1963 - Create and init edns tags data for libunbound.
1965 10 August 2020: Ralph
1966 - Merge (modified) PR #277, use EVP_MAC_CTX_set_params if available,
1969 10 August 2020: Wouter
1970 - Fix #287: doc typo: "Additionaly".
1973 6 August 2020: Wouter
1974 - Merge PR #284 and Fix #246: Remove DLV entirely from Unbound.
1975 The DLV has been decommisioned and in unbound 1.5.4, in 2015, there
1976 was advise to stop using it. The current code base does not contain
1977 DLV code any more. The use of dlv options displays a warning.
1979 5 August 2020: Wouter
1980 - contrib/aaaa-filter-iterator.patch file renewed diff content to
1981 apply cleanly to the current coderepo for the current code version.
1983 5 August 2020: Ralph
1984 - Merge PR #272: Add EDNS client tag functionality.
1986 4 August 2020: George
1987 - Improve error log message when inserting rpz RR.
1988 - Merge PR #280, Make tvOS & watchOS checks verify truthiness as well as
1989 definedness, by Felipe Gasper.
1991 4 August 2020: Wouter
1992 - Fix mini_event.h on OpenBSD cannot find fd_set.
1994 31 July 2020: Wouter
1995 - Fix doxygen comment for no ssl for tls session ticket key callback
1998 27 July 2020: George
1999 - Merge PR #268, draft-ietf-dnsop-serve-stale-10 has become RFC 8767 on
2000 March 2020, by and0x000.
2003 - Merge PR #269, Fix python module len() implementations, by Torbjörn
2006 27 July 2020: Wouter
2007 - branch now named 1.11.1. 1.11.0rc1 became the 1.11.0 release.
2008 - Merge PR #270 from cgzones: munin plugin: always exit 0 in autoconf
2010 20 July 2020: Wouter
2011 - Fix streamtcp to print packet data to stdout. This makes the
2012 stdout and stderr not mix together lines, when parsing its output.
2013 - Fix contrib/fastrpz.patch to apply cleanly. It fixes for changes
2014 due to added libdynmod, but it does not compile, it conflicts with
2016 - branch now named 1.11.0 and 1.11.0rc1 tag.
2018 17 July 2020: Wouter
2019 - Fix libnettle compile for session ticket key callback function
2021 - Fix lock dependency cycle in rpz zone config setup.
2024 - Merge PR #234 - Ensure proper alignment of cmsg buffers by Jérémie
2026 - Fix PR #234 log_assert sizeof to use union buffer.
2028 16 July 2020: Wouter
2029 - Fix check conf test for referencing installation paths.
2030 - Fix unused variable warning for clang analyzer.
2032 16 July 2020: George
2033 - Introduce 'include-toplevel:' configuration option.
2036 - Add bidirectional frame streams support.
2039 - Fix add missing DSA header, for compilation without deprecated
2041 - Fix to use SSL_CTX_set_tlsext_ticket_key_evp_cb in OpenSSL
2043 - Longer keys for the test set, this avoids weak crypto errors.
2046 - Fix #259: Fix unbound-checkconf does not check view existence.
2047 unbound-checkconf checks access-control-view, access-control-tags,
2048 access-control-tag-actions and access-control-tag-datas.
2049 - Fix offset of error printout for access-control-tag-datas.
2050 - Review fixes for checkconf #259 change.
2053 - run_vm cleanup better and removes trailing slash on single argument.
2055 29 June 2020: Wouter
2056 - Move reply list clean for serve expired mesh callback to after
2057 the reply is sent, so that script callbacks have reply_info.
2058 - Also move reply list clean for mesh callbacks to the scrip callback
2059 can see the reply_info.
2060 - Fix for mesh accounting if the reply list already empty to begin
2062 - Fix for mesh accounting when rpz decides to drop a reply with a
2063 tcp stream waiting for it.
2064 - Review fix for number of detached states due to use of variable
2066 - Fix tcp req info drop due to size call into mesh accounting
2067 removal of mesh state during mesh send reply.
2069 24 June 2020: Wouter
2070 - iana portlist updated.
2071 - doxygen file comments for dynlibmodule.
2073 17 June 2020: Wouter
2074 - Fix default explanation in man page for qname-minimisation-strict.
2075 - Fix display of event loop method with libev.
2078 - Mention tls name possible when tls is enabled for stub-addr in the
2082 - Merge PR #241 by Robert Edmonds: contrib/libunbound.pc.in: Do not use
2086 - Update contrib/aaaa-filter-iterator.patch for the recent
2087 generate_sub_request() change and to apply cleanly.
2090 - Fix for integer overflow when printing RDF_TYPE_TIME.
2093 - CVE-2020-12662 Unbound can be tricked into amplifying an incoming
2094 query into a large number of queries directed to a target.
2095 - CVE-2020-12663 Malformed answers from upstream name servers can be
2096 used to make Unbound unresponsive.
2097 - Release 1.10.1 is 1.10.0 with fixes, code repository continues,
2098 including those fixes, towards the next release. Configure has
2099 version 1.10.2 version number in it.
2100 - For PR #93: windows compile warnings removal
2101 - windows compile warnings removal for ip dscp option code.
2102 - For PR #93: unit test for dynlib module.
2105 - For PR #93: dynlibmod can handle reloads and deinit and inits again,
2106 with dlclose and dlopen of the library again. Also for multiple
2107 modules. Fix memory leak by not closing dlopened content. Fix
2108 to allow one dynlibmod instance by unbound-checkconf.
2109 - For PR #93: checkconf allows multiple dynlib in module-config, for
2111 - For PR #93: checkconf allows python dynlib in module-config, for
2113 - For PR #93: man page spelling reference fix.
2114 - For PR #93: fix link of other executables for dynlibmod dependency.
2117 - Merge PR #93: Add dynamic library support.
2118 - Fixed conflicts for PR #93 and make configure, yacc, lex.
2119 - For PR #93: Fix warnings for dynlibmodule.
2122 - Cache ECS answers with longest scope of CNAME chain.
2124 22 April 2020: George
2125 - Explicitly use 'rrset-roundrobin: no' for test cases.
2127 21 April 2020: Wouter
2128 - Merge #225 from akhait: KSK-2010 has been revoked. It removes the
2129 KSK-2010 from the default list in unbound-anchor, now that the
2130 revocation period is over. KSK-2017 is the only trust anchor in
2131 the shipped default now.
2133 21 April 2020: George
2134 - Change default value for 'rrset-roundrobin' to yes.
2135 - Fix tests for new rrset-roundrobin default.
2137 20 April 2020: Wouter
2138 - Fix #222: --enable-rpath, fails to rpath python lib.
2139 - Fix for count of reply states in the mesh.
2140 - Remove unneeded was_mesh_reply check.
2142 17 April 2020: George
2143 - Add SNI support on more TLS connections (fixes #193).
2144 - Add SNI support to unbound-anchor.
2146 16 April 2020: George
2147 - Add doxygen documentation for DSCP.
2149 16 April 2020: Wouter
2150 - Fix help return code in unbound-control-setup script.
2151 - Fix for posix shell syntax for trap in nsd-control-setup.
2152 - Fix for posix shell syntax for trap in run_msg.sh test script.
2154 15 April 2020: George
2155 - Fix #220: auth-zone section in config may lead to segfault.
2157 7 April 2020: Wouter
2158 - Merge PR #214 from gearnode: unbound-control-setup recreate
2159 certificates. With the -r option the certificates are created
2160 again, without it, only the files that do not exist are created.
2163 - Keep track of number of timeouts. Use this counter to determine if
2164 capsforid fallback should be started.
2166 6 April 2020: George
2167 - More documentation for redis-expire-records option.
2169 1 April 2020: George
2170 - Merge PR #206: Redis TTL, by Talkabout.
2172 30 March 2020: Wouter
2173 - Merge PR #207: Clarify if-automatic listens on 0.0.0.0 and ::
2174 - Merge PR #208: Fix uncached CLIENT_RESPONSE'es on stateful
2177 27 March 2020: Wouter
2178 - Merge PR #203 from noloader: Update README-Travis.md with current
2181 27 March 2020: Ralph
2182 - Make unbound-control error returned on missing domain name more user
2185 26 March 2020: Ralph
2186 - Fix RPZ concurrency issue when using auth_zone_reload.
2188 25 March 2020: George
2189 - Merge PR #201 from noloader: Fix OpenSSL cross-compaile warnings.
2192 24 March 2020: Wouter
2193 - Merge PR #200 from yarikk: add ip-dscp option to specify the DSCP
2194 tag for outgoing packets.
2196 - Travis fix for ios by omitting tools from install.
2198 23 March 2020: Wouter
2199 - Fix compile on Solaris for unbound-checkconf.
2201 20 March 2020: George
2202 - Merge PR #198 from fobser: Declare lz_enter_rr_into_zone() static, it's
2203 only used in this file.
2205 20 March 2020: Wouter
2206 - Merge PR #197 from fobser: Make log_ident_revert_to_default() a
2209 19 March 2020: Ralph
2210 - Merge PR#191: Update iOS testing on Travis, by Jeffrey Walton.
2211 - Fix #158: open tls-session-ticket-keys as binary, for Windows. By
2213 - Merge PR#134, Allow the kernel to provide random source ports. By
2215 - Log warning when using outgoing-port-permit and outgoing-port-avoid
2216 while explicit port randomisation is disabled.
2217 - Merge PR#194: Add libevent testing to Travis, by Jeffrey Walton.
2218 - Fix .travis.yml error, missing 'env' option.
2220 16 March 2020: Wouter
2221 - Fix #192: In the unbound-checkconf tool, the module config of
2222 dns64 subnetcache respip validator iterator is whitelisted, it was
2223 reported it seems to work.
2225 12 March 2020: Wouter
2226 - Fix compile of test tools without protobuf.
2228 11 March 2020: Ralph
2229 - Add check to make sure RPZ records are subdomains of configured
2232 11 March 2020: George
2233 - Fix #189: mini_event.h:142:17: error: field 'ev_timeout' has incomplete
2235 - Changelog entry for (Fix #189, Merge PR #190).
2237 11 March 2020: Wouter
2238 - Fix #188: unbound-control.c:882:6: error: 'execlp' is
2239 unavailable: not available on tvOS.
2241 6 March 2020: George
2242 - Merge PR #186, fix #183: Fix unrecognized 'echo -n' option on OS X, by
2245 5 March 2020: Wouter
2246 - Fix PR #182 from noloader: Add iOS testing to Travis.
2249 - Update README-Travis.md (from PR #179), by Jeffrey Walton.
2251 4 March 2020: George
2252 - Merge PR #181 from noloader: Fix OpenSSL -pie warning on Android.
2254 4 March 2020: Wouter
2255 - Merge PR #180 from noloader: Avoid calling exit in Travis script.
2257 3 March 2020: George
2258 - Upgrade config.guess(2020-01-01) and config.sub(2020-01-01).
2261 - Fix #175, Merge PR #176: fix link error when OpenSSL is configured
2262 with no-engine, thanks noloader.
2264 2 March 2020: George
2265 - Fix compiler warning in dns64/dns64.c
2266 - Merge PR #174: Add Android to Travis testing, by noloader.
2267 - Move android build scripts to contrib/ and allow android tests to fail.
2269 2 March 2020: Wouter
2270 - Fix #177: dnstap does not build on macOS.
2272 28 February 2020: Ralph
2273 - Merge PR #172: Add IBM s390x arch for testing, by noloader.
2275 28 February 2020: Wouter
2276 - Merge PR #173: updated makedist.sh for config.guess and
2277 config.sub and sha256 digest for gpg, by noloader.
2278 - Merge PR #164: Framestreams, this branch implements dnstap
2279 unidirectional connectivity in unbound. This has a number of
2282 The dependency on libfstrm is removed. The fstrm protocol code
2283 resides in dnstap/dnstap_fstrm.h and dnstap/dnstap_fstrm.c. This
2284 contains a brief definition of what unbound needs.
2286 The make unbound-dnstap-socket builds a debug tool,
2287 unbound-dnstap-socket. It can listen, accept multiple DNSTAP
2288 streams and print information. Commandline options control it.
2290 Unbound can reconnect if the unix domain socket file socket is
2291 closed. This uses exponential backoff after which it uses a
2292 one second timer to throttle cpu down. There is also support
2293 to use TCP and TLS for connecting to the log server. There
2294 are new config options to turn them on, in the dnstap section
2295 in the man page and example config file. dnstap-ip with IP
2296 address of server for TCP or TLS use. dnstap-tls to turn
2297 on TLS. And dnstap-tls-server-name, dnstap-tls-cert-bundle,
2298 dnstap-tls-client-key-file and dnstap-tls-client-cert-file
2299 to configure the certificates for server authentication and
2300 client authentication, or leave at "" to not use that.
2302 27 February 2020: George
2303 - Merge PR #171: Add additional compilers and platforms to Travis
2304 testing, by noloader.
2306 27 February 2020: Wouter
2307 - Fix #169: Fix warning for daemon/remote.c output may be truncated
2309 - Fix #170: Fix gcc undefined sanitizer signed integer overflow
2310 warning in signature expiry RFC1982 serial number arithmetic.
2311 - Fix more undefined sanitizer issues, in respip copy_rrset null
2312 dname, and in the client_info_compare routine for null memcmp.
2314 26 February 2020: Wouter
2315 - iana portlist updated.
2317 25 February 2020: Wouter
2318 - Fix #165: Add prefer-ip4: yesno config option to prefer ipv4 for
2319 using ipv4 filters, because the hosts ip6 netblock /64 is not owned
2320 by one operator, and thus reputation is shared.
2322 24 February 2020: George
2323 - Merge PR #166: Fix typo in unbound.service.in, by glitsj16.
2325 20 February 2020: Wouter
2326 - Updated contrib/unbound_smf23.tar.gz with Solaris SMF service for
2327 Unbound from Yuri Voinov.
2328 - master branch has 1.10.1 version.
2330 18 February 2020: Wouter
2331 - protect X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS with ifdef for
2332 different openssl versions.
2334 17 February 2020: Wouter
2335 - changelog point where the tag for 1.10.0rc2 release is. And with
2336 the unbound_smf23 commit added to it, that is the 1.10.0 release.
2338 17 February 2020: Ralph
2339 - Add respip to supported module-config options in unbound-checkconf.
2341 17 February 2020: George
2342 - Remove unused variable.
2344 17 February 2020: Wouter
2345 - contrib/drop2rpz: perl script that converts the Spamhaus DROP-List
2346 in RPZ-Format, contributed by Andreas Schulze.
2348 14 February 2020: Wouter
2349 - Fix spelling in unbound.conf.5.in.
2350 - Stop unbound-checkconf from insisting that auth-zone and rpz
2351 zonefiles have to exist. They can not exist, and download later.
2353 13 February 2020: Wouter
2354 - tag for 1.10.0rc1 release.
2356 12 February 2020: Wouter
2357 - Fix with libnettle make test with dsa disabled.
2358 - Fix contrib/fastrpz.patch to apply cleanly. Fix for serve-stale
2359 fixes, but it does not compile, conflicts with new rpz code.
2360 - Fix to clean memory leak of respip_addr.lock when ip_tree deleted.
2361 - Fix compile warning when threads disabled.
2362 - updated version number to 1.10.0.
2364 10 February 2020: George
2365 - Document 'ub_result.was_ratelimited' in libunbound.
2366 - Fix use after free on log-identity after a reload; Fixes #163.
2368 6 February 2020: George
2369 - Fix num_reply_states and num_detached_states counting with
2370 serve_expired_callback.
2371 - Cleaner code in mesh_serve_expired_lookup.
2372 - Document in unbound.conf manpage that configuration clauses can be
2373 repeated in the configuration file.
2375 6 February 2020: Wouter
2376 - Fix num_reply_addr counting in mesh and tcp drop due to size
2377 after serve_stale commit.
2378 - Fix to create and destroy rpz_lock in auth_zones structure.
2379 - Fix to lock zone before adding rpz qname trigger.
2380 - Fix to lock and release once in mesh_serve_expired_lookup.
2381 - Fix to put braces around empty if body when threading is disabled.
2383 5 February 2020: George
2384 - Added serve-stale functionality as described in
2385 draft-ietf-dnsop-serve-stale-10. `serve-expired-*` options can be used
2386 to configure the behavior.
2387 - Updated cachedb to honor `serve-expired-ttl`; Fixes #107.
2388 - Renamed statistic `num.zero_ttl` to `num.expired` as expired replies
2389 come with a configurable TTL value (`serve-expired-reply-ttl`).
2390 - Fixed stats when replying with cached, cname-aliased records.
2391 - Added missing default values for redis cachedb backend.
2393 3 February 2020: Ralph
2394 - Add assertion to please static analyzer
2396 31 January 2020: Wouter
2397 - Fix fclose on error in TLS session ticket code.
2399 30 January 2020: Ralph
2400 - Fix memory leak in error condition remote.c
2401 - Fix double free in error condition view.c
2402 - Fix memory leak in do_auth_zone_transfer on success
2403 - Merge RPZ support into master. Only QNAME and Response IP triggers are
2405 - Stop working on socket when socket() call returns an error.
2406 - Check malloc return values in TLS session ticket code
2408 30 January 2020: Wouter
2409 - Fix subnet tests for disabled DSA algorithm by default.
2410 - Update contrib/fastrpz.patch for clean diff with current code.
2411 - Merge PR#151: Fixes for systemd units, by Maryse47, Edmonds
2412 and Frzk. Updates the unbound.service systemd file and adds
2413 a portable systemd service file.
2414 - updated .gitignore for added contrib file.
2415 - Add build rule for ipset to Makefile
2416 - Add getentropy_freebsd.o to Makefile dependencies.
2418 29 January 2020: Ralph
2419 - Merge PR#156 from Alexander Berkes; Added unbound-control
2420 view_local_datas_remove command.
2422 29 January 2020: Wouter
2423 - Fix #157: undefined reference to `htobe64'.
2425 28 January 2020: Ralph
2426 - Merge PR#147; change rfc reference for reserved top level dns names.
2428 28 January 2020: Wouter
2429 - iana portlist updated.
2430 - Fix to silence the tls handshake errors for broken pipe and reset
2431 by peer, unless verbosity is set to 2 or higher.
2433 27 January 2020: Ralph
2434 - Merge PR#154; Allow use of libbsd functions with configure option
2435 --with-libbsd. By Robert Edmonds and Steven Chamberlain.
2436 - Merge PR#148; Add some TLS stats to unbound_munin_. By Fredrik Pettai.
2438 27 January 2020: Wouter
2439 - Merge PR#155 from Robert Edmonds: contrib/libunbound.pc.in: Fixes
2440 to Libs/Requires for crypto library dependencies.
2441 - Fix #153: Disable validation for DSA algorithms. RFC 8624
2444 23 January 2020: Wouter
2445 - Merge PR#150 from Frzk: Systemd unit without chroot. It add
2446 contrib/unbound_nochroot.service.in, a systemd file for use with
2447 chroot: "", see comments in the file, it uses systemd protections
2450 14 January 2020: Wouter
2451 - Removed the dnscrypt_queries and dnscrypt_queries_chacha tests,
2452 because dnscrypt-proxy (2.0.36) does not support the test setup
2453 any more, and also the config file format does not seem to have
2454 the appropriate keys to recreate that setup.
2455 - Fix crash after reload where a stats lookup could reference old key
2456 cache and neg cache structures.
2457 - Fix for memory leak when edns subnet config options are read when
2458 compiled without edns subnet support.
2459 - Fix auth zone support for NSEC3 records without salt.
2461 10 January 2020: Wouter
2462 - Fix the relationship between serve-expired and prefetch options,
2463 patch from Saksham Manchanda from Secure64.
2464 - Fix unreachable code in ssl set options code.
2466 8 January 2020: Ralph
2467 - Fix #138: stop binding pidfile inside chroot dir in systemd service
2470 8 January 2020: Wouter
2471 - Fix 'make test' to work for --disable-sha1 configure option.
2472 - Fix out-of-bounds null-byte write in sldns_bget_token_par while
2473 parsing type WKS, reported by Luis Merino from X41 D-Sec.
2474 - Updated sldns_bget_token_par fix for also space for the zero
2475 delimiter after the character. And update for more spare space.
2477 6 January 2020: George
2478 - Downgrade compat/getentropy_solaris.c to version 1.4 from OpenBSD.
2479 The dl_iterate_phdr() function introduced in newer versions raises
2480 compilation errors on solaris 10.
2481 - Changes to compat/getentropy_solaris.c for,
2482 ifdef stdint.h inclusion for older systems.
2483 ifdef sha2.h inclusion for older systems.
2485 6 January 2020: Wouter
2486 - Merge #135 from Florian Obser: Use passed in neg and key cache
2488 - Fix #140: Document slave not downloading new zonefile upon update.
2490 16 December 2019: George
2491 - Update mailing list URL.
2493 12 December 2019: Ralph
2494 - Master is 1.9.7 in development.
2495 - Fix typo to let serve-expired-ttl work with ub_ctx_set_option(), by
2498 10 December 2019: Wouter
2499 - Fix to make auth zone IXFR to fallback to AXFR if a single
2500 response RR is received over TCP with the SOA in it.
2502 6 December 2019: Wouter
2503 - Fix ipsecmod compile.
2504 - Fix Makefile.in for ipset module compile, from Adi Prasaja.
2505 - release-1.9.6 tag, which became the 1.9.6 release
2507 5 December 2019: Wouter
2508 - unbound-fuzzers.tar.bz2: three programs for fuzzing, that are 1:1
2509 replacements for unbound-fuzzme.c that gets created after applying
2510 the contrib/unbound-fuzzme.patch. They are contributed by
2511 Eric Sesterhenn from X41 D-Sec.
2514 4 December 2019: Wouter
2515 - Fix lock type for memory purify log lock deletion.
2516 - Fix testbound for alloccheck runs, memory purify and lock checks.
2517 - update contrib/fastrpz.patch to apply more cleanly.
2518 - Fix Make Test Fails when Configured With --enable-alloc-nonregional,
2519 reported by X41 D-Sec.
2521 3 December 2019: Wouter
2522 - Merge pull request #124 from rmetrich: Changed log lock
2523 from 'quick' to 'basic' because this is an I/O lock.
2524 - Fix text around serial arithmatic used for RRSIG times to refer
2525 to correct RFC number.
2526 - Fix Assert Causing DoS in synth_cname(),
2527 reported by X41 D-Sec.
2528 - Fix similar code in auth_zone synth cname to add the extra checks.
2529 - Fix Assert Causing DoS in dname_pkt_copy(),
2530 reported by X41 D-Sec.
2531 - Fix OOB Read in sldns_wire2str_dname_scan(),
2532 reported by X41 D-Sec.
2533 - Fix Out of Bounds Write in sldns_str2wire_str_buf(),
2534 reported by X41 D-Sec.
2535 - Fix Out of Bounds Write in sldns_b64_pton(),
2536 fixed by check in sldns_str2wire_int16_data_buf(),
2537 reported by X41 D-Sec.
2538 - Fix Insufficient Handling of Compressed Names in dname_pkt_copy(),
2539 reported by X41 D-Sec.
2540 - Fix Out of Bound Write Compressed Names in rdata_copy(),
2541 reported by X41 D-Sec.
2542 - Fix Hang in sldns_wire2str_pkt_scan(),
2543 reported by X41 D-Sec.
2544 This further lowers the max to 256.
2545 - Fix snprintf() supports the n-specifier,
2546 reported by X41 D-Sec.
2547 - Fix Bad Indentation, in dnscrypt.c,
2548 reported by X41 D-Sec.
2549 - Fix Client NONCE Generation used for Server NONCE,
2550 reported by X41 D-Sec.
2551 - Fix compile error in dnscrypt.
2552 - Fix _vfixed not Used, removed from sbuffer code,
2553 reported by X41 D-Sec.
2554 - Fix Hardcoded Constant, reported by X41 D-Sec.
2557 2 December 2019: Wouter
2558 - Merge pull request #122 from he32: In tcp_callback_writer(),
2559 don't disable time-out when changing to read.
2561 22 November 2019: George
2562 - Fix compiler warnings.
2564 22 November 2019: Wouter
2565 - Fix dname loop maximum, reported by Eric Sesterhenn from X41 D-Sec.
2566 - Add make distclean that removes everything configure produced,
2567 and make maintainer-clean that removes bison and flex output.
2569 20 November 2019: Wouter
2570 - Fix Out of Bounds Read in rrinternal_get_owner(),
2571 reported by X41 D-Sec.
2572 - Fix Race Condition in autr_tp_create(),
2573 reported by X41 D-Sec.
2574 - Fix Shared Memory World Writeable,
2575 reported by X41 D-Sec.
2576 - Adjust unbound-control to make stats_shm a read only operation.
2577 - Fix Weak Entropy Used For Nettle,
2578 reported by X41 D-Sec.
2579 - Fix Randomness Error not Handled Properly,
2580 reported by X41 D-Sec.
2581 - Fix Out-of-Bounds Read in dname_valid(),
2582 reported by X41 D-Sec.
2583 - Fix Config Injection in create_unbound_ad_servers.sh,
2584 reported by X41 D-Sec.
2585 - Fix Local Memory Leak in cachedb_init(),
2586 reported by X41 D-Sec.
2587 - Fix Integer Underflow in Regional Allocator,
2588 reported by X41 D-Sec.
2589 - Upgrade compat/getentropy_linux.c to version 1.46 from OpenBSD.
2590 - Synchronize compat/getentropy_win.c with version 1.5 from
2591 OpenBSD, no changes but makes the file, comments, identical.
2592 - Upgrade compat/getentropy_solaris.c to version 1.13 from OpenBSD.
2593 - Upgrade compat/getentropy_osx.c to version 1.12 from OpenBSD.
2594 - Changes to compat/getentropy files for,
2595 no link to openssl if using nettle, and hence config.h for
2596 HAVE_NETTLE variable.
2597 compat definition of MAP_ANON, for older systems.
2598 ifdef stdint.h inclusion for older systems.
2599 ifdef sha2.h inclusion for older systems.
2600 - Fixed Compat Code Diverging from Upstream, reported by X41 D-Sec.
2601 - Fix compile with --enable-alloc-checks, reported by X41 D-Sec.
2602 - Fix Terminating Quotes not Written, reported by X41 D-Sec.
2603 - Fix Useless memset() in validator, reported by X41 D-Sec.
2604 - Fix Unrequired Checks, reported by X41 D-Sec.
2605 - Fix Enum Name not Used, reported by X41 D-Sec.
2606 - Fix NULL Pointer Dereference via Control Port,
2607 reported by X41 D-Sec.
2608 - Fix Bad Randomness in Seed, reported by X41 D-Sec.
2609 - Fix python examples/calc.py for eval, reported by X41 D-Sec.
2610 - Fix comments for doxygen in dns64.
2612 19 November 2019: Wouter
2613 - Fix CVE-2019-18934, shell execution in ipsecmod.
2614 - 1.9.5 is 1.9.4 with bugfix, trunk is 1.9.6 in development.
2615 - Fix authzone printout buffer length check.
2616 - Fixes to please lint checks.
2617 - Fix Integer Overflow in Regional Allocator,
2618 reported by X41 D-Sec.
2619 - Fix Unchecked NULL Pointer in dns64_inform_super()
2620 and ipsecmod_new(), reported by X41 D-Sec.
2621 - Fix Out-of-bounds Read in rr_comment_dnskey(),
2622 reported by X41 D-Sec.
2623 - Fix Integer Overflows in Size Calculations,
2624 reported by X41 D-Sec.
2625 - Fix Integer Overflow to Buffer Overflow in
2626 sldns_str2wire_dname_buf_origin(), reported by X41 D-Sec.
2627 - Fix Out of Bounds Read in sldns_str2wire_dname(),
2628 reported by X41 D-Sec.
2629 - Fix Out of Bounds Write in sldns_bget_token_par(),
2630 reported by X41 D-Sec.
2632 18 November 2019: Wouter
2633 - In unbound-host use separate variable for get_option to please
2635 - update to bison output of 3.4.1 in code repository.
2636 - Provide a prototype for compat malloc to remove compile warning.
2637 - Portable grep usage for reuseport configure test.
2638 - Check return type of HMAC_Init_ex for openssl 0.9.8.
2639 - gitignore .source tempfile used for compatible make.
2641 13 November 2019: Wouter
2642 - iana portlist updated.
2643 - contrib/fastrpz.patch updated to apply for current code.
2644 - fixes for splint cleanliness, long vs int in SSL set_mode.
2646 11 November 2019: Wouter
2647 - Fix #109: check number of arguments for stdin-pipes in
2648 unbound-control and fail if too many arguments.
2649 - Merge #102 from jrtc27: Add getentropy emulation for FreeBSD.
2651 24 October 2019: Wouter
2652 - Fix #99: Memory leak in ub_ctx (event_base will never be freed).
2654 23 October 2019: George
2655 - Add new configure option `--enable-fully-static` to enable full static
2656 build if requested; in relation to #91.
2658 23 October 2019: Wouter
2659 - Merge #97: manpage: Add missing word on unbound.conf,
2662 22 October 2019: Wouter
2663 - drop-tld.diff: adds option drop-tld: yesno that drops 2 label
2664 queries, to stop random floods. Apply with
2665 patch -p1 < contrib/drop-tld.diff and compile.
2666 From Saksham Manchanda (Secure64). Please note that we think this
2667 will drop DNSKEY and DS lookups for tlds and hence break DNSSEC
2668 lookups for downstream clients.
2670 7 October 2019: Wouter
2671 - Add doxygen comments to unbound-anchor source address code, in #86.
2673 3 October 2019: Wouter
2674 - Merge #90 from vcunat: fix build with nettle-3.5.
2675 - Merge 1.9.4 release with fix for vulnerability CVE-2019-16866.
2676 - Continue with development of 1.9.5.
2677 - Merge #86 from psquarejho: Added -b source address option to
2678 smallapp/unbound-anchor.c, from Lukas Wunner.
2680 26 September 2019: Wouter
2681 - Merge #87 from hardfalcon: Fix contrib/unbound.service.in,
2682 Drop CAP_KILL, use + prefix for ExecReload= instead.
2684 25 September 2019: Wouter
2685 - The unbound.conf includes are sorted ascending, for include
2686 statements with a '*' from glob.
2688 23 September 2019: Wouter
2689 - Merge #85 for #84 from sam-lunt: Add kill capability to systemd
2690 service file to fix that systemctl reload fails.
2692 20 September 2019: Wouter
2693 - Merge #82 from hardfalcon: Downgrade CAP_NET_ADMIN to CAP_NET_RAW
2695 - Merge #81 from Maryse47: Consistently use /dev/urandom instead
2696 of /dev/random in scripts and docs.
2697 - Merge #83 from Maryse47: contrib/unbound.service.in: do not fork
2698 into the background.
2700 19 September 2019: Wouter
2701 - Fix #78: Memory leak in outside_network.c.
2702 - Merge pull request #76 from Maryse47: Improvements and fixes for
2703 systemd unbound.service.
2704 - oss-fuzz badge on README.md.
2705 - Fix fix for #78 to also free service callback struct.
2706 - Fix for oss-fuzz build warning.
2707 - Fix wrong response ttl for prepended short CNAME ttls, this would
2708 create a wrong zero_ttl response count with serve-expired enabled.
2709 - Merge #80 from stasic: Improve wording in man page.
2711 11 September 2019: Wouter
2712 - Use explicit bzero for wiping clear buffer of hash in cachedb,
2713 reported by Eric Sesterhenn from X41 D-Sec.
2715 9 September 2019: Wouter
2716 - Fix #72: configure --with-syslog-facility=LOCAL0-7 with default
2717 LOG_DAEMON (as before) can set the syslog facility that the server
2718 uses to log messages.
2720 4 September 2019: Wouter
2721 - Fix #71: fix openssl error squelch commit compilation error.
2723 3 September 2019: Wouter
2724 - squelch DNS over TLS errors 'ssl handshake failed crypto error'
2725 on low verbosity, they show on verbosity 3 (query details), because
2726 there is a high volume and the operator cannot do anything for the
2727 remote failure. Specifically filters the high volume errors.
2729 2 September 2019: Wouter
2730 - ipset module #28: log that an address is added, when verbosity high.
2731 - ipset: refactor long routine into three smaller ones.
2732 - updated Makefile dependencies.
2734 23 August 2019: Wouter
2735 - Fix contrib/fastrpz.patch asprintf return value checks.
2737 22 August 2019: Wouter
2738 - Fix that pkg-config is setup before --enable-systemd needs it.
2739 - 1.9.3rc2 release candidate tag. And this became the 1.9.3 release.
2740 Master is 1.9.4 in development.
2742 21 August 2019: Wouter
2743 - Fix log_dns_msg to log irrespective of minimal responses config.
2745 19 August 2019: Ralph
2746 - Document limitation of pidfile removal outside of chroot directory.
2748 16 August 2019: Wouter
2749 - Fix unittest valgrind false positive uninitialised value report,
2750 where if gcc 9.1.1 uses -O2 (but not -O1) then valgrind 3.15.0
2751 issues an uninitialised value for the token buffer at the str2wire.c
2752 rrinternal_get_owner() strcmp with the '@' value. Rewritten to use
2753 straight character comparisons removes the false positive. Also
2754 valgrinds --expensive-definedness-checks=yes can stop this false
2756 - Please doxygen's parser for "@" occurrence in doxygen comment.
2757 - Fixup contrib/fastrpz.patch
2758 - Remove warning about unknown cast-function-type warning pragma.
2760 15 August 2019: Wouter
2761 - iana portlist updated.
2762 - Fix autotrust temp file uniqueness windows compile.
2763 - avoid warning about upcast on 32bit systems for autotrust.
2764 - escape commandline contents for -V.
2765 - Fix character buffer size in ub_ctx_hosts.
2766 - 1.9.3rc1 release candidate tag.
2767 - Option -V prints if TCP fastopen is available.
2769 14 August 2019: George
2770 - Fix #59, when compiled with systemd support check that we can properly
2771 communicate with systemd through the `NOTIFY_SOCKET`.
2773 14 August 2019: Wouter
2774 - Generate configlexer with newer flex.
2775 - Fix warning for unused variable for compilation without systemd.
2777 12 August 2019: George
2778 - Introduce `-V` option to print the version number and build options.
2779 Previously reported build options like linked libs and linked modules
2780 are now moved from `-h` to `-V` as well for consistency.
2781 - PACKAGE_BUGREPORT now also includes link to GitHub issues.
2783 1 August 2019: Wouter
2784 - For #52 #53, second context does not close logfile override.
2785 - Fix #52 #53, fix for example fail program.
2786 - Fix to return after failed auth zone http chunk write.
2787 - Fix to remove unused test for task_probe existance.
2788 - Fix to timeval_add for remaining second in microseconds.
2789 - Check repinfo in worker_handle_request, if null, drop it.
2791 29 July 2019: Wouter
2792 - Add verbose log message when auth zone file is written, at level 4.
2793 - Add hex print of trust anchor pointer to trust anchor file temp
2794 name to make it unique, for libunbound created multiple contexts.
2796 23 July 2019: Wouter
2797 - Fix question section mismatch in local zone redirect.
2799 19 July 2019: Wouter
2800 - Fix #49: Set no renegotiation on the SSL context to stop client
2801 session renegotiation.
2803 12 July 2019: Wouter
2804 - Fix #48: Unbound returns additional records on NODATA response,
2805 if minimal-responses is enabled, also the additional for negative
2806 responses is removed.
2809 - Fix in respip addrtree selection. Absence of addr_tree_init_parents()
2810 call made it impossible to go up the tree when the matching netmask is
2814 - Fix for possible assertion failure when answering respip CNAME from
2817 25 June 2019: Wouter
2818 - For #45, check that 127.0.0.1 and ::1 are not used in unbound.conf
2819 when do-not-query-localhost is turned on, or at default on,
2820 unbound-checkconf prints a warning if it is found in forward-addr or
2821 stub-addr statements.
2823 24 June 2019: Wouter
2824 - Fix memleak in unit test, reported from the clang 8.0 static analyzer.
2826 18 June 2019: Wouter
2827 - PR #28: IPSet module, by Kevin Chou. Created a module to support
2828 the ipset that could add the domain's ip to a list easily.
2829 Needs libmnl, and --enable-ipset and config it, doc/README.ipset.md.
2830 - Fix to omit RRSIGs from addition to the ipset.
2831 - Fix to make unbound-control with ipset, remove unused variable,
2832 use unsigned type because of comparison, and assign null instead
2833 of compare with it. Remade lex and yacc output.
2835 - Added documentation to the ipset files (for doxygen output).
2836 - Merge PR #6: Python module: support multiple instances
2837 - Merge PR #5: Python module: define constant MODULE_RESTART_NEXT
2838 - Merge PR #4: Python module: assign something useful to the
2839 per-query data store 'qdata'
2840 - Fix python dict reference and double free in config.
2842 17 June 2019: Wouter
2843 - Master contains version 1.9.3 in development.
2844 - Fix #39: In libunbound, leftover logfile is close()d unpredictably.
2845 - Fix for #24: Fix abort due to scan of auth zone masters using old
2846 address from previous scan.
2848 12 June 2019: Wouter
2849 - Fix another spoolbuf storage code point, in prefetch.
2850 - 1.9.2rc3 release candidate tag. Which became the 1.9.2 release
2853 11 June 2019: Wouter
2854 - Fix that fixes the Fix that spoolbuf is not used to store tcp
2855 pipelined response between mesh send and callback end, this fixes
2856 error cases that did not use the correct spoolbuf.
2857 - 1.9.2rc2 release candidate tag.
2860 - 1.9.2rc1 release candidate tag.
2863 - iana portlist updated.
2866 - Fix to guard _OPENBSD_SOURCE from redefinition.
2869 - Fix to define _OPENBSD_SOURCE to get reallocarray on NetBSD.
2870 - gitignore config.h.in~.
2873 - Fix double file close in tcp pipelined response code.
2876 - Fix that spoolbuf is not used to store tcp pipelined response
2877 between mesh send and callback end.
2880 - Note that so-reuseport at extreme load is better turned off,
2881 otherwise queries are not distributed evenly, on Linux 4.4.x.
2884 - Fix #31: swig 4.0 and python module.
2887 - Squelch log messages from tcp send about connection reset by peer.
2888 They can be enabled with verbosity at higher values for diagnosing
2889 network connectivity issues.
2890 - Attempt to fix malformed tcp response.
2893 - Revert fix for oss-fuzz, error is in that build script that
2894 unconditionally includes .o files detected by configure, also
2895 when the machine architecture uses different LIBOBJS files.
2898 - Attempt to fix build failure in oss-fuzz because of reallocarray.
2899 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14648.
2900 Does not omit compile flags from commandline.
2903 - Fix edns-subnet locks, in error cases the lock was not unlocked.
2904 - Fix doxygen output error on readme markdown vignettes.
2907 - Fix #29: Solaris 11.3 and missing symbols be64toh, htobe64.
2908 - Fix #30: AddressSanitizer finding in lookup3.c. This sets the
2909 hash function to use a slower but better auditable code that does
2910 not read beyond array boundaries. This makes code better security
2911 checkable, and is better for security. It is fixed to be slower,
2912 but not read outside of the array.
2915 - contrib/fastrpz.patch updated for code changes, and with git diff.
2916 - Fix .gitignore, add pythonmod and dnstap generated files.
2917 And unit test generated files, and generated doc files.
2920 - Update makedist for git.
2921 - Nicer travis output for clang analysis.
2922 - PR #16: XoT support, AXFR over TLS, turn it on with
2923 master: <ip>#<authname> in unbound.conf. This uses TLS to
2924 download the AXFR (or IXFR).
2926 25 April 2019: Wouter
2927 - Fix wrong query name in local zone redirect answers with a CNAME,
2928 the copy of the local alias is in unpacked form.
2930 18 April 2019: Ralph
2931 - Scrub RRs from answer section when reusing NXDOMAIN message for
2933 - For harden-below-nxdomain: do not consider a name to be non-exitent
2934 when message contains a CNAME record.
2936 18 April 2019: Wouter
2937 - travis build file.
2939 16 April 2019: Wouter
2940 - Better braces in if statement in TCP fastopen code.
2941 - iana portlist updated.
2943 15 April 2019: Wouter
2944 - Fix tls write event for read state change to re-call SSL_write and
2945 not resume the TLS handshake.
2947 11 April 2019: George
2948 - Update python documentation for init_standard().
2951 11 April 2019: Wouter
2952 - Fix that auth zone uses correct network type for sockets for
2953 SOA serial probes. This fixes that probes fail because earlier
2954 probe addresses are unreachable.
2955 - Fix that auth zone fails over to next master for timeout in tcp.
2956 - Squelch SSL read and write connection reset by peer and broken pipe
2957 messages. Verbosity 2 and higher enables them.
2959 8 April 2019: Wouter
2960 - Fix to use event_assign with libevent for thread-safety.
2961 - verbose information about auth zone lookup process, also lookup
2962 start, timeout and fail.
2963 - Fix #17: Add python module example from Jan Janak, that is a
2964 plugin for the Unbound DNS resolver to resolve DNS records in
2965 multicast DNS [RFC 6762] via Avahi. The plugin communicates
2966 with Avahi via DBus. The comment section at the beginning of
2967 the file contains detailed documentation.
2968 - Fix to wipe ssl ticket keys from memory with explicit_bzero,
2971 5 April 2019: Wouter
2972 - Fix to reinit event structure for accepted TCP (and TLS) sockets.
2974 4 April 2019: Wouter
2975 - Fix spelling error in log output for event method.
2977 3 April 2019: Wouter
2978 - Move goto label in answer_from_cache to the end of the function
2979 where it is more visible.
2980 - Fix auth-zone NSEC3 response for wildcard nodata answers,
2981 include the closest encloser in the answer.
2983 2 April 2019: Wouter
2984 - Fix auth-zone NSEC3 response for empty nonterminals with exact
2985 match nsec3 records.
2986 - Fix for out of bounds integers, thanks to OSTIF audit. It is in
2987 allocation debug code.
2988 - Fix for auth zone nsec3 ent fix for wildcard nodata.
2990 25 March 2019: Wouter
2991 - Fix that tls-session-ticket-keys: "" on its own in unbound.conf
2992 disables the tls session ticker key calls into the OpenSSL API.
2993 - Fix crash if tls-servic-pem not filled in when necessary.
2995 21 March 2019: Wouter
2996 - Fix #4240: Fix whitespace cleanup in example.conf.
2998 19 March 2019: Wouter
2999 - add type CAA to libpyunbound (accessing libunbound from python).
3001 18 March 2019: Wouter
3002 - Add log message, at verbosity 4, that says the query is encrypted
3003 with TLS, if that is enabled for the query.
3004 - Fix #4239: set NOTIMPL when deny-any is enabled, for RFC8482.
3006 7 March 2019: Wouter
3007 - Fix for #4233: guard use of NDEBUG, so that it can be passed in
3008 CFLAGS into configure.
3010 5 March 2019: Wouter
3011 - Tag release 1.9.1rc1. Which became 1.9.1 on 12 March 2019. Trunk
3012 has 1.9.2 in development.
3014 1 March 2019: Wouter
3015 - output forwarder log in ssl_req_order test.
3017 28 February 2019: Wouter
3018 - Remove memory leak on pythonmod python2 script file init.
3019 - Remove swig gcc8 python function cast warnings, they are ignored.
3020 - Print correct module that failed when module-config is wrong.
3022 27 February 2019: Wouter
3023 - Fix #4229: Unbound man pages lack information, about access-control
3024 order and local zone tags, and elements in views.
3025 - Fix #14: contrib/unbound.init: Fix wrong comparison judgment
3027 - Fix for python module on Windows, fix fopen.
3029 25 February 2019: Wouter
3030 - Fix #4227: pair event del and add for libevent for tcp_req_info.
3032 21 February 2019: Wouter
3033 - Fix the error for unknown module in module-config is understandable,
3034 and explains it was not compiled in and where to see the list.
3035 - In example.conf explain where to put cachedb module in module-config.
3036 - In man page and example config explain that most modules have to
3037 be listed at the start of module-config.
3039 20 February 2019: Wouter
3040 - Fix pythonmod include and sockaddr_un ifdefs for compile on
3041 Windows, and for libunbound.
3043 18 February 2019: Wouter
3044 - Print query name with ip_ratelimit exceeded log lines.
3045 - Spaces instead of tabs in that log message.
3046 - Print query name and IP address when domain rate limit exceeded.
3048 14 February 2019: Wouter
3049 - Fix capsforid canonical sort qsort callback.
3051 11 February 2019: Wouter
3052 - Note default for module-config in man page.
3053 - Fix recursion lame test for qname minimisation asked queries,
3054 that were not present in the set of prepared answers.
3055 - Fix #13: Remove left-over requirements on OpenSSL >= 1.1.0 for
3056 cert name matching, from man page.
3057 - make depend, with newer gcc, nicer layout.
3059 7 February 2019: Wouter
3060 - Fix #4206: OpenSSL 1.0.2 hostname verification for FreeBSD 11.2.
3061 - Fix that qname minimisation does not skip a label when missing
3062 nameserver targets need to be fetched.
3063 - Fix #4225: clients seem to erroneously receive no answer with
3064 DNS-over-TLS and qname-minimisation.
3066 4 February 2019: Wouter
3067 - Fix that log-replies prints the correct name for local-alias
3068 names, for names that have a CNAME in local-data configuration.
3069 It logs the original query name, not the target of the CNAME.
3070 - Add local-zone type inform_redirect, which logs like type inform,
3071 and redirects like type redirect.
3072 - Perform canonical sort for 0x20 capsforid compare of replies,
3073 this sorts rrsets in the authority and additional section before
3074 comparison, so that out of order rrsets do not cause failure.
3076 31 January 2019: Wouter
3077 - Set ub_ctx_set_tls call signature in ltrace config file for
3078 libunbound in contrib/libunbound.so.conf.
3079 - improve documentation for tls-service-key and forward-first.
3080 - #10: fixed pkg-config operations, PKG_PROG_PKG_CONFIG moved out of
3081 conditional section, fixes systemd builds, from Enrico Scholz.
3082 - #9: For openssl 1.0.2 use the CRYPTO_THREADID locking callbacks,
3083 still supports the set_id_callback previous API. And for 1.1.0
3084 no locking callbacks are needed.
3085 - #8: Fix OpenSSL without ENGINE support compilation.
3086 - Wipe TLS session key data from memory on exit.
3088 30 January 2019: Ralph
3089 - Fix case in which query timeout can result in marking delegation
3092 29 January 2019: Wouter
3093 - Fix spelling of tls-ciphers in example.conf.in.
3094 - Fix #4224: auth_xfr_notify.rpl test broken due to typo
3095 - Fix locking for libunbound context setup with broken port config.
3097 28 January 2019: Wouter
3098 - ub_ctx_set_tls call for libunbound that enables DoT for the machines
3099 set with ub_ctx_set_fwd. Patch from Florian Obser.
3100 - Set build system for added call in the libunbound API.
3101 - List example config for root zone copy locally hosted with auth-zone
3102 as suggested from draft-ietf-dnsop-7706-bis-02. But with updated
3104 - set version to 1.9.0 for release. And this was released with the
3105 spelling for tls-ciphers fix as 1.9.0 on Feb 5. Trunk has 1.9.1 in
3108 25 January 2019: Wouter
3109 - Fix that tcp for auth zone and outgoing does not remove and
3110 then gets the ssl read again applied to the deleted commpoint.
3111 - updated contrib/fastrpz.patch to cleanly diff.
3112 - no lock when threads disabled in tcp request buffer count.
3113 - remove compile warnings from libnettle compile.
3114 - output of newer lex 2.6.1 and bison 3.0.5.
3116 24 January 2019: Wouter
3117 - Newer aclocal and libtoolize used for generating configure scripts,
3118 aclocal 1.16.1 and libtoolize 2.4.6.
3119 - Fix unit test for python 3.7 new keyword 'async'.
3120 - clang analysis fixes, assert arc4random buffer in init,
3121 no check for already checked delegation pointer in iterator,
3122 in testcode check for NULL packet matches, in perf do not copy
3123 from NULL start list when growing capacity. Adjust host and file
3124 only when present in test header read to please checker. In
3125 testcode for unknown macro operand give zero result. Initialise the
3126 passed argv array in test code. In test code add EDNS data
3127 segment copy only when nonempty.
