2 - Fix streamtcp to print packet data to stdout. This makes the
3 stdout and stderr not mix together lines, when parsing its output.
4 - Fix contrib/fastrpz.patch to apply cleanly. It fixes for changes
5 due to added libdynmod, but it does not compile, it conflicts with
7 - branch now named 1.11.0 and 1.11.0rc1 tag.
10 - Fix libnettle compile for session ticket key callback function
12 - Fix lock dependency cycle in rpz zone config setup.
15 - Merge PR #234 - Ensure proper alignment of cmsg buffers by Jérémie
17 - Fix PR #234 log_assert sizeof to use union buffer.
20 - Fix check conf test for referencing installation paths.
21 - Fix unused variable warning for clang analyzer.
24 - Introduce 'include-toplevel:' configuration option.
27 - Add bidirectional frame streams support.
30 - Fix add missing DSA header, for compilation without deprecated
32 - Fix to use SSL_CTX_set_tlsext_ticket_key_evp_cb in OpenSSL
34 - Longer keys for the test set, this avoids weak crypto errors.
37 - Fix #259: Fix unbound-checkconf does not check view existence.
38 unbound-checkconf checks access-control-view, access-control-tags,
39 access-control-tag-actions and access-control-tag-datas.
40 - Fix offset of error printout for access-control-tag-datas.
41 - Review fixes for checkconf #259 change.
44 - run_vm cleanup better and removes trailing slash on single argument.
47 - Move reply list clean for serve expired mesh callback to after
48 the reply is sent, so that script callbacks have reply_info.
49 - Also move reply list clean for mesh callbacks to the scrip callback
50 can see the reply_info.
51 - Fix for mesh accounting if the reply list already empty to begin
53 - Fix for mesh accounting when rpz decides to drop a reply with a
54 tcp stream waiting for it.
55 - Review fix for number of detached states due to use of variable
57 - Fix tcp req info drop due to size call into mesh accounting
58 removal of mesh state during mesh send reply.
61 - iana portlist updated.
62 - doxygen file comments for dynlibmodule.
65 - Fix default explanation in man page for qname-minimisation-strict.
66 - Fix display of event loop method with libev.
69 - Mention tls name possible when tls is enabled for stub-addr in the
73 - Merge PR #241 by Robert Edmonds: contrib/libunbound.pc.in: Do not use
77 - Update contrib/aaaa-filter-iterator.patch for the recent
78 generate_sub_request() change and to apply cleanly.
81 - Fix for integer overflow when printing RDF_TYPE_TIME.
84 - CVE-2020-12662 Unbound can be tricked into amplifying an incoming
85 query into a large number of queries directed to a target.
86 - CVE-2020-12663 Malformed answers from upstream name servers can be
87 used to make Unbound unresponsive.
88 - Release 1.10.1 is 1.10.0 with fixes, code repository continues,
89 including those fixes, towards the next release. Configure has
90 version 1.10.2 version number in it.
91 - For PR #93: windows compile warnings removal
92 - windows compile warnings removal for ip dscp option code.
93 - For PR #93: unit test for dynlib module.
96 - For PR #93: dynlibmod can handle reloads and deinit and inits again,
97 with dlclose and dlopen of the library again. Also for multiple
98 modules. Fix memory leak by not closing dlopened content. Fix
99 to allow one dynlibmod instance by unbound-checkconf.
100 - For PR #93: checkconf allows multiple dynlib in module-config, for
102 - For PR #93: checkconf allows python dynlib in module-config, for
104 - For PR #93: man page spelling reference fix.
105 - For PR #93: fix link of other executables for dynlibmod dependency.
108 - Merge PR #93: Add dynamic library support.
109 - Fixed conflicts for PR #93 and make configure, yacc, lex.
110 - For PR #93: Fix warnings for dynlibmodule.
113 - Cache ECS answers with longest scope of CNAME chain.
115 22 April 2020: George
116 - Explicitly use 'rrset-roundrobin: no' for test cases.
118 21 April 2020: Wouter
119 - Merge #225 from akhait: KSK-2010 has been revoked. It removes the
120 KSK-2010 from the default list in unbound-anchor, now that the
121 revocation period is over. KSK-2017 is the only trust anchor in
122 the shipped default now.
124 21 April 2020: George
125 - Change default value for 'rrset-roundrobin' to yes.
126 - Fix tests for new rrset-roundrobin default.
128 20 April 2020: Wouter
129 - Fix #222: --enable-rpath, fails to rpath python lib.
130 - Fix for count of reply states in the mesh.
131 - Remove unneeded was_mesh_reply check.
133 17 April 2020: George
134 - Add SNI support on more TLS connections (fixes #193).
135 - Add SNI support to unbound-anchor.
137 16 April 2020: George
138 - Add doxygen documentation for DSCP.
140 16 April 2020: Wouter
141 - Fix help return code in unbound-control-setup script.
142 - Fix for posix shell syntax for trap in nsd-control-setup.
143 - Fix for posix shell syntax for trap in run_msg.sh test script.
145 15 April 2020: George
146 - Fix #220: auth-zone section in config may lead to segfault.
149 - Merge PR #214 from gearnode: unbound-control-setup recreate
150 certificates. With the -r option the certificates are created
151 again, without it, only the files that do not exist are created.
154 - Keep track of number of timeouts. Use this counter to determine if
155 capsforid fallback should be started.
158 - More documentation for redis-expire-records option.
161 - Merge PR #206: Redis TTL, by Talkabout.
163 30 March 2020: Wouter
164 - Merge PR #207: Clarify if-automatic listens on 0.0.0.0 and ::
165 - Merge PR #208: Fix uncached CLIENT_RESPONSE'es on stateful
168 27 March 2020: Wouter
169 - Merge PR #203 from noloader: Update README-Travis.md with current
173 - Make unbound-control error returned on missing domain name more user
177 - Fix RPZ concurrency issue when using auth_zone_reload.
179 25 March 2020: George
180 - Merge PR #201 from noloader: Fix OpenSSL cross-compaile warnings.
183 24 March 2020: Wouter
184 - Merge PR #200 from yarikk: add ip-dscp option to specify the DSCP
185 tag for outgoing packets.
187 - Travis fix for ios by omitting tools from install.
189 23 March 2020: Wouter
190 - Fix compile on Solaris for unbound-checkconf.
192 20 March 2020: George
193 - Merge PR #198 from fobser: Declare lz_enter_rr_into_zone() static, it's
194 only used in this file.
196 20 March 2020: Wouter
197 - Merge PR #197 from fobser: Make log_ident_revert_to_default() a
201 - Merge PR#191: Update iOS testing on Travis, by Jeffrey Walton.
202 - Fix #158: open tls-session-ticket-keys as binary, for Windows. By
204 - Merge PR#134, Allow the kernel to provide random source ports. By
206 - Log warning when using outgoing-port-permit and outgoing-port-avoid
207 while explicit port randomisation is disabled.
208 - Merge PR#194: Add libevent testing to Travis, by Jeffrey Walton.
209 - Fix .travis.yml error, missing 'env' option.
211 16 March 2020: Wouter
212 - Fix #192: In the unbound-checkconf tool, the module config of
213 dns64 subnetcache respip validator iterator is whitelisted, it was
214 reported it seems to work.
216 12 March 2020: Wouter
217 - Fix compile of test tools without protobuf.
220 - Add check to make sure RPZ records are subdomains of configured
223 11 March 2020: George
224 - Fix #189: mini_event.h:142:17: error: field 'ev_timeout' has incomplete
226 - Changelog entry for (Fix #189, Merge PR #190).
228 11 March 2020: Wouter
229 - Fix #188: unbound-control.c:882:6: error: 'execlp' is
230 unavailable: not available on tvOS.
233 - Merge PR #186, fix #183: Fix unrecognized 'echo -n' option on OS X, by
237 - Fix PR #182 from noloader: Add iOS testing to Travis.
240 - Update README-Travis.md (from PR #179), by Jeffrey Walton.
243 - Merge PR #181 from noloader: Fix OpenSSL -pie warning on Android.
246 - Merge PR #180 from noloader: Avoid calling exit in Travis script.
249 - Upgrade config.guess(2020-01-01) and config.sub(2020-01-01).
252 - Fix #175, Merge PR #176: fix link error when OpenSSL is configured
253 with no-engine, thanks noloader.
256 - Fix compiler warning in dns64/dns64.c
257 - Merge PR #174: Add Android to Travis testing, by noloader.
258 - Move android build scripts to contrib/ and allow android tests to fail.
261 - Fix #177: dnstap does not build on macOS.
263 28 February 2020: Ralph
264 - Merge PR #172: Add IBM s390x arch for testing, by noloader.
266 28 February 2020: Wouter
267 - Merge PR #173: updated makedist.sh for config.guess and
268 config.sub and sha256 digest for gpg, by noloader.
269 - Merge PR #164: Framestreams, this branch implements dnstap
270 unidirectional connectivity in unbound. This has a number of
273 The dependency on libfstrm is removed. The fstrm protocol code
274 resides in dnstap/dnstap_fstrm.h and dnstap/dnstap_fstrm.c. This
275 contains a brief definition of what unbound needs.
277 The make unbound-dnstap-socket builds a debug tool,
278 unbound-dnstap-socket. It can listen, accept multiple DNSTAP
279 streams and print information. Commandline options control it.
281 Unbound can reconnect if the unix domain socket file socket is
282 closed. This uses exponential backoff after which it uses a
283 one second timer to throttle cpu down. There is also support
284 to use TCP and TLS for connecting to the log server. There
285 are new config options to turn them on, in the dnstap section
286 in the man page and example config file. dnstap-ip with IP
287 address of server for TCP or TLS use. dnstap-tls to turn
288 on TLS. And dnstap-tls-server-name, dnstap-tls-cert-bundle,
289 dnstap-tls-client-key-file and dnstap-tls-client-cert-file
290 to configure the certificates for server authentication and
291 client authentication, or leave at "" to not use that.
293 27 February 2020: George
294 - Merge PR #171: Add additional compilers and platforms to Travis
295 testing, by noloader.
297 27 February 2020: Wouter
298 - Fix #169: Fix warning for daemon/remote.c output may be truncated
300 - Fix #170: Fix gcc undefined sanitizer signed integer overflow
301 warning in signature expiry RFC1982 serial number arithmetic.
302 - Fix more undefined sanitizer issues, in respip copy_rrset null
303 dname, and in the client_info_compare routine for null memcmp.
305 26 February 2020: Wouter
306 - iana portlist updated.
308 25 February 2020: Wouter
309 - Fix #165: Add prefer-ip4: yesno config option to prefer ipv4 for
310 using ipv4 filters, because the hosts ip6 netblock /64 is not owned
311 by one operator, and thus reputation is shared.
313 24 February 2020: George
314 - Merge PR #166: Fix typo in unbound.service.in, by glitsj16.
316 20 February 2020: Wouter
317 - Updated contrib/unbound_smf23.tar.gz with Solaris SMF service for
318 Unbound from Yuri Voinov.
319 - master branch has 1.10.1 version.
321 18 February 2020: Wouter
322 - protect X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS with ifdef for
323 different openssl versions.
325 17 February 2020: Wouter
326 - changelog point where the tag for 1.10.0rc2 release is. And with
327 the unbound_smf23 commit added to it, that is the 1.10.0 release.
329 17 February 2020: Ralph
330 - Add respip to supported module-config options in unbound-checkconf.
332 17 February 2020: George
333 - Remove unused variable.
335 17 February 2020: Wouter
336 - contrib/drop2rpz: perl script that converts the Spamhaus DROP-List
337 in RPZ-Format, contributed by Andreas Schulze.
339 14 February 2020: Wouter
340 - Fix spelling in unbound.conf.5.in.
341 - Stop unbound-checkconf from insisting that auth-zone and rpz
342 zonefiles have to exist. They can not exist, and download later.
344 13 February 2020: Wouter
345 - tag for 1.10.0rc1 release.
347 12 February 2020: Wouter
348 - Fix with libnettle make test with dsa disabled.
349 - Fix contrib/fastrpz.patch to apply cleanly. Fix for serve-stale
350 fixes, but it does not compile, conflicts with new rpz code.
351 - Fix to clean memory leak of respip_addr.lock when ip_tree deleted.
352 - Fix compile warning when threads disabled.
353 - updated version number to 1.10.0.
355 10 February 2020: George
356 - Document 'ub_result.was_ratelimited' in libunbound.
357 - Fix use after free on log-identity after a reload; Fixes #163.
359 6 February 2020: George
360 - Fix num_reply_states and num_detached_states counting with
361 serve_expired_callback.
362 - Cleaner code in mesh_serve_expired_lookup.
363 - Document in unbound.conf manpage that configuration clauses can be
364 repeated in the configuration file.
366 6 February 2020: Wouter
367 - Fix num_reply_addr counting in mesh and tcp drop due to size
368 after serve_stale commit.
369 - Fix to create and destroy rpz_lock in auth_zones structure.
370 - Fix to lock zone before adding rpz qname trigger.
371 - Fix to lock and release once in mesh_serve_expired_lookup.
372 - Fix to put braces around empty if body when threading is disabled.
374 5 February 2020: George
375 - Added serve-stale functionality as described in
376 draft-ietf-dnsop-serve-stale-10. `serve-expired-*` options can be used
377 to configure the behavior.
378 - Updated cachedb to honor `serve-expired-ttl`; Fixes #107.
379 - Renamed statistic `num.zero_ttl` to `num.expired` as expired replies
380 come with a configurable TTL value (`serve-expired-reply-ttl`).
381 - Fixed stats when replying with cached, cname-aliased records.
382 - Added missing default values for redis cachedb backend.
384 3 February 2020: Ralph
385 - Add assertion to please static analyzer
387 31 January 2020: Wouter
388 - Fix fclose on error in TLS session ticket code.
390 30 January 2020: Ralph
391 - Fix memory leak in error condition remote.c
392 - Fix double free in error condition view.c
393 - Fix memory leak in do_auth_zone_transfer on success
394 - Merge RPZ support into master. Only QNAME and Response IP triggers are
396 - Stop working on socket when socket() call returns an error.
397 - Check malloc return values in TLS session ticket code
399 30 January 2020: Wouter
400 - Fix subnet tests for disabled DSA algorithm by default.
401 - Update contrib/fastrpz.patch for clean diff with current code.
402 - Merge PR#151: Fixes for systemd units, by Maryse47, Edmonds
403 and Frzk. Updates the unbound.service systemd file and adds
404 a portable systemd service file.
405 - updated .gitignore for added contrib file.
406 - Add build rule for ipset to Makefile
407 - Add getentropy_freebsd.o to Makefile dependencies.
409 29 January 2020: Ralph
410 - Merge PR#156 from Alexander Berkes; Added unbound-control
411 view_local_datas_remove command.
413 29 January 2020: Wouter
414 - Fix #157: undefined reference to `htobe64'.
416 28 January 2020: Ralph
417 - Merge PR#147; change rfc reference for reserved top level dns names.
419 28 January 2020: Wouter
420 - iana portlist updated.
421 - Fix to silence the tls handshake errors for broken pipe and reset
422 by peer, unless verbosity is set to 2 or higher.
424 27 January 2020: Ralph
425 - Merge PR#154; Allow use of libbsd functions with configure option
426 --with-libbsd. By Robert Edmonds and Steven Chamberlain.
427 - Merge PR#148; Add some TLS stats to unbound_munin_. By Fredrik Pettai.
429 27 January 2020: Wouter
430 - Merge PR#155 from Robert Edmonds: contrib/libunbound.pc.in: Fixes
431 to Libs/Requires for crypto library dependencies.
432 - Fix #153: Disable validation for DSA algorithms. RFC 8624
435 23 January 2020: Wouter
436 - Merge PR#150 from Frzk: Systemd unit without chroot. It add
437 contrib/unbound_nochroot.service.in, a systemd file for use with
438 chroot: "", see comments in the file, it uses systemd protections
441 14 January 2020: Wouter
442 - Removed the dnscrypt_queries and dnscrypt_queries_chacha tests,
443 because dnscrypt-proxy (2.0.36) does not support the test setup
444 any more, and also the config file format does not seem to have
445 the appropriate keys to recreate that setup.
446 - Fix crash after reload where a stats lookup could reference old key
447 cache and neg cache structures.
448 - Fix for memory leak when edns subnet config options are read when
449 compiled without edns subnet support.
450 - Fix auth zone support for NSEC3 records without salt.
452 10 January 2020: Wouter
453 - Fix the relationship between serve-expired and prefetch options,
454 patch from Saksham Manchanda from Secure64.
455 - Fix unreachable code in ssl set options code.
457 8 January 2020: Ralph
458 - Fix #138: stop binding pidfile inside chroot dir in systemd service
461 8 January 2020: Wouter
462 - Fix 'make test' to work for --disable-sha1 configure option.
463 - Fix out-of-bounds null-byte write in sldns_bget_token_par while
464 parsing type WKS, reported by Luis Merino from X41 D-Sec.
465 - Updated sldns_bget_token_par fix for also space for the zero
466 delimiter after the character. And update for more spare space.
468 6 January 2020: George
469 - Downgrade compat/getentropy_solaris.c to version 1.4 from OpenBSD.
470 The dl_iterate_phdr() function introduced in newer versions raises
471 compilation errors on solaris 10.
472 - Changes to compat/getentropy_solaris.c for,
473 ifdef stdint.h inclusion for older systems.
474 ifdef sha2.h inclusion for older systems.
476 6 January 2020: Wouter
477 - Merge #135 from Florian Obser: Use passed in neg and key cache
479 - Fix #140: Document slave not downloading new zonefile upon update.
481 16 December 2019: George
482 - Update mailing list URL.
484 12 December 2019: Ralph
485 - Master is 1.9.7 in development.
486 - Fix typo to let serve-expired-ttl work with ub_ctx_set_option(), by
489 10 December 2019: Wouter
490 - Fix to make auth zone IXFR to fallback to AXFR if a single
491 response RR is received over TCP with the SOA in it.
493 6 December 2019: Wouter
494 - Fix ipsecmod compile.
495 - Fix Makefile.in for ipset module compile, from Adi Prasaja.
496 - release-1.9.6 tag, which became the 1.9.6 release
498 5 December 2019: Wouter
499 - unbound-fuzzers.tar.bz2: three programs for fuzzing, that are 1:1
500 replacements for unbound-fuzzme.c that gets created after applying
501 the contrib/unbound-fuzzme.patch. They are contributed by
502 Eric Sesterhenn from X41 D-Sec.
505 4 December 2019: Wouter
506 - Fix lock type for memory purify log lock deletion.
507 - Fix testbound for alloccheck runs, memory purify and lock checks.
508 - update contrib/fastrpz.patch to apply more cleanly.
509 - Fix Make Test Fails when Configured With --enable-alloc-nonregional,
510 reported by X41 D-Sec.
512 3 December 2019: Wouter
513 - Merge pull request #124 from rmetrich: Changed log lock
514 from 'quick' to 'basic' because this is an I/O lock.
515 - Fix text around serial arithmatic used for RRSIG times to refer
516 to correct RFC number.
517 - Fix Assert Causing DoS in synth_cname(),
518 reported by X41 D-Sec.
519 - Fix similar code in auth_zone synth cname to add the extra checks.
520 - Fix Assert Causing DoS in dname_pkt_copy(),
521 reported by X41 D-Sec.
522 - Fix OOB Read in sldns_wire2str_dname_scan(),
523 reported by X41 D-Sec.
524 - Fix Out of Bounds Write in sldns_str2wire_str_buf(),
525 reported by X41 D-Sec.
526 - Fix Out of Bounds Write in sldns_b64_pton(),
527 fixed by check in sldns_str2wire_int16_data_buf(),
528 reported by X41 D-Sec.
529 - Fix Insufficient Handling of Compressed Names in dname_pkt_copy(),
530 reported by X41 D-Sec.
531 - Fix Out of Bound Write Compressed Names in rdata_copy(),
532 reported by X41 D-Sec.
533 - Fix Hang in sldns_wire2str_pkt_scan(),
534 reported by X41 D-Sec.
535 This further lowers the max to 256.
536 - Fix snprintf() supports the n-specifier,
537 reported by X41 D-Sec.
538 - Fix Bad Indentation, in dnscrypt.c,
539 reported by X41 D-Sec.
540 - Fix Client NONCE Generation used for Server NONCE,
541 reported by X41 D-Sec.
542 - Fix compile error in dnscrypt.
543 - Fix _vfixed not Used, removed from sbuffer code,
544 reported by X41 D-Sec.
545 - Fix Hardcoded Constant, reported by X41 D-Sec.
548 2 December 2019: Wouter
549 - Merge pull request #122 from he32: In tcp_callback_writer(),
550 don't disable time-out when changing to read.
552 22 November 2019: George
553 - Fix compiler warnings.
555 22 November 2019: Wouter
556 - Fix dname loop maximum, reported by Eric Sesterhenn from X41 D-Sec.
557 - Add make distclean that removes everything configure produced,
558 and make maintainer-clean that removes bison and flex output.
560 20 November 2019: Wouter
561 - Fix Out of Bounds Read in rrinternal_get_owner(),
562 reported by X41 D-Sec.
563 - Fix Race Condition in autr_tp_create(),
564 reported by X41 D-Sec.
565 - Fix Shared Memory World Writeable,
566 reported by X41 D-Sec.
567 - Adjust unbound-control to make stats_shm a read only operation.
568 - Fix Weak Entropy Used For Nettle,
569 reported by X41 D-Sec.
570 - Fix Randomness Error not Handled Properly,
571 reported by X41 D-Sec.
572 - Fix Out-of-Bounds Read in dname_valid(),
573 reported by X41 D-Sec.
574 - Fix Config Injection in create_unbound_ad_servers.sh,
575 reported by X41 D-Sec.
576 - Fix Local Memory Leak in cachedb_init(),
577 reported by X41 D-Sec.
578 - Fix Integer Underflow in Regional Allocator,
579 reported by X41 D-Sec.
580 - Upgrade compat/getentropy_linux.c to version 1.46 from OpenBSD.
581 - Synchronize compat/getentropy_win.c with version 1.5 from
582 OpenBSD, no changes but makes the file, comments, identical.
583 - Upgrade compat/getentropy_solaris.c to version 1.13 from OpenBSD.
584 - Upgrade compat/getentropy_osx.c to version 1.12 from OpenBSD.
585 - Changes to compat/getentropy files for,
586 no link to openssl if using nettle, and hence config.h for
587 HAVE_NETTLE variable.
588 compat definition of MAP_ANON, for older systems.
589 ifdef stdint.h inclusion for older systems.
590 ifdef sha2.h inclusion for older systems.
591 - Fixed Compat Code Diverging from Upstream, reported by X41 D-Sec.
592 - Fix compile with --enable-alloc-checks, reported by X41 D-Sec.
593 - Fix Terminating Quotes not Written, reported by X41 D-Sec.
594 - Fix Useless memset() in validator, reported by X41 D-Sec.
595 - Fix Unrequired Checks, reported by X41 D-Sec.
596 - Fix Enum Name not Used, reported by X41 D-Sec.
597 - Fix NULL Pointer Dereference via Control Port,
598 reported by X41 D-Sec.
599 - Fix Bad Randomness in Seed, reported by X41 D-Sec.
600 - Fix python examples/calc.py for eval, reported by X41 D-Sec.
601 - Fix comments for doxygen in dns64.
603 19 November 2019: Wouter
604 - Fix CVE-2019-18934, shell execution in ipsecmod.
605 - 1.9.5 is 1.9.4 with bugfix, trunk is 1.9.6 in development.
606 - Fix authzone printout buffer length check.
607 - Fixes to please lint checks.
608 - Fix Integer Overflow in Regional Allocator,
609 reported by X41 D-Sec.
610 - Fix Unchecked NULL Pointer in dns64_inform_super()
611 and ipsecmod_new(), reported by X41 D-Sec.
612 - Fix Out-of-bounds Read in rr_comment_dnskey(),
613 reported by X41 D-Sec.
614 - Fix Integer Overflows in Size Calculations,
615 reported by X41 D-Sec.
616 - Fix Integer Overflow to Buffer Overflow in
617 sldns_str2wire_dname_buf_origin(), reported by X41 D-Sec.
618 - Fix Out of Bounds Read in sldns_str2wire_dname(),
619 reported by X41 D-Sec.
620 - Fix Out of Bounds Write in sldns_bget_token_par(),
621 reported by X41 D-Sec.
623 18 November 2019: Wouter
624 - In unbound-host use separate variable for get_option to please
626 - update to bison output of 3.4.1 in code repository.
627 - Provide a prototype for compat malloc to remove compile warning.
628 - Portable grep usage for reuseport configure test.
629 - Check return type of HMAC_Init_ex for openssl 0.9.8.
630 - gitignore .source tempfile used for compatible make.
632 13 November 2019: Wouter
633 - iana portlist updated.
634 - contrib/fastrpz.patch updated to apply for current code.
635 - fixes for splint cleanliness, long vs int in SSL set_mode.
637 11 November 2019: Wouter
638 - Fix #109: check number of arguments for stdin-pipes in
639 unbound-control and fail if too many arguments.
640 - Merge #102 from jrtc27: Add getentropy emulation for FreeBSD.
642 24 October 2019: Wouter
643 - Fix #99: Memory leak in ub_ctx (event_base will never be freed).
645 23 October 2019: George
646 - Add new configure option `--enable-fully-static` to enable full static
647 build if requested; in relation to #91.
649 23 October 2019: Wouter
650 - Merge #97: manpage: Add missing word on unbound.conf,
653 22 October 2019: Wouter
654 - drop-tld.diff: adds option drop-tld: yesno that drops 2 label
655 queries, to stop random floods. Apply with
656 patch -p1 < contrib/drop-tld.diff and compile.
657 From Saksham Manchanda (Secure64). Please note that we think this
658 will drop DNSKEY and DS lookups for tlds and hence break DNSSEC
659 lookups for downstream clients.
661 7 October 2019: Wouter
662 - Add doxygen comments to unbound-anchor source address code, in #86.
664 3 October 2019: Wouter
665 - Merge #90 from vcunat: fix build with nettle-3.5.
666 - Merge 1.9.4 release with fix for vulnerability CVE-2019-16866.
667 - Continue with development of 1.9.5.
668 - Merge #86 from psquarejho: Added -b source address option to
669 smallapp/unbound-anchor.c, from Lukas Wunner.
671 26 September 2019: Wouter
672 - Merge #87 from hardfalcon: Fix contrib/unbound.service.in,
673 Drop CAP_KILL, use + prefix for ExecReload= instead.
675 25 September 2019: Wouter
676 - The unbound.conf includes are sorted ascending, for include
677 statements with a '*' from glob.
679 23 September 2019: Wouter
680 - Merge #85 for #84 from sam-lunt: Add kill capability to systemd
681 service file to fix that systemctl reload fails.
683 20 September 2019: Wouter
684 - Merge #82 from hardfalcon: Downgrade CAP_NET_ADMIN to CAP_NET_RAW
686 - Merge #81 from Maryse47: Consistently use /dev/urandom instead
687 of /dev/random in scripts and docs.
688 - Merge #83 from Maryse47: contrib/unbound.service.in: do not fork
691 19 September 2019: Wouter
692 - Fix #78: Memory leak in outside_network.c.
693 - Merge pull request #76 from Maryse47: Improvements and fixes for
694 systemd unbound.service.
695 - oss-fuzz badge on README.md.
696 - Fix fix for #78 to also free service callback struct.
697 - Fix for oss-fuzz build warning.
698 - Fix wrong response ttl for prepended short CNAME ttls, this would
699 create a wrong zero_ttl response count with serve-expired enabled.
700 - Merge #80 from stasic: Improve wording in man page.
702 11 September 2019: Wouter
703 - Use explicit bzero for wiping clear buffer of hash in cachedb,
704 reported by Eric Sesterhenn from X41 D-Sec.
706 9 September 2019: Wouter
707 - Fix #72: configure --with-syslog-facility=LOCAL0-7 with default
708 LOG_DAEMON (as before) can set the syslog facility that the server
709 uses to log messages.
711 4 September 2019: Wouter
712 - Fix #71: fix openssl error squelch commit compilation error.
714 3 September 2019: Wouter
715 - squelch DNS over TLS errors 'ssl handshake failed crypto error'
716 on low verbosity, they show on verbosity 3 (query details), because
717 there is a high volume and the operator cannot do anything for the
718 remote failure. Specifically filters the high volume errors.
720 2 September 2019: Wouter
721 - ipset module #28: log that an address is added, when verbosity high.
722 - ipset: refactor long routine into three smaller ones.
723 - updated Makefile dependencies.
725 23 August 2019: Wouter
726 - Fix contrib/fastrpz.patch asprintf return value checks.
728 22 August 2019: Wouter
729 - Fix that pkg-config is setup before --enable-systemd needs it.
730 - 1.9.3rc2 release candidate tag. And this became the 1.9.3 release.
731 Master is 1.9.4 in development.
733 21 August 2019: Wouter
734 - Fix log_dns_msg to log irrespective of minimal responses config.
736 19 August 2019: Ralph
737 - Document limitation of pidfile removal outside of chroot directory.
739 16 August 2019: Wouter
740 - Fix unittest valgrind false positive uninitialised value report,
741 where if gcc 9.1.1 uses -O2 (but not -O1) then valgrind 3.15.0
742 issues an uninitialised value for the token buffer at the str2wire.c
743 rrinternal_get_owner() strcmp with the '@' value. Rewritten to use
744 straight character comparisons removes the false positive. Also
745 valgrinds --expensive-definedness-checks=yes can stop this false
747 - Please doxygen's parser for "@" occurrence in doxygen comment.
748 - Fixup contrib/fastrpz.patch
749 - Remove warning about unknown cast-function-type warning pragma.
751 15 August 2019: Wouter
752 - iana portlist updated.
753 - Fix autotrust temp file uniqueness windows compile.
754 - avoid warning about upcast on 32bit systems for autotrust.
755 - escape commandline contents for -V.
756 - Fix character buffer size in ub_ctx_hosts.
757 - 1.9.3rc1 release candidate tag.
758 - Option -V prints if TCP fastopen is available.
760 14 August 2019: George
761 - Fix #59, when compiled with systemd support check that we can properly
762 communicate with systemd through the `NOTIFY_SOCKET`.
764 14 August 2019: Wouter
765 - Generate configlexer with newer flex.
766 - Fix warning for unused variable for compilation without systemd.
768 12 August 2019: George
769 - Introduce `-V` option to print the version number and build options.
770 Previously reported build options like linked libs and linked modules
771 are now moved from `-h` to `-V` as well for consistency.
772 - PACKAGE_BUGREPORT now also includes link to GitHub issues.
774 1 August 2019: Wouter
775 - For #52 #53, second context does not close logfile override.
776 - Fix #52 #53, fix for example fail program.
777 - Fix to return after failed auth zone http chunk write.
778 - Fix to remove unused test for task_probe existance.
779 - Fix to timeval_add for remaining second in microseconds.
780 - Check repinfo in worker_handle_request, if null, drop it.
783 - Add verbose log message when auth zone file is written, at level 4.
784 - Add hex print of trust anchor pointer to trust anchor file temp
785 name to make it unique, for libunbound created multiple contexts.
788 - Fix question section mismatch in local zone redirect.
791 - Fix #49: Set no renegotiation on the SSL context to stop client
792 session renegotiation.
795 - Fix #48: Unbound returns additional records on NODATA response,
796 if minimal-responses is enabled, also the additional for negative
797 responses is removed.
800 - Fix in respip addrtree selection. Absence of addr_tree_init_parents()
801 call made it impossible to go up the tree when the matching netmask is
805 - Fix for possible assertion failure when answering respip CNAME from
809 - For #45, check that 127.0.0.1 and ::1 are not used in unbound.conf
810 when do-not-query-localhost is turned on, or at default on,
811 unbound-checkconf prints a warning if it is found in forward-addr or
812 stub-addr statements.
815 - Fix memleak in unit test, reported from the clang 8.0 static analyzer.
818 - PR #28: IPSet module, by Kevin Chou. Created a module to support
819 the ipset that could add the domain's ip to a list easily.
820 Needs libmnl, and --enable-ipset and config it, doc/README.ipset.md.
821 - Fix to omit RRSIGs from addition to the ipset.
822 - Fix to make unbound-control with ipset, remove unused variable,
823 use unsigned type because of comparison, and assign null instead
824 of compare with it. Remade lex and yacc output.
826 - Added documentation to the ipset files (for doxygen output).
827 - Merge PR #6: Python module: support multiple instances
828 - Merge PR #5: Python module: define constant MODULE_RESTART_NEXT
829 - Merge PR #4: Python module: assign something useful to the
830 per-query data store 'qdata'
831 - Fix python dict reference and double free in config.
834 - Master contains version 1.9.3 in development.
835 - Fix #39: In libunbound, leftover logfile is close()d unpredictably.
836 - Fix for #24: Fix abort due to scan of auth zone masters using old
837 address from previous scan.
840 - Fix another spoolbuf storage code point, in prefetch.
841 - 1.9.2rc3 release candidate tag. Which became the 1.9.2 release
845 - Fix that fixes the Fix that spoolbuf is not used to store tcp
846 pipelined response between mesh send and callback end, this fixes
847 error cases that did not use the correct spoolbuf.
848 - 1.9.2rc2 release candidate tag.
851 - 1.9.2rc1 release candidate tag.
854 - iana portlist updated.
857 - Fix to guard _OPENBSD_SOURCE from redefinition.
860 - Fix to define _OPENBSD_SOURCE to get reallocarray on NetBSD.
861 - gitignore config.h.in~.
864 - Fix double file close in tcp pipelined response code.
867 - Fix that spoolbuf is not used to store tcp pipelined response
868 between mesh send and callback end.
871 - Note that so-reuseport at extreme load is better turned off,
872 otherwise queries are not distributed evenly, on Linux 4.4.x.
875 - Fix #31: swig 4.0 and python module.
878 - Squelch log messages from tcp send about connection reset by peer.
879 They can be enabled with verbosity at higher values for diagnosing
880 network connectivity issues.
881 - Attempt to fix malformed tcp response.
884 - Revert fix for oss-fuzz, error is in that build script that
885 unconditionally includes .o files detected by configure, also
886 when the machine architecture uses different LIBOBJS files.
889 - Attempt to fix build failure in oss-fuzz because of reallocarray.
890 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14648.
891 Does not omit compile flags from commandline.
894 - Fix edns-subnet locks, in error cases the lock was not unlocked.
895 - Fix doxygen output error on readme markdown vignettes.
898 - Fix #29: Solaris 11.3 and missing symbols be64toh, htobe64.
899 - Fix #30: AddressSanitizer finding in lookup3.c. This sets the
900 hash function to use a slower but better auditable code that does
901 not read beyond array boundaries. This makes code better security
902 checkable, and is better for security. It is fixed to be slower,
903 but not read outside of the array.
906 - contrib/fastrpz.patch updated for code changes, and with git diff.
907 - Fix .gitignore, add pythonmod and dnstap generated files.
908 And unit test generated files, and generated doc files.
911 - Update makedist for git.
912 - Nicer travis output for clang analysis.
913 - PR #16: XoT support, AXFR over TLS, turn it on with
914 master: <ip>#<authname> in unbound.conf. This uses TLS to
915 download the AXFR (or IXFR).
917 25 April 2019: Wouter
918 - Fix wrong query name in local zone redirect answers with a CNAME,
919 the copy of the local alias is in unpacked form.
922 - Scrub RRs from answer section when reusing NXDOMAIN message for
924 - For harden-below-nxdomain: do not consider a name to be non-exitent
925 when message contains a CNAME record.
927 18 April 2019: Wouter
930 16 April 2019: Wouter
931 - Better braces in if statement in TCP fastopen code.
932 - iana portlist updated.
934 15 April 2019: Wouter
935 - Fix tls write event for read state change to re-call SSL_write and
936 not resume the TLS handshake.
938 11 April 2019: George
939 - Update python documentation for init_standard().
942 11 April 2019: Wouter
943 - Fix that auth zone uses correct network type for sockets for
944 SOA serial probes. This fixes that probes fail because earlier
945 probe addresses are unreachable.
946 - Fix that auth zone fails over to next master for timeout in tcp.
947 - Squelch SSL read and write connection reset by peer and broken pipe
948 messages. Verbosity 2 and higher enables them.
951 - Fix to use event_assign with libevent for thread-safety.
952 - verbose information about auth zone lookup process, also lookup
953 start, timeout and fail.
954 - Fix #17: Add python module example from Jan Janak, that is a
955 plugin for the Unbound DNS resolver to resolve DNS records in
956 multicast DNS [RFC 6762] via Avahi. The plugin communicates
957 with Avahi via DBus. The comment section at the beginning of
958 the file contains detailed documentation.
959 - Fix to wipe ssl ticket keys from memory with explicit_bzero,
963 - Fix to reinit event structure for accepted TCP (and TLS) sockets.
966 - Fix spelling error in log output for event method.
969 - Move goto label in answer_from_cache to the end of the function
970 where it is more visible.
971 - Fix auth-zone NSEC3 response for wildcard nodata answers,
972 include the closest encloser in the answer.
975 - Fix auth-zone NSEC3 response for empty nonterminals with exact
977 - Fix for out of bounds integers, thanks to OSTIF audit. It is in
978 allocation debug code.
979 - Fix for auth zone nsec3 ent fix for wildcard nodata.
981 25 March 2019: Wouter
982 - Fix that tls-session-ticket-keys: "" on its own in unbound.conf
983 disables the tls session ticker key calls into the OpenSSL API.
984 - Fix crash if tls-servic-pem not filled in when necessary.
986 21 March 2019: Wouter
987 - Fix #4240: Fix whitespace cleanup in example.conf.
989 19 March 2019: Wouter
990 - add type CAA to libpyunbound (accessing libunbound from python).
992 18 March 2019: Wouter
993 - Add log message, at verbosity 4, that says the query is encrypted
994 with TLS, if that is enabled for the query.
995 - Fix #4239: set NOTIMPL when deny-any is enabled, for RFC8482.
998 - Fix for #4233: guard use of NDEBUG, so that it can be passed in
999 CFLAGS into configure.
1001 5 March 2019: Wouter
1002 - Tag release 1.9.1rc1. Which became 1.9.1 on 12 March 2019. Trunk
1003 has 1.9.2 in development.
1005 1 March 2019: Wouter
1006 - output forwarder log in ssl_req_order test.
1008 28 February 2019: Wouter
1009 - Remove memory leak on pythonmod python2 script file init.
1010 - Remove swig gcc8 python function cast warnings, they are ignored.
1011 - Print correct module that failed when module-config is wrong.
1013 27 February 2019: Wouter
1014 - Fix #4229: Unbound man pages lack information, about access-control
1015 order and local zone tags, and elements in views.
1016 - Fix #14: contrib/unbound.init: Fix wrong comparison judgment
1018 - Fix for python module on Windows, fix fopen.
1020 25 February 2019: Wouter
1021 - Fix #4227: pair event del and add for libevent for tcp_req_info.
1023 21 February 2019: Wouter
1024 - Fix the error for unknown module in module-config is understandable,
1025 and explains it was not compiled in and where to see the list.
1026 - In example.conf explain where to put cachedb module in module-config.
1027 - In man page and example config explain that most modules have to
1028 be listed at the start of module-config.
1030 20 February 2019: Wouter
1031 - Fix pythonmod include and sockaddr_un ifdefs for compile on
1032 Windows, and for libunbound.
1034 18 February 2019: Wouter
1035 - Print query name with ip_ratelimit exceeded log lines.
1036 - Spaces instead of tabs in that log message.
1037 - Print query name and IP address when domain rate limit exceeded.
1039 14 February 2019: Wouter
1040 - Fix capsforid canonical sort qsort callback.
1042 11 February 2019: Wouter
1043 - Note default for module-config in man page.
1044 - Fix recursion lame test for qname minimisation asked queries,
1045 that were not present in the set of prepared answers.
1046 - Fix #13: Remove left-over requirements on OpenSSL >= 1.1.0 for
1047 cert name matching, from man page.
1048 - make depend, with newer gcc, nicer layout.
1050 7 February 2019: Wouter
1051 - Fix #4206: OpenSSL 1.0.2 hostname verification for FreeBSD 11.2.
1052 - Fix that qname minimisation does not skip a label when missing
1053 nameserver targets need to be fetched.
1054 - Fix #4225: clients seem to erroneously receive no answer with
1055 DNS-over-TLS and qname-minimisation.
1057 4 February 2019: Wouter
1058 - Fix that log-replies prints the correct name for local-alias
1059 names, for names that have a CNAME in local-data configuration.
1060 It logs the original query name, not the target of the CNAME.
1061 - Add local-zone type inform_redirect, which logs like type inform,
1062 and redirects like type redirect.
1063 - Perform canonical sort for 0x20 capsforid compare of replies,
1064 this sorts rrsets in the authority and additional section before
1065 comparison, so that out of order rrsets do not cause failure.
1067 31 January 2019: Wouter
1068 - Set ub_ctx_set_tls call signature in ltrace config file for
1069 libunbound in contrib/libunbound.so.conf.
1070 - improve documentation for tls-service-key and forward-first.
1071 - #10: fixed pkg-config operations, PKG_PROG_PKG_CONFIG moved out of
1072 conditional section, fixes systemd builds, from Enrico Scholz.
1073 - #9: For openssl 1.0.2 use the CRYPTO_THREADID locking callbacks,
1074 still supports the set_id_callback previous API. And for 1.1.0
1075 no locking callbacks are needed.
1076 - #8: Fix OpenSSL without ENGINE support compilation.
1077 - Wipe TLS session key data from memory on exit.
1079 30 January 2019: Ralph
1080 - Fix case in which query timeout can result in marking delegation
1083 29 January 2019: Wouter
1084 - Fix spelling of tls-ciphers in example.conf.in.
1085 - Fix #4224: auth_xfr_notify.rpl test broken due to typo
1086 - Fix locking for libunbound context setup with broken port config.
1088 28 January 2019: Wouter
1089 - ub_ctx_set_tls call for libunbound that enables DoT for the machines
1090 set with ub_ctx_set_fwd. Patch from Florian Obser.
1091 - Set build system for added call in the libunbound API.
1092 - List example config for root zone copy locally hosted with auth-zone
1093 as suggested from draft-ietf-dnsop-7706-bis-02. But with updated
1095 - set version to 1.9.0 for release. And this was released with the
1096 spelling for tls-ciphers fix as 1.9.0 on Feb 5. Trunk has 1.9.1 in
1099 25 January 2019: Wouter
1100 - Fix that tcp for auth zone and outgoing does not remove and
1101 then gets the ssl read again applied to the deleted commpoint.
1102 - updated contrib/fastrpz.patch to cleanly diff.
1103 - no lock when threads disabled in tcp request buffer count.
1104 - remove compile warnings from libnettle compile.
1105 - output of newer lex 2.6.1 and bison 3.0.5.
1107 24 January 2019: Wouter
1108 - Newer aclocal and libtoolize used for generating configure scripts,
1109 aclocal 1.16.1 and libtoolize 2.4.6.
1110 - Fix unit test for python 3.7 new keyword 'async'.
1111 - clang analysis fixes, assert arc4random buffer in init,
1112 no check for already checked delegation pointer in iterator,
1113 in testcode check for NULL packet matches, in perf do not copy
1114 from NULL start list when growing capacity. Adjust host and file
1115 only when present in test header read to please checker. In
1116 testcode for unknown macro operand give zero result. Initialise the
1117 passed argv array in test code. In test code add EDNS data
1118 segment copy only when nonempty.
1119 - Patch from Florian Obser fixes some compiler warnings:
1120 include mini_event.h to have a prototype for mini_ev_cmp
1121 include edns.h to have a prototype for apply_edns_options
1122 sldns_wire2str_edns_keepalive_print is only called in the wire2str,
1123 module declare it static to get rid of compiler warning:
1124 no previous prototype for function
1125 infra_find_ip_ratedata() is only called in the infra module,
1126 declare it static to get rid of compiler warning:
1127 no previous prototype for function
1128 do not shadow local variable buf in authzone
1129 auth_chunks_delete and az_nsec3_findnode are only called in the
1130 authzone module, declare them static to get rid of compiler warning:
1131 no previous prototype for function...
1132 copy_rrset() is only called in the respip module, declare it
1133 static to get rid of compiler warning:
1134 no previous prototype for function 'copy_rrset'
1135 no need for another variable "r"; gets rid of compiler warning:
1136 declaration shadows a local variable in libunbound.c
1137 no need for another variable "ns"; gets rid of compiler warning:
1138 declaration shadows a local variable in iterator.c
1139 - Moved includes and make depend.
1141 23 January 2019: Wouter
1142 - Patch from Manabu Sonoda with tls-ciphers and tls-ciphersuites
1143 options for unbound.conf.
1144 - Fixes for the patch, and man page entry.
1145 - Fix configure to detect SSL_CTX_set_ciphersuites, for better
1146 library compatibility when compiling.
1147 - Patch for TLS session resumption from Manabu Sonoda,
1148 enable with tls-session-ticket-keys in unbound.conf.
1149 - Fixes for patch (includes, declarations, warnings). Free at end
1150 and keep config options in order read from file to keep the first
1151 one as the first one.
1152 - Fix for IXFR fallback to reset counter when IXFR does not timeout.
1154 22 January 2019: Wouter
1155 - Fix space calculation for tcp req buffer size.
1156 - Doc for stream-wait-size and unit test.
1157 - unbound-control stats has mem.streamwait that counts TCP and TLS
1158 waiting result buffers.
1159 - Fix for #4219: secondaries not updated after serial change, unbound
1160 falls back to AXFR after IXFR gives several timeout failures.
1161 - Fix that auth zone after IXFR fallback tries the same master.
1163 21 January 2019: Wouter
1164 - Fix tcp idle timeout test, for difference in the tcp reply code.
1165 - Unit test for tcp request reorder and timeouts.
1166 - Unit tests for ssl out of order processing.
1167 - Fix that multiple dns fragments can be carried in one TLS frame.
1168 - Add stream-wait-size: 4m config option to limit the maximum
1169 memory used by waiting tcp and tls stream replies. This avoids
1170 a denial of service where these replies use up all of the memory.
1172 17 January 2019: Wouter
1173 - For caps-for-id fallback, use the whitelist to avoid timeout
1174 starting a fallback sequence for it.
1175 - increase mesh max activation count for capsforid long fetches.
1177 16 January 2019: Ralph
1178 - Get ready for the DNS flag day: remove EDNS lame procedure, do not
1179 re-query without EDNS after timeout.
1181 15 January 2019: Wouter
1182 - In the out of order processing, reset byte count for (potential)
1184 - Review fixes in out of order processing.
1186 14 January 2019: Wouter
1187 - streamtcp option -a send queries consecutively and prints answers
1189 - Fix for out of order processing administration quit cleanup.
1190 - unit test for tcp out of order processing.
1192 11 January 2019: Wouter
1193 - Initial commit for out-of-order processing for TCP and TLS.
1195 9 January 2019: Wouter
1196 - Log query name for looping module errors.
1198 8 January 2019: Wouter
1199 - Fix syntax in comment of local alias processing.
1200 - Fix NSEC3 record that is returned in wildcard replies from
1201 auth-zone zones with NSEC3 and wildcards.
1203 7 January 2019: Wouter
1204 - On FreeBSD warn if systcl settings do not allow server TCP FASTOPEN,
1205 and server tcp fastopen is enabled at compile time.
