unbound version bump 1.9.1
Unbound 1.9.1 is available:
https://www.nlnetlabs.nl/downloads/unbound/unbound-1.9.1.tar.gz
sha256 c3c0bf9b86ccba4ca64f93dd4fe7351308ab54293f297a67de5a8914c1dc59c5
pgp https://www.nlnetlabs.nl/downloads/unbound/unbound-1.9.1.tar.gz.asc
This release contains fixes for two bugs in the out-of-order processing introduced in 1.9.0: one where the wrong answer was returned, and a crash in file descriptor handling.
There is also a fix for qname minimisation, which could skip a label-fetch step when it should not have. This was caused by certain recursion situations and the way qname minimisation continued after them. Qname minimisation in Unbound is designed to sometimes add several labels at a time, rather than always adding one label and performing a lookup until the full qname is reached, because certain names are very long, especially in the IPv6 reverse space. Unbound takes short steps near the top of the name, in the root and the TLDs, but takes larger label-add steps when the name is very long, near the left side of the qname. This keeps the lookup latency short.
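The stepping described above, as an added illustration that is not Unbound's own code: the program below computes the sequence of query names a minimising resolver would send for a name, adding one label per step near the root and larger groups of labels further left. The step schedule (MINIMISE_ONE_LAB single-label steps, then the remainder spread over at most MINIMISE_MULTIPLE_LABS steps) and the example ip6.arpa name are assumptions chosen for the example; they are not Unbound's exact parameters.

```c
/* Added example, not Unbound's code: show how adding several labels per
 * step near the left of a long qname keeps the number of lookups small. */
#include <stdio.h>
#include <string.h>

#define MAX_LABELS 128
#define MAX_NAME 256
/* Assumed schedule (not Unbound's actual values): the first
 * MINIMISE_ONE_LAB labels are added one at a time; the remaining labels are
 * spread evenly over at most MINIMISE_MULTIPLE_LABS further steps. */
#define MINIMISE_ONE_LAB 4
#define MINIMISE_MULTIPLE_LABS 4

/* Constructed example: a 32-nibble IPv6 reverse name, 34 labels in total. */
#define EXAMPLE_IP6_NAME "1." "0.0.0.0.0.0.0.0." "0.0.0.0.0.0.0.0." \
    "0.0.0.0.0.0.0.0." "0.0.0.0.0.0.0." "ip6.arpa."

/* Split a dotted, absolute name into labels, leftmost first. */
static int split_labels(const char *name, char labels[][64], int max) {
    int n = 0;
    const char *p = name;
    while (*p && n < max) {
        const char *dot = strchr(p, '.');
        size_t len = dot ? (size_t)(dot - p) : strlen(p);
        if (len == 0) break;          /* empty label: stop (root reached) */
        if (len >= 64) return -1;     /* label too long for DNS */
        memcpy(labels[n], p, len);
        labels[n][len] = '\0';
        n++;
        if (!dot) break;
        p = dot + 1;
    }
    return n;
}

/* Write the name formed by the rightmost k of n labels, in absolute form. */
static void rightmost_name(char labels[][64], int n, int k,
                           char *out, size_t outsz) {
    out[0] = '\0';
    for (int i = n - k; i < n; i++) {
        strncat(out, labels[i], outsz - strlen(out) - 1);
        strncat(out, ".", outsz - strlen(out) - 1);
    }
}

/* Fill steps[] with the successive query names; return the step count. */
int minimise_steps(const char *qname, char steps[][MAX_NAME], int max_steps) {
    char labels[MAX_LABELS][64];
    int n = split_labels(qname, labels, MAX_LABELS);
    if (n <= 0) return n;
    int sent = 0, count = 0;
    while (sent < n && count < max_steps) {
        int add;
        if (count < MINIMISE_ONE_LAB) {
            add = 1;                  /* short steps near root and TLD */
        } else {
            /* longer steps: divide what is left over the remaining budget */
            int steps_left = MINIMISE_MULTIPLE_LABS - (count - MINIMISE_ONE_LAB);
            if (steps_left < 1) steps_left = 1;
            int remaining = n - sent;
            add = (remaining + steps_left - 1) / steps_left;   /* ceil */
        }
        sent += add;
        rightmost_name(labels, n, sent, steps[count], MAX_NAME);
        count++;
    }
    return count;
}

/* Convenience wrappers over a static buffer, so results are easy to check. */
static char g_steps[MAX_LABELS][MAX_NAME];

int minimise_step_count(const char *qname) {
    return minimise_steps(qname, g_steps, MAX_LABELS);
}

const char *minimise_step_name(const char *qname, int idx) {
    int n = minimise_steps(qname, g_steps, MAX_LABELS);
    if (idx < 0 || idx >= n) return NULL;
    return g_steps[idx];
}

int main(void) {
    int n = minimise_step_count(EXAMPLE_IP6_NAME);
    for (int i = 0; i < n; i++)
        printf("step %d: %s\n", i + 1, minimise_step_name(EXAMPLE_IP6_NAME, i));
    printf("%d lookups for a 34-label name\n", n);
    return 0;
}
```

With the assumed schedule the 34-label ip6.arpa name takes 8 lookups instead of 34; the first four are arpa., ip6.arpa., 0.ip6.arpa. and 0.0.ip6.arpa., after which the steps add 8, 8, 7 and 7 labels.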
A new type of local-zone is added, inform_redirect. It acts as if both type inform and type redirect were used: the query is logged, as with type inform, and the content of the answer is as for type redirect.
For 0x20 capsforid, a canonical sort is now used when comparing replies that differ. This removes some cases where the fallback could not determine, even after several retries, that a reply was genuine.
To make ratelimiting easier to diagnose, the ratelimit log messages now print the query name that triggered them. The query names that hit the limit are not necessarily all the same, but the name of the query that pushed the limit over is printed, which gives (a single name of) insight into the nature of the traffic involved. The IP address of the client that sent the query that triggered the upstream ratelimit is also printed. If the limit is exceeded by a lookup that Unbound itself generated during recursion, no client IP address is printed for the query ultimately responsible for that recursive lookup.
Unbound has ratelimiting for both clients (the downstream side) and for traffic that Unbound sends to the wider internet (the upstream side). The ip-ratelimit options limit traffic in queries per second per client IP address. The ratelimit options limit the queries sent towards a domain name (zone) during recursion. The new logging adds this extra information to the log messages for both, so that some idea of the nature of that traffic is visible straight away.
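A configuration fragment, added here as an illustration rather than taken from the Unbound distribution, that ties the two features above together: an inform_redirect zone that logs clients asking for a placeholder domain and answers them with a sinkhole address, plus downstream and upstream ratelimits whose log lines now carry the triggering query name. The zone name malware.example., the documentation addresses 192.0.2.1 and 2001:db8::1, and the limit of 1000 queries per second are all assumed values for the example.

```conf
server:
    # inform_redirect (new in 1.9.1): log the client address and query name,
    # as type inform does, and answer every name under the zone with the
    # local-data at the zone apex, as type redirect does.
    # malware.example. and the sinkhole addresses are placeholders.
    local-zone: "malware.example." inform_redirect
    local-data: "malware.example. A 192.0.2.1"
    local-data: "malware.example. AAAA 2001:db8::1"

    # Downstream: at most 1000 queries per second from any one client IP.
    # The "ip_ratelimit exceeded" log line now includes the query name.
    ip-ratelimit: 1000

    # Upstream: at most 1000 queries per second sent towards any one zone
    # during recursion. The log line now includes the query name and the
    # client address, when the query came from a client rather than from
    # an internal recursive lookup.
    ratelimit: 1000
```

Because inform_redirect logs at the same point where the redirect answer is built, the log line gives the original client address and the name that was asked for, so a sinkhole zone of this kind also serves as a simple detection feed for hosts resolving known-bad names.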
Features
- Add local-zone type inform_redirect, which logs like type inform, and redirects like type redirect.
- Perform canonical sort for 0x20 capsforid compare of replies, this sorts rrsets in the authority and additional section before comparison, so that out of order rrsets do not cause failure.
- Print the query name in ip_ratelimit exceeded log lines, and use spaces instead of tabs in that log message.
- Print query name and IP address when domain rate limit exceeded.
Bug Fixes
- Fix #4224: auth_xfr_notify.rpl test broken due to typo
- Fix locking for libunbound context setup with broken port config.
- Fix case in which query timeout can result in marking delegation as edns_lame_known.
- Set ub_ctx_set_tls call signature in ltrace config file for libunbound in contrib/libunbound.so.conf.
- Improve documentation for tls-service-key and forward-first.
- Fix #10 (closed): pkg-config operations fixed; PKG_PROG_PKG_CONFIG moved out of the conditional section, which fixes systemd builds. From Enrico Scholz.
- Fix #9 (closed): for OpenSSL 1.0.2, use the CRYPTO_THREADID locking callbacks; the previous set_id_callback API is still supported. For OpenSSL 1.1.0 no locking callbacks are needed.
- Fix #8 (closed): fix compilation with OpenSSL built without ENGINE support.
- Wipe TLS session key data from memory on exit.
- Fix that log-replies prints the correct name for local-alias names, i.e. names that have a CNAME in the local-data configuration: it now logs the original query name, not the target of the CNAME.
- Fix #4206: OpenSSL 1.0.2 hostname verification for FreeBSD 11.2.
- Fix that qname minimisation does not skip a label when missing nameserver targets need to be fetched.
- Fix #4225: clients seem to erroneously receive no answer with DNS-over-TLS and qname-minimisation.
- Note default for module-config in man page.
- Fix #13: Remove left-over requirements on OpenSSL >= 1.1.0 for cert name matching, from man page.
- Fix capsforid canonical sort qsort callback.
- Fix pythonmod include and sockaddr_un ifdefs for compile on Windows, and for libunbound.
- Fix the error message for an unknown module in module-config so that it is understandable: it explains that the module was not compiled in and where to see the list of available modules.
- In example.conf explain where to put cachedb module in module-config.
- In man page and example config explain that most modules have to be listed at the start of module-config.
- Fix #4227: pair event del and add for libevent for tcp_req_info.
- Fix #4229: Unbound man pages lack information about access-control order, local zone tags, and elements in views.
- Fix #14 (closed): contrib/unbound.init: fix wrong comparison before copying.
- Fix for python module on Windows, fix fopen.
- Remove memory leak on pythonmod python2 script file init.
- Remove swig gcc8 python function cast warnings; they are ignored.
- Print correct module that failed when module-config is wrong.