This version is a prerelease for packagers and maintainers.
This version blocks .test and .invalid by default. It has a -p option
to suppress pidfile creation (for startup script integration). And more
stats and a shared secret cache for dnscrypt. And bug fixes.
Features:
- unbound-control dump_infra prints port number for address if not 53.
- Fix #1344: RFC6761-reserved domains: test. and invalid.
- Fix #1349: allow suppression of pidfiles (from Daniel Kahn Gillmor).
With the -p option unbound does not create a pidfile.
- Added stats for queries that have been ratelimited by domain
recursion.
- Patch to show DNSCrypt status in help output, from Carsten
Strotmann.
- Fix #1407: Add ECS options check to unbound-checkconf.
- Fix #1415: [dnscrypt] shared secret cache, patch from
Manu Bretelle.
Bug Fixes:
- fixup of dnscrypt_cert_chacha test (from Manu Bretelle).
- First fix for zero b64 and hex text zone format in sldns.
- Better fixup of dnscrypt_cert_chacha test for different escapes.
- Fix that infra cache host hash does not change after reconfig.
- Fix python example0 return module wait instead of error for pass.
- enhancement for hardened-tls for DNS over TLS. Removed duplicated
security settings.
- Fix for unbound-checkconf, check ipsecmod-hook if ipsecmod is turned
on.
- Fix #1331: libunbound segfault in threaded mode when context is
deleted.
- Fix pythonmod link line option flag.
- Fix openssl 1.1.0 load of ssl error strings from ssl init.
- Fix 1332: Bump verbosity of failed chown'ing of the control socket.
- Redirect all localhost names to localhost address for RFC6761.
- Fix #1350: make cachedb backend configurable (from JINMEI Tatuya).
- Fix tests to use .tdir (from Manu Bretelle) instead of .tpkg.
- upgrade aclocal(pkg.m4 0.29.1), config.guess(2016-10-02),
config.sub(2016-09-05).
- annotate case statement fallthrough for gcc 7.1.1.
- flex output from flex 2.6.1.
- snprintf of thread number does not warn about truncated string.
- squelch TCP fast open error on FreeBSD when kernel has it disabled,
unless verbosity is high.
- remove warning from windows compile.
- Fix compile with libnettle
- Fix DSA configure switch (--disable dsa) for libnettle and libnss.
- Fix #1365: Add Ed25519 support using libnettle.
- Fix #1394: mix of serve-expired and response-ip could cause a crash.
- Remove unused iter_env member (ip6arpa_dname)
- Do not reset rrset.bogus stats when called using stats_noreset.
- Do not add rrset_bogus and query ratelimiting stats per thread, these
module stats are global.
- Fix #1397: Recursive DS lookups for AS112 zones names should recurse.
- Fix #1398: make cachedb secret configurable.
- Remove spaces from Makefile.
- Fix issue on macOX 10.10 where TCP fast open is detected but not
implemented causing TCP to fail. The fix allows fallback to regular
TCP in this case and is also more robust for cases where connectx()
fails for some reason.
- Fix #1402: squelch invalid argument error for fd_set_block on windows.
- Fix to reclaim tcp handler when it is closed due to dnscrypt buffer
allocation failure.
- Fix #1415: patch to free dnscrypt environment on reload.
- iana portlist update
- Small fixes for the shared secret cache patch.
- Fix WKS records on kvm autobuild host, with default protobyname
entries for udp and tcp.
- Fix #1414: fix segfault on parse failure and log_replies.
- zero qinfo in handle_request, this zeroes local_alias and also the
qname member.
- new keys and certs for dnscrypt tests.
- fixup WKS test on buildhost without servicebyname.
- updated contrib/fastrpz.patch to apply with configparser changes.
- Fix 1416: qname-minimisation breaks TLSA lookups with CNAMEs.
- Fix #1424: cachedb:testframe is not thread safe.
- Fix #1417: [dnscrypt] shared secret cache counters, and works when
dnscrypt is not enabled. And cache size configuration option.
- Fix #1418: [ip ratelimit] initialize slabhash using
ip-ratelimit-slabs.
- Recommend 1472 buffer size in unbound.conf
Compiles without issues and seems to run without issues too, but
only did limited testing.
It seems I had a bug in my ipsecmod hook, that caused the hook to
accidentally also try a lookup of the name that triggered the hook,
and while this previously succeeded, it is now getting a servfail
(justifiably so!), so I'm fixing up my code
I see that the default local-zone type for these is "static", which
will look bogus to downstream validating resolvers. Perhaps "refuse"
would have been a better choice? Of course one might argue that
such resolvers should not have leaked queries for ".invalid" and
".test" upstream...
This version blocks .test and .invalid by default. It has a -p option
to suppress pidfile creation (for startup script integration). And more
stats and a shared secret cache for dnscrypt. And bug fixes.
Features:
- unbound-control dump_infra prints port number for address if not 53.
- Fix #1344: RFC6761-reserved domains: test. and invalid.
- Fix #1349: allow suppression of pidfiles (from Daniel Kahn Gillmor).
With the -p option unbound does not create a pidfile.
- Added stats for queