Unbound 1.6.4rc1 pre-release

Hi,

Unbound 1.6.4rc1 release candidate 1 is available:
https://unbound.net/downloads/unbound-1.6.4rc1.tar.gz
sha256 54dd9bc2bedc8f171dcad69cb1a64c5b5590ae04284c2eed3515993d86a46dc1
pgp https://unbound.net/downloads/unbound-1.6.4rc1.tar.gz.asc

This release contains key tag signaling RFC8145 support. B root is
renumbered in the default root hints. The dnscrypt code supports the
chacha cipher. The Unbound DNSSEC validator supports the ED25519
algorithm. The redirect-bogus patch in contrib can send validation
failure users to a landing page.

Features:
- Implemented trust anchor signaling using key tag query.
- unbound-checkconf -o allows query of dnstap config variables.
  Also unbound-control get_option. Also for dnscrypt.
- unbound.h exports the shm stats structures. They use
  type long long and no ifdefs, and ub_ before the typenames.
- Implemented opportunistic IPsec support module (ipsecmod).
- Added redirect-bogus.patch to contrib directory.
- Support for the ED25519 algorithm with openssl (from openssl 1.1.1).
- renumbering B-Root's IPv6 address to 2001:500:200::b.
- Fix #1276: [dnscrypt] add XChaCha20-Poly1305 cipher.
- Fix #1277: disable domain ratelimit by setting value to 0.

Bug Fixes:
- Added ECS unit test (from Manu Bretelle).
- ECS documentation fix (from Manu Bretelle).
- Fix #1252: more indentation inconsistencies.
- Fix #1253: unused variable in edns-subnet/addrtree.c:getbit().
- Fix #1254: clarify ratelimit-{for,below}-domain (from Manu Bretelle).
- iana portlist update
- Based on #1257: check parse limit before t increment in sldns RR
  string parse routine.
- Fix #1258: Windows 10 X64 unbound 1.6.2 service will not start.
  and fix that 64bit getting installed in C:\Program Files (x86).
- Fix #1259: "--disable-ecdsa" argument overwritten
  by "#ifdef SHA256_DIGEST_LENGTH@daemon/remote.c".
- iana portlist update
- Added test for leak of stub information.
- Fix sldns wire2str printout of RR type CAA tags.
- Fix sldns int16_data parse.
- Fix sldns parse and printout of TSIG RRs.
- sldns SMIMEA and AVC definitions, same as getdns definitions.
- Fix tcp-mss failure printout text.
- Set SO_REUSEADDR on outgoing tcp connections to fix the bind before
  connect limited tcp connections. With the option tcp connections
  can share the same source port (for different destinations).
- Add 'c' to getopt() in testbound.
- Adjust servfail by iterator to not store in cache when serve-expired
  is enabled, to avoid overwriting useful information there.
- Fix queries for nameservers under a stub leaking to the internet.
- document trust-anchor-signaling in example config file.
- updated configure, dependencies and flex output.
- better module memory lookup, fix of unbound-control shm names for
  module memory printout of statistics.
- Fix type AVC sldns rrdef.
- Some whitespace fixup.
- Fix #1265: contrib/unbound.service contains hardcoded path.
- Fix #1265 to use /bin/kill.
- Fix #1267: Libunbound validator/val_secalgo.c uses obsolete APIs,
  and compatibility with BoringSSL.
- Fix #1268: SIGSEGV after log_reopen.
- exec_prefix is by default equal to prefix.
- printout localzone for duplicate local-zone warnings.
- Fix assertion for low buffer size and big edns payload when worker
  overrides udpsize.
- Support for openssl EVP_DigestVerify.
- Fix #1269: inconsistent use of built-in local zones with views.
- Add defaults for new local-zone trees added to views using
  unbound-control.
- Fix #1273: cachedb.c doesn't compile with -Wextra.
- If MSG_FASTOPEN gives EPIPE fallthrough to try normal tcp write.
- Also use global local-zones when there is a matching view that does
  not have any local-zone specified.
- Fix fastopen EPIPE fallthrough to perform connect.
- Fix #1274: automatically trim chroot path from dnscrypt key/cert paths
  (from Manu Bretelle).
- Fix #1275: cached data in cachedb is never used.
- Fix that unbound-control can set val_clean_additional and
  val_permissive_mode.
- Add dnscrypt XChaCha20 tests.
- Detect chacha for dnscrypt at configure time.
- dnscrypt unit tests with chacha.
- Added domain name based ECS whitelist.
- Fix #1278: Incomplete wildcard proof.
- Fix #1279: Memory leak on reload when python module is enabled.
- Fix #1280: Unbound fails assert when response from authoritative
  contains malformed qname. When 0x20 caps-for-id is enabled, when
  assertions are not enabled the malformed qname is handled correctly.
- More fixes in depth for buffer checks in 0x20 qname checks.
- Fix stub zone queries leaking to the internet for
  harden-referral-path ns checks.
- Fix query for refetch_glue of stub leaking to internet.
- Fix #1301: memory leak in respip and tests.
- Free callback in edns-subnetmod on exit and restart.
- Fix memory leak in sldns_buffer_new_frm_data.
- Fix memory leak in dnscrypt config read.
- Fix dnscrypt chacha cert support ifdefs.
- Fix dnscrypt chacha cert unit test escapes in grep.
- Fix to unlock view in view test.
- Fix warning in pythonmod under clang compiler.

Best regards, Wouter

W.C.A. Wijngaards via Unbound-users:

> Unbound 1.6.4rc1 release candidate 1 is available:

compiles and runs.
lintian found one typo: daemon/remote.c, line 266
   s/coult/could/

> This release contains key tag signaling RFC8145 support.

btw: to "see" this, I temporarily modified the logline:
   validator/validator.c, line 464

would be cool if NSD could be modified to log such queries,
but that's unrelated to unbound ...

Andreas

Hi,

Unbound 1.6.4rc2 release candidate 2 is available:
https://unbound.net/downloads/unbound-1.6.4rc2.tar.gz
sha256 c9839f7292af75eda5b72d53ef2ea241dadc4bdba0369f9d91f8162cba7946ca
pgp https://unbound.net/downloads/unbound-1.6.4rc2.tar.gz.asc

This release candidate fixes a recently found heap overflow, and adds a
contrib patch for fastrpz.

Best regards, Wouter

> Unbound 1.6.4rc2 release candidate 2 is available:
> https://unbound.net/downloads/unbound-1.6.4rc2.tar.gz

Seems to work :)

> - Implemented opportunistic IPsec support module (ipsecmod).

I've tested this feature as well, and it works. I'll do a blog post
to explain how to use it for other people.

Paul

looks good here, too
the fastrpz tests are not yet finished

Andreas

Hi Paul,

Hi,

Unbound 1.6.4 is available:
https://unbound.net/downloads/unbound-1.6.4.tar.gz
sha256 df0a88816ec31ccb8284c9eb132e1166fbf6d9cde71fbc4b8cd08a91ee777fed
pgp https://unbound.net/downloads/unbound-1.6.4.tar.gz.asc

This release contains key tag signaling RFC8145 support. B root is
renumbered in the default root hints. The dnscrypt code supports the
chacha cipher. The Unbound DNSSEC validator supports the ED25519
algorithm. The redirect-bogus patch in contrib can send validation
failure users to a landing page.

Source tarball, pgp signatures and windows binaries available here:
https://www.unbound.net/download.html
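Added example, not part of the announcement or of the Unbound project: a POSIX shell procedure that checks a downloaded tarball against the sha256 digest and the detached PGP signature that these release mails publish, filled in with the 1.6.4 values quoted above. The function names (sha256_of, verify_sha256, verify_pgp, verify_release) are my own; gpg, curl and the digest tools are the ordinary system commands. The signing key is assumed to be in the local keyring already, obtained out of band rather than from the download directory.

```shell
#!/bin/sh
# Added example (not from the release mail): verify an Unbound release
# tarball against the digest and signature published in the announcement.
# These three values are the ones quoted for unbound-1.6.4 in the mail.
UNBOUND_TARBALL="unbound-1.6.4.tar.gz"
UNBOUND_SHA256="df0a88816ec31ccb8284c9eb132e1166fbf6d9cde71fbc4b8cd08a91ee777fed"
UNBOUND_URL="https://unbound.net/downloads/${UNBOUND_TARBALL}"

# Print the hex sha256 of a file using whichever tool the host provides
# (coreutils sha256sum, BSD/macOS shasum, or openssl as a last resort).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | cut -d' ' -f1
  else
    openssl dgst -sha256 "$1" | sed 's/^.*= //'
  fi
}

# Return 0 when the file's digest equals the expected one, 1 otherwise.
# The expected value is lower-cased so either case of the published hash works;
# a missing file is a failure, never a silent pass.
verify_sha256() {
  file="$1"
  expected=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  [ -f "$file" ] || return 1
  actual=$(sha256_of "$file")
  [ "$actual" = "$expected" ]
}

# Verify the detached signature <file>.asc over <file>. gpg exits non-zero on
# a bad signature or an unknown key, which is exactly what we want to surface.
verify_pgp() {
  gpg --verify "$1.asc" "$1"
}

# Full procedure for the announced tarball: fetch tarball and signature,
# check the digest first (cheap), then the signature.
verify_release() {
  curl -fsSLO "$UNBOUND_URL" || return 1
  curl -fsSLO "${UNBOUND_URL}.asc" || return 1
  verify_sha256 "$UNBOUND_TARBALL" "$UNBOUND_SHA256" \
    || { echo "sha256 mismatch for $UNBOUND_TARBALL" >&2; return 1; }
  verify_pgp "$UNBOUND_TARBALL" \
    || { echo "PGP signature check failed for $UNBOUND_TARBALL" >&2; return 1; }
  echo "ok: $UNBOUND_TARBALL matches the announced digest and signature"
}

# Only touch the network when explicitly asked: ./verify.sh run
case "${1:-}" in
  run) verify_release ;;
esac
```

The digest check alone only proves the download matches what the mail says; the signature check is what ties it to the release key, so a digest match followed by a gpg failure should be treated as a failed verification, not a partial success.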

Features:
- Implemented trust anchor signaling using key tag query.
- unbound-checkconf -o allows query of dnstap config variables.
  Also unbound-control get_option. Also for dnscrypt.
- unbound.h exports the shm stats structures. They use
  type long long and no ifdefs, and ub_ before the typenames.
- Implemented opportunistic IPsec support module (ipsecmod).
- Added redirect-bogus.patch to contrib directory.
- Support for the ED25519 algorithm with openssl (from openssl 1.1.1).
- renumbering B-Root's IPv6 address to 2001:500:200::b.
- Fix #1276: [dnscrypt] add XChaCha20-Poly1305 cipher.
- Fix #1277: disable domain ratelimit by setting value to 0.
- Added fastrpz patch to contrib

Bug Fixes:
- Added ECS unit test (from Manu Bretelle).
- ECS documentation fix (from Manu Bretelle).
- Fix #1252: more indentation inconsistencies.
- Fix #1253: unused variable in edns-subnet/addrtree.c:getbit().
- Fix #1254: clarify ratelimit-{for,below}-domain (from Manu Bretelle).
- iana portlist update
- Based on #1257: check parse limit before t increment in sldns RR
  string parse routine.
- Fix #1258: Windows 10 X64 unbound 1.6.2 service will not start.
  and fix that 64bit getting installed in C:\Program Files (x86).
- Fix #1259: "--disable-ecdsa" argument overwritten
  by "#ifdef SHA256_DIGEST_LENGTH@daemon/remote.c".
- iana portlist update
- Added test for leak of stub information.
- Fix sldns wire2str printout of RR type CAA tags.
- Fix sldns int16_data parse.
- Fix sldns parse and printout of TSIG RRs.
- sldns SMIMEA and AVC definitions, same as getdns definitions.
- Fix tcp-mss failure printout text.
- Set SO_REUSEADDR on outgoing tcp connections to fix the bind before
  connect limited tcp connections. With the option tcp connections
  can share the same source port (for different destinations).
- Add 'c' to getopt() in testbound.
- Adjust servfail by iterator to not store in cache when serve-expired
  is enabled, to avoid overwriting useful information there.
- Fix queries for nameservers under a stub leaking to the internet.
- document trust-anchor-signaling in example config file.
- updated configure, dependencies and flex output.
- better module memory lookup, fix of unbound-control shm names for
  module memory printout of statistics.
- Fix type AVC sldns rrdef.
- Some whitespace fixup.
- Fix #1265: contrib/unbound.service contains hardcoded path.
- Fix #1265 to use /bin/kill.
- Fix #1267: Libunbound validator/val_secalgo.c uses obsolete APIs,
  and compatibility with BoringSSL.
- Fix #1268: SIGSEGV after log_reopen.
- exec_prefix is by default equal to prefix.
- printout localzone for duplicate local-zone warnings.
- Fix assertion for low buffer size and big edns payload when worker
  overrides udpsize.
- Support for openssl EVP_DigestVerify.
- Fix #1269: inconsistent use of built-in local zones with views.
- Add defaults for new local-zone trees added to views using
  unbound-control.
- Fix #1273: cachedb.c doesn't compile with -Wextra.
- If MSG_FASTOPEN gives EPIPE fallthrough to try normal tcp write.
- Also use global local-zones when there is a matching view that does
  not have any local-zone specified.
- Fix fastopen EPIPE fallthrough to perform connect.
- Fix #1274: automatically trim chroot path from dnscrypt key/cert paths
  (from Manu Bretelle).
- Fix #1275: cached data in cachedb is never used.
- Fix that unbound-control can set val_clean_additional and
  val_permissive_mode.
- Add dnscrypt XChaCha20 tests.
- Detect chacha for dnscrypt at configure time.
- dnscrypt unit tests with chacha.
- Added domain name based ECS whitelist.
- Fix #1278: Incomplete wildcard proof.
- Fix #1279: Memory leak on reload when python module is enabled.
- Fix #1280: Unbound fails assert when response from authoritative
  contains malformed qname. When 0x20 caps-for-id is enabled, when
  assertions are not enabled the malformed qname is handled correctly.
- More fixes in depth for buffer checks in 0x20 qname checks.
- Fix stub zone queries leaking to the internet for
  harden-referral-path ns checks.
- Fix query for refetch_glue of stub leaking to internet.
- Fix #1301: memory leak in respip and tests.
- Free callback in edns-subnetmod on exit and restart.
- Fix memory leak in sldns_buffer_new_frm_data.
- Fix memory leak in dnscrypt config read.
- Fix dnscrypt chacha cert support ifdefs.
- Fix dnscrypt chacha cert unit test escapes in grep.
- Fix to unlock view in view test.
- Fix warning in pythonmod under clang compiler.
- Fix lintian typo.
- Fix #1316: heap read buffer overflow in parse_edns_options.

Best regards, Wouter

Dear Folks,

I'm trying to understand the exact meaning of this part of the
description of ratelimit in unbound.conf(5):

"The zone of the query is determined by examining the nameservers for
it, the zone name is used to keep track of the rate."

So if we have a ratelimit of 1000, does that mean that limit applies
to a.tiles.mapbox.com., tiles.mapbox.com., and everything under
mapbox.com.? How does unbound determine the zone that the name is
under?

Are you aware of any suggestions on ways to determine suitable values
for ratelimit to match the scale of queries received? And for
ip-ratelimit?
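As an added illustration, not part of the question above or of any reply in the thread: an unbound.conf fragment that uses the rate-limit options this thread names (ratelimit, ratelimit-for-domain and ratelimit-below-domain from the 1.6.4 notes, ip-ratelimit from the question, and the value 0 that the notes say disables a domain's limit). The domain names and numbers are constructed values for illustration, not recommended settings.

```yaml
server:
    # Global per-zone limit: queries per second that the resolver will send
    # towards the nameservers of any one zone (constructed value).
    ratelimit: 1000

    # Override for exactly this zone name.
    ratelimit-for-domain: example.com 200

    # Override for zone names that end in this name (the domain and everything
    # below it).
    ratelimit-below-domain: example.net 50

    # 0 disables the domain limit (the 1.6.4 notes list this under Fix #1277).
    ratelimit-for-domain: example.org 0

    # Separate limit on queries arriving from a single client address,
    # in queries per second (constructed value).
    ip-ratelimit: 500
```

After changing these values, `unbound-checkconf` reports syntax problems before a reload, and `unbound-control stats` (the `ratelimit` counters in its output) shows whether any limit is actually being hit, which is the feedback needed when tuning the numbers to the query volume a resolver really sees.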