Unbound 1.4.8 release

Hi,

Unbound 1.4.8 is available:
http://unbound.net/downloads/unbound-1.4.8.tar.gz
sha1 557a9c10de9a83f88cd7c66d44488f1cb65de4fa
sha256 5bf4060d2e778a1268498f4937583726d1d36909d7f40900ee31a722a64d506f

One major change in this release is fixed algorithm treatment. This was
fixed after long discussions on dnsext (IETF workgroup); it is more
lenient to allow easier key algorithm rollover, but at the same time
unbound still checks that the algorithms advertised (via trust anchor or
DS record) really work. In actual deployments changes happen if you have
multiple DNSKEY algorithms in trust anchors or published DS RRsets. It
would be good for our users to pick up this fix and implement it, so
that key algorithm rollover becomes easier on the internet.

Also fixed is 'imgw.pl'; many people reported this, and now unbound has
'bind-like' lenience for it.

Features

o harden-below-nxdomain config option, default off (because very old
  software may be incompatible). We could enable it by default in
  the future. From draft-vixie-dnsext-resimprove-00.
o typetransparent localzone: does not block other RR types.
o so-sndbuf option for very busy servers, a bit like so-rcvbuf.

Bug Fixes

o Fix so a changed NS RRset does not get a moved name stuck on the old
  server; for type NS the TTL is not increased.
o Fix prefetch so it does not get stuck on old server for moved names.
o Fix insecure CNAME sequence marked as secure, reported by Bert
  Hubert.
o faster lruhash get_mem routine.
o #346: remove ITAR scripts from contrib, the service is discontinued.
o Fix in infra cache that could cause rto larger than TOP_TIMEOUT
  kept.
o algorithm compromise protection using the algorithms signalled in
  the DS record. Also, trust anchors, DLV, and RFC5011 receive this,
  and thus, if you have multiple algorithms in your trust-anchor-file
  then it will now behave differently than before. Also, 5011 rollover
  for algorithms needs to be double-signature until the old algorithm
  is revoked.
o squelch 'tcp connect: bla' in logfile (set verbosity 2 to see
  them).
o fix validation in this case: CNAME to nodata for co-hosted opt-in
  NSEC3 insecure delegation, was bogus, fixed to be insecure.
o Fix our 'BDS' license (typo reported by Xavier Belanger).
o #338: print address when socket creation fails.
o Fix storage of EDNS failures in the infra cache.
o silence 'tcp connect: broken pipe' and 'net down' at low verbosity.
o unbound-anchor compiles with openssl 0.9.7.
o Be lenient and accept imgw.pl malformed packet (like BIND).
o the included ldns tarball is updated (to 1.6.8).
o iana portlist updated.

Best regards,
   Wouter

I spotted one issue too late.

The contrib/unbound_munin_ is still broken. It contains:

: <<=cut
=head1 NAME

unbound_munin_ - Munin plugin to monitor the Unbound DNS resolver.

=head1 APPLICABLE SYSTEMS

System with unbound daemon.

=head1 CONFIGURATION

   [unbound*]
   user root
   env.statefile /usr/local/var/munin/plugin-state/unbound-state
   env.unbound_conf /usr/local/etc/unbound/unbound.conf
   env.unbound_control /usr/local/sbin/unbound-control
   env.spoof_warn 1000
   env.spoof_crit 100000

Use the .env settings to override the defaults.

=head1 USAGE

Can be used to present different graphs. Use ln -s for that name in
the plugins directory to enable the graph.
unbound_munin_hits - base volume, cache hits, unwanted traffic
unbound_munin_queue - to monitor the internal requestlist
unbound_munin_memory - memory usage
unbound_munin_by_type - incoming queries by type
unbound_munin_by_class - incoming queries by class
unbound_munin_by_opcode - incoming queries by opcode
unbound_munin_by_rcode - answers by rcode, validation status
unbound_munin_by_flags - incoming queries by flags
unbound_munin_histogram - histogram of query resolving times

=head1 AUTHOR

Copyright 2008 W.C.A. Wijngaards

=head1 LICENSE

BSD

=cut

This has to be removed before this file can be used or it will cause problems.
Specifically, it causes so many errors without a /usr/local/var that munin-node
can end up using 200G of disk space in /var/log/munin/munin-node.log within 24h,
i.e. before logrotate has had a chance to remove the junk from disk.

For the next version, can this section be placed in full comments using "#"?

Thanks,

Paul


Hi Paul,

I use this syntax regularly in my own munin plugins, and see no issues
or errors with it. Also, most munin packaged plugins contain this syntax
for documentation, as it is promoted by munin developers.

Could you explain what errors you are seeing, and what implementation of
/bin/sh you are using? As said, no issues here with /bin/sh provided by
bash 4 on linux.

The only (minor) issue that I see with the packaged file is that it
would be nice if default paths to unbound-control et al. would be set to
the paths used in the install, instead of hardcoding them to a default
that most unbound users probably do not use.

> I use this syntax regularly in my own munin plugins, and see no issues
> or errors with it. Also, most munin packaged plugins contain this syntax
> for documentation, as it is promoted by munin developers.
>
> Could you explain what errors you are seeing, and what implementation of
> /bin/sh you are using? As said, no issues here with /bin/sh provided by
> bash 4 on linux.

This was using bash from EL-5, bash-3.2-24.el5

> The only (minor) issue that I see with the packaged file is that it
> would be nice if default paths to unbound-control et al. would be set to
> the paths used in the install, instead of hardcoding them to a default
> that most unbound users probably do not use.

I no longer have the 200G of logs. The last one I now see is path related:

/etc/munin/plugins/unbound_munin_hits: line 151: /usr/local/var/munin/plugin-state/unbound-state.lock: No such file or directory

The munin log file would generate like 32MB of this within a few minutes,
hence our logrotate issues within 24h filling up a 200G partition.

I'll retest with the uncommented blob and just the paths fixed.

Paul
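An added example, not the contrib/unbound_munin_ plugin itself, covering the two points raised in this thread: the ': <<=cut' construct that embeds POD documentation in a shell script is a no-op for any POSIX /bin/sh (the ':' builtin consumes the heredoc up to the '=cut' line), and the error Paul quotes comes from the plugin writing a lock file under a hardcoded /usr/local/var path that does not exist on his system, once per munin-node poll until the log fills the disk. The check_state_dir, acquire_lock and release_lock functions are hypothetical; they show how a plugin can verify its state directory once and fail with a single message instead of erroring on every run. The example assumes munin exports the env.statefile setting to the plugin as the environment variable statefile.

```shell
#!/bin/sh
# Added example (not the contrib/unbound_munin_ plugin): embedded POD as a
# shell no-op, plus a state-directory check that fails once, cleanly.

: <<=cut
=head1 NAME

example_munin_plugin - illustrates embedded POD in a shell plugin.

=cut
# ":" is the no-op builtin; "<<=cut" feeds it everything up to the line
# "=cut" as a heredoc, so the POD above is never executed.

# Munin passes env.statefile from the plugin config as $statefile.
# The hardcoded fallback mirrors the contrib plugin's default path.
statefile="${statefile:-/usr/local/var/munin/plugin-state/unbound-state}"

# check_state_dir DIR
# Returns 0 if DIR exists and is writable, 1 otherwise, with one diagnostic.
check_state_dir() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "state directory $dir does not exist (set env.statefile)" >&2
        return 1
    fi
    if [ ! -w "$dir" ]; then
        echo "state directory $dir is not writable" >&2
        return 1
    fi
    return 0
}

# acquire_lock STATEFILE
# Creates STATEFILE.lock only after the directory check passed.
# Returns 0 on success, 1 if the directory is unusable, 2 if already locked.
acquire_lock() {
    check_state_dir "$(dirname "$1")" || return 1
    lock="$1.lock"
    # noclobber (set -C) makes ">" fail if the lock already exists,
    # so creation is atomic and a concurrent run is refused.
    ( set -C; : > "$lock" ) 2>/dev/null || return 2
    return 0
}

# release_lock STATEFILE
release_lock() {
    rm -f "$1.lock"
}

main() {
    # 1. Report the configured default once; do not proceed to the lock file.
    if check_state_dir "$(dirname "$statefile")"; then
        echo "default state dir OK"
    else
        echo "default state dir unusable: fix env.statefile before enabling"
    fi
    # 2. Demonstrate locking in a throwaway directory (constructed for the demo).
    tmp=$(mktemp -d)
    acquire_lock "$tmp/unbound-state" && echo "lock acquired"
    acquire_lock "$tmp/unbound-state" || echo "second acquire refused (status $?)"
    release_lock "$tmp/unbound-state"
    rm -rf "$tmp"
}

main
```

Running this on a host without /usr/local/var prints one line about the unusable default instead of the repeated "No such file or directory" from the plugin's lock-file line; pointing env.statefile at an existing directory makes the first check pass and the lock demonstration behaves as on a correctly installed system.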