1206 - Document interaction between the tls-upstream option in the server
1207 section and forward-tls-upstream option in the forward-zone sections.
1208 - Add contrib/unbound-fuzzme.patch from Jacob Hoffman-Andrews,
1209 the patch adds a program used for fuzzing.
1211 12 December 2018: Wouter
1212 - Fix for crash in dns64 module if response is null.
1214 10 December 2018: Wouter
1215 - Fix config parser memory leaks.
1216 - ip-ratelimit-factor of 1 allows all traffic through, instead of the
1217 previous blocking everything.
1218 - Fix for FreeBSD port make with dnscrypt and dnstap enabled.
1219 - Fix #4206: support openssl 1.0.2 for TLS hostname verification,
1220 alongside the 1.1.0 and later support that is already there.
1221 - Fixup openssl 1.0.2 compile
1223 6 December 2018: Wouter
1224 - Fix dns64 allocation in wrong region for returned internal queries.
1226 3 December 2018: Wouter
1227 - Fix icon, no ragged edges and nicer resolutions available, for eg.
1228 Win 7 and Windows 10 display.
1229 - cache-max-ttl also defines upperbound of initial TTL in response.
1231 30 November 2018: Wouter
1232 - Patch for typo in unbound.conf man page.
1233 - log-tag-queryreply: yes in unbound.conf tags the log-queries and
1234 log-replies in the log file for easier log filter maintenance.
1236 29 November 2018: Wouter
1237 - iana portlist updated.
1238 - Fix chroot auth-zone fix to remove chroot prefix.
1239 - tag for 1.8.2rc1, which became 1.8.2 on 4 dec 2018, with icon
1240 updated. Trunk contains 1.8.3 in development.
1241 Which became 1.8.3 on 11 december with only the dns64 fix of 6 dec.
1242 Trunk then became 1.8.4 in development.
1243 - Fix that unbound-checkconf does not complains if the config file
1244 is not placed inside the chroot.
1245 - Refuse to start with no ports.
1246 - Remove clang analysis warnings.
1248 28 November 2018: Wouter
1249 - Fix leak in chroot fix for auth-zone.
1250 - Fix clang analysis for outside directory build test.
1252 27 November 2018: Wouter
1253 - Fix DNS64 to not store intermediate results in cache, this avoids
1254 other threads from picking up the wrong data. The module restores
1255 the previous no_cache_store setting when the the module is finished.
1256 - Fix #4208: 'stub-no-cache' and 'forward-no-cache' not work.
1257 - New and better fix for Fix #4193: Fix that prefetch failure does
1258 not overwrite valid cache entry with SERVFAIL.
1259 - auth-zone give SERVFAIL when expired, fallback activates when
1260 expired, and this is documented in the man page.
1261 - stat count SERVFAIL downstream auth-zone queries for expired zones.
1262 - Put new logos into windows installer.
1263 - Fix windows compile for new rrset roundrobin fix.
1264 - Update contrib fastrpz patch for latest release.
1266 26 November 2018: Wouter
1267 - Fix to not set GLOB_NOSORT so the unbound.conf include: files are
1268 sorted and in a predictable order.
1269 - Fix #4193: Fix that prefetch failure does not overwrite valid cache
1270 entry with SERVFAIL.
1271 - Add unbound-control view_local_datas command, like local_datas.
1272 - Fix that unbound-control can send file for view_local_datas.
1274 22 November 2018: Wouter
1275 - With ./configure --with-pyunbound --with-pythonmodule
1276 PYTHON_VERSION=3.6 or with 2.7 unbound can compile and unit tests
1277 succeed for the python module.
1278 - pythonmod logs the python error and traceback on failure.
1279 - ignore debug python module for test in doxygen output.
1280 - review fixes for python module.
1281 - Fix #4209: Crash in libunbound when called from getdns.
1282 - auth zone zonefiles can be in a chroot, the chroot directory
1283 components are removed before use.
1284 - Fix that empty zonefile means the zonefile is not set and not used.
1287 21 November 2018: Wouter
1288 - Scrub NS records from NODATA responses as well.
1290 20 November 2018: Wouter
1291 - Scrub NS records from NXDOMAIN responses to stop fragmentation
1292 poisoning of the cache.
1293 - Add patch from Jan Vcelak for pythonmod,
1294 add sockaddr_storage getters, add support for query callbacks,
1295 allow raw address access via comm_reply and update API documentation.
1296 - Removed compile warnings in pythonmod sockaddr routines.
1298 19 November 2018: Wouter
1299 - Support SO_REUSEPORT_LB in FreeBSD 12 with the so-reuseport: yes
1300 option in unbound.conf.
1302 6 November 2018: Ralph
1303 - Bugfix min-client-subnet-ipv6
1305 25 October 2018: Ralph
1306 - Add min-client-subnet-ipv6 and min-client-subnet-ipv4 options.
1308 25 October 2018: Wouter
1309 - Fix #4191: NXDOMAIN vs SERVFAIL during dns64 PTR query.
1310 - Fix #4190: Please create a "ANY" deny option, adds the option
1311 deny-any: yes in unbound.conf. This responds with an empty message
1312 to queries of type ANY.
1313 - Fix #4141: More randomness to rrset-roundrobin.
1314 - Fix #4132: Openness/closeness of RANGE intervals in rpl files.
1315 - Fix #4126: RTT_band too low on VSAT links with 600+ms latency,
1316 adds the option unknown-server-time-limit to unbound.conf that
1317 can be increased to avoid the problem.
1318 - remade makefile dependencies.
1319 - Fix #4152: Logs shows wrong time when using log-time-ascii: yes.
1321 24 October 2018: Ralph
1322 - Add markdel function to ECS slabhash.
1323 - Limit ECS scope returned to client to the scope used for caching.
1324 - Make lint like previous #4154 fix.
1326 22 October 2018: Wouter
1327 - Fix #4192: unbound-control-setup generates keys not readable by
1329 - check that the dnstap socket file can be opened and exists, print
1331 - Fix #4154: make ECS_MAX_TREESIZE configurable, with
1332 the max-ecs-tree-size-ipv4 and max-ecs-tree-size-ipv6 options.
1334 22 October 2018: Ralph
1335 - Change fast-server-num default to 3.
1337 8 October 2018: Ralph
1338 - Add fast-server-permil and fast-server-num options.
1339 - Deprecate low-rtt and low-rtt-permil options.
1341 8 October 2018: Wouter
1342 - Squelch log of failed to tcp initiate after TCP Fastopen failure.
1344 5 October 2018: Wouter
1345 - Squelch EADDRNOTAVAIL errors when the interface goes away,
1346 this omits 'can't assign requested address' errors unless
1347 verbosity is set to a high value.
1348 - Set default for so-reuseport to no for FreeBSD. It is enabled
1349 by default for Linux and DragonFlyBSD. The setting can
1350 be configured in unbound.conf to override the default.
1353 2 October 2018: Wouter
1354 - updated contrib/fastrpz.patch to apply for this version
1355 - dnscrypt.c removed sizeof to get array bounds.
1356 - Fix testlock code to set noreturn on error routine.
1357 - Remove unused variable from contrib fastrpz/rpz.c and
1358 remove unused diagnostic pragmas that themselves generate warnings
1359 - clang analyze test is used only when assertions are enabled.
1361 1 October 2018: Wouter
1362 - tag for release 1.8.1rc1. Became release 1.8.1 on 8 oct, with
1363 fastrpz.patch fix included. Trunk has 1.8.2 in development.
1365 27 September 2018: Wouter
1366 - Fix #4188: IPv6 forwarders without ipv6 result in SERVFAIL, fixes
1367 qname minimisation with a forwarder when connectivity has issues
1368 from rejecting responses.
1370 25 September 2018: Wouter
1371 - Perform TLS SNI indication of the host that is being contacted
1372 for DNS over TLS service. It sets the configured tls auth name.
1373 This is useful for hosts that apart from the DNS over TLS services
1374 also provide other (web) services.
1375 - Fix #4149: Add SSL cleanup for tcp timeout.
1377 17 September 2018: Wouter
1378 - Fix compile on Mac for unbound, provide explicit_bzero when libc
1380 - Fix unbound for openssl in FIPS mode, it uses the digests with
1381 the EVP call contexts.
1382 - Fix that with harden-below-nxdomain and qname minisation enabled
1383 some iterator states for nonresponsive domains can get into a
1384 state where they waited for an empty list.
1385 - Stop UDP to TCP failover after timeouts that causes the ping count
1386 to be reset by the TCP time measurement (that exists for TLS),
1387 because that causes the UDP part to not be measured as timeout.
1388 - Fix #4156: Fix systemd service manager state change notification.
1390 13 September 2018: Wouter
1391 - Fix seed for random backup code to use explicit zero when wiped.
1392 - exit log routine is annotated as noreturn function.
1393 - free memory leaks in config strlist and str2list insert functions.
1394 - do not move unused argv variable after getopt.
1395 - Remove unused if clause in testcode.
1396 - in testcode, free async ids, initialise array, and check for null
1397 pointer during test of the test. And use exit for return to note
1398 irregular program stop.
1399 - Free memory leak in config strlist append.
1400 - make sure nsec3 comparison salt is initialized.
1401 - unit test has clang analysis.
1402 - remove unused variable assignment from iterator scrub routine.
1403 - check for null in delegation point during iterator refetch
1405 - neater pointer cast in libunbound context quit routine.
1406 - initialize statistics totals for printout.
1407 - in authzone check that node exists before adding rrset.
1408 - in unbound-anchor, use readwrite memory BIO.
1409 - assertion in autotrust that packed rrset is formed correctly.
1410 - Fix memory leak when message parse fails partway through copy.
1411 - remove unused udpsize assignment in message encode.
1412 - nicer bio free code in unbound-anchor.
1413 - annotate exit functions with noreturn in unbound-control.
1415 11 September 2018: Wouter
1416 - Fixed unused return value warnings in contrib/fastrpz.patch for
1418 - Fix to squelch respip warning in unit test, it is printed at
1419 higher verbosity settings.
1420 - Fix spelling errors.
1421 - Fix initialisation in remote.c
1423 10 September 2018: Wouter
1424 - 1.8.1 in svn trunk. (changes from 4,5,.. sep apply).
1427 5 September 2018: Wouter
1428 - Fix spelling error in header, from getdns commit by Andreas Gelmini.
1430 4 September 2018: Ralph
1431 - More explicitly mention the type of ratelimit when applying
1434 4 September 2018: Wouter
1435 - Tag for 1.8.0rc1 release, became 1.8.0 release on 10 Sep 2018.
1437 31 August 2018: Wouter
1438 - Disable minimal-responses in subnet unit tests.
1440 30 August 2018: Wouter
1441 - Fix that a local-zone with a local-zone-type that is transparent
1442 in a view with view-first, makes queries check for answers from the
1443 local-zones defined outside of views.
1445 28 August 2018: Ralph
1446 - Disable minimal-responses in ipsecmod unit tests.
1447 - Added serve-expired-ttl and serve-expired-ttl-reset options.
1449 27 August 2018: Wouter
1450 - Set defaults to yes for a number of options to increase speed and
1451 resilience of the server. The so-reuseport, harden-below-nxdomain,
1452 and minimal-responses options are enabled by default. They used
1453 to be disabled by default, waiting to make sure they worked. They
1454 are enabled by default now, and can be disabled explicitly by
1455 setting them to "no" in the unbound.conf config file. The reuseport
1456 and minimal options increases speed of the server, and should be
1457 otherwise harmless. The harden-below-nxdomain option works well
1458 together with the recently default enabled qname minimisation, this
1459 causes more fetches to use information from the cache.
1460 - next release is called 1.8.0.
1461 - Fix lintflags for lint on FreeBSD.
1463 22 August 2018: George
1464 - #4140: Expose repinfo (comm_reply) to the inplace_callbacks. This
1465 gives access to reply information for the client's communication
1466 point when the callback is called before the mesh state (modules).
1467 Changes to C and Python's inplace_callback signatures were also
1470 21 August 2018: Wouter
1471 - log-local-actions: yes option for unbound.conf that logs all the
1472 local zone actions, a patch from Saksham Manchanda (Secure64).
1473 - #4146: num.query.subnet and num.query.subnet_cache counters.
1474 - Fix only misc failure from log-servfail when val-log-level is not
1477 17 August 2018: Ralph
1478 - Fix classification for QTYPE=CNAME queries when QNAME minimisation is
1481 17 August 2018: Wouter
1482 - Set libunbound to increase current, because the libunbound change
1483 to the event callback function signature. That needs programs,
1484 that use it, to recompile against the new header definition.
1485 - print servfail info to log as error.
1486 - added more servfail printout statements, to the iterator.
1487 - log-servfail: yes prints log lines that say why queries are
1488 returning SERVFAIL to clients.
1490 16 August 2018: Wouter
1491 - Fix warning on compile without threads.
1492 - Fix contrib/fastrpz.patch.
1494 15 August 2018: Wouter
1495 - Fix segfault in auth-zone read and reorder of RRSIGs.
1497 14 August 2018: Wouter
1498 - Fix that printout of error for cycle targets is a verbosity 4
1499 printout and does not wrongly print it is a memory error.
1500 - Upgraded crosscompile script to include libunbound DLL in the
1503 10 August 2018: Wouter
1504 - Fix #4144: dns64 module caches wrong (negative) information.
1506 9 August 2018: Wouter
1507 - unbound-checkconf checks if modules exist and prints if they are
1508 not compiled in the name of the wrong module.
1509 - document --enable-subnet in doc/README.
1510 - Patch for stub-no-cache and forward-no-cache options that disable
1511 caching for the contents of that stub or forward, for when you
1512 want immediate changes visible, from Bjoern A. Zeeb.
1514 7 August 2018: Ralph
1515 - Make capsforid fallback QNAME minimisation aware.
1517 7 August 2018: Wouter
1518 - Fix #4142: unbound.service.in: improvements and fixes.
1519 Add unit dependency ordering (based on systemd-resolved).
1520 Add 'CAP_SYS_RESOURCE' to 'CapabilityBoundingSet' (fixes warnings
1521 about missing privileges during startup). Add 'AF_INET6' to
1522 'RestrictAddressFamilies' (without it IPV6 can't work). From
1524 - Patch to implement tcp-connection-limit from Jim Hague (Sinodun).
1525 This limits the number of simultaneous TCP client connections
1526 from a nominated netblock.
1527 - make depend, yacc, lex, doc, headers. And log the limit exceeded
1528 message only on high verbosity, so as to not spam the logs when
1531 6 August 2018: Wouter
1532 - Fix for #4136: Fix to unconditionally call destroy in daemon.c.
1534 3 August 2018: George
1535 - Expose if a query (or a subquery) was ratelimited (not src IP
1536 ratelimiting) to libunbound under 'ub_result.was_ratelimited'.
1537 This also introduces a change to 'ub_event_callback_type' in
1538 libunbound/unbound-event.h.
1541 3 August 2018: Wouter
1542 - Revert previous change for #4136: because it introduces build
1544 - New fix for #4136: This one ignores lex without without
1547 1 August 2018: Wouter
1548 - Fix to remove systemd sockaddr function check, that is not
1549 always present. Make socket activation more lenient. But not
1550 different when socket activation is not used.
1551 - iana port list update.
1553 31 July 2018: Wouter
1554 - Patches from Jim Hague (Sinodun) for EDNS KeepAlive.
1555 - Sort out test runs when the build directory isn't the project
1557 - Add config tcp-idle-timeout (default 30s). This applies to
1558 client connections only; the timeout on TCP connections upstream
1560 - Error if EDNS Keepalive received over UDP.
1561 - Add edns-tcp-keepalive and edns-tcp-keepalive timeout options
1562 and implement option in client responses.
1563 - Correct and expand manual page entries for keepalive and idle timeout.
1564 - Implement progressive backoff of TCP idle/keepalive timeout.
1565 - Fix 'make depend' to work when build dir is not project root.
1566 - Add delay parameter to streamtcp, -d secs.
1567 To be used when testing idle timeout.
1568 - From Wouter: make depend, the dependencies in the patches did not
1569 apply cleanly. Also remade yacc and lex.
1570 - Fix mesh.c incompatible pointer pass.
1571 - Please doxygen so it passes.
1572 - Fix #4139: Fix unbound-host leaks memory on ANY.
1574 30 July 2018: Wouter
1575 - Fix #4136: insufficiency from mismatch of FLEX capability between
1576 released tarball and build host.
1578 27 July 2018: Wouter
1579 - Fix man page, say that chroot is enabled by default.
1581 26 July 2018: Wouter
1582 - Fix #4135: 64-bit Windows Installer Creates Entries Under The
1583 Wrong Registry Key, reported by Brian White.
1585 23 July 2018: Wouter
1586 - Fix use-systemd readiness signalling, only when use-systemd is yes
1587 and not in signal handler.
1589 20 July 2018: Wouter
1590 - Fix #4130: print text describing -dd and unbound-checkconf on
1591 config file read error at startup, the errors may have been moved
1592 away by the startup process.
1593 - Fix #4131: for solaris, error YY_CURRENT_BUFFER undeclared.
1595 19 July 2018: Wouter
1596 - Fix #4129 unbound-control error message with wrong cert permissions
1599 17 July 2018: Wouter
1600 - Fix #4127 unbound -h does not list -p help.
1601 - Print error if SSL name verification configured but not available
1603 - Fix that ratelimit and ip-ratelimit are applied after reload of
1604 changed config file.
1605 - Resize ratelimit and ip-ratelimit caches if changed on reload.
1607 16 July 2018: Wouter
1608 - Fix qname minimisation NXDOMAIN validation lookup failures causing
1609 error_supers assertion fails.
1610 - Squelch can't bind socket errors with Permission denied unless
1611 verbosity is 4 or higher, for UDP outgoing sockets.
1613 12 July 2018: Wouter
1614 - Fix to improve systemd socket activation code file descriptor
1616 - Fix for 4126 that the #define for UNKNOWN_SERVER_NICENESS can be more
1617 easily changed to adjust default rtt assumptions.
1619 10 July 2018: Wouter
1620 - Note in documentation that the cert name match code needs
1621 OpenSSL 1.1.0 or later to be enabled.
1624 - Fix documentation ambiguity for tls-win-cert in tls-upstream and
1625 forward-tls-upstream docs.
1627 - Note RFC8162 support. SMIMEA record type can be read in by the
1629 - Fix round robin for failed addresses with prefer-ip6: yes
1632 - Fix #4112: Fix that unbound-anchor -f /etc/resolv.conf will not pass
1633 if DNSSEC is not enabled. New option -R allows fallback from
1634 resolv.conf to direct queries.
1637 - Better documentation for unblock-lan-zones and insecure-lan-zones
1639 - Fix permission denied printed for auth zone probe random port nrs.
1642 - Fix checking for libhiredis printout in configure output.
1643 - Fix typo on man page in ip-address description.
1644 - Update libunbound/python/examples/dnssec_test.py example code to
1645 also set the 20326 trust anchor for the root in the example code.
1647 29 June 2018: Wouter
1648 - dns64-ignore-aaaa: config option to list domain names for which the
1649 existing AAAA is ignored and dns64 processing is used on the A
1652 28 June 2018: Wouter
1653 - num.queries.tls counter for queries over TLS.
1654 - log port number with err_addr logs.
1656 27 June 2018: Wouter
1657 - #4109: Fix that package config depends on python unconditionally.
1658 - Patch, do not export python from pkg-config, from Petr Menšík.
1660 26 June 2018: Wouter
1661 - Partial fix for permission denied on IPv6 address on FreeBSD.
1662 - Fix that auth-zone master reply with current SOA serial does not
1663 stop scan of masters for an updated zone.
1664 - Fix that auth-zone does not start the wait timer without checking
1665 if the wait timer has already been started.
1667 21 June 2018: Wouter
1668 - #4108: systemd reload hang fix.
1669 - Fix usage printout for unbound-host, hostname has to be last
1670 argument on BSDs and Windows.
1672 19 June 2018: Wouter
1673 - Fix for unbound-control on Windows and set TCP socket parameters
1675 This fix is part of 1.7.3.
1676 - Windows example service.conf edited with more windows specific
1678 - Fix windows unbound-control no cert bad file descriptor error.
1679 This fix is part of 1.7.3.
1681 18 June 2018: Wouter
1682 - Fix that control-use-cert: no works for 127.0.0.1 to disable certs.
1683 This fix is part of 1.7.3rc2.
1684 - Fix unbound-checkconf for control-use-cert.
1685 This fix is part of 1.7.3.
1687 15 June 2018: Wouter
1690 - unbound-control auth_zone_reload _zone_ option rereads the zonefile.
1691 - unbound-control auth_zone_transfer _zone_ option starts the probe
1692 sequence for a master to transfer the zone from and transfers when
1693 a new zone version is available.
1695 14 June 2018: Wouter
1696 - #4103: Fix that auth-zone does not insist on SOA record first in
1697 file for url downloads.
1698 - Fix that first control-interface determines if TLS is used. Warn
1699 when IP address interfaces are used without TLS.
1700 - Fix nettle compile.
1703 - Don't count CNAME response types received during qname minimisation as
1706 12 June 2018: Wouter
1707 - #4102 for NSD, but for Unbound. Named unix pipes do not use
1708 certificate and key files, access can be restricted with file and
1709 directory permissions. The option control-use-cert is no longer
1710 used, and ignored if found in unbound.conf.
1711 - Rename tls-additional-ports to tls-additional-port, because every
1713 - Fix buffer size warning in unit test.
1714 - remade dependencies in the Makefile.
1717 - Patch to fix openwrt for mac os build darwin detection in configure.
1720 - Fix crash if ratelimit taken into use with unbound-control
1721 instead of with unbound.conf.
1724 - Fix deadlock caused by incoming notify for auth-zone.
1725 - tag for 1.7.2rc1, became 1.7.2 release on 11 June 2018,
1726 trunk is 1.7.3 in development from this point.
1727 - #4100: Fix stub reprime when it becomes useless.
1730 - Rename additional-tls-port to tls-additional-ports.
1731 The older name is accepted for backwards compatibility.
1734 - Patch from Syzdek: Add ability to ignore RD bit and treat all
1735 requests as if the RD bit is set.
1738 - in compat/arc4random call getentropy_urandom when getentropy fails
1740 - Fix that fallback for windows port.
1743 - Fix windows tcp and tls spin on events.
1744 - Add routine from getdns to add windows cert store to the SSL_CTX.
1745 - tls-win-cert option that adds the system certificate store for
1746 authenticating DNS-over-TLS connections. It can be used instead
1747 of the tls-cert-bundle option, or with it to add certificates.
1750 - For TCP and TLS connections that don't establish, perform address
1751 update in infra cache, so future selections can exclude them.
1752 - Fix that tcp sticky events are removed for closed fd on windows.
1753 - Fix close events for tcp only.
1756 - Fix that libunbound can do DNS-over-TLS, when configured.
1757 - Fix that windows unbound service can use DNS-over-TLS.
1758 - unbound-host initializes ssl (for potential DNS-over-TLS usage
1759 inside libunbound), when ssl upstream or a cert-bundle is configured.
1762 - Use accept4 to speed up incoming TCP (and TLS) connections,
1763 available on Linux, FreeBSD and OpenBSD.
1766 - Qname minimisation default changed to yes.
1769 - Fix low-rtt-pct to low-rtt-permil, as it is parts in one thousand.
1772 - Fix contrib/libunbound.pc for libssl libcrypto references,
1773 from https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=226914
1776 - Fix windows to not have sticky TLS events for TCP.
1777 - Fix read of DNS over TLS length and data in one read call.
1778 - Fix mesh state assertion failure due to callback removal.
1781 - Fix that configure --with-libhiredis also turns on cachedb.
1782 - Fix gcc 8 buffer warning in testcode.
1783 - Fix function type cast warning in libunbound context callback type.
1786 - Fix fail to reject dead peers in forward-zone, with ssl-upstream.
1789 - Fix that unbound-control reload frees the rrset keys and returns
1790 the memory pages to the system.
1792 30 April 2018: Wouter
1793 - Fix spelling error in man page and note defaults as no instead of
1796 26 April 2018: Wouter
1797 - Fix for crash in daemon_cleanup with dnstap during reload,
1798 from Saksham Manchanda.
1799 - Also that for dnscrypt.
1800 - tag for 1.7.1rc1 release. Became 1.7.1 release on 3 May, trunk
1801 is from here 1.7.2 in development.
1803 25 April 2018: Ralph
1804 - Fix memory leak when caching wildcard records for aggressive NSEC use
1806 24 April 2018: Wouter
1807 - Fix contrib/fastrpz.patch for this release.
1808 - Fix auth https for libev.
1810 24 April 2018: Ralph
1811 - Added root-key-sentinel support
1813 23 April 2018: Wouter
1814 - makedist uses bz2 for expat code, instead of tar.gz.
1815 - Fix #4092: libunbound: use-caps-for-id lacks colon in
1817 - auth zone http download stores exact copy of downloaded file,
1818 including comments in the file.
1819 - Fix sldns parse failure for CDS alternate delete syntax empty hex.
1820 - Attempt for auth zone fix; add of callback in mesh gets from
1821 callback does not skip callback of result.
1822 - Fix cname classification with qname minimisation enabled.
1823 - list_auth_zones unbound-control command.
1825 20 April 2018: Wouter
1826 - man page documentation for dns-over-tls forward-addr '#' notation.
1827 - removed free from failed parse case.
1828 - Fix #4091: Fix that reload of auth-zone does not merge the zonefile
1829 with the previous contents.
1830 - Delete auth zone when removed from config.
1832 19 April 2018: Wouter
1833 - Can set tls authentication with forward-addr: IP#tls.auth.name
1834 And put the public cert bundle in tls-cert-bundle: "ca-bundle.pem".
1835 such as forward-addr: 9.9.9.9@853#dns.quad9.net or
1836 1.1.1.1@853#cloudflare-dns.com
1837 - Fix #658: unbound using TLS in a forwarding configuration does not
1838 verify the server's certificate (RFC 8310 support).
1839 - For addr with #authname and no @port notation, the default is 853.
1841 18 April 2018: Wouter
1842 - Fix auth-zone retry timer to be on schedule with retry timeout,
1843 with backoff. Also time a refresh at the zone expiry.
1845 17 April 2018: Wouter
1846 - auth zone notify work.
1847 - allow-notify: config statement for auth-zones.
1848 - unit test for allow-notify
1850 16 April 2018: Wouter
1851 - Fix auth zone target lookup iterator.
1852 - auth zone notify with prefix
1853 - auth zone notify work.
1855 13 April 2018: Wouter
1856 - Fix for max include depth for authzones.
1857 - Fix memory free on fail for $INCLUDE in authzone.
1858 - Fix that an internal error to look up the wrong rr type for
1859 auth zone gets stopped, before trying to send there.
1860 - auth zone notify work.
1862 10 April 2018: Ralph
1863 - num.query.aggressive.NOERROR and num.query.aggressive.NXDOMAIN
1864 statistics counters.
1866 10 April 2018: Wouter
1867 - documentation for low-rtt and low-rtt-pct.
1868 - auth zone notify work.
1870 9 April 2018: Wouter
1871 - Fix that flush_zone sets prefetch ttl expired, so that with
1872 serve-expired enabled it'll start prefetching those entries.
1873 - num.query.authzone.up and num.query.authzone.down statistics counters.
1874 - Fix downstream auth zone, only fallback when auth zone fails to
1875 answer and fallback is enabled.
1876 - Accept both option names with and without colon for get_option
1878 - low-rtt and low-rtt-pct in unbound.conf enable the server selection
1879 of fast servers for some percentage of the time.
1881 5 April 2018: Wouter
1882 - Combine write of tcp length and tcp query for dns over tls.
1883 - nitpick fixes in example.conf.
1884 - Fix above stub queries for type NS and useless delegation point.
1885 - Fix unbound-control over pipe with openssl 1.1.1, the TLSv1.3
1886 tls_choose_sigalg routine does not allow the ciphers for the pipe,
1890 3 April 2018: Wouter
1891 - Fix #4043: make test fails due to v6 presentation issue in macOS.
1892 - Fix unable to resolve after new WLAN connection, due to auth-zone
1893 failing with a forwarder set. Now, auth-zone is only used for
1894 answers (not referrals) when a forwarder is set.
1896 29 March 2018: Ralph
1897 - Check "result" in dup_all(), by Florian Obser.
1899 23 March 2018: Ralph
1900 - Fix unbound-control get_option aggressive-nsec
1902 21 March 2018: Ralph
1903 - Do not use cached NSEC records to generate negative answers for
1904 domains under DNSSEC Negative Trust Anchors.
1906 19 March 2018: Wouter
1909 16 March 2018: Wouter
1910 - corrected a minor typo in the changelog.
1911 - move htobe64/be64toh portability code to cachedb.c.
1913 15 March 2018: Wouter
1914 - Add --with-libhiredis, unbound support for a new cachedb backend
1915 that uses a Redis server as the storage. This implementation
1916 depends on the hiredis client library (https://redislabs.com/lp/hiredis/).
1917 And unbound should be built with both --enable-cachedb and
1918 --with-libhiredis[=PATH] (where $PATH/include/hiredis/hiredis.h
1919 should exist). Patch from Jinmei Tatuya (Infoblox).
1920 - Fix #3817: core dump happens in libunbound delete, when queued
1921 servfail hits deleted message queue.
1922 - Create additional tls service interfaces by opening them on other
1923 portnumbers and listing the portnumbers as additional-tls-port: nr.
1925 13 March 2018: Wouter
1926 - Fix typo in documentation.
1927 - Fix #3736: Fix 0 TTL domains stuck on SERVFAIL unless manually
1928 flushed with serve-expired on.
1930 12 March 2018: Wouter
1931 - Added documentation for aggressive-nsec: yes.
1932 - tag 1.7.0rc3. That became the 1.7.0 release on 15 Mar, trunk
1933 now has 1.7.1 in development.
1934 - Fix #3727: Protocol name is TLS, options have been renamed but
1935 documentation is not consistent.
1936 - Check IXFR start serial.
1938 9 March 2018: Wouter
1939 - Fix #3598: Fix swig build issue on rhel6 based system.
1940 configure --disable-swig-version-check stops the swig version check.
1942 8 March 2018: Wouter
1945 7 March 2018: Wouter
1946 - Fixed contrib/fastrpz.patch, even though this already applied
1947 cleanly for me, now also for others.
1948 - patch to log creates keytag queries, from A. Schulze.
1949 - patch suggested by Debian lintian: allow to -> allow one to, from
1951 - Attempt to remove warning about trailing whitespace.
1953 6 March 2018: Wouter
1954 - Reverted fix for #3512, this may not be the best way forward;
1955 although it could be changed at a later time, to stay similar to
1956 other implementations.
1957 - svn trunk contains 1.7.0, this is the number for the next release.
1958 - Fix for windows compile.
1961 5 March 2018: Wouter
1962 - Fix to check define of DSA for when openssl is without deprecated.
1964 - Fix #3582: Squelch address already in use log when reuseaddr option
1965 causes same port to be used twice for tcp connections.
1967 27 February 2018: Wouter
1968 - Fixup contrib/fastrpz.patch so that it applies.
1969 - Fix compile without threads, and remove unused variable.
1970 - Fix compile with staticexe and python module.
1971 - Fix nettle compile.
1973 22 February 2018: Ralph
1974 - Save wildcard RRset from answer with original owner for use in
1977 21 February 2018: Wouter
1978 - Fix #3512: unbound incorrectly reports SERVFAIL for CAA query
1979 when there is a CNAME loop.
1980 - Fix validation for CNAME loops. When it detects a cname loop,
1981 by finding the cname, cname in the existing list, it returns
1982 the partial result with the validation result up to then.
1983 - more robust cachedump rrset routine.
1985 19 February 2018: Wouter
1986 - Fix #3505: Documentation for default local zones references
1988 - Fix #3494: local-zone noview can be used to break out of the view
1989 to the global local zone contents, for queries for that zone.
1990 - Fix for more maintainable code in localzone.
1992 16 February 2018: Wouter
1993 - Fixes for clang static analyzer, the missing ; in
1994 edns-subnet/addrtree.c after the assert made clang analyzer
1995 produce a failure to analyze it.
1997 13 February 2018: Ralph
1998 - Aggressive NSEC tests
2000 13 February 2018: Wouter
2001 - tls-cert-bundle option in unbound.conf enables TLS authentication.
2004 12 February 2018: Wouter
2005 - Unit test for auth zone https url download.
2007 12 February 2018: Ralph
2008 - Added tests with wildcard expanded NSEC records (CVE-2017-15105 test)
2009 - Processed aggressive NSEC code review remarks Wouter
2011 8 February 2018: Ralph
2012 - Aggressive use of NSEC implementation. Use cached NSEC records to
2013 generate NXDOMAIN, NODATA and positive wildcard answers.
2015 8 February 2018: Wouter
2017 - auth zone url config.
2019 5 February 2018: Wouter
2020 - Fix #3451: dnstap not building when you have a separate build dir.
2021 And removed protoc warning, set dnstap.proto syntax to proto2.
2022 - auth-zone provides a way to configure RFC7706 from unbound.conf,
2023 eg. with auth-zone: name: "." for-downstream: no for-upstream: yes
2024 fallback-enabled: yes and masters or a zonefile with data.
2026 2 February 2018: Wouter
2027 - Fix unfreed locks in log and arc4random at exit of unbound.
2028 - unit test with valgrind
2029 - Fix lock race condition in dns cache dname synthesis.
2030 - lock subnet new item before insertion to please checklocks,
2031 no modification of critical regions outside of lock region.
2033 1 February 2018: Wouter
2034 - fix unaligned structure making a false positive in checklock
2037 29 January 2018: Ralph
2038 - Use NSEC with longest ce to prove wildcard absence.
2039 - Only use *.ce to prove wildcard absence, no longer names.
2041 25 January 2018: Wouter
2042 - ltrace.conf file for libunbound in contrib.
2044 23 January 2018: Wouter
2045 - Fix that unbound-checkconf -f flag works with auto-trust-anchor-file
2046 for startup scripts to get the full pathname(s) of anchor file(s).
2047 - Print fatal errors about remote control setup before log init,
2048 so that it is printed to console.
2050 22 January 2018: Wouter
2051 - Accept tls-upstream in unbound.conf, the ssl-upstream keyword is
2052 also recognized and means the same. Also for tls-port,
2053 tls-service-key, tls-service-pem, stub-tls-upstream and
2054 forward-tls-upstream.
2055 - Fix #3397: Fix that cachedb could return a partial CNAME chain.
2056 - Fix #3397: Fix that when the cache contains an unsigned DNAME in
2057 the middle of a cname chain, a result without the DNAME could
2060 19 January 2018: Wouter
2061 - tag 1.6.8 for release with CVE fix.
2062 - trunk has 1.6.9 with fix and previous commits.
2063 - patch for CVE-2017-15105: vulnerability in the processing of
2064 wildcard synthesized NSEC records.
2066 - make depend: code dependencies updated in Makefile.
2068 4 January 2018: Ralph
2069 - Copy query and correctly set flags on REFUSED answers when cache
2070 snooping is not allowed.
2072 3 January 2018: Ralph
2073 - Fix queries being leaked above stub when refetching glue.
2075 2 January 2017: Wouter
2076 - Fix that DS queries with referral replies are answered straight
2077 away, without a repeat query picking the DS from cache.
2078 The correct reply should have been an answer, the reply is fixed
2079 by the scrubber to have the answer in the answer section.
2080 - Remove clang optimizer disable,
2081 Fix that expiration date checks don't fail with clang -O2.
2083 15 December 2017: Wouter
2084 - Fix timestamp failure because of clang optimizer failure, by
2085 disabling -O2 when the compiler --version is clang.
2087 - Also disable -flto for clang, to make incep-expi signature check
2090 12 December 2017: Ralph
2091 - Fix qname-minimisation documentation (A QTYPE, not NS)
2093 12 December 2017: Wouter
2094 - authzone work, transfer connect.
2096 7 December 2017: Ralph
2097 - Check whether --with-libunbound-only is set when using --with-nettle
2100 4 December 2017: Wouter
2101 - Fix link failure on OmniOS.
2103 1 December 2017: Wouter
2106 30 November 2017: Wouter
2107 - Fix #3299 - forward CNAME daisy chain is not working
2109 14 November 2017: Wouter
2110 - Fix #2882: Unbound behaviour changes (wrong) when domain-insecure is
2111 set for stub zone. It no longer searches for DNSSEC information.
2112 - auth xfer work on probe timer and lookup.
2114 13 November 2017: Wouter
2115 - Fix #2801: Install libunbound.pc.
2116 - Fix qname minimisation to send AAAA queries at zonecut like type A.
2117 - reverted AAAA change.
2119 7 November 2017: Wouter
2120 - Fix #2492: Documentation libunbound.
2122 3 November 2017: Wouter
2123 - Fix #2362: TLS1.3/openssl-1.1.1 not working.
2124 - Fix #2034 - Autoconf and -flto.
2125 - Fix #2141 - for libsodium detect lack of entropy in chroot, print
2128 2 November 2017: Wouter
2129 - Fix #1913: ub_ctx_config is under circumstances thread-safe.
2130 - make ip-transparent option work on OpenBSD.
2132 31 October 2017: Wouter
2133 - Document that errno is left informative on libunbound config read
2138 25 October 2017: Ralph
2139 - Fixed libunbound manual typo.
2140 - Fix #1949: [dnscrypt] make provider name mismatch more obvious.
2141 - Fix #2031: Double included headers
2143 24 October 2017: Ralph
2144 - Update B root ipv4 address.
2146 19 October 2017: Wouter
2147 - authzone work, probe timer setup.
2149 18 October 2017: Wouter
2150 - lint for recent authzone commit.
2152 17 October 2017: Wouter
2153 - Fix #1749: With harden-referral-path: performance drops, due to
2154 circular dependency in NS and DS lookups.
2155 - [dnscrypt] prevent dnscrypt-secret-key, dnscrypt-provider-cert
2157 - [dnscrypt] introduce dnscrypt-provider-cert-rotated option,
2159 This option allows handling multiple cert/key pairs while only
2160 distributing some of them.
2161 In order to reliably match a client magic with a given key without
2162 strong assumption as to how those were generated, we need both key and
2163 cert. Likewise, in order to know which ES version should be used.
2164 On the other hand, when rotating a cert, it can be desirable to only
2165 serve the new cert but still be able to handle clients that are still
2166 using the old certs's public key.
2167 The `dnscrypt-provider-cert-rotated` allow to instruct unbound to not
2168 publish the cert as part of the DNS's provider_name's TXT answer.
2169 - Better documentation for cache-max-negative-ttl.
2170 - Work on local root zone code.
2172 10 October 2017: Wouter
2174 - trunk has version 1.6.8.
2176 6 October 2017: Wouter
2177 - Fix spelling in unbound-control man page.
2179 5 October 2017: Wouter
2180 - Fix trust-anchor-signaling works in libunbound.
2181 - Fix some more crpls in testdata for different signaling default.
2184 5 October 2017: Ralph
2185 - Set trust-anchor-signaling default to yes
2186 - Use RCODE from A query on DNS64 synthesized answer.
2188 2 October 2017: Wouter
2189 - Fix param unused warning for windows exportsymbol compile.
2191 25 September 2017: Ralph
2192 - Fix #1450: Generate again patch contrib/aaaa-filter-iterator.patch
2193 (by Danilo G. Baio).
2195 21 September 2017: Ralph
2196 - Log name of looping module
2198 19 September 2017: Wouter
2199 - use a cachedb answer even if it's "expired" when serve-expired is yes
2200 (patch from Jinmei Tatuya).
2201 - trigger refetching of the answer in that case (this will bypass
2203 - allow storing a 0-TTL answer from cachedb in the in-memory message
2204 cache when serve-expired is yes
2205 - Fix DNSCACHE_STORE_ZEROTTL to be bigger than 0xffff.
2207 18 September 2017: Ralph
2208 - Fix #1400: allowing use of global cache on ECS-forwarding unless
2211 18 September 2017: Wouter
2212 - tag 1.6.6 (is 1.6.6rc2)
2213 - Fix that looping modules always stop the query, and don't pass
2215 - Fix #1435: Please allow UDP to be disabled separately upstream and
2217 - Fix #1440: [dnscrypt] client nonce cache.
2219 15 September 2017: Wouter
2220 - Fix unbound-host to report error for DNSSEC state of failed lookups.
2221 - Spelling fixes, from Josh Soref.
2223 13 September 2017: Wouter
2224 - tag 1.6.6rc2, became 1.6.6 on 18 sep. trunk 1.6.7 in development.
2226 12 September 2017: Wouter
2227 - Add dns64 for client-subnet in unbound-checkconf.
2229 4 September 2017: Ralph
2230 - Fix #1412: QNAME minimisation strict mode not honored
2231 - Fix #1434: Fix windows openssl 1.1.0 linking.
2233 4 September 2017: Wouter
2235 - makedist fix for windows binaries, with openssl 1.1.0 windres fix,
2236 and expat 2.2.4 install target fix.
2238 1 September 2017: Wouter
2239 - Recommend 1472 buffer size in unbound.conf
2241 31 August 2017: Wouter
2242 - Fix #1424: cachedb:testframe is not thread safe.
2243 - For #1417: escape ; in dnscrypt tests.
2244 - but reverted that, tests fails with that escape.
2245 - Fix #1417: [dnscrypt] shared secret cache counters, and works when
2246 dnscrypt is not enabled. And cache size configuration option.
2248 - Fix #1418: [ip ratelimit] initialize slabhash using
2251 30 August 2017: Wouter
2252 - updated contrib/fastrpz.patch to apply with configparser changes.
2253 - Fix 1416: qname-minimisation breaks TLSA lookups with CNAMEs.
2255 29 August 2017: Wouter
2256 - Fix #1414: fix segfault on parse failure and log_replies.
2257 - zero qinfo in handle_request, this zeroes local_alias and also the
2259 - new keys and certs for dnscrypt tests.
2260 - fixup WKS test on buildhost without servicebyname.
2262 28 August 2017: Wouter
2263 - Fix #1415: patch to free dnscrypt environment on reload.
2264 - iana portlist update
2265 - Fix #1415: [dnscrypt] shared secret cache, patch from
2267 - Small fixes for the shared secret cache patch.
2268 - Fix WKS records on kvm autobuild host, with default protobyname
2269 entries for udp and tcp.
2271 23 August 2017: Wouter
2272 - Fix #1407: Add ECS options check to unbound-checkconf.
2274 - Fix to reclaim tcp handler when it is closed due to dnscrypt buffer
2277 22 August 2017: Wouter
2278 - Fix install of trust anchor when two anchors are present, makes both
2279 valid. Checks hash of DS but not signature of new key. This fixes
2280 the root.key file if created when unbound is installed between
2281 sep11 and oct11 2017.
2282 - tag 1.6.5 with pointrelease 1.6.5 (1.6.4 plus 5011 fix).
2283 - trunk version 1.6.6 in development.
2284 - Fix issue on macOX 10.10 where TCP fast open is detected but not
2285 implemented causing TCP to fail. The fix allows fallback to regular
2286 TCP in this case and is also more robust for cases where connectx()
2287 fails for some reason.
2288 - Fix #1402: squelch invalid argument error for fd_set_block on windows.
2290 10 August 2017: Wouter
2291 - Patch to show DNSCrypt status in help output, from Carsten
2294 8 August 2017: Wouter
2295 - Fix #1398: make cachedb secret configurable.
2296 - Remove spaces from Makefile.
2298 7 August 2017: Wouter
2299 - Fix #1397: Recursive DS lookups for AS112 zones names should recurse.
2301 3 August 2017: Ralph
2302 - Remove unused iter_env member (ip6arpa_dname)
2303 - Do not reset rrset.bogus stats when called using stats_noreset.
2304 - Added stats for queries that have been ratelimited by domain
2306 - Do not add rrset_bogus and query ratelimiting stats per thread, these
2307 module stats are global.
2309 3 August 2017: Wouter
2310 - Fix #1394: mix of serve-expired and response-ip could cause a crash.
2312 24 July 2017: Wouter
2313 - upgrade aclocal(pkg.m4 0.29.1), config.guess(2016-10-02),
2314 config.sub(2016-09-05).
2315 - annotate case statement fallthrough for gcc 7.1.1.
2316 - flex output from flex 2.6.1.
2317 - snprintf of thread number does not warn about truncated string.
2318 - squelch TCP fast open error on FreeBSD when kernel has it disabled,
2319 unless verbosity is high.
2320 - remove warning from windows compile.
2321 - Fix compile with libnettle
2322 - Fix DSA configure switch (--disable dsa) for libnettle and libnss.
2323 - Fix #1365: Add Ed25519 support using libnettle.
2324 - iana portlist update
2326 17 July 2017: Wouter
2327 - Fix #1350: make cachedb backend configurable (from JINMEI Tatuya).
2328 - Fix #1349: allow suppression of pidfiles (from Daniel Kahn Gillmor).
2329 With the -p option unbound does not create a pidfile.
2331 11 July 2017: Wouter
2332 - Fix #1344: RFC6761-reserved domains: test. and invalid.
2333 - Redirect all localhost names to localhost address for RFC6761.
2336 - Fix tests to use .tdir (from Manu Bretelle) instead of .tpkg.
2337 - Fix svn hooks for tdir (selected if testcode/mini_tdir.sh exists)..
2340 - Fix 1332: Bump verbosity of failed chown'ing of the control socket.
2343 - Fix for unbound-checkconf, check ipsecmod-hook if ipsecmod is turned
2345 - Fix #1331: libunbound segfault in threaded mode when context is
2347 - Fix pythonmod link line option flag.
2348 - Fix openssl 1.1.0 load of ssl error strings from ssl init.
2350 29 June 2017: Wouter
2351 - Fix python example0 return module wait instead of error for pass.
2352 - iana portlist update
2353 - enhancement for hardened-tls for DNS over TLS. Removed duplicated
2356 27 June 2017: Wouter
2357 - Tag 1.6.4 is created with the 1.6.4rc2 contents.
2358 - Trunk contains 1.6.5, with changes from 26, 27 june.
2359 - Remove signed unsigned warning from authzone.
2360 - Fix that infra cache host hash does not change after reconfig.
2362 26 June 2017: Wouter
2364 Better fixup of dnscrypt_cert_chacha test for different escapes.
2365 - First fix for zero b64 and hex text zone format in sldns.
2366 - unbound-control dump_infra prints port number for address if not 53.
2368 23 June 2017: Wouter
2369 - (for 1.6.5): fixup of dnscrypt_cert_chacha test (from Manu Bretelle).
2371 22 June 2017: Wouter
2375 - Added fastrpz patch to contrib
2377 21 June 2017: Wouter
2378 - Fix #1316: heap read buffer overflow in parse_edns_options.
2380 20 June 2017: Wouter
2381 - Fix warning in pythonmod under clang compiler.
2386 - Fix #1277: disable domain ratelimit by setting value to 0.
2388 16 June 2017: Wouter
2389 - Fix #1301: memory leak in respip and tests.
2390 - Free callback in edns-subnetmod on exit and restart.
2391 - Fix memory leak in sldns_buffer_new_frm_data.
2392 - Fix memory leak in dnscrypt config read.
2393 - Fix dnscrypt chacha cert support ifdefs.
2394 - Fix dnscrypt chacha cert unit test escapes in grep.
2395 - Remove asynclook tests that cause test and purifier problems.
2396 - Fix to unlock view in view test.
2398 15 June 2017: Wouter
2399 - Fix stub zone queries leaking to the internet for
2400 harden-referral-path ns checks.