3128 - Patch from Florian Obser fixes some compiler warnings:
3129 include mini_event.h to have a prototype for mini_ev_cmp
3130 include edns.h to have a prototype for apply_edns_options
3131 sldns_wire2str_edns_keepalive_print is only called in the wire2str,
3132 module declare it static to get rid of compiler warning:
3133 no previous prototype for function
3134 infra_find_ip_ratedata() is only called in the infra module,
3135 declare it static to get rid of compiler warning:
3136 no previous prototype for function
3137 do not shadow local variable buf in authzone
3138 auth_chunks_delete and az_nsec3_findnode are only called in the
3139 authzone module, declare them static to get rid of compiler warning:
3140 no previous prototype for function...
3141 copy_rrset() is only called in the respip module, declare it
3142 static to get rid of compiler warning:
3143 no previous prototype for function 'copy_rrset'
3144 no need for another variable "r"; gets rid of compiler warning:
3145 declaration shadows a local variable in libunbound.c
3146 no need for another variable "ns"; gets rid of compiler warning:
3147 declaration shadows a local variable in iterator.c
3148 - Moved includes and make depend.
3150 23 January 2019: Wouter
3151 - Patch from Manabu Sonoda with tls-ciphers and tls-ciphersuites
3152 options for unbound.conf.
3153 - Fixes for the patch, and man page entry.
3154 - Fix configure to detect SSL_CTX_set_ciphersuites, for better
3155 library compatibility when compiling.
3156 - Patch for TLS session resumption from Manabu Sonoda,
3157 enable with tls-session-ticket-keys in unbound.conf.
3158 - Fixes for patch (includes, declarations, warnings). Free at end
3159 and keep config options in order read from file to keep the first
3160 one as the first one.
3161 - Fix for IXFR fallback to reset counter when IXFR does not timeout.
3163 22 January 2019: Wouter
3164 - Fix space calculation for tcp req buffer size.
3165 - Doc for stream-wait-size and unit test.
3166 - unbound-control stats has mem.streamwait that counts TCP and TLS
3167 waiting result buffers.
3168 - Fix for #4219: secondaries not updated after serial change, unbound
3169 falls back to AXFR after IXFR gives several timeout failures.
3170 - Fix that auth zone after IXFR fallback tries the same master.
3172 21 January 2019: Wouter
3173 - Fix tcp idle timeout test, for difference in the tcp reply code.
3174 - Unit test for tcp request reorder and timeouts.
3175 - Unit tests for ssl out of order processing.
3176 - Fix that multiple dns fragments can be carried in one TLS frame.
3177 - Add stream-wait-size: 4m config option to limit the maximum
3178 memory used by waiting tcp and tls stream replies. This avoids
3179 a denial of service where these replies use up all of the memory.
3181 17 January 2019: Wouter
3182 - For caps-for-id fallback, use the whitelist to avoid timeout
3183 starting a fallback sequence for it.
3184 - increase mesh max activation count for capsforid long fetches.
3186 16 January 2019: Ralph
3187 - Get ready for the DNS flag day: remove EDNS lame procedure, do not
3188 re-query without EDNS after timeout.
3190 15 January 2019: Wouter
3191 - In the out of order processing, reset byte count for (potential)
3193 - Review fixes in out of order processing.
3195 14 January 2019: Wouter
3196 - streamtcp option -a send queries consecutively and prints answers
3198 - Fix for out of order processing administration quit cleanup.
3199 - unit test for tcp out of order processing.
3201 11 January 2019: Wouter
3202 - Initial commit for out-of-order processing for TCP and TLS.
3204 9 January 2019: Wouter
3205 - Log query name for looping module errors.
3207 8 January 2019: Wouter
3208 - Fix syntax in comment of local alias processing.
3209 - Fix NSEC3 record that is returned in wildcard replies from
3210 auth-zone zones with NSEC3 and wildcards.
3212 7 January 2019: Wouter
3213 - On FreeBSD warn if systcl settings do not allow server TCP FASTOPEN,
3214 and server tcp fastopen is enabled at compile time.
3215 - Document interaction between the tls-upstream option in the server
3216 section and forward-tls-upstream option in the forward-zone sections.
3217 - Add contrib/unbound-fuzzme.patch from Jacob Hoffman-Andrews,
3218 the patch adds a program used for fuzzing.
3220 12 December 2018: Wouter
3221 - Fix for crash in dns64 module if response is null.
3223 10 December 2018: Wouter
3224 - Fix config parser memory leaks.
3225 - ip-ratelimit-factor of 1 allows all traffic through, instead of the
3226 previous blocking everything.
3227 - Fix for FreeBSD port make with dnscrypt and dnstap enabled.
3228 - Fix #4206: support openssl 1.0.2 for TLS hostname verification,
3229 alongside the 1.1.0 and later support that is already there.
3230 - Fixup openssl 1.0.2 compile
3232 6 December 2018: Wouter
3233 - Fix dns64 allocation in wrong region for returned internal queries.
3235 3 December 2018: Wouter
3236 - Fix icon, no ragged edges and nicer resolutions available, for eg.
3237 Win 7 and Windows 10 display.
3238 - cache-max-ttl also defines upperbound of initial TTL in response.
3240 30 November 2018: Wouter
3241 - Patch for typo in unbound.conf man page.
3242 - log-tag-queryreply: yes in unbound.conf tags the log-queries and
3243 log-replies in the log file for easier log filter maintenance.
3245 29 November 2018: Wouter
3246 - iana portlist updated.
3247 - Fix chroot auth-zone fix to remove chroot prefix.
3248 - tag for 1.8.2rc1, which became 1.8.2 on 4 dec 2018, with icon
3249 updated. Trunk contains 1.8.3 in development.
3250 Which became 1.8.3 on 11 december with only the dns64 fix of 6 dec.
3251 Trunk then became 1.8.4 in development.
3252 - Fix that unbound-checkconf does not complains if the config file
3253 is not placed inside the chroot.
3254 - Refuse to start with no ports.
3255 - Remove clang analysis warnings.
3257 28 November 2018: Wouter
3258 - Fix leak in chroot fix for auth-zone.
3259 - Fix clang analysis for outside directory build test.
3261 27 November 2018: Wouter
3262 - Fix DNS64 to not store intermediate results in cache, this avoids
3263 other threads from picking up the wrong data. The module restores
3264 the previous no_cache_store setting when the the module is finished.
3265 - Fix #4208: 'stub-no-cache' and 'forward-no-cache' not work.
3266 - New and better fix for Fix #4193: Fix that prefetch failure does
3267 not overwrite valid cache entry with SERVFAIL.
3268 - auth-zone give SERVFAIL when expired, fallback activates when
3269 expired, and this is documented in the man page.
3270 - stat count SERVFAIL downstream auth-zone queries for expired zones.
3271 - Put new logos into windows installer.
3272 - Fix windows compile for new rrset roundrobin fix.
3273 - Update contrib fastrpz patch for latest release.
3275 26 November 2018: Wouter
3276 - Fix to not set GLOB_NOSORT so the unbound.conf include: files are
3277 sorted and in a predictable order.
3278 - Fix #4193: Fix that prefetch failure does not overwrite valid cache
3279 entry with SERVFAIL.
3280 - Add unbound-control view_local_datas command, like local_datas.
3281 - Fix that unbound-control can send file for view_local_datas.
3283 22 November 2018: Wouter
3284 - With ./configure --with-pyunbound --with-pythonmodule
3285 PYTHON_VERSION=3.6 or with 2.7 unbound can compile and unit tests
3286 succeed for the python module.
3287 - pythonmod logs the python error and traceback on failure.
3288 - ignore debug python module for test in doxygen output.
3289 - review fixes for python module.
3290 - Fix #4209: Crash in libunbound when called from getdns.
3291 - auth zone zonefiles can be in a chroot, the chroot directory
3292 components are removed before use.
3293 - Fix that empty zonefile means the zonefile is not set and not used.
3296 21 November 2018: Wouter
3297 - Scrub NS records from NODATA responses as well.
3299 20 November 2018: Wouter
3300 - Scrub NS records from NXDOMAIN responses to stop fragmentation
3301 poisoning of the cache.
3302 - Add patch from Jan Vcelak for pythonmod,
3303 add sockaddr_storage getters, add support for query callbacks,
3304 allow raw address access via comm_reply and update API documentation.
3305 - Removed compile warnings in pythonmod sockaddr routines.
3307 19 November 2018: Wouter
3308 - Support SO_REUSEPORT_LB in FreeBSD 12 with the so-reuseport: yes
3309 option in unbound.conf.
3311 6 November 2018: Ralph
3312 - Bugfix min-client-subnet-ipv6
3314 25 October 2018: Ralph
3315 - Add min-client-subnet-ipv6 and min-client-subnet-ipv4 options.
3317 25 October 2018: Wouter
3318 - Fix #4191: NXDOMAIN vs SERVFAIL during dns64 PTR query.
3319 - Fix #4190: Please create a "ANY" deny option, adds the option
3320 deny-any: yes in unbound.conf. This responds with an empty message
3321 to queries of type ANY.
3322 - Fix #4141: More randomness to rrset-roundrobin.
3323 - Fix #4132: Openness/closeness of RANGE intervals in rpl files.
3324 - Fix #4126: RTT_band too low on VSAT links with 600+ms latency,
3325 adds the option unknown-server-time-limit to unbound.conf that
3326 can be increased to avoid the problem.
3327 - remade makefile dependencies.
3328 - Fix #4152: Logs shows wrong time when using log-time-ascii: yes.
3330 24 October 2018: Ralph
3331 - Add markdel function to ECS slabhash.
3332 - Limit ECS scope returned to client to the scope used for caching.
3333 - Make lint like previous #4154 fix.
3335 22 October 2018: Wouter
3336 - Fix #4192: unbound-control-setup generates keys not readable by
3338 - check that the dnstap socket file can be opened and exists, print
3340 - Fix #4154: make ECS_MAX_TREESIZE configurable, with
3341 the max-ecs-tree-size-ipv4 and max-ecs-tree-size-ipv6 options.
3343 22 October 2018: Ralph
3344 - Change fast-server-num default to 3.
3346 8 October 2018: Ralph
3347 - Add fast-server-permil and fast-server-num options.
3348 - Deprecate low-rtt and low-rtt-permil options.
3350 8 October 2018: Wouter
3351 - Squelch log of failed to tcp initiate after TCP Fastopen failure.
3353 5 October 2018: Wouter
3354 - Squelch EADDRNOTAVAIL errors when the interface goes away,
3355 this omits 'can't assign requested address' errors unless
3356 verbosity is set to a high value.
3357 - Set default for so-reuseport to no for FreeBSD. It is enabled
3358 by default for Linux and DragonFlyBSD. The setting can
3359 be configured in unbound.conf to override the default.
3362 2 October 2018: Wouter
3363 - updated contrib/fastrpz.patch to apply for this version
3364 - dnscrypt.c removed sizeof to get array bounds.
3365 - Fix testlock code to set noreturn on error routine.
3366 - Remove unused variable from contrib fastrpz/rpz.c and
3367 remove unused diagnostic pragmas that themselves generate warnings
3368 - clang analyze test is used only when assertions are enabled.
3370 1 October 2018: Wouter
3371 - tag for release 1.8.1rc1. Became release 1.8.1 on 8 oct, with
3372 fastrpz.patch fix included. Trunk has 1.8.2 in development.
3374 27 September 2018: Wouter
3375 - Fix #4188: IPv6 forwarders without ipv6 result in SERVFAIL, fixes
3376 qname minimisation with a forwarder when connectivity has issues
3377 from rejecting responses.
3379 25 September 2018: Wouter
3380 - Perform TLS SNI indication of the host that is being contacted
3381 for DNS over TLS service. It sets the configured tls auth name.
3382 This is useful for hosts that apart from the DNS over TLS services
3383 also provide other (web) services.
3384 - Fix #4149: Add SSL cleanup for tcp timeout.
3386 17 September 2018: Wouter
3387 - Fix compile on Mac for unbound, provide explicit_bzero when libc
3389 - Fix unbound for openssl in FIPS mode, it uses the digests with
3390 the EVP call contexts.
3391 - Fix that with harden-below-nxdomain and qname minisation enabled
3392 some iterator states for nonresponsive domains can get into a
3393 state where they waited for an empty list.
3394 - Stop UDP to TCP failover after timeouts that causes the ping count
3395 to be reset by the TCP time measurement (that exists for TLS),
3396 because that causes the UDP part to not be measured as timeout.
3397 - Fix #4156: Fix systemd service manager state change notification.
3399 13 September 2018: Wouter
3400 - Fix seed for random backup code to use explicit zero when wiped.
3401 - exit log routine is annotated as noreturn function.
3402 - free memory leaks in config strlist and str2list insert functions.
3403 - do not move unused argv variable after getopt.
3404 - Remove unused if clause in testcode.
3405 - in testcode, free async ids, initialise array, and check for null
3406 pointer during test of the test. And use exit for return to note
3407 irregular program stop.
3408 - Free memory leak in config strlist append.
3409 - make sure nsec3 comparison salt is initialized.
3410 - unit test has clang analysis.
3411 - remove unused variable assignment from iterator scrub routine.
3412 - check for null in delegation point during iterator refetch
3414 - neater pointer cast in libunbound context quit routine.
3415 - initialize statistics totals for printout.
3416 - in authzone check that node exists before adding rrset.
3417 - in unbound-anchor, use readwrite memory BIO.
3418 - assertion in autotrust that packed rrset is formed correctly.
3419 - Fix memory leak when message parse fails partway through copy.
3420 - remove unused udpsize assignment in message encode.
3421 - nicer bio free code in unbound-anchor.
3422 - annotate exit functions with noreturn in unbound-control.
3424 11 September 2018: Wouter
3425 - Fixed unused return value warnings in contrib/fastrpz.patch for
3427 - Fix to squelch respip warning in unit test, it is printed at
3428 higher verbosity settings.
3429 - Fix spelling errors.
3430 - Fix initialisation in remote.c
3432 10 September 2018: Wouter
3433 - 1.8.1 in svn trunk. (changes from 4,5,.. sep apply).
3436 5 September 2018: Wouter
3437 - Fix spelling error in header, from getdns commit by Andreas Gelmini.
3439 4 September 2018: Ralph
3440 - More explicitly mention the type of ratelimit when applying
3443 4 September 2018: Wouter
3444 - Tag for 1.8.0rc1 release, became 1.8.0 release on 10 Sep 2018.
3446 31 August 2018: Wouter
3447 - Disable minimal-responses in subnet unit tests.
3449 30 August 2018: Wouter
3450 - Fix that a local-zone with a local-zone-type that is transparent
3451 in a view with view-first, makes queries check for answers from the
3452 local-zones defined outside of views.
3454 28 August 2018: Ralph
3455 - Disable minimal-responses in ipsecmod unit tests.
3456 - Added serve-expired-ttl and serve-expired-ttl-reset options.
3458 27 August 2018: Wouter
3459 - Set defaults to yes for a number of options to increase speed and
3460 resilience of the server. The so-reuseport, harden-below-nxdomain,
3461 and minimal-responses options are enabled by default. They used
3462 to be disabled by default, waiting to make sure they worked. They
3463 are enabled by default now, and can be disabled explicitly by
3464 setting them to "no" in the unbound.conf config file. The reuseport
3465 and minimal options increases speed of the server, and should be
3466 otherwise harmless. The harden-below-nxdomain option works well
3467 together with the recently default enabled qname minimisation, this
3468 causes more fetches to use information from the cache.
3469 - next release is called 1.8.0.
3470 - Fix lintflags for lint on FreeBSD.
3472 22 August 2018: George
3473 - #4140: Expose repinfo (comm_reply) to the inplace_callbacks. This
3474 gives access to reply information for the client's communication
3475 point when the callback is called before the mesh state (modules).
3476 Changes to C and Python's inplace_callback signatures were also
3479 21 August 2018: Wouter
3480 - log-local-actions: yes option for unbound.conf that logs all the
3481 local zone actions, a patch from Saksham Manchanda (Secure64).
3482 - #4146: num.query.subnet and num.query.subnet_cache counters.
3483 - Fix only misc failure from log-servfail when val-log-level is not
3486 17 August 2018: Ralph
3487 - Fix classification for QTYPE=CNAME queries when QNAME minimisation is
3490 17 August 2018: Wouter
3491 - Set libunbound to increase current, because the libunbound change
3492 to the event callback function signature. That needs programs,
3493 that use it, to recompile against the new header definition.
3494 - print servfail info to log as error.
3495 - added more servfail printout statements, to the iterator.
3496 - log-servfail: yes prints log lines that say why queries are
3497 returning SERVFAIL to clients.
3499 16 August 2018: Wouter
3500 - Fix warning on compile without threads.
3501 - Fix contrib/fastrpz.patch.
3503 15 August 2018: Wouter
3504 - Fix segfault in auth-zone read and reorder of RRSIGs.
3506 14 August 2018: Wouter
3507 - Fix that printout of error for cycle targets is a verbosity 4
3508 printout and does not wrongly print it is a memory error.
3509 - Upgraded crosscompile script to include libunbound DLL in the
3512 10 August 2018: Wouter
3513 - Fix #4144: dns64 module caches wrong (negative) information.
3515 9 August 2018: Wouter
3516 - unbound-checkconf checks if modules exist and prints if they are
3517 not compiled in the name of the wrong module.
3518 - document --enable-subnet in doc/README.
3519 - Patch for stub-no-cache and forward-no-cache options that disable
3520 caching for the contents of that stub or forward, for when you
3521 want immediate changes visible, from Bjoern A. Zeeb.
3523 7 August 2018: Ralph
3524 - Make capsforid fallback QNAME minimisation aware.
3526 7 August 2018: Wouter
3527 - Fix #4142: unbound.service.in: improvements and fixes.
3528 Add unit dependency ordering (based on systemd-resolved).
3529 Add 'CAP_SYS_RESOURCE' to 'CapabilityBoundingSet' (fixes warnings
3530 about missing privileges during startup). Add 'AF_INET6' to
3531 'RestrictAddressFamilies' (without it IPV6 can't work). From
3533 - Patch to implement tcp-connection-limit from Jim Hague (Sinodun).
3534 This limits the number of simultaneous TCP client connections
3535 from a nominated netblock.
3536 - make depend, yacc, lex, doc, headers. And log the limit exceeded
3537 message only on high verbosity, so as to not spam the logs when
3540 6 August 2018: Wouter
3541 - Fix for #4136: Fix to unconditionally call destroy in daemon.c.
3543 3 August 2018: George
3544 - Expose if a query (or a subquery) was ratelimited (not src IP
3545 ratelimiting) to libunbound under 'ub_result.was_ratelimited'.
3546 This also introduces a change to 'ub_event_callback_type' in
3547 libunbound/unbound-event.h.
3550 3 August 2018: Wouter
3551 - Revert previous change for #4136: because it introduces build
3553 - New fix for #4136: This one ignores lex without without
3556 1 August 2018: Wouter
3557 - Fix to remove systemd sockaddr function check, that is not
3558 always present. Make socket activation more lenient. But not
3559 different when socket activation is not used.
3560 - iana port list update.
3562 31 July 2018: Wouter
3563 - Patches from Jim Hague (Sinodun) for EDNS KeepAlive.
3564 - Sort out test runs when the build directory isn't the project
3566 - Add config tcp-idle-timeout (default 30s). This applies to
3567 client connections only; the timeout on TCP connections upstream
3569 - Error if EDNS Keepalive received over UDP.
3570 - Add edns-tcp-keepalive and edns-tcp-keepalive timeout options
3571 and implement option in client responses.
3572 - Correct and expand manual page entries for keepalive and idle timeout.
3573 - Implement progressive backoff of TCP idle/keepalive timeout.
3574 - Fix 'make depend' to work when build dir is not project root.
3575 - Add delay parameter to streamtcp, -d secs.
3576 To be used when testing idle timeout.
3577 - From Wouter: make depend, the dependencies in the patches did not
3578 apply cleanly. Also remade yacc and lex.
3579 - Fix mesh.c incompatible pointer pass.
3580 - Please doxygen so it passes.
3581 - Fix #4139: Fix unbound-host leaks memory on ANY.
3583 30 July 2018: Wouter
3584 - Fix #4136: insufficiency from mismatch of FLEX capability between
3585 released tarball and build host.
3587 27 July 2018: Wouter
3588 - Fix man page, say that chroot is enabled by default.
3590 26 July 2018: Wouter
3591 - Fix #4135: 64-bit Windows Installer Creates Entries Under The
3592 Wrong Registry Key, reported by Brian White.
3594 23 July 2018: Wouter
3595 - Fix use-systemd readiness signalling, only when use-systemd is yes
3596 and not in signal handler.
3598 20 July 2018: Wouter
3599 - Fix #4130: print text describing -dd and unbound-checkconf on
3600 config file read error at startup, the errors may have been moved
3601 away by the startup process.
3602 - Fix #4131: for solaris, error YY_CURRENT_BUFFER undeclared.
3604 19 July 2018: Wouter
3605 - Fix #4129 unbound-control error message with wrong cert permissions
3608 17 July 2018: Wouter
3609 - Fix #4127 unbound -h does not list -p help.
3610 - Print error if SSL name verification configured but not available
3612 - Fix that ratelimit and ip-ratelimit are applied after reload of
3613 changed config file.
3614 - Resize ratelimit and ip-ratelimit caches if changed on reload.
3616 16 July 2018: Wouter
3617 - Fix qname minimisation NXDOMAIN validation lookup failures causing
3618 error_supers assertion fails.
3619 - Squelch can't bind socket errors with Permission denied unless
3620 verbosity is 4 or higher, for UDP outgoing sockets.
3622 12 July 2018: Wouter
3623 - Fix to improve systemd socket activation code file descriptor
3625 - Fix for 4126 that the #define for UNKNOWN_SERVER_NICENESS can be more
3626 easily changed to adjust default rtt assumptions.
3628 10 July 2018: Wouter
3629 - Note in documentation that the cert name match code needs
3630 OpenSSL 1.1.0 or later to be enabled.
3633 - Fix documentation ambiguity for tls-win-cert in tls-upstream and
3634 forward-tls-upstream docs.
3636 - Note RFC8162 support. SMIMEA record type can be read in by the
3638 - Fix round robin for failed addresses with prefer-ip6: yes
3641 - Fix #4112: Fix that unbound-anchor -f /etc/resolv.conf will not pass
3642 if DNSSEC is not enabled. New option -R allows fallback from
3643 resolv.conf to direct queries.
3646 - Better documentation for unblock-lan-zones and insecure-lan-zones
3648 - Fix permission denied printed for auth zone probe random port nrs.
3651 - Fix checking for libhiredis printout in configure output.
3652 - Fix typo on man page in ip-address description.
3653 - Update libunbound/python/examples/dnssec_test.py example code to
3654 also set the 20326 trust anchor for the root in the example code.
3656 29 June 2018: Wouter
3657 - dns64-ignore-aaaa: config option to list domain names for which the
3658 existing AAAA is ignored and dns64 processing is used on the A
3661 28 June 2018: Wouter
3662 - num.queries.tls counter for queries over TLS.
3663 - log port number with err_addr logs.
3665 27 June 2018: Wouter
3666 - #4109: Fix that package config depends on python unconditionally.
3667 - Patch, do not export python from pkg-config, from Petr Menšík.
3669 26 June 2018: Wouter
3670 - Partial fix for permission denied on IPv6 address on FreeBSD.
3671 - Fix that auth-zone master reply with current SOA serial does not
3672 stop scan of masters for an updated zone.
3673 - Fix that auth-zone does not start the wait timer without checking
3674 if the wait timer has already been started.
3676 21 June 2018: Wouter
3677 - #4108: systemd reload hang fix.
3678 - Fix usage printout for unbound-host, hostname has to be last
3679 argument on BSDs and Windows.
3681 19 June 2018: Wouter
3682 - Fix for unbound-control on Windows and set TCP socket parameters
3684 This fix is part of 1.7.3.
3685 - Windows example service.conf edited with more windows specific
3687 - Fix windows unbound-control no cert bad file descriptor error.
3688 This fix is part of 1.7.3.
3690 18 June 2018: Wouter
3691 - Fix that control-use-cert: no works for 127.0.0.1 to disable certs.
3692 This fix is part of 1.7.3rc2.
3693 - Fix unbound-checkconf for control-use-cert.
3694 This fix is part of 1.7.3.
3696 15 June 2018: Wouter
3699 - unbound-control auth_zone_reload _zone_ option rereads the zonefile.
3700 - unbound-control auth_zone_transfer _zone_ option starts the probe
3701 sequence for a master to transfer the zone from and transfers when
3702 a new zone version is available.
3704 14 June 2018: Wouter
3705 - #4103: Fix that auth-zone does not insist on SOA record first in
3706 file for url downloads.
3707 - Fix that first control-interface determines if TLS is used. Warn
3708 when IP address interfaces are used without TLS.
3709 - Fix nettle compile.
3712 - Don't count CNAME response types received during qname minimisation as
3715 12 June 2018: Wouter
3716 - #4102 for NSD, but for Unbound. Named unix pipes do not use
3717 certificate and key files, access can be restricted with file and
3718 directory permissions. The option control-use-cert is no longer
3719 used, and ignored if found in unbound.conf.
3720 - Rename tls-additional-ports to tls-additional-port, because every
3722 - Fix buffer size warning in unit test.
3723 - remade dependencies in the Makefile.
3726 - Patch to fix openwrt for mac os build darwin detection in configure.
3729 - Fix crash if ratelimit taken into use with unbound-control
3730 instead of with unbound.conf.
3733 - Fix deadlock caused by incoming notify for auth-zone.
3734 - tag for 1.7.2rc1, became 1.7.2 release on 11 June 2018,
3735 trunk is 1.7.3 in development from this point.
3736 - #4100: Fix stub reprime when it becomes useless.
3739 - Rename additional-tls-port to tls-additional-ports.
3740 The older name is accepted for backwards compatibility.
3743 - Patch from Syzdek: Add ability to ignore RD bit and treat all
3744 requests as if the RD bit is set.
3747 - in compat/arc4random call getentropy_urandom when getentropy fails
3749 - Fix that fallback for windows port.
3752 - Fix windows tcp and tls spin on events.
3753 - Add routine from getdns to add windows cert store to the SSL_CTX.
3754 - tls-win-cert option that adds the system certificate store for
3755 authenticating DNS-over-TLS connections. It can be used instead
3756 of the tls-cert-bundle option, or with it to add certificates.
3759 - For TCP and TLS connections that don't establish, perform address
3760 update in infra cache, so future selections can exclude them.
3761 - Fix that tcp sticky events are removed for closed fd on windows.
3762 - Fix close events for tcp only.
3765 - Fix that libunbound can do DNS-over-TLS, when configured.
3766 - Fix that windows unbound service can use DNS-over-TLS.
3767 - unbound-host initializes ssl (for potential DNS-over-TLS usage
3768 inside libunbound), when ssl upstream or a cert-bundle is configured.
3771 - Use accept4 to speed up incoming TCP (and TLS) connections,
3772 available on Linux, FreeBSD and OpenBSD.
3775 - Qname minimisation default changed to yes.
3778 - Fix low-rtt-pct to low-rtt-permil, as it is parts in one thousand.
3781 - Fix contrib/libunbound.pc for libssl libcrypto references,
3782 from https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=226914
3785 - Fix windows to not have sticky TLS events for TCP.
3786 - Fix read of DNS over TLS length and data in one read call.
3787 - Fix mesh state assertion failure due to callback removal.
3790 - Fix that configure --with-libhiredis also turns on cachedb.
3791 - Fix gcc 8 buffer warning in testcode.
3792 - Fix function type cast warning in libunbound context callback type.
3795 - Fix fail to reject dead peers in forward-zone, with ssl-upstream.
3798 - Fix that unbound-control reload frees the rrset keys and returns
3799 the memory pages to the system.
3801 30 April 2018: Wouter
3802 - Fix spelling error in man page and note defaults as no instead of
3805 26 April 2018: Wouter
3806 - Fix for crash in daemon_cleanup with dnstap during reload,
3807 from Saksham Manchanda.
3808 - Also that for dnscrypt.
3809 - tag for 1.7.1rc1 release. Became 1.7.1 release on 3 May, trunk
3810 is from here 1.7.2 in development.
3812 25 April 2018: Ralph
3813 - Fix memory leak when caching wildcard records for aggressive NSEC use
3815 24 April 2018: Wouter
3816 - Fix contrib/fastrpz.patch for this release.
3817 - Fix auth https for libev.
3819 24 April 2018: Ralph
3820 - Added root-key-sentinel support
3822 23 April 2018: Wouter
3823 - makedist uses bz2 for expat code, instead of tar.gz.
3824 - Fix #4092: libunbound: use-caps-for-id lacks colon in
3826 - auth zone http download stores exact copy of downloaded file,
3827 including comments in the file.
3828 - Fix sldns parse failure for CDS alternate delete syntax empty hex.
3829 - Attempt for auth zone fix; add of callback in mesh gets from
3830 callback does not skip callback of result.
3831 - Fix cname classification with qname minimisation enabled.
3832 - list_auth_zones unbound-control command.
3834 20 April 2018: Wouter
3835 - man page documentation for dns-over-tls forward-addr '#' notation.
3836 - removed free from failed parse case.
3837 - Fix #4091: Fix that reload of auth-zone does not merge the zonefile
3838 with the previous contents.
3839 - Delete auth zone when removed from config.
3841 19 April 2018: Wouter
3842 - Can set tls authentication with forward-addr: IP#tls.auth.name
3843 And put the public cert bundle in tls-cert-bundle: "ca-bundle.pem".
3844 such as forward-addr: 9.9.9.9@853#dns.quad9.net or
3845 1.1.1.1@853#cloudflare-dns.com
3846 - Fix #658: unbound using TLS in a forwarding configuration does not
3847 verify the server's certificate (RFC 8310 support).
3848 - For addr with #authname and no @port notation, the default is 853.
3850 18 April 2018: Wouter
3851 - Fix auth-zone retry timer to be on schedule with retry timeout,
3852 with backoff. Also time a refresh at the zone expiry.
3854 17 April 2018: Wouter
3855 - auth zone notify work.
3856 - allow-notify: config statement for auth-zones.
3857 - unit test for allow-notify
3859 16 April 2018: Wouter
3860 - Fix auth zone target lookup iterator.
3861 - auth zone notify with prefix
3862 - auth zone notify work.
3864 13 April 2018: Wouter
3865 - Fix for max include depth for authzones.
3866 - Fix memory free on fail for $INCLUDE in authzone.
3867 - Fix that an internal error to look up the wrong rr type for
3868 auth zone gets stopped, before trying to send there.
3869 - auth zone notify work.
3871 10 April 2018: Ralph
3872 - num.query.aggressive.NOERROR and num.query.aggressive.NXDOMAIN
3873 statistics counters.
3875 10 April 2018: Wouter
3876 - documentation for low-rtt and low-rtt-pct.
3877 - auth zone notify work.
3879 9 April 2018: Wouter
3880 - Fix that flush_zone sets prefetch ttl expired, so that with
3881 serve-expired enabled it'll start prefetching those entries.
3882 - num.query.authzone.up and num.query.authzone.down statistics counters.
3883 - Fix downstream auth zone, only fallback when auth zone fails to
3884 answer and fallback is enabled.
3885 - Accept both option names with and without colon for get_option
3887 - low-rtt and low-rtt-pct in unbound.conf enable the server selection
3888 of fast servers for some percentage of the time.
3890 5 April 2018: Wouter
3891 - Combine write of tcp length and tcp query for dns over tls.
3892 - nitpick fixes in example.conf.
3893 - Fix above stub queries for type NS and useless delegation point.
3894 - Fix unbound-control over pipe with openssl 1.1.1, the TLSv1.3
3895 tls_choose_sigalg routine does not allow the ciphers for the pipe,
3899 3 April 2018: Wouter
3900 - Fix #4043: make test fails due to v6 presentation issue in macOS.
3901 - Fix unable to resolve after new WLAN connection, due to auth-zone
3902 failing with a forwarder set. Now, auth-zone is only used for
3903 answers (not referrals) when a forwarder is set.
3905 29 March 2018: Ralph
3906 - Check "result" in dup_all(), by Florian Obser.
3908 23 March 2018: Ralph
3909 - Fix unbound-control get_option aggressive-nsec
3911 21 March 2018: Ralph
3912 - Do not use cached NSEC records to generate negative answers for
3913 domains under DNSSEC Negative Trust Anchors.
3915 19 March 2018: Wouter
3918 16 March 2018: Wouter
3919 - corrected a minor typo in the changelog.
3920 - move htobe64/be64toh portability code to cachedb.c.
3922 15 March 2018: Wouter
3923 - Add --with-libhiredis, unbound support for a new cachedb backend
3924 that uses a Redis server as the storage. This implementation
3925 depends on the hiredis client library (https://redislabs.com/lp/hiredis/).
3926 And unbound should be built with both --enable-cachedb and
3927 --with-libhiredis[=PATH] (where $PATH/include/hiredis/hiredis.h
3928 should exist). Patch from Jinmei Tatuya (Infoblox).
3929 - Fix #3817: core dump happens in libunbound delete, when queued
3930 servfail hits deleted message queue.
3931 - Create additional tls service interfaces by opening them on other
3932 portnumbers and listing the portnumbers as additional-tls-port: nr.
3934 13 March 2018: Wouter
3935 - Fix typo in documentation.
3936 - Fix #3736: Fix 0 TTL domains stuck on SERVFAIL unless manually
3937 flushed with serve-expired on.
3939 12 March 2018: Wouter
3940 - Added documentation for aggressive-nsec: yes.
3941 - tag 1.7.0rc3. That became the 1.7.0 release on 15 Mar, trunk
3942 now has 1.7.1 in development.
3943 - Fix #3727: Protocol name is TLS, options have been renamed but
3944 documentation is not consistent.
3945 - Check IXFR start serial.
3947 9 March 2018: Wouter
3948 - Fix #3598: Fix swig build issue on rhel6 based system.
3949 configure --disable-swig-version-check stops the swig version check.
3951 8 March 2018: Wouter
3954 7 March 2018: Wouter
3955 - Fixed contrib/fastrpz.patch, even though this already applied
3956 cleanly for me, now also for others.
3957 - patch to log creates keytag queries, from A. Schulze.
3958 - patch suggested by Debian lintian: allow to -> allow one to, from
3960 - Attempt to remove warning about trailing whitespace.
3962 6 March 2018: Wouter
3963 - Reverted fix for #3512, this may not be the best way forward;
3964 although it could be changed at a later time, to stay similar to
3965 other implementations.
3966 - svn trunk contains 1.7.0, this is the number for the next release.
3967 - Fix for windows compile.
3970 5 March 2018: Wouter
3971 - Fix to check define of DSA for when openssl is without deprecated.
3973 - Fix #3582: Squelch address already in use log when reuseaddr option
3974 causes same port to be used twice for tcp connections.
3976 27 February 2018: Wouter
3977 - Fixup contrib/fastrpz.patch so that it applies.
3978 - Fix compile without threads, and remove unused variable.
3979 - Fix compile with staticexe and python module.
3980 - Fix nettle compile.
3982 22 February 2018: Ralph
3983 - Save wildcard RRset from answer with original owner for use in
3986 21 February 2018: Wouter
3987 - Fix #3512: unbound incorrectly reports SERVFAIL for CAA query
3988 when there is a CNAME loop.
3989 - Fix validation for CNAME loops. When it detects a cname loop,
3990 by finding the cname, cname in the existing list, it returns
3991 the partial result with the validation result up to then.
3992 - more robust cachedump rrset routine.
3994 19 February 2018: Wouter
3995 - Fix #3505: Documentation for default local zones references
3997 - Fix #3494: local-zone noview can be used to break out of the view
3998 to the global local zone contents, for queries for that zone.
3999 - Fix for more maintainable code in localzone.
4001 16 February 2018: Wouter
4002 - Fixes for clang static analyzer, the missing ; in
4003 edns-subnet/addrtree.c after the assert made clang analyzer
4004 produce a failure to analyze it.
4006 13 February 2018: Ralph
4007 - Aggressive NSEC tests
4009 13 February 2018: Wouter
4010 - tls-cert-bundle option in unbound.conf enables TLS authentication.
4013 12 February 2018: Wouter
4014 - Unit test for auth zone https url download.
4016 12 February 2018: Ralph
4017 - Added tests with wildcard expanded NSEC records (CVE-2017-15105 test)
4018 - Processed aggressive NSEC code review remarks Wouter
4020 8 February 2018: Ralph
4021 - Aggressive use of NSEC implementation. Use cached NSEC records to
4022 generate NXDOMAIN, NODATA and positive wildcard answers.
4024 8 February 2018: Wouter
4026 - auth zone url config.
4028 5 February 2018: Wouter
4029 - Fix #3451: dnstap not building when you have a separate build dir.
4030 And removed protoc warning, set dnstap.proto syntax to proto2.
4031 - auth-zone provides a way to configure RFC7706 from unbound.conf,
4032 eg. with auth-zone: name: "." for-downstream: no for-upstream: yes
4033 fallback-enabled: yes and masters or a zonefile with data.
4035 2 February 2018: Wouter
4036 - Fix unfreed locks in log and arc4random at exit of unbound.
4037 - unit test with valgrind
4038 - Fix lock race condition in dns cache dname synthesis.
4039 - lock subnet new item before insertion to please checklocks,
4040 no modification of critical regions outside of lock region.
4042 1 February 2018: Wouter
4043 - fix unaligned structure making a false positive in checklock
4046 29 January 2018: Ralph
4047 - Use NSEC with longest ce to prove wildcard absence.
4048 - Only use *.ce to prove wildcard absence, no longer names.
4050 25 January 2018: Wouter
4051 - ltrace.conf file for libunbound in contrib.
4053 23 January 2018: Wouter
4054 - Fix that unbound-checkconf -f flag works with auto-trust-anchor-file
4055 for startup scripts to get the full pathname(s) of anchor file(s).
4056 - Print fatal errors about remote control setup before log init,
4057 so that it is printed to console.
4059 22 January 2018: Wouter
4060 - Accept tls-upstream in unbound.conf, the ssl-upstream keyword is
4061 also recognized and means the same. Also for tls-port,
4062 tls-service-key, tls-service-pem, stub-tls-upstream and
4063 forward-tls-upstream.
4064 - Fix #3397: Fix that cachedb could return a partial CNAME chain.
4065 - Fix #3397: Fix that when the cache contains an unsigned DNAME in
4066 the middle of a cname chain, a result without the DNAME could
4069 19 January 2018: Wouter
4070 - tag 1.6.8 for release with CVE fix.
4071 - trunk has 1.6.9 with fix and previous commits.
4072 - patch for CVE-2017-15105: vulnerability in the processing of
4073 wildcard synthesized NSEC records.
4075 - make depend: code dependencies updated in Makefile.
4077 4 January 2018: Ralph
4078 - Copy query and correctly set flags on REFUSED answers when cache
4079 snooping is not allowed.
4081 3 January 2018: Ralph
4082 - Fix queries being leaked above stub when refetching glue.
4084 2 January 2017: Wouter
4085 - Fix that DS queries with referral replies are answered straight
4086 away, without a repeat query picking the DS from cache.
4087 The correct reply should have been an answer, the reply is fixed
4088 by the scrubber to have the answer in the answer section.
4089 - Remove clang optimizer disable,
4090 Fix that expiration date checks don't fail with clang -O2.
4092 15 December 2017: Wouter
4093 - Fix timestamp failure because of clang optimizer failure, by
4094 disabling -O2 when the compiler --version is clang.
4096 - Also disable -flto for clang, to make incep-expi signature check
4099 12 December 2017: Ralph
4100 - Fix qname-minimisation documentation (A QTYPE, not NS)
4102 12 December 2017: Wouter
4103 - authzone work, transfer connect.
4105 7 December 2017: Ralph
4106 - Check whether --with-libunbound-only is set when using --with-nettle
4109 4 December 2017: Wouter
4110 - Fix link failure on OmniOS.
4112 1 December 2017: Wouter
4115 30 November 2017: Wouter
4116 - Fix #3299 - forward CNAME daisy chain is not working
4118 14 November 2017: Wouter
4119 - Fix #2882: Unbound behaviour changes (wrong) when domain-insecure is
4120 set for stub zone. It no longer searches for DNSSEC information.
4121 - auth xfer work on probe timer and lookup.
4123 13 November 2017: Wouter
4124 - Fix #2801: Install libunbound.pc.
4125 - Fix qname minimisation to send AAAA queries at zonecut like type A.
4126 - reverted AAAA change.
4128 7 November 2017: Wouter
4129 - Fix #2492: Documentation libunbound.
4131 3 November 2017: Wouter
4132 - Fix #2362: TLS1.3/openssl-1.1.1 not working.
4133 - Fix #2034 - Autoconf and -flto.
4134 - Fix #2141 - for libsodium detect lack of entropy in chroot, print
4137 2 November 2017: Wouter
4138 - Fix #1913: ub_ctx_config is under circumstances thread-safe.
4139 - make ip-transparent option work on OpenBSD.
4141 31 October 2017: Wouter
4142 - Document that errno is left informative on libunbound config read
4147 25 October 2017: Ralph
4148 - Fixed libunbound manual typo.
4149 - Fix #1949: [dnscrypt] make provider name mismatch more obvious.
4150 - Fix #2031: Double included headers
4152 24 October 2017: Ralph
4153 - Update B root ipv4 address.
4155 19 October 2017: Wouter
4156 - authzone work, probe timer setup.
4158 18 October 2017: Wouter
4159 - lint for recent authzone commit.
4161 17 October 2017: Wouter
4162 - Fix #1749: With harden-referral-path: performance drops, due to
4163 circular dependency in NS and DS lookups.
4164 - [dnscrypt] prevent dnscrypt-secret-key, dnscrypt-provider-cert
4166 - [dnscrypt] introduce dnscrypt-provider-cert-rotated option,
4168 This option allows handling multiple cert/key pairs while only
4169 distributing some of them.
4170 In order to reliably match a client magic with a given key without
4171 strong assumption as to how those were generated, we need both key and
4172 cert. Likewise, in order to know which ES version should be used.
4173 On the other hand, when rotating a cert, it can be desirable to only
4174 serve the new cert but still be able to handle clients that are still
4175 using the old certs's public key.
4176 The `dnscrypt-provider-cert-rotated` allow to instruct unbound to not
4177 publish the cert as part of the DNS's provider_name's TXT answer.
4178 - Better documentation for cache-max-negative-ttl.
4179 - Work on local root zone code.
4181 10 October 2017: Wouter
4183 - trunk has version 1.6.8.
4185 6 October 2017: Wouter
4186 - Fix spelling in unbound-control man page.
4188 5 October 2017: Wouter
4189 - Fix trust-anchor-signaling works in libunbound.
4190 - Fix some more crpls in testdata for different signaling default.
4193 5 October 2017: Ralph
4194 - Set trust-anchor-signaling default to yes
4195 - Use RCODE from A query on DNS64 synthesized answer.
4197 2 October 2017: Wouter
4198 - Fix param unused warning for windows exportsymbol compile.
4200 25 September 2017: Ralph
4201 - Fix #1450: Generate again patch contrib/aaaa-filter-iterator.patch
4202 (by Danilo G. Baio).
4204 21 September 2017: Ralph
4205 - Log name of looping module
4207 19 September 2017: Wouter
4208 - use a cachedb answer even if it's "expired" when serve-expired is yes
4209 (patch from Jinmei Tatuya).
4210 - trigger refetching of the answer in that case (this will bypass
4212 - allow storing a 0-TTL answer from cachedb in the in-memory message
4213 cache when serve-expired is yes
4214 - Fix DNSCACHE_STORE_ZEROTTL to be bigger than 0xffff.
4216 18 September 2017: Ralph
4217 - Fix #1400: allowing use of global cache on ECS-forwarding unless
4220 18 September 2017: Wouter
4221 - tag 1.6.6 (is 1.6.6rc2)
4222 - Fix that looping modules always stop the query, and don't pass
4224 - Fix #1435: Please allow UDP to be disabled separately upstream and
4226 - Fix #1440: [dnscrypt] client nonce cache.
4228 15 September 2017: Wouter
4229 - Fix unbound-host to report error for DNSSEC state of failed lookups.
4230 - Spelling fixes, from Josh Soref.
4232 13 September 2017: Wouter
4233 - tag 1.6.6rc2, became 1.6.6 on 18 sep. trunk 1.6.7 in development.
4235 12 September 2017: Wouter
4236 - Add dns64 for client-subnet in unbound-checkconf.
4238 4 September 2017: Ralph
4239 - Fix #1412: QNAME minimisation strict mode not honored
4240 - Fix #1434: Fix windows openssl 1.1.0 linking.
4242 4 September 2017: Wouter
4244 - makedist fix for windows binaries, with openssl 1.1.0 windres fix,
4245 and expat 2.2.4 install target fix.
4247 1 September 2017: Wouter
4248 - Recommend 1472 buffer size in unbound.conf
4250 31 August 2017: Wouter
4251 - Fix #1424: cachedb:testframe is not thread safe.
4252 - For #1417: escape ; in dnscrypt tests.
4253 - but reverted that, tests fails with that escape.
4254 - Fix #1417: [dnscrypt] shared secret cache counters, and works when
4255 dnscrypt is not enabled. And cache size configuration option.
4257 - Fix #1418: [ip ratelimit] initialize slabhash using
4260 30 August 2017: Wouter
4261 - updated contrib/fastrpz.patch to apply with configparser changes.
4262 - Fix 1416: qname-minimisation breaks TLSA lookups with CNAMEs.
4264 29 August 2017: Wouter
4265 - Fix #1414: fix segfault on parse failure and log_replies.
4266 - zero qinfo in handle_request, this zeroes local_alias and also the
4268 - new keys and certs for dnscrypt tests.
4269 - fixup WKS test on buildhost without servicebyname.
4271 28 August 2017: Wouter
4272 - Fix #1415: patch to free dnscrypt environment on reload.
4273 - iana portlist update
4274 - Fix #1415: [dnscrypt] shared secret cache, patch from
4276 - Small fixes for the shared secret cache patch.
4277 - Fix WKS records on kvm autobuild host, with default protobyname
4278 entries for udp and tcp.
4280 23 August 2017: Wouter
4281 - Fix #1407: Add ECS options check to unbound-checkconf.
4283 - Fix to reclaim tcp handler when it is closed due to dnscrypt buffer
4286 22 August 2017: Wouter
4287 - Fix install of trust anchor when two anchors are present, makes both
4288 valid. Checks hash of DS but not signature of new key. This fixes
4289 the root.key file if created when unbound is installed between
4290 sep11 and oct11 2017.
4291 - tag 1.6.5 with pointrelease 1.6.5 (1.6.4 plus 5011 fix).
4292 - trunk version 1.6.6 in development.
4293 - Fix issue on macOX 10.10 where TCP fast open is detected but not
4294 implemented causing TCP to fail. The fix allows fallback to regular
4295 TCP in this case and is also more robust for cases where connectx()
4296 fails for some reason.
4297 - Fix #1402: squelch invalid argument error for fd_set_block on windows.
4299 10 August 2017: Wouter
4300 - Patch to show DNSCrypt status in help output, from Carsten
4303 8 August 2017: Wouter
4304 - Fix #1398: make cachedb secret configurable.
4305 - Remove spaces from Makefile.
4307 7 August 2017: Wouter
4308 - Fix #1397: Recursive DS lookups for AS112 zones names should recurse.
4310 3 August 2017: Ralph
4311 - Remove unused iter_env member (ip6arpa_dname)
4312 - Do not reset rrset.bogus stats when called using stats_noreset.
4313 - Added stats for queries that have been ratelimited by domain
4315 - Do not add rrset_bogus and query ratelimiting stats per thread, these
4316 module stats are global.
4318 3 August 2017: Wouter
4319 - Fix #1394: mix of serve-expired and response-ip could cause a crash.
4321 24 July 2017: Wouter
4322 - upgrade aclocal(pkg.m4 0.29.1), config.guess(2016-10-02),
4323 config.sub(2016-09-05).
