Hi,
Unbound 1.4.11 is released, bugfixes and small features.
http://unbound.net/downloads/unbound-1.4.11.tar.gz
sha1: 3dbd7854b05b1e48fcc088be50e4c7aafc8d7306
sha256: 19e44dd7a737de678456885483002c6cd84147d334c7323cb3674d2012c82b4b
It has small and happy changes: querylog option, ignore-cdflag for
support of (win) legacy servers, lto optimization for speedup,
--enable-allsymbols to have smaller install size. The control port
number has been registered with IANA. The unbound-control sends a
version number in its header, so its protocol has changed and you need
to update unbound(server) and unbound-control(client).
This version of unbound does DNSSEC validation also for queries received
with CD flag (from downstream validators). It returns the answer
regardless (it continues to support CD flag). But the DNSSEC validation
protects its cache from bogus data with failover to other authority
servers; this means that a downstream validator is more likely to find
'good' data here.

Features
* log-queries: yesno option, default is no, prints querylog.
* ignore-cd-flag: yesno to provide dnssec to legacy servers.
* Use -flto compiler flag for link time optimization, if supported.
* unbound-control has version number in the header, and uses port
  number registered with IANA, 8953.

Bug Fixes
* Fix Makefile for U in environment, since wrong U is more common
  than deansification necessity.
* defense in depth against the assertion failure bug fixed in
  1.4.10, an error is printed to log instead of an assertion failure.
* [bugzilla: 386] --enable-allsymbols option links all binaries to
  libunbound and reduces install size significantly.
* Fix TTL of SOA so negative TTL is separately cached from normal TTL.
* configure created with newer autoconf 2.66.
* [bugzilla: 378] Fix that configure checks for ldns_get_random
  presence.
* queries with CD flag set cause DNSSEC validation, but the answer
  is not withheld if it is bogus. Thus, unbound will retry if it is bad
  and curb the TTL if it is bad, thus protecting the cache for use by
  downstream validators.
* val-override-date: -1 ignores dates entirely, for NTP usage.
* harden-below-nxdomain: changed so that it activates when the
  cached nxdomain is dnssec secure. This avoids backwards incompatibility
  because those old servers do not have dnssec.
* statistics-interval prints the number of jostled queries to log.
* IPv6 service address for d.root-servers.net (2001:500:2D::D).
* updated ldns tarball to 1.6.10rc2 snapshot
* iana portlist updated.
Best regards,
Wouter