1 30 November 2020: Wouter
2 - Fix assertion failure on double callback when iterator loses
3 interest in query at head of line that then has the tcp stream
5 - tag for the 1.13.0rc4 release.
7 27 November 2020: Wouter
8 - Fix compile warning for type cast in http2_submit_dns_response.
9 - Fix when use free buffer to initialize rbtree for stream reuse.
10 - Fix compile warnings for windows.
11 - Fix compile warnings in rpz initialization.
12 - Fix contrib/metrics.awk for FreeBSD awk compatibility.
13 - tag for the 1.13.0rc3 release.
15 26 November 2020: Wouter
16 - Fix to omit UDP receive errors from log, if verbosity low.
17 These happen because of udp-connect.
18 - For #352: contrib/metrics.awk for Prometheus style metrics output.
19 - Fix that after failed read, the readagain cannot activate.
20 - Clear readagain upon decommission of pending tcp structure.
22 25 November 2020: Wouter
23 - with udp-connect ignore connection refused with UDP timeouts.
24 - Fix udp-connect on FreeBSD, do send calls on connected UDP socket.
25 - Better fix for reuse tree comparison for is-tls sockets. Where
26 the tree key identity is preserved after cleanup of the TLS state.
27 - Remove debug commands from reuse tests.
28 - Fix memory leak for edns client tag opcode config element.
29 - Attempt fix for libevent state in tcp reuse cases after a packet
31 - Fix readagain and writeagain callback functions for comm point
33 - tag for the 1.13.0rc2 release.
35 24 November 2020: Wouter
36 - Merge PR #283 : Stream reuse. This implements upstream stream
37 reuse for performing several queries over the same TCP or TLS
39 - set version of main branch to 1.13.0 for upcoming release.
40 - iana portlist updated.
41 - Fix one port unit test for udp-connect.
42 - tag for the 1.13.0rc1 release.
43 - Fix crash when TLS connection is closed prematurely, when
44 reuse tree comparison is not properly identical to insertion.
45 - Fix padding of struct regional for 32bit systems.
47 23 November 2020: George
48 - Merge PR #313 from Ralph Dolmans: Replace edns-client-tag with
49 edns-client-string option.
51 23 November 2020: Wouter
52 - Merge #351 from dvzrv: Add AF_NETLINK to set of allowed socket
54 - Fix #350: with the AF_NETLINK permission, to fix 1.12.0 error:
55 failed to list interfaces: getifaddrs: Address family not
56 supported by protocol.
57 - Fix #347: IP_DONTFRAG broken on Apple xcode 12.2.
58 - Option to toggle udp-connect, default is enabled.
59 - Fix for #303 CVE-2020-28935 : Fix that symlink does not interfere
60 with chown of pidfile.
61 - Further fix for it and retvalue 0 fix for it.
63 12 November 2020: Wouter
64 - Fix to connect() to UDP destinations, default turned on,
65 this lowers vulnerability to ICMP side channels.
66 - Retry for interfaces with unused ports if possible.
68 10 November 2020: Wouter
69 - Fix #341: fixing a possible memory leak.
70 - Fix memory leak after fix for possible memory leak failure.
71 - Fix #343: Fail to build --with-libnghttp2 with error: 'SSIZE_MAX'
74 27 October 2020: Wouter
75 - In man page note that tls-cert-bundle is read before permission
78 22 October 2020: Wouter
79 - Fix #333: Unbound Segmentation Fault w/ log_info Functions From
81 - Fix that minimal-responses does not remove addresses from a priming
84 21 October 2020: George
85 - Fix #327: net/if.h check fails on some darwin versions; contribution by
87 - Fix #320: potential memory corruption due to size miscomputation upton
88 custom region alloc init.
90 21 October 2020: Wouter
91 - Merge PR #228 : infra-keep-probing option to probe hosts that are
92 down. Add infra-keep-probing: yes option. Hosts that are down are
93 probed more frequently.
94 With the option turned on, it probes about every 120 seconds,
95 eventually after exponential backoff, and that keeps that way. If
96 traffic keeps up for the domain. It probes with one at a time, eg.
97 one query is allowed to probe, other queries within that 120 second
98 interval are turned away.
100 19 October 2020: George
101 - Merge PR #324 from James Renken: Add modern X.509v3 extensions to
102 unbound-control TLS certificates.
103 - Fix for PR #324 to attach the x509v3 extensions to the client
106 19 October 2020: Ralph
107 - local-zone regional allocations outside of chunk
109 19 October 2020: Wouter
110 - Fix that http settings have colon in set_option, for
111 http-endpoint, http-max-streams, http-query-buffer-size,
112 http-response-buffer-size, and http-nodelay.
113 - Fix memory leak of https port string when reading config.
114 - Fix #330: [Feature request] Add unencrypted DNS over HTTPS support.
115 This adds the option http-notls-downstream: yesno to change that,
116 and the dohclient test code has the -n option.
117 - Fix python documentation warning on functions.rst inplace_cb_reply.
118 - Fix dnstap test to wait for log timer to see if queries are logged.
119 - Log ip address when http session recv fails, eg. due to tls fail.
120 - Fix to set the tcp handler event toggle flag back to default when
121 the handler structure is reused.
122 - Clean the fix for out of order TCP processing limits on number
123 of queries. It was tested to work.
125 16 October 2020: Wouter
126 - Fix that the out of order TCP processing does not limit the
127 number of outstanding queries over a connection.
129 15 October 2020: George
130 - Fix that if there are reply callbacks for the given rcode, those
131 are called per reply and a new message created if that was modified
133 - Pass the comm_reply information to the inplace_cb_reply* functions
134 during the mesh state and update the documentation on that.
136 15 October 2020: Wouter
137 - Merge PR #326 from netblue30: DoH: implement content-length
139 - DoH content length, simplify code, remove declaration after
140 statement and fix cast warning.
142 14 October 2020: Wouter
143 - Fix for python reply callback to see mesh state reply_list member,
144 it only removes it briefly for the commpoint call so that it does
145 not drop it and attempt to modify the reply list during reply.
146 - Fix that if there are on reply callbacks, those are called per
147 reply and a new message created if that was modified by the call.
148 - Free up auth zone parse region after use for lookup of host
150 13 October 2020: Wouter
151 - Fix #323: unbound testsuite fails on mock build in systemd-nspawn
152 if systemd support is build.
154 9 October 2020: Wouter
155 - Fix dnstap socket and the chroot not applied properly to the dnstap
157 - Fix warning in libnss compile, nss_buf2dsa is not used without DSA.
159 8 October 2020: Wouter
160 - Tag for 1.12.0 release.
161 - Current repo is version 1.12.1 in development.
162 - Fix #319: potential memory leak on config failure, in rpz config.
164 1 October 2020: Wouter
165 - Current repo is version 1.12.0 for release. Tag for 1.12.0rc1.
167 30 September 2020: Wouter
168 - Fix doh tests when not compiled in.
169 - Add dohclient test executable to gitignore.
170 - Fix stream_ssl, ssl_req_order and ssl_req_timeout tests for
171 alloc check debug output.
172 - Easier kill of unbound-dnstap-socket tool in test.
173 - Fix memory leak of edns tags at libunbound context delete.
174 - Fix double loopexit for unbound-dnstap-socket after sigterm.
176 29 September 2020: Ralph
177 - DNS Flag Day 2020: change edns-buffer-size default to 1232.
179 28 September 2020: Wouter
180 - Fix unit test for dnstap changes, so that it waits for the timer.
182 23 September 2020: Wouter
183 - Fix #305: dnstap logging significantly affects unbound performance
184 (regression in 1.11).
185 - Fix #305: only wake up thread when threshold reached.
186 - Fix to ifdef fptr wlist item for dnstap.
188 23 September 2020: Ralph
189 - Fix edns-client-tags get_option typo
190 - Add edns-client-tag-opcode option
191 - Use inclusive language in configuration
193 21 September 2020: Ralph
194 - Fix #304: dnstap logging not recovering after dnstap process restarts
196 21 September 2020: Wouter
197 - Merge PR #311 by luismerino: Dynlibmod leak.
198 - Error message is logged for dynlibmod malloc failures.
199 - iana portlist updated.
201 18 September 2020: Wouter
202 - Fix that prefer-ip4 and prefer-ip6 can be get and set with
203 unbound-control, with libunbound and the unbound-checkconf option
205 - iana portlist updated.
207 15 September 2020: George
208 - Introduce test for statistics.
210 15 September 2020: Wouter
213 11 September 2020: Wouter
214 - Remove x file mode on ipset/ipset.c and h files.
216 9 September 2020: Wouter
217 - Fix num.expired statistics output.
219 31 August 2020: Wouter
220 - Merge PR #293: Add missing prototype. Also refactor to use the new
221 shorthand function to clean up the code.
222 - Refactor to use sock_strerr shorthand function.
223 - Fix #296: systemd nss-lookup.target is reached before unbound can
224 successfully answer queries. Changed contrib/unbound.service.in.
226 27 August 2020: Wouter
227 - Similar to NSD PR#113, implement that interface names can be used,
228 eg. something like interface: eth0 is resolved at server start and
229 uses the IP addresses for that named interface.
230 - Review fix, doxygen and assign null in case of error free.
232 26 August 2020: George
233 - Update documentation in python example code.
235 24 August 2020: Wouter
236 - Fix that dnstap reconnects do not spam the log with the repeated
237 attempts. Attempts on the timer are only logged on high verbosity,
238 if they produce a connection failure error.
239 - Fix to apply chroot to dnstap-socket-path, if chroot is enabled.
240 - Change configure to use EVP_sha256 instead of HMAC_Update for
243 20 August 2020: Ralph
244 - Fix stats double count issue (#289).
246 13 August 2020: Ralph
247 - Create and init edns tags data for libunbound.
249 10 August 2020: Ralph
250 - Merge (modified) PR #277, use EVP_MAC_CTX_set_params if available,
251 by VÃtÄ›zslav ČÞek.
253 10 August 2020: Wouter
254 - Fix #287: doc typo: "Additionaly".
257 6 August 2020: Wouter
258 - Merge PR #284 and Fix #246: Remove DLV entirely from Unbound.
259 The DLV has been decommisioned and in unbound 1.5.4, in 2015, there
260 was advise to stop using it. The current code base does not contain
261 DLV code any more. The use of dlv options displays a warning.
263 5 August 2020: Wouter
264 - contrib/aaaa-filter-iterator.patch file renewed diff content to
265 apply cleanly to the current coderepo for the current code version.
268 - Merge PR #272: Add EDNS client tag functionality.
270 4 August 2020: George
271 - Improve error log message when inserting rpz RR.
272 - Merge PR #280, Make tvOS & watchOS checks verify truthiness as well as
273 definedness, by Felipe Gasper.
275 4 August 2020: Wouter
276 - Fix mini_event.h on OpenBSD cannot find fd_set.
279 - Fix doxygen comment for no ssl for tls session ticket key callback
283 - Merge PR #268, draft-ietf-dnsop-serve-stale-10 has become RFC 8767 on
284 March 2020, by and0x000.
287 - Merge PR #269, Fix python module len() implementations, by Torbjörn
291 - branch now named 1.11.1. 1.11.0rc1 became the 1.11.0 release.
292 - Merge PR #270 from cgzones: munin plugin: always exit 0 in autoconf
295 - Fix streamtcp to print packet data to stdout. This makes the
296 stdout and stderr not mix together lines, when parsing its output.
297 - Fix contrib/fastrpz.patch to apply cleanly. It fixes for changes
298 due to added libdynmod, but it does not compile, it conflicts with
300 - branch now named 1.11.0 and 1.11.0rc1 tag.
303 - Fix libnettle compile for session ticket key callback function
305 - Fix lock dependency cycle in rpz zone config setup.
308 - Merge PR #234 - Ensure proper alignment of cmsg buffers by Jérémie
310 - Fix PR #234 log_assert sizeof to use union buffer.
313 - Fix check conf test for referencing installation paths.
314 - Fix unused variable warning for clang analyzer.
317 - Introduce 'include-toplevel:' configuration option.
320 - Add bidirectional frame streams support.
323 - Fix add missing DSA header, for compilation without deprecated
325 - Fix to use SSL_CTX_set_tlsext_ticket_key_evp_cb in OpenSSL
327 - Longer keys for the test set, this avoids weak crypto errors.
330 - Fix #259: Fix unbound-checkconf does not check view existence.
331 unbound-checkconf checks access-control-view, access-control-tags,
332 access-control-tag-actions and access-control-tag-datas.
333 - Fix offset of error printout for access-control-tag-datas.
334 - Review fixes for checkconf #259 change.
337 - run_vm cleanup better and removes trailing slash on single argument.
340 - Move reply list clean for serve expired mesh callback to after
341 the reply is sent, so that script callbacks have reply_info.
342 - Also move reply list clean for mesh callbacks to the scrip callback
343 can see the reply_info.
344 - Fix for mesh accounting if the reply list already empty to begin
346 - Fix for mesh accounting when rpz decides to drop a reply with a
347 tcp stream waiting for it.
348 - Review fix for number of detached states due to use of variable
350 - Fix tcp req info drop due to size call into mesh accounting
351 removal of mesh state during mesh send reply.
354 - iana portlist updated.
355 - doxygen file comments for dynlibmodule.
358 - Fix default explanation in man page for qname-minimisation-strict.
359 - Fix display of event loop method with libev.
362 - Mention tls name possible when tls is enabled for stub-addr in the
366 - Merge PR #241 by Robert Edmonds: contrib/libunbound.pc.in: Do not use
370 - Update contrib/aaaa-filter-iterator.patch for the recent
371 generate_sub_request() change and to apply cleanly.
374 - Fix for integer overflow when printing RDF_TYPE_TIME.
377 - CVE-2020-12662 Unbound can be tricked into amplifying an incoming
378 query into a large number of queries directed to a target.
379 - CVE-2020-12663 Malformed answers from upstream name servers can be
380 used to make Unbound unresponsive.
381 - Release 1.10.1 is 1.10.0 with fixes, code repository continues,
382 including those fixes, towards the next release. Configure has
383 version 1.10.2 version number in it.
384 - For PR #93: windows compile warnings removal
385 - windows compile warnings removal for ip dscp option code.
386 - For PR #93: unit test for dynlib module.
389 - For PR #93: dynlibmod can handle reloads and deinit and inits again,
390 with dlclose and dlopen of the library again. Also for multiple
391 modules. Fix memory leak by not closing dlopened content. Fix
392 to allow one dynlibmod instance by unbound-checkconf.
393 - For PR #93: checkconf allows multiple dynlib in module-config, for
395 - For PR #93: checkconf allows python dynlib in module-config, for
397 - For PR #93: man page spelling reference fix.
398 - For PR #93: fix link of other executables for dynlibmod dependency.
401 - Merge PR #93: Add dynamic library support.
402 - Fixed conflicts for PR #93 and make configure, yacc, lex.
403 - For PR #93: Fix warnings for dynlibmodule.
406 - Cache ECS answers with longest scope of CNAME chain.
408 22 April 2020: George
409 - Explicitly use 'rrset-roundrobin: no' for test cases.
411 21 April 2020: Wouter
412 - Merge #225 from akhait: KSK-2010 has been revoked. It removes the
413 KSK-2010 from the default list in unbound-anchor, now that the
414 revocation period is over. KSK-2017 is the only trust anchor in
415 the shipped default now.
417 21 April 2020: George
418 - Change default value for 'rrset-roundrobin' to yes.
419 - Fix tests for new rrset-roundrobin default.
421 20 April 2020: Wouter
422 - Fix #222: --enable-rpath, fails to rpath python lib.
423 - Fix for count of reply states in the mesh.
424 - Remove unneeded was_mesh_reply check.
426 17 April 2020: George
427 - Add SNI support on more TLS connections (fixes #193).
428 - Add SNI support to unbound-anchor.
430 16 April 2020: George
431 - Add doxygen documentation for DSCP.
433 16 April 2020: Wouter
434 - Fix help return code in unbound-control-setup script.
435 - Fix for posix shell syntax for trap in nsd-control-setup.
436 - Fix for posix shell syntax for trap in run_msg.sh test script.
438 15 April 2020: George
439 - Fix #220: auth-zone section in config may lead to segfault.
442 - Merge PR #214 from gearnode: unbound-control-setup recreate
443 certificates. With the -r option the certificates are created
444 again, without it, only the files that do not exist are created.
447 - Keep track of number of timeouts. Use this counter to determine if
448 capsforid fallback should be started.
451 - More documentation for redis-expire-records option.
454 - Merge PR #206: Redis TTL, by Talkabout.
456 30 March 2020: Wouter
457 - Merge PR #207: Clarify if-automatic listens on 0.0.0.0 and ::
458 - Merge PR #208: Fix uncached CLIENT_RESPONSE'es on stateful
461 27 March 2020: Wouter
462 - Merge PR #203 from noloader: Update README-Travis.md with current
466 - Make unbound-control error returned on missing domain name more user
470 - Fix RPZ concurrency issue when using auth_zone_reload.
472 25 March 2020: George
473 - Merge PR #201 from noloader: Fix OpenSSL cross-compaile warnings.
476 24 March 2020: Wouter
477 - Merge PR #200 from yarikk: add ip-dscp option to specify the DSCP
478 tag for outgoing packets.
480 - Travis fix for ios by omitting tools from install.
482 23 March 2020: Wouter
483 - Fix compile on Solaris for unbound-checkconf.
485 20 March 2020: George
486 - Merge PR #198 from fobser: Declare lz_enter_rr_into_zone() static, it's
487 only used in this file.
489 20 March 2020: Wouter
490 - Merge PR #197 from fobser: Make log_ident_revert_to_default() a
494 - Merge PR#191: Update iOS testing on Travis, by Jeffrey Walton.
495 - Fix #158: open tls-session-ticket-keys as binary, for Windows. By
497 - Merge PR#134, Allow the kernel to provide random source ports. By
499 - Log warning when using outgoing-port-permit and outgoing-port-avoid
500 while explicit port randomisation is disabled.
501 - Merge PR#194: Add libevent testing to Travis, by Jeffrey Walton.
502 - Fix .travis.yml error, missing 'env' option.
504 16 March 2020: Wouter
505 - Fix #192: In the unbound-checkconf tool, the module config of
506 dns64 subnetcache respip validator iterator is whitelisted, it was
507 reported it seems to work.
509 12 March 2020: Wouter
510 - Fix compile of test tools without protobuf.
513 - Add check to make sure RPZ records are subdomains of configured
516 11 March 2020: George
517 - Fix #189: mini_event.h:142:17: error: field 'ev_timeout' has incomplete
519 - Changelog entry for (Fix #189, Merge PR #190).
521 11 March 2020: Wouter
522 - Fix #188: unbound-control.c:882:6: error: 'execlp' is
523 unavailable: not available on tvOS.
526 - Merge PR #186, fix #183: Fix unrecognized 'echo -n' option on OS X, by
530 - Fix PR #182 from noloader: Add iOS testing to Travis.
533 - Update README-Travis.md (from PR #179), by Jeffrey Walton.
536 - Merge PR #181 from noloader: Fix OpenSSL -pie warning on Android.
539 - Merge PR #180 from noloader: Avoid calling exit in Travis script.
542 - Upgrade config.guess(2020-01-01) and config.sub(2020-01-01).
545 - Fix #175, Merge PR #176: fix link error when OpenSSL is configured
546 with no-engine, thanks noloader.
549 - Fix compiler warning in dns64/dns64.c
550 - Merge PR #174: Add Android to Travis testing, by noloader.
551 - Move android build scripts to contrib/ and allow android tests to fail.
554 - Fix #177: dnstap does not build on macOS.
556 28 February 2020: Ralph
557 - Merge PR #172: Add IBM s390x arch for testing, by noloader.
559 28 February 2020: Wouter
560 - Merge PR #173: updated makedist.sh for config.guess and
561 config.sub and sha256 digest for gpg, by noloader.
562 - Merge PR #164: Framestreams, this branch implements dnstap
563 unidirectional connectivity in unbound. This has a number of
566 The dependency on libfstrm is removed. The fstrm protocol code
567 resides in dnstap/dnstap_fstrm.h and dnstap/dnstap_fstrm.c. This
568 contains a brief definition of what unbound needs.
570 The make unbound-dnstap-socket builds a debug tool,
571 unbound-dnstap-socket. It can listen, accept multiple DNSTAP
572 streams and print information. Commandline options control it.
574 Unbound can reconnect if the unix domain socket file socket is
575 closed. This uses exponential backoff after which it uses a
576 one second timer to throttle cpu down. There is also support
577 to use TCP and TLS for connecting to the log server. There
578 are new config options to turn them on, in the dnstap section
579 in the man page and example config file. dnstap-ip with IP
580 address of server for TCP or TLS use. dnstap-tls to turn
581 on TLS. And dnstap-tls-server-name, dnstap-tls-cert-bundle,
582 dnstap-tls-client-key-file and dnstap-tls-client-cert-file
583 to configure the certificates for server authentication and
584 client authentication, or leave at "" to not use that.
586 27 February 2020: George
587 - Merge PR #171: Add additional compilers and platforms to Travis
588 testing, by noloader.
590 27 February 2020: Wouter
591 - Fix #169: Fix warning for daemon/remote.c output may be truncated
593 - Fix #170: Fix gcc undefined sanitizer signed integer overflow
594 warning in signature expiry RFC1982 serial number arithmetic.
595 - Fix more undefined sanitizer issues, in respip copy_rrset null
596 dname, and in the client_info_compare routine for null memcmp.
598 26 February 2020: Wouter
599 - iana portlist updated.
601 25 February 2020: Wouter
602 - Fix #165: Add prefer-ip4: yesno config option to prefer ipv4 for
603 using ipv4 filters, because the hosts ip6 netblock /64 is not owned
604 by one operator, and thus reputation is shared.
606 24 February 2020: George
607 - Merge PR #166: Fix typo in unbound.service.in, by glitsj16.
609 20 February 2020: Wouter
610 - Updated contrib/unbound_smf23.tar.gz with Solaris SMF service for
611 Unbound from Yuri Voinov.
612 - master branch has 1.10.1 version.
614 18 February 2020: Wouter
615 - protect X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS with ifdef for
616 different openssl versions.
618 17 February 2020: Wouter
619 - changelog point where the tag for 1.10.0rc2 release is. And with
620 the unbound_smf23 commit added to it, that is the 1.10.0 release.
622 17 February 2020: Ralph
623 - Add respip to supported module-config options in unbound-checkconf.
625 17 February 2020: George
626 - Remove unused variable.
628 17 February 2020: Wouter
629 - contrib/drop2rpz: perl script that converts the Spamhaus DROP-List
630 in RPZ-Format, contributed by Andreas Schulze.
632 14 February 2020: Wouter
633 - Fix spelling in unbound.conf.5.in.
634 - Stop unbound-checkconf from insisting that auth-zone and rpz
635 zonefiles have to exist. They can not exist, and download later.
637 13 February 2020: Wouter
638 - tag for 1.10.0rc1 release.
640 12 February 2020: Wouter
641 - Fix with libnettle make test with dsa disabled.
642 - Fix contrib/fastrpz.patch to apply cleanly. Fix for serve-stale
643 fixes, but it does not compile, conflicts with new rpz code.
644 - Fix to clean memory leak of respip_addr.lock when ip_tree deleted.
645 - Fix compile warning when threads disabled.
646 - updated version number to 1.10.0.
648 10 February 2020: George
649 - Document 'ub_result.was_ratelimited' in libunbound.
650 - Fix use after free on log-identity after a reload; Fixes #163.
652 6 February 2020: George
653 - Fix num_reply_states and num_detached_states counting with
654 serve_expired_callback.
655 - Cleaner code in mesh_serve_expired_lookup.
656 - Document in unbound.conf manpage that configuration clauses can be
657 repeated in the configuration file.
659 6 February 2020: Wouter
660 - Fix num_reply_addr counting in mesh and tcp drop due to size
661 after serve_stale commit.
662 - Fix to create and destroy rpz_lock in auth_zones structure.
663 - Fix to lock zone before adding rpz qname trigger.
664 - Fix to lock and release once in mesh_serve_expired_lookup.
665 - Fix to put braces around empty if body when threading is disabled.
667 5 February 2020: George
668 - Added serve-stale functionality as described in
669 draft-ietf-dnsop-serve-stale-10. `serve-expired-*` options can be used
670 to configure the behavior.
671 - Updated cachedb to honor `serve-expired-ttl`; Fixes #107.
672 - Renamed statistic `num.zero_ttl` to `num.expired` as expired replies
673 come with a configurable TTL value (`serve-expired-reply-ttl`).
674 - Fixed stats when replying with cached, cname-aliased records.
675 - Added missing default values for redis cachedb backend.
677 3 February 2020: Ralph
678 - Add assertion to please static analyzer
680 31 January 2020: Wouter
681 - Fix fclose on error in TLS session ticket code.
683 30 January 2020: Ralph
684 - Fix memory leak in error condition remote.c
685 - Fix double free in error condition view.c
686 - Fix memory leak in do_auth_zone_transfer on success
687 - Merge RPZ support into master. Only QNAME and Response IP triggers are
689 - Stop working on socket when socket() call returns an error.
690 - Check malloc return values in TLS session ticket code
692 30 January 2020: Wouter
693 - Fix subnet tests for disabled DSA algorithm by default.
694 - Update contrib/fastrpz.patch for clean diff with current code.
695 - Merge PR#151: Fixes for systemd units, by Maryse47, Edmonds
696 and Frzk. Updates the unbound.service systemd file and adds
697 a portable systemd service file.
698 - updated .gitignore for added contrib file.
699 - Add build rule for ipset to Makefile
700 - Add getentropy_freebsd.o to Makefile dependencies.
702 29 January 2020: Ralph
703 - Merge PR#156 from Alexander Berkes; Added unbound-control
704 view_local_datas_remove command.
706 29 January 2020: Wouter
707 - Fix #157: undefined reference to `htobe64'.
709 28 January 2020: Ralph
710 - Merge PR#147; change rfc reference for reserved top level dns names.
712 28 January 2020: Wouter
713 - iana portlist updated.
714 - Fix to silence the tls handshake errors for broken pipe and reset
715 by peer, unless verbosity is set to 2 or higher.
717 27 January 2020: Ralph
718 - Merge PR#154; Allow use of libbsd functions with configure option
719 --with-libbsd. By Robert Edmonds and Steven Chamberlain.
720 - Merge PR#148; Add some TLS stats to unbound_munin_. By Fredrik Pettai.
722 27 January 2020: Wouter
723 - Merge PR#155 from Robert Edmonds: contrib/libunbound.pc.in: Fixes
724 to Libs/Requires for crypto library dependencies.
725 - Fix #153: Disable validation for DSA algorithms. RFC 8624
728 23 January 2020: Wouter
729 - Merge PR#150 from Frzk: Systemd unit without chroot. It add
730 contrib/unbound_nochroot.service.in, a systemd file for use with
731 chroot: "", see comments in the file, it uses systemd protections
734 14 January 2020: Wouter
735 - Removed the dnscrypt_queries and dnscrypt_queries_chacha tests,
736 because dnscrypt-proxy (2.0.36) does not support the test setup
737 any more, and also the config file format does not seem to have
738 the appropriate keys to recreate that setup.
739 - Fix crash after reload where a stats lookup could reference old key
740 cache and neg cache structures.
741 - Fix for memory leak when edns subnet config options are read when
742 compiled without edns subnet support.
743 - Fix auth zone support for NSEC3 records without salt.
745 10 January 2020: Wouter
746 - Fix the relationship between serve-expired and prefetch options,
747 patch from Saksham Manchanda from Secure64.
748 - Fix unreachable code in ssl set options code.
750 8 January 2020: Ralph
751 - Fix #138: stop binding pidfile inside chroot dir in systemd service
754 8 January 2020: Wouter
755 - Fix 'make test' to work for --disable-sha1 configure option.
756 - Fix out-of-bounds null-byte write in sldns_bget_token_par while
757 parsing type WKS, reported by Luis Merino from X41 D-Sec.
758 - Updated sldns_bget_token_par fix for also space for the zero
759 delimiter after the character. And update for more spare space.
761 6 January 2020: George
762 - Downgrade compat/getentropy_solaris.c to version 1.4 from OpenBSD.
763 The dl_iterate_phdr() function introduced in newer versions raises
764 compilation errors on solaris 10.
765 - Changes to compat/getentropy_solaris.c for,
766 ifdef stdint.h inclusion for older systems.
767 ifdef sha2.h inclusion for older systems.
769 6 January 2020: Wouter
770 - Merge #135 from Florian Obser: Use passed in neg and key cache
772 - Fix #140: Document slave not downloading new zonefile upon update.
774 16 December 2019: George
775 - Update mailing list URL.
777 12 December 2019: Ralph
778 - Master is 1.9.7 in development.
779 - Fix typo to let serve-expired-ttl work with ub_ctx_set_option(), by
782 10 December 2019: Wouter
783 - Fix to make auth zone IXFR to fallback to AXFR if a single
784 response RR is received over TCP with the SOA in it.
786 6 December 2019: Wouter
787 - Fix ipsecmod compile.
788 - Fix Makefile.in for ipset module compile, from Adi Prasaja.
789 - release-1.9.6 tag, which became the 1.9.6 release
791 5 December 2019: Wouter
792 - unbound-fuzzers.tar.bz2: three programs for fuzzing, that are 1:1
793 replacements for unbound-fuzzme.c that gets created after applying
794 the contrib/unbound-fuzzme.patch. They are contributed by
795 Eric Sesterhenn from X41 D-Sec.
798 4 December 2019: Wouter
799 - Fix lock type for memory purify log lock deletion.
800 - Fix testbound for alloccheck runs, memory purify and lock checks.
801 - update contrib/fastrpz.patch to apply more cleanly.
802 - Fix Make Test Fails when Configured With --enable-alloc-nonregional,
803 reported by X41 D-Sec.
805 3 December 2019: Wouter
806 - Merge pull request #124 from rmetrich: Changed log lock
807 from 'quick' to 'basic' because this is an I/O lock.
808 - Fix text around serial arithmatic used for RRSIG times to refer
809 to correct RFC number.
810 - Fix Assert Causing DoS in synth_cname(),
811 reported by X41 D-Sec.
812 - Fix similar code in auth_zone synth cname to add the extra checks.
813 - Fix Assert Causing DoS in dname_pkt_copy(),
814 reported by X41 D-Sec.
815 - Fix OOB Read in sldns_wire2str_dname_scan(),
816 reported by X41 D-Sec.
817 - Fix Out of Bounds Write in sldns_str2wire_str_buf(),
818 reported by X41 D-Sec.
819 - Fix Out of Bounds Write in sldns_b64_pton(),
820 fixed by check in sldns_str2wire_int16_data_buf(),
821 reported by X41 D-Sec.
822 - Fix Insufficient Handling of Compressed Names in dname_pkt_copy(),
823 reported by X41 D-Sec.
824 - Fix Out of Bound Write Compressed Names in rdata_copy(),
825 reported by X41 D-Sec.
826 - Fix Hang in sldns_wire2str_pkt_scan(),
827 reported by X41 D-Sec.
828 This further lowers the max to 256.
829 - Fix snprintf() supports the n-specifier,
830 reported by X41 D-Sec.
831 - Fix Bad Indentation, in dnscrypt.c,
832 reported by X41 D-Sec.
833 - Fix Client NONCE Generation used for Server NONCE,
834 reported by X41 D-Sec.
835 - Fix compile error in dnscrypt.
836 - Fix _vfixed not Used, removed from sbuffer code,
837 reported by X41 D-Sec.
838 - Fix Hardcoded Constant, reported by X41 D-Sec.
841 2 December 2019: Wouter
842 - Merge pull request #122 from he32: In tcp_callback_writer(),
843 don't disable time-out when changing to read.
845 22 November 2019: George
846 - Fix compiler warnings.
848 22 November 2019: Wouter
849 - Fix dname loop maximum, reported by Eric Sesterhenn from X41 D-Sec.
850 - Add make distclean that removes everything configure produced,
851 and make maintainer-clean that removes bison and flex output.
853 20 November 2019: Wouter
854 - Fix Out of Bounds Read in rrinternal_get_owner(),
855 reported by X41 D-Sec.
856 - Fix Race Condition in autr_tp_create(),
857 reported by X41 D-Sec.
858 - Fix Shared Memory World Writeable,
859 reported by X41 D-Sec.
860 - Adjust unbound-control to make stats_shm a read only operation.
861 - Fix Weak Entropy Used For Nettle,
862 reported by X41 D-Sec.
863 - Fix Randomness Error not Handled Properly,
864 reported by X41 D-Sec.
865 - Fix Out-of-Bounds Read in dname_valid(),
866 reported by X41 D-Sec.
867 - Fix Config Injection in create_unbound_ad_servers.sh,
868 reported by X41 D-Sec.
869 - Fix Local Memory Leak in cachedb_init(),
870 reported by X41 D-Sec.
871 - Fix Integer Underflow in Regional Allocator,
872 reported by X41 D-Sec.
873 - Upgrade compat/getentropy_linux.c to version 1.46 from OpenBSD.
874 - Synchronize compat/getentropy_win.c with version 1.5 from
875 OpenBSD, no changes but makes the file, comments, identical.
876 - Upgrade compat/getentropy_solaris.c to version 1.13 from OpenBSD.
877 - Upgrade compat/getentropy_osx.c to version 1.12 from OpenBSD.
878 - Changes to compat/getentropy files for,
879 no link to openssl if using nettle, and hence config.h for
880 HAVE_NETTLE variable.
881 compat definition of MAP_ANON, for older systems.
882 ifdef stdint.h inclusion for older systems.
883 ifdef sha2.h inclusion for older systems.
884 - Fixed Compat Code Diverging from Upstream, reported by X41 D-Sec.
885 - Fix compile with --enable-alloc-checks, reported by X41 D-Sec.
886 - Fix Terminating Quotes not Written, reported by X41 D-Sec.
887 - Fix Useless memset() in validator, reported by X41 D-Sec.
888 - Fix Unrequired Checks, reported by X41 D-Sec.
889 - Fix Enum Name not Used, reported by X41 D-Sec.
890 - Fix NULL Pointer Dereference via Control Port,
891 reported by X41 D-Sec.
892 - Fix Bad Randomness in Seed, reported by X41 D-Sec.
893 - Fix python examples/calc.py for eval, reported by X41 D-Sec.
894 - Fix comments for doxygen in dns64.
896 19 November 2019: Wouter
897 - Fix CVE-2019-18934, shell execution in ipsecmod.
898 - 1.9.5 is 1.9.4 with bugfix, trunk is 1.9.6 in development.
899 - Fix authzone printout buffer length check.
900 - Fixes to please lint checks.
901 - Fix Integer Overflow in Regional Allocator,
902 reported by X41 D-Sec.
903 - Fix Unchecked NULL Pointer in dns64_inform_super()
904 and ipsecmod_new(), reported by X41 D-Sec.
905 - Fix Out-of-bounds Read in rr_comment_dnskey(),
906 reported by X41 D-Sec.
907 - Fix Integer Overflows in Size Calculations,
908 reported by X41 D-Sec.
909 - Fix Integer Overflow to Buffer Overflow in
910 sldns_str2wire_dname_buf_origin(), reported by X41 D-Sec.
911 - Fix Out of Bounds Read in sldns_str2wire_dname(),
912 reported by X41 D-Sec.
913 - Fix Out of Bounds Write in sldns_bget_token_par(),
914 reported by X41 D-Sec.
916 18 November 2019: Wouter
917 - In unbound-host use separate variable for get_option to please
919 - update to bison output of 3.4.1 in code repository.
920 - Provide a prototype for compat malloc to remove compile warning.
921 - Portable grep usage for reuseport configure test.
922 - Check return type of HMAC_Init_ex for openssl 0.9.8.
923 - gitignore .source tempfile used for compatible make.
925 13 November 2019: Wouter
926 - iana portlist updated.
927 - contrib/fastrpz.patch updated to apply for current code.
928 - fixes for splint cleanliness, long vs int in SSL set_mode.
930 11 November 2019: Wouter
931 - Fix #109: check number of arguments for stdin-pipes in
932 unbound-control and fail if too many arguments.
933 - Merge #102 from jrtc27: Add getentropy emulation for FreeBSD.
935 24 October 2019: Wouter
936 - Fix #99: Memory leak in ub_ctx (event_base will never be freed).
938 23 October 2019: George
939 - Add new configure option `--enable-fully-static` to enable full static
940 build if requested; in relation to #91.
942 23 October 2019: Wouter
943 - Merge #97: manpage: Add missing word on unbound.conf,
946 22 October 2019: Wouter
947 - drop-tld.diff: adds option drop-tld: yesno that drops 2 label
948 queries, to stop random floods. Apply with
949 patch -p1 < contrib/drop-tld.diff and compile.
950 From Saksham Manchanda (Secure64). Please note that we think this
951 will drop DNSKEY and DS lookups for tlds and hence break DNSSEC
952 lookups for downstream clients.
954 7 October 2019: Wouter
955 - Add doxygen comments to unbound-anchor source address code, in #86.
957 3 October 2019: Wouter
958 - Merge #90 from vcunat: fix build with nettle-3.5.
959 - Merge 1.9.4 release with fix for vulnerability CVE-2019-16866.
960 - Continue with development of 1.9.5.
961 - Merge #86 from psquarejho: Added -b source address option to
962 smallapp/unbound-anchor.c, from Lukas Wunner.
964 26 September 2019: Wouter
965 - Merge #87 from hardfalcon: Fix contrib/unbound.service.in,
966 Drop CAP_KILL, use + prefix for ExecReload= instead.
968 25 September 2019: Wouter
969 - The unbound.conf includes are sorted ascending, for include
970 statements with a '*' from glob.
972 23 September 2019: Wouter
973 - Merge #85 for #84 from sam-lunt: Add kill capability to systemd
974 service file to fix that systemctl reload fails.
976 20 September 2019: Wouter
977 - Merge #82 from hardfalcon: Downgrade CAP_NET_ADMIN to CAP_NET_RAW
979 - Merge #81 from Maryse47: Consistently use /dev/urandom instead
980 of /dev/random in scripts and docs.
981 - Merge #83 from Maryse47: contrib/unbound.service.in: do not fork
984 19 September 2019: Wouter
985 - Fix #78: Memory leak in outside_network.c.
986 - Merge pull request #76 from Maryse47: Improvements and fixes for
987 systemd unbound.service.
988 - oss-fuzz badge on README.md.
989 - Fix fix for #78 to also free service callback struct.
990 - Fix for oss-fuzz build warning.
991 - Fix wrong response ttl for prepended short CNAME ttls, this would
992 create a wrong zero_ttl response count with serve-expired enabled.
993 - Merge #80 from stasic: Improve wording in man page.
995 11 September 2019: Wouter
996 - Use explicit bzero for wiping clear buffer of hash in cachedb,
997 reported by Eric Sesterhenn from X41 D-Sec.
999 9 September 2019: Wouter
1000 - Fix #72: configure --with-syslog-facility=LOCAL0-7 with default
1001 LOG_DAEMON (as before) can set the syslog facility that the server
1002 uses to log messages.
1004 4 September 2019: Wouter
1005 - Fix #71: fix openssl error squelch commit compilation error.
1007 3 September 2019: Wouter
1008 - squelch DNS over TLS errors 'ssl handshake failed crypto error'
1009 on low verbosity, they show on verbosity 3 (query details), because
1010 there is a high volume and the operator cannot do anything for the
1011 remote failure. Specifically filters the high volume errors.
1013 2 September 2019: Wouter
1014 - ipset module #28: log that an address is added, when verbosity high.
1015 - ipset: refactor long routine into three smaller ones.
1016 - updated Makefile dependencies.
1018 23 August 2019: Wouter
1019 - Fix contrib/fastrpz.patch asprintf return value checks.
1021 22 August 2019: Wouter
1022 - Fix that pkg-config is setup before --enable-systemd needs it.
1023 - 1.9.3rc2 release candidate tag. And this became the 1.9.3 release.
1024 Master is 1.9.4 in development.
1026 21 August 2019: Wouter
1027 - Fix log_dns_msg to log irrespective of minimal responses config.
1029 19 August 2019: Ralph
1030 - Document limitation of pidfile removal outside of chroot directory.
1032 16 August 2019: Wouter
1033 - Fix unittest valgrind false positive uninitialised value report,
1034 where if gcc 9.1.1 uses -O2 (but not -O1) then valgrind 3.15.0
1035 issues an uninitialised value for the token buffer at the str2wire.c
1036 rrinternal_get_owner() strcmp with the '@' value. Rewritten to use
1037 straight character comparisons removes the false positive. Also
1038 valgrinds --expensive-definedness-checks=yes can stop this false
1040 - Please doxygen's parser for "@" occurrence in doxygen comment.
1041 - Fixup contrib/fastrpz.patch
1042 - Remove warning about unknown cast-function-type warning pragma.
1044 15 August 2019: Wouter
1045 - iana portlist updated.
1046 - Fix autotrust temp file uniqueness windows compile.
1047 - avoid warning about upcast on 32bit systems for autotrust.
1048 - escape commandline contents for -V.
1049 - Fix character buffer size in ub_ctx_hosts.
1050 - 1.9.3rc1 release candidate tag.
1051 - Option -V prints if TCP fastopen is available.
1053 14 August 2019: George
1054 - Fix #59, when compiled with systemd support check that we can properly
1055 communicate with systemd through the `NOTIFY_SOCKET`.
1057 14 August 2019: Wouter
1058 - Generate configlexer with newer flex.
1059 - Fix warning for unused variable for compilation without systemd.
1061 12 August 2019: George
1062 - Introduce `-V` option to print the version number and build options.
1063 Previously reported build options like linked libs and linked modules
1064 are now moved from `-h` to `-V` as well for consistency.
1065 - PACKAGE_BUGREPORT now also includes link to GitHub issues.
1067 1 August 2019: Wouter
1068 - For #52 #53, second context does not close logfile override.
1069 - Fix #52 #53, fix for example fail program.
1070 - Fix to return after failed auth zone http chunk write.
1071 - Fix to remove unused test for task_probe existance.
1072 - Fix to timeval_add for remaining second in microseconds.
1073 - Check repinfo in worker_handle_request, if null, drop it.
1075 29 July 2019: Wouter
1076 - Add verbose log message when auth zone file is written, at level 4.
1077 - Add hex print of trust anchor pointer to trust anchor file temp
1078 name to make it unique, for libunbound created multiple contexts.
1080 23 July 2019: Wouter
1081 - Fix question section mismatch in local zone redirect.
1083 19 July 2019: Wouter
1084 - Fix #49: Set no renegotiation on the SSL context to stop client
1085 session renegotiation.
1087 12 July 2019: Wouter
1088 - Fix #48: Unbound returns additional records on NODATA response,
1089 if minimal-responses is enabled, also the additional for negative
1090 responses is removed.
1093 - Fix in respip addrtree selection. Absence of addr_tree_init_parents()
1094 call made it impossible to go up the tree when the matching netmask is
1098 - Fix for possible assertion failure when answering respip CNAME from
1101 25 June 2019: Wouter
1102 - For #45, check that 127.0.0.1 and ::1 are not used in unbound.conf
1103 when do-not-query-localhost is turned on, or at default on,
1104 unbound-checkconf prints a warning if it is found in forward-addr or
1105 stub-addr statements.
1107 24 June 2019: Wouter
1108 - Fix memleak in unit test, reported from the clang 8.0 static analyzer.
1110 18 June 2019: Wouter
1111 - PR #28: IPSet module, by Kevin Chou. Created a module to support
1112 the ipset that could add the domain's ip to a list easily.
1113 Needs libmnl, and --enable-ipset and config it, doc/README.ipset.md.
1114 - Fix to omit RRSIGs from addition to the ipset.
1115 - Fix to make unbound-control with ipset, remove unused variable,
1116 use unsigned type because of comparison, and assign null instead
1117 of compare with it. Remade lex and yacc output.
1119 - Added documentation to the ipset files (for doxygen output).
1120 - Merge PR #6: Python module: support multiple instances
1121 - Merge PR #5: Python module: define constant MODULE_RESTART_NEXT
1122 - Merge PR #4: Python module: assign something useful to the
1123 per-query data store 'qdata'
1124 - Fix python dict reference and double free in config.
1126 17 June 2019: Wouter
1127 - Master contains version 1.9.3 in development.
1128 - Fix #39: In libunbound, leftover logfile is close()d unpredictably.
1129 - Fix for #24: Fix abort due to scan of auth zone masters using old
1130 address from previous scan.
1132 12 June 2019: Wouter
1133 - Fix another spoolbuf storage code point, in prefetch.
1134 - 1.9.2rc3 release candidate tag. Which became the 1.9.2 release
1137 11 June 2019: Wouter
1138 - Fix that fixes the Fix that spoolbuf is not used to store tcp
1139 pipelined response between mesh send and callback end, this fixes
1140 error cases that did not use the correct spoolbuf.
1141 - 1.9.2rc2 release candidate tag.
1144 - 1.9.2rc1 release candidate tag.
1147 - iana portlist updated.
1150 - Fix to guard _OPENBSD_SOURCE from redefinition.
1153 - Fix to define _OPENBSD_SOURCE to get reallocarray on NetBSD.
1154 - gitignore config.h.in~.
1157 - Fix double file close in tcp pipelined response code.
1160 - Fix that spoolbuf is not used to store tcp pipelined response
1161 between mesh send and callback end.
1164 - Note that so-reuseport at extreme load is better turned off,
1165 otherwise queries are not distributed evenly, on Linux 4.4.x.
1168 - Fix #31: swig 4.0 and python module.
1171 - Squelch log messages from tcp send about connection reset by peer.
1172 They can be enabled with verbosity at higher values for diagnosing
1173 network connectivity issues.
1174 - Attempt to fix malformed tcp response.
1177 - Revert fix for oss-fuzz, error is in that build script that
1178 unconditionally includes .o files detected by configure, also
1179 when the machine architecture uses different LIBOBJS files.
1182 - Attempt to fix build failure in oss-fuzz because of reallocarray.
1183 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14648.
1184 Does not omit compile flags from commandline.
1187 - Fix edns-subnet locks, in error cases the lock was not unlocked.
1188 - Fix doxygen output error on readme markdown vignettes.
1191 - Fix #29: Solaris 11.3 and missing symbols be64toh, htobe64.
1192 - Fix #30: AddressSanitizer finding in lookup3.c. This sets the
1193 hash function to use a slower but better auditable code that does
1194 not read beyond array boundaries. This makes code better security
1195 checkable, and is better for security. It is fixed to be slower,
1196 but not read outside of the array.
1199 - contrib/fastrpz.patch updated for code changes, and with git diff.
1200 - Fix .gitignore, add pythonmod and dnstap generated files.
1201 And unit test generated files, and generated doc files.
1204 - Update makedist for git.
1205 - Nicer travis output for clang analysis.
1206 - PR #16: XoT support, AXFR over TLS, turn it on with
1207 master: <ip>#<authname> in unbound.conf. This uses TLS to
1208 download the AXFR (or IXFR).
1210 25 April 2019: Wouter
1211 - Fix wrong query name in local zone redirect answers with a CNAME,
1212 the copy of the local alias is in unpacked form.
1214 18 April 2019: Ralph
1215 - Scrub RRs from answer section when reusing NXDOMAIN message for
1217 - For harden-below-nxdomain: do not consider a name to be non-exitent
1218 when message contains a CNAME record.
1220 18 April 2019: Wouter
1221 - travis build file.
1223 16 April 2019: Wouter
1224 - Better braces in if statement in TCP fastopen code.
1225 - iana portlist updated.
1227 15 April 2019: Wouter
1228 - Fix tls write event for read state change to re-call SSL_write and
1229 not resume the TLS handshake.
1231 11 April 2019: George
1232 - Update python documentation for init_standard().
1235 11 April 2019: Wouter
1236 - Fix that auth zone uses correct network type for sockets for
1237 SOA serial probes. This fixes that probes fail because earlier
1238 probe addresses are unreachable.
1239 - Fix that auth zone fails over to next master for timeout in tcp.
1240 - Squelch SSL read and write connection reset by peer and broken pipe
1241 messages. Verbosity 2 and higher enables them.
1243 8 April 2019: Wouter
1244 - Fix to use event_assign with libevent for thread-safety.
1245 - verbose information about auth zone lookup process, also lookup
1246 start, timeout and fail.
1247 - Fix #17: Add python module example from Jan Janak, that is a
1248 plugin for the Unbound DNS resolver to resolve DNS records in
1249 multicast DNS [RFC 6762] via Avahi. The plugin communicates
1250 with Avahi via DBus. The comment section at the beginning of
1251 the file contains detailed documentation.
1252 - Fix to wipe ssl ticket keys from memory with explicit_bzero,
1255 5 April 2019: Wouter
1256 - Fix to reinit event structure for accepted TCP (and TLS) sockets.
1258 4 April 2019: Wouter
1259 - Fix spelling error in log output for event method.
1261 3 April 2019: Wouter
1262 - Move goto label in answer_from_cache to the end of the function
1263 where it is more visible.
1264 - Fix auth-zone NSEC3 response for wildcard nodata answers,
1265 include the closest encloser in the answer.
1267 2 April 2019: Wouter
1268 - Fix auth-zone NSEC3 response for empty nonterminals with exact
1269 match nsec3 records.
1270 - Fix for out of bounds integers, thanks to OSTIF audit. It is in
1271 allocation debug code.
1272 - Fix for auth zone nsec3 ent fix for wildcard nodata.
1274 25 March 2019: Wouter
1275 - Fix that tls-session-ticket-keys: "" on its own in unbound.conf
1276 disables the tls session ticker key calls into the OpenSSL API.
1277 - Fix crash if tls-servic-pem not filled in when necessary.
1279 21 March 2019: Wouter
1280 - Fix #4240: Fix whitespace cleanup in example.conf.
1282 19 March 2019: Wouter
1283 - add type CAA to libpyunbound (accessing libunbound from python).
1285 18 March 2019: Wouter
1286 - Add log message, at verbosity 4, that says the query is encrypted
1287 with TLS, if that is enabled for the query.
1288 - Fix #4239: set NOTIMPL when deny-any is enabled, for RFC8482.
1290 7 March 2019: Wouter
1291 - Fix for #4233: guard use of NDEBUG, so that it can be passed in
1292 CFLAGS into configure.
1294 5 March 2019: Wouter
1295 - Tag release 1.9.1rc1. Which became 1.9.1 on 12 March 2019. Trunk
1296 has 1.9.2 in development.
1298 1 March 2019: Wouter
1299 - output forwarder log in ssl_req_order test.
1301 28 February 2019: Wouter
1302 - Remove memory leak on pythonmod python2 script file init.
1303 - Remove swig gcc8 python function cast warnings, they are ignored.
1304 - Print correct module that failed when module-config is wrong.
1306 27 February 2019: Wouter
1307 - Fix #4229: Unbound man pages lack information, about access-control
1308 order and local zone tags, and elements in views.
1309 - Fix #14: contrib/unbound.init: Fix wrong comparison judgment
1311 - Fix for python module on Windows, fix fopen.
1313 25 February 2019: Wouter
1314 - Fix #4227: pair event del and add for libevent for tcp_req_info.
1316 21 February 2019: Wouter
1317 - Fix the error for unknown module in module-config is understandable,
1318 and explains it was not compiled in and where to see the list.
1319 - In example.conf explain where to put cachedb module in module-config.
1320 - In man page and example config explain that most modules have to
1321 be listed at the start of module-config.
1323 20 February 2019: Wouter
1324 - Fix pythonmod include and sockaddr_un ifdefs for compile on
1325 Windows, and for libunbound.
1327 18 February 2019: Wouter
1328 - Print query name with ip_ratelimit exceeded log lines.
1329 - Spaces instead of tabs in that log message.
1330 - Print query name and IP address when domain rate limit exceeded.
1332 14 February 2019: Wouter
1333 - Fix capsforid canonical sort qsort callback.
1335 11 February 2019: Wouter
1336 - Note default for module-config in man page.
1337 - Fix recursion lame test for qname minimisation asked queries,
1338 that were not present in the set of prepared answers.
1339 - Fix #13: Remove left-over requirements on OpenSSL >= 1.1.0 for
1340 cert name matching, from man page.
1341 - make depend, with newer gcc, nicer layout.
1343 7 February 2019: Wouter
1344 - Fix #4206: OpenSSL 1.0.2 hostname verification for FreeBSD 11.2.
1345 - Fix that qname minimisation does not skip a label when missing
1346 nameserver targets need to be fetched.
1347 - Fix #4225: clients seem to erroneously receive no answer with
1348 DNS-over-TLS and qname-minimisation.
1350 4 February 2019: Wouter
1351 - Fix that log-replies prints the correct name for local-alias
1352 names, for names that have a CNAME in local-data configuration.
1353 It logs the original query name, not the target of the CNAME.
1354 - Add local-zone type inform_redirect, which logs like type inform,
1355 and redirects like type redirect.
1356 - Perform canonical sort for 0x20 capsforid compare of replies,
1357 this sorts rrsets in the authority and additional section before
1358 comparison, so that out of order rrsets do not cause failure.
1360 31 January 2019: Wouter
1361 - Set ub_ctx_set_tls call signature in ltrace config file for
1362 libunbound in contrib/libunbound.so.conf.
1363 - improve documentation for tls-service-key and forward-first.
1364 - #10: fixed pkg-config operations, PKG_PROG_PKG_CONFIG moved out of
1365 conditional section, fixes systemd builds, from Enrico Scholz.
1366 - #9: For openssl 1.0.2 use the CRYPTO_THREADID locking callbacks,
1367 still supports the set_id_callback previous API. And for 1.1.0
1368 no locking callbacks are needed.
1369 - #8: Fix OpenSSL without ENGINE support compilation.
1370 - Wipe TLS session key data from memory on exit.
1372 30 January 2019: Ralph
1373 - Fix case in which query timeout can result in marking delegation
1376 29 January 2019: Wouter
1377 - Fix spelling of tls-ciphers in example.conf.in.
1378 - Fix #4224: auth_xfr_notify.rpl test broken due to typo
1379 - Fix locking for libunbound context setup with broken port config.
1381 28 January 2019: Wouter
1382 - ub_ctx_set_tls call for libunbound that enables DoT for the machines
1383 set with ub_ctx_set_fwd. Patch from Florian Obser.
1384 - Set build system for added call in the libunbound API.
1385 - List example config for root zone copy locally hosted with auth-zone
1386 as suggested from draft-ietf-dnsop-7706-bis-02. But with updated
1388 - set version to 1.9.0 for release. And this was released with the
1389 spelling for tls-ciphers fix as 1.9.0 on Feb 5. Trunk has 1.9.1 in
1392 25 January 2019: Wouter
1393 - Fix that tcp for auth zone and outgoing does not remove and
1394 then gets the ssl read again applied to the deleted commpoint.
1395 - updated contrib/fastrpz.patch to cleanly diff.
1396 - no lock when threads disabled in tcp request buffer count.
1397 - remove compile warnings from libnettle compile.
1398 - output of newer lex 2.6.1 and bison 3.0.5.
1400 24 January 2019: Wouter
1401 - Newer aclocal and libtoolize used for generating configure scripts,
1402 aclocal 1.16.1 and libtoolize 2.4.6.
1403 - Fix unit test for python 3.7 new keyword 'async'.
1404 - clang analysis fixes, assert arc4random buffer in init,
1405 no check for already checked delegation pointer in iterator,
1406 in testcode check for NULL packet matches, in perf do not copy
1407 from NULL start list when growing capacity. Adjust host and file
1408 only when present in test header read to please checker. In
1409 testcode for unknown macro operand give zero result. Initialise the
1410 passed argv array in test code. In test code add EDNS data
1411 segment copy only when nonempty.
1412 - Patch from Florian Obser fixes some compiler warnings:
1413 include mini_event.h to have a prototype for mini_ev_cmp
1414 include edns.h to have a prototype for apply_edns_options
1415 sldns_wire2str_edns_keepalive_print is only called in the wire2str,
1416 module declare it static to get rid of compiler warning:
1417 no previous prototype for function
1418 infra_find_ip_ratedata() is only called in the infra module,
1419 declare it static to get rid of compiler warning:
1420 no previous prototype for function
1421 do not shadow local variable buf in authzone
1422 auth_chunks_delete and az_nsec3_findnode are only called in the
1423 authzone module, declare them static to get rid of compiler warning:
1424 no previous prototype for function...
1425 copy_rrset() is only called in the respip module, declare it
1426 static to get rid of compiler warning:
1427 no previous prototype for function 'copy_rrset'
1428 no need for another variable "r"; gets rid of compiler warning:
1429 declaration shadows a local variable in libunbound.c
1430 no need for another variable "ns"; gets rid of compiler warning:
1431 declaration shadows a local variable in iterator.c
1432 - Moved includes and make depend.
1434 23 January 2019: Wouter
1435 - Patch from Manabu Sonoda with tls-ciphers and tls-ciphersuites
1436 options for unbound.conf.
1437 - Fixes for the patch, and man page entry.
1438 - Fix configure to detect SSL_CTX_set_ciphersuites, for better
1439 library compatibility when compiling.
1440 - Patch for TLS session resumption from Manabu Sonoda,
1441 enable with tls-session-ticket-keys in unbound.conf.
1442 - Fixes for patch (includes, declarations, warnings). Free at end
1443 and keep config options in order read from file to keep the first
1444 one as the first one.
1445 - Fix for IXFR fallback to reset counter when IXFR does not timeout.
1447 22 January 2019: Wouter
1448 - Fix space calculation for tcp req buffer size.
1449 - Doc for stream-wait-size and unit test.
1450 - unbound-control stats has mem.streamwait that counts TCP and TLS
1451 waiting result buffers.
1452 - Fix for #4219: secondaries not updated after serial change, unbound
1453 falls back to AXFR after IXFR gives several timeout failures.
1454 - Fix that auth zone after IXFR fallback tries the same master.
1456 21 January 2019: Wouter
1457 - Fix tcp idle timeout test, for difference in the tcp reply code.
1458 - Unit test for tcp request reorder and timeouts.
1459 - Unit tests for ssl out of order processing.
1460 - Fix that multiple dns fragments can be carried in one TLS frame.
1461 - Add stream-wait-size: 4m config option to limit the maximum
1462 memory used by waiting tcp and tls stream replies. This avoids
1463 a denial of service where these replies use up all of the memory.
1465 17 January 2019: Wouter
1466 - For caps-for-id fallback, use the whitelist to avoid timeout
1467 starting a fallback sequence for it.
1468 - increase mesh max activation count for capsforid long fetches.
1470 16 January 2019: Ralph
1471 - Get ready for the DNS flag day: remove EDNS lame procedure, do not
1472 re-query without EDNS after timeout.
1474 15 January 2019: Wouter
1475 - In the out of order processing, reset byte count for (potential)
1477 - Review fixes in out of order processing.
1479 14 January 2019: Wouter
1480 - streamtcp option -a send queries consecutively and prints answers
1482 - Fix for out of order processing administration quit cleanup.
1483 - unit test for tcp out of order processing.
1485 11 January 2019: Wouter
1486 - Initial commit for out-of-order processing for TCP and TLS.
1488 9 January 2019: Wouter
1489 - Log query name for looping module errors.
1491 8 January 2019: Wouter
1492 - Fix syntax in comment of local alias processing.
1493 - Fix NSEC3 record that is returned in wildcard replies from
1494 auth-zone zones with NSEC3 and wildcards.
1496 7 January 2019: Wouter
1497 - On FreeBSD warn if systcl settings do not allow server TCP FASTOPEN,
1498 and server tcp fastopen is enabled at compile time.
1499 - Document interaction between the tls-upstream option in the server
1500 section and forward-tls-upstream option in the forward-zone sections.
1501 - Add contrib/unbound-fuzzme.patch from Jacob Hoffman-Andrews,
1502 the patch adds a program used for fuzzing.
1504 12 December 2018: Wouter
1505 - Fix for crash in dns64 module if response is null.
1507 10 December 2018: Wouter
1508 - Fix config parser memory leaks.
1509 - ip-ratelimit-factor of 1 allows all traffic through, instead of the
1510 previous blocking everything.
1511 - Fix for FreeBSD port make with dnscrypt and dnstap enabled.
1512 - Fix #4206: support openssl 1.0.2 for TLS hostname verification,
1513 alongside the 1.1.0 and later support that is already there.
1514 - Fixup openssl 1.0.2 compile
1516 6 December 2018: Wouter
1517 - Fix dns64 allocation in wrong region for returned internal queries.
1519 3 December 2018: Wouter
1520 - Fix icon, no ragged edges and nicer resolutions available, for eg.
1521 Win 7 and Windows 10 display.
1522 - cache-max-ttl also defines upperbound of initial TTL in response.
1524 30 November 2018: Wouter
1525 - Patch for typo in unbound.conf man page.
1526 - log-tag-queryreply: yes in unbound.conf tags the log-queries and
1527 log-replies in the log file for easier log filter maintenance.
1529 29 November 2018: Wouter
1530 - iana portlist updated.
1531 - Fix chroot auth-zone fix to remove chroot prefix.
1532 - tag for 1.8.2rc1, which became 1.8.2 on 4 dec 2018, with icon
1533 updated. Trunk contains 1.8.3 in development.
1534 Which became 1.8.3 on 11 december with only the dns64 fix of 6 dec.
1535 Trunk then became 1.8.4 in development.
1536 - Fix that unbound-checkconf does not complains if the config file
1537 is not placed inside the chroot.
1538 - Refuse to start with no ports.
1539 - Remove clang analysis warnings.
1541 28 November 2018: Wouter
1542 - Fix leak in chroot fix for auth-zone.
1543 - Fix clang analysis for outside directory build test.
1545 27 November 2018: Wouter
1546 - Fix DNS64 to not store intermediate results in cache, this avoids
1547 other threads from picking up the wrong data. The module restores
1548 the previous no_cache_store setting when the the module is finished.
1549 - Fix #4208: 'stub-no-cache' and 'forward-no-cache' not work.
1550 - New and better fix for Fix #4193: Fix that prefetch failure does
1551 not overwrite valid cache entry with SERVFAIL.
1552 - auth-zone give SERVFAIL when expired, fallback activates when
1553 expired, and this is documented in the man page.
1554 - stat count SERVFAIL downstream auth-zone queries for expired zones.
1555 - Put new logos into windows installer.
1556 - Fix windows compile for new rrset roundrobin fix.
1557 - Update contrib fastrpz patch for latest release.
1559 26 November 2018: Wouter
1560 - Fix to not set GLOB_NOSORT so the unbound.conf include: files are
1561 sorted and in a predictable order.
1562 - Fix #4193: Fix that prefetch failure does not overwrite valid cache
1563 entry with SERVFAIL.
1564 - Add unbound-control view_local_datas command, like local_datas.
1565 - Fix that unbound-control can send file for view_local_datas.
1567 22 November 2018: Wouter
1568 - With ./configure --with-pyunbound --with-pythonmodule
1569 PYTHON_VERSION=3.6 or with 2.7 unbound can compile and unit tests
1570 succeed for the python module.
1571 - pythonmod logs the python error and traceback on failure.
1572 - ignore debug python module for test in doxygen output.
1573 - review fixes for python module.
1574 - Fix #4209: Crash in libunbound when called from getdns.
1575 - auth zone zonefiles can be in a chroot, the chroot directory
1576 components are removed before use.
1577 - Fix that empty zonefile means the zonefile is not set and not used.
1580 21 November 2018: Wouter
1581 - Scrub NS records from NODATA responses as well.
1583 20 November 2018: Wouter
1584 - Scrub NS records from NXDOMAIN responses to stop fragmentation
1585 poisoning of the cache.
1586 - Add patch from Jan Vcelak for pythonmod,
1587 add sockaddr_storage getters, add support for query callbacks,
1588 allow raw address access via comm_reply and update API documentation.
1589 - Removed compile warnings in pythonmod sockaddr routines.
1591 19 November 2018: Wouter
1592 - Support SO_REUSEPORT_LB in FreeBSD 12 with the so-reuseport: yes
1593 option in unbound.conf.
1595 6 November 2018: Ralph
1596 - Bugfix min-client-subnet-ipv6
1598 25 October 2018: Ralph
1599 - Add min-client-subnet-ipv6 and min-client-subnet-ipv4 options.
1601 25 October 2018: Wouter
1602 - Fix #4191: NXDOMAIN vs SERVFAIL during dns64 PTR query.
1603 - Fix #4190: Please create a "ANY" deny option, adds the option
1604 deny-any: yes in unbound.conf. This responds with an empty message
1605 to queries of type ANY.
1606 - Fix #4141: More randomness to rrset-roundrobin.
1607 - Fix #4132: Openness/closeness of RANGE intervals in rpl files.
1608 - Fix #4126: RTT_band too low on VSAT links with 600+ms latency,
1609 adds the option unknown-server-time-limit to unbound.conf that
1610 can be increased to avoid the problem.
1611 - remade makefile dependencies.
1612 - Fix #4152: Logs shows wrong time when using log-time-ascii: yes.
1614 24 October 2018: Ralph
1615 - Add markdel function to ECS slabhash.
1616 - Limit ECS scope returned to client to the scope used for caching.
1617 - Make lint like previous #4154 fix.
1619 22 October 2018: Wouter
1620 - Fix #4192: unbound-control-setup generates keys not readable by
1622 - check that the dnstap socket file can be opened and exists, print
1624 - Fix #4154: make ECS_MAX_TREESIZE configurable, with
1625 the max-ecs-tree-size-ipv4 and max-ecs-tree-size-ipv6 options.
1627 22 October 2018: Ralph
1628 - Change fast-server-num default to 3.
1630 8 October 2018: Ralph
1631 - Add fast-server-permil and fast-server-num options.
1632 - Deprecate low-rtt and low-rtt-permil options.
1634 8 October 2018: Wouter
1635 - Squelch log of failed to tcp initiate after TCP Fastopen failure.
1637 5 October 2018: Wouter
1638 - Squelch EADDRNOTAVAIL errors when the interface goes away,
1639 this omits 'can't assign requested address' errors unless
1640 verbosity is set to a high value.
1641 - Set default for so-reuseport to no for FreeBSD. It is enabled
1642 by default for Linux and DragonFlyBSD. The setting can
1643 be configured in unbound.conf to override the default.
1646 2 October 2018: Wouter
1647 - updated contrib/fastrpz.patch to apply for this version
1648 - dnscrypt.c removed sizeof to get array bounds.
1649 - Fix testlock code to set noreturn on error routine.
1650 - Remove unused variable from contrib fastrpz/rpz.c and
1651 remove unused diagnostic pragmas that themselves generate warnings
1652 - clang analyze test is used only when assertions are enabled.
1654 1 October 2018: Wouter
1655 - tag for release 1.8.1rc1. Became release 1.8.1 on 8 oct, with
1656 fastrpz.patch fix included. Trunk has 1.8.2 in development.
1658 27 September 2018: Wouter
1659 - Fix #4188: IPv6 forwarders without ipv6 result in SERVFAIL, fixes
1660 qname minimisation with a forwarder when connectivity has issues
1661 from rejecting responses.
1663 25 September 2018: Wouter
1664 - Perform TLS SNI indication of the host that is being contacted
1665 for DNS over TLS service. It sets the configured tls auth name.
1666 This is useful for hosts that apart from the DNS over TLS services
1667 also provide other (web) services.
1668 - Fix #4149: Add SSL cleanup for tcp timeout.
1670 17 September 2018: Wouter
1671 - Fix compile on Mac for unbound, provide explicit_bzero when libc
1673 - Fix unbound for openssl in FIPS mode, it uses the digests with
1674 the EVP call contexts.
1675 - Fix that with harden-below-nxdomain and qname minisation enabled
1676 some iterator states for nonresponsive domains can get into a
1677 state where they waited for an empty list.
1678 - Stop UDP to TCP failover after timeouts that causes the ping count
1679 to be reset by the TCP time measurement (that exists for TLS),
1680 because that causes the UDP part to not be measured as timeout.
1681 - Fix #4156: Fix systemd service manager state change notification.
1683 13 September 2018: Wouter
1684 - Fix seed for random backup code to use explicit zero when wiped.
1685 - exit log routine is annotated as noreturn function.
1686 - free memory leaks in config strlist and str2list insert functions.
1687 - do not move unused argv variable after getopt.
1688 - Remove unused if clause in testcode.
1689 - in testcode, free async ids, initialise array, and check for null
1690 pointer during test of the test. And use exit for return to note
1691 irregular program stop.
1692 - Free memory leak in config strlist append.
1693 - make sure nsec3 comparison salt is initialized.
1694 - unit test has clang analysis.
1695 - remove unused variable assignment from iterator scrub routine.
1696 - check for null in delegation point during iterator refetch
1698 - neater pointer cast in libunbound context quit routine.
1699 - initialize statistics totals for printout.
1700 - in authzone check that node exists before adding rrset.
1701 - in unbound-anchor, use readwrite memory BIO.
1702 - assertion in autotrust that packed rrset is formed correctly.
1703 - Fix memory leak when message parse fails partway through copy.
1704 - remove unused udpsize assignment in message encode.
1705 - nicer bio free code in unbound-anchor.
1706 - annotate exit functions with noreturn in unbound-control.
1708 11 September 2018: Wouter
1709 - Fixed unused return value warnings in contrib/fastrpz.patch for
1711 - Fix to squelch respip warning in unit test, it is printed at
1712 higher verbosity settings.
1713 - Fix spelling errors.
1714 - Fix initialisation in remote.c
1716 10 September 2018: Wouter
1717 - 1.8.1 in svn trunk. (changes from 4,5,.. sep apply).
1720 5 September 2018: Wouter
1721 - Fix spelling error in header, from getdns commit by Andreas Gelmini.
1723 4 September 2018: Ralph
1724 - More explicitly mention the type of ratelimit when applying
1727 4 September 2018: Wouter
1728 - Tag for 1.8.0rc1 release, became 1.8.0 release on 10 Sep 2018.
1730 31 August 2018: Wouter
1731 - Disable minimal-responses in subnet unit tests.
1733 30 August 2018: Wouter
1734 - Fix that a local-zone with a local-zone-type that is transparent
1735 in a view with view-first, makes queries check for answers from the
1736 local-zones defined outside of views.
1738 28 August 2018: Ralph
1739 - Disable minimal-responses in ipsecmod unit tests.
1740 - Added serve-expired-ttl and serve-expired-ttl-reset options.
1742 27 August 2018: Wouter
1743 - Set defaults to yes for a number of options to increase speed and
1744 resilience of the server. The so-reuseport, harden-below-nxdomain,
1745 and minimal-responses options are enabled by default. They used
1746 to be disabled by default, waiting to make sure they worked. They
1747 are enabled by default now, and can be disabled explicitly by
1748 setting them to "no" in the unbound.conf config file. The reuseport
1749 and minimal options increases speed of the server, and should be
1750 otherwise harmless. The harden-below-nxdomain option works well
1751 together with the recently default enabled qname minimisation, this
1752 causes more fetches to use information from the cache.
1753 - next release is called 1.8.0.
1754 - Fix lintflags for lint on FreeBSD.
1756 22 August 2018: George
1757 - #4140: Expose repinfo (comm_reply) to the inplace_callbacks. This
1758 gives access to reply information for the client's communication
1759 point when the callback is called before the mesh state (modules).
1760 Changes to C and Python's inplace_callback signatures were also
1763 21 August 2018: Wouter
1764 - log-local-actions: yes option for unbound.conf that logs all the
1765 local zone actions, a patch from Saksham Manchanda (Secure64).
1766 - #4146: num.query.subnet and num.query.subnet_cache counters.
1767 - Fix only misc failure from log-servfail when val-log-level is not
1770 17 August 2018: Ralph
1771 - Fix classification for QTYPE=CNAME queries when QNAME minimisation is
1774 17 August 2018: Wouter
1775 - Set libunbound to increase current, because the libunbound change
1776 to the event callback function signature. That needs programs,
1777 that use it, to recompile against the new header definition.
1778 - print servfail info to log as error.
1779 - added more servfail printout statements, to the iterator.
1780 - log-servfail: yes prints log lines that say why queries are
1781 returning SERVFAIL to clients.
1783 16 August 2018: Wouter
1784 - Fix warning on compile without threads.
1785 - Fix contrib/fastrpz.patch.
1787 15 August 2018: Wouter
1788 - Fix segfault in auth-zone read and reorder of RRSIGs.
1790 14 August 2018: Wouter
1791 - Fix that printout of error for cycle targets is a verbosity 4
1792 printout and does not wrongly print it is a memory error.
1793 - Upgraded crosscompile script to include libunbound DLL in the
1796 10 August 2018: Wouter
1797 - Fix #4144: dns64 module caches wrong (negative) information.
1799 9 August 2018: Wouter
1800 - unbound-checkconf checks if modules exist and prints if they are
1801 not compiled in the name of the wrong module.
1802 - document --enable-subnet in doc/README.
1803 - Patch for stub-no-cache and forward-no-cache options that disable
1804 caching for the contents of that stub or forward, for when you
1805 want immediate changes visible, from Bjoern A. Zeeb.
1807 7 August 2018: Ralph
1808 - Make capsforid fallback QNAME minimisation aware.
1810 7 August 2018: Wouter
1811 - Fix #4142: unbound.service.in: improvements and fixes.
1812 Add unit dependency ordering (based on systemd-resolved).
1813 Add 'CAP_SYS_RESOURCE' to 'CapabilityBoundingSet' (fixes warnings
1814 about missing privileges during startup). Add 'AF_INET6' to
1815 'RestrictAddressFamilies' (without it IPV6 can't work). From
1817 - Patch to implement tcp-connection-limit from Jim Hague (Sinodun).
1818 This limits the number of simultaneous TCP client connections
1819 from a nominated netblock.
1820 - make depend, yacc, lex, doc, headers. And log the limit exceeded
1821 message only on high verbosity, so as to not spam the logs when
1824 6 August 2018: Wouter
1825 - Fix for #4136: Fix to unconditionally call destroy in daemon.c.
1827 3 August 2018: George
1828 - Expose if a query (or a subquery) was ratelimited (not src IP
1829 ratelimiting) to libunbound under 'ub_result.was_ratelimited'.
1830 This also introduces a change to 'ub_event_callback_type' in
1831 libunbound/unbound-event.h.
1834 3 August 2018: Wouter
1835 - Revert previous change for #4136: because it introduces build
1837 - New fix for #4136: This one ignores lex without without
1840 1 August 2018: Wouter
1841 - Fix to remove systemd sockaddr function check, that is not
1842 always present. Make socket activation more lenient. But not
1843 different when socket activation is not used.
1844 - iana port list update.
1846 31 July 2018: Wouter
1847 - Patches from Jim Hague (Sinodun) for EDNS KeepAlive.
1848 - Sort out test runs when the build directory isn't the project
1850 - Add config tcp-idle-timeout (default 30s). This applies to
1851 client connections only; the timeout on TCP connections upstream
1853 - Error if EDNS Keepalive received over UDP.
1854 - Add edns-tcp-keepalive and edns-tcp-keepalive timeout options
1855 and implement option in client responses.
1856 - Correct and expand manual page entries for keepalive and idle timeout.
1857 - Implement progressive backoff of TCP idle/keepalive timeout.
1858 - Fix 'make depend' to work when build dir is not project root.
1859 - Add delay parameter to streamtcp, -d secs.
1860 To be used when testing idle timeout.
1861 - From Wouter: make depend, the dependencies in the patches did not
1862 apply cleanly. Also remade yacc and lex.
1863 - Fix mesh.c incompatible pointer pass.
1864 - Please doxygen so it passes.
1865 - Fix #4139: Fix unbound-host leaks memory on ANY.
1867 30 July 2018: Wouter
1868 - Fix #4136: insufficiency from mismatch of FLEX capability between
1869 released tarball and build host.
1871 27 July 2018: Wouter
1872 - Fix man page, say that chroot is enabled by default.
1874 26 July 2018: Wouter
1875 - Fix #4135: 64-bit Windows Installer Creates Entries Under The
1876 Wrong Registry Key, reported by Brian White.
1878 23 July 2018: Wouter
1879 - Fix use-systemd readiness signalling, only when use-systemd is yes
1880 and not in signal handler.
1882 20 July 2018: Wouter
1883 - Fix #4130: print text describing -dd and unbound-checkconf on
1884 config file read error at startup, the errors may have been moved
1885 away by the startup process.
1886 - Fix #4131: for solaris, error YY_CURRENT_BUFFER undeclared.
1888 19 July 2018: Wouter
1889 - Fix #4129 unbound-control error message with wrong cert permissions
1892 17 July 2018: Wouter
1893 - Fix #4127 unbound -h does not list -p help.
1894 - Print error if SSL name verification configured but not available
1896 - Fix that ratelimit and ip-ratelimit are applied after reload of
1897 changed config file.
1898 - Resize ratelimit and ip-ratelimit caches if changed on reload.
1900 16 July 2018: Wouter
1901 - Fix qname minimisation NXDOMAIN validation lookup failures causing
1902 error_supers assertion fails.
1903 - Squelch can't bind socket errors with Permission denied unless
1904 verbosity is 4 or higher, for UDP outgoing sockets.
1906 12 July 2018: Wouter
1907 - Fix to improve systemd socket activation code file descriptor
1909 - Fix for 4126 that the #define for UNKNOWN_SERVER_NICENESS can be more
1910 easily changed to adjust default rtt assumptions.
1912 10 July 2018: Wouter
1913 - Note in documentation that the cert name match code needs
1914 OpenSSL 1.1.0 or later to be enabled.
1917 - Fix documentation ambiguity for tls-win-cert in tls-upstream and
1918 forward-tls-upstream docs.
1920 - Note RFC8162 support. SMIMEA record type can be read in by the
1922 - Fix round robin for failed addresses with prefer-ip6: yes
1925 - Fix #4112: Fix that unbound-anchor -f /etc/resolv.conf will not pass
1926 if DNSSEC is not enabled. New option -R allows fallback from
1927 resolv.conf to direct queries.
1930 - Better documentation for unblock-lan-zones and insecure-lan-zones
1932 - Fix permission denied printed for auth zone probe random port nrs.
1935 - Fix checking for libhiredis printout in configure output.
1936 - Fix typo on man page in ip-address description.
1937 - Update libunbound/python/examples/dnssec_test.py example code to
1938 also set the 20326 trust anchor for the root in the example code.
1940 29 June 2018: Wouter
1941 - dns64-ignore-aaaa: config option to list domain names for which the
1942 existing AAAA is ignored and dns64 processing is used on the A
1945 28 June 2018: Wouter
1946 - num.queries.tls counter for queries over TLS.
1947 - log port number with err_addr logs.
1949 27 June 2018: Wouter
1950 - #4109: Fix that package config depends on python unconditionally.
1951 - Patch, do not export python from pkg-config, from Petr MenÅ¡Ãk.
1953 26 June 2018: Wouter
1954 - Partial fix for permission denied on IPv6 address on FreeBSD.
1955 - Fix that auth-zone master reply with current SOA serial does not
1956 stop scan of masters for an updated zone.
1957 - Fix that auth-zone does not start the wait timer without checking
1958 if the wait timer has already been started.
1960 21 June 2018: Wouter
1961 - #4108: systemd reload hang fix.
1962 - Fix usage printout for unbound-host, hostname has to be last
1963 argument on BSDs and Windows.
1965 19 June 2018: Wouter
1966 - Fix for unbound-control on Windows and set TCP socket parameters
1968 This fix is part of 1.7.3.
1969 - Windows example service.conf edited with more windows specific
1971 - Fix windows unbound-control no cert bad file descriptor error.
1972 This fix is part of 1.7.3.
1974 18 June 2018: Wouter
1975 - Fix that control-use-cert: no works for 127.0.0.1 to disable certs.
1976 This fix is part of 1.7.3rc2.
1977 - Fix unbound-checkconf for control-use-cert.
1978 This fix is part of 1.7.3.
1980 15 June 2018: Wouter
1983 - unbound-control auth_zone_reload _zone_ option rereads the zonefile.
1984 - unbound-control auth_zone_transfer _zone_ option starts the probe
1985 sequence for a master to transfer the zone from and transfers when
1986 a new zone version is available.
1988 14 June 2018: Wouter
1989 - #4103: Fix that auth-zone does not insist on SOA record first in
1990 file for url downloads.
1991 - Fix that first control-interface determines if TLS is used. Warn
1992 when IP address interfaces are used without TLS.
1993 - Fix nettle compile.
1996 - Don't count CNAME response types received during qname minimisation as
1999 12 June 2018: Wouter
2000 - #4102 for NSD, but for Unbound. Named unix pipes do not use
2001 certificate and key files, access can be restricted with file and
2002 directory permissions. The option control-use-cert is no longer
2003 used, and ignored if found in unbound.conf.
2004 - Rename tls-additional-ports to tls-additional-port, because every
2006 - Fix buffer size warning in unit test.
2007 - remade dependencies in the Makefile.
2010 - Patch to fix openwrt for mac os build darwin detection in configure.
2013 - Fix crash if ratelimit taken into use with unbound-control
2014 instead of with unbound.conf.
2017 - Fix deadlock caused by incoming notify for auth-zone.
2018 - tag for 1.7.2rc1, became 1.7.2 release on 11 June 2018,
2019 trunk is 1.7.3 in development from this point.
2020 - #4100: Fix stub reprime when it becomes useless.
2023 - Rename additional-tls-port to tls-additional-ports.
2024 The older name is accepted for backwards compatibility.
2027 - Patch from Syzdek: Add ability to ignore RD bit and treat all
2028 requests as if the RD bit is set.
2031 - in compat/arc4random call getentropy_urandom when getentropy fails
2033 - Fix that fallback for windows port.
2036 - Fix windows tcp and tls spin on events.
2037 - Add routine from getdns to add windows cert store to the SSL_CTX.
2038 - tls-win-cert option that adds the system certificate store for
2039 authenticating DNS-over-TLS connections. It can be used instead
2040 of the tls-cert-bundle option, or with it to add certificates.
2043 - For TCP and TLS connections that don't establish, perform address
2044 update in infra cache, so future selections can exclude them.
2045 - Fix that tcp sticky events are removed for closed fd on windows.
2046 - Fix close events for tcp only.
2049 - Fix that libunbound can do DNS-over-TLS, when configured.
2050 - Fix that windows unbound service can use DNS-over-TLS.
2051 - unbound-host initializes ssl (for potential DNS-over-TLS usage
2052 inside libunbound), when ssl upstream or a cert-bundle is configured.
2055 - Use accept4 to speed up incoming TCP (and TLS) connections,
2056 available on Linux, FreeBSD and OpenBSD.
2059 - Qname minimisation default changed to yes.
2062 - Fix low-rtt-pct to low-rtt-permil, as it is parts in one thousand.
2065 - Fix contrib/libunbound.pc for libssl libcrypto references,
2066 from https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=226914
2069 - Fix windows to not have sticky TLS events for TCP.
2070 - Fix read of DNS over TLS length and data in one read call.
2071 - Fix mesh state assertion failure due to callback removal.
2074 - Fix that configure --with-libhiredis also turns on cachedb.
2075 - Fix gcc 8 buffer warning in testcode.
2076 - Fix function type cast warning in libunbound context callback type.
2079 - Fix fail to reject dead peers in forward-zone, with ssl-upstream.
2082 - Fix that unbound-control reload frees the rrset keys and returns
2083 the memory pages to the system.
2085 30 April 2018: Wouter
2086 - Fix spelling error in man page and note defaults as no instead of
2089 26 April 2018: Wouter
2090 - Fix for crash in daemon_cleanup with dnstap during reload,
2091 from Saksham Manchanda.
2092 - Also that for dnscrypt.
2093 - tag for 1.7.1rc1 release. Became 1.7.1 release on 3 May, trunk
2094 is from here 1.7.2 in development.
2096 25 April 2018: Ralph
2097 - Fix memory leak when caching wildcard records for aggressive NSEC use
2099 24 April 2018: Wouter
2100 - Fix contrib/fastrpz.patch for this release.
2101 - Fix auth https for libev.
2103 24 April 2018: Ralph
2104 - Added root-key-sentinel support
2106 23 April 2018: Wouter
2107 - makedist uses bz2 for expat code, instead of tar.gz.
2108 - Fix #4092: libunbound: use-caps-for-id lacks colon in
2110 - auth zone http download stores exact copy of downloaded file,
2111 including comments in the file.
2112 - Fix sldns parse failure for CDS alternate delete syntax empty hex.
2113 - Attempt for auth zone fix; add of callback in mesh gets from
2114 callback does not skip callback of result.
2115 - Fix cname classification with qname minimisation enabled.
2116 - list_auth_zones unbound-control command.
2118 20 April 2018: Wouter
2119 - man page documentation for dns-over-tls forward-addr '#' notation.
2120 - removed free from failed parse case.
2121 - Fix #4091: Fix that reload of auth-zone does not merge the zonefile
2122 with the previous contents.
2123 - Delete auth zone when removed from config.
2125 19 April 2018: Wouter
2126 - Can set tls authentication with forward-addr: IP#tls.auth.name
2127 And put the public cert bundle in tls-cert-bundle: "ca-bundle.pem".
2128 such as forward-addr: 9.9.9.9@853#dns.quad9.net or
2129 1.1.1.1@853#cloudflare-dns.com
2130 - Fix #658: unbound using TLS in a forwarding configuration does not
2131 verify the server's certificate (RFC 8310 support).
2132 - For addr with #authname and no @port notation, the default is 853.
2134 18 April 2018: Wouter
2135 - Fix auth-zone retry timer to be on schedule with retry timeout,
2136 with backoff. Also time a refresh at the zone expiry.
2138 17 April 2018: Wouter
2139 - auth zone notify work.
2140 - allow-notify: config statement for auth-zones.
2141 - unit test for allow-notify
2143 16 April 2018: Wouter
2144 - Fix auth zone target lookup iterator.
2145 - auth zone notify with prefix
2146 - auth zone notify work.
2148 13 April 2018: Wouter
2149 - Fix for max include depth for authzones.
2150 - Fix memory free on fail for $INCLUDE in authzone.
2151 - Fix that an internal error to look up the wrong rr type for
2152 auth zone gets stopped, before trying to send there.
2153 - auth zone notify work.
2155 10 April 2018: Ralph
2156 - num.query.aggressive.NOERROR and num.query.aggressive.NXDOMAIN
2157 statistics counters.
2159 10 April 2018: Wouter
2160 - documentation for low-rtt and low-rtt-pct.
2161 - auth zone notify work.
2163 9 April 2018: Wouter
2164 - Fix that flush_zone sets prefetch ttl expired, so that with
2165 serve-expired enabled it'll start prefetching those entries.
2166 - num.query.authzone.up and num.query.authzone.down statistics counters.
2167 - Fix downstream auth zone, only fallback when auth zone fails to
2168 answer and fallback is enabled.
2169 - Accept both option names with and without colon for get_option
2171 - low-rtt and low-rtt-pct in unbound.conf enable the server selection
2172 of fast servers for some percentage of the time.
2174 5 April 2018: Wouter
2175 - Combine write of tcp length and tcp query for dns over tls.
2176 - nitpick fixes in example.conf.
2177 - Fix above stub queries for type NS and useless delegation point.
2178 - Fix unbound-control over pipe with openssl 1.1.1, the TLSv1.3
2179 tls_choose_sigalg routine does not allow the ciphers for the pipe,
2183 3 April 2018: Wouter
2184 - Fix #4043: make test fails due to v6 presentation issue in macOS.
2185 - Fix unable to resolve after new WLAN connection, due to auth-zone
2186 failing with a forwarder set. Now, auth-zone is only used for
2187 answers (not referrals) when a forwarder is set.
2189 29 March 2018: Ralph
2190 - Check "result" in dup_all(), by Florian Obser.
2192 23 March 2018: Ralph
2193 - Fix unbound-control get_option aggressive-nsec
2195 21 March 2018: Ralph
2196 - Do not use cached NSEC records to generate negative answers for
2197 domains under DNSSEC Negative Trust Anchors.
2199 19 March 2018: Wouter
2202 16 March 2018: Wouter
2203 - corrected a minor typo in the changelog.
2204 - move htobe64/be64toh portability code to cachedb.c.
2206 15 March 2018: Wouter
2207 - Add --with-libhiredis, unbound support for a new cachedb backend
2208 that uses a Redis server as the storage. This implementation
2209 depends on the hiredis client library (https://redislabs.com/lp/hiredis/).
2210 And unbound should be built with both --enable-cachedb and
2211 --with-libhiredis[=PATH] (where $PATH/include/hiredis/hiredis.h
2212 should exist). Patch from Jinmei Tatuya (Infoblox).
2213 - Fix #3817: core dump happens in libunbound delete, when queued
2214 servfail hits deleted message queue.
2215 - Create additional tls service interfaces by opening them on other
2216 portnumbers and listing the portnumbers as additional-tls-port: nr.
2218 13 March 2018: Wouter
2219 - Fix typo in documentation.
2220 - Fix #3736: Fix 0 TTL domains stuck on SERVFAIL unless manually
2221 flushed with serve-expired on.
2223 12 March 2018: Wouter
2224 - Added documentation for aggressive-nsec: yes.
2225 - tag 1.7.0rc3. That became the 1.7.0 release on 15 Mar, trunk
2226 now has 1.7.1 in development.
2227 - Fix #3727: Protocol name is TLS, options have been renamed but
2228 documentation is not consistent.
2229 - Check IXFR start serial.
2231 9 March 2018: Wouter
2232 - Fix #3598: Fix swig build issue on rhel6 based system.
2233 configure --disable-swig-version-check stops the swig version check.
2235 8 March 2018: Wouter
2238 7 March 2018: Wouter
2239 - Fixed contrib/fastrpz.patch, even though this already applied
2240 cleanly for me, now also for others.
2241 - patch to log creates keytag queries, from A. Schulze.
2242 - patch suggested by Debian lintian: allow to -> allow one to, from
2244 - Attempt to remove warning about trailing whitespace.
2246 6 March 2018: Wouter
2247 - Reverted fix for #3512, this may not be the best way forward;
2248 although it could be changed at a later time, to stay similar to
2249 other implementations.
2250 - svn trunk contains 1.7.0, this is the number for the next release.
2251 - Fix for windows compile.
2254 5 March 2018: Wouter
2255 - Fix to check define of DSA for when openssl is without deprecated.
2257 - Fix #3582: Squelch address already in use log when reuseaddr option
2258 causes same port to be used twice for tcp connections.
2260 27 February 2018: Wouter
2261 - Fixup contrib/fastrpz.patch so that it applies.
2262 - Fix compile without threads, and remove unused variable.
2263 - Fix compile with staticexe and python module.
2264 - Fix nettle compile.
2266 22 February 2018: Ralph
2267 - Save wildcard RRset from answer with original owner for use in
2270 21 February 2018: Wouter
2271 - Fix #3512: unbound incorrectly reports SERVFAIL for CAA query
2272 when there is a CNAME loop.
2273 - Fix validation for CNAME loops. When it detects a cname loop,
2274 by finding the cname, cname in the existing list, it returns
2275 the partial result with the validation result up to then.
2276 - more robust cachedump rrset routine.
2278 19 February 2018: Wouter
2279 - Fix #3505: Documentation for default local zones references
2281 - Fix #3494: local-zone noview can be used to break out of the view
2282 to the global local zone contents, for queries for that zone.
2283 - Fix for more maintainable code in localzone.
2285 16 February 2018: Wouter
2286 - Fixes for clang static analyzer, the missing ; in
2287 edns-subnet/addrtree.c after the assert made clang analyzer
2288 produce a failure to analyze it.
2290 13 February 2018: Ralph
2291 - Aggressive NSEC tests
2293 13 February 2018: Wouter
2294 - tls-cert-bundle option in unbound.conf enables TLS authentication.
2297 12 February 2018: Wouter
2298 - Unit test for auth zone https url download.
2300 12 February 2018: Ralph
2301 - Added tests with wildcard expanded NSEC records (CVE-2017-15105 test)
2302 - Processed aggressive NSEC code review remarks Wouter
2304 8 February 2018: Ralph
2305 - Aggressive use of NSEC implementation. Use cached NSEC records to
2306 generate NXDOMAIN, NODATA and positive wildcard answers.
2308 8 February 2018: Wouter
2310 - auth zone url config.
2312 5 February 2018: Wouter
2313 - Fix #3451: dnstap not building when you have a separate build dir.
2314 And removed protoc warning, set dnstap.proto syntax to proto2.
2315 - auth-zone provides a way to configure RFC7706 from unbound.conf,
2316 eg. with auth-zone: name: "." for-downstream: no for-upstream: yes
2317 fallback-enabled: yes and masters or a zonefile with data.
2319 2 February 2018: Wouter
2320 - Fix unfreed locks in log and arc4random at exit of unbound.
2321 - unit test with valgrind
2322 - Fix lock race condition in dns cache dname synthesis.
2323 - lock subnet new item before insertion to please checklocks,
2324 no modification of critical regions outside of lock region.
2326 1 February 2018: Wouter
2327 - fix unaligned structure making a false positive in checklock
2330 29 January 2018: Ralph
2331 - Use NSEC with longest ce to prove wildcard absence.
2332 - Only use *.ce to prove wildcard absence, no longer names.
2334 25 January 2018: Wouter
2335 - ltrace.conf file for libunbound in contrib.
2337 23 January 2018: Wouter
2338 - Fix that unbound-checkconf -f flag works with auto-trust-anchor-file
2339 for startup scripts to get the full pathname(s) of anchor file(s).
2340 - Print fatal errors about remote control setup before log init,
2341 so that it is printed to console.
2343 22 January 2018: Wouter
2344 - Accept tls-upstream in unbound.conf, the ssl-upstream keyword is
2345 also recognized and means the same. Also for tls-port,
2346 tls-service-key, tls-service-pem, stub-tls-upstream and
2347 forward-tls-upstream.
2348 - Fix #3397: Fix that cachedb could return a partial CNAME chain.
2349 - Fix #3397: Fix that when the cache contains an unsigned DNAME in
2350 the middle of a cname chain, a result without the DNAME could
2353 19 January 2018: Wouter
2354 - tag 1.6.8 for release with CVE fix.
2355 - trunk has 1.6.9 with fix and previous commits.
2356 - patch for CVE-2017-15105: vulnerability in the processing of
2357 wildcard synthesized NSEC records.
2359 - make depend: code dependencies updated in Makefile.
2361 4 January 2018: Ralph
2362 - Copy query and correctly set flags on REFUSED answers when cache
2363 snooping is not allowed.
2365 3 January 2018: Ralph
2366 - Fix queries being leaked above stub when refetching glue.
2368 2 January 2017: Wouter
2369 - Fix that DS queries with referral replies are answered straight
2370 away, without a repeat query picking the DS from cache.
2371 The correct reply should have been an answer, the reply is fixed
2372 by the scrubber to have the answer in the answer section.
2373 - Remove clang optimizer disable,
2374 Fix that expiration date checks don't fail with clang -O2.
2376 15 December 2017: Wouter
2377 - Fix timestamp failure because of clang optimizer failure, by
2378 disabling -O2 when the compiler --version is clang.
2380 - Also disable -flto for clang, to make incep-expi signature check
2383 12 December 2017: Ralph
2384 - Fix qname-minimisation documentation (A QTYPE, not NS)
2386 12 December 2017: Wouter
2387 - authzone work, transfer connect.
2389 7 December 2017: Ralph
2390 - Check whether --with-libunbound-only is set when using --with-nettle
2393 4 December 2017: Wouter
2394 - Fix link failure on OmniOS.
2396 1 December 2017: Wouter
2399 30 November 2017: Wouter
2400 - Fix #3299 - forward CNAME daisy chain is not working
2402 14 November 2017: Wouter
2403 - Fix #2882: Unbound behaviour changes (wrong) when domain-insecure is
2404 set for stub zone. It no longer searches for DNSSEC information.
2405 - auth xfer work on probe timer and lookup.
2407 13 November 2017: Wouter
2408 - Fix #2801: Install libunbound.pc.
2409 - Fix qname minimisation to send AAAA queries at zonecut like type A.
2410 - reverted AAAA change.
2412 7 November 2017: Wouter
2413 - Fix #2492: Documentation libunbound.
2415 3 November 2017: Wouter
2416 - Fix #2362: TLS1.3/openssl-1.1.1 not working.
2417 - Fix #2034 - Autoconf and -flto.
2418 - Fix #2141 - for libsodium detect lack of entropy in chroot, print
2421 2 November 2017: Wouter
2422 - Fix #1913: ub_ctx_config is under circumstances thread-safe.
2423 - make ip-transparent option work on OpenBSD.
2425 31 October 2017: Wouter
2426 - Document that errno is left informative on libunbound config read
2431 25 October 2017: Ralph
2432 - Fixed libunbound manual typo.
2433 - Fix #1949: [dnscrypt] make provider name mismatch more obvious.
2434 - Fix #2031: Double included headers
2436 24 October 2017: Ralph
2437 - Update B root ipv4 address.
2439 19 October 2017: Wouter
2440 - authzone work, probe timer setup.
2442 18 October 2017: Wouter
2443 - lint for recent authzone commit.
2445 17 October 2017: Wouter
2446 - Fix #1749: With harden-referral-path: performance drops, due to
2447 circular dependency in NS and DS lookups.
2448 - [dnscrypt] prevent dnscrypt-secret-key, dnscrypt-provider-cert
2450 - [dnscrypt] introduce dnscrypt-provider-cert-rotated option,
2452 This option allows handling multiple cert/key pairs while only
2453 distributing some of them.
2454 In order to reliably match a client magic with a given key without
2455 strong assumption as to how those were generated, we need both key and
2456 cert. Likewise, in order to know which ES version should be used.
2457 On the other hand, when rotating a cert, it can be desirable to only
2458 serve the new cert but still be able to handle clients that are still
2459 using the old certs's public key.
2460 The `dnscrypt-provider-cert-rotated` allow to instruct unbound to not
2461 publish the cert as part of the DNS's provider_name's TXT answer.
2462 - Better documentation for cache-max-negative-ttl.
2463 - Work on local root zone code.
2465 10 October 2017: Wouter
2467 - trunk has version 1.6.8.
2469 6 October 2017: Wouter
2470 - Fix spelling in unbound-control man page.
2472 5 October 2017: Wouter
2473 - Fix trust-anchor-signaling works in libunbound.
2474 - Fix some more crpls in testdata for different signaling default.
2477 5 October 2017: Ralph
2478 - Set trust-anchor-signaling default to yes
2479 - Use RCODE from A query on DNS64 synthesized answer.
2481 2 October 2017: Wouter
2482 - Fix param unused warning for windows exportsymbol compile.
2484 25 September 2017: Ralph
2485 - Fix #1450: Generate again patch contrib/aaaa-filter-iterator.patch
2486 (by Danilo G. Baio).
2488 21 September 2017: Ralph
2489 - Log name of looping module
2491 19 September 2017: Wouter
2492 - use a cachedb answer even if it's "expired" when serve-expired is yes
2493 (patch from Jinmei Tatuya).
2494 - trigger refetching of the answer in that case (this will bypass
2496 - allow storing a 0-TTL answer from cachedb in the in-memory message
2497 cache when serve-expired is yes
2498 - Fix DNSCACHE_STORE_ZEROTTL to be bigger than 0xffff.
2500 18 September 2017: Ralph
2501 - Fix #1400: allowing use of global cache on ECS-forwarding unless
2504 18 September 2017: Wouter
2505 - tag 1.6.6 (is 1.6.6rc2)
2506 - Fix that looping modules always stop the query, and don't pass
2508 - Fix #1435: Please allow UDP to be disabled separately upstream and
2510 - Fix #1440: [dnscrypt] client nonce cache.
2512 15 September 2017: Wouter
2513 - Fix unbound-host to report error for DNSSEC state of failed lookups.
2514 - Spelling fixes, from Josh Soref.
2516 13 September 2017: Wouter
2517 - tag 1.6.6rc2, became 1.6.6 on 18 sep. trunk 1.6.7 in development.
2519 12 September 2017: Wouter
2520 - Add dns64 for client-subnet in unbound-checkconf.
2522 4 September 2017: Ralph
2523 - Fix #1412: QNAME minimisation strict mode not honored
2524 - Fix #1434: Fix windows openssl 1.1.0 linking.
2526 4 September 2017: Wouter
2528 - makedist fix for windows binaries, with openssl 1.1.0 windres fix,
2529 and expat 2.2.4 install target fix.
2531 1 September 2017: Wouter
2532 - Recommend 1472 buffer size in unbound.conf
2534 31 August 2017: Wouter
2535 - Fix #1424: cachedb:testframe is not thread safe.
2536 - For #1417: escape ; in dnscrypt tests.
2537 - but reverted that, tests fails with that escape.
2538 - Fix #1417: [dnscrypt] shared secret cache counters, and works when
2539 dnscrypt is not enabled. And cache size configuration option.
2541 - Fix #1418: [ip ratelimit] initialize slabhash using
2544 30 August 2017: Wouter
2545 - updated contrib/fastrpz.patch to apply with configparser changes.
2546 - Fix 1416: qname-minimisation breaks TLSA lookups with CNAMEs.
2548 29 August 2017: Wouter
2549 - Fix #1414: fix segfault on parse failure and log_replies.
2550 - zero qinfo in handle_request, this zeroes local_alias and also the
2552 - new keys and certs for dnscrypt tests.
2553 - fixup WKS test on buildhost without servicebyname.
2555 28 August 2017: Wouter
2556 - Fix #1415: patch to free dnscrypt environment on reload.
2557 - iana portlist update
2558 - Fix #1415: [dnscrypt] shared secret cache, patch from
2560 - Small fixes for the shared secret cache patch.
2561 - Fix WKS records on kvm autobuild host, with default protobyname
2562 entries for udp and tcp.
2564 23 August 2017: Wouter
2565 - Fix #1407: Add ECS options check to unbound-checkconf.
2567 - Fix to reclaim tcp handler when it is closed due to dnscrypt buffer
2570 22 August 2017: Wouter
2571 - Fix install of trust anchor when two anchors are present, makes both
2572 valid. Checks hash of DS but not signature of new key. This fixes
2573 the root.key file if created when unbound is installed between
2574 sep11 and oct11 2017.
2575 - tag 1.6.5 with pointrelease 1.6.5 (1.6.4 plus 5011 fix).
2576 - trunk version 1.6.6 in development.
2577 - Fix issue on macOX 10.10 where TCP fast open is detected but not
2578 implemented causing TCP to fail. The fix allows fallback to regular
2579 TCP in this case and is also more robust for cases where connectx()
2580 fails for some reason.
2581 - Fix #1402: squelch invalid argument error for fd_set_block on windows.
2583 10 August 2017: Wouter
2584 - Patch to show DNSCrypt status in help output, from Carsten
2587 8 August 2017: Wouter
2588 - Fix #1398: make cachedb secret configurable.
2589 - Remove spaces from Makefile.
2591 7 August 2017: Wouter
2592 - Fix #1397: Recursive DS lookups for AS112 zones names should recurse.
2594 3 August 2017: Ralph
2595 - Remove unused iter_env member (ip6arpa_dname)
2596 - Do not reset rrset.bogus stats when called using stats_noreset.
2597 - Added stats for queries that have been ratelimited by domain
2599 - Do not add rrset_bogus and query ratelimiting stats per thread, these
2600 module stats are global.
2602 3 August 2017: Wouter
2603 - Fix #1394: mix of serve-expired and response-ip could cause a crash.
2605 24 July 2017: Wouter
2606 - upgrade aclocal(pkg.m4 0.29.1), config.guess(2016-10-02),
2607 config.sub(2016-09-05).
2608 - annotate case statement fallthrough for gcc 7.1.1.
2609 - flex output from flex 2.6.1.
2610 - snprintf of thread number does not warn about truncated string.
2611 - squelch TCP fast open error on FreeBSD when kernel has it disabled,
2612 unless verbosity is high.
2613 - remove warning from windows compile.
2614 - Fix compile with libnettle
2615 - Fix DSA configure switch (--disable dsa) for libnettle and libnss.
2616 - Fix #1365: Add Ed25519 support using libnettle.
2617 - iana portlist update
2619 17 July 2017: Wouter
2620 - Fix #1350: make cachedb backend configurable (from JINMEI Tatuya).
2621 - Fix #1349: allow suppression of pidfiles (from Daniel Kahn Gillmor).
2622 With the -p option unbound does not create a pidfile.
2624 11 July 2017: Wouter
2625 - Fix #1344: RFC6761-reserved domains: test. and invalid.
2626 - Redirect all localhost names to localhost address for RFC6761.
2629 - Fix tests to use .tdir (from Manu Bretelle) instead of .tpkg.
2630 - Fix svn hooks for tdir (selected if testcode/mini_tdir.sh exists)..
2633 - Fix 1332: Bump verbosity of failed chown'ing of the control socket.
2636 - Fix for unbound-checkconf, check ipsecmod-hook if ipsecmod is turned
2638 - Fix #1331: libunbound segfault in threaded mode when context is
2640 - Fix pythonmod link line option flag.
2641 - Fix openssl 1.1.0 load of ssl error strings from ssl init.
2643 29 June 2017: Wouter
2644 - Fix python example0 return module wait instead of error for pass.
2645 - iana portlist update
2646 - enhancement for hardened-tls for DNS over TLS. Removed duplicated
2649 27 June 2017: Wouter
2650 - Tag 1.6.4 is created with the 1.6.4rc2 contents.
2651 - Trunk contains 1.6.5, with changes from 26, 27 june.
2652 - Remove signed unsigned warning from authzone.
2653 - Fix that infra cache host hash does not change after reconfig.
2655 26 June 2017: Wouter
2657 Better fixup of dnscrypt_cert_chacha test for different escapes.
2658 - First fix for zero b64 and hex text zone format in sldns.
2659 - unbound-control dump_infra prints port number for address if not 53.
2661 23 June 2017: Wouter
2662 - (for 1.6.5): fixup of dnscrypt_cert_chacha test (from Manu Bretelle).
2664 22 June 2017: Wouter
2668 - Added fastrpz patch to contrib
2670 21 June 2017: Wouter
2671 - Fix #1316: heap read buffer overflow in parse_edns_options.
2673 20 June 2017: Wouter
2674 - Fix warning in pythonmod under clang compiler.
2679 - Fix #1277: disable domain ratelimit by setting value to 0.
2681 16 June 2017: Wouter
2682 - Fix #1301: memory leak in respip and tests.
2683 - Free callback in edns-subnetmod on exit and restart.
2684 - Fix memory leak in sldns_buffer_new_frm_data.
2685 - Fix memory leak in dnscrypt config read.
2686 - Fix dnscrypt chacha cert support ifdefs.
2687 - Fix dnscrypt chacha cert unit test escapes in grep.
2688 - Remove asynclook tests that cause test and purifier problems.
2689 - Fix to unlock view in view test.
2691 15 June 2017: Wouter
2692 - Fix stub zone queries leaking to the internet for
2693 harden-referral-path ns checks.
2694 - Fix query for refetch_glue of stub leaking to internet.
2696 13 June 2017: Wouter
2697 - Fix #1279: Memory leak on reload when python module is enabled.
2698 - Fix #1280: Unbound fails assert when response from authoritative
2699 contains malformed qname. When 0x20 caps-for-id is enabled, when
2700 assertions are not enabled the malformed qname is handled correctly.
2701 - 1.6.3 tag created, with only #1280 fix, trunk is 1.6.4 development.
2702 - More fixes in depth for buffer checks in 0x20 qname checks.
2704 12 June 2017: Wouter
2705 - Fix #1278: Incomplete wildcard proof.
2708 - Added domain name based ECS whitelist.
2711 - Detect chacha for dnscrypt at configure time.
2712 - dnscrypt unit tests with chacha.
2715 - Fix that unbound-control can set val_clean_additional and val_permissive_mode.
2716 - Add dnscrypt XChaCha20 tests.
2719 - Add an explicit type cast for TCP FASTOPEN fix.
2720 - renumbering B-Root's IPv6 address to 2001:500:200::b.
2721 - Fix #1275: cached data in cachedb is never used.
2722 - Fix #1276: [dnscrypt] add XChaCha20-Poly1305 cipher.
2725 - Fix #1274: automatically trim chroot path from dnscrypt key/cert paths
2726 (from Manu Bretelle).
2729 - Fix fastopen EPIPE fallthrough to perform connect.
2732 - Also use global local-zones when there is a matching view that does
2733 not have any local-zone specified.
2736 - Fix #1273: cachedb.c doesn't compile with -Wextra.
2737 - If MSG_FASTOPEN gives EPIPE fallthrough to try normal tcp write.
2740 - Fix #1269: inconsistent use of built-in local zones with views.
2741 - Add defaults for new local-zone trees added to views using
2745 - Support for openssl EVP_DigestVerify.
2746 - Support for the ED25519 algorithm with openssl (from openssl 1.1.1).
2749 - Fix assertion for low buffer size and big edns payload when worker
2753 - Added redirect-bogus.patch to contrib directory.
2756 - Fix #1270: unitauth.c doesn't compile with higher warning level
2758 - exec_prefix is by default equal to prefix.
2759 - printout localzone for duplicate local-zone warnings.
2762 - authzone cname chain, no rrset duplicates, wildcard doesn't change
2763 rrsets added for cname chain.
2766 - first services/authzone check in, it compiles and reads and writes
2768 - iana portlist update
2771 - Fix #1268: SIGSEGV after log_reopen.
2774 - Fix #1265 to use /bin/kill.
2775 - Fix #1267: Libunbound validator/val_secalgo.c uses obsolete APIs,
2776 and compatibility with BoringSSL.
2779 - Fix #1265: contrib/unbound.service contains hardcoded path.
2782 - Use qstate's region for IPSECKEY rrset (ipsecmod).
2785 - Implemented opportunistic IPsec support module (ipsecmod).
2786 - Some whitespace fixup.
2789 - updated dependencies in the makefile.
2790 - document trust-anchor-signaling in example config file.
2791 - updated configure, dependencies and flex output.
2792 - better module memory lookup, fix of unbound-control shm names for
2793 module memory printout of statistics.
2794 - Fix type AVC sldns rrdef.
2797 - Adjust servfail by iterator to not store in cache when serve-expired
2798 is enabled, to avoid overwriting useful information there.
2799 - Fix queries for nameservers under a stub leaking to the internet.
2802 - Add 'c' to getopt() in testbound.
2803 - iana portlist update
2806 - Fix tcp-mss failure printout text.
2807 - Set SO_REUSEADDR on outgoing tcp connections to fix the bind before
2808 connect limited tcp connections. With the option tcp connections
2809 can share the same source port (for different destinations).
2812 - Added mesh_add_sub to add detached mesh entries.
2813 - Use mesh_add_sub for key tag signaling query.
2816 - Added test for leak of stub information.
2817 - Fix sldns wire2str printout of RR type CAA tags.
2818 - Fix sldns int16_data parse.
2819 - Fix sldns parse and printout of TSIG RRs.
2820 - sldns SMIMEA and AVC definitions, same as getdns definitions.
2823 - Fix #1259: "--disable-ecdsa" argument overwritten
2824 by "#ifdef SHA256_DIGEST_LENGTH@daemon/remote.c".
2825 - iana portlist update
2826 - Fix #1258: Windows 10 X64 unbound 1.6.2 service will not start.
2827 and fix that 64bit getting installed in C:\Program Files (x86).
2829 26 April 2017: Ralph
2830 - Implemented trust anchor signaling using key tag query.
2832 26 April 2017: Wouter
2833 - Based on #1257: check parse limit before t increment in sldns RR
2834 string parse routine.
2836 24 April 2017: Wouter
2837 - unbound-checkconf -o allows query of dnstap config variables.
2838 Also unbound-control get_option. Also for dnscrypt.
2839 - trunk contains 1.6.3 version number (changes from 1.6.2 back from
2840 when the 1.6.2rc1 tag has been created).
2842 21 April 2017: Ralph
2843 - Fix #1254: clarify ratelimit-{for,below}-domain (from Manu Bretelle).
2844 - iana portlist update
2846 18 April 2017: Ralph
2847 - Fix #1252: more indentation inconsistencies.
2848 - Fix #1253: unused variable in edns-subnet/addrtree.c:getbit().
2850 13 April 2017: Ralph
2851 - Added ECS unit test (from Manu Bretelle).
2852 - ECS documentation fix (from Manu Bretelle).
2854 13 April 2017: Wouter
2855 - Fix #1250: inconsistent indentation in services/listen_dnsport.c.
2857 - (for 1.6.3:) unbound.h exports the shm stats structures. They use
2858 type long long and no ifdefs, and ub_ before the typenames.
2860 12 April 2017: Wouter
2861 - subnet mem value is available in shm, also when not enabled,
2862 to make the struct easier to memmap by other applications,
2863 independent of the configuration of unbound.
2865 12 April 2017: Ralph
2866 - Fix #1247: unbound does not shorten source prefix length when
2868 - Properly check for allocation failure in local_data_find_tag_datas.
2869 - Fix #1249: unbound doesn't return FORMERR to bogus ECS.
2870 - Set SHM ECS memory usage to 0 when module not loaded.
2872 11 April 2017: Ralph
2873 - Display ECS module memory usage.
2875 10 April 2017: Wouter
2876 - harden-algo-downgrade: no also makes unbound more lenient about
2877 digest algorithms in DS records.
2879 10 April 2017: Ralph
2880 - Remove ECS option after REFUSED answer.
2881 - Fix small memory leak in edns_opt_copy_alloc.
2882 - Respip dereference after NULL check.
2883 - Zero initialize addrtree allocation.
2884 - Use correct identifier for SHM destroy.
2886 7 April 2017: George
2887 - Fix pythonmod for cb changes.
2888 - Some whitespace fixup.
2891 - Unlock view in respip unit test
2894 - Generalise inplace callback (de)registration
2895 - (de)register inplace callbacks for module id
2896 - No unbound-control set_option for ECS options
2897 - Deprecated client-subnet-opcode config option
2898 - Introduced client-subnet-always-forward config option
2899 - Changed max-client-subnet-ipv6 default to 56 (as in RFC)
2900 - Removed extern ECS config options
2901 - module_restart_next now calls clear on all following modules
2902 - Also create ECS module qstate on module_event_pass event
2903 - remove malloc from inplace_cb_register
2905 6 April 2017: Wouter
2906 - Small fixup for documentation.
2907 - iana portlist update
2908 - Fix respip for braces when locks arent used.
2909 - Fix pythonmod for cb changes.
2911 4 April 2017: Wouter
2912 - Fix #1244: document that use of chroot requires trust anchor file to
2914 - iana portlist update
2917 - Do not add current time twice to TTL before ECS cache store.
2918 - Do not touch rrset cache after ECS cache message generation.
2919 - Use LDNS_EDNS_CLIENT_SUBNET as default ECS opcode.
2921 3 April 2017: Wouter
2922 - Fix #1217: Add metrics to unbound-control interface showing
2923 crypted, cert request, plaintext and malformed queries (from
2925 - iana portlist update
2927 27 March 2017: Wouter
2928 - Remove (now unused) event2 include from dnscrypt code.
2930 24 March 2017: George
2931 - Fix to prevent non-referal query from being cached as referal when the
2932 no_cache_store flag was set.
2934 23 March 2017: Wouter
2935 - Fix #1239: configure fails to find python distutils if python
2938 22 March 2017: Wouter
2939 - Fix #1238: segmentation fault when adding through the remote
2940 interface a per-view local zone to a view with no previous
2941 (configured) local zones.
2942 - Fix #1229: Systemd service sandboxing, options in wrong sections.
2944 21 March 2017: Ralph
2945 - Merge EDNS Client subnet implementation from feature branch into main
2946 branch, using new EDNS processing framework.
2948 21 March 2017: Wouter
2949 - Fix doxygen for dnscrypt files.
2951 20 March 2017: Wouter
2952 - #1217. DNSCrypt support, with --enable-dnscrypt, libsodium and then
2953 enabled in the config file from Manu Bretelle.
2954 - make depend, autoconf, remove warnings about statement before var.
2955 - lru_demote and lruhash_insert_or_retrieve functions for getdns.
2956 - fixup for lruhash (whitespace and header file comment).
2959 17 March 2017: Wouter
2960 - Patch for view functionality for local-data-ptr from Björn Ketelaars.
2961 - Fix #1237 - Wrong resolving in chain, for norec queries that get
2964 16 March 2017: Wouter
2965 - Fix that SHM is not inited if not enabled.
2966 - Add trustanchor.unbound CH TXT that gets a response with a number
2967 of TXT RRs with a string like "example.com. 2345 1234" with
2968 the trust anchors and their keytags.
2969 - Fix that looped DNAMEs do not cause unbound to spend effort.
2970 - trustanchor tags are sorted. reusable routine to fetch taglist.
2972 13 March 2017: Wouter
2973 - testbound understands Deckard MATCH rcode question answer commands.
2974 - Fix #1235: Fix too long DNAME expansion produces SERVFAIL instead
2975 of YXDOMAIN + query loop, reported by Petr Spacek.
2977 10 March 2017: Wouter
2978 - Fix #1234: shortening DNAME loop produces duplicate DNAME records
2981 9 March 2017: Wouter
2982 - --disable-sha1 disables SHA1 support in RRSIG, so from DNSKEY and
2983 DS records. NSEC3 is not disabled.
2984 - fake-sha1 test option; print warning if used. To make unit tests.
2985 - unbound-control list local zone and data commands listed in the
2988 8 March 2017: Wouter
2989 - make depend for build dependencies.
2990 - swig version 2.0.1 required.
2991 - fix enum conversion warnings
2993 7 March 2017: Wouter
2994 - Fix #1230: swig version 2.0.0 is required for pythonmod, with
2995 1.3.40 it crashes when running repeatly unbound-control reload.
2996 - Response actions based on IP address from Jinmei Tatuya (Infoblox).
2998 6 March 2017: Wouter
2999 - Fix #1229: Systemd service sandboxing in contrib/unbound.service.
3000 - iana portlist update
3002 28 February 2017: Ralph
3003 - Fix testpkts.c, check if DO bit is set, not only if there is an OPT
3006 28 February 2017: Wouter
3007 - For #1227: if we have sha256, set the cipher list to have no
3010 27 February 2017: Wouter
3011 - Fix #1227: Fix that Unbound control allows weak ciphersuits.
3012 - Fix #1226: provide official 32bit binary for windows.
3014 24 February 2017: Wouter
3015 - include sys/time.h for new shm code on NetBSD.
3017 23 February 2017: Wouter
3018 - Fix doc/CNAME-basedRedirectionDesignNotes.pdf zone static to
3020 - Patch from Luiz Fernando Softov for Stats Shared Memory.
3021 - unbound-control stats_shm command prints stats using shared memory,
3022 which uses less cpu.
3023 - make depend, autoconf, doxygen and lint fixed up.
3025 22 February 2017: Wouter
3026 - Fix #1224: Fix that defaults should not fall back to "Program Files
3027 (x86) if Unbound is 64bit by default on windows.
3029 21 February 2017: Wouter
3030 - iana portlist update
3032 16 February 2017: Wouter
3033 - sldns updated for vfixed and buffer resize indication from getdns.
3035 15 February 2017: Wouter
3036 - sldns has ED25519 and ED448 algorithm number and name for display.
3038 14 February 2017: Wouter
3039 - tag 1.6.1rc3. -- which became 1.6.1 on 21feb, trunk has 1.6.2
3041 13 February 2017: Wouter
3042 - Fix autoconf of systemd check for lack of pkg-config.
3044 10 February 2017: Wouter
3045 - Fix pythonmod for typedef changes.
3046 - Fix dnstap for warning of set but not used.
3049 9 February 2017: Wouter
3052 8 February 2017: Wouter
3053 - Fix for type name change and fix warning on windows compile.
3055 7 February 2017: Wouter
3056 - Include root trust anchor id 20326 in unbound-anchor.
3058 6 February 2017: Wouter
3059 - Fix compile on solaris of the fix to use $host detect.
3061 4 February 2017: Wouter
3062 - fix root_anchor test for updated icannbundle.pem lower certificates.
3064 26 January 2017: Wouter
3065 - Fix 1211: Fix can't enable interface-automatic if no IPv6 with
3066 more helpful error message.
3068 20 January 2017: Wouter
3069 - Increase MAX_MODULE to 16.
3071 19 January 2017: Wouter
3072 - Fix to Rename ub_callback_t to ub_callback_type, because POSIX
3073 reserves _t typedefs.
3074 - Fix to rename internally used types from _t to _type, because _t
3075 type names are reserved by POSIX.
3076 - iana portlist update
3078 12 January 2017: Wouter
3079 - Fix to also block meta types 128 through to 248 with formerr.
3080 - Fix #1206: Some view-related commands are missing from 'unbound-control -h'
3082 9 January 2017: Wouter
3083 - Fix #1202: Fix code comment that packed_rrset_data is not always
3086 6 January 2017: Wouter
3087 - Fix #1201: Fix missing unlock in answer_from_cache error condition.
3089 5 January 2017: Wouter
3090 - Fix to return formerr for queries for meta-types, to avoid
3091 packet amplification if this meta-type is sent on to upstream.
3092 - Fix #1184: Log DNS replies. This includes the same logging
3093 information that DNS queries and response code and response size,
3094 patch from Larissa Feng.
3095 - Fix #1187: Source IP rate limiting, patch from Larissa Feng.
3097 3 January 2017: Wouter
3098 - configure --enable-systemd and lets unbound use systemd sockets if
3099 you enable use-systemd: yes in unbound.conf.
3100 Also there are contrib/unbound.socket and contrib/unbound.service:
3101 systemd files for unbound, install them in /usr/lib/systemd/system.
3102 Contributed by Sami Kerola and Pavel Odintsov.
3103 - Fix reload chdir failure when also chrooted to that directory.
3105 2 January 2017: Wouter
3106 - Fix #1194: Cross build fails when $host isn't `uname` for getentropy.
3108 23 December 2016: Ralph
3109 - Fix #1190: Do not echo back EDNS options in local-zone error response.
3110 - iana portlist update
3112 21 December 2016: Ralph
3113 - Fix #1188: Unresolved symbol 'fake_dsa' in libunbound.so when built
3116 19 December 2016: Ralph
3117 - Fix #1191: remove comment about view deletion.
3119 15 December 2016: Wouter
3120 - iana portlist update
3121 - 64bit is default for windows builds.
3122 - Fix inet_ntop and inet_pton warnings in windows compile.
3124 14 December 2016: Wouter
3125 - Fix #1178: attempt to fix setup error at end, pop result values
3128 13 December 2016: Wouter
3129 - Fix #1182: Fix Resource leak (socket), at startup.
3130 - Fix unbound-control and ipv6 only.
3132 9 December 2016: Wouter
3133 - Fix #1176: stack size too small for Alpine Linux.
3135 8 December 2016: Wouter
3136 - Fix downcast warnings from visual studio in sldns code.
3137 - tag 1.6.0rc1 which became 1.6.0 on 15 dec, and trunk is 1.6.1.
3139 7 December 2016: Ralph
3140 - Add DSA support for OpenSSL 1.1.0
3141 - Fix remote control without cert for LibreSSL
3143 6 December 2016: George
3144 - Added generic EDNS code for registering known EDNS option codes,
3145 bypassing the cache response stage and uniquifying mesh states. Four EDNS
3146 option lists were added to module_qstate (module_qstate.edns_opts_*) to
3147 store EDNS options from/to front/back side.
3148 - Added two flags to module_qstate (no_cache_lookup, no_cache_store) that
3149 control the modules' cache interactions.
3150 - Added code for registering inplace callback functions. The registered
3151 functions can be called just before replying with local data or Chaos,
3152 replying from cache, replying with SERVFAIL, replying with a resolved
3153 query, sending a query to a nameserver. The functions can inspect the
3154 available data and maybe change response/query related data (i.e. append
3156 - Updated Python module for the above.
3157 - Updated Python documentation.
3159 5 December 2016: Ralph
3160 - Fix #1173: differ local-zone type deny from unset
3161 tag_actions element.
3163 5 December 2016: Wouter
3164 - Fix #1170: document that 'inform' local-zone uses local-data.
3166 1 December 2016: Ralph
3167 - hyphen as minus fix, by Andreas Schulze
3169 30 November 2016: Ralph
3170 - Added local-zones and local-data bulk addition and removal
3171 functionality in unbound-control (local_zones, local_zones_remove,
3172 local_datas and local_datas_remove).
3173 - iana portlist update
3175 29 November 2016: Wouter
3176 - version 1.6.0 is in the development branch.
3177 - braces in view.c around lock statements.
3179 28 November 2016: Wouter
3182 25 November 2016: Wouter
3183 - Fix that with openssl 1.1 control-use-cert: no uses less cpu, by
3184 using no encryption over the unix socket.
3186 22 Novenber 2016: Ralph
3187 - Make access-control-tag-data RDATA absolute. This makes the RDATA
3188 origin consistent between local-data and access-control-tag-data.
3189 - Fix NSEC ENT wildcard check. Matching wildcard does not have to be a
3190 subdomain of the NSEC owner.
3191 - QNAME minimisation uses QTYPE=A, therefore always check cache for
3192 this type in harden-below-nxdomain functionality.
3193 - Added unit test for QNAME minimisation + harden below nxdomain
3196 22 November 2016: Wouter
3197 - iana portlist update.
3198 - Fix unit tests for DS hash processing for fake-dsa test option.
3199 - patch from Dag-Erling Smorgrav that removes code that relies
3202 21 November 2016: Wouter
3203 - Fix #1158: reference RFC 8020 "NXDOMAIN: There Really Is Nothing
3204 Underneath" for the harden-below-nxdomain option.
3206 10 November 2016: Ralph
3207 - Fix #1155: test status code of unbound-control in 04-checkconf,
3208 not the status code from the tee command.
3210 4 November 2016: Ralph
3211 - Added stub-ssl-upstream and forward-ssl-upstream options.
3213 4 November 2016: Wouter
3214 - configure detects ssl security level API function in the autoconf
3215 manner. Every function on its own, so that other libraries (eg.
3216 LibreSSL) can develop their API without hindrance.
3217 - Fix #1154: segfault when reading config with duplicate zones.
3218 - Note that for harden-below-nxdomain the nxdomain must be secure,
3219 this means nsec3 with optout is insufficient.
3221 3 November 2016: Ralph
3222 - Set OpenSSL security level to 0 when using aNULL ciphers.
3224 3 November 2016: Wouter
3225 - .gitattributes line for githubs code language display.
3226 - log-identity: config option to set sys log identity, patch from
3227 "Robin H. Johnson" <robbat2@gentoo.org>
3229 2 November 2016: Wouter
3230 - iana portlist update.
3232 31 October 2016: Wouter
3233 - Fix failure to build on arm64 with no sbrk.
3234 - iana portlist update.
3236 28 October 2016: Wouter
3237 - Patch for server.num.zero_ttl stats for count of expired replies,
3238 from Pavel Odintsov.
3240 26 October 2016: Wouter
3241 - Fix unit tests for openssl 1.1, with no DSA, by faking DSA, enabled
3242 with the undocumented switch 'fake-dsa'. It logs a warning.
3244 25 October 2016: Wouter
3245 - Fix #1134: unbound-control set_option -- val-override-date: -1 works
3246 immediately to ignore datetime, or back to 0 to enable it again.
3247 The -- is to ignore the '-1' as an option flag.
3249 24 October 2016: Wouter
3250 - serve-expired config option: serve expired responses with TTL 0.
3251 - g.root-servers.net has AAAA address.
3253 21 October 2016: Wouter
3254 - Ported tests for local_cname unit test to testbound framework.
3256 20 October 2016: Wouter
3257 - suppress compile warning in lex files.
3258 - init lzt variable, for older gcc compiler warnings.
3259 - fix --enable-dsa to work, instead of copying ecdsa enable.
3260 - Fix DNSSEC validation of query type ANY with DNAME answers.
3261 - Fixup query_info local_alias init.
3263 19 October 2016: Wouter
3264 - Fix #1130: whitespace in example.conf.in more consistent.
3266 18 October 2016: Wouter
3267 - Patch that resolves CNAMEs entered in local-data conf statements that
3268 point to data on the internet, from Jinmei Tatuya (Infoblox).
3269 - Removed patch comments from acllist.c and msgencode.c
3270 - Added documentation doc/CNAME-basedRedirectionDesignNotes.pdf,
3271 from Jinmei Tatuya (Infoblox).
3272 - Fix #1125: unbound could reuse an answer packet incorrectly for
3273 clients with different EDNS parameters, from Jinmei Tatuya.
3274 - Fix #1118: libunbound.pc sets strange Libs, Libs.private values.
3275 - Added Requires line to libunbound.pc
3276 - Please doxygen by modifying mesh.h
3278 17 October 2016: Wouter
3279 - Re-fix #839 from view commit overwrite.
3280 - Fixup const void cast warning.
3282 12 October 2016: Ralph
3283 - Free view config elements.
3285 11 October 2016: Ralph
3286 - Added qname-minimisation-strict config option.
3287 - iana portlist update.
3288 - fix memoryleak logfile when in debug mode.
3290 5 October 2016: Ralph
3291 - Added views functionality.
3292 - Fix #1117: spelling errors, from Robert Edmonds.
3294 30 September 2016: Wouter
3295 - Fix Nits for 1.5.10 reported by Dag-Erling Smorgrav.
3297 29 September 2016: Wouter
3298 - Fix #838: 1.5.10 cannot be built on Solaris, undefined PATH_MAX.
3299 - Fix #839: Memory grows unexpectedly with large RPZ files.
3300 - Fix #840: infinite loop in unbound_munin_ plugin on unowned lockfile.
3301 - Fix #841: big local-zone's make it consume large amounts of memory.
3303 27 September 2016: Wouter
3304 - tag for 1.5.10 release
3305 - trunk contains 1.5.11 in development.
3306 - Fix dnstap relaying "random" messages instead of resolver/forwarder
3307 responses, from Nikolay Edigaryev.
3308 - Fix #836: unbound could echo back EDNS options in an error response.
3310 20 September 2016: Wouter
3311 - iana portlist update.
3312 - Fix #835: fix --disable-dsa with nettle verify.
3313 - tag for 1.5.10rc1 release.
3315 15 September 2016: Wouter
3316 - Fix 883: error for duplicate local zone entry.
3317 - Test for openssl init_crypto and init_ssl functions.
3319 15 September 2016: Ralph
3320 - fix potential memory leak in daemon/remote.c and nullpointer
3321 dereference in validator/autotrust.
3322 - iana portlist update.
3324 13 September 2016: Wouter
3325 - Silenced flex-generated sign-unsigned warning print with gcc
3327 - Fix for new splint on FreeBSD. Fix cast for sockaddr_un.sun_len.
3329 9 September 2016: Wouter
3330 - Fix #831: workaround for spurious fread_chk warning against petal.c
3332 5 September 2016: Ralph
3333 - Take configured minimum TTL into consideration when reducing TTL
3334 to original TTL from RRSIG.
3336 5 September 2016: Wouter
3337 - Fix #829: doc of sldns_wire2str_rdata_buf() return value has an
3338 off-by-one typo, from Jinmei Tatuya (Infoblox).
3339 - Fix incomplete prototypes reported by Dag-Erling Smørgrav.
3340 - Fix #828: missing type in access-control-tag-action redirect results
3343 2 September 2016: Wouter
3344 - Fix compile with openssl 1.1.0 with api=1.1.0.
3346 1 September 2016: Wouter
3347 - RFC 7958 is now out, updated docs for unbound-anchor.
3348 - Fix for compile without warnings with openssl 1.1.0.
3349 - Fix #826: Fix refuse_non_local could result in a broken response.
3350 - iana portlist update.
3352 29 August 2016: Wouter
3353 - Fix #777: OpenSSL 1.1.0 compatibility, patch from Sebastian A.
3355 - Add default root hints for IPv6 E.ROOT-SERVERS.NET, 2001:500:a8::e.
3357 25 August 2016: Ralph
3358 - Clarify local-zone-override entry in unbound.conf.5
3360 25 August 2016: Wouter
3361 - 64bit build option for makedist windows compile, -w64.
3363 24 August 2016: Ralph
3364 - Fix #820: set sldns_str2wire_rr_buf() dual meaning len parameter
3365 in each iteration in find_tag_datas().
3366 - unbound.conf.5 entries for define-tag, access-control-tag,
3367 access-control-tag-action, access-control-tag-data, local-zone-tag,
3368 and local-zone-override.
3370 23 August 2016: Wouter
3371 - Fix #804: unbound stops responding after outage. Fixes queries
3372 that attempt to wait for an empty list of subqueries.
3373 - Fix #804: lower num_target_queries for iterator also for failed
3376 8 August 2016: Wouter
3377 - Note that OPENPGPKEY type is RFC 7929.
3379 4 August 2016: Wouter
3380 - Fix #807: workaround for possible some "unused" function parameters
3381 in test code, from Jinmei Tatuya.
3383 3 August 2016: Wouter
3384 - use sendmsg instead of sendto for TFO.
3386 28 July 2016: Wouter
3387 - Fix #806: wrong comment removed.
3389 26 July 2016: Wouter
3390 - nicer ratelimit-below-domain explanation.
3392 22 July 2016: Wouter
3393 - Fix #801: missing error condition handling in
3394 daemon_create_workers().
3395 - Fix #802: workaround for function parameters that are "unused"
3397 - Fix #803: confusing (and incorrect) code comment in daemon_cleanup().
3399 20 July 2016: Wouter
3400 - Fix typo in unbound.conf.
3402 18 July 2016: Wouter
3403 - Fix #798: Client-side TCP fast open fails (Linux).
3405 14 July 2016: Wouter
3406 - TCP Fast open patch from Sara Dickinson.
3407 - Fixed unbound.doxygen for 1.8.11.
3410 - access-control-tag-data implemented. verbose(4) prints tag debug.
3413 - Fix dynamic link of anchor-update.exe on windows.
3414 - Fix detect of mingw for MXE package build.
3415 - Fixes for 64bit windows compile.
3416 - Fix #788 for nettle 3.0: Failed to build with Nettle >= 3.0 and
3417 --with-libunbound-only --with-nettle.
3420 - For #787: prefer-ip6 option for unbound.conf prefers to send
3421 upstream queries to ipv6 servers.
3422 - Fix #787: outgoing-interface netblock/64 ipv6 option to use linux
3423 freebind to use 64bits of entropy for every query with random local
3426 30 June 2016: Wouter
3427 - Document always_transparent, always_refuse, always_nxdomain types.
3429 29 June 2016: Wouter
3430 - Fix static compile on windows missing gdi32.
3432 28 June 2016: Wouter
3433 - Create a pkg-config file for libunbound in contrib.
3435 27 June 2016: Wouter
3436 - Fix #784: Build configure assumess that having getpwnam means there
3437 is endpwent function available.
3438 - Updated repository with newer flex and bison output.
3441 - Possibility to specify local-zone type for an acl/tag pair
3442 - Possibility to specify (override) local-zone type for a source address
3445 - Decrease dp attempts at each QNAME minimisation iteration
3447 16 June 2016: Wouter
3448 - Fix tcp timeouts in tv.usec.
3450 15 June 2016: Wouter
3451 - TCP_TIMEOUT is specified in milliseconds.
3452 - If more than half of tcp connections are in use, a shorter timeout
3453 is used (200 msec, vs 2 minutes) to pressure tcp for new connects.
3456 - QNAME minimisation unit test for dropped QTYPE=A queries.
3458 14 June 2016: Wouter
3459 - Fix 775: unbound-host and unbound-anchor crash on windows, ignore
3460 null delete for wsaevent.
3461 - Fix spelling in freebind option man page text.
3462 - Fix windows link of ssl with crypt32.
3463 - Fix 779: Union casting is non-portable.
3464 - Fix 780: MAP_ANON not defined in HP-UX 11.31.
3465 - Fix 781: prealloc() is an HP-UX system library call.
3468 - Use QTYPE=A for QNAME minimisation.
3469 - Keep track of number of time-outs when performing QNAME minimisation.
3470 Stop minimising when number of time-outs for a QNAME/QTYPE pair is
3473 13 June 2016: Wouter
3474 - Fix #778: unbound 1.5.9: -h segfault (null deref).
3475 - Fix directory: fix for unbound-checkconf, it restores cwd.
3477 10 June 2016: Wouter
3478 - And delete service.conf.shipped on uninstall.
3479 - In unbound.conf directory: dir immediately changes to that directory,
3480 so that include: file below that is relative to that directory.
3481 With chroot, make the directory an absolute path inside chroot.
3482 - keep debug symbols in windows build.
3483 - do not delete service.conf on windows uninstall.
3484 - document directory immediate fix and allow EXECUTABLE syntax in it
3488 - Trunk is called 1.5.10 (with previous fixes already in there to 2
3490 - Revert fix for NetworkService account on windows due to breakage
3492 - Fix that windows install will not overwrite existing service.conf
3493 file (and ignore gui config choices if it exists).
3496 - Lookup localzones by taglist from acl.
3497 - Possibility to lookup local_zone, regardless the taglist.
3498 - Added local_zone/taglist/acl unit test.
3501 - Fix #773: Non-standard Python location build failure with pyunbound.
3502 - Improve threadsafety for openssl 0.9.8 ecdsa dnssec signatures.
3505 - Better help text from -h (from Ray Griffith).
3506 - access-control-tag config directive.
3507 - local-zone-override config directive.
3508 - access-control-tag-action and access-control-tag-data config
3510 - free acl-tags, acltag-action and acltag-data config lists during
3511 initialisation to free up memory for more entries.
3514 - Fix to not ignore return value of chown() in daemon startup.
3517 - Fix libubound for edns optlist feature.
3518 - Fix distinction between free and CRYPTO_free in dsa and ecdsa alloc.
3519 - Fix #752: retry resource temporarily unavailable on control pipe.
3520 - un-document localzone tags.
3521 - tag for release 1.5.9rc1.
3522 And this also became release 1.5.9.
3523 - Fix (for 1.5.10): Fix unbound-anchor.exe file location defaults to
3524 Program Files with (x86) appended.
3525 - re-documented localzone tags in example.conf.
3528 - Fix windows service to be created run with limited rights, as a
3529 network service account, from Mario Turschmann.
3530 - compat strsep implementation.
3531 - generic edns option parse and store code.
3532 - and also generic edns options for upstream messages (and replies).
3533 after parse use edns_opt_find(edns.opt_list, LDNS_EDNS_NSID),
3534 to insert use edns_opt_append(edns, region, code, len, bindata) on
3535 the opt_list passed to send_query, or in edns_opt_inplace_reply.
3538 - Fix time in case answer comes from cache in ub_resolve_event().
3539 - Attempted fix for #765: _unboundmodule missing for python3.
3542 - Fix #770: Small subgroup attack on DH used in unix pipe on localhost
3543 if unbound control uses a unix local named pipe.
3544 - Document write permission to directory of trust anchor needed.
3545 - Fix #768: Unbound Service Sometimes Can Not Shutdown
3546 Completely, WER Report Shown Up. Close handle before closing WSA.
3549 - Updated patch from Charles Walker.
3552 - disable-dnssec-lame-check config option from Charles Walker.
3553 - remove memory leak from lame-check patch.
3554 - iana portlist update.
3557 - Fix #767: Reference to an expired Internet-Draft in
3558 harden-below-nxdomain documentation.
3561 - No QNAME minimisation fall-back for NXDOMAIN answers from DNSSEC
3563 - iana portlist update.
3566 - Fix #766: dns64 should synthesize results on timeout/errors.
3569 - Fix #761: DNSSEC LAME false positive resolving nic.club.
3572 - trunk updated with output of flex 2.6.0.
3575 - Fix memory leak in out-of-memory conditions of local zone add.
3577 29 April 2016: Wouter
3578 - Fix sldns with static checking fixes copied from getdns.
3580 28 April 2016: Wouter
3581 - Fix #759: 0x20 capsforid no longer checks type PTR, for
3582 compatibility with cisco dns guard. This lowers false positives.
3584 18 April 2016: Wouter
3585 - Fix some malformed responses to edns queries get fallback to nonedns.
3587 15 April 2016: Wouter
3588 - cachedb module event handling design.
3590 14 April 2016: Wouter
3591 - cachedb module framework (empty).
3592 - iana portlist update.
3594 12 April 2016: Wouter
3595 - Fix #753: document dump_requestlist is for first thread.
3597 24 March 2016: Wouter
3598 - Document permit-small-holddown for 5011 debug.
3599 - Fix #749: unbound-checkconf gets SIGSEGV when use against a
3600 malformatted conf file.
3602 23 March 2016: Wouter
3603 - OpenSSL 1.1.0 portability, --disable-dsa configure option.
3605 21 March 2016: Wouter
3606 - Fix compile of getentropy_linux for SLES11 servicepack 4.
3607 - Fix dnstap-log-resolver-response-messages, from Nikolay Edigaryev.
3608 - Fix test for openssl to use HMAC_Update for 1.1.0.
3609 - acx_nlnetlabs.m4 to v33, with HMAC_Update.
3610 - acx_nlnetlabs.m4 to v34, with -ldl -pthread test for libcrypto.
3611 - ERR_remove_state deprecated since openssl 1.0.0.
3612 - OPENSSL_config is deprecated, removing.
3614 18 March 2016: Ralph
3615 - Validate QNAME minimised NXDOMAIN responses.
3616 - If QNAME minimisation is enabled, do cache lookup for QTYPE NS in
3617 harden-below-nxdomain.
3619 17 March 2016: Ralph
3620 - Limit number of QNAME minimisation iterations.
3622 17 March 2016: Wouter
3623 - Fix #746: Fix unbound sets CD bit on all forwards.
3624 If no trust anchors, it'll not set CD bit when forwarding to another
3625 server. If a trust anchor, no CD bit on the first attempt to a
3626 forwarder, but CD bit thereafter on repeated attempts to get DNSSEC.
3627 - iana portlist update.
3629 16 March 2016: Wouter
3630 - Fix ip-transparent for ipv6 on FreeBSD, thanks to Nick Hibma.
3631 - Fix ip-transparent for tcp on freebsd.
3633 15 March 2016: Wouter
3634 - ip_freebind: yesno option in unbound.conf sets IP_FREEBIND for
3635 binding to an IP address while the interface or address is down.
3637 14 March 2016: Wouter
3638 - Fix warnings in ifdef corner case, older or unknown libevent.
3639 - Fix compile for ub_event code with older libev.
3641 11 March 2016: Wouter
3642 - Remove warning about unused parameter in event_pluggable.c.
3643 - Fix libev usage of dispatch return value.
3644 - No side effects in tolower() call, in case it is a macro.
3645 - For test put free in pluggable api in parenthesis.
3647 10 March 2016: Wouter
3648 - Fixup backend2str for libev.
3650 09 March 2016: Willem
3651 - User defined pluggable event API for libunbound
3652 - Fixup of compile fix for pluggable event API from P.Y. Adi
3655 09 March 2016: Wouter
3656 - Updated configure and ltmain.sh.
3657 - Updated L root IPv6 address.
3659 07 March 2016: Wouter
3660 - Fix #747: assert in outnet_serviced_query_stop.
3661 - iana ports fetched via https.
3662 - iana portlist update.
3664 03 March 2016: Wouter
3665 - configure tests for the weak attribute support by the compiler.
3667 02 March 2016: Wouter
3669 - trunk contains 1.5.9 in development.
3670 - iana portlist update.
3671 - Fix #745: unbound.py - idn2dname throws UnicodeError when idnname
3672 contains trailing dot.
3674 24 February 2016: Wouter
3675 - Fix OpenBSD asynclook lock free that gets used later (fix test code).
3676 - Fix that NSEC3 negative cache is used when there is no salt.
3678 23 February 2016: Wouter
3679 - ub_ctx_set_stub() function for libunbound to config stub zones.
3680 - sorted ubsyms.def file with exported libunbound functions.
3682 19 February 2016: Wouter
3683 - Print understandable debug log when unusable DS record is seen.
3684 - load gost algorithm if digest is seen before key algorithm.
3685 - iana portlist update.
3687 17 February 2016: Wouter
3688 - Fix that "make install" fails due to "text file busy" error.
3690 16 February 2016: Wouter
3691 - Set IPPROTO_IP6 for ipv6 sockets otherwise invalid argument error.
3693 15 February 2016: Wouter
3694 - ip-transparent option for FreeBSD with IP_BINDANY socket option.
3695 - wait for sendto to drain socket buffers when they are full.
3697 9 February 2016: Wouter
3698 - Test for type OPENPGPKEY.
3699 - insecure-lan-zones: yesno config option, patch from Dag-Erling
3702 8 February 2016: Wouter
3703 - Fix patch typo in prevuous commit for 734 from Adi Prasaja.
3704 - RR Type CSYNC support RFC 7477, in debug printout and config input.
3705 - RR Type OPENPGPKEY support (draft-ietf-dane-openpgpkey-07).
3707 29 January 2016: Wouter
3708 - Neater cmdline_verbose increment patch from Edgar Pettijohn.
3710 27 January 2016: Wouter
3711 - Made netbsd sendmsg test nonfatal, in case of false positives.
3712 - Fix #741: log message for dnstap socket connection is more clear.
3714 26 January 2016: Wouter
3715 - Fix #734: chown the pidfile if it resides inside the chroot.
3716 - Use arc4random instead of random in tests (because it is
3717 available, possibly as compat, anyway).
3718 - Fix cmsg alignment for argument to sendmsg on NetBSD.
3719 - Fix that unbound complains about unimplemented IP_PKTINFO for
3720 sendmsg on NetBSD (for interface-automatic).
3722 25 January 2016: Wouter
3723 - Fix #738: Swig should not be invoked with CPPFLAGS.
3725 19 January 2016: Wouter
3726 - Squelch 'cannot assign requested address' log messages unless
3727 verbosity is high, it was spammed after network down.
3729 14 January 2016: Wouter
3730 - Fix to simplify empty string checking from Michael McConville.
3731 - iana portlist update.
3733 12 January 2016: Wouter
3734 - Fix #734: Do not log an error when the PID file cannot be chown'ed.
3735 Patch from Simon Deziel.
3737 11 January 2016: Wouter
3738 - Fix test if -pthreads unused to use better grep for portability.
3740 06 January 2016: Wouter
3741 - Fix mingw crosscompile for recent mingw.
3742 - Update aclocal, autoconf output with new versions (1.15, 2.4.6).
3744 05 January 2016: Wouter
3745 - #731: tcp-mss, outgoing-tcp-mss options for unbound.conf, patch
3746 from Daisuke Higashi.
3747 - Support RFC7686: handle ".onion" Special-Use Domain. It is blocked
3748 by default, and can be unblocked with "nodefault" localzone config.
3750 04 January 2016: Wouter
3751 - Define DEFAULT_SOURCE together with BSD_SOURCE when that is defined,
3752 for Linux glibc 2.20.
3753 - Fixup contrib/aaaa-filter-iterator.patch for moved contents in the
3754 source code, so it applies cleanly again. Removed unused variable
3757 15 December 2015: Ralph
3758 - Fix #729: omit use of escape sequences in echo since they are not
3759 portable (unbound-control-setup).
3761 11 December 2015: Wouter
3762 - remove NULL-checks before free, patch from Michael McConville.
3763 - updated ax_pthread.m4 to version 21 with clang support, this
3764 removes a warning from compilation.
3765 - OSX portability, detect if sbrk is deprecated.
3766 - OSX clang, stop -pthread unused during link stage warnings.
3767 - OSX clang new flto check.
3769 10 December 2015: Wouter
3771 - trunk has 1.5.8 in development.
3773 8 December 2015: Wouter
3774 - Fixup 724 for unbound-control.
3776 7 December 2015: Ralph
3777 - Do not minimise forwarded requests.
3779 4 December 2015: Wouter
3780 - Removed unneeded whitespace from example.conf.
3782 3 December 2015: Ralph
3784 - Committed fix to qname minimisation and unit test case for it.
3786 3 December 2015: Wouter
3787 - iana portlist update.
3788 - 1.5.7rc1 prerelease tag.
3790 2 December 2015: Wouter
3791 - Fixup 724: Fix PCA prompt for unbound-service-install.exe.
3792 re-enable stdout printout.
3793 - For 724: Add Changelog to windows binary dist.
3795 1 December 2015: Ralph
3796 - Qname minimisation review fixes
3798 1 December 2015: Wouter
3799 - Fixup 724 fix for fname_after_chroot() calls.
3800 - Remove stdout printout for unbound-service-install.exe
3801 - .gitignore for git users.
3803 30 November 2015: Ralph
3804 - Implemented qname minimisation
3806 30 November 2015: Wouter
3807 - Fix for #724: conf syntax to read files from run dir (on Windows).
3809 25 November 2015: Wouter
3810 - Fix for #720, fix unbound-control-setup windows batch file.
3812 24 November 2015: Wouter
3813 - Fix #720: add windows scripts to zip bundle.
3814 - iana portlist update.
3816 20 November 2015: Wouter
3817 - Added assert on rrset cache correctness.
3818 - Fix that malformed EDNS query gets a response without malformed EDNS.
3820 18 November 2015: Wouter
3821 - newer acx_nlnetlabs.m4.
3822 - spelling fixes from Igor Sobrado Delgado.
3824 17 November 2015: Wouter
3825 - Fix #594. libunbound: optionally use libnettle for crypto.
3826 Contributed by Luca Bruno. Added --with-nettle for use with
3827 --with-libunbound-only.
3828 - refactor nsec3 hash implementation to be more library-portable.
3829 - iana portlist update.
3830 - Fixup DER encoded DSA signatures for libnettle.
3832 16 November 2015: Wouter
3833 - Fix for lenient accept of reverse order DNAME and CNAME.
3835 6 November 2015: Wouter
3836 - Change example.conf: ftp.internic.net to https://www.internic.net
3838 5 November 2015: Wouter
3839 - ACX_SSL_CHECKS no longer adds -ldl needlessly.
3841 3 November 2015: Wouter
3842 - Fix #718: Fix unbound-control-setup with support for env
3843 without HEREDOC bash support.
3845 29 October 2015: Wouter
3846 - patch from Doug Hogan for SSL_OP_NO_SSLvx options.
3847 - Fix #716: nodata proof with empty non-terminals and wildcards.
3849 28 October 2015: Wouter
3850 - Fix checklock testcode for linux threads on exit.
3852 27 October 2015: Wouter
3853 - isblank() compat implementation.
3854 - detect libexpat without xml_StopParser function.
3855 - portability fixes.
3856 - portability, replace snprintf if return value broken.
3858 23 October 2015: Wouter
3859 - Fix #714: Document config to block private-address for IPv4
3860 mapped IPv6 addresses.
3862 22 October 2015: Wouter
3863 - Fix #712: unbound-anchor appears to not fsync root.key.
3865 20 October 2015: Wouter
3867 - trunk tracks development of 1.5.7.
3869 15 October 2015: Wouter
3870 - Fix segfault in the dns64 module in the formaterror error path.
3871 - Fix sldns_wire2str_rdata_scan for malformed RRs.
3872 - tag for 1.5.6rc1 release.
3874 14 October 2015: Wouter
3875 - ANY responses include DNAME records if present, as per Evan Hunt's
3877 - Fix manpage to suggest using SIGTERM to terminate the server.
3879 9 October 2015: Wouter
3880 - Default for ssl-port is port 853, the temporary port assignment
3881 for secure domain name system traffic.
3882 If you used to rely on the older default of port 443, you have
3883 to put a clause in unbound.conf for that. The new value is likely
3884 going to be the standardised port number for this traffic.
3885 - iana portlist update.
3887 6 October 2015: Wouter
3889 - trunk tracks the development of 1.5.6.
3891 28 September 2015: Wouter
3892 - MAX_TARGET_COUNT increased to 64, to fix up sporadic resolution
3894 - tag for 1.5.5rc1 release.
3895 - makedist.sh: pgp sig echo commands.
3897 25 September 2015: Wouter
3898 - Fix unbound-control flush that does not succeed in removing data.
3900 22 September 2015: Wouter
3901 - Fix config globbed include chroot treatment, this fixes reload of
3902 globs (patch from Dag-Erling Smørgrav).
3903 - iana portlist update.
3904 - Fix #702: New IPs for for h.root-servers.net.
3905 - Remove confusion comment from canonical_compare() function.
3906 - Fix #705: ub_ctx_set_fwd() return value mishandled on windows.
3907 - testbound selftest also works in non-debug mode.
3908 - Fix minor error in unbound.conf.5.in
3909 - Fix unbound.conf(5) access-control description for precedence
3912 31 August 2015: Wouter
3913 - changed windows setup compression to be more transparent.
3915 28 August 2015: Wouter
3916 - Fix #697: Get PY_MAJOR_VERSION failure at configure for python
3918 - Feature #699: --enable-pie option to that builds PIE binary.
3919 - Feature #700: --enable-relro-now option that enables full read-only
3922 24 August 2015: Wouter
3923 - Fix deadlock for local data add and zone add when unbound-control
3924 list_local_data printout is interrupted.
3925 - iana portlist update.
3926 - Change default of harden-algo-downgrade to off. This is lenient
3927 for algorithm rollover.
3929 13 August 2015: Wouter
3930 - 5011 implementation does not insist on all algorithms, when
3931 harden-algo-downgrade is turned off.
3932 - Reap the child process that libunbound spawns.
3934 11 August 2015: Wouter
3935 - Fix #694: configure script does not detect LibreSSL 2.2.2
3937 4 August 2015: Wouter
3938 - Document that local-zone nodefault matches exactly and transparent
3939 can be used to release a subzone.
3941 3 August 2015: Wouter
3942 - Document in the manual more text about configuring locally served
3944 - Fix 5011 anchor update timer after reload.
3945 - Fix mktime in unbound-anchor not using UTC.
3947 30 July 2015: Wouter
3948 - please afl-gcc (llvm) for uninitialised variable warning.
3949 - Added permit-small-holddown config to debug fast 5011 rollover.
3951 24 July 2015: Wouter
3952 - Fix #690: Reload fails when so-reuseport is yes after changing
3954 - iana portlist update.
3956 21 July 2015: Wouter
3957 - Fix configure to detect SSL_CTX_set_ecdh_auto.
3958 - iana portlist update.
3960 20 July 2015: Wouter
3961 - Enable ECDHE for servers. Where available, use
3962 SSL_CTX_set_ecdh_auto() for TLS-wrapped server configurations to
3963 enable ECDHE. Otherwise, manually offer curve p256.
3964 Client connections should automatically use ECDHE when available.
3965 (thanks Daniel Kahn Gillmor)
3967 18 July 2015: Willem
3968 - Allow certificate chain files to allow for intermediate certificates.
3969 (thanks Daniel Kahn Gillmor)
3971 13 July 2015: Wouter
3972 - makedist produces sha1 and sha256 files for created binaries too.
3976 - trunk has 1.5.5 in development.
3977 - Fix #681: Setting forwarders with unbound-control forward
3978 implicitly turns on forward-first.
3980 29 June 2015: Wouter
3981 - iana portlist update.
3982 - Fix alloc with log for allocation size checks.
3984 26 June 2015: Wouter
3985 - Fix #677 Fix DNAME responses from cache that failed internal chain
3987 - iana portlist update.
3989 22 June 2015: Wouter
3990 - Fix #677 Fix CNAME corresponding to a DNAME was checked incorrectly
3991 and was therefore always synthesized (thanks to Valentin Dietrich).
3994 - RFC 7553 RR type URI support, is now enabled by default.
3997 - Fix #674: Do not free pointers given by getenv.
4000 - Fix that unparseable error responses are ratelimited.
4001 - SOA negative TTL is capped at minimumttl in its rdata section.
4002 - cache-max-negative-ttl config option, default 3600.
4005 - Document that ratelimit works with unbound-control set_option.
4008 - iana portlist update.
4009 - documentation proposes ratelimit of 1000 (closer to what upstream
4010 servers expect from us).
4013 - DLV is going to be decommissioned. Advice to stop using it, and
4014 put text in the example configuration and man page to that effect.
4017 - Change syntax of particular validator error to be easier for
4018 machine parse, swap rrset and ip adres info so it looks like:
4019 validation failure <www.example.nl. TXT IN>: signature crypto
4020 failed from 2001:DB8:7:bba4::53 for <*.example.nl. NSEC IN>
4023 - caps-whitelist in unbound.conf allows whitelist of loadbalancers
4024 that cannot work with caps-for-id or its fallback.
4026 30 April 2015: Wouter
4027 - Unit test for type ANY synthesis.
4029 22 April 2015: Wouter
4030 - Removed contrib/unbound_unixsock.diff, because it has been
4031 integrated, use control-interface: /path in unbound.conf.
4032 - iana portlist update.
4034 17 April 2015: Wouter
4035 - Synthesize ANY responses from cache. Does not search exhaustively,
4036 but MX,A,AAAA,SOA,NS also CNAME.
4037 - Fix leaked dns64prefix configuration string.
4039 16 April 2015: Wouter
4040 - Add local-zone type inform_deny, that logs query and drops answer.
4041 - Ratelimit does not apply to prefetched queries, and ratelimit-factor
4042 is default 10. Repeated normal queries get resolved and with
4043 prefetch stay in the cache.
4044 - Fix bug#664: libunbound python3 related fixes (from Tomas Hozza)
4045 Use print_function also for Python2.
4046 libunbound examples: produce sorted output.
4047 libunbound-Python: libldns is not used anymore.
4048 Fix issue with Python 3 mapping of FILE* using file_py3.i from ldns.
4050 10 April 2015: Wouter
4051 - unbound-control ratelimit_list lists high rate domains.
4052 - ratelimit feature, ratelimit: 100, or some sensible qps, can be
4053 used to turn it on. It ratelimits recursion effort per zone.
4054 For particular names you can configure exceptions in unbound.conf.
4055 - Fix that get_option for cache-sizes does not print double newline.
4056 - Fix#663: ssl handshake fails when using unix socket because dh size
4059 8 April 2015: Wouter
4060 - Fix crash in dnstap: Do not try to log TCP responses after timeout.
4062 7 April 2015: Wouter
4063 - Libunbound skips dos-line-endings from etc/hosts.
4064 - Unbound exits with a fatal error when the auto-trust-anchor-file
4065 fails to be writable. This is seconds after startup. You can
4066 load a readonly auto-trust-anchor-file with trust-anchor-file.
4067 The file has to be writable to notice the trust anchor change,
4068 without it, a trust anchor change will be unnoticed and the system
4069 will then become inoperable.
4070 - unbound-control list_insecure command shows the negative trust
4071 anchors currently configured, patch from Jelte Jansen.
4073 2 April 2015: Wouter
4074 - Fix #660: Fix interface-automatic broken in the presence of
4077 26 March 2015: Wouter
4078 - remote.c probedelay line is easier to read.
4079 - rename ldns subdirectory to sldns to avoid name collision.
4081 25 March 2015: Wouter
4082 - Fix #657: libunbound(3) recommends deprecated
4083 CRYPTO_set_id_callback.
4084 - If unknown trust anchor algorithm, and libressl is used, error
4085 message encourages upgrade of the libressl package.
4087 23 March 2015: Wouter
4088 - Fix segfault on user not found at startup (from Maciej Soltysiak).
4090 20 March 2015: Wouter
4091 - Fixed to add integer overflow checks on allocation (defense in depth).
4093 19 March 2015: Wouter
4094 - Add ip-transparent config option for bind to non-local addresses.
4096 17 March 2015: Wouter
4097 - Use reallocarray for integer overflow protection, patch submitted
4098 by Loganaden Velvindron.
4100 16 March 2015: Wouter
4101 - Fixup compile on cygwin, more portable openssl thread id.
4103 12 March 2015: Wouter
4104 - Updated default keylength in unbound-control-setup to 3k.
4106 10 March 2015: Wouter
4107 - Fix lintian warning in unbound-checkconf man page (from Andreas
4109 - print svnroot when building windows dist.
4110 - iana portlist update.
4111 - Fix warning on sign compare in getentropy_linux.
4113 9 March 2015: Wouter
4114 - Fix #644: harden-algo-downgrade option, if turned off, fixes the
4115 reported excessive validation failure when multiple algorithms
4116 are present. It allows the weakest algorithm to validate the zone.
4117 - iana portlist update.
4119 5 March 2015: Wouter
4120 - contrib/unbound_smf22.tar.gz: Solaris SMF installation/removal
4121 scripts. Contributed by Yuri Voinov.
4122 - Document that incoming-num-tcp increase is good for large servers.
4123 - stats reports tcp usage, of incoming-num-tcp buffers.
4125 4 March 2015: Wouter
4126 - Patch from Brad Smith that syncs compat/getentropy_linux with
4127 OpenBSD's version (2015-03-04).
4128 - 0x20 fallback improved: servfail responses do not count as missing
4129 comparisons (except if all responses are errors),
4130 inability to find nameservers does not fail equality comparisons,
4131 many nameservers does not try to compare more than max-sent-count,
4132 parse failures start 0x20 fallback procedure.
4133 - store caps_response with best response in case downgrade response
4134 happens to be the last one.
4135 - Document windows 8 tests.
4137 3 March 2015: Wouter
4139 [ This became 1.5.3 on 10 March, trunk is 1.5.4 in development ]
4141 2 March 2015: Wouter
4142 - iana portlist update.
4144 20 February 2015: Wouter
4145 - Use the getrandom syscall introduced in Linux 3.17 (from Heiner
4147 - Fix #645 Portability to Solaris 10, use AF_LOCAL.
4148 - Fix #646 Portability to Solaris, -lrt for getentropy_solaris.
4149 - Fix #647 crash in 1.5.2 because pwd.db no longer accessible after
4152 19 February 2015: Wouter
4153 - 1.5.2 release tag.
4154 - svn trunk contains 1.5.3 under development.
4156 13 February 2015: Wouter
4157 - Fix #643: doc/example.conf.in: unnecessary whitespace.
4159 12 February 2015: Wouter
4162 11 February 2015: Wouter
4163 - iana portlist update.
4165 10 February 2015: Wouter
4166 - Fix scrubber with harden-glue turned off to reject NS (and other
4167 not-address) records.
4169 9 February 2015: Wouter
4170 - Fix validation failure in case upstream forwarder (ISC BIND) does
4171 not have the same trust anchors and decides to insert unsigned NS
4172 record in authority section.
4174 2 February 2015: Wouter
4175 - infra-cache-min-rtt patch from Florian Riehm, for expected long
4176 uplink roundtrip times.
4178 30 January 2015: Wouter
4179 - Fix 0x20 capsforid fallback to omit gratuitous NS and additional
4181 - Portability fix for Solaris ('sun' is not usable for a variable).
4183 29 January 2015: Wouter
4184 - Fix pyunbound byte string representation for python3.
4186 26 January 2015: Wouter
4187 - Fix unintended use of gcc extension for incomplete enum types,
4188 compile with pedantic c99 compliance (from Daniel Dickman).
4190 23 January 2015: Wouter
4191 - windows port fixes, no AF_LOCAL, no chown, no chmod(grp).
4193 16 January 2015: Wouter
4194 - unit test for local unix connection. Documentation and log_addr
4195 does not inspect port for AF_LOCAL.
4196 - unbound-checkconf -f prints chroot with pidfile path.
4198 13 January 2015: Wouter
4199 - iana portlist update.
4201 12 January 2015: Wouter
4202 - Cast sun_len sizeof to socklen_t.
4203 - Fix pyunbound ord call, portable for python 2 and 3.
4205 7 January 2015: Wouter
4206 - Fix warnings in pythonmod changes.
4208 6 January 2015: Wouter
4209 - iana portlist update.
4210 - patch for remote control over local sockets, from Dag-Erling
4211 Smorgrav, Ilya Bakulin. Use control-interface: /path/sock and
4212 control-use-cert: no.
4213 - Fixup that patch and uid lookup (only for daemon).
4214 - coded the default of control-use-cert, to yes.
4216 5 January 2015: Wouter
4217 - getauxval test for ppc64 linux compatibility.
4218 - make strip works for unbound-host and unbound-anchor.
4219 - patch from Stephane Lapie that adds to the python API, that
4220 exposes struct delegpt, and adds the find_delegation function.
4221 - print query name when max target count is exceeded.
4222 - patch from Stuart Henderson that fixes DESTDIR in
4223 unbound-control-setup for installs where config is not in
4224 the prefix location.
4225 - Fix #634: fix fail to start on Linux LTS 3.14.X, ignores missing
4226 IP_MTU_DISCOVER OMIT option (fix from Remi Gacogne).
4227 - Updated contrib warmup.cmd/sh to support two modes - load
4228 from pre-defined list of domains or (with filename as argument)
4229 load from user-specified list of domains, and updated contrib
4230 unbound_cache.sh/cmd to support loading/save/reload cache to/from
4231 default path or (with secondary argument) arbitrary path/filename,
4233 - Patch from Philip Paeps to contrib/unbound_munin_ that uses
4234 type ABSOLUTE. Allows munin.conf: [idleserver.example.net]
4235 unbound_munin_hits.graph_period minute
4237 9 December 2014: Wouter
4238 - svn trunk has 1.5.2 in development.
4239 - config.guess and config.sub update from libtoolize.
4240 - local-zone: example.com inform makes unbound log a message with
4241 client IP for queries in that zone. Eg. for finding infected hosts.
4243 8 December 2014: Wouter
4244 - Fix CVE-2014-8602: denial of service by making resolver chase
4245 endless series of delegations.
4247 1 December 2014: Wouter
4248 - Fix bug#632: unbound fails to build on AArch64, protects
4249 getentropy compat code from calling sysctl if it is has been removed.
4251 29 November 2014: Wouter
4252 - Add include to getentropy_linux.c, hopefully fixing debian build.
4254 28 November 2014: Wouter
4255 - Fix makefile for build from noexec source tree.
4257 26 November 2014: Wouter
4258 - Fix libunbound undefined symbol errors for main.
4259 Referencing main does not seem to be possible for libunbound.
4261 24 November 2014: Wouter
4262 - Fix log at high verbosity and memory allocation failure.
4263 - iana portlist update.
4265 21 November 2014: Wouter
4266 - Fix crash on multiple thread random usage on systems without
4269 20 November 2014: Wouter
4270 - fix compat/getentropy_win.c check if CryptGenRandom works and no
4271 immediate exit on windows.
4273 19 November 2014: Wouter
4274 - Fix cdflag dns64 processing.
4276 18 November 2014: Wouter
4277 - Fix that CD flag disables DNS64 processing, returning the DNSSEC
4279 - iana portlist update.
4281 17 November 2014: Wouter
4282 - Fix #627: SSL_CTX_load_verify_locations return code not properly
4285 14 November 2014: Wouter
4286 - parser with bison 2.7
4288 13 November 2014: Wouter
4289 - Patch from Stephane Lapie for ASAHI Net that implements aaaa-filter,
4290 added to contrib/aaaa-filter-iterator.patch.
4292 12 November 2014: Wouter
4293 - trunk has 1.5.1 in development.
4294 - Patch from Robert Edmonds to build pyunbound python module
4295 differently. No versioninfo, with -shared and without $(LIBS).
4296 - Patch from Robert Edmonds fixes hyphens in unbound-anchor man page.
4297 - Removed 'increased limit open files' log message that is written
4298 to console. It is only written on verbosity 4 and higher.
4299 This keeps system bootup console cleaner.
4300 - Patch from James Raftery, always print stats for rcodes 0..5.
4302 11 November 2014: Wouter
4303 - iana portlist update.
4304 - Fix bug where forward or stub addresses with same address but
4305 different port number were not tried.
4306 - version number in svn trunk is 1.5.0
4308 - review fix from Ralph.
4310 7 November 2014: Wouter
4311 - dnstap fixes by Robert Edmonds:
4312 dnstap/dnstap.m4: cosmetic fixes
4313 dnstap/: Remove compiled protoc-c output files
4314 dnstap/dnstap.m4: Error out if required libraries are not found
4315 dnstap: Fix ProtobufCBufferSimple usage that is incorrect as of
4317 dnstap/: Adapt to API changes in latest libfstrm (>= 0.2.0)
4319 4 November 2014: Wouter
4320 - Add ub_ctx_add_ta_autr function to add a RFC5011 automatically
4321 tracked trust anchor to libunbound.
4322 - Redefine internal minievent symbols to unique symbols that helps
4323 linking on platforms where the linker leaks names across modules.
4325 27 October 2014: Wouter
4326 - Disabled use of SSLv3 in remote-control and ssl-upstream.
4327 - iana portlist update.
4329 16 October 2014: Wouter
4330 - Documented dns64 configuration in unbound.conf man page.
4332 13 October 2014: Wouter
4333 - Fix #617: in ldns in unbound, lowercase WKS services.
4334 - Fix ctype invocation casts.
4336 10 October 2014: Wouter
4337 - Fix unbound-checkconf check for module config with dns64 module.
4338 - Fix unbound capsforid fallback, it ignores TTLs in comparison.
4340 6 October 2014: Wouter
4341 - Fix #614: man page variable substitution bug.
4342 6 October 2014: Willem
4343 - Whitespaces after $ORIGIN are not part of the origin dname (ldns).
4344 - $TTL's value starts at position 5 (ldns).
4346 1 October 2014: Wouter
4347 - fix #613: Allow tab ws in var length last rdfs (in ldns str2wire).
4349 29 September 2014: Wouter
4350 - Fix #612: create service with service.conf in present directory and
4352 - Fix for mingw compile openssl ranlib.
4354 25 September 2014: Wouter
4355 - updated configure and aclocal with newer autoconf 1.13.
4357 22 September 2014: Wouter
4358 - Fix swig and python examples for Python 3.x.
4359 - Fix for mingw compile with openssl-1.0.1i.
4361 19 September 2014: Wouter
4362 - improve python configuration detection to build on Fedora 22.
4364 18 September 2014: Wouter
4365 - patches to also build with Python 3.x (from Pavel Simerda).
4367 16 September 2014: Wouter
4368 - Fix tcp timer waiting list removal code.
4369 - iana portlist update.
4370 - Updated the TCP_BACLOG from 5 to 256, so that the tcp accept queue
4371 is longer and more tcp connections can be handled.
4373 15 September 2014: Wouter
4374 - Fix unit test for CDS typecode.
4376 5 September 2014: Wouter
4377 - type CDS and CDNSKEY types in sldns.
4379 25 August 2014: Wouter
4380 - Fixup checklock code for log lock and its mutual initialization
4382 - iana portlist update.
4383 - Removed necessity for pkg-config from the dnstap.m4, new are
4384 the --with-libfstrm and --with-protobuf-c configure options.
4386 19 August 2014: Wouter
4387 - Update unbound manpage with more explanation (from Florian Obser).
4389 18 August 2014: Wouter
4390 - Fix #603: unbound-checkconf -o <option> should skip verification
4392 - iana portlist update.
4393 - Fixup doc/unbound.doxygen to remove obsolete 1.8.7 settings.
4395 5 August 2014: Wouter
4396 - dnstap support, with a patch from Farsight Security, written by
4397 Robert Edmonds. The --enable-dnstap needs libfstrm and protobuf-c.
4398 It is BSD licensed (see dnstap/dnstap.c).
4399 Building with --enable-dnstap needs pkg-config with this patch.
4400 - Noted dnstap in doc/README and doc/CREDITS.
4401 - Changes to the dnstap patch.
4403 - dnstap/dnstap_config.h should not have been added to the repo,
4404 because is it generated.
4406 1 August 2014: Wouter
4407 - Patch add msg, rrset, infra and key cache sizes to stats command
4408 from Maciej Soltysiak.
4409 - iana portlist update.
4411 31 July 2014: Wouter
4412 - DNS64 from Viagenie (BSD Licensed), written by Simon Perrault.
4413 Initial commit of the patch from the FreeBSD base (with its fixes).
4414 This adds a module (for module-config in unbound.conf) dns64 that
4415 performs DNS64 processing, see README.DNS64.
4416 - Changes from DNS64:
4417 strcpy changed to memmove.
4418 arraybound check fixed from prefix_net/8/4 to prefix_net/8+4.
4419 allocation of result consistently in the correct region.
4420 time_t is now used for ttl in unbound (since the patch's version).
4421 - testdata/dns64_lookup.rpl for unit test for dns64 functionality.
4423 29 July 2014: Wouter
4424 - Patch from Dag-Erling Smorgrav that implements feature, unbound -dd
4425 does not fork in the background and also logs to stderr.
4427 21 July 2014: Wouter
4428 - Fix endian.h include for OpenBSD.
4430 16 July 2014: Wouter
4431 - And Fix#596: Bail out of unbound-control dump_infra when ssl
4434 15 July 2014: Wouter
4435 - Fix #596: Bail out of unbound-control list_local_zones when ssl
4437 - iana portlist update.
4439 13 July 2014: Wouter
4440 - Configure tests if main can be linked to from getentropy compat.
4442 12 July 2014: Wouter
4443 - Fix getentropy compat code, function refs were not portable.
4444 - Fix to check openssl version number only for OpenSSL.
4445 - LibreSSL provides compat items, check for that in configure.
4446 - Fix bug in fix for log locks that caused deadlock in signal handler.
4447 - update compat/getentropy and arc4random to the most recent ones from OpenBSD.
4449 11 July 2014: Matthijs
4450 - fake-rfc2553 patch (thanks Benjamin Baier).
4452 11 July 2014: Wouter
4453 - arc4random in compat/ and getentropy, explicit_bzero, chacha for
4454 dependencies, from OpenBSD. arc4_lock and sha512 in compat.
4455 This makes arc4random available on all platforms, except when
4456 compiled with LIBNSS (it uses libNSS crypto random).
4457 - fix strptime implicit declaration error on OpenBSD.
4458 - arc4random, getentropy and explicit_bzero compat for Windows.
4461 - Fix #593: segfault or crash upon rotating logfile.
4465 - signit tool fixup for compile with libldns library.
4466 - iana portlist updated.
4468 27 June 2014: Wouter
4469 - so-reuseport is available on BSDs(such as FreeBSD 10) and OS/X.
4471 26 June 2014: Wouter
4472 - unbound-control status reports if so-reuseport was successful.
4473 - iana portlist updated.
4475 24 June 2014: Wouter
4476 - Fix caps-for-id fallback, and added fallback attempt when servers
4477 drop 0x20 perturbed queries.
4478 - Fixup testsetup for VM tests (run testcode/run_vm.sh).
4480 17 June 2014: Wouter
4481 - iana portlist updated.
4484 - Add AAAA for B root server to default root hints.
4487 - Remove unused define from iterator.h
4490 - Fixup sldns_enum_edns_option typedef definition.
4493 - Code cleanup patch from Dag-Erling Smorgrav, with compiler issue
4494 fixes from FreeBSD's copy of Unbound, he notes:
4495 Generate unbound-control-setup.sh at build time so it respects
4496 prefix and sysconfdir from the configure script. Also fix the
4497 umask to match the comment, and the comment to match the umask.
4498 Add const and static where needed. Use unions instead of
4499 playing pointer poker. Move declarations that are needed in
4500 multiple source files into a shared header. Move sldns_bgetc()
4501 from parse.c to buffer.c where it belongs. Introduce a new
4502 header file, worker.h, which declares the callbacks that
4503 all workers must define. Remove those declarations from
4504 libworker.h. Include the correct headers in the correct places.
4505 Fix a few dummy callbacks that don't match their prototype.
4506 Fix some casts. Hide the sbrk madness behind #ifdef HAVE_SBRK.
4507 Remove a useless printf which breaks reproducible builds.
4508 Get rid of CONFIGURE_{TARGET,DATE,BUILD_WITH} now that they're
4509 no longer used. Add unbound-control-setup.sh to the list of
4510 generated files. The prototype for libworker_event_done_cb()
4511 needs to be moved from libunbound/libworker.h to
4512 libunbound/worker.h.
4513 - Fixup out-of-directory compile with unbound-control-setup.sh.in.
4517 - unbound-host -D enabled dnssec and reads root trust anchor from
4518 the default root key file that was compiled in.
4521 - Feature, unblock-lan-zones: yesno that you can use to make unbound
4522 perform 10.0.0.0/8 and other reverse lookups normally, for use if
4523 unbound is running service for localhost on localhost.
4526 - Updated create_unbound_ad_servers and unbound_cache scripts from
4527 Yuri Voinov in the source/contrib directory. Added
4528 warmup.cmd (and .sh): warm up the DNS cache with your MRU domains.
4531 - Implement draft-ietf-dnsop-rfc6598-rfc6303-01.
4532 - iana portlist updated.
4535 - Contrib windows scripts from Yuri Voinov added to src/contrib:
4536 create_unbound_ad_servers.cmd: enters anti-ad server lists.
4537 unbound_cache.cmd: saves and loads the cache.
4538 - Added unbound-control-setup.cmd from Yuri Voinov to the windows
4539 unbound distribution set. It requires openssl installed in %PATH%.
4542 - Change MAX_SENT_COUNT from 16 to 32 to resolve some cases easier.
4545 - More #567: remove : from output of stub and forward lists, this is
4548 29 April 2014: Wouter
4549 - iana portlist updated.
4550 - Add unbound-control flush_negative that flushed nxdomains, nodata,
4551 and errors from the cache. For dnssec-trigger and NetworkManager,
4552 fixes cases where network changes have localdata that was already
4553 negatively cached from the previous network.
4555 23 April 2014: Wouter
4556 - Patch from Jeremie Courreges-Anglas to use arc4random_uniform
4557 if available on the OS, it gets entropy from the OS.
4559 15 April 2014: Wouter
4560 - Fix compile with libevent2 on FreeBSD.
4562 11 April 2014: Wouter
4563 - Fix #502: explain that do-ip6 disable does not stop AAAA lookups,
4564 but it stops the use of the ipv6 transport layer for DNS traffic.
4565 - iana portlist updated.
4567 10 April 2014: Wouter
4568 - iana portlist updated.
4569 - Patch from Hannes Frederic Sowa for Linux 3.15 fragmentation
4570 option for DNS fragmentation defense.
4571 - Document that dump_requestlist only prints queries from thread 0.
4572 - unbound-control stats prints num.query.tcpout with number of TCP
4573 outgoing queries made in the previous statistics interval.
4574 - Fix #567: unbound lists if forward zone is secure or insecure with
4575 +i annotation in output of list_forwards, also for list_stubs
4576 (for NetworkManager integration.)
4577 - Fix #554: use unsigned long to print 64bit statistics counters on
4579 - Fix #558: failed prefetch lookup does not remove cached response
4580 but delays next prefetch (in lieu of caching a SERVFAIL).
4581 - Fix #545: improved logging, the ip address of the error is printed
4582 on the same log-line as the error.
4584 8 April 2014: Wouter
4585 - Fix #574: make test fails on Ubuntu 14.04. Disabled remote-control
4586 in testbound scripts.
4587 - iana portlist updated.
4589 7 April 2014: Wouter
4590 - C.ROOT-SERVERS.NET has an IPv6 address, and we updated the root
4591 hints (patch from Anand Buddhdev).
4592 - Fix #572: Fix unit test failure for systems with different
4595 28 March 2014: Wouter
4596 - Fix #569: do_tcp is do-tcp in unbound.conf man page.
4598 25 March 2014: Wouter
4599 - Patch from Stuart Henderson to build unbound-host man from .1.in.
4601 24 March 2014: Wouter
4602 - Fix print filename of encompassing config file on read failure.
4604 12 March 2014: Wouter
4606 - trunk has 1.4.23 in development.
4608 10 March 2014: Wouter
4609 - Fix bug#561: contrib/cacti plugin did not report SERVFAIL rcodes
4610 because of spelling. Patch from Chris Coates.
4612 27 February 2014: Wouter
4615 21 February 2014: Wouter
4616 - iana portlist updated.
4618 20 February 2014: Matthijs
4619 - Be lenient when a NSEC NameError response with RCODE=NXDOMAIN is
4620 received. This is okay according 4035, but not after revising
4621 existence in 4592. NSEC empty non-terminals exist and thus the
4622 RCODE should have been NOERROR. If this occurs, and the RRsets
4623 are secure, we set the RCODE to NOERROR and the security status
4624 of the response is also considered secure.
4626 14 February 2014: Wouter
4627 - Works on Minix (3.2.1).
4629 11 February 2014: Wouter
4630 - Fix parse of #553(NSD) string in sldns, quotes without spaces.
4632 7 February 2014: Wouter
4633 - iana portlist updated.
4634 - add body to ifstatement if locks disabled.
4635 - add TXT string"string" test case to unit test.
4636 - Fix #551: License change "Regents" to "Copyright holder", matching
4637 the BSD license on opensource.org.
4639 6 February 2014: Wouter
4640 - sldns has type HIP.
4641 - code documentation on the module interface.
4643 5 February 2014: Wouter
4644 - Fix sldns parse tests on osx.
4646 3 February 2014: Wouter
4647 - Detect libevent2 install automatically by configure.
4648 - Fixup link with lib/event2 subdir.
4649 - Fix parse in sldns of quoted parenthesized text strings.
4651 31 January 2014: Wouter
4652 - unit test for ldns wire to str and back with zones, root, nlnetlabs
4654 - Fix for hex to string in unknown, atma and nsap.
4655 - fixup nss compile (no ldns in it).
4656 - fixup warning in unitldns
4657 - fixup WKS and rdata type service to print unsigned because strings
4658 are not portable; they cannot be read (for sure) on other computers.
4659 - fixup type EUI48 and EUI64, type APL and type IPSECKEY in string
4662 30 January 2014: Wouter
4663 - delay-close does not act if there are udp-wait queries, so that
4664 it does not make a socketdrain DoS easier.
4666 28 January 2014: Wouter
4667 - iana portlist updated.
4668 - iana portlist test updated so it does not touch the source
4669 if there are no changes.
4670 - delay-close: msec option that delays closing ports for which
4671 the UDP reply has timed out. Keeps the port open, only accepts
4672 the correct reply. This correct reply is not used, but the port
4673 is open so that no port-denied ICMPs are generated.
4675 27 January 2014: Wouter
4676 - reuseport is attempted, then fallback to without on failure.
4678 24 January 2014: Wouter
4679 - Change unbound-event.h to use void* buffer, length idiom.
4680 - iana portlist updated.
4681 - unbound-event.h is installed if you configure --enable-event-api.
4682 - speed up unbound (reports say it could be up to 10%), by reducing
4683 lock contention on localzones.lock. It is changed to an rwlock.
4684 - so-reuseport: yesno option to distribute queries evenly over
4685 threads on Linux (Thanks Robert Edmonds).
4688 21 January 2014: Wouter
4689 - Fix #547: no trustanchor written if filesystem full, fclose checked.
4691 17 January 2014: Wouter
4692 - Fix isprint() portability in sldns, uses unsigned int.
4693 - iana portlist updated.
4695 16 January 2014: Wouter
4696 - fix #544: Fixed +i causes segfault when running with module conf
4698 - Windows port, adjust %lld to %I64d, and warning in win_event.c.
4700 14 January 2014: Wouter
4701 - iana portlist updated.
4704 - Fix bug in cachedump that uses sldns.
4705 - update pythonmod for ldns_ to sldns_ name change.
4708 - Fix sldns to use sldns_ prefix for all ldns_ variables.
4709 - Fix windows compile to compile with sldns.
4712 - Fix sldns to make globals use sldns_ prefix. This fixes
4713 linking with libldns that uses global variables ldns_ .
4716 - Fix bug#537: compile python plugin without ldns library.
4719 - Fix bug#536: acl_deny_non_local and refuse_non_local added.
4722 - Patch from Neel Goyal to fix async id assignment if callback
4723 is called by libunbound in the mesh attach.
4724 - Accept ip-address: as an alternative for interface: for
4725 consistency with nsd.conf syntax.
4728 - Patch from Neel Goyal to fix callback in libunbound.
4731 - if configured --with-libunbound-only fix make install.
4734 - Fix #531: Set SO_REUSEADDR so that the wildcard interface and a
4735 more specific interface port 53 can be used at the same time, and
4736 one of the daemons is unbound.
4737 - iana portlist update.
4738 - separate ldns into core ldns inside ldns/ subdirectory. No more
4739 --with-ldns is needed and unbound does not rely on libldns.
4740 - portability fixes for new USE_SLDNS ldns subdir codebase.
4743 - Patch from Neel Goyal: Add an API call to set an event base on an
4744 existing ub_ctx. This basically just destroys the current worker and
4745 sets the event base to the current. And fix a deadlock in
4746 ub_resolve_event – the cfglock is held when libworker_create is
4747 called. This ends up trying to acquire the lock again in
4748 context_obtain_alloc in the call chain.
4749 - Fix #528: if very high logging (4 or more) segfault on allow_snoop.
4752 - unbound-event.h is installed if configured --with-libevent. It
4753 contains low-level library calls, that use libevent's event_base
4754 and an ldns_buffer for the wire return packet to perform async
4755 resolution in the client's eventloop.
4758 - 1.4.21 tag created.
4759 - trunk has 1.4.22 number inside it.
4760 - iana portlist updated.
4761 - acx_nlnetlabs.m4 to 26; improve FLTO help text.
4764 - Fix#524: max-udp-size not effective to non-EDNS0 queries, from
4768 - MIN_TTL and MAX_TTL also in time_t.
4769 - tag 1.4.21rc1 made again.
4772 - More fixes for bug#519: for the threaded case test if the bg
4773 thread has been killed, on ub_ctx_delete, to avoid hangs.
4776 - more fixes that I overlooked.
4777 - review fixes from Willem.
4780 - Fix#520: Errors found by static analysis from Tomas Hozza(redhat).
4783 - Fix for 2038, with time_t instead of uint32_t.
4786 - Fix#519 ub_ctx_delete may hang in some scenarios (libunbound).
4789 - Fix uninit variable in fix#516.
4792 - Fix#516 dnssec lameness detection for answers that are improper.
4798 - Fix#512 memleak in testcode for testbound (if it fails).
4799 - Fix#512 NSS returned arrays out of setup function to be statics.
4802 - max include of 100.000 files (depth and globbed at one time).
4803 This is to preserve system memory in bug cases, or endless cases.
4804 - iana portlist updated.
4807 - streamtcp man page, contributed by Tomas Hozza.
4808 - iana portlist updated.
4809 - libunbound documentation on how to avoid openssl race conditions.
4812 - Squelch sendto-permission denied errors when the network is
4813 not connected, to avoid spamming syslog.
4814 - configure --disable-flto option (from Robert Edmonds).
4817 - Fix for const string literals in C++ for libunbound, from Karel
4819 - iana portlist updated.
4822 - Fixup manpage syntax.
4825 - get_option and set_option support for log-time-ascii, python-script
4826 val-sig-skew-min and val-sig-skew-max. log-time-ascii takes effect
4827 immediately. The others are mostly useful for libunbound users.
4830 - get_option, set_option, unbound-checkconf -o and libunbound
4831 getoption and setoption support cache-min-ttl and cache-max-ttl.
4834 - Fix#501: forward-first does not recurse, when forward name is ".".
4835 - iana portlist update.
4836 - Max include depth is unlimited.
4839 - Update acx_pthreads.m4 to ax_pthreads.4 (2013-03-29), and apply
4840 patch to it to not fail when -Werror is also specified, from the
4842 - iana portlist update.
4845 - Explain bogus and secure flags in libunbound more.
4848 - Fix#499 use-after-free in out-of-memory handling code (thanks Jake
4850 - Fix#500 use on non-initialised values on socket bind failures.
4853 - Fix round-robin doesn't work with some Windows clients (from Ilya
4857 - update acx_nlnetlabs.m4 to v23, sleep w32 fix.
4859 26 April 2013: Wouter
4860 - add unbound-control insecure_add and insecure_remove for the
4861 administration of negative trust anchors.
4863 25 April 2013: Wouter
4864 - Implement max-udp-size config option, default 4096 (thanks
4866 - Robust checks on dname validity from rdata for dname compare.
4867 - updated iana portlist.
4869 19 April 2013: Wouter
4870 - Fixup snprintf return value usage, fixed libunbound_get_option.
4872 18 April 2013: Wouter
4873 - fix bug #491: pick program name (0th argument) as syslog identity.
4874 - own implementation of compat/snprintf.c.
4876 15 April 2013: Wouter
4877 - Fix so that for a configuration line of include: "*.conf" it is not
4878 an error if there are no files matching the glob pattern.
4879 - unbound-anchor review: BIO_write can return 0 successfully if it
4880 has successfully appended a zero length string.
4882 11 April 2013: Wouter
4883 - Fix queries leaking up for stubs and forwards, if the configured
4884 nameservers all fail to answer.
4886 10 April 2013: Wouter
4887 - code improve for minimal responses, small speed increase.
4889 9 April 2013: Wouter
4890 - updated iana portlist.
4891 - Fix crash in previous private address fixup of 22 March.
4893 28 March 2013: Wouter
4894 - Make reverse zones easier by documenting the nodefault statements
4895 commented-out in the example config file.
4897 26 March 2013: Wouter
4898 - more fixes to lookup3.c endianness detection.
4900 25 March 2013: Wouter
4901 - #492: Fix endianness detection, revert to older lookup3.c detection
4902 and put new detect lines after previous tests, to avoid regressions
4903 but allow new detections to succeed.
4904 And add detection for machine/endian.h to it.
4906 22 March 2013: Wouter
4907 - Fix resolve of names that use a mix of public and private addresses.
4908 - iana portlist update.
4909 - Fix makedist for new svn for -d option.
4910 - unbound.h header file has UNBOUND_VERSION_MAJOR define.
4911 - Fix windows RSRC version for long version numbers.
4913 21 March 2013: Wouter
4916 - committed libunbound version 4:1:2 for binary API updated in 1.4.20
4917 - install copy of unbound-control.8 man page for unbound-control-setup
4919 14 March 2013: Wouter
4920 - iana portlist update.
4923 12 March 2013: Wouter
4924 - Fixup makedist.sh for windows compile.
4926 11 March 2013: Wouter
4927 - iana portlist update.
4928 - testcode/ldns-testpkts.c check for makedist is informational.
4930 15 February 2013: Wouter
4931 - fix defines in lookup3 for bigendian bsd alpha
4933 11 February 2013: Wouter
4934 - Fixup openssl_thread init code to only run if compiled with SSL.
4936 7 February 2013: Wouter
4937 - detect endianness in lookup3 on BSD.
4938 - add libunbound.ttl at end of result structure, version bump for
4939 libunbound and binary backwards compatible, but 1.4.19 is not
4940 forward compatible with 1.4.20.
4941 - update iana port list.
4943 30 January 2013: Wouter
4944 - includes and have_ssl fixes for nss.
4946 29 January 2013: Wouter
4947 - printout name of zone with duplicate fwd and hint errors.
4949 28 January 2013: Wouter
4950 - updated fwd_zero for newer nc. Updated common.sh for newer netstat.
4952 17 January 2013: Wouter
4953 - unbound-anchors checks the emailAddress of the signer of the
4954 root.xml file, default is dnssec@iana.org. It also checks that
4955 the signer has the correct key usage for a digital signature.
4956 - update iana port list.
4958 3 January 2013: Wouter
4959 - Test that unbound-control checks client credentials.
4960 - Test that unbound can handle a CNAME at an intermediate node in
4961 the chain of trust (where it seeks a DS record).
4962 - Check the commonName of the signer of the root.xml file in
4963 unbound-anchor, default is dnssec@iana.org.
4965 2 January 2013: Wouter
4966 - Fix openssl lock free on exit (reported by Robert Fleischman).
4967 - iana portlist updated.
4968 - Tested that unbound implements the RFC5155 Technical Errata id 3441.
4969 Unbound already implements insecure classification of an empty
4970 nonterminal in NSEC3 optout zone.
4972 20 December 2012: Wouter
4973 - Fix unbound-anchor xml parse of entity declarations for safety.
4975 19 December 2012: Wouter
4976 - iana portlist updated.
4978 18 December 2012: Wouter
4979 - iana portlist updated.
4981 14 December 2012: Wouter
4982 - Change of D.ROOT-SERVERS.NET A address in default root hints.
4984 12 December 2012: Wouter
4986 - trunk has 1.4.20 under development.
4988 5 December 2012: Wouter
4989 - note support for AAAA RR type RFC.
4991 4 December 2012: Wouter
4994 30 November 2012: Wouter
4995 - bug 481: fix python example0.
4996 - iana portlist updated.
4998 27 November 2012: Wouter
4999 - iana portlist updated.
5001 9 November 2012: Wouter
5002 - Fix unbound-control forward disables configured stubs below it.
5004 7 November 2012: Wouter
5005 - Fixup ldns-testpkts, identical to ldns/examples.
5006 - iana portlist updated.
5008 30 October 2012: Wouter
5009 - Fix bug #477: unbound-anchor segfaults if EDNS is blocked.
5011 29 October 2012: Matthijs
5012 - Fix validation for responses with both CNAME and wildcard
5013 expanded CNAME records in answer section.
5015 8 October 2012: Wouter
5016 - update ldns-testpkts.c to ldns 1.6.14 version.
5017 - fix build of pythonmod in objdir, for unbound.py.
5018 - make clean and makerealclean remove generated python and docs.
5020 5 October 2012: Wouter
5021 - fix build of pythonmod in objdir (thanks Jakob Schlyter).
5023 3 October 2012: Wouter
5024 - fix text in unbound-anchor man page.
5026 1 October 2012: Wouter
5027 - ignore trusted-keys globs that have no files (from Paul Wouters).
5029 27 September 2012: Wouter
5030 - include: directive in config file accepts wildcards. Patch from
5031 Paul Wouters. Suggested use: include: "/etc/unbound.d/conf.d/*"
5032 - unbound-control -q option is quiet, patch from Mariano Absatz.
5033 - iana portlist updated.
5034 - updated contrib/unbound.spec, patch from Valentin Bud.
5036 21 September 2012: Wouter
5037 - chdir to / after chroot call (suggested by Camiel Dobbelaar).
5039 17 September 2012: Wouter
5040 - patch_rsamd5_enable.diff: this patch enables RSAMD5 validation
5041 otherwise it is treated as insecure. The RSAMD5 algorithm is
5042 deprecated (RFC6725). The MD5 hash is considered weak for some
5043 purposes, if you want to sign your zone, then RSASHA256 is an
5046 30 August 2012: Wouter
5047 - RFC6725 deprecates RSAMD5: this DNSKEY algorithm is disabled.
5048 - iana portlist updated.
5050 29 August 2012: Wouter
5051 - Nicer comments outgoing-port-avoid, thanks Stu (bug #465).
5053 22 August 2012: Wouter
5054 - Fallback to 1472 and 1232, one fragment size without headers.
5056 21 August 2012: Wouter
5057 - Fix timeouts so that when a server has been offline for a while
5058 and is probed to see it works, it becomes fully available for
5059 server selection again.
5061 17 August 2012: Wouter
5062 - Add documentation to libunbound for default nonuse of resolv.conf.
5064 2 August 2012: Wouter
5065 - trunk has 1.4.19 under development (fixes from 1 aug and 31 july
5067 - iana portlist updated.
5069 1 August 2012: Wouter
5070 - Fix openssl race condition, initializes openssl locks, reported
5071 by Einar Lonn and Patrik Wallstrom.
5073 31 July 2012: Wouter
5074 - Improved forward-first and stub-first documentation.
5075 - Fix that enables modules to register twice for the same
5076 serviced_query, without race conditions or administration issues.
5077 This should not happen with the current codebase, but it is robust.
5078 - Fix forward-first option where it sets the RD flag wrongly.
5079 - added manpage links for libunbound calls (Thanks Paul Wouters).
5081 30 July 2012: Wouter
5082 - tag 1.4.18rc2 (became 1.4.18 release at 2 august 2012).
5084 27 July 2012: Wouter
5085 - unbound-host works with libNSS
5086 - fix bogus nodata cname chain not reported as bogus by validator,
5087 (Thanks Peter van Dijk).
5089 26 July 2012: Wouter
5090 - iana portlist updated.
5093 25 July 2012: Wouter
5094 - review fix for libnss, check hash prefix allocation size.
5096 23 July 2012: Wouter
5097 - fix missing break for GOST DS hash function.
5098 - implemented forward_first for the root.
5100 20 July 2012: Wouter
5101 - Fix bug#452 and another assertion failure in mesh.c, makes
5102 assertions in mesh.c resist duplicates. Fixes DS NS search to
5103 not generate duplicate sub queries.
5105 19 July 2012: Willem
5106 - Fix bug#454: Remove ACX_CHECK_COMPILER_FLAG from configure.ac,
5107 if CFLAGS is specified at configure time then '-g -O2' is not
5108 appended to CFLAGS, so that the user can override them.
5110 18 July 2012: Willem
5111 - Fix libunbound report of errors when in background mode.
5113 11 July 2012: Willem
5114 - updated iana ports list.
5117 - Add flush_bogus option for unbound-control
5120 - Fix validation of qtype DS queries that result in no data for
5121 non-optout NSEC3 zones.
5124 - compile libunbound with libnss on Suse, passes regression tests.
5127 - FIPS_mode openssl does not use arc4random but RAND_pseudo_bytes.
5130 - updated iana ports list.
5132 29 June 2012: Wouter
5133 - patch for unbound_munin_ script to handle arbitrary thread count by
5136 28 June 2012: Wouter
5137 - detect if openssl has FIPS_mode.
5138 - code review: return value of cache_store can be ignored for better
5139 performance in out of memory conditions.
5140 - fix edns-buffer-size and msg-buffer-size manpage documentation.
5141 - updated iana ports list.
5143 25 June 2012: Wouter
5144 - disable RSAMD5 if in FIPS mode (for openssl and for libnss).
5146 22 June 2012: Wouter
5147 - implement DS records, NSEC3 and ECDSA for compile with libnss.
5149 21 June 2012: Wouter
5150 - fix error handling of alloc failure during rrsig verification.
5151 - nss check for verification failure.
5152 - nss crypto works for RSA and DSA.
5154 20 June 2012: Wouter
5155 - work on --with-nss build option (for now, --with-libunbound-only).
5157 19 June 2012: Wouter
5158 - --with-libunbound-only build option, only builds the library and
5159 not the daemon and other tools.
5161 18 June 2012: Wouter
5164 15 June 2012: Wouter
5165 - implement log-time-ascii on windows.
5166 - The key-cache bad key ttl is now 60 seconds.
5167 - updated iana ports list.
5170 11 June 2012: Wouter
5171 - bug #452: fix crash on assert in mesh_state_attachment.
5174 - silence warning from swig-generated code (md set but not used in
5175 swig initmodule, due to ifdefs in swig-generated code).
5178 - Fix debian-bugs-658021: Please enable hardened build flags.
5181 - updated iana ports list.
5184 - tag for 1.4.17 release.
5185 - trunk is 1.4.18 in development.
5188 - Review comments, removed duplicate memset to zero in delegpt.
5191 - Updated doc/FEATURES with RFCs that are implemented but not listed.
5192 - Protect if statements in val_anchor for compile without locks.
5193 - tag for 1.4.17rc1.
5196 - fix configure ECDSA support in ldns detection for windows compile.
5197 - fix possible uninitialised variable in windows pipe implementation.
5200 - Fix alignment problem in util/random on sparc64/freebsd.
5203 - Fix for accept spinning reported by OpenBSD.
5204 - iana portlist updated.
5207 - Fix validation of nodata for DS query in NSEC zones, reported by
5210 13 April 2012: Wouter
5211 - ECDSA support (RFC 6605) by default. Use --disable-ecdsa for older
5214 10 April 2012: Wouter
5215 - Applied patch from Daisuke HIGASHI for rrset-roundrobin and
5216 minimal-responses features.
5217 - iana portlist updated.
5219 5 April 2012: Wouter
5220 - fix bug #443: --with-chroot-dir not honoured by configure.
5221 - fix bug #444: setusercontext was called too late (thanks Bjorn
5224 27 March 2012: Wouter
5225 - fix bug #442: Fix that Makefile depends on pythonmod headers
5226 even using --without-pythonmodule.
5228 22 March 2012: Wouter
5229 - contrib/validation-reporter follows rotated log file (patch from
5232 21 March 2012: Wouter
5233 - new approach to NS fetches for DS lookup that works with
5234 cornercases, and is more robust and considers forwarders.
5236 19 March 2012: Wouter
5237 - iana portlist updated.
5238 - fix to locate nameservers for DS lookup with NS fetches.
5240 16 March 2012: Wouter
5241 - Patch for access to full DNS packet data in unbound python module
5244 9 March 2012: Wouter
5245 - Applied line-buffer patch from Augie Schwer to validation.reporter.sh.
5247 2 March 2012: Wouter
5248 - flush_infra cleans timeouted servers from the cache too.
5249 - removed warning from --enable-ecdsa.
5251 1 March 2012: Wouter
5252 - forward-first option. Tries without forward if a query fails.
5253 Also stub-first option that is similar.
5255 28 February 2012: Wouter
5256 - Fix from code review, if EINPROGRESS not defined chain if statement
5259 27 February 2012: Wouter
5260 - Fix bug#434: on windows check registry for config file location
5261 for unbound-control.exe, and unbound-checkconf.exe.
5263 23 February 2012: Wouter
5264 - Fix to squelch 'network unreachable' errors from tcp connect in
5265 logs, high verbosity will show them.
5267 16 February 2012: Wouter
5268 - iter_hints is now thread-owned in module env, and thus threadsafe.
5269 - Fix prefetch and sticky NS, now the prefetch works. It picks
5270 nameservers that 'would be valid in the future', and if this makes
5271 the NS timeout, it updates that NS by asking delegation from the
5272 parent again. If child NS has longer TTL, that TTL does not get
5273 refreshed from the lookup to the child nameserver.
5275 15 February 2012: Wouter
5276 - Fix forward-zone memory, uses malloc and frees original root dp.
5277 - iter hints (stubs) uses malloc inside for more dynamicity.
5278 - unbound-control forward_add, forward_remove, stub_add, stub_remove
5279 can modify stubs and forwards for running unbound (on mobile computer)
5280 they can also add and remove domain-insecure for the zone.
5282 14 February 2012: Wouter
5283 - Fix sticky NS (ghost domain problem) if prefetch is yes.
5284 - iter forwards uses malloc inside for more dynamicity.
5286 13 February 2012: Wouter
5287 - RT#2955. Fix for cygwin compilation.
5288 - iana portlist updated.
5290 10 February 2012: Wouter
5291 - Slightly smaller critical region in one case in infra cache.
5292 - Fix timeouts to keep track of query type, A, AAAA and other, if
5293 another has caused timeout blacklist, different type can still probe.
5294 - unit test fix for nomem_cnametopos.rpl race condition.
5296 9 February 2012: Wouter
5297 - Fix AHX_BROKEN_MEMCMP for autoheader mess up of #undef in config.h.
5299 8 February 2012: Wouter
5300 - implement draft-ietf-dnsext-ecdsa-04; which is in IETF LC; This
5301 implementation is experimental at this time and not recommended
5302 for use on the public internet (the protocol numbers have not
5303 been assigned). Needs recent ldns with --enable-ecdsa.
5304 - fix memory leak in errorcase for DSA signatures.
5305 - iana portlist updated.
5306 - workaround for openssl 0.9.8 ecdsa sha2 and evp problem.
5308 3 February 2012: Wouter
5309 - fix for windows, rename() is not posix compliant on windows.
5311 2 February 2012: Wouter
5312 - 1.4.16 release tag.
5313 - svn trunk is 1.4.17 in development.
5314 - iana portlist updated.
5316 1 February 2012: Wouter
5317 - Fix validation failures (like: validation failure xx: no NSEC3
5318 closest encloser from yy for DS zz. while building chain of trust,
5319 because of a bug in the TTL-fix in 1.4.15, it picked the wrong rdata
5320 for an NSEC3. Now it does not change rdata, and fixes TTL.
5322 30 January 2012: Wouter
5323 - Fix version-number in libtool to be version-info so it produces
5324 libunbound.so.2 like it should.
5326 26 January 2012: Wouter
5327 - Tag 1.4.15 (same as 1.4.15rc1), for 1.4.15 release.
5328 - trunk 1.4.16; includes changes memset testcode, #424 openindiana,
5329 and keyfile write fixup.
5330 - applied patch to support outgoing-interface with ub_ctx_set_option.
5332 23 January 2012: Wouter
5333 - Fix memset in test code.
5335 20 January 2012: Wouter
5336 - Fix bug #424: compile on OpenIndiana OS with gcc 4.6.2.
5338 19 January 2012: Wouter
5339 - Fix to write key files completely to a temporary file, and if that
5340 succeeds, replace the real key file. So failures leave a useful file.
5342 18 January 2012: Wouter
5343 - tag 1.4.15rc1 created
5344 - updated libunbound/ubsyms.def and remade tag 1.4.15rc1.
5346 17 January 2012: Wouter
5347 - Fix bug where canonical_compare of RRSIG did not downcase the
5348 signer-name. This is mostly harmless because RRSIGs do not have
5349 to be sorted in canonical order, usually.
5351 12 January 2012: Wouter
5352 - bug#428: add ub_version() call to libunbound. API version increase,
5353 with (binary) backwards compatibility for the previous version.
5355 10 January 2012: Wouter
5356 - Fix bug #425: unbound reports wrong TTL in reply, it reports a TTL
5357 that would be permissible by the RFCs but it is not the TTL in the
5359 - iana portlist updated.
5360 - uninitialised variable in reprobe for rtt blocked domains fixed.
5361 - lintfix and new flex output.
5363 2 January 2012: Wouter
5364 - Fix to randomize hash function, based on 28c3 congress, reported
5367 24 December 2011: Wouter
5368 - Fix for memory leak (about 20 bytes when a tcp or udp send operation
5369 towards authority servers failed, takes about 50.000 such failures to
5370 leak one Mb, such failures are also usually logged), reported by
5372 - iana portlist updated.
5374 19 December 2011: Wouter
5375 - Fix for VU#209659 CVE-2011-4528: Unbound denial of service
5376 vulnerabilities from nonstandard redirection and denial of existence
5377 http://www.unbound.net/downloads/CVE-2011-4528.txt
5378 - robust checks for next-closer NSEC3s.
5379 - tag 1.4.14 created.
5380 - trunk has 1.4.15 in development.
5382 15 December 2011: Wouter
5383 - remove uninit warning from cachedump code.
5384 - Fix parse error on negative SOA RRSIGs if badly ordered in the packet.
5386 13 December 2011: Wouter
5387 - iana portlist updated.
5389 - fix infra cache comparison.
5390 - Fix to constrain signer_name to be a parent of the lookupname.
5392 5 December 2011: Wouter
5393 - Fix getaddrinfowithincludes on windows with fedora16 mingw32-gcc.
5394 - Fix warnings with gcc 4.6 in compat/inet_ntop.c.
5395 - Fix warning unused in compat/strptime.c.
5396 - Fix malloc detection and double definition.
5398 2 December 2011: Wouter
5399 - configure generated with autoconf 2.68.
5401 30 November 2011: Wouter
5402 - Fix for tcp-upstream and ssl-upstream for if a laptop sleeps, causes
5403 SERVFAILs. Also fixed for UDP (but less likely).
5405 28 November 2011: Wouter
5406 - Fix quartile time estimate, it was too low, (thanks Jan Komissar).
5407 - iana ports updated.
5409 11 November 2011: Wouter
5410 - Makefile compat with SunOS make, BSD make and GNU make.
5411 - iana ports updated.
5413 10 November 2011: Wouter
5414 - Makefile changed for BSD make compatibility.
5416 9 November 2011: Wouter
5417 - added unit test for SSL service and SSL-upstream.
5419 8 November 2011: Wouter
5420 - can configure ssl service to one port number, and not on others.
5421 - fixup windows compile with ssl support.
5422 - Fix double free in unbound-host, reported by Steve Grubb.
5423 - iana portlist updated.
5425 1 November 2011: Wouter
5426 - dns over ssl support as a client, ssl-upstream yes turns it on.
5427 It performs an SSL transaction for every DNS query (250 msec).
5428 - documentation for new options: ssl-upstream, ssl-service-key and
5430 - iana portlist updated.
5431 - fix -flto detection on Lion for llvm-gcc.
5433 31 October 2011: Wouter
5434 - dns over ssl support, ssl-service-pem and ssl-service-key files
5435 can be given and then TCP queries are serviced wrapped in SSL.
5437 27 October 2011: Wouter
5438 - lame-ttl and lame-size options no longer exist, it is integrated
5439 with the host info. They are ignored (with verbose warning) if
5440 encountered to keep the config file backwards compatible.
5441 - fix iana-update for changing gzip compression of results.
5442 - fix export-all-symbols on OSX.
5444 26 October 2011: Wouter
5445 - iana portlist updated.
5446 - Infra cache stores information about ping and lameness per IP, zone.
5447 This fixes bug #416.
5448 - fix iana_update target for gzipped file on iana site.
5450 24 October 2011: Wouter
5451 - Fix resolve of partners.extranet.microsoft.com with a fix for the
5452 server selection for choosing out of a (particular) list of bad
5454 - Fix make_new_space function so that the incoming query is not
5455 overwritten if a jostled out query causes a waiting query to be
5456 resumed that then fails and sends an error message. (Thanks to
5459 21 October 2011: Wouter
5460 - fix --enable-allsymbols, fptr wlist is disabled on windows with this
5461 option enabled because of memory layout exe vs dll.
5463 19 October 2011: Wouter
5464 - fix unbound-anchor for broken strptime on OSX lion, detected
5466 - Detect if GOST really works, openssl1.0 on OSX fails.
5467 - Implement ipv6%interface notation for scope_id usage.
5469 17 October 2011: Wouter
5470 - better documentation for inform_super (Thanks Yang Zhe).
5472 14 October 2011: Wouter
5473 - Fix for out-of-memory condition in libunbound (thanks
5476 13 October 2011: Wouter
5477 - Fix --enable-allsymbols, it depended on link specifics of the
5478 target platform, or fptr_wlist assertion failures could occur.
5480 12 October 2011: Wouter
5481 - updated contrib/unbound_munin_ to family=auto so that it works with
5482 munin-node-configure automatically (if installed as
5483 /usr/local/share/munin/plugins/unbound_munin_ ).
5485 27 September 2011: Wouter
5486 - unbound.exe -w windows option for start and stop service.
5488 23 September 2011: Wouter
5489 - TCP-upstream calculates tcp-ping so server selection works if there
5492 20 September 2011: Wouter
5493 - Fix classification of NS set in answer section, where there is a
5494 parent-child server, and the answer has the AA flag for dir.slb.com.
5495 Thanks to Amanda Constant from Secure64.
5497 16 September 2011: Wouter
5498 - fix bug #408: accept patch from Steve Snyder that comments out
5499 unused functions in lookup3.c.
5500 - iana portlist updated.
5501 - fix EDNS1480 change memleak and TCP fallback.
5502 - fix various compiler warnings (reported by Paul Wouters).
5503 - max sent count. EDNS1480 only for rtt < 5000. No promiscuous
5504 fetch if sentcount > 3, stop query if sentcount > 16. Count is
5505 reset when referral or CNAME happens. This makes unbound better
5506 at managing large NS sets, they are explored when there is continued
5507 interest (in the form of queries).
5509 15 September 2011: Wouter
5511 - trunk contains 1.4.14 in development.
5512 - Unbound probes at EDNS1480 if there an EDNS0 timeout.
5514 12 September 2011: Wouter
5515 - Reverted dns EDNS backoff fix, it did not help and needs
5516 fragmentation fixes instead.
5519 7 September 2011: Wouter
5520 - Fix operation in ipv6 only (do-ip4: no) mode.
5522 6 September 2011: Wouter
5523 - fedora specfile updated.
5525 5 September 2011: Wouter
5528 2 September 2011: Wouter
5529 - iana portlist updated.
5531 26 August 2011: Wouter
5532 - Fix num-threads 0 does not segfault, reported by Simon Deziel.
5533 - Fix validation failures due to EDNS backoff retries, the retry
5534 for fetch of data has want_dnssec because the iter_indicate_dnssec
5535 function returns true when validation failure retry happens, and
5536 then the serviced query code does not fallback to noEDNS, even if
5537 the cache says it has this. This helps for DLV deployment when
5538 the DNSSEC status is not known for sure before the lookup concludes.
5540 24 August 2011: Wouter
5541 - Applied patch from Karel Slany that fixes a memory leak in the
5542 unbound python module, in string conversions.
5544 22 August 2011: Wouter
5545 - Fix validation of qtype ANY responses with CNAMEs (thanks Cathy
5546 Zhang and Luo Ce). Unbound responds with the RR types that are
5547 available at the name for qtype ANY and validates those RR types.
5548 It does not test for completeness (i.e. with NSEC or NSEC3 query),
5549 and it does not follow the CNAME or DNAME to another name (with
5550 even more data for the already large response).
5551 - Fix that internally, CNAMEs with NXDOMAIN have that as rcode.
5552 - Documented the options that work with control set_option command.
5553 - tcp-upstream yes/no option (works with set_option) for tunnels.
5555 18 August 2011: Wouter
5556 - fix autoconf call in makedist crosscompile to RC or snapshot.
5558 17 August 2011: Wouter
5559 - Fix validation of . DS query.
5560 - new xml format at IANA, new awk for iana_update.
5561 - iana portlist updated.
5563 10 August 2011: Wouter
5564 - Fix python site-packages path to /usr/lib64.
5565 - updated patch from Tom.
5566 - fix memory and fd leak after out-of-memory condition.
5568 9 August 2011: Wouter
5569 - patch from Tom Hendrikx fixes load of python modules.
5571 8 August 2011: Wouter
5572 - make clean had ldns-src reference, removed.
5574 1 August 2011: Wouter
5575 - Fix autoconf 2.68 warnings
5577 14 July 2011: Wouter
5578 - Unbound implements RFC6303 (since version 1.4.7).
5579 - tag 1.4.12rc1 is released as 1.4.12 (without the other fixes in the
5580 meantime, those are for 1.4.13).
5581 - iana portlist updated.
5583 13 July 2011: Wouter
5584 - Quick fix for contrib/unbound.spec example, no ldns-builtin any more.
5586 11 July 2011: Wouter
5587 - Fix wildcard expansion no-data reply under an optout NSEC3 zone is
5588 validated as insecure, reported by Jia Li (lijia@cnnic.cn).
5591 - 1.4.12rc1 tag created.
5594 - version number in example config file.
5595 - fix that --enable-static-exe does not complain about it unknown.
5597 30 June 2011: Wouter
5598 - tag relase 1.4.11, trunk is 1.4.12 development.
5599 - iana portlist updated.
5600 - fix bug#395: id bits of other query may leak out under conditions
5601 - fix replyaddr count wrong after jostled queries, which leads to
5602 eventual starvation where the daemon has no replyaddrs left to use.
5603 - fix comment about rndc port, that referred to the old port number.
5604 - fix that the listening socket is not closed when too many remote
5605 control connections are made at the same time.
5606 - removed ldns-src tarball inside the unbound tarball.
5608 23 June 2011: Wouter
5609 - Changed -flto check to support clang compiler.
5610 - tag 1.4.11rc3 created.
5612 17 June 2011: Wouter
5613 - tag 1.4.11rc1 created.
5614 - remove warning about signed/unsigned from flex (other flex version).
5615 - updated aclocal.m4 and libtool to match.
5616 - tag 1.4.11rc2 created.
5618 16 June 2011: Wouter
5619 - log-queries: yesno option, default is no, prints querylog.
5620 - version is 1.4.11.
5622 14 June 2011: Wouter
5623 - Use -flto compiler flag for link time optimization, if supported.
5624 - iana portlist updated.
5626 12 June 2011: Wouter
5627 - IPv6 service address for d.root-servers.net (2001:500:2D::D).
5629 10 June 2011: Wouter
5630 - unbound-control has version number in the header,
5631 UBCT[version]_space_ is the header sent by the client now.
5632 - Unbound control port number is registered with IANA:
5633 ub-dns-control 8953/tcp unbound dns nameserver control
5634 This is the new default for the control-port config setting.
5635 - statistics-interval prints the number of jostled queries to log.
5638 - Fix Makefile for U in environment, since wrong U is more common than
5639 deansification necessity.
5640 - iana portlist updated.
5641 - updated ldns tarball to 1.6.10rc2 snapshot of today.
5644 - Fix assertion failure when unbound generates an empty error reply
5645 in response to a query, CVE-2011-1922 VU#531342.
5646 - This fix is in tag 1.4.10.
5647 - defense in depth against the above bug, an error is printed to log
5648 instead of an assertion failure.
5651 - bug#386: --enable-allsymbols option links all binaries to libunbound
5652 and reduces install size significantly.
5653 - feature, ignore-cd-flag: yesno to provide dnssec to legacy servers.
5654 - iana portlist updated.
5655 - Fix TTL of SOA so negative TTL is separately cached from normal TTL.
5657 14 April 2011: Wouter
5658 - configure created with newer autoconf 2.66.
5660 12 April 2011: Wouter
5661 - bug#378: Fix that configure checks for ldns_get_random presence.
5663 8 April 2011: Wouter
5664 - iana portlist updated.
5665 - queries with CD flag set cause DNSSEC validation, but the answer is
5666 not withheld if it is bogus. Thus, unbound will retry if it is bad
5667 and curb the TTL if it is bad, thus protecting the cache for use by
5668 downstream validators.
5669 - val-override-date: -1 ignores dates entirely, for NTP usage.
5671 29 March 2011: Wouter
5672 - harden-below-nxdomain: changed so that it activates when the
5673 cached nxdomain is dnssec secure. This avoids backwards
5674 incompatibility because those old servers do not have dnssec.
5676 24 March 2011: Wouter
5677 - iana portlist updated.
5681 17 March 2011: Wouter
5682 - bug#370: new unbound.spec for CentOS 5.x from Harold Jones.
5683 Applied but did not do the --disable-gost.
5685 10 March 2011: Wouter
5686 - tag 1.4.9 release candidate 1 created.
5688 3 March 2011: Wouter
5689 - updated ldns to today.
5691 1 March 2011: Wouter
5692 - Fix no ADflag for NXDOMAIN in NSEC3 optout. And wildcard in optout.
5693 - give config parse error for multiple names on a stub or forward zone.
5694 - updated ldns tarball to 1.6.9(todays snapshot).
5696 24 February 2011: Wouter
5697 - bug #361: Fix, time.elapsed variable not reset with stats_noreset.
5699 23 February 2011: Wouter
5700 - iana portlist updated.
5701 - common.sh to version 3.
5703 18 February 2011: Wouter
5704 - common.sh in testdata updated to version 2.
5706 15 February 2011: Wouter
5707 - Added explicit note on unbound-anchor usage:
5708 Please note usage of unbound-anchor root anchor is at your own risk
5709 and under the terms of our LICENSE (see that file in the source).
5711 11 February 2011: Wouter
5712 - iana portlist updated.
5713 - tpkg updated with common.sh for common functionality.
5715 7 February 2011: Wouter
5716 - Added regression test for addition of a .net DS to the root, and
5717 cache effects with different TTL for glue and DNSKEY.
5718 - iana portlist updated.
5720 28 January 2011: Wouter
5721 - Fix remove private address does not throw away entire response.
5723 24 January 2011: Wouter
5726 19 January 2011: Wouter
5727 - fix bug#349: no -L/usr for ldns.
5729 18 January 2011: Wouter
5730 - ldns 1.6.8 tarball included.
5733 17 January 2011: Wouter
5734 - add get and set option for harden-below-nxdomain feature.
5735 - iana portlist updated.
5737 14 January 2011: Wouter
5738 - Fix so a changed NS RRset does not get moved name stuck on old
5739 server, for type NS the TTL is not increased.
5741 13 January 2011: Wouter
5742 - Fix prefetch so it does not get stuck on old server for moved names.
5744 12 January 2011: Wouter
5745 - iana portlist updated.
5747 11 January 2011: Wouter
5748 - Fix insecure CNAME sequence marked as secure, reported by Bert
5751 10 January 2011: Wouter
5752 - faster lruhash get_mem routine.
5754 4 January 2011: Wouter
5755 - bug#346: remove ITAR scripts from contrib, the service is discontinued, use the root.
5756 - iana portlist updated.
5758 23 December 2010: Wouter
5759 - Fix in infra cache that could cause rto larger than TOP_TIMEOUT kept.
5761 21 December 2010: Wouter
5762 - algorithm compromise protection using the algorithms signalled in
5763 the DS record. Also, trust anchors, DLV, and RFC5011 receive this,
5764 and thus, if you have multiple algorithms in your trust-anchor-file
5765 then it will now behave different than before. Also, 5011 rollover
5766 for algorithms needs to be double-signature until the old algorithm
5768 It is not an option, because I see no use to turn the security off.
5769 - iana portlist updated.
5771 17 December 2010: Wouter
5772 - squelch 'tcp connect: bla' in logfile, (set verbosity 2 to see them).
5773 - fix validation in this case: CNAME to nodata for co-hosted opt-in
5774 NSEC3 insecure delegation, was bogus, fixed to be insecure.
5776 16 December 2010: Wouter
5777 - Fix our 'BDS' license (typo reported by Xavier Belanger).
5779 10 December 2010: Wouter
5780 - iana portlist updated.
5781 - review changes for unbound-anchor.
5783 2 December 2010: Wouter
5784 - feature typetransparent localzone, does not block other RR types.
5786 1 December 2010: Wouter
5787 - Fix bug#338: print address when socket creation fails.
5789 30 November 2010: Wouter
5790 - Fix storage of EDNS failures in the infra cache.
5791 - iana portlist updated.
5793 18 November 2010: Wouter
5794 - harden-below-nxdomain option, default off (because very old
5795 software may be incompatible). We could enable it by default in
5798 17 November 2010: Wouter
5799 - implement draft-vixie-dnsext-resimprove-00, we stop on NXDOMAIN.
5800 - make test output nicer.
5802 15 November 2010: Wouter
5803 - silence 'tcp connect: broken pipe' and 'net down' at low verbosity.
5804 - iana portlist updated.
5805 - so-sndbuf option for very busy servers, a bit like so-rcvbuf.
5807 9 November 2010: Wouter
5808 - unbound-anchor compiles with openssl 0.9.7.
5810 8 November 2010: Wouter
5811 - release tag 1.4.7.
5812 - trunk is version 1.4.8.
5813 - Be lenient and accept imgw.pl malformed packet (like BIND).
5815 5 November 2010: Wouter
5816 - do not synthesize a CNAME message from cache for qtype DS.
5818 4 November 2010: Wouter
5819 - Use central entropy to seed threads.
5821 3 November 2010: Wouter
5822 - Change the rtt used to probe EDNS-timeout hosts to 1000 msec.
5824 2 November 2010: Wouter
5828 1 November 2010: Wouter
5829 - GOST code enabled by default (RFC 5933).
5831 27 October 2010: Wouter
5832 - Fix uninit value in dump_infra print.
5833 - Fix validation failure for parent and child on same server with an
5834 insecure childzone and a CNAME from parent to child.
5835 - Configure detects libev-4.00.
5837 26 October 2010: Wouter
5838 - dump_infra and flush_infra commands for unbound-control.
5839 - no timeout backoff if meanwhile a query succeeded.
5840 - Change of timeout code. No more lost and backoff in blockage.
5841 At 12sec timeout (and at least 2x lost before) one probe per IP
5842 is allowed only. At 120sec, the IP is blocked. After 15min, a
5843 120sec entry has a single retry packet.
5845 25 October 2010: Wouter
5846 - Configure errors if ldns is not found.
5848 22 October 2010: Wouter
5849 - Windows 7 fix for the installer.
5851 21 October 2010: Wouter
5852 - Fix bug where fallback_tcp causes wrong roundtrip and edns
5853 observation to be noted in cache. Fix bug where EDNSprobe halted
5854 exponential backoff if EDNS status unknown.
5855 - new unresponsive host method, exponentially increasing block backoff.
5856 - iana portlist updated.
5858 20 October 2010: Wouter
5859 - interface automatic works for some people with ip6 disabled.
5860 Therefore the error check is removed, so they can use the option.
5862 19 October 2010: Wouter
5863 - Fix for request list growth, if a server has long timeout but the
5864 lost counter is low, then its effective rtt is the one without
5865 exponential backoff applied. Because the backoff is not working.
5866 The lost counter can then increase and the server is blacklisted,
5867 or the lost counter does not increase and the server is working
5870 18 October 2010: Wouter
5871 - iana portlist updated.
5873 13 October 2010: Wouter
5874 - Fix TCP so it uses a random outgoing-interface.
5875 - unbound-anchor handles ADDPEND keystate.
5877 11 October 2010: Wouter
5878 - Fix bug when DLV below a trust-anchor that uses NSEC3 optout where
5879 the zone has a secure delegation hosted on the same server did not
5880 verify as secure (it was insecure by mistake).
5881 - iana portlist updated.
5882 - ldns tarball updated (for reading cachedumps with bad RR data).
5884 1 October 2010: Wouter
5885 - test for unbound-anchor. fix for reading certs.
5886 - Fix alloc_reg_release for longer uptime in out of memory conditions.
5888 28 September 2010: Wouter
5889 - unbound-anchor working, it creates or updates a root.key file.
5890 Use it before you start the validator (e.g. at system boot time).
5892 27 September 2010: Wouter
5893 - iana portlist updated.
5895 24 September 2010: Wouter
5896 - bug#329: in example.conf show correct ipv4 link-local 169.254/16.
5898 23 September 2010: Wouter
5899 - unbound-anchor app, unbound requires libexpat (xml parser library).
5901 22 September 2010: Wouter
5902 - compliance with draft-ietf-dnsop-default-local-zones-14, removed
5903 reverse ipv6 orchid prefix from builtin list.
5904 - iana portlist updated.
5906 17 September 2010: Wouter
5907 - DLV has downgrade protection again, because the RFC says so.
5908 - iana portlist updated.
5910 16 September 2010: Wouter
5911 - Algorithm rollover operational reality intrudes, for trust-anchor,
5912 5011-store, and DLV-anchor if one key matches it's good enough.
5913 - iana portlist updated.
5914 - Fix reported validation error in out of memory condition.
5916 15 September 2010: Wouter
5917 - Abide RFC5155 section 9.2: no AD flag for replies with NSEC3 optout.
5919 14 September 2010: Wouter
5920 - increased mesh-max-activation from 1000 to 3000 for crazy domains
5921 like _tcp.slb.com with 262 servers.
5922 - iana portlist updated.
5924 13 September 2010: Wouter
5925 - bug#327: Fix for cannot access stub zones until the root is primed.
5927 9 September 2010: Wouter
5928 - unresponsive servers are not completely blacklisted (because of
5929 firewalls), but also not probed all the time (because of the request
5930 list size it generates). The probe rate is 1%.
5931 - iana portlist updated.
5933 20 August 2010: Wouter
5934 - openbsd-lint fixes: acl_list_get_mem used if debug-alloc enabled.
5935 iterator get_mem includes priv_get_mem. delegpt nodup removed.
5936 listen_pushback, query_info_allocqname, write_socket, send_packet,
5937 comm_point_set_cb_arg and listen_resume removed.
5939 19 August 2010: Wouter
5940 - Fix bug#321: resolution of rs.ripe.net artifacts with 0x20.
5941 Delegpt structures checked for duplicates always.
5942 No more nameserver lookups generated when depth is full anyway.
5943 - example.conf notes how to do DNSSEC validation and track the root.
5944 - iana portlist updated.
5946 18 August 2010: Wouter
5947 - Fix bug#322: configure does not respect CFLAGS on Solaris.
5948 Pass CFLAGS="-xO4 -xtarget=generic" on the configure command line
5949 if use sun-cc, but some systems need different flags.
5951 16 August 2010: Wouter
5952 - Fix acx_nlnetlabs.m4 configure output for autoconf-2.66 AS_TR_CPP
5953 changes, uses m4_bpatsubst now.
5954 - make test (or make check) should be more portable and run the unit
5955 test and testbound scripts. (make longtest has special requirements).
5957 13 August 2010: Wouter
5958 - More pleasant remote control command parsing.
5959 - documentation added for return values reported by doxygen 1.7.1.
5960 - iana portlist updated.
5962 9 August 2010: Wouter
5963 - Fix name of rrset printed that failed validation.
5965 5 August 2010: Wouter
5966 - Return NXDOMAIN after chain of CNAMEs ends at name-not-found.
5968 4 August 2010: Wouter
5969 - Fix validation in case a trust anchor enters into a zone with
5970 unsupported algorithms.
5972 3 August 2010: Wouter
5973 - updated ldns tarball with bugfixes.
5974 - release tag 1.4.6.
5975 - trunk becomes 1.4.7 develop.
5976 - iana portlist updated.
5978 22 July 2010: Wouter
5979 - more error details on failed remote control connection.
5981 15 July 2010: Wouter
5982 - rlimit adjustments for select and ulimit can happen at the same time.
5984 14 July 2010: Wouter
5985 - Donation text added to README.
5986 - Fix integer underflow in prefetch ttl creation from cache. This
5987 fixes a potential negative prefetch ttl.
5989 12 July 2010: Wouter
5990 - Changed the defaults for num-queries-per-thread/outgoing-range.
5991 For builtin-select: 512/960, for libevent 1024/4096 and for
5992 windows 24/48 (because of win api). This makes the ratio this way
5993 to improve resilience under heavy load. For high performance, use
5994 libevent and possibly higher numbers.
5996 10 July 2010: Wouter
5997 - GOST enabled if SSL is recent and ldns has GOST enabled too.
5998 - ldns tarball updated.
6001 - iana portlist updated.
6002 - Fix validation of qtype DNSKEY when a key-cache entry exists but
6003 no rr-cache entry is used (it expired or prefetch), it then goes
6004 back up to the DS or trust-anchor to validate the DNSKEY.
6007 - Neat function prototypes, unshadowed local declarations.
6010 - failure to chown the pidfile is not fatal any more.
6011 - testbound uses UTC timezone.
6012 - ldns tarball updated (ports and works on Minix 3.1.7). On Minix, add
6013 /usr/gnu/bin to PATH, use ./configure AR=/usr/gnu/bin/gar and gmake.
6016 - log if a server is skipped because it is on the donotquery list,
6017 at verbosity 4, to enable diagnosis why no queries to 127.0.0.1.
6018 - added feature to print configure date, target and options with -h.
6019 - added feature to print event backend system details with -h.
6020 - wdiff is not actually required by make test, updated requirements.
6023 - Fix RFC4035 compliance with 2.2 statement that the DNSKEY at apex
6024 must be signed with all algorithms from the DS rrset at the parent.
6025 This is now checked and becomes bogus if not.
6027 28 June 2010: Wouter
6028 - Fix jostle list bug found by Vince (luoce@cnnic), it caused the qps
6029 in overload situations to be about 5 qps for the class of shortly
6031 The capacity of the resolver is then about (numqueriesperthread / 2)
6032 / (average time for such long queries) qps for long queries.
6033 And about (numqueriesperthread / 2)/(jostletimeout in whole seconds)
6034 qps for short queries, per thread.
6035 - Fix the max number of reply-address count to be applied for duplicate
6036 queries, and not for new query list entries. This raises the memory
6037 usage to a max of (16+1)*numqueriesperthread reply addresses.
6039 25 June 2010: Wouter
6040 - Fix handling of corner case reply from lame server, follows rfc2308.
6041 It could lead to a nodata reply getting into the cache if the search
6042 for a non-lame server turned up other misconfigured servers.
6043 - unbound.h has extern "C" statement for easier include in c++.
6045 23 June 2010: Wouter
6046 - iana portlist updated.
6047 - makedist upgraded cross compile openssl option, like this:
6048 ./makedist.sh -s -wssl openssl-1.0.0a.tar.gz -w --enable-gost
6050 22 June 2010: Wouter
6051 - Unbound reports libev or libevent correctly in logs in verbose mode.
6052 - Fix to unload gost dynamic library module for leak testing.
6054 18 June 2010: Wouter
6055 - iana portlist updated.
6057 17 June 2010: Wouter
6058 - Add AAAA to root hints for I.ROOT-SERVERS.NET.
6060 16 June 2010: Wouter
6061 - Fix assertion failure reported by Kai Storbeck from XS4ALL, the
6062 assertion was wrong.
6063 - updated ldns tarball.
6065 15 June 2010: Wouter
6066 - tag 1.4.5 created.
6067 - trunk contains 1.4.6 in development.
6068 - Fix TCPreply on systems with no writev, if just 1 byte could be sent.
6069 - Fix to use one pointer less for iterator query state store_parent_NS.
6070 - makedist crosscompile to windows uses builtin ldns not host ldns.
6071 - Max referral count from 30 to 130, because 128 one character domains
6073 - added documentation for the histogram printout to syslog.
6075 11 June 2010: Wouter
6076 - When retry to parent the retrycount is not wiped, so failed
6077 nameservers are not tried again.
6078 - iana portlist updated.
6080 10 June 2010: Wouter
6081 - Fix bug where a long loop could be entered, now cycle detection
6082 has a loop-counter and maximum search amount.
6085 - iana portlist updated.
6086 - 1.4.5rc1 tag created.
6089 - ldns tarball updated, 1.6.5.
6090 - review comments, split dependency cycle tracking for parentside
6091 last resort lookups for A and AAAA so there are more lookup options.
6094 - Fix compile warning if compiled without threads.
6095 - updated ldns-tarball with current ldns svn (pre 1.6.5).
6096 - GOST disabled-by-default, the algorithm number is allocated but the
6097 RFC is still has to pass AUTH48 at the IETF.
6100 - Ignore Z flag in incoming messages too.
6101 - Fix storage of negative parent glue if that last resort fails.
6102 - libtoolize 2.2.6b, autoconf 2.65 applied to configure.
6103 - new splint flags for newer splint install.
6106 - Fix AD flag handling, it could in some cases mistakenly copy the AD
6107 flag from upstream servers.
6108 - alloc_special_obtain out of memory is not a fatal error any more,
6109 enabling unbound to continue longer in out of memory conditions.
6110 - parentside names are dispreferred but not said to be dnssec-lame.
6111 - parentside check for cached newname glue.
6112 - fix parentside and querytargets modulestate, for dump_requestlist.
6113 - unbound-control-setup makes keys -rw-r--- so not all users permitted.
6114 - fix parentside from cache to be marked dispreferred for bad names.
6117 - iana portlist updated.
6118 - parent-child disagreement approach altered. Older fixes are
6119 removed in place of a more exhaustive search for misconfigured data
6120 available via the parent of a delegation.
6121 This is designed to be throttled by cache entries, with TTL from the
6122 parent if possible. Additionally the loop-counter is used.
6123 It also tests for NS RRset differences between parent and child.
6124 The fetch of misconfigured data should be more reliable and thorough.
6125 It should work reliably even with no or only partial data in cache.
6126 Data received from the child (as always) is deemed more
6127 authoritative than information received from the delegation parent.
6128 The search for misconfigured data is not performed normally.
6131 - Contribution from Migiel de Vos (Surfnet): nagios patch for
6132 unbound-host, in contrib/ (in the source tarball). Makes
6133 unbound-host suitable for monitoring dnssec(-chain) status.
6136 - EDNS timeout code will not fire if EDNS status already known.
6137 - EDNS failure not stored if EDNS status known to work.
6140 - Fix resolution for domains like safesvc.com.cn. If the iterator
6141 can not recurse further and it finds the delegation in a state
6142 where it would otherwise have rejected it outhand if so received
6143 from a cache lookup, then it can try to ask higherup (with loop
6145 - Fix comments in iter_utils:dp_is_useless.
6148 - Fix various compiler warnings from the clang llvm compiler.
6149 - iana portlist updated.
6152 - Fix bug#308: spelling error in variable name in parser and lexer.
6155 - Fix dnssec-missing detection that was turned off by server selection.
6156 - Conforms to draft-ietf-dnsop-default-local-zones-13. Added default
6157 reverse lookup blocks for IPv4 test nets 100.51.198.in-addr.arpa,
6158 113.0.203.in-addr.arpa and Orchid prefix 0.1.1.0.0.2.ip6.arpa.
6160 29 April 2010: Wouter
6161 - Fix for dnssec lameness detection to use the key cache.
6162 - infra cache entries that are expired are wiped clean. Previously
6163 it was possible to not expire host data (if accessed often).
6165 28 April 2010: Wouter
6166 - ldns tarball updated and GOST support is detected and then enabled.
6167 - iana portlist updated.
6168 - Fix detection of gost support in ldns (reported by Chris Smith).
6170 27 April 2010: Wouter
6171 - unbound-control get_option domain-insecure shows config file items.
6172 - fix retry sequence if prime hints are recursion-lame.
6173 - autotrust anchor file can be initialized with a ZSK key as well.
6174 - harden-referral-path does not result in failures due to max-depth.
6175 You can increase the max-depth by adding numbers (' 0') after the
6176 target-fetch-policy, this increases the depth to which is checked.
6178 26 April 2010: Wouter
6179 - Compile fix using Sun Studio 12 compiler on Solaris 5.9, use
6180 CPPFLAGS during configure process.
6181 - if libev is installed on the base system (not libevent), detect
6182 it from the event.h header file and link with -lev.
6183 - configlexer.lex gets config.h, and configyyrename.h added by make,
6184 no more double include.
6185 - More strict scrubber (Thanks to George Barwood for the idea):
6186 NS set must be pertinent to the query (qname subdomain nsname).
6187 - Fix bug#307: In 0x20 backoff fix fallback so the number of
6188 outstanding queries does not become -1 and block the request.
6189 Fixed handling of recursion-lame in combination with 0x20 fallback.
6190 Fix so RRsets are compared canonicalized and sorted if the immediate
6191 comparison fails, this makes it work around round-robin sites.
6193 23 April 2010: Wouter
6194 - Squelch log message: sendto failed permission denied for
6195 255.255.255.255, it is visible in VERB_DETAIL (verbosity 2).
6196 - Fix to fetch data as last resort more tenaciously. When cycle
6197 targets cause the server selection to believe there are more options
6198 when they really are not there, the server selection is reinitiated.
6199 - Fix fetch from blacklisted dnssec lame servers as last resort. The
6200 server's IP address is then given in validator errors as well.
6201 - Fix local-zone type redirect that did not use the query name for
6204 22 April 2010: Wouter
6206 - trunk contains 1.4.5 in development.
6207 - Fix validation failure for qtype ANY caused by a RRSIG parse failure.
6208 The validator error message was 'no signatures from ...'.
6210 16 April 2010: Wouter
6211 - more portability defines for CMSG_SPACE, CMSG_ALIGN, CMSG_LEN.
6214 15 April 2010: Wouter
6215 - ECC-GOST algorithm number 12 that is assigned by IANA. New test
6216 example key and signatures for GOST. GOST requires openssl-1.0.0.
6217 GOST is still disabled by default.
6219 9 April 2010: Wouter
6220 - Fix bug#305: pkt_dname_tolower could read beyond end of buffer or
6221 get into an endless loop, if 0x20 was enabled, and buffers are small
6222 or particular broken packets are received.
6223 - Fix chain of trust with CNAME at an intermediate step, for the DS
6226 8 April 2010: Wouter
6227 - Fix validation of queries with wildcard names (*.example).
6229 6 April 2010: Wouter
6230 - Fix EDNS probe for .de DNSSEC testbed failure, where the infra
6231 cache timeout coincided with a server update, the current EDNS
6232 backoff is less sensitive, and does not cache the backoff unless
6233 the backoff actually works and the domain is not expecting DNSSEC.
6234 - GOST support with correct algorithm numbers.
6236 1 April 2010: Wouter
6237 - iana portlist updated.
6239 24 March 2010: Wouter
6240 - unbound control flushed items are not counted when flushed again.
6242 23 March 2010: Wouter
6243 - iana portlist updated.
6245 22 March 2010: Wouter
6246 - unbound-host disables use-syslog from config file so that the
6247 config file for the main server can be used more easily.
6248 - fix bug#301: unbound-checkconf could not parse interface
6249 '0.0.0.0@5353', even though unbound itself worked fine.
6251 19 March 2010: Wouter
6252 - fix fwd_ancil test to pass if the socket options are not supported.
6254 18 March 2010: Wouter
6255 - Fixed random numbers for port, interface and server selection.
6256 Removed very small bias.
6257 - Refer to the listing in unbound-control man page in the extended
6258 statistics entry in the unbound.conf man page.
6260 16 March 2010: Wouter
6261 - Fix interface-automatic for OpenBSD: msg.controllen was too small,
6262 also assertions on ancillary data buffer.
6263 - check for IP_SENDSRCADDR for interface-automatic or IP_PKTINFO.
6264 - for NSEC3 check if signatures are cached.
6266 15 March 2010: Wouter
6267 - unit test for util/regional.c.
6269 12 March 2010: Wouter
6270 - Reordered configure checks so fork and -lnsl -lsocket checks are
6271 earlier, and thus later checks benefit from and do not hinder them.
6272 - iana portlist updated.
6273 - ldns tarball updated.
6274 - Fix python use when multithreaded.
6275 - Fix solaris python compile.
6276 - Include less in config.h and include per code file for ldns, ssl.
6278 11 March 2010: Wouter
6279 - another memory allocation option: --enable-alloc-nonregional.
6280 exposes the regional allocations to other memory purifiers.
6281 - fix for memory alignment in struct sock_list allocation.
6282 - Fix for MacPorts ldns without ssl default, unbound checks if ldns
6283 has dnssec functionality and uses the builtin if not.
6284 - Fix daemonize on Solaris 10, it did not detach from terminal.
6285 - tag 1.4.3 created.
6286 - trunk is 1.4.4 in development.
6287 - spelling fix in validation error involving cnames.
6289 10 March 2010: Wouter
6290 - --enable-alloc-lite works with test set.
6291 - portability in the testset: printf format conversions, prototypes.
6293 9 March 2010: Wouter
6294 - tag 1.4.2 created.
6295 - trunk is 1.4.3 in development.
6296 - --enable-alloc-lite debug option.
6298 8 March 2010: Wouter
6299 - iana portlist updated.
6301 4 March 2010: Wouter
6302 - Fix crash in control channel code.
6304 3 March 2010: Wouter
6305 - better casts in pipe code, brackets placed wrongly.
6306 - iana portlist updated.
6308 1 March 2010: Wouter
6309 - make install depends on make all.
6310 - Fix 5011 auto-trust-anchor-file initial read to skip RRSIGs.
6311 - --enable-checking: enables assertions but does not look nonproduction.
6312 - nicer VERB_DETAIL (verbosity 2, unbound-host -d) output, with
6313 nxdomain and nodata distinguished.
6314 - ldns tarball updated.
6315 - --disable-rpath fixed for libtool not found errors.
6316 - new fedora specfile from Fedora13 in contrib from Paul Wouters.
6318 26 February 2010: Wouter
6319 - Fixup prototype for lexer cleanup in daemon code.
6320 - unbound-control list_stubs, list_forwards, list_local_zones and
6323 24 February 2010: Wouter
6324 - Fix scrubber bug that potentially let NS records through. Reported
6326 - Also delete potential poison references from additional.
6327 - Fix: no classification of a forwarder as lame, throw away instead.
6329 23 February 2010: Wouter
6330 - libunbound ub_ctx_get_option() added.
6331 - unbound-control set_option and get_option commands.
6332 - iana portlist updated.
6334 18 February 2010: Wouter
6335 - A little more strict DS scrubbing.
6336 - No more blacklisting of unresponsive servers, a 2 minute timeout
6338 - RD flag not enabled for dnssec-blacklisted tries, unless necessary.
6339 - pickup ldns compile fix, libdl for libcrypto.
6340 - log 'tcp connect: connection timed out' only in high verbosity.
6341 - unbound-control log_reopen command.
6342 - moved get_option code from unbound-checkconf to util/config_file.c
6344 17 February 2010: Wouter
6345 - Disregard DNSKEY from authority section for chain of trust.
6346 DS records that are irrelevant to a referral scrubbed. Anti-poison.
6347 - iana portlist updated.
6349 16 February 2010: Wouter
6350 - Check for 'no space left on device' (or other errors) when
6351 writing updated autotrust anchors and print errno to log.
6353 15 February 2010: Wouter
6354 - Fixed the requery protection, the TTL was 0, it is now 900 seconds,
6355 hardcoded. We made the choice to send out more conservatively,
6356 protecting against an aggregate effect more than protecting a
6357 single user (from their own folly, perhaps in case of misconfig).