2401 - Fix query for refetch_glue of stub leaking to internet.
2403 13 June 2017: Wouter
2404 - Fix #1279: Memory leak on reload when python module is enabled.
2405 - Fix #1280: Unbound fails assert when response from authoritative
2406 contains malformed qname. When 0x20 caps-for-id is enabled, when
2407 assertions are not enabled the malformed qname is handled correctly.
2408 - 1.6.3 tag created, with only #1280 fix, trunk is 1.6.4 development.
2409 - More fixes in depth for buffer checks in 0x20 qname checks.
2411 12 June 2017: Wouter
2412 - Fix #1278: Incomplete wildcard proof.
2415 - Added domain name based ECS whitelist.
2418 - Detect chacha for dnscrypt at configure time.
2419 - dnscrypt unit tests with chacha.
2422 - Fix that unbound-control can set val_clean_additional and val_permissive_mode.
2423 - Add dnscrypt XChaCha20 tests.
2426 - Add an explicit type cast for TCP FASTOPEN fix.
2427 - renumbering B-Root's IPv6 address to 2001:500:200::b.
2428 - Fix #1275: cached data in cachedb is never used.
2429 - Fix #1276: [dnscrypt] add XChaCha20-Poly1305 cipher.
2432 - Fix #1274: automatically trim chroot path from dnscrypt key/cert paths
2433 (from Manu Bretelle).
2436 - Fix fastopen EPIPE fallthrough to perform connect.
2439 - Also use global local-zones when there is a matching view that does
2440 not have any local-zone specified.
2443 - Fix #1273: cachedb.c doesn't compile with -Wextra.
2444 - If MSG_FASTOPEN gives EPIPE fallthrough to try normal tcp write.
2447 - Fix #1269: inconsistent use of built-in local zones with views.
2448 - Add defaults for new local-zone trees added to views using
2452 - Support for openssl EVP_DigestVerify.
2453 - Support for the ED25519 algorithm with openssl (from openssl 1.1.1).
2456 - Fix assertion for low buffer size and big edns payload when worker
2460 - Added redirect-bogus.patch to contrib directory.
2463 - Fix #1270: unitauth.c doesn't compile with higher warning level
2465 - exec_prefix is by default equal to prefix.
2466 - printout localzone for duplicate local-zone warnings.
2469 - authzone cname chain, no rrset duplicates, wildcard doesn't change
2470 rrsets added for cname chain.
2473 - first services/authzone check in, it compiles and reads and writes
2475 - iana portlist update
2478 - Fix #1268: SIGSEGV after log_reopen.
2481 - Fix #1265 to use /bin/kill.
2482 - Fix #1267: Libunbound validator/val_secalgo.c uses obsolete APIs,
2483 and compatibility with BoringSSL.
2486 - Fix #1265: contrib/unbound.service contains hardcoded path.
2489 - Use qstate's region for IPSECKEY rrset (ipsecmod).
2492 - Implemented opportunistic IPsec support module (ipsecmod).
2493 - Some whitespace fixup.
2496 - updated dependencies in the makefile.
2497 - document trust-anchor-signaling in example config file.
2498 - updated configure, dependencies and flex output.
2499 - better module memory lookup, fix of unbound-control shm names for
2500 module memory printout of statistics.
2501 - Fix type AVC sldns rrdef.
2504 - Adjust servfail by iterator to not store in cache when serve-expired
2505 is enabled, to avoid overwriting useful information there.
2506 - Fix queries for nameservers under a stub leaking to the internet.
2509 - Add 'c' to getopt() in testbound.
2510 - iana portlist update
2513 - Fix tcp-mss failure printout text.
2514 - Set SO_REUSEADDR on outgoing tcp connections to fix the bind before
2515 connect limited tcp connections. With the option tcp connections
2516 can share the same source port (for different destinations).
2519 - Added mesh_add_sub to add detached mesh entries.
2520 - Use mesh_add_sub for key tag signaling query.
2523 - Added test for leak of stub information.
2524 - Fix sldns wire2str printout of RR type CAA tags.
2525 - Fix sldns int16_data parse.
2526 - Fix sldns parse and printout of TSIG RRs.
2527 - sldns SMIMEA and AVC definitions, same as getdns definitions.
2530 - Fix #1259: "--disable-ecdsa" argument overwritten
2531 by "#ifdef SHA256_DIGEST_LENGTH@daemon/remote.c".
2532 - iana portlist update
2533 - Fix #1258: Windows 10 X64 unbound 1.6.2 service will not start.
2534 and fix that 64bit getting installed in C:\Program Files (x86).
2536 26 April 2017: Ralph
2537 - Implemented trust anchor signaling using key tag query.
2539 26 April 2017: Wouter
2540 - Based on #1257: check parse limit before t increment in sldns RR
2541 string parse routine.
2543 24 April 2017: Wouter
2544 - unbound-checkconf -o allows query of dnstap config variables.
2545 Also unbound-control get_option. Also for dnscrypt.
2546 - trunk contains 1.6.3 version number (changes from 1.6.2 back from
2547 when the 1.6.2rc1 tag has been created).
2549 21 April 2017: Ralph
2550 - Fix #1254: clarify ratelimit-{for,below}-domain (from Manu Bretelle).
2551 - iana portlist update
2553 18 April 2017: Ralph
2554 - Fix #1252: more indentation inconsistencies.
2555 - Fix #1253: unused variable in edns-subnet/addrtree.c:getbit().
2557 13 April 2017: Ralph
2558 - Added ECS unit test (from Manu Bretelle).
2559 - ECS documentation fix (from Manu Bretelle).
2561 13 April 2017: Wouter
2562 - Fix #1250: inconsistent indentation in services/listen_dnsport.c.
2564 - (for 1.6.3:) unbound.h exports the shm stats structures. They use
2565 type long long and no ifdefs, and ub_ before the typenames.
2567 12 April 2017: Wouter
2568 - subnet mem value is available in shm, also when not enabled,
2569 to make the struct easier to memmap by other applications,
2570 independent of the configuration of unbound.
2572 12 April 2017: Ralph
2573 - Fix #1247: unbound does not shorten source prefix length when
2575 - Properly check for allocation failure in local_data_find_tag_datas.
2576 - Fix #1249: unbound doesn't return FORMERR to bogus ECS.
2577 - Set SHM ECS memory usage to 0 when module not loaded.
2579 11 April 2017: Ralph
2580 - Display ECS module memory usage.
2582 10 April 2017: Wouter
2583 - harden-algo-downgrade: no also makes unbound more lenient about
2584 digest algorithms in DS records.
2586 10 April 2017: Ralph
2587 - Remove ECS option after REFUSED answer.
2588 - Fix small memory leak in edns_opt_copy_alloc.
2589 - Respip dereference after NULL check.
2590 - Zero initialize addrtree allocation.
2591 - Use correct identifier for SHM destroy.
2593 7 April 2017: George
2594 - Fix pythonmod for cb changes.
2595 - Some whitespace fixup.
2598 - Unlock view in respip unit test
2601 - Generalise inplace callback (de)registration
2602 - (de)register inplace callbacks for module id
2603 - No unbound-control set_option for ECS options
2604 - Deprecated client-subnet-opcode config option
2605 - Introduced client-subnet-always-forward config option
2606 - Changed max-client-subnet-ipv6 default to 56 (as in RFC)
2607 - Removed extern ECS config options
2608 - module_restart_next now calls clear on all following modules
2609 - Also create ECS module qstate on module_event_pass event
2610 - remove malloc from inplace_cb_register
2612 6 April 2017: Wouter
2613 - Small fixup for documentation.
2614 - iana portlist update
2615 - Fix respip for braces when locks arent used.
2616 - Fix pythonmod for cb changes.
2618 4 April 2017: Wouter
2619 - Fix #1244: document that use of chroot requires trust anchor file to
2621 - iana portlist update
2624 - Do not add current time twice to TTL before ECS cache store.
2625 - Do not touch rrset cache after ECS cache message generation.
2626 - Use LDNS_EDNS_CLIENT_SUBNET as default ECS opcode.
2628 3 April 2017: Wouter
2629 - Fix #1217: Add metrics to unbound-control interface showing
2630 crypted, cert request, plaintext and malformed queries (from
2632 - iana portlist update
2634 27 March 2017: Wouter
2635 - Remove (now unused) event2 include from dnscrypt code.
2637 24 March 2017: George
2638 - Fix to prevent non-referal query from being cached as referal when the
2639 no_cache_store flag was set.
2641 23 March 2017: Wouter
2642 - Fix #1239: configure fails to find python distutils if python
2645 22 March 2017: Wouter
2646 - Fix #1238: segmentation fault when adding through the remote
2647 interface a per-view local zone to a view with no previous
2648 (configured) local zones.
2649 - Fix #1229: Systemd service sandboxing, options in wrong sections.
2651 21 March 2017: Ralph
2652 - Merge EDNS Client subnet implementation from feature branch into main
2653 branch, using new EDNS processing framework.
2655 21 March 2017: Wouter
2656 - Fix doxygen for dnscrypt files.
2658 20 March 2017: Wouter
2659 - #1217. DNSCrypt support, with --enable-dnscrypt, libsodium and then
2660 enabled in the config file from Manu Bretelle.
2661 - make depend, autoconf, remove warnings about statement before var.
2662 - lru_demote and lruhash_insert_or_retrieve functions for getdns.
2663 - fixup for lruhash (whitespace and header file comment).
2666 17 March 2017: Wouter
2667 - Patch for view functionality for local-data-ptr from Björn Ketelaars.
2668 - Fix #1237 - Wrong resolving in chain, for norec queries that get
2671 16 March 2017: Wouter
2672 - Fix that SHM is not inited if not enabled.
2673 - Add trustanchor.unbound CH TXT that gets a response with a number
2674 of TXT RRs with a string like "example.com. 2345 1234" with
2675 the trust anchors and their keytags.
2676 - Fix that looped DNAMEs do not cause unbound to spend effort.
2677 - trustanchor tags are sorted. reusable routine to fetch taglist.
2679 13 March 2017: Wouter
2680 - testbound understands Deckard MATCH rcode question answer commands.
2681 - Fix #1235: Fix too long DNAME expansion produces SERVFAIL instead
2682 of YXDOMAIN + query loop, reported by Petr Spacek.
2684 10 March 2017: Wouter
2685 - Fix #1234: shortening DNAME loop produces duplicate DNAME records
2688 9 March 2017: Wouter
2689 - --disable-sha1 disables SHA1 support in RRSIG, so from DNSKEY and
2690 DS records. NSEC3 is not disabled.
2691 - fake-sha1 test option; print warning if used. To make unit tests.
2692 - unbound-control list local zone and data commands listed in the
2695 8 March 2017: Wouter
2696 - make depend for build dependencies.
2697 - swig version 2.0.1 required.
2698 - fix enum conversion warnings
2700 7 March 2017: Wouter
2701 - Fix #1230: swig version 2.0.0 is required for pythonmod, with
2702 1.3.40 it crashes when running repeatly unbound-control reload.
2703 - Response actions based on IP address from Jinmei Tatuya (Infoblox).
2705 6 March 2017: Wouter
2706 - Fix #1229: Systemd service sandboxing in contrib/unbound.service.
2707 - iana portlist update
2709 28 February 2017: Ralph
2710 - Fix testpkts.c, check if DO bit is set, not only if there is an OPT
2713 28 February 2017: Wouter
2714 - For #1227: if we have sha256, set the cipher list to have no
2717 27 February 2017: Wouter
2718 - Fix #1227: Fix that Unbound control allows weak ciphersuits.
2719 - Fix #1226: provide official 32bit binary for windows.
2721 24 February 2017: Wouter
2722 - include sys/time.h for new shm code on NetBSD.
2724 23 February 2017: Wouter
2725 - Fix doc/CNAME-basedRedirectionDesignNotes.pdf zone static to
2727 - Patch from Luiz Fernando Softov for Stats Shared Memory.
2728 - unbound-control stats_shm command prints stats using shared memory,
2729 which uses less cpu.
2730 - make depend, autoconf, doxygen and lint fixed up.
2732 22 February 2017: Wouter
2733 - Fix #1224: Fix that defaults should not fall back to "Program Files
2734 (x86) if Unbound is 64bit by default on windows.
2736 21 February 2017: Wouter
2737 - iana portlist update
2739 16 February 2017: Wouter
2740 - sldns updated for vfixed and buffer resize indication from getdns.
2742 15 February 2017: Wouter
2743 - sldns has ED25519 and ED448 algorithm number and name for display.
2745 14 February 2017: Wouter
2746 - tag 1.6.1rc3. -- which became 1.6.1 on 21feb, trunk has 1.6.2
2748 13 February 2017: Wouter
2749 - Fix autoconf of systemd check for lack of pkg-config.
2751 10 February 2017: Wouter
2752 - Fix pythonmod for typedef changes.
2753 - Fix dnstap for warning of set but not used.
2756 9 February 2017: Wouter
2759 8 February 2017: Wouter
2760 - Fix for type name change and fix warning on windows compile.
2762 7 February 2017: Wouter
2763 - Include root trust anchor id 20326 in unbound-anchor.
2765 6 February 2017: Wouter
2766 - Fix compile on solaris of the fix to use $host detect.
2768 4 February 2017: Wouter
2769 - fix root_anchor test for updated icannbundle.pem lower certificates.
2771 26 January 2017: Wouter
2772 - Fix 1211: Fix can't enable interface-automatic if no IPv6 with
2773 more helpful error message.
2775 20 January 2017: Wouter
2776 - Increase MAX_MODULE to 16.
2778 19 January 2017: Wouter
2779 - Fix to Rename ub_callback_t to ub_callback_type, because POSIX
2780 reserves _t typedefs.
2781 - Fix to rename internally used types from _t to _type, because _t
2782 type names are reserved by POSIX.
2783 - iana portlist update
2785 12 January 2017: Wouter
2786 - Fix to also block meta types 128 through to 248 with formerr.
2787 - Fix #1206: Some view-related commands are missing from 'unbound-control -h'
2789 9 January 2017: Wouter
2790 - Fix #1202: Fix code comment that packed_rrset_data is not always
2793 6 January 2017: Wouter
2794 - Fix #1201: Fix missing unlock in answer_from_cache error condition.
2796 5 January 2017: Wouter
2797 - Fix to return formerr for queries for meta-types, to avoid
2798 packet amplification if this meta-type is sent on to upstream.
2799 - Fix #1184: Log DNS replies. This includes the same logging
2800 information that DNS queries and response code and response size,
2801 patch from Larissa Feng.
2802 - Fix #1187: Source IP rate limiting, patch from Larissa Feng.
2804 3 January 2017: Wouter
2805 - configure --enable-systemd and lets unbound use systemd sockets if
2806 you enable use-systemd: yes in unbound.conf.
2807 Also there are contrib/unbound.socket and contrib/unbound.service:
2808 systemd files for unbound, install them in /usr/lib/systemd/system.
2809 Contributed by Sami Kerola and Pavel Odintsov.
2810 - Fix reload chdir failure when also chrooted to that directory.
2812 2 January 2017: Wouter
2813 - Fix #1194: Cross build fails when $host isn't `uname` for getentropy.
2815 23 December 2016: Ralph
2816 - Fix #1190: Do not echo back EDNS options in local-zone error response.
2817 - iana portlist update
2819 21 December 2016: Ralph
2820 - Fix #1188: Unresolved symbol 'fake_dsa' in libunbound.so when built
2823 19 December 2016: Ralph
2824 - Fix #1191: remove comment about view deletion.
2826 15 December 2016: Wouter
2827 - iana portlist update
2828 - 64bit is default for windows builds.
2829 - Fix inet_ntop and inet_pton warnings in windows compile.
2831 14 December 2016: Wouter
2832 - Fix #1178: attempt to fix setup error at end, pop result values
2835 13 December 2016: Wouter
2836 - Fix #1182: Fix Resource leak (socket), at startup.
2837 - Fix unbound-control and ipv6 only.
2839 9 December 2016: Wouter
2840 - Fix #1176: stack size too small for Alpine Linux.
2842 8 December 2016: Wouter
2843 - Fix downcast warnings from visual studio in sldns code.
2844 - tag 1.6.0rc1 which became 1.6.0 on 15 dec, and trunk is 1.6.1.
2846 7 December 2016: Ralph
2847 - Add DSA support for OpenSSL 1.1.0
2848 - Fix remote control without cert for LibreSSL
2850 6 December 2016: George
2851 - Added generic EDNS code for registering known EDNS option codes,
2852 bypassing the cache response stage and uniquifying mesh states. Four EDNS
2853 option lists were added to module_qstate (module_qstate.edns_opts_*) to
2854 store EDNS options from/to front/back side.
2855 - Added two flags to module_qstate (no_cache_lookup, no_cache_store) that
2856 control the modules' cache interactions.
2857 - Added code for registering inplace callback functions. The registered
2858 functions can be called just before replying with local data or Chaos,
2859 replying from cache, replying with SERVFAIL, replying with a resolved
2860 query, sending a query to a nameserver. The functions can inspect the
2861 available data and maybe change response/query related data (i.e. append
2863 - Updated Python module for the above.
2864 - Updated Python documentation.
2866 5 December 2016: Ralph
2867 - Fix #1173: differ local-zone type deny from unset
2868 tag_actions element.
2870 5 December 2016: Wouter
2871 - Fix #1170: document that 'inform' local-zone uses local-data.
2873 1 December 2016: Ralph
2874 - hyphen as minus fix, by Andreas Schulze
2876 30 November 2016: Ralph
2877 - Added local-zones and local-data bulk addition and removal
2878 functionality in unbound-control (local_zones, local_zones_remove,
2879 local_datas and local_datas_remove).
2880 - iana portlist update
2882 29 November 2016: Wouter
2883 - version 1.6.0 is in the development branch.
2884 - braces in view.c around lock statements.
2886 28 November 2016: Wouter
2889 25 November 2016: Wouter
2890 - Fix that with openssl 1.1 control-use-cert: no uses less cpu, by
2891 using no encryption over the unix socket.
2893 22 Novenber 2016: Ralph
2894 - Make access-control-tag-data RDATA absolute. This makes the RDATA
2895 origin consistent between local-data and access-control-tag-data.
2896 - Fix NSEC ENT wildcard check. Matching wildcard does not have to be a
2897 subdomain of the NSEC owner.
2898 - QNAME minimisation uses QTYPE=A, therefore always check cache for
2899 this type in harden-below-nxdomain functionality.
2900 - Added unit test for QNAME minimisation + harden below nxdomain
2903 22 November 2016: Wouter
2904 - iana portlist update.
2905 - Fix unit tests for DS hash processing for fake-dsa test option.
2906 - patch from Dag-Erling Smorgrav that removes code that relies
2909 21 November 2016: Wouter
2910 - Fix #1158: reference RFC 8020 "NXDOMAIN: There Really Is Nothing
2911 Underneath" for the harden-below-nxdomain option.
2913 10 November 2016: Ralph
2914 - Fix #1155: test status code of unbound-control in 04-checkconf,
2915 not the status code from the tee command.
2917 4 November 2016: Ralph
2918 - Added stub-ssl-upstream and forward-ssl-upstream options.
2920 4 November 2016: Wouter
2921 - configure detects ssl security level API function in the autoconf
2922 manner. Every function on its own, so that other libraries (eg.
2923 LibreSSL) can develop their API without hindrance.
2924 - Fix #1154: segfault when reading config with duplicate zones.
2925 - Note that for harden-below-nxdomain the nxdomain must be secure,
2926 this means nsec3 with optout is insufficient.
2928 3 November 2016: Ralph
2929 - Set OpenSSL security level to 0 when using aNULL ciphers.
2931 3 November 2016: Wouter
2932 - .gitattributes line for githubs code language display.
2933 - log-identity: config option to set sys log identity, patch from
2934 "Robin H. Johnson" <robbat2@gentoo.org>
2936 2 November 2016: Wouter
2937 - iana portlist update.
2939 31 October 2016: Wouter
2940 - Fix failure to build on arm64 with no sbrk.
2941 - iana portlist update.
2943 28 October 2016: Wouter
2944 - Patch for server.num.zero_ttl stats for count of expired replies,
2945 from Pavel Odintsov.
2947 26 October 2016: Wouter
2948 - Fix unit tests for openssl 1.1, with no DSA, by faking DSA, enabled
2949 with the undocumented switch 'fake-dsa'. It logs a warning.
2951 25 October 2016: Wouter
2952 - Fix #1134: unbound-control set_option -- val-override-date: -1 works
2953 immediately to ignore datetime, or back to 0 to enable it again.
2954 The -- is to ignore the '-1' as an option flag.
2956 24 October 2016: Wouter
2957 - serve-expired config option: serve expired responses with TTL 0.
2958 - g.root-servers.net has AAAA address.
2960 21 October 2016: Wouter
2961 - Ported tests for local_cname unit test to testbound framework.
2963 20 October 2016: Wouter
2964 - suppress compile warning in lex files.
2965 - init lzt variable, for older gcc compiler warnings.
2966 - fix --enable-dsa to work, instead of copying ecdsa enable.
2967 - Fix DNSSEC validation of query type ANY with DNAME answers.
2968 - Fixup query_info local_alias init.
2970 19 October 2016: Wouter
2971 - Fix #1130: whitespace in example.conf.in more consistent.
2973 18 October 2016: Wouter
2974 - Patch that resolves CNAMEs entered in local-data conf statements that
2975 point to data on the internet, from Jinmei Tatuya (Infoblox).
2976 - Removed patch comments from acllist.c and msgencode.c
2977 - Added documentation doc/CNAME-basedRedirectionDesignNotes.pdf,
2978 from Jinmei Tatuya (Infoblox).
2979 - Fix #1125: unbound could reuse an answer packet incorrectly for
2980 clients with different EDNS parameters, from Jinmei Tatuya.
2981 - Fix #1118: libunbound.pc sets strange Libs, Libs.private values.
2982 - Added Requires line to libunbound.pc
2983 - Please doxygen by modifying mesh.h
2985 17 October 2016: Wouter
2986 - Re-fix #839 from view commit overwrite.
2987 - Fixup const void cast warning.
2989 12 October 2016: Ralph
2990 - Free view config elements.
2992 11 October 2016: Ralph
2993 - Added qname-minimisation-strict config option.
2994 - iana portlist update.
2995 - fix memoryleak logfile when in debug mode.
2997 5 October 2016: Ralph
2998 - Added views functionality.
2999 - Fix #1117: spelling errors, from Robert Edmonds.
3001 30 September 2016: Wouter
3002 - Fix Nits for 1.5.10 reported by Dag-Erling Smorgrav.
3004 29 September 2016: Wouter
3005 - Fix #838: 1.5.10 cannot be built on Solaris, undefined PATH_MAX.
3006 - Fix #839: Memory grows unexpectedly with large RPZ files.
3007 - Fix #840: infinite loop in unbound_munin_ plugin on unowned lockfile.
3008 - Fix #841: big local-zone's make it consume large amounts of memory.
3010 27 September 2016: Wouter
3011 - tag for 1.5.10 release
3012 - trunk contains 1.5.11 in development.
3013 - Fix dnstap relaying "random" messages instead of resolver/forwarder
3014 responses, from Nikolay Edigaryev.
3015 - Fix #836: unbound could echo back EDNS options in an error response.
3017 20 September 2016: Wouter
3018 - iana portlist update.
3019 - Fix #835: fix --disable-dsa with nettle verify.
3020 - tag for 1.5.10rc1 release.
3022 15 September 2016: Wouter
3023 - Fix 883: error for duplicate local zone entry.
3024 - Test for openssl init_crypto and init_ssl functions.
3026 15 September 2016: Ralph
3027 - fix potential memory leak in daemon/remote.c and nullpointer
3028 dereference in validator/autotrust.
3029 - iana portlist update.
3031 13 September 2016: Wouter
3032 - Silenced flex-generated sign-unsigned warning print with gcc
3034 - Fix for new splint on FreeBSD. Fix cast for sockaddr_un.sun_len.
3036 9 September 2016: Wouter
3037 - Fix #831: workaround for spurious fread_chk warning against petal.c
3039 5 September 2016: Ralph
3040 - Take configured minimum TTL into consideration when reducing TTL
3041 to original TTL from RRSIG.
3043 5 September 2016: Wouter
3044 - Fix #829: doc of sldns_wire2str_rdata_buf() return value has an
3045 off-by-one typo, from Jinmei Tatuya (Infoblox).
3046 - Fix incomplete prototypes reported by Dag-Erling Smørgrav.
3047 - Fix #828: missing type in access-control-tag-action redirect results
3050 2 September 2016: Wouter
3051 - Fix compile with openssl 1.1.0 with api=1.1.0.
3053 1 September 2016: Wouter
3054 - RFC 7958 is now out, updated docs for unbound-anchor.
3055 - Fix for compile without warnings with openssl 1.1.0.
3056 - Fix #826: Fix refuse_non_local could result in a broken response.
3057 - iana portlist update.
3059 29 August 2016: Wouter
3060 - Fix #777: OpenSSL 1.1.0 compatibility, patch from Sebastian A.
3062 - Add default root hints for IPv6 E.ROOT-SERVERS.NET, 2001:500:a8::e.
3064 25 August 2016: Ralph
3065 - Clarify local-zone-override entry in unbound.conf.5
3067 25 August 2016: Wouter
3068 - 64bit build option for makedist windows compile, -w64.
3070 24 August 2016: Ralph
3071 - Fix #820: set sldns_str2wire_rr_buf() dual meaning len parameter
3072 in each iteration in find_tag_datas().
3073 - unbound.conf.5 entries for define-tag, access-control-tag,
3074 access-control-tag-action, access-control-tag-data, local-zone-tag,
3075 and local-zone-override.
3077 23 August 2016: Wouter
3078 - Fix #804: unbound stops responding after outage. Fixes queries
3079 that attempt to wait for an empty list of subqueries.
3080 - Fix #804: lower num_target_queries for iterator also for failed
3083 8 August 2016: Wouter
3084 - Note that OPENPGPKEY type is RFC 7929.
3086 4 August 2016: Wouter
3087 - Fix #807: workaround for possible some "unused" function parameters
3088 in test code, from Jinmei Tatuya.
3090 3 August 2016: Wouter
3091 - use sendmsg instead of sendto for TFO.
3093 28 July 2016: Wouter
3094 - Fix #806: wrong comment removed.
3096 26 July 2016: Wouter
3097 - nicer ratelimit-below-domain explanation.
3099 22 July 2016: Wouter
3100 - Fix #801: missing error condition handling in
3101 daemon_create_workers().
3102 - Fix #802: workaround for function parameters that are "unused"
3104 - Fix #803: confusing (and incorrect) code comment in daemon_cleanup().
3106 20 July 2016: Wouter
3107 - Fix typo in unbound.conf.
3109 18 July 2016: Wouter
3110 - Fix #798: Client-side TCP fast open fails (Linux).
3112 14 July 2016: Wouter
3113 - TCP Fast open patch from Sara Dickinson.
3114 - Fixed unbound.doxygen for 1.8.11.
3117 - access-control-tag-data implemented. verbose(4) prints tag debug.
3120 - Fix dynamic link of anchor-update.exe on windows.
3121 - Fix detect of mingw for MXE package build.
3122 - Fixes for 64bit windows compile.
3123 - Fix #788 for nettle 3.0: Failed to build with Nettle >= 3.0 and
3124 --with-libunbound-only --with-nettle.
3127 - For #787: prefer-ip6 option for unbound.conf prefers to send
3128 upstream queries to ipv6 servers.
3129 - Fix #787: outgoing-interface netblock/64 ipv6 option to use linux
3130 freebind to use 64bits of entropy for every query with random local
3133 30 June 2016: Wouter
3134 - Document always_transparent, always_refuse, always_nxdomain types.
3136 29 June 2016: Wouter
3137 - Fix static compile on windows missing gdi32.
3139 28 June 2016: Wouter
3140 - Create a pkg-config file for libunbound in contrib.
3142 27 June 2016: Wouter
3143 - Fix #784: Build configure assumess that having getpwnam means there
3144 is endpwent function available.
3145 - Updated repository with newer flex and bison output.
3148 - Possibility to specify local-zone type for an acl/tag pair
3149 - Possibility to specify (override) local-zone type for a source address
3152 - Decrease dp attempts at each QNAME minimisation iteration
3154 16 June 2016: Wouter
3155 - Fix tcp timeouts in tv.usec.
3157 15 June 2016: Wouter
3158 - TCP_TIMEOUT is specified in milliseconds.
3159 - If more than half of tcp connections are in use, a shorter timeout
3160 is used (200 msec, vs 2 minutes) to pressure tcp for new connects.
3163 - QNAME minimisation unit test for dropped QTYPE=A queries.
3165 14 June 2016: Wouter
3166 - Fix 775: unbound-host and unbound-anchor crash on windows, ignore
3167 null delete for wsaevent.
3168 - Fix spelling in freebind option man page text.
3169 - Fix windows link of ssl with crypt32.
3170 - Fix 779: Union casting is non-portable.
3171 - Fix 780: MAP_ANON not defined in HP-UX 11.31.
3172 - Fix 781: prealloc() is an HP-UX system library call.
3175 - Use QTYPE=A for QNAME minimisation.
3176 - Keep track of number of time-outs when performing QNAME minimisation.
3177 Stop minimising when number of time-outs for a QNAME/QTYPE pair is
3180 13 June 2016: Wouter
3181 - Fix #778: unbound 1.5.9: -h segfault (null deref).
3182 - Fix directory: fix for unbound-checkconf, it restores cwd.
3184 10 June 2016: Wouter
3185 - And delete service.conf.shipped on uninstall.
3186 - In unbound.conf directory: dir immediately changes to that directory,
3187 so that include: file below that is relative to that directory.
3188 With chroot, make the directory an absolute path inside chroot.
3189 - keep debug symbols in windows build.
3190 - do not delete service.conf on windows uninstall.
3191 - document directory immediate fix and allow EXECUTABLE syntax in it
3195 - Trunk is called 1.5.10 (with previous fixes already in there to 2
3197 - Revert fix for NetworkService account on windows due to breakage
3199 - Fix that windows install will not overwrite existing service.conf
3200 file (and ignore gui config choices if it exists).
3203 - Lookup localzones by taglist from acl.
3204 - Possibility to lookup local_zone, regardless the taglist.
3205 - Added local_zone/taglist/acl unit test.
3208 - Fix #773: Non-standard Python location build failure with pyunbound.
3209 - Improve threadsafety for openssl 0.9.8 ecdsa dnssec signatures.
3212 - Better help text from -h (from Ray Griffith).
3213 - access-control-tag config directive.
3214 - local-zone-override config directive.
3215 - access-control-tag-action and access-control-tag-data config
3217 - free acl-tags, acltag-action and acltag-data config lists during
3218 initialisation to free up memory for more entries.
3221 - Fix to not ignore return value of chown() in daemon startup.
3224 - Fix libubound for edns optlist feature.
3225 - Fix distinction between free and CRYPTO_free in dsa and ecdsa alloc.
3226 - Fix #752: retry resource temporarily unavailable on control pipe.
3227 - un-document localzone tags.
3228 - tag for release 1.5.9rc1.
3229 And this also became release 1.5.9.
3230 - Fix (for 1.5.10): Fix unbound-anchor.exe file location defaults to
3231 Program Files with (x86) appended.
3232 - re-documented localzone tags in example.conf.
3235 - Fix windows service to be created run with limited rights, as a
3236 network service account, from Mario Turschmann.
3237 - compat strsep implementation.
3238 - generic edns option parse and store code.
3239 - and also generic edns options for upstream messages (and replies).
3240 after parse use edns_opt_find(edns.opt_list, LDNS_EDNS_NSID),
3241 to insert use edns_opt_append(edns, region, code, len, bindata) on
3242 the opt_list passed to send_query, or in edns_opt_inplace_reply.
3245 - Fix time in case answer comes from cache in ub_resolve_event().
3246 - Attempted fix for #765: _unboundmodule missing for python3.
3249 - Fix #770: Small subgroup attack on DH used in unix pipe on localhost
3250 if unbound control uses a unix local named pipe.
3251 - Document write permission to directory of trust anchor needed.
3252 - Fix #768: Unbound Service Sometimes Can Not Shutdown
3253 Completely, WER Report Shown Up. Close handle before closing WSA.
3256 - Updated patch from Charles Walker.
3259 - disable-dnssec-lame-check config option from Charles Walker.
3260 - remove memory leak from lame-check patch.
3261 - iana portlist update.
3264 - Fix #767: Reference to an expired Internet-Draft in
3265 harden-below-nxdomain documentation.
3268 - No QNAME minimisation fall-back for NXDOMAIN answers from DNSSEC
3270 - iana portlist update.
3273 - Fix #766: dns64 should synthesize results on timeout/errors.
3276 - Fix #761: DNSSEC LAME false positive resolving nic.club.
3279 - trunk updated with output of flex 2.6.0.
3282 - Fix memory leak in out-of-memory conditions of local zone add.
3284 29 April 2016: Wouter
3285 - Fix sldns with static checking fixes copied from getdns.
3287 28 April 2016: Wouter
3288 - Fix #759: 0x20 capsforid no longer checks type PTR, for
3289 compatibility with cisco dns guard. This lowers false positives.
3291 18 April 2016: Wouter
3292 - Fix some malformed responses to edns queries get fallback to nonedns.
3294 15 April 2016: Wouter
3295 - cachedb module event handling design.
3297 14 April 2016: Wouter
3298 - cachedb module framework (empty).
3299 - iana portlist update.
3301 12 April 2016: Wouter
3302 - Fix #753: document dump_requestlist is for first thread.
3304 24 March 2016: Wouter
3305 - Document permit-small-holddown for 5011 debug.
3306 - Fix #749: unbound-checkconf gets SIGSEGV when use against a
3307 malformatted conf file.
3309 23 March 2016: Wouter
3310 - OpenSSL 1.1.0 portability, --disable-dsa configure option.
3312 21 March 2016: Wouter
3313 - Fix compile of getentropy_linux for SLES11 servicepack 4.
3314 - Fix dnstap-log-resolver-response-messages, from Nikolay Edigaryev.
3315 - Fix test for openssl to use HMAC_Update for 1.1.0.
3316 - acx_nlnetlabs.m4 to v33, with HMAC_Update.
3317 - acx_nlnetlabs.m4 to v34, with -ldl -pthread test for libcrypto.
3318 - ERR_remove_state deprecated since openssl 1.0.0.
3319 - OPENSSL_config is deprecated, removing.
3321 18 March 2016: Ralph
3322 - Validate QNAME minimised NXDOMAIN responses.
3323 - If QNAME minimisation is enabled, do cache lookup for QTYPE NS in
3324 harden-below-nxdomain.
3326 17 March 2016: Ralph
3327 - Limit number of QNAME minimisation iterations.
3329 17 March 2016: Wouter
3330 - Fix #746: Fix unbound sets CD bit on all forwards.
3331 If no trust anchors, it'll not set CD bit when forwarding to another
3332 server. If a trust anchor, no CD bit on the first attempt to a
3333 forwarder, but CD bit thereafter on repeated attempts to get DNSSEC.
3334 - iana portlist update.
3336 16 March 2016: Wouter
3337 - Fix ip-transparent for ipv6 on FreeBSD, thanks to Nick Hibma.
3338 - Fix ip-transparent for tcp on freebsd.
3340 15 March 2016: Wouter
3341 - ip_freebind: yesno option in unbound.conf sets IP_FREEBIND for
3342 binding to an IP address while the interface or address is down.
3344 14 March 2016: Wouter
3345 - Fix warnings in ifdef corner case, older or unknown libevent.
3346 - Fix compile for ub_event code with older libev.
3348 11 March 2016: Wouter
3349 - Remove warning about unused parameter in event_pluggable.c.
3350 - Fix libev usage of dispatch return value.
3351 - No side effects in tolower() call, in case it is a macro.
3352 - For test put free in pluggable api in parenthesis.
3354 10 March 2016: Wouter
3355 - Fixup backend2str for libev.
3357 09 March 2016: Willem
3358 - User defined pluggable event API for libunbound
3359 - Fixup of compile fix for pluggable event API from P.Y. Adi
3362 09 March 2016: Wouter
3363 - Updated configure and ltmain.sh.
3364 - Updated L root IPv6 address.
3366 07 March 2016: Wouter
3367 - Fix #747: assert in outnet_serviced_query_stop.
3368 - iana ports fetched via https.
3369 - iana portlist update.
3371 03 March 2016: Wouter
3372 - configure tests for the weak attribute support by the compiler.
3374 02 March 2016: Wouter
3376 - trunk contains 1.5.9 in development.
3377 - iana portlist update.
3378 - Fix #745: unbound.py - idn2dname throws UnicodeError when idnname
3379 contains trailing dot.
3381 24 February 2016: Wouter
3382 - Fix OpenBSD asynclook lock free that gets used later (fix test code).
3383 - Fix that NSEC3 negative cache is used when there is no salt.
3385 23 February 2016: Wouter
3386 - ub_ctx_set_stub() function for libunbound to config stub zones.
3387 - sorted ubsyms.def file with exported libunbound functions.
3389 19 February 2016: Wouter
3390 - Print understandable debug log when unusable DS record is seen.
3391 - load gost algorithm if digest is seen before key algorithm.
3392 - iana portlist update.
3394 17 February 2016: Wouter
3395 - Fix that "make install" fails due to "text file busy" error.
3397 16 February 2016: Wouter
3398 - Set IPPROTO_IP6 for ipv6 sockets otherwise invalid argument error.
3400 15 February 2016: Wouter
3401 - ip-transparent option for FreeBSD with IP_BINDANY socket option.
3402 - wait for sendto to drain socket buffers when they are full.
3404 9 February 2016: Wouter
3405 - Test for type OPENPGPKEY.
3406 - insecure-lan-zones: yesno config option, patch from Dag-Erling
3409 8 February 2016: Wouter
3410 - Fix patch typo in prevuous commit for 734 from Adi Prasaja.
3411 - RR Type CSYNC support RFC 7477, in debug printout and config input.
3412 - RR Type OPENPGPKEY support (draft-ietf-dane-openpgpkey-07).
3414 29 January 2016: Wouter
3415 - Neater cmdline_verbose increment patch from Edgar Pettijohn.
3417 27 January 2016: Wouter
3418 - Made netbsd sendmsg test nonfatal, in case of false positives.
3419 - Fix #741: log message for dnstap socket connection is more clear.
3421 26 January 2016: Wouter
3422 - Fix #734: chown the pidfile if it resides inside the chroot.
3423 - Use arc4random instead of random in tests (because it is
3424 available, possibly as compat, anyway).
3425 - Fix cmsg alignment for argument to sendmsg on NetBSD.
3426 - Fix that unbound complains about unimplemented IP_PKTINFO for
3427 sendmsg on NetBSD (for interface-automatic).
3429 25 January 2016: Wouter
3430 - Fix #738: Swig should not be invoked with CPPFLAGS.
3432 19 January 2016: Wouter
3433 - Squelch 'cannot assign requested address' log messages unless
3434 verbosity is high, it was spammed after network down.
3436 14 January 2016: Wouter
3437 - Fix to simplify empty string checking from Michael McConville.
3438 - iana portlist update.
3440 12 January 2016: Wouter
3441 - Fix #734: Do not log an error when the PID file cannot be chown'ed.
3442 Patch from Simon Deziel.
3444 11 January 2016: Wouter
3445 - Fix test if -pthreads unused to use better grep for portability.
3447 06 January 2016: Wouter
3448 - Fix mingw crosscompile for recent mingw.
3449 - Update aclocal, autoconf output with new versions (1.15, 2.4.6).
3451 05 January 2016: Wouter
3452 - #731: tcp-mss, outgoing-tcp-mss options for unbound.conf, patch
3453 from Daisuke Higashi.
3454 - Support RFC7686: handle ".onion" Special-Use Domain. It is blocked
3455 by default, and can be unblocked with "nodefault" localzone config.
3457 04 January 2016: Wouter
3458 - Define DEFAULT_SOURCE together with BSD_SOURCE when that is defined,
3459 for Linux glibc 2.20.
3460 - Fixup contrib/aaaa-filter-iterator.patch for moved contents in the
3461 source code, so it applies cleanly again. Removed unused variable
3464 15 December 2015: Ralph
3465 - Fix #729: omit use of escape sequences in echo since they are not
3466 portable (unbound-control-setup).
3468 11 December 2015: Wouter
3469 - remove NULL-checks before free, patch from Michael McConville.
3470 - updated ax_pthread.m4 to version 21 with clang support, this
3471 removes a warning from compilation.
3472 - OSX portability, detect if sbrk is deprecated.
3473 - OSX clang, stop -pthread unused during link stage warnings.
3474 - OSX clang new flto check.
3476 10 December 2015: Wouter
3478 - trunk has 1.5.8 in development.
3480 8 December 2015: Wouter
3481 - Fixup 724 for unbound-control.
3483 7 December 2015: Ralph
3484 - Do not minimise forwarded requests.
3486 4 December 2015: Wouter
3487 - Removed unneeded whitespace from example.conf.
3489 3 December 2015: Ralph
3491 - Committed fix to qname minimisation and unit test case for it.
3493 3 December 2015: Wouter
3494 - iana portlist update.
3495 - 1.5.7rc1 prerelease tag.
3497 2 December 2015: Wouter
3498 - Fixup 724: Fix PCA prompt for unbound-service-install.exe.
3499 re-enable stdout printout.
3500 - For 724: Add Changelog to windows binary dist.
3502 1 December 2015: Ralph
3503 - Qname minimisation review fixes
3505 1 December 2015: Wouter
3506 - Fixup 724 fix for fname_after_chroot() calls.
3507 - Remove stdout printout for unbound-service-install.exe
3508 - .gitignore for git users.
3510 30 November 2015: Ralph
3511 - Implemented qname minimisation
3513 30 November 2015: Wouter
3514 - Fix for #724: conf syntax to read files from run dir (on Windows).
3516 25 November 2015: Wouter
3517 - Fix for #720, fix unbound-control-setup windows batch file.
3519 24 November 2015: Wouter
3520 - Fix #720: add windows scripts to zip bundle.
3521 - iana portlist update.
3523 20 November 2015: Wouter
3524 - Added assert on rrset cache correctness.
3525 - Fix that malformed EDNS query gets a response without malformed EDNS.
3527 18 November 2015: Wouter
3528 - newer acx_nlnetlabs.m4.
3529 - spelling fixes from Igor Sobrado Delgado.
3531 17 November 2015: Wouter
3532 - Fix #594. libunbound: optionally use libnettle for crypto.
3533 Contributed by Luca Bruno. Added --with-nettle for use with
3534 --with-libunbound-only.
3535 - refactor nsec3 hash implementation to be more library-portable.
3536 - iana portlist update.
3537 - Fixup DER encoded DSA signatures for libnettle.
3539 16 November 2015: Wouter
3540 - Fix for lenient accept of reverse order DNAME and CNAME.
3542 6 November 2015: Wouter
3543 - Change example.conf: ftp.internic.net to https://www.internic.net
3545 5 November 2015: Wouter
3546 - ACX_SSL_CHECKS no longer adds -ldl needlessly.
3548 3 November 2015: Wouter
3549 - Fix #718: Fix unbound-control-setup with support for env
3550 without HEREDOC bash support.
3552 29 October 2015: Wouter
3553 - patch from Doug Hogan for SSL_OP_NO_SSLvx options.
3554 - Fix #716: nodata proof with empty non-terminals and wildcards.
3556 28 October 2015: Wouter
3557 - Fix checklock testcode for linux threads on exit.
3559 27 October 2015: Wouter
3560 - isblank() compat implementation.
3561 - detect libexpat without xml_StopParser function.
3562 - portability fixes.
3563 - portability, replace snprintf if return value broken.
3565 23 October 2015: Wouter
3566 - Fix #714: Document config to block private-address for IPv4
3567 mapped IPv6 addresses.
3569 22 October 2015: Wouter
3570 - Fix #712: unbound-anchor appears to not fsync root.key.
3572 20 October 2015: Wouter
3574 - trunk tracks development of 1.5.7.
3576 15 October 2015: Wouter
3577 - Fix segfault in the dns64 module in the formaterror error path.
3578 - Fix sldns_wire2str_rdata_scan for malformed RRs.
3579 - tag for 1.5.6rc1 release.
3581 14 October 2015: Wouter
3582 - ANY responses include DNAME records if present, as per Evan Hunt's
3584 - Fix manpage to suggest using SIGTERM to terminate the server.
3586 9 October 2015: Wouter
3587 - Default for ssl-port is port 853, the temporary port assignment
3588 for secure domain name system traffic.
3589 If you used to rely on the older default of port 443, you have
3590 to put a clause in unbound.conf for that. The new value is likely
3591 going to be the standardised port number for this traffic.
3592 - iana portlist update.
3594 6 October 2015: Wouter
3596 - trunk tracks the development of 1.5.6.
3598 28 September 2015: Wouter
3599 - MAX_TARGET_COUNT increased to 64, to fix up sporadic resolution
3601 - tag for 1.5.5rc1 release.
3602 - makedist.sh: pgp sig echo commands.
3604 25 September 2015: Wouter
3605 - Fix unbound-control flush that does not succeed in removing data.
3607 22 September 2015: Wouter
3608 - Fix config globbed include chroot treatment, this fixes reload of
3609 globs (patch from Dag-Erling Smørgrav).
3610 - iana portlist update.
3611 - Fix #702: New IPs for for h.root-servers.net.
3612 - Remove confusion comment from canonical_compare() function.
3613 - Fix #705: ub_ctx_set_fwd() return value mishandled on windows.
3614 - testbound selftest also works in non-debug mode.
3615 - Fix minor error in unbound.conf.5.in
3616 - Fix unbound.conf(5) access-control description for precedence
3619 31 August 2015: Wouter
3620 - changed windows setup compression to be more transparent.
3622 28 August 2015: Wouter
3623 - Fix #697: Get PY_MAJOR_VERSION failure at configure for python
3625 - Feature #699: --enable-pie option to that builds PIE binary.
3626 - Feature #700: --enable-relro-now option that enables full read-only
3629 24 August 2015: Wouter
3630 - Fix deadlock for local data add and zone add when unbound-control
3631 list_local_data printout is interrupted.
3632 - iana portlist update.
3633 - Change default of harden-algo-downgrade to off. This is lenient
3634 for algorithm rollover.
3636 13 August 2015: Wouter
3637 - 5011 implementation does not insist on all algorithms, when
3638 harden-algo-downgrade is turned off.
3639 - Reap the child process that libunbound spawns.
3641 11 August 2015: Wouter
3642 - Fix #694: configure script does not detect LibreSSL 2.2.2
3644 4 August 2015: Wouter
3645 - Document that local-zone nodefault matches exactly and transparent
3646 can be used to release a subzone.
3648 3 August 2015: Wouter
3649 - Document in the manual more text about configuring locally served
3651 - Fix 5011 anchor update timer after reload.
3652 - Fix mktime in unbound-anchor not using UTC.
3654 30 July 2015: Wouter
3655 - please afl-gcc (llvm) for uninitialised variable warning.
3656 - Added permit-small-holddown config to debug fast 5011 rollover.
3658 24 July 2015: Wouter
3659 - Fix #690: Reload fails when so-reuseport is yes after changing
3661 - iana portlist update.
3663 21 July 2015: Wouter
3664 - Fix configure to detect SSL_CTX_set_ecdh_auto.
3665 - iana portlist update.
3667 20 July 2015: Wouter
3668 - Enable ECDHE for servers. Where available, use
3669 SSL_CTX_set_ecdh_auto() for TLS-wrapped server configurations to
3670 enable ECDHE. Otherwise, manually offer curve p256.
3671 Client connections should automatically use ECDHE when available.
3672 (thanks Daniel Kahn Gillmor)
3674 18 July 2015: Willem
3675 - Allow certificate chain files to allow for intermediate certificates.
3676 (thanks Daniel Kahn Gillmor)
3678 13 July 2015: Wouter
3679 - makedist produces sha1 and sha256 files for created binaries too.
3683 - trunk has 1.5.5 in development.
3684 - Fix #681: Setting forwarders with unbound-control forward
3685 implicitly turns on forward-first.
3687 29 June 2015: Wouter
3688 - iana portlist update.
3689 - Fix alloc with log for allocation size checks.
3691 26 June 2015: Wouter
3692 - Fix #677 Fix DNAME responses from cache that failed internal chain
3694 - iana portlist update.
3696 22 June 2015: Wouter
3697 - Fix #677 Fix CNAME corresponding to a DNAME was checked incorrectly
3698 and was therefore always synthesized (thanks to Valentin Dietrich).
3701 - RFC 7553 RR type URI support, is now enabled by default.
3704 - Fix #674: Do not free pointers given by getenv.
3707 - Fix that unparseable error responses are ratelimited.
3708 - SOA negative TTL is capped at minimumttl in its rdata section.
3709 - cache-max-negative-ttl config option, default 3600.
3712 - Document that ratelimit works with unbound-control set_option.
3715 - iana portlist update.
3716 - documentation proposes ratelimit of 1000 (closer to what upstream
3717 servers expect from us).
3720 - DLV is going to be decommissioned. Advice to stop using it, and
3721 put text in the example configuration and man page to that effect.
3724 - Change syntax of particular validator error to be easier for
3725 machine parse, swap rrset and ip adres info so it looks like:
3726 validation failure <www.example.nl. TXT IN>: signature crypto
3727 failed from 2001:DB8:7:bba4::53 for <*.example.nl. NSEC IN>
3730 - caps-whitelist in unbound.conf allows whitelist of loadbalancers
3731 that cannot work with caps-for-id or its fallback.
3733 30 April 2015: Wouter
3734 - Unit test for type ANY synthesis.
3736 22 April 2015: Wouter
3737 - Removed contrib/unbound_unixsock.diff, because it has been
3738 integrated, use control-interface: /path in unbound.conf.
3739 - iana portlist update.
3741 17 April 2015: Wouter
3742 - Synthesize ANY responses from cache. Does not search exhaustively,
3743 but MX,A,AAAA,SOA,NS also CNAME.
3744 - Fix leaked dns64prefix configuration string.
3746 16 April 2015: Wouter
3747 - Add local-zone type inform_deny, that logs query and drops answer.
3748 - Ratelimit does not apply to prefetched queries, and ratelimit-factor
3749 is default 10. Repeated normal queries get resolved and with
3750 prefetch stay in the cache.
3751 - Fix bug#664: libunbound python3 related fixes (from Tomas Hozza)
3752 Use print_function also for Python2.
3753 libunbound examples: produce sorted output.
3754 libunbound-Python: libldns is not used anymore.
3755 Fix issue with Python 3 mapping of FILE* using file_py3.i from ldns.
3757 10 April 2015: Wouter
3758 - unbound-control ratelimit_list lists high rate domains.
3759 - ratelimit feature, ratelimit: 100, or some sensible qps, can be
3760 used to turn it on. It ratelimits recursion effort per zone.
3761 For particular names you can configure exceptions in unbound.conf.
3762 - Fix that get_option for cache-sizes does not print double newline.
3763 - Fix#663: ssl handshake fails when using unix socket because dh size
3766 8 April 2015: Wouter
3767 - Fix crash in dnstap: Do not try to log TCP responses after timeout.
3769 7 April 2015: Wouter
3770 - Libunbound skips dos-line-endings from etc/hosts.
3771 - Unbound exits with a fatal error when the auto-trust-anchor-file
3772 fails to be writable. This is seconds after startup. You can
3773 load a readonly auto-trust-anchor-file with trust-anchor-file.
3774 The file has to be writable to notice the trust anchor change,
3775 without it, a trust anchor change will be unnoticed and the system
3776 will then become inoperable.
3777 - unbound-control list_insecure command shows the negative trust
3778 anchors currently configured, patch from Jelte Jansen.
3780 2 April 2015: Wouter
3781 - Fix #660: Fix interface-automatic broken in the presence of
3784 26 March 2015: Wouter
3785 - remote.c probedelay line is easier to read.
3786 - rename ldns subdirectory to sldns to avoid name collision.
3788 25 March 2015: Wouter
3789 - Fix #657: libunbound(3) recommends deprecated
3790 CRYPTO_set_id_callback.
3791 - If unknown trust anchor algorithm, and libressl is used, error
3792 message encourages upgrade of the libressl package.
3794 23 March 2015: Wouter
3795 - Fix segfault on user not found at startup (from Maciej Soltysiak).
3797 20 March 2015: Wouter
3798 - Fixed to add integer overflow checks on allocation (defense in depth).
3800 19 March 2015: Wouter
3801 - Add ip-transparent config option for bind to non-local addresses.
3803 17 March 2015: Wouter
3804 - Use reallocarray for integer overflow protection, patch submitted
3805 by Loganaden Velvindron.
3807 16 March 2015: Wouter
3808 - Fixup compile on cygwin, more portable openssl thread id.
3810 12 March 2015: Wouter
3811 - Updated default keylength in unbound-control-setup to 3k.
3813 10 March 2015: Wouter
3814 - Fix lintian warning in unbound-checkconf man page (from Andreas
3816 - print svnroot when building windows dist.
3817 - iana portlist update.
3818 - Fix warning on sign compare in getentropy_linux.
3820 9 March 2015: Wouter
3821 - Fix #644: harden-algo-downgrade option, if turned off, fixes the
3822 reported excessive validation failure when multiple algorithms
3823 are present. It allows the weakest algorithm to validate the zone.
3824 - iana portlist update.
3826 5 March 2015: Wouter
3827 - contrib/unbound_smf22.tar.gz: Solaris SMF installation/removal
3828 scripts. Contributed by Yuri Voinov.
3829 - Document that incoming-num-tcp increase is good for large servers.
3830 - stats reports tcp usage, of incoming-num-tcp buffers.
3832 4 March 2015: Wouter
3833 - Patch from Brad Smith that syncs compat/getentropy_linux with
3834 OpenBSD's version (2015-03-04).
3835 - 0x20 fallback improved: servfail responses do not count as missing
3836 comparisons (except if all responses are errors),
3837 inability to find nameservers does not fail equality comparisons,
3838 many nameservers does not try to compare more than max-sent-count,
3839 parse failures start 0x20 fallback procedure.
3840 - store caps_response with best response in case downgrade response
3841 happens to be the last one.
3842 - Document windows 8 tests.
3844 3 March 2015: Wouter
3846 [ This became 1.5.3 on 10 March, trunk is 1.5.4 in development ]
3848 2 March 2015: Wouter
3849 - iana portlist update.
3851 20 February 2015: Wouter
3852 - Use the getrandom syscall introduced in Linux 3.17 (from Heiner
3854 - Fix #645 Portability to Solaris 10, use AF_LOCAL.
3855 - Fix #646 Portability to Solaris, -lrt for getentropy_solaris.
3856 - Fix #647 crash in 1.5.2 because pwd.db no longer accessible after
3859 19 February 2015: Wouter
3860 - 1.5.2 release tag.
3861 - svn trunk contains 1.5.3 under development.
3863 13 February 2015: Wouter
3864 - Fix #643: doc/example.conf.in: unnecessary whitespace.
3866 12 February 2015: Wouter
3869 11 February 2015: Wouter
3870 - iana portlist update.
3872 10 February 2015: Wouter
3873 - Fix scrubber with harden-glue turned off to reject NS (and other
3874 not-address) records.
3876 9 February 2015: Wouter
3877 - Fix validation failure in case upstream forwarder (ISC BIND) does
3878 not have the same trust anchors and decides to insert unsigned NS
3879 record in authority section.
3881 2 February 2015: Wouter
3882 - infra-cache-min-rtt patch from Florian Riehm, for expected long
3883 uplink roundtrip times.
3885 30 January 2015: Wouter
3886 - Fix 0x20 capsforid fallback to omit gratuitous NS and additional
3888 - Portability fix for Solaris ('sun' is not usable for a variable).
3890 29 January 2015: Wouter
3891 - Fix pyunbound byte string representation for python3.
3893 26 January 2015: Wouter
3894 - Fix unintended use of gcc extension for incomplete enum types,
3895 compile with pedantic c99 compliance (from Daniel Dickman).
3897 23 January 2015: Wouter
3898 - windows port fixes, no AF_LOCAL, no chown, no chmod(grp).
3900 16 January 2015: Wouter
3901 - unit test for local unix connection. Documentation and log_addr
3902 does not inspect port for AF_LOCAL.
3903 - unbound-checkconf -f prints chroot with pidfile path.
3905 13 January 2015: Wouter
3906 - iana portlist update.
3908 12 January 2015: Wouter
3909 - Cast sun_len sizeof to socklen_t.
3910 - Fix pyunbound ord call, portable for python 2 and 3.
3912 7 January 2015: Wouter
3913 - Fix warnings in pythonmod changes.
3915 6 January 2015: Wouter
3916 - iana portlist update.
3917 - patch for remote control over local sockets, from Dag-Erling
3918 Smorgrav, Ilya Bakulin. Use control-interface: /path/sock and
3919 control-use-cert: no.
3920 - Fixup that patch and uid lookup (only for daemon).
3921 - coded the default of control-use-cert, to yes.
3923 5 January 2015: Wouter
3924 - getauxval test for ppc64 linux compatibility.
3925 - make strip works for unbound-host and unbound-anchor.
3926 - patch from Stephane Lapie that adds to the python API, that
3927 exposes struct delegpt, and adds the find_delegation function.
3928 - print query name when max target count is exceeded.
3929 - patch from Stuart Henderson that fixes DESTDIR in
3930 unbound-control-setup for installs where config is not in
3931 the prefix location.
3932 - Fix #634: fix fail to start on Linux LTS 3.14.X, ignores missing
3933 IP_MTU_DISCOVER OMIT option (fix from Remi Gacogne).
3934 - Updated contrib warmup.cmd/sh to support two modes - load
3935 from pre-defined list of domains or (with filename as argument)
3936 load from user-specified list of domains, and updated contrib
3937 unbound_cache.sh/cmd to support loading/save/reload cache to/from
3938 default path or (with secondary argument) arbitrary path/filename,
3940 - Patch from Philip Paeps to contrib/unbound_munin_ that uses
3941 type ABSOLUTE. Allows munin.conf: [idleserver.example.net]
3942 unbound_munin_hits.graph_period minute
3944 9 December 2014: Wouter
3945 - svn trunk has 1.5.2 in development.
3946 - config.guess and config.sub update from libtoolize.
3947 - local-zone: example.com inform makes unbound log a message with
3948 client IP for queries in that zone. Eg. for finding infected hosts.
3950 8 December 2014: Wouter
3951 - Fix CVE-2014-8602: denial of service by making resolver chase
3952 endless series of delegations.
3954 1 December 2014: Wouter
3955 - Fix bug#632: unbound fails to build on AArch64, protects
3956 getentropy compat code from calling sysctl if it is has been removed.
3958 29 November 2014: Wouter
3959 - Add include to getentropy_linux.c, hopefully fixing debian build.
3961 28 November 2014: Wouter
3962 - Fix makefile for build from noexec source tree.
3964 26 November 2014: Wouter
3965 - Fix libunbound undefined symbol errors for main.
3966 Referencing main does not seem to be possible for libunbound.
3968 24 November 2014: Wouter
3969 - Fix log at high verbosity and memory allocation failure.
3970 - iana portlist update.
3972 21 November 2014: Wouter
3973 - Fix crash on multiple thread random usage on systems without
3976 20 November 2014: Wouter
3977 - fix compat/getentropy_win.c check if CryptGenRandom works and no
3978 immediate exit on windows.
3980 19 November 2014: Wouter
3981 - Fix cdflag dns64 processing.
3983 18 November 2014: Wouter
3984 - Fix that CD flag disables DNS64 processing, returning the DNSSEC
3986 - iana portlist update.
3988 17 November 2014: Wouter
3989 - Fix #627: SSL_CTX_load_verify_locations return code not properly
3992 14 November 2014: Wouter
3993 - parser with bison 2.7
3995 13 November 2014: Wouter
3996 - Patch from Stephane Lapie for ASAHI Net that implements aaaa-filter,
3997 added to contrib/aaaa-filter-iterator.patch.
3999 12 November 2014: Wouter
4000 - trunk has 1.5.1 in development.
4001 - Patch from Robert Edmonds to build pyunbound python module
4002 differently. No versioninfo, with -shared and without $(LIBS).
4003 - Patch from Robert Edmonds fixes hyphens in unbound-anchor man page.
4004 - Removed 'increased limit open files' log message that is written
4005 to console. It is only written on verbosity 4 and higher.
4006 This keeps system bootup console cleaner.
4007 - Patch from James Raftery, always print stats for rcodes 0..5.
4009 11 November 2014: Wouter
4010 - iana portlist update.
4011 - Fix bug where forward or stub addresses with same address but
4012 different port number were not tried.
4013 - version number in svn trunk is 1.5.0
4015 - review fix from Ralph.
4017 7 November 2014: Wouter
4018 - dnstap fixes by Robert Edmonds:
4019 dnstap/dnstap.m4: cosmetic fixes
4020 dnstap/: Remove compiled protoc-c output files
4021 dnstap/dnstap.m4: Error out if required libraries are not found
4022 dnstap: Fix ProtobufCBufferSimple usage that is incorrect as of
4024 dnstap/: Adapt to API changes in latest libfstrm (>= 0.2.0)
4026 4 November 2014: Wouter
4027 - Add ub_ctx_add_ta_autr function to add a RFC5011 automatically
4028 tracked trust anchor to libunbound.
4029 - Redefine internal minievent symbols to unique symbols that helps
4030 linking on platforms where the linker leaks names across modules.
4032 27 October 2014: Wouter
4033 - Disabled use of SSLv3 in remote-control and ssl-upstream.
4034 - iana portlist update.
4036 16 October 2014: Wouter
4037 - Documented dns64 configuration in unbound.conf man page.
4039 13 October 2014: Wouter
4040 - Fix #617: in ldns in unbound, lowercase WKS services.
4041 - Fix ctype invocation casts.
4043 10 October 2014: Wouter
4044 - Fix unbound-checkconf check for module config with dns64 module.
4045 - Fix unbound capsforid fallback, it ignores TTLs in comparison.
4047 6 October 2014: Wouter
4048 - Fix #614: man page variable substitution bug.
4049 6 October 2014: Willem
4050 - Whitespaces after $ORIGIN are not part of the origin dname (ldns).
4051 - $TTL's value starts at position 5 (ldns).
4053 1 October 2014: Wouter
4054 - fix #613: Allow tab ws in var length last rdfs (in ldns str2wire).
4056 29 September 2014: Wouter
4057 - Fix #612: create service with service.conf in present directory and
4059 - Fix for mingw compile openssl ranlib.
4061 25 September 2014: Wouter
4062 - updated configure and aclocal with newer autoconf 1.13.
4064 22 September 2014: Wouter
4065 - Fix swig and python examples for Python 3.x.
4066 - Fix for mingw compile with openssl-1.0.1i.
4068 19 September 2014: Wouter
4069 - improve python configuration detection to build on Fedora 22.
4071 18 September 2014: Wouter
4072 - patches to also build with Python 3.x (from Pavel Simerda).
4074 16 September 2014: Wouter
4075 - Fix tcp timer waiting list removal code.
4076 - iana portlist update.
4077 - Updated the TCP_BACLOG from 5 to 256, so that the tcp accept queue
4078 is longer and more tcp connections can be handled.
4080 15 September 2014: Wouter
4081 - Fix unit test for CDS typecode.
4083 5 September 2014: Wouter
4084 - type CDS and CDNSKEY types in sldns.
4086 25 August 2014: Wouter
4087 - Fixup checklock code for log lock and its mutual initialization
4089 - iana portlist update.
4090 - Removed necessity for pkg-config from the dnstap.m4, new are
4091 the --with-libfstrm and --with-protobuf-c configure options.
4093 19 August 2014: Wouter
4094 - Update unbound manpage with more explanation (from Florian Obser).
4096 18 August 2014: Wouter
4097 - Fix #603: unbound-checkconf -o <option> should skip verification
4099 - iana portlist update.
4100 - Fixup doc/unbound.doxygen to remove obsolete 1.8.7 settings.
4102 5 August 2014: Wouter
4103 - dnstap support, with a patch from Farsight Security, written by
4104 Robert Edmonds. The --enable-dnstap needs libfstrm and protobuf-c.
4105 It is BSD licensed (see dnstap/dnstap.c).
4106 Building with --enable-dnstap needs pkg-config with this patch.
4107 - Noted dnstap in doc/README and doc/CREDITS.
4108 - Changes to the dnstap patch.
4110 - dnstap/dnstap_config.h should not have been added to the repo,
4111 because is it generated.
4113 1 August 2014: Wouter
4114 - Patch add msg, rrset, infra and key cache sizes to stats command
4115 from Maciej Soltysiak.
4116 - iana portlist update.
4118 31 July 2014: Wouter
4119 - DNS64 from Viagenie (BSD Licensed), written by Simon Perrault.
4120 Initial commit of the patch from the FreeBSD base (with its fixes).
4121 This adds a module (for module-config in unbound.conf) dns64 that
4122 performs DNS64 processing, see README.DNS64.
4123 - Changes from DNS64:
4124 strcpy changed to memmove.
4125 arraybound check fixed from prefix_net/8/4 to prefix_net/8+4.
4126 allocation of result consistently in the correct region.
4127 time_t is now used for ttl in unbound (since the patch's version).
4128 - testdata/dns64_lookup.rpl for unit test for dns64 functionality.
4130 29 July 2014: Wouter
4131 - Patch from Dag-Erling Smorgrav that implements feature, unbound -dd
4132 does not fork in the background and also logs to stderr.
4134 21 July 2014: Wouter
4135 - Fix endian.h include for OpenBSD.
4137 16 July 2014: Wouter
4138 - And Fix#596: Bail out of unbound-control dump_infra when ssl
4141 15 July 2014: Wouter
4142 - Fix #596: Bail out of unbound-control list_local_zones when ssl
4144 - iana portlist update.
4146 13 July 2014: Wouter
4147 - Configure tests if main can be linked to from getentropy compat.
4149 12 July 2014: Wouter
4150 - Fix getentropy compat code, function refs were not portable.
4151 - Fix to check openssl version number only for OpenSSL.
4152 - LibreSSL provides compat items, check for that in configure.
4153 - Fix bug in fix for log locks that caused deadlock in signal handler.
4154 - update compat/getentropy and arc4random to the most recent ones from OpenBSD.
4156 11 July 2014: Matthijs
4157 - fake-rfc2553 patch (thanks Benjamin Baier).
4159 11 July 2014: Wouter
4160 - arc4random in compat/ and getentropy, explicit_bzero, chacha for
4161 dependencies, from OpenBSD. arc4_lock and sha512 in compat.
4162 This makes arc4random available on all platforms, except when
4163 compiled with LIBNSS (it uses libNSS crypto random).
4164 - fix strptime implicit declaration error on OpenBSD.
4165 - arc4random, getentropy and explicit_bzero compat for Windows.
4168 - Fix #593: segfault or crash upon rotating logfile.
4172 - signit tool fixup for compile with libldns library.
4173 - iana portlist updated.
4175 27 June 2014: Wouter
4176 - so-reuseport is available on BSDs(such as FreeBSD 10) and OS/X.
4178 26 June 2014: Wouter
4179 - unbound-control status reports if so-reuseport was successful.
4180 - iana portlist updated.
4182 24 June 2014: Wouter
4183 - Fix caps-for-id fallback, and added fallback attempt when servers
4184 drop 0x20 perturbed queries.
4185 - Fixup testsetup for VM tests (run testcode/run_vm.sh).
4187 17 June 2014: Wouter
4188 - iana portlist updated.
4191 - Add AAAA for B root server to default root hints.
4194 - Remove unused define from iterator.h
4197 - Fixup sldns_enum_edns_option typedef definition.
4200 - Code cleanup patch from Dag-Erling Smorgrav, with compiler issue
4201 fixes from FreeBSD's copy of Unbound, he notes:
4202 Generate unbound-control-setup.sh at build time so it respects
4203 prefix and sysconfdir from the configure script. Also fix the
4204 umask to match the comment, and the comment to match the umask.
4205 Add const and static where needed. Use unions instead of
4206 playing pointer poker. Move declarations that are needed in
4207 multiple source files into a shared header. Move sldns_bgetc()
4208 from parse.c to buffer.c where it belongs. Introduce a new
4209 header file, worker.h, which declares the callbacks that
4210 all workers must define. Remove those declarations from
4211 libworker.h. Include the correct headers in the correct places.
4212 Fix a few dummy callbacks that don't match their prototype.
4213 Fix some casts. Hide the sbrk madness behind #ifdef HAVE_SBRK.
4214 Remove a useless printf which breaks reproducible builds.
4215 Get rid of CONFIGURE_{TARGET,DATE,BUILD_WITH} now that they're
4216 no longer used. Add unbound-control-setup.sh to the list of
4217 generated files. The prototype for libworker_event_done_cb()
4218 needs to be moved from libunbound/libworker.h to
4219 libunbound/worker.h.
4220 - Fixup out-of-directory compile with unbound-control-setup.sh.in.
4224 - unbound-host -D enabled dnssec and reads root trust anchor from
4225 the default root key file that was compiled in.
4228 - Feature, unblock-lan-zones: yesno that you can use to make unbound
4229 perform 10.0.0.0/8 and other reverse lookups normally, for use if
4230 unbound is running service for localhost on localhost.
4233 - Updated create_unbound_ad_servers and unbound_cache scripts from
4234 Yuri Voinov in the source/contrib directory. Added
4235 warmup.cmd (and .sh): warm up the DNS cache with your MRU domains.
4238 - Implement draft-ietf-dnsop-rfc6598-rfc6303-01.
4239 - iana portlist updated.
4242 - Contrib windows scripts from Yuri Voinov added to src/contrib:
4243 create_unbound_ad_servers.cmd: enters anti-ad server lists.
4244 unbound_cache.cmd: saves and loads the cache.
4245 - Added unbound-control-setup.cmd from Yuri Voinov to the windows
4246 unbound distribution set. It requires openssl installed in %PATH%.
4249 - Change MAX_SENT_COUNT from 16 to 32 to resolve some cases easier.
4252 - More #567: remove : from output of stub and forward lists, this is
4255 29 April 2014: Wouter
4256 - iana portlist updated.
4257 - Add unbound-control flush_negative that flushed nxdomains, nodata,
4258 and errors from the cache. For dnssec-trigger and NetworkManager,
4259 fixes cases where network changes have localdata that was already
4260 negatively cached from the previous network.
4262 23 April 2014: Wouter
4263 - Patch from Jeremie Courreges-Anglas to use arc4random_uniform
4264 if available on the OS, it gets entropy from the OS.
4266 15 April 2014: Wouter
4267 - Fix compile with libevent2 on FreeBSD.
4269 11 April 2014: Wouter
4270 - Fix #502: explain that do-ip6 disable does not stop AAAA lookups,
4271 but it stops the use of the ipv6 transport layer for DNS traffic.
4272 - iana portlist updated.
4274 10 April 2014: Wouter
4275 - iana portlist updated.
4276 - Patch from Hannes Frederic Sowa for Linux 3.15 fragmentation
4277 option for DNS fragmentation defense.
4278 - Document that dump_requestlist only prints queries from thread 0.
4279 - unbound-control stats prints num.query.tcpout with number of TCP
4280 outgoing queries made in the previous statistics interval.
4281 - Fix #567: unbound lists if forward zone is secure or insecure with
4282 +i annotation in output of list_forwards, also for list_stubs
4283 (for NetworkManager integration.)
4284 - Fix #554: use unsigned long to print 64bit statistics counters on
4286 - Fix #558: failed prefetch lookup does not remove cached response
4287 but delays next prefetch (in lieu of caching a SERVFAIL).
4288 - Fix #545: improved logging, the ip address of the error is printed
4289 on the same log-line as the error.
4291 8 April 2014: Wouter
4292 - Fix #574: make test fails on Ubuntu 14.04. Disabled remote-control
4293 in testbound scripts.
4294 - iana portlist updated.
4296 7 April 2014: Wouter
4297 - C.ROOT-SERVERS.NET has an IPv6 address, and we updated the root
4298 hints (patch from Anand Buddhdev).
4299 - Fix #572: Fix unit test failure for systems with different
4302 28 March 2014: Wouter
4303 - Fix #569: do_tcp is do-tcp in unbound.conf man page.
4305 25 March 2014: Wouter
4306 - Patch from Stuart Henderson to build unbound-host man from .1.in.
4308 24 March 2014: Wouter
4309 - Fix print filename of encompassing config file on read failure.
4311 12 March 2014: Wouter
4313 - trunk has 1.4.23 in development.
4315 10 March 2014: Wouter
4316 - Fix bug#561: contrib/cacti plugin did not report SERVFAIL rcodes
4317 because of spelling. Patch from Chris Coates.
4319 27 February 2014: Wouter
4322 21 February 2014: Wouter
4323 - iana portlist updated.
4325 20 February 2014: Matthijs
4326 - Be lenient when a NSEC NameError response with RCODE=NXDOMAIN is
4327 received. This is okay according 4035, but not after revising
4328 existence in 4592. NSEC empty non-terminals exist and thus the
4329 RCODE should have been NOERROR. If this occurs, and the RRsets
4330 are secure, we set the RCODE to NOERROR and the security status
4331 of the response is also considered secure.
4333 14 February 2014: Wouter
4334 - Works on Minix (3.2.1).
4336 11 February 2014: Wouter
4337 - Fix parse of #553(NSD) string in sldns, quotes without spaces.
4339 7 February 2014: Wouter
4340 - iana portlist updated.
4341 - add body to ifstatement if locks disabled.
4342 - add TXT string"string" test case to unit test.
4343 - Fix #551: License change "Regents" to "Copyright holder", matching
4344 the BSD license on opensource.org.
4346 6 February 2014: Wouter
4347 - sldns has type HIP.
4348 - code documentation on the module interface.
4350 5 February 2014: Wouter
4351 - Fix sldns parse tests on osx.
4353 3 February 2014: Wouter
4354 - Detect libevent2 install automatically by configure.
4355 - Fixup link with lib/event2 subdir.
4356 - Fix parse in sldns of quoted parenthesized text strings.
4358 31 January 2014: Wouter
4359 - unit test for ldns wire to str and back with zones, root, nlnetlabs
4361 - Fix for hex to string in unknown, atma and nsap.
4362 - fixup nss compile (no ldns in it).
4363 - fixup warning in unitldns
4364 - fixup WKS and rdata type service to print unsigned because strings
4365 are not portable; they cannot be read (for sure) on other computers.
4366 - fixup type EUI48 and EUI64, type APL and type IPSECKEY in string
4369 30 January 2014: Wouter
4370 - delay-close does not act if there are udp-wait queries, so that
4371 it does not make a socketdrain DoS easier.
4373 28 January 2014: Wouter
4374 - iana portlist updated.
4375 - iana portlist test updated so it does not touch the source
4376 if there are no changes.
4377 - delay-close: msec option that delays closing ports for which
4378 the UDP reply has timed out. Keeps the port open, only accepts
4379 the correct reply. This correct reply is not used, but the port
4380 is open so that no port-denied ICMPs are generated.
4382 27 January 2014: Wouter
4383 - reuseport is attempted, then fallback to without on failure.
4385 24 January 2014: Wouter
4386 - Change unbound-event.h to use void* buffer, length idiom.
4387 - iana portlist updated.
4388 - unbound-event.h is installed if you configure --enable-event-api.
4389 - speed up unbound (reports say it could be up to 10%), by reducing
4390 lock contention on localzones.lock. It is changed to an rwlock.
4391 - so-reuseport: yesno option to distribute queries evenly over
4392 threads on Linux (Thanks Robert Edmonds).
4395 21 January 2014: Wouter
4396 - Fix #547: no trustanchor written if filesystem full, fclose checked.
4398 17 January 2014: Wouter
4399 - Fix isprint() portability in sldns, uses unsigned int.
4400 - iana portlist updated.
4402 16 January 2014: Wouter
4403 - fix #544: Fixed +i causes segfault when running with module conf
4405 - Windows port, adjust %lld to %I64d, and warning in win_event.c.
4407 14 January 2014: Wouter
4408 - iana portlist updated.
4411 - Fix bug in cachedump that uses sldns.
4412 - update pythonmod for ldns_ to sldns_ name change.
4415 - Fix sldns to use sldns_ prefix for all ldns_ variables.
4416 - Fix windows compile to compile with sldns.
4419 - Fix sldns to make globals use sldns_ prefix. This fixes
4420 linking with libldns that uses global variables ldns_ .
4423 - Fix bug#537: compile python plugin without ldns library.
4426 - Fix bug#536: acl_deny_non_local and refuse_non_local added.
4429 - Patch from Neel Goyal to fix async id assignment if callback
4430 is called by libunbound in the mesh attach.
4431 - Accept ip-address: as an alternative for interface: for
4432 consistency with nsd.conf syntax.
4435 - Patch from Neel Goyal to fix callback in libunbound.
4438 - if configured --with-libunbound-only fix make install.
4441 - Fix #531: Set SO_REUSEADDR so that the wildcard interface and a
4442 more specific interface port 53 can be used at the same time, and
4443 one of the daemons is unbound.
4444 - iana portlist update.
4445 - separate ldns into core ldns inside ldns/ subdirectory. No more
4446 --with-ldns is needed and unbound does not rely on libldns.
4447 - portability fixes for new USE_SLDNS ldns subdir codebase.
4450 - Patch from Neel Goyal: Add an API call to set an event base on an
4451 existing ub_ctx. This basically just destroys the current worker and
4452 sets the event base to the current. And fix a deadlock in
4453 ub_resolve_event – the cfglock is held when libworker_create is
4454 called. This ends up trying to acquire the lock again in
4455 context_obtain_alloc in the call chain.
4456 - Fix #528: if very high logging (4 or more) segfault on allow_snoop.
4459 - unbound-event.h is installed if configured --with-libevent. It
4460 contains low-level library calls, that use libevent's event_base
4461 and an ldns_buffer for the wire return packet to perform async
4462 resolution in the client's eventloop.
4465 - 1.4.21 tag created.
4466 - trunk has 1.4.22 number inside it.
4467 - iana portlist updated.
4468 - acx_nlnetlabs.m4 to 26; improve FLTO help text.
4471 - Fix#524: max-udp-size not effective to non-EDNS0 queries, from
4475 - MIN_TTL and MAX_TTL also in time_t.
4476 - tag 1.4.21rc1 made again.
4479 - More fixes for bug#519: for the threaded case test if the bg
4480 thread has been killed, on ub_ctx_delete, to avoid hangs.
4483 - more fixes that I overlooked.
4484 - review fixes from Willem.
4487 - Fix#520: Errors found by static analysis from Tomas Hozza(redhat).
4490 - Fix for 2038, with time_t instead of uint32_t.
4493 - Fix#519 ub_ctx_delete may hang in some scenarios (libunbound).
4496 - Fix uninit variable in fix#516.
4499 - Fix#516 dnssec lameness detection for answers that are improper.
4505 - Fix#512 memleak in testcode for testbound (if it fails).
4506 - Fix#512 NSS returned arrays out of setup function to be statics.
4509 - max include of 100.000 files (depth and globbed at one time).
4510 This is to preserve system memory in bug cases, or endless cases.
4511 - iana portlist updated.
4514 - streamtcp man page, contributed by Tomas Hozza.
4515 - iana portlist updated.
4516 - libunbound documentation on how to avoid openssl race conditions.
4519 - Squelch sendto-permission denied errors when the network is
4520 not connected, to avoid spamming syslog.
4521 - configure --disable-flto option (from Robert Edmonds).
4524 - Fix for const string literals in C++ for libunbound, from Karel
4526 - iana portlist updated.
4529 - Fixup manpage syntax.
4532 - get_option and set_option support for log-time-ascii, python-script
4533 val-sig-skew-min and val-sig-skew-max. log-time-ascii takes effect
4534 immediately. The others are mostly useful for libunbound users.
4537 - get_option, set_option, unbound-checkconf -o and libunbound
4538 getoption and setoption support cache-min-ttl and cache-max-ttl.
4541 - Fix#501: forward-first does not recurse, when forward name is ".".
4542 - iana portlist update.
4543 - Max include depth is unlimited.
4546 - Update acx_pthreads.m4 to ax_pthreads.4 (2013-03-29), and apply
4547 patch to it to not fail when -Werror is also specified, from the
4549 - iana portlist update.
4552 - Explain bogus and secure flags in libunbound more.
4555 - Fix#499 use-after-free in out-of-memory handling code (thanks Jake
4557 - Fix#500 use on non-initialised values on socket bind failures.
4560 - Fix round-robin doesn't work with some Windows clients (from Ilya
4564 - update acx_nlnetlabs.m4 to v23, sleep w32 fix.
4566 26 April 2013: Wouter
4567 - add unbound-control insecure_add and insecure_remove for the
4568 administration of negative trust anchors.
4570 25 April 2013: Wouter
4571 - Implement max-udp-size config option, default 4096 (thanks
4573 - Robust checks on dname validity from rdata for dname compare.
4574 - updated iana portlist.
4576 19 April 2013: Wouter
4577 - Fixup snprintf return value usage, fixed libunbound_get_option.
4579 18 April 2013: Wouter
4580 - fix bug #491: pick program name (0th argument) as syslog identity.
4581 - own implementation of compat/snprintf.c.
4583 15 April 2013: Wouter
4584 - Fix so that for a configuration line of include: "*.conf" it is not
4585 an error if there are no files matching the glob pattern.
4586 - unbound-anchor review: BIO_write can return 0 successfully if it
4587 has successfully appended a zero length string.
4589 11 April 2013: Wouter
4590 - Fix queries leaking up for stubs and forwards, if the configured
4591 nameservers all fail to answer.
4593 10 April 2013: Wouter
4594 - code improve for minimal responses, small speed increase.
4596 9 April 2013: Wouter
4597 - updated iana portlist.
4598 - Fix crash in previous private address fixup of 22 March.
4600 28 March 2013: Wouter
4601 - Make reverse zones easier by documenting the nodefault statements
4602 commented-out in the example config file.
4604 26 March 2013: Wouter
4605 - more fixes to lookup3.c endianness detection.
4607 25 March 2013: Wouter
4608 - #492: Fix endianness detection, revert to older lookup3.c detection
4609 and put new detect lines after previous tests, to avoid regressions
4610 but allow new detections to succeed.
4611 And add detection for machine/endian.h to it.
4613 22 March 2013: Wouter
4614 - Fix resolve of names that use a mix of public and private addresses.
4615 - iana portlist update.
4616 - Fix makedist for new svn for -d option.
4617 - unbound.h header file has UNBOUND_VERSION_MAJOR define.
4618 - Fix windows RSRC version for long version numbers.
4620 21 March 2013: Wouter
4623 - committed libunbound version 4:1:2 for binary API updated in 1.4.20
4624 - install copy of unbound-control.8 man page for unbound-control-setup
4626 14 March 2013: Wouter
4627 - iana portlist update.
4630 12 March 2013: Wouter
4631 - Fixup makedist.sh for windows compile.
4633 11 March 2013: Wouter
4634 - iana portlist update.
4635 - testcode/ldns-testpkts.c check for makedist is informational.
4637 15 February 2013: Wouter
4638 - fix defines in lookup3 for bigendian bsd alpha
4640 11 February 2013: Wouter
4641 - Fixup openssl_thread init code to only run if compiled with SSL.
4643 7 February 2013: Wouter
4644 - detect endianness in lookup3 on BSD.
4645 - add libunbound.ttl at end of result structure, version bump for
4646 libunbound and binary backwards compatible, but 1.4.19 is not
4647 forward compatible with 1.4.20.
4648 - update iana port list.
4650 30 January 2013: Wouter
4651 - includes and have_ssl fixes for nss.
4653 29 January 2013: Wouter
4654 - printout name of zone with duplicate fwd and hint errors.
4656 28 January 2013: Wouter
4657 - updated fwd_zero for newer nc. Updated common.sh for newer netstat.
4659 17 January 2013: Wouter
4660 - unbound-anchors checks the emailAddress of the signer of the
4661 root.xml file, default is dnssec@iana.org. It also checks that
4662 the signer has the correct key usage for a digital signature.
4663 - update iana port list.
4665 3 January 2013: Wouter
4666 - Test that unbound-control checks client credentials.
4667 - Test that unbound can handle a CNAME at an intermediate node in
4668 the chain of trust (where it seeks a DS record).
4669 - Check the commonName of the signer of the root.xml file in
4670 unbound-anchor, default is dnssec@iana.org.
4672 2 January 2013: Wouter
4673 - Fix openssl lock free on exit (reported by Robert Fleischman).
4674 - iana portlist updated.
4675 - Tested that unbound implements the RFC5155 Technical Errata id 3441.
4676 Unbound already implements insecure classification of an empty
4677 nonterminal in NSEC3 optout zone.
4679 20 December 2012: Wouter
4680 - Fix unbound-anchor xml parse of entity declarations for safety.
4682 19 December 2012: Wouter
4683 - iana portlist updated.
4685 18 December 2012: Wouter
4686 - iana portlist updated.
4688 14 December 2012: Wouter
4689 - Change of D.ROOT-SERVERS.NET A address in default root hints.
4691 12 December 2012: Wouter
4693 - trunk has 1.4.20 under development.
4695 5 December 2012: Wouter
4696 - note support for AAAA RR type RFC.
4698 4 December 2012: Wouter
4701 30 November 2012: Wouter
4702 - bug 481: fix python example0.
4703 - iana portlist updated.
4705 27 November 2012: Wouter
4706 - iana portlist updated.
4708 9 November 2012: Wouter
4709 - Fix unbound-control forward disables configured stubs below it.
4711 7 November 2012: Wouter
4712 - Fixup ldns-testpkts, identical to ldns/examples.
4713 - iana portlist updated.
4715 30 October 2012: Wouter
4716 - Fix bug #477: unbound-anchor segfaults if EDNS is blocked.
4718 29 October 2012: Matthijs
4719 - Fix validation for responses with both CNAME and wildcard
4720 expanded CNAME records in answer section.
4722 8 October 2012: Wouter
4723 - update ldns-testpkts.c to ldns 1.6.14 version.
4724 - fix build of pythonmod in objdir, for unbound.py.
4725 - make clean and makerealclean remove generated python and docs.
4727 5 October 2012: Wouter
4728 - fix build of pythonmod in objdir (thanks Jakob Schlyter).
4730 3 October 2012: Wouter
4731 - fix text in unbound-anchor man page.
4733 1 October 2012: Wouter
4734 - ignore trusted-keys globs that have no files (from Paul Wouters).
4736 27 September 2012: Wouter
4737 - include: directive in config file accepts wildcards. Patch from
4738 Paul Wouters. Suggested use: include: "/etc/unbound.d/conf.d/*"
4739 - unbound-control -q option is quiet, patch from Mariano Absatz.
4740 - iana portlist updated.
4741 - updated contrib/unbound.spec, patch from Valentin Bud.
4743 21 September 2012: Wouter
4744 - chdir to / after chroot call (suggested by Camiel Dobbelaar).
4746 17 September 2012: Wouter
4747 - patch_rsamd5_enable.diff: this patch enables RSAMD5 validation
4748 otherwise it is treated as insecure. The RSAMD5 algorithm is
4749 deprecated (RFC6725). The MD5 hash is considered weak for some
4750 purposes, if you want to sign your zone, then RSASHA256 is an
4753 30 August 2012: Wouter
4754 - RFC6725 deprecates RSAMD5: this DNSKEY algorithm is disabled.
4755 - iana portlist updated.
4757 29 August 2012: Wouter
4758 - Nicer comments outgoing-port-avoid, thanks Stu (bug #465).
4760 22 August 2012: Wouter
4761 - Fallback to 1472 and 1232, one fragment size without headers.
4763 21 August 2012: Wouter
4764 - Fix timeouts so that when a server has been offline for a while
4765 and is probed to see it works, it becomes fully available for
4766 server selection again.
4768 17 August 2012: Wouter
4769 - Add documentation to libunbound for default nonuse of resolv.conf.
4771 2 August 2012: Wouter
4772 - trunk has 1.4.19 under development (fixes from 1 aug and 31 july
4774 - iana portlist updated.
4776 1 August 2012: Wouter
4777 - Fix openssl race condition, initializes openssl locks, reported
4778 by Einar Lonn and Patrik Wallstrom.
4780 31 July 2012: Wouter
4781 - Improved forward-first and stub-first documentation.
4782 - Fix that enables modules to register twice for the same
4783 serviced_query, without race conditions or administration issues.
4784 This should not happen with the current codebase, but it is robust.
4785 - Fix forward-first option where it sets the RD flag wrongly.
4786 - added manpage links for libunbound calls (Thanks Paul Wouters).
4788 30 July 2012: Wouter
4789 - tag 1.4.18rc2 (became 1.4.18 release at 2 august 2012).
4791 27 July 2012: Wouter
4792 - unbound-host works with libNSS
4793 - fix bogus nodata cname chain not reported as bogus by validator,
4794 (Thanks Peter van Dijk).
4796 26 July 2012: Wouter
4797 - iana portlist updated.
4800 25 July 2012: Wouter
4801 - review fix for libnss, check hash prefix allocation size.
4803 23 July 2012: Wouter
4804 - fix missing break for GOST DS hash function.
4805 - implemented forward_first for the root.
4807 20 July 2012: Wouter
4808 - Fix bug#452 and another assertion failure in mesh.c, makes
4809 assertions in mesh.c resist duplicates. Fixes DS NS search to
4810 not generate duplicate sub queries.
4812 19 July 2012: Willem
4813 - Fix bug#454: Remove ACX_CHECK_COMPILER_FLAG from configure.ac,
4814 if CFLAGS is specified at configure time then '-g -O2' is not
4815 appended to CFLAGS, so that the user can override them.
4817 18 July 2012: Willem
4818 - Fix libunbound report of errors when in background mode.
4820 11 July 2012: Willem
4821 - updated iana ports list.
4824 - Add flush_bogus option for unbound-control
4827 - Fix validation of qtype DS queries that result in no data for
4828 non-optout NSEC3 zones.
4831 - compile libunbound with libnss on Suse, passes regression tests.
4834 - FIPS_mode openssl does not use arc4random but RAND_pseudo_bytes.
4837 - updated iana ports list.
4839 29 June 2012: Wouter
4840 - patch for unbound_munin_ script to handle arbitrary thread count by
4843 28 June 2012: Wouter
4844 - detect if openssl has FIPS_mode.
4845 - code review: return value of cache_store can be ignored for better
4846 performance in out of memory conditions.
4847 - fix edns-buffer-size and msg-buffer-size manpage documentation.
4848 - updated iana ports list.
4850 25 June 2012: Wouter
4851 - disable RSAMD5 if in FIPS mode (for openssl and for libnss).
4853 22 June 2012: Wouter
4854 - implement DS records, NSEC3 and ECDSA for compile with libnss.
4856 21 June 2012: Wouter
4857 - fix error handling of alloc failure during rrsig verification.
4858 - nss check for verification failure.
4859 - nss crypto works for RSA and DSA.
4861 20 June 2012: Wouter
4862 - work on --with-nss build option (for now, --with-libunbound-only).
4864 19 June 2012: Wouter
4865 - --with-libunbound-only build option, only builds the library and
4866 not the daemon and other tools.
4868 18 June 2012: Wouter
4871 15 June 2012: Wouter
4872 - implement log-time-ascii on windows.
4873 - The key-cache bad key ttl is now 60 seconds.
4874 - updated iana ports list.
4877 11 June 2012: Wouter
4878 - bug #452: fix crash on assert in mesh_state_attachment.
4881 - silence warning from swig-generated code (md set but not used in
4882 swig initmodule, due to ifdefs in swig-generated code).
4885 - Fix debian-bugs-658021: Please enable hardened build flags.
4888 - updated iana ports list.
4891 - tag for 1.4.17 release.
4892 - trunk is 1.4.18 in development.
4895 - Review comments, removed duplicate memset to zero in delegpt.
4898 - Updated doc/FEATURES with RFCs that are implemented but not listed.
4899 - Protect if statements in val_anchor for compile without locks.
4900 - tag for 1.4.17rc1.
4903 - fix configure ECDSA support in ldns detection for windows compile.
4904 - fix possible uninitialised variable in windows pipe implementation.
4907 - Fix alignment problem in util/random on sparc64/freebsd.
4910 - Fix for accept spinning reported by OpenBSD.
4911 - iana portlist updated.
4914 - Fix validation of nodata for DS query in NSEC zones, reported by
4917 13 April 2012: Wouter
4918 - ECDSA support (RFC 6605) by default. Use --disable-ecdsa for older
4921 10 April 2012: Wouter
4922 - Applied patch from Daisuke HIGASHI for rrset-roundrobin and
4923 minimal-responses features.
4924 - iana portlist updated.
4926 5 April 2012: Wouter
4927 - fix bug #443: --with-chroot-dir not honoured by configure.
4928 - fix bug #444: setusercontext was called too late (thanks Bjorn
4931 27 March 2012: Wouter
4932 - fix bug #442: Fix that Makefile depends on pythonmod headers
4933 even using --without-pythonmodule.
4935 22 March 2012: Wouter
4936 - contrib/validation-reporter follows rotated log file (patch from
4939 21 March 2012: Wouter
4940 - new approach to NS fetches for DS lookup that works with
4941 cornercases, and is more robust and considers forwarders.
4943 19 March 2012: Wouter
4944 - iana portlist updated.
4945 - fix to locate nameservers for DS lookup with NS fetches.
4947 16 March 2012: Wouter
4948 - Patch for access to full DNS packet data in unbound python module
4951 9 March 2012: Wouter
4952 - Applied line-buffer patch from Augie Schwer to validation.reporter.sh.
4954 2 March 2012: Wouter
4955 - flush_infra cleans timeouted servers from the cache too.
4956 - removed warning from --enable-ecdsa.
4958 1 March 2012: Wouter
4959 - forward-first option. Tries without forward if a query fails.
4960 Also stub-first option that is similar.
4962 28 February 2012: Wouter
4963 - Fix from code review, if EINPROGRESS not defined chain if statement
4966 27 February 2012: Wouter
4967 - Fix bug#434: on windows check registry for config file location
4968 for unbound-control.exe, and unbound-checkconf.exe.
4970 23 February 2012: Wouter
4971 - Fix to squelch 'network unreachable' errors from tcp connect in
4972 logs, high verbosity will show them.
4974 16 February 2012: Wouter
4975 - iter_hints is now thread-owned in module env, and thus threadsafe.
4976 - Fix prefetch and sticky NS, now the prefetch works. It picks
4977 nameservers that 'would be valid in the future', and if this makes
4978 the NS timeout, it updates that NS by asking delegation from the
4979 parent again. If child NS has longer TTL, that TTL does not get
4980 refreshed from the lookup to the child nameserver.
4982 15 February 2012: Wouter
4983 - Fix forward-zone memory, uses malloc and frees original root dp.
4984 - iter hints (stubs) uses malloc inside for more dynamicity.
4985 - unbound-control forward_add, forward_remove, stub_add, stub_remove
4986 can modify stubs and forwards for running unbound (on mobile computer)
4987 they can also add and remove domain-insecure for the zone.
4989 14 February 2012: Wouter
4990 - Fix sticky NS (ghost domain problem) if prefetch is yes.
4991 - iter forwards uses malloc inside for more dynamicity.
4993 13 February 2012: Wouter
4994 - RT#2955. Fix for cygwin compilation.
4995 - iana portlist updated.
4997 10 February 2012: Wouter
4998 - Slightly smaller critical region in one case in infra cache.
4999 - Fix timeouts to keep track of query type, A, AAAA and other, if
5000 another has caused timeout blacklist, different type can still probe.
5001 - unit test fix for nomem_cnametopos.rpl race condition.
5003 9 February 2012: Wouter
5004 - Fix AHX_BROKEN_MEMCMP for autoheader mess up of #undef in config.h.
5006 8 February 2012: Wouter
5007 - implement draft-ietf-dnsext-ecdsa-04; which is in IETF LC; This
5008 implementation is experimental at this time and not recommended
5009 for use on the public internet (the protocol numbers have not
5010 been assigned). Needs recent ldns with --enable-ecdsa.
5011 - fix memory leak in errorcase for DSA signatures.
5012 - iana portlist updated.
5013 - workaround for openssl 0.9.8 ecdsa sha2 and evp problem.
5015 3 February 2012: Wouter
5016 - fix for windows, rename() is not posix compliant on windows.
5018 2 February 2012: Wouter
5019 - 1.4.16 release tag.
5020 - svn trunk is 1.4.17 in development.
5021 - iana portlist updated.
5023 1 February 2012: Wouter
5024 - Fix validation failures (like: validation failure xx: no NSEC3
5025 closest encloser from yy for DS zz. while building chain of trust,
5026 because of a bug in the TTL-fix in 1.4.15, it picked the wrong rdata
5027 for an NSEC3. Now it does not change rdata, and fixes TTL.
5029 30 January 2012: Wouter
5030 - Fix version-number in libtool to be version-info so it produces
5031 libunbound.so.2 like it should.
5033 26 January 2012: Wouter
5034 - Tag 1.4.15 (same as 1.4.15rc1), for 1.4.15 release.
5035 - trunk 1.4.16; includes changes memset testcode, #424 openindiana,
5036 and keyfile write fixup.
5037 - applied patch to support outgoing-interface with ub_ctx_set_option.
5039 23 January 2012: Wouter
5040 - Fix memset in test code.
5042 20 January 2012: Wouter
5043 - Fix bug #424: compile on OpenIndiana OS with gcc 4.6.2.
5045 19 January 2012: Wouter
5046 - Fix to write key files completely to a temporary file, and if that
5047 succeeds, replace the real key file. So failures leave a useful file.
5049 18 January 2012: Wouter
5050 - tag 1.4.15rc1 created
5051 - updated libunbound/ubsyms.def and remade tag 1.4.15rc1.
5053 17 January 2012: Wouter
5054 - Fix bug where canonical_compare of RRSIG did not downcase the
5055 signer-name. This is mostly harmless because RRSIGs do not have
5056 to be sorted in canonical order, usually.
5058 12 January 2012: Wouter
5059 - bug#428: add ub_version() call to libunbound. API version increase,
5060 with (binary) backwards compatibility for the previous version.
5062 10 January 2012: Wouter
5063 - Fix bug #425: unbound reports wrong TTL in reply, it reports a TTL
5064 that would be permissible by the RFCs but it is not the TTL in the
5066 - iana portlist updated.
5067 - uninitialised variable in reprobe for rtt blocked domains fixed.
5068 - lintfix and new flex output.
5070 2 January 2012: Wouter
5071 - Fix to randomize hash function, based on 28c3 congress, reported
5074 24 December 2011: Wouter
5075 - Fix for memory leak (about 20 bytes when a tcp or udp send operation
5076 towards authority servers failed, takes about 50.000 such failures to
5077 leak one Mb, such failures are also usually logged), reported by
5079 - iana portlist updated.
5081 19 December 2011: Wouter
5082 - Fix for VU#209659 CVE-2011-4528: Unbound denial of service
5083 vulnerabilities from nonstandard redirection and denial of existence
5084 http://www.unbound.net/downloads/CVE-2011-4528.txt
5085 - robust checks for next-closer NSEC3s.
5086 - tag 1.4.14 created.
5087 - trunk has 1.4.15 in development.
5089 15 December 2011: Wouter
5090 - remove uninit warning from cachedump code.
5091 - Fix parse error on negative SOA RRSIGs if badly ordered in the packet.
5093 13 December 2011: Wouter
5094 - iana portlist updated.
5096 - fix infra cache comparison.
5097 - Fix to constrain signer_name to be a parent of the lookupname.
5099 5 December 2011: Wouter
5100 - Fix getaddrinfowithincludes on windows with fedora16 mingw32-gcc.
5101 - Fix warnings with gcc 4.6 in compat/inet_ntop.c.
5102 - Fix warning unused in compat/strptime.c.
5103 - Fix malloc detection and double definition.
5105 2 December 2011: Wouter
5106 - configure generated with autoconf 2.68.
5108 30 November 2011: Wouter
5109 - Fix for tcp-upstream and ssl-upstream for if a laptop sleeps, causes
5110 SERVFAILs. Also fixed for UDP (but less likely).
5112 28 November 2011: Wouter
5113 - Fix quartile time estimate, it was too low, (thanks Jan Komissar).
5114 - iana ports updated.
5116 11 November 2011: Wouter
5117 - Makefile compat with SunOS make, BSD make and GNU make.
5118 - iana ports updated.
5120 10 November 2011: Wouter
5121 - Makefile changed for BSD make compatibility.
5123 9 November 2011: Wouter
5124 - added unit test for SSL service and SSL-upstream.
5126 8 November 2011: Wouter
5127 - can configure ssl service to one port number, and not on others.
5128 - fixup windows compile with ssl support.
5129 - Fix double free in unbound-host, reported by Steve Grubb.
5130 - iana portlist updated.
5132 1 November 2011: Wouter
5133 - dns over ssl support as a client, ssl-upstream yes turns it on.
5134 It performs an SSL transaction for every DNS query (250 msec).
5135 - documentation for new options: ssl-upstream, ssl-service-key and
5137 - iana portlist updated.
5138 - fix -flto detection on Lion for llvm-gcc.
5140 31 October 2011: Wouter
5141 - dns over ssl support, ssl-service-pem and ssl-service-key files
5142 can be given and then TCP queries are serviced wrapped in SSL.
5144 27 October 2011: Wouter
5145 - lame-ttl and lame-size options no longer exist, it is integrated
5146 with the host info. They are ignored (with verbose warning) if
5147 encountered to keep the config file backwards compatible.
5148 - fix iana-update for changing gzip compression of results.
5149 - fix export-all-symbols on OSX.
5151 26 October 2011: Wouter
5152 - iana portlist updated.
5153 - Infra cache stores information about ping and lameness per IP, zone.
5154 This fixes bug #416.
5155 - fix iana_update target for gzipped file on iana site.
5157 24 October 2011: Wouter
5158 - Fix resolve of partners.extranet.microsoft.com with a fix for the
5159 server selection for choosing out of a (particular) list of bad
5161 - Fix make_new_space function so that the incoming query is not
5162 overwritten if a jostled out query causes a waiting query to be
5163 resumed that then fails and sends an error message. (Thanks to
5166 21 October 2011: Wouter
5167 - fix --enable-allsymbols, fptr wlist is disabled on windows with this
5168 option enabled because of memory layout exe vs dll.
5170 19 October 2011: Wouter
5171 - fix unbound-anchor for broken strptime on OSX lion, detected
5173 - Detect if GOST really works, openssl1.0 on OSX fails.
5174 - Implement ipv6%interface notation for scope_id usage.
5176 17 October 2011: Wouter
5177 - better documentation for inform_super (Thanks Yang Zhe).
5179 14 October 2011: Wouter
5180 - Fix for out-of-memory condition in libunbound (thanks
5183 13 October 2011: Wouter
5184 - Fix --enable-allsymbols, it depended on link specifics of the
5185 target platform, or fptr_wlist assertion failures could occur.
5187 12 October 2011: Wouter
5188 - updated contrib/unbound_munin_ to family=auto so that it works with
5189 munin-node-configure automatically (if installed as
5190 /usr/local/share/munin/plugins/unbound_munin_ ).
5192 27 September 2011: Wouter
5193 - unbound.exe -w windows option for start and stop service.
5195 23 September 2011: Wouter
5196 - TCP-upstream calculates tcp-ping so server selection works if there
5199 20 September 2011: Wouter
5200 - Fix classification of NS set in answer section, where there is a
5201 parent-child server, and the answer has the AA flag for dir.slb.com.
5202 Thanks to Amanda Constant from Secure64.
5204 16 September 2011: Wouter
5205 - fix bug #408: accept patch from Steve Snyder that comments out
5206 unused functions in lookup3.c.
5207 - iana portlist updated.
5208 - fix EDNS1480 change memleak and TCP fallback.
5209 - fix various compiler warnings (reported by Paul Wouters).
5210 - max sent count. EDNS1480 only for rtt < 5000. No promiscuous
5211 fetch if sentcount > 3, stop query if sentcount > 16. Count is
5212 reset when referral or CNAME happens. This makes unbound better
5213 at managing large NS sets, they are explored when there is continued
5214 interest (in the form of queries).
5216 15 September 2011: Wouter
5218 - trunk contains 1.4.14 in development.
5219 - Unbound probes at EDNS1480 if there an EDNS0 timeout.
5221 12 September 2011: Wouter
5222 - Reverted dns EDNS backoff fix, it did not help and needs
5223 fragmentation fixes instead.
5226 7 September 2011: Wouter
5227 - Fix operation in ipv6 only (do-ip4: no) mode.
5229 6 September 2011: Wouter
5230 - fedora specfile updated.
5232 5 September 2011: Wouter
5235 2 September 2011: Wouter
5236 - iana portlist updated.
5238 26 August 2011: Wouter
5239 - Fix num-threads 0 does not segfault, reported by Simon Deziel.
5240 - Fix validation failures due to EDNS backoff retries, the retry
5241 for fetch of data has want_dnssec because the iter_indicate_dnssec
5242 function returns true when validation failure retry happens, and
5243 then the serviced query code does not fallback to noEDNS, even if
5244 the cache says it has this. This helps for DLV deployment when
5245 the DNSSEC status is not known for sure before the lookup concludes.
5247 24 August 2011: Wouter
5248 - Applied patch from Karel Slany that fixes a memory leak in the
5249 unbound python module, in string conversions.
5251 22 August 2011: Wouter
5252 - Fix validation of qtype ANY responses with CNAMEs (thanks Cathy
5253 Zhang and Luo Ce). Unbound responds with the RR types that are
5254 available at the name for qtype ANY and validates those RR types.
5255 It does not test for completeness (i.e. with NSEC or NSEC3 query),
5256 and it does not follow the CNAME or DNAME to another name (with
5257 even more data for the already large response).
5258 - Fix that internally, CNAMEs with NXDOMAIN have that as rcode.
5259 - Documented the options that work with control set_option command.
5260 - tcp-upstream yes/no option (works with set_option) for tunnels.
5262 18 August 2011: Wouter
5263 - fix autoconf call in makedist crosscompile to RC or snapshot.
5265 17 August 2011: Wouter
5266 - Fix validation of . DS query.
5267 - new xml format at IANA, new awk for iana_update.
5268 - iana portlist updated.
5270 10 August 2011: Wouter
5271 - Fix python site-packages path to /usr/lib64.
5272 - updated patch from Tom.
5273 - fix memory and fd leak after out-of-memory condition.
5275 9 August 2011: Wouter
5276 - patch from Tom Hendrikx fixes load of python modules.
5278 8 August 2011: Wouter
5279 - make clean had ldns-src reference, removed.
5281 1 August 2011: Wouter
5282 - Fix autoconf 2.68 warnings
5284 14 July 2011: Wouter
5285 - Unbound implements RFC6303 (since version 1.4.7).
5286 - tag 1.4.12rc1 is released as 1.4.12 (without the other fixes in the
5287 meantime, those are for 1.4.13).
5288 - iana portlist updated.
5290 13 July 2011: Wouter
5291 - Quick fix for contrib/unbound.spec example, no ldns-builtin any more.
5293 11 July 2011: Wouter
5294 - Fix wildcard expansion no-data reply under an optout NSEC3 zone is
5295 validated as insecure, reported by Jia Li (lijia@cnnic.cn).
5298 - 1.4.12rc1 tag created.
5301 - version number in example config file.
5302 - fix that --enable-static-exe does not complain about it unknown.
5304 30 June 2011: Wouter
5305 - tag relase 1.4.11, trunk is 1.4.12 development.
5306 - iana portlist updated.
5307 - fix bug#395: id bits of other query may leak out under conditions
5308 - fix replyaddr count wrong after jostled queries, which leads to
5309 eventual starvation where the daemon has no replyaddrs left to use.
5310 - fix comment about rndc port, that referred to the old port number.
5311 - fix that the listening socket is not closed when too many remote
5312 control connections are made at the same time.
5313 - removed ldns-src tarball inside the unbound tarball.
5315 23 June 2011: Wouter
5316 - Changed -flto check to support clang compiler.
5317 - tag 1.4.11rc3 created.
5319 17 June 2011: Wouter
5320 - tag 1.4.11rc1 created.
5321 - remove warning about signed/unsigned from flex (other flex version).
5322 - updated aclocal.m4 and libtool to match.
5323 - tag 1.4.11rc2 created.
5325 16 June 2011: Wouter
5326 - log-queries: yesno option, default is no, prints querylog.
5327 - version is 1.4.11.
5329 14 June 2011: Wouter
5330 - Use -flto compiler flag for link time optimization, if supported.
5331 - iana portlist updated.
5333 12 June 2011: Wouter
5334 - IPv6 service address for d.root-servers.net (2001:500:2D::D).
5336 10 June 2011: Wouter
5337 - unbound-control has version number in the header,
5338 UBCT[version]_space_ is the header sent by the client now.
5339 - Unbound control port number is registered with IANA:
5340 ub-dns-control 8953/tcp unbound dns nameserver control
5341 This is the new default for the control-port config setting.
5342 - statistics-interval prints the number of jostled queries to log.
5345 - Fix Makefile for U in environment, since wrong U is more common than
5346 deansification necessity.
5347 - iana portlist updated.
5348 - updated ldns tarball to 1.6.10rc2 snapshot of today.
5351 - Fix assertion failure when unbound generates an empty error reply
5352 in response to a query, CVE-2011-1922 VU#531342.
5353 - This fix is in tag 1.4.10.
5354 - defense in depth against the above bug, an error is printed to log
5355 instead of an assertion failure.
5358 - bug#386: --enable-allsymbols option links all binaries to libunbound
5359 and reduces install size significantly.
5360 - feature, ignore-cd-flag: yesno to provide dnssec to legacy servers.
5361 - iana portlist updated.
5362 - Fix TTL of SOA so negative TTL is separately cached from normal TTL.
5364 14 April 2011: Wouter
5365 - configure created with newer autoconf 2.66.
5367 12 April 2011: Wouter
5368 - bug#378: Fix that configure checks for ldns_get_random presence.
5370 8 April 2011: Wouter
5371 - iana portlist updated.
5372 - queries with CD flag set cause DNSSEC validation, but the answer is
5373 not withheld if it is bogus. Thus, unbound will retry if it is bad
5374 and curb the TTL if it is bad, thus protecting the cache for use by
5375 downstream validators.
5376 - val-override-date: -1 ignores dates entirely, for NTP usage.
5378 29 March 2011: Wouter
5379 - harden-below-nxdomain: changed so that it activates when the
5380 cached nxdomain is dnssec secure. This avoids backwards
5381 incompatibility because those old servers do not have dnssec.
5383 24 March 2011: Wouter
5384 - iana portlist updated.
5388 17 March 2011: Wouter
5389 - bug#370: new unbound.spec for CentOS 5.x from Harold Jones.
5390 Applied but did not do the --disable-gost.
5392 10 March 2011: Wouter
5393 - tag 1.4.9 release candidate 1 created.
5395 3 March 2011: Wouter
5396 - updated ldns to today.
5398 1 March 2011: Wouter
5399 - Fix no ADflag for NXDOMAIN in NSEC3 optout. And wildcard in optout.
5400 - give config parse error for multiple names on a stub or forward zone.
5401 - updated ldns tarball to 1.6.9(todays snapshot).
5403 24 February 2011: Wouter
5404 - bug #361: Fix, time.elapsed variable not reset with stats_noreset.
5406 23 February 2011: Wouter
5407 - iana portlist updated.
5408 - common.sh to version 3.
5410 18 February 2011: Wouter
5411 - common.sh in testdata updated to version 2.
5413 15 February 2011: Wouter
5414 - Added explicit note on unbound-anchor usage:
5415 Please note usage of unbound-anchor root anchor is at your own risk
5416 and under the terms of our LICENSE (see that file in the source).
5418 11 February 2011: Wouter
5419 - iana portlist updated.
5420 - tpkg updated with common.sh for common functionality.
5422 7 February 2011: Wouter
5423 - Added regression test for addition of a .net DS to the root, and
5424 cache effects with different TTL for glue and DNSKEY.
5425 - iana portlist updated.
5427 28 January 2011: Wouter
5428 - Fix remove private address does not throw away entire response.
5430 24 January 2011: Wouter
5433 19 January 2011: Wouter
5434 - fix bug#349: no -L/usr for ldns.
5436 18 January 2011: Wouter
5437 - ldns 1.6.8 tarball included.
5440 17 January 2011: Wouter
5441 - add get and set option for harden-below-nxdomain feature.
5442 - iana portlist updated.
5444 14 January 2011: Wouter
5445 - Fix so a changed NS RRset does not get moved name stuck on old
5446 server, for type NS the TTL is not increased.
5448 13 January 2011: Wouter
5449 - Fix prefetch so it does not get stuck on old server for moved names.
5451 12 January 2011: Wouter
5452 - iana portlist updated.
5454 11 January 2011: Wouter
5455 - Fix insecure CNAME sequence marked as secure, reported by Bert
5458 10 January 2011: Wouter
5459 - faster lruhash get_mem routine.
5461 4 January 2011: Wouter
5462 - bug#346: remove ITAR scripts from contrib, the service is discontinued, use the root.
5463 - iana portlist updated.
5465 23 December 2010: Wouter
5466 - Fix in infra cache that could cause rto larger than TOP_TIMEOUT kept.
5468 21 December 2010: Wouter
5469 - algorithm compromise protection using the algorithms signalled in
5470 the DS record. Also, trust anchors, DLV, and RFC5011 receive this,
5471 and thus, if you have multiple algorithms in your trust-anchor-file
5472 then it will now behave different than before. Also, 5011 rollover
5473 for algorithms needs to be double-signature until the old algorithm
5475 It is not an option, because I see no use to turn the security off.
5476 - iana portlist updated.
5478 17 December 2010: Wouter
5479 - squelch 'tcp connect: bla' in logfile, (set verbosity 2 to see them).
5480 - fix validation in this case: CNAME to nodata for co-hosted opt-in
5481 NSEC3 insecure delegation, was bogus, fixed to be insecure.
5483 16 December 2010: Wouter
5484 - Fix our 'BDS' license (typo reported by Xavier Belanger).
5486 10 December 2010: Wouter
5487 - iana portlist updated.
5488 - review changes for unbound-anchor.
5490 2 December 2010: Wouter
5491 - feature typetransparent localzone, does not block other RR types.
5493 1 December 2010: Wouter
5494 - Fix bug#338: print address when socket creation fails.
5496 30 November 2010: Wouter
5497 - Fix storage of EDNS failures in the infra cache.
5498 - iana portlist updated.
5500 18 November 2010: Wouter
5501 - harden-below-nxdomain option, default off (because very old
5502 software may be incompatible). We could enable it by default in
5505 17 November 2010: Wouter
5506 - implement draft-vixie-dnsext-resimprove-00, we stop on NXDOMAIN.
5507 - make test output nicer.
5509 15 November 2010: Wouter
5510 - silence 'tcp connect: broken pipe' and 'net down' at low verbosity.
5511 - iana portlist updated.
5512 - so-sndbuf option for very busy servers, a bit like so-rcvbuf.
5514 9 November 2010: Wouter
5515 - unbound-anchor compiles with openssl 0.9.7.
5517 8 November 2010: Wouter
5518 - release tag 1.4.7.
5519 - trunk is version 1.4.8.
5520 - Be lenient and accept imgw.pl malformed packet (like BIND).
5522 5 November 2010: Wouter
5523 - do not synthesize a CNAME message from cache for qtype DS.
5525 4 November 2010: Wouter
5526 - Use central entropy to seed threads.
5528 3 November 2010: Wouter
5529 - Change the rtt used to probe EDNS-timeout hosts to 1000 msec.
5531 2 November 2010: Wouter
5535 1 November 2010: Wouter
5536 - GOST code enabled by default (RFC 5933).
5538 27 October 2010: Wouter
5539 - Fix uninit value in dump_infra print.
5540 - Fix validation failure for parent and child on same server with an
5541 insecure childzone and a CNAME from parent to child.
5542 - Configure detects libev-4.00.
5544 26 October 2010: Wouter
5545 - dump_infra and flush_infra commands for unbound-control.
5546 - no timeout backoff if meanwhile a query succeeded.
5547 - Change of timeout code. No more lost and backoff in blockage.
5548 At 12sec timeout (and at least 2x lost before) one probe per IP
5549 is allowed only. At 120sec, the IP is blocked. After 15min, a
5550 120sec entry has a single retry packet.
5552 25 October 2010: Wouter
5553 - Configure errors if ldns is not found.
5555 22 October 2010: Wouter
5556 - Windows 7 fix for the installer.
5558 21 October 2010: Wouter
5559 - Fix bug where fallback_tcp causes wrong roundtrip and edns
5560 observation to be noted in cache. Fix bug where EDNSprobe halted
5561 exponential backoff if EDNS status unknown.
5562 - new unresponsive host method, exponentially increasing block backoff.
5563 - iana portlist updated.
5565 20 October 2010: Wouter
5566 - interface automatic works for some people with ip6 disabled.
5567 Therefore the error check is removed, so they can use the option.
5569 19 October 2010: Wouter
5570 - Fix for request list growth, if a server has long timeout but the
5571 lost counter is low, then its effective rtt is the one without
5572 exponential backoff applied. Because the backoff is not working.
5573 The lost counter can then increase and the server is blacklisted,
5574 or the lost counter does not increase and the server is working
5577 18 October 2010: Wouter
5578 - iana portlist updated.
5580 13 October 2010: Wouter
5581 - Fix TCP so it uses a random outgoing-interface.
5582 - unbound-anchor handles ADDPEND keystate.
5584 11 October 2010: Wouter
5585 - Fix bug when DLV below a trust-anchor that uses NSEC3 optout where
5586 the zone has a secure delegation hosted on the same server did not
5587 verify as secure (it was insecure by mistake).
5588 - iana portlist updated.
5589 - ldns tarball updated (for reading cachedumps with bad RR data).
5591 1 October 2010: Wouter
5592 - test for unbound-anchor. fix for reading certs.
5593 - Fix alloc_reg_release for longer uptime in out of memory conditions.
5595 28 September 2010: Wouter
5596 - unbound-anchor working, it creates or updates a root.key file.
5597 Use it before you start the validator (e.g. at system boot time).
5599 27 September 2010: Wouter
5600 - iana portlist updated.
5602 24 September 2010: Wouter
5603 - bug#329: in example.conf show correct ipv4 link-local 169.254/16.
5605 23 September 2010: Wouter
5606 - unbound-anchor app, unbound requires libexpat (xml parser library).
5608 22 September 2010: Wouter
5609 - compliance with draft-ietf-dnsop-default-local-zones-14, removed
5610 reverse ipv6 orchid prefix from builtin list.
5611 - iana portlist updated.
5613 17 September 2010: Wouter
5614 - DLV has downgrade protection again, because the RFC says so.
5615 - iana portlist updated.
5617 16 September 2010: Wouter
5618 - Algorithm rollover operational reality intrudes, for trust-anchor,
5619 5011-store, and DLV-anchor if one key matches it's good enough.
5620 - iana portlist updated.
5621 - Fix reported validation error in out of memory condition.
5623 15 September 2010: Wouter
5624 - Abide RFC5155 section 9.2: no AD flag for replies with NSEC3 optout.
5626 14 September 2010: Wouter
5627 - increased mesh-max-activation from 1000 to 3000 for crazy domains
5628 like _tcp.slb.com with 262 servers.
5629 - iana portlist updated.
5631 13 September 2010: Wouter
5632 - bug#327: Fix for cannot access stub zones until the root is primed.
5634 9 September 2010: Wouter
5635 - unresponsive servers are not completely blacklisted (because of
5636 firewalls), but also not probed all the time (because of the request
5637 list size it generates). The probe rate is 1%.
5638 - iana portlist updated.
5640 20 August 2010: Wouter
5641 - openbsd-lint fixes: acl_list_get_mem used if debug-alloc enabled.
5642 iterator get_mem includes priv_get_mem. delegpt nodup removed.
5643 listen_pushback, query_info_allocqname, write_socket, send_packet,
5644 comm_point_set_cb_arg and listen_resume removed.
5646 19 August 2010: Wouter
5647 - Fix bug#321: resolution of rs.ripe.net artifacts with 0x20.
5648 Delegpt structures checked for duplicates always.
5649 No more nameserver lookups generated when depth is full anyway.
5650 - example.conf notes how to do DNSSEC validation and track the root.
5651 - iana portlist updated.
5653 18 August 2010: Wouter
5654 - Fix bug#322: configure does not respect CFLAGS on Solaris.
5655 Pass CFLAGS="-xO4 -xtarget=generic" on the configure command line
5656 if use sun-cc, but some systems need different flags.
5658 16 August 2010: Wouter
5659 - Fix acx_nlnetlabs.m4 configure output for autoconf-2.66 AS_TR_CPP
5660 changes, uses m4_bpatsubst now.
5661 - make test (or make check) should be more portable and run the unit
5662 test and testbound scripts. (make longtest has special requirements).
5664 13 August 2010: Wouter
5665 - More pleasant remote control command parsing.
5666 - documentation added for return values reported by doxygen 1.7.1.
5667 - iana portlist updated.
5669 9 August 2010: Wouter
5670 - Fix name of rrset printed that failed validation.
5672 5 August 2010: Wouter
5673 - Return NXDOMAIN after chain of CNAMEs ends at name-not-found.
5675 4 August 2010: Wouter
5676 - Fix validation in case a trust anchor enters into a zone with
5677 unsupported algorithms.
5679 3 August 2010: Wouter
5680 - updated ldns tarball with bugfixes.
5681 - release tag 1.4.6.
5682 - trunk becomes 1.4.7 develop.
5683 - iana portlist updated.
5685 22 July 2010: Wouter
5686 - more error details on failed remote control connection.
5688 15 July 2010: Wouter
5689 - rlimit adjustments for select and ulimit can happen at the same time.
5691 14 July 2010: Wouter
5692 - Donation text added to README.
5693 - Fix integer underflow in prefetch ttl creation from cache. This
5694 fixes a potential negative prefetch ttl.
5696 12 July 2010: Wouter
5697 - Changed the defaults for num-queries-per-thread/outgoing-range.
5698 For builtin-select: 512/960, for libevent 1024/4096 and for
5699 windows 24/48 (because of win api). This makes the ratio this way
5700 to improve resilience under heavy load. For high performance, use
5701 libevent and possibly higher numbers.
5703 10 July 2010: Wouter
5704 - GOST enabled if SSL is recent and ldns has GOST enabled too.
5705 - ldns tarball updated.
5708 - iana portlist updated.
5709 - Fix validation of qtype DNSKEY when a key-cache entry exists but
5710 no rr-cache entry is used (it expired or prefetch), it then goes
5711 back up to the DS or trust-anchor to validate the DNSKEY.
5714 - Neat function prototypes, unshadowed local declarations.
5717 - failure to chown the pidfile is not fatal any more.
5718 - testbound uses UTC timezone.
5719 - ldns tarball updated (ports and works on Minix 3.1.7). On Minix, add
5720 /usr/gnu/bin to PATH, use ./configure AR=/usr/gnu/bin/gar and gmake.
5723 - log if a server is skipped because it is on the donotquery list,
5724 at verbosity 4, to enable diagnosis why no queries to 127.0.0.1.
5725 - added feature to print configure date, target and options with -h.
5726 - added feature to print event backend system details with -h.
5727 - wdiff is not actually required by make test, updated requirements.
5730 - Fix RFC4035 compliance with 2.2 statement that the DNSKEY at apex
5731 must be signed with all algorithms from the DS rrset at the parent.
5732 This is now checked and becomes bogus if not.
5734 28 June 2010: Wouter
5735 - Fix jostle list bug found by Vince (luoce@cnnic), it caused the qps
5736 in overload situations to be about 5 qps for the class of shortly
5738 The capacity of the resolver is then about (numqueriesperthread / 2)
5739 / (average time for such long queries) qps for long queries.
5740 And about (numqueriesperthread / 2)/(jostletimeout in whole seconds)
5741 qps for short queries, per thread.
5742 - Fix the max number of reply-address count to be applied for duplicate
5743 queries, and not for new query list entries. This raises the memory
5744 usage to a max of (16+1)*numqueriesperthread reply addresses.
5746 25 June 2010: Wouter
5747 - Fix handling of corner case reply from lame server, follows rfc2308.
5748 It could lead to a nodata reply getting into the cache if the search
5749 for a non-lame server turned up other misconfigured servers.
5750 - unbound.h has extern "C" statement for easier include in c++.
5752 23 June 2010: Wouter
5753 - iana portlist updated.
5754 - makedist upgraded cross compile openssl option, like this:
5755 ./makedist.sh -s -wssl openssl-1.0.0a.tar.gz -w --enable-gost
5757 22 June 2010: Wouter
5758 - Unbound reports libev or libevent correctly in logs in verbose mode.
5759 - Fix to unload gost dynamic library module for leak testing.
5761 18 June 2010: Wouter
5762 - iana portlist updated.
5764 17 June 2010: Wouter
5765 - Add AAAA to root hints for I.ROOT-SERVERS.NET.
5767 16 June 2010: Wouter
5768 - Fix assertion failure reported by Kai Storbeck from XS4ALL, the
5769 assertion was wrong.
5770 - updated ldns tarball.
5772 15 June 2010: Wouter
5773 - tag 1.4.5 created.
5774 - trunk contains 1.4.6 in development.
5775 - Fix TCPreply on systems with no writev, if just 1 byte could be sent.
5776 - Fix to use one pointer less for iterator query state store_parent_NS.
5777 - makedist crosscompile to windows uses builtin ldns not host ldns.
5778 - Max referral count from 30 to 130, because 128 one character domains
5780 - added documentation for the histogram printout to syslog.
5782 11 June 2010: Wouter
5783 - When retry to parent the retrycount is not wiped, so failed
5784 nameservers are not tried again.
5785 - iana portlist updated.
5787 10 June 2010: Wouter
5788 - Fix bug where a long loop could be entered, now cycle detection
5789 has a loop-counter and maximum search amount.
5792 - iana portlist updated.
5793 - 1.4.5rc1 tag created.
5796 - ldns tarball updated, 1.6.5.
5797 - review comments, split dependency cycle tracking for parentside
5798 last resort lookups for A and AAAA so there are more lookup options.
5801 - Fix compile warning if compiled without threads.
5802 - updated ldns-tarball with current ldns svn (pre 1.6.5).
5803 - GOST disabled-by-default, the algorithm number is allocated but the
5804 RFC is still has to pass AUTH48 at the IETF.
5807 - Ignore Z flag in incoming messages too.
5808 - Fix storage of negative parent glue if that last resort fails.
5809 - libtoolize 2.2.6b, autoconf 2.65 applied to configure.
5810 - new splint flags for newer splint install.
5813 - Fix AD flag handling, it could in some cases mistakenly copy the AD
5814 flag from upstream servers.
5815 - alloc_special_obtain out of memory is not a fatal error any more,
5816 enabling unbound to continue longer in out of memory conditions.
5817 - parentside names are dispreferred but not said to be dnssec-lame.
5818 - parentside check for cached newname glue.
5819 - fix parentside and querytargets modulestate, for dump_requestlist.
5820 - unbound-control-setup makes keys -rw-r--- so not all users permitted.
5821 - fix parentside from cache to be marked dispreferred for bad names.
5824 - iana portlist updated.
5825 - parent-child disagreement approach altered. Older fixes are
5826 removed in place of a more exhaustive search for misconfigured data
5827 available via the parent of a delegation.
5828 This is designed to be throttled by cache entries, with TTL from the
5829 parent if possible. Additionally the loop-counter is used.
5830 It also tests for NS RRset differences between parent and child.
5831 The fetch of misconfigured data should be more reliable and thorough.
5832 It should work reliably even with no or only partial data in cache.
5833 Data received from the child (as always) is deemed more
5834 authoritative than information received from the delegation parent.
5835 The search for misconfigured data is not performed normally.
5838 - Contribution from Migiel de Vos (Surfnet): nagios patch for
5839 unbound-host, in contrib/ (in the source tarball). Makes
5840 unbound-host suitable for monitoring dnssec(-chain) status.
5843 - EDNS timeout code will not fire if EDNS status already known.
5844 - EDNS failure not stored if EDNS status known to work.
5847 - Fix resolution for domains like safesvc.com.cn. If the iterator
5848 can not recurse further and it finds the delegation in a state
5849 where it would otherwise have rejected it outhand if so received
5850 from a cache lookup, then it can try to ask higherup (with loop
5852 - Fix comments in iter_utils:dp_is_useless.
5855 - Fix various compiler warnings from the clang llvm compiler.
5856 - iana portlist updated.
5859 - Fix bug#308: spelling error in variable name in parser and lexer.
5862 - Fix dnssec-missing detection that was turned off by server selection.
5863 - Conforms to draft-ietf-dnsop-default-local-zones-13. Added default
5864 reverse lookup blocks for IPv4 test nets 100.51.198.in-addr.arpa,
5865 113.0.203.in-addr.arpa and Orchid prefix 0.1.1.0.0.2.ip6.arpa.
5867 29 April 2010: Wouter
5868 - Fix for dnssec lameness detection to use the key cache.
5869 - infra cache entries that are expired are wiped clean. Previously
5870 it was possible to not expire host data (if accessed often).
5872 28 April 2010: Wouter
5873 - ldns tarball updated and GOST support is detected and then enabled.
5874 - iana portlist updated.
5875 - Fix detection of gost support in ldns (reported by Chris Smith).
5877 27 April 2010: Wouter
5878 - unbound-control get_option domain-insecure shows config file items.
5879 - fix retry sequence if prime hints are recursion-lame.
5880 - autotrust anchor file can be initialized with a ZSK key as well.
5881 - harden-referral-path does not result in failures due to max-depth.
5882 You can increase the max-depth by adding numbers (' 0') after the
5883 target-fetch-policy, this increases the depth to which is checked.
5885 26 April 2010: Wouter
5886 - Compile fix using Sun Studio 12 compiler on Solaris 5.9, use
5887 CPPFLAGS during configure process.
5888 - if libev is installed on the base system (not libevent), detect
5889 it from the event.h header file and link with -lev.
5890 - configlexer.lex gets config.h, and configyyrename.h added by make,
5891 no more double include.
5892 - More strict scrubber (Thanks to George Barwood for the idea):
5893 NS set must be pertinent to the query (qname subdomain nsname).
5894 - Fix bug#307: In 0x20 backoff fix fallback so the number of
5895 outstanding queries does not become -1 and block the request.
5896 Fixed handling of recursion-lame in combination with 0x20 fallback.
5897 Fix so RRsets are compared canonicalized and sorted if the immediate
5898 comparison fails, this makes it work around round-robin sites.
5900 23 April 2010: Wouter
5901 - Squelch log message: sendto failed permission denied for
5902 255.255.255.255, it is visible in VERB_DETAIL (verbosity 2).
5903 - Fix to fetch data as last resort more tenaciously. When cycle
5904 targets cause the server selection to believe there are more options
5905 when they really are not there, the server selection is reinitiated.
5906 - Fix fetch from blacklisted dnssec lame servers as last resort. The
5907 server's IP address is then given in validator errors as well.
5908 - Fix local-zone type redirect that did not use the query name for
5911 22 April 2010: Wouter
5913 - trunk contains 1.4.5 in development.
5914 - Fix validation failure for qtype ANY caused by a RRSIG parse failure.
5915 The validator error message was 'no signatures from ...'.
5917 16 April 2010: Wouter
5918 - more portability defines for CMSG_SPACE, CMSG_ALIGN, CMSG_LEN.
5921 15 April 2010: Wouter
5922 - ECC-GOST algorithm number 12 that is assigned by IANA. New test
5923 example key and signatures for GOST. GOST requires openssl-1.0.0.
5924 GOST is still disabled by default.
5926 9 April 2010: Wouter
5927 - Fix bug#305: pkt_dname_tolower could read beyond end of buffer or
5928 get into an endless loop, if 0x20 was enabled, and buffers are small
5929 or particular broken packets are received.
5930 - Fix chain of trust with CNAME at an intermediate step, for the DS
5933 8 April 2010: Wouter
5934 - Fix validation of queries with wildcard names (*.example).
5936 6 April 2010: Wouter
5937 - Fix EDNS probe for .de DNSSEC testbed failure, where the infra
5938 cache timeout coincided with a server update, the current EDNS
5939 backoff is less sensitive, and does not cache the backoff unless
5940 the backoff actually works and the domain is not expecting DNSSEC.
5941 - GOST support with correct algorithm numbers.
5943 1 April 2010: Wouter
5944 - iana portlist updated.
5946 24 March 2010: Wouter
5947 - unbound control flushed items are not counted when flushed again.
5949 23 March 2010: Wouter
5950 - iana portlist updated.
5952 22 March 2010: Wouter
5953 - unbound-host disables use-syslog from config file so that the
5954 config file for the main server can be used more easily.
5955 - fix bug#301: unbound-checkconf could not parse interface
5956 '0.0.0.0@5353', even though unbound itself worked fine.
5958 19 March 2010: Wouter
5959 - fix fwd_ancil test to pass if the socket options are not supported.
5961 18 March 2010: Wouter
5962 - Fixed random numbers for port, interface and server selection.
5963 Removed very small bias.
5964 - Refer to the listing in unbound-control man page in the extended
5965 statistics entry in the unbound.conf man page.
5967 16 March 2010: Wouter
5968 - Fix interface-automatic for OpenBSD: msg.controllen was too small,
5969 also assertions on ancillary data buffer.
5970 - check for IP_SENDSRCADDR for interface-automatic or IP_PKTINFO.
5971 - for NSEC3 check if signatures are cached.
5973 15 March 2010: Wouter
5974 - unit test for util/regional.c.
5976 12 March 2010: Wouter
5977 - Reordered configure checks so fork and -lnsl -lsocket checks are
5978 earlier, and thus later checks benefit from and do not hinder them.
5979 - iana portlist updated.
5980 - ldns tarball updated.
5981 - Fix python use when multithreaded.
5982 - Fix solaris python compile.
5983 - Include less in config.h and include per code file for ldns, ssl.
5985 11 March 2010: Wouter
5986 - another memory allocation option: --enable-alloc-nonregional.
5987 exposes the regional allocations to other memory purifiers.
5988 - fix for memory alignment in struct sock_list allocation.
5989 - Fix for MacPorts ldns without ssl default, unbound checks if ldns
5990 has dnssec functionality and uses the builtin if not.
5991 - Fix daemonize on Solaris 10, it did not detach from terminal.
5992 - tag 1.4.3 created.
5993 - trunk is 1.4.4 in development.
5994 - spelling fix in validation error involving cnames.
5996 10 March 2010: Wouter
5997 - --enable-alloc-lite works with test set.
5998 - portability in the testset: printf format conversions, prototypes.
6000 9 March 2010: Wouter
6001 - tag 1.4.2 created.
6002 - trunk is 1.4.3 in development.
6003 - --enable-alloc-lite debug option.
6005 8 March 2010: Wouter
6006 - iana portlist updated.
6008 4 March 2010: Wouter
6009 - Fix crash in control channel code.
6011 3 March 2010: Wouter
6012 - better casts in pipe code, brackets placed wrongly.
6013 - iana portlist updated.
6015 1 March 2010: Wouter
6016 - make install depends on make all.
6017 - Fix 5011 auto-trust-anchor-file initial read to skip RRSIGs.
6018 - --enable-checking: enables assertions but does not look nonproduction.
6019 - nicer VERB_DETAIL (verbosity 2, unbound-host -d) output, with
6020 nxdomain and nodata distinguished.
6021 - ldns tarball updated.
6022 - --disable-rpath fixed for libtool not found errors.
6023 - new fedora specfile from Fedora13 in contrib from Paul Wouters.
6025 26 February 2010: Wouter
6026 - Fixup prototype for lexer cleanup in daemon code.
6027 - unbound-control list_stubs, list_forwards, list_local_zones and
6030 24 February 2010: Wouter
6031 - Fix scrubber bug that potentially let NS records through. Reported
6033 - Also delete potential poison references from additional.
6034 - Fix: no classification of a forwarder as lame, throw away instead.
6036 23 February 2010: Wouter
6037 - libunbound ub_ctx_get_option() added.
6038 - unbound-control set_option and get_option commands.
6039 - iana portlist updated.
6041 18 February 2010: Wouter
6042 - A little more strict DS scrubbing.
6043 - No more blacklisting of unresponsive servers, a 2 minute timeout
6045 - RD flag not enabled for dnssec-blacklisted tries, unless necessary.
6046 - pickup ldns compile fix, libdl for libcrypto.
6047 - log 'tcp connect: connection timed out' only in high verbosity.
6048 - unbound-control log_reopen command.
6049 - moved get_option code from unbound-checkconf to util/config_file.c
6051 17 February 2010: Wouter
6052 - Disregard DNSKEY from authority section for chain of trust.
6053 DS records that are irrelevant to a referral scrubbed. Anti-poison.
6054 - iana portlist updated.
6056 16 February 2010: Wouter
6057 - Check for 'no space left on device' (or other errors) when
6058 writing updated autotrust anchors and print errno to log.
6060 15 February 2010: Wouter
6061 - Fixed the requery protection, the TTL was 0, it is now 900 seconds,
6062 hardcoded. We made the choice to send out more conservatively,
6063 protecting against an aggregate effect more than protecting a
6064 single user (from their own folly, perhaps in case of misconfig).
6066 12 February 2010: Wouter
6067 - Re-query pattern changed on validation failure. To protect troubled
6068 authority servers, unbound caches a failure for the DNSKEY or DS
6069 records for the entire zone, and only retries that 900 seconds later.
6070 This implies that only a handful of packets are sent extra to the
6071 authority if the zone fails.
6073 11 February 2010: Wouter
6074 - ldns tarball update for long label length syntax error fix.
6075 - iana portlist updated.
6077 9 February 2010: Wouter
6078 - Fixup in compat snprintf routine, %f 1.02 and %g support.
6079 - include math.h for testbound test compile portability.
6081 2 February 2010: Wouter
6082 - Updated url of IANA itar, interim trust anchor repository, in script.
6084 1 February 2010: Wouter
6085 - iana portlist updated.
6086 - configure test for memcmp portability.
6088 27 January 2010: Wouter
6089 - removed warning on format string in validator error log statement.
6090 - iana portlist updated.
6092 22 January 2010: Wouter
6093 - libtool finish the install of unbound python dynamic library.
6095 21 January 2010: Wouter
6096 - acx_nlnetlabs.m4 synchronised with nsd's version.
6098 20 January 2010: Wouter
6099 - Fixup lookup trouble for parent-child domains on the first query.
6101 14 January 2010: Wouter
6102 - Fixup ldns detection to also check for header files.
6104 13 January 2010: Wouter
6105 - prefetch-key option that performs DNSKEY queries earlier in the
6106 validation process, and that could halve the latency on DNSSEC
6107 queries. It takes some extra processing (CPU, a cache is needed).
6109 12 January 2010: Wouter
6110 - Fix unbound-checkconf for auto-trust-anchor-file present checks.
6112 8 January 2010: Wouter
6113 - Fix for parent-child disagreement code which could have trouble
6114 when (a) ipv6 was disabled and (b) the TTL for parent and child
6115 were different. There were two bugs, the parent-side information
6116 is fixed to no longer block lookup of child side information and
6117 the iterator is fixed to no longer attempt to get ipv6 when it is
6118 not enabled and then give up in failure.
6119 - test and fixes to make prefetch actually store the answer in the
6120 cache. Considers some rrsets 'already expired' but does not allow
6121 overwriting of rrsets considered more secure.
6123 7 January 2010: Wouter
6124 - Fixup python documentation (thanks Leo Vandewoestijne).
6125 - Work on cache prefetch feature.
6126 - Stats for prefetch, in log print stats, unbound-control stats
6127 and in unbound_munin plugin.
6129 6 January 2010: Wouter
6130 - iana portlist updated.
6131 - bug#291: DNS wireformat max is 255. dname_valid allowed 256 length.
6132 - verbose output includes parent-side-address notion for lameness.
6133 - documented val-log-level: 2 setting in example.conf and man page.
6134 - change unbound-control-setup from 1024(sha1) to 1536(sha256).
6136 1 January 2010: Wouter
6137 - iana portlist updated.
6139 22 December 2009: Wouter
6140 - configure with newer libtool 2.2.6b.
6142 17 December 2009: Wouter
6145 - trunk to version 1.4.2.
6147 15 December 2009: Wouter
6148 - Answer to qclass=ANY queries, with class IN contents.
6149 Test that validation also works.
6150 - updated ldns snapshot tarball with latest fixes (parsing records).
6152 11 December 2009: Wouter
6153 - on IPv4 UDP turn off DF flag.
6155 10 December 2009: Wouter
6156 - requirements.txt updated with design choice explanations.
6157 - Reading fixes: fix to set unlame when child confirms parent glue,
6158 and fix to avoid duplicate addresses in delegation point.
6159 - verify_rrsig routine checks expiration last.
6161 9 December 2009: Wouter
6162 - Fix Bug#287(reopened): update of ldns tarball with fix for parse
6163 errors generated for domain names like '.example.com'.
6164 - Fix SOA excluded from negative DS responses. Reported by Hauke
6165 Lampe. The negative cache did not include proper SOA records for
6166 negative qtype DS responses which makes BIND barf on it, such
6167 responses are now only used internally.
6168 - Fix negative cache lookup of closestencloser check of DS type bit.
6170 8 December 2009: Wouter
6171 - Fix for lookup of parent-child disagreement domains, where the
6172 parent-side glue works but it does not provide proper NS, A or AAAA
6173 for itself, fixing domains such as motorcaravanners.eu.
6174 - Feature: you can specify a port number in the interface: line, so
6175 you can bind the same interface multiple times at different ports.
6177 7 December 2009: Wouter
6178 - Bug#287: Fix segfault when unbound-control remove nonexistent local
6179 data. Added check to tests.
6181 1 December 2009: Wouter
6182 - Fix crash with module-config "iterator".
6183 - Added unit test that has "iterator" module-config.
6185 30 November 2009: Wouter
6186 - bug#284: fix parse of # without end-of-line at end-of-file.
6188 26 November 2009: Wouter
6189 - updated ldns with release candidate for version 1.6.3.
6190 - tag for 1.4.0 release.
6191 - 1.4.1 version in trunk.
6192 - Fixup major libtool version to 2 because of why_bogus change.
6193 It was 1:5:0 but should have been 2:0:0.
6195 23 November 2009: Wouter
6196 - Patch from David Hubbard for libunbound manual page.
6197 - Fixup endless spinning in unbound-control stats reported by
6198 Attila Nagy. Probably caused by clock reversal.
6200 20 November 2009: Wouter
6201 - contrib/split-itar.sh contributed by Tom Hendrikx.
6203 19 November 2009: Wouter
6204 - better argument help for unbound-control.
6205 - iana portlist updated.
6207 17 November 2009: Wouter
6208 - noted multiple entries for multiple domain names in example.conf.
6209 - iana portlist updated.
6211 16 November 2009: Wouter
6212 - Fixed signer detection of CNAME responses without signatures.
6213 - Fix#282 libunbound memleak on error condition by Eric Sesterhenn.
6214 - Tests for CNAMEs to deeper trust anchors, secure and bogus.
6215 - svn tag 1.4.0rc1 made.
6217 13 November 2009: Wouter
6218 - Fixed validation failure for CNAME to optout NSEC3 nodata answer.
6219 - unbound-host does not fail on type ANY.
6220 - Fixed wireparse failure to put RRSIGs together with data in some
6221 long ANY mix cases, which fixes validation failures.
6223 12 November 2009: Wouter
6224 - iana portlist updated.
6225 - fix manpage errors reported by debian lintian.
6227 - fixup very long vallog2 level error strings.
6229 11 November 2009: Wouter
6230 - ldns tarball updated (to 1.6.2).
6233 10 November 2009: Wouter
6234 - Thanks to Surfnet found bug in new dnssec-retry code that failed
6235 to combine well when combined with DLV and a particular failure.
6236 - Fixed unbound-control -h output about argument optionality.
6239 5 November 2009: Wouter
6240 - lint fixes and portability tests.
6241 - better error text for multiple domain keys in one autotrust file.
6243 2 November 2009: Wouter
6244 - Fix bug where autotrust does not work when started with a DS.
6245 - Updated GOST unit tests for unofficial algorithm number 249
6246 and DNSKEY-format changes in draft version -01.
6248 29 October 2009: Wouter
6249 - iana portlist updated.
6250 - edns-buffer-size option, default 4096.
6253 28 October 2009: Wouter
6254 - removed abort on prealloc failure, error still printed but softfail.
6255 - iana portlist updated.
6256 - RFC 5702: RSASHA256 and RSASHA512 support enabled by default.
6257 - ldns tarball updated (which also enables rsasha256 support).
6259 27 October 2009: Wouter
6260 - iana portlist updated.
6262 8 October 2009: Wouter
6264 - add val-log-level print to corner case (nameserver.epost.bg).
6265 - more detail to errors from insecure delegation checks.
6266 - Fix double time subtraction in negative cache reported by
6267 Amanda Constant and Hugh Mahon.
6268 - Made new validator error string available from libunbound for
6269 applications. It is in result->why_bogus, a zero-terminated string.
6270 unbound-host prints it by default if a result is bogus.
6271 Also the errinf is public in module_qstate (for other modules).
6273 7 October 2009: Wouter
6274 - retry for validation failure in DS and prime results. Less mem use.
6275 unit test. Provisioning in other tests for requeries.
6276 - retry for validation failure in DNSKEY in middle of chain of trust.
6278 - retry for empty non terminals in chain of trust and unit test.
6279 - Fixed security bug where the signatures for NSEC3 records were not
6280 checked when checking for absence of DS records. This could have
6281 enabled the substitution of an insecure delegation.
6282 - moved version number to 1.4.0 because of 1.3.4 release with only
6283 the NSEC3 patch from the entry above.
6284 - val-log-level: 2 shows extended error information for validation
6285 failures, but still one (longish) line per failure. For example:
6286 validation failure <example.com. DNSKEY IN>: signature expired from
6287 192.0.2.4 for trust anchor example.com. while building chain of trust
6288 validation failure <www.example.com. A IN>: no signatures from
6289 192.0.2.6 for key example.com. while building chain of trust
6291 6 October 2009: Wouter
6292 - Test set updated to provide additional ns lookup result.
6293 The retry would attempt to fetch the data from other nameservers
6294 for bogus data, and this needed to be provisioned in the tests.
6296 5 October 2009: Wouter
6297 - first validation failure retry code. Retries for data failures.
6300 2 October 2009: Wouter
6301 - improve 5011 modularization.
6302 - fix unbound-host so -d can be given before -C.
6303 - iana portlist updated.
6305 28 September 2009: Wouter
6306 - autotrust-anchor-file can read multiline input and $ORIGIN.
6307 - prevent integer overflow in holddown calculation. review fixes.
6308 - fixed race condition in trust point revocation. review fix.
6309 - review fixes to comments, removed unused code.
6311 25 September 2009: Wouter
6312 - so-rcvbuf: 4m option added. Set this on large busy servers to not
6313 drop the occasional packet in spikes due to full socket buffers.
6314 netstat -su keeps a counter of UDP dropped due to full buffers.
6315 - review of validator/autotrust.c, small fixes and comments.
6317 23 September 2009: Wouter
6318 - 5011 query failed counts verification failures, not lookup failures.
6319 - 5011 probe failure handling fixup.
6320 - test unbound reading of original autotrust data.
6321 The metadata per-key, such as key state (PENDING, MISSING, VALID) is
6322 picked up, otherwise performs initial probe like usual.
6324 22 September 2009: Wouter
6325 - autotrust test with algorithm rollover, new ordering of checks
6326 assists in orderly rollover.
6327 - autotrust test with algorithm rollover to unknown algorithm.
6328 checks if new keys are supported before adding them.
6329 - autotrust test with trust point revocation, becomes unsigned.
6330 - fix DNSSEC-missing-signature detection for minimal responses
6331 for qtype DNSKEY (assumes DNSKEY occurs at zone apex).
6333 18 September 2009: Wouter
6334 - autotrust tests, fix trustpoint timer deletion code.
6335 fix count of valid anchors during missing remove.
6336 - autotrust: pick up REVOKE even if not signed with known other keys.
6338 17 September 2009: Wouter
6339 - fix compile of unbound-host when --enable-alloc-checks.
6340 - Fix lookup problem reported by Koh-ichi Ito and Jaap Akkerhuis.
6341 - Manual page fixes reported by Tony Finch.
6343 16 September 2009: Wouter
6344 - Fix memory leak reported by Tao Ma.
6345 - Fix memstats test tool for log-time-ascii log format.
6347 15 September 2009: Wouter
6348 - iana portlist updated.
6350 10 September 2009: Wouter
6351 - increased MAXSYSLOGLEN so .bg key can be printed in debug output.
6352 - use linebuffering for log-file: output, this can be significantly
6353 faster than the previous fflush method and enable some class of
6354 resolvers to use high verbosity (for short periods).
6355 Not on windows, because line buffering does not work there.
6357 9 September 2009: Wouter
6358 - Fix bug where DNSSEC-bogus messages were marked with too high TTL.
6359 The RRsets would still expire at the normal time, but this would
6360 keep messages bogus in the cache for too long.
6361 - regression test for that bug.
6362 - documented that load_cache is meant for debugging.
6364 8 September 2009: Wouter
6365 - fixup printing errors when load_cache, they were printed to the
6366 SSL connection which broke, now to the log.
6367 - new ldns - with fixed parse of large SOA values.
6369 7 September 2009: Wouter
6370 - autotrust testbound scenarios.
6371 - autotrust fix that failure count is written to file.
6372 - autotrust fix that keys may become valid after add holddown time
6373 alone, before the probe returns.
6375 4 September 2009: Wouter
6376 - Changes to make unbound work with libevent-2.0.3 alpha. (in
6377 configure detection due to new ssl dependency in libevent)
6378 - do not call sphinx for documentation when python is disabled.
6379 - remove EV_PERSIST from libevent timeout code to make the code
6380 compatible with the libevent-2.0. Works with older libevent too.
6381 - fix memory leak in python code.
6383 3 September 2009: Wouter
6384 - Got a patch from Luca Bruno for libunbound support on windows to
6385 pick up the system resolvconf nameservers and hosts there.
6386 - included ldns updated (enum warning fixed).
6387 - makefile fix for parallel makes.
6388 - Patch from Zdenek Vasicek and Attila Nagy for using the source IP
6389 from python scripts. See pythonmod/examples/resip.py.
6390 - doxygen comment fixes.
6392 2 September 2009: Wouter
6393 - TRAFFIC keyword for testbound. Simplifies test generation.
6394 ${range lower val upper} to check probe timeout values.
6395 - test with 5011-prepublish rollover and revocation.
6396 - fix revocation of RR for autotrust, stray exclamation mark.
6398 1 September 2009: Wouter
6399 - testbound variable arithmetic.
6400 - autotrust probe time is randomised.
6401 - autotrust: the probe is active and does not fetch from cache.
6403 31 August 2009: Wouter
6404 - testbound variable processing.
6406 28 August 2009: Wouter
6407 - fixup unbound-control lookup to print forward and stub servers.
6409 27 August 2009: Wouter
6410 - autotrust: mesh answer callback is empty.
6412 26 August 2009: Wouter
6413 - autotrust probing.
6414 - iana portlist updated.
6416 25 August 2009: Wouter
6417 - fixup memleak in trust anchor unsupported algorithm check.
6418 - iana portlist updated.
6419 - autotrust options: add-holddown, del-holddown, keep-missing.
6420 - autotrust store revoked status of trust points.
6421 - ctime_r compat definition.
6422 - detect yylex_destroy() in configure.
6423 - detect SSL_get_compression_methods declaration in configure.
6424 - fixup DS lookup at anchor point with unsigned parent.
6425 - fixup DLV lookup for DS queries to unsigned domains.
6427 24 August 2009: Wouter
6428 - cleaner memory allocation on exit. autotrust test routines.
6429 - free all memory on program exit, fix for ssl and flex.
6431 21 August 2009: Wouter
6432 - autotrust: debug routines. Read,write and conversions work.
6434 20 August 2009: Wouter
6435 - autotrust: save and read trustpoint variables.
6437 19 August 2009: Wouter
6438 - autotrust: state table updates.
6439 - iana portlist updated.
6441 17 August 2009: Wouter
6442 - autotrust: process events.
6444 17 August 2009: Wouter
6445 - Fix so that servers are only blacklisted if they fail to reply
6446 to 16 queries in a row and the timeout gets above 2 minutes.
6447 - autotrust work, split up DS verification of DNSKEYs.
6449 14 August 2009: Wouter
6450 - unbound-control lookup prints out infra cache information, like RTT.
6451 - Fix bug in DLV lookup reported by Amanda from Secure64.
6452 It could sometimes wrongly classify a domain as unsigned, which
6453 does not give the AD bit on replies.
6455 13 August 2009: Wouter
6456 - autotrust read anchor files. locked trust anchors.
6458 12 August 2009: Wouter
6459 - autotrust import work.
6461 11 August 2009: Wouter
6462 - Check for openssl compatible with gost if enabled.
6463 - updated unit test for GOST=211 code.
6464 Nicer naming of test files.
6465 - iana portlist updated.
6467 7 August 2009: Wouter
6468 - call OPENSSL_config() in unbound and unit test so that the
6469 operator can use openssl.cnf for configuration options.
6470 - removed small memory leak from config file reader.
6472 6 August 2009: Wouter
6473 - configure --enable-gost for GOST support, experimental
6474 implementation of draft-dolmatov-dnsext-dnssec-gost-01.
6475 - iana portlist updated.
6476 - ldns tarball updated (with GOST support).
6478 5 August 2009: Wouter
6479 - trunk moved to 1.3.4.
6481 4 August 2009: Wouter
6482 - Added test that the examples from draft rsasha256-14 verify.
6483 - iana portlist updated.
6486 3 August 2009: Wouter
6487 - nicer warning when algorithm not supported, tells you to upgrade.
6488 - iana portlist updated.
6490 27 July 2009: Wouter
6491 - Updated unbound-cacti contribution from Dmitriy Demidov, with
6492 the queue statistics displayed in its own graph.
6493 - iana portlist updated.
6495 22 July 2009: Wouter
6496 - Fix bug found by Michael Tokarev where unbound would try to
6497 prime the root servers even though forwarders are configured for
6501 21 July 2009: Wouter
6502 - Fix server selection, so that it waits for open target queries when
6503 faced with lameness.
6505 20 July 2009: Wouter
6506 - Ignore transient sendto errors, no route to host, and host, net down.
6507 - contrib/update-anchor.sh has -r option for root-hints.
6508 - feature val-log-level: 1 prints validation failures so you can
6509 keep track of them during dnssec deployment.
6511 16 July 2009: Wouter
6512 - fix replacement malloc code. Used in crosscompile.
6513 - makedist -w creates crosscompiled setup.exe on fedora11.
6515 15 July 2009: Wouter
6516 - dependencies for compat items, for crosscompile.
6517 - mingw32 crosscompile changes, dependencies and zipfile creation.
6518 and with System.dll from the windows NSIS you can make setup.exe.
6519 - package libgcc_s_sjlj exception handler for NSISdl.dll.
6521 14 July 2009: Wouter
6522 - updated ldns tarball for solaris x64 compile assistance.
6523 - no need to define RAND_MAX from config.h.
6524 - iana portlist updated.
6525 - configure changes and ldns update for mingw32 crosscompile.
6527 13 July 2009: Wouter
6528 - Fix for crash at start on windows.
6529 - tag for release 1.3.2.
6530 - trunk has version 1.3.3.
6531 - Fix for ID bits on windows to use all 16. RAND_MAX was not
6532 defined like you'd expect on mingw. Reported by Mees de Roo.
6535 - tag for release 1.3.1.
6536 - trunk has version 1.3.2.
6539 - iana portlist updated.
6542 - prettier error handling in SSL setup.
6543 - makedist.sh uname fix (same as ldns).
6544 - updated fedora spec file.
6547 - fixup linking when ldnsdir is "".
6549 30 June 2009: Wouter
6550 - more lenient truncation checks.
6552 29 June 2009: Wouter
6553 - ldns trunk r2959 imported as tarball, because of solaris cc compile
6554 support for c99. r2960 for better configure.
6555 - better wrongly_truncated check.
6556 - On Linux, fragment IPv6 datagrams to the IPv6 minimum MTU, to
6557 avoid dropped packets at routers.
6559 26 June 2009: Wouter
6560 - Fix EDNS fallback when EDNS works for short answers but long answers
6563 22 June 2009: Wouter
6564 - fixup iter priv strict aliasing while preserving size of sockaddr.
6565 - iana portlist updated. (one less port allocated, one more fraction
6566 of a bit for security!)
6567 - updated fedora specfile in contrib from Paul Wouters.
6569 19 June 2009: Wouter
6570 - Fixup strict aliasing warning in iter priv code.
6571 and config_file code.
6572 - iana portlist updated.
6573 - harden-referral-path: handle cases where NS is in answer section.
6575 18 June 2009: Wouter
6576 - Fix of message parse bug where (specifically) an NSEC and RRSIG
6577 in the wrong order would be parsed, but put wrongly into internal
6578 structures so that later validation would fail.
6579 - Extreme lenience for wrongly truncated replies where a positive
6580 reply has an NS in the authority but no signatures. They are
6581 turned into minimal responses with only the (secure) answer.
6582 - autoconf 2.63 for configure.
6583 - python warnings suppress. Keep python API away from header files.
6585 17 June 2009: Wouter
6586 - CREDITS entry for cz.nic, sponsoring a 'summer of code' that was
6587 used for the python code in unbound. (http://www.nic.cz/vip/ in cz).
6589 16 June 2009: Wouter
6590 - Fixup opportunistic target query generation to it does not
6591 generate queries that are known to fail.
6592 - Touchup on munin total memory report.
6593 - messages picked out of the cache by the iterator are checked
6594 if their cname chain is still correct and if validation status
6595 has to be reexamined.
6597 15 June 2009: Wouter
6598 - iana portlist updated.
6600 14 June 2009: Wouter
6601 - Fixed bug where cached responses would lose their security
6602 status on second validation, which especially impacted dlv
6603 lookups. Reported by Hauke Lampe.
6605 13 June 2009: Wouter
6606 - bug #254. removed random whitespace from example.conf.
6608 12 June 2009: Wouter
6609 - Fixup potential wrong NSEC picked out of the cache.
6610 - If unfulfilled callbacks are deleted they are called with an error.
6611 - fptr wlist checks for mesh callbacks.
6612 - fwd above stub in configuration works.
6614 11 June 2009: Wouter
6615 - Fix queries for type DS when forward or stub zones are there.
6616 They are performed to higherup domains, and thus treated as if
6617 going to higher zones when looking up the right forward or stub
6618 server. This makes a stub pointing to a local server that has
6619 a local view of example.com signed with the same keys as are
6620 publicly used work. Reported by Johan Ihren.
6621 - Added build-unbound-localzone-from-hosts.pl to contrib, from
6622 Dennis DeDonatis. It converts /etc/hosts into config statements.
6623 - same thing fixed for forward-zone and DS, chain of trust from
6624 public internet into the forward-zone works now. Added unit test.
6627 - openssl key files are opened apache-style, when user is root and
6628 before chrooting. This makes permissions on remote-control key
6629 files easier to set up. Fixes bug #251.
6630 - flush_type and flush_name remove msg cache entries.
6631 - codereview - dp copy bogus setting fix.
6634 - Removed RFC5011 REVOKE flag support. Partial 5011 support may cause
6635 inadvertant behaviour.
6636 - 1.3.0 tarball for release created.
6637 - 1.3.1 development in svn trunk.
6638 - iana portlist updated.
6639 - fix lint from complaining on ldns/sha.h.
6640 - help compiler figure out aliasing in priv_rrset_bad() routine.
6641 - fail to configure with python if swig is not found.
6642 - unbound_munin_ in contrib uses ps to show rss if sbrk does not work.
6645 - fixup bad free() when wrongly encoded DSA signature is seen.
6646 Reported by Paul Wouters.
6647 - review comments from Matthijs.
6650 - --enable-sha2 option. The draft rsasha256 changed its algorithm
6651 numbers too often. Therefore it is more prudent to disable the
6652 RSASHA256 and RSASHA512 support by default.
6653 - ldns trunk included as new tarball.
6654 - recreated the 1.3.0 tag in svn. rc1 tarball generated at this point.
6657 - fixup doc bug in README reported by Matthew Dempsky.
6660 - update iana port list
6661 - update ldns lib tarball
6664 - detect lack of IPv6 support on XP (with a different error code).
6665 - Fixup a crash-on-exit which was triggered by a very long queue.
6666 Unbound would try to re-use ports that came free, but this is
6667 of course not really possible because everything is deleted.
6668 Most easily triggered on XP (not Vista), maybe because of the
6669 network stack encouraging large messages backlogs.
6670 - change in debug statements.
6671 - Fixed bug that could cause a crash if root prime failed when there
6672 were message backlogs.
6675 - Thanks again to Brett Carr, found an assertion that was not true.
6676 Assertion checked if recursion parent query still existed.
6678 29 April 2009: Wouter
6679 - Thanks to Brett Carr, caught windows resource leak, use
6680 closesocket() and not close() on sockets or else the network stack
6681 starts to leak handles.
6682 - Removed usage of windows Mutex because windows cannot handle enough
6683 mutexes open. Provide own mutex implementation using primitives.
6685 28 April 2009: Wouter
6686 - created svn tag for 1.3.0.
6688 27 April 2009: Wouter
6689 - optimised cname from cache.
6690 - ifdef windows functions in testbound.
6692 23 April 2009: Wouter
6693 - fix for threadsafety in solaris thr_key_create() in tests.
6694 - iana portlist updated.
6695 - fix pylib test for Darwin.
6696 - fix pymod test for Darwin and a python threading bug in pymod init.
6697 - check python >= 2.4 in configure.
6698 - -ldl check for libcrypto 1.0.0beta.
6700 21 April 2009: Wouter
6701 - fix for build outside sourcedir.
6702 - fix for configure script swig detection.
6704 17 April 2009: Wouter
6705 - Fix reentrant in minievent handler for unix. Could have resulted
6706 in spurious event callbacks.
6707 - timers do not take up a fd slot for winsock handler.
6708 - faster fix for winsock reentrant check.
6709 - fix rsasha512 unit test for new (interim) algorithm number.
6710 - fix test:ldns doesn't like DOS line endings in keyfiles on unix.
6711 - fix compile warning on ubuntu (configlexer fwrite return value).
6712 - move python include directives into CPPFLAGS instead of CFLAGS.
6714 16 April 2009: Wouter
6715 - winsock event handler exit very quickly on signal, even if
6717 - iana portlist updated.
6718 - fixup windows winsock handler reentrant problem.
6720 14 April 2009: Wouter
6721 - bug #245: fix munin plugin, perform cleanup of stale lockfiles.
6722 - makedist.sh; better help text.
6723 - cache-min-ttl option and tests.
6724 - mingw detect error condition on TCP sockets (NOTCONN).
6726 9 April 2009: Wouter
6727 - Fix for removal of RSASHA256_NSEC3 protonumber from ldns.
6728 - ldns tarball updated.
6729 - iana portlist update.
6730 - detect GOST support in openssl-1.0.0-beta1, and fix compile problem
6731 because that openssl defines the name STRING for itself.
6733 6 April 2009: Wouter
6734 - windows compile fix.
6735 - Detect FreeBSD jail without ipv6 addresses assigned.
6736 - python libunbound wrapper unit test.
6737 - installs the following files. Default is to not build them.
6738 from configure --with-pythonmodule:
6739 /usr/lib/python2.x/site-packages/unboundmodule.py
6740 from configure --with-pyunbound:
6741 /usr/lib/python2.x/site-packages/unbound.py
6742 /usr/lib/python2.x/site-packages/_unbound.so*
6743 The example python scripts (pythonmod/examples and
6744 libunbound/python/examples) are not installed.
6745 - python invalidate routine respects packed rrset ids and locks.
6746 - clock skew checks in unbound, config statements.
6747 - nxdomain ttl considerations in requirements.txt
6749 3 April 2009: Wouter
6750 - Fixed a bug that caused messages to be stored in the cache too
6751 long. Hard to trigger, but NXDOMAINs for nameservers or CNAME
6752 targets have been more vulnerable to the TTL miscalculation bug.
6753 - documentation test fixed for python addition.
6755 2 April 2009: Wouter
6756 - pyunbound (libunbound python plugin) compiles using libtool.
6757 - documentation for pythonmod and pyunbound is generated in doc/html.
6758 - iana portlist updated.
6759 - fixed bug in unbound-control flush_zone where it would not flush
6760 every message in the target domain. This especially impacted
6761 NXDOMAIN messages which could remain in the cache regardless.
6762 - python module test package.
6764 1 April 2009: Wouter
6765 - suppress errors when trying to contact authority servers that gave
6766 ipv6 AAAA records for their nameservers with ipv4 mapped contents.
6767 Still tries to do so, could work when deployed in intranet.
6768 Higher verbosity shows the error.
6769 - new libunbound calls documented.
6770 - pyunbound in libunbound/python. Removed compile warnings.
6771 Makefile to make it.
6773 30 March 2009: Wouter
6774 - Fixup LDFLAGS from libevent sourcedir compile configure restore.
6775 - Fixup so no non-absolute rpaths are added.
6776 - Fixup validation of RRSIG queries, they are let through.
6777 - read /dev/random before chroot
6778 - checkconf fix no python checks when no python module enabled.
6779 - fix configure, pthread first, so other libs do not change outcome.
6781 27 March 2009: Wouter
6782 - nicer -h output. report linked libraries and modules.
6783 - prints modules in intuitive order (config file friendly).
6784 - python compiles easily on BSD.
6786 26 March 2009: Wouter
6787 - ignore swig varargs warnings with gcc.
6788 - remove duplicate example.conf text from python example configs.
6789 - outofdir compile fix for python.
6791 - print modules compiled in on -h. manpage.
6793 25 March 2009: Wouter
6794 - initial import of the python contribution from Zdenek Vasicek and
6796 - pythonmod in Makefile; changes to remove warnings/errors for 1.3.0.
6798 24 March 2009: Wouter
6799 - more neat configure.ac. Removed duplicate config.h includes.
6800 - neater config.h.in.
6801 - iana portlist updated.
6802 - fix util/configlexer.c and solaris -std=c99 flag.
6803 - fix postcommit aclocal errors.
6804 - spaces stripped. Makefile cleaner, /usr omitted from -I, -L, -R.
6805 - swap order of host detect and libtool generation.
6807 23 March 2009: Wouter
6808 - added launchd plist example file for MacOSX to contrib.
6809 - deprecation test for daemon(3).
6810 - moved common configure actions to m4 include, prettier Makefile.
6812 20 March 2009: Wouter
6813 - bug #239: module-config entries order is important. Documented.
6814 - build fix for test asynclook.
6816 19 March 2009: Wouter
6817 - winrc/README.txt dos-format text file.
6818 - iana portlist updated.
6819 - use _beginthreadex() when available (performs stack alignment).
6820 - defaults for windows baked into configure.ac (used if on mingw).
6822 18 March 2009: Wouter
6823 - Added tests, unknown algorithms become insecure. fallback works.
6824 - Fix for and test for unknown algorithms in a trust anchor
6825 definition. Trust anchors with no supported algos are ignored.
6826 This means a (higher)DS or DLV entry for them could succeed, and
6827 otherwise they are treated as insecure.
6828 - domain-insecure: "example.com" statement added. Sets domain
6829 insecure regardless of chain of trust DSs or DLVs. The inverse
6832 17 March 2009: Wouter
6833 - unit test for unsupported algorithm in anchor warning.
6834 - fixed so queries do not fail on opportunistic target queries.
6836 16 March 2009: Wouter
6837 - fixup diff error printout in contrib/update-itar.sh.
6838 - added contrib/unbound_cacti for statistics support in cacti,
6839 contributed by Dmitriy Demidov.
6841 13 March 2009: Wouter
6842 - doxygen and lex/yacc on linux.
6843 - strip update-anchor on makedist -w.
6844 - fix testbound on windows.
6845 - default log to syslog for windows.
6846 - uninstaller can stop unbound - changed text on it to reflect that.
6847 - remove debugging from windows 'cron' actions.
6849 12 March 2009: Wouter
6850 - log to App.logs on windows prints executable identity.
6852 - munin plugin fix benign locking error printout.
6853 - anchor-update for windows, called every 24 hours; unbound reloads.
6855 11 March 2009: Wouter
6856 - winsock event handler resets WSAevents after signalled.
6857 - winsock event handler tests if signals are really signalled.
6858 - install and service with log to file works on XP and Vista on
6859 default install location.
6860 - on windows logging to the Application logbook works (as a service).
6861 - fix RUN_DIR on windows compile setting in makedist.
6862 - windows registry has Software\Unbound\ConfigFile element.
6863 If does not exist, the default is used. The -c switch overrides it.
6864 - fix makedist version cleanup function.
6866 10 March 2009: Wouter
6867 - makedist -w strips out old rc.. and snapshot info from version.
6868 - setup.exe starts and stops unbound after install, before uninstall.
6869 - unbound-checkconf recognizes absolute pathnames on windows (C:...).
6871 9 March 2009: Wouter
6872 - Nullsoft NSIS installer creation script.
6874 5 March 2009: Wouter
6875 - fixup memory leak introduced on 18feb in mesh reentrant fix.
6877 3 March 2009: Wouter
6878 - combined icon with 16x16(4) 32x32(4) 48x48(8) 64x64(8).
6879 - service works on xp/vista, no config necessary (using defaults).
6880 - windows registry settings.
6882 2 March 2009: Wouter
6883 - fixup --export-symbols to be -export-symbls for libtool.
6884 This should fix extraneous symbols exported from libunbound.
6885 Thanks to Ondrej Sury and Robert Edmonds for finding it.
6886 - iana portlist updated.
6887 - document FAQ entry on stub/forward zones and default blocking.
6888 - fix asynclook test app for libunbound not exporting symbols.
6889 - service install and remove utils that work with vista UAC.
6891 27 February 2009: Wouter
6892 - Fixup lexer, to not give warnings about fwrite. Appeared in
6894 - makedistro functionality for mingw. Has RC support.
6895 - support spaces and backslashes in configured defaults paths.
6896 - register, deregister in service control manager.
6898 25 February 2009: Wouter
6899 - windres usage for application resources.
6901 24 February 2009: Wouter
6902 - isc moved their dlv key download location.
6903 - fixup warning on vista/mingw.
6904 - makedist -w for window zip distribution first version.
6906 20 February 2009: Wouter
6907 - Fixup contrib/update-itar.sh, the exit codes 1 and 0 were swapped.
6908 Nicer script layout. Added url to site in -h output.
6910 19 February 2009: Wouter
6911 - unbound-checkconf and unbound print warnings when trust anchors
6912 have unsupported algorithms.
6913 - added contrib/update-itar.sh This script is similar to
6914 update-anchor.sh, and updates from the IANA ITAR repository.
6915 You can provide your own PGP key and trust repo, or can use the
6916 builtin. The program uses wget and gpg to work.
6917 - iana portlist updated.
6918 - update-itar.sh: using ftp:// urls because https godaddy certificate
6919 is not available everywhere and then gives fatal errors. The
6920 security is provided by pgp signature.
6922 18 February 2009: Wouter
6923 - more cycle detection. Also for target queries.
6924 - fixup bug where during deletion of the mesh queries the callbacks
6925 that were reentrant caused assertion failures. Keep the mesh in
6926 a reentrant safe state. Affects libunbound, reload of server,
6927 on quit and flush_requestlist.
6928 - iana portlist updated.
6930 13 February 2009: Wouter
6931 - forwarder information now per-thread duplicated.
6932 This keeps it read only for speed, with no locking necessary.
6933 - forward command for unbound control to change forwarders to use
6935 - document that unbound-host reads no config file by default.
6936 - updated iana portlist.
6938 12 February 2009: Wouter
6939 - call setusercontext if available (on BSD).
6940 - small refactor of stats clearing.
6941 - #227: flush_stats feature for unbound-control.
6942 - stats_noreset feature for unbound-control.
6943 - flush_requestlist feature for unbound-control.
6944 - libunbound version upped API (was changed 5 feb).
6945 - unbound-control status shows if root forwarding is in use.
6946 - slightly nicer memory management in iter-fwd code.
6948 10 February 2009: Wouter
6949 - keys with rfc5011 REVOKE flag are skipped and not considered when
6951 - iana portlist updated
6952 - #226: dump_requestlist feature for unbound-control.
6954 6 February 2009: Wouter
6955 - contrib contains specfile for fedora 1.2.1 (from Paul Wouters).
6956 - iana portlist updated.
6957 - fixup EOL in include directive (reported by Paul Wouters).
6958 You can no longer specify newlines in the names of included files.
6959 - config parser changed. Gives some syntax errors closer to where they
6960 occurred. Does not enforce a space after keyword anymore.
6961 Does not allow literal newlines inside quoted strings anymore.
6962 - verbosity level 5 logs customer IP for new requestlist entries.
6963 - test fix, lexer and cancel test.
6964 - new option log-time-ascii: yes if you enable it prints timestamps
6965 in the log file as Feb 06 13:45:26 (like syslog does).
6966 - detect event_base_new in libevent-1.4.1 and later and use it.
6967 - #231 unbound-checkconf -o option prints that value from config file.
6968 Useful for scripting in management scripts and the like.
6970 5 February 2009: Wouter
6971 - ldns 1.5.0 rc as tarball included.
6972 - 1.3.0 development continues:
6973 change in libunbound API: ub_cancel can return an error, that
6974 the async_id did not exist, or that it was already delivered.
6975 The result could have been delivered just before the cancel
6976 routine managed to acquire the lock, so a caller may get the
6977 result at the same time they call cancel. For this case,
6978 ub_cancel tries to return an error code.
6979 Fixes race condition in ub_cancel() libunbound function.
6980 - MacOSX Leopard cleaner text output from configure.
6981 - initgroups(3) is called to drop secondary group permissions, if
6983 - configure option --with-ldns-builtin forces the use of the
6984 inluded ldns package with the unbound source. The -I include
6985 is put before the others, so it avoids bad include files from
6986 an older ldns install.
6987 - daemon(3) posix call is used when available.
6988 - testbound test for older fix added.
6990 4 February 2009: Wouter
6991 - tag for release 1.2.1.
6992 - trunk setup for 1.3.0 development.
6994 3 February 2009: Wouter
6995 - noted feature requests in doc/TODO.
6996 - printout more detailed errors on ssl certificate loading failures.
6997 - updated IANA portlist.
6999 16 January 2009: Wouter
7000 - more quiet about ipv6 network failures, i.e. when ipv6 is not
7001 available (network unreachable). Debug still printed on high
7003 - unbound-host -4 and -6 options. Stops annoying ipv6 errors when
7004 debugging with unbound-host -4 -d ...
7005 - more cycle detection for NS-check, addr-check, root-prime and
7006 stub-prime queries in the iterator. Avoids possible deadlock
7009 15 January 2009: Wouter
7010 - bug #229: fixup configure checks for compilation with Solaris
7011 Sun cc compiler, ./configure CC=/opt/SUNWspro/bin/cc
7012 - fixup suncc warnings.
7013 - fix bug where unbound could crash using libevent 1.3 and older.
7014 - update testset for recent retry change.
7016 14 January 2009: Wouter
7017 - 1.2.1 feature: negative caching for failed queries.
7018 Queries that failed are cached for 5 seconds (NORR_TTL).
7019 If the failure is local, like out of memory, it is not cached.
7020 - the TTL comparison for the cache used different comparisons,
7021 causing many cache responses that used the iterator and validator
7022 state machines unnecessarily.
7023 - retry from 4 to 5 so that EDNS drop retry is part of the first
7024 query resolve attempt, and cached error does not stop EDNS fallback.
7025 - remove debug prints that protect against bad referrals.
7026 - honor QUIET=no on make commandline (or QUIET=yes ).
7028 13 January 2009: Wouter
7029 - fixed bug in lameness marking, removed printouts.
7030 - find NS rrset more cleanly for qtype NS.
7031 - Moved changes to 1.2.0 for release. Thanks to Mark Zealey for
7033 - 1.2.1 feature: stops resolving AAAAs promiscuously when they
7034 are in the negative cache.
7036 12 January 2009: Wouter
7037 - fixed bug in infrastructure lameness cache, did not lowercase
7038 name of zone to hash when setting lame.
7039 - lameness debugging printouts.
7041 9 January 2009: Wouter
7042 - created svn tag for 1.2.0 release.
7043 - svn trunk contains 1.2.1 version number.
7044 - iana portlist updated for todays list.
7045 - removed debug print.
7047 8 January 2009: Wouter
7048 - new version of ldns-trunk (today) included as tarball, fixed
7049 bug #224, building with -j race condition.
7050 - remove possible race condition in the test for race conditions.
7052 7 January 2009: Wouter
7053 - version 1.2.0 in preparation.
7054 - feature to allow wildcards (*, ?, [], {}. ~) in trusted-keys-file
7055 statements. (Adapted from patch by Paul Wouters).
7056 - typo fix and iana portlist updated.
7057 - porting testsuite; unused var warning, and type fixup.
7059 6 January 2009: Wouter
7060 - fixup packet-of-death when compiled with --enable-debug.
7061 A malformed packet could cause an internal assertion failure.
7062 - added test for HINFO canonicalisation behaviour.
7063 - fixup reported problem with transparent local-zone data where
7064 queries with different type could get nxdomain. Now queries
7065 with a different name get resolved normally, with different type
7066 get a correct NOERROR/NODATA answer.
7067 - HINFO no longer downcased for validation, making unbound compatible
7069 - fix reading included config files when chrooted.
7070 Give full path names for include files.
7071 Relative path names work if the start dir equals the working dir.
7072 - fix libunbound message transport when no packet buffer is available.
7074 5 January 2009: Wouter
7075 - fixup getaddrinfo failure handling for remote control port.
7076 - added L.ROOT-SERVERS.NET. AAAA 2001:500:3::42 to builtin root hints.
7077 - fixup so it works with libev-3.51 from http://dist.schmorp.de/libev/
7078 - comm_timer_set performs base_set operation after event_add.
7080 18 December 2008: Wouter
7081 - fixed bug reported by Duane Wessels: error in DLV lookup, would make
7082 some zones that had correct DLV keys as insecure.
7083 - follows -rc makedist from ldns changes (no _rc).
7084 - ldns tarball updated with 1.4.1rc for DLV unit test.
7085 - verbose prints about recursion lame detection and server selection.
7086 - fixup BSD port for infra host storage. It hashed wrongly.
7087 - fixup makedist snapshot name generation.
7088 - do not reopen syslog to avoid dev/log dependency.
7090 17 December 2008: Wouter
7091 - follows ldns makedist.sh. -rc option. autom4te dir removed.
7092 - unbound-control status command.
7093 - extended statistics has a number of ipv6 queries counter.
7094 contrib/unbound_munin_ was updated to draw ipv6 in the hits graph.
7096 16 December 2008: Wouter
7097 - follow makedist improvements from ldns, for maintainers prereleases.
7098 - snapshot version uses _ not - to help rpm distinguish the
7101 11 December 2008: Wouter
7102 - better fix for bug #219: use LOG_NDELAY with openlog() call.
7103 Thanks to Tamas Tevesz.
7105 9 December 2008: Wouter
7106 - bug #221 fixed: unbound checkconf checks if key files exist if
7107 remote control is enabled. Also fixed NULL printf when not chrooted.
7108 - iana portlist updated.
7110 3 December 2008: Wouter
7111 - Fix problem reported by Jaco Engelbrecht where unbound-control stats
7112 freezes up unbound if this was compiled without threading, and
7113 was using multiple processes.
7114 - iana portlist updated.
7115 - test for remote control with interprocess communication.
7116 - created command distribution mechanism so that remote control
7117 commands other than 'stats' work on all processes in a nonthreaded
7118 compiled version. dump/load cache work, on the first process.
7119 - fixup remote control local_data addition memory corruption bug.
7121 1 December 2008: Wouter
7122 - SElinux policy files in contrib/selinux for the unbound daemon,
7123 by Paul Wouters and Adam Tkac.
7125 25 November 2008: Wouter
7126 - configure complains when --without-ssl is given (bug #220).
7127 - skip unsupported feature tests on vista/mingw.
7128 - fixup testcode/streamtcp to work on vista/mingw.
7129 - root-hints test checks version of dig required.
7130 - blacklisted servers are polled at a low rate (1%) to see if they
7131 come back up. But not if there is some other working server.
7133 24 November 2008: Wouter
7134 - document that the user of the server daemon needs read privileges
7135 on the keys and certificates generated by unbound-control-setup.
7136 This is different per system or distribution, usually, running the
7137 script under the same username as the server uses suffices.
7138 i.e. sudo -u unbound unbound-control-setup
7139 - testset port to vista/mingw.
7140 - tcp_sigpipe to freebsd port.
7142 21 November 2008: Wouter
7143 - fixed tcp accept, errors were printed when they should not.
7144 - unbound-control-setup.sh removes read/write permissions other
7145 from the keys it creates (as suggested by Dmitriy Demidov).
7147 20 November 2008: Wouter
7148 - fixup fatal error due to faulty error checking after tcp accept.
7149 - add check in rlimit to avoid integer underflow.
7150 - rlimit check with new formula; better estimate for number interfaces
7151 - nicer comments in rlimit check.
7152 - tag 1.1.1 created in svn.
7153 - trunk label is 1.1.2
7155 19 November 2008: Wouter
7156 - bug #219: fixed so that syslog which delays opening until the first
7157 log line is written, gets a log line while not chroot'ed yet.
7159 18 November 2008: Wouter
7160 - iana portlist updated.
7161 - removed cast in unit test debug print that was not 64bit safe.
7162 - trunk back to 1.1.0; copied to tags 1.1.0 release.
7163 - trunk to has version number 1.1.1 again.
7164 - in 1.1.1; make clean nicer. grammar in manpage.
7166 17 November 2008: Wouter
7167 - theoretical fix for problems reported on mailing list.
7168 If a delegation point has no A but only AAAA and do-ip6 is no,
7169 resolution would fail. Fixed to ask for the A and AAAA records.
7170 It has to ask for both always, so that it can fail quietly, from
7171 TLD perspective, when a zone is only reachable on one transport.
7172 - test for above, only AAAA and doip6 is no. Fix causes A record
7173 for nameserver to be fetched.
7174 - fixup address duplication on cache fillup for delegation points.
7175 - testset updated for new query answer requirements.
7177 14 November 2008: Wouter
7178 - created 1.1.0 release tag in svn.
7179 - trunk moved to 1.1.1
7180 - fixup unittest-neg for locking.
7182 13 November 2008: Wouter
7183 - added fedora init and specfile to contrib (by Paul Wouters).
7184 - added configure check for ldns 1.4.0 (using its compat funcs).
7185 - neater comments in worker.h.
7186 - removed doc/plan and updated doc/TODO.
7187 - silenced EHOSTDOWN (verbosity 2 or higher to see it).
7188 - review comments from Jelte, Matthijs. Neater code.
7190 12 November 2008: Wouter
7191 - add unbound-control manpage to makedist replace list.
7193 11 November 2008: Wouter
7194 - unit test for negative cache, stress tests the refcounting.
7195 - fix for refcounting error that could cause fptr_wlist fatal exit
7196 in the negative cache rbtree (upcoming 1.1 feature). (Thanks to
7197 Attila Nagy for testing).
7198 - nicer comments in cachedump about failed RR to string conversion.
7199 - fix 32bit wrap around when printing large (4G and more) mem usage
7200 for extended statistics.
7202 10 November 2008: Wouter
7203 - fixup the getaddrinfo compat code rename.
7205 8 November 2008: Wouter
7206 - added configure check for eee build warning.
7208 7 November 2008: Wouter
7209 - fix bug 217: fixed, setreuid and setregid do not work on MacOSX10.4.
7210 - detect nonblocking problems in network stack in configure script.
7212 6 November 2008: Wouter
7213 - dname_priv must decompress the name before comparison.
7214 - iana portlist updated.
7216 5 November 2008: Wouter
7217 - fixed possible memory leak in key_entry_key deletion.
7218 Would leak a couple bytes when trust anchors were replaced.
7219 - if query and reply qname overlap, the bytes are skipped not copied.
7220 - fixed file descriptor leak when messages were jostled out that
7221 had outstanding (TCP) replies.
7222 - DNAMEs used from cache have their synthesized CNAMEs initialized
7224 - fixed file descriptor leak for localzone type deny (for TCP).
7225 - fixed memleak at exit for nsec3 negative cached zones.
7226 - fixed memleak for the keyword 'nodefault' when reading config.
7227 - made verbosity of 'edns incapable peer' warning higher, so you
7228 do not get spammed by it.
7229 - caught elusive Bad file descriptor error bug, that would print the
7230 error while unnecessarily try to listen to a closed fd. Fixed.
7232 4 November 2008: Wouter
7233 - fixed -Wwrite-strings warnings that result in better code.
7235 3 November 2008: Wouter
7236 - fixup build process for Mac OSX linker, use ldns b32 compat funcs.
7237 - generated configure with autoconf-2.61.
7238 - iana portlist updated.
7239 - detect if libssl needs libdl. For static linking with libssl.
7240 - changed to use new algorithm identifiers for sha256/sha512
7241 from ldns 1.4.0 (need very latest version).
7242 - updated the included ldns tarball.
7243 - proper detection of SHA256 and SHA512 functions (not just sizes).
7245 23 October 2008: Wouter
7246 - a little more debug info for failure on signer names. prints names.
7248 22 October 2008: Wouter
7249 - CFLAGS are picked up by configure from the environment.
7250 - iana portlist updated.
7251 - updated ldns to use 1.4.0-pre20081022 so it picks up CFLAGS too.
7252 - new stub-prime: yesno option. Default is off, so it does not prime.
7253 can be turned on to get same behaviour as previous unbound release.
7254 - made automated test that checks if builtin root hints are uptodate.
7255 - finished draft-wijngaards-dnsext-resolver-side-mitigation
7256 implementation. The unwanted-reply-threshold can be set.
7257 - fixup so fptr_whitelist test in alloc.c works.
7259 21 October 2008: Wouter
7260 - fix update-anchors.sh, so it does not report different RR order
7261 as an update. Sorts the keys in the file. Updated copyright.
7262 - fixup testbound on windows, the command control pipe doesn't exist.
7263 - skip 08hostlib test on windows, no fork() available.
7264 - made unbound-remote work on windows.
7266 20 October 2008: Wouter
7267 - quench a log message that is debug only.
7268 - iana portlist updated.
7269 - do not query bogus nameservers. It is like nameservers that have
7270 the NS or A or AAAA record bogus are listed as donotquery.
7271 - if server selection is faced with only bad choices, it will
7272 attempt to get more options to be fetched.
7273 - changed bogus-ttl default value from 900 to 60 seconds.
7274 In anticipation that operator caused failures are more likely than
7275 actual attacks at this time. And thus repeated validation helps
7276 the operators get the problem fixed sooner. It makes validation
7277 failures go away sooner (60 seconds after the zone is fixed).
7278 Also it is likely to try different nameserver targets every minute,
7279 so that if a zone is bad on one server but not another, it is
7280 likely to pick up the 'correct' one after a couple minutes,
7281 and if the TTL is big enough that solves validation for the zone.
7282 - fixup unbound-control compilation on windows.
7284 17 October 2008: Wouter
7285 - port Leopard/G5: fixup type conversion size_t/uint32.
7286 please ranlib, stop file without symbols warning.
7287 - harden referral path now also validates the root after priming.
7288 It looks up the root NS authoritatively as well as the root servers
7289 and attemps to validate the entries.
7291 16 October 2008: Wouter
7292 - Fixup negative TTL values appearing (reported by Attila Nagy).
7294 15 October 2008: Wouter
7295 - better documentation for 0x20; remove fallback TODO, it is done.
7296 - harden-referral-path feature includes A, AAAA queries for glue,
7297 as well as very careful NS caching (only when doing NS query).
7298 A, AAAA use the delegation from the NS-query.
7300 14 October 2008: Wouter
7301 - fwd_three.tpkg test was flaky. If the three requests hit the
7302 wrong threads by chance (or bad OS) then the test would fail.
7303 Made less flaky by increasing number of retries.
7304 - stub_udp.tpkg changed to work, give root hints. fixed ldns_dname_abs.
7305 - ldns tarball is snapshot of ldns r2759 (1.4.0-pre-20081014).
7306 Which includes the ldns_dname_absolute fix.
7307 - fwd_three test remains flaky now that unbound does not stop
7308 listening when full. Thus, removed timeout problem.
7309 It may be serviced by three threads, or maybe by one.
7310 Mostly only useful for lock-check testing now.
7312 13 October 2008: Wouter
7313 - fixed recursion servers deployed as authoritative detection, so
7314 that as a last resort, a +RD query is sent there to get the
7316 - iana port list update.
7317 - ldns tarball is snapshot of ldns r2759 (1.4.0-pre-20081013).
7319 10 October 2008: Wouter
7320 - fixup tests - the negative cache contained the correct NSEC3s for
7321 two tests that are supposed to fail to validate.
