Unbound 1.4.18rc1 maintainers prerelease

Hi,

Unbound 1.4.18rc1 is available for download:
http://unbound.net/downloads/unbound-1.4.18rc1.tar.gz
sha1 e1d765195beddb5489029e7ad09d032ffd8563fd
sha256 110c19aa28b54b510b2b00941089e8d32fbb0e2320f1c657bdf3347d1d6f63d3

http://unbound.net/downloads/unbound_setup_1.4.18rc1.exe

This release has bugfixes, notably two assertion failures.

There is a build feature to build with libnss, but only to compile
libunbound, not the unbound daemon (because of its remote control
functions) at this time. You have to link with libldns compiled
--without-ssl, otherwise ldns links with openssl.

There is some support for FIPS-compliant mode, where it will
understand that some algorithms are not available; those DNSSEC
results are then marked 'insecure' (and not 'bogus').

Features
    implement log-time-ascii on windows.
    --with-libunbound-only build option, only builds the library and
not the daemon and other tools.
    --with-nss build option (for now, --with-libunbound-only), uses
libNSS for crypto operations.
    disable RSAMD5 if in FIPS mode (for openssl and for libnss).
    Add flush_bogus option for unbound-control.

Bug Fixes
    Fix libunbound report of errors when in background mode.
    [bugzilla: 454 ]
    Fix for ACX_CHECK_COMPILER_FLAG from configure.ac, if CFLAGS is
specified at configure time then '-g -O2' is not appended to CFLAGS,
so that the user can override them.
    FIPS_mode openssl does not use arc4random but RAND_pseudo_bytes.
    fix missing break for GOST DS hash function.
    implemented forward_first for the root.
    code review: return value of cache_store can be ignored for better
performance in out of memory conditions.
    patch for unbound_munin_ script to handle arbitrary thread count
by Sven Ulland.
    Fix validation of qtype DS queries that result in no data for
non-optout NSEC3 zones.
    fix edns-buffer-size and msg-buffer-size manpage documentation.
    fix error handling of alloc failure during rrsig verification.
    The key-cache bad key ttl is now 60 seconds.
    [bugzilla: 452 ]
    fix crash on assert in mesh_state_attachment. Fixes DS NS search
to not generate duplicate sub queries.
    silence warning from swig-generated code (md set but not used in
swig initmodule, due to ifdefs in swig-generated code).
    Fix debian-bugs-658021: Please enable hardened build flags.
    update iana ports list

Best regards,
   Wouter
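As an added illustration of the 'insecure, not bogus' rule described above (example code written for this page, not Unbound's validator): the decision a validating resolver makes when the DS records at a delegation use an algorithm or digest type its crypto library cannot verify, as happens with RSAMD5 once FIPS mode disables it. The algorithm and digest numbers are the IANA DNSSEC values; which other algorithms a FIPS build still offers is an assumption of the example, and the `verify` callback stands in for the real DNSKEY lookup and RRSIG check.

```python
"""How a validator classifies a child zone when the DS records at the
delegation use algorithms or digests the crypto library does not provide,
e.g. RSAMD5 under FIPS mode. Example written for this page, not Unbound's
own code. The rule is RFC 4035 section 5.2 (digest types added by RFC 6840):
a DS RRset containing no DS with a supported (algorithm, digest type) pair
makes the child zone 'insecure' (unsigned as far as this resolver can tell);
a usable DS whose chain then fails to verify makes it 'bogus'."""
from dataclasses import dataclass
from typing import Callable, Iterable

# DNSSEC algorithm numbers from the IANA registry.
RSAMD5, DSA, RSASHA1, RSASHA256, RSASHA512 = 1, 3, 5, 8, 10
# DS digest type numbers from the IANA registry.
DIGEST_SHA1, DIGEST_SHA256 = 1, 2


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int


def supported_algorithms(fips_mode: bool) -> frozenset:
    """Algorithms this (assumed) build can verify. In FIPS mode RSAMD5 is
    dropped, as the 1.4.18 notes describe; the rest of the set is an
    assumption of this example, not a statement about any real build."""
    algs = {RSAMD5, DSA, RSASHA1, RSASHA256, RSASHA512}
    if fips_mode:
        algs.discard(RSAMD5)
    return frozenset(algs)


SUPPORTED_DIGESTS = frozenset({DIGEST_SHA1, DIGEST_SHA256})


def classify_delegation(ds_set: Iterable[DS], fips_mode: bool,
                        verify: Callable[[DS], bool]) -> str:
    """Return 'secure', 'insecure' or 'bogus' for the zone below a delegation.

    `verify(ds)` stands in for the real work: find the child's DNSKEY that
    matches the DS digest and check the RRSIGs made with it. It is only
    consulted for DS records this build can actually use, which is exactly
    what keeps an unsupported algorithm from being reported as bogus."""
    usable = [ds for ds in ds_set
              if ds.algorithm in supported_algorithms(fips_mode)
              and ds.digest_type in SUPPORTED_DIGESTS]
    if not usable:
        # Nothing we can check: treat the child as unsigned, not as an attack.
        return "insecure"
    if any(verify(ds) for ds in usable):
        return "secure"
    # We had a usable DS and every signature chain through it failed.
    return "bogus"


# Constructed sample delegations: one signed with RSAMD5 only, one with both
# an RSAMD5 and an RSASHA256 key published in the parent.
MD5_ONLY = [DS(key_tag=1234, algorithm=RSAMD5, digest_type=DIGEST_SHA1)]
MIXED = [DS(key_tag=1234, algorithm=RSAMD5, digest_type=DIGEST_SHA1),
         DS(key_tag=5678, algorithm=RSASHA256, digest_type=DIGEST_SHA256)]
# Constructed verification outcomes keyed by key tag (no real crypto here).
GOOD_KEYS = {1234, 5678}


def verify_stub(ds: DS) -> bool:
    return ds.key_tag in GOOD_KEYS


if __name__ == "__main__":
    for fips in (False, True):
        print("fips" if fips else "normal",
              classify_delegation(MD5_ONLY, fips, verify_stub),
              classify_delegation(MIXED, fips, verify_stub))
```

The point to check in a real deployment is the first branch: an RSAMD5-only zone that validated as 'secure' before the FIPS switch should come back 'insecure' afterwards, and a zone that also publishes a supported DS should keep validating through that key.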

> Unbound 1.4.18rc1 is available for download:
>
> This release has bugfixes, notably two assertion failures.

Seems to package fine and work.

> There is some support for FIPS-compliant mode, where it will
> understand that some algorithms are not available, those DNSSEC
> results are then marked 'insecure' (and not 'bogus').

Note I've encountered resolving issues with this, but have not had
time to track these down further. Don't do this yet in production.
If you want to test fips mode, simply run (as root)

prelink -ua

then you can flip FIPS mode using these simple scripts, without
actually having to boot the system in real FIPS mode:

cat /usr/local/sbin/fipson
#!/bin/sh
# Fake "FIPS on": hide the kernel's real flag behind a bind-mounted file
# that reads 1, so libraries checking /proc/sys/crypto/fips_enabled switch
# to FIPS mode without a real FIPS boot. The umount clears a previous overlay.
sudo umount /proc/sys/crypto/fips_enabled >/dev/null 2>/dev/null
echo "1" > /tmp/fips_enabled
sudo mount --bind /tmp/fips_enabled /proc/sys/crypto/fips_enabled

cat /usr/local/sbin/fipsoff
#!/bin/sh
# Fake "FIPS off": same trick with a file that reads 0. Note this still
# leaves a bind mount in place; umount the path to see the kernel's value.
sudo umount /proc/sys/crypto/fips_enabled > /dev/null 2>/dev/null
echo "0" > /tmp/fips_enabled
sudo mount --bind /tmp/fips_enabled /proc/sys/crypto/fips_enabled

If you're going to span testing over days, remove the prelink package.
At least on Fedora/RHEL, there is a daily cronjob that will run prelink,
resulting in openssl and nss libraries failing the FIPS internal self
test.

Paul
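A helper that does what the fipson/fipsoff scripts above do, written for this page (it is not part of Unbound and not code from the post), with the checks a multi-day test session wants: whether an overlay is already mounted on the flag (parsed from /proc/self/mountinfo), what the flag currently reads, and a way to put the kernel's real value back. Assumptions of this example: Linux, root for mount/umount, and a scratch file under /run rather than /tmp, since /tmp is world-writable and root creating a fixed-name file there is a symlink hazard. Like the original scripts it only changes what userspace reads from the file; the kernel's actual FIPS state is untouched.

```python
"""Toggle the view of /proc/sys/crypto/fips_enabled for testing, in the
manner of the fipson/fipsoff scripts, with state checks. Example written
for this page, not part of Unbound. Linux only; mount/umount need root.
The kernel's real FIPS state is untouched: only what userspace reads from
the file changes."""
import os
import re
import subprocess
import sys

FIPS_FLAG = "/proc/sys/crypto/fips_enabled"   # the kernel's sysctl file
# Scratch file to bind-mount over it. Assumption of this example: /run
# (root-only tmpfs) instead of the world-writable /tmp used in the post,
# so another local user cannot plant a symlink at a fixed name there.
OVERLAY = "/run/fips_enabled.test"

# Constructed /proc/self/mountinfo excerpt (not captured from a real host)
# showing the state after fipson has run: field 5 is the mount point.
SAMPLE_MOUNTINFO = """\
24 1 0:22 / /proc rw,nosuid,nodev,noexec,relatime shared:12 - proc proc rw
67 24 0:39 /fips_enabled.test /proc/sys/crypto/fips_enabled rw shared:19 - tmpfs tmpfs rw
"""


def unescape_mountinfo(field: str) -> str:
    """mountinfo writes space, tab, newline and backslash as octal escapes."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def mounted_on(mountinfo_text: str, mount_point: str) -> bool:
    """True if some line of mountinfo_text has mount_point as its mount point
    (fields: id, parent, major:minor, root, mount point, options, ...)."""
    for line in mountinfo_text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and unescape_mountinfo(parts[4]) == mount_point:
            return True
    return False


def overlay_active(mount_point: str = FIPS_FLAG) -> bool:
    with open("/proc/self/mountinfo") as f:
        return mounted_on(f.read(), mount_point)


def parse_flag(text: str):
    """0/1 from the file contents, or None if it is not a number."""
    try:
        return int(text.strip())
    except ValueError:
        return None


def read_flag(path: str = FIPS_FLAG):
    """Integer the flag file reports, or None if missing or malformed."""
    try:
        with open(path) as f:
            return parse_flag(f.read())
    except OSError:
        return None


def set_fips_view(enabled: bool) -> None:
    """Make FIPS_FLAG read 1 or 0 by bind-mounting the scratch file over it.
    Idempotent: an existing overlay is removed first so mounts don't stack.
    O_NOFOLLOW refuses to write through a symlink planted at OVERLAY."""
    if overlay_active():
        subprocess.run(["umount", FIPS_FLAG], check=True)
    fd = os.open(OVERLAY, os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write("1\n" if enabled else "0\n")
    subprocess.run(["mount", "--bind", OVERLAY, FIPS_FLAG], check=True)


def restore_kernel_view() -> None:
    """Drop the overlay so FIPS_FLAG shows the kernel's real value again."""
    if overlay_active():
        subprocess.run(["umount", FIPS_FLAG], check=True)


if __name__ == "__main__":
    cmd = sys.argv[1] if len(sys.argv) > 1 else "status"
    if cmd == "on":
        set_fips_view(True)
    elif cmd == "off":
        set_fips_view(False)
    elif cmd == "restore":
        restore_kernel_view()
    elif cmd != "status":
        sys.exit(f"usage: {sys.argv[0]} on|off|restore|status")
    print(f"{FIPS_FLAG} reads {read_flag()}; overlay active: {overlay_active()}")
```

Run `status` before and after each toggle: the flag value tells you what OpenSSL and NSS will see at their next self-test, and "overlay active" tells you whether you are looking at the kernel's value or the scratch file.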

Hi,

Here is 1.4.18rc2, second release candidate, for download:
http://unbound.net/downloads/unbound-1.4.18rc2.tar.gz
sha1 3f959022b1d008f5e066bd6c2049c910e2f9cab0
sha256 2c262d2cb5f17ba35758f565cc4cd07d1ec3f739212b5d6c337ca37af24cbbf8

http://unbound.net/downloads/unbound_setup_1.4.18rc2.exe

This is identical to rc1, but fixes a bogus nodata cname chain which
was not reported as bogus by the validator (Thanks Peter van Dijk).

Best regards,
   Wouter

Hi,

Unbound 1.4.18 is released
http://unbound.net/downloads/unbound-1.4.18.tar.gz
sha1 b64b4c9f7981df4e7589ebb770a31352a09db3fb
sha256 b20f45ff90b944f306fc1875084af8ecba68ca0db16895148288d43cec225b8d

This release has bugfixes, notably two assertion failures. And fixes
a bogus nodata cname chain which was not reported as bogus by the
validator (Thanks Peter van Dijk).

Features
    implement log-time-ascii on windows.
    --with-libunbound-only build option, only builds the library and
not the daemon and other tools.
    --with-nss build option (for now, --with-libunbound-only), uses
libNSS for crypto operations.
    disable RSAMD5 if in FIPS mode (for openssl and for libnss).
    Add flush_bogus option for unbound-control.

Bug Fixes
    Fix libunbound report of errors when in background mode.
    [bugzilla: 454 ]
    Fix for ACX_CHECK_COMPILER_FLAG from configure.ac, if CFLAGS is
specified at configure time then '-g -O2' is not appended to CFLAGS,
so that the user can override them.
    FIPS_mode openssl does not use arc4random but RAND_pseudo_bytes.
    fix missing break for GOST DS hash function.
    implemented forward_first for the root.
    code review: return value of cache_store can be ignored for better
performance in out of memory conditions.
    patch for unbound_munin_ script to handle arbitrary thread count
by Sven Ulland.
    Fix validation of qtype DS queries that result in no data for
non-optout NSEC3 zones.
    fix edns-buffer-size and msg-buffer-size manpage documentation.
    fix error handling of alloc failure during rrsig verification.
    The key-cache bad key ttl is now 60 seconds.
    [bugzilla: 452 ]
    fix crash on assert in mesh_state_attachment. Fixes DS NS search
to not generate duplicate sub queries.
    silence warning from swig-generated code (md set but not used in
swig initmodule, due to ifdefs in swig-generated code).
    Fix debian-bugs-658021: Please enable hardened build flags.
    update iana ports list

Best regards,
   Wouter