Unbound 1.6.1rc1 prerelease

Hi,

Unbound 1.6.1rc1 is available:
http://www.unbound.net/downloads/unbound-1.6.1rc1.tar.gz
sha256 b741673993f84bca2409c9097f056964ea198682aa9d714f1f3dce0cac9f61b7
pgp http://www.unbound.net/downloads/unbound-1.6.1rc1.tar.gz.asc
http://www.unbound.net/downloads/unbound-1.6.1rc1.zip
http://www.unbound.net/downloads/unbound-1.6.1rc1.zip.asc
http://www.unbound.net/downloads/unbound_setup_1.6.1rc1.exe
http://www.unbound.net/downloads/unbound_setup_1.6.1rc1.exe.asc

This is the maintainers' prerelease.

This release has the 2017 root trust anchor in unbound-anchor. Previous
versions should work equally well during root key rollover. In this new
version, the UDP initialisation attempt will be able to be successful,
instead of having to fall back to fetching the XML.

Compile time changes are --enable-systemd for systemd integration, and
contrib/libunbound.pc for pkg-config integration (introduced in 1.6.0)
that could be used by packagers. The libunbound API has changed
slightly: the callback typedef does not end in _t, to make the include
file POSIX compliant.

Features
- configure --enable-systemd and lets unbound use systemd sockets if you
enable use-systemd: yes in unbound.conf. Also there are
contrib/unbound.socket and contrib/unbound.service: systemd files for
unbound, install them in /usr/lib/systemd/system. Contributed by Sami
Kerola and Pavel Odintsov.
- [bugzilla: 1185 ]
  Source IP rate limiting, patch from Larissa Feng.
- [bugzilla: 1184 ]
  Log DNS replies. This includes the same logging information as DNS
queries, plus response code and response size, patch from Larissa Feng.
- Include root trust anchor id 20326 in unbound-anchor.
- 64bit is default for windows builds.

Bug Fixes
- [bugzilla: 1176 ]
  Fix stack size too small for Alpine Linux.
- Fix unbound-control and ipv6 only.
  [bugzilla: 1182 ]
- Fix Resource leak (socket), at startup.
  [bugzilla: 1178 ]
- Fix attempt to fix setup error at end, pop result values at end of
install.
- iana portlist update
- Fix inet_ntop and inet_pton warnings in windows compile.
- [bugzilla: 1191 ]
  Fix remove comment about view deletion.
- [bugzilla: 1188 ]
  Fix unresolved symbol 'fake_dsa' in libunbound.so when built with Nettle
- [bugzilla: 1190 ]
  Fix to not echo back EDNS options in local-zone error response.
- [bugzilla: 1194 ]
  Fix if cross build fails when $host isn't `uname` for getentropy.
- Fix reload chdir failure when also chrooted to that directory.
- Fix to return formerr for queries for meta-types, to avoid packet
amplification if this meta-type is sent on to upstream.
- [bugzilla: 1201 ]
  Fix missing unlock in answer_from_cache error condition.
- [bugzilla: 1202 ]
  Fix code comment that packed_rrset_data is not always 'packed'.
- Fix to also block meta types 128 through to 248 with formerr.
- [bugzilla: 1206 ]
  Fix that some view-related commands are missing from 'unbound-control -h'
- Fix to rename ub_callback_t to ub_callback_type, because POSIX
reserves _t typedefs.
- Fix to rename internally used types from _t to _type, because _t type
names are reserved by POSIX.
- Increase MAX_MODULE to 16.
- [bugzilla: 1211 ]
  Fix can't enable interface-automatic if no IPv6 with more helpful
error message.
- fix root_anchor test for updated icannbundle.pem lower certificates.
- Fix compile on solaris of the fix to use $host detect.
- Fix for type name change and fix warning on windows compile.

Best regards, Wouter

Hi Wouter,

Thanks for this new RC!

Looking at the unbound.conf man page, I see that the socket support is
for socket activation. I know that the systemd people think that is
all cool and stuff, but I really don't know if this is appropriate
for various daemons, especially DNS. Any service requiring DNS will
pretty much block until it gets a DNS answer.

I don't think pointing resolv.conf to something not running yet is
a swell idea either. Much better to confirm the DNS server is working
before pointing resolv.conf at it.

And what is port 1153 used for? According to IANA this port is used
for transporting ANSI C12.22/IEEE 1703/MC12.22 Advanced Metering
Infrastructure (AMI) Application Layer Messages on an IP network as
per RFC-6142. I don't think unbound should be using that port.

c1222-acse 1153/tcp # ANSI C12.22 Port

Also, the port is > 1024, so that makes me doubly reserved about
unbound as a daemon running on that port. Any user could grab that
port. I'm not clear on the security implications of that.

If you really want to ship an unbound service file, I think this one
that is used by rhel/fedora is much better, as it also deals with
not restarting and failing on a bad configuration file, trying to
update the DNSSEC root key before starting, and generating the keys
and certs to use unbound-control properly.

[Unit]
Description=Unbound recursive Domain Name Server
After=network.target
After=unbound-keygen.service
Wants=unbound-keygen.service
Wants=unbound-anchor.timer
Before=nss-lookup.target
Wants=nss-lookup.target

[Service]
Type=simple
EnvironmentFile=-/etc/sysconfig/unbound
ExecStartPre=/usr/sbin/unbound-checkconf
ExecStartPre=-/usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem
ExecStart=/usr/sbin/unbound -d $UNBOUND_OPTIONS
ExecReload=/usr/sbin/unbound-control reload

[Install]
WantedBy=multi-user.target

Paul

Any new build dependencies introduced compared to 1.6.0 which I should add to .spec files?

I'm asking because my OBS build fails (which works for 1.6.0):

https://build.opensuse.org/package/live_build_log/home:stroeder:branches:server:dns/unbound/openSUSE_Tumbleweed/x86_64

Ciao, Michael.

Hi Michael,

Unbound 1.6.1rc1 is available:

Any new build dependencies introduced compared to 1.6.0 which I
should add to .spec files?

I'm asking because my OBS build fails (which works for 1.6.0):

Thank you for the build log. I have made two fixes, in dnstap and
pythonmod, for that. I'll make an rc2 shortly for the fix for pythonmod.

Best regards, Wouter


Hi,

Unbound 1.6.1rc2 is available:
https://www.unbound.net/downloads/unbound-1.6.1rc2.tar.gz
sha256 5dc7d2df247aa75c0c335529bc36bff8540056cd860c7d6289f54141e8b1b9f8
pgp https://www.unbound.net/downloads/unbound-1.6.1rc2.tar.gz.asc
https://www.unbound.net/downloads/unbound-1.6.1rc2.zip
https://www.unbound.net/downloads/unbound-1.6.1rc2.zip.asc
https://www.unbound.net/downloads/unbound_setup_1.6.1rc2.exe
https://www.unbound.net/downloads/unbound_setup_1.6.1rc2.exe.asc

Changes are fixes for dnstap and pythonmod at compile time.

Best regards, Wouter

I can confirm that 1.6.1rc2 with your fixes builds and works.

Thanks for your quick fix.

Ciao, Michael.

That fixed the issues on fedora and it now compiles properly.

Paul

Hi,

Is there anything in the workflow to include my patch for statistics using SHM?

Hi Luiz,

Hi,

Is there anything in the workflow to include my patch for statistics
using SHM?

Yes, I would like to get the diff file for that patch. Lower CPU usage
is nice, and SHM is an interesting construction. Can you send me the
diff; or link to the github pull/push thingy that contains the diff (or
the newest diff if you updated it recently)?

Depending on how invasive this is, I can put it in the mainline code
(optional) or it can be a patch that is available to other users in the
contrib directory.

Although there may be an rc3 because of pkg-config vs autoconf problems,
I don't want to introduce features in rc3; so it'd be there for the
subsequent release.

Best regards, Wouter

Hi,
I don't know if it's relevant, but in January I sent a message to the mailing list
about this.

http://unbound.net/pipermail/unbound-users/2017-January/004626.html

Yes, I would like to get the diff file for that patch. Lower CPU usage
is nice, and SHM is an interesting construction. Can you send me the
diff; or link to the github pull/push thingy that contains the diff (or
the newest diff if you updated it recently)?
. . .
I put my changes here. https://github.com/softov/unbound

This branch is 1 commit ahead, 12 commits behind NLnetLabs:master.

But, if you need, I can make the update.

Depending on how invasive this is, I can put it in the mainline code
(optional) or it can be a patch that is available to other users in the
contrib directory.

As I said before.

This makes 2 SHM instances, and I am using the stats-interval timer to fill the memory.

I have some daemons reading these stats with shmget each second.
It's been a few weeks since I launched the last release with these changes for my clients.

I have ~2400 clients running my OS, called FreeBRS - Free BrByte Routing System,
which is a release based on FreeBSD.
For those clients, the average number of requests is between 50 and 1500 per second.

In all clients, the CPU consumption is 0%, while using my own daemon,
which uses SSL over a TCP connection like unbound-control,
the CPU increases ~3% in my daemon and ~2.5% in unbound.


Although there may be an rc3 because of pkg-config vs autoconf problems,
I don’t want to introduce features in rc3; so it’d be there for the
subsequent release.

I think there is more to do about it, like:
1 - setting variables in conf (I don't know how)

  • shm-key: number
  • shm-enabled: yes or no
    Maybe
  • shm-interval: number; if 0 or null, shm will be filled in the timer
    of stat-interval, like I have made; > 0 will create a reserved timer,
    and I don't know how to interact with the base or how much I can change
    because, you know, using threads this can create problems

2 - reset shared memory - zero-fill values
3 - A header file.h to be referenced in the binary that is reading this info,
like a file with the struct etc.

For now, I only need the conf options, and I don't know how to make those.

It will be my pleasure to help you in some way.
Unbound has been helping the community a lot.
Here in Brazil, it's used by about 80% of the ISPs.

Thanks for the reply.
Best regards, Softov

Hi,

Unbound 1.6.1rc3 is available:
https://www.unbound.net/downloads/unbound-1.6.1rc3.tar.gz
sha256 25707d44125d93973e76efac798d1465d805647f601dad019df302e7cab1a6a7
pgp https://www.unbound.net/downloads/unbound-1.6.1rc3.tar.gz.asc
https://www.unbound.net/downloads/unbound-1.6.1rc3.zip
https://www.unbound.net/downloads/unbound-1.6.1rc3.zip.asc
https://www.unbound.net/downloads/unbound_setup_1.6.1rc3.exe
https://www.unbound.net/downloads/unbound_setup_1.6.1rc3.exe.asc

Fixed the --enable-systemd configure script contents. Some ports
distributions (eg FreeBSD) rerun autoconf; and the pkg-config dependency
of --enable-systemd was also present when it was not selected. Now,
only when enabled.

Best regards, Wouter

Still compiled successfully on all architectures

Paul

compiled Debian Jessie+Stretch without warnings.
"log-replies:yes" is cool :-)

Andreas

W.C.A. Wijngaards wrote:

Unbound 1.6.1rc3 is available:
https://www.unbound.net/downloads/unbound-1.6.1rc3.tar.gz

Hi,

I notice that unbound-anchor from 1.6.1rc3 produces two DSes when run
with "-F" (one for KSK-2010, one for KSK-2017), but it only produces a
single DNSKEY when run without "-F". Is this intentional?

edmonds@chase{0}:/tmp/u/unbound-1.6.1rc3$ rm -f anchor.out; ./unbound-anchor -a anchor.out; cat anchor.out
; autotrust trust anchor file
;;id: . 1
;;last_queried: 1487455039 ;;Sat Feb 18 16:57:19 2017
;;last_success: 1487455039 ;;Sat Feb 18 16:57:19 2017
;;next_probe_time: 1487494910 ;;Sun Feb 19 04:01:50 2017
;;query_failed: 0
;;query_interval: 43200
;;retry_time: 8640
. 172800 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ;{id = 19036 (ksk), size = 2048b} ;;state=2 [ VALID ] ;;count=0 ;;lastchange=1487455039 ;;Sat Feb 18 16:57:19 2017
edmonds@chase{0}:/tmp/u/unbound-1.6.1rc3$ rm -f anchor.out; ./unbound-anchor -F -a anchor.out; cat anchor.out
; created by unbound-anchor on Sat Feb 18 16:57:26 2017
. IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
. IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
edmonds@chase{0}:/tmp/u/unbound-1.6.1rc3$

Robert Edmonds writes:

> W.C.A. Wijngaards wrote:
> > Unbound 1.6.1rc3 is available:
> > https://www.unbound.net/downloads/unbound-1.6.1rc3.tar.gz
>
> Hi,
>
> I notice that unbound-anchor from 1.6.1rc3 produces two DSes when run
> with "-F" (one for KSK-2010, one for KSK-2017), but it only produces a
> single DNSKEY when run without "-F". Is this intentional?

Yes.

The key hasn't been published yet, just the trust anchors. The
DNSKEY publication is planned for July. See IANA <https://www.iana.org>
and the time line at the KSK rollover pages
<https://www.icann.org/resources/pages/ksk-rollover>.

  jaap
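As an added example (not from this thread or from Unbound's own code), the following Python checks the relationship Robert observed and Jaap explains: it recomputes the RFC 4034 key tag and SHA-256 DS digest from the DNSKEY that unbound-anchor wrote and compares them with the two DS records from the -F output, so the 19036 anchor is confirmed by its DNSKEY while 20326 is reported as having no published DNSKEY yet. The DNSKEY and DS lines are constructed from the output quoted above.

```python
import base64
import hashlib
import struct

# Constructed from the unbound-anchor output quoted above: the KSK-2010
# DNSKEY RDATA in presentation form and the two DS records written with -F.
ANCHOR_DNSKEY = ("257 3 8 "
    "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0"
    "EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/Q"
    "Zxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hO"
    "A2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8"
    "ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=")
ANCHOR_DS = [
    ". IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5",
    ". IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D",
]

def dnskey_rdata(text):
    """Wire-format DNSKEY RDATA from the presentation form 'flags proto alg key'."""
    flags, proto, alg, key = text.split(None, 3)
    return struct.pack("!HBB", int(flags), int(proto), int(alg)) + base64.b64decode(key)

def key_tag(rdata):
    """RFC 4034 Appendix B key tag (algorithm 8 is not the RSA/MD5 special case)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest_sha256(owner_wire, rdata):
    """DS digest type 2: SHA-256 over canonical owner name || DNSKEY RDATA."""
    return hashlib.sha256(owner_wire + rdata).hexdigest().upper()

def check_anchor(dnskey_text, ds_lines, owner_wire=b"\x00"):
    """Return (key tag, DS lines the DNSKEY confirms, DS lines with no matching DNSKEY).
    The default owner is the root name "." whose wire form is a single zero byte."""
    rdata = dnskey_rdata(dnskey_text)
    tag, digest = key_tag(rdata), ds_digest_sha256(owner_wire, rdata)
    matched, unmatched = [], []
    for line in ds_lines:
        ds_tag, ds_alg, ds_dtype, ds_digest = line.split()[3:7]
        ok = (int(ds_tag) == tag and ds_alg == "8"
              and ds_dtype == "2" and ds_digest.upper() == digest)
        (matched if ok else unmatched).append(line)
    return tag, matched, unmatched

if __name__ == "__main__":
    tag, matched, unmatched = check_anchor(ANCHOR_DNSKEY, ANCHOR_DS)
    print(f"key tag {tag}; confirmed: {matched}; no DNSKEY yet: {unmatched}")
```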

A. Schulze via Unbound-users:

Unbound 1.6.1rc3 is available:

compiled Debian Jessie+Stretch without warnings.
"log-replies:yes" is cool :-)

Now, some days later, I'd like to announce that rc3 not only compiles but also runs fine :-)
Works without problems on my testlab systems...

One note:
I again included a patch that implements nsec_aggressiveuse [1].
Works as expected, but only for NSEC, not NSEC3.

Andreas

[1] draft-ietf-dnsop-nsec-aggressiveuse-07

(attachment: nsec-aggressivuse.patch, 5.76 KB)

Hi Andreas,

I suspect the patch may have rough corners so it's good to know you're working on a better implementation...

Andreas

Hi,

Unbound 1.6.1 is available:
https://www.unbound.net/downloads/unbound-1.6.1.tar.gz
sha256 42df63f743c0fe8424aeafcf003ad4b880b46c14149d696057313f5c1ef51400
pgp https://www.unbound.net/downloads/unbound-1.6.1.tar.gz.asc
https://www.unbound.net/downloads/unbound-1.6.1.zip
https://www.unbound.net/downloads/unbound-1.6.1.zip.asc
https://www.unbound.net/downloads/unbound_setup_1.6.1.exe
https://www.unbound.net/downloads/unbound_setup_1.6.1.exe.asc

This release has the 2017 root trust anchor in unbound-anchor. Previous
versions should work equally well during root key rollover. In this new
version, the UDP initialisation attempt will be able to be successful,
instead of having to fall back to fetching the XML.

Compile time changes are --enable-systemd for systemd integration, and
contrib/libunbound.pc for pkg-config integration (introduced in 1.6.0)
that could be used by packagers. The libunbound API has changed
slightly: the callback typedef does not end in _t, to make the include
file POSIX compliant.

Features
- configure --enable-systemd and lets unbound use systemd sockets if you
enable use-systemd: yes in unbound.conf. Also there are
contrib/unbound.socket and contrib/unbound.service: systemd files for
unbound, install them in /usr/lib/systemd/system. Contributed by Sami
Kerola and Pavel Odintsov.
- [bugzilla: 1185 ]
  Source IP rate limiting, patch from Larissa Feng.
- [bugzilla: 1184 ]
  Log DNS replies. This includes the same logging information as DNS
queries, plus response code and response size, patch from Larissa Feng.
- Include root trust anchor id 20326 in unbound-anchor.
- 64bit is default for windows builds.

Bug Fixes
- [bugzilla: 1176 ]
  Fix stack size too small for Alpine Linux.
- Fix unbound-control and ipv6 only.
  [bugzilla: 1182 ]
- Fix Resource leak (socket), at startup.
  [bugzilla: 1178 ]
- Fix attempt to fix setup error at end, pop result values at end of
install.
- iana portlist update
- Fix inet_ntop and inet_pton warnings in windows compile.
- [bugzilla: 1191 ]
  Fix remove comment about view deletion.
- [bugzilla: 1188 ]
  Fix unresolved symbol 'fake_dsa' in libunbound.so when built with Nettle
- [bugzilla: 1190 ]
  Fix to not echo back EDNS options in local-zone error response.
- [bugzilla: 1194 ]
  Fix if cross build fails when $host isn't `uname` for getentropy.
- Fix reload chdir failure when also chrooted to that directory.
- Fix to return formerr for queries for meta-types, to avoid packet
amplification if this meta-type is sent on to upstream.
- [bugzilla: 1201 ]
  Fix missing unlock in answer_from_cache error condition.
- [bugzilla: 1202 ]
  Fix code comment that packed_rrset_data is not always 'packed'.
- Fix to also block meta types 128 through to 248 with formerr.
- [bugzilla: 1206 ]
  Fix that some view-related commands are missing from 'unbound-control -h'
- Fix to rename ub_callback_t to ub_callback_type, because POSIX
reserves _t typedefs.
- Fix to rename internally used types from _t to _type, because _t type
names are reserved by POSIX.
- Increase MAX_MODULE to 16.
- [bugzilla: 1211 ]
  Fix can't enable interface-automatic if no IPv6 with more helpful
error message.
- fix root_anchor test for updated icannbundle.pem lower certificates.
- Fix compile on solaris of the fix to use $host detect.
- Fix for type name change and fix warning on windows compile.
- Fix pythonmod for typedef changes.
- Fix dnstap for warning of set but not used.
- Fix autoconf of systemd check for lack of pkg-config.

Best regards, Wouter