6359 12 February 2010: Wouter
6360 - Re-query pattern changed on validation failure. To protect troubled
6361 authority servers, unbound caches a failure for the DNSKEY or DS
6362 records for the entire zone, and only retries that 900 seconds later.
6363 This implies that only a handful of packets are sent extra to the
6364 authority if the zone fails.
6366 11 February 2010: Wouter
6367 - ldns tarball update for long label length syntax error fix.
6368 - iana portlist updated.
6370 9 February 2010: Wouter
6371 - Fixup in compat snprintf routine, %f 1.02 and %g support.
6372 - include math.h for testbound test compile portability.
6374 2 February 2010: Wouter
6375 - Updated url of IANA itar, interim trust anchor repository, in script.
6377 1 February 2010: Wouter
6378 - iana portlist updated.
6379 - configure test for memcmp portability.
6381 27 January 2010: Wouter
6382 - removed warning on format string in validator error log statement.
6383 - iana portlist updated.
6385 22 January 2010: Wouter
6386 - libtool finish the install of unbound python dynamic library.
6388 21 January 2010: Wouter
6389 - acx_nlnetlabs.m4 synchronised with nsd's version.
6391 20 January 2010: Wouter
6392 - Fixup lookup trouble for parent-child domains on the first query.
6394 14 January 2010: Wouter
6395 - Fixup ldns detection to also check for header files.
6397 13 January 2010: Wouter
6398 - prefetch-key option that performs DNSKEY queries earlier in the
6399 validation process, and that could halve the latency on DNSSEC
6400 queries. It takes some extra processing (CPU, a cache is needed).
6402 12 January 2010: Wouter
6403 - Fix unbound-checkconf for auto-trust-anchor-file present checks.
6405 8 January 2010: Wouter
6406 - Fix for parent-child disagreement code which could have trouble
6407 when (a) ipv6 was disabled and (b) the TTL for parent and child
6408 were different. There were two bugs, the parent-side information
6409 is fixed to no longer block lookup of child side information and
6410 the iterator is fixed to no longer attempt to get ipv6 when it is
6411 not enabled and then give up in failure.
6412 - test and fixes to make prefetch actually store the answer in the
6413 cache. Considers some rrsets 'already expired' but does not allow
6414 overwriting of rrsets considered more secure.
6416 7 January 2010: Wouter
6417 - Fixup python documentation (thanks Leo Vandewoestijne).
6418 - Work on cache prefetch feature.
6419 - Stats for prefetch, in log print stats, unbound-control stats
6420 and in unbound_munin plugin.
6422 6 January 2010: Wouter
6423 - iana portlist updated.
6424 - bug#291: DNS wireformat max is 255. dname_valid allowed 256 length.
6425 - verbose output includes parent-side-address notion for lameness.
6426 - documented val-log-level: 2 setting in example.conf and man page.
6427 - change unbound-control-setup from 1024(sha1) to 1536(sha256).
6429 1 January 2010: Wouter
6430 - iana portlist updated.
6432 22 December 2009: Wouter
6433 - configure with newer libtool 2.2.6b.
6435 17 December 2009: Wouter
6438 - trunk to version 1.4.2.
6440 15 December 2009: Wouter
6441 - Answer to qclass=ANY queries, with class IN contents.
6442 Test that validation also works.
6443 - updated ldns snapshot tarball with latest fixes (parsing records).
6445 11 December 2009: Wouter
6446 - on IPv4 UDP turn off DF flag.
6448 10 December 2009: Wouter
6449 - requirements.txt updated with design choice explanations.
6450 - Reading fixes: fix to set unlame when child confirms parent glue,
6451 and fix to avoid duplicate addresses in delegation point.
6452 - verify_rrsig routine checks expiration last.
6454 9 December 2009: Wouter
6455 - Fix Bug#287(reopened): update of ldns tarball with fix for parse
6456 errors generated for domain names like '.example.com'.
6457 - Fix SOA excluded from negative DS responses. Reported by Hauke
6458 Lampe. The negative cache did not include proper SOA records for
6459 negative qtype DS responses which makes BIND barf on it, such
6460 responses are now only used internally.
6461 - Fix negative cache lookup of closestencloser check of DS type bit.
6463 8 December 2009: Wouter
6464 - Fix for lookup of parent-child disagreement domains, where the
6465 parent-side glue works but it does not provide proper NS, A or AAAA
6466 for itself, fixing domains such as motorcaravanners.eu.
6467 - Feature: you can specify a port number in the interface: line, so
6468 you can bind the same interface multiple times at different ports.
6470 7 December 2009: Wouter
6471 - Bug#287: Fix segfault when unbound-control remove nonexistent local
6472 data. Added check to tests.
6474 1 December 2009: Wouter
6475 - Fix crash with module-config "iterator".
6476 - Added unit test that has "iterator" module-config.
6478 30 November 2009: Wouter
6479 - bug#284: fix parse of # without end-of-line at end-of-file.
6481 26 November 2009: Wouter
6482 - updated ldns with release candidate for version 1.6.3.
6483 - tag for 1.4.0 release.
6484 - 1.4.1 version in trunk.
6485 - Fixup major libtool version to 2 because of why_bogus change.
6486 It was 1:5:0 but should have been 2:0:0.
6488 23 November 2009: Wouter
6489 - Patch from David Hubbard for libunbound manual page.
6490 - Fixup endless spinning in unbound-control stats reported by
6491 Attila Nagy. Probably caused by clock reversal.
6493 20 November 2009: Wouter
6494 - contrib/split-itar.sh contributed by Tom Hendrikx.
6496 19 November 2009: Wouter
6497 - better argument help for unbound-control.
6498 - iana portlist updated.
6500 17 November 2009: Wouter
6501 - noted multiple entries for multiple domain names in example.conf.
6502 - iana portlist updated.
6504 16 November 2009: Wouter
6505 - Fixed signer detection of CNAME responses without signatures.
6506 - Fix#282 libunbound memleak on error condition by Eric Sesterhenn.
6507 - Tests for CNAMEs to deeper trust anchors, secure and bogus.
6508 - svn tag 1.4.0rc1 made.
6510 13 November 2009: Wouter
6511 - Fixed validation failure for CNAME to optout NSEC3 nodata answer.
6512 - unbound-host does not fail on type ANY.
6513 - Fixed wireparse failure to put RRSIGs together with data in some
6514 long ANY mix cases, which fixes validation failures.
6516 12 November 2009: Wouter
6517 - iana portlist updated.
6518 - fix manpage errors reported by debian lintian.
6520 - fixup very long vallog2 level error strings.
6522 11 November 2009: Wouter
6523 - ldns tarball updated (to 1.6.2).
6526 10 November 2009: Wouter
6527 - Thanks to Surfnet found bug in new dnssec-retry code that failed
6528 to combine well when combined with DLV and a particular failure.
6529 - Fixed unbound-control -h output about argument optionality.
6532 5 November 2009: Wouter
6533 - lint fixes and portability tests.
6534 - better error text for multiple domain keys in one autotrust file.
6536 2 November 2009: Wouter
6537 - Fix bug where autotrust does not work when started with a DS.
6538 - Updated GOST unit tests for unofficial algorithm number 249
6539 and DNSKEY-format changes in draft version -01.
6541 29 October 2009: Wouter
6542 - iana portlist updated.
6543 - edns-buffer-size option, default 4096.
6546 28 October 2009: Wouter
6547 - removed abort on prealloc failure, error still printed but softfail.
6548 - iana portlist updated.
6549 - RFC 5702: RSASHA256 and RSASHA512 support enabled by default.
6550 - ldns tarball updated (which also enables rsasha256 support).
6552 27 October 2009: Wouter
6553 - iana portlist updated.
6555 8 October 2009: Wouter
6557 - add val-log-level print to corner case (nameserver.epost.bg).
6558 - more detail to errors from insecure delegation checks.
6559 - Fix double time subtraction in negative cache reported by
6560 Amanda Constant and Hugh Mahon.
6561 - Made new validator error string available from libunbound for
6562 applications. It is in result->why_bogus, a zero-terminated string.
6563 unbound-host prints it by default if a result is bogus.
6564 Also the errinf is public in module_qstate (for other modules).
6566 7 October 2009: Wouter
6567 - retry for validation failure in DS and prime results. Less mem use.
6568 unit test. Provisioning in other tests for requeries.
6569 - retry for validation failure in DNSKEY in middle of chain of trust.
6571 - retry for empty non terminals in chain of trust and unit test.
6572 - Fixed security bug where the signatures for NSEC3 records were not
6573 checked when checking for absence of DS records. This could have
6574 enabled the substitution of an insecure delegation.
6575 - moved version number to 1.4.0 because of 1.3.4 release with only
6576 the NSEC3 patch from the entry above.
6577 - val-log-level: 2 shows extended error information for validation
6578 failures, but still one (longish) line per failure. For example:
6579 validation failure <example.com. DNSKEY IN>: signature expired from
6580 192.0.2.4 for trust anchor example.com. while building chain of trust
6581 validation failure <www.example.com. A IN>: no signatures from
6582 192.0.2.6 for key example.com. while building chain of trust
6584 6 October 2009: Wouter
6585 - Test set updated to provide additional ns lookup result.
6586 The retry would attempt to fetch the data from other nameservers
6587 for bogus data, and this needed to be provisioned in the tests.
6589 5 October 2009: Wouter
6590 - first validation failure retry code. Retries for data failures.
6593 2 October 2009: Wouter
6594 - improve 5011 modularization.
6595 - fix unbound-host so -d can be given before -C.
6596 - iana portlist updated.
6598 28 September 2009: Wouter
6599 - autotrust-anchor-file can read multiline input and $ORIGIN.
6600 - prevent integer overflow in holddown calculation. review fixes.
6601 - fixed race condition in trust point revocation. review fix.
6602 - review fixes to comments, removed unused code.
6604 25 September 2009: Wouter
6605 - so-rcvbuf: 4m option added. Set this on large busy servers to not
6606 drop the occasional packet in spikes due to full socket buffers.
6607 netstat -su keeps a counter of UDP dropped due to full buffers.
6608 - review of validator/autotrust.c, small fixes and comments.
6610 23 September 2009: Wouter
6611 - 5011 query failed counts verification failures, not lookup failures.
6612 - 5011 probe failure handling fixup.
6613 - test unbound reading of original autotrust data.
6614 The metadata per-key, such as key state (PENDING, MISSING, VALID) is
6615 picked up, otherwise performs initial probe like usual.
6617 22 September 2009: Wouter
6618 - autotrust test with algorithm rollover, new ordering of checks
6619 assists in orderly rollover.
6620 - autotrust test with algorithm rollover to unknown algorithm.
6621 checks if new keys are supported before adding them.
6622 - autotrust test with trust point revocation, becomes unsigned.
6623 - fix DNSSEC-missing-signature detection for minimal responses
6624 for qtype DNSKEY (assumes DNSKEY occurs at zone apex).
6626 18 September 2009: Wouter
6627 - autotrust tests, fix trustpoint timer deletion code.
6628 fix count of valid anchors during missing remove.
6629 - autotrust: pick up REVOKE even if not signed with known other keys.
6631 17 September 2009: Wouter
6632 - fix compile of unbound-host when --enable-alloc-checks.
6633 - Fix lookup problem reported by Koh-ichi Ito and Jaap Akkerhuis.
6634 - Manual page fixes reported by Tony Finch.
6636 16 September 2009: Wouter
6637 - Fix memory leak reported by Tao Ma.
6638 - Fix memstats test tool for log-time-ascii log format.
6640 15 September 2009: Wouter
6641 - iana portlist updated.
6643 10 September 2009: Wouter
6644 - increased MAXSYSLOGLEN so .bg key can be printed in debug output.
6645 - use linebuffering for log-file: output, this can be significantly
6646 faster than the previous fflush method and enable some class of
6647 resolvers to use high verbosity (for short periods).
6648 Not on windows, because line buffering does not work there.
6650 9 September 2009: Wouter
6651 - Fix bug where DNSSEC-bogus messages were marked with too high TTL.
6652 The RRsets would still expire at the normal time, but this would
6653 keep messages bogus in the cache for too long.
6654 - regression test for that bug.
6655 - documented that load_cache is meant for debugging.
6657 8 September 2009: Wouter
6658 - fixup printing errors when load_cache, they were printed to the
6659 SSL connection which broke, now to the log.
6660 - new ldns - with fixed parse of large SOA values.
6662 7 September 2009: Wouter
6663 - autotrust testbound scenarios.
6664 - autotrust fix that failure count is written to file.
6665 - autotrust fix that keys may become valid after add holddown time
6666 alone, before the probe returns.
6668 4 September 2009: Wouter
6669 - Changes to make unbound work with libevent-2.0.3 alpha. (in
6670 configure detection due to new ssl dependency in libevent)
6671 - do not call sphinx for documentation when python is disabled.
6672 - remove EV_PERSIST from libevent timeout code to make the code
6673 compatible with the libevent-2.0. Works with older libevent too.
6674 - fix memory leak in python code.
6676 3 September 2009: Wouter
6677 - Got a patch from Luca Bruno for libunbound support on windows to
6678 pick up the system resolvconf nameservers and hosts there.
6679 - included ldns updated (enum warning fixed).
6680 - makefile fix for parallel makes.
6681 - Patch from Zdenek Vasicek and Attila Nagy for using the source IP
6682 from python scripts. See pythonmod/examples/resip.py.
6683 - doxygen comment fixes.
6685 2 September 2009: Wouter
6686 - TRAFFIC keyword for testbound. Simplifies test generation.
6687 ${range lower val upper} to check probe timeout values.
6688 - test with 5011-prepublish rollover and revocation.
6689 - fix revocation of RR for autotrust, stray exclamation mark.
6691 1 September 2009: Wouter
6692 - testbound variable arithmetic.
6693 - autotrust probe time is randomised.
6694 - autotrust: the probe is active and does not fetch from cache.
6696 31 August 2009: Wouter
6697 - testbound variable processing.
6699 28 August 2009: Wouter
6700 - fixup unbound-control lookup to print forward and stub servers.
6702 27 August 2009: Wouter
6703 - autotrust: mesh answer callback is empty.
6705 26 August 2009: Wouter
6706 - autotrust probing.
6707 - iana portlist updated.
6709 25 August 2009: Wouter
6710 - fixup memleak in trust anchor unsupported algorithm check.
6711 - iana portlist updated.
6712 - autotrust options: add-holddown, del-holddown, keep-missing.
6713 - autotrust store revoked status of trust points.
6714 - ctime_r compat definition.
6715 - detect yylex_destroy() in configure.
6716 - detect SSL_get_compression_methods declaration in configure.
6717 - fixup DS lookup at anchor point with unsigned parent.
6718 - fixup DLV lookup for DS queries to unsigned domains.
6720 24 August 2009: Wouter
6721 - cleaner memory allocation on exit. autotrust test routines.
6722 - free all memory on program exit, fix for ssl and flex.
6724 21 August 2009: Wouter
6725 - autotrust: debug routines. Read,write and conversions work.
6727 20 August 2009: Wouter
6728 - autotrust: save and read trustpoint variables.
6730 19 August 2009: Wouter
6731 - autotrust: state table updates.
6732 - iana portlist updated.
6734 17 August 2009: Wouter
6735 - autotrust: process events.
6737 17 August 2009: Wouter
6738 - Fix so that servers are only blacklisted if they fail to reply
6739 to 16 queries in a row and the timeout gets above 2 minutes.
6740 - autotrust work, split up DS verification of DNSKEYs.
6742 14 August 2009: Wouter
6743 - unbound-control lookup prints out infra cache information, like RTT.
6744 - Fix bug in DLV lookup reported by Amanda from Secure64.
6745 It could sometimes wrongly classify a domain as unsigned, which
6746 does not give the AD bit on replies.
6748 13 August 2009: Wouter
6749 - autotrust read anchor files. locked trust anchors.
6751 12 August 2009: Wouter
6752 - autotrust import work.
6754 11 August 2009: Wouter
6755 - Check for openssl compatible with gost if enabled.
6756 - updated unit test for GOST=211 code.
6757 Nicer naming of test files.
6758 - iana portlist updated.
6760 7 August 2009: Wouter
6761 - call OPENSSL_config() in unbound and unit test so that the
6762 operator can use openssl.cnf for configuration options.
6763 - removed small memory leak from config file reader.
6765 6 August 2009: Wouter
6766 - configure --enable-gost for GOST support, experimental
6767 implementation of draft-dolmatov-dnsext-dnssec-gost-01.
6768 - iana portlist updated.
6769 - ldns tarball updated (with GOST support).
6771 5 August 2009: Wouter
6772 - trunk moved to 1.3.4.
6774 4 August 2009: Wouter
6775 - Added test that the examples from draft rsasha256-14 verify.
6776 - iana portlist updated.
6779 3 August 2009: Wouter
6780 - nicer warning when algorithm not supported, tells you to upgrade.
6781 - iana portlist updated.
6783 27 July 2009: Wouter
6784 - Updated unbound-cacti contribution from Dmitriy Demidov, with
6785 the queue statistics displayed in its own graph.
6786 - iana portlist updated.
6788 22 July 2009: Wouter
6789 - Fix bug found by Michael Tokarev where unbound would try to
6790 prime the root servers even though forwarders are configured for
6794 21 July 2009: Wouter
6795 - Fix server selection, so that it waits for open target queries when
6796 faced with lameness.
6798 20 July 2009: Wouter
6799 - Ignore transient sendto errors, no route to host, and host, net down.
6800 - contrib/update-anchor.sh has -r option for root-hints.
6801 - feature val-log-level: 1 prints validation failures so you can
6802 keep track of them during dnssec deployment.
6804 16 July 2009: Wouter
6805 - fix replacement malloc code. Used in crosscompile.
6806 - makedist -w creates crosscompiled setup.exe on fedora11.
6808 15 July 2009: Wouter
6809 - dependencies for compat items, for crosscompile.
6810 - mingw32 crosscompile changes, dependencies and zipfile creation.
6811 and with System.dll from the windows NSIS you can make setup.exe.
6812 - package libgcc_s_sjlj exception handler for NSISdl.dll.
6814 14 July 2009: Wouter
6815 - updated ldns tarball for solaris x64 compile assistance.
6816 - no need to define RAND_MAX from config.h.
6817 - iana portlist updated.
6818 - configure changes and ldns update for mingw32 crosscompile.
6820 13 July 2009: Wouter
6821 - Fix for crash at start on windows.
6822 - tag for release 1.3.2.
6823 - trunk has version 1.3.3.
6824 - Fix for ID bits on windows to use all 16. RAND_MAX was not
6825 defined like you'd expect on mingw. Reported by Mees de Roo.
6828 - tag for release 1.3.1.
6829 - trunk has version 1.3.2.
6832 - iana portlist updated.
6835 - prettier error handling in SSL setup.
6836 - makedist.sh uname fix (same as ldns).
6837 - updated fedora spec file.
6840 - fixup linking when ldnsdir is "".
6842 30 June 2009: Wouter
6843 - more lenient truncation checks.
6845 29 June 2009: Wouter
6846 - ldns trunk r2959 imported as tarball, because of solaris cc compile
6847 support for c99. r2960 for better configure.
6848 - better wrongly_truncated check.
6849 - On Linux, fragment IPv6 datagrams to the IPv6 minimum MTU, to
6850 avoid dropped packets at routers.
6852 26 June 2009: Wouter
6853 - Fix EDNS fallback when EDNS works for short answers but long answers
6856 22 June 2009: Wouter
6857 - fixup iter priv strict aliasing while preserving size of sockaddr.
6858 - iana portlist updated. (one less port allocated, one more fraction
6859 of a bit for security!)
6860 - updated fedora specfile in contrib from Paul Wouters.
6862 19 June 2009: Wouter
6863 - Fixup strict aliasing warning in iter priv code.
6864 and config_file code.
6865 - iana portlist updated.
6866 - harden-referral-path: handle cases where NS is in answer section.
6868 18 June 2009: Wouter
6869 - Fix of message parse bug where (specifically) an NSEC and RRSIG
6870 in the wrong order would be parsed, but put wrongly into internal
6871 structures so that later validation would fail.
6872 - Extreme lenience for wrongly truncated replies where a positive
6873 reply has an NS in the authority but no signatures. They are
6874 turned into minimal responses with only the (secure) answer.
6875 - autoconf 2.63 for configure.
6876 - python warnings suppress. Keep python API away from header files.
6878 17 June 2009: Wouter
6879 - CREDITS entry for cz.nic, sponsoring a 'summer of code' that was
6880 used for the python code in unbound. (http://www.nic.cz/vip/ in cz).
6882 16 June 2009: Wouter
6883 - Fixup opportunistic target query generation to it does not
6884 generate queries that are known to fail.
6885 - Touchup on munin total memory report.
6886 - messages picked out of the cache by the iterator are checked
6887 if their cname chain is still correct and if validation status
6888 has to be reexamined.
6890 15 June 2009: Wouter
6891 - iana portlist updated.
6893 14 June 2009: Wouter
6894 - Fixed bug where cached responses would lose their security
6895 status on second validation, which especially impacted dlv
6896 lookups. Reported by Hauke Lampe.
6898 13 June 2009: Wouter
6899 - bug #254. removed random whitespace from example.conf.
6901 12 June 2009: Wouter
6902 - Fixup potential wrong NSEC picked out of the cache.
6903 - If unfulfilled callbacks are deleted they are called with an error.
6904 - fptr wlist checks for mesh callbacks.
6905 - fwd above stub in configuration works.
6907 11 June 2009: Wouter
6908 - Fix queries for type DS when forward or stub zones are there.
6909 They are performed to higherup domains, and thus treated as if
6910 going to higher zones when looking up the right forward or stub
6911 server. This makes a stub pointing to a local server that has
6912 a local view of example.com signed with the same keys as are
6913 publicly used work. Reported by Johan Ihren.
6914 - Added build-unbound-localzone-from-hosts.pl to contrib, from
6915 Dennis DeDonatis. It converts /etc/hosts into config statements.
6916 - same thing fixed for forward-zone and DS, chain of trust from
6917 public internet into the forward-zone works now. Added unit test.
6920 - openssl key files are opened apache-style, when user is root and
6921 before chrooting. This makes permissions on remote-control key
6922 files easier to set up. Fixes bug #251.
6923 - flush_type and flush_name remove msg cache entries.
6924 - codereview - dp copy bogus setting fix.
6927 - Removed RFC5011 REVOKE flag support. Partial 5011 support may cause
6928 inadvertant behaviour.
6929 - 1.3.0 tarball for release created.
6930 - 1.3.1 development in svn trunk.
6931 - iana portlist updated.
6932 - fix lint from complaining on ldns/sha.h.
6933 - help compiler figure out aliasing in priv_rrset_bad() routine.
6934 - fail to configure with python if swig is not found.
6935 - unbound_munin_ in contrib uses ps to show rss if sbrk does not work.
6938 - fixup bad free() when wrongly encoded DSA signature is seen.
6939 Reported by Paul Wouters.
6940 - review comments from Matthijs.
6943 - --enable-sha2 option. The draft rsasha256 changed its algorithm
6944 numbers too often. Therefore it is more prudent to disable the
6945 RSASHA256 and RSASHA512 support by default.
6946 - ldns trunk included as new tarball.
6947 - recreated the 1.3.0 tag in svn. rc1 tarball generated at this point.
6950 - fixup doc bug in README reported by Matthew Dempsky.
6953 - update iana port list
6954 - update ldns lib tarball
6957 - detect lack of IPv6 support on XP (with a different error code).
6958 - Fixup a crash-on-exit which was triggered by a very long queue.
6959 Unbound would try to re-use ports that came free, but this is
6960 of course not really possible because everything is deleted.
6961 Most easily triggered on XP (not Vista), maybe because of the
6962 network stack encouraging large messages backlogs.
6963 - change in debug statements.
6964 - Fixed bug that could cause a crash if root prime failed when there
6965 were message backlogs.
6968 - Thanks again to Brett Carr, found an assertion that was not true.
6969 Assertion checked if recursion parent query still existed.
6971 29 April 2009: Wouter
6972 - Thanks to Brett Carr, caught windows resource leak, use
6973 closesocket() and not close() on sockets or else the network stack
6974 starts to leak handles.
6975 - Removed usage of windows Mutex because windows cannot handle enough
6976 mutexes open. Provide own mutex implementation using primitives.
6978 28 April 2009: Wouter
6979 - created svn tag for 1.3.0.
6981 27 April 2009: Wouter
6982 - optimised cname from cache.
6983 - ifdef windows functions in testbound.
6985 23 April 2009: Wouter
6986 - fix for threadsafety in solaris thr_key_create() in tests.
6987 - iana portlist updated.
6988 - fix pylib test for Darwin.
6989 - fix pymod test for Darwin and a python threading bug in pymod init.
6990 - check python >= 2.4 in configure.
6991 - -ldl check for libcrypto 1.0.0beta.
6993 21 April 2009: Wouter
6994 - fix for build outside sourcedir.
6995 - fix for configure script swig detection.
6997 17 April 2009: Wouter
6998 - Fix reentrant in minievent handler for unix. Could have resulted
6999 in spurious event callbacks.
7000 - timers do not take up a fd slot for winsock handler.
7001 - faster fix for winsock reentrant check.
7002 - fix rsasha512 unit test for new (interim) algorithm number.
7003 - fix test:ldns doesn't like DOS line endings in keyfiles on unix.
7004 - fix compile warning on ubuntu (configlexer fwrite return value).
7005 - move python include directives into CPPFLAGS instead of CFLAGS.
7007 16 April 2009: Wouter
7008 - winsock event handler exit very quickly on signal, even if
7010 - iana portlist updated.
7011 - fixup windows winsock handler reentrant problem.
7013 14 April 2009: Wouter
7014 - bug #245: fix munin plugin, perform cleanup of stale lockfiles.
7015 - makedist.sh; better help text.
7016 - cache-min-ttl option and tests.
7017 - mingw detect error condition on TCP sockets (NOTCONN).
7019 9 April 2009: Wouter
7020 - Fix for removal of RSASHA256_NSEC3 protonumber from ldns.
7021 - ldns tarball updated.
7022 - iana portlist update.
7023 - detect GOST support in openssl-1.0.0-beta1, and fix compile problem
7024 because that openssl defines the name STRING for itself.
7026 6 April 2009: Wouter
7027 - windows compile fix.
7028 - Detect FreeBSD jail without ipv6 addresses assigned.
7029 - python libunbound wrapper unit test.
7030 - installs the following files. Default is to not build them.
7031 from configure --with-pythonmodule:
7032 /usr/lib/python2.x/site-packages/unboundmodule.py
7033 from configure --with-pyunbound:
7034 /usr/lib/python2.x/site-packages/unbound.py
7035 /usr/lib/python2.x/site-packages/_unbound.so*
7036 The example python scripts (pythonmod/examples and
7037 libunbound/python/examples) are not installed.
7038 - python invalidate routine respects packed rrset ids and locks.
7039 - clock skew checks in unbound, config statements.
7040 - nxdomain ttl considerations in requirements.txt
7042 3 April 2009: Wouter
7043 - Fixed a bug that caused messages to be stored in the cache too
7044 long. Hard to trigger, but NXDOMAINs for nameservers or CNAME
7045 targets have been more vulnerable to the TTL miscalculation bug.
7046 - documentation test fixed for python addition.
7048 2 April 2009: Wouter
7049 - pyunbound (libunbound python plugin) compiles using libtool.
7050 - documentation for pythonmod and pyunbound is generated in doc/html.
7051 - iana portlist updated.
7052 - fixed bug in unbound-control flush_zone where it would not flush
7053 every message in the target domain. This especially impacted
7054 NXDOMAIN messages which could remain in the cache regardless.
7055 - python module test package.
7057 1 April 2009: Wouter
7058 - suppress errors when trying to contact authority servers that gave
7059 ipv6 AAAA records for their nameservers with ipv4 mapped contents.
7060 Still tries to do so, could work when deployed in intranet.
7061 Higher verbosity shows the error.
7062 - new libunbound calls documented.
7063 - pyunbound in libunbound/python. Removed compile warnings.
7064 Makefile to make it.
7066 30 March 2009: Wouter
7067 - Fixup LDFLAGS from libevent sourcedir compile configure restore.
7068 - Fixup so no non-absolute rpaths are added.
7069 - Fixup validation of RRSIG queries, they are let through.
7070 - read /dev/random before chroot
7071 - checkconf fix no python checks when no python module enabled.
7072 - fix configure, pthread first, so other libs do not change outcome.
7074 27 March 2009: Wouter
7075 - nicer -h output. report linked libraries and modules.
7076 - prints modules in intuitive order (config file friendly).
7077 - python compiles easily on BSD.
7079 26 March 2009: Wouter
7080 - ignore swig varargs warnings with gcc.
7081 - remove duplicate example.conf text from python example configs.
7082 - outofdir compile fix for python.
7084 - print modules compiled in on -h. manpage.
7086 25 March 2009: Wouter
7087 - initial import of the python contribution from Zdenek Vasicek and
7089 - pythonmod in Makefile; changes to remove warnings/errors for 1.3.0.
7091 24 March 2009: Wouter
7092 - more neat configure.ac. Removed duplicate config.h includes.
7093 - neater config.h.in.
7094 - iana portlist updated.
7095 - fix util/configlexer.c and solaris -std=c99 flag.
7096 - fix postcommit aclocal errors.
7097 - spaces stripped. Makefile cleaner, /usr omitted from -I, -L, -R.
7098 - swap order of host detect and libtool generation.
7100 23 March 2009: Wouter
7101 - added launchd plist example file for MacOSX to contrib.
7102 - deprecation test for daemon(3).
7103 - moved common configure actions to m4 include, prettier Makefile.
7105 20 March 2009: Wouter
7106 - bug #239: module-config entries order is important. Documented.
7107 - build fix for test asynclook.
7109 19 March 2009: Wouter
7110 - winrc/README.txt dos-format text file.
7111 - iana portlist updated.
7112 - use _beginthreadex() when available (performs stack alignment).
7113 - defaults for windows baked into configure.ac (used if on mingw).
7115 18 March 2009: Wouter
7116 - Added tests, unknown algorithms become insecure. fallback works.
7117 - Fix for and test for unknown algorithms in a trust anchor
7118 definition. Trust anchors with no supported algos are ignored.
7119 This means a (higher)DS or DLV entry for them could succeed, and
7120 otherwise they are treated as insecure.
7121 - domain-insecure: "example.com" statement added. Sets domain
7122 insecure regardless of chain of trust DSs or DLVs. The inverse
7125 17 March 2009: Wouter
7126 - unit test for unsupported algorithm in anchor warning.
7127 - fixed so queries do not fail on opportunistic target queries.
7129 16 March 2009: Wouter
7130 - fixup diff error printout in contrib/update-itar.sh.
7131 - added contrib/unbound_cacti for statistics support in cacti,
7132 contributed by Dmitriy Demidov.
7134 13 March 2009: Wouter
7135 - doxygen and lex/yacc on linux.
7136 - strip update-anchor on makedist -w.
7137 - fix testbound on windows.
7138 - default log to syslog for windows.
7139 - uninstaller can stop unbound - changed text on it to reflect that.
7140 - remove debugging from windows 'cron' actions.
7142 12 March 2009: Wouter
7143 - log to App.logs on windows prints executable identity.
7145 - munin plugin fix benign locking error printout.
7146 - anchor-update for windows, called every 24 hours; unbound reloads.
7148 11 March 2009: Wouter
7149 - winsock event handler resets WSAevents after signalled.
7150 - winsock event handler tests if signals are really signalled.
7151 - install and service with log to file works on XP and Vista on
7152 default install location.
7153 - on windows logging to the Application logbook works (as a service).
7154 - fix RUN_DIR on windows compile setting in makedist.
7155 - windows registry has Software\Unbound\ConfigFile element.
7156 If does not exist, the default is used. The -c switch overrides it.
7157 - fix makedist version cleanup function.
7159 10 March 2009: Wouter
7160 - makedist -w strips out old rc.. and snapshot info from version.
7161 - setup.exe starts and stops unbound after install, before uninstall.
7162 - unbound-checkconf recognizes absolute pathnames on windows (C:...).
7164 9 March 2009: Wouter
7165 - Nullsoft NSIS installer creation script.
7167 5 March 2009: Wouter
7168 - fixup memory leak introduced on 18feb in mesh reentrant fix.
7170 3 March 2009: Wouter
7171 - combined icon with 16x16(4) 32x32(4) 48x48(8) 64x64(8).
7172 - service works on xp/vista, no config necessary (using defaults).
7173 - windows registry settings.
7175 2 March 2009: Wouter
7176 - fixup --export-symbols to be -export-symbls for libtool.
7177 This should fix extraneous symbols exported from libunbound.
7178 Thanks to Ondrej Sury and Robert Edmonds for finding it.
7179 - iana portlist updated.
7180 - document FAQ entry on stub/forward zones and default blocking.
7181 - fix asynclook test app for libunbound not exporting symbols.
7182 - service install and remove utils that work with vista UAC.
7184 27 February 2009: Wouter
7185 - Fixup lexer, to not give warnings about fwrite. Appeared in
7187 - makedistro functionality for mingw. Has RC support.
7188 - support spaces and backslashes in configured defaults paths.
7189 - register, deregister in service control manager.
7191 25 February 2009: Wouter
7192 - windres usage for application resources.
7194 24 February 2009: Wouter
7195 - isc moved their dlv key download location.
7196 - fixup warning on vista/mingw.
7197 - makedist -w for window zip distribution first version.
7199 20 February 2009: Wouter
7200 - Fixup contrib/update-itar.sh, the exit codes 1 and 0 were swapped.
7201 Nicer script layout. Added url to site in -h output.
7203 19 February 2009: Wouter
7204 - unbound-checkconf and unbound print warnings when trust anchors
7205 have unsupported algorithms.
7206 - added contrib/update-itar.sh This script is similar to
7207 update-anchor.sh, and updates from the IANA ITAR repository.
7208 You can provide your own PGP key and trust repo, or can use the
7209 builtin. The program uses wget and gpg to work.
7210 - iana portlist updated.
7211 - update-itar.sh: using ftp:// urls because https godaddy certificate
7212 is not available everywhere and then gives fatal errors. The
7213 security is provided by pgp signature.
7215 18 February 2009: Wouter
7216 - more cycle detection. Also for target queries.
7217 - fixup bug where during deletion of the mesh queries the callbacks
7218 that were reentrant caused assertion failures. Keep the mesh in
7219 a reentrant safe state. Affects libunbound, reload of server,
7220 on quit and flush_requestlist.
7221 - iana portlist updated.
7223 13 February 2009: Wouter
7224 - forwarder information now per-thread duplicated.
7225 This keeps it read only for speed, with no locking necessary.
7226 - forward command for unbound control to change forwarders to use
7228 - document that unbound-host reads no config file by default.
7229 - updated iana portlist.
7231 12 February 2009: Wouter
7232 - call setusercontext if available (on BSD).
7233 - small refactor of stats clearing.
7234 - #227: flush_stats feature for unbound-control.
7235 - stats_noreset feature for unbound-control.
7236 - flush_requestlist feature for unbound-control.
7237 - libunbound version upped API (was changed 5 feb).
7238 - unbound-control status shows if root forwarding is in use.
7239 - slightly nicer memory management in iter-fwd code.
7241 10 February 2009: Wouter
7242 - keys with rfc5011 REVOKE flag are skipped and not considered when
7244 - iana portlist updated
7245 - #226: dump_requestlist feature for unbound-control.
7247 6 February 2009: Wouter
7248 - contrib contains specfile for fedora 1.2.1 (from Paul Wouters).
7249 - iana portlist updated.
7250 - fixup EOL in include directive (reported by Paul Wouters).
7251 You can no longer specify newlines in the names of included files.
7252 - config parser changed. Gives some syntax errors closer to where they
7253 occurred. Does not enforce a space after keyword anymore.
7254 Does not allow literal newlines inside quoted strings anymore.
7255 - verbosity level 5 logs customer IP for new requestlist entries.
7256 - test fix, lexer and cancel test.
7257 - new option log-time-ascii: yes if you enable it prints timestamps
7258 in the log file as Feb 06 13:45:26 (like syslog does).
7259 - detect event_base_new in libevent-1.4.1 and later and use it.
7260 - #231 unbound-checkconf -o option prints that value from config file.
7261 Useful for scripting in management scripts and the like.
7263 5 February 2009: Wouter
7264 - ldns 1.5.0 rc as tarball included.
7265 - 1.3.0 development continues:
7266 change in libunbound API: ub_cancel can return an error, that
7267 the async_id did not exist, or that it was already delivered.
7268 The result could have been delivered just before the cancel
7269 routine managed to acquire the lock, so a caller may get the
7270 result at the same time they call cancel. For this case,
7271 ub_cancel tries to return an error code.
7272 Fixes race condition in ub_cancel() libunbound function.
7273 - MacOSX Leopard cleaner text output from configure.
7274 - initgroups(3) is called to drop secondary group permissions, if
7276 - configure option --with-ldns-builtin forces the use of the
7277 inluded ldns package with the unbound source. The -I include
7278 is put before the others, so it avoids bad include files from
7279 an older ldns install.
7280 - daemon(3) posix call is used when available.
7281 - testbound test for older fix added.
7283 4 February 2009: Wouter
7284 - tag for release 1.2.1.
7285 - trunk setup for 1.3.0 development.
7287 3 February 2009: Wouter
7288 - noted feature requests in doc/TODO.
7289 - printout more detailed errors on ssl certificate loading failures.
7290 - updated IANA portlist.
7292 16 January 2009: Wouter
7293 - more quiet about ipv6 network failures, i.e. when ipv6 is not
7294 available (network unreachable). Debug still printed on high
7296 - unbound-host -4 and -6 options. Stops annoying ipv6 errors when
7297 debugging with unbound-host -4 -d ...
7298 - more cycle detection for NS-check, addr-check, root-prime and
7299 stub-prime queries in the iterator. Avoids possible deadlock
7302 15 January 2009: Wouter
7303 - bug #229: fixup configure checks for compilation with Solaris
7304 Sun cc compiler, ./configure CC=/opt/SUNWspro/bin/cc
7305 - fixup suncc warnings.
7306 - fix bug where unbound could crash using libevent 1.3 and older.
7307 - update testset for recent retry change.
7309 14 January 2009: Wouter
7310 - 1.2.1 feature: negative caching for failed queries.
7311 Queries that failed are cached for 5 seconds (NORR_TTL).
7312 If the failure is local, like out of memory, it is not cached.
7313 - the TTL comparison for the cache used different comparisons,
7314 causing many cache responses that used the iterator and validator
7315 state machines unnecessarily.
7316 - retry from 4 to 5 so that EDNS drop retry is part of the first
7317 query resolve attempt, and cached error does not stop EDNS fallback.
7318 - remove debug prints that protect against bad referrals.
7319 - honor QUIET=no on make commandline (or QUIET=yes ).
7321 13 January 2009: Wouter
7322 - fixed bug in lameness marking, removed printouts.
7323 - find NS rrset more cleanly for qtype NS.
7324 - Moved changes to 1.2.0 for release. Thanks to Mark Zealey for
7326 - 1.2.1 feature: stops resolving AAAAs promiscuously when they
7327 are in the negative cache.
7329 12 January 2009: Wouter
7330 - fixed bug in infrastructure lameness cache, did not lowercase
7331 name of zone to hash when setting lame.
7332 - lameness debugging printouts.
7334 9 January 2009: Wouter
7335 - created svn tag for 1.2.0 release.
7336 - svn trunk contains 1.2.1 version number.
7337 - iana portlist updated for todays list.
7338 - removed debug print.
7340 8 January 2009: Wouter
7341 - new version of ldns-trunk (today) included as tarball, fixed
7342 bug #224, building with -j race condition.
7343 - remove possible race condition in the test for race conditions.
7345 7 January 2009: Wouter
7346 - version 1.2.0 in preparation.
7347 - feature to allow wildcards (*, ?, [], {}. ~) in trusted-keys-file
7348 statements. (Adapted from patch by Paul Wouters).
7349 - typo fix and iana portlist updated.
7350 - porting testsuite; unused var warning, and type fixup.
7352 6 January 2009: Wouter
7353 - fixup packet-of-death when compiled with --enable-debug.
7354 A malformed packet could cause an internal assertion failure.
7355 - added test for HINFO canonicalisation behaviour.
7356 - fixup reported problem with transparent local-zone data where
7357 queries with different type could get nxdomain. Now queries
7358 with a different name get resolved normally, with different type
7359 get a correct NOERROR/NODATA answer.
7360 - HINFO no longer downcased for validation, making unbound compatible
7362 - fix reading included config files when chrooted.
7363 Give full path names for include files.
7364 Relative path names work if the start dir equals the working dir.
7365 - fix libunbound message transport when no packet buffer is available.
7367 5 January 2009: Wouter
7368 - fixup getaddrinfo failure handling for remote control port.
7369 - added L.ROOT-SERVERS.NET. AAAA 2001:500:3::42 to builtin root hints.
7370 - fixup so it works with libev-3.51 from http://dist.schmorp.de/libev/
7371 - comm_timer_set performs base_set operation after event_add.
7373 18 December 2008: Wouter
7374 - fixed bug reported by Duane Wessels: error in DLV lookup, would make
7375 some zones that had correct DLV keys as insecure.
7376 - follows -rc makedist from ldns changes (no _rc).
7377 - ldns tarball updated with 1.4.1rc for DLV unit test.
7378 - verbose prints about recursion lame detection and server selection.
7379 - fixup BSD port for infra host storage. It hashed wrongly.
7380 - fixup makedist snapshot name generation.
7381 - do not reopen syslog to avoid dev/log dependency.
7383 17 December 2008: Wouter
7384 - follows ldns makedist.sh. -rc option. autom4te dir removed.
7385 - unbound-control status command.
7386 - extended statistics has a number of ipv6 queries counter.
7387 contrib/unbound_munin_ was updated to draw ipv6 in the hits graph.
7389 16 December 2008: Wouter
7390 - follow makedist improvements from ldns, for maintainers prereleases.
7391 - snapshot version uses _ not - to help rpm distinguish the
7394 11 December 2008: Wouter
7395 - better fix for bug #219: use LOG_NDELAY with openlog() call.
7396 Thanks to Tamas Tevesz.
7398 9 December 2008: Wouter
7399 - bug #221 fixed: unbound checkconf checks if key files exist if
7400 remote control is enabled. Also fixed NULL printf when not chrooted.
7401 - iana portlist updated.
7403 3 December 2008: Wouter
7404 - Fix problem reported by Jaco Engelbrecht where unbound-control stats
7405 freezes up unbound if this was compiled without threading, and
7406 was using multiple processes.
7407 - iana portlist updated.
7408 - test for remote control with interprocess communication.
7409 - created command distribution mechanism so that remote control
7410 commands other than 'stats' work on all processes in a nonthreaded
7411 compiled version. dump/load cache work, on the first process.
7412 - fixup remote control local_data addition memory corruption bug.
7414 1 December 2008: Wouter
7415 - SElinux policy files in contrib/selinux for the unbound daemon,
7416 by Paul Wouters and Adam Tkac.
7418 25 November 2008: Wouter
7419 - configure complains when --without-ssl is given (bug #220).
7420 - skip unsupported feature tests on vista/mingw.
7421 - fixup testcode/streamtcp to work on vista/mingw.
7422 - root-hints test checks version of dig required.
7423 - blacklisted servers are polled at a low rate (1%) to see if they
7424 come back up. But not if there is some other working server.
7426 24 November 2008: Wouter
7427 - document that the user of the server daemon needs read privileges
7428 on the keys and certificates generated by unbound-control-setup.
7429 This is different per system or distribution, usually, running the
7430 script under the same username as the server uses suffices.
7431 i.e. sudo -u unbound unbound-control-setup
7432 - testset port to vista/mingw.
7433 - tcp_sigpipe to freebsd port.
7435 21 November 2008: Wouter
7436 - fixed tcp accept, errors were printed when they should not.
7437 - unbound-control-setup.sh removes read/write permissions other
7438 from the keys it creates (as suggested by Dmitriy Demidov).
7440 20 November 2008: Wouter
7441 - fixup fatal error due to faulty error checking after tcp accept.
7442 - add check in rlimit to avoid integer underflow.
7443 - rlimit check with new formula; better estimate for number interfaces
7444 - nicer comments in rlimit check.
7445 - tag 1.1.1 created in svn.
7446 - trunk label is 1.1.2
7448 19 November 2008: Wouter
7449 - bug #219: fixed so that syslog which delays opening until the first
7450 log line is written, gets a log line while not chroot'ed yet.
7452 18 November 2008: Wouter
7453 - iana portlist updated.
7454 - removed cast in unit test debug print that was not 64bit safe.
7455 - trunk back to 1.1.0; copied to tags 1.1.0 release.
7456 - trunk to has version number 1.1.1 again.
7457 - in 1.1.1; make clean nicer. grammar in manpage.
7459 17 November 2008: Wouter
7460 - theoretical fix for problems reported on mailing list.
7461 If a delegation point has no A but only AAAA and do-ip6 is no,
7462 resolution would fail. Fixed to ask for the A and AAAA records.
7463 It has to ask for both always, so that it can fail quietly, from
7464 TLD perspective, when a zone is only reachable on one transport.
7465 - test for above, only AAAA and doip6 is no. Fix causes A record
7466 for nameserver to be fetched.
7467 - fixup address duplication on cache fillup for delegation points.
7468 - testset updated for new query answer requirements.
7470 14 November 2008: Wouter
7471 - created 1.1.0 release tag in svn.
7472 - trunk moved to 1.1.1
7473 - fixup unittest-neg for locking.
7475 13 November 2008: Wouter
7476 - added fedora init and specfile to contrib (by Paul Wouters).
7477 - added configure check for ldns 1.4.0 (using its compat funcs).
7478 - neater comments in worker.h.
7479 - removed doc/plan and updated doc/TODO.
7480 - silenced EHOSTDOWN (verbosity 2 or higher to see it).
7481 - review comments from Jelte, Matthijs. Neater code.
7483 12 November 2008: Wouter
7484 - add unbound-control manpage to makedist replace list.
7486 11 November 2008: Wouter
7487 - unit test for negative cache, stress tests the refcounting.
7488 - fix for refcounting error that could cause fptr_wlist fatal exit
7489 in the negative cache rbtree (upcoming 1.1 feature). (Thanks to
7490 Attila Nagy for testing).
7491 - nicer comments in cachedump about failed RR to string conversion.
7492 - fix 32bit wrap around when printing large (4G and more) mem usage
7493 for extended statistics.
7495 10 November 2008: Wouter
7496 - fixup the getaddrinfo compat code rename.
7498 8 November 2008: Wouter
7499 - added configure check for eee build warning.
7501 7 November 2008: Wouter
7502 - fix bug 217: fixed, setreuid and setregid do not work on MacOSX10.4.
7503 - detect nonblocking problems in network stack in configure script.
7505 6 November 2008: Wouter
7506 - dname_priv must decompress the name before comparison.
7507 - iana portlist updated.
7509 5 November 2008: Wouter
7510 - fixed possible memory leak in key_entry_key deletion.
7511 Would leak a couple bytes when trust anchors were replaced.
7512 - if query and reply qname overlap, the bytes are skipped not copied.
7513 - fixed file descriptor leak when messages were jostled out that
7514 had outstanding (TCP) replies.
7515 - DNAMEs used from cache have their synthesized CNAMEs initialized
7517 - fixed file descriptor leak for localzone type deny (for TCP).
7518 - fixed memleak at exit for nsec3 negative cached zones.
7519 - fixed memleak for the keyword 'nodefault' when reading config.
7520 - made verbosity of 'edns incapable peer' warning higher, so you
7521 do not get spammed by it.
7522 - caught elusive Bad file descriptor error bug, that would print the
7523 error while unnecessarily try to listen to a closed fd. Fixed.
7525 4 November 2008: Wouter
7526 - fixed -Wwrite-strings warnings that result in better code.
7528 3 November 2008: Wouter
7529 - fixup build process for Mac OSX linker, use ldns b32 compat funcs.
7530 - generated configure with autoconf-2.61.
7531 - iana portlist updated.
7532 - detect if libssl needs libdl. For static linking with libssl.
7533 - changed to use new algorithm identifiers for sha256/sha512
7534 from ldns 1.4.0 (need very latest version).
7535 - updated the included ldns tarball.
7536 - proper detection of SHA256 and SHA512 functions (not just sizes).
7538 23 October 2008: Wouter
7539 - a little more debug info for failure on signer names. prints names.
7541 22 October 2008: Wouter
7542 - CFLAGS are picked up by configure from the environment.
7543 - iana portlist updated.
7544 - updated ldns to use 1.4.0-pre20081022 so it picks up CFLAGS too.
7545 - new stub-prime: yesno option. Default is off, so it does not prime.
7546 can be turned on to get same behaviour as previous unbound release.
7547 - made automated test that checks if builtin root hints are uptodate.
7548 - finished draft-wijngaards-dnsext-resolver-side-mitigation
7549 implementation. The unwanted-reply-threshold can be set.