7323 9 October 2008: Wouter
7324 - negative cache caps max iterations of NSEC3 done.
7325 - NSEC3 negative cache for qtype DS works.
7327 8 October 2008: Wouter
7328 - NSEC negative cache for DS.
7330 6 October 2008: Wouter
7331 - jostle-timeout option, so you can config for slow links.
7332 - 0x20 fallback code. Tries 3xnumber of nameserver addresses
7333 queries that must all be the same. Sent to random nameservers.
7334 - documented choices for DoS, EDNS, 0x20.
7336 2 October 2008: Wouter
7337 - fixup unlink of pidfile.
7338 - fixup SHA256 algorithm collation code.
7339 - contrib/update-anchor.sh does not overwrite anchors if not needed.
7340 exits 0 when a restart is needed, other values if not.
7341 so, update-anchor.sh -d mydir && /etc/rc.d/unbound restart
7342 can restart unbound exactly when needed.
7344 30 September 2008: Wouter
7345 - fixup SHA256 DS downgrade, no longer possible to downgrade to SHA1.
7346 - tests for sha256 support and downgrade resistance.
7347 - RSASHA256 and RSASHA512 support (using the draft in dnsext),
7348 using the drafted protocol numbers.
7349 - when using stub on localhost (127.0.0.1@10053) unbound works.
7350 Like when running NSD to host a local zone, on the same machine.
7351 The noprime feature. manpages more explanation. Added a test for it.
7352 - shorthand for reverse PTR, local-data-ptr: "1.2.3.4 www.ex.com"
7354 29 September 2008: Wouter
7355 - EDNS lameness detection, if EDNS packets are dropped this is
7356 detected, eventually.
7357 - multiple query timeout rtt backoff does not backoff too much.
7359 26 September 2008: Wouter
7360 - tests for remote-control.
7361 - small memory leak in exception during remote control fixed.
7362 - fixup for lock checking but not unchecking in remote control.
7363 - iana portlist updated.
7365 23 September 2008: Wouter
7366 - Msg cache is loaded. A cache load enables cache responses.
7367 - unbound-control flush [name], flush_type and flush_zone.
7369 22 September 2008: Wouter
7370 - dump_cache and load_cache statements in unbound-control.
7371 RRsets are dumped and loaded correctly.
7372 Msg cache is dumped.
7374 19 September 2008: Wouter
7375 - locking on the localdata structure.
7376 - add and remove local zone and data with unbound-control.
7377 - ldns trunk snapshot updated, make tests work again.
7379 18 September 2008: Wouter
7380 - fixup error in time calculation.
7381 - munin plugin improvements.
7382 - nicer abbreviations for high query types values (ixfr, axfr, any...)
7383 - documented the statistics output in unbound-control man page.
7384 - extended statistics prints out histogram, over unbound-control.
7386 17 September 2008: Wouter
7387 - locking for threadsafe bogus rrset counter.
7388 - ldns trunk no longer exports b32 functions, provide compat.
7389 - ldns tarball updated.
7390 - testcode/ldns-testpkts.c const fixups.
7391 - fixed rcode stat printout.
7392 - munin plugin in contrib.
7393 - stats always printout uptime, because stats plugins need it.
7395 16 September 2008: Wouter
7396 - extended-statistics: yesno config option.
7397 - unwanted replies spoof nearmiss detector.
7398 - iana portlist updated.
7400 15 September 2008: Wouter
7401 - working start, stop, reload commands for unbound-control.
7402 - test for unbound-control working; better exit value for control.
7403 - verbosity control via unbound-control.
7404 - unbound-control stats.
7406 12 September 2008: Wouter
7407 - removed browser control mentions. Proto speccy.
7409 11 September 2008: Wouter
7410 - set nonblocking on new TCP streams, because linux does not inherit
7411 the socket options to the accepted socket.
7413 - SSL protected connection between server and unbound-control.
7415 10 September 2008: Wouter
7416 - remove memleak in privacy addresses on reloads and quits.
7417 - remote control work.
7419 9 September 2008: Wouter
7420 - smallapp/unbound-control-setup.sh script to set up certificates.
7422 4 September 2008: Wouter
7423 - scrubber scrubs away private addresses.
7424 - test for private addresses. man page entry.
7425 - code refactored for name and address tree lookups.
7427 3 September 2008: Wouter
7428 - options for 'DNS Rebinding' protection: private-address and
7430 - dnstree for reuse of routines that help with domain, addr lookups.
7431 - private-address and private-domain config option read, stored.
7433 2 September 2008: Wouter
7434 - DoS protection features. Queries are jostled out to make room.
7435 - testbound can pass time, increasing the internal timer.
7436 - do not mark unsigned additionals bogus, leave unchecked, which
7439 1 September 2008: Wouter
7440 - disallow nonrecursive queries for cache snooping by default.
7441 You can allow is using access-control: <subnet> allow_snoop.
7442 The defaults do allow access no authoritative data without RD bit.
7443 - two tests for it and fixups of tests for nonrec refused.
7445 29 August 2008: Wouter
7446 - version 1.1 number in trunk.
7447 - harden-referral-path option for query for NS records.
7448 Default turns off expensive, experimental option.
7450 28 August 2008: Wouter
7451 - fixup logfile handling; it is created with correct permissions
7452 again. (from bugfix#199).
7453 Some errors are not written to logfile (pidfile writing, forking),
7454 and these are only visible by using the -d commandline flag.
7456 27 August 2008: Wouter
7457 - daemon(3) is causing problems for people. Reverting the patch.
7458 bug#200, and 199 and 203 contain sideline discussion on it.
7459 - bug#199 fixed: pidfile can be outside chroot. openlog is done before
7460 chroot and drop permissions.
7461 - config option to set size of aggressive negative cache,
7463 - bug#203 fixed: dlv has been implemented.
7465 26 August 2008: Wouter
7466 - test for insecure zone when DLV is in use, also does negative cache.
7467 - test for trustanchor when DLV is in use (the anchor works).
7468 - test for DLV used for a zone below a trustanchor.
7469 - added scrub filter for overreaching NSEC records and unit test.
7470 - iana portlist update
7471 - use of setresuid or setreuid when available.
7472 - use daemon(3) if available.
7474 25 August 2008: Wouter
7475 - realclean patch from Robert Edmonds.
7477 22 August 2008: Wouter
7478 - nicer debuglogging of DLV.
7479 - test with secure delegation inside the DLV repository.
7481 21 August 2008: Wouter
7482 - negative cache code linked into validator, for DLV use.
7483 negative cache works for DLV.
7484 - iana portlist update.
7485 - dlv-anchor option for unit tests.
7486 - fixup NSEC_AT_APEX classification for short typemaps.
7487 - ldns-testns has subdomain checks, for unit tests.
7489 20 August 2008: Wouter
7490 - negative cache code, reviewed.
7492 18 August 2008: Wouter
7493 - changes info: in logfile to notice: info: or debug: depending on
7494 the verbosity of the statements. Better logfile message
7496 - bug #208: extra rc.d unbound flexibility for freebsd/nanobsd.
7498 15 August 2008: Wouter
7499 - DLV nsec code fixed for better detection of closest existing
7500 enclosers from NSEC responses.
7501 - DLV works, straight to the dlv repository, so not for production.
7504 14 August 2008: Wouter
7505 - synthesize DLV messages from the rrset cache, like done for DS.
7507 13 August 2008: Wouter
7508 - bug #203: nicer do-auto log message when user sets incompatible
7510 - bug #204: variable name ameliorated in log.c.
7511 - bug #206: in iana_update, no egrep, but awk use.
7512 - ldns snapshot r2699 taken (includes DLV type).
7513 - DLV work, config file element, trust anchor read in.
7515 12 August 2008: Wouter
7516 - finished adjusting testset to provide qtype NS answers.
7518 11 August 2008: Wouter
7519 - Fixup rrset security updates overwriting 2181 trust status.
7520 This makes validated to be insecure data just as worthless as
7521 nonvalidated data, and 2181 rules prevent cache overwrites to them.
7522 - Fix assertion fail on bogus key handling.
7523 - dnssec lameness detection works on first query at trust apex.
7524 - NS queries get proper cache and dnssec lameness treatment.
7525 - fixup compilation without pthreads on linux.
7527 8 August 2008: Wouter
7528 - NS queries are done after every referral.
7529 validator is used on those NS records (if anchors enabled).
7531 7 August 2008: Wouter
7532 - Scrubber more strict. CNAME chains, DNAMEs from cache, other
7533 irrelevant rrsets removed.
7534 - 1.0.2 released from 1.0 support branch.
7535 - fixup update-anchor.sh to work both in BSD shell and bash.
7537 5 August 2008: Wouter
7538 - fixup DS test so apex nodata works again.
7540 4 August 2008: Wouter
7543 - fix bug 201: null ptr deref on cleanup while udp pkts wait for port.
7544 - added explanatory text for outgoing-port-permit in manpage.
7546 30 July 2008: Wouter
7547 - fixup bug qtype DS for unsigned zone and signed parent validation.
7549 25 July 2008: Wouter
7550 - added original copyright statement of OpenBSD arc4random code.
7551 - created tube signaling solution on windows, as a pipe replacement.
7552 this makes background asynchronous resolution work on windows.
7553 - removed very insecure socketpair compat code. It also did not
7554 work with event_waiting. Solved by pipe replacement.
7555 - unbound -h prints openssl version number as well.
7557 22 July 2008: Wouter
7558 - moved pipe actions to util/tube.c. easier porting and shared code.
7559 - check _raw() commpoint callbacks with fptr_wlist.
7562 21 July 2008: Wouter
7563 - #198: nicer entropy warning message. manpage OS hints.
7565 19 July 2008: Wouter
7566 - #198: fixup man page to suggest chroot entropy fix.
7568 18 July 2008: Wouter
7569 - branch for 1.0 support.
7570 - trunk work on tube.c.
7572 17 July 2008: Wouter
7573 - fix bug #196, compile outside source tree.
7574 - fix bug #195, add --with-username=user configure option.
7575 - print error and exit if started with config that requires more
7576 fds than the builtin minievent can handle.
7578 16 July 2008: Wouter
7579 - made svn tag 1.0.1, trunk now 1.0.2
7580 - sha256 checksums enabled in makedist.sh
7582 15 July 2008: Wouter
7583 - Follow draft-ietf-dnsop-default-local-zones-06 added reverse
7584 IPv6 example prefix to AS112 default blocklist.
7585 - fixup lookup of DS records by client with trustanchor for same.
7586 - libunbound ub_resolve, fix handling of error condition during setup.
7587 - lowered log_hex blocksize to fit through BSD syslog linesize.
7588 - no useless initialisation if getpwnam not available.
7589 - iana, ldns snapshot updated.
7592 - Matthijs fixed memory leaks in root hints file reading.
7594 26 June 2008: Wouter
7595 - fixup streamtcp bounds setting for udp mode, in the test framework.
7596 - contrib item for updating trust anchors.
7598 25 June 2008: Wouter
7599 - fixup fwd_ancil test typos.
7600 - Fix for newegg lameness : ok for qtype=A, but lame for others.
7601 - fixup unit test for infra cache, test lame merging.
7602 - porting to mingw, bind, listen, getsockopt and setsockopt error
7605 24 June 2008: Wouter
7606 - removed testcode/checklocks from production code compilation path.
7607 - streamtcp can use UDP mode (connected UDP socket), for testing IPv6
7609 - fwd_ancil test fails if platform support is lacking.
7611 23 June 2008: Wouter
7612 - fixup minitpkg to cleanup on windows with its file locking troubles.
7613 - minitpkg shows skipped tests in report.
7614 - skip ipv6 tests on ipv4 only hosts (requires only ipv6 localhost not
7616 - winsock event handler keeps track of sticky TCP events, that have
7617 not been fully handled yet. when interest in the event(s) resumes,
7618 they are sent again. When WOULDBLOCK is returned events are cleared.
7619 - skip tests that need signals when testing on mingw.
7621 18 June 2008: Wouter
7622 - open testbound replay files in binary mode, because fseek/ftell
7623 do not work in ascii-mode on windows. The b does nothing on unix.
7624 unittest and testbound tests work on windows (xp too).
7625 - ioctlsocket prints nicer error message.
7626 - fixed up some TCP porting for winsock.
7627 - lack of IPv6 gives a warning, no fatal error.
7628 - use WSAGetLastError() on windows instead of errno for some errors.
7630 17 June 2008: Wouter
7631 - outgoing num fds 32 by default on windows ; it supports less
7632 fds for waiting on than unixes.
7633 - winsock_event minievent handler for windows. (you could also
7634 attempt to link with libevent/libev ports for windows).
7635 - neater crypto check and gdi32 detection.
7636 - unbound.exe works to resolve and validate www.nlnetlabs.nl on vista.
7638 16 June 2008: Wouter
7639 - on windows, use windows threads, mutex and thread-local-storage(Tls).
7640 - detect if openssl needs gdi32.
7641 - if no threading, THREADS_DISABLED is defined for use in the code.
7642 - sets USE_WINSOCK if using ws2_32 on windows.
7643 - wsa_strerror() function for more readable errors.
7644 - WSA Startup and Cleanup called in unbound.exe.
7646 13 June 2008: Wouter
7647 - port mingw32, more signal ifdefs, detect sleep, usleep,
7648 random, srandom (used inside the tests).
7649 - signed or unsigned FD_SET is cast.
7651 10 June 2008: Wouter
7652 - fixup warnings compiling on eeepc xandros linux.
7655 - in iteration response type code
7656 * first check for SOA record (negative answer) before NS record
7658 * check if no AA bit for non-forwarder, and thus lame zone.
7659 In response to error report by Richard Doty for mail.opusnet.com.
7660 - fixup unput warning from lexer on freeBSD.
7661 - bug#183. pidfile, rundir, and chroot configure options. Also the
7662 example.conf and manual pages get the configured defaults.
7663 You can use: (or accept the defaults to /usr/local/etc/unbound/)
7664 --with-conf-file=filename
7665 --with-pidfile=filename
7667 --with-chroot-dir=path
7670 - if multiple CNAMEs, use the first one. Fixup akamai CNAME bug.
7671 Reported by Robert Edmonds.
7672 - iana port updated.
7675 - updated libtool files with newer version.
7676 - iana portlist updated.
7679 - fixup local-zone: "30.172.in-addr.arpa." nodefault, so that the
7680 trailing dot is not used during comparison.
7683 - Jelte fixed bugs in my absence
7684 - bug 178: fixed unportable shell usage in configure (relied on
7686 - bug 180: fixed buffer overflow in unbound-checkconf use of strncat.
7687 - bug 181: fixed buffer overflow in ldns (called by unbound to parse
7690 - bug 177: fixed compilation failure on opensuse, the
7691 --disable-static configure flag caused problems. (Patch from
7693 - bug 179: same fix as 177.
7694 - bug 185: --disable-shared not passed along to ldns included with
7695 unbound. Fixed so that configure parameters are passed to the
7696 subdir configure script.
7697 fixed that ./libtool is used always, you can still override
7698 manually with ./configure libtool=mylibtool or set $libtool in
7700 - update of the ldns tarball to current ldns svn version (fix 181).
7701 - bug 184: -r option for unbound-host, read resolv.conf for
7702 forwarder. (Note that forwarder must support DNSSEC for validation
7707 - test for sys/wait.h
7708 - WSAEWOULDBLOCK test after nonblocking TCP connect.
7709 - write_iov_buffer removed: unused and no struct iov on windows.
7710 - signed/unsigned warning fixup mini_event.
7711 - use ioctlsocket to set nonblocking I/O if fnctl is unavailable.
7712 - skip signals that are not defined
7714 - detect getpwnam, getrlimit, setsid, sbrk, chroot.
7715 - default config has no chroot if chroot() unavailable.
7716 - if no kill() then no pidfile is read or written.
7717 - gmtime_r is replaced by nonthreadsafe alternative if unavail.
7718 used in rrsig time validation errors.
7721 - contrib unbound.spec from Patrick Vande Walle.
7722 - fixup bug#175: call tzset before chroot to have correct timestamps
7724 - do not generate lex input and lex unput functions.
7725 - mingw port. replacement functions labelled _unbound.
7726 - fix bug 174 - check for tcp_sigpipe that ldns-testns is installed.
7729 - fedora 9, check in6_pktinfo define in configure.
7730 - CREDITS fixup of history.
7731 - ignore ldns-1.2.2 if installed, use builtin 1.3.0-pre alternative.
7734 - fixup for MacOSX hosts file reading (reported by John Dickinson).
7735 - created 1.0.0 svn tag.
7736 - trunk version 1.0.1.
7739 - accepted patch from Ondrej Sury for library version libtool option.
7740 - configure --disable-rpath fixes up libtool for rpath trouble.
7741 Adapted from debian package patch file.
7744 - Added root ipv6 addresses to builtin root hints.
7745 - TODO modified for post 1.0 plans.
7746 - trunk version set to 1.0.0.
7747 - no unnecessary linking with librt (only when libevent/libev used).
7750 - fixup no-ip4 problem with error callback in outside network.
7752 25 April 2008: Wouter
7753 - DESTDIR is honored by the Makefile for rpms.
7754 - contrib files unbound.spec and unbound.init, builds working RPM
7755 on FC7 Linux, a chrooted caching resolver, and libunbound.
7756 - iana ports update.
7758 24 April 2008: Wouter
7759 - chroot checks improved. working directory relative to chroot.
7760 checks if config file path is inside chroot. Documentation on it.
7761 - nicer example.conf text.
7764 23 April 2008: Wouter
7765 - parseunbound.pl contrib update from Kai Storbeck for threads.
7768 22 April 2008: Wouter
7770 - unit test for SIGPIPE ignore.
7772 21 April 2008: Wouter
7773 - FEATURES document.
7774 - fixup reread of config file if it was given as a full path
7775 and chroot was used.
7777 16 April 2008: Wouter
7778 - requirements doc, updated clean query returns.
7779 - parseunbound.pl update from Kai Storbeck.
7780 - sunos4 porting changes.
7782 15 April 2008: Wouter
7783 - fixup default rc.d pidfile location to /usr/local/etc.
7784 - iana ports updated.
7785 - copyright updated in ldns-testpkts to keep same as in ldns.
7786 - fixup checkconf chroot tests a bit more, chdir must be inside
7788 - documented 'gcc: unrecognized -KPIC option' errors on Solaris.
7789 - example.conf values changed to /usr/local/etc/unbound
7791 - DSA signatures: unbound is compatible with both encodings found.
7792 It will detect and convert when necessary.
7794 14 April 2008: Wouter
7795 - got update for parseunbound.pl statistics script from Kai Storbeck.
7796 - tpkg tests for udp wait list.
7797 - documented 0x20 status.
7798 - fixup chroot and checkconf, it is much smarter now.
7799 - fixup DSA EVP signature decoding. Solution that Jelte found copied.
7800 - and check first sig byte for the encoding type.
7802 11 April 2008: Wouter
7803 - random port selection out of the configged ports.
7804 - fixup threadsafety for libevent-1.4.3+ (event_base_get_method).
7805 - removed base_port.
7806 - created 256-port ephemeral space for the OS, 59802 available.
7807 - fixup consistency of port_if out array during heavy use.
7809 10 April 2008: Wouter
7810 - --with-libevent works with latest libevent 1.4.99-trunk.
7811 - added log file statistics perl script to contrib.
7812 - automatic iana ports update from makefile. 60058 available.
7814 9 April 2008: Wouter
7815 - configure can detect libev(from its build directory) when passed
7816 --with-libevent=/home/wouter/libev-3.2
7817 libev-3.2 is a little faster than libevent-1.4.3-stable (about 5%).
7818 - unused commpoints not listed in epoll list.
7819 - statistics-cumulative option so that the values are not reset.
7820 - config creates array of available ports, 61841 available,
7821 it excludes <1024 and iana assigned numbers.
7822 config statements to modify the available port numbers.
7824 8 April 2008: Wouter
7825 - unbound tries to set the ulimit fds when started as server.
7826 if that does not work, it will scale back its requirements.
7828 27 March 2008: Wouter
7829 - documented /dev/random symlink from chrootdir as FAQ entry.
7831 26 March 2008: Wouter
7832 - implemented AD bit signaling. If a query sets AD bit (but not DO)
7833 then the AD bit is set in the reply if the answer validated.
7834 Without including DNSSEC signatures. Useful if you have a trusted
7835 path from the client to the resolver. Follows dnssec-updates draft.
7837 25 March 2008: Wouter
7838 - implemented check that for NXDOMAIN and NOERROR answers a query
7839 section must be present in the reply (by the scrubber). And it must
7840 be equal to the question sent, at least lowercase folded.
7841 Previously this feature happened because the cache code refused
7842 to store such messages. However blocking by the scrubber makes
7843 sure nothing gets into the RRset cache. Also, this looks like a
7844 timeout (instead of an allocation failure) and this retries are
7845 done (which is useful in a spoofing situation).
7846 - RTT banding. Band size 400 msec, this makes band around zero (fast)
7847 include unknown servers. This makes unbound explore unknown servers.
7849 7 March 2008: Wouter
7850 - -C config feature for harvest program.
7851 - harvest handles CNAMEs too.
7853 5 March 2008: Wouter
7854 - patch from Hugo Koji Kobayashi for iterator logs spelling.
7856 4 March 2008: Wouter
7857 - From report by Jinmei Tatuya, rfc2181 trust value for remainder
7858 of a cname trust chain is lower; not full answer_AA.
7859 - test for this fix.
7860 - default config file location is /usr/local/etc/unbound.
7861 Thus prefix is used to determine the location. This is also the
7862 chroot and pidfile default location.
7864 3 March 2008: Wouter
7865 - Create 0.10 svn tag.
7866 - 0.11 version in trunk.
7867 - indentation nicer.
7869 29 February 2008: Wouter
7870 - documentation update.
7871 - fixup port to Solaris of perf test tool.
7872 - updated ldns-tarball with decl-after-statement fixes.
7874 28 February 2008: Wouter
7875 - fixed memory leaks in libunbound (during cancellation and wait).
7876 - libunbound returns the answer packet in full.
7877 - snprintf compat update.
7878 - harvest performs lookup.
7879 - ldns-tarball update with fix for ldns_dname_label.
7880 - installs to sbin by default.
7881 - install all manual pages (unbound-host and libunbound too).
7883 27 February 2008: Wouter
7884 - option to use caps for id randomness.
7885 - config file option use-caps-for-id: yes
7886 - harvest debug tool
7888 26 February 2008: Wouter
7889 - delay utility delays TCP as well. If the server that is forwarded
7890 to has a TCP error, the delay utility closes the connection.
7891 - delay does REUSE_ADDR, and can handle a server that closes its end.
7892 - answers use casing from query.
7894 25 February 2008: Wouter
7895 - delay utility works. Gets decent thoughput too (>20000).
7897 22 February 2008: Wouter
7898 - +2% for recursions, if identical queries (except for destination
7899 and query ID) in the reply list, avoid re-encoding the answer.
7900 - removed TODO items for optimizations that do not show up in
7902 - default is now minievent - not libevent. As its faster and
7903 not needed for regular installs, only for very large port ranges.
7904 - loop check different speedup pkt-dname-reading, 1% faster for
7905 nocache-recursion check.
7906 - less hashing during msg parse, 4% for recursion.
7907 - small speed fix for dname_count_size_labels, +1 or +2% recursion.
7908 - some speed results noted:
7909 optimization resulted in +40% for recursion (cache miss) and
7910 +70 to +80 for cache hits, and +96% for version.bind.
7911 zone nsec3 example, 100 NXDOMAIN queries, NSD 35182.8 Ub 36048.4
7912 www.nlnetlabs.nl from cache: BIND 8987.99 Ub 31218.3
7913 www with DO bit set : BIND 8269.31 Ub 28735.6 qps.
7914 So, unbound can be about equal qps to NSD in cache hits.
7915 And about 3.4x faster than BIND in cache performance.
7916 - delay utility for testing.
7918 21 February 2008: Wouter
7919 - speedup of root-delegation message encoding by 15%.
7920 - minor speedup of compress tree_lookup, maybe 1%.
7921 - speedup of dname_lab_cmp and memlowercmp - the top functions in
7922 profiler output, maybe a couple percent when it matters.
7924 20 February 2008: Wouter
7925 - setup speec_cache for need-ldns-testns in dotests.
7926 - check number of queued replies on incoming queries to avoid overload
7928 - fptr whitelist checks are not disabled in optimize mode.
7929 - do-daemonize config file option.
7930 - minievent time share initializes time at start.
7931 - updated testdata for nsec3 new algorithm numbers (6, 7).
7932 - small performance test of packet encoding (root delegation).
7934 19 February 2008: Wouter
7935 - applied patch to unbound-host man page from Jan-Piet Mens.
7936 - fix donotquery-localhost: yes default (it erroneously was switched
7938 - time is only gotten once and the value is shared across unbound.
7939 - unittest cleans up crypto, so that it has no memory leaks.
7940 - mini_event shares the time value with unbound this results in
7941 +3% speed for cache responses and +9% for recursions.
7942 - ldns tarball update with new NSEC3 sign code numbers.
7943 - perform several reads per UDP operation. This improves performance
7944 in DoS conditions, and costs very little in normal conditions.
7945 improves cache response +50%, and recursions +10%.
7946 - modified asynclook test. because the callback from async is not
7947 in any sort of lock (and thus can use all library functions freely),
7948 this causes a tiny race condition window when the last lock is
7949 released for a callback and a new cancel() for that callback.
7950 The only way to remove this is by putting callbacks into some
7951 lock window. I'd rather have the small possibility of a callback
7952 for a cancelled function then no use of library functions in
7953 callbacks. Could be possible to only outlaw process(), wait(),
7954 cancel() from callbacks, by adding another lock, but I'd rather not.
7956 18 February 2008: Wouter
7957 - patch to unbound-host from Jan-Piet Mens.
7958 - unbound host prints errors if fails to configure context.
7959 - fixup perf to resend faster, so that long waiting requests do
7960 not hold up the queue, they become lost packets or SERVFAILs,
7961 or can be sent a little while later (i.e. processing time may
7962 take long, but throughput has to be high).
7963 - fixup iterator operating in no cache conditions (RD flag unset
7965 - streamlined code for RD flag setting.
7966 - profiled code and changed dname compares to be faster.
7967 The speedup is about +3% to +8% (depending on the test).
7968 - minievent tests for eintr and eagain.
7970 15 February 2008: Wouter
7971 - added FreeBSD rc.d script to contrib.
7972 - --prefix option for configure also changes directory: pidfile:
7973 and chroot: defaults in config file.
7974 - added cache speed test, for cache size OK and cache too small.
7976 14 February 2008: Wouter
7977 - start without a config file (will complain, but start with
7979 - perf test program works.
7981 13 February 2008: Wouter
7983 - 1.0 development. Printout ldns version on unbound -h.
7984 - start of perf tool.
7985 - bugfix to read empty lines from /etc/hosts.
7987 12 February 2008: Wouter
7988 - fixup problem with configure calling itself if ldns-src tarball
7991 11 February 2008: Wouter
7992 - changed library to use ub_ instead of ub_val_ as prefix.
7993 - statistics output text nice.
7994 - etc/hosts handling.
7995 - library function to put logging to a stream.
7996 - set any option interface.
7998 8 February 2008: Wouter
7999 - test program for multiple queries over a TCP channel.
8000 - tpkg test for stream tcp queries.
8001 - unbound replies to multiple TCP queries on a TCP channel.
8002 - fixup misclassification of root referral with NS in answer
8003 when validating a nonrec query.
8005 - layout of manpages, spelling fix in header, manpages process by
8006 makedist, list asynclook and tcpstream tests as ldns-testns
8009 7 February 2008: Wouter
8010 - moved up all current level 2 to be level 3. And 3 to 4.
8011 to make room for new debug level 2 for detailed information
8013 - verbosity level 2. Describes recursion and validation.
8014 - cleaner configure script and fixes for libevent solaris.
8015 - signedness for log output memory sizes in high verbosity.
8017 6 February 2008: Wouter
8018 - clearer explanation of threading configure options.
8019 - fixup asynclook test for nothreading (it creates only one process
8020 to do the extended test).
8021 - changed name of ub_val_result_free to ub_val_resolve_free.
8022 - removes warning message during library linking, renamed
8023 libunbound/unbound.c -> libunbound.c and worker to libworker.
8024 - fallback without EDNS if result is NOTIMPL as well as on FORMERR.
8026 5 February 2008: Wouter
8027 - statistics-interval: seconds option added.
8028 - test for statistics option
8029 - ignore errors making directories, these can occur in parallel builds
8030 - fixup Makefile strip command and libunbound docs typo.
8032 31 January 2008: Wouter
8033 - bg thread/process reads and writes the pipe nonblocking all the time
8034 so that even if the pipe is buffered or so, the bg thread does not
8035 block, and services both pipes and queries.
8037 30 January 2008: Wouter
8038 - check trailing / on chrootdir in checkconf.
8039 - check if root hints and anchor files are in chrootdir.
8040 - no route to host tcp error is verbosity level 2.
8041 - removed unused send_reply_iov. and its configure check.
8042 - added prints of 'remote address is 1.2.3.4 port 53' to errors
8043 from netevent; the basic socket errors.
8045 28 January 2008: Wouter
8046 - fixup uninit use of buffer by libunbound (query id, flags) for
8048 - fixup uninit warning from random.c; also seems to fix sporadic
8049 sigFPE coming out of openssl.
8050 - made openssl entropy warning more silent for library use. Needs
8052 - fixup forgotten locks for rbtree_searches on ctx->query tree.
8053 - random generator cleanup - RND_STATE_SIZE removed, and instead
8054 a super-rnd can be passed at init to chain init random states.
8055 - test also does lock checks if available.
8056 - protect config access in libworker_setup().
8057 - libevent doesn't like comm_base_exit outside of runloop.
8058 - close fds after removing commpoints only (for epoll, kqueue).
8060 25 January 2008: Wouter
8061 - added tpkg for asynclook and library use.
8062 - allows localhost to be queried when as a library.
8063 - fixup race condition between cancel and answer (in case of
8064 really fast answers that beat the cancel).
8065 - please doxygen, put doxygen comment in one place.
8066 - asynclook -b blocking mode and test.
8067 - refactor asynclook, nicer code.
8068 - fixup race problems from opensll in rand init from library, with
8069 a mutex around the rand init.
8070 - fix pass async_id=NULL to _async resolve().
8071 - rewrote _wait() routine, so that it is threadsafe.
8072 - cancelation is threadsafe.
8073 - asynclook extended test in tpkg.
8074 - fixed two races where forked bg process waits for (somehow shared?)
8075 locks, so does not service the query pipe on the bg side.
8076 Now those locks are only held for fg_threads and for bg_as_a_thread.
8078 24 January 2008: Wouter
8079 - tested the cancel() function.
8080 - asynclook -c (cancel) feature.
8081 - fix fail to allocate context actions.
8082 - make pipe nonblocking at start.
8083 - update plane for retry mode with caution to limit bandwidth.
8084 - fix Makefile for concurrent make of unbound-host.
8085 - renamed ub_val_ctx_wait/poll/process/fd to ub_val*.
8086 - new calls to set forwarding added to header and docs.
8088 23 January 2008: Wouter
8089 - removed debug prints from if-auto, verb-algo enables some.
8090 - libunbound QUIT setup, remove memory leaks, when using threads
8091 will share memory for passing results instead of writing it over
8092 the pipe, only writes ID number over the pipe (towards the handler
8093 thread that does process() ).
8095 22 January 2008: Wouter
8096 - library code for async in libunbound/unbound.c.
8097 - fix link testbound.
8098 - fixup exit bug in mini_event.
8099 - background worker query enter and result functions.
8100 - bg query test application asynclook, it looks up multiple
8101 hostaddresses (A records) at the same time.
8103 21 January 2008: Wouter
8104 - libworker work, netevent raw commpoints, write_msg, serialize.
8106 18 January 2008: Wouter
8107 - touch up of manpage for libunbound.
8108 - support for IP_RECVDSTADDR (for *BSD ip4).
8109 - fix for BSD, do not use ip4to6 mapping, make two sockets, once
8110 ip6 and once ip4, uses socket options.
8111 - goodbye ip4to6 mapping.
8112 - update ldns-testpkts with latest version from ldns-trunk.
8113 - updated makedist for relative ldns pathnames.
8114 - library API with more information inside the result structure.
8115 - work on background resolves.
8117 17 January 2008: Wouter
8118 - fixup configure in case -lldns is installed.
8119 - fixup a couple of doxygen warnings, about enum variables.
8120 - interface-automatic now copies the interface address from the
8121 PKT_INFO structure as well.
8122 - manual page with library API, all on one page 'man libunbound'.
8123 - rewrite of PKTINFO structure, it also captures IP4 PKTINFO.
8125 16 January 2008: Wouter
8126 - incoming queries to the server with TC bit on are replied FORMERR.
8127 - interface-automatic replied the wrong source address on localhost
8128 queries. Seems to be due to ifnum=0 in recvmsg PKTINFO. Trying
8129 to use ifnum=-1 to mean 'no interface, use kernel route'.
8131 15 January 2008: Wouter
8132 - interface-automatic feature. experimental. Nice for anycast.
8133 - tpkg test for ip6 ancillary data.
8134 - removed debug prints.
8135 - porting experience, define for Solaris, test refined for BSD
8136 compatibility. The feature probably will not work on OpenBSD.
8137 - makedist fixup for ldns-src in build-dir.
8139 14 January 2008: Wouter
8140 - in no debug sets NDEBUG to remove asserts.
8141 - configure --enable-debug is needed for dependency generation
8142 for assertions and for compiler warnings.
8143 - ldns.tgz updated with ldns-trunk (where buffer.h is updated).
8144 - fix lint, unit test in optimize mode.
8145 - default access control allows ::ffff:127.0.0.1 v6mapped localhost.
8147 11 January 2008: Wouter
8148 - man page, warning removed.
8149 - added text describing the use of stub zones for private zones.
8150 - checkconf tests for bad hostnames (IP address), and for doubled
8152 - memory sizes can be given with 'k', 'Kb', or M or G appended.
8154 10 January 2008: Wouter
8155 - typo in example.conf.
8156 - made using ldns-src that is included the package more portable
8157 by linking with .lo instead of .o files in the ldns package.
8158 - nicer do-ip6: yes/no documentation.
8159 - nicer linking of libevent .o files.
8160 - man pages render correctly on solaris.
8162 9 January 2008: Wouter
8163 - fixup openssl RAND problem, when the system is not configured to
8164 give entropy, and the rng needs to be seeded.
8166 8 January 2008: Wouter
8167 - print median and quartiles with extensive logging.
8169 4 January 2008: Wouter
8170 - document misconfiguration in private network.
8172 2 January 2008: Wouter
8173 - fixup typo in requirements.
8174 - document that 'refused' is a better choice than 'drop' for
8175 the access control list, as refused will stop retries.
8177 7 December 2007: Wouter
8178 - unbound-host has a -d option to show what happens. This can help
8179 with debugging (why do I get this answer).
8180 - fixup CNAME handling, on nodata, sets and display canonname.
8181 - dot removed from CNAME display.
8182 - respect -v for NXDOMAINs.
8183 - updated ldns-src.tar.gz with ldns-trunk today (1.2.2 fixes).
8184 - size_t to int for portability of the header file.
8185 - fixup bogus handling.
8186 - dependencies and lint for unbound-host.
8188 6 December 2007: Wouter
8189 - library resolution works in foreground mode, unbound-host app
8191 - unbound-host prints rdata using ldns.
8192 - unbound-host accepts trust anchors, and prints validation
8193 information when you give -v.
8195 5 December 2007: Wouter
8196 - locking in context_new() inside the function.
8197 - setup of libworker.
8199 4 December 2007: Wouter
8200 - minor Makefile fixup.
8201 - moved module-stack code out of daemon/daemon into services/modstack,
8202 preparing for code-reuse.
8203 - move context into own header file.
8204 - context query structure.
8205 - removed unused variable pwd from checkconf.
8206 - removed unused assignment from outside netw.
8207 - check timeval length of string.
8208 - fixup error in val_utils getsigner.
8209 - fixup same (*var) error in netblocktostr.
8210 - fixup memleak on parse error in localzone.
8211 - fixup memleak on packet parse error.
8212 - put ; after union in parser.y.
8213 - small hardening in iter_operate against iq==NULL.
8214 - hardening, if error reply with rcode=0 (noerror) send servfail.
8215 - fixup same (*var) error in find_rrset in msgparse, was harmless.
8216 - check return value of evtimer_add().
8217 - fixup lockorder in lruhash_reclaim(), building up a list of locked
8218 entries one at a time. Instead they are removed and unlocked.
8219 - fptr_wlist for markdelfunc.
8220 - removed is_locked param from lruhash delkeyfunc.
8221 - moved bin_unlock during bin_split purely to please.
8223 3 December 2007: Wouter
8224 - changed checkconf/ to smallapp/ to make room for more support tools.
8225 (such as unbound-host).
8226 - install dirs created with -m 755 because they need to be accessible.
8227 - library extensive featurelist added to TODO.
8228 - please doxygen, lint.
8229 - library test application, with basic functionality.
8230 - fix for building in a subdirectory.
8231 - link lib fix for Leopard.
8233 30 November 2007: Wouter
8234 - makefile that creates libunbound.la, basic file or libunbound.a
8235 when creating static executables (no libtool).
8238 29 November 2007: Wouter
8239 - 0.9 public API start.
8241 28 November 2007: Wouter
8242 - Changeup plan for 0.8 - no complication needed, a simple solution
8243 has been chosen for authoritative features.
8244 - you can use single quotes in the config file, so it is possible
8245 to specify TXT records in local data.
8246 - fixup small memory problem in implicit transparent zone creation.
8247 - test for implicit zone creation and multiple RR RRsets local data.
8248 - local-zone nodefault test.
8249 - show testbound testlist on commit.
8250 - iterator normalizer changes CNAME chains ending in NXDOMAIN where
8251 the packet got rcode NXDOMAIN into rcode NOERROR. (since the initial
8253 - nicer verbosity: 0 and 1 levels.
8254 - lower nonRDquery chance of eliciting wrongly typed validation
8255 requiring message from the cache.
8256 - fix for nonRDquery validation typing; nodata is detected when
8257 SOA record in auth section (all validation-requiring nodata messages
8258 have a SOA record in authority, so this is OK for the validator),
8259 and NS record is needed to be a referral.
8260 - duplicate checking when adding NSECs for a CNAME, and test.
8261 - created svn tag 0.8, after completing testbed tests.
8263 27 November 2007: Wouter
8264 - per suggestion in rfc2308, replaced default max-ttl value with 1 day.
8265 - set size of msgparse lookup table to 32, from 1024, so that its size
8266 is below the 2048 regional large size threshold, and does not cause
8267 a call to malloc when a message is parsed.
8268 - update of memstats tool to print number of allocation calls.
8269 This is what is taking time (not space) and indicates the avg size
8270 of the allocations as well. region_alloc stat is removed.
8272 22 November 2007: Wouter
8273 - noted EDNS in-the-middle dropping trouble as a TODO.
8274 At this point theoretical, no user trouble has been reported.
8275 - added all default AS112 zones.
8276 - answers from local zone content.
8277 * positive answer, the rrset in question
8278 * nodata answer (exist, but not that type).
8279 * nxdomain answer (domain does not exist).
8280 * empty-nonterminal answer.
8281 * But not: wildcard, nsec, referral, rrsig, cname/dname,
8282 or additional section processing, NS put in auth.
8283 - test for correct working of static and transparent and couple
8284 of important defaults (localhost, as112, reverses).
8285 Also checks deny and refuse settings.
8286 - fixup implicit zone generation and AA bit for NXDOMAIN on localdata.
8288 21 November 2007: Wouter
8289 - local zone internal data setup.
8291 20 November 2007: Wouter
8292 - 0.8 - str2list config support for double string config options.
8293 - local-zone and local-data options, config storage and documentation.
8295 19 November 2007: Wouter
8296 - do not downcase NSEC and RRSIG for verification. Follows
8297 draft-ietf-dnsext-dnssec-bis-updates-06.txt.
8298 - fixup leaking unbound daemons at end of tests.
8299 - README file updated.
8300 - nice libevent not found error.
8301 - README talks about gnu make.
8302 - 0.8: unit test for addr_mask and fixups for it.
8303 and unit test for addr_in_common().
8304 - 0.8: access-control config file element.
8305 and unit test rpl replay file.
8306 - 0.8: fixup address reporting from netevent.
8308 16 November 2007: Wouter
8309 - privilege separation is not needed in unbound at this time.
8310 TODO item marked as such.
8311 - created beta-0.7 branch for support.
8312 - tagged 0.7 for beta release.
8313 - moved trunk to 0.8 for 0.8(auth features) development.
8314 - 0.8: access control list setup.
8316 15 November 2007: Wouter
8317 - review fixups from Jelte.
8319 14 November 2007: Wouter
8320 - testbed script does not recreate configure, since its in svn now.
8321 - fixup checkconf test so that it does not test
8322 /etc/unbound/unbound.conf.
8325 13 November 2007: Wouter
8326 - remove debug print.
8327 - fixup testbound exit when LIBEVENT_SIGNAL_PROBLEM exists.
8329 12 November 2007: Wouter
8330 - fixup signal handling where SIGTERM could be ignored if a SIGHUP
8332 - bugreports to unbound-bugs@nlnetlabs.nl
8333 - fixup testbound so it exits cleanly.
8334 - cleanup the caches on a reload, so that rrsetID numbers won't clash.
8336 9 November 2007: Wouter
8337 - took ldns snapshot in repo.
8338 - default config file is /etc/unbound/unbound.conf.
8339 If it doesn't exist, it is installed with the doc/example.conf file.
8340 The file is not deleted on uninstall.
8341 - default listening is not all, but localhost interfaces.
8343 8 November 2007: Wouter
8344 - Fixup chroot and drop user privileges.
8345 - new L root ip address in default hints.
8347 1 November 2007: Wouter
8348 - Fixup of crash on reload, due to anchors in env not NULLed after
8349 dealloc during deinit.
8350 - Fixup of chroot call. Happens after privileges are dropped, so
8351 that checking the passwd entry still works.
8352 - minor touch up of clear() hashtable function.
8353 - VERB_DETAIL prints out what chdir, username, chroot is being done.
8354 - when id numbers run out, caches are cleared, as in design notes.
8355 Tested with a mock setup with very few bits in id, it worked.
8356 - harden-dnssec-stripped: yes is now default. It insists on dnssec
8357 data for trust anchors. Included tests for the feature.
8359 31 October 2007: Wouter
8360 - cache-max-ttl config option.
8361 - building outside sourcedir works again.
8362 - defaults more secure:
8364 chroot: "/etc/unbound"
8365 The operator can override them to be less secure ("") if necessary.
8366 - fix horrible oversight in sorting rrset references in a message,
8367 sort per reference key pointer, not on referencepointer itself.
8368 - pidfile: "/etc/unbound/unbound.pid" is now the default.
8369 - tests changed to reflect the updated default.
8370 - created hashtable clear() function that respects locks.
8372 30 October 2007: Wouter
8373 - fixup assertion failure that relied on compressed names to be
8374 smaller than uncompressed names. A packet from comrite.com was seen
8375 to be compressed to a larger size. Added it as unit test.
8376 - quieter logging at low verbosity level for common tcp messages.
8377 - no greedy TTL update.
8379 23 October 2007: Wouter
8380 - fixup (grand-)parent problem for dnssec-lameness detection.
8381 - fixup tests to do additional section processing for lame replies,
8382 since the detection needs that.
8383 - no longer trust in query section in reply during dnssec lame detect.
8384 - dnssec lameness does not make the server never ever queried, but
8385 non-preferred. If no other servers exist or answer, the dnssec lame
8386 server is used; the fastest dnssec lame server is chosen.
8387 - added test then when trust anchor cannot be primed (nodata), the
8388 insecure mode from unbound works.
8389 - Fixup max queries per thread, any more are dropped.
8391 22 October 2007: Wouter
8392 - added donotquerylocalhost config option. Can be turned off for
8394 - ISO C compat changes.
8395 - detect RA-no-AA lameness, as LAME.
8396 - DNSSEC-lameness detection, as LAME.
8397 See notes in requirements.txt for choices made.
8398 - tests for lameness detection.
8399 - added all to make test target; need unbound for fwd tests.
8400 - testbound does not pollute /etc/unbound.
8402 19 October 2007: Wouter
8403 - added configure (and its files) to svn, so that the trunk is easier
8404 to use. ./configure, config.guess, config.sub, ltmain.sh,
8406 - added yacc/lex generated files, util/configlexer.c,
8407 util/configparser.c util/configparser.h, to svn.
8408 - without lex no attempt to use it.
8409 - unsecure response validation collated into one block.
8410 - remove warning about const cast of cfgfile name.
8411 - outgoing-interfaces can be different from service interfaces.
8412 - ldns-src configure is done during unbound configure and
8413 ldns-src make is done during unbound make, and so inherits the
8414 make arguments from the unbound make invocation.
8415 - nicer error when libevent problem causes instant exit on signal.
8416 - read root hints from a root hint file (like BIND does).
8418 18 October 2007: Wouter
8419 - addresses are logged with errors.
8420 - fixup testcode fake event to remove pending before callback
8421 since the callback may create new pending items.
8422 - tests updated because retries are now in iterator module.
8423 - ldns-testpkts code is checked for differences between unbound
8424 and ldns by makedist.sh.
8425 - ldns trunk from today added in svn repo for fallback in case
8426 no ldns is installed on the system.
8427 make download_ldns refreshes the tarball with ldns svn trunk.
8428 - ldns-src.tar.gz is used if no ldns is found on the system, and
8429 statically linked into unbound.
8430 - start of regional allocator code.
8431 - regional uses less memory and variables, simplified code.
8432 - remove of region-allocator.
8433 - alloc cache keeps a cache of recently released regional blocks,
8435 - make unit test cleanly free memory.
8437 17 October 2007: Wouter
8438 - fixup another cycle detect and ns-addr timeout resolution bug.
8439 This time by refusing delegations from the cache without addresses
8440 when resolving a mandatory-glue nameserver-address for that zone.
8441 We're going to have to ask a TLD server anyway; might as well be
8442 the TLD server for this name. And this resolves a lot of cases where
8443 the other nameserver names lead to cycles or are not available.
8444 - changed random generator from random(3) clone to arc4random wrapped
8445 for thread safety. The random generator is initialised with
8446 entropy from the system.
8447 - fix crash where failure to prime DNSKEY tried to print null pointer
8449 - removed some debug prints, only verb_algo (4) enables them.
8450 - fixup test; new random generator took new paths; such as one
8451 where no scripted answer was available.
8452 - mark insecure RRs as insecure.
8453 - fixup removal of nonsecure items from the additional.
8454 - reduced timeout values to more realistic, 376 msec (262 msec has
8455 90% of roundtrip times, 512 msec has 99% of roundtrip times.)
8456 - server selection failover to next server after timeout (376 msec).
8458 16 October 2007: Wouter
8459 - no malloc in log_hex.
8460 - assertions around system calls.
8461 - protect against gethostname without ending zero.
8462 - ntop output is null terminated by unbound.
8463 - pidfile content null termination
8464 - various snprintf use sizeof(stringbuf) instead of fixed constant.
8465 - changed loopdetect % 8 with & 0x7 since % can become negative for
8466 weird negative input and particular interpretation of integer math.
8467 - dname_pkt_copy checks length of result, to protect result buffers.