4324 - annotate case statement fallthrough for gcc 7.1.1.
4325 - flex output from flex 2.6.1.
4326 - snprintf of thread number does not warn about truncated string.
4327 - squelch TCP fast open error on FreeBSD when kernel has it disabled,
4328 unless verbosity is high.
4329 - remove warning from windows compile.
4330 - Fix compile with libnettle
4331 - Fix DSA configure switch (--disable dsa) for libnettle and libnss.
4332 - Fix #1365: Add Ed25519 support using libnettle.
4333 - iana portlist update
4335 17 July 2017: Wouter
4336 - Fix #1350: make cachedb backend configurable (from JINMEI Tatuya).
4337 - Fix #1349: allow suppression of pidfiles (from Daniel Kahn Gillmor).
4338 With the -p option unbound does not create a pidfile.
4340 11 July 2017: Wouter
4341 - Fix #1344: RFC6761-reserved domains: test. and invalid.
4342 - Redirect all localhost names to localhost address for RFC6761.
4345 - Fix tests to use .tdir (from Manu Bretelle) instead of .tpkg.
4346 - Fix svn hooks for tdir (selected if testcode/mini_tdir.sh exists)..
4349 - Fix 1332: Bump verbosity of failed chown'ing of the control socket.
4352 - Fix for unbound-checkconf, check ipsecmod-hook if ipsecmod is turned
4354 - Fix #1331: libunbound segfault in threaded mode when context is
4356 - Fix pythonmod link line option flag.
4357 - Fix openssl 1.1.0 load of ssl error strings from ssl init.
4359 29 June 2017: Wouter
4360 - Fix python example0 return module wait instead of error for pass.
4361 - iana portlist update
4362 - enhancement for hardened-tls for DNS over TLS. Removed duplicated
4365 27 June 2017: Wouter
4366 - Tag 1.6.4 is created with the 1.6.4rc2 contents.
4367 - Trunk contains 1.6.5, with changes from 26, 27 june.
4368 - Remove signed unsigned warning from authzone.
4369 - Fix that infra cache host hash does not change after reconfig.
4371 26 June 2017: Wouter
4373 Better fixup of dnscrypt_cert_chacha test for different escapes.
4374 - First fix for zero b64 and hex text zone format in sldns.
4375 - unbound-control dump_infra prints port number for address if not 53.
4377 23 June 2017: Wouter
4378 - (for 1.6.5): fixup of dnscrypt_cert_chacha test (from Manu Bretelle).
4380 22 June 2017: Wouter
4384 - Added fastrpz patch to contrib
4386 21 June 2017: Wouter
4387 - Fix #1316: heap read buffer overflow in parse_edns_options.
4389 20 June 2017: Wouter
4390 - Fix warning in pythonmod under clang compiler.
4395 - Fix #1277: disable domain ratelimit by setting value to 0.
4397 16 June 2017: Wouter
4398 - Fix #1301: memory leak in respip and tests.
4399 - Free callback in edns-subnetmod on exit and restart.
4400 - Fix memory leak in sldns_buffer_new_frm_data.
4401 - Fix memory leak in dnscrypt config read.
4402 - Fix dnscrypt chacha cert support ifdefs.
4403 - Fix dnscrypt chacha cert unit test escapes in grep.
4404 - Remove asynclook tests that cause test and purifier problems.
4405 - Fix to unlock view in view test.
4407 15 June 2017: Wouter
4408 - Fix stub zone queries leaking to the internet for
4409 harden-referral-path ns checks.
4410 - Fix query for refetch_glue of stub leaking to internet.
4412 13 June 2017: Wouter
4413 - Fix #1279: Memory leak on reload when python module is enabled.
4414 - Fix #1280: Unbound fails assert when response from authoritative
4415 contains malformed qname. When 0x20 caps-for-id is enabled, when
4416 assertions are not enabled the malformed qname is handled correctly.
4417 - 1.6.3 tag created, with only #1280 fix, trunk is 1.6.4 development.
4418 - More fixes in depth for buffer checks in 0x20 qname checks.
4420 12 June 2017: Wouter
4421 - Fix #1278: Incomplete wildcard proof.
4424 - Added domain name based ECS whitelist.
4427 - Detect chacha for dnscrypt at configure time.
4428 - dnscrypt unit tests with chacha.
4431 - Fix that unbound-control can set val_clean_additional and val_permissive_mode.
4432 - Add dnscrypt XChaCha20 tests.
4435 - Add an explicit type cast for TCP FASTOPEN fix.
4436 - renumbering B-Root's IPv6 address to 2001:500:200::b.
4437 - Fix #1275: cached data in cachedb is never used.
4438 - Fix #1276: [dnscrypt] add XChaCha20-Poly1305 cipher.
4441 - Fix #1274: automatically trim chroot path from dnscrypt key/cert paths
4442 (from Manu Bretelle).
4445 - Fix fastopen EPIPE fallthrough to perform connect.
4448 - Also use global local-zones when there is a matching view that does
4449 not have any local-zone specified.
4452 - Fix #1273: cachedb.c doesn't compile with -Wextra.
4453 - If MSG_FASTOPEN gives EPIPE fallthrough to try normal tcp write.
4456 - Fix #1269: inconsistent use of built-in local zones with views.
4457 - Add defaults for new local-zone trees added to views using
4461 - Support for openssl EVP_DigestVerify.
4462 - Support for the ED25519 algorithm with openssl (from openssl 1.1.1).
4465 - Fix assertion for low buffer size and big edns payload when worker
4469 - Added redirect-bogus.patch to contrib directory.
4472 - Fix #1270: unitauth.c doesn't compile with higher warning level
4474 - exec_prefix is by default equal to prefix.
4475 - printout localzone for duplicate local-zone warnings.
4478 - authzone cname chain, no rrset duplicates, wildcard doesn't change
4479 rrsets added for cname chain.
4482 - first services/authzone check in, it compiles and reads and writes
4484 - iana portlist update
4487 - Fix #1268: SIGSEGV after log_reopen.
4490 - Fix #1265 to use /bin/kill.
4491 - Fix #1267: Libunbound validator/val_secalgo.c uses obsolete APIs,
4492 and compatibility with BoringSSL.
4495 - Fix #1265: contrib/unbound.service contains hardcoded path.
4498 - Use qstate's region for IPSECKEY rrset (ipsecmod).
4501 - Implemented opportunistic IPsec support module (ipsecmod).
4502 - Some whitespace fixup.
4505 - updated dependencies in the makefile.
4506 - document trust-anchor-signaling in example config file.
4507 - updated configure, dependencies and flex output.
4508 - better module memory lookup, fix of unbound-control shm names for
4509 module memory printout of statistics.
4510 - Fix type AVC sldns rrdef.
4513 - Adjust servfail by iterator to not store in cache when serve-expired
4514 is enabled, to avoid overwriting useful information there.
4515 - Fix queries for nameservers under a stub leaking to the internet.
4518 - Add 'c' to getopt() in testbound.
4519 - iana portlist update
4522 - Fix tcp-mss failure printout text.
4523 - Set SO_REUSEADDR on outgoing tcp connections to fix the bind before
4524 connect limited tcp connections. With the option tcp connections
4525 can share the same source port (for different destinations).
4528 - Added mesh_add_sub to add detached mesh entries.
4529 - Use mesh_add_sub for key tag signaling query.
4532 - Added test for leak of stub information.
4533 - Fix sldns wire2str printout of RR type CAA tags.
4534 - Fix sldns int16_data parse.
4535 - Fix sldns parse and printout of TSIG RRs.
4536 - sldns SMIMEA and AVC definitions, same as getdns definitions.
4539 - Fix #1259: "--disable-ecdsa" argument overwritten
4540 by "#ifdef SHA256_DIGEST_LENGTH@daemon/remote.c".
4541 - iana portlist update
4542 - Fix #1258: Windows 10 X64 unbound 1.6.2 service will not start.
4543 and fix that 64bit getting installed in C:\Program Files (x86).
4545 26 April 2017: Ralph
4546 - Implemented trust anchor signaling using key tag query.
4548 26 April 2017: Wouter
4549 - Based on #1257: check parse limit before t increment in sldns RR
4550 string parse routine.
4552 24 April 2017: Wouter
4553 - unbound-checkconf -o allows query of dnstap config variables.
4554 Also unbound-control get_option. Also for dnscrypt.
4555 - trunk contains 1.6.3 version number (changes from 1.6.2 back from
4556 when the 1.6.2rc1 tag has been created).
4558 21 April 2017: Ralph
4559 - Fix #1254: clarify ratelimit-{for,below}-domain (from Manu Bretelle).
4560 - iana portlist update
4562 18 April 2017: Ralph
4563 - Fix #1252: more indentation inconsistencies.
4564 - Fix #1253: unused variable in edns-subnet/addrtree.c:getbit().
4566 13 April 2017: Ralph
4567 - Added ECS unit test (from Manu Bretelle).
4568 - ECS documentation fix (from Manu Bretelle).
4570 13 April 2017: Wouter
4571 - Fix #1250: inconsistent indentation in services/listen_dnsport.c.
4573 - (for 1.6.3:) unbound.h exports the shm stats structures. They use
4574 type long long and no ifdefs, and ub_ before the typenames.
4576 12 April 2017: Wouter
4577 - subnet mem value is available in shm, also when not enabled,
4578 to make the struct easier to memmap by other applications,
4579 independent of the configuration of unbound.
4581 12 April 2017: Ralph
4582 - Fix #1247: unbound does not shorten source prefix length when
4584 - Properly check for allocation failure in local_data_find_tag_datas.
4585 - Fix #1249: unbound doesn't return FORMERR to bogus ECS.
4586 - Set SHM ECS memory usage to 0 when module not loaded.
4588 11 April 2017: Ralph
4589 - Display ECS module memory usage.
4591 10 April 2017: Wouter
4592 - harden-algo-downgrade: no also makes unbound more lenient about
4593 digest algorithms in DS records.
4595 10 April 2017: Ralph
4596 - Remove ECS option after REFUSED answer.
4597 - Fix small memory leak in edns_opt_copy_alloc.
4598 - Respip dereference after NULL check.
4599 - Zero initialize addrtree allocation.
4600 - Use correct identifier for SHM destroy.
4602 7 April 2017: George
4603 - Fix pythonmod for cb changes.
4604 - Some whitespace fixup.
4607 - Unlock view in respip unit test
4610 - Generalise inplace callback (de)registration
4611 - (de)register inplace callbacks for module id
4612 - No unbound-control set_option for ECS options
4613 - Deprecated client-subnet-opcode config option
4614 - Introduced client-subnet-always-forward config option
4615 - Changed max-client-subnet-ipv6 default to 56 (as in RFC)
4616 - Removed extern ECS config options
4617 - module_restart_next now calls clear on all following modules
4618 - Also create ECS module qstate on module_event_pass event
4619 - remove malloc from inplace_cb_register
4621 6 April 2017: Wouter
4622 - Small fixup for documentation.
4623 - iana portlist update
4624 - Fix respip for braces when locks arent used.
4625 - Fix pythonmod for cb changes.
4627 4 April 2017: Wouter
4628 - Fix #1244: document that use of chroot requires trust anchor file to
4630 - iana portlist update
4633 - Do not add current time twice to TTL before ECS cache store.
4634 - Do not touch rrset cache after ECS cache message generation.
4635 - Use LDNS_EDNS_CLIENT_SUBNET as default ECS opcode.
4637 3 April 2017: Wouter
4638 - Fix #1217: Add metrics to unbound-control interface showing
4639 crypted, cert request, plaintext and malformed queries (from
4641 - iana portlist update
4643 27 March 2017: Wouter
4644 - Remove (now unused) event2 include from dnscrypt code.
4646 24 March 2017: George
4647 - Fix to prevent non-referal query from being cached as referal when the
4648 no_cache_store flag was set.
4650 23 March 2017: Wouter
4651 - Fix #1239: configure fails to find python distutils if python
4654 22 March 2017: Wouter
4655 - Fix #1238: segmentation fault when adding through the remote
4656 interface a per-view local zone to a view with no previous
4657 (configured) local zones.
4658 - Fix #1229: Systemd service sandboxing, options in wrong sections.
4660 21 March 2017: Ralph
4661 - Merge EDNS Client subnet implementation from feature branch into main
4662 branch, using new EDNS processing framework.
4664 21 March 2017: Wouter
4665 - Fix doxygen for dnscrypt files.
4667 20 March 2017: Wouter
4668 - #1217. DNSCrypt support, with --enable-dnscrypt, libsodium and then
4669 enabled in the config file from Manu Bretelle.
4670 - make depend, autoconf, remove warnings about statement before var.
4671 - lru_demote and lruhash_insert_or_retrieve functions for getdns.
4672 - fixup for lruhash (whitespace and header file comment).
4675 17 March 2017: Wouter
4676 - Patch for view functionality for local-data-ptr from Björn Ketelaars.
4677 - Fix #1237 - Wrong resolving in chain, for norec queries that get
4680 16 March 2017: Wouter
4681 - Fix that SHM is not inited if not enabled.
4682 - Add trustanchor.unbound CH TXT that gets a response with a number
4683 of TXT RRs with a string like "example.com. 2345 1234" with
4684 the trust anchors and their keytags.
4685 - Fix that looped DNAMEs do not cause unbound to spend effort.
4686 - trustanchor tags are sorted. reusable routine to fetch taglist.
4688 13 March 2017: Wouter
4689 - testbound understands Deckard MATCH rcode question answer commands.
4690 - Fix #1235: Fix too long DNAME expansion produces SERVFAIL instead
4691 of YXDOMAIN + query loop, reported by Petr Spacek.
4693 10 March 2017: Wouter
4694 - Fix #1234: shortening DNAME loop produces duplicate DNAME records
4697 9 March 2017: Wouter
4698 - --disable-sha1 disables SHA1 support in RRSIG, so from DNSKEY and
4699 DS records. NSEC3 is not disabled.
4700 - fake-sha1 test option; print warning if used. To make unit tests.
4701 - unbound-control list local zone and data commands listed in the
4704 8 March 2017: Wouter
4705 - make depend for build dependencies.
4706 - swig version 2.0.1 required.
4707 - fix enum conversion warnings
4709 7 March 2017: Wouter
4710 - Fix #1230: swig version 2.0.0 is required for pythonmod, with
4711 1.3.40 it crashes when running repeatly unbound-control reload.
4712 - Response actions based on IP address from Jinmei Tatuya (Infoblox).
4714 6 March 2017: Wouter
4715 - Fix #1229: Systemd service sandboxing in contrib/unbound.service.
4716 - iana portlist update
4718 28 February 2017: Ralph
4719 - Fix testpkts.c, check if DO bit is set, not only if there is an OPT
4722 28 February 2017: Wouter
4723 - For #1227: if we have sha256, set the cipher list to have no
4726 27 February 2017: Wouter
4727 - Fix #1227: Fix that Unbound control allows weak ciphersuits.
4728 - Fix #1226: provide official 32bit binary for windows.
4730 24 February 2017: Wouter
4731 - include sys/time.h for new shm code on NetBSD.
4733 23 February 2017: Wouter
4734 - Fix doc/CNAME-basedRedirectionDesignNotes.pdf zone static to
4736 - Patch from Luiz Fernando Softov for Stats Shared Memory.
4737 - unbound-control stats_shm command prints stats using shared memory,
4738 which uses less cpu.
4739 - make depend, autoconf, doxygen and lint fixed up.
4741 22 February 2017: Wouter
4742 - Fix #1224: Fix that defaults should not fall back to "Program Files
4743 (x86) if Unbound is 64bit by default on windows.
4745 21 February 2017: Wouter
4746 - iana portlist update
4748 16 February 2017: Wouter
4749 - sldns updated for vfixed and buffer resize indication from getdns.
4751 15 February 2017: Wouter
4752 - sldns has ED25519 and ED448 algorithm number and name for display.
4754 14 February 2017: Wouter
4755 - tag 1.6.1rc3. -- which became 1.6.1 on 21feb, trunk has 1.6.2
4757 13 February 2017: Wouter
4758 - Fix autoconf of systemd check for lack of pkg-config.
4760 10 February 2017: Wouter
4761 - Fix pythonmod for typedef changes.
4762 - Fix dnstap for warning of set but not used.
4765 9 February 2017: Wouter
4768 8 February 2017: Wouter
4769 - Fix for type name change and fix warning on windows compile.
4771 7 February 2017: Wouter
4772 - Include root trust anchor id 20326 in unbound-anchor.
4774 6 February 2017: Wouter
4775 - Fix compile on solaris of the fix to use $host detect.
4777 4 February 2017: Wouter
4778 - fix root_anchor test for updated icannbundle.pem lower certificates.
4780 26 January 2017: Wouter
4781 - Fix 1211: Fix can't enable interface-automatic if no IPv6 with
4782 more helpful error message.
4784 20 January 2017: Wouter
4785 - Increase MAX_MODULE to 16.
4787 19 January 2017: Wouter
4788 - Fix to Rename ub_callback_t to ub_callback_type, because POSIX
4789 reserves _t typedefs.
4790 - Fix to rename internally used types from _t to _type, because _t
4791 type names are reserved by POSIX.
4792 - iana portlist update
4794 12 January 2017: Wouter
4795 - Fix to also block meta types 128 through to 248 with formerr.
4796 - Fix #1206: Some view-related commands are missing from 'unbound-control -h'
4798 9 January 2017: Wouter
4799 - Fix #1202: Fix code comment that packed_rrset_data is not always
4802 6 January 2017: Wouter
4803 - Fix #1201: Fix missing unlock in answer_from_cache error condition.
4805 5 January 2017: Wouter
4806 - Fix to return formerr for queries for meta-types, to avoid
4807 packet amplification if this meta-type is sent on to upstream.
4808 - Fix #1184: Log DNS replies. This includes the same logging
4809 information that DNS queries and response code and response size,
4810 patch from Larissa Feng.
4811 - Fix #1187: Source IP rate limiting, patch from Larissa Feng.
4813 3 January 2017: Wouter
4814 - configure --enable-systemd and lets unbound use systemd sockets if
4815 you enable use-systemd: yes in unbound.conf.
4816 Also there are contrib/unbound.socket and contrib/unbound.service:
4817 systemd files for unbound, install them in /usr/lib/systemd/system.
4818 Contributed by Sami Kerola and Pavel Odintsov.
4819 - Fix reload chdir failure when also chrooted to that directory.
4821 2 January 2017: Wouter
4822 - Fix #1194: Cross build fails when $host isn't `uname` for getentropy.
4824 23 December 2016: Ralph
4825 - Fix #1190: Do not echo back EDNS options in local-zone error response.
4826 - iana portlist update
4828 21 December 2016: Ralph
4829 - Fix #1188: Unresolved symbol 'fake_dsa' in libunbound.so when built
4832 19 December 2016: Ralph
4833 - Fix #1191: remove comment about view deletion.
4835 15 December 2016: Wouter
4836 - iana portlist update
4837 - 64bit is default for windows builds.
4838 - Fix inet_ntop and inet_pton warnings in windows compile.
4840 14 December 2016: Wouter
4841 - Fix #1178: attempt to fix setup error at end, pop result values
4844 13 December 2016: Wouter
4845 - Fix #1182: Fix Resource leak (socket), at startup.
4846 - Fix unbound-control and ipv6 only.
4848 9 December 2016: Wouter
4849 - Fix #1176: stack size too small for Alpine Linux.
4851 8 December 2016: Wouter
4852 - Fix downcast warnings from visual studio in sldns code.
4853 - tag 1.6.0rc1 which became 1.6.0 on 15 dec, and trunk is 1.6.1.
4855 7 December 2016: Ralph
4856 - Add DSA support for OpenSSL 1.1.0
4857 - Fix remote control without cert for LibreSSL
4859 6 December 2016: George
4860 - Added generic EDNS code for registering known EDNS option codes,
4861 bypassing the cache response stage and uniquifying mesh states. Four EDNS
4862 option lists were added to module_qstate (module_qstate.edns_opts_*) to
4863 store EDNS options from/to front/back side.
4864 - Added two flags to module_qstate (no_cache_lookup, no_cache_store) that
4865 control the modules' cache interactions.
4866 - Added code for registering inplace callback functions. The registered
4867 functions can be called just before replying with local data or Chaos,
4868 replying from cache, replying with SERVFAIL, replying with a resolved
4869 query, sending a query to a nameserver. The functions can inspect the
4870 available data and maybe change response/query related data (i.e. append
4872 - Updated Python module for the above.
4873 - Updated Python documentation.
4875 5 December 2016: Ralph
4876 - Fix #1173: differ local-zone type deny from unset
4877 tag_actions element.
4879 5 December 2016: Wouter
4880 - Fix #1170: document that 'inform' local-zone uses local-data.
4882 1 December 2016: Ralph
4883 - hyphen as minus fix, by Andreas Schulze
4885 30 November 2016: Ralph
4886 - Added local-zones and local-data bulk addition and removal
4887 functionality in unbound-control (local_zones, local_zones_remove,
4888 local_datas and local_datas_remove).
4889 - iana portlist update
4891 29 November 2016: Wouter
4892 - version 1.6.0 is in the development branch.
4893 - braces in view.c around lock statements.
4895 28 November 2016: Wouter
4898 25 November 2016: Wouter
4899 - Fix that with openssl 1.1 control-use-cert: no uses less cpu, by
4900 using no encryption over the unix socket.
4902 22 November 2016: Ralph
4903 - Make access-control-tag-data RDATA absolute. This makes the RDATA
4904 origin consistent between local-data and access-control-tag-data.
4905 - Fix NSEC ENT wildcard check. Matching wildcard does not have to be a
4906 subdomain of the NSEC owner.
4907 - QNAME minimisation uses QTYPE=A, therefore always check cache for
4908 this type in harden-below-nxdomain functionality.
4909 - Added unit test for QNAME minimisation + harden below nxdomain
4912 22 November 2016: Wouter
4913 - iana portlist update.
4914 - Fix unit tests for DS hash processing for fake-dsa test option.
4915 - patch from Dag-Erling Smorgrav that removes code that relies
4918 21 November 2016: Wouter
4919 - Fix #1158: reference RFC 8020 "NXDOMAIN: There Really Is Nothing
4920 Underneath" for the harden-below-nxdomain option.
4922 10 November 2016: Ralph
4923 - Fix #1155: test status code of unbound-control in 04-checkconf,
4924 not the status code from the tee command.
4926 4 November 2016: Ralph
4927 - Added stub-ssl-upstream and forward-ssl-upstream options.
4929 4 November 2016: Wouter
4930 - configure detects ssl security level API function in the autoconf
4931 manner. Every function on its own, so that other libraries (eg.
4932 LibreSSL) can develop their API without hindrance.
4933 - Fix #1154: segfault when reading config with duplicate zones.
4934 - Note that for harden-below-nxdomain the nxdomain must be secure,
4935 this means nsec3 with optout is insufficient.
4937 3 November 2016: Ralph
4938 - Set OpenSSL security level to 0 when using aNULL ciphers.
4940 3 November 2016: Wouter
4941 - .gitattributes line for githubs code language display.
4942 - log-identity: config option to set sys log identity, patch from
4943 "Robin H. Johnson" <robbat2@gentoo.org>
4945 2 November 2016: Wouter
4946 - iana portlist update.
4948 31 October 2016: Wouter
4949 - Fix failure to build on arm64 with no sbrk.
4950 - iana portlist update.
4952 28 October 2016: Wouter
4953 - Patch for server.num.zero_ttl stats for count of expired replies,
4954 from Pavel Odintsov.
4956 26 October 2016: Wouter
4957 - Fix unit tests for openssl 1.1, with no DSA, by faking DSA, enabled
4958 with the undocumented switch 'fake-dsa'. It logs a warning.
4960 25 October 2016: Wouter
4961 - Fix #1134: unbound-control set_option -- val-override-date: -1 works
4962 immediately to ignore datetime, or back to 0 to enable it again.
4963 The -- is to ignore the '-1' as an option flag.
4965 24 October 2016: Wouter
4966 - serve-expired config option: serve expired responses with TTL 0.
4967 - g.root-servers.net has AAAA address.
4969 21 October 2016: Wouter
4970 - Ported tests for local_cname unit test to testbound framework.
4972 20 October 2016: Wouter
4973 - suppress compile warning in lex files.
4974 - init lzt variable, for older gcc compiler warnings.
4975 - fix --enable-dsa to work, instead of copying ecdsa enable.
4976 - Fix DNSSEC validation of query type ANY with DNAME answers.
4977 - Fixup query_info local_alias init.
4979 19 October 2016: Wouter
4980 - Fix #1130: whitespace in example.conf.in more consistent.
4982 18 October 2016: Wouter
4983 - Patch that resolves CNAMEs entered in local-data conf statements that
4984 point to data on the internet, from Jinmei Tatuya (Infoblox).
4985 - Removed patch comments from acllist.c and msgencode.c
4986 - Added documentation doc/CNAME-basedRedirectionDesignNotes.pdf,
4987 from Jinmei Tatuya (Infoblox).
4988 - Fix #1125: unbound could reuse an answer packet incorrectly for
4989 clients with different EDNS parameters, from Jinmei Tatuya.
4990 - Fix #1118: libunbound.pc sets strange Libs, Libs.private values.
4991 - Added Requires line to libunbound.pc
4992 - Please doxygen by modifying mesh.h
4994 17 October 2016: Wouter
4995 - Re-fix #839 from view commit overwrite.
4996 - Fixup const void cast warning.
4998 12 October 2016: Ralph
4999 - Free view config elements.
5001 11 October 2016: Ralph
5002 - Added qname-minimisation-strict config option.
5003 - iana portlist update.
5004 - fix memoryleak logfile when in debug mode.
5006 5 October 2016: Ralph
5007 - Added views functionality.
5008 - Fix #1117: spelling errors, from Robert Edmonds.
5010 30 September 2016: Wouter
5011 - Fix Nits for 1.5.10 reported by Dag-Erling Smorgrav.
5013 29 September 2016: Wouter
5014 - Fix #838: 1.5.10 cannot be built on Solaris, undefined PATH_MAX.
5015 - Fix #839: Memory grows unexpectedly with large RPZ files.
5016 - Fix #840: infinite loop in unbound_munin_ plugin on unowned lockfile.
5017 - Fix #841: big local-zone's make it consume large amounts of memory.
5019 27 September 2016: Wouter
5020 - tag for 1.5.10 release
5021 - trunk contains 1.5.11 in development.
5022 - Fix dnstap relaying "random" messages instead of resolver/forwarder
5023 responses, from Nikolay Edigaryev.
5024 - Fix #836: unbound could echo back EDNS options in an error response.
5026 20 September 2016: Wouter
5027 - iana portlist update.
5028 - Fix #835: fix --disable-dsa with nettle verify.
5029 - tag for 1.5.10rc1 release.
5031 15 September 2016: Wouter
5032 - Fix 883: error for duplicate local zone entry.
5033 - Test for openssl init_crypto and init_ssl functions.
5035 15 September 2016: Ralph
5036 - fix potential memory leak in daemon/remote.c and nullpointer
5037 dereference in validator/autotrust.
5038 - iana portlist update.
5040 13 September 2016: Wouter
5041 - Silenced flex-generated sign-unsigned warning print with gcc
5043 - Fix for new splint on FreeBSD. Fix cast for sockaddr_un.sun_len.
5045 9 September 2016: Wouter
5046 - Fix #831: workaround for spurious fread_chk warning against petal.c
5048 5 September 2016: Ralph
5049 - Take configured minimum TTL into consideration when reducing TTL
5050 to original TTL from RRSIG.
5052 5 September 2016: Wouter
5053 - Fix #829: doc of sldns_wire2str_rdata_buf() return value has an
5054 off-by-one typo, from Jinmei Tatuya (Infoblox).
5055 - Fix incomplete prototypes reported by Dag-Erling Smørgrav.
5056 - Fix #828: missing type in access-control-tag-action redirect results
5059 2 September 2016: Wouter
5060 - Fix compile with openssl 1.1.0 with api=1.1.0.
5062 1 September 2016: Wouter
5063 - RFC 7958 is now out, updated docs for unbound-anchor.
5064 - Fix for compile without warnings with openssl 1.1.0.
5065 - Fix #826: Fix refuse_non_local could result in a broken response.
5066 - iana portlist update.
5068 29 August 2016: Wouter
5069 - Fix #777: OpenSSL 1.1.0 compatibility, patch from Sebastian A.
5071 - Add default root hints for IPv6 E.ROOT-SERVERS.NET, 2001:500:a8::e.
5073 25 August 2016: Ralph
5074 - Clarify local-zone-override entry in unbound.conf.5
5076 25 August 2016: Wouter
5077 - 64bit build option for makedist windows compile, -w64.
5079 24 August 2016: Ralph
5080 - Fix #820: set sldns_str2wire_rr_buf() dual meaning len parameter
5081 in each iteration in find_tag_datas().
5082 - unbound.conf.5 entries for define-tag, access-control-tag,
5083 access-control-tag-action, access-control-tag-data, local-zone-tag,
5084 and local-zone-override.
5086 23 August 2016: Wouter
5087 - Fix #804: unbound stops responding after outage. Fixes queries
5088 that attempt to wait for an empty list of subqueries.
5089 - Fix #804: lower num_target_queries for iterator also for failed
5092 8 August 2016: Wouter
5093 - Note that OPENPGPKEY type is RFC 7929.
5095 4 August 2016: Wouter
5096 - Fix #807: workaround for possible some "unused" function parameters
5097 in test code, from Jinmei Tatuya.
5099 3 August 2016: Wouter
5100 - use sendmsg instead of sendto for TFO.
5102 28 July 2016: Wouter
5103 - Fix #806: wrong comment removed.
5105 26 July 2016: Wouter
5106 - nicer ratelimit-below-domain explanation.
5108 22 July 2016: Wouter
5109 - Fix #801: missing error condition handling in
5110 daemon_create_workers().
5111 - Fix #802: workaround for function parameters that are "unused"
5113 - Fix #803: confusing (and incorrect) code comment in daemon_cleanup().
5115 20 July 2016: Wouter
5116 - Fix typo in unbound.conf.
5118 18 July 2016: Wouter
5119 - Fix #798: Client-side TCP fast open fails (Linux).
5121 14 July 2016: Wouter
5122 - TCP Fast open patch from Sara Dickinson.
5123 - Fixed unbound.doxygen for 1.8.11.
5126 - access-control-tag-data implemented. verbose(4) prints tag debug.
5129 - Fix dynamic link of anchor-update.exe on windows.
5130 - Fix detect of mingw for MXE package build.
5131 - Fixes for 64bit windows compile.
5132 - Fix #788 for nettle 3.0: Failed to build with Nettle >= 3.0 and
5133 --with-libunbound-only --with-nettle.
5136 - For #787: prefer-ip6 option for unbound.conf prefers to send
5137 upstream queries to ipv6 servers.
5138 - Fix #787: outgoing-interface netblock/64 ipv6 option to use linux
5139 freebind to use 64bits of entropy for every query with random local
5142 30 June 2016: Wouter
5143 - Document always_transparent, always_refuse, always_nxdomain types.
5145 29 June 2016: Wouter
5146 - Fix static compile on windows missing gdi32.
5148 28 June 2016: Wouter
5149 - Create a pkg-config file for libunbound in contrib.
5151 27 June 2016: Wouter
5152 - Fix #784: Build configure assumess that having getpwnam means there
5153 is endpwent function available.
5154 - Updated repository with newer flex and bison output.
5157 - Possibility to specify local-zone type for an acl/tag pair
5158 - Possibility to specify (override) local-zone type for a source address
5161 - Decrease dp attempts at each QNAME minimisation iteration
5163 16 June 2016: Wouter
5164 - Fix tcp timeouts in tv.usec.
5166 15 June 2016: Wouter
5167 - TCP_TIMEOUT is specified in milliseconds.
5168 - If more than half of tcp connections are in use, a shorter timeout
5169 is used (200 msec, vs 2 minutes) to pressure tcp for new connects.
5172 - QNAME minimisation unit test for dropped QTYPE=A queries.
5174 14 June 2016: Wouter
5175 - Fix 775: unbound-host and unbound-anchor crash on windows, ignore
5176 null delete for wsaevent.
5177 - Fix spelling in freebind option man page text.
5178 - Fix windows link of ssl with crypt32.
5179 - Fix 779: Union casting is non-portable.
5180 - Fix 780: MAP_ANON not defined in HP-UX 11.31.
5181 - Fix 781: prealloc() is an HP-UX system library call.
5184 - Use QTYPE=A for QNAME minimisation.
5185 - Keep track of number of time-outs when performing QNAME minimisation.
5186 Stop minimising when number of time-outs for a QNAME/QTYPE pair is
5189 13 June 2016: Wouter
5190 - Fix #778: unbound 1.5.9: -h segfault (null deref).
5191 - Fix directory: fix for unbound-checkconf, it restores cwd.
5193 10 June 2016: Wouter
5194 - And delete service.conf.shipped on uninstall.
5195 - In unbound.conf directory: dir immediately changes to that directory,
5196 so that include: file below that is relative to that directory.
5197 With chroot, make the directory an absolute path inside chroot.
5198 - keep debug symbols in windows build.
5199 - do not delete service.conf on windows uninstall.
5200 - document directory immediate fix and allow EXECUTABLE syntax in it
5204 - Trunk is called 1.5.10 (with previous fixes already in there to 2
5206 - Revert fix for NetworkService account on windows due to breakage
5208 - Fix that windows install will not overwrite existing service.conf
5209 file (and ignore gui config choices if it exists).
5212 - Lookup localzones by taglist from acl.
5213 - Possibility to lookup local_zone, regardless the taglist.
5214 - Added local_zone/taglist/acl unit test.
5217 - Fix #773: Non-standard Python location build failure with pyunbound.
5218 - Improve threadsafety for openssl 0.9.8 ecdsa dnssec signatures.
5221 - Better help text from -h (from Ray Griffith).
5222 - access-control-tag config directive.
5223 - local-zone-override config directive.
5224 - access-control-tag-action and access-control-tag-data config
5226 - free acl-tags, acltag-action and acltag-data config lists during
5227 initialisation to free up memory for more entries.
5230 - Fix to not ignore return value of chown() in daemon startup.
5233 - Fix libubound for edns optlist feature.
5234 - Fix distinction between free and CRYPTO_free in dsa and ecdsa alloc.
5235 - Fix #752: retry resource temporarily unavailable on control pipe.
5236 - un-document localzone tags.
5237 - tag for release 1.5.9rc1.
5238 And this also became release 1.5.9.
5239 - Fix (for 1.5.10): Fix unbound-anchor.exe file location defaults to
5240 Program Files with (x86) appended.
5241 - re-documented localzone tags in example.conf.
5244 - Fix windows service to be created run with limited rights, as a
5245 network service account, from Mario Turschmann.
5246 - compat strsep implementation.
5247 - generic edns option parse and store code.
5248 - and also generic edns options for upstream messages (and replies).
5249 after parse use edns_opt_find(edns.opt_list, LDNS_EDNS_NSID),
5250 to insert use edns_opt_append(edns, region, code, len, bindata) on
5251 the opt_list passed to send_query, or in edns_opt_inplace_reply.
5254 - Fix time in case answer comes from cache in ub_resolve_event().
5255 - Attempted fix for #765: _unboundmodule missing for python3.
5258 - Fix #770: Small subgroup attack on DH used in unix pipe on localhost
5259 if unbound control uses a unix local named pipe.
5260 - Document write permission to directory of trust anchor needed.
5261 - Fix #768: Unbound Service Sometimes Can Not Shutdown
5262 Completely, WER Report Shown Up. Close handle before closing WSA.
5265 - Updated patch from Charles Walker.
5268 - disable-dnssec-lame-check config option from Charles Walker.
5269 - remove memory leak from lame-check patch.
5270 - iana portlist update.
5273 - Fix #767: Reference to an expired Internet-Draft in
5274 harden-below-nxdomain documentation.
5277 - No QNAME minimisation fall-back for NXDOMAIN answers from DNSSEC
5279 - iana portlist update.
5282 - Fix #766: dns64 should synthesize results on timeout/errors.
5285 - Fix #761: DNSSEC LAME false positive resolving nic.club.
5288 - trunk updated with output of flex 2.6.0.
5291 - Fix memory leak in out-of-memory conditions of local zone add.
5293 29 April 2016: Wouter
5294 - Fix sldns with static checking fixes copied from getdns.
5296 28 April 2016: Wouter
5297 - Fix #759: 0x20 capsforid no longer checks type PTR, for
5298 compatibility with cisco dns guard. This lowers false positives.
5300 18 April 2016: Wouter
5301 - Fix some malformed responses to edns queries get fallback to nonedns.
5303 15 April 2016: Wouter
5304 - cachedb module event handling design.
5306 14 April 2016: Wouter
5307 - cachedb module framework (empty).
5308 - iana portlist update.
5310 12 April 2016: Wouter
5311 - Fix #753: document dump_requestlist is for first thread.
5313 24 March 2016: Wouter
5314 - Document permit-small-holddown for 5011 debug.
5315 - Fix #749: unbound-checkconf gets SIGSEGV when use against a
5316 malformatted conf file.
5318 23 March 2016: Wouter
5319 - OpenSSL 1.1.0 portability, --disable-dsa configure option.
5321 21 March 2016: Wouter
5322 - Fix compile of getentropy_linux for SLES11 servicepack 4.
5323 - Fix dnstap-log-resolver-response-messages, from Nikolay Edigaryev.
5324 - Fix test for openssl to use HMAC_Update for 1.1.0.
5325 - acx_nlnetlabs.m4 to v33, with HMAC_Update.
5326 - acx_nlnetlabs.m4 to v34, with -ldl -pthread test for libcrypto.
5327 - ERR_remove_state deprecated since openssl 1.0.0.
5328 - OPENSSL_config is deprecated, removing.
5330 18 March 2016: Ralph
5331 - Validate QNAME minimised NXDOMAIN responses.
5332 - If QNAME minimisation is enabled, do cache lookup for QTYPE NS in
5333 harden-below-nxdomain.
5335 17 March 2016: Ralph
5336 - Limit number of QNAME minimisation iterations.
5338 17 March 2016: Wouter
5339 - Fix #746: Fix unbound sets CD bit on all forwards.
5340 If no trust anchors, it'll not set CD bit when forwarding to another
5341 server. If a trust anchor, no CD bit on the first attempt to a
5342 forwarder, but CD bit thereafter on repeated attempts to get DNSSEC.
5343 - iana portlist update.
5345 16 March 2016: Wouter
5346 - Fix ip-transparent for ipv6 on FreeBSD, thanks to Nick Hibma.
5347 - Fix ip-transparent for tcp on freebsd.
5349 15 March 2016: Wouter
5350 - ip_freebind: yesno option in unbound.conf sets IP_FREEBIND for
5351 binding to an IP address while the interface or address is down.
5353 14 March 2016: Wouter
5354 - Fix warnings in ifdef corner case, older or unknown libevent.
5355 - Fix compile for ub_event code with older libev.
5357 11 March 2016: Wouter
5358 - Remove warning about unused parameter in event_pluggable.c.
5359 - Fix libev usage of dispatch return value.
5360 - No side effects in tolower() call, in case it is a macro.
5361 - For test put free in pluggable api in parenthesis.
5363 10 March 2016: Wouter
5364 - Fixup backend2str for libev.
5366 09 March 2016: Willem
5367 - User defined pluggable event API for libunbound
5368 - Fixup of compile fix for pluggable event API from P.Y. Adi
5371 09 March 2016: Wouter
5372 - Updated configure and ltmain.sh.
5373 - Updated L root IPv6 address.
5375 07 March 2016: Wouter
5376 - Fix #747: assert in outnet_serviced_query_stop.
5377 - iana ports fetched via https.
5378 - iana portlist update.
5380 03 March 2016: Wouter
5381 - configure tests for the weak attribute support by the compiler.
5383 02 March 2016: Wouter
5385 - trunk contains 1.5.9 in development.
5386 - iana portlist update.
5387 - Fix #745: unbound.py - idn2dname throws UnicodeError when idnname
5388 contains trailing dot.
5390 24 February 2016: Wouter
5391 - Fix OpenBSD asynclook lock free that gets used later (fix test code).
5392 - Fix that NSEC3 negative cache is used when there is no salt.
5394 23 February 2016: Wouter
5395 - ub_ctx_set_stub() function for libunbound to config stub zones.
5396 - sorted ubsyms.def file with exported libunbound functions.
5398 19 February 2016: Wouter
5399 - Print understandable debug log when unusable DS record is seen.
5400 - load gost algorithm if digest is seen before key algorithm.
5401 - iana portlist update.
5403 17 February 2016: Wouter
5404 - Fix that "make install" fails due to "text file busy" error.
5406 16 February 2016: Wouter
5407 - Set IPPROTO_IP6 for ipv6 sockets otherwise invalid argument error.
5409 15 February 2016: Wouter
5410 - ip-transparent option for FreeBSD with IP_BINDANY socket option.
5411 - wait for sendto to drain socket buffers when they are full.
5413 9 February 2016: Wouter
5414 - Test for type OPENPGPKEY.
5415 - insecure-lan-zones: yesno config option, patch from Dag-Erling
5418 8 February 2016: Wouter
5419 - Fix patch typo in prevuous commit for 734 from Adi Prasaja.
5420 - RR Type CSYNC support RFC 7477, in debug printout and config input.
5421 - RR Type OPENPGPKEY support (draft-ietf-dane-openpgpkey-07).
5423 29 January 2016: Wouter
5424 - Neater cmdline_verbose increment patch from Edgar Pettijohn.
5426 27 January 2016: Wouter
5427 - Made netbsd sendmsg test nonfatal, in case of false positives.
5428 - Fix #741: log message for dnstap socket connection is more clear.
5430 26 January 2016: Wouter
5431 - Fix #734: chown the pidfile if it resides inside the chroot.
5432 - Use arc4random instead of random in tests (because it is
5433 available, possibly as compat, anyway).
5434 - Fix cmsg alignment for argument to sendmsg on NetBSD.
5435 - Fix that unbound complains about unimplemented IP_PKTINFO for
5436 sendmsg on NetBSD (for interface-automatic).
5438 25 January 2016: Wouter
5439 - Fix #738: Swig should not be invoked with CPPFLAGS.
5441 19 January 2016: Wouter
5442 - Squelch 'cannot assign requested address' log messages unless
5443 verbosity is high, it was spammed after network down.
5445 14 January 2016: Wouter
5446 - Fix to simplify empty string checking from Michael McConville.
5447 - iana portlist update.
5449 12 January 2016: Wouter
5450 - Fix #734: Do not log an error when the PID file cannot be chown'ed.
5451 Patch from Simon Deziel.
5453 11 January 2016: Wouter
5454 - Fix test if -pthreads unused to use better grep for portability.
5456 06 January 2016: Wouter
5457 - Fix mingw crosscompile for recent mingw.
5458 - Update aclocal, autoconf output with new versions (1.15, 2.4.6).
5460 05 January 2016: Wouter
5461 - #731: tcp-mss, outgoing-tcp-mss options for unbound.conf, patch
5462 from Daisuke Higashi.
5463 - Support RFC7686: handle ".onion" Special-Use Domain. It is blocked
5464 by default, and can be unblocked with "nodefault" localzone config.
5466 04 January 2016: Wouter
5467 - Define DEFAULT_SOURCE together with BSD_SOURCE when that is defined,
5468 for Linux glibc 2.20.
5469 - Fixup contrib/aaaa-filter-iterator.patch for moved contents in the
5470 source code, so it applies cleanly again. Removed unused variable
5473 15 December 2015: Ralph
5474 - Fix #729: omit use of escape sequences in echo since they are not
5475 portable (unbound-control-setup).
5477 11 December 2015: Wouter
5478 - remove NULL-checks before free, patch from Michael McConville.
5479 - updated ax_pthread.m4 to version 21 with clang support, this
5480 removes a warning from compilation.
5481 - OSX portability, detect if sbrk is deprecated.
5482 - OSX clang, stop -pthread unused during link stage warnings.
5483 - OSX clang new flto check.
5485 10 December 2015: Wouter
5487 - trunk has 1.5.8 in development.
5489 8 December 2015: Wouter
5490 - Fixup 724 for unbound-control.
5492 7 December 2015: Ralph
5493 - Do not minimise forwarded requests.
5495 4 December 2015: Wouter
5496 - Removed unneeded whitespace from example.conf.
5498 3 December 2015: Ralph
5500 - Committed fix to qname minimisation and unit test case for it.
5502 3 December 2015: Wouter
5503 - iana portlist update.
5504 - 1.5.7rc1 prerelease tag.
5506 2 December 2015: Wouter
5507 - Fixup 724: Fix PCA prompt for unbound-service-install.exe.
5508 re-enable stdout printout.
5509 - For 724: Add Changelog to windows binary dist.
5511 1 December 2015: Ralph
5512 - Qname minimisation review fixes
5514 1 December 2015: Wouter
5515 - Fixup 724 fix for fname_after_chroot() calls.
5516 - Remove stdout printout for unbound-service-install.exe
5517 - .gitignore for git users.
5519 30 November 2015: Ralph
5520 - Implemented qname minimisation
5522 30 November 2015: Wouter
5523 - Fix for #724: conf syntax to read files from run dir (on Windows).
5525 25 November 2015: Wouter
5526 - Fix for #720, fix unbound-control-setup windows batch file.
5528 24 November 2015: Wouter
5529 - Fix #720: add windows scripts to zip bundle.
5530 - iana portlist update.
5532 20 November 2015: Wouter
5533 - Added assert on rrset cache correctness.
5534 - Fix that malformed EDNS query gets a response without malformed EDNS.
5536 18 November 2015: Wouter
5537 - newer acx_nlnetlabs.m4.
5538 - spelling fixes from Igor Sobrado Delgado.
5540 17 November 2015: Wouter
5541 - Fix #594. libunbound: optionally use libnettle for crypto.
5542 Contributed by Luca Bruno. Added --with-nettle for use with
5543 --with-libunbound-only.
5544 - refactor nsec3 hash implementation to be more library-portable.
5545 - iana portlist update.
5546 - Fixup DER encoded DSA signatures for libnettle.
5548 16 November 2015: Wouter
5549 - Fix for lenient accept of reverse order DNAME and CNAME.
5551 6 November 2015: Wouter
5552 - Change example.conf: ftp.internic.net to https://www.internic.net
5554 5 November 2015: Wouter
5555 - ACX_SSL_CHECKS no longer adds -ldl needlessly.
5557 3 November 2015: Wouter
5558 - Fix #718: Fix unbound-control-setup with support for env
5559 without HEREDOC bash support.
5561 29 October 2015: Wouter
5562 - patch from Doug Hogan for SSL_OP_NO_SSLvx options.
5563 - Fix #716: nodata proof with empty non-terminals and wildcards.
5565 28 October 2015: Wouter
5566 - Fix checklock testcode for linux threads on exit.
5568 27 October 2015: Wouter
5569 - isblank() compat implementation.
5570 - detect libexpat without xml_StopParser function.
5571 - portability fixes.
5572 - portability, replace snprintf if return value broken.
5574 23 October 2015: Wouter
5575 - Fix #714: Document config to block private-address for IPv4
5576 mapped IPv6 addresses.
5578 22 October 2015: Wouter
5579 - Fix #712: unbound-anchor appears to not fsync root.key.
5581 20 October 2015: Wouter
5583 - trunk tracks development of 1.5.7.
5585 15 October 2015: Wouter
5586 - Fix segfault in the dns64 module in the formaterror error path.
5587 - Fix sldns_wire2str_rdata_scan for malformed RRs.
5588 - tag for 1.5.6rc1 release.
5590 14 October 2015: Wouter
5591 - ANY responses include DNAME records if present, as per Evan Hunt's
5593 - Fix manpage to suggest using SIGTERM to terminate the server.
5595 9 October 2015: Wouter
5596 - Default for ssl-port is port 853, the temporary port assignment
5597 for secure domain name system traffic.
5598 If you used to rely on the older default of port 443, you have
5599 to put a clause in unbound.conf for that. The new value is likely
5600 going to be the standardised port number for this traffic.
5601 - iana portlist update.
5603 6 October 2015: Wouter
5605 - trunk tracks the development of 1.5.6.
5607 28 September 2015: Wouter
5608 - MAX_TARGET_COUNT increased to 64, to fix up sporadic resolution
5610 - tag for 1.5.5rc1 release.
5611 - makedist.sh: pgp sig echo commands.
5613 25 September 2015: Wouter
5614 - Fix unbound-control flush that does not succeed in removing data.
5616 22 September 2015: Wouter
5617 - Fix config globbed include chroot treatment, this fixes reload of
5618 globs (patch from Dag-Erling Smørgrav).
5619 - iana portlist update.
5620 - Fix #702: New IPs for for h.root-servers.net.
5621 - Remove confusion comment from canonical_compare() function.
5622 - Fix #705: ub_ctx_set_fwd() return value mishandled on windows.
5623 - testbound selftest also works in non-debug mode.
5624 - Fix minor error in unbound.conf.5.in
5625 - Fix unbound.conf(5) access-control description for precedence
5628 31 August 2015: Wouter
5629 - changed windows setup compression to be more transparent.
5631 28 August 2015: Wouter
5632 - Fix #697: Get PY_MAJOR_VERSION failure at configure for python
5634 - Feature #699: --enable-pie option to that builds PIE binary.
5635 - Feature #700: --enable-relro-now option that enables full read-only
5638 24 August 2015: Wouter
5639 - Fix deadlock for local data add and zone add when unbound-control
5640 list_local_data printout is interrupted.
5641 - iana portlist update.
5642 - Change default of harden-algo-downgrade to off. This is lenient
5643 for algorithm rollover.
5645 13 August 2015: Wouter
5646 - 5011 implementation does not insist on all algorithms, when
5647 harden-algo-downgrade is turned off.
5648 - Reap the child process that libunbound spawns.
5650 11 August 2015: Wouter
5651 - Fix #694: configure script does not detect LibreSSL 2.2.2
5653 4 August 2015: Wouter
5654 - Document that local-zone nodefault matches exactly and transparent
5655 can be used to release a subzone.
5657 3 August 2015: Wouter
5658 - Document in the manual more text about configuring locally served
5660 - Fix 5011 anchor update timer after reload.
5661 - Fix mktime in unbound-anchor not using UTC.
5663 30 July 2015: Wouter
5664 - please afl-gcc (llvm) for uninitialised variable warning.
5665 - Added permit-small-holddown config to debug fast 5011 rollover.
5667 24 July 2015: Wouter
5668 - Fix #690: Reload fails when so-reuseport is yes after changing
5670 - iana portlist update.
5672 21 July 2015: Wouter
5673 - Fix configure to detect SSL_CTX_set_ecdh_auto.
5674 - iana portlist update.
5676 20 July 2015: Wouter
5677 - Enable ECDHE for servers. Where available, use
5678 SSL_CTX_set_ecdh_auto() for TLS-wrapped server configurations to
5679 enable ECDHE. Otherwise, manually offer curve p256.
5680 Client connections should automatically use ECDHE when available.
5681 (thanks Daniel Kahn Gillmor)
5683 18 July 2015: Willem
5684 - Allow certificate chain files to allow for intermediate certificates.
5685 (thanks Daniel Kahn Gillmor)
5687 13 July 2015: Wouter
5688 - makedist produces sha1 and sha256 files for created binaries too.
5692 - trunk has 1.5.5 in development.
5693 - Fix #681: Setting forwarders with unbound-control forward
5694 implicitly turns on forward-first.
5696 29 June 2015: Wouter
5697 - iana portlist update.
5698 - Fix alloc with log for allocation size checks.
5700 26 June 2015: Wouter
5701 - Fix #677 Fix DNAME responses from cache that failed internal chain
5703 - iana portlist update.
5705 22 June 2015: Wouter
5706 - Fix #677 Fix CNAME corresponding to a DNAME was checked incorrectly
5707 and was therefore always synthesized (thanks to Valentin Dietrich).
5710 - RFC 7553 RR type URI support, is now enabled by default.
5713 - Fix #674: Do not free pointers given by getenv.
5716 - Fix that unparseable error responses are ratelimited.
5717 - SOA negative TTL is capped at minimumttl in its rdata section.
5718 - cache-max-negative-ttl config option, default 3600.
5721 - Document that ratelimit works with unbound-control set_option.
5724 - iana portlist update.
5725 - documentation proposes ratelimit of 1000 (closer to what upstream
5726 servers expect from us).
5729 - DLV is going to be decommissioned. Advice to stop using it, and
5730 put text in the example configuration and man page to that effect.
5733 - Change syntax of particular validator error to be easier for
5734 machine parse, swap rrset and ip adres info so it looks like:
5735 validation failure <www.example.nl. TXT IN>: signature crypto
5736 failed from 2001:DB8:7:bba4::53 for <*.example.nl. NSEC IN>
5739 - caps-whitelist in unbound.conf allows whitelist of loadbalancers
5740 that cannot work with caps-for-id or its fallback.
5742 30 April 2015: Wouter
5743 - Unit test for type ANY synthesis.
5745 22 April 2015: Wouter
5746 - Removed contrib/unbound_unixsock.diff, because it has been
5747 integrated, use control-interface: /path in unbound.conf.
5748 - iana portlist update.
5750 17 April 2015: Wouter
5751 - Synthesize ANY responses from cache. Does not search exhaustively,
5752 but MX,A,AAAA,SOA,NS also CNAME.
5753 - Fix leaked dns64prefix configuration string.
5755 16 April 2015: Wouter
5756 - Add local-zone type inform_deny, that logs query and drops answer.
5757 - Ratelimit does not apply to prefetched queries, and ratelimit-factor
5758 is default 10. Repeated normal queries get resolved and with
5759 prefetch stay in the cache.
5760 - Fix bug#664: libunbound python3 related fixes (from Tomas Hozza)
5761 Use print_function also for Python2.
5762 libunbound examples: produce sorted output.
5763 libunbound-Python: libldns is not used anymore.
5764 Fix issue with Python 3 mapping of FILE* using file_py3.i from ldns.
5766 10 April 2015: Wouter
5767 - unbound-control ratelimit_list lists high rate domains.
5768 - ratelimit feature, ratelimit: 100, or some sensible qps, can be
5769 used to turn it on. It ratelimits recursion effort per zone.
5770 For particular names you can configure exceptions in unbound.conf.
5771 - Fix that get_option for cache-sizes does not print double newline.
5772 - Fix#663: ssl handshake fails when using unix socket because dh size
5775 8 April 2015: Wouter
5776 - Fix crash in dnstap: Do not try to log TCP responses after timeout.
5778 7 April 2015: Wouter
5779 - Libunbound skips dos-line-endings from etc/hosts.
5780 - Unbound exits with a fatal error when the auto-trust-anchor-file
5781 fails to be writable. This is seconds after startup. You can
5782 load a readonly auto-trust-anchor-file with trust-anchor-file.
5783 The file has to be writable to notice the trust anchor change,
5784 without it, a trust anchor change will be unnoticed and the system
5785 will then become inoperable.
5786 - unbound-control list_insecure command shows the negative trust
5787 anchors currently configured, patch from Jelte Jansen.
5789 2 April 2015: Wouter
5790 - Fix #660: Fix interface-automatic broken in the presence of
5793 26 March 2015: Wouter
5794 - remote.c probedelay line is easier to read.
5795 - rename ldns subdirectory to sldns to avoid name collision.
5797 25 March 2015: Wouter
5798 - Fix #657: libunbound(3) recommends deprecated
5799 CRYPTO_set_id_callback.
5800 - If unknown trust anchor algorithm, and libressl is used, error
5801 message encourages upgrade of the libressl package.
5803 23 March 2015: Wouter
5804 - Fix segfault on user not found at startup (from Maciej Soltysiak).
5806 20 March 2015: Wouter
5807 - Fixed to add integer overflow checks on allocation (defense in depth).
5809 19 March 2015: Wouter
5810 - Add ip-transparent config option for bind to non-local addresses.
5812 17 March 2015: Wouter
5813 - Use reallocarray for integer overflow protection, patch submitted
5814 by Loganaden Velvindron.
5816 16 March 2015: Wouter
5817 - Fixup compile on cygwin, more portable openssl thread id.
5819 12 March 2015: Wouter
5820 - Updated default keylength in unbound-control-setup to 3k.
5822 10 March 2015: Wouter
5823 - Fix lintian warning in unbound-checkconf man page (from Andreas
5825 - print svnroot when building windows dist.
5826 - iana portlist update.
5827 - Fix warning on sign compare in getentropy_linux.
5829 9 March 2015: Wouter
5830 - Fix #644: harden-algo-downgrade option, if turned off, fixes the
5831 reported excessive validation failure when multiple algorithms
5832 are present. It allows the weakest algorithm to validate the zone.
5833 - iana portlist update.
5835 5 March 2015: Wouter
5836 - contrib/unbound_smf22.tar.gz: Solaris SMF installation/removal
5837 scripts. Contributed by Yuri Voinov.
5838 - Document that incoming-num-tcp increase is good for large servers.
5839 - stats reports tcp usage, of incoming-num-tcp buffers.
5841 4 March 2015: Wouter
5842 - Patch from Brad Smith that syncs compat/getentropy_linux with
5843 OpenBSD's version (2015-03-04).
5844 - 0x20 fallback improved: servfail responses do not count as missing
5845 comparisons (except if all responses are errors),
5846 inability to find nameservers does not fail equality comparisons,
5847 many nameservers does not try to compare more than max-sent-count,
5848 parse failures start 0x20 fallback procedure.
5849 - store caps_response with best response in case downgrade response
5850 happens to be the last one.
5851 - Document windows 8 tests.
5853 3 March 2015: Wouter
5855 [ This became 1.5.3 on 10 March, trunk is 1.5.4 in development ]
5857 2 March 2015: Wouter
5858 - iana portlist update.
5860 20 February 2015: Wouter
5861 - Use the getrandom syscall introduced in Linux 3.17 (from Heiner
5863 - Fix #645 Portability to Solaris 10, use AF_LOCAL.
5864 - Fix #646 Portability to Solaris, -lrt for getentropy_solaris.
5865 - Fix #647 crash in 1.5.2 because pwd.db no longer accessible after
5868 19 February 2015: Wouter
5869 - 1.5.2 release tag.
5870 - svn trunk contains 1.5.3 under development.
5872 13 February 2015: Wouter
5873 - Fix #643: doc/example.conf.in: unnecessary whitespace.
5875 12 February 2015: Wouter
5878 11 February 2015: Wouter
5879 - iana portlist update.
5881 10 February 2015: Wouter
5882 - Fix scrubber with harden-glue turned off to reject NS (and other
5883 not-address) records.
5885 9 February 2015: Wouter
5886 - Fix validation failure in case upstream forwarder (ISC BIND) does
5887 not have the same trust anchors and decides to insert unsigned NS
5888 record in authority section.
5890 2 February 2015: Wouter
5891 - infra-cache-min-rtt patch from Florian Riehm, for expected long
5892 uplink roundtrip times.
5894 30 January 2015: Wouter
5895 - Fix 0x20 capsforid fallback to omit gratuitous NS and additional
5897 - Portability fix for Solaris ('sun' is not usable for a variable).
5899 29 January 2015: Wouter
5900 - Fix pyunbound byte string representation for python3.
5902 26 January 2015: Wouter
5903 - Fix unintended use of gcc extension for incomplete enum types,
5904 compile with pedantic c99 compliance (from Daniel Dickman).
5906 23 January 2015: Wouter
5907 - windows port fixes, no AF_LOCAL, no chown, no chmod(grp).
5909 16 January 2015: Wouter
5910 - unit test for local unix connection. Documentation and log_addr
5911 does not inspect port for AF_LOCAL.
5912 - unbound-checkconf -f prints chroot with pidfile path.
5914 13 January 2015: Wouter
5915 - iana portlist update.
5917 12 January 2015: Wouter
5918 - Cast sun_len sizeof to socklen_t.
5919 - Fix pyunbound ord call, portable for python 2 and 3.
5921 7 January 2015: Wouter
5922 - Fix warnings in pythonmod changes.
5924 6 January 2015: Wouter
5925 - iana portlist update.
5926 - patch for remote control over local sockets, from Dag-Erling
5927 Smorgrav, Ilya Bakulin. Use control-interface: /path/sock and
5928 control-use-cert: no.
5929 - Fixup that patch and uid lookup (only for daemon).
5930 - coded the default of control-use-cert, to yes.
5932 5 January 2015: Wouter
5933 - getauxval test for ppc64 linux compatibility.
5934 - make strip works for unbound-host and unbound-anchor.
5935 - patch from Stephane Lapie that adds to the python API, that
5936 exposes struct delegpt, and adds the find_delegation function.
5937 - print query name when max target count is exceeded.
5938 - patch from Stuart Henderson that fixes DESTDIR in
5939 unbound-control-setup for installs where config is not in
5940 the prefix location.
5941 - Fix #634: fix fail to start on Linux LTS 3.14.X, ignores missing
5942 IP_MTU_DISCOVER OMIT option (fix from Remi Gacogne).
5943 - Updated contrib warmup.cmd/sh to support two modes - load
5944 from pre-defined list of domains or (with filename as argument)
5945 load from user-specified list of domains, and updated contrib
5946 unbound_cache.sh/cmd to support loading/save/reload cache to/from
5947 default path or (with secondary argument) arbitrary path/filename,
5949 - Patch from Philip Paeps to contrib/unbound_munin_ that uses
5950 type ABSOLUTE. Allows munin.conf: [idleserver.example.net]
5951 unbound_munin_hits.graph_period minute
5953 9 December 2014: Wouter
5954 - svn trunk has 1.5.2 in development.
5955 - config.guess and config.sub update from libtoolize.
5956 - local-zone: example.com inform makes unbound log a message with
5957 client IP for queries in that zone. Eg. for finding infected hosts.
5959 8 December 2014: Wouter
5960 - Fix CVE-2014-8602: denial of service by making resolver chase
5961 endless series of delegations.
5963 1 December 2014: Wouter
5964 - Fix bug#632: unbound fails to build on AArch64, protects
5965 getentropy compat code from calling sysctl if it is has been removed.
5967 29 November 2014: Wouter
5968 - Add include to getentropy_linux.c, hopefully fixing debian build.
5970 28 November 2014: Wouter
5971 - Fix makefile for build from noexec source tree.
5973 26 November 2014: Wouter
5974 - Fix libunbound undefined symbol errors for main.
5975 Referencing main does not seem to be possible for libunbound.
5977 24 November 2014: Wouter
5978 - Fix log at high verbosity and memory allocation failure.
5979 - iana portlist update.
5981 21 November 2014: Wouter
5982 - Fix crash on multiple thread random usage on systems without
5985 20 November 2014: Wouter
5986 - fix compat/getentropy_win.c check if CryptGenRandom works and no
5987 immediate exit on windows.
5989 19 November 2014: Wouter
5990 - Fix cdflag dns64 processing.
5992 18 November 2014: Wouter
5993 - Fix that CD flag disables DNS64 processing, returning the DNSSEC
5995 - iana portlist update.
5997 17 November 2014: Wouter
5998 - Fix #627: SSL_CTX_load_verify_locations return code not properly
6001 14 November 2014: Wouter
6002 - parser with bison 2.7
6004 13 November 2014: Wouter
6005 - Patch from Stephane Lapie for ASAHI Net that implements aaaa-filter,
6006 added to contrib/aaaa-filter-iterator.patch.
6008 12 November 2014: Wouter
6009 - trunk has 1.5.1 in development.
6010 - Patch from Robert Edmonds to build pyunbound python module
6011 differently. No versioninfo, with -shared and without $(LIBS).
6012 - Patch from Robert Edmonds fixes hyphens in unbound-anchor man page.
6013 - Removed 'increased limit open files' log message that is written
6014 to console. It is only written on verbosity 4 and higher.
6015 This keeps system bootup console cleaner.
6016 - Patch from James Raftery, always print stats for rcodes 0..5.
6018 11 November 2014: Wouter
6019 - iana portlist update.
6020 - Fix bug where forward or stub addresses with same address but
6021 different port number were not tried.
6022 - version number in svn trunk is 1.5.0
6024 - review fix from Ralph.
6026 7 November 2014: Wouter
6027 - dnstap fixes by Robert Edmonds:
6028 dnstap/dnstap.m4: cosmetic fixes
6029 dnstap/: Remove compiled protoc-c output files
6030 dnstap/dnstap.m4: Error out if required libraries are not found
6031 dnstap: Fix ProtobufCBufferSimple usage that is incorrect as of
6033 dnstap/: Adapt to API changes in latest libfstrm (>= 0.2.0)
6035 4 November 2014: Wouter
6036 - Add ub_ctx_add_ta_autr function to add a RFC5011 automatically
6037 tracked trust anchor to libunbound.
6038 - Redefine internal minievent symbols to unique symbols that helps
6039 linking on platforms where the linker leaks names across modules.
6041 27 October 2014: Wouter
6042 - Disabled use of SSLv3 in remote-control and ssl-upstream.
6043 - iana portlist update.
6045 16 October 2014: Wouter
6046 - Documented dns64 configuration in unbound.conf man page.
6048 13 October 2014: Wouter
6049 - Fix #617: in ldns in unbound, lowercase WKS services.
6050 - Fix ctype invocation casts.
6052 10 October 2014: Wouter
6053 - Fix unbound-checkconf check for module config with dns64 module.
6054 - Fix unbound capsforid fallback, it ignores TTLs in comparison.
6056 6 October 2014: Wouter
6057 - Fix #614: man page variable substitution bug.
6058 6 October 2014: Willem
6059 - Whitespaces after $ORIGIN are not part of the origin dname (ldns).
6060 - $TTL's value starts at position 5 (ldns).
6062 1 October 2014: Wouter
6063 - fix #613: Allow tab ws in var length last rdfs (in ldns str2wire).
6065 29 September 2014: Wouter
6066 - Fix #612: create service with service.conf in present directory and
6068 - Fix for mingw compile openssl ranlib.
6070 25 September 2014: Wouter
6071 - updated configure and aclocal with newer autoconf 1.13.
6073 22 September 2014: Wouter
6074 - Fix swig and python examples for Python 3.x.
6075 - Fix for mingw compile with openssl-1.0.1i.
6077 19 September 2014: Wouter
6078 - improve python configuration detection to build on Fedora 22.
6080 18 September 2014: Wouter
6081 - patches to also build with Python 3.x (from Pavel Simerda).
6083 16 September 2014: Wouter
6084 - Fix tcp timer waiting list removal code.
6085 - iana portlist update.
6086 - Updated the TCP_BACLOG from 5 to 256, so that the tcp accept queue
6087 is longer and more tcp connections can be handled.
6089 15 September 2014: Wouter
6090 - Fix unit test for CDS typecode.
6092 5 September 2014: Wouter
6093 - type CDS and CDNSKEY types in sldns.
6095 25 August 2014: Wouter
6096 - Fixup checklock code for log lock and its mutual initialization
6098 - iana portlist update.
6099 - Removed necessity for pkg-config from the dnstap.m4, new are
6100 the --with-libfstrm and --with-protobuf-c configure options.
6102 19 August 2014: Wouter
6103 - Update unbound manpage with more explanation (from Florian Obser).
6105 18 August 2014: Wouter
6106 - Fix #603: unbound-checkconf -o <option> should skip verification
6108 - iana portlist update.
6109 - Fixup doc/unbound.doxygen to remove obsolete 1.8.7 settings.
6111 5 August 2014: Wouter
6112 - dnstap support, with a patch from Farsight Security, written by
6113 Robert Edmonds. The --enable-dnstap needs libfstrm and protobuf-c.
6114 It is BSD licensed (see dnstap/dnstap.c).
6115 Building with --enable-dnstap needs pkg-config with this patch.
6116 - Noted dnstap in doc/README and doc/CREDITS.
6117 - Changes to the dnstap patch.
6119 - dnstap/dnstap_config.h should not have been added to the repo,
6120 because is it generated.
6122 1 August 2014: Wouter
6123 - Patch add msg, rrset, infra and key cache sizes to stats command
6124 from Maciej Soltysiak.
6125 - iana portlist update.
6127 31 July 2014: Wouter
6128 - DNS64 from Viagenie (BSD Licensed), written by Simon Perrault.
6129 Initial commit of the patch from the FreeBSD base (with its fixes).
6130 This adds a module (for module-config in unbound.conf) dns64 that
6131 performs DNS64 processing, see README.DNS64.
6132 - Changes from DNS64:
6133 strcpy changed to memmove.
6134 arraybound check fixed from prefix_net/8/4 to prefix_net/8+4.
6135 allocation of result consistently in the correct region.
6136 time_t is now used for ttl in unbound (since the patch's version).
6137 - testdata/dns64_lookup.rpl for unit test for dns64 functionality.
6139 29 July 2014: Wouter
6140 - Patch from Dag-Erling Smorgrav that implements feature, unbound -dd
6141 does not fork in the background and also logs to stderr.
6143 21 July 2014: Wouter
6144 - Fix endian.h include for OpenBSD.
6146 16 July 2014: Wouter
6147 - And Fix#596: Bail out of unbound-control dump_infra when ssl
6150 15 July 2014: Wouter
6151 - Fix #596: Bail out of unbound-control list_local_zones when ssl
6153 - iana portlist update.
6155 13 July 2014: Wouter
6156 - Configure tests if main can be linked to from getentropy compat.
6158 12 July 2014: Wouter
6159 - Fix getentropy compat code, function refs were not portable.
6160 - Fix to check openssl version number only for OpenSSL.
6161 - LibreSSL provides compat items, check for that in configure.
6162 - Fix bug in fix for log locks that caused deadlock in signal handler.
6163 - update compat/getentropy and arc4random to the most recent ones from OpenBSD.
6165 11 July 2014: Matthijs
6166 - fake-rfc2553 patch (thanks Benjamin Baier).
6168 11 July 2014: Wouter
6169 - arc4random in compat/ and getentropy, explicit_bzero, chacha for
6170 dependencies, from OpenBSD. arc4_lock and sha512 in compat.
6171 This makes arc4random available on all platforms, except when
6172 compiled with LIBNSS (it uses libNSS crypto random).
6173 - fix strptime implicit declaration error on OpenBSD.
6174 - arc4random, getentropy and explicit_bzero compat for Windows.
6177 - Fix #593: segfault or crash upon rotating logfile.
6181 - signit tool fixup for compile with libldns library.
6182 - iana portlist updated.
6184 27 June 2014: Wouter
6185 - so-reuseport is available on BSDs(such as FreeBSD 10) and OS/X.
6187 26 June 2014: Wouter
6188 - unbound-control status reports if so-reuseport was successful.
6189 - iana portlist updated.
6191 24 June 2014: Wouter
6192 - Fix caps-for-id fallback, and added fallback attempt when servers
6193 drop 0x20 perturbed queries.
6194 - Fixup testsetup for VM tests (run testcode/run_vm.sh).
6196 17 June 2014: Wouter
6197 - iana portlist updated.
6200 - Add AAAA for B root server to default root hints.
6203 - Remove unused define from iterator.h
6206 - Fixup sldns_enum_edns_option typedef definition.
6209 - Code cleanup patch from Dag-Erling Smorgrav, with compiler issue
6210 fixes from FreeBSD's copy of Unbound, he notes:
6211 Generate unbound-control-setup.sh at build time so it respects
6212 prefix and sysconfdir from the configure script. Also fix the
6213 umask to match the comment, and the comment to match the umask.
6214 Add const and static where needed. Use unions instead of
6215 playing pointer poker. Move declarations that are needed in
6216 multiple source files into a shared header. Move sldns_bgetc()
6217 from parse.c to buffer.c where it belongs. Introduce a new
6218 header file, worker.h, which declares the callbacks that
6219 all workers must define. Remove those declarations from
6220 libworker.h. Include the correct headers in the correct places.
6221 Fix a few dummy callbacks that don't match their prototype.
6222 Fix some casts. Hide the sbrk madness behind #ifdef HAVE_SBRK.
6223 Remove a useless printf which breaks reproducible builds.
6224 Get rid of CONFIGURE_{TARGET,DATE,BUILD_WITH} now that they're
6225 no longer used. Add unbound-control-setup.sh to the list of
6226 generated files. The prototype for libworker_event_done_cb()
6227 needs to be moved from libunbound/libworker.h to
6228 libunbound/worker.h.
6229 - Fixup out-of-directory compile with unbound-control-setup.sh.in.
6233 - unbound-host -D enabled dnssec and reads root trust anchor from
6234 the default root key file that was compiled in.
6237 - Feature, unblock-lan-zones: yesno that you can use to make unbound
6238 perform 10.0.0.0/8 and other reverse lookups normally, for use if
6239 unbound is running service for localhost on localhost.
6242 - Updated create_unbound_ad_servers and unbound_cache scripts from
6243 Yuri Voinov in the source/contrib directory. Added
6244 warmup.cmd (and .sh): warm up the DNS cache with your MRU domains.
6247 - Implement draft-ietf-dnsop-rfc6598-rfc6303-01.
6248 - iana portlist updated.
6251 - Contrib windows scripts from Yuri Voinov added to src/contrib:
6252 create_unbound_ad_servers.cmd: enters anti-ad server lists.
6253 unbound_cache.cmd: saves and loads the cache.
6254 - Added unbound-control-setup.cmd from Yuri Voinov to the windows
6255 unbound distribution set. It requires openssl installed in %PATH%.
6258 - Change MAX_SENT_COUNT from 16 to 32 to resolve some cases easier.
6261 - More #567: remove : from output of stub and forward lists, this is
6264 29 April 2014: Wouter
6265 - iana portlist updated.
6266 - Add unbound-control flush_negative that flushed nxdomains, nodata,
6267 and errors from the cache. For dnssec-trigger and NetworkManager,
6268 fixes cases where network changes have localdata that was already
6269 negatively cached from the previous network.
6271 23 April 2014: Wouter
6272 - Patch from Jeremie Courreges-Anglas to use arc4random_uniform
6273 if available on the OS, it gets entropy from the OS.
6275 15 April 2014: Wouter
6276 - Fix compile with libevent2 on FreeBSD.
6278 11 April 2014: Wouter
6279 - Fix #502: explain that do-ip6 disable does not stop AAAA lookups,
6280 but it stops the use of the ipv6 transport layer for DNS traffic.
6281 - iana portlist updated.
6283 10 April 2014: Wouter
6284 - iana portlist updated.
6285 - Patch from Hannes Frederic Sowa for Linux 3.15 fragmentation
6286 option for DNS fragmentation defense.
6287 - Document that dump_requestlist only prints queries from thread 0.
6288 - unbound-control stats prints num.query.tcpout with number of TCP
6289 outgoing queries made in the previous statistics interval.
6290 - Fix #567: unbound lists if forward zone is secure or insecure with
6291 +i annotation in output of list_forwards, also for list_stubs
6292 (for NetworkManager integration.)
6293 - Fix #554: use unsigned long to print 64bit statistics counters on
6295 - Fix #558: failed prefetch lookup does not remove cached response
6296 but delays next prefetch (in lieu of caching a SERVFAIL).
6297 - Fix #545: improved logging, the ip address of the error is printed
6298 on the same log-line as the error.
6300 8 April 2014: Wouter
6301 - Fix #574: make test fails on Ubuntu 14.04. Disabled remote-control
6302 in testbound scripts.
6303 - iana portlist updated.
6305 7 April 2014: Wouter
6306 - C.ROOT-SERVERS.NET has an IPv6 address, and we updated the root
6307 hints (patch from Anand Buddhdev).
6308 - Fix #572: Fix unit test failure for systems with different
6311 28 March 2014: Wouter
6312 - Fix #569: do_tcp is do-tcp in unbound.conf man page.
6314 25 March 2014: Wouter
6315 - Patch from Stuart Henderson to build unbound-host man from .1.in.
6317 24 March 2014: Wouter
6318 - Fix print filename of encompassing config file on read failure.
6320 12 March 2014: Wouter
6322 - trunk has 1.4.23 in development.
6324 10 March 2014: Wouter
6325 - Fix bug#561: contrib/cacti plugin did not report SERVFAIL rcodes
6326 because of spelling. Patch from Chris Coates.
6328 27 February 2014: Wouter
6331 21 February 2014: Wouter
6332 - iana portlist updated.
6334 20 February 2014: Matthijs
6335 - Be lenient when a NSEC NameError response with RCODE=NXDOMAIN is
6336 received. This is okay according 4035, but not after revising
6337 existence in 4592. NSEC empty non-terminals exist and thus the
6338 RCODE should have been NOERROR. If this occurs, and the RRsets
6339 are secure, we set the RCODE to NOERROR and the security status
6340 of the response is also considered secure.
6342 14 February 2014: Wouter
6343 - Works on Minix (3.2.1).
6345 11 February 2014: Wouter
6346 - Fix parse of #553(NSD) string in sldns, quotes without spaces.
6348 7 February 2014: Wouter
6349 - iana portlist updated.
6350 - add body to ifstatement if locks disabled.
6351 - add TXT string"string" test case to unit test.
6352 - Fix #551: License change "Regents" to "Copyright holder", matching
6353 the BSD license on opensource.org.
6355 6 February 2014: Wouter
6356 - sldns has type HIP.
6357 - code documentation on the module interface.
6359 5 February 2014: Wouter
6360 - Fix sldns parse tests on osx.
6362 3 February 2014: Wouter
6363 - Detect libevent2 install automatically by configure.
6364 - Fixup link with lib/event2 subdir.
6365 - Fix parse in sldns of quoted parenthesized text strings.
6367 31 January 2014: Wouter
6368 - unit test for ldns wire to str and back with zones, root, nlnetlabs
6370 - Fix for hex to string in unknown, atma and nsap.
6371 - fixup nss compile (no ldns in it).
6372 - fixup warning in unitldns
6373 - fixup WKS and rdata type service to print unsigned because strings
6374 are not portable; they cannot be read (for sure) on other computers.
6375 - fixup type EUI48 and EUI64, type APL and type IPSECKEY in string
6378 30 January 2014: Wouter
6379 - delay-close does not act if there are udp-wait queries, so that
6380 it does not make a socketdrain DoS easier.
6382 28 January 2014: Wouter
6383 - iana portlist updated.
6384 - iana portlist test updated so it does not touch the source
6385 if there are no changes.
6386 - delay-close: msec option that delays closing ports for which
6387 the UDP reply has timed out. Keeps the port open, only accepts
6388 the correct reply. This correct reply is not used, but the port
6389 is open so that no port-denied ICMPs are generated.
6391 27 January 2014: Wouter
6392 - reuseport is attempted, then fallback to without on failure.
6394 24 January 2014: Wouter
6395 - Change unbound-event.h to use void* buffer, length idiom.
6396 - iana portlist updated.
6397 - unbound-event.h is installed if you configure --enable-event-api.
6398 - speed up unbound (reports say it could be up to 10%), by reducing
6399 lock contention on localzones.lock. It is changed to an rwlock.
6400 - so-reuseport: yesno option to distribute queries evenly over
6401 threads on Linux (Thanks Robert Edmonds).
6404 21 January 2014: Wouter
6405 - Fix #547: no trustanchor written if filesystem full, fclose checked.
6407 17 January 2014: Wouter
6408 - Fix isprint() portability in sldns, uses unsigned int.
6409 - iana portlist updated.
6411 16 January 2014: Wouter
6412 - fix #544: Fixed +i causes segfault when running with module conf
6414 - Windows port, adjust %lld to %I64d, and warning in win_event.c.
6416 14 January 2014: Wouter
6417 - iana portlist updated.
6420 - Fix bug in cachedump that uses sldns.
6421 - update pythonmod for ldns_ to sldns_ name change.
6424 - Fix sldns to use sldns_ prefix for all ldns_ variables.
6425 - Fix windows compile to compile with sldns.
6428 - Fix sldns to make globals use sldns_ prefix. This fixes
6429 linking with libldns that uses global variables ldns_ .
6432 - Fix bug#537: compile python plugin without ldns library.
6435 - Fix bug#536: acl_deny_non_local and refuse_non_local added.
6438 - Patch from Neel Goyal to fix async id assignment if callback
6439 is called by libunbound in the mesh attach.
6440 - Accept ip-address: as an alternative for interface: for
6441 consistency with nsd.conf syntax.
6444 - Patch from Neel Goyal to fix callback in libunbound.
6447 - if configured --with-libunbound-only fix make install.
6450 - Fix #531: Set SO_REUSEADDR so that the wildcard interface and a
6451 more specific interface port 53 can be used at the same time, and
6452 one of the daemons is unbound.
6453 - iana portlist update.
6454 - separate ldns into core ldns inside ldns/ subdirectory. No more
6455 --with-ldns is needed and unbound does not rely on libldns.
6456 - portability fixes for new USE_SLDNS ldns subdir codebase.
6459 - Patch from Neel Goyal: Add an API call to set an event base on an
6460 existing ub_ctx. This basically just destroys the current worker and
6461 sets the event base to the current. And fix a deadlock in
6462 ub_resolve_event – the cfglock is held when libworker_create is
6463 called. This ends up trying to acquire the lock again in
6464 context_obtain_alloc in the call chain.
6465 - Fix #528: if very high logging (4 or more) segfault on allow_snoop.
6468 - unbound-event.h is installed if configured --with-libevent. It
6469 contains low-level library calls, that use libevent's event_base
6470 and an ldns_buffer for the wire return packet to perform async
6471 resolution in the client's eventloop.
6474 - 1.4.21 tag created.
6475 - trunk has 1.4.22 number inside it.
6476 - iana portlist updated.
6477 - acx_nlnetlabs.m4 to 26; improve FLTO help text.
6480 - Fix#524: max-udp-size not effective to non-EDNS0 queries, from
6484 - MIN_TTL and MAX_TTL also in time_t.
6485 - tag 1.4.21rc1 made again.
6488 - More fixes for bug#519: for the threaded case test if the bg
6489 thread has been killed, on ub_ctx_delete, to avoid hangs.
6492 - more fixes that I overlooked.
6493 - review fixes from Willem.
6496 - Fix#520: Errors found by static analysis from Tomas Hozza(redhat).
6499 - Fix for 2038, with time_t instead of uint32_t.
6502 - Fix#519 ub_ctx_delete may hang in some scenarios (libunbound).
6505 - Fix uninit variable in fix#516.
6508 - Fix#516 dnssec lameness detection for answers that are improper.
6514 - Fix#512 memleak in testcode for testbound (if it fails).
6515 - Fix#512 NSS returned arrays out of setup function to be statics.
6518 - max include of 100.000 files (depth and globbed at one time).
6519 This is to preserve system memory in bug cases, or endless cases.
6520 - iana portlist updated.
6523 - streamtcp man page, contributed by Tomas Hozza.
6524 - iana portlist updated.
6525 - libunbound documentation on how to avoid openssl race conditions.
6528 - Squelch sendto-permission denied errors when the network is
6529 not connected, to avoid spamming syslog.
6530 - configure --disable-flto option (from Robert Edmonds).
6533 - Fix for const string literals in C++ for libunbound, from Karel
6535 - iana portlist updated.
6538 - Fixup manpage syntax.
6541 - get_option and set_option support for log-time-ascii, python-script
6542 val-sig-skew-min and val-sig-skew-max. log-time-ascii takes effect
6543 immediately. The others are mostly useful for libunbound users.
6546 - get_option, set_option, unbound-checkconf -o and libunbound
6547 getoption and setoption support cache-min-ttl and cache-max-ttl.
6550 - Fix#501: forward-first does not recurse, when forward name is ".".
6551 - iana portlist update.
6552 - Max include depth is unlimited.
6555 - Update acx_pthreads.m4 to ax_pthreads.4 (2013-03-29), and apply
6556 patch to it to not fail when -Werror is also specified, from the
6558 - iana portlist update.
6561 - Explain bogus and secure flags in libunbound more.
6564 - Fix#499 use-after-free in out-of-memory handling code (thanks Jake
6566 - Fix#500 use on non-initialised values on socket bind failures.
6569 - Fix round-robin doesn't work with some Windows clients (from Ilya
6573 - update acx_nlnetlabs.m4 to v23, sleep w32 fix.
6575 26 April 2013: Wouter
6576 - add unbound-control insecure_add and insecure_remove for the
6577 administration of negative trust anchors.
6579 25 April 2013: Wouter
6580 - Implement max-udp-size config option, default 4096 (thanks
6582 - Robust checks on dname validity from rdata for dname compare.
6583 - updated iana portlist.
6585 19 April 2013: Wouter
6586 - Fixup snprintf return value usage, fixed libunbound_get_option.
6588 18 April 2013: Wouter
6589 - fix bug #491: pick program name (0th argument) as syslog identity.
6590 - own implementation of compat/snprintf.c.
6592 15 April 2013: Wouter
6593 - Fix so that for a configuration line of include: "*.conf" it is not
6594 an error if there are no files matching the glob pattern.
6595 - unbound-anchor review: BIO_write can return 0 successfully if it
6596 has successfully appended a zero length string.
6598 11 April 2013: Wouter
6599 - Fix queries leaking up for stubs and forwards, if the configured
6600 nameservers all fail to answer.
6602 10 April 2013: Wouter
6603 - code improve for minimal responses, small speed increase.
6605 9 April 2013: Wouter
6606 - updated iana portlist.
6607 - Fix crash in previous private address fixup of 22 March.
6609 28 March 2013: Wouter
6610 - Make reverse zones easier by documenting the nodefault statements
6611 commented-out in the example config file.
6613 26 March 2013: Wouter
6614 - more fixes to lookup3.c endianness detection.
6616 25 March 2013: Wouter
6617 - #492: Fix endianness detection, revert to older lookup3.c detection
6618 and put new detect lines after previous tests, to avoid regressions
6619 but allow new detections to succeed.
6620 And add detection for machine/endian.h to it.
6622 22 March 2013: Wouter
6623 - Fix resolve of names that use a mix of public and private addresses.
6624 - iana portlist update.
6625 - Fix makedist for new svn for -d option.
6626 - unbound.h header file has UNBOUND_VERSION_MAJOR define.
6627 - Fix windows RSRC version for long version numbers.
6629 21 March 2013: Wouter
6632 - committed libunbound version 4:1:2 for binary API updated in 1.4.20
6633 - install copy of unbound-control.8 man page for unbound-control-setup
6635 14 March 2013: Wouter
6636 - iana portlist update.
6639 12 March 2013: Wouter
6640 - Fixup makedist.sh for windows compile.
6642 11 March 2013: Wouter
6643 - iana portlist update.
6644 - testcode/ldns-testpkts.c check for makedist is informational.
6646 15 February 2013: Wouter
6647 - fix defines in lookup3 for bigendian bsd alpha
6649 11 February 2013: Wouter
6650 - Fixup openssl_thread init code to only run if compiled with SSL.
6652 7 February 2013: Wouter
6653 - detect endianness in lookup3 on BSD.
6654 - add libunbound.ttl at end of result structure, version bump for
6655 libunbound and binary backwards compatible, but 1.4.19 is not
6656 forward compatible with 1.4.20.
6657 - update iana port list.
6659 30 January 2013: Wouter
6660 - includes and have_ssl fixes for nss.
6662 29 January 2013: Wouter
6663 - printout name of zone with duplicate fwd and hint errors.
6665 28 January 2013: Wouter
6666 - updated fwd_zero for newer nc. Updated common.sh for newer netstat.
6668 17 January 2013: Wouter
6669 - unbound-anchors checks the emailAddress of the signer of the
6670 root.xml file, default is dnssec@iana.org. It also checks that
6671 the signer has the correct key usage for a digital signature.
6672 - update iana port list.
6674 3 January 2013: Wouter
6675 - Test that unbound-control checks client credentials.
6676 - Test that unbound can handle a CNAME at an intermediate node in
6677 the chain of trust (where it seeks a DS record).
6678 - Check the commonName of the signer of the root.xml file in
6679 unbound-anchor, default is dnssec@iana.org.
6681 2 January 2013: Wouter
6682 - Fix openssl lock free on exit (reported by Robert Fleischman).
6683 - iana portlist updated.
6684 - Tested that unbound implements the RFC5155 Technical Errata id 3441.
6685 Unbound already implements insecure classification of an empty
6686 nonterminal in NSEC3 optout zone.
6688 20 December 2012: Wouter
6689 - Fix unbound-anchor xml parse of entity declarations for safety.
6691 19 December 2012: Wouter
6692 - iana portlist updated.
6694 18 December 2012: Wouter
6695 - iana portlist updated.
6697 14 December 2012: Wouter
6698 - Change of D.ROOT-SERVERS.NET A address in default root hints.
6700 12 December 2012: Wouter
6702 - trunk has 1.4.20 under development.
6704 5 December 2012: Wouter
6705 - note support for AAAA RR type RFC.
6707 4 December 2012: Wouter
6710 30 November 2012: Wouter
6711 - bug 481: fix python example0.
6712 - iana portlist updated.
6714 27 November 2012: Wouter
6715 - iana portlist updated.
6717 9 November 2012: Wouter
6718 - Fix unbound-control forward disables configured stubs below it.
6720 7 November 2012: Wouter
6721 - Fixup ldns-testpkts, identical to ldns/examples.
6722 - iana portlist updated.
6724 30 October 2012: Wouter
6725 - Fix bug #477: unbound-anchor segfaults if EDNS is blocked.
6727 29 October 2012: Matthijs
6728 - Fix validation for responses with both CNAME and wildcard
6729 expanded CNAME records in answer section.
6731 8 October 2012: Wouter
6732 - update ldns-testpkts.c to ldns 1.6.14 version.
6733 - fix build of pythonmod in objdir, for unbound.py.
6734 - make clean and makerealclean remove generated python and docs.
6736 5 October 2012: Wouter
6737 - fix build of pythonmod in objdir (thanks Jakob Schlyter).
6739 3 October 2012: Wouter
6740 - fix text in unbound-anchor man page.
6742 1 October 2012: Wouter
6743 - ignore trusted-keys globs that have no files (from Paul Wouters).
6745 27 September 2012: Wouter
6746 - include: directive in config file accepts wildcards. Patch from
6747 Paul Wouters. Suggested use: include: "/etc/unbound.d/conf.d/*"
6748 - unbound-control -q option is quiet, patch from Mariano Absatz.
6749 - iana portlist updated.
6750 - updated contrib/unbound.spec, patch from Valentin Bud.
6752 21 September 2012: Wouter
6753 - chdir to / after chroot call (suggested by Camiel Dobbelaar).
6755 17 September 2012: Wouter
6756 - patch_rsamd5_enable.diff: this patch enables RSAMD5 validation
6757 otherwise it is treated as insecure. The RSAMD5 algorithm is
6758 deprecated (RFC6725). The MD5 hash is considered weak for some
6759 purposes, if you want to sign your zone, then RSASHA256 is an
6762 30 August 2012: Wouter
6763 - RFC6725 deprecates RSAMD5: this DNSKEY algorithm is disabled.
6764 - iana portlist updated.
6766 29 August 2012: Wouter
6767 - Nicer comments outgoing-port-avoid, thanks Stu (bug #465).
6769 22 August 2012: Wouter
6770 - Fallback to 1472 and 1232, one fragment size without headers.
6772 21 August 2012: Wouter
6773 - Fix timeouts so that when a server has been offline for a while
6774 and is probed to see it works, it becomes fully available for
6775 server selection again.
6777 17 August 2012: Wouter
6778 - Add documentation to libunbound for default nonuse of resolv.conf.
6780 2 August 2012: Wouter
6781 - trunk has 1.4.19 under development (fixes from 1 aug and 31 july
6783 - iana portlist updated.
6785 1 August 2012: Wouter
6786 - Fix openssl race condition, initializes openssl locks, reported
6787 by Einar Lonn and Patrik Wallstrom.
6789 31 July 2012: Wouter
6790 - Improved forward-first and stub-first documentation.
6791 - Fix that enables modules to register twice for the same
6792 serviced_query, without race conditions or administration issues.
6793 This should not happen with the current codebase, but it is robust.
6794 - Fix forward-first option where it sets the RD flag wrongly.
6795 - added manpage links for libunbound calls (Thanks Paul Wouters).
6797 30 July 2012: Wouter
6798 - tag 1.4.18rc2 (became 1.4.18 release at 2 august 2012).
6800 27 July 2012: Wouter
6801 - unbound-host works with libNSS
6802 - fix bogus nodata cname chain not reported as bogus by validator,
6803 (Thanks Peter van Dijk).
6805 26 July 2012: Wouter
6806 - iana portlist updated.
6809 25 July 2012: Wouter
6810 - review fix for libnss, check hash prefix allocation size.
6812 23 July 2012: Wouter
6813 - fix missing break for GOST DS hash function.
6814 - implemented forward_first for the root.
6816 20 July 2012: Wouter
6817 - Fix bug#452 and another assertion failure in mesh.c, makes
6818 assertions in mesh.c resist duplicates. Fixes DS NS search to
6819 not generate duplicate sub queries.
6821 19 July 2012: Willem
6822 - Fix bug#454: Remove ACX_CHECK_COMPILER_FLAG from configure.ac,
6823 if CFLAGS is specified at configure time then '-g -O2' is not
6824 appended to CFLAGS, so that the user can override them.
6826 18 July 2012: Willem
6827 - Fix libunbound report of errors when in background mode.
6829 11 July 2012: Willem
6830 - updated iana ports list.
6833 - Add flush_bogus option for unbound-control
6836 - Fix validation of qtype DS queries that result in no data for
6837 non-optout NSEC3 zones.
6840 - compile libunbound with libnss on Suse, passes regression tests.
6843 - FIPS_mode openssl does not use arc4random but RAND_pseudo_bytes.
6846 - updated iana ports list.
6848 29 June 2012: Wouter
6849 - patch for unbound_munin_ script to handle arbitrary thread count by
6852 28 June 2012: Wouter
6853 - detect if openssl has FIPS_mode.
6854 - code review: return value of cache_store can be ignored for better
6855 performance in out of memory conditions.
6856 - fix edns-buffer-size and msg-buffer-size manpage documentation.
6857 - updated iana ports list.
6859 25 June 2012: Wouter
6860 - disable RSAMD5 if in FIPS mode (for openssl and for libnss).
6862 22 June 2012: Wouter
6863 - implement DS records, NSEC3 and ECDSA for compile with libnss.
6865 21 June 2012: Wouter
6866 - fix error handling of alloc failure during rrsig verification.
6867 - nss check for verification failure.
6868 - nss crypto works for RSA and DSA.
6870 20 June 2012: Wouter
6871 - work on --with-nss build option (for now, --with-libunbound-only).
6873 19 June 2012: Wouter
6874 - --with-libunbound-only build option, only builds the library and
6875 not the daemon and other tools.
6877 18 June 2012: Wouter
6880 15 June 2012: Wouter
6881 - implement log-time-ascii on windows.
6882 - The key-cache bad key ttl is now 60 seconds.
6883 - updated iana ports list.
6886 11 June 2012: Wouter
6887 - bug #452: fix crash on assert in mesh_state_attachment.
6890 - silence warning from swig-generated code (md set but not used in
6891 swig initmodule, due to ifdefs in swig-generated code).
6894 - Fix debian-bugs-658021: Please enable hardened build flags.
6897 - updated iana ports list.
6900 - tag for 1.4.17 release.
6901 - trunk is 1.4.18 in development.
6904 - Review comments, removed duplicate memset to zero in delegpt.
6907 - Updated doc/FEATURES with RFCs that are implemented but not listed.
6908 - Protect if statements in val_anchor for compile without locks.
6909 - tag for 1.4.17rc1.
6912 - fix configure ECDSA support in ldns detection for windows compile.
6913 - fix possible uninitialised variable in windows pipe implementation.
6916 - Fix alignment problem in util/random on sparc64/freebsd.
6919 - Fix for accept spinning reported by OpenBSD.
6920 - iana portlist updated.
6923 - Fix validation of nodata for DS query in NSEC zones, reported by
6926 13 April 2012: Wouter
6927 - ECDSA support (RFC 6605) by default. Use --disable-ecdsa for older
6930 10 April 2012: Wouter
6931 - Applied patch from Daisuke HIGASHI for rrset-roundrobin and
6932 minimal-responses features.
6933 - iana portlist updated.
6935 5 April 2012: Wouter
6936 - fix bug #443: --with-chroot-dir not honoured by configure.
6937 - fix bug #444: setusercontext was called too late (thanks Bjorn
6940 27 March 2012: Wouter
6941 - fix bug #442: Fix that Makefile depends on pythonmod headers
6942 even using --without-pythonmodule.
6944 22 March 2012: Wouter
6945 - contrib/validation-reporter follows rotated log file (patch from
6948 21 March 2012: Wouter
6949 - new approach to NS fetches for DS lookup that works with
6950 cornercases, and is more robust and considers forwarders.
6952 19 March 2012: Wouter
6953 - iana portlist updated.
6954 - fix to locate nameservers for DS lookup with NS fetches.
6956 16 March 2012: Wouter
6957 - Patch for access to full DNS packet data in unbound python module
6960 9 March 2012: Wouter
6961 - Applied line-buffer patch from Augie Schwer to validation.reporter.sh.
6963 2 March 2012: Wouter
6964 - flush_infra cleans timeouted servers from the cache too.
6965 - removed warning from --enable-ecdsa.
6967 1 March 2012: Wouter
6968 - forward-first option. Tries without forward if a query fails.
6969 Also stub-first option that is similar.
6971 28 February 2012: Wouter
6972 - Fix from code review, if EINPROGRESS not defined chain if statement
6975 27 February 2012: Wouter
6976 - Fix bug#434: on windows check registry for config file location
6977 for unbound-control.exe, and unbound-checkconf.exe.
6979 23 February 2012: Wouter
6980 - Fix to squelch 'network unreachable' errors from tcp connect in
6981 logs, high verbosity will show them.
6983 16 February 2012: Wouter
6984 - iter_hints is now thread-owned in module env, and thus threadsafe.
6985 - Fix prefetch and sticky NS, now the prefetch works. It picks
6986 nameservers that 'would be valid in the future', and if this makes
6987 the NS timeout, it updates that NS by asking delegation from the
6988 parent again. If child NS has longer TTL, that TTL does not get
6989 refreshed from the lookup to the child nameserver.
6991 15 February 2012: Wouter
6992 - Fix forward-zone memory, uses malloc and frees original root dp.
6993 - iter hints (stubs) uses malloc inside for more dynamicity.
6994 - unbound-control forward_add, forward_remove, stub_add, stub_remove
6995 can modify stubs and forwards for running unbound (on mobile computer)
6996 they can also add and remove domain-insecure for the zone.
6998 14 February 2012: Wouter
6999 - Fix sticky NS (ghost domain problem) if prefetch is yes.
7000 - iter forwards uses malloc inside for more dynamicity.
7002 13 February 2012: Wouter
7003 - RT#2955. Fix for cygwin compilation.
7004 - iana portlist updated.
7006 10 February 2012: Wouter
7007 - Slightly smaller critical region in one case in infra cache.
7008 - Fix timeouts to keep track of query type, A, AAAA and other, if
7009 another has caused timeout blacklist, different type can still probe.
7010 - unit test fix for nomem_cnametopos.rpl race condition.
7012 9 February 2012: Wouter
7013 - Fix AHX_BROKEN_MEMCMP for autoheader mess up of #undef in config.h.
7015 8 February 2012: Wouter
7016 - implement draft-ietf-dnsext-ecdsa-04; which is in IETF LC; This
7017 implementation is experimental at this time and not recommended
7018 for use on the public internet (the protocol numbers have not
7019 been assigned). Needs recent ldns with --enable-ecdsa.
7020 - fix memory leak in errorcase for DSA signatures.
7021 - iana portlist updated.
7022 - workaround for openssl 0.9.8 ecdsa sha2 and evp problem.
7024 3 February 2012: Wouter
7025 - fix for windows, rename() is not posix compliant on windows.
7027 2 February 2012: Wouter
7028 - 1.4.16 release tag.
7029 - svn trunk is 1.4.17 in development.
7030 - iana portlist updated.
7032 1 February 2012: Wouter
7033 - Fix validation failures (like: validation failure xx: no NSEC3
7034 closest encloser from yy for DS zz. while building chain of trust,
7035 because of a bug in the TTL-fix in 1.4.15, it picked the wrong rdata
7036 for an NSEC3. Now it does not change rdata, and fixes TTL.
7038 30 January 2012: Wouter
7039 - Fix version-number in libtool to be version-info so it produces
7040 libunbound.so.2 like it should.
7042 26 January 2012: Wouter
7043 - Tag 1.4.15 (same as 1.4.15rc1), for 1.4.15 release.
7044 - trunk 1.4.16; includes changes memset testcode, #424 openindiana,
7045 and keyfile write fixup.
7046 - applied patch to support outgoing-interface with ub_ctx_set_option.
7048 23 January 2012: Wouter
7049 - Fix memset in test code.
7051 20 January 2012: Wouter
7052 - Fix bug #424: compile on OpenIndiana OS with gcc 4.6.2.
7054 19 January 2012: Wouter
7055 - Fix to write key files completely to a temporary file, and if that
7056 succeeds, replace the real key file. So failures leave a useful file.
7058 18 January 2012: Wouter
7059 - tag 1.4.15rc1 created
7060 - updated libunbound/ubsyms.def and remade tag 1.4.15rc1.
7062 17 January 2012: Wouter
7063 - Fix bug where canonical_compare of RRSIG did not downcase the
7064 signer-name. This is mostly harmless because RRSIGs do not have
7065 to be sorted in canonical order, usually.
7067 12 January 2012: Wouter
7068 - bug#428: add ub_version() call to libunbound. API version increase,
7069 with (binary) backwards compatibility for the previous version.
7071 10 January 2012: Wouter
7072 - Fix bug #425: unbound reports wrong TTL in reply, it reports a TTL
7073 that would be permissible by the RFCs but it is not the TTL in the
7075 - iana portlist updated.
7076 - uninitialised variable in reprobe for rtt blocked domains fixed.
7077 - lintfix and new flex output.
7079 2 January 2012: Wouter
7080 - Fix to randomize hash function, based on 28c3 congress, reported
7083 24 December 2011: Wouter
7084 - Fix for memory leak (about 20 bytes when a tcp or udp send operation
7085 towards authority servers failed, takes about 50.000 such failures to
7086 leak one Mb, such failures are also usually logged), reported by
7088 - iana portlist updated.
7090 19 December 2011: Wouter
7091 - Fix for VU#209659 CVE-2011-4528: Unbound denial of service
7092 vulnerabilities from nonstandard redirection and denial of existence
7093 http://www.unbound.net/downloads/CVE-2011-4528.txt
7094 - robust checks for next-closer NSEC3s.
7095 - tag 1.4.14 created.
7096 - trunk has 1.4.15 in development.
7098 15 December 2011: Wouter
7099 - remove uninit warning from cachedump code.
7100 - Fix parse error on negative SOA RRSIGs if badly ordered in the packet.
7102 13 December 2011: Wouter
7103 - iana portlist updated.
7105 - fix infra cache comparison.
7106 - Fix to constrain signer_name to be a parent of the lookupname.
7108 5 December 2011: Wouter
7109 - Fix getaddrinfowithincludes on windows with fedora16 mingw32-gcc.
7110 - Fix warnings with gcc 4.6 in compat/inet_ntop.c.
7111 - Fix warning unused in compat/strptime.c.
7112 - Fix malloc detection and double definition.
7114 2 December 2011: Wouter
7115 - configure generated with autoconf 2.68.
7117 30 November 2011: Wouter
7118 - Fix for tcp-upstream and ssl-upstream for if a laptop sleeps, causes
7119 SERVFAILs. Also fixed for UDP (but less likely).
7121 28 November 2011: Wouter
7122 - Fix quartile time estimate, it was too low, (thanks Jan Komissar).
7123 - iana ports updated.
7125 11 November 2011: Wouter
7126 - Makefile compat with SunOS make, BSD make and GNU make.
7127 - iana ports updated.
7129 10 November 2011: Wouter
7130 - Makefile changed for BSD make compatibility.
7132 9 November 2011: Wouter
7133 - added unit test for SSL service and SSL-upstream.
7135 8 November 2011: Wouter
7136 - can configure ssl service to one port number, and not on others.
7137 - fixup windows compile with ssl support.
7138 - Fix double free in unbound-host, reported by Steve Grubb.
7139 - iana portlist updated.
7141 1 November 2011: Wouter
7142 - dns over ssl support as a client, ssl-upstream yes turns it on.
7143 It performs an SSL transaction for every DNS query (250 msec).
7144 - documentation for new options: ssl-upstream, ssl-service-key and
7146 - iana portlist updated.
7147 - fix -flto detection on Lion for llvm-gcc.
7149 31 October 2011: Wouter
7150 - dns over ssl support, ssl-service-pem and ssl-service-key files
7151 can be given and then TCP queries are serviced wrapped in SSL.
7153 27 October 2011: Wouter
7154 - lame-ttl and lame-size options no longer exist, it is integrated
7155 with the host info. They are ignored (with verbose warning) if
7156 encountered to keep the config file backwards compatible.
7157 - fix iana-update for changing gzip compression of results.
7158 - fix export-all-symbols on OSX.
7160 26 October 2011: Wouter
7161 - iana portlist updated.
7162 - Infra cache stores information about ping and lameness per IP, zone.
7163 This fixes bug #416.
7164 - fix iana_update target for gzipped file on iana site.
7166 24 October 2011: Wouter
7167 - Fix resolve of partners.extranet.microsoft.com with a fix for the
7168 server selection for choosing out of a (particular) list of bad
7170 - Fix make_new_space function so that the incoming query is not
7171 overwritten if a jostled out query causes a waiting query to be
7172 resumed that then fails and sends an error message. (Thanks to
7175 21 October 2011: Wouter
7176 - fix --enable-allsymbols, fptr wlist is disabled on windows with this
7177 option enabled because of memory layout exe vs dll.
7179 19 October 2011: Wouter
7180 - fix unbound-anchor for broken strptime on OSX lion, detected
7182 - Detect if GOST really works, openssl1.0 on OSX fails.
7183 - Implement ipv6%interface notation for scope_id usage.
7185 17 October 2011: Wouter
7186 - better documentation for inform_super (Thanks Yang Zhe).
7188 14 October 2011: Wouter
7189 - Fix for out-of-memory condition in libunbound (thanks
7192 13 October 2011: Wouter
7193 - Fix --enable-allsymbols, it depended on link specifics of the
7194 target platform, or fptr_wlist assertion failures could occur.
7196 12 October 2011: Wouter
7197 - updated contrib/unbound_munin_ to family=auto so that it works with
7198 munin-node-configure automatically (if installed as
7199 /usr/local/share/munin/plugins/unbound_munin_ ).
7201 27 September 2011: Wouter
7202 - unbound.exe -w windows option for start and stop service.
7204 23 September 2011: Wouter
7205 - TCP-upstream calculates tcp-ping so server selection works if there
7208 20 September 2011: Wouter
7209 - Fix classification of NS set in answer section, where there is a
7210 parent-child server, and the answer has the AA flag for dir.slb.com.
7211 Thanks to Amanda Constant from Secure64.
7213 16 September 2011: Wouter
7214 - fix bug #408: accept patch from Steve Snyder that comments out
7215 unused functions in lookup3.c.
7216 - iana portlist updated.
7217 - fix EDNS1480 change memleak and TCP fallback.
7218 - fix various compiler warnings (reported by Paul Wouters).
7219 - max sent count. EDNS1480 only for rtt < 5000. No promiscuous
7220 fetch if sentcount > 3, stop query if sentcount > 16. Count is
7221 reset when referral or CNAME happens. This makes unbound better
7222 at managing large NS sets, they are explored when there is continued
7223 interest (in the form of queries).
7225 15 September 2011: Wouter
7227 - trunk contains 1.4.14 in development.
7228 - Unbound probes at EDNS1480 if there an EDNS0 timeout.
7230 12 September 2011: Wouter
7231 - Reverted dns EDNS backoff fix, it did not help and needs
7232 fragmentation fixes instead.
7235 7 September 2011: Wouter
7236 - Fix operation in ipv6 only (do-ip4: no) mode.
7238 6 September 2011: Wouter
7239 - fedora specfile updated.
7241 5 September 2011: Wouter
7244 2 September 2011: Wouter
7245 - iana portlist updated.
7247 26 August 2011: Wouter
7248 - Fix num-threads 0 does not segfault, reported by Simon Deziel.
7249 - Fix validation failures due to EDNS backoff retries, the retry
7250 for fetch of data has want_dnssec because the iter_indicate_dnssec
7251 function returns true when validation failure retry happens, and
7252 then the serviced query code does not fallback to noEDNS, even if
7253 the cache says it has this. This helps for DLV deployment when
7254 the DNSSEC status is not known for sure before the lookup concludes.
7256 24 August 2011: Wouter
7257 - Applied patch from Karel Slany that fixes a memory leak in the
7258 unbound python module, in string conversions.
7260 22 August 2011: Wouter
7261 - Fix validation of qtype ANY responses with CNAMEs (thanks Cathy
7262 Zhang and Luo Ce). Unbound responds with the RR types that are
7263 available at the name for qtype ANY and validates those RR types.
7264 It does not test for completeness (i.e. with NSEC or NSEC3 query),
7265 and it does not follow the CNAME or DNAME to another name (with
7266 even more data for the already large response).
7267 - Fix that internally, CNAMEs with NXDOMAIN have that as rcode.
7268 - Documented the options that work with control set_option command.
7269 - tcp-upstream yes/no option (works with set_option) for tunnels.
7271 18 August 2011: Wouter
7272 - fix autoconf call in makedist crosscompile to RC or snapshot.
7274 17 August 2011: Wouter
7275 - Fix validation of . DS query.
7276 - new xml format at IANA, new awk for iana_update.
7277 - iana portlist updated.
7279 10 August 2011: Wouter
7280 - Fix python site-packages path to /usr/lib64.
7281 - updated patch from Tom.
7282 - fix memory and fd leak after out-of-memory condition.
7284 9 August 2011: Wouter
7285 - patch from Tom Hendrikx fixes load of python modules.
7287 8 August 2011: Wouter
7288 - make clean had ldns-src reference, removed.
7290 1 August 2011: Wouter
7291 - Fix autoconf 2.68 warnings
7293 14 July 2011: Wouter
7294 - Unbound implements RFC6303 (since version 1.4.7).
7295 - tag 1.4.12rc1 is released as 1.4.12 (without the other fixes in the
7296 meantime, those are for 1.4.13).
7297 - iana portlist updated.
7299 13 July 2011: Wouter
7300 - Quick fix for contrib/unbound.spec example, no ldns-builtin any more.
7302 11 July 2011: Wouter
7303 - Fix wildcard expansion no-data reply under an optout NSEC3 zone is
7304 validated as insecure, reported by Jia Li (lijia@cnnic.cn).
7307 - 1.4.12rc1 tag created.
7310 - version number in example config file.
7311 - fix that --enable-static-exe does not complain about it unknown.
7313 30 June 2011: Wouter
7314 - tag relase 1.4.11, trunk is 1.4.12 development.
7315 - iana portlist updated.
7316 - fix bug#395: id bits of other query may leak out under conditions
7317 - fix replyaddr count wrong after jostled queries, which leads to
7318 eventual starvation where the daemon has no replyaddrs left to use.
7319 - fix comment about rndc port, that referred to the old port number.
7320 - fix that the listening socket is not closed when too many remote
7321 control connections are made at the same time.
7322 - removed ldns-src tarball inside the unbound tarball.
7324 23 June 2011: Wouter
7325 - Changed -flto check to support clang compiler.
7326 - tag 1.4.11rc3 created.
7328 17 June 2011: Wouter
7329 - tag 1.4.11rc1 created.
7330 - remove warning about signed/unsigned from flex (other flex version).
7331 - updated aclocal.m4 and libtool to match.
7332 - tag 1.4.11rc2 created.
7334 16 June 2011: Wouter
7335 - log-queries: yesno option, default is no, prints querylog.
7336 - version is 1.4.11.
7338 14 June 2011: Wouter
7339 - Use -flto compiler flag for link time optimization, if supported.
7340 - iana portlist updated.
7342 12 June 2011: Wouter
7343 - IPv6 service address for d.root-servers.net (2001:500:2D::D).
7345 10 June 2011: Wouter
7346 - unbound-control has version number in the header,
7347 UBCT[version]_space_ is the header sent by the client now.
7348 - Unbound control port number is registered with IANA:
7349 ub-dns-control 8953/tcp unbound dns nameserver control
7350 This is the new default for the control-port config setting.
7351 - statistics-interval prints the number of jostled queries to log.
7354 - Fix Makefile for U in environment, since wrong U is more common than
7355 deansification necessity.
7356 - iana portlist updated.
7357 - updated ldns tarball to 1.6.10rc2 snapshot of today.
7360 - Fix assertion failure when unbound generates an empty error reply
7361 in response to a query, CVE-2011-1922 VU#531342.
7362 - This fix is in tag 1.4.10.
7363 - defense in depth against the above bug, an error is printed to log
7364 instead of an assertion failure.
7367 - bug#386: --enable-allsymbols option links all binaries to libunbound
7368 and reduces install size significantly.
7369 - feature, ignore-cd-flag: yesno to provide dnssec to legacy servers.
7370 - iana portlist updated.
7371 - Fix TTL of SOA so negative TTL is separately cached from normal TTL.
7373 14 April 2011: Wouter
7374 - configure created with newer autoconf 2.66.
7376 12 April 2011: Wouter
7377 - bug#378: Fix that configure checks for ldns_get_random presence.
7379 8 April 2011: Wouter
7380 - iana portlist updated.
7381 - queries with CD flag set cause DNSSEC validation, but the answer is
7382 not withheld if it is bogus. Thus, unbound will retry if it is bad
7383 and curb the TTL if it is bad, thus protecting the cache for use by
7384 downstream validators.
7385 - val-override-date: -1 ignores dates entirely, for NTP usage.
7387 29 March 2011: Wouter
7388 - harden-below-nxdomain: changed so that it activates when the
7389 cached nxdomain is dnssec secure. This avoids backwards
7390 incompatibility because those old servers do not have dnssec.
7392 24 March 2011: Wouter
7393 - iana portlist updated.
7397 17 March 2011: Wouter
7398 - bug#370: new unbound.spec for CentOS 5.x from Harold Jones.
7399 Applied but did not do the --disable-gost.
7401 10 March 2011: Wouter
7402 - tag 1.4.9 release candidate 1 created.
7404 3 March 2011: Wouter
7405 - updated ldns to today.
7407 1 March 2011: Wouter
7408 - Fix no ADflag for NXDOMAIN in NSEC3 optout. And wildcard in optout.
7409 - give config parse error for multiple names on a stub or forward zone.
7410 - updated ldns tarball to 1.6.9(todays snapshot).
7412 24 February 2011: Wouter
7413 - bug #361: Fix, time.elapsed variable not reset with stats_noreset.
7415 23 February 2011: Wouter
7416 - iana portlist updated.
7417 - common.sh to version 3.
7419 18 February 2011: Wouter
7420 - common.sh in testdata updated to version 2.
7422 15 February 2011: Wouter
7423 - Added explicit note on unbound-anchor usage:
7424 Please note usage of unbound-anchor root anchor is at your own risk
7425 and under the terms of our LICENSE (see that file in the source).
7427 11 February 2011: Wouter
7428 - iana portlist updated.
7429 - tpkg updated with common.sh for common functionality.
7431 7 February 2011: Wouter
7432 - Added regression test for addition of a .net DS to the root, and
7433 cache effects with different TTL for glue and DNSKEY.
7434 - iana portlist updated.
7436 28 January 2011: Wouter
7437 - Fix remove private address does not throw away entire response.
7439 24 January 2011: Wouter
7442 19 January 2011: Wouter
7443 - fix bug#349: no -L/usr for ldns.
7445 18 January 2011: Wouter
7446 - ldns 1.6.8 tarball included.
7449 17 January 2011: Wouter
7450 - add get and set option for harden-below-nxdomain feature.
7451 - iana portlist updated.
7453 14 January 2011: Wouter
7454 - Fix so a changed NS RRset does not get moved name stuck on old
7455 server, for type NS the TTL is not increased.
7457 13 January 2011: Wouter
7458 - Fix prefetch so it does not get stuck on old server for moved names.
7460 12 January 2011: Wouter
7461 - iana portlist updated.
7463 11 January 2011: Wouter
7464 - Fix insecure CNAME sequence marked as secure, reported by Bert
7467 10 January 2011: Wouter
7468 - faster lruhash get_mem routine.
7470 4 January 2011: Wouter
7471 - bug#346: remove ITAR scripts from contrib, the service is discontinued, use the root.
7472 - iana portlist updated.
7474 23 December 2010: Wouter
7475 - Fix in infra cache that could cause rto larger than TOP_TIMEOUT kept.
7477 21 December 2010: Wouter
7478 - algorithm compromise protection using the algorithms signalled in
7479 the DS record. Also, trust anchors, DLV, and RFC5011 receive this,
7480 and thus, if you have multiple algorithms in your trust-anchor-file
7481 then it will now behave different than before. Also, 5011 rollover
7482 for algorithms needs to be double-signature until the old algorithm
7484 It is not an option, because I see no use to turn the security off.
7485 - iana portlist updated.
7487 17 December 2010: Wouter
7488 - squelch 'tcp connect: bla' in logfile, (set verbosity 2 to see them).
7489 - fix validation in this case: CNAME to nodata for co-hosted opt-in
7490 NSEC3 insecure delegation, was bogus, fixed to be insecure.
7492 16 December 2010: Wouter
7493 - Fix our 'BDS' license (typo reported by Xavier Belanger).
7495 10 December 2010: Wouter
7496 - iana portlist updated.
7497 - review changes for unbound-anchor.
7499 2 December 2010: Wouter
7500 - feature typetransparent localzone, does not block other RR types.
7502 1 December 2010: Wouter
7503 - Fix bug#338: print address when socket creation fails.
7505 30 November 2010: Wouter
7506 - Fix storage of EDNS failures in the infra cache.
7507 - iana portlist updated.
7509 18 November 2010: Wouter
7510 - harden-below-nxdomain option, default off (because very old
7511 software may be incompatible). We could enable it by default in
7514 17 November 2010: Wouter
7515 - implement draft-vixie-dnsext-resimprove-00, we stop on NXDOMAIN.
7516 - make test output nicer.
7518 15 November 2010: Wouter
7519 - silence 'tcp connect: broken pipe' and 'net down' at low verbosity.
7520 - iana portlist updated.
7521 - so-sndbuf option for very busy servers, a bit like so-rcvbuf.
7523 9 November 2010: Wouter
7524 - unbound-anchor compiles with openssl 0.9.7.
7526 8 November 2010: Wouter
7527 - release tag 1.4.7.
7528 - trunk is version 1.4.8.
7529 - Be lenient and accept imgw.pl malformed packet (like BIND).
7531 5 November 2010: Wouter
7532 - do not synthesize a CNAME message from cache for qtype DS.
7534 4 November 2010: Wouter
7535 - Use central entropy to seed threads.
7537 3 November 2010: Wouter
7538 - Change the rtt used to probe EDNS-timeout hosts to 1000 msec.
7540 2 November 2010: Wouter
7544 1 November 2010: Wouter
7545 - GOST code enabled by default (RFC 5933).
7547 27 October 2010: Wouter
7548 - Fix uninit value in dump_infra print.
7549 - Fix validation failure for parent and child on same server with an
7550 insecure childzone and a CNAME from parent to child.
7551 - Configure detects libev-4.00.
7553 26 October 2010: Wouter
7554 - dump_infra and flush_infra commands for unbound-control.
7555 - no timeout backoff if meanwhile a query succeeded.
7556 - Change of timeout code. No more lost and backoff in blockage.
7557 At 12sec timeout (and at least 2x lost before) one probe per IP
7558 is allowed only. At 120sec, the IP is blocked. After 15min, a
7559 120sec entry has a single retry packet.
7561 25 October 2010: Wouter
7562 - Configure errors if ldns is not found.
7564 22 October 2010: Wouter
7565 - Windows 7 fix for the installer.
7567 21 October 2010: Wouter
7568 - Fix bug where fallback_tcp causes wrong roundtrip and edns
7569 observation to be noted in cache. Fix bug where EDNSprobe halted
7570 exponential backoff if EDNS status unknown.
7571 - new unresponsive host method, exponentially increasing block backoff.
7572 - iana portlist updated.
7574 20 October 2010: Wouter
7575 - interface automatic works for some people with ip6 disabled.
7576 Therefore the error check is removed, so they can use the option.
7578 19 October 2010: Wouter
7579 - Fix for request list growth, if a server has long timeout but the
7580 lost counter is low, then its effective rtt is the one without
7581 exponential backoff applied. Because the backoff is not working.
7582 The lost counter can then increase and the server is blacklisted,
7583 or the lost counter does not increase and the server is working
7586 18 October 2010: Wouter
7587 - iana portlist updated.
7589 13 October 2010: Wouter
7590 - Fix TCP so it uses a random outgoing-interface.
7591 - unbound-anchor handles ADDPEND keystate.
7593 11 October 2010: Wouter
7594 - Fix bug when DLV below a trust-anchor that uses NSEC3 optout where
7595 the zone has a secure delegation hosted on the same server did not
7596 verify as secure (it was insecure by mistake).
7597 - iana portlist updated.
7598 - ldns tarball updated (for reading cachedumps with bad RR data).
7600 1 October 2010: Wouter
7601 - test for unbound-anchor. fix for reading certs.
7602 - Fix alloc_reg_release for longer uptime in out of memory conditions.
7604 28 September 2010: Wouter
7605 - unbound-anchor working, it creates or updates a root.key file.
7606 Use it before you start the validator (e.g. at system boot time).
7608 27 September 2010: Wouter
7609 - iana portlist updated.
7611 24 September 2010: Wouter
7612 - bug#329: in example.conf show correct ipv4 link-local 169.254/16.
7614 23 September 2010: Wouter
7615 - unbound-anchor app, unbound requires libexpat (xml parser library).
7617 22 September 2010: Wouter
7618 - compliance with draft-ietf-dnsop-default-local-zones-14, removed
7619 reverse ipv6 orchid prefix from builtin list.
7620 - iana portlist updated.
7622 17 September 2010: Wouter
7623 - DLV has downgrade protection again, because the RFC says so.
7624 - iana portlist updated.
7626 16 September 2010: Wouter
7627 - Algorithm rollover operational reality intrudes, for trust-anchor,
7628 5011-store, and DLV-anchor if one key matches it's good enough.
7629 - iana portlist updated.
7630 - Fix reported validation error in out of memory condition.
7632 15 September 2010: Wouter
7633 - Abide RFC5155 section 9.2: no AD flag for replies with NSEC3 optout.
7635 14 September 2010: Wouter
7636 - increased mesh-max-activation from 1000 to 3000 for crazy domains
7637 like _tcp.slb.com with 262 servers.
7638 - iana portlist updated.
7640 13 September 2010: Wouter
7641 - bug#327: Fix for cannot access stub zones until the root is primed.
7643 9 September 2010: Wouter
7644 - unresponsive servers are not completely blacklisted (because of
7645 firewalls), but also not probed all the time (because of the request
7646 list size it generates). The probe rate is 1%.
7647 - iana portlist updated.
7649 20 August 2010: Wouter
7650 - openbsd-lint fixes: acl_list_get_mem used if debug-alloc enabled.
7651 iterator get_mem includes priv_get_mem. delegpt nodup removed.
7652 listen_pushback, query_info_allocqname, write_socket, send_packet,
7653 comm_point_set_cb_arg and listen_resume removed.
7655 19 August 2010: Wouter
7656 - Fix bug#321: resolution of rs.ripe.net artifacts with 0x20.
7657 Delegpt structures checked for duplicates always.
7658 No more nameserver lookups generated when depth is full anyway.
7659 - example.conf notes how to do DNSSEC validation and track the root.
7660 - iana portlist updated.
7662 18 August 2010: Wouter
7663 - Fix bug#322: configure does not respect CFLAGS on Solaris.
7664 Pass CFLAGS="-xO4 -xtarget=generic" on the configure command line
7665 if use sun-cc, but some systems need different flags.
7667 16 August 2010: Wouter
7668 - Fix acx_nlnetlabs.m4 configure output for autoconf-2.66 AS_TR_CPP
7669 changes, uses m4_bpatsubst now.
7670 - make test (or make check) should be more portable and run the unit
7671 test and testbound scripts. (make longtest has special requirements).
7673 13 August 2010: Wouter
7674 - More pleasant remote control command parsing.
7675 - documentation added for return values reported by doxygen 1.7.1.
7676 - iana portlist updated.
7678 9 August 2010: Wouter
7679 - Fix name of rrset printed that failed validation.
7681 5 August 2010: Wouter
7682 - Return NXDOMAIN after chain of CNAMEs ends at name-not-found.
7684 4 August 2010: Wouter
7685 - Fix validation in case a trust anchor enters into a zone with
7686 unsupported algorithms.
7688 3 August 2010: Wouter
7689 - updated ldns tarball with bugfixes.
7690 - release tag 1.4.6.
7691 - trunk becomes 1.4.7 develop.
7692 - iana portlist updated.
7694 22 July 2010: Wouter
7695 - more error details on failed remote control connection.
7697 15 July 2010: Wouter
7698 - rlimit adjustments for select and ulimit can happen at the same time.
7700 14 July 2010: Wouter
7701 - Donation text added to README.
7702 - Fix integer underflow in prefetch ttl creation from cache. This
7703 fixes a potential negative prefetch ttl.
7705 12 July 2010: Wouter
7706 - Changed the defaults for num-queries-per-thread/outgoing-range.
7707 For builtin-select: 512/960, for libevent 1024/4096 and for
7708 windows 24/48 (because of win api). This makes the ratio this way
7709 to improve resilience under heavy load. For high performance, use
7710 libevent and possibly higher numbers.
7712 10 July 2010: Wouter
7713 - GOST enabled if SSL is recent and ldns has GOST enabled too.
7714 - ldns tarball updated.
7717 - iana portlist updated.
7718 - Fix validation of qtype DNSKEY when a key-cache entry exists but
7719 no rr-cache entry is used (it expired or prefetch), it then goes
7720 back up to the DS or trust-anchor to validate the DNSKEY.
7723 - Neat function prototypes, unshadowed local declarations.
7726 - failure to chown the pidfile is not fatal any more.
7727 - testbound uses UTC timezone.
7728 - ldns tarball updated (ports and works on Minix 3.1.7). On Minix, add
7729 /usr/gnu/bin to PATH, use ./configure AR=/usr/gnu/bin/gar and gmake.
7732 - log if a server is skipped because it is on the donotquery list,
7733 at verbosity 4, to enable diagnosis why no queries to 127.0.0.1.
7734 - added feature to print configure date, target and options with -h.
7735 - added feature to print event backend system details with -h.
7736 - wdiff is not actually required by make test, updated requirements.
7739 - Fix RFC4035 compliance with 2.2 statement that the DNSKEY at apex
7740 must be signed with all algorithms from the DS rrset at the parent.
7741 This is now checked and becomes bogus if not.
7743 28 June 2010: Wouter
7744 - Fix jostle list bug found by Vince (luoce@cnnic), it caused the qps
7745 in overload situations to be about 5 qps for the class of shortly
7747 The capacity of the resolver is then about (numqueriesperthread / 2)
7748 / (average time for such long queries) qps for long queries.
7749 And about (numqueriesperthread / 2)/(jostletimeout in whole seconds)
7750 qps for short queries, per thread.
7751 - Fix the max number of reply-address count to be applied for duplicate
7752 queries, and not for new query list entries. This raises the memory
7753 usage to a max of (16+1)*numqueriesperthread reply addresses.
7755 25 June 2010: Wouter
7756 - Fix handling of corner case reply from lame server, follows rfc2308.
7757 It could lead to a nodata reply getting into the cache if the search
7758 for a non-lame server turned up other misconfigured servers.
7759 - unbound.h has extern "C" statement for easier include in c++.
7761 23 June 2010: Wouter
7762 - iana portlist updated.
7763 - makedist upgraded cross compile openssl option, like this:
7764 ./makedist.sh -s -wssl openssl-1.0.0a.tar.gz -w --enable-gost
7766 22 June 2010: Wouter
7767 - Unbound reports libev or libevent correctly in logs in verbose mode.
7768 - Fix to unload gost dynamic library module for leak testing.
7770 18 June 2010: Wouter
7771 - iana portlist updated.
7773 17 June 2010: Wouter
7774 - Add AAAA to root hints for I.ROOT-SERVERS.NET.
7776 16 June 2010: Wouter
7777 - Fix assertion failure reported by Kai Storbeck from XS4ALL, the
7778 assertion was wrong.
7779 - updated ldns tarball.
7781 15 June 2010: Wouter
7782 - tag 1.4.5 created.
7783 - trunk contains 1.4.6 in development.
7784 - Fix TCPreply on systems with no writev, if just 1 byte could be sent.
7785 - Fix to use one pointer less for iterator query state store_parent_NS.
7786 - makedist crosscompile to windows uses builtin ldns not host ldns.
7787 - Max referral count from 30 to 130, because 128 one character domains
7789 - added documentation for the histogram printout to syslog.
7791 11 June 2010: Wouter
7792 - When retry to parent the retrycount is not wiped, so failed
7793 nameservers are not tried again.
7794 - iana portlist updated.
7796 10 June 2010: Wouter
7797 - Fix bug where a long loop could be entered, now cycle detection
7798 has a loop-counter and maximum search amount.
7801 - iana portlist updated.
7802 - 1.4.5rc1 tag created.
7805 - ldns tarball updated, 1.6.5.
7806 - review comments, split dependency cycle tracking for parentside
7807 last resort lookups for A and AAAA so there are more lookup options.
7810 - Fix compile warning if compiled without threads.
7811 - updated ldns-tarball with current ldns svn (pre 1.6.5).
7812 - GOST disabled-by-default, the algorithm number is allocated but the
7813 RFC is still has to pass AUTH48 at the IETF.
7816 - Ignore Z flag in incoming messages too.
7817 - Fix storage of negative parent glue if that last resort fails.
7818 - libtoolize 2.2.6b, autoconf 2.65 applied to configure.
7819 - new splint flags for newer splint install.
7822 - Fix AD flag handling, it could in some cases mistakenly copy the AD
7823 flag from upstream servers.
7824 - alloc_special_obtain out of memory is not a fatal error any more,
7825 enabling unbound to continue longer in out of memory conditions.
7826 - parentside names are dispreferred but not said to be dnssec-lame.
7827 - parentside check for cached newname glue.
7828 - fix parentside and querytargets modulestate, for dump_requestlist.
7829 - unbound-control-setup makes keys -rw-r--- so not all users permitted.
7830 - fix parentside from cache to be marked dispreferred for bad names.
7833 - iana portlist updated.
7834 - parent-child disagreement approach altered. Older fixes are
7835 removed in place of a more exhaustive search for misconfigured data
7836 available via the parent of a delegation.
7837 This is designed to be throttled by cache entries, with TTL from the
7838 parent if possible. Additionally the loop-counter is used.
7839 It also tests for NS RRset differences between parent and child.
7840 The fetch of misconfigured data should be more reliable and thorough.
7841 It should work reliably even with no or only partial data in cache.
7842 Data received from the child (as always) is deemed more
7843 authoritative than information received from the delegation parent.
7844 The search for misconfigured data is not performed normally.
7847 - Contribution from Migiel de Vos (Surfnet): nagios patch for
7848 unbound-host, in contrib/ (in the source tarball). Makes
7849 unbound-host suitable for monitoring dnssec(-chain) status.
7852 - EDNS timeout code will not fire if EDNS status already known.
7853 - EDNS failure not stored if EDNS status known to work.
7856 - Fix resolution for domains like safesvc.com.cn. If the iterator
7857 can not recurse further and it finds the delegation in a state
7858 where it would otherwise have rejected it outhand if so received
7859 from a cache lookup, then it can try to ask higherup (with loop
7861 - Fix comments in iter_utils:dp_is_useless.
7864 - Fix various compiler warnings from the clang llvm compiler.
7865 - iana portlist updated.
7868 - Fix bug#308: spelling error in variable name in parser and lexer.
7871 - Fix dnssec-missing detection that was turned off by server selection.
7872 - Conforms to draft-ietf-dnsop-default-local-zones-13. Added default
7873 reverse lookup blocks for IPv4 test nets 100.51.198.in-addr.arpa,
7874 113.0.203.in-addr.arpa and Orchid prefix 0.1.1.0.0.2.ip6.arpa.
7876 29 April 2010: Wouter
7877 - Fix for dnssec lameness detection to use the key cache.
7878 - infra cache entries that are expired are wiped clean. Previously
7879 it was possible to not expire host data (if accessed often).
7881 28 April 2010: Wouter
7882 - ldns tarball updated and GOST support is detected and then enabled.
7883 - iana portlist updated.
7884 - Fix detection of gost support in ldns (reported by Chris Smith).
7886 27 April 2010: Wouter
7887 - unbound-control get_option domain-insecure shows config file items.
7888 - fix retry sequence if prime hints are recursion-lame.
7889 - autotrust anchor file can be initialized with a ZSK key as well.
7890 - harden-referral-path does not result in failures due to max-depth.
7891 You can increase the max-depth by adding numbers (' 0') after the
7892 target-fetch-policy, this increases the depth to which is checked.
7894 26 April 2010: Wouter
7895 - Compile fix using Sun Studio 12 compiler on Solaris 5.9, use
7896 CPPFLAGS during configure process.
7897 - if libev is installed on the base system (not libevent), detect
7898 it from the event.h header file and link with -lev.
7899 - configlexer.lex gets config.h, and configyyrename.h added by make,
7900 no more double include.
7901 - More strict scrubber (Thanks to George Barwood for the idea):
7902 NS set must be pertinent to the query (qname subdomain nsname).
7903 - Fix bug#307: In 0x20 backoff fix fallback so the number of
7904 outstanding queries does not become -1 and block the request.
7905 Fixed handling of recursion-lame in combination with 0x20 fallback.
7906 Fix so RRsets are compared canonicalized and sorted if the immediate
7907 comparison fails, this makes it work around round-robin sites.
7909 23 April 2010: Wouter
7910 - Squelch log message: sendto failed permission denied for
7911 255.255.255.255, it is visible in VERB_DETAIL (verbosity 2).
7912 - Fix to fetch data as last resort more tenaciously. When cycle
7913 targets cause the server selection to believe there are more options
7914 when they really are not there, the server selection is reinitiated.
7915 - Fix fetch from blacklisted dnssec lame servers as last resort. The
7916 server's IP address is then given in validator errors as well.
7917 - Fix local-zone type redirect that did not use the query name for
7920 22 April 2010: Wouter
7922 - trunk contains 1.4.5 in development.
7923 - Fix validation failure for qtype ANY caused by a RRSIG parse failure.
7924 The validator error message was 'no signatures from ...'.
7926 16 April 2010: Wouter
7927 - more portability defines for CMSG_SPACE, CMSG_ALIGN, CMSG_LEN.
7930 15 April 2010: Wouter
7931 - ECC-GOST algorithm number 12 that is assigned by IANA. New test
7932 example key and signatures for GOST. GOST requires openssl-1.0.0.
7933 GOST is still disabled by default.
7935 9 April 2010: Wouter
7936 - Fix bug#305: pkt_dname_tolower could read beyond end of buffer or
7937 get into an endless loop, if 0x20 was enabled, and buffers are small
7938 or particular broken packets are received.
7939 - Fix chain of trust with CNAME at an intermediate step, for the DS
7942 8 April 2010: Wouter
7943 - Fix validation of queries with wildcard names (*.example).
7945 6 April 2010: Wouter
7946 - Fix EDNS probe for .de DNSSEC testbed failure, where the infra
7947 cache timeout coincided with a server update, the current EDNS
7948 backoff is less sensitive, and does not cache the backoff unless
7949 the backoff actually works and the domain is not expecting DNSSEC.
7950 - GOST support with correct algorithm numbers.
7952 1 April 2010: Wouter
7953 - iana portlist updated.
7955 24 March 2010: Wouter
7956 - unbound control flushed items are not counted when flushed again.
7958 23 March 2010: Wouter
7959 - iana portlist updated.
7961 22 March 2010: Wouter
7962 - unbound-host disables use-syslog from config file so that the
7963 config file for the main server can be used more easily.
7964 - fix bug#301: unbound-checkconf could not parse interface
7965 '0.0.0.0@5353', even though unbound itself worked fine.
7967 19 March 2010: Wouter
7968 - fix fwd_ancil test to pass if the socket options are not supported.
7970 18 March 2010: Wouter
7971 - Fixed random numbers for port, interface and server selection.
7972 Removed very small bias.
7973 - Refer to the listing in unbound-control man page in the extended
7974 statistics entry in the unbound.conf man page.
7976 16 March 2010: Wouter
7977 - Fix interface-automatic for OpenBSD: msg.controllen was too small,
7978 also assertions on ancillary data buffer.
7979 - check for IP_SENDSRCADDR for interface-automatic or IP_PKTINFO.
7980 - for NSEC3 check if signatures are cached.
7982 15 March 2010: Wouter
7983 - unit test for util/regional.c.
7985 12 March 2010: Wouter
7986 - Reordered configure checks so fork and -lnsl -lsocket checks are
7987 earlier, and thus later checks benefit from and do not hinder them.
7988 - iana portlist updated.
7989 - ldns tarball updated.
7990 - Fix python use when multithreaded.
7991 - Fix solaris python compile.
7992 - Include less in config.h and include per code file for ldns, ssl.
7994 11 March 2010: Wouter
7995 - another memory allocation option: --enable-alloc-nonregional.
7996 exposes the regional allocations to other memory purifiers.
7997 - fix for memory alignment in struct sock_list allocation.
7998 - Fix for MacPorts ldns without ssl default, unbound checks if ldns
7999 has dnssec functionality and uses the builtin if not.
8000 - Fix daemonize on Solaris 10, it did not detach from terminal.
8001 - tag 1.4.3 created.
8002 - trunk is 1.4.4 in development.
8003 - spelling fix in validation error involving cnames.
8005 10 March 2010: Wouter
8006 - --enable-alloc-lite works with test set.
8007 - portability in the testset: printf format conversions, prototypes.
8009 9 March 2010: Wouter
8010 - tag 1.4.2 created.
8011 - trunk is 1.4.3 in development.
8012 - --enable-alloc-lite debug option.
8014 8 March 2010: Wouter
8015 - iana portlist updated.
8017 4 March 2010: Wouter
8018 - Fix crash in control channel code.
8020 3 March 2010: Wouter
8021 - better casts in pipe code, brackets placed wrongly.
8022 - iana portlist updated.
8024 1 March 2010: Wouter
8025 - make install depends on make all.
8026 - Fix 5011 auto-trust-anchor-file initial read to skip RRSIGs.
8027 - --enable-checking: enables assertions but does not look nonproduction.
8028 - nicer VERB_DETAIL (verbosity 2, unbound-host -d) output, with
8029 nxdomain and nodata distinguished.
8030 - ldns tarball updated.
8031 - --disable-rpath fixed for libtool not found errors.
8032 - new fedora specfile from Fedora13 in contrib from Paul Wouters.
8034 26 February 2010: Wouter
8035 - Fixup prototype for lexer cleanup in daemon code.
8036 - unbound-control list_stubs, list_forwards, list_local_zones and
8039 24 February 2010: Wouter
8040 - Fix scrubber bug that potentially let NS records through. Reported
8042 - Also delete potential poison references from additional.
8043 - Fix: no classification of a forwarder as lame, throw away instead.
8045 23 February 2010: Wouter
8046 - libunbound ub_ctx_get_option() added.
8047 - unbound-control set_option and get_option commands.
8048 - iana portlist updated.
8050 18 February 2010: Wouter
8051 - A little more strict DS scrubbing.
8052 - No more blacklisting of unresponsive servers, a 2 minute timeout
8054 - RD flag not enabled for dnssec-blacklisted tries, unless necessary.
8055 - pickup ldns compile fix, libdl for libcrypto.
8056 - log 'tcp connect: connection timed out' only in high verbosity.
8057 - unbound-control log_reopen command.
8058 - moved get_option code from unbound-checkconf to util/config_file.c
8060 17 February 2010: Wouter
8061 - Disregard DNSKEY from authority section for chain of trust.
8062 DS records that are irrelevant to a referral scrubbed. Anti-poison.
8063 - iana portlist updated.
8065 16 February 2010: Wouter
8066 - Check for 'no space left on device' (or other errors) when
8067 writing updated autotrust anchors and print errno to log.
8069 15 February 2010: Wouter
8070 - Fixed the requery protection, the TTL was 0, it is now 900 seconds,
8071 hardcoded. We made the choice to send out more conservatively,
8072 protecting against an aggregate effect more than protecting a
8073 single user (from their own folly, perhaps in case of misconfig).
8075 12 February 2010: Wouter
8076 - Re-query pattern changed on validation failure. To protect troubled
8077 authority servers, unbound caches a failure for the DNSKEY or DS
8078 records for the entire zone, and only retries that 900 seconds later.
8079 This implies that only a handful of packets are sent extra to the
8080 authority if the zone fails.
8082 11 February 2010: Wouter
8083 - ldns tarball update for long label length syntax error fix.
8084 - iana portlist updated.
8086 9 February 2010: Wouter
8087 - Fixup in compat snprintf routine, %f 1.02 and %g support.
8088 - include math.h for testbound test compile portability.
8090 2 February 2010: Wouter
8091 - Updated url of IANA itar, interim trust anchor repository, in script.
8093 1 February 2010: Wouter
8094 - iana portlist updated.
8095 - configure test for memcmp portability.
8097 27 January 2010: Wouter
8098 - removed warning on format string in validator error log statement.
8099 - iana portlist updated.
8101 22 January 2010: Wouter
8102 - libtool finish the install of unbound python dynamic library.
8104 21 January 2010: Wouter
8105 - acx_nlnetlabs.m4 synchronised with nsd's version.
8107 20 January 2010: Wouter
8108 - Fixup lookup trouble for parent-child domains on the first query.
8110 14 January 2010: Wouter
8111 - Fixup ldns detection to also check for header files.
8113 13 January 2010: Wouter
8114 - prefetch-key option that performs DNSKEY queries earlier in the
8115 validation process, and that could halve the latency on DNSSEC
8116 queries. It takes some extra processing (CPU, a cache is needed).
8118 12 January 2010: Wouter
8119 - Fix unbound-checkconf for auto-trust-anchor-file present checks.
8121 8 January 2010: Wouter
8122 - Fix for parent-child disagreement code which could have trouble
8123 when (a) ipv6 was disabled and (b) the TTL for parent and child
8124 were different. There were two bugs, the parent-side information
8125 is fixed to no longer block lookup of child side information and
8126 the iterator is fixed to no longer attempt to get ipv6 when it is
8127 not enabled and then give up in failure.
8128 - test and fixes to make prefetch actually store the answer in the
8129 cache. Considers some rrsets 'already expired' but does not allow
8130 overwriting of rrsets considered more secure.
8132 7 January 2010: Wouter
8133 - Fixup python documentation (thanks Leo Vandewoestijne).
8134 - Work on cache prefetch feature.
8135 - Stats for prefetch, in log print stats, unbound-control stats
8136 and in unbound_munin plugin.
8138 6 January 2010: Wouter
8139 - iana portlist updated.
8140 - bug#291: DNS wireformat max is 255. dname_valid allowed 256 length.
8141 - verbose output includes parent-side-address notion for lameness.
8142 - documented val-log-level: 2 setting in example.conf and man page.
8143 - change unbound-control-setup from 1024(sha1) to 1536(sha256).
8145 1 January 2010: Wouter
8146 - iana portlist updated.
8148 22 December 2009: Wouter
8149 - configure with newer libtool 2.2.6b.
8151 17 December 2009: Wouter
8154 - trunk to version 1.4.2.
8156 15 December 2009: Wouter
8157 - Answer to qclass=ANY queries, with class IN contents.
8158 Test that validation also works.
8159 - updated ldns snapshot tarball with latest fixes (parsing records).
8161 11 December 2009: Wouter
8162 - on IPv4 UDP turn off DF flag.
8164 10 December 2009: Wouter
8165 - requirements.txt updated with design choice explanations.
8166 - Reading fixes: fix to set unlame when child confirms parent glue,
8167 and fix to avoid duplicate addresses in delegation point.
8168 - verify_rrsig routine checks expiration last.
8170 9 December 2009: Wouter
8171 - Fix Bug#287(reopened): update of ldns tarball with fix for parse
8172 errors generated for domain names like '.example.com'.
8173 - Fix SOA excluded from negative DS responses. Reported by Hauke
8174 Lampe. The negative cache did not include proper SOA records for
8175 negative qtype DS responses which makes BIND barf on it, such
8176 responses are now only used internally.
8177 - Fix negative cache lookup of closestencloser check of DS type bit.
8179 8 December 2009: Wouter
8180 - Fix for lookup of parent-child disagreement domains, where the
8181 parent-side glue works but it does not provide proper NS, A or AAAA
8182 for itself, fixing domains such as motorcaravanners.eu.
8183 - Feature: you can specify a port number in the interface: line, so
8184 you can bind the same interface multiple times at different ports.
8186 7 December 2009: Wouter
8187 - Bug#287: Fix segfault when unbound-control remove nonexistent local
8188 data. Added check to tests.
8190 1 December 2009: Wouter
8191 - Fix crash with module-config "iterator".
8192 - Added unit test that has "iterator" module-config.
8194 30 November 2009: Wouter
8195 - bug#284: fix parse of # without end-of-line at end-of-file.
8197 26 November 2009: Wouter
8198 - updated ldns with release candidate for version 1.6.3.
8199 - tag for 1.4.0 release.
8200 - 1.4.1 version in trunk.
8201 - Fixup major libtool version to 2 because of why_bogus change.
8202 It was 1:5:0 but should have been 2:0:0.
8204 23 November 2009: Wouter
8205 - Patch from David Hubbard for libunbound manual page.
8206 - Fixup endless spinning in unbound-control stats reported by
8207 Attila Nagy. Probably caused by clock reversal.
8209 20 November 2009: Wouter
8210 - contrib/split-itar.sh contributed by Tom Hendrikx.
8212 19 November 2009: Wouter
8213 - better argument help for unbound-control.
8214 - iana portlist updated.
8216 17 November 2009: Wouter
8217 - noted multiple entries for multiple domain names in example.conf.
8218 - iana portlist updated.
8220 16 November 2009: Wouter
8221 - Fixed signer detection of CNAME responses without signatures.
8222 - Fix#282 libunbound memleak on error condition by Eric Sesterhenn.
8223 - Tests for CNAMEs to deeper trust anchors, secure and bogus.
8224 - svn tag 1.4.0rc1 made.
8226 13 November 2009: Wouter
8227 - Fixed validation failure for CNAME to optout NSEC3 nodata answer.
8228 - unbound-host does not fail on type ANY.
8229 - Fixed wireparse failure to put RRSIGs together with data in some
8230 long ANY mix cases, which fixes validation failures.
8232 12 November 2009: Wouter
8233 - iana portlist updated.
8234 - fix manpage errors reported by debian lintian.
8236 - fixup very long vallog2 level error strings.
8238 11 November 2009: Wouter
8239 - ldns tarball updated (to 1.6.2).
8242 10 November 2009: Wouter
8243 - Thanks to Surfnet found bug in new dnssec-retry code that failed
8244 to combine well when combined with DLV and a particular failure.
8245 - Fixed unbound-control -h output about argument optionality.
8248 5 November 2009: Wouter
8249 - lint fixes and portability tests.
8250 - better error text for multiple domain keys in one autotrust file.
8252 2 November 2009: Wouter
8253 - Fix bug where autotrust does not work when started with a DS.
8254 - Updated GOST unit tests for unofficial algorithm number 249
8255 and DNSKEY-format changes in draft version -01.
8257 29 October 2009: Wouter
8258 - iana portlist updated.
8259 - edns-buffer-size option, default 4096.
8262 28 October 2009: Wouter
8263 - removed abort on prealloc failure, error still printed but softfail.
8264 - iana portlist updated.
8265 - RFC 5702: RSASHA256 and RSASHA512 support enabled by default.
8266 - ldns tarball updated (which also enables rsasha256 support).
8268 27 October 2009: Wouter
8269 - iana portlist updated.
8271 8 October 2009: Wouter
8273 - add val-log-level print to corner case (nameserver.epost.bg).
8274 - more detail to errors from insecure delegation checks.
8275 - Fix double time subtraction in negative cache reported by
8276 Amanda Constant and Hugh Mahon.
8277 - Made new validator error string available from libunbound for
8278 applications. It is in result->why_bogus, a zero-terminated string.
8279 unbound-host prints it by default if a result is bogus.
8280 Also the errinf is public in module_qstate (for other modules).
8282 7 October 2009: Wouter
8283 - retry for validation failure in DS and prime results. Less mem use.
8284 unit test. Provisioning in other tests for requeries.
8285 - retry for validation failure in DNSKEY in middle of chain of trust.
8287 - retry for empty non terminals in chain of trust and unit test.
8288 - Fixed security bug where the signatures for NSEC3 records were not
8289 checked when checking for absence of DS records. This could have
8290 enabled the substitution of an insecure delegation.
8291 - moved version number to 1.4.0 because of 1.3.4 release with only
8292 the NSEC3 patch from the entry above.
8293 - val-log-level: 2 shows extended error information for validation
8294 failures, but still one (longish) line per failure. For example:
8295 validation failure <example.com. DNSKEY IN>: signature expired from
8296 192.0.2.4 for trust anchor example.com. while building chain of trust
8297 validation failure <www.example.com. A IN>: no signatures from
8298 192.0.2.6 for key example.com. while building chain of trust
8300 6 October 2009: Wouter
8301 - Test set updated to provide additional ns lookup result.
8302 The retry would attempt to fetch the data from other nameservers
8303 for bogus data, and this needed to be provisioned in the tests.
8305 5 October 2009: Wouter
8306 - first validation failure retry code. Retries for data failures.
8309 2 October 2009: Wouter
8310 - improve 5011 modularization.
8311 - fix unbound-host so -d can be given before -C.
8312 - iana portlist updated.
8314 28 September 2009: Wouter
8315 - autotrust-anchor-file can read multiline input and $ORIGIN.
8316 - prevent integer overflow in holddown calculation. review fixes.
8317 - fixed race condition in trust point revocation. review fix.
8318 - review fixes to comments, removed unused code.
8320 25 September 2009: Wouter
8321 - so-rcvbuf: 4m option added. Set this on large busy servers to not
8322 drop the occasional packet in spikes due to full socket buffers.
8323 netstat -su keeps a counter of UDP dropped due to full buffers.
8324 - review of validator/autotrust.c, small fixes and comments.
8326 23 September 2009: Wouter
8327 - 5011 query failed counts verification failures, not lookup failures.
8328 - 5011 probe failure handling fixup.
8329 - test unbound reading of original autotrust data.
8330 The metadata per-key, such as key state (PENDING, MISSING, VALID) is
8331 picked up, otherwise performs initial probe like usual.
8333 22 September 2009: Wouter
8334 - autotrust test with algorithm rollover, new ordering of checks
8335 assists in orderly rollover.
8336 - autotrust test with algorithm rollover to unknown algorithm.
8337 checks if new keys are supported before adding them.
8338 - autotrust test with trust point revocation, becomes unsigned.
8339 - fix DNSSEC-missing-signature detection for minimal responses
8340 for qtype DNSKEY (assumes DNSKEY occurs at zone apex).
8342 18 September 2009: Wouter
8343 - autotrust tests, fix trustpoint timer deletion code.
8344 fix count of valid anchors during missing remove.
8345 - autotrust: pick up REVOKE even if not signed with known other keys.
8347 17 September 2009: Wouter
8348 - fix compile of unbound-host when --enable-alloc-checks.
8349 - Fix lookup problem reported by Koh-ichi Ito and Jaap Akkerhuis.
8350 - Manual page fixes reported by Tony Finch.
8352 16 September 2009: Wouter
8353 - Fix memory leak reported by Tao Ma.
8354 - Fix memstats test tool for log-time-ascii log format.
8356 15 September 2009: Wouter
8357 - iana portlist updated.
8359 10 September 2009: Wouter
8360 - increased MAXSYSLOGLEN so .bg key can be printed in debug output.
8361 - use linebuffering for log-file: output, this can be significantly
8362 faster than the previous fflush method and enable some class of
8363 resolvers to use high verbosity (for short periods).
8364 Not on windows, because line buffering does not work there.
8366 9 September 2009: Wouter
8367 - Fix bug where DNSSEC-bogus messages were marked with too high TTL.
8368 The RRsets would still expire at the normal time, but this would
8369 keep messages bogus in the cache for too long.
8370 - regression test for that bug.
8371 - documented that load_cache is meant for debugging.
8373 8 September 2009: Wouter
8374 - fixup printing errors when load_cache, they were printed to the
8375 SSL connection which broke, now to the log.
8376 - new ldns - with fixed parse of large SOA values.
8378 7 September 2009: Wouter
8379 - autotrust testbound scenarios.
8380 - autotrust fix that failure count is written to file.
8381 - autotrust fix that keys may become valid after add holddown time
8382 alone, before the probe returns.
8384 4 September 2009: Wouter
8385 - Changes to make unbound work with libevent-2.0.3 alpha. (in
8386 configure detection due to new ssl dependency in libevent)
8387 - do not call sphinx for documentation when python is disabled.
8388 - remove EV_PERSIST from libevent timeout code to make the code
8389 compatible with the libevent-2.0. Works with older libevent too.
8390 - fix memory leak in python code.
8392 3 September 2009: Wouter
8393 - Got a patch from Luca Bruno for libunbound support on windows to
8394 pick up the system resolvconf nameservers and hosts there.
8395 - included ldns updated (enum warning fixed).
8396 - makefile fix for parallel makes.
8397 - Patch from Zdenek Vasicek and Attila Nagy for using the source IP
8398 from python scripts. See pythonmod/examples/resip.py.
8399 - doxygen comment fixes.
8401 2 September 2009: Wouter
8402 - TRAFFIC keyword for testbound. Simplifies test generation.
8403 ${range lower val upper} to check probe timeout values.
8404 - test with 5011-prepublish rollover and revocation.
8405 - fix revocation of RR for autotrust, stray exclamation mark.
8407 1 September 2009: Wouter
8408 - testbound variable arithmetic.
8409 - autotrust probe time is randomised.
8410 - autotrust: the probe is active and does not fetch from cache.
8412 31 August 2009: Wouter
8413 - testbound variable processing.
8415 28 August 2009: Wouter
8416 - fixup unbound-control lookup to print forward and stub servers.
8418 27 August 2009: Wouter
8419 - autotrust: mesh answer callback is empty.
8421 26 August 2009: Wouter
8422 - autotrust probing.
8423 - iana portlist updated.
8425 25 August 2009: Wouter
8426 - fixup memleak in trust anchor unsupported algorithm check.
8427 - iana portlist updated.
8428 - autotrust options: add-holddown, del-holddown, keep-missing.
8429 - autotrust store revoked status of trust points.
8430 - ctime_r compat definition.
8431 - detect yylex_destroy() in configure.
8432 - detect SSL_get_compression_methods declaration in configure.
8433 - fixup DS lookup at anchor point with unsigned parent.
8434 - fixup DLV lookup for DS queries to unsigned domains.
8436 24 August 2009: Wouter
8437 - cleaner memory allocation on exit. autotrust test routines.
8438 - free all memory on program exit, fix for ssl and flex.
8440 21 August 2009: Wouter
8441 - autotrust: debug routines. Read,write and conversions work.
8443 20 August 2009: Wouter
8444 - autotrust: save and read trustpoint variables.
8446 19 August 2009: Wouter
8447 - autotrust: state table updates.
8448 - iana portlist updated.
8450 17 August 2009: Wouter
8451 - autotrust: process events.
8453 17 August 2009: Wouter
8454 - Fix so that servers are only blacklisted if they fail to reply
8455 to 16 queries in a row and the timeout gets above 2 minutes.
8456 - autotrust work, split up DS verification of DNSKEYs.
8458 14 August 2009: Wouter
8459 - unbound-control lookup prints out infra cache information, like RTT.
8460 - Fix bug in DLV lookup reported by Amanda from Secure64.
8461 It could sometimes wrongly classify a domain as unsigned, which
8462 does not give the AD bit on replies.
8464 13 August 2009: Wouter
8465 - autotrust read anchor files. locked trust anchors.
8467 12 August 2009: Wouter
8468 - autotrust import work.
8470 11 August 2009: Wouter
8471 - Check for openssl compatible with gost if enabled.
8472 - updated unit test for GOST=211 code.
8473 Nicer naming of test files.
8474 - iana portlist updated.
8476 7 August 2009: Wouter
8477 - call OPENSSL_config() in unbound and unit test so that the
8478 operator can use openssl.cnf for configuration options.
8479 - removed small memory leak from config file reader.
8481 6 August 2009: Wouter
8482 - configure --enable-gost for GOST support, experimental
8483 implementation of draft-dolmatov-dnsext-dnssec-gost-01.
8484 - iana portlist updated.
8485 - ldns tarball updated (with GOST support).
8487 5 August 2009: Wouter
8488 - trunk moved to 1.3.4.
8490 4 August 2009: Wouter
8491 - Added test that the examples from draft rsasha256-14 verify.
8492 - iana portlist updated.
8495 3 August 2009: Wouter
8496 - nicer warning when algorithm not supported, tells you to upgrade.
8497 - iana portlist updated.
8499 27 July 2009: Wouter
8500 - Updated unbound-cacti contribution from Dmitriy Demidov, with
8501 the queue statistics displayed in its own graph.
8502 - iana portlist updated.
8504 22 July 2009: Wouter
8505 - Fix bug found by Michael Tokarev where unbound would try to
8506 prime the root servers even though forwarders are configured for
8510 21 July 2009: Wouter
8511 - Fix server selection, so that it waits for open target queries when
8512 faced with lameness.
8514 20 July 2009: Wouter
8515 - Ignore transient sendto errors, no route to host, and host, net down.
8516 - contrib/update-anchor.sh has -r option for root-hints.
8517 - feature val-log-level: 1 prints validation failures so you can
8518 keep track of them during dnssec deployment.
8520 16 July 2009: Wouter
8521 - fix replacement malloc code. Used in crosscompile.
8522 - makedist -w creates crosscompiled setup.exe on fedora11.
8524 15 July 2009: Wouter
8525 - dependencies for compat items, for crosscompile.
8526 - mingw32 crosscompile changes, dependencies and zipfile creation.
8527 and with System.dll from the windows NSIS you can make setup.exe.
8528 - package libgcc_s_sjlj exception handler for NSISdl.dll.
8530 14 July 2009: Wouter
8531 - updated ldns tarball for solaris x64 compile assistance.
8532 - no need to define RAND_MAX from config.h.
8533 - iana portlist updated.
8534 - configure changes and ldns update for mingw32 crosscompile.
8536 13 July 2009: Wouter
8537 - Fix for crash at start on windows.
8538 - tag for release 1.3.2.
8539 - trunk has version 1.3.3.
8540 - Fix for ID bits on windows to use all 16. RAND_MAX was not
8541 defined like you'd expect on mingw. Reported by Mees de Roo.
8544 - tag for release 1.3.1.
8545 - trunk has version 1.3.2.
8548 - iana portlist updated.
8551 - prettier error handling in SSL setup.
8552 - makedist.sh uname fix (same as ldns).
8553 - updated fedora spec file.
8556 - fixup linking when ldnsdir is "".
8558 30 June 2009: Wouter
8559 - more lenient truncation checks.
8561 29 June 2009: Wouter
8562 - ldns trunk r2959 imported as tarball, because of solaris cc compile
8563 support for c99. r2960 for better configure.
8564 - better wrongly_truncated check.
8565 - On Linux, fragment IPv6 datagrams to the IPv6 minimum MTU, to
8566 avoid dropped packets at routers.
8568 26 June 2009: Wouter
8569 - Fix EDNS fallback when EDNS works for short answers but long answers
8572 22 June 2009: Wouter
8573 - fixup iter priv strict aliasing while preserving size of sockaddr.
8574 - iana portlist updated. (one less port allocated, one more fraction
8575 of a bit for security!)
8576 - updated fedora specfile in contrib from Paul Wouters.
8578 19 June 2009: Wouter
8579 - Fixup strict aliasing warning in iter priv code.
8580 and config_file code.
8581 - iana portlist updated.
8582 - harden-referral-path: handle cases where NS is in answer section.
8584 18 June 2009: Wouter
8585 - Fix of message parse bug where (specifically) an NSEC and RRSIG
8586 in the wrong order would be parsed, but put wrongly into internal
8587 structures so that later validation would fail.
8588 - Extreme lenience for wrongly truncated replies where a positive
8589 reply has an NS in the authority but no signatures. They are
8590 turned into minimal responses with only the (secure) answer.
8591 - autoconf 2.63 for configure.
8592 - python warnings suppress. Keep python API away from header files.
8594 17 June 2009: Wouter
8595 - CREDITS entry for cz.nic, sponsoring a 'summer of code' that was
8596 used for the python code in unbound. (http://www.nic.cz/vip/ in cz).
8598 16 June 2009: Wouter
8599 - Fixup opportunistic target query generation to it does not
8600 generate queries that are known to fail.
8601 - Touchup on munin total memory report.
8602 - messages picked out of the cache by the iterator are checked
8603 if their cname chain is still correct and if validation status
8604 has to be reexamined.
8606 15 June 2009: Wouter
8607 - iana portlist updated.
8609 14 June 2009: Wouter
8610 - Fixed bug where cached responses would lose their security
8611 status on second validation, which especially impacted dlv
8612 lookups. Reported by Hauke Lampe.
8614 13 June 2009: Wouter
8615 - bug #254. removed random whitespace from example.conf.
8617 12 June 2009: Wouter
8618 - Fixup potential wrong NSEC picked out of the cache.
8619 - If unfulfilled callbacks are deleted they are called with an error.
8620 - fptr wlist checks for mesh callbacks.
8621 - fwd above stub in configuration works.
8623 11 June 2009: Wouter
8624 - Fix queries for type DS when forward or stub zones are there.
8625 They are performed to higherup domains, and thus treated as if
8626 going to higher zones when looking up the right forward or stub
8627 server. This makes a stub pointing to a local server that has
8628 a local view of example.com signed with the same keys as are
8629 publicly used work. Reported by Johan Ihren.
8630 - Added build-unbound-localzone-from-hosts.pl to contrib, from
8631 Dennis DeDonatis. It converts /etc/hosts into config statements.
8632 - same thing fixed for forward-zone and DS, chain of trust from
8633 public internet into the forward-zone works now. Added unit test.
8636 - openssl key files are opened apache-style, when user is root and
8637 before chrooting. This makes permissions on remote-control key
8638 files easier to set up. Fixes bug #251.
8639 - flush_type and flush_name remove msg cache entries.
8640 - codereview - dp copy bogus setting fix.
8643 - Removed RFC5011 REVOKE flag support. Partial 5011 support may cause
8644 inadvertant behaviour.
8645 - 1.3.0 tarball for release created.
8646 - 1.3.1 development in svn trunk.
8647 - iana portlist updated.
8648 - fix lint from complaining on ldns/sha.h.
8649 - help compiler figure out aliasing in priv_rrset_bad() routine.
8650 - fail to configure with python if swig is not found.
8651 - unbound_munin_ in contrib uses ps to show rss if sbrk does not work.
8654 - fixup bad free() when wrongly encoded DSA signature is seen.
8655 Reported by Paul Wouters.
8656 - review comments from Matthijs.
8659 - --enable-sha2 option. The draft rsasha256 changed its algorithm
8660 numbers too often. Therefore it is more prudent to disable the
8661 RSASHA256 and RSASHA512 support by default.
8662 - ldns trunk included as new tarball.
8663 - recreated the 1.3.0 tag in svn. rc1 tarball generated at this point.
8666 - fixup doc bug in README reported by Matthew Dempsky.
8669 - update iana port list
8670 - update ldns lib tarball
8673 - detect lack of IPv6 support on XP (with a different error code).
8674 - Fixup a crash-on-exit which was triggered by a very long queue.
8675 Unbound would try to re-use ports that came free, but this is
8676 of course not really possible because everything is deleted.
8677 Most easily triggered on XP (not Vista), maybe because of the
8678 network stack encouraging large messages backlogs.
8679 - change in debug statements.
8680 - Fixed bug that could cause a crash if root prime failed when there
8681 were message backlogs.
8684 - Thanks again to Brett Carr, found an assertion that was not true.
8685 Assertion checked if recursion parent query still existed.
8687 29 April 2009: Wouter
8688 - Thanks to Brett Carr, caught windows resource leak, use
8689 closesocket() and not close() on sockets or else the network stack
8690 starts to leak handles.
8691 - Removed usage of windows Mutex because windows cannot handle enough
8692 mutexes open. Provide own mutex implementation using primitives.
8694 28 April 2009: Wouter
8695 - created svn tag for 1.3.0.
8697 27 April 2009: Wouter
8698 - optimised cname from cache.
8699 - ifdef windows functions in testbound.
8701 23 April 2009: Wouter
8702 - fix for threadsafety in solaris thr_key_create() in tests.
8703 - iana portlist updated.
8704 - fix pylib test for Darwin.
8705 - fix pymod test for Darwin and a python threading bug in pymod init.
8706 - check python >= 2.4 in configure.
8707 - -ldl check for libcrypto 1.0.0beta.
8709 21 April 2009: Wouter
8710 - fix for build outside sourcedir.
8711 - fix for configure script swig detection.
8713 17 April 2009: Wouter
8714 - Fix reentrant in minievent handler for unix. Could have resulted
8715 in spurious event callbacks.
8716 - timers do not take up a fd slot for winsock handler.
8717 - faster fix for winsock reentrant check.
8718 - fix rsasha512 unit test for new (interim) algorithm number.
8719 - fix test:ldns doesn't like DOS line endings in keyfiles on unix.
8720 - fix compile warning on ubuntu (configlexer fwrite return value).
8721 - move python include directives into CPPFLAGS instead of CFLAGS.
8723 16 April 2009: Wouter
8724 - winsock event handler exit very quickly on signal, even if
8726 - iana portlist updated.
8727 - fixup windows winsock handler reentrant problem.
8729 14 April 2009: Wouter
8730 - bug #245: fix munin plugin, perform cleanup of stale lockfiles.
8731 - makedist.sh; better help text.
8732 - cache-min-ttl option and tests.
8733 - mingw detect error condition on TCP sockets (NOTCONN).
8735 9 April 2009: Wouter
8736 - Fix for removal of RSASHA256_NSEC3 protonumber from ldns.
8737 - ldns tarball updated.
8738 - iana portlist update.
8739 - detect GOST support in openssl-1.0.0-beta1, and fix compile problem
8740 because that openssl defines the name STRING for itself.
8742 6 April 2009: Wouter
8743 - windows compile fix.
8744 - Detect FreeBSD jail without ipv6 addresses assigned.
8745 - python libunbound wrapper unit test.
8746 - installs the following files. Default is to not build them.
8747 from configure --with-pythonmodule:
8748 /usr/lib/python2.x/site-packages/unboundmodule.py
8749 from configure --with-pyunbound:
8750 /usr/lib/python2.x/site-packages/unbound.py
8751 /usr/lib/python2.x/site-packages/_unbound.so*
8752 The example python scripts (pythonmod/examples and
8753 libunbound/python/examples) are not installed.
8754 - python invalidate routine respects packed rrset ids and locks.
8755 - clock skew checks in unbound, config statements.
8756 - nxdomain ttl considerations in requirements.txt
8758 3 April 2009: Wouter
8759 - Fixed a bug that caused messages to be stored in the cache too
8760 long. Hard to trigger, but NXDOMAINs for nameservers or CNAME
8761 targets have been more vulnerable to the TTL miscalculation bug.
8762 - documentation test fixed for python addition.
8764 2 April 2009: Wouter
8765 - pyunbound (libunbound python plugin) compiles using libtool.
8766 - documentation for pythonmod and pyunbound is generated in doc/html.
8767 - iana portlist updated.
8768 - fixed bug in unbound-control flush_zone where it would not flush
8769 every message in the target domain. This especially impacted
8770 NXDOMAIN messages which could remain in the cache regardless.
8771 - python module test package.
8773 1 April 2009: Wouter
8774 - suppress errors when trying to contact authority servers that gave
8775 ipv6 AAAA records for their nameservers with ipv4 mapped contents.
8776 Still tries to do so, could work when deployed in intranet.
8777 Higher verbosity shows the error.
8778 - new libunbound calls documented.
8779 - pyunbound in libunbound/python. Removed compile warnings.
8780 Makefile to make it.
8782 30 March 2009: Wouter
8783 - Fixup LDFLAGS from libevent sourcedir compile configure restore.
8784 - Fixup so no non-absolute rpaths are added.
8785 - Fixup validation of RRSIG queries, they are let through.
8786 - read /dev/random before chroot
8787 - checkconf fix no python checks when no python module enabled.
8788 - fix configure, pthread first, so other libs do not change outcome.
8790 27 March 2009: Wouter
8791 - nicer -h output. report linked libraries and modules.
8792 - prints modules in intuitive order (config file friendly).
8793 - python compiles easily on BSD.
8795 26 March 2009: Wouter
8796 - ignore swig varargs warnings with gcc.
8797 - remove duplicate example.conf text from python example configs.
8798 - outofdir compile fix for python.
8800 - print modules compiled in on -h. manpage.
8802 25 March 2009: Wouter
8803 - initial import of the python contribution from Zdenek Vasicek and
8805 - pythonmod in Makefile; changes to remove warnings/errors for 1.3.0.
8807 24 March 2009: Wouter
8808 - more neat configure.ac. Removed duplicate config.h includes.
8809 - neater config.h.in.
8810 - iana portlist updated.
8811 - fix util/configlexer.c and solaris -std=c99 flag.
8812 - fix postcommit aclocal errors.
8813 - spaces stripped. Makefile cleaner, /usr omitted from -I, -L, -R.
8814 - swap order of host detect and libtool generation.
8816 23 March 2009: Wouter
8817 - added launchd plist example file for MacOSX to contrib.
8818 - deprecation test for daemon(3).
8819 - moved common configure actions to m4 include, prettier Makefile.
8821 20 March 2009: Wouter
8822 - bug #239: module-config entries order is important. Documented.
8823 - build fix for test asynclook.
8825 19 March 2009: Wouter
8826 - winrc/README.txt dos-format text file.
8827 - iana portlist updated.
8828 - use _beginthreadex() when available (performs stack alignment).
8829 - defaults for windows baked into configure.ac (used if on mingw).
8831 18 March 2009: Wouter
8832 - Added tests, unknown algorithms become insecure. fallback works.
8833 - Fix for and test for unknown algorithms in a trust anchor
8834 definition. Trust anchors with no supported algos are ignored.
8835 This means a (higher)DS or DLV entry for them could succeed, and
8836 otherwise they are treated as insecure.
8837 - domain-insecure: "example.com" statement added. Sets domain
8838 insecure regardless of chain of trust DSs or DLVs. The inverse
8841 17 March 2009: Wouter
8842 - unit test for unsupported algorithm in anchor warning.
8843 - fixed so queries do not fail on opportunistic target queries.
8845 16 March 2009: Wouter
8846 - fixup diff error printout in contrib/update-itar.sh.
8847 - added contrib/unbound_cacti for statistics support in cacti,
8848 contributed by Dmitriy Demidov.
8850 13 March 2009: Wouter
8851 - doxygen and lex/yacc on linux.
8852 - strip update-anchor on makedist -w.
8853 - fix testbound on windows.
8854 - default log to syslog for windows.
8855 - uninstaller can stop unbound - changed text on it to reflect that.
8856 - remove debugging from windows 'cron' actions.
8858 12 March 2009: Wouter
8859 - log to App.logs on windows prints executable identity.
8861 - munin plugin fix benign locking error printout.
8862 - anchor-update for windows, called every 24 hours; unbound reloads.
8864 11 March 2009: Wouter
8865 - winsock event handler resets WSAevents after signalled.
8866 - winsock event handler tests if signals are really signalled.
8867 - install and service with log to file works on XP and Vista on
8868 default install location.
8869 - on windows logging to the Application logbook works (as a service).
8870 - fix RUN_DIR on windows compile setting in makedist.
8871 - windows registry has Software\Unbound\ConfigFile element.
8872 If does not exist, the default is used. The -c switch overrides it.
8873 - fix makedist version cleanup function.
8875 10 March 2009: Wouter
8876 - makedist -w strips out old rc.. and snapshot info from version.
8877 - setup.exe starts and stops unbound after install, before uninstall.
8878 - unbound-checkconf recognizes absolute pathnames on windows (C:...).
8880 9 March 2009: Wouter
8881 - Nullsoft NSIS installer creation script.
8883 5 March 2009: Wouter
8884 - fixup memory leak introduced on 18feb in mesh reentrant fix.
8886 3 March 2009: Wouter
8887 - combined icon with 16x16(4) 32x32(4) 48x48(8) 64x64(8).
8888 - service works on xp/vista, no config necessary (using defaults).
8889 - windows registry settings.
8891 2 March 2009: Wouter
8892 - fixup --export-symbols to be -export-symbls for libtool.
8893 This should fix extraneous symbols exported from libunbound.
8894 Thanks to Ondrej Sury and Robert Edmonds for finding it.
8895 - iana portlist updated.
8896 - document FAQ entry on stub/forward zones and default blocking.
8897 - fix asynclook test app for libunbound not exporting symbols.
8898 - service install and remove utils that work with vista UAC.
8900 27 February 2009: Wouter
8901 - Fixup lexer, to not give warnings about fwrite. Appeared in
8903 - makedistro functionality for mingw. Has RC support.
8904 - support spaces and backslashes in configured defaults paths.
8905 - register, deregister in service control manager.
8907 25 February 2009: Wouter
8908 - windres usage for application resources.
8910 24 February 2009: Wouter
8911 - isc moved their dlv key download location.
8912 - fixup warning on vista/mingw.
8913 - makedist -w for window zip distribution first version.
8915 20 February 2009: Wouter
8916 - Fixup contrib/update-itar.sh, the exit codes 1 and 0 were swapped.
8917 Nicer script layout. Added url to site in -h output.
8919 19 February 2009: Wouter
8920 - unbound-checkconf and unbound print warnings when trust anchors
8921 have unsupported algorithms.
8922 - added contrib/update-itar.sh This script is similar to
8923 update-anchor.sh, and updates from the IANA ITAR repository.
8924 You can provide your own PGP key and trust repo, or can use the
8925 builtin. The program uses wget and gpg to work.
8926 - iana portlist updated.
8927 - update-itar.sh: using ftp:// urls because https godaddy certificate
8928 is not available everywhere and then gives fatal errors. The
8929 security is provided by pgp signature.
8931 18 February 2009: Wouter
8932 - more cycle detection. Also for target queries.
8933 - fixup bug where during deletion of the mesh queries the callbacks
8934 that were reentrant caused assertion failures. Keep the mesh in
8935 a reentrant safe state. Affects libunbound, reload of server,
8936 on quit and flush_requestlist.
8937 - iana portlist updated.
8939 13 February 2009: Wouter
8940 - forwarder information now per-thread duplicated.
8941 This keeps it read only for speed, with no locking necessary.
8942 - forward command for unbound control to change forwarders to use
8944 - document that unbound-host reads no config file by default.
8945 - updated iana portlist.
8947 12 February 2009: Wouter
8948 - call setusercontext if available (on BSD).
8949 - small refactor of stats clearing.
8950 - #227: flush_stats feature for unbound-control.
8951 - stats_noreset feature for unbound-control.
8952 - flush_requestlist feature for unbound-control.
8953 - libunbound version upped API (was changed 5 feb).
8954 - unbound-control status shows if root forwarding is in use.
8955 - slightly nicer memory management in iter-fwd code.
8957 10 February 2009: Wouter
8958 - keys with rfc5011 REVOKE flag are skipped and not considered when
8960 - iana portlist updated
8961 - #226: dump_requestlist feature for unbound-control.
8963 6 February 2009: Wouter
8964 - contrib contains specfile for fedora 1.2.1 (from Paul Wouters).
8965 - iana portlist updated.
8966 - fixup EOL in include directive (reported by Paul Wouters).
8967 You can no longer specify newlines in the names of included files.
8968 - config parser changed. Gives some syntax errors closer to where they
8969 occurred. Does not enforce a space after keyword anymore.
8970 Does not allow literal newlines inside quoted strings anymore.
8971 - verbosity level 5 logs customer IP for new requestlist entries.
8972 - test fix, lexer and cancel test.
8973 - new option log-time-ascii: yes if you enable it prints timestamps
8974 in the log file as Feb 06 13:45:26 (like syslog does).
8975 - detect event_base_new in libevent-1.4.1 and later and use it.
8976 - #231 unbound-checkconf -o option prints that value from config file.
8977 Useful for scripting in management scripts and the like.
8979 5 February 2009: Wouter
8980 - ldns 1.5.0 rc as tarball included.
8981 - 1.3.0 development continues:
8982 change in libunbound API: ub_cancel can return an error, that
8983 the async_id did not exist, or that it was already delivered.
8984 The result could have been delivered just before the cancel
8985 routine managed to acquire the lock, so a caller may get the
8986 result at the same time they call cancel. For this case,
8987 ub_cancel tries to return an error code.
8988 Fixes race condition in ub_cancel() libunbound function.
8989 - MacOSX Leopard cleaner text output from configure.
8990 - initgroups(3) is called to drop secondary group permissions, if
8992 - configure option --with-ldns-builtin forces the use of the
8993 inluded ldns package with the unbound source. The -I include
8994 is put before the others, so it avoids bad include files from
8995 an older ldns install.
8996 - daemon(3) posix call is used when available.
8997 - testbound test for older fix added.
8999 4 February 2009: Wouter
9000 - tag for release 1.2.1.
9001 - trunk setup for 1.3.0 development.
9003 3 February 2009: Wouter
9004 - noted feature requests in doc/TODO.
9005 - printout more detailed errors on ssl certificate loading failures.
9006 - updated IANA portlist.
9008 16 January 2009: Wouter
9009 - more quiet about ipv6 network failures, i.e. when ipv6 is not
9010 available (network unreachable). Debug still printed on high
9012 - unbound-host -4 and -6 options. Stops annoying ipv6 errors when
9013 debugging with unbound-host -4 -d ...
9014 - more cycle detection for NS-check, addr-check, root-prime and
9015 stub-prime queries in the iterator. Avoids possible deadlock
9018 15 January 2009: Wouter
9019 - bug #229: fixup configure checks for compilation with Solaris
9020 Sun cc compiler, ./configure CC=/opt/SUNWspro/bin/cc
9021 - fixup suncc warnings.
9022 - fix bug where unbound could crash using libevent 1.3 and older.
9023 - update testset for recent retry change.
9025 14 January 2009: Wouter
9026 - 1.2.1 feature: negative caching for failed queries.
9027 Queries that failed are cached for 5 seconds (NORR_TTL).
9028 If the failure is local, like out of memory, it is not cached.
9029 - the TTL comparison for the cache used different comparisons,
9030 causing many cache responses that used the iterator and validator
9031 state machines unnecessarily.
9032 - retry from 4 to 5 so that EDNS drop retry is part of the first
9033 query resolve attempt, and cached error does not stop EDNS fallback.
9034 - remove debug prints that protect against bad referrals.
9035 - honor QUIET=no on make commandline (or QUIET=yes ).
9037 13 January 2009: Wouter
9038 - fixed bug in lameness marking, removed printouts.
9039 - find NS rrset more cleanly for qtype NS.
9040 - Moved changes to 1.2.0 for release. Thanks to Mark Zealey for
9042 - 1.2.1 feature: stops resolving AAAAs promiscuously when they
9043 are in the negative cache.
9045 12 January 2009: Wouter
9046 - fixed bug in infrastructure lameness cache, did not lowercase
9047 name of zone to hash when setting lame.
9048 - lameness debugging printouts.
9050 9 January 2009: Wouter
9051 - created svn tag for 1.2.0 release.
9052 - svn trunk contains 1.2.1 version number.
9053 - iana portlist updated for todays list.
9054 - removed debug print.
9056 8 January 2009: Wouter
9057 - new version of ldns-trunk (today) included as tarball, fixed
9058 bug #224, building with -j race condition.
9059 - remove possible race condition in the test for race conditions.
9061 7 January 2009: Wouter
9062 - version 1.2.0 in preparation.
9063 - feature to allow wildcards (*, ?, [], {}. ~) in trusted-keys-file
9064 statements. (Adapted from patch by Paul Wouters).
9065 - typo fix and iana portlist updated.
9066 - porting testsuite; unused var warning, and type fixup.
9068 6 January 2009: Wouter
9069 - fixup packet-of-death when compiled with --enable-debug.
9070 A malformed packet could cause an internal assertion failure.
9071 - added test for HINFO canonicalisation behaviour.
9072 - fixup reported problem with transparent local-zone data where
9073 queries with different type could get nxdomain. Now queries
9074 with a different name get resolved normally, with different type
9075 get a correct NOERROR/NODATA answer.
9076 - HINFO no longer downcased for validation, making unbound compatible
9078 - fix reading included config files when chrooted.
9079 Give full path names for include files.
9080 Relative path names work if the start dir equals the working dir.
9081 - fix libunbound message transport when no packet buffer is available.
9083 5 January 2009: Wouter
9084 - fixup getaddrinfo failure handling for remote control port.
9085 - added L.ROOT-SERVERS.NET. AAAA 2001:500:3::42 to builtin root hints.
9086 - fixup so it works with libev-3.51 from http://dist.schmorp.de/libev/
9087 - comm_timer_set performs base_set operation after event_add.
9089 18 December 2008: Wouter
9090 - fixed bug reported by Duane Wessels: error in DLV lookup, would make
9091 some zones that had correct DLV keys as insecure.
9092 - follows -rc makedist from ldns changes (no _rc).
9093 - ldns tarball updated with 1.4.1rc for DLV unit test.
9094 - verbose prints about recursion lame detection and server selection.
9095 - fixup BSD port for infra host storage. It hashed wrongly.
9096 - fixup makedist snapshot name generation.
9097 - do not reopen syslog to avoid dev/log dependency.
9099 17 December 2008: Wouter
9100 - follows ldns makedist.sh. -rc option. autom4te dir removed.
9101 - unbound-control status command.
9102 - extended statistics has a number of ipv6 queries counter.
9103 contrib/unbound_munin_ was updated to draw ipv6 in the hits graph.
9105 16 December 2008: Wouter
9106 - follow makedist improvements from ldns, for maintainers prereleases.
9107 - snapshot version uses _ not - to help rpm distinguish the
9110 11 December 2008: Wouter
9111 - better fix for bug #219: use LOG_NDELAY with openlog() call.
9112 Thanks to Tamas Tevesz.
9114 9 December 2008: Wouter
9115 - bug #221 fixed: unbound checkconf checks if key files exist if
9116 remote control is enabled. Also fixed NULL printf when not chrooted.
9117 - iana portlist updated.
9119 3 December 2008: Wouter
9120 - Fix problem reported by Jaco Engelbrecht where unbound-control stats
9121 freezes up unbound if this was compiled without threading, and
9122 was using multiple processes.
9123 - iana portlist updated.
9124 - test for remote control with interprocess communication.
9125 - created command distribution mechanism so that remote control
9126 commands other than 'stats' work on all processes in a nonthreaded
9127 compiled version. dump/load cache work, on the first process.
9128 - fixup remote control local_data addition memory corruption bug.
9130 1 December 2008: Wouter
9131 - SElinux policy files in contrib/selinux for the unbound daemon,
9132 by Paul Wouters and Adam Tkac.
9134 25 November 2008: Wouter
9135 - configure complains when --without-ssl is given (bug #220).
9136 - skip unsupported feature tests on vista/mingw.
9137 - fixup testcode/streamtcp to work on vista/mingw.
9138 - root-hints test checks version of dig required.
9139 - blacklisted servers are polled at a low rate (1%) to see if they
9140 come back up. But not if there is some other working server.
9142 24 November 2008: Wouter
9143 - document that the user of the server daemon needs read privileges
9144 on the keys and certificates generated by unbound-control-setup.
9145 This is different per system or distribution, usually, running the
9146 script under the same username as the server uses suffices.
9147 i.e. sudo -u unbound unbound-control-setup
9148 - testset port to vista/mingw.
9149 - tcp_sigpipe to freebsd port.
9151 21 November 2008: Wouter
9152 - fixed tcp accept, errors were printed when they should not.
9153 - unbound-control-setup.sh removes read/write permissions other
9154 from the keys it creates (as suggested by Dmitriy Demidov).
9156 20 November 2008: Wouter
9157 - fixup fatal error due to faulty error checking after tcp accept.
9158 - add check in rlimit to avoid integer underflow.
9159 - rlimit check with new formula; better estimate for number interfaces
9160 - nicer comments in rlimit check.
9161 - tag 1.1.1 created in svn.
9162 - trunk label is 1.1.2
9164 19 November 2008: Wouter
9165 - bug #219: fixed so that syslog which delays opening until the first
9166 log line is written, gets a log line while not chroot'ed yet.
9168 18 November 2008: Wouter
9169 - iana portlist updated.
9170 - removed cast in unit test debug print that was not 64bit safe.
9171 - trunk back to 1.1.0; copied to tags 1.1.0 release.
9172 - trunk to has version number 1.1.1 again.
9173 - in 1.1.1; make clean nicer. grammar in manpage.
9175 17 November 2008: Wouter
9176 - theoretical fix for problems reported on mailing list.
9177 If a delegation point has no A but only AAAA and do-ip6 is no,
9178 resolution would fail. Fixed to ask for the A and AAAA records.
9179 It has to ask for both always, so that it can fail quietly, from
9180 TLD perspective, when a zone is only reachable on one transport.
9181 - test for above, only AAAA and doip6 is no. Fix causes A record
9182 for nameserver to be fetched.
9183 - fixup address duplication on cache fillup for delegation points.
9184 - testset updated for new query answer requirements.
9186 14 November 2008: Wouter
9187 - created 1.1.0 release tag in svn.
9188 - trunk moved to 1.1.1
9189 - fixup unittest-neg for locking.
9191 13 November 2008: Wouter
9192 - added fedora init and specfile to contrib (by Paul Wouters).
9193 - added configure check for ldns 1.4.0 (using its compat funcs).
9194 - neater comments in worker.h.
9195 - removed doc/plan and updated doc/TODO.
9196 - silenced EHOSTDOWN (verbosity 2 or higher to see it).
9197 - review comments from Jelte, Matthijs. Neater code.
9199 12 November 2008: Wouter
9200 - add unbound-control manpage to makedist replace list.
9202 11 November 2008: Wouter
9203 - unit test for negative cache, stress tests the refcounting.
9204 - fix for refcounting error that could cause fptr_wlist fatal exit
9205 in the negative cache rbtree (upcoming 1.1 feature). (Thanks to
9206 Attila Nagy for testing).
9207 - nicer comments in cachedump about failed RR to string conversion.
9208 - fix 32bit wrap around when printing large (4G and more) mem usage
9209 for extended statistics.
9211 10 November 2008: Wouter
9212 - fixup the getaddrinfo compat code rename.
9214 8 November 2008: Wouter
9215 - added configure check for eee build warning.
9217 7 November 2008: Wouter
9218 - fix bug 217: fixed, setreuid and setregid do not work on MacOSX10.4.
9219 - detect nonblocking problems in network stack in configure script.
9221 6 November 2008: Wouter
9222 - dname_priv must decompress the name before comparison.
9223 - iana portlist updated.
9225 5 November 2008: Wouter
9226 - fixed possible memory leak in key_entry_key deletion.
9227 Would leak a couple bytes when trust anchors were replaced.
9228 - if query and reply qname overlap, the bytes are skipped not copied.
9229 - fixed file descriptor leak when messages were jostled out that
9230 had outstanding (TCP) replies.
9231 - DNAMEs used from cache have their synthesized CNAMEs initialized
9233 - fixed file descriptor leak for localzone type deny (for TCP).
9234 - fixed memleak at exit for nsec3 negative cached zones.
9235 - fixed memleak for the keyword 'nodefault' when reading config.
9236 - made verbosity of 'edns incapable peer' warning higher, so you
9237 do not get spammed by it.
9238 - caught elusive Bad file descriptor error bug, that would print the
9239 error while unnecessarily try to listen to a closed fd. Fixed.
9241 4 November 2008: Wouter
9242 - fixed -Wwrite-strings warnings that result in better code.
9244 3 November 2008: Wouter
9245 - fixup build process for Mac OSX linker, use ldns b32 compat funcs.
9246 - generated configure with autoconf-2.61.
9247 - iana portlist updated.
9248 - detect if libssl needs libdl. For static linking with libssl.
9249 - changed to use new algorithm identifiers for sha256/sha512
9250 from ldns 1.4.0 (need very latest version).
9251 - updated the included ldns tarball.
9252 - proper detection of SHA256 and SHA512 functions (not just sizes).
9254 23 October 2008: Wouter
9255 - a little more debug info for failure on signer names. prints names.
9257 22 October 2008: Wouter
9258 - CFLAGS are picked up by configure from the environment.
9259 - iana portlist updated.
9260 - updated ldns to use 1.4.0-pre20081022 so it picks up CFLAGS too.
9261 - new stub-prime: yesno option. Default is off, so it does not prime.
9262 can be turned on to get same behaviour as previous unbound release.
9263 - made automated test that checks if builtin root hints are uptodate.
9264 - finished draft-wijngaards-dnsext-resolver-side-mitigation
9265 implementation. The unwanted-reply-threshold can be set.
9266 - fixup so fptr_whitelist test in alloc.c works.
9268 21 October 2008: Wouter
9269 - fix update-anchors.sh, so it does not report different RR order
9270 as an update. Sorts the keys in the file. Updated copyright.
9271 - fixup testbound on windows, the command control pipe doesn't exist.
9272 - skip 08hostlib test on windows, no fork() available.
9273 - made unbound-remote work on windows.
9275 20 October 2008: Wouter
9276 - quench a log message that is debug only.
9277 - iana portlist updated.
9278 - do not query bogus nameservers. It is like nameservers that have
9279 the NS or A or AAAA record bogus are listed as donotquery.
9280 - if server selection is faced with only bad choices, it will
9281 attempt to get more options to be fetched.
9282 - changed bogus-ttl default value from 900 to 60 seconds.
9283 In anticipation that operator caused failures are more likely than
9284 actual attacks at this time. And thus repeated validation helps
9285 the operators get the problem fixed sooner. It makes validation
9286 failures go away sooner (60 seconds after the zone is fixed).
9287 Also it is likely to try different nameserver targets every minute,
9288 so that if a zone is bad on one server but not another, it is
9289 likely to pick up the 'correct' one after a couple minutes,
9290 and if the TTL is big enough that solves validation for the zone.
9291 - fixup unbound-control compilation on windows.
9293 17 October 2008: Wouter
9294 - port Leopard/G5: fixup type conversion size_t/uint32.
9295 please ranlib, stop file without symbols warning.
9296 - harden referral path now also validates the root after priming.
9297 It looks up the root NS authoritatively as well as the root servers
9298 and attemps to validate the entries.
9300 16 October 2008: Wouter
9301 - Fixup negative TTL values appearing (reported by Attila Nagy).
9303 15 October 2008: Wouter
9304 - better documentation for 0x20; remove fallback TODO, it is done.
9305 - harden-referral-path feature includes A, AAAA queries for glue,
9306 as well as very careful NS caching (only when doing NS query).
9307 A, AAAA use the delegation from the NS-query.
9309 14 October 2008: Wouter
9310 - fwd_three.tpkg test was flaky. If the three requests hit the
9311 wrong threads by chance (or bad OS) then the test would fail.
9312 Made less flaky by increasing number of retries.
9313 - stub_udp.tpkg changed to work, give root hints. fixed ldns_dname_abs.
9314 - ldns tarball is snapshot of ldns r2759 (1.4.0-pre-20081014).
9315 Which includes the ldns_dname_absolute fix.
9316 - fwd_three test remains flaky now that unbound does not stop
9317 listening when full. Thus, removed timeout problem.