7550 - fixup so fptr_whitelist test in alloc.c works.
7552 21 October 2008: Wouter
7553 - fix update-anchors.sh, so it does not report different RR order
7554 as an update. Sorts the keys in the file. Updated copyright.
7555 - fixup testbound on windows, the command control pipe doesn't exist.
7556 - skip 08hostlib test on windows, no fork() available.
7557 - made unbound-remote work on windows.
7559 20 October 2008: Wouter
7560 - quench a log message that is debug only.
7561 - iana portlist updated.
7562 - do not query bogus nameservers. It is like nameservers that have
7563 the NS or A or AAAA record bogus are listed as donotquery.
7564 - if server selection is faced with only bad choices, it will
7565 attempt to get more options to be fetched.
7566 - changed bogus-ttl default value from 900 to 60 seconds.
7567 In anticipation that operator caused failures are more likely than
7568 actual attacks at this time. And thus repeated validation helps
7569 the operators get the problem fixed sooner. It makes validation
7570 failures go away sooner (60 seconds after the zone is fixed).
7571 Also it is likely to try different nameserver targets every minute,
7572 so that if a zone is bad on one server but not another, it is
7573 likely to pick up the 'correct' one after a couple minutes,
7574 and if the TTL is big enough that solves validation for the zone.
7575 - fixup unbound-control compilation on windows.
7577 17 October 2008: Wouter
7578 - port Leopard/G5: fixup type conversion size_t/uint32.
7579 please ranlib, stop file without symbols warning.
7580 - harden referral path now also validates the root after priming.
7581 It looks up the root NS authoritatively as well as the root servers
7582 and attemps to validate the entries.
7584 16 October 2008: Wouter
7585 - Fixup negative TTL values appearing (reported by Attila Nagy).
7587 15 October 2008: Wouter
7588 - better documentation for 0x20; remove fallback TODO, it is done.
7589 - harden-referral-path feature includes A, AAAA queries for glue,
7590 as well as very careful NS caching (only when doing NS query).
7591 A, AAAA use the delegation from the NS-query.
7593 14 October 2008: Wouter
7594 - fwd_three.tpkg test was flaky. If the three requests hit the
7595 wrong threads by chance (or bad OS) then the test would fail.
7596 Made less flaky by increasing number of retries.
7597 - stub_udp.tpkg changed to work, give root hints. fixed ldns_dname_abs.
7598 - ldns tarball is snapshot of ldns r2759 (1.4.0-pre-20081014).
7599 Which includes the ldns_dname_absolute fix.
7600 - fwd_three test remains flaky now that unbound does not stop
7601 listening when full. Thus, removed timeout problem.
7602 It may be serviced by three threads, or maybe by one.
7603 Mostly only useful for lock-check testing now.
7605 13 October 2008: Wouter
7606 - fixed recursion servers deployed as authoritative detection, so
7607 that as a last resort, a +RD query is sent there to get the
7609 - iana port list update.
7610 - ldns tarball is snapshot of ldns r2759 (1.4.0-pre-20081013).
7612 10 October 2008: Wouter
7613 - fixup tests - the negative cache contained the correct NSEC3s for
7614 two tests that are supposed to fail to validate.
7616 9 October 2008: Wouter
7617 - negative cache caps max iterations of NSEC3 done.
7618 - NSEC3 negative cache for qtype DS works.
7620 8 October 2008: Wouter
7621 - NSEC negative cache for DS.
7623 6 October 2008: Wouter
7624 - jostle-timeout option, so you can config for slow links.
7625 - 0x20 fallback code. Tries 3xnumber of nameserver addresses
7626 queries that must all be the same. Sent to random nameservers.
7627 - documented choices for DoS, EDNS, 0x20.
7629 2 October 2008: Wouter
7630 - fixup unlink of pidfile.
7631 - fixup SHA256 algorithm collation code.
7632 - contrib/update-anchor.sh does not overwrite anchors if not needed.
7633 exits 0 when a restart is needed, other values if not.
7634 so, update-anchor.sh -d mydir && /etc/rc.d/unbound restart
7635 can restart unbound exactly when needed.
7637 30 September 2008: Wouter
7638 - fixup SHA256 DS downgrade, no longer possible to downgrade to SHA1.
7639 - tests for sha256 support and downgrade resistance.
7640 - RSASHA256 and RSASHA512 support (using the draft in dnsext),
7641 using the drafted protocol numbers.
7642 - when using stub on localhost (127.0.0.1@10053) unbound works.
7643 Like when running NSD to host a local zone, on the same machine.
7644 The noprime feature. manpages more explanation. Added a test for it.
7645 - shorthand for reverse PTR, local-data-ptr: "1.2.3.4 www.ex.com"
7647 29 September 2008: Wouter
7648 - EDNS lameness detection, if EDNS packets are dropped this is
7649 detected, eventually.
7650 - multiple query timeout rtt backoff does not backoff too much.
7652 26 September 2008: Wouter
7653 - tests for remote-control.
7654 - small memory leak in exception during remote control fixed.
7655 - fixup for lock checking but not unchecking in remote control.
7656 - iana portlist updated.
7658 23 September 2008: Wouter
7659 - Msg cache is loaded. A cache load enables cache responses.
7660 - unbound-control flush [name], flush_type and flush_zone.
7662 22 September 2008: Wouter
7663 - dump_cache and load_cache statements in unbound-control.
7664 RRsets are dumped and loaded correctly.
7665 Msg cache is dumped.
7667 19 September 2008: Wouter
7668 - locking on the localdata structure.
7669 - add and remove local zone and data with unbound-control.
7670 - ldns trunk snapshot updated, make tests work again.
7672 18 September 2008: Wouter
7673 - fixup error in time calculation.
7674 - munin plugin improvements.
7675 - nicer abbreviations for high query types values (ixfr, axfr, any...)
7676 - documented the statistics output in unbound-control man page.
7677 - extended statistics prints out histogram, over unbound-control.
7679 17 September 2008: Wouter
7680 - locking for threadsafe bogus rrset counter.
7681 - ldns trunk no longer exports b32 functions, provide compat.
7682 - ldns tarball updated.
7683 - testcode/ldns-testpkts.c const fixups.
7684 - fixed rcode stat printout.
7685 - munin plugin in contrib.
7686 - stats always printout uptime, because stats plugins need it.
7688 16 September 2008: Wouter
7689 - extended-statistics: yesno config option.
7690 - unwanted replies spoof nearmiss detector.
7691 - iana portlist updated.
7693 15 September 2008: Wouter
7694 - working start, stop, reload commands for unbound-control.
7695 - test for unbound-control working; better exit value for control.
7696 - verbosity control via unbound-control.
7697 - unbound-control stats.
7699 12 September 2008: Wouter
7700 - removed browser control mentions. Proto speccy.
7702 11 September 2008: Wouter
7703 - set nonblocking on new TCP streams, because linux does not inherit
7704 the socket options to the accepted socket.
7706 - SSL protected connection between server and unbound-control.
7708 10 September 2008: Wouter
7709 - remove memleak in privacy addresses on reloads and quits.
7710 - remote control work.
7712 9 September 2008: Wouter
7713 - smallapp/unbound-control-setup.sh script to set up certificates.
7715 4 September 2008: Wouter
7716 - scrubber scrubs away private addresses.
7717 - test for private addresses. man page entry.
7718 - code refactored for name and address tree lookups.
7720 3 September 2008: Wouter
7721 - options for 'DNS Rebinding' protection: private-address and
7723 - dnstree for reuse of routines that help with domain, addr lookups.
7724 - private-address and private-domain config option read, stored.
7726 2 September 2008: Wouter
7727 - DoS protection features. Queries are jostled out to make room.
7728 - testbound can pass time, increasing the internal timer.
7729 - do not mark unsigned additionals bogus, leave unchecked, which
7732 1 September 2008: Wouter
7733 - disallow nonrecursive queries for cache snooping by default.
7734 You can allow is using access-control: <subnet> allow_snoop.
7735 The defaults do allow access no authoritative data without RD bit.
7736 - two tests for it and fixups of tests for nonrec refused.
7738 29 August 2008: Wouter
7739 - version 1.1 number in trunk.
7740 - harden-referral-path option for query for NS records.
7741 Default turns off expensive, experimental option.
7743 28 August 2008: Wouter
7744 - fixup logfile handling; it is created with correct permissions
7745 again. (from bugfix#199).
7746 Some errors are not written to logfile (pidfile writing, forking),
7747 and these are only visible by using the -d commandline flag.
7749 27 August 2008: Wouter
7750 - daemon(3) is causing problems for people. Reverting the patch.
7751 bug#200, and 199 and 203 contain sideline discussion on it.
7752 - bug#199 fixed: pidfile can be outside chroot. openlog is done before
7753 chroot and drop permissions.
7754 - config option to set size of aggressive negative cache,
7756 - bug#203 fixed: dlv has been implemented.
7758 26 August 2008: Wouter
7759 - test for insecure zone when DLV is in use, also does negative cache.
7760 - test for trustanchor when DLV is in use (the anchor works).
7761 - test for DLV used for a zone below a trustanchor.
7762 - added scrub filter for overreaching NSEC records and unit test.
7763 - iana portlist update
7764 - use of setresuid or setreuid when available.
7765 - use daemon(3) if available.
7767 25 August 2008: Wouter
7768 - realclean patch from Robert Edmonds.
7770 22 August 2008: Wouter
7771 - nicer debuglogging of DLV.
7772 - test with secure delegation inside the DLV repository.
7774 21 August 2008: Wouter
7775 - negative cache code linked into validator, for DLV use.
7776 negative cache works for DLV.
7777 - iana portlist update.
7778 - dlv-anchor option for unit tests.
7779 - fixup NSEC_AT_APEX classification for short typemaps.
7780 - ldns-testns has subdomain checks, for unit tests.
7782 20 August 2008: Wouter
7783 - negative cache code, reviewed.
7785 18 August 2008: Wouter
7786 - changes info: in logfile to notice: info: or debug: depending on
7787 the verbosity of the statements. Better logfile message
7789 - bug #208: extra rc.d unbound flexibility for freebsd/nanobsd.
7791 15 August 2008: Wouter
7792 - DLV nsec code fixed for better detection of closest existing
7793 enclosers from NSEC responses.
7794 - DLV works, straight to the dlv repository, so not for production.
7797 14 August 2008: Wouter
7798 - synthesize DLV messages from the rrset cache, like done for DS.
7800 13 August 2008: Wouter
7801 - bug #203: nicer do-auto log message when user sets incompatible
7803 - bug #204: variable name ameliorated in log.c.
7804 - bug #206: in iana_update, no egrep, but awk use.
7805 - ldns snapshot r2699 taken (includes DLV type).
7806 - DLV work, config file element, trust anchor read in.
7808 12 August 2008: Wouter
7809 - finished adjusting testset to provide qtype NS answers.
7811 11 August 2008: Wouter
7812 - Fixup rrset security updates overwriting 2181 trust status.
7813 This makes validated to be insecure data just as worthless as
7814 nonvalidated data, and 2181 rules prevent cache overwrites to them.
7815 - Fix assertion fail on bogus key handling.
7816 - dnssec lameness detection works on first query at trust apex.
7817 - NS queries get proper cache and dnssec lameness treatment.
7818 - fixup compilation without pthreads on linux.
7820 8 August 2008: Wouter
7821 - NS queries are done after every referral.
7822 validator is used on those NS records (if anchors enabled).
7824 7 August 2008: Wouter
7825 - Scrubber more strict. CNAME chains, DNAMEs from cache, other
7826 irrelevant rrsets removed.
7827 - 1.0.2 released from 1.0 support branch.
7828 - fixup update-anchor.sh to work both in BSD shell and bash.
7830 5 August 2008: Wouter
7831 - fixup DS test so apex nodata works again.
7833 4 August 2008: Wouter
7836 - fix bug 201: null ptr deref on cleanup while udp pkts wait for port.
7837 - added explanatory text for outgoing-port-permit in manpage.
7839 30 July 2008: Wouter
7840 - fixup bug qtype DS for unsigned zone and signed parent validation.
7842 25 July 2008: Wouter
7843 - added original copyright statement of OpenBSD arc4random code.
7844 - created tube signaling solution on windows, as a pipe replacement.
7845 this makes background asynchronous resolution work on windows.
7846 - removed very insecure socketpair compat code. It also did not
7847 work with event_waiting. Solved by pipe replacement.
7848 - unbound -h prints openssl version number as well.
7850 22 July 2008: Wouter
7851 - moved pipe actions to util/tube.c. easier porting and shared code.
7852 - check _raw() commpoint callbacks with fptr_wlist.
7855 21 July 2008: Wouter
7856 - #198: nicer entropy warning message. manpage OS hints.
7858 19 July 2008: Wouter
7859 - #198: fixup man page to suggest chroot entropy fix.
7861 18 July 2008: Wouter
7862 - branch for 1.0 support.
7863 - trunk work on tube.c.
7865 17 July 2008: Wouter
7866 - fix bug #196, compile outside source tree.
7867 - fix bug #195, add --with-username=user configure option.
7868 - print error and exit if started with config that requires more
7869 fds than the builtin minievent can handle.
7871 16 July 2008: Wouter
7872 - made svn tag 1.0.1, trunk now 1.0.2
7873 - sha256 checksums enabled in makedist.sh
7875 15 July 2008: Wouter
7876 - Follow draft-ietf-dnsop-default-local-zones-06 added reverse
7877 IPv6 example prefix to AS112 default blocklist.
7878 - fixup lookup of DS records by client with trustanchor for same.
7879 - libunbound ub_resolve, fix handling of error condition during setup.
7880 - lowered log_hex blocksize to fit through BSD syslog linesize.
7881 - no useless initialisation if getpwnam not available.
7882 - iana, ldns snapshot updated.
7885 - Matthijs fixed memory leaks in root hints file reading.
7887 26 June 2008: Wouter
7888 - fixup streamtcp bounds setting for udp mode, in the test framework.
7889 - contrib item for updating trust anchors.
7891 25 June 2008: Wouter
7892 - fixup fwd_ancil test typos.
7893 - Fix for newegg lameness : ok for qtype=A, but lame for others.
7894 - fixup unit test for infra cache, test lame merging.
7895 - porting to mingw, bind, listen, getsockopt and setsockopt error
7898 24 June 2008: Wouter
7899 - removed testcode/checklocks from production code compilation path.
7900 - streamtcp can use UDP mode (connected UDP socket), for testing IPv6
7902 - fwd_ancil test fails if platform support is lacking.
7904 23 June 2008: Wouter
7905 - fixup minitpkg to cleanup on windows with its file locking troubles.
7906 - minitpkg shows skipped tests in report.
7907 - skip ipv6 tests on ipv4 only hosts (requires only ipv6 localhost not
7909 - winsock event handler keeps track of sticky TCP events, that have
7910 not been fully handled yet. when interest in the event(s) resumes,
7911 they are sent again. When WOULDBLOCK is returned events are cleared.
7912 - skip tests that need signals when testing on mingw.
7914 18 June 2008: Wouter
7915 - open testbound replay files in binary mode, because fseek/ftell
7916 do not work in ascii-mode on windows. The b does nothing on unix.
7917 unittest and testbound tests work on windows (xp too).
7918 - ioctlsocket prints nicer error message.
7919 - fixed up some TCP porting for winsock.
7920 - lack of IPv6 gives a warning, no fatal error.
7921 - use WSAGetLastError() on windows instead of errno for some errors.
7923 17 June 2008: Wouter
7924 - outgoing num fds 32 by default on windows ; it supports less
7925 fds for waiting on than unixes.
7926 - winsock_event minievent handler for windows. (you could also
7927 attempt to link with libevent/libev ports for windows).
7928 - neater crypto check and gdi32 detection.
7929 - unbound.exe works to resolve and validate www.nlnetlabs.nl on vista.
7931 16 June 2008: Wouter
7932 - on windows, use windows threads, mutex and thread-local-storage(Tls).
7933 - detect if openssl needs gdi32.
7934 - if no threading, THREADS_DISABLED is defined for use in the code.
7935 - sets USE_WINSOCK if using ws2_32 on windows.
7936 - wsa_strerror() function for more readable errors.
7937 - WSA Startup and Cleanup called in unbound.exe.
7939 13 June 2008: Wouter
7940 - port mingw32, more signal ifdefs, detect sleep, usleep,
7941 random, srandom (used inside the tests).
7942 - signed or unsigned FD_SET is cast.
7944 10 June 2008: Wouter
7945 - fixup warnings compiling on eeepc xandros linux.
7948 - in iteration response type code
7949 * first check for SOA record (negative answer) before NS record
7951 * check if no AA bit for non-forwarder, and thus lame zone.
7952 In response to error report by Richard Doty for mail.opusnet.com.
7953 - fixup unput warning from lexer on freeBSD.
7954 - bug#183. pidfile, rundir, and chroot configure options. Also the
7955 example.conf and manual pages get the configured defaults.
7956 You can use: (or accept the defaults to /usr/local/etc/unbound/)
7957 --with-conf-file=filename
7958 --with-pidfile=filename
7960 --with-chroot-dir=path
7963 - if multiple CNAMEs, use the first one. Fixup akamai CNAME bug.
7964 Reported by Robert Edmonds.
7965 - iana port updated.
7968 - updated libtool files with newer version.
7969 - iana portlist updated.
7972 - fixup local-zone: "30.172.in-addr.arpa." nodefault, so that the
7973 trailing dot is not used during comparison.
7976 - Jelte fixed bugs in my absence
7977 - bug 178: fixed unportable shell usage in configure (relied on
7979 - bug 180: fixed buffer overflow in unbound-checkconf use of strncat.
7980 - bug 181: fixed buffer overflow in ldns (called by unbound to parse
7983 - bug 177: fixed compilation failure on opensuse, the
7984 --disable-static configure flag caused problems. (Patch from
7986 - bug 179: same fix as 177.
7987 - bug 185: --disable-shared not passed along to ldns included with
7988 unbound. Fixed so that configure parameters are passed to the
7989 subdir configure script.
7990 fixed that ./libtool is used always, you can still override
7991 manually with ./configure libtool=mylibtool or set $libtool in
7993 - update of the ldns tarball to current ldns svn version (fix 181).
7994 - bug 184: -r option for unbound-host, read resolv.conf for
7995 forwarder. (Note that forwarder must support DNSSEC for validation
8000 - test for sys/wait.h
8001 - WSAEWOULDBLOCK test after nonblocking TCP connect.
8002 - write_iov_buffer removed: unused and no struct iov on windows.
8003 - signed/unsigned warning fixup mini_event.
8004 - use ioctlsocket to set nonblocking I/O if fnctl is unavailable.
8005 - skip signals that are not defined
8007 - detect getpwnam, getrlimit, setsid, sbrk, chroot.
8008 - default config has no chroot if chroot() unavailable.
8009 - if no kill() then no pidfile is read or written.
8010 - gmtime_r is replaced by nonthreadsafe alternative if unavail.
8011 used in rrsig time validation errors.
8014 - contrib unbound.spec from Patrick Vande Walle.
8015 - fixup bug#175: call tzset before chroot to have correct timestamps
8017 - do not generate lex input and lex unput functions.
8018 - mingw port. replacement functions labelled _unbound.
8019 - fix bug 174 - check for tcp_sigpipe that ldns-testns is installed.
8022 - fedora 9, check in6_pktinfo define in configure.
8023 - CREDITS fixup of history.
8024 - ignore ldns-1.2.2 if installed, use builtin 1.3.0-pre alternative.
8027 - fixup for MacOSX hosts file reading (reported by John Dickinson).
8028 - created 1.0.0 svn tag.
8029 - trunk version 1.0.1.
8032 - accepted patch from Ondrej Sury for library version libtool option.
8033 - configure --disable-rpath fixes up libtool for rpath trouble.
8034 Adapted from debian package patch file.
8037 - Added root ipv6 addresses to builtin root hints.
8038 - TODO modified for post 1.0 plans.
8039 - trunk version set to 1.0.0.
8040 - no unnecessary linking with librt (only when libevent/libev used).
8043 - fixup no-ip4 problem with error callback in outside network.
8045 25 April 2008: Wouter
8046 - DESTDIR is honored by the Makefile for rpms.
8047 - contrib files unbound.spec and unbound.init, builds working RPM
8048 on FC7 Linux, a chrooted caching resolver, and libunbound.
8049 - iana ports update.
8051 24 April 2008: Wouter
8052 - chroot checks improved. working directory relative to chroot.
8053 checks if config file path is inside chroot. Documentation on it.
8054 - nicer example.conf text.
8057 23 April 2008: Wouter
8058 - parseunbound.pl contrib update from Kai Storbeck for threads.
8061 22 April 2008: Wouter
8063 - unit test for SIGPIPE ignore.
8065 21 April 2008: Wouter
8066 - FEATURES document.
8067 - fixup reread of config file if it was given as a full path
8068 and chroot was used.
8070 16 April 2008: Wouter
8071 - requirements doc, updated clean query returns.
8072 - parseunbound.pl update from Kai Storbeck.
8073 - sunos4 porting changes.
8075 15 April 2008: Wouter
8076 - fixup default rc.d pidfile location to /usr/local/etc.
8077 - iana ports updated.
8078 - copyright updated in ldns-testpkts to keep same as in ldns.
8079 - fixup checkconf chroot tests a bit more, chdir must be inside
8081 - documented 'gcc: unrecognized -KPIC option' errors on Solaris.
8082 - example.conf values changed to /usr/local/etc/unbound
8084 - DSA signatures: unbound is compatible with both encodings found.
8085 It will detect and convert when necessary.
8087 14 April 2008: Wouter
8088 - got update for parseunbound.pl statistics script from Kai Storbeck.
8089 - tpkg tests for udp wait list.
8090 - documented 0x20 status.
8091 - fixup chroot and checkconf, it is much smarter now.
8092 - fixup DSA EVP signature decoding. Solution that Jelte found copied.
8093 - and check first sig byte for the encoding type.
8095 11 April 2008: Wouter
8096 - random port selection out of the configged ports.
8097 - fixup threadsafety for libevent-1.4.3+ (event_base_get_method).
8098 - removed base_port.
8099 - created 256-port ephemeral space for the OS, 59802 available.
8100 - fixup consistency of port_if out array during heavy use.
8102 10 April 2008: Wouter
8103 - --with-libevent works with latest libevent 1.4.99-trunk.
8104 - added log file statistics perl script to contrib.
8105 - automatic iana ports update from makefile. 60058 available.
8107 9 April 2008: Wouter
8108 - configure can detect libev(from its build directory) when passed
8109 --with-libevent=/home/wouter/libev-3.2
8110 libev-3.2 is a little faster than libevent-1.4.3-stable (about 5%).
8111 - unused commpoints not listed in epoll list.
8112 - statistics-cumulative option so that the values are not reset.
8113 - config creates array of available ports, 61841 available,
8114 it excludes <1024 and iana assigned numbers.
8115 config statements to modify the available port numbers.
8117 8 April 2008: Wouter
8118 - unbound tries to set the ulimit fds when started as server.
8119 if that does not work, it will scale back its requirements.
8121 27 March 2008: Wouter
8122 - documented /dev/random symlink from chrootdir as FAQ entry.
8124 26 March 2008: Wouter
8125 - implemented AD bit signaling. If a query sets AD bit (but not DO)
8126 then the AD bit is set in the reply if the answer validated.
8127 Without including DNSSEC signatures. Useful if you have a trusted
8128 path from the client to the resolver. Follows dnssec-updates draft.
8130 25 March 2008: Wouter
8131 - implemented check that for NXDOMAIN and NOERROR answers a query
8132 section must be present in the reply (by the scrubber). And it must
8133 be equal to the question sent, at least lowercase folded.
8134 Previously this feature happened because the cache code refused
8135 to store such messages. However blocking by the scrubber makes
8136 sure nothing gets into the RRset cache. Also, this looks like a
8137 timeout (instead of an allocation failure) and this retries are
8138 done (which is useful in a spoofing situation).
8139 - RTT banding. Band size 400 msec, this makes band around zero (fast)
8140 include unknown servers. This makes unbound explore unknown servers.
8142 7 March 2008: Wouter
8143 - -C config feature for harvest program.
8144 - harvest handles CNAMEs too.
8146 5 March 2008: Wouter
8147 - patch from Hugo Koji Kobayashi for iterator logs spelling.
8149 4 March 2008: Wouter
8150 - From report by Jinmei Tatuya, rfc2181 trust value for remainder
8151 of a cname trust chain is lower; not full answer_AA.
8152 - test for this fix.
8153 - default config file location is /usr/local/etc/unbound.
8154 Thus prefix is used to determine the location. This is also the
8155 chroot and pidfile default location.
8157 3 March 2008: Wouter
8158 - Create 0.10 svn tag.
8159 - 0.11 version in trunk.
8160 - indentation nicer.
8162 29 February 2008: Wouter
8163 - documentation update.
8164 - fixup port to Solaris of perf test tool.
8165 - updated ldns-tarball with decl-after-statement fixes.
8167 28 February 2008: Wouter
8168 - fixed memory leaks in libunbound (during cancellation and wait).
8169 - libunbound returns the answer packet in full.
8170 - snprintf compat update.
8171 - harvest performs lookup.
8172 - ldns-tarball update with fix for ldns_dname_label.
8173 - installs to sbin by default.
8174 - install all manual pages (unbound-host and libunbound too).
8176 27 February 2008: Wouter
8177 - option to use caps for id randomness.
8178 - config file option use-caps-for-id: yes
8179 - harvest debug tool
8181 26 February 2008: Wouter
8182 - delay utility delays TCP as well. If the server that is forwarded
8183 to has a TCP error, the delay utility closes the connection.
8184 - delay does REUSE_ADDR, and can handle a server that closes its end.
8185 - answers use casing from query.
8187 25 February 2008: Wouter
8188 - delay utility works. Gets decent thoughput too (>20000).
8190 22 February 2008: Wouter
8191 - +2% for recursions, if identical queries (except for destination
8192 and query ID) in the reply list, avoid re-encoding the answer.
8193 - removed TODO items for optimizations that do not show up in
8195 - default is now minievent - not libevent. As its faster and
8196 not needed for regular installs, only for very large port ranges.
8197 - loop check different speedup pkt-dname-reading, 1% faster for
8198 nocache-recursion check.
8199 - less hashing during msg parse, 4% for recursion.
8200 - small speed fix for dname_count_size_labels, +1 or +2% recursion.
8201 - some speed results noted:
8202 optimization resulted in +40% for recursion (cache miss) and
8203 +70 to +80 for cache hits, and +96% for version.bind.
8204 zone nsec3 example, 100 NXDOMAIN queries, NSD 35182.8 Ub 36048.4
8205 www.nlnetlabs.nl from cache: BIND 8987.99 Ub 31218.3
8206 www with DO bit set : BIND 8269.31 Ub 28735.6 qps.
8207 So, unbound can be about equal qps to NSD in cache hits.
8208 And about 3.4x faster than BIND in cache performance.
8209 - delay utility for testing.
8211 21 February 2008: Wouter
8212 - speedup of root-delegation message encoding by 15%.
8213 - minor speedup of compress tree_lookup, maybe 1%.
8214 - speedup of dname_lab_cmp and memlowercmp - the top functions in
8215 profiler output, maybe a couple percent when it matters.
8217 20 February 2008: Wouter
8218 - setup speec_cache for need-ldns-testns in dotests.
8219 - check number of queued replies on incoming queries to avoid overload
8221 - fptr whitelist checks are not disabled in optimize mode.
8222 - do-daemonize config file option.
8223 - minievent time share initializes time at start.
8224 - updated testdata for nsec3 new algorithm numbers (6, 7).
8225 - small performance test of packet encoding (root delegation).
8227 19 February 2008: Wouter
8228 - applied patch to unbound-host man page from Jan-Piet Mens.
8229 - fix donotquery-localhost: yes default (it erroneously was switched
8231 - time is only gotten once and the value is shared across unbound.
8232 - unittest cleans up crypto, so that it has no memory leaks.
8233 - mini_event shares the time value with unbound this results in
8234 +3% speed for cache responses and +9% for recursions.
8235 - ldns tarball update with new NSEC3 sign code numbers.
8236 - perform several reads per UDP operation. This improves performance
8237 in DoS conditions, and costs very little in normal conditions.
8238 improves cache response +50%, and recursions +10%.
8239 - modified asynclook test. because the callback from async is not
8240 in any sort of lock (and thus can use all library functions freely),
8241 this causes a tiny race condition window when the last lock is
8242 released for a callback and a new cancel() for that callback.
8243 The only way to remove this is by putting callbacks into some
8244 lock window. I'd rather have the small possibility of a callback
8245 for a cancelled function then no use of library functions in
8246 callbacks. Could be possible to only outlaw process(), wait(),
8247 cancel() from callbacks, by adding another lock, but I'd rather not.
8249 18 February 2008: Wouter
8250 - patch to unbound-host from Jan-Piet Mens.
8251 - unbound host prints errors if fails to configure context.
8252 - fixup perf to resend faster, so that long waiting requests do
8253 not hold up the queue, they become lost packets or SERVFAILs,
8254 or can be sent a little while later (i.e. processing time may
8255 take long, but throughput has to be high).
8256 - fixup iterator operating in no cache conditions (RD flag unset
8258 - streamlined code for RD flag setting.
8259 - profiled code and changed dname compares to be faster.
8260 The speedup is about +3% to +8% (depending on the test).
8261 - minievent tests for eintr and eagain.
8263 15 February 2008: Wouter
8264 - added FreeBSD rc.d script to contrib.
8265 - --prefix option for configure also changes directory: pidfile:
8266 and chroot: defaults in config file.
8267 - added cache speed test, for cache size OK and cache too small.
8269 14 February 2008: Wouter
8270 - start without a config file (will complain, but start with
8272 - perf test program works.
8274 13 February 2008: Wouter
8276 - 1.0 development. Printout ldns version on unbound -h.
8277 - start of perf tool.
8278 - bugfix to read empty lines from /etc/hosts.
8280 12 February 2008: Wouter
8281 - fixup problem with configure calling itself if ldns-src tarball
8284 11 February 2008: Wouter
8285 - changed library to use ub_ instead of ub_val_ as prefix.
8286 - statistics output text nice.
8287 - etc/hosts handling.
8288 - library function to put logging to a stream.
8289 - set any option interface.
8291 8 February 2008: Wouter
8292 - test program for multiple queries over a TCP channel.
8293 - tpkg test for stream tcp queries.
8294 - unbound replies to multiple TCP queries on a TCP channel.
8295 - fixup misclassification of root referral with NS in answer
8296 when validating a nonrec query.
8298 - layout of manpages, spelling fix in header, manpages process by
8299 makedist, list asynclook and tcpstream tests as ldns-testns
8302 7 February 2008: Wouter
8303 - moved up all current level 2 to be level 3. And 3 to 4.
8304 to make room for new debug level 2 for detailed information
8306 - verbosity level 2. Describes recursion and validation.
8307 - cleaner configure script and fixes for libevent solaris.
8308 - signedness for log output memory sizes in high verbosity.
8310 6 February 2008: Wouter
8311 - clearer explanation of threading configure options.
8312 - fixup asynclook test for nothreading (it creates only one process
8313 to do the extended test).
8314 - changed name of ub_val_result_free to ub_val_resolve_free.
8315 - removes warning message during library linking, renamed
8316 libunbound/unbound.c -> libunbound.c and worker to libworker.
8317 - fallback without EDNS if result is NOTIMPL as well as on FORMERR.
8319 5 February 2008: Wouter
8320 - statistics-interval: seconds option added.
8321 - test for statistics option
8322 - ignore errors making directories, these can occur in parallel builds
8323 - fixup Makefile strip command and libunbound docs typo.
8325 31 January 2008: Wouter
8326 - bg thread/process reads and writes the pipe nonblocking all the time
8327 so that even if the pipe is buffered or so, the bg thread does not
8328 block, and services both pipes and queries.
8330 30 January 2008: Wouter
8331 - check trailing / on chrootdir in checkconf.
8332 - check if root hints and anchor files are in chrootdir.
8333 - no route to host tcp error is verbosity level 2.
8334 - removed unused send_reply_iov. and its configure check.
8335 - added prints of 'remote address is 1.2.3.4 port 53' to errors
8336 from netevent; the basic socket errors.
8338 28 January 2008: Wouter
8339 - fixup uninit use of buffer by libunbound (query id, flags) for
8341 - fixup uninit warning from random.c; also seems to fix sporadic
8342 sigFPE coming out of openssl.
8343 - made openssl entropy warning more silent for library use. Needs
8345 - fixup forgotten locks for rbtree_searches on ctx->query tree.
8346 - random generator cleanup - RND_STATE_SIZE removed, and instead
8347 a super-rnd can be passed at init to chain init random states.
8348 - test also does lock checks if available.
8349 - protect config access in libworker_setup().
8350 - libevent doesn't like comm_base_exit outside of runloop.
8351 - close fds after removing commpoints only (for epoll, kqueue).
8353 25 January 2008: Wouter
8354 - added tpkg for asynclook and library use.
8355 - allows localhost to be queried when as a library.
8356 - fixup race condition between cancel and answer (in case of
8357 really fast answers that beat the cancel).
8358 - please doxygen, put doxygen comment in one place.
8359 - asynclook -b blocking mode and test.
8360 - refactor asynclook, nicer code.
8361 - fixup race problems from opensll in rand init from library, with
8362 a mutex around the rand init.
8363 - fix pass async_id=NULL to _async resolve().
8364 - rewrote _wait() routine, so that it is threadsafe.
8365 - cancelation is threadsafe.
8366 - asynclook extended test in tpkg.
8367 - fixed two races where forked bg process waits for (somehow shared?)
8368 locks, so does not service the query pipe on the bg side.
8369 Now those locks are only held for fg_threads and for bg_as_a_thread.
8371 24 January 2008: Wouter
8372 - tested the cancel() function.
8373 - asynclook -c (cancel) feature.
8374 - fix fail to allocate context actions.
8375 - make pipe nonblocking at start.
8376 - update plane for retry mode with caution to limit bandwidth.
8377 - fix Makefile for concurrent make of unbound-host.
8378 - renamed ub_val_ctx_wait/poll/process/fd to ub_val*.
8379 - new calls to set forwarding added to header and docs.
8381 23 January 2008: Wouter
8382 - removed debug prints from if-auto, verb-algo enables some.
8383 - libunbound QUIT setup, remove memory leaks, when using threads
8384 will share memory for passing results instead of writing it over
8385 the pipe, only writes ID number over the pipe (towards the handler
8386 thread that does process() ).
8388 22 January 2008: Wouter
8389 - library code for async in libunbound/unbound.c.
8390 - fix link testbound.
8391 - fixup exit bug in mini_event.
8392 - background worker query enter and result functions.
8393 - bg query test application asynclook, it looks up multiple
8394 hostaddresses (A records) at the same time.
8396 21 January 2008: Wouter
8397 - libworker work, netevent raw commpoints, write_msg, serialize.
8399 18 January 2008: Wouter
8400 - touch up of manpage for libunbound.
8401 - support for IP_RECVDSTADDR (for *BSD ip4).
8402 - fix for BSD, do not use ip4to6 mapping, make two sockets, once
8403 ip6 and once ip4, uses socket options.
8404 - goodbye ip4to6 mapping.
8405 - update ldns-testpkts with latest version from ldns-trunk.
8406 - updated makedist for relative ldns pathnames.
8407 - library API with more information inside the result structure.
8408 - work on background resolves.
8410 17 January 2008: Wouter
8411 - fixup configure in case -lldns is installed.
8412 - fixup a couple of doxygen warnings, about enum variables.
8413 - interface-automatic now copies the interface address from the
8414 PKT_INFO structure as well.
8415 - manual page with library API, all on one page 'man libunbound'.
8416 - rewrite of PKTINFO structure, it also captures IP4 PKTINFO.
8418 16 January 2008: Wouter
8419 - incoming queries to the server with TC bit on are replied FORMERR.
8420 - interface-automatic replied the wrong source address on localhost
8421 queries. Seems to be due to ifnum=0 in recvmsg PKTINFO. Trying
8422 to use ifnum=-1 to mean 'no interface, use kernel route'.
8424 15 January 2008: Wouter
8425 - interface-automatic feature. experimental. Nice for anycast.
8426 - tpkg test for ip6 ancillary data.
8427 - removed debug prints.
8428 - porting experience, define for Solaris, test refined for BSD
8429 compatibility. The feature probably will not work on OpenBSD.
8430 - makedist fixup for ldns-src in build-dir.
8432 14 January 2008: Wouter
8433 - in no debug sets NDEBUG to remove asserts.
8434 - configure --enable-debug is needed for dependency generation
8435 for assertions and for compiler warnings.
8436 - ldns.tgz updated with ldns-trunk (where buffer.h is updated).
8437 - fix lint, unit test in optimize mode.
8438 - default access control allows ::ffff:127.0.0.1 v6mapped localhost.
8440 11 January 2008: Wouter
8441 - man page, warning removed.
8442 - added text describing the use of stub zones for private zones.
8443 - checkconf tests for bad hostnames (IP address), and for doubled
8445 - memory sizes can be given with 'k', 'Kb', or M or G appended.
8447 10 January 2008: Wouter
8448 - typo in example.conf.
8449 - made using ldns-src that is included the package more portable
8450 by linking with .lo instead of .o files in the ldns package.
8451 - nicer do-ip6: yes/no documentation.
8452 - nicer linking of libevent .o files.
8453 - man pages render correctly on solaris.
8455 9 January 2008: Wouter
8456 - fixup openssl RAND problem, when the system is not configured to
8457 give entropy, and the rng needs to be seeded.
8459 8 January 2008: Wouter
8460 - print median and quartiles with extensive logging.
8462 4 January 2008: Wouter
8463 - document misconfiguration in private network.
8465 2 January 2008: Wouter
8466 - fixup typo in requirements.
8467 - document that 'refused' is a better choice than 'drop' for
8468 the access control list, as refused will stop retries.
8470 7 December 2007: Wouter
8471 - unbound-host has a -d option to show what happens. This can help
8472 with debugging (why do I get this answer).
8473 - fixup CNAME handling, on nodata, sets and display canonname.
8474 - dot removed from CNAME display.
8475 - respect -v for NXDOMAINs.
8476 - updated ldns-src.tar.gz with ldns-trunk today (1.2.2 fixes).
8477 - size_t to int for portability of the header file.
8478 - fixup bogus handling.
8479 - dependencies and lint for unbound-host.
8481 6 December 2007: Wouter
8482 - library resolution works in foreground mode, unbound-host app
8484 - unbound-host prints rdata using ldns.
8485 - unbound-host accepts trust anchors, and prints validation
8486 information when you give -v.
8488 5 December 2007: Wouter
8489 - locking in context_new() inside the function.
8490 - setup of libworker.
8492 4 December 2007: Wouter
8493 - minor Makefile fixup.
8494 - moved module-stack code out of daemon/daemon into services/modstack,
8495 preparing for code-reuse.
8496 - move context into own header file.
8497 - context query structure.
8498 - removed unused variable pwd from checkconf.
8499 - removed unused assignment from outside netw.
8500 - check timeval length of string.
8501 - fixup error in val_utils getsigner.
8502 - fixup same (*var) error in netblocktostr.
8503 - fixup memleak on parse error in localzone.
8504 - fixup memleak on packet parse error.
8505 - put ; after union in parser.y.
8506 - small hardening in iter_operate against iq==NULL.
8507 - hardening, if error reply with rcode=0 (noerror) send servfail.
8508 - fixup same (*var) error in find_rrset in msgparse, was harmless.
8509 - check return value of evtimer_add().
8510 - fixup lockorder in lruhash_reclaim(), building up a list of locked
8511 entries one at a time. Instead they are removed and unlocked.
8512 - fptr_wlist for markdelfunc.
8513 - removed is_locked param from lruhash delkeyfunc.
8514 - moved bin_unlock during bin_split purely to please.
8516 3 December 2007: Wouter
8517 - changed checkconf/ to smallapp/ to make room for more support tools.
8518 (such as unbound-host).
8519 - install dirs created with -m 755 because they need to be accessible.
8520 - library extensive featurelist added to TODO.
8521 - please doxygen, lint.
8522 - library test application, with basic functionality.
8523 - fix for building in a subdirectory.
8524 - link lib fix for Leopard.
8526 30 November 2007: Wouter
8527 - makefile that creates libunbound.la, basic file or libunbound.a
8528 when creating static executables (no libtool).
8531 29 November 2007: Wouter
8532 - 0.9 public API start.
8534 28 November 2007: Wouter
8535 - Changeup plan for 0.8 - no complication needed, a simple solution
8536 has been chosen for authoritative features.
8537 - you can use single quotes in the config file, so it is possible
8538 to specify TXT records in local data.
8539 - fixup small memory problem in implicit transparent zone creation.
8540 - test for implicit zone creation and multiple RR RRsets local data.
8541 - local-zone nodefault test.
8542 - show testbound testlist on commit.
8543 - iterator normalizer changes CNAME chains ending in NXDOMAIN where
8544 the packet got rcode NXDOMAIN into rcode NOERROR. (since the initial
8546 - nicer verbosity: 0 and 1 levels.
8547 - lower nonRDquery chance of eliciting wrongly typed validation
8548 requiring message from the cache.
8549 - fix for nonRDquery validation typing; nodata is detected when
8550 SOA record in auth section (all validation-requiring nodata messages
8551 have a SOA record in authority, so this is OK for the validator),
8552 and NS record is needed to be a referral.
8553 - duplicate checking when adding NSECs for a CNAME, and test.
8554 - created svn tag 0.8, after completing testbed tests.
8556 27 November 2007: Wouter
8557 - per suggestion in rfc2308, replaced default max-ttl value with 1 day.
8558 - set size of msgparse lookup table to 32, from 1024, so that its size
8559 is below the 2048 regional large size threshold, and does not cause
8560 a call to malloc when a message is parsed.
8561 - update of memstats tool to print number of allocation calls.
8562 This is what is taking time (not space) and indicates the avg size
8563 of the allocations as well. region_alloc stat is removed.
8565 22 November 2007: Wouter
8566 - noted EDNS in-the-middle dropping trouble as a TODO.
8567 At this point theoretical, no user trouble has been reported.
8568 - added all default AS112 zones.
8569 - answers from local zone content.
8570 * positive answer, the rrset in question
8571 * nodata answer (exist, but not that type).
8572 * nxdomain answer (domain does not exist).
8573 * empty-nonterminal answer.
8574 * But not: wildcard, nsec, referral, rrsig, cname/dname,
8575 or additional section processing, NS put in auth.
8576 - test for correct working of static and transparent and couple
8577 of important defaults (localhost, as112, reverses).
8578 Also checks deny and refuse settings.
8579 - fixup implicit zone generation and AA bit for NXDOMAIN on localdata.
8581 21 November 2007: Wouter
8582 - local zone internal data setup.
8584 20 November 2007: Wouter
8585 - 0.8 - str2list config support for double string config options.
8586 - local-zone and local-data options, config storage and documentation.
8588 19 November 2007: Wouter
8589 - do not downcase NSEC and RRSIG for verification. Follows
8590 draft-ietf-dnsext-dnssec-bis-updates-06.txt.
8591 - fixup leaking unbound daemons at end of tests.
8592 - README file updated.
8593 - nice libevent not found error.
8594 - README talks about gnu make.
8595 - 0.8: unit test for addr_mask and fixups for it.
8596 and unit test for addr_in_common().
8597 - 0.8: access-control config file element.
8598 and unit test rpl replay file.
8599 - 0.8: fixup address reporting from netevent.
8601 16 November 2007: Wouter
8602 - privilege separation is not needed in unbound at this time.
8603 TODO item marked as such.
8604 - created beta-0.7 branch for support.
8605 - tagged 0.7 for beta release.
8606 - moved trunk to 0.8 for 0.8(auth features) development.
8607 - 0.8: access control list setup.
8609 15 November 2007: Wouter
8610 - review fixups from Jelte.
8612 14 November 2007: Wouter
8613 - testbed script does not recreate configure, since its in svn now.
8614 - fixup checkconf test so that it does not test
8615 /etc/unbound/unbound.conf.
8618 13 November 2007: Wouter
8619 - remove debug print.
8620 - fixup testbound exit when LIBEVENT_SIGNAL_PROBLEM exists.
8622 12 November 2007: Wouter
8623 - fixup signal handling where SIGTERM could be ignored if a SIGHUP
8625 - bugreports to unbound-bugs@nlnetlabs.nl
8626 - fixup testbound so it exits cleanly.
8627 - cleanup the caches on a reload, so that rrsetID numbers won't clash.
8629 9 November 2007: Wouter
8630 - took ldns snapshot in repo.
8631 - default config file is /etc/unbound/unbound.conf.
8632 If it doesn't exist, it is installed with the doc/example.conf file.
8633 The file is not deleted on uninstall.
8634 - default listening is not all, but localhost interfaces.
8636 8 November 2007: Wouter
8637 - Fixup chroot and drop user privileges.
8638 - new L root ip address in default hints.
8640 1 November 2007: Wouter
8641 - Fixup of crash on reload, due to anchors in env not NULLed after
8642 dealloc during deinit.
8643 - Fixup of chroot call. Happens after privileges are dropped, so
8644 that checking the passwd entry still works.
8645 - minor touch up of clear() hashtable function.
8646 - VERB_DETAIL prints out what chdir, username, chroot is being done.
8647 - when id numbers run out, caches are cleared, as in design notes.
8648 Tested with a mock setup with very few bits in id, it worked.
8649 - harden-dnssec-stripped: yes is now default. It insists on dnssec
8650 data for trust anchors. Included tests for the feature.
8652 31 October 2007: Wouter
8653 - cache-max-ttl config option.
8654 - building outside sourcedir works again.
8655 - defaults more secure:
8657 chroot: "/etc/unbound"
8658 The operator can override them to be less secure ("") if necessary.
8659 - fix horrible oversight in sorting rrset references in a message,
8660 sort per reference key pointer, not on referencepointer itself.
8661 - pidfile: "/etc/unbound/unbound.pid" is now the default.
8662 - tests changed to reflect the updated default.
8663 - created hashtable clear() function that respects locks.
8665 30 October 2007: Wouter
8666 - fixup assertion failure that relied on compressed names to be
8667 smaller than uncompressed names. A packet from comrite.com was seen
8668 to be compressed to a larger size. Added it as unit test.
8669 - quieter logging at low verbosity level for common tcp messages.
8670 - no greedy TTL update.
8672 23 October 2007: Wouter
8673 - fixup (grand-)parent problem for dnssec-lameness detection.
8674 - fixup tests to do additional section processing for lame replies,
8675 since the detection needs that.
8676 - no longer trust in query section in reply during dnssec lame detect.
8677 - dnssec lameness does not make the server never ever queried, but
8678 non-preferred. If no other servers exist or answer, the dnssec lame
8679 server is used; the fastest dnssec lame server is chosen.
8680 - added test then when trust anchor cannot be primed (nodata), the
8681 insecure mode from unbound works.
8682 - Fixup max queries per thread, any more are dropped.
8684 22 October 2007: Wouter
8685 - added donotquerylocalhost config option. Can be turned off for
8687 - ISO C compat changes.
8688 - detect RA-no-AA lameness, as LAME.
8689 - DNSSEC-lameness detection, as LAME.
8690 See notes in requirements.txt for choices made.
8691 - tests for lameness detection.
8692 - added all to make test target; need unbound for fwd tests.
8693 - testbound does not pollute /etc/unbound.
8695 19 October 2007: Wouter
8696 - added configure (and its files) to svn, so that the trunk is easier
8697 to use. ./configure, config.guess, config.sub, ltmain.sh,
8699 - added yacc/lex generated files, util/configlexer.c,
8700 util/configparser.c util/configparser.h, to svn.
8701 - without lex no attempt to use it.
8702 - unsecure response validation collated into one block.
8703 - remove warning about const cast of cfgfile name.
8704 - outgoing-interfaces can be different from service interfaces.
8705 - ldns-src configure is done during unbound configure and
8706 ldns-src make is done during unbound make, and so inherits the
8707 make arguments from the unbound make invocation.
8708 - nicer error when libevent problem causes instant exit on signal.
8709 - read root hints from a root hint file (like BIND does).
8711 18 October 2007: Wouter
8712 - addresses are logged with errors.
8713 - fixup testcode fake event to remove pending before callback
8714 since the callback may create new pending items.
8715 - tests updated because retries are now in iterator module.
8716 - ldns-testpkts code is checked for differences between unbound
8717 and ldns by makedist.sh.
8718 - ldns trunk from today added in svn repo for fallback in case
8719 no ldns is installed on the system.
8720 make download_ldns refreshes the tarball with ldns svn trunk.
8721 - ldns-src.tar.gz is used if no ldns is found on the system, and
8722 statically linked into unbound.
8723 - start of regional allocator code.
8724 - regional uses less memory and variables, simplified code.
8725 - remove of region-allocator.
8726 - alloc cache keeps a cache of recently released regional blocks,
8728 - make unit test cleanly free memory.
8730 17 October 2007: Wouter
8731 - fixup another cycle detect and ns-addr timeout resolution bug.
8732 This time by refusing delegations from the cache without addresses
8733 when resolving a mandatory-glue nameserver-address for that zone.
8734 We're going to have to ask a TLD server anyway; might as well be
8735 the TLD server for this name. And this resolves a lot of cases where
8736 the other nameserver names lead to cycles or are not available.
8737 - changed random generator from random(3) clone to arc4random wrapped
8738 for thread safety. The random generator is initialised with
8739 entropy from the system.
8740 - fix crash where failure to prime DNSKEY tried to print null pointer
8742 - removed some debug prints, only verb_algo (4) enables them.
8743 - fixup test; new random generator took new paths; such as one
8744 where no scripted answer was available.
8745 - mark insecure RRs as insecure.
8746 - fixup removal of nonsecure items from the additional.
8747 - reduced timeout values to more realistic, 376 msec (262 msec has
8748 90% of roundtrip times, 512 msec has 99% of roundtrip times.)
8749 - server selection failover to next server after timeout (376 msec).
8751 16 October 2007: Wouter
8752 - no malloc in log_hex.
8753 - assertions around system calls.
8754 - protect against gethostname without ending zero.
8755 - ntop output is null terminated by unbound.
8756 - pidfile content null termination
8757 - various snprintf use sizeof(stringbuf) instead of fixed constant.
8758 - changed loopdetect % 8 with & 0x7 since % can become negative for
8759 weird negative input and particular interpretation of integer math.
8760 - dname_pkt_copy checks length of result, to protect result buffers.
8761 prints an error, this should not happen. Bad strings should have
8762 been rejected earlier in the program.
8763 - remove a size_t underflow from msgreply size func.
8765 15 October 2007: Wouter
8767 - fix IP6 TCP, wrong definition check. With test package.
8768 - fixup the fact that the query section was not compressed to,
8769 the code was there but was called by value instead of by reference.
8770 And test for the case, uses xxd and nc.
8771 - more portable ip6 check for sockaddr types.
8773 8 October 2007: Wouter
8774 - --disable-rpath option in configure for 64bit systems with
8775 several dynamic lib dirs.
8777 7 October 2007: Wouter
8778 - fixup tests for no AD bit in non-DO queries.
8779 - test that makes sure AD bit is not set on non-DO query.
8781 6 October 2007: Wouter
8782 - removed logfile open early. It did not have the proper permissions;
8783 it was opened as root instead of the user. And we cannot change user
8784 id yet, since chroot and bind ports need to be done.
8785 - callback checks for event callbacks done from mini_event. Because
8786 of deletions cannot do this from netevent. This means when using
8787 libevent the protection does not work on event-callbacks.
8788 - fixup too small reply (did not zero counts).
8789 - fixup reply no longer AD bit when query without DO bit.
8791 5 October 2007: Wouter
8792 - function pointer whitelist.
8794 4 October 2007: Wouter
8795 - overwrite sensitive random seed value after use.
8796 - switch to logfile very soon if not -d (console attached).
8797 - error messages do not reveal the trustanchor contents.
8798 - start work on function pointer whitelists.
8800 3 October 2007: Wouter
8801 - fix for multiple empty nonterminals, after multiple DSes in the
8803 - mesh checks if modules are looping, and stops them.
8804 - refetch with CNAMEd nameserver address regression test added.
8805 - fixup line count bug in testcode, so testbound prints correct line
8806 number with parse errors.
8807 - unit test for multiple ENT case.
8808 - fix for cname out of validated unsec zone.
8809 - fixup nasty id=0 reuse. Also added assertions to detect its
8810 return (the assertion catches in the existing test cases).
8812 1 October 2007: Wouter
8813 - skip F77, CXX, objC tests in configure step.
8814 - fixup crash in refetch glue after a CNAME.
8815 and protection against similar failures (with error print).
8817 28 September 2007: Wouter
8818 - test case for unbound-checkconf, fixed so it also checks the
8819 interface: statements.
8821 26 September 2007: Wouter
8822 - SIGHUP will reopen the log file.
8823 - Option to log to syslog.
8824 - please lint, fixup tests (that went to syslog on open, oops).
8825 - config check program.
8827 25 September 2007: Wouter
8828 - tests for NSEC3. Fixup bitmap checks for NSEC3.
8829 - positive ANY response needs to check if wildcard expansion, and
8830 check that original data did not exist.
8831 - tests for NSEC3 that wrong use of OPTOUT is bad. For insecure
8832 delegation, for abuse of child zone apex nsec3.
8833 - create 0.5 release tag.
8835 24 September 2007: Wouter
8836 - do not make test programs by default.
8837 - But 'make test' will perform all of the tests.
8838 - Advertise builtin select libevent alternative when no libevent
8840 - signit can generate NSEC3 hashes, for generating tests.
8841 - multiple nsec3 parameters in message test.
8842 - too high nsec3 iterations becomes insecure test.
8844 21 September 2007: Wouter
8845 - fixup empty_DS_name allocated in wrong region (port DEC Alpha).
8846 - fixup testcode lock safety (port FreeBSD).
8847 - removes subscript has type char warnings (port Solaris 9).
8848 - fixup of field with format type to int (port MacOS/X intel).
8849 - added test for infinite loop case in nonRD answer validation.
8850 It was a more general problem, but hard to reproduce. When an
8851 unsigned rrset is being validated and the key fetched, the DS
8852 sequence is followed, but if the final name has no DS, then no
8853 proof is possible - the signature has been stripped off.
8855 20 September 2007: Wouter
8856 - fixup and test for NSEC wildcard with empty nonterminals.
8857 - makedist.sh fixup for svn info.
8858 - acl features request in plan.
8859 - improved DS empty nonterminal handling.
8860 - compat with ANS nxdomain for empty nonterminals. Attempts the nodata
8861 proof anyway, which succeeds in ANS failure case.
8862 - striplab protection in case it becomes -1.
8863 - plans for static and blacklist config.
8865 19 September 2007: Wouter
8866 - comments about non-packed usage.
8867 - plan for overload support in 0.6.
8868 - added testbound tests for a failed resolution from the logs
8869 and for failed prime when missing glue.
8870 - fixup so useless delegation points are not returned from the
8871 cache. Also the safety belt is used if priming fails to complete.
8872 - fixup NSEC rdata not to be lowercased, bind compat.
8874 18 September 2007: Wouter
8875 - wildcard nsec3 testcases, and fixup to get correct wildcard name.
8876 - validator prints subtype classification for debug.
8878 17 September 2007: Wouter
8879 - NSEC3 hash cache unit test.
8880 - validator nsec3 nameerror test.
8882 14 September 2007: Wouter
8883 - nsec3 nodata proof, nods proof, wildcard proof.
8884 - nsec3 support for cname chain ending in noerror or nodata.
8885 - validator calls nsec3 proof routines if no NSECs prove anything.
8886 - fixup iterator bug where it stored the answer to a cname under
8887 the wrong qname into the cache. When prepending the cnames, the
8888 qname has to be reset to the original qname.
8890 13 September 2007: Wouter
8891 - nsec3 find matching and covering, ce proof, prove namerror msg.
8893 12 September 2007: Wouter
8894 - fixup of manual page warnings, like for NSD bugreport.
8895 - nsec3 work, config, max iterations, filter, and hash cache.
8897 6 September 2007: Wouter
8898 - fixup to find libevent on mac port install.
8899 - fixup size_t vs unsigned portability in validator/sigcrypt.
8900 - please compiler on different platforms, for unreachable code.
8902 - pthread_rwlock type is optional, in case of old pthread libs.
8904 5 September 2007: Wouter
8905 - cname, name error validator tests.
8906 - logging of qtype ANY works.
8907 - ANY type answers get RRSIG in answer section of replies (but not
8908 in other sections, unless DO bit is on).
8909 - testbound can replay a TCP query (set MATCH TCP in the QUERY).
8910 - DS and noDS referral validation test.
8911 - if you configure many trust anchors, parent trust anchors can
8912 securely deny existence of child trust anchors, if validated.
8913 - not all *.name NSECs are present because a wildcard was matched,
8914 and *.name NSECs can prove nodata for empty nonterminals.
8915 Also, for wildcard name NSECs, check they are not from the parent
8916 zone (for wildcarded zone cuts), and check absence of CNAME bit,
8918 - configure option for memory allocation debugging.
8919 - port configure option for memory allocation to solaris10.
8921 4 September 2007: Wouter
8922 - fixup of Leakage warning when serviced queries processed multiple
8923 callbacks for the same query from the same server.
8924 - testbound removes config file from /tmp on failed exit.
8925 - fixup for referral cleanup of the additional section.
8926 - tests for cname, referral validation.
8927 - neater testbound tpkg output.
8928 - DNAMEs no longer match their apex when synthesized from the cache.
8929 - find correct signer name for DNAME responses.
8930 - wildcarded DNAME test and fixup code to detect.
8931 - prepend NSEC and NSEC3 rrsets in the iterator while chasing CNAMEs.
8932 So that wildcarded CNAMEs get their NSEC with them to the answer.
8933 - test for a CNAME to a DNAME to a CNAME to an answer, all from
8934 different domains, for key fetching and signature checking of
8937 3 September 2007: Wouter
8938 - Fixed error in iterator that would cause assertion failure in
8939 validator. CNAME to a NXDOMAIN response was collated into a response
8940 with both a CNAME and the NXDOMAIN rcode. Added a test that the
8941 rcode is changed to NOERROR (because of the CNAME).
8942 - timeout on tcp does not lead to spurious leakage detect.
8943 - account memory for name of lame zones, so that memory leakages does
8944 not show lame cache growth as a leakage growth.
8945 - config setting for lameness cache expressed in bytes, instead of
8947 - tool too summarize allocations per code line.
8949 31 August 2007: Wouter
8950 - can read bind trusted-keys { ... }; files, in a compatibility mode.
8951 - iterator should not detach target queries that it still could need.
8952 the protection against multiple outstanding queries is moved to a
8953 current_query num check.
8954 - validator nodata, positive, referral tests.
8955 - dname print can print '*' wildcard.
8957 30 August 2007: Wouter
8958 - fixup override date config option.
8959 - config options to control memory usage.
8960 - caught bad free of un-alloced data in worker_send error case.
8961 - memory accounting for key cache (trust anchors and temporary cache).
8962 - memory accounting fixup for outside network tcp pending waits.
8963 - memory accounting fixup for outside network tcp callbacks.
8964 - memory accounting for iterator fixed storage.
8965 - key cache size and slabs config options.
8966 - lib crypto cleanups at exit.
8968 29 August 2007: Wouter
8969 - test tool to sign rrsets for testing validator with.
8970 - added RSA and DSA test keys, public and private pairs, 512 bits.
8971 - default configuration is with validation enabled.
8972 Only a trust-anchor needs to be configured for DNSSEC to work.
8973 - do not convert to DER for DSA signature verification.
8974 - validator replay test file, for a DS to DNSKEY DSA key prime and
8977 28 August 2007: Wouter
8978 - removed double use for udp buffers, that could fail,
8979 instead performs a malloc to do the backup.
8980 - validator validates referral messages, by validating all the rrsets
8981 and stores the rrsets in the cache. Further referral (nonRD queries)
8982 replies are made from the rrset cache directly. Unless unchecked
8983 rrsets are encountered, there are then validated.
8984 - enforce that signing is done by a parent domain (or same domain).
8985 - adjust TTL downwards if rrset TTL bigger than signature allows.
8986 - permissive mode feature, sets AD bit for secure, but bogus does
8987 not give servfail (bogus is changed into indeterminate).
8988 - optimization of rrset verification. rr canonical sorting is reused,
8989 for the same rrset. canonical rrset image in buffer is reused for
8991 - if the rrset is too big (64k exactly + large owner name) the
8992 canonicalization routine will fail if it does not fit in buffer.
8993 - faster verification for large sigsets.
8994 - verb_detail mode reports validation failures, but not the entire
8995 algorithm for validation. Key prime failures are reported as
8998 27 August 2007: Wouter
8999 - do not garble the edns if a cache answer fails.
9000 - answer norecursive from cache if possible.
9001 - honor clean_additional setting when returning secure non-recursive
9003 - do not store referral in msg cache for nonRD queries.
9004 - store verification status in the rrset cache to speed up future
9006 - mark rrsets indeterminate and insecure if they are found to be so.
9007 and store this in the cache.
9009 24 August 2007: Wouter
9010 - message is bogus if unsecure authority rrsets are present.
9011 - val-clean-additional option, so you can turn it off.
9012 - move rrset verification out of the specific proof types into one
9013 routine. This makes the proof routines prettier.
9014 - fixup cname handling in validator, cname-to-positive and cname-to-
9016 - Do not synthesize DNSKEY and DS responses from the rrset cache if
9017 the rrset is from the additional section. Signatures may have
9018 fallen off the packet, and cause validation failure.
9019 - more verbose signature date errors (with the date attached).
9020 - increased default infrastructure cache size. It is important for
9021 performance, and 1000 entries are only 212k (or a 400 k total cache
9022 size). To 10000 entries (for 2M entries, 4M cache size).
9024 23 August 2007: Wouter
9025 - CNAME handling - move needs_validation to before val_new().
9026 val_new() setups the chase-reply to be an edited copy of the msg.
9027 new classification, and find signer can find for it.
9028 removal of unsigned crap from additional, and query restart for
9030 - refuse to follow wildcarded DNAMEs when validating.
9031 But you can query for qtype ANY, or qtype DNAME and validate that.
9033 22 August 2007: Wouter
9035 - review - use val_error().
9037 21 August 2007: Wouter
9038 - ANY response validation.
9039 - store security status in cache.
9040 - check cache security status and either send the query to be
9041 validated, return the query to client, or send servfail to client.
9042 Sets AD bit on validated replies.
9043 - do not examine security status on an error reply in mesh_done.
9044 - construct DS, DNSKEY messages from rrset cache.
9045 - manual page entry for override-date.
9047 20 August 2007: Wouter
9048 - validate and positive validation, positive wildcard NSEC validation.
9049 - nodata validation, nxdomain validation.
9051 18 August 2007: Wouter
9052 - process DNSKEY response in FINDKEY state.
9054 17 August 2007: Wouter
9055 - work on DS2KE routine.
9056 - val_nsec.c for validator NSEC proofs.
9057 - unit test for NSEC bitmap reading.
9058 - dname iswild and canonical_compare with unit tests.
9060 16 August 2007: Wouter
9062 - latest release libevent 1.3c and 1.3d have threading fixed.
9063 - key entry fixup data pointer and ttl absolute.
9064 - This makes a key-prime succeed in validator, with DS or DNSKEY as
9066 - fixup canonical compare byfield routine, fix bug and also neater.
9067 - fixed iterator response type classification for queries of type
9069 dig ANY gives sometimes NS rrset in AN and NS section, and parser
9070 removes the NS section duplicate. dig NS gives sometimes the NS
9071 in the answer section, as referral.
9072 - validator FINDKEY state.
9074 15 August 2007: Wouter
9075 - crypto calls to verify signatures.
9076 - unit test for rrsig verification.
9078 14 August 2007: Wouter
9079 - default outgoing ports changed to avoid port 2049 by default.
9080 This port is widely blocked by firewalls.
9081 - count infra lameness cache in memory size.
9082 - accounting of memory improved
9083 - outbound entries are allocated in the query region they are for.
9084 - extensive debugging for memory allocations.
9085 - --enable-lock-checks can be used to enable lock checking.
9086 - protect undefs in config.h from autoheaders ministrations.
9087 - print all received udp packets. log hex will print on multiple
9089 - fixed error in parser with backwards rrsig references.
9090 - mark cycle targets for iterator did not have CD flag so failed
9093 13 August 2007: Wouter
9094 - fixup makefile, if lexer is missing give nice error and do not
9095 mess up the dependencies.
9096 - canonical compare routine updated.
9097 - canonical hinfo compare.
9098 - printout list of the queries that the mesh is working on.
9100 10 August 2007: Wouter
9101 - malloc and free overrides that track total allocation and frees.
9102 for memory debugging.
9103 - work on canonical sort.
9105 9 August 2007: Wouter
9106 - canonicalization, signature checks
9107 - dname signature label count and unit test.
9108 - added debug heap size print to memory printout.
9109 - typo fixup in worker.c
9110 - -R needed on solaris.
9111 - validator override option for date check testing.
9113 8 August 2007: Wouter
9114 - ldns _raw routines created (in ldns trunk).
9115 - sigcrypt DS digest routines
9116 - val_utils uses sigcrypt to perform signature cryptography.
9117 - sigcrypt keyset processing
9119 7 August 2007: Wouter
9120 - security status type.
9121 - security status is copied when rdata is equal for rrsets.
9122 - rrset id is updated to invalidate all the message cache entries
9123 that refer to NSEC, NSEC3, DNAME rrsets that have changed.
9125 - val_sigcrypt file for validator signature checks.
9127 6 August 2007: Wouter
9128 - key cache for validator.
9129 - moved isroot and dellabel to own dname routines, with unit test.
9131 3 August 2007: Wouter
9133 - scrubber check section of lame NS set.
9134 - trust anchors can be in config file or read from zone file,
9135 DS and DNSKEY entries.
9136 - unit test trust anchor storage.
9137 - trust anchors converted to packed rrsets.
9138 - key entry definition.
9140 2 August 2007: Wouter
9141 - configure change for latest libevent trunk version (needs -lrt).
9142 - query_done and walk_supers are moved out of module interface.
9143 - fixup delegation point duplicates.
9144 - fixup iterator scrubber; lame NS set is let through the scrubber
9145 so that the classification is lame.
9146 - validator module exists, and does nothing but pass through,
9147 with calling of next module and return.
9150 1 August 2007: Wouter
9151 - set version to 0.5
9152 - module work for module to module interconnections.
9153 - config of modules.
9154 - detect cycle takes flags.
9156 31 July 2007: Wouter
9160 30 July 2007: Wouter
9161 - changed random state init, so that sequential process IDs are not
9162 cancelled out by sequential thread-ids in the random number seed.
9163 - the fwd_three test, which sends three queries to unbound, and
9164 unbound is kept waiting by ldns-testns for 3 seconds, failed
9165 because the retry timeout for default by unbound is 3 seconds too,
9166 it would hit that timeout and fail the test. Changed so that unbound
9167 is kept waiting for 2 seconds instead.
9169 27 July 2007: Wouter
9170 - removed useless -C debug option. It did not work.
9171 - text edit of documentation.
9172 - added doc/CREDITS file, referred to by the manpages.
9175 26 July 2007: Wouter
9176 - cycle detection, for query state dependencies. Will attempt to
9177 circumvent the cycle, but if no other targets available fails.
9178 - unit test for AXFR, IXFR response.
9179 - test for cycle detection.
9181 25 July 2007: Wouter
9182 - testbound read ADDRESS and check it.
9183 - test for version.bind and friends.
9184 - test for iterator chaining through several referrals.
9185 - test and fixup for refetch for glue. Refetch fails if glue
9186 is still not provided.
9188 24 July 2007: Wouter
9189 - Example section in config manual.
9190 - Addr stored for range and moment in replay.
9192 20 July 2007: Wouter
9193 - Check CNAME chain before returning cache entry with CNAMEs.
9194 - Option harden-glue, default is on. It will discard out of zone
9195 data. If disabled, performance is faster, but spoofing attempts
9196 become a possibility. Note that still normalize scrubbing is done,
9197 and that the potentially spoofed data is used for infrastructure
9198 and not returned to the client.
9199 - if glue times out, refetch by asking parent of delegation again.
9200 Much like asking for DS at the parent side.
9201 - TODO items from forgery-resilience draft.
9202 and on memory handling improvements.
9203 - renamed module_event_timeout to module_event_noreply.
9204 - memory reporting code; reports on memory usage after handling
9205 a network packet (not on cache replies).
9207 19 July 2007: Wouter
9208 - shuffle NS selection when getting nameserver target addresses.
9209 - fixup of deadlock warnings, yield cpu in checklock code so that
9210 freebsd scheduler selects correct process to run.
9211 - added identity and version config options and replies.
9212 - store cname messages complete answers.
9214 18 July 2007: Wouter
9215 - do not query addresses, 127.0.0.1, and ::1 by default.
9217 17 July 2007: Wouter
9218 - forward zone options in config file.
9219 - forward per zone in iterator. takes precedence over stubs.
9220 - fixup commithooks.
9221 - removed forward-to and forward-to-port features, subsumed by
9223 - fix parser to handle absent server: clause.
9224 - change untrusted rrset test to account for scrubber that is now
9225 applied during the test (which removes the poison, by the way).
9226 - feature, addresses can be specified with @portnumber, like nsd.conf.
9227 - test config files changed over to new forwarder syntax.
9229 27 June 2007: Wouter
9230 - delete of mesh does a postorder traverse of the tree.
9231 - found and fixed a memory leak. For TTL=0 messages, that would
9232 not be cached, instead the msg-replyinfo structure was leaked.
9233 - changed server selection so it will filter out hosts that are
9234 unresponsive. This is defined as a host with the maximum rto value.
9235 This means that unbound tried the host for retries up to 120 secs.
9236 The rto value will time out after host-ttl seconds from the cache.
9237 This keeps such unresolvable queries from taking up resources.
9238 - utility for keeping histogram.
9240 26 June 2007: Wouter
9241 - mesh is called by worker, and iterator uses it.
9242 This removes the hierarchical code.
9243 QueryTargets state and Finished state are merged for iterator.
9244 - forwarder mode no longer sets AA bit on first reply.
9245 - rcode in walk_supers is not needed.
9247 25 June 2007: Wouter
9249 - error encode routine for ease.
9251 22 June 2007: Wouter
9252 - removed unused _node iterator value from rbtree_t. Takes up space.
9253 - iterator can handle querytargets state without a delegation point
9254 set, so that a priming(stub) subquery error can be handled.
9255 - iterator stores if it is priming or not.
9256 - log_query_info() neater logging.
9257 - changed iterator so that it does not alter module_qstate.qinfo
9258 but keeps a chase query info. Also query_flags are not altered,
9259 the iterator uses chase_flags.
9260 - fixup crash in case no ports for the family exist.
9262 21 June 2007: Wouter
9263 - Fixup secondary buffer in case of error callback.
9264 - cleanup slumber list of runnable states.
9265 - module_subreq_depth fails to work in slumber list.
9266 - fixup query release for cached results to sub targets.
9267 - neater error for tcp connection failure, shows addr in verbose.
9268 - rbtree_init so that it can be used with preallocated memory.
9270 20 June 2007: Wouter
9271 - new -C option to enable coredumps after forking away.
9273 - fixup CNAME generation by scrubber, and memory allocation of it.
9274 - fixup deletion of serviced queries when all callbacks delete too.
9275 - set num target queries to 0 when you move them to slumber list.
9276 - typo in check caused subquery errors to be ignored, fixed.
9277 - make lint happy about rlim_t.
9278 - freeup of modules after freeup of module-states.
9279 - duplicate replies work, this uses secondary udp buffer in outnet.
9281 19 June 2007: Wouter
9282 - nicer layout in stats.c, review 0.3 change.
9283 - spelling improvement, review 0.3 change.
9284 - uncapped timeout for server selection, so that very fast or slow
9285 servers will stand out from the rest.
9286 - target-fetch-policy: "3 2 1 0 0" config setting.
9287 - fixup queries answered without RD bit (for root prime results).
9288 - refuse AXFR and IXFR requests.
9289 - fixup RD flag in error reply from iterator. fixup RA flag from
9291 - fixup encoding of very short edns buffer sizes, now sets TC bit.
9292 - config options harden-short-bufsize and harden-large-queries.
9294 18 June 2007: Wouter
9295 - same, move subqueries to slumber list when first has resolved.
9296 - fixup last fix for duplicate callbacks.
9297 - another offbyone in targetcounter. Also in Java prototype by the way.
9299 15 June 2007: Wouter
9300 - if a query asks to be notified of the same serviced query result
9301 multiple times, this will succeed. Only one callback will happen;
9302 multiple outbound-list entries result (but the double cleanup of it
9304 - when iterator moves on due to CNAME or referral, it will remove
9305 the subqueries (for other targets). These are put on the slumber
9307 - state module wait subq is OK with no new subqs, an old one may have
9308 stopped, with an error, and it is still waiting for other ones.
9309 - if a query loops, halt entire query (easy way to clean up properly).
9311 14 June 2007: Wouter
9312 - num query targets was > 0 , not >= 0 compared, so that fetch
9313 policy of 0 did nothing.
9315 13 June 2007: Wouter
9316 - debug option: configure --enable-static-exe for compile where
9317 ldns and libevent are linked statically. Default is off.
9318 - make install and make uninstall. Works with static-exe and without.
9319 installation of unbound binary and manual pages.
9320 - alignment problem fix on solaris 64.
9321 - fixup address in case of TCP error.
9323 12 June 2007: Wouter
9324 - num target queries was set to 0 at a bad time. Default it to 0 and
9325 increase as target queries are done.
9326 - synthesize CNAME and DNAME responses from the cache.
9327 - Updated doxygen config for doxygen 1.5.
9328 - aclocal newer version.
9329 - doxygen 1.5 fixes for comments (for the strict check on docs).
9331 11 June 2007: Wouter
9332 - replies on TCP queries have the address field set in replyinfo,
9333 for serviced queries, because the initiator does not know that
9334 a TCP fallback has occured.
9335 - omit DNSSEC types from nonDO replies, except if qtype is ANY or
9336 if qtype directly queries for the type (and then only show that
9337 'unknown type' in the answer section).
9338 - fixed message parsing where rrsigs on their own would be put
9339 in the signature list over the rrsig type.
9342 - fixup error in double linked list insertion for subqueries and
9343 for outbound list of serviced queries for iterator module.
9344 - nicer printout of outgoing port selection.
9345 - fixup cname target readout.
9346 - nicer debug output.
9347 - fixup rrset counts when prepending CNAMEs to the answer.
9348 - fixup rrset TTL for prepended CNAMEs.
9349 - process better check for looping modules, and which submodule to
9351 - subreq insertion code fixup for slumber list.
9352 - VERB_DETAIL, verbosity: 2 level gives short but readable output.
9353 VERB_ALGO, verbosity: 3 gives extensive output.
9354 - fixup RA bit in cached replies.
9355 - fixup CNAME responses from the cache no longer partial response.
9356 - error in network send handled without leakage.
9357 - enable ip6 from config, and try ip6 addresses if available,
9358 if ip6 is not connected, skips to next server.
9361 - iterator state finished.
9362 - subrequests without parent store in cache and stop.
9363 - worker slumber list for ongoing promiscuous queries.
9364 - subrequest error handling.
9365 - priming failure returns SERVFAIL.
9366 - priming gives LAME result, returns SERVFAIL.
9367 - debug routine to print dns_msg as handled by iterator.
9368 - memleak in config file stubs fixup.
9369 - more small bugs, in scrubber, query compare no ID for lookup,
9370 in dname validation for NS targets.
9371 - sets entry.key for new special allocs.
9372 - lognametypeclass can display unknown types and classes.
9375 - random selection of equally preferred nameserver targets.
9376 - reply info copy routine. Reuses existing code.
9377 - cache lameness in response handling.
9378 - do not touch qstate after worker_process_query because it may have
9379 been deleted by that routine.
9380 - Prime response state.
9381 - Process target response state.
9382 - some memcmp changed to dname_compare for case preservation.
9385 - normalize incoming messages. Like unbound-java, with CNAME chain
9386 checked, DNAME checked, CNAME's synthesized, glue checked.
9387 - sanitize incoming messages.
9388 - split msgreply encode functions into own file msgencode.c.
9389 - msg_parse to queryinfo/replyinfo conversion more versatile.
9390 - process_response, classify response, delegpt_from_message.
9393 - querytargets state.
9394 - dname_subdomain_c() routine.
9395 - server selection, based on RTT. ip6 is filtered out if not available,
9396 and lameness is checked too.
9397 - delegation point copy routine.
9400 - removed FLAG_CD from message and rrset caches. This was useful for
9401 an agnostic forwarder, but not for a sophisticated (trust value per
9402 rrset enabled) cache.
9403 - iterator response typing.
9404 - iterator cname handle.
9405 - iterator prime start.
9407 - processInitRequest and processInitRequest2.
9408 - cache synthesizes referral messages, with DS and NSEC.
9409 - processInitRequest3.
9410 - if a request creates multiple subrequests these are all activated.
9413 - routines to lock and unlock array of rrsets moved to cache/rrset.
9414 - lookup message from msg cache (and copy to region).
9415 - fixed cast error in dns msg lookup.
9416 - message with duplicate rrset does not increase its TTLs twice.
9417 - 'qnamesize' changed to 'qname_len' for similar naming scheme.
9420 - Acknowledge use of unbound-java code in iterator. Nicer readme.
9421 - services/cache/dns.c DNS Cache. Hybrid cache uses msgcache and
9422 rrset cache from module environment.
9423 - packed rrset key has type and class as easily accessible struct
9424 members. They are still kept in network format for fast msg encode.
9425 - dns cache find_delegation routine.
9426 - iterator main functions setup.
9427 - dns cache lookup setup.
9430 - small changes to prepare for subqueries.
9431 - iterator forwarder feature separated out.
9432 - iterator hints stub code, config file stub code, so that first
9433 testing can proceed locally.
9434 - replay tests now have config option to enable forwarding mode.
9437 - outside network does precise timers for roundtrip estimates for rtt
9438 and for setting timeout for UDP. Pending_udp takes milliseconds.
9439 - cleaner iterator sockaddr conversion of forwarder address.
9440 - iterator/iter_utils and iter_delegpt setup.
9444 - outbound query list for modules and support to callback with the
9445 outbound entry to the module.
9446 - testbound support for new serviced queries.
9447 - test for retry to TCP cannot use testbound any longer.
9448 - testns test for EDNS fallback, test for TCP fallback already exists.
9449 - fixes for no-locking compile.
9450 - mini_event timer precision and fix for change in timeouts during
9451 timeout callback. Fix for fwd_three tests, performed nonexit query.
9454 - small comment on hash table locking.
9455 - outside network serviced queries, contain edns and tcp fallback,
9456 and udp retries and rtt timing.
9459 - lruhash_touch() would cause locking order problems. Fixup in
9460 lock-verify in case locking cycle is found.
9461 - services/cache/rrset.c for rrset cache code.
9462 - special rrset_cache LRU updating function that uses the rrset id.
9463 - no dependencies calculation when make clean is called.
9464 - config settings for infra cache.
9465 - daemon code slightly cleaner, only creates caches once.
9469 - unit test for host cache.
9472 - Port to OS/X and Dec Alpha. Printf format and alignment fixes.
9473 - extensive lock debug report on join timeout.
9474 - proper RTT calculation, in utility code.
9475 - setup of services/cache/infra, host cache.
9478 - iterator/iterator.c module.
9479 - fixup to pass reply_info in testcode and in netevent.
9482 - created release-0.3 svn tag.
9484 - fixed compression - no longer compresses root name.
9487 - outside network cleans up waiting tcp queries on exit.
9489 - testbound replay with retry in TCP mode.
9490 - tpkg test for retry in TCP mode, against ldns-testns server.
9491 - daemon checks max number of open files and complains if not enough.
9492 - test where data expires in the cache.
9493 - compiletests: fixed empty body ifstatements in alloc.c, in case
9497 - outgoing network keeps list of available tcp buffers for outgoing
9499 - outgoing-num-tcp config option.
9500 - outgoing network keeps waiting list of queries waiting for buffer.
9501 - netevent supports outgoing tcp commpoints, nonblocking connects.
9504 - EDNS read from query, used to make reply smaller.
9505 - advertised edns value constants.
9506 - EDNS BADVERS response, if asked for too high edns version.
9507 - EDNS extended error responses once the EDNS record from the query
9508 has successfully been parsed.
9511 - msgreply sizefunc is more accurate.
9512 - config settings for rrset cache size and slabs.
9513 - hashtable insert takes argument so that a thread can use its own
9514 alloc cache to store released keys.
9515 - alloc cache special_release() locks if necessary.
9516 - rrset trustworthiness type added.
9517 - thread keeps a scratchpad region for handling messages.
9518 - writev used in netevent to write tcp length and data after another.
9519 This saves a roundtrip on tcp replies.
9520 - test for one rrset updated in the cache.
9521 - test for one rrset which is not updated, as it is not deemed
9523 - test for TTL refreshed in rrset.
9526 - fill refs. Use new parse and encode to answer queries.
9527 - stores rrsets in cache.
9528 - uses new msgreply format in cache.
9531 - dname unit tests in own file and spread out neatly in functions.
9532 - more dname unit tests.
9533 - message encoding creates truncated TC flagged messages if they do
9534 not fit, and will leave out (whole)rrsets from additional if needed.
9537 - decompress query section, extremely lenient acceptance.
9538 But only for answers from other servers, not for plain queries.
9539 - compression and decompression test cases.
9541 - example.conf interface: line is changed from 127.0.0.1 which leads
9542 to problems if used (restricting communication to the localhost),
9543 to a documentation and test address.
9545 27 April 2007: Wouter
9546 - removed iov usage, it is not good for dns message encoding.
9547 - owner name compression more optimal.
9548 - rrsig owner name compression.
9549 - rdata domain name compression.
9551 26 April 2007: Wouter
9552 - floating point exception fix in lock-verify.
9553 - lint uses make dependency
9554 - fixup lint in dname owner domain name compression code.
9555 - define for offset range that can be compressed to.
9557 25 April 2007: Wouter
9558 - prettier code; parse_rrset->type kept in host byte order.
9559 - datatype used for hashvalue of converted rrsig structure.
9560 - unit test compares edns section data too.
9562 24 April 2007: Wouter
9563 - ttl per RR, for RRSIG rrsets and others.
9564 - dname_print debug function.
9565 - if type is not known, size calc will skip DNAME decompression.
9566 - RRSIG parsing and storing and putting in messages.
9567 - dnssec enabled unit tests (from nlnetlabs.nl and se queries).
9568 - EDNS extraction routine.
9570 20 April 2007: Wouter
9571 - code comes through all of the unit tests now.
9572 - disabled warning about spurious extra data.
9573 - documented the RRSIG parse plan in msgparse.h.
9574 - rrsig reading and outputting.
9576 19 April 2007: Wouter
9577 - fix unit test to actually to tests.
9578 - fix write iov helper, and fakevent code.
9579 - extra builtin testcase (small packet).
9580 - ttl converted to network format in packets.
9581 - flags converted correctly
9582 - rdatalen off by 2 error fixup.
9583 - uses less iov space for header.
9585 18 April 2007: Wouter
9586 - review of msgparse code.
9587 - smaller test cases.
9589 17 April 2007: Wouter
9590 - copy and decompress dnames.
9591 - store calculated hash value too.
9592 - routine to create message out of stored information.
9593 - util/data/msgparse.c for message parsing code.
9594 - unit test, and first fixes because of test.
9595 * forgot rrset_count addition.
9596 * did & of ptr on stack for memory position calculation.
9597 * dname_pkt_copy forgot to read next label length.
9598 - test from file and fixes
9599 * double frees fixed in error conditions.
9600 * types with less than full rdata allowed by parser.
9601 Some dynamic update packets seem to use it.
9603 16 April 2007: Wouter
9604 - following a small change in LDNS, parsing code calculates the
9605 memory size to allocate for rrs.
9606 - code to handle ID creation.
9608 13 April 2007: Wouter
9609 - parse routines. Code that parses rrsets, rrs.
9611 12 April 2007: Wouter
9612 - dname compare routine that preserves case, with unit tests.
9614 11 April 2007: Wouter
9615 - parse work - dname packet parse, msgparse, querysection parse,
9616 start of sectionparse.
9618 10 April 2007: Wouter
9619 - Improved alignment of reply_info packet, nice for 32 and 64 bit.
9620 - Put RRset counts in reply_info, because the number of RRs can change
9621 due to RRset updates.
9622 - import of region-allocator code from nsd.
9623 - set alloc special type to ub_packed_rrset_key.
9624 Uses lruhash entry overflow chain next pointer in alloc cache.
9625 - doxygen documentation for region-allocator.
9626 - setup for parse scratch data.
9628 5 April 2007: Wouter
9629 - discussed packed rrset with Jelte.
9631 4 April 2007: Wouter
9632 - moved to version 0.3.
9633 - added util/data/dname.c
9634 - layout of memory for rrsets.
9636 3 April 2007: Wouter
9637 - detect sign of msghdr.msg_iovlen so that the cast to that type
9638 in netevent (which is there to please lint) can be correct.
9639 The type on several OSes ranges from int, int32, uint32, size_t.
9640 Detects unsigned or signed using math trick.
9641 - constants for DNS flags.
9642 - compilation without locks fixup.
9643 - removed include of unportable header from lookup3.c.
9644 - more portable use of struct msghdr.
9645 - casts for printf warning portability.
9646 - tweaks to tests to port them to the testbed.
9649 2 April 2007: Wouter
9650 - check sizes of udp received messages, not too short.
9651 - review changes. Some memmoves can be memcpys: 4byte aligned.
9652 set id correctly on cached answers.
9653 - review changes msgreply.c, memleak on error condition. AA flag
9654 clear on cached reply. Lowercase queries on hashing.
9655 unit test on lowercasing. Test AA bit not set on cached reply.
9656 Note that no TTLs are managed.
9658 29 March 2007: Wouter
9659 - writev or sendmsg used when answering from cache.
9660 This avoids a copy of the data.
9661 - do not do useless byteswap on query id. Store reply flags in uint16
9662 for easier access (and no repeated byteswapping).
9664 - configure detects and config.h includes sys/uio.h for writev decl.
9666 28 March 2007: Wouter
9667 - new config option: num-queries-per-thread.
9668 - added tpkg test for answering three queries at the same time
9669 using one thread (from the query service list).
9671 27 March 2007: Wouter
9672 - added test for cache and not cached answers, in testbound replays.
9673 - testbound can give config file and commandline options from the
9674 replay file to unbound.
9675 - created test that checks if items drop out of the cache.
9676 - added word 'partitioned hash table' to documentation on slab hash.
9677 A slab hash is a partitioned hash table.
9678 - worker can handle multiple queries at a time.
9680 26 March 2007: Wouter
9681 - config settings for slab hash message cache.
9682 - test for cached answer.
9683 - Fixup deleting fake answer from testbound list.
9685 23 March 2007: Wouter
9686 - review of yesterday's commits.
9687 - covered up memory leak of the entry locks.
9688 - answers from the cache correctly. Copies flags correctly.
9689 - sanity check for incoming query replies.
9690 - slabbed hash table. Much nicer contention, need dual cpu to see.
9692 22 March 2007: Wouter
9693 - AIX configure check.
9694 - lock-verify can handle references to locks that are created
9695 in files it has not yet read in.
9696 - threaded hash table test.
9697 - unit test runs lock-verify afterwards and checks result.
9698 - need writelock to update data on hash_insert.
9699 - message cache code, msgreply code.
9701 21 March 2007: Wouter
9702 - unit test of hash table, fixup locking problem in table_grow().
9703 - fixup accounting of sizes for removing items from hashtable.
9704 - unit test for hash table, single threaded test of integrity.
9705 - lock-verify reports errors nicely. More quiet in operation.
9707 16 March 2007: Wouter
9708 - lock-verifier, checks consistent order of locking.
9710 14 March 2007: Wouter
9711 - hash table insert (and subroutines) and lookup implemented.
9712 - hash table remove.
9713 - unit tests for hash internal bin, lru functions.
9715 13 March 2007: Wouter
9716 - lock_unprotect in checklocks.
9717 - util/storage/lruhash.h for LRU hash table structure.
9719 12 March 2007: Wouter
9720 - configure.ac moved to 0.2.
9721 - query_info and replymsg util/data structure.
9723 9 March 2007: Wouter
9724 - added rwlock writelock checking.
9725 So it will keep track of the writelock, and readlocks are enforced
9726 to not change protected memory areas.
9727 - log_hex function to dump hex strings to the logfile.
9728 - checklocks zeroes its destroyed lock after checking memory areas.
9729 - unit test for alloc.
9730 - identifier for union in checklocks to please older compilers.
9733 8 March 2007: Wouter
9734 - Reviewed checklock code.
9736 7 March 2007: Wouter
9737 - created a wrapper around thread calls that performs some basic
9738 checking for data race and deadlock, and basic performance
9739 contention measurement.
9741 6 March 2007: Wouter
9742 - Testbed works with threading (different machines, different options).
9743 - alloc work, does the special type.
9745 2 March 2007: Wouter
9746 - do not compile fork funcs unless needed. Otherwise will give
9747 type errors as their typedefs have not been enabled.
9748 - log shows thread numbers much more nicely (and portably).
9749 - even on systems with nonthreadsafe libevent signal handling,
9750 unbound will exit if given a signal.
9751 Reloads will not work, and exit is not graceful.
9752 - start of alloc framework layout.
9754 1 March 2007: Wouter
9755 - Signals, libevent and threads work well, with libevent patch and
9756 changes to code (close after event_del).
9757 - set ipc pipes nonblocking.
9759 27 February 2007: Wouter
9760 - ub_thread_join portable definition.
9761 - forking is used if no threading is available.
9762 Tested, it works, since pipes work across processes as well.
9763 Thread_join is replaced with waitpid.
9764 - During reloads the daemon will temporarily handle signals,
9765 so that they do not result in problems.
9766 - Also randomize the outgoing port range for tests.
9767 - If query list is full, will stop selecting listening ports for read.
9768 This makes all threads service incoming requests, instead of one.
9769 No memory is leaking during reloads, service of queries, etc.
9770 - test that uses ldns-testns -f to test threading. Have to answer
9771 three queries at the same time.
9772 - with verbose=0 operates quietly.
9774 26 February 2007: Wouter
9775 - ub_random code used to select ID and port.
9776 - log code prints thread id.
9777 - unbound can thread itself, with reload(HUP) and quit working
9779 - don't open pipes for #0, doesn't need it.
9780 - listens to SIGTERM, SIGQUIT, SIGINT (all quit) and SIGHUP (reload).
9782 23 February 2007: Wouter
9783 - Can do reloads on sigHUP. Everything is stopped, and freed,
9784 except the listening ports. Then the config file is reread.
9785 And everything is started again (and listening ports if needed).
9786 - Ports for queries are shared.
9787 - config file added interface:, chroot: and username:.
9788 - config file: directory, logfile, pidfile. And they work too.
9789 - will daemonize by default now. Use -d to stay in the foreground.
9790 - got BSD random[256 state] code, made it threadsafe. util/random.
9792 22 February 2007: Wouter
9793 - Have a config file. Removed commandline options, moved to config.
9794 - tests use config file.
9796 21 February 2007: Wouter
9797 - put -c option in man page.
9798 - minievent fd array capped by FD_SETSIZE.
9800 20 February 2007: Wouter
9801 - Added locks code and pthread spinlock detection.
9802 - can use no locks, or solaris native thread library.
9803 - added yacc and lex configure, and config file parsing code.
9804 also makedist.sh, and manpage.
9805 - put include errno.h in config.h
9807 19 February 2007: Wouter
9808 - Created 0.0 svn tag.
9809 - added acx_pthread.m4 autoconf check for pthreads from
9810 the autoconf archive. It is GPL-with-autoconf-exception Licensed.
9811 You can specify --with-pthreads, or --without-pthreads to configure.
9813 16 February 2007: Wouter
9814 - Updated testbed script, works better by using make on remote end.
9815 - removed check decls, we can compile without them.
9816 - makefile supports LIBOBJ replacements.
9817 - docs checks ignore compat code.
9818 - added util/mini-event.c and .h, a select based alternative used with
9819 ./configure --with-libevent=no
9820 It is limited to 1024 file descriptors, and has less features.
9821 - will not create ip6 sockets if ip6 not on the machine.
9823 15 February 2007: Wouter
9824 - port to FreeBSD 4.11 Dec Alpha. Also works on Solaris 10 sparc64,
9825 Solaris 9, FreeBSD 6, Linux i386 and OSX powerpc.
9826 - malloc rndstate, so that it is aligned for access.
9827 - fixed rbtree cleanup with postorder traverse.
9828 - fixed pending messages are deleted when handled.
9829 - You can control verbosity; default is not verbose, every -v
9830 adds more verbosity.
9832 14 February 2007: Wouter
9833 - Included configure.ac changes from ldns.
9834 - detect (some) headers before the standards check.
9835 - do not use isblank to test c99, since its not available on solaris9.
9836 - review of testcode.
9837 * entries in a RANGE are no longer reversed.
9838 * print name of file with replay entry parse errors.
9839 - port to OSX: cast to int for some prints of sizet.
9840 - Makefile copies ldnstestpkts.c before doing dependencies on it.
9842 13 February 2007: Wouter
9843 - work on fake events, first fwd replay works.
9844 - events can do timeouts and errors on queries to servers.
9845 - test package that runs replay scenarios.
9847 12 February 2007: Wouter
9848 - work on fake events.
9850 9 February 2007: Wouter
9851 - replay file reading.
9852 - fake event setup, it creates fake structures, and teardowns,
9853 added signal callbacks to reply to be able to fake those,
9854 and main structure of event replay routines.
9856 8 February 2007: Wouter
9859 - testcode/fake_event work.
9861 7 February 2007: Wouter
9862 - return answer with the same ID as query was sent with.
9863 - created udp forwarder test. I've done some effort to make it perform
9864 quickly. After servers are created, no big sleep statements but
9865 it checks the logfiles to see if servers have come up. Takes 0.14s.
9866 - set addrlen value when calling recvfrom.
9867 - comparison of addrs more portable.
9868 - LIBEVENT option for testbed to set libevent directory.
9869 - work on tcp input.
9871 6 February 2007: Wouter
9872 - reviewed code and improved in places.
9874 5 February 2007: Wouter
9875 - Picked up stdc99 and other define tests from ldns. Improved
9876 POSIX define test to include getaddrinfo.
9877 - defined constants for netevent callback error code.
9878 - unit test for strisip6.
9880 2 February 2007: Wouter
9881 - Created udp4 and udp6 port arrays to provide service for both
9883 - uses IPV6_USE_MIN_MTU for udp6 ,IPV6_V6ONLY to make ip6 sockets.
9884 - listens on both ip4 and ip6 ports to provide correct return address.
9885 - worker fwder address filled correctly.
9887 - forwards udp queries and sends answer.
9889 1 February 2007: Wouter
9890 - outside network more UDP work.
9891 - moved * closer to type.
9892 - comm_timer object and events.
9894 31 January 2007: Wouter
9895 - Added makedist.sh script to make release tarball.
9896 - Removed listen callback layer, did not add anything.
9897 - Added UDP recv to netevent, worker callback for udp.
9898 - netevent communication reply storage structure.
9899 - minimal query header sanity checking for worker.
9900 - copied over rbtree implementation from NSD (BSD licensed too).
9901 - outgoing network query service work.
9903 30 January 2007: Wouter
9904 - links in example/ldns-testpkts.c and .h for premade packet support.
9905 - added callback argument to listen_dnsport and daemon/worker.
9907 29 January 2007: Wouter
9908 - unbound.8 a short manpage.
9910 26 January 2007: Wouter
9912 - make lint works on BSD and Linux (openssl defines).
9914 - testbound program start.
9916 25 January 2007: Wouter
9917 - fixed lint so it may work on BSD.
9918 - put license into header of every file.
9919 - created verbosity flag.
9920 - fixed libevent configure flag.
9921 - detects event_base_free() in new libevent 1.2 version.
9922 - getopt in daemon. fatal_exit() and verbose() logging funcs.
9923 - created log_assert, that throws assertions to the logfile.
9924 - listen_dnsport service. Binds ports.
9926 24 January 2007: Wouter
9927 - cleaned up configure.ac.
9929 23 January 2007: Wouter
9930 - added libevent to configure to link with.
9931 - util/netevent setup work.
9932 - configure searches for libevent.
9933 - search for libs at end of configure (when other headers and types
9935 - doxygen works with ATTR_UNUSED().
9936 - util/netevent implementation.
9938 22 January 2007: Wouter
9939 - Designed header file for network communication.
9941 16 January 2007: Wouter
9942 - added readme.svn and readme.tests.
9944 4 January 2007: Wouter
9945 - Testbed script (run on multiple platforms the test set).
9946 Works on Sunos9, Sunos10, FreeBSD 6.1, Fedora core 5.
9947 - added unit test tpkg.
9949 3 January 2007: Wouter
9950 - committed first set of files into subversion repository.
9951 svn co svn+ssh://unbound.net/svn/unbound
9952 You need a ssh login. There is no https access yet.
9953 - Added LICENSE, the BSD license.
9954 - Added doc/README with compile help.
9955 - main program stub and quiet makefile.
9956 - minimal logging service (to stderr).
9957 - added postcommit hook that serves emails.
9958 - added first test 00-lint. postcommit also checks if build succeeds.
9959 - 01-doc: doxygen doc target added for html docs. And stringent test
9960 on documented files, functions and parameters.
9962 15 December 2006: Wouter
9963 - Created Makefile.in and configure.ac.