8468 prints an error, this should not happen. Bad strings should have
8469 been rejected earlier in the program.
8470 - remove a size_t underflow from msgreply size func.
8472 15 October 2007: Wouter
8474 - fix IP6 TCP, wrong definition check. With test package.
8475 - fixup the fact that the query section was not compressed to,
8476 the code was there but was called by value instead of by reference.
8477 And test for the case, uses xxd and nc.
8478 - more portable ip6 check for sockaddr types.
8480 8 October 2007: Wouter
8481 - --disable-rpath option in configure for 64bit systems with
8482 several dynamic lib dirs.
8484 7 October 2007: Wouter
8485 - fixup tests for no AD bit in non-DO queries.
8486 - test that makes sure AD bit is not set on non-DO query.
8488 6 October 2007: Wouter
8489 - removed logfile open early. It did not have the proper permissions;
8490 it was opened as root instead of the user. And we cannot change user
8491 id yet, since chroot and bind ports need to be done.
8492 - callback checks for event callbacks done from mini_event. Because
8493 of deletions cannot do this from netevent. This means when using
8494 libevent the protection does not work on event-callbacks.
8495 - fixup too small reply (did not zero counts).
8496 - fixup reply no longer AD bit when query without DO bit.
8498 5 October 2007: Wouter
8499 - function pointer whitelist.
8501 4 October 2007: Wouter
8502 - overwrite sensitive random seed value after use.
8503 - switch to logfile very soon if not -d (console attached).
8504 - error messages do not reveal the trustanchor contents.
8505 - start work on function pointer whitelists.
8507 3 October 2007: Wouter
8508 - fix for multiple empty nonterminals, after multiple DSes in the
8510 - mesh checks if modules are looping, and stops them.
8511 - refetch with CNAMEd nameserver address regression test added.
8512 - fixup line count bug in testcode, so testbound prints correct line
8513 number with parse errors.
8514 - unit test for multiple ENT case.
8515 - fix for cname out of validated unsec zone.
8516 - fixup nasty id=0 reuse. Also added assertions to detect its
8517 return (the assertion catches in the existing test cases).
8519 1 October 2007: Wouter
8520 - skip F77, CXX, objC tests in configure step.
8521 - fixup crash in refetch glue after a CNAME.
8522 and protection against similar failures (with error print).
8524 28 September 2007: Wouter
8525 - test case for unbound-checkconf, fixed so it also checks the
8526 interface: statements.
8528 26 September 2007: Wouter
8529 - SIGHUP will reopen the log file.
8530 - Option to log to syslog.
8531 - please lint, fixup tests (that went to syslog on open, oops).
8532 - config check program.
8534 25 September 2007: Wouter
8535 - tests for NSEC3. Fixup bitmap checks for NSEC3.
8536 - positive ANY response needs to check if wildcard expansion, and
8537 check that original data did not exist.
8538 - tests for NSEC3 that wrong use of OPTOUT is bad. For insecure
8539 delegation, for abuse of child zone apex nsec3.
8540 - create 0.5 release tag.
8542 24 September 2007: Wouter
8543 - do not make test programs by default.
8544 - But 'make test' will perform all of the tests.
8545 - Advertise builtin select libevent alternative when no libevent
8547 - signit can generate NSEC3 hashes, for generating tests.
8548 - multiple nsec3 parameters in message test.
8549 - too high nsec3 iterations becomes insecure test.
8551 21 September 2007: Wouter
8552 - fixup empty_DS_name allocated in wrong region (port DEC Alpha).
8553 - fixup testcode lock safety (port FreeBSD).
8554 - removes subscript has type char warnings (port Solaris 9).
8555 - fixup of field with format type to int (port MacOS/X intel).
8556 - added test for infinite loop case in nonRD answer validation.
8557 It was a more general problem, but hard to reproduce. When an
8558 unsigned rrset is being validated and the key fetched, the DS
8559 sequence is followed, but if the final name has no DS, then no
8560 proof is possible - the signature has been stripped off.
8562 20 September 2007: Wouter
8563 - fixup and test for NSEC wildcard with empty nonterminals.
8564 - makedist.sh fixup for svn info.
8565 - acl features request in plan.
8566 - improved DS empty nonterminal handling.
8567 - compat with ANS nxdomain for empty nonterminals. Attempts the nodata
8568 proof anyway, which succeeds in ANS failure case.
8569 - striplab protection in case it becomes -1.
8570 - plans for static and blacklist config.
8572 19 September 2007: Wouter
8573 - comments about non-packed usage.
8574 - plan for overload support in 0.6.
8575 - added testbound tests for a failed resolution from the logs
8576 and for failed prime when missing glue.
8577 - fixup so useless delegation points are not returned from the
8578 cache. Also the safety belt is used if priming fails to complete.
8579 - fixup NSEC rdata not to be lowercased, bind compat.
8581 18 September 2007: Wouter
8582 - wildcard nsec3 testcases, and fixup to get correct wildcard name.
8583 - validator prints subtype classification for debug.
8585 17 September 2007: Wouter
8586 - NSEC3 hash cache unit test.
8587 - validator nsec3 nameerror test.
8589 14 September 2007: Wouter
8590 - nsec3 nodata proof, nods proof, wildcard proof.
8591 - nsec3 support for cname chain ending in noerror or nodata.
8592 - validator calls nsec3 proof routines if no NSECs prove anything.
8593 - fixup iterator bug where it stored the answer to a cname under
8594 the wrong qname into the cache. When prepending the cnames, the
8595 qname has to be reset to the original qname.
8597 13 September 2007: Wouter
8598 - nsec3 find matching and covering, ce proof, prove namerror msg.
8600 12 September 2007: Wouter
8601 - fixup of manual page warnings, like for NSD bugreport.
8602 - nsec3 work, config, max iterations, filter, and hash cache.
8604 6 September 2007: Wouter
8605 - fixup to find libevent on mac port install.
8606 - fixup size_t vs unsigned portability in validator/sigcrypt.
8607 - please compiler on different platforms, for unreachable code.
8609 - pthread_rwlock type is optional, in case of old pthread libs.
8611 5 September 2007: Wouter
8612 - cname, name error validator tests.
8613 - logging of qtype ANY works.
8614 - ANY type answers get RRSIG in answer section of replies (but not
8615 in other sections, unless DO bit is on).
8616 - testbound can replay a TCP query (set MATCH TCP in the QUERY).
8617 - DS and noDS referral validation test.
8618 - if you configure many trust anchors, parent trust anchors can
8619 securely deny existence of child trust anchors, if validated.
8620 - not all *.name NSECs are present because a wildcard was matched,
8621 and *.name NSECs can prove nodata for empty nonterminals.
8622 Also, for wildcard name NSECs, check they are not from the parent
8623 zone (for wildcarded zone cuts), and check absence of CNAME bit,
8625 - configure option for memory allocation debugging.
8626 - port configure option for memory allocation to solaris10.
8628 4 September 2007: Wouter
8629 - fixup of Leakage warning when serviced queries processed multiple
8630 callbacks for the same query from the same server.
8631 - testbound removes config file from /tmp on failed exit.
8632 - fixup for referral cleanup of the additional section.
8633 - tests for cname, referral validation.
8634 - neater testbound tpkg output.
8635 - DNAMEs no longer match their apex when synthesized from the cache.
8636 - find correct signer name for DNAME responses.
8637 - wildcarded DNAME test and fixup code to detect.
8638 - prepend NSEC and NSEC3 rrsets in the iterator while chasing CNAMEs.
8639 So that wildcarded CNAMEs get their NSEC with them to the answer.
8640 - test for a CNAME to a DNAME to a CNAME to an answer, all from
8641 different domains, for key fetching and signature checking of
8644 3 September 2007: Wouter
8645 - Fixed error in iterator that would cause assertion failure in
8646 validator. CNAME to a NXDOMAIN response was collated into a response
8647 with both a CNAME and the NXDOMAIN rcode. Added a test that the
8648 rcode is changed to NOERROR (because of the CNAME).
8649 - timeout on tcp does not lead to spurious leakage detect.
8650 - account memory for name of lame zones, so that memory leakages does
8651 not show lame cache growth as a leakage growth.
8652 - config setting for lameness cache expressed in bytes, instead of
8654 - tool too summarize allocations per code line.
8656 31 August 2007: Wouter
8657 - can read bind trusted-keys { ... }; files, in a compatibility mode.
8658 - iterator should not detach target queries that it still could need.
8659 the protection against multiple outstanding queries is moved to a
8660 current_query num check.
8661 - validator nodata, positive, referral tests.
8662 - dname print can print '*' wildcard.
8664 30 August 2007: Wouter
8665 - fixup override date config option.
8666 - config options to control memory usage.
8667 - caught bad free of un-alloced data in worker_send error case.
8668 - memory accounting for key cache (trust anchors and temporary cache).
8669 - memory accounting fixup for outside network tcp pending waits.
8670 - memory accounting fixup for outside network tcp callbacks.
8671 - memory accounting for iterator fixed storage.
8672 - key cache size and slabs config options.
8673 - lib crypto cleanups at exit.
8675 29 August 2007: Wouter
8676 - test tool to sign rrsets for testing validator with.
8677 - added RSA and DSA test keys, public and private pairs, 512 bits.
8678 - default configuration is with validation enabled.
8679 Only a trust-anchor needs to be configured for DNSSEC to work.
8680 - do not convert to DER for DSA signature verification.
8681 - validator replay test file, for a DS to DNSKEY DSA key prime and
8684 28 August 2007: Wouter
8685 - removed double use for udp buffers, that could fail,
8686 instead performs a malloc to do the backup.
8687 - validator validates referral messages, by validating all the rrsets
8688 and stores the rrsets in the cache. Further referral (nonRD queries)
8689 replies are made from the rrset cache directly. Unless unchecked
8690 rrsets are encountered, there are then validated.
8691 - enforce that signing is done by a parent domain (or same domain).
8692 - adjust TTL downwards if rrset TTL bigger than signature allows.
8693 - permissive mode feature, sets AD bit for secure, but bogus does
8694 not give servfail (bogus is changed into indeterminate).
8695 - optimization of rrset verification. rr canonical sorting is reused,
8696 for the same rrset. canonical rrset image in buffer is reused for
8698 - if the rrset is too big (64k exactly + large owner name) the
8699 canonicalization routine will fail if it does not fit in buffer.
8700 - faster verification for large sigsets.
8701 - verb_detail mode reports validation failures, but not the entire
8702 algorithm for validation. Key prime failures are reported as
8705 27 August 2007: Wouter
8706 - do not garble the edns if a cache answer fails.
8707 - answer norecursive from cache if possible.
8708 - honor clean_additional setting when returning secure non-recursive
8710 - do not store referral in msg cache for nonRD queries.
8711 - store verification status in the rrset cache to speed up future
8713 - mark rrsets indeterminate and insecure if they are found to be so.
8714 and store this in the cache.
8716 24 August 2007: Wouter
8717 - message is bogus if unsecure authority rrsets are present.
8718 - val-clean-additional option, so you can turn it off.
8719 - move rrset verification out of the specific proof types into one
8720 routine. This makes the proof routines prettier.
8721 - fixup cname handling in validator, cname-to-positive and cname-to-
8723 - Do not synthesize DNSKEY and DS responses from the rrset cache if
8724 the rrset is from the additional section. Signatures may have
8725 fallen off the packet, and cause validation failure.
8726 - more verbose signature date errors (with the date attached).
8727 - increased default infrastructure cache size. It is important for
8728 performance, and 1000 entries are only 212k (or a 400 k total cache
8729 size). To 10000 entries (for 2M entries, 4M cache size).
8731 23 August 2007: Wouter
8732 - CNAME handling - move needs_validation to before val_new().
8733 val_new() setups the chase-reply to be an edited copy of the msg.
8734 new classification, and find signer can find for it.
8735 removal of unsigned crap from additional, and query restart for
8737 - refuse to follow wildcarded DNAMEs when validating.
8738 But you can query for qtype ANY, or qtype DNAME and validate that.
8740 22 August 2007: Wouter
8742 - review - use val_error().
8744 21 August 2007: Wouter
8745 - ANY response validation.
8746 - store security status in cache.
8747 - check cache security status and either send the query to be
8748 validated, return the query to client, or send servfail to client.
8749 Sets AD bit on validated replies.
8750 - do not examine security status on an error reply in mesh_done.
8751 - construct DS, DNSKEY messages from rrset cache.
8752 - manual page entry for override-date.
8754 20 August 2007: Wouter
8755 - validate and positive validation, positive wildcard NSEC validation.
8756 - nodata validation, nxdomain validation.
8758 18 August 2007: Wouter
8759 - process DNSKEY response in FINDKEY state.
8761 17 August 2007: Wouter
8762 - work on DS2KE routine.
8763 - val_nsec.c for validator NSEC proofs.
8764 - unit test for NSEC bitmap reading.
8765 - dname iswild and canonical_compare with unit tests.
8767 16 August 2007: Wouter
8769 - latest release libevent 1.3c and 1.3d have threading fixed.
8770 - key entry fixup data pointer and ttl absolute.
8771 - This makes a key-prime succeed in validator, with DS or DNSKEY as
8773 - fixup canonical compare byfield routine, fix bug and also neater.
8774 - fixed iterator response type classification for queries of type
8776 dig ANY gives sometimes NS rrset in AN and NS section, and parser
8777 removes the NS section duplicate. dig NS gives sometimes the NS
8778 in the answer section, as referral.
8779 - validator FINDKEY state.
8781 15 August 2007: Wouter
8782 - crypto calls to verify signatures.
8783 - unit test for rrsig verification.
8785 14 August 2007: Wouter
8786 - default outgoing ports changed to avoid port 2049 by default.
8787 This port is widely blocked by firewalls.
8788 - count infra lameness cache in memory size.
8789 - accounting of memory improved
8790 - outbound entries are allocated in the query region they are for.
8791 - extensive debugging for memory allocations.
8792 - --enable-lock-checks can be used to enable lock checking.
8793 - protect undefs in config.h from autoheaders ministrations.
8794 - print all received udp packets. log hex will print on multiple
8796 - fixed error in parser with backwards rrsig references.
8797 - mark cycle targets for iterator did not have CD flag so failed
8800 13 August 2007: Wouter
8801 - fixup makefile, if lexer is missing give nice error and do not
8802 mess up the dependencies.
8803 - canonical compare routine updated.
8804 - canonical hinfo compare.
8805 - printout list of the queries that the mesh is working on.
8807 10 August 2007: Wouter
8808 - malloc and free overrides that track total allocation and frees.
8809 for memory debugging.
8810 - work on canonical sort.
8812 9 August 2007: Wouter
8813 - canonicalization, signature checks
8814 - dname signature label count and unit test.
8815 - added debug heap size print to memory printout.
8816 - typo fixup in worker.c
8817 - -R needed on solaris.
8818 - validator override option for date check testing.
8820 8 August 2007: Wouter
8821 - ldns _raw routines created (in ldns trunk).
8822 - sigcrypt DS digest routines
8823 - val_utils uses sigcrypt to perform signature cryptography.
8824 - sigcrypt keyset processing
8826 7 August 2007: Wouter
8827 - security status type.
8828 - security status is copied when rdata is equal for rrsets.
8829 - rrset id is updated to invalidate all the message cache entries
8830 that refer to NSEC, NSEC3, DNAME rrsets that have changed.
8832 - val_sigcrypt file for validator signature checks.
8834 6 August 2007: Wouter
8835 - key cache for validator.
8836 - moved isroot and dellabel to own dname routines, with unit test.
8838 3 August 2007: Wouter
8840 - scrubber check section of lame NS set.
8841 - trust anchors can be in config file or read from zone file,
8842 DS and DNSKEY entries.
8843 - unit test trust anchor storage.
8844 - trust anchors converted to packed rrsets.
8845 - key entry definition.
8847 2 August 2007: Wouter
8848 - configure change for latest libevent trunk version (needs -lrt).
8849 - query_done and walk_supers are moved out of module interface.
8850 - fixup delegation point duplicates.
8851 - fixup iterator scrubber; lame NS set is let through the scrubber
8852 so that the classification is lame.
8853 - validator module exists, and does nothing but pass through,
8854 with calling of next module and return.
8857 1 August 2007: Wouter
8858 - set version to 0.5
8859 - module work for module to module interconnections.
8860 - config of modules.
8861 - detect cycle takes flags.
8863 31 July 2007: Wouter
8867 30 July 2007: Wouter
8868 - changed random state init, so that sequential process IDs are not
8869 cancelled out by sequential thread-ids in the random number seed.
8870 - the fwd_three test, which sends three queries to unbound, and
8871 unbound is kept waiting by ldns-testns for 3 seconds, failed
8872 because the retry timeout for default by unbound is 3 seconds too,
8873 it would hit that timeout and fail the test. Changed so that unbound
8874 is kept waiting for 2 seconds instead.
8876 27 July 2007: Wouter
8877 - removed useless -C debug option. It did not work.
8878 - text edit of documentation.
8879 - added doc/CREDITS file, referred to by the manpages.
8882 26 July 2007: Wouter
8883 - cycle detection, for query state dependencies. Will attempt to
8884 circumvent the cycle, but if no other targets available fails.
8885 - unit test for AXFR, IXFR response.
8886 - test for cycle detection.
8888 25 July 2007: Wouter
8889 - testbound read ADDRESS and check it.
8890 - test for version.bind and friends.
8891 - test for iterator chaining through several referrals.
8892 - test and fixup for refetch for glue. Refetch fails if glue
8893 is still not provided.
8895 24 July 2007: Wouter
8896 - Example section in config manual.
8897 - Addr stored for range and moment in replay.
8899 20 July 2007: Wouter
8900 - Check CNAME chain before returning cache entry with CNAMEs.
8901 - Option harden-glue, default is on. It will discard out of zone
8902 data. If disabled, performance is faster, but spoofing attempts
8903 become a possibility. Note that still normalize scrubbing is done,
8904 and that the potentially spoofed data is used for infrastructure
8905 and not returned to the client.
8906 - if glue times out, refetch by asking parent of delegation again.
8907 Much like asking for DS at the parent side.
8908 - TODO items from forgery-resilience draft.
8909 and on memory handling improvements.
8910 - renamed module_event_timeout to module_event_noreply.
8911 - memory reporting code; reports on memory usage after handling
8912 a network packet (not on cache replies).
8914 19 July 2007: Wouter
8915 - shuffle NS selection when getting nameserver target addresses.
8916 - fixup of deadlock warnings, yield cpu in checklock code so that
8917 freebsd scheduler selects correct process to run.
8918 - added identity and version config options and replies.
8919 - store cname messages complete answers.
8921 18 July 2007: Wouter
8922 - do not query addresses, 127.0.0.1, and ::1 by default.
8924 17 July 2007: Wouter
8925 - forward zone options in config file.
8926 - forward per zone in iterator. takes precedence over stubs.
8927 - fixup commithooks.
8928 - removed forward-to and forward-to-port features, subsumed by
8930 - fix parser to handle absent server: clause.
8931 - change untrusted rrset test to account for scrubber that is now
8932 applied during the test (which removes the poison, by the way).
8933 - feature, addresses can be specified with @portnumber, like nsd.conf.
8934 - test config files changed over to new forwarder syntax.
8936 27 June 2007: Wouter
8937 - delete of mesh does a postorder traverse of the tree.
8938 - found and fixed a memory leak. For TTL=0 messages, that would
8939 not be cached, instead the msg-replyinfo structure was leaked.
8940 - changed server selection so it will filter out hosts that are
8941 unresponsive. This is defined as a host with the maximum rto value.
8942 This means that unbound tried the host for retries up to 120 secs.
8943 The rto value will time out after host-ttl seconds from the cache.
8944 This keeps such unresolvable queries from taking up resources.
8945 - utility for keeping histogram.
8947 26 June 2007: Wouter
8948 - mesh is called by worker, and iterator uses it.
8949 This removes the hierarchical code.
8950 QueryTargets state and Finished state are merged for iterator.
8951 - forwarder mode no longer sets AA bit on first reply.
8952 - rcode in walk_supers is not needed.
8954 25 June 2007: Wouter
8956 - error encode routine for ease.
8958 22 June 2007: Wouter
8959 - removed unused _node iterator value from rbtree_t. Takes up space.
8960 - iterator can handle querytargets state without a delegation point
8961 set, so that a priming(stub) subquery error can be handled.
8962 - iterator stores if it is priming or not.
8963 - log_query_info() neater logging.
8964 - changed iterator so that it does not alter module_qstate.qinfo
8965 but keeps a chase query info. Also query_flags are not altered,
8966 the iterator uses chase_flags.
8967 - fixup crash in case no ports for the family exist.
8969 21 June 2007: Wouter
8970 - Fixup secondary buffer in case of error callback.
8971 - cleanup slumber list of runnable states.
8972 - module_subreq_depth fails to work in slumber list.
8973 - fixup query release for cached results to sub targets.
8974 - neater error for tcp connection failure, shows addr in verbose.
8975 - rbtree_init so that it can be used with preallocated memory.
8977 20 June 2007: Wouter
8978 - new -C option to enable coredumps after forking away.
8980 - fixup CNAME generation by scrubber, and memory allocation of it.
8981 - fixup deletion of serviced queries when all callbacks delete too.
8982 - set num target queries to 0 when you move them to slumber list.
8983 - typo in check caused subquery errors to be ignored, fixed.
8984 - make lint happy about rlim_t.
8985 - freeup of modules after freeup of module-states.
8986 - duplicate replies work, this uses secondary udp buffer in outnet.
8988 19 June 2007: Wouter
8989 - nicer layout in stats.c, review 0.3 change.
8990 - spelling improvement, review 0.3 change.
8991 - uncapped timeout for server selection, so that very fast or slow
8992 servers will stand out from the rest.
8993 - target-fetch-policy: "3 2 1 0 0" config setting.
8994 - fixup queries answered without RD bit (for root prime results).
8995 - refuse AXFR and IXFR requests.
8996 - fixup RD flag in error reply from iterator. fixup RA flag from
8998 - fixup encoding of very short edns buffer sizes, now sets TC bit.
8999 - config options harden-short-bufsize and harden-large-queries.
9001 18 June 2007: Wouter
9002 - same, move subqueries to slumber list when first has resolved.
9003 - fixup last fix for duplicate callbacks.
9004 - another offbyone in targetcounter. Also in Java prototype by the way.
9006 15 June 2007: Wouter
9007 - if a query asks to be notified of the same serviced query result
9008 multiple times, this will succeed. Only one callback will happen;
9009 multiple outbound-list entries result (but the double cleanup of it
9011 - when iterator moves on due to CNAME or referral, it will remove
9012 the subqueries (for other targets). These are put on the slumber
9014 - state module wait subq is OK with no new subqs, an old one may have
9015 stopped, with an error, and it is still waiting for other ones.
9016 - if a query loops, halt entire query (easy way to clean up properly).
9018 14 June 2007: Wouter
9019 - num query targets was > 0 , not >= 0 compared, so that fetch
9020 policy of 0 did nothing.
9022 13 June 2007: Wouter
9023 - debug option: configure --enable-static-exe for compile where
9024 ldns and libevent are linked statically. Default is off.
9025 - make install and make uninstall. Works with static-exe and without.
9026 installation of unbound binary and manual pages.
9027 - alignment problem fix on solaris 64.
9028 - fixup address in case of TCP error.
9030 12 June 2007: Wouter
9031 - num target queries was set to 0 at a bad time. Default it to 0 and
9032 increase as target queries are done.
9033 - synthesize CNAME and DNAME responses from the cache.
9034 - Updated doxygen config for doxygen 1.5.
9035 - aclocal newer version.
9036 - doxygen 1.5 fixes for comments (for the strict check on docs).
9038 11 June 2007: Wouter
9039 - replies on TCP queries have the address field set in replyinfo,
9040 for serviced queries, because the initiator does not know that
9041 a TCP fallback has occured.
9042 - omit DNSSEC types from nonDO replies, except if qtype is ANY or
9043 if qtype directly queries for the type (and then only show that
9044 'unknown type' in the answer section).
9045 - fixed message parsing where rrsigs on their own would be put
9046 in the signature list over the rrsig type.
9049 - fixup error in double linked list insertion for subqueries and
9050 for outbound list of serviced queries for iterator module.
9051 - nicer printout of outgoing port selection.
9052 - fixup cname target readout.
9053 - nicer debug output.
9054 - fixup rrset counts when prepending CNAMEs to the answer.
9055 - fixup rrset TTL for prepended CNAMEs.
9056 - process better check for looping modules, and which submodule to
9058 - subreq insertion code fixup for slumber list.
9059 - VERB_DETAIL, verbosity: 2 level gives short but readable output.
9060 VERB_ALGO, verbosity: 3 gives extensive output.
9061 - fixup RA bit in cached replies.
9062 - fixup CNAME responses from the cache no longer partial response.
9063 - error in network send handled without leakage.
9064 - enable ip6 from config, and try ip6 addresses if available,
9065 if ip6 is not connected, skips to next server.
9068 - iterator state finished.
9069 - subrequests without parent store in cache and stop.
9070 - worker slumber list for ongoing promiscuous queries.
9071 - subrequest error handling.
9072 - priming failure returns SERVFAIL.
9073 - priming gives LAME result, returns SERVFAIL.
9074 - debug routine to print dns_msg as handled by iterator.
9075 - memleak in config file stubs fixup.
9076 - more small bugs, in scrubber, query compare no ID for lookup,
9077 in dname validation for NS targets.
9078 - sets entry.key for new special allocs.
9079 - lognametypeclass can display unknown types and classes.
9082 - random selection of equally preferred nameserver targets.
9083 - reply info copy routine. Reuses existing code.
9084 - cache lameness in response handling.
9085 - do not touch qstate after worker_process_query because it may have
9086 been deleted by that routine.
9087 - Prime response state.
9088 - Process target response state.
9089 - some memcmp changed to dname_compare for case preservation.
9092 - normalize incoming messages. Like unbound-java, with CNAME chain
9093 checked, DNAME checked, CNAME's synthesized, glue checked.
9094 - sanitize incoming messages.
9095 - split msgreply encode functions into own file msgencode.c.
9096 - msg_parse to queryinfo/replyinfo conversion more versatile.
9097 - process_response, classify response, delegpt_from_message.
9100 - querytargets state.
9101 - dname_subdomain_c() routine.
9102 - server selection, based on RTT. ip6 is filtered out if not available,
9103 and lameness is checked too.
9104 - delegation point copy routine.
9107 - removed FLAG_CD from message and rrset caches. This was useful for
9108 an agnostic forwarder, but not for a sophisticated (trust value per
9109 rrset enabled) cache.
9110 - iterator response typing.
9111 - iterator cname handle.
9112 - iterator prime start.
9114 - processInitRequest and processInitRequest2.
9115 - cache synthesizes referral messages, with DS and NSEC.
9116 - processInitRequest3.
9117 - if a request creates multiple subrequests these are all activated.
9120 - routines to lock and unlock array of rrsets moved to cache/rrset.
9121 - lookup message from msg cache (and copy to region).
9122 - fixed cast error in dns msg lookup.
9123 - message with duplicate rrset does not increase its TTLs twice.
9124 - 'qnamesize' changed to 'qname_len' for similar naming scheme.
9127 - Acknowledge use of unbound-java code in iterator. Nicer readme.
9128 - services/cache/dns.c DNS Cache. Hybrid cache uses msgcache and
9129 rrset cache from module environment.
9130 - packed rrset key has type and class as easily accessible struct
9131 members. They are still kept in network format for fast msg encode.
9132 - dns cache find_delegation routine.
9133 - iterator main functions setup.
9134 - dns cache lookup setup.
9137 - small changes to prepare for subqueries.
9138 - iterator forwarder feature separated out.
9139 - iterator hints stub code, config file stub code, so that first
9140 testing can proceed locally.
9141 - replay tests now have config option to enable forwarding mode.
9144 - outside network does precise timers for roundtrip estimates for rtt
9145 and for setting timeout for UDP. Pending_udp takes milliseconds.
9146 - cleaner iterator sockaddr conversion of forwarder address.
9147 - iterator/iter_utils and iter_delegpt setup.
9151 - outbound query list for modules and support to callback with the
9152 outbound entry to the module.
9153 - testbound support for new serviced queries.
9154 - test for retry to TCP cannot use testbound any longer.
9155 - testns test for EDNS fallback, test for TCP fallback already exists.
9156 - fixes for no-locking compile.
9157 - mini_event timer precision and fix for change in timeouts during
9158 timeout callback. Fix for fwd_three tests, performed nonexit query.
9161 - small comment on hash table locking.
9162 - outside network serviced queries, contain edns and tcp fallback,
9163 and udp retries and rtt timing.
9166 - lruhash_touch() would cause locking order problems. Fixup in
9167 lock-verify in case locking cycle is found.
9168 - services/cache/rrset.c for rrset cache code.
9169 - special rrset_cache LRU updating function that uses the rrset id.
9170 - no dependencies calculation when make clean is called.
9171 - config settings for infra cache.
9172 - daemon code slightly cleaner, only creates caches once.
9176 - unit test for host cache.
9179 - Port to OS/X and Dec Alpha. Printf format and alignment fixes.
9180 - extensive lock debug report on join timeout.
9181 - proper RTT calculation, in utility code.
9182 - setup of services/cache/infra, host cache.
9185 - iterator/iterator.c module.
9186 - fixup to pass reply_info in testcode and in netevent.
9189 - created release-0.3 svn tag.
9191 - fixed compression - no longer compresses root name.
9194 - outside network cleans up waiting tcp queries on exit.
9196 - testbound replay with retry in TCP mode.
9197 - tpkg test for retry in TCP mode, against ldns-testns server.
9198 - daemon checks max number of open files and complains if not enough.
9199 - test where data expires in the cache.
9200 - compiletests: fixed empty body ifstatements in alloc.c, in case
9204 - outgoing network keeps list of available tcp buffers for outgoing
9206 - outgoing-num-tcp config option.
9207 - outgoing network keeps waiting list of queries waiting for buffer.
9208 - netevent supports outgoing tcp commpoints, nonblocking connects.
9211 - EDNS read from query, used to make reply smaller.
9212 - advertised edns value constants.
9213 - EDNS BADVERS response, if asked for too high edns version.
9214 - EDNS extended error responses once the EDNS record from the query
9215 has successfully been parsed.
9218 - msgreply sizefunc is more accurate.
9219 - config settings for rrset cache size and slabs.
9220 - hashtable insert takes argument so that a thread can use its own
9221 alloc cache to store released keys.
9222 - alloc cache special_release() locks if necessary.
9223 - rrset trustworthiness type added.
9224 - thread keeps a scratchpad region for handling messages.
9225 - writev used in netevent to write tcp length and data after another.
9226 This saves a roundtrip on tcp replies.
9227 - test for one rrset updated in the cache.
9228 - test for one rrset which is not updated, as it is not deemed
9230 - test for TTL refreshed in rrset.
9233 - fill refs. Use new parse and encode to answer queries.
9234 - stores rrsets in cache.
9235 - uses new msgreply format in cache.
9238 - dname unit tests in own file and spread out neatly in functions.
9239 - more dname unit tests.
9240 - message encoding creates truncated TC flagged messages if they do
9241 not fit, and will leave out (whole)rrsets from additional if needed.
9244 - decompress query section, extremely lenient acceptance.
9245 But only for answers from other servers, not for plain queries.
9246 - compression and decompression test cases.
9248 - example.conf interface: line is changed from 127.0.0.1 which leads
9249 to problems if used (restricting communication to the localhost),
9250 to a documentation and test address.
9252 27 April 2007: Wouter
9253 - removed iov usage, it is not good for dns message encoding.
9254 - owner name compression more optimal.
9255 - rrsig owner name compression.
9256 - rdata domain name compression.
9258 26 April 2007: Wouter
9259 - floating point exception fix in lock-verify.
9260 - lint uses make dependency
9261 - fixup lint in dname owner domain name compression code.
9262 - define for offset range that can be compressed to.
9264 25 April 2007: Wouter
9265 - prettier code; parse_rrset->type kept in host byte order.
9266 - datatype used for hashvalue of converted rrsig structure.
9267 - unit test compares edns section data too.
9269 24 April 2007: Wouter
9270 - ttl per RR, for RRSIG rrsets and others.
9271 - dname_print debug function.
9272 - if type is not known, size calc will skip DNAME decompression.
9273 - RRSIG parsing and storing and putting in messages.
9274 - dnssec enabled unit tests (from nlnetlabs.nl and se queries).
9275 - EDNS extraction routine.
9277 20 April 2007: Wouter
9278 - code comes through all of the unit tests now.
9279 - disabled warning about spurious extra data.
9280 - documented the RRSIG parse plan in msgparse.h.
9281 - rrsig reading and outputting.
9283 19 April 2007: Wouter
9284 - fix unit test to actually to tests.
9285 - fix write iov helper, and fakevent code.
9286 - extra builtin testcase (small packet).
9287 - ttl converted to network format in packets.
9288 - flags converted correctly
9289 - rdatalen off by 2 error fixup.
9290 - uses less iov space for header.
9292 18 April 2007: Wouter
9293 - review of msgparse code.
9294 - smaller test cases.
9296 17 April 2007: Wouter
9297 - copy and decompress dnames.
9298 - store calculated hash value too.
9299 - routine to create message out of stored information.
9300 - util/data/msgparse.c for message parsing code.
9301 - unit test, and first fixes because of test.
9302 * forgot rrset_count addition.
9303 * did & of ptr on stack for memory position calculation.
9304 * dname_pkt_copy forgot to read next label length.
9305 - test from file and fixes
9306 * double frees fixed in error conditions.
9307 * types with less than full rdata allowed by parser.
9308 Some dynamic update packets seem to use it.
9310 16 April 2007: Wouter
9311 - following a small change in LDNS, parsing code calculates the
9312 memory size to allocate for rrs.
9313 - code to handle ID creation.
9315 13 April 2007: Wouter
9316 - parse routines. Code that parses rrsets, rrs.
9318 12 April 2007: Wouter
9319 - dname compare routine that preserves case, with unit tests.
9321 11 April 2007: Wouter
9322 - parse work - dname packet parse, msgparse, querysection parse,
9323 start of sectionparse.
9325 10 April 2007: Wouter
9326 - Improved alignment of reply_info packet, nice for 32 and 64 bit.
9327 - Put RRset counts in reply_info, because the number of RRs can change
9328 due to RRset updates.
9329 - import of region-allocator code from nsd.
9330 - set alloc special type to ub_packed_rrset_key.
9331 Uses lruhash entry overflow chain next pointer in alloc cache.
9332 - doxygen documentation for region-allocator.
9333 - setup for parse scratch data.
9335 5 April 2007: Wouter
9336 - discussed packed rrset with Jelte.
9338 4 April 2007: Wouter
9339 - moved to version 0.3.
9340 - added util/data/dname.c
9341 - layout of memory for rrsets.
9343 3 April 2007: Wouter
9344 - detect sign of msghdr.msg_iovlen so that the cast to that type
9345 in netevent (which is there to please lint) can be correct.
9346 The type on several OSes ranges from int, int32, uint32, size_t.
9347 Detects unsigned or signed using math trick.
9348 - constants for DNS flags.
9349 - compilation without locks fixup.
9350 - removed include of unportable header from lookup3.c.
9351 - more portable use of struct msghdr.
9352 - casts for printf warning portability.
9353 - tweaks to tests to port them to the testbed.
9356 2 April 2007: Wouter
9357 - check sizes of udp received messages, not too short.
9358 - review changes. Some memmoves can be memcpys: 4byte aligned.
9359 set id correctly on cached answers.
9360 - review changes msgreply.c, memleak on error condition. AA flag
9361 clear on cached reply. Lowercase queries on hashing.
9362 unit test on lowercasing. Test AA bit not set on cached reply.
9363 Note that no TTLs are managed.
9365 29 March 2007: Wouter
9366 - writev or sendmsg used when answering from cache.
9367 This avoids a copy of the data.
9368 - do not do useless byteswap on query id. Store reply flags in uint16
9369 for easier access (and no repeated byteswapping).
9371 - configure detects and config.h includes sys/uio.h for writev decl.
9373 28 March 2007: Wouter
9374 - new config option: num-queries-per-thread.
9375 - added tpkg test for answering three queries at the same time
9376 using one thread (from the query service list).
9378 27 March 2007: Wouter
9379 - added test for cache and not cached answers, in testbound replays.
9380 - testbound can give config file and commandline options from the
9381 replay file to unbound.
9382 - created test that checks if items drop out of the cache.
9383 - added word 'partitioned hash table' to documentation on slab hash.
9384 A slab hash is a partitioned hash table.
9385 - worker can handle multiple queries at a time.
9387 26 March 2007: Wouter
9388 - config settings for slab hash message cache.
9389 - test for cached answer.
9390 - Fixup deleting fake answer from testbound list.
9392 23 March 2007: Wouter
9393 - review of yesterday's commits.
9394 - covered up memory leak of the entry locks.
9395 - answers from the cache correctly. Copies flags correctly.
9396 - sanity check for incoming query replies.
9397 - slabbed hash table. Much nicer contention, need dual cpu to see.
9399 22 March 2007: Wouter
9400 - AIX configure check.
9401 - lock-verify can handle references to locks that are created
9402 in files it has not yet read in.
9403 - threaded hash table test.
9404 - unit test runs lock-verify afterwards and checks result.
9405 - need writelock to update data on hash_insert.
9406 - message cache code, msgreply code.
9408 21 March 2007: Wouter
9409 - unit test of hash table, fixup locking problem in table_grow().
9410 - fixup accounting of sizes for removing items from hashtable.
9411 - unit test for hash table, single threaded test of integrity.
9412 - lock-verify reports errors nicely. More quiet in operation.
9414 16 March 2007: Wouter
9415 - lock-verifier, checks consistent order of locking.
9417 14 March 2007: Wouter
9418 - hash table insert (and subroutines) and lookup implemented.
9419 - hash table remove.
9420 - unit tests for hash internal bin, lru functions.
9422 13 March 2007: Wouter
9423 - lock_unprotect in checklocks.
9424 - util/storage/lruhash.h for LRU hash table structure.
9426 12 March 2007: Wouter
9427 - configure.ac moved to 0.2.
9428 - query_info and replymsg util/data structure.
9430 9 March 2007: Wouter
9431 - added rwlock writelock checking.
9432 So it will keep track of the writelock, and readlocks are enforced
9433 to not change protected memory areas.
9434 - log_hex function to dump hex strings to the logfile.
9435 - checklocks zeroes its destroyed lock after checking memory areas.
9436 - unit test for alloc.
9437 - identifier for union in checklocks to please older compilers.
9440 8 March 2007: Wouter
9441 - Reviewed checklock code.
9443 7 March 2007: Wouter
9444 - created a wrapper around thread calls that performs some basic
9445 checking for data race and deadlock, and basic performance
9446 contention measurement.
9448 6 March 2007: Wouter
9449 - Testbed works with threading (different machines, different options).
9450 - alloc work, does the special type.
9452 2 March 2007: Wouter
9453 - do not compile fork funcs unless needed. Otherwise will give
9454 type errors as their typedefs have not been enabled.
9455 - log shows thread numbers much more nicely (and portably).
9456 - even on systems with nonthreadsafe libevent signal handling,
9457 unbound will exit if given a signal.
9458 Reloads will not work, and exit is not graceful.
9459 - start of alloc framework layout.
9461 1 March 2007: Wouter
9462 - Signals, libevent and threads work well, with libevent patch and
9463 changes to code (close after event_del).
9464 - set ipc pipes nonblocking.
9466 27 February 2007: Wouter
9467 - ub_thread_join portable definition.
9468 - forking is used if no threading is available.
9469 Tested, it works, since pipes work across processes as well.
9470 Thread_join is replaced with waitpid.
9471 - During reloads the daemon will temporarily handle signals,
9472 so that they do not result in problems.
9473 - Also randomize the outgoing port range for tests.
9474 - If query list is full, will stop selecting listening ports for read.
9475 This makes all threads service incoming requests, instead of one.
9476 No memory is leaking during reloads, service of queries, etc.
9477 - test that uses ldns-testns -f to test threading. Have to answer
9478 three queries at the same time.
9479 - with verbose=0 operates quietly.
9481 26 February 2007: Wouter
9482 - ub_random code used to select ID and port.
9483 - log code prints thread id.
9484 - unbound can thread itself, with reload(HUP) and quit working
9486 - don't open pipes for #0, doesn't need it.
9487 - listens to SIGTERM, SIGQUIT, SIGINT (all quit) and SIGHUP (reload).
9489 23 February 2007: Wouter
9490 - Can do reloads on sigHUP. Everything is stopped, and freed,
9491 except the listening ports. Then the config file is reread.
9492 And everything is started again (and listening ports if needed).
9493 - Ports for queries are shared.
9494 - config file added interface:, chroot: and username:.
9495 - config file: directory, logfile, pidfile. And they work too.
9496 - will daemonize by default now. Use -d to stay in the foreground.
9497 - got BSD random[256 state] code, made it threadsafe. util/random.
9499 22 February 2007: Wouter
9500 - Have a config file. Removed commandline options, moved to config.
9501 - tests use config file.
9503 21 February 2007: Wouter
9504 - put -c option in man page.
9505 - minievent fd array capped by FD_SETSIZE.
9507 20 February 2007: Wouter
9508 - Added locks code and pthread spinlock detection.
9509 - can use no locks, or solaris native thread library.
9510 - added yacc and lex configure, and config file parsing code.
9511 also makedist.sh, and manpage.
9512 - put include errno.h in config.h
9514 19 February 2007: Wouter
9515 - Created 0.0 svn tag.
9516 - added acx_pthread.m4 autoconf check for pthreads from
9517 the autoconf archive. It is GPL-with-autoconf-exception Licensed.
9518 You can specify --with-pthreads, or --without-pthreads to configure.
9520 16 February 2007: Wouter
9521 - Updated testbed script, works better by using make on remote end.
9522 - removed check decls, we can compile without them.
9523 - makefile supports LIBOBJ replacements.
9524 - docs checks ignore compat code.
9525 - added util/mini-event.c and .h, a select based alternative used with
9526 ./configure --with-libevent=no
9527 It is limited to 1024 file descriptors, and has less features.
9528 - will not create ip6 sockets if ip6 not on the machine.
9530 15 February 2007: Wouter
9531 - port to FreeBSD 4.11 Dec Alpha. Also works on Solaris 10 sparc64,
9532 Solaris 9, FreeBSD 6, Linux i386 and OSX powerpc.
9533 - malloc rndstate, so that it is aligned for access.
9534 - fixed rbtree cleanup with postorder traverse.
9535 - fixed pending messages are deleted when handled.
9536 - You can control verbosity; default is not verbose, every -v
9537 adds more verbosity.
9539 14 February 2007: Wouter
9540 - Included configure.ac changes from ldns.
9541 - detect (some) headers before the standards check.
9542 - do not use isblank to test c99, since its not available on solaris9.
9543 - review of testcode.
9544 * entries in a RANGE are no longer reversed.
9545 * print name of file with replay entry parse errors.
9546 - port to OSX: cast to int for some prints of sizet.
9547 - Makefile copies ldnstestpkts.c before doing dependencies on it.
9549 13 February 2007: Wouter
9550 - work on fake events, first fwd replay works.
9551 - events can do timeouts and errors on queries to servers.
9552 - test package that runs replay scenarios.
9554 12 February 2007: Wouter
9555 - work on fake events.
9557 9 February 2007: Wouter
9558 - replay file reading.
9559 - fake event setup, it creates fake structures, and teardowns,
9560 added signal callbacks to reply to be able to fake those,
9561 and main structure of event replay routines.
9563 8 February 2007: Wouter
9566 - testcode/fake_event work.
9568 7 February 2007: Wouter
9569 - return answer with the same ID as query was sent with.
9570 - created udp forwarder test. I've done some effort to make it perform
9571 quickly. After servers are created, no big sleep statements but
9572 it checks the logfiles to see if servers have come up. Takes 0.14s.
9573 - set addrlen value when calling recvfrom.
9574 - comparison of addrs more portable.
9575 - LIBEVENT option for testbed to set libevent directory.
9576 - work on tcp input.
9578 6 February 2007: Wouter
9579 - reviewed code and improved in places.
9581 5 February 2007: Wouter
9582 - Picked up stdc99 and other define tests from ldns. Improved
9583 POSIX define test to include getaddrinfo.
9584 - defined constants for netevent callback error code.
9585 - unit test for strisip6.
9587 2 February 2007: Wouter
9588 - Created udp4 and udp6 port arrays to provide service for both
9590 - uses IPV6_USE_MIN_MTU for udp6 ,IPV6_V6ONLY to make ip6 sockets.
9591 - listens on both ip4 and ip6 ports to provide correct return address.
9592 - worker fwder address filled correctly.
9594 - forwards udp queries and sends answer.
9596 1 February 2007: Wouter
9597 - outside network more UDP work.
9598 - moved * closer to type.
9599 - comm_timer object and events.
9601 31 January 2007: Wouter
9602 - Added makedist.sh script to make release tarball.
9603 - Removed listen callback layer, did not add anything.
9604 - Added UDP recv to netevent, worker callback for udp.
9605 - netevent communication reply storage structure.
9606 - minimal query header sanity checking for worker.
9607 - copied over rbtree implementation from NSD (BSD licensed too).
9608 - outgoing network query service work.
9610 30 January 2007: Wouter
9611 - links in example/ldns-testpkts.c and .h for premade packet support.
9612 - added callback argument to listen_dnsport and daemon/worker.
9614 29 January 2007: Wouter
9615 - unbound.8 a short manpage.
9617 26 January 2007: Wouter
9619 - make lint works on BSD and Linux (openssl defines).
9621 - testbound program start.
9623 25 January 2007: Wouter
9624 - fixed lint so it may work on BSD.
9625 - put license into header of every file.
9626 - created verbosity flag.
9627 - fixed libevent configure flag.
9628 - detects event_base_free() in new libevent 1.2 version.
9629 - getopt in daemon. fatal_exit() and verbose() logging funcs.
9630 - created log_assert, that throws assertions to the logfile.
9631 - listen_dnsport service. Binds ports.
9633 24 January 2007: Wouter
9634 - cleaned up configure.ac.
9636 23 January 2007: Wouter
9637 - added libevent to configure to link with.
9638 - util/netevent setup work.
9639 - configure searches for libevent.
9640 - search for libs at end of configure (when other headers and types
9642 - doxygen works with ATTR_UNUSED().
9643 - util/netevent implementation.
9645 22 January 2007: Wouter
9646 - Designed header file for network communication.
9648 16 January 2007: Wouter
9649 - added readme.svn and readme.tests.
9651 4 January 2007: Wouter
9652 - Testbed script (run on multiple platforms the test set).
9653 Works on Sunos9, Sunos10, FreeBSD 6.1, Fedora core 5.
9654 - added unit test tpkg.
9656 3 January 2007: Wouter
9657 - committed first set of files into subversion repository.
9658 svn co svn+ssh://unbound.net/svn/unbound
9659 You need a ssh login. There is no https access yet.
9660 - Added LICENSE, the BSD license.
9661 - Added doc/README with compile help.
9662 - main program stub and quiet makefile.
9663 - minimal logging service (to stderr).
9664 - added postcommit hook that serves emails.
9665 - added first test 00-lint. postcommit also checks if build succeeds.
9666 - 01-doc: doxygen doc target added for html docs. And stringent test
9667 on documented files, functions and parameters.
9669 15 December 2006: Wouter
9670 - Created Makefile.in and configure.ac.