This release has a couple of new features and a list of bug fixes.
trustanchor.unbound chaos query, response IP actions, stats from shm,
--disable-sha1, dnscrypt support, and edns client subnet support merged in.
Features
- Add trustanchor.unbound CH TXT that gets a response with a number
of TXT RRs with a string like "example.com. 2345 1234" with
the trust anchors and their keytags.
- Patch for view functionality for local-data-ptr from Björn Ketelaars.
- Response actions based on IP address from Jinmei Tatuya (Infoblox).
- Patch from Luiz Fernando Softov for Stats Shared Memory.
- unbound-control stats_shm command prints stats using shared memory,
which uses less cpu.
- --disable-sha1 disables SHA1 support in RRSIG, so from DNSKEY and
DS records. NSEC3 is not disabled.
- #1217. DNSCrypt support, with --enable-dnscrypt, libsodium and then
enabled in the config file from Manu Bretelle.
- Merge EDNS Client subnet implementation from feature branch into main
branch, using new EDNS processing framework.
- harden-algo-downgrade: no also makes unbound more lenient about
digest algorithms in DS records.
Bug fixes
- sldns has ED25519 and ED448 algorithm number and name for display.
- sldns updated for vfixed and buffer resize indication from getdns.
- iana portlist update
- Fix #1224: Fix that defaults should not fall back to "Program Files
(x86)" if Unbound is 64bit by default on windows.
- Fix doc/CNAME-basedRedirectionDesignNotes.pdf zone static to
redirect.
- make depend, autoconf, doxygen and lint fixed up.
- include sys/time.h for new shm code on NetBSD.
- Fix #1227: Fix that Unbound control allows weak ciphersuites.
- Fix #1226: provide official 32bit binary for windows.
- For #1227: if we have sha256, set the cipher list to have no
known vulns.
- Fix testpkts.c, check if DO bit is set, not only if there is an OPT
record.
- Fix #1229: Systemd service sandboxing in contrib/unbound.service.
- Fix #1230: swig version 2.0.1 is required for pythonmod, with
1.3.40 it crashes when running unbound-control reload repeatedly.
- fix enum conversion warnings
- fake-sha1 test option; print warning if used. To make unit tests.
- unbound-control list local zone and data commands listed in the
help output.
- Fix #1234: shortening DNAME loop produces duplicate DNAME records
in ANSWER section.
- testbound understands Deckard MATCH rcode question answer commands.
- Fix #1235: Fix too long DNAME expansion produces SERVFAIL instead
of YXDOMAIN + query loop, reported by Petr Spacek.
- Fix that SHM is not inited if not enabled.
- Fix that looped DNAMEs do not cause unbound to spend effort.
- trustanchor tags are sorted. reusable routine to fetch taglist.
- Fix #1237 - Wrong resolving in chain, for norec queries that get
SERVFAIL returned.
- make depend, autoconf, remove warnings about statement before var.
- lru_demote and lruhash_insert_or_retrieve functions for getdns.
- fixup for lruhash (whitespace and header file comment).
- dnscrypt tests.
- Fix doxygen for dnscrypt files.
- Fix #1238: segmentation fault when adding through the remote
interface a per-view local zone to a view with no previous
(configured) local zones.
- Fix #1229: Systemd service sandboxing, options in wrong sections.
- Fix #1239: configure fails to find python distutils if python
prints warning.
- Fix to prevent non-referral query from being cached as referral when the
no_cache_store flag was set.
- Remove (now unused) event2 include from dnscrypt code.
- Fix #1217: Add metrics to unbound-control interface showing
crypted, cert request, plaintext and malformed queries (from
Manu Bretelle).
- Do not add current time twice to TTL before ECS cache store.
- Do not touch rrset cache after ECS cache message generation.
- Use LDNS_EDNS_CLIENT_SUBNET as default ECS opcode.
- Fix #1244: document that use of chroot requires trust anchor file to
be under chroot.
- Small fixup for documentation.
- Fix respip for braces when locks aren't used.
- Fix pythonmod for cb changes.
- Generalise inplace callback (de)registration
- (de)register inplace callbacks for module id
- No unbound-control set_option for ECS options
- Deprecated client-subnet-opcode config option
- Introduced client-subnet-always-forward config option
- Changed max-client-subnet-ipv6 default to 56 (as in RFC)
- Removed extern ECS config options
- module_restart_next now calls clear on all following modules
- Also create ECS module qstate on module_event_pass event
- remove malloc from inplace_cb_register
- Unlock view in respip unit test
- Some whitespace fixup.
- Remove ECS option after REFUSED answer.
- Fix small memory leak in edns_opt_copy_alloc.
- Respip dereference after NULL check.
- Zero initialize addrtree allocation.
- Use correct identifier for SHM destroy.
- Display ECS module memory usage.
- Fix #1247: unbound does not shorten source prefix length when
forwarding ECS.
- Properly check for allocation failure in local_data_find_tag_datas.
- Fix #1249: unbound doesn't return FORMERR to bogus ECS.
- Set SHM ECS memory usage to 0 when module not loaded.
- subnet mem value is available in shm, also when not enabled,
to make the struct easier to memmap by other applications,
independent of the configuration of unbound.
- Fix #1250: inconsistent indentation in services/listen_dnsport.c.
Unbound 1.6.2rc1 maintainers prerelease is available:
has been working noiselessly here for a week.
one question came up when I combined these two announcements:
> - Add trustanchor.unbound CH TXT that gets a response with a number
> of TXT RRs with a string like "example.com. 2345 1234" with
> the trust anchors and their keytags.
> - Merge EDNS Client subnet implementation from feature branch into main
> branch, using new EDNS processing framework.
May this "new EDNS processing framework" also support RFC 8145 soon?
That would be helpful for the YETI DNS project for example.
I read the RFC again and am now aware of /two/ options to transport the key tag information.
So, first: thanks for your question!
the answer depends a little bit on "how can a zone operator consume the key tag information?"
It would be helpful if nsd had the ability to collect such queries.
That could be dnscap- or dnstap-based, but simple logging in nsd would also be OK.
there are currently 2727 DS records in the root zone.
65 x Algorithm 5 for DNSKEY RSA/SHA-1
474 x Algorithm 7 for DNSKEY RSASHA1-NSEC3-SHA1
2152 x Algorithm 8 for DNSKEY RSA/SHA-256
36 x Algorithm 10 for DNSKEY RSA/SHA512
--disable-sha1 makes 539 zones / ~20% of the root zone unsigned;
that does not sound at all like "enabled on production systems"
>
>> Unbound 1.6.2rc1 maintainers prerelease is available:
>> - --disable-sha1 disables SHA1 support in RRSIG, so from DNSKEY and
>> DS records. NSEC3 is not disabled.
>
> I tried --disable-sha1 and found that any org. zone no longer got validated
> (was handled like unsigned)
> there are currently 2727 DS records in the root zone.
> 65 x Algorithm 5 for DNSKEY RSA/SHA-1
Note that this includes the ".se" TLD which I believe has one of
the highest number of signed child 2LDs. Among zones for which
I can get complete zone data, the signed 2LD child count is:
685654 se ALG 5 (RSA/SHA-1)
654244 com ALG 8 (RSA/SHA-256)
104376 net ALG 8
84536 nu ALG 7 (RSA/SHA-1 NSEC3-SHA1)
75838 org ALG 7
19909 ovh ALG 8
7401 xyz
...
(Incomplete) data from other sources yields lower bounds for
additional TLDs:
514361 nl ALG 8
313133 fr ALG 8
175890 cz ALG 10 (RSA/SHA-512)
165568 no ALG 8
116359 de ALG 8
91986 eu ALG 8
49890 br ALG 5
19818 info ALG 7
16756 hu ALG 8
15379 biz ALG 8
14167 pw ALG 7
14009 be ALG 8
5504 at ALG 8
...
> --disable-sha1 makes 539 zones / ~20% of the root zone unsigned;
> that does not sound at all like "enabled on production systems"
Yes, this loses .se, .nu, .org, .br, .info and .pw which collectively
account for at least 930k signed 2LD domains out of a total of
around 3 million. So that's closer to 30% of the deployed base.
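As an added example, not part of the release notes or of anyone's post in this thread: a small Python script that parses DS records in zone-file presentation format, tallies them per DNSKEY algorithm like the root zone counts above, and reports which delegations a --disable-sha1 build would stop validating. It models only the signing algorithm (5 and 7 being the SHA-1 based ones, as in the posts), treats a delegation as lost only when none of its DS records names a still-supported algorithm, and uses constructed sample records with placeholder key tags and digests.

```python
import re
from collections import Counter, defaultdict

# RRSIG/DNSKEY algorithm numbers built on SHA-1, which --disable-sha1 stops
# supporting (NSEC3 hashing and DS digest types are not modelled here).
SHA1_SIGNING_ALGS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1"}

# Presentation format: owner [ttl] [class] DS keytag algorithm digesttype digest
DS_RE = re.compile(r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?DS\s+(?P<keytag>\d+)"
                   r"\s+(?P<alg>\d+)\s+(?P<dtype>\d+)\s+(?P<digest>[0-9A-Fa-f ]+)$")


def parse_ds(line):
    """Return (owner, keytag, alg, digest_type) for a DS line, else None."""
    m = DS_RE.match(line.strip())
    if m is None:
        return None
    return (m.group("owner").lower(), int(m.group("keytag")),
            int(m.group("alg")), int(m.group("dtype")))


def sha1_impact(lines, disabled=frozenset(SHA1_SIGNING_ALGS)):
    """Tally DS records per algorithm and list delegations that go insecure."""
    per_alg = Counter()
    algs_by_owner = defaultdict(set)
    for line in lines:
        rec = parse_ds(line)
        if rec is None:          # comments, NS glue, anything that is not DS
            continue
        owner, _keytag, alg, _dtype = rec
        per_alg[alg] += 1
        algs_by_owner[owner].add(alg)
    # A delegation is lost only when every DS it has names a disabled algorithm;
    # a single DS with a still-supported algorithm keeps the chain validatable.
    lost = sorted(o for o, algs in algs_by_owner.items() if algs <= disabled)
    total = len(algs_by_owner)
    return {"per_alg": dict(per_alg), "delegations": total, "lost": lost,
            "fraction_lost": len(lost) / total if total else 0.0}


# Constructed sample: TLDs/algorithms follow the thread; key tags and digests are placeholders.
SAMPLE_ROOT_DS = """
se.      86400 IN DS 11111 5  2 00000000000000000000000000000000000000000000000000000000000000a1
org.     86400 IN DS 22222 7  2 00000000000000000000000000000000000000000000000000000000000000a2
com.     86400 IN DS 33333 8  2 00000000000000000000000000000000000000000000000000000000000000a3
cz.      86400 IN DS 44444 10 2 00000000000000000000000000000000000000000000000000000000000000a4
example. 86400 IN DS 55555 7  2 00000000000000000000000000000000000000000000000000000000000000a5
example. 86400 IN DS 55556 8  2 00000000000000000000000000000000000000000000000000000000000000a6
com.    172800 IN NS ns.example.
""".strip().splitlines()

if __name__ == "__main__":
    r = sha1_impact(SAMPLE_ROOT_DS)
    print(f"lost {len(r['lost'])}/{r['delegations']} delegations: {r['lost']}")
```

Feeding it a real root zone DS dump reproduces the per-algorithm counts quoted in the thread; the example. entry shows why a delegation that also publishes a non-SHA-1 DS survives the switch.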
> Unbound 1.6.2rc1 maintainers prerelease is available:
> - Merge EDNS Client subnet implementation from feature branch into main
> branch, using new EDNS processing framework.
Any chance that the nameservers Unbound is sending queries to are not on
the ECS whitelist (send-client-subnet)? Unbound only sends ECS data to
whitelisted addresses.
> Any chance that the nameservers Unbound is sending queries to are not on
> the ECS whitelist (send-client-subnet)? Unbound only sends ECS data to
> whitelisted addresses.
> Ralf.
2000::/3 should cover any IPv6 nameserver.
just added "send-client-subnet: 0.0.0.0/0" to cover IPv4 also
( suggestion: document the "any address" case )
but no visible change in packet traces
every time I
1. restart unbound
2. capture any traffic on Port 53
3. send a query "dig @resolver google.com. ns"
4. stop & inspect the trace
Are you sure you are not looking at subqueries generated by Unbound,
like root priming queries or queries for the DNSKEY? We do not add ECS
data to these queries.
I do not think we should document the any address case. Sending (privacy
sensitive) ECS data to all nameservers does not sound like a wise thing
to do.
> Are you sure you are not looking at subqueries generated by Unbound,
> like root priming queries or queries for the DNSKEY? We do not add ECS
> data to these queries.
found it!
(for queries sent to ipv4 as well as ipv6 name servers)
and, surprise:
the data aren't unknown to wireshark
> I do not think we should document the any address case. Sending (privacy
> sensitive) ECS data to all nameservers does not sound like a wise thing
> to do.
isn't it better to document a security pitfall than let users tap in?
At least the doc may explicitly mention the security impact.
Other question (man 5 unbound.conf)
... When an answer contains the ECS option the response and the
option are placed in a specialized cache.
I read it as:
unbound sends a query + ECS option to a nameserver. The response from the nameserver
also contains an ECS option to indicate support. unbound places the answer in a separate cache.