Hi,
Unbound 1.4.14 is released, get it here:
http://unbound.net/downloads/unbound-1.4.14.tar.gz
sha1 1435029abe63d0106213acb9f173b885183cf1d7
sha256 c15b85145e3175f3d933837071b4ffaae8da4a394139ac0e7f3dfee11712e7d3
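Verifying the download against the two digests above before unpacking it, as an added example (not part of the announcement or of the Unbound project): the sha1 and sha256 values are copied from the announcement, the tarball path is an assumption, and the helper falls back from coreutils sha*sum to perl's shasum for macOS/BSD hosts.

```shell
# Added example, not from the announcement: check a downloaded
# unbound-1.4.14.tar.gz against the published sha1 and sha256.
# The two digests are the ones printed in the announcement; the
# tarball path is an assumption (override with UNBOUND_TARBALL).
UNBOUND_TARBALL="${UNBOUND_TARBALL:-unbound-1.4.14.tar.gz}"
UNBOUND_SHA1="1435029abe63d0106213acb9f173b885183cf1d7"
UNBOUND_SHA256="c15b85145e3175f3d933837071b4ffaae8da4a394139ac0e7f3dfee11712e7d3"

# digest FILE BITS: print the hex SHA-1 (BITS=1) or SHA-256 (BITS=256)
# of FILE, using coreutils sha1sum/sha256sum where present and the
# perl shasum shipped with macOS and the BSDs otherwise.
digest() {
    file=$1; bits=$2
    if command -v "sha${bits}sum" >/dev/null 2>&1; then
        "sha${bits}sum" "$file" | awk '{print $1}'
    else
        shasum -a "$bits" "$file" | awk '{print $1}'
    fi
}

# verify_digest FILE BITS EXPECTED: succeed only when the computed digest
# equals EXPECTED; compared case-insensitively because announcements and
# tools do not agree on hex case.
verify_digest() {
    file=$1; bits=$2; expected=$3
    actual=$(digest "$file" "$bits") || return 1
    [ "$(printf '%s' "$actual" | tr 'A-F' 'a-f')" = \
      "$(printf '%s' "$expected" | tr 'A-F' 'a-f')" ]
}

# verify_unbound_tarball [FILE]: require BOTH published digests to match.
# Checking sha256 as well as sha1 matters because sha1 is the weaker of
# the two; a file that passes only one of them is still rejected.
verify_unbound_tarball() {
    file=${1:-$UNBOUND_TARBALL}
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    if verify_digest "$file" 1 "$UNBOUND_SHA1" &&
       verify_digest "$file" 256 "$UNBOUND_SHA256"; then
        echo "OK: $file matches the published sha1 and sha256"
    else
        echo "MISMATCH: do not unpack $file" >&2
        return 1
    fi
}
```

Usage: `verify_unbound_tarball /path/to/unbound-1.4.14.tar.gz`; a non-zero exit means the file is not the one the announcement describes and should not be unpacked or built.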
It contains a patch for VU#209659 CVE-2011-4528: Unbound denial of
service vulnerabilities from nonstandard redirection and denial of
existence. http://www.unbound.net/downloads/CVE-2011-4528.txt
Because of this, 1.4.14 is not identical to 1.4.14rc1: it has code
changes (this patch and some other fixes found during the review
process).
Major changes are: a new BSD-compatible makefile (usable with BSD
make); SSL-wrapped query support (for dnssec-trigger and for passing
firewalls; note that it does *not* check the actual SSL certificate at
this time); timeouts stored per zone name, for compatibility with
servers that drop queries for zones they do not serve; and EDNS1480
probes (or 12xx on IPv6) when EDNS0 fails, to work around fragmentation
issues more easily.
Features
- Makefile changed for BSD make compatibility.
- DNS over SSL support as a client; ssl-upstream: yes turns it on. It
performs an SSL transaction for every DNS query.
- DNS over SSL support as a server; ssl-service-pem and ssl-service-key
files can be given, and TCP queries are then serviced wrapped in SSL.
- The lame-ttl and lame-size options no longer exist; lameness is now
integrated with the host info. They are ignored (with a verbose
warning) if encountered, to keep config files backwards compatible.
- TCP-upstream calculates a tcp-ping so that server selection works if
there are alternatives.
- Unbound probes at EDNS1480 if there is an EDNS0 timeout.
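A minimal unbound.conf exercising the new SSL options on both sides, as an added example that is not from the Unbound project: only ssl-upstream, ssl-service-pem, ssl-service-key and tcp-upstream come from the feature list above; the certificate and key file names, the 192.0.2.1 forwarder and its @443 port are placeholders, and the shell wrapper exists so the file can be run through unbound-checkconf(8) where that is installed, with a rough line-shape check as the fallback.

```shell
# Added example, not Unbound's own code.  write_unbound_ssl_conf writes
# a config that uses the 1.4.14 SSL features; the file names, the
# 192.0.2.1 upstream and the @443 port are assumptions/placeholders.
write_unbound_ssl_conf() {
    out=$1                           # path of the unbound.conf to write
    upstream=${2:-192.0.2.1@443}     # SSL-speaking forwarder, host@port
    cat >"$out" <<EOF
server:
    interface: 127.0.0.1
    # Server side: with these two files given, TCP queries are serviced
    # wrapped in SSL (paths are placeholders).
    ssl-service-pem: "/etc/unbound/unbound_server.pem"
    ssl-service-key: "/etc/unbound/unbound_server.key"
    # Client side: every outgoing query becomes its own SSL transaction
    # to the forwarder, which gets it past firewalls that only pass 443.
    # CAVEAT from the release notes: 1.4.14 does NOT check the upstream
    # certificate, so this hides queries from a middlebox but does not
    # authenticate the forwarder.  tcp-upstream keeps the transport TCP.
    ssl-upstream: yes
    tcp-upstream: yes

forward-zone:
    name: "."
    forward-addr: $upstream
EOF
}

# check_unbound_conf FILE: run unbound-checkconf when available; without
# an Unbound install fall back to a rough shape check (every non-comment
# line is either a "section:" header or an indented "option: value").
check_unbound_conf() {
    conf=$1
    if command -v unbound-checkconf >/dev/null 2>&1; then
        unbound-checkconf "$conf"
    else
        ! grep -Ev '^[[:space:]]*(#|$)|^[a-z-]+:$|^[[:space:]]+[a-z0-9-]+: ' "$conf"
    fi
}
```

Usage: `write_unbound_ssl_conf /etc/unbound/unbound.conf 192.0.2.1@443 && check_unbound_conf /etc/unbound/unbound.conf`. Because the client side does not validate the certificate in this release, treat ssl-upstream here as a firewall-traversal and eavesdropping countermeasure only; it gives no assurance about who is answering.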
Bug Fixes
- Fix for VU#209659 CVE-2011-4528: Unbound denial of service
vulnerabilities from nonstandard redirection and denial of existence
http://www.unbound.net/downloads/CVE-2011-4528.txt
- Fix for tcp-upstream and ssl-upstream when a laptop sleeps, which
caused SERVFAILs. Also fixed for UDP (where it was less likely).
- Fix quartile time estimate, it was too low (thanks Jan Komissar).
- Fix double free in unbound-host, reported by Steve Grubb.
- Fix -flto detection on Lion for llvm-gcc.
- [bugzilla: 416 ] Infra cache stores information about ping and
lameness per IP and zone.
- [bugzilla: 415 ] Fix resolve of partners.extranet.microsoft.com, with
a fix for the server selection when choosing out of a (particular)
list of bad choices.
- Fix make_new_space function so that the incoming query is not
overwritten if a jostled-out query causes a waiting query to be
resumed that then fails and sends an error message. (Thanks to Matthew
Lee).
- Fix unbound-anchor for broken strptime on OSX Lion, detected in
configure.
- Detect if GOST really works; openssl 1.0 on OSX fails.
- Implement ipv6%interface notation for scope_id usage.
- Better documentation for inform_super (Thanks Yang Zhe).
- Fix for out-of-memory condition in libunbound (thanks Robert
Fleischman).
- Fix --enable-allsymbols, it depended on link specifics of the
target platform, or fptr_wlist assertion failures could occur. The
feature is disabled on windows.
- Updated contrib/unbound_munin_ to family=auto so that it works
with munin-node-configure automatically (if installed as
/usr/local/share/munin/plugins/unbound_munin_ ).
- unbound.exe -w Windows option to start and stop the service.
- Fix classification of the NS set in the answer section where there
is a parent-child server and the answer has the AA flag, for
dir.slb.com. Thanks to Amanda Constant from Secure64.
- [bugzilla: 408 ] Accept patch from Steve Snyder that comments out
unused functions in lookup3.c.
- Fix various compiler warnings (reported by Paul Wouters).
- Max sent count: EDNS1480 only for rtt < 5000; no promiscuous fetch
if sentcount > 3; stop the query if sentcount > 16. The count is reset
when a referral or CNAME happens. This makes Unbound better at managing
large NS sets: they are explored when there is continued interest (in
the form of queries).
- Remove uninit warning from cachedump code.
- Fix parse error on negative SOA RRSIGs if badly ordered in the packet.
- Fix infra cache comparison.
- Fix to constrain signer_name to be a parent of the lookupname.
- Robust checks for next-closer NSEC3s.
- IANA portlist updated.
Best regards,
Wouter