9318 It may be serviced by three threads, or maybe by one.
9319 Mostly only useful for lock-check testing now.
9321 13 October 2008: Wouter
9322 - fixed recursion servers deployed as authoritative detection, so
9323 that as a last resort, a +RD query is sent there to get the
9325 - iana port list update.
9326 - ldns tarball is snapshot of ldns r2759 (1.4.0-pre-20081013).
9328 10 October 2008: Wouter
9329 - fixup tests - the negative cache contained the correct NSEC3s for
9330 two tests that are supposed to fail to validate.
9332 9 October 2008: Wouter
9333 - negative cache caps max iterations of NSEC3 done.
9334 - NSEC3 negative cache for qtype DS works.
9336 8 October 2008: Wouter
9337 - NSEC negative cache for DS.
9339 6 October 2008: Wouter
9340 - jostle-timeout option, so you can config for slow links.
9341 - 0x20 fallback code. Tries 3xnumber of nameserver addresses
9342 queries that must all be the same. Sent to random nameservers.
9343 - documented choices for DoS, EDNS, 0x20.
9345 2 October 2008: Wouter
9346 - fixup unlink of pidfile.
9347 - fixup SHA256 algorithm collation code.
9348 - contrib/update-anchor.sh does not overwrite anchors if not needed.
9349 exits 0 when a restart is needed, other values if not.
9350 so, update-anchor.sh -d mydir && /etc/rc.d/unbound restart
9351 can restart unbound exactly when needed.
9353 30 September 2008: Wouter
9354 - fixup SHA256 DS downgrade, no longer possible to downgrade to SHA1.
9355 - tests for sha256 support and downgrade resistance.
9356 - RSASHA256 and RSASHA512 support (using the draft in dnsext),
9357 using the drafted protocol numbers.
9358 - when using stub on localhost (127.0.0.1@10053) unbound works.
9359 Like when running NSD to host a local zone, on the same machine.
9360 The noprime feature. manpages more explanation. Added a test for it.
9361 - shorthand for reverse PTR, local-data-ptr: "1.2.3.4 www.ex.com"
9363 29 September 2008: Wouter
9364 - EDNS lameness detection, if EDNS packets are dropped this is
9365 detected, eventually.
9366 - multiple query timeout rtt backoff does not backoff too much.
9368 26 September 2008: Wouter
9369 - tests for remote-control.
9370 - small memory leak in exception during remote control fixed.
9371 - fixup for lock checking but not unchecking in remote control.
9372 - iana portlist updated.
9374 23 September 2008: Wouter
9375 - Msg cache is loaded. A cache load enables cache responses.
9376 - unbound-control flush [name], flush_type and flush_zone.
9378 22 September 2008: Wouter
9379 - dump_cache and load_cache statements in unbound-control.
9380 RRsets are dumped and loaded correctly.
9381 Msg cache is dumped.
9383 19 September 2008: Wouter
9384 - locking on the localdata structure.
9385 - add and remove local zone and data with unbound-control.
9386 - ldns trunk snapshot updated, make tests work again.
9388 18 September 2008: Wouter
9389 - fixup error in time calculation.
9390 - munin plugin improvements.
9391 - nicer abbreviations for high query types values (ixfr, axfr, any...)
9392 - documented the statistics output in unbound-control man page.
9393 - extended statistics prints out histogram, over unbound-control.
9395 17 September 2008: Wouter
9396 - locking for threadsafe bogus rrset counter.
9397 - ldns trunk no longer exports b32 functions, provide compat.
9398 - ldns tarball updated.
9399 - testcode/ldns-testpkts.c const fixups.
9400 - fixed rcode stat printout.
9401 - munin plugin in contrib.
9402 - stats always printout uptime, because stats plugins need it.
9404 16 September 2008: Wouter
9405 - extended-statistics: yesno config option.
9406 - unwanted replies spoof nearmiss detector.
9407 - iana portlist updated.
9409 15 September 2008: Wouter
9410 - working start, stop, reload commands for unbound-control.
9411 - test for unbound-control working; better exit value for control.
9412 - verbosity control via unbound-control.
9413 - unbound-control stats.
9415 12 September 2008: Wouter
9416 - removed browser control mentions. Proto speccy.
9418 11 September 2008: Wouter
9419 - set nonblocking on new TCP streams, because linux does not inherit
9420 the socket options to the accepted socket.
9422 - SSL protected connection between server and unbound-control.
9424 10 September 2008: Wouter
9425 - remove memleak in privacy addresses on reloads and quits.
9426 - remote control work.
9428 9 September 2008: Wouter
9429 - smallapp/unbound-control-setup.sh script to set up certificates.
9431 4 September 2008: Wouter
9432 - scrubber scrubs away private addresses.
9433 - test for private addresses. man page entry.
9434 - code refactored for name and address tree lookups.
9436 3 September 2008: Wouter
9437 - options for 'DNS Rebinding' protection: private-address and
9439 - dnstree for reuse of routines that help with domain, addr lookups.
9440 - private-address and private-domain config option read, stored.
9442 2 September 2008: Wouter
9443 - DoS protection features. Queries are jostled out to make room.
9444 - testbound can pass time, increasing the internal timer.
9445 - do not mark unsigned additionals bogus, leave unchecked, which
9448 1 September 2008: Wouter
9449 - disallow nonrecursive queries for cache snooping by default.
9450 You can allow is using access-control: <subnet> allow_snoop.
9451 The defaults do allow access no authoritative data without RD bit.
9452 - two tests for it and fixups of tests for nonrec refused.
9454 29 August 2008: Wouter
9455 - version 1.1 number in trunk.
9456 - harden-referral-path option for query for NS records.
9457 Default turns off expensive, experimental option.
9459 28 August 2008: Wouter
9460 - fixup logfile handling; it is created with correct permissions
9461 again. (from bugfix#199).
9462 Some errors are not written to logfile (pidfile writing, forking),
9463 and these are only visible by using the -d commandline flag.
9465 27 August 2008: Wouter
9466 - daemon(3) is causing problems for people. Reverting the patch.
9467 bug#200, and 199 and 203 contain sideline discussion on it.
9468 - bug#199 fixed: pidfile can be outside chroot. openlog is done before
9469 chroot and drop permissions.
9470 - config option to set size of aggressive negative cache,
9472 - bug#203 fixed: dlv has been implemented.
9474 26 August 2008: Wouter
9475 - test for insecure zone when DLV is in use, also does negative cache.
9476 - test for trustanchor when DLV is in use (the anchor works).
9477 - test for DLV used for a zone below a trustanchor.
9478 - added scrub filter for overreaching NSEC records and unit test.
9479 - iana portlist update
9480 - use of setresuid or setreuid when available.
9481 - use daemon(3) if available.
9483 25 August 2008: Wouter
9484 - realclean patch from Robert Edmonds.
9486 22 August 2008: Wouter
9487 - nicer debuglogging of DLV.
9488 - test with secure delegation inside the DLV repository.
9490 21 August 2008: Wouter
9491 - negative cache code linked into validator, for DLV use.
9492 negative cache works for DLV.
9493 - iana portlist update.
9494 - dlv-anchor option for unit tests.
9495 - fixup NSEC_AT_APEX classification for short typemaps.
9496 - ldns-testns has subdomain checks, for unit tests.
9498 20 August 2008: Wouter
9499 - negative cache code, reviewed.
9501 18 August 2008: Wouter
9502 - changes info: in logfile to notice: info: or debug: depending on
9503 the verbosity of the statements. Better logfile message
9505 - bug #208: extra rc.d unbound flexibility for freebsd/nanobsd.
9507 15 August 2008: Wouter
9508 - DLV nsec code fixed for better detection of closest existing
9509 enclosers from NSEC responses.
9510 - DLV works, straight to the dlv repository, so not for production.
9513 14 August 2008: Wouter
9514 - synthesize DLV messages from the rrset cache, like done for DS.
9516 13 August 2008: Wouter
9517 - bug #203: nicer do-auto log message when user sets incompatible
9519 - bug #204: variable name ameliorated in log.c.
9520 - bug #206: in iana_update, no egrep, but awk use.
9521 - ldns snapshot r2699 taken (includes DLV type).
9522 - DLV work, config file element, trust anchor read in.
9524 12 August 2008: Wouter
9525 - finished adjusting testset to provide qtype NS answers.
9527 11 August 2008: Wouter
9528 - Fixup rrset security updates overwriting 2181 trust status.
9529 This makes validated to be insecure data just as worthless as
9530 nonvalidated data, and 2181 rules prevent cache overwrites to them.
9531 - Fix assertion fail on bogus key handling.
9532 - dnssec lameness detection works on first query at trust apex.
9533 - NS queries get proper cache and dnssec lameness treatment.
9534 - fixup compilation without pthreads on linux.
9536 8 August 2008: Wouter
9537 - NS queries are done after every referral.
9538 validator is used on those NS records (if anchors enabled).
9540 7 August 2008: Wouter
9541 - Scrubber more strict. CNAME chains, DNAMEs from cache, other
9542 irrelevant rrsets removed.
9543 - 1.0.2 released from 1.0 support branch.
9544 - fixup update-anchor.sh to work both in BSD shell and bash.
9546 5 August 2008: Wouter
9547 - fixup DS test so apex nodata works again.
9549 4 August 2008: Wouter
9552 - fix bug 201: null ptr deref on cleanup while udp pkts wait for port.
9553 - added explanatory text for outgoing-port-permit in manpage.
9555 30 July 2008: Wouter
9556 - fixup bug qtype DS for unsigned zone and signed parent validation.
9558 25 July 2008: Wouter
9559 - added original copyright statement of OpenBSD arc4random code.
9560 - created tube signaling solution on windows, as a pipe replacement.
9561 this makes background asynchronous resolution work on windows.
9562 - removed very insecure socketpair compat code. It also did not
9563 work with event_waiting. Solved by pipe replacement.
9564 - unbound -h prints openssl version number as well.
9566 22 July 2008: Wouter
9567 - moved pipe actions to util/tube.c. easier porting and shared code.
9568 - check _raw() commpoint callbacks with fptr_wlist.
9571 21 July 2008: Wouter
9572 - #198: nicer entropy warning message. manpage OS hints.
9574 19 July 2008: Wouter
9575 - #198: fixup man page to suggest chroot entropy fix.
9577 18 July 2008: Wouter
9578 - branch for 1.0 support.
9579 - trunk work on tube.c.
9581 17 July 2008: Wouter
9582 - fix bug #196, compile outside source tree.
9583 - fix bug #195, add --with-username=user configure option.
9584 - print error and exit if started with config that requires more
9585 fds than the builtin minievent can handle.
9587 16 July 2008: Wouter
9588 - made svn tag 1.0.1, trunk now 1.0.2
9589 - sha256 checksums enabled in makedist.sh
9591 15 July 2008: Wouter
9592 - Follow draft-ietf-dnsop-default-local-zones-06 added reverse
9593 IPv6 example prefix to AS112 default blocklist.
9594 - fixup lookup of DS records by client with trustanchor for same.
9595 - libunbound ub_resolve, fix handling of error condition during setup.
9596 - lowered log_hex blocksize to fit through BSD syslog linesize.
9597 - no useless initialisation if getpwnam not available.
9598 - iana, ldns snapshot updated.
9601 - Matthijs fixed memory leaks in root hints file reading.
9603 26 June 2008: Wouter
9604 - fixup streamtcp bounds setting for udp mode, in the test framework.
9605 - contrib item for updating trust anchors.
9607 25 June 2008: Wouter
9608 - fixup fwd_ancil test typos.
9609 - Fix for newegg lameness : ok for qtype=A, but lame for others.
9610 - fixup unit test for infra cache, test lame merging.
9611 - porting to mingw, bind, listen, getsockopt and setsockopt error
9614 24 June 2008: Wouter
9615 - removed testcode/checklocks from production code compilation path.
9616 - streamtcp can use UDP mode (connected UDP socket), for testing IPv6
9618 - fwd_ancil test fails if platform support is lacking.
9620 23 June 2008: Wouter
9621 - fixup minitpkg to cleanup on windows with its file locking troubles.
9622 - minitpkg shows skipped tests in report.
9623 - skip ipv6 tests on ipv4 only hosts (requires only ipv6 localhost not
9625 - winsock event handler keeps track of sticky TCP events, that have
9626 not been fully handled yet. when interest in the event(s) resumes,
9627 they are sent again. When WOULDBLOCK is returned events are cleared.
9628 - skip tests that need signals when testing on mingw.
9630 18 June 2008: Wouter
9631 - open testbound replay files in binary mode, because fseek/ftell
9632 do not work in ascii-mode on windows. The b does nothing on unix.
9633 unittest and testbound tests work on windows (xp too).
9634 - ioctlsocket prints nicer error message.
9635 - fixed up some TCP porting for winsock.
9636 - lack of IPv6 gives a warning, no fatal error.
9637 - use WSAGetLastError() on windows instead of errno for some errors.
9639 17 June 2008: Wouter
9640 - outgoing num fds 32 by default on windows ; it supports less
9641 fds for waiting on than unixes.
9642 - winsock_event minievent handler for windows. (you could also
9643 attempt to link with libevent/libev ports for windows).
9644 - neater crypto check and gdi32 detection.
9645 - unbound.exe works to resolve and validate www.nlnetlabs.nl on vista.
9647 16 June 2008: Wouter
9648 - on windows, use windows threads, mutex and thread-local-storage(Tls).
9649 - detect if openssl needs gdi32.
9650 - if no threading, THREADS_DISABLED is defined for use in the code.
9651 - sets USE_WINSOCK if using ws2_32 on windows.
9652 - wsa_strerror() function for more readable errors.
9653 - WSA Startup and Cleanup called in unbound.exe.
9655 13 June 2008: Wouter
9656 - port mingw32, more signal ifdefs, detect sleep, usleep,
9657 random, srandom (used inside the tests).
9658 - signed or unsigned FD_SET is cast.
9660 10 June 2008: Wouter
9661 - fixup warnings compiling on eeepc xandros linux.
9664 - in iteration response type code
9665 * first check for SOA record (negative answer) before NS record
9667 * check if no AA bit for non-forwarder, and thus lame zone.
9668 In response to error report by Richard Doty for mail.opusnet.com.
9669 - fixup unput warning from lexer on freeBSD.
9670 - bug#183. pidfile, rundir, and chroot configure options. Also the
9671 example.conf and manual pages get the configured defaults.
9672 You can use: (or accept the defaults to /usr/local/etc/unbound/)
9673 --with-conf-file=filename
9674 --with-pidfile=filename
9676 --with-chroot-dir=path
9679 - if multiple CNAMEs, use the first one. Fixup akamai CNAME bug.
9680 Reported by Robert Edmonds.
9681 - iana port updated.
9684 - updated libtool files with newer version.
9685 - iana portlist updated.
9688 - fixup local-zone: "30.172.in-addr.arpa." nodefault, so that the
9689 trailing dot is not used during comparison.
9692 - Jelte fixed bugs in my absence
9693 - bug 178: fixed unportable shell usage in configure (relied on
9695 - bug 180: fixed buffer overflow in unbound-checkconf use of strncat.
9696 - bug 181: fixed buffer overflow in ldns (called by unbound to parse
9699 - bug 177: fixed compilation failure on opensuse, the
9700 --disable-static configure flag caused problems. (Patch from
9702 - bug 179: same fix as 177.
9703 - bug 185: --disable-shared not passed along to ldns included with
9704 unbound. Fixed so that configure parameters are passed to the
9705 subdir configure script.
9706 fixed that ./libtool is used always, you can still override
9707 manually with ./configure libtool=mylibtool or set $libtool in
9709 - update of the ldns tarball to current ldns svn version (fix 181).
9710 - bug 184: -r option for unbound-host, read resolv.conf for
9711 forwarder. (Note that forwarder must support DNSSEC for validation
9716 - test for sys/wait.h
9717 - WSAEWOULDBLOCK test after nonblocking TCP connect.
9718 - write_iov_buffer removed: unused and no struct iov on windows.
9719 - signed/unsigned warning fixup mini_event.
9720 - use ioctlsocket to set nonblocking I/O if fnctl is unavailable.
9721 - skip signals that are not defined
9723 - detect getpwnam, getrlimit, setsid, sbrk, chroot.
9724 - default config has no chroot if chroot() unavailable.
9725 - if no kill() then no pidfile is read or written.
9726 - gmtime_r is replaced by nonthreadsafe alternative if unavail.
9727 used in rrsig time validation errors.
9730 - contrib unbound.spec from Patrick Vande Walle.
9731 - fixup bug#175: call tzset before chroot to have correct timestamps
9733 - do not generate lex input and lex unput functions.
9734 - mingw port. replacement functions labelled _unbound.
9735 - fix bug 174 - check for tcp_sigpipe that ldns-testns is installed.
9738 - fedora 9, check in6_pktinfo define in configure.
9739 - CREDITS fixup of history.
9740 - ignore ldns-1.2.2 if installed, use builtin 1.3.0-pre alternative.
9743 - fixup for MacOSX hosts file reading (reported by John Dickinson).
9744 - created 1.0.0 svn tag.
9745 - trunk version 1.0.1.
9748 - accepted patch from Ondrej Sury for library version libtool option.
9749 - configure --disable-rpath fixes up libtool for rpath trouble.
9750 Adapted from debian package patch file.
9753 - Added root ipv6 addresses to builtin root hints.
9754 - TODO modified for post 1.0 plans.
9755 - trunk version set to 1.0.0.
9756 - no unnecessary linking with librt (only when libevent/libev used).
9759 - fixup no-ip4 problem with error callback in outside network.
9761 25 April 2008: Wouter
9762 - DESTDIR is honored by the Makefile for rpms.
9763 - contrib files unbound.spec and unbound.init, builds working RPM
9764 on FC7 Linux, a chrooted caching resolver, and libunbound.
9765 - iana ports update.
9767 24 April 2008: Wouter
9768 - chroot checks improved. working directory relative to chroot.
9769 checks if config file path is inside chroot. Documentation on it.
9770 - nicer example.conf text.
9773 23 April 2008: Wouter
9774 - parseunbound.pl contrib update from Kai Storbeck for threads.
9777 22 April 2008: Wouter
9779 - unit test for SIGPIPE ignore.
9781 21 April 2008: Wouter
9782 - FEATURES document.
9783 - fixup reread of config file if it was given as a full path
9784 and chroot was used.
9786 16 April 2008: Wouter
9787 - requirements doc, updated clean query returns.
9788 - parseunbound.pl update from Kai Storbeck.
9789 - sunos4 porting changes.
9791 15 April 2008: Wouter
9792 - fixup default rc.d pidfile location to /usr/local/etc.
9793 - iana ports updated.
9794 - copyright updated in ldns-testpkts to keep same as in ldns.
9795 - fixup checkconf chroot tests a bit more, chdir must be inside
9797 - documented 'gcc: unrecognized -KPIC option' errors on Solaris.
9798 - example.conf values changed to /usr/local/etc/unbound
9800 - DSA signatures: unbound is compatible with both encodings found.
9801 It will detect and convert when necessary.
9803 14 April 2008: Wouter
9804 - got update for parseunbound.pl statistics script from Kai Storbeck.
9805 - tpkg tests for udp wait list.
9806 - documented 0x20 status.
9807 - fixup chroot and checkconf, it is much smarter now.
9808 - fixup DSA EVP signature decoding. Solution that Jelte found copied.
9809 - and check first sig byte for the encoding type.
9811 11 April 2008: Wouter
9812 - random port selection out of the configged ports.
9813 - fixup threadsafety for libevent-1.4.3+ (event_base_get_method).
9814 - removed base_port.
9815 - created 256-port ephemeral space for the OS, 59802 available.
9816 - fixup consistency of port_if out array during heavy use.
9818 10 April 2008: Wouter
9819 - --with-libevent works with latest libevent 1.4.99-trunk.
9820 - added log file statistics perl script to contrib.
9821 - automatic iana ports update from makefile. 60058 available.
9823 9 April 2008: Wouter
9824 - configure can detect libev(from its build directory) when passed
9825 --with-libevent=/home/wouter/libev-3.2
9826 libev-3.2 is a little faster than libevent-1.4.3-stable (about 5%).
9827 - unused commpoints not listed in epoll list.
9828 - statistics-cumulative option so that the values are not reset.
9829 - config creates array of available ports, 61841 available,
9830 it excludes <1024 and iana assigned numbers.
9831 config statements to modify the available port numbers.
9833 8 April 2008: Wouter
9834 - unbound tries to set the ulimit fds when started as server.
9835 if that does not work, it will scale back its requirements.
9837 27 March 2008: Wouter
9838 - documented /dev/random symlink from chrootdir as FAQ entry.
9840 26 March 2008: Wouter
9841 - implemented AD bit signaling. If a query sets AD bit (but not DO)
9842 then the AD bit is set in the reply if the answer validated.
9843 Without including DNSSEC signatures. Useful if you have a trusted
9844 path from the client to the resolver. Follows dnssec-updates draft.
9846 25 March 2008: Wouter
9847 - implemented check that for NXDOMAIN and NOERROR answers a query
9848 section must be present in the reply (by the scrubber). And it must
9849 be equal to the question sent, at least lowercase folded.
9850 Previously this feature happened because the cache code refused
9851 to store such messages. However blocking by the scrubber makes
9852 sure nothing gets into the RRset cache. Also, this looks like a
9853 timeout (instead of an allocation failure) and this retries are
9854 done (which is useful in a spoofing situation).
9855 - RTT banding. Band size 400 msec, this makes band around zero (fast)
9856 include unknown servers. This makes unbound explore unknown servers.
9858 7 March 2008: Wouter
9859 - -C config feature for harvest program.
9860 - harvest handles CNAMEs too.
9862 5 March 2008: Wouter
9863 - patch from Hugo Koji Kobayashi for iterator logs spelling.
9865 4 March 2008: Wouter
9866 - From report by Jinmei Tatuya, rfc2181 trust value for remainder
9867 of a cname trust chain is lower; not full answer_AA.
9868 - test for this fix.
9869 - default config file location is /usr/local/etc/unbound.
9870 Thus prefix is used to determine the location. This is also the
9871 chroot and pidfile default location.
9873 3 March 2008: Wouter
9874 - Create 0.10 svn tag.
9875 - 0.11 version in trunk.
9876 - indentation nicer.
9878 29 February 2008: Wouter
9879 - documentation update.
9880 - fixup port to Solaris of perf test tool.
9881 - updated ldns-tarball with decl-after-statement fixes.
9883 28 February 2008: Wouter
9884 - fixed memory leaks in libunbound (during cancellation and wait).
9885 - libunbound returns the answer packet in full.
9886 - snprintf compat update.
9887 - harvest performs lookup.
9888 - ldns-tarball update with fix for ldns_dname_label.
9889 - installs to sbin by default.
9890 - install all manual pages (unbound-host and libunbound too).
9892 27 February 2008: Wouter
9893 - option to use caps for id randomness.
9894 - config file option use-caps-for-id: yes
9895 - harvest debug tool
9897 26 February 2008: Wouter
9898 - delay utility delays TCP as well. If the server that is forwarded
9899 to has a TCP error, the delay utility closes the connection.
9900 - delay does REUSE_ADDR, and can handle a server that closes its end.
9901 - answers use casing from query.
9903 25 February 2008: Wouter
9904 - delay utility works. Gets decent thoughput too (>20000).
9906 22 February 2008: Wouter
9907 - +2% for recursions, if identical queries (except for destination
9908 and query ID) in the reply list, avoid re-encoding the answer.
9909 - removed TODO items for optimizations that do not show up in
9911 - default is now minievent - not libevent. As its faster and
9912 not needed for regular installs, only for very large port ranges.
9913 - loop check different speedup pkt-dname-reading, 1% faster for
9914 nocache-recursion check.
9915 - less hashing during msg parse, 4% for recursion.
9916 - small speed fix for dname_count_size_labels, +1 or +2% recursion.
9917 - some speed results noted:
9918 optimization resulted in +40% for recursion (cache miss) and
9919 +70 to +80 for cache hits, and +96% for version.bind.
9920 zone nsec3 example, 100 NXDOMAIN queries, NSD 35182.8 Ub 36048.4
9921 www.nlnetlabs.nl from cache: BIND 8987.99 Ub 31218.3
9922 www with DO bit set : BIND 8269.31 Ub 28735.6 qps.
9923 So, unbound can be about equal qps to NSD in cache hits.
9924 And about 3.4x faster than BIND in cache performance.
9925 - delay utility for testing.
9927 21 February 2008: Wouter
9928 - speedup of root-delegation message encoding by 15%.
9929 - minor speedup of compress tree_lookup, maybe 1%.
9930 - speedup of dname_lab_cmp and memlowercmp - the top functions in
9931 profiler output, maybe a couple percent when it matters.
9933 20 February 2008: Wouter
9934 - setup speec_cache for need-ldns-testns in dotests.
9935 - check number of queued replies on incoming queries to avoid overload
9937 - fptr whitelist checks are not disabled in optimize mode.
9938 - do-daemonize config file option.
9939 - minievent time share initializes time at start.
9940 - updated testdata for nsec3 new algorithm numbers (6, 7).
9941 - small performance test of packet encoding (root delegation).
9943 19 February 2008: Wouter
9944 - applied patch to unbound-host man page from Jan-Piet Mens.
9945 - fix donotquery-localhost: yes default (it erroneously was switched
9947 - time is only gotten once and the value is shared across unbound.
9948 - unittest cleans up crypto, so that it has no memory leaks.
9949 - mini_event shares the time value with unbound this results in
9950 +3% speed for cache responses and +9% for recursions.
9951 - ldns tarball update with new NSEC3 sign code numbers.
9952 - perform several reads per UDP operation. This improves performance
9953 in DoS conditions, and costs very little in normal conditions.
9954 improves cache response +50%, and recursions +10%.
9955 - modified asynclook test. because the callback from async is not
9956 in any sort of lock (and thus can use all library functions freely),
9957 this causes a tiny race condition window when the last lock is
9958 released for a callback and a new cancel() for that callback.
9959 The only way to remove this is by putting callbacks into some
9960 lock window. I'd rather have the small possibility of a callback
9961 for a cancelled function then no use of library functions in
9962 callbacks. Could be possible to only outlaw process(), wait(),
9963 cancel() from callbacks, by adding another lock, but I'd rather not.
9965 18 February 2008: Wouter
9966 - patch to unbound-host from Jan-Piet Mens.
9967 - unbound host prints errors if fails to configure context.
9968 - fixup perf to resend faster, so that long waiting requests do
9969 not hold up the queue, they become lost packets or SERVFAILs,
9970 or can be sent a little while later (i.e. processing time may
9971 take long, but throughput has to be high).
9972 - fixup iterator operating in no cache conditions (RD flag unset
9974 - streamlined code for RD flag setting.
9975 - profiled code and changed dname compares to be faster.
9976 The speedup is about +3% to +8% (depending on the test).
9977 - minievent tests for eintr and eagain.
9979 15 February 2008: Wouter
9980 - added FreeBSD rc.d script to contrib.
9981 - --prefix option for configure also changes directory: pidfile:
9982 and chroot: defaults in config file.
9983 - added cache speed test, for cache size OK and cache too small.
9985 14 February 2008: Wouter
9986 - start without a config file (will complain, but start with
9988 - perf test program works.
9990 13 February 2008: Wouter
9992 - 1.0 development. Printout ldns version on unbound -h.
9993 - start of perf tool.
9994 - bugfix to read empty lines from /etc/hosts.
9996 12 February 2008: Wouter
9997 - fixup problem with configure calling itself if ldns-src tarball
10000 11 February 2008: Wouter
10001 - changed library to use ub_ instead of ub_val_ as prefix.
10002 - statistics output text nice.
10003 - etc/hosts handling.
10004 - library function to put logging to a stream.
10005 - set any option interface.
10007 8 February 2008: Wouter
10008 - test program for multiple queries over a TCP channel.
10009 - tpkg test for stream tcp queries.
10010 - unbound replies to multiple TCP queries on a TCP channel.
10011 - fixup misclassification of root referral with NS in answer
10012 when validating a nonrec query.
10014 - layout of manpages, spelling fix in header, manpages process by
10015 makedist, list asynclook and tcpstream tests as ldns-testns
10018 7 February 2008: Wouter
10019 - moved up all current level 2 to be level 3. And 3 to 4.
10020 to make room for new debug level 2 for detailed information
10022 - verbosity level 2. Describes recursion and validation.
10023 - cleaner configure script and fixes for libevent solaris.
10024 - signedness for log output memory sizes in high verbosity.
10026 6 February 2008: Wouter
10027 - clearer explanation of threading configure options.
10028 - fixup asynclook test for nothreading (it creates only one process
10029 to do the extended test).
10030 - changed name of ub_val_result_free to ub_val_resolve_free.
10031 - removes warning message during library linking, renamed
10032 libunbound/unbound.c -> libunbound.c and worker to libworker.
10033 - fallback without EDNS if result is NOTIMPL as well as on FORMERR.
10035 5 February 2008: Wouter
10036 - statistics-interval: seconds option added.
10037 - test for statistics option
10038 - ignore errors making directories, these can occur in parallel builds
10039 - fixup Makefile strip command and libunbound docs typo.
10041 31 January 2008: Wouter
10042 - bg thread/process reads and writes the pipe nonblocking all the time
10043 so that even if the pipe is buffered or so, the bg thread does not
10044 block, and services both pipes and queries.
10046 30 January 2008: Wouter
10047 - check trailing / on chrootdir in checkconf.
10048 - check if root hints and anchor files are in chrootdir.
10049 - no route to host tcp error is verbosity level 2.
10050 - removed unused send_reply_iov. and its configure check.
10051 - added prints of 'remote address is 1.2.3.4 port 53' to errors
10052 from netevent; the basic socket errors.
10054 28 January 2008: Wouter
10055 - fixup uninit use of buffer by libunbound (query id, flags) for
10056 local_zone answers.
10057 - fixup uninit warning from random.c; also seems to fix sporadic
10058 sigFPE coming out of openssl.
10059 - made openssl entropy warning more silent for library use. Needs
10061 - fixup forgotten locks for rbtree_searches on ctx->query tree.
10062 - random generator cleanup - RND_STATE_SIZE removed, and instead
10063 a super-rnd can be passed at init to chain init random states.
10064 - test also does lock checks if available.
10065 - protect config access in libworker_setup().
10066 - libevent doesn't like comm_base_exit outside of runloop.
10067 - close fds after removing commpoints only (for epoll, kqueue).
10069 25 January 2008: Wouter
10070 - added tpkg for asynclook and library use.
10071 - allows localhost to be queried when as a library.
10072 - fixup race condition between cancel and answer (in case of
10073 really fast answers that beat the cancel).
10074 - please doxygen, put doxygen comment in one place.
10075 - asynclook -b blocking mode and test.
10076 - refactor asynclook, nicer code.
10077 - fixup race problems from opensll in rand init from library, with
10078 a mutex around the rand init.
10079 - fix pass async_id=NULL to _async resolve().
10080 - rewrote _wait() routine, so that it is threadsafe.
10081 - cancelation is threadsafe.
10082 - asynclook extended test in tpkg.
10083 - fixed two races where forked bg process waits for (somehow shared?)
10084 locks, so does not service the query pipe on the bg side.
10085 Now those locks are only held for fg_threads and for bg_as_a_thread.
10087 24 January 2008: Wouter
10088 - tested the cancel() function.
10089 - asynclook -c (cancel) feature.
10090 - fix fail to allocate context actions.
10091 - make pipe nonblocking at start.
10092 - update plane for retry mode with caution to limit bandwidth.
10093 - fix Makefile for concurrent make of unbound-host.
10094 - renamed ub_val_ctx_wait/poll/process/fd to ub_val*.
10095 - new calls to set forwarding added to header and docs.
10097 23 January 2008: Wouter
10098 - removed debug prints from if-auto, verb-algo enables some.
10099 - libunbound QUIT setup, remove memory leaks, when using threads
10100 will share memory for passing results instead of writing it over
10101 the pipe, only writes ID number over the pipe (towards the handler
10102 thread that does process() ).
10104 22 January 2008: Wouter
10105 - library code for async in libunbound/unbound.c.
10106 - fix link testbound.
10107 - fixup exit bug in mini_event.
10108 - background worker query enter and result functions.
10109 - bg query test application asynclook, it looks up multiple
10110 hostaddresses (A records) at the same time.
10112 21 January 2008: Wouter
10113 - libworker work, netevent raw commpoints, write_msg, serialize.
10115 18 January 2008: Wouter
10116 - touch up of manpage for libunbound.
10117 - support for IP_RECVDSTADDR (for *BSD ip4).
10118 - fix for BSD, do not use ip4to6 mapping, make two sockets, once
10119 ip6 and once ip4, uses socket options.
10120 - goodbye ip4to6 mapping.
10121 - update ldns-testpkts with latest version from ldns-trunk.
10122 - updated makedist for relative ldns pathnames.
10123 - library API with more information inside the result structure.
10124 - work on background resolves.
10126 17 January 2008: Wouter
10127 - fixup configure in case -lldns is installed.
10128 - fixup a couple of doxygen warnings, about enum variables.
10129 - interface-automatic now copies the interface address from the
10130 PKT_INFO structure as well.
10131 - manual page with library API, all on one page 'man libunbound'.
10132 - rewrite of PKTINFO structure, it also captures IP4 PKTINFO.
10134 16 January 2008: Wouter
10135 - incoming queries to the server with TC bit on are replied FORMERR.
10136 - interface-automatic replied the wrong source address on localhost
10137 queries. Seems to be due to ifnum=0 in recvmsg PKTINFO. Trying
10138 to use ifnum=-1 to mean 'no interface, use kernel route'.
10140 15 January 2008: Wouter
10141 - interface-automatic feature. experimental. Nice for anycast.
10142 - tpkg test for ip6 ancillary data.
10143 - removed debug prints.
10144 - porting experience, define for Solaris, test refined for BSD
10145 compatibility. The feature probably will not work on OpenBSD.
10146 - makedist fixup for ldns-src in build-dir.
10148 14 January 2008: Wouter
10149 - in no debug sets NDEBUG to remove asserts.
10150 - configure --enable-debug is needed for dependency generation
10151 for assertions and for compiler warnings.
10152 - ldns.tgz updated with ldns-trunk (where buffer.h is updated).
10153 - fix lint, unit test in optimize mode.
10154 - default access control allows ::ffff:127.0.0.1 v6mapped localhost.
10156 11 January 2008: Wouter
10157 - man page, warning removed.
10158 - added text describing the use of stub zones for private zones.
10159 - checkconf tests for bad hostnames (IP address), and for doubled
10161 - memory sizes can be given with 'k', 'Kb', or M or G appended.
10163 10 January 2008: Wouter
10164 - typo in example.conf.
10165 - made using ldns-src that is included the package more portable
10166 by linking with .lo instead of .o files in the ldns package.
10167 - nicer do-ip6: yes/no documentation.
10168 - nicer linking of libevent .o files.
10169 - man pages render correctly on solaris.
10171 9 January 2008: Wouter
10172 - fixup openssl RAND problem, when the system is not configured to
10173 give entropy, and the rng needs to be seeded.
10175 8 January 2008: Wouter
10176 - print median and quartiles with extensive logging.
10178 4 January 2008: Wouter
10179 - document misconfiguration in private network.
10181 2 January 2008: Wouter
10182 - fixup typo in requirements.
10183 - document that 'refused' is a better choice than 'drop' for
10184 the access control list, as refused will stop retries.
10186 7 December 2007: Wouter
10187 - unbound-host has a -d option to show what happens. This can help
10188 with debugging (why do I get this answer).
10189 - fixup CNAME handling, on nodata, sets and display canonname.
10190 - dot removed from CNAME display.
10191 - respect -v for NXDOMAINs.
10192 - updated ldns-src.tar.gz with ldns-trunk today (1.2.2 fixes).
10193 - size_t to int for portability of the header file.
10194 - fixup bogus handling.
10195 - dependencies and lint for unbound-host.
10197 6 December 2007: Wouter
10198 - library resolution works in foreground mode, unbound-host app
10200 - unbound-host prints rdata using ldns.
10201 - unbound-host accepts trust anchors, and prints validation
10202 information when you give -v.
10204 5 December 2007: Wouter
10205 - locking in context_new() inside the function.
10206 - setup of libworker.
10208 4 December 2007: Wouter
10209 - minor Makefile fixup.
10210 - moved module-stack code out of daemon/daemon into services/modstack,
10211 preparing for code-reuse.
10212 - move context into own header file.
10213 - context query structure.
10214 - removed unused variable pwd from checkconf.
10215 - removed unused assignment from outside netw.
10216 - check timeval length of string.
10217 - fixup error in val_utils getsigner.
10218 - fixup same (*var) error in netblocktostr.
10219 - fixup memleak on parse error in localzone.
10220 - fixup memleak on packet parse error.
10221 - put ; after union in parser.y.
10222 - small hardening in iter_operate against iq==NULL.
10223 - hardening, if error reply with rcode=0 (noerror) send servfail.
10224 - fixup same (*var) error in find_rrset in msgparse, was harmless.
10225 - check return value of evtimer_add().
10226 - fixup lockorder in lruhash_reclaim(), building up a list of locked
10227 entries one at a time. Instead they are removed and unlocked.
10228 - fptr_wlist for markdelfunc.
10229 - removed is_locked param from lruhash delkeyfunc.
10230 - moved bin_unlock during bin_split purely to please.
10232 3 December 2007: Wouter
10233 - changed checkconf/ to smallapp/ to make room for more support tools.
10234 (such as unbound-host).
10235 - install dirs created with -m 755 because they need to be accessible.
10236 - library extensive featurelist added to TODO.
10237 - please doxygen, lint.
10238 - library test application, with basic functionality.
10239 - fix for building in a subdirectory.
10240 - link lib fix for Leopard.
10242 30 November 2007: Wouter
10243 - makefile that creates libunbound.la, basic file or libunbound.a
10244 when creating static executables (no libtool).
10247 29 November 2007: Wouter
10248 - 0.9 public API start.
10250 28 November 2007: Wouter
10251 - Changeup plan for 0.8 - no complication needed, a simple solution
10252 has been chosen for authoritative features.
10253 - you can use single quotes in the config file, so it is possible
10254 to specify TXT records in local data.
10255 - fixup small memory problem in implicit transparent zone creation.
10256 - test for implicit zone creation and multiple RR RRsets local data.
10257 - local-zone nodefault test.
10258 - show testbound testlist on commit.
10259 - iterator normalizer changes CNAME chains ending in NXDOMAIN where
10260 the packet got rcode NXDOMAIN into rcode NOERROR. (since the initial
10262 - nicer verbosity: 0 and 1 levels.
10263 - lower nonRDquery chance of eliciting wrongly typed validation
10264 requiring message from the cache.
10265 - fix for nonRDquery validation typing; nodata is detected when
10266 SOA record in auth section (all validation-requiring nodata messages
10267 have a SOA record in authority, so this is OK for the validator),
10268 and NS record is needed to be a referral.
10269 - duplicate checking when adding NSECs for a CNAME, and test.
10270 - created svn tag 0.8, after completing testbed tests.
10272 27 November 2007: Wouter
10273 - per suggestion in rfc2308, replaced default max-ttl value with 1 day.
10274 - set size of msgparse lookup table to 32, from 1024, so that its size
10275 is below the 2048 regional large size threshold, and does not cause
10276 a call to malloc when a message is parsed.
10277 - update of memstats tool to print number of allocation calls.
10278 This is what is taking time (not space) and indicates the avg size
10279 of the allocations as well. region_alloc stat is removed.
10281 22 November 2007: Wouter
10282 - noted EDNS in-the-middle dropping trouble as a TODO.
10283 At this point theoretical, no user trouble has been reported.
10284 - added all default AS112 zones.
10285 - answers from local zone content.
10286 * positive answer, the rrset in question
10287 * nodata answer (exist, but not that type).
10288 * nxdomain answer (domain does not exist).
10289 * empty-nonterminal answer.
10290 * But not: wildcard, nsec, referral, rrsig, cname/dname,
10291 or additional section processing, NS put in auth.
10292 - test for correct working of static and transparent and couple
10293 of important defaults (localhost, as112, reverses).
10294 Also checks deny and refuse settings.
10295 - fixup implicit zone generation and AA bit for NXDOMAIN on localdata.
10297 21 November 2007: Wouter
10298 - local zone internal data setup.
10300 20 November 2007: Wouter
10301 - 0.8 - str2list config support for double string config options.
10302 - local-zone and local-data options, config storage and documentation.
10304 19 November 2007: Wouter
10305 - do not downcase NSEC and RRSIG for verification. Follows
10306 draft-ietf-dnsext-dnssec-bis-updates-06.txt.
10307 - fixup leaking unbound daemons at end of tests.
10308 - README file updated.
10309 - nice libevent not found error.
10310 - README talks about gnu make.
10311 - 0.8: unit test for addr_mask and fixups for it.
10312 and unit test for addr_in_common().
10313 - 0.8: access-control config file element.
10314 and unit test rpl replay file.
10315 - 0.8: fixup address reporting from netevent.
10317 16 November 2007: Wouter
10318 - privilege separation is not needed in unbound at this time.
10319 TODO item marked as such.
10320 - created beta-0.7 branch for support.
10321 - tagged 0.7 for beta release.
10322 - moved trunk to 0.8 for 0.8(auth features) development.
10323 - 0.8: access control list setup.
10325 15 November 2007: Wouter
10326 - review fixups from Jelte.
10328 14 November 2007: Wouter
10329 - testbed script does not recreate configure, since its in svn now.
10330 - fixup checkconf test so that it does not test
10331 /etc/unbound/unbound.conf.
10334 13 November 2007: Wouter
10335 - remove debug print.
10336 - fixup testbound exit when LIBEVENT_SIGNAL_PROBLEM exists.
10338 12 November 2007: Wouter
10339 - fixup signal handling where SIGTERM could be ignored if a SIGHUP
10341 - bugreports to unbound-bugs@nlnetlabs.nl
10342 - fixup testbound so it exits cleanly.
10343 - cleanup the caches on a reload, so that rrsetID numbers won't clash.
10345 9 November 2007: Wouter
10346 - took ldns snapshot in repo.
10347 - default config file is /etc/unbound/unbound.conf.
10348 If it doesn't exist, it is installed with the doc/example.conf file.
10349 The file is not deleted on uninstall.
10350 - default listening is not all, but localhost interfaces.
10352 8 November 2007: Wouter
10353 - Fixup chroot and drop user privileges.
10354 - new L root ip address in default hints.
10356 1 November 2007: Wouter
10357 - Fixup of crash on reload, due to anchors in env not NULLed after
10358 dealloc during deinit.
10359 - Fixup of chroot call. Happens after privileges are dropped, so
10360 that checking the passwd entry still works.
10361 - minor touch up of clear() hashtable function.
10362 - VERB_DETAIL prints out what chdir, username, chroot is being done.
10363 - when id numbers run out, caches are cleared, as in design notes.
10364 Tested with a mock setup with very few bits in id, it worked.
10365 - harden-dnssec-stripped: yes is now default. It insists on dnssec
10366 data for trust anchors. Included tests for the feature.
10368 31 October 2007: Wouter
10369 - cache-max-ttl config option.
10370 - building outside sourcedir works again.
10371 - defaults more secure:
10372 username: "unbound"
10373 chroot: "/etc/unbound"
10374 The operator can override them to be less secure ("") if necessary.
10375 - fix horrible oversight in sorting rrset references in a message,
10376 sort per reference key pointer, not on referencepointer itself.
10377 - pidfile: "/etc/unbound/unbound.pid" is now the default.
10378 - tests changed to reflect the updated default.
10379 - created hashtable clear() function that respects locks.
10381 30 October 2007: Wouter
10382 - fixup assertion failure that relied on compressed names to be
10383 smaller than uncompressed names. A packet from comrite.com was seen
10384 to be compressed to a larger size. Added it as unit test.
10385 - quieter logging at low verbosity level for common tcp messages.
10386 - no greedy TTL update.
10388 23 October 2007: Wouter
10389 - fixup (grand-)parent problem for dnssec-lameness detection.
10390 - fixup tests to do additional section processing for lame replies,
10391 since the detection needs that.
10392 - no longer trust in query section in reply during dnssec lame detect.
10393 - dnssec lameness does not make the server never ever queried, but
10394 non-preferred. If no other servers exist or answer, the dnssec lame
10395 server is used; the fastest dnssec lame server is chosen.
10396 - added test then when trust anchor cannot be primed (nodata), the
10397 insecure mode from unbound works.
10398 - Fixup max queries per thread, any more are dropped.
10400 22 October 2007: Wouter
10401 - added donotquerylocalhost config option. Can be turned off for
10403 - ISO C compat changes.
10404 - detect RA-no-AA lameness, as LAME.
10405 - DNSSEC-lameness detection, as LAME.
10406 See notes in requirements.txt for choices made.
10407 - tests for lameness detection.
10408 - added all to make test target; need unbound for fwd tests.
10409 - testbound does not pollute /etc/unbound.
10411 19 October 2007: Wouter
10412 - added configure (and its files) to svn, so that the trunk is easier
10413 to use. ./configure, config.guess, config.sub, ltmain.sh,
10415 - added yacc/lex generated files, util/configlexer.c,
10416 util/configparser.c util/configparser.h, to svn.
10417 - without lex no attempt to use it.
10418 - unsecure response validation collated into one block.
10419 - remove warning about const cast of cfgfile name.
10420 - outgoing-interfaces can be different from service interfaces.
10421 - ldns-src configure is done during unbound configure and
10422 ldns-src make is done during unbound make, and so inherits the
10423 make arguments from the unbound make invocation.
10424 - nicer error when libevent problem causes instant exit on signal.
10425 - read root hints from a root hint file (like BIND does).
10427 18 October 2007: Wouter
10428 - addresses are logged with errors.
10429 - fixup testcode fake event to remove pending before callback
10430 since the callback may create new pending items.
10431 - tests updated because retries are now in iterator module.
10432 - ldns-testpkts code is checked for differences between unbound
10433 and ldns by makedist.sh.
10434 - ldns trunk from today added in svn repo for fallback in case
10435 no ldns is installed on the system.
10436 make download_ldns refreshes the tarball with ldns svn trunk.
10437 - ldns-src.tar.gz is used if no ldns is found on the system, and
10438 statically linked into unbound.
10439 - start of regional allocator code.
10440 - regional uses less memory and variables, simplified code.
10441 - remove of region-allocator.
10442 - alloc cache keeps a cache of recently released regional blocks,
10444 - make unit test cleanly free memory.
10446 17 October 2007: Wouter
10447 - fixup another cycle detect and ns-addr timeout resolution bug.
10448 This time by refusing delegations from the cache without addresses
10449 when resolving a mandatory-glue nameserver-address for that zone.
10450 We're going to have to ask a TLD server anyway; might as well be
10451 the TLD server for this name. And this resolves a lot of cases where
10452 the other nameserver names lead to cycles or are not available.
10453 - changed random generator from random(3) clone to arc4random wrapped
10454 for thread safety. The random generator is initialised with
10455 entropy from the system.
10456 - fix crash where failure to prime DNSKEY tried to print null pointer
10457 in the log message.
10458 - removed some debug prints, only verb_algo (4) enables them.
10459 - fixup test; new random generator took new paths; such as one
10460 where no scripted answer was available.
10461 - mark insecure RRs as insecure.
10462 - fixup removal of nonsecure items from the additional.
10463 - reduced timeout values to more realistic, 376 msec (262 msec has
10464 90% of roundtrip times, 512 msec has 99% of roundtrip times.)
10465 - server selection failover to next server after timeout (376 msec).
10467 16 October 2007: Wouter
10468 - no malloc in log_hex.
10469 - assertions around system calls.
10470 - protect against gethostname without ending zero.
10471 - ntop output is null terminated by unbound.
10472 - pidfile content null termination
10473 - various snprintf use sizeof(stringbuf) instead of fixed constant.
10474 - changed loopdetect % 8 with & 0x7 since % can become negative for
10475 weird negative input and particular interpretation of integer math.
10476 - dname_pkt_copy checks length of result, to protect result buffers.
10477 prints an error, this should not happen. Bad strings should have
10478 been rejected earlier in the program.
10479 - remove a size_t underflow from msgreply size func.
10481 15 October 2007: Wouter
10483 - fix IP6 TCP, wrong definition check. With test package.
10484 - fixup the fact that the query section was not compressed to,
10485 the code was there but was called by value instead of by reference.
10486 And test for the case, uses xxd and nc.
10487 - more portable ip6 check for sockaddr types.
10489 8 October 2007: Wouter
10490 - --disable-rpath option in configure for 64bit systems with
10491 several dynamic lib dirs.
10493 7 October 2007: Wouter
10494 - fixup tests for no AD bit in non-DO queries.
10495 - test that makes sure AD bit is not set on non-DO query.
10497 6 October 2007: Wouter
10498 - removed logfile open early. It did not have the proper permissions;
10499 it was opened as root instead of the user. And we cannot change user
10500 id yet, since chroot and bind ports need to be done.
10501 - callback checks for event callbacks done from mini_event. Because
10502 of deletions cannot do this from netevent. This means when using
10503 libevent the protection does not work on event-callbacks.
10504 - fixup too small reply (did not zero counts).
10505 - fixup reply no longer AD bit when query without DO bit.
10507 5 October 2007: Wouter
10508 - function pointer whitelist.
10510 4 October 2007: Wouter
10511 - overwrite sensitive random seed value after use.
10512 - switch to logfile very soon if not -d (console attached).
10513 - error messages do not reveal the trustanchor contents.
10514 - start work on function pointer whitelists.
10516 3 October 2007: Wouter
10517 - fix for multiple empty nonterminals, after multiple DSes in the
10519 - mesh checks if modules are looping, and stops them.
10520 - refetch with CNAMEd nameserver address regression test added.
10521 - fixup line count bug in testcode, so testbound prints correct line
10522 number with parse errors.
10523 - unit test for multiple ENT case.
10524 - fix for cname out of validated unsec zone.
10525 - fixup nasty id=0 reuse. Also added assertions to detect its
10526 return (the assertion catches in the existing test cases).
10528 1 October 2007: Wouter
10529 - skip F77, CXX, objC tests in configure step.
10530 - fixup crash in refetch glue after a CNAME.
10531 and protection against similar failures (with error print).
10533 28 September 2007: Wouter
10534 - test case for unbound-checkconf, fixed so it also checks the
10535 interface: statements.
10537 26 September 2007: Wouter
10538 - SIGHUP will reopen the log file.
10539 - Option to log to syslog.
10540 - please lint, fixup tests (that went to syslog on open, oops).
10541 - config check program.
10543 25 September 2007: Wouter
10544 - tests for NSEC3. Fixup bitmap checks for NSEC3.
10545 - positive ANY response needs to check if wildcard expansion, and
10546 check that original data did not exist.
10547 - tests for NSEC3 that wrong use of OPTOUT is bad. For insecure
10548 delegation, for abuse of child zone apex nsec3.
10549 - create 0.5 release tag.
10551 24 September 2007: Wouter
10552 - do not make test programs by default.
10553 - But 'make test' will perform all of the tests.
10554 - Advertise builtin select libevent alternative when no libevent
10556 - signit can generate NSEC3 hashes, for generating tests.
10557 - multiple nsec3 parameters in message test.
10558 - too high nsec3 iterations becomes insecure test.
10560 21 September 2007: Wouter
10561 - fixup empty_DS_name allocated in wrong region (port DEC Alpha).
10562 - fixup testcode lock safety (port FreeBSD).
10563 - removes subscript has type char warnings (port Solaris 9).
10564 - fixup of field with format type to int (port MacOS/X intel).
10565 - added test for infinite loop case in nonRD answer validation.
10566 It was a more general problem, but hard to reproduce. When an
10567 unsigned rrset is being validated and the key fetched, the DS
10568 sequence is followed, but if the final name has no DS, then no
10569 proof is possible - the signature has been stripped off.
10571 20 September 2007: Wouter
10572 - fixup and test for NSEC wildcard with empty nonterminals.
10573 - makedist.sh fixup for svn info.
10574 - acl features request in plan.
10575 - improved DS empty nonterminal handling.
10576 - compat with ANS nxdomain for empty nonterminals. Attempts the nodata
10577 proof anyway, which succeeds in ANS failure case.
10578 - striplab protection in case it becomes -1.
10579 - plans for static and blacklist config.
10581 19 September 2007: Wouter
10582 - comments about non-packed usage.
10583 - plan for overload support in 0.6.
10584 - added testbound tests for a failed resolution from the logs
10585 and for failed prime when missing glue.
10586 - fixup so useless delegation points are not returned from the
10587 cache. Also the safety belt is used if priming fails to complete.
10588 - fixup NSEC rdata not to be lowercased, bind compat.
10590 18 September 2007: Wouter
10591 - wildcard nsec3 testcases, and fixup to get correct wildcard name.
10592 - validator prints subtype classification for debug.
10594 17 September 2007: Wouter
10595 - NSEC3 hash cache unit test.
10596 - validator nsec3 nameerror test.
10598 14 September 2007: Wouter
10599 - nsec3 nodata proof, nods proof, wildcard proof.
10600 - nsec3 support for cname chain ending in noerror or nodata.
10601 - validator calls nsec3 proof routines if no NSECs prove anything.
10602 - fixup iterator bug where it stored the answer to a cname under
10603 the wrong qname into the cache. When prepending the cnames, the
10604 qname has to be reset to the original qname.
10606 13 September 2007: Wouter
10607 - nsec3 find matching and covering, ce proof, prove namerror msg.
10609 12 September 2007: Wouter
10610 - fixup of manual page warnings, like for NSD bugreport.
10611 - nsec3 work, config, max iterations, filter, and hash cache.
10613 6 September 2007: Wouter
10614 - fixup to find libevent on mac port install.
10615 - fixup size_t vs unsigned portability in validator/sigcrypt.
10616 - please compiler on different platforms, for unreachable code.
10618 - pthread_rwlock type is optional, in case of old pthread libs.
10620 5 September 2007: Wouter
10621 - cname, name error validator tests.
10622 - logging of qtype ANY works.
10623 - ANY type answers get RRSIG in answer section of replies (but not
10624 in other sections, unless DO bit is on).
10625 - testbound can replay a TCP query (set MATCH TCP in the QUERY).
10626 - DS and noDS referral validation test.
10627 - if you configure many trust anchors, parent trust anchors can
10628 securely deny existence of child trust anchors, if validated.
10629 - not all *.name NSECs are present because a wildcard was matched,
10630 and *.name NSECs can prove nodata for empty nonterminals.
10631 Also, for wildcard name NSECs, check they are not from the parent
10632 zone (for wildcarded zone cuts), and check absence of CNAME bit,
10633 for a nodata proof.
10634 - configure option for memory allocation debugging.
10635 - port configure option for memory allocation to solaris10.
10637 4 September 2007: Wouter
10638 - fixup of Leakage warning when serviced queries processed multiple
10639 callbacks for the same query from the same server.
10640 - testbound removes config file from /tmp on failed exit.
10641 - fixup for referral cleanup of the additional section.
10642 - tests for cname, referral validation.
10643 - neater testbound tpkg output.
10644 - DNAMEs no longer match their apex when synthesized from the cache.
10645 - find correct signer name for DNAME responses.
10646 - wildcarded DNAME test and fixup code to detect.
10647 - prepend NSEC and NSEC3 rrsets in the iterator while chasing CNAMEs.
10648 So that wildcarded CNAMEs get their NSEC with them to the answer.
10649 - test for a CNAME to a DNAME to a CNAME to an answer, all from
10650 different domains, for key fetching and signature checking of
10653 3 September 2007: Wouter
10654 - Fixed error in iterator that would cause assertion failure in
10655 validator. CNAME to a NXDOMAIN response was collated into a response
10656 with both a CNAME and the NXDOMAIN rcode. Added a test that the
10657 rcode is changed to NOERROR (because of the CNAME).
10658 - timeout on tcp does not lead to spurious leakage detect.
10659 - account memory for name of lame zones, so that memory leakages does
10660 not show lame cache growth as a leakage growth.
10661 - config setting for lameness cache expressed in bytes, instead of
10663 - tool too summarize allocations per code line.
10665 31 August 2007: Wouter
10666 - can read bind trusted-keys { ... }; files, in a compatibility mode.
10667 - iterator should not detach target queries that it still could need.
10668 the protection against multiple outstanding queries is moved to a
10669 current_query num check.
10670 - validator nodata, positive, referral tests.
10671 - dname print can print '*' wildcard.
10673 30 August 2007: Wouter
10674 - fixup override date config option.
10675 - config options to control memory usage.
10676 - caught bad free of un-alloced data in worker_send error case.
10677 - memory accounting for key cache (trust anchors and temporary cache).
10678 - memory accounting fixup for outside network tcp pending waits.
10679 - memory accounting fixup for outside network tcp callbacks.
10680 - memory accounting for iterator fixed storage.
10681 - key cache size and slabs config options.
10682 - lib crypto cleanups at exit.
10684 29 August 2007: Wouter
10685 - test tool to sign rrsets for testing validator with.
10686 - added RSA and DSA test keys, public and private pairs, 512 bits.
10687 - default configuration is with validation enabled.
10688 Only a trust-anchor needs to be configured for DNSSEC to work.
10689 - do not convert to DER for DSA signature verification.
10690 - validator replay test file, for a DS to DNSKEY DSA key prime and
10693 28 August 2007: Wouter
10694 - removed double use for udp buffers, that could fail,
10695 instead performs a malloc to do the backup.
10696 - validator validates referral messages, by validating all the rrsets
10697 and stores the rrsets in the cache. Further referral (nonRD queries)
10698 replies are made from the rrset cache directly. Unless unchecked
10699 rrsets are encountered, there are then validated.
10700 - enforce that signing is done by a parent domain (or same domain).
10701 - adjust TTL downwards if rrset TTL bigger than signature allows.
10702 - permissive mode feature, sets AD bit for secure, but bogus does
10703 not give servfail (bogus is changed into indeterminate).
10704 - optimization of rrset verification. rr canonical sorting is reused,
10705 for the same rrset. canonical rrset image in buffer is reused for
10706 the same signature.
10707 - if the rrset is too big (64k exactly + large owner name) the
10708 canonicalization routine will fail if it does not fit in buffer.
10709 - faster verification for large sigsets.
10710 - verb_detail mode reports validation failures, but not the entire
10711 algorithm for validation. Key prime failures are reported as
10714 27 August 2007: Wouter
10715 - do not garble the edns if a cache answer fails.
10716 - answer norecursive from cache if possible.
10717 - honor clean_additional setting when returning secure non-recursive
10719 - do not store referral in msg cache for nonRD queries.
10720 - store verification status in the rrset cache to speed up future
10722 - mark rrsets indeterminate and insecure if they are found to be so.
10723 and store this in the cache.
10725 24 August 2007: Wouter
10726 - message is bogus if unsecure authority rrsets are present.
10727 - val-clean-additional option, so you can turn it off.
10728 - move rrset verification out of the specific proof types into one
10729 routine. This makes the proof routines prettier.
10730 - fixup cname handling in validator, cname-to-positive and cname-to-
10732 - Do not synthesize DNSKEY and DS responses from the rrset cache if
10733 the rrset is from the additional section. Signatures may have
10734 fallen off the packet, and cause validation failure.
10735 - more verbose signature date errors (with the date attached).
10736 - increased default infrastructure cache size. It is important for
10737 performance, and 1000 entries are only 212k (or a 400 k total cache
10738 size). To 10000 entries (for 2M entries, 4M cache size).
10740 23 August 2007: Wouter
10741 - CNAME handling - move needs_validation to before val_new().
10742 val_new() setups the chase-reply to be an edited copy of the msg.
10743 new classification, and find signer can find for it.
10744 removal of unsigned crap from additional, and query restart for
10746 - refuse to follow wildcarded DNAMEs when validating.
10747 But you can query for qtype ANY, or qtype DNAME and validate that.
10749 22 August 2007: Wouter
10751 - review - use val_error().
10753 21 August 2007: Wouter
10754 - ANY response validation.
10755 - store security status in cache.
10756 - check cache security status and either send the query to be
10757 validated, return the query to client, or send servfail to client.
10758 Sets AD bit on validated replies.
10759 - do not examine security status on an error reply in mesh_done.
10760 - construct DS, DNSKEY messages from rrset cache.
10761 - manual page entry for override-date.
10763 20 August 2007: Wouter
10764 - validate and positive validation, positive wildcard NSEC validation.
10765 - nodata validation, nxdomain validation.
10767 18 August 2007: Wouter
10768 - process DNSKEY response in FINDKEY state.
10770 17 August 2007: Wouter
10771 - work on DS2KE routine.
10772 - val_nsec.c for validator NSEC proofs.
10773 - unit test for NSEC bitmap reading.
10774 - dname iswild and canonical_compare with unit tests.
10776 16 August 2007: Wouter
10777 - DS sig unit test.
10778 - latest release libevent 1.3c and 1.3d have threading fixed.
10779 - key entry fixup data pointer and ttl absolute.
10780 - This makes a key-prime succeed in validator, with DS or DNSKEY as
10782 - fixup canonical compare byfield routine, fix bug and also neater.
10783 - fixed iterator response type classification for queries of type
10785 dig ANY gives sometimes NS rrset in AN and NS section, and parser
10786 removes the NS section duplicate. dig NS gives sometimes the NS
10787 in the answer section, as referral.
10788 - validator FINDKEY state.
10790 15 August 2007: Wouter
10791 - crypto calls to verify signatures.
10792 - unit test for rrsig verification.
10794 14 August 2007: Wouter
10795 - default outgoing ports changed to avoid port 2049 by default.
10796 This port is widely blocked by firewalls.
10797 - count infra lameness cache in memory size.
10798 - accounting of memory improved
10799 - outbound entries are allocated in the query region they are for.
10800 - extensive debugging for memory allocations.
10801 - --enable-lock-checks can be used to enable lock checking.
10802 - protect undefs in config.h from autoheaders ministrations.
10803 - print all received udp packets. log hex will print on multiple
10805 - fixed error in parser with backwards rrsig references.
10806 - mark cycle targets for iterator did not have CD flag so failed
10809 13 August 2007: Wouter
10810 - fixup makefile, if lexer is missing give nice error and do not
10811 mess up the dependencies.
10812 - canonical compare routine updated.
10813 - canonical hinfo compare.
10814 - printout list of the queries that the mesh is working on.
10816 10 August 2007: Wouter
10817 - malloc and free overrides that track total allocation and frees.
10818 for memory debugging.
10819 - work on canonical sort.
10821 9 August 2007: Wouter
10822 - canonicalization, signature checks
10823 - dname signature label count and unit test.
10824 - added debug heap size print to memory printout.
10825 - typo fixup in worker.c
10826 - -R needed on solaris.
10827 - validator override option for date check testing.
10829 8 August 2007: Wouter
10830 - ldns _raw routines created (in ldns trunk).
10831 - sigcrypt DS digest routines
10832 - val_utils uses sigcrypt to perform signature cryptography.
10833 - sigcrypt keyset processing
10835 7 August 2007: Wouter
10836 - security status type.
10837 - security status is copied when rdata is equal for rrsets.
10838 - rrset id is updated to invalidate all the message cache entries
10839 that refer to NSEC, NSEC3, DNAME rrsets that have changed.
10841 - val_sigcrypt file for validator signature checks.
10843 6 August 2007: Wouter
10844 - key cache for validator.
10845 - moved isroot and dellabel to own dname routines, with unit test.
10847 3 August 2007: Wouter
10849 - scrubber check section of lame NS set.
10850 - trust anchors can be in config file or read from zone file,
10851 DS and DNSKEY entries.
10852 - unit test trust anchor storage.
10853 - trust anchors converted to packed rrsets.
10854 - key entry definition.
10856 2 August 2007: Wouter
10857 - configure change for latest libevent trunk version (needs -lrt).
10858 - query_done and walk_supers are moved out of module interface.
10859 - fixup delegation point duplicates.
10860 - fixup iterator scrubber; lame NS set is let through the scrubber
10861 so that the classification is lame.
10862 - validator module exists, and does nothing but pass through,
10863 with calling of next module and return.
10866 1 August 2007: Wouter
10867 - set version to 0.5
10868 - module work for module to module interconnections.
10869 - config of modules.
10870 - detect cycle takes flags.
10872 31 July 2007: Wouter
10876 30 July 2007: Wouter
10877 - changed random state init, so that sequential process IDs are not
10878 cancelled out by sequential thread-ids in the random number seed.
10879 - the fwd_three test, which sends three queries to unbound, and
10880 unbound is kept waiting by ldns-testns for 3 seconds, failed
10881 because the retry timeout for default by unbound is 3 seconds too,
10882 it would hit that timeout and fail the test. Changed so that unbound
10883 is kept waiting for 2 seconds instead.
10885 27 July 2007: Wouter
10886 - removed useless -C debug option. It did not work.
10887 - text edit of documentation.
10888 - added doc/CREDITS file, referred to by the manpages.
10889 - updated planning.
10891 26 July 2007: Wouter
10892 - cycle detection, for query state dependencies. Will attempt to
10893 circumvent the cycle, but if no other targets available fails.
10894 - unit test for AXFR, IXFR response.
10895 - test for cycle detection.
10897 25 July 2007: Wouter
10898 - testbound read ADDRESS and check it.
10899 - test for version.bind and friends.
10900 - test for iterator chaining through several referrals.
10901 - test and fixup for refetch for glue. Refetch fails if glue
10902 is still not provided.
10904 24 July 2007: Wouter
10905 - Example section in config manual.
10906 - Addr stored for range and moment in replay.
10908 20 July 2007: Wouter
10909 - Check CNAME chain before returning cache entry with CNAMEs.
10910 - Option harden-glue, default is on. It will discard out of zone
10911 data. If disabled, performance is faster, but spoofing attempts
10912 become a possibility. Note that still normalize scrubbing is done,
10913 and that the potentially spoofed data is used for infrastructure
10914 and not returned to the client.
10915 - if glue times out, refetch by asking parent of delegation again.
10916 Much like asking for DS at the parent side.
10917 - TODO items from forgery-resilience draft.
10918 and on memory handling improvements.
10919 - renamed module_event_timeout to module_event_noreply.
10920 - memory reporting code; reports on memory usage after handling
10921 a network packet (not on cache replies).
10923 19 July 2007: Wouter
10924 - shuffle NS selection when getting nameserver target addresses.
10925 - fixup of deadlock warnings, yield cpu in checklock code so that
10926 freebsd scheduler selects correct process to run.
10927 - added identity and version config options and replies.
10928 - store cname messages complete answers.
10930 18 July 2007: Wouter
10931 - do not query addresses, 127.0.0.1, and ::1 by default.
10933 17 July 2007: Wouter
10934 - forward zone options in config file.
10935 - forward per zone in iterator. takes precedence over stubs.
10936 - fixup commithooks.
10937 - removed forward-to and forward-to-port features, subsumed by
10939 - fix parser to handle absent server: clause.
10940 - change untrusted rrset test to account for scrubber that is now
10941 applied during the test (which removes the poison, by the way).
10942 - feature, addresses can be specified with @portnumber, like nsd.conf.
10943 - test config files changed over to new forwarder syntax.
10945 27 June 2007: Wouter
10946 - delete of mesh does a postorder traverse of the tree.
10947 - found and fixed a memory leak. For TTL=0 messages, that would
10948 not be cached, instead the msg-replyinfo structure was leaked.
10949 - changed server selection so it will filter out hosts that are
10950 unresponsive. This is defined as a host with the maximum rto value.
10951 This means that unbound tried the host for retries up to 120 secs.
10952 The rto value will time out after host-ttl seconds from the cache.
10953 This keeps such unresolvable queries from taking up resources.
10954 - utility for keeping histogram.
10956 26 June 2007: Wouter
10957 - mesh is called by worker, and iterator uses it.
10958 This removes the hierarchical code.
10959 QueryTargets state and Finished state are merged for iterator.
10960 - forwarder mode no longer sets AA bit on first reply.
10961 - rcode in walk_supers is not needed.
10963 25 June 2007: Wouter
10965 - error encode routine for ease.
10967 22 June 2007: Wouter
10968 - removed unused _node iterator value from rbtree_t. Takes up space.
10969 - iterator can handle querytargets state without a delegation point
10970 set, so that a priming(stub) subquery error can be handled.
10971 - iterator stores if it is priming or not.
10972 - log_query_info() neater logging.
10973 - changed iterator so that it does not alter module_qstate.qinfo
10974 but keeps a chase query info. Also query_flags are not altered,
10975 the iterator uses chase_flags.
10976 - fixup crash in case no ports for the family exist.
10978 21 June 2007: Wouter
10979 - Fixup secondary buffer in case of error callback.
10980 - cleanup slumber list of runnable states.
10981 - module_subreq_depth fails to work in slumber list.
10982 - fixup query release for cached results to sub targets.
10983 - neater error for tcp connection failure, shows addr in verbose.
10984 - rbtree_init so that it can be used with preallocated memory.
10986 20 June 2007: Wouter
10987 - new -C option to enable coredumps after forking away.
10989 - fixup CNAME generation by scrubber, and memory allocation of it.
10990 - fixup deletion of serviced queries when all callbacks delete too.
10991 - set num target queries to 0 when you move them to slumber list.
10992 - typo in check caused subquery errors to be ignored, fixed.
10993 - make lint happy about rlim_t.
10994 - freeup of modules after freeup of module-states.
10995 - duplicate replies work, this uses secondary udp buffer in outnet.
10997 19 June 2007: Wouter
10998 - nicer layout in stats.c, review 0.3 change.
10999 - spelling improvement, review 0.3 change.
11000 - uncapped timeout for server selection, so that very fast or slow
11001 servers will stand out from the rest.
11002 - target-fetch-policy: "3 2 1 0 0" config setting.
11003 - fixup queries answered without RD bit (for root prime results).
11004 - refuse AXFR and IXFR requests.
11005 - fixup RD flag in error reply from iterator. fixup RA flag from
11006 worker error reply.
11007 - fixup encoding of very short edns buffer sizes, now sets TC bit.
11008 - config options harden-short-bufsize and harden-large-queries.
11010 18 June 2007: Wouter
11011 - same, move subqueries to slumber list when first has resolved.
11012 - fixup last fix for duplicate callbacks.
11013 - another offbyone in targetcounter. Also in Java prototype by the way.
11015 15 June 2007: Wouter
11016 - if a query asks to be notified of the same serviced query result
11017 multiple times, this will succeed. Only one callback will happen;
11018 multiple outbound-list entries result (but the double cleanup of it
11020 - when iterator moves on due to CNAME or referral, it will remove
11021 the subqueries (for other targets). These are put on the slumber
11023 - state module wait subq is OK with no new subqs, an old one may have
11024 stopped, with an error, and it is still waiting for other ones.
11025 - if a query loops, halt entire query (easy way to clean up properly).
11027 14 June 2007: Wouter
11028 - num query targets was > 0 , not >= 0 compared, so that fetch
11029 policy of 0 did nothing.
11031 13 June 2007: Wouter
11032 - debug option: configure --enable-static-exe for compile where
11033 ldns and libevent are linked statically. Default is off.
11034 - make install and make uninstall. Works with static-exe and without.
11035 installation of unbound binary and manual pages.
11036 - alignment problem fix on solaris 64.
11037 - fixup address in case of TCP error.
11039 12 June 2007: Wouter
11040 - num target queries was set to 0 at a bad time. Default it to 0 and
11041 increase as target queries are done.
11042 - synthesize CNAME and DNAME responses from the cache.
11043 - Updated doxygen config for doxygen 1.5.
11044 - aclocal newer version.
11045 - doxygen 1.5 fixes for comments (for the strict check on docs).
11047 11 June 2007: Wouter
11048 - replies on TCP queries have the address field set in replyinfo,
11049 for serviced queries, because the initiator does not know that
11050 a TCP fallback has occured.
11051 - omit DNSSEC types from nonDO replies, except if qtype is ANY or
11052 if qtype directly queries for the type (and then only show that
11053 'unknown type' in the answer section).
11054 - fixed message parsing where rrsigs on their own would be put
11055 in the signature list over the rrsig type.
11057 7 June 2007: Wouter
11058 - fixup error in double linked list insertion for subqueries and
11059 for outbound list of serviced queries for iterator module.
11060 - nicer printout of outgoing port selection.
11061 - fixup cname target readout.
11062 - nicer debug output.
11063 - fixup rrset counts when prepending CNAMEs to the answer.
11064 - fixup rrset TTL for prepended CNAMEs.
11065 - process better check for looping modules, and which submodule to
11067 - subreq insertion code fixup for slumber list.
11068 - VERB_DETAIL, verbosity: 2 level gives short but readable output.
11069 VERB_ALGO, verbosity: 3 gives extensive output.
11070 - fixup RA bit in cached replies.
11071 - fixup CNAME responses from the cache no longer partial response.
11072 - error in network send handled without leakage.
11073 - enable ip6 from config, and try ip6 addresses if available,
11074 if ip6 is not connected, skips to next server.
11076 5 June 2007: Wouter
11077 - iterator state finished.
11078 - subrequests without parent store in cache and stop.
11079 - worker slumber list for ongoing promiscuous queries.
11080 - subrequest error handling.
11081 - priming failure returns SERVFAIL.
11082 - priming gives LAME result, returns SERVFAIL.
11083 - debug routine to print dns_msg as handled by iterator.
11084 - memleak in config file stubs fixup.
11085 - more small bugs, in scrubber, query compare no ID for lookup,
11086 in dname validation for NS targets.
11087 - sets entry.key for new special allocs.
11088 - lognametypeclass can display unknown types and classes.
11090 4 June 2007: Wouter
11091 - random selection of equally preferred nameserver targets.
11092 - reply info copy routine. Reuses existing code.
11093 - cache lameness in response handling.
11094 - do not touch qstate after worker_process_query because it may have
11095 been deleted by that routine.
11096 - Prime response state.
11097 - Process target response state.
11098 - some memcmp changed to dname_compare for case preservation.
11100 1 June 2007: Wouter
11101 - normalize incoming messages. Like unbound-java, with CNAME chain
11102 checked, DNAME checked, CNAME's synthesized, glue checked.
11103 - sanitize incoming messages.
11104 - split msgreply encode functions into own file msgencode.c.
11105 - msg_parse to queryinfo/replyinfo conversion more versatile.
11106 - process_response, classify response, delegpt_from_message.
11108 31 May 2007: Wouter
11109 - querytargets state.
11110 - dname_subdomain_c() routine.
11111 - server selection, based on RTT. ip6 is filtered out if not available,
11112 and lameness is checked too.
11113 - delegation point copy routine.
11115 30 May 2007: Wouter
11116 - removed FLAG_CD from message and rrset caches. This was useful for
11117 an agnostic forwarder, but not for a sophisticated (trust value per
11118 rrset enabled) cache.
11119 - iterator response typing.
11120 - iterator cname handle.
11121 - iterator prime start.
11123 - processInitRequest and processInitRequest2.
11124 - cache synthesizes referral messages, with DS and NSEC.
11125 - processInitRequest3.
11126 - if a request creates multiple subrequests these are all activated.
11128 29 May 2007: Wouter
11129 - routines to lock and unlock array of rrsets moved to cache/rrset.
11130 - lookup message from msg cache (and copy to region).
11131 - fixed cast error in dns msg lookup.
11132 - message with duplicate rrset does not increase its TTLs twice.
11133 - 'qnamesize' changed to 'qname_len' for similar naming scheme.
11135 25 May 2007: Wouter
11136 - Acknowledge use of unbound-java code in iterator. Nicer readme.
11137 - services/cache/dns.c DNS Cache. Hybrid cache uses msgcache and
11138 rrset cache from module environment.
11139 - packed rrset key has type and class as easily accessible struct
11140 members. They are still kept in network format for fast msg encode.
11141 - dns cache find_delegation routine.
11142 - iterator main functions setup.
11143 - dns cache lookup setup.
11145 24 May 2007: Wouter
11146 - small changes to prepare for subqueries.
11147 - iterator forwarder feature separated out.
11148 - iterator hints stub code, config file stub code, so that first
11149 testing can proceed locally.
11150 - replay tests now have config option to enable forwarding mode.
11152 23 May 2007: Wouter
11153 - outside network does precise timers for roundtrip estimates for rtt
11154 and for setting timeout for UDP. Pending_udp takes milliseconds.
11155 - cleaner iterator sockaddr conversion of forwarder address.
11156 - iterator/iter_utils and iter_delegpt setup.
11159 22 May 2007: Wouter
11160 - outbound query list for modules and support to callback with the
11161 outbound entry to the module.
11162 - testbound support for new serviced queries.
11163 - test for retry to TCP cannot use testbound any longer.
11164 - testns test for EDNS fallback, test for TCP fallback already exists.
11165 - fixes for no-locking compile.
11166 - mini_event timer precision and fix for change in timeouts during
11167 timeout callback. Fix for fwd_three tests, performed nonexit query.
11169 21 May 2007: Wouter
11170 - small comment on hash table locking.
11171 - outside network serviced queries, contain edns and tcp fallback,
11172 and udp retries and rtt timing.
11174 16 May 2007: Wouter
11175 - lruhash_touch() would cause locking order problems. Fixup in
11176 lock-verify in case locking cycle is found.
11177 - services/cache/rrset.c for rrset cache code.
11178 - special rrset_cache LRU updating function that uses the rrset id.
11179 - no dependencies calculation when make clean is called.
11180 - config settings for infra cache.
11181 - daemon code slightly cleaner, only creates caches once.
11183 15 May 2007: Wouter
11185 - unit test for host cache.
11187 14 May 2007: Wouter
11188 - Port to OS/X and Dec Alpha. Printf format and alignment fixes.
11189 - extensive lock debug report on join timeout.
11190 - proper RTT calculation, in utility code.
11191 - setup of services/cache/infra, host cache.
11193 11 May 2007: Wouter
11194 - iterator/iterator.c module.
11195 - fixup to pass reply_info in testcode and in netevent.
11197 10 May 2007: Wouter
11198 - created release-0.3 svn tag.
11200 - fixed compression - no longer compresses root name.
11203 - outside network cleans up waiting tcp queries on exit.
11205 - testbound replay with retry in TCP mode.
11206 - tpkg test for retry in TCP mode, against ldns-testns server.
11207 - daemon checks max number of open files and complains if not enough.
11208 - test where data expires in the cache.
11209 - compiletests: fixed empty body ifstatements in alloc.c, in case
11210 locks are disabled.
11213 - outgoing network keeps list of available tcp buffers for outgoing
11215 - outgoing-num-tcp config option.
11216 - outgoing network keeps waiting list of queries waiting for buffer.
11217 - netevent supports outgoing tcp commpoints, nonblocking connects.
11220 - EDNS read from query, used to make reply smaller.
11221 - advertised edns value constants.
11222 - EDNS BADVERS response, if asked for too high edns version.
11223 - EDNS extended error responses once the EDNS record from the query
11224 has successfully been parsed.
11227 - msgreply sizefunc is more accurate.
11228 - config settings for rrset cache size and slabs.
11229 - hashtable insert takes argument so that a thread can use its own
11230 alloc cache to store released keys.
11231 - alloc cache special_release() locks if necessary.
11232 - rrset trustworthiness type added.
11233 - thread keeps a scratchpad region for handling messages.
11234 - writev used in netevent to write tcp length and data after another.
11235 This saves a roundtrip on tcp replies.
11236 - test for one rrset updated in the cache.
11237 - test for one rrset which is not updated, as it is not deemed
11238 trustworthy enough.
11239 - test for TTL refreshed in rrset.
11242 - fill refs. Use new parse and encode to answer queries.
11243 - stores rrsets in cache.
11244 - uses new msgreply format in cache.
11247 - dname unit tests in own file and spread out neatly in functions.
11248 - more dname unit tests.
11249 - message encoding creates truncated TC flagged messages if they do
11250 not fit, and will leave out (whole)rrsets from additional if needed.
11253 - decompress query section, extremely lenient acceptance.
11254 But only for answers from other servers, not for plain queries.
11255 - compression and decompression test cases.
11256 - some stats added.
11257 - example.conf interface: line is changed from 127.0.0.1 which leads
11258 to problems if used (restricting communication to the localhost),
11259 to a documentation and test address.
11261 27 April 2007: Wouter
11262 - removed iov usage, it is not good for dns message encoding.
11263 - owner name compression more optimal.
11264 - rrsig owner name compression.
11265 - rdata domain name compression.
11267 26 April 2007: Wouter
11268 - floating point exception fix in lock-verify.
11269 - lint uses make dependency
11270 - fixup lint in dname owner domain name compression code.
11271 - define for offset range that can be compressed to.
11273 25 April 2007: Wouter
11274 - prettier code; parse_rrset->type kept in host byte order.
11275 - datatype used for hashvalue of converted rrsig structure.
11276 - unit test compares edns section data too.
11278 24 April 2007: Wouter
11279 - ttl per RR, for RRSIG rrsets and others.
11280 - dname_print debug function.
11281 - if type is not known, size calc will skip DNAME decompression.
11282 - RRSIG parsing and storing and putting in messages.
11283 - dnssec enabled unit tests (from nlnetlabs.nl and se queries).
11284 - EDNS extraction routine.
11286 20 April 2007: Wouter
11287 - code comes through all of the unit tests now.
11288 - disabled warning about spurious extra data.
11289 - documented the RRSIG parse plan in msgparse.h.
11290 - rrsig reading and outputting.
11292 19 April 2007: Wouter
11293 - fix unit test to actually to tests.
11294 - fix write iov helper, and fakevent code.
11295 - extra builtin testcase (small packet).
11296 - ttl converted to network format in packets.
11297 - flags converted correctly
11298 - rdatalen off by 2 error fixup.
11299 - uses less iov space for header.
11301 18 April 2007: Wouter
11302 - review of msgparse code.
11303 - smaller test cases.
11305 17 April 2007: Wouter
11306 - copy and decompress dnames.
11307 - store calculated hash value too.
11308 - routine to create message out of stored information.
11309 - util/data/msgparse.c for message parsing code.
11310 - unit test, and first fixes because of test.
11311 * forgot rrset_count addition.
11312 * did & of ptr on stack for memory position calculation.
11313 * dname_pkt_copy forgot to read next label length.
11314 - test from file and fixes
11315 * double frees fixed in error conditions.
11316 * types with less than full rdata allowed by parser.
11317 Some dynamic update packets seem to use it.
11319 16 April 2007: Wouter
11320 - following a small change in LDNS, parsing code calculates the
11321 memory size to allocate for rrs.
11322 - code to handle ID creation.
11324 13 April 2007: Wouter
11325 - parse routines. Code that parses rrsets, rrs.
11327 12 April 2007: Wouter
11328 - dname compare routine that preserves case, with unit tests.
11330 11 April 2007: Wouter
11331 - parse work - dname packet parse, msgparse, querysection parse,
11332 start of sectionparse.
11334 10 April 2007: Wouter
11335 - Improved alignment of reply_info packet, nice for 32 and 64 bit.
11336 - Put RRset counts in reply_info, because the number of RRs can change
11337 due to RRset updates.
11338 - import of region-allocator code from nsd.
11339 - set alloc special type to ub_packed_rrset_key.
11340 Uses lruhash entry overflow chain next pointer in alloc cache.
11341 - doxygen documentation for region-allocator.
11342 - setup for parse scratch data.
11344 5 April 2007: Wouter
11345 - discussed packed rrset with Jelte.
11347 4 April 2007: Wouter
11348 - moved to version 0.3.
11349 - added util/data/dname.c
11350 - layout of memory for rrsets.
11352 3 April 2007: Wouter
11353 - detect sign of msghdr.msg_iovlen so that the cast to that type
11354 in netevent (which is there to please lint) can be correct.
11355 The type on several OSes ranges from int, int32, uint32, size_t.
11356 Detects unsigned or signed using math trick.
11357 - constants for DNS flags.
11358 - compilation without locks fixup.
11359 - removed include of unportable header from lookup3.c.
11360 - more portable use of struct msghdr.
11361 - casts for printf warning portability.
11362 - tweaks to tests to port them to the testbed.
11365 2 April 2007: Wouter
11366 - check sizes of udp received messages, not too short.
11367 - review changes. Some memmoves can be memcpys: 4byte aligned.
11368 set id correctly on cached answers.
11369 - review changes msgreply.c, memleak on error condition. AA flag
11370 clear on cached reply. Lowercase queries on hashing.
11371 unit test on lowercasing. Test AA bit not set on cached reply.
11372 Note that no TTLs are managed.
11374 29 March 2007: Wouter
11375 - writev or sendmsg used when answering from cache.
11376 This avoids a copy of the data.
11377 - do not do useless byteswap on query id. Store reply flags in uint16
11378 for easier access (and no repeated byteswapping).
11380 - configure detects and config.h includes sys/uio.h for writev decl.
11382 28 March 2007: Wouter
11383 - new config option: num-queries-per-thread.
11384 - added tpkg test for answering three queries at the same time
11385 using one thread (from the query service list).
11387 27 March 2007: Wouter
11388 - added test for cache and not cached answers, in testbound replays.
11389 - testbound can give config file and commandline options from the
11390 replay file to unbound.
11391 - created test that checks if items drop out of the cache.
11392 - added word 'partitioned hash table' to documentation on slab hash.
11393 A slab hash is a partitioned hash table.
11394 - worker can handle multiple queries at a time.
11396 26 March 2007: Wouter
11397 - config settings for slab hash message cache.
11398 - test for cached answer.
11399 - Fixup deleting fake answer from testbound list.
11401 23 March 2007: Wouter
11402 - review of yesterday's commits.
11403 - covered up memory leak of the entry locks.
11404 - answers from the cache correctly. Copies flags correctly.
11405 - sanity check for incoming query replies.
11406 - slabbed hash table. Much nicer contention, need dual cpu to see.
11408 22 March 2007: Wouter
11409 - AIX configure check.
11410 - lock-verify can handle references to locks that are created
11411 in files it has not yet read in.
11412 - threaded hash table test.
11413 - unit test runs lock-verify afterwards and checks result.
11414 - need writelock to update data on hash_insert.
11415 - message cache code, msgreply code.
11417 21 March 2007: Wouter
11418 - unit test of hash table, fixup locking problem in table_grow().
11419 - fixup accounting of sizes for removing items from hashtable.
11420 - unit test for hash table, single threaded test of integrity.
11421 - lock-verify reports errors nicely. More quiet in operation.
11423 16 March 2007: Wouter
11424 - lock-verifier, checks consistent order of locking.
11426 14 March 2007: Wouter
11427 - hash table insert (and subroutines) and lookup implemented.
11428 - hash table remove.
11429 - unit tests for hash internal bin, lru functions.
11431 13 March 2007: Wouter
11432 - lock_unprotect in checklocks.
11433 - util/storage/lruhash.h for LRU hash table structure.
11435 12 March 2007: Wouter
11436 - configure.ac moved to 0.2.
11437 - query_info and replymsg util/data structure.
11439 9 March 2007: Wouter
11440 - added rwlock writelock checking.
11441 So it will keep track of the writelock, and readlocks are enforced
11442 to not change protected memory areas.
11443 - log_hex function to dump hex strings to the logfile.
11444 - checklocks zeroes its destroyed lock after checking memory areas.
11445 - unit test for alloc.
11446 - identifier for union in checklocks to please older compilers.
11449 8 March 2007: Wouter
11450 - Reviewed checklock code.
11452 7 March 2007: Wouter
11453 - created a wrapper around thread calls that performs some basic
11454 checking for data race and deadlock, and basic performance
11455 contention measurement.
11457 6 March 2007: Wouter
11458 - Testbed works with threading (different machines, different options).
11459 - alloc work, does the special type.
11461 2 March 2007: Wouter
11462 - do not compile fork funcs unless needed. Otherwise will give
11463 type errors as their typedefs have not been enabled.
11464 - log shows thread numbers much more nicely (and portably).
11465 - even on systems with nonthreadsafe libevent signal handling,
11466 unbound will exit if given a signal.
11467 Reloads will not work, and exit is not graceful.
11468 - start of alloc framework layout.
11470 1 March 2007: Wouter
11471 - Signals, libevent and threads work well, with libevent patch and
11472 changes to code (close after event_del).
11473 - set ipc pipes nonblocking.
11475 27 February 2007: Wouter
11476 - ub_thread_join portable definition.
11477 - forking is used if no threading is available.
11478 Tested, it works, since pipes work across processes as well.
11479 Thread_join is replaced with waitpid.
11480 - During reloads the daemon will temporarily handle signals,
11481 so that they do not result in problems.
11482 - Also randomize the outgoing port range for tests.
11483 - If query list is full, will stop selecting listening ports for read.
11484 This makes all threads service incoming requests, instead of one.
11485 No memory is leaking during reloads, service of queries, etc.
11486 - test that uses ldns-testns -f to test threading. Have to answer
11487 three queries at the same time.
11488 - with verbose=0 operates quietly.
11490 26 February 2007: Wouter
11491 - ub_random code used to select ID and port.
11492 - log code prints thread id.
11493 - unbound can thread itself, with reload(HUP) and quit working
11495 - don't open pipes for #0, doesn't need it.
11496 - listens to SIGTERM, SIGQUIT, SIGINT (all quit) and SIGHUP (reload).
11498 23 February 2007: Wouter
11499 - Can do reloads on sigHUP. Everything is stopped, and freed,
11500 except the listening ports. Then the config file is reread.
11501 And everything is started again (and listening ports if needed).
11502 - Ports for queries are shared.
11503 - config file added interface:, chroot: and username:.
11504 - config file: directory, logfile, pidfile. And they work too.
11505 - will daemonize by default now. Use -d to stay in the foreground.
11506 - got BSD random[256 state] code, made it threadsafe. util/random.
11508 22 February 2007: Wouter
11509 - Have a config file. Removed commandline options, moved to config.
11510 - tests use config file.
11512 21 February 2007: Wouter
11513 - put -c option in man page.
11514 - minievent fd array capped by FD_SETSIZE.
11516 20 February 2007: Wouter
11517 - Added locks code and pthread spinlock detection.
11518 - can use no locks, or solaris native thread library.
11519 - added yacc and lex configure, and config file parsing code.
11520 also makedist.sh, and manpage.
11521 - put include errno.h in config.h
11523 19 February 2007: Wouter
11524 - Created 0.0 svn tag.
11525 - added acx_pthread.m4 autoconf check for pthreads from
11526 the autoconf archive. It is GPL-with-autoconf-exception Licensed.
11527 You can specify --with-pthreads, or --without-pthreads to configure.
11529 16 February 2007: Wouter
11530 - Updated testbed script, works better by using make on remote end.
11531 - removed check decls, we can compile without them.
11532 - makefile supports LIBOBJ replacements.
11533 - docs checks ignore compat code.
11534 - added util/mini-event.c and .h, a select based alternative used with
11535 ./configure --with-libevent=no
11536 It is limited to 1024 file descriptors, and has less features.
11537 - will not create ip6 sockets if ip6 not on the machine.
11539 15 February 2007: Wouter
11540 - port to FreeBSD 4.11 Dec Alpha. Also works on Solaris 10 sparc64,
11541 Solaris 9, FreeBSD 6, Linux i386 and OSX powerpc.
11542 - malloc rndstate, so that it is aligned for access.
11543 - fixed rbtree cleanup with postorder traverse.
11544 - fixed pending messages are deleted when handled.
11545 - You can control verbosity; default is not verbose, every -v
11546 adds more verbosity.
11548 14 February 2007: Wouter
11549 - Included configure.ac changes from ldns.
11550 - detect (some) headers before the standards check.
11551 - do not use isblank to test c99, since its not available on solaris9.
11552 - review of testcode.
11553 * entries in a RANGE are no longer reversed.
11554 * print name of file with replay entry parse errors.
11555 - port to OSX: cast to int for some prints of sizet.
11556 - Makefile copies ldnstestpkts.c before doing dependencies on it.
11558 13 February 2007: Wouter
11559 - work on fake events, first fwd replay works.
11560 - events can do timeouts and errors on queries to servers.
11561 - test package that runs replay scenarios.
11563 12 February 2007: Wouter
11564 - work on fake events.
11566 9 February 2007: Wouter
11567 - replay file reading.
11568 - fake event setup, it creates fake structures, and teardowns,
11569 added signal callbacks to reply to be able to fake those,
11570 and main structure of event replay routines.
11572 8 February 2007: Wouter
11575 - testcode/fake_event work.
11577 7 February 2007: Wouter
11578 - return answer with the same ID as query was sent with.
11579 - created udp forwarder test. I've done some effort to make it perform
11580 quickly. After servers are created, no big sleep statements but
11581 it checks the logfiles to see if servers have come up. Takes 0.14s.
11582 - set addrlen value when calling recvfrom.
11583 - comparison of addrs more portable.
11584 - LIBEVENT option for testbed to set libevent directory.
11585 - work on tcp input.
11587 6 February 2007: Wouter
11588 - reviewed code and improved in places.
11590 5 February 2007: Wouter
11591 - Picked up stdc99 and other define tests from ldns. Improved
11592 POSIX define test to include getaddrinfo.
11593 - defined constants for netevent callback error code.
11594 - unit test for strisip6.
11596 2 February 2007: Wouter
11597 - Created udp4 and udp6 port arrays to provide service for both
11599 - uses IPV6_USE_MIN_MTU for udp6 ,IPV6_V6ONLY to make ip6 sockets.
11600 - listens on both ip4 and ip6 ports to provide correct return address.
11601 - worker fwder address filled correctly.
11602 - fixup timer code.
11603 - forwards udp queries and sends answer.
11605 1 February 2007: Wouter
11606 - outside network more UDP work.
11607 - moved * closer to type.
11608 - comm_timer object and events.
11610 31 January 2007: Wouter
11611 - Added makedist.sh script to make release tarball.
11612 - Removed listen callback layer, did not add anything.
11613 - Added UDP recv to netevent, worker callback for udp.
11614 - netevent communication reply storage structure.
11615 - minimal query header sanity checking for worker.
11616 - copied over rbtree implementation from NSD (BSD licensed too).
11617 - outgoing network query service work.
11619 30 January 2007: Wouter
11620 - links in example/ldns-testpkts.c and .h for premade packet support.
11621 - added callback argument to listen_dnsport and daemon/worker.
11623 29 January 2007: Wouter
11624 - unbound.8 a short manpage.
11626 26 January 2007: Wouter
11628 - make lint works on BSD and Linux (openssl defines).
11630 - testbound program start.
11632 25 January 2007: Wouter
11633 - fixed lint so it may work on BSD.
11634 - put license into header of every file.
11635 - created verbosity flag.
11636 - fixed libevent configure flag.
11637 - detects event_base_free() in new libevent 1.2 version.
11638 - getopt in daemon. fatal_exit() and verbose() logging funcs.
11639 - created log_assert, that throws assertions to the logfile.
11640 - listen_dnsport service. Binds ports.
11642 24 January 2007: Wouter
11643 - cleaned up configure.ac.
11645 23 January 2007: Wouter
11646 - added libevent to configure to link with.
11647 - util/netevent setup work.
11648 - configure searches for libevent.
11649 - search for libs at end of configure (when other headers and types
11651 - doxygen works with ATTR_UNUSED().
11652 - util/netevent implementation.
11654 22 January 2007: Wouter
11655 - Designed header file for network communication.
11657 16 January 2007: Wouter
11658 - added readme.svn and readme.tests.
11660 4 January 2007: Wouter
11661 - Testbed script (run on multiple platforms the test set).
11662 Works on Sunos9, Sunos10, FreeBSD 6.1, Fedora core 5.
11663 - added unit test tpkg.
11665 3 January 2007: Wouter
11666 - committed first set of files into subversion repository.
11667 svn co svn+ssh://unbound.net/svn/unbound
11668 You need a ssh login. There is no https access yet.
11669 - Added LICENSE, the BSD license.
11670 - Added doc/README with compile help.
11671 - main program stub and quiet makefile.
11672 - minimal logging service (to stderr).
11673 - added postcommit hook that serves emails.
11674 - added first test 00-lint. postcommit also checks if build succeeds.
11675 - 01-doc: doxygen doc target added for html docs. And stringent test
11676 on documented files, functions and parameters.
11678 15 December 2006: Wouter
11679 - Created Makefile.in and configure.ac.
projects / FreeBSD / FreeBSD.git / blob