Unbound 1.6.0 has a number of features and bugfixes: more extensible
EDNS support; views and local-zone tags, which provide more feature-rich
filtering options, with CNAME support; and SSL configuration options to
turn on DNS over TLS for particular parts of the namespace.
Features
- Added generic EDNS code for registering known EDNS option codes,
bypassing the cache response stage and uniquifying mesh states. Four
EDNS option lists were added to module_qstate
(module_qstate.edns_opts_*) to store EDNS options from/to front/back side.
- Added two flags to module_qstate (no_cache_lookup, no_cache_store)
that control the modules' cache interactions.
- Added code for registering inplace callback functions. The registered
functions can be called just before replying with local data or Chaos,
replying from cache, replying with SERVFAIL, replying with a resolved
query, sending a query to a nameserver. The functions can inspect the
available data and maybe change response/query related data (i.e. append
EDNS options).
- Updated Python module for the above.
- Updated Python documentation.
- Added views functionality.
- Added qname-minimisation-strict config option.
- Patch that resolves CNAMEs entered in local-data conf statements that
point to data on the internet, from Jinmei Tatuya (Infoblox).
- serve-expired config option: serve expired responses with TTL 0.
- .gitattributes line for GitHub's code language display.
- log-identity: config option to set the syslog identity, patch from "Robin
H. Johnson" (robbat2@gentoo.org).
- Added stub-ssl-upstream and forward-ssl-upstream options.
- Added local-zones and local-data bulk addition and removal
functionality in unbound-control (local_zones, local_zones_remove,
local_datas and local_datas_remove).
- g.root-servers.net has AAAA address.
Bug Fixes
- Fix #836: unbound could echo back EDNS options in an error response.
- Fix #838: 1.5.10 cannot be built on Solaris, undefined PATH_MAX.
- Fix #839: Memory grows unexpectedly with large RPZ files.
- Fix #840: infinite loop in unbound_munin_ plugin on unowned lockfile.
- Fix #841: big local-zones make it consume large amounts of memory.
- Fix dnstap relaying "random" messages instead of resolver/forwarder
responses, from Nikolay Edigaryev.
- Fix Nits for 1.5.10 reported by Dag-Erling Smorgrav.
- Fix #1117: spelling errors, from Robert Edmonds.
- iana portlist update.
- fix memory leak (logfile) when in debug mode.
- Re-fix #839 from view commit overwrite.
- Fixup const void cast warning.
- Removed patch comments from acllist.c and msgencode.c.
- Added documentation doc/CNAME-basedRedirectionDesignNotes.pdf, from
Jinmei Tatuya (Infoblox).
- Fix #1125: unbound could reuse an answer packet incorrectly for
clients with different EDNS parameters, from Jinmei Tatuya.
- Fix #1118: libunbound.pc sets strange Libs, Libs.private values.
- Added Requires line to libunbound.pc
- Fix #1130: whitespace in example.conf.in more consistent.
- suppress compile warning in lex files.
- init lzt variable, for older gcc compiler warnings.
- fix --enable-dsa to work, instead of copying ecdsa enable.
- Fix DNSSEC validation of query type ANY with DNAME answers.
- Fixup query_info local_alias init.
- Ported tests for local_cname unit test to testbound framework.
- Fix #1134: unbound-control set_option -- val-override-date: -1 works
immediately to ignore datetime, or back to 0 to enable it again. The --
is to ignore the '-1' as an option flag.
- Patch for server.num.zero_ttl stats for count of expired replies, from
Pavel Odintsov.
- Fix failure to build on arm64 with no sbrk.
- Set OpenSSL security level to 0 when using aNULL ciphers.
- configure detects ssl security level API function in the autoconf
manner. Every function on its own, so that other libraries (eg.
LibreSSL) can develop their API without hindrance.
- Fix #1154: segfault when reading config with duplicate zones.
- Note that for harden-below-nxdomain the nxdomain must be secure, this
means nsec3 with optout is insufficient.
- Fix #1155: test status code of unbound-control in 04-checkconf, not
the status code from the tee command.
- Fix #1158: reference RFC 8020 "NXDOMAIN: There Really Is Nothing
Underneath" for the harden-below-nxdomain option.
- patch from Dag-Erling Smorgrav that removes code that relies on sbrk().
- Make access-control-tag-data RDATA absolute. This makes the RDATA
origin consistent between local-data and access-control-tag-data.
- Fix NSEC ENT wildcard check. Matching wildcard does not have to be a
subdomain of the NSEC owner.
- QNAME minimisation uses QTYPE=A, therefore always check cache for this
type in harden-below-nxdomain functionality.
- Added unit test for QNAME minimisation + harden below nxdomain synergy.
- Fix that with openssl 1.1 control-use-cert: no uses less cpu, by using
no encryption over the unix socket.
- hyphen as minus fix, by Andreas Schulze
- Fix #1170: document that 'inform' local-zone uses local-data.
- Fix #1173: differ local-zone type deny from unset tag_actions element.
- Add DSA support for OpenSSL 1.1.0.
- Fix remote control without cert for LibreSSL
- Fix downcast warnings from visual studio in sldns code.
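As an added example (it is not part of the announcement or of the Unbound project's own documentation), here is a minimal unbound.conf that turns on several of the 1.6.0 options named above, with DNS over TLS limited to one part of the namespace. The upstream address 192.0.2.53, the zone example.internal. and the trust-anchor path are placeholders.

```conf
# Added example, not from the release notes or the Unbound project.
# Addresses, zone names and paths are placeholders.
server:
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow

    # DNSSEC validation. In 1.6.0 ssl-upstream only encrypts the
    # transport and does not authenticate the upstream's certificate,
    # so for signed zones validation is what authenticates the data.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Send minimal QNAMEs upstream and, with the new strict option, do
    # not fall back to the full name when a nameserver misbehaves
    # (some broken zones will then fail to resolve).
    qname-minimisation: yes
    qname-minimisation-strict: yes

    # RFC 8020: a validated (secure) NXDOMAIN for a name also covers
    # the names below it. NSEC3 opt-out proofs are not enough for this.
    harden-below-nxdomain: yes

    # Serve stale records with TTL 0 while a refresh is not possible.
    # Caveat: a record stays servable until it can be refreshed, so an
    # upstream outage extends the life of a possibly withdrawn record.
    serve-expired: yes

# Only example.internal. goes to the corporate resolver over TLS on
# port 853 (RFC 7858); everything else is resolved normally.
forward-zone:
    name: "example.internal."
    forward-addr: 192.0.2.53@853
    forward-ssl-upstream: yes
```

Run unbound-checkconf on the file before reloading; the upstream named in forward-addr must itself accept DNS over TLS on the given port, otherwise queries for that zone will fail rather than fall back to plain DNS.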
Fantastic improvement, thanks Wouter and everybody else that made this possible.
A couple questions from an unbound noob regarding the new features, bear with me please:
“Added two flags to module_qstate”, does this mean that a python plugin now could intercept a request before it’s served by cache and override it? We need to override some domains differently for different parts of the org and right now I’m running two diff unbounds because my understanding was that if the answer was cached after group1 hit the domain for example, that would be served to group2 too because their python script would never be called since no resolution was necessary. Does this new feature change this?
“Added views functionality.” does this change the above completely in terms of serving different As to different part of the orgs? how does this compare to say Bind’s views? or am I misunderstanding entirely what you mean with views here?
“Patch that resolves CNAMEs entered in local-data” , this mentions “hosts on the internet”, does that mean it’s still not possible to have CNAMEs for local-data to local servers? I understand unbound is not an authoritative server and I like that design choice, but I do maintain a few pointers for internal infrastructure and would be nice to be able to do everything with unbound without running bind.
thanks again to everybody who worked on this, the rest of us really appreciate it.
Fantastic improvement, thanks Wouter and everybody else that made this
possible.
A couple questions from an unbound noob regarding the new features, bear
with me please:
- "Added two flags to module_qstate", does this mean that a python
plugin now could intercept a request before it's served by cache and
override it? We need to override some domains differently for different
parts of the org and right now I'm running two diff unbounds because my
understanding was that if the answer was cached after group1 hit the
domain for example, that would be served to group2 too because their
python script would never be called since no resolution was necessary.
Does this new feature change this?
A module (C or Python) can now dictate that the Unbound cache should be
bypassed when receiving queries containing the EDNS options registered
by the module. This makes the module responsible for doing the cache
lookup. If you disable cache lookup and don't implement the cache lookup
in your module, you won't use any cache at all!
In your case you would be better off using local-zones and local-data
with tags, or views, to do the overrides based on client addresses.
- "Added views functionality." does this change the above completely in
terms of serving different As to different part of the orgs? how does
this compare to say Bind's views? or am I misunderstanding entirely what
you mean with views here?
A view in Unbound is a named list of configuration options. The
currently supported view configuration options are local-zone and
local-data. Mapping a view to a client can be done using the
access-control-view element.
- "Patch that resolves CNAMEs entered in local-data" , this mentions
"hosts on the internet", does that mean it's still not possible to have
CNAMEs for local-data to local servers? I understand unbound is not an
authoritative server and I like that design choice, but I do maintain a
few pointers for internal infrastructure and would be nice to be able to
do everything with unbound without running bind.
You would like Unbound to also give the local-data record for the domain
the local-data CNAME is pointing to? That is not yet possible, but an
interesting idea!
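An added example, not from this thread or from the Unbound project, of the two mechanisms described in the answer above: a view per client netblock, and tagged local-zones with per-netblock actions. Because local zones are answered before the cache is consulted, one group's answer is never served from cache to the other group. It also shows a more specific local-zone overriding its parent, which is how a single name under a blocked zone is kept resolvable. All netblocks, names and addresses are invented.

```conf
# Added example, not from this thread or the Unbound project.
# Netblocks, zone names and addresses are invented.
server:
    interface: 0.0.0.0
    access-control: 10.1.0.0/16 allow
    access-control: 10.2.0.0/16 allow

    # Views: a named list of local-zone/local-data, chosen by client IP.
    access-control-view: 10.1.0.0/16 engineering
    access-control-view: 10.2.0.0/16 office

    # Tags: one zone list, with per-netblock action and data.
    # A tagged local-zone applies only to clients whose netblock
    # carries one of its tags; an untagged local-zone applies to all.
    define-tag: "eng office"
    access-control-tag: 10.1.0.0/16 "eng"
    access-control-tag: 10.2.0.0/16 "office"

    # Refuse everything under blocked.example. for the office group
    # only. The most specific local-zone wins, so sub.blocked.example.
    # (transparent) keeps resolving for office clients as well, and
    # engineering clients never match these tagged zones at all.
    local-zone: "blocked.example." transparent
    local-zone-tag: "blocked.example." "office"
    access-control-tag-action: 10.2.0.0/16 "blocked.example." refuse
    local-zone: "sub.blocked.example." transparent
    local-zone-tag: "sub.blocked.example." "office"

    # Static zone for the LAN. A local-data CNAME that points at a name
    # on the internet is now followed; a CNAME to another local-data
    # name is not (see the answer above).
    local-zone: "mylan." static
    local-data: "nagios.mylan. A 10.1.0.10"
    local-data: "printer.mylan. A 10.1.0.11"
    local-data: "docs.mylan. CNAME docs.example.net."

view:
    name: "engineering"
    local-zone: "git.corp.example." redirect
    local-data: "git.corp.example. A 10.1.0.20"
    view-first: yes   # fall back to the global local-zones above

view:
    name: "office"
    local-zone: "git.corp.example." redirect
    local-data: "git.corp.example. A 10.2.0.20"
    view-first: yes
```

Check the result with unbound-checkconf and, once running, unbound-control list_local_zones, then query from a host in each netblock. Note that the group a client lands in is decided purely by its source address, which is spoofable over UDP, so this is a split-horizon policy mechanism, not an access control that protects secret data.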
A module (C or Python) can now dictate that the Unbound cache should be
bypassed when receiving queries containing the EDNS options registered
by the module. This makes the module responsible for doing the cache
lookup. If you disable cache lookup and don't implement the cache lookup
in your module, you won't use any cache at all!
Did you mean that somehow I could change that code to ignore the cache? I thought that module wasn’t called to begin with if the cache had a hit, which is my problem to begin with. At the same time I’m not sure I wanna run that python script every single request even when there’s a cache hit available.
am I making any sense?
In your case you would be better off using local-zones and local-data
with tags, or views, to do the overrides based on client addresses.
unfortunately in some cases I need inverted regexps/whitelists, for example allow sub.domain.tld but otherwise block *.domain.tld. As far as I could see you can’t do that with local-data.
A view in Unbound is a named list of configuration options. The
currently supported view configuration options are local-zone and
local-data. Mapping a view to a client can be done using the
access-control-view element.
thanks for clarifying this.
You would like Unbound to also give the local-data record for the domain
the local-data CNAME is pointing to? That is not yet possible, but an
interesting idea!
Just to be clear, let me try with a simple example. We run a small lan with just a few nodes I need dns for. I don’t really wanna run bind/an auth dns if I can avoid it and unbound works just fine for 90% of the use cases, ie nagios.mylan , printer.mylan, etc. In some cases however I would like to have also cnames such that monitor.mylan → nagios.mylan. I could of course implement this with an A record, pointing monitor.mylan to the same ip as nagios does (and I’m doing that right now), but it’s error prone and with the rate that things are changing here I’d rather use CNAMEs.
A module (C or Python) can now dictate that the Unbound cache should be
bypassed when receiving queries containing the EDNS options registered
by the module. This makes the module responsible for doing the cache
lookup. If you disable cache lookup and don't implement the cache lookup
in your module, you won't use any cache at all!
Did you mean that somehow I could change that code to ignore the cache?
I thought that module wasn't called to begin with if the cache had a
hit, which is my problem to begin with. At the same time I'm not sure I
wanna run that python script every single request even when there's a
cache hit available.
am I making any sense?
The rationale for the module-triggered skip-cache-lookup option is that
there are use cases in which different caches are needed based on the
EDNS option in the query. The module that dictates the cache bypassing
should cache the answers in some way.
This does not seem to be the case for you. You can do this using local
zones, which are handled before the cache lookup. Also see Wouter's
answer for an example.
Brilliant, thank you Wouter for your insight, this is enough to get us off of the python module at least on half of our instances. I’ve clearly still much to learn about unbound and how to leverage its power.
For some other cases however in the python script I’m using simple regexps and I’m wondering if there is any way to use wildcards in the local-zone string. So, following from your example, could I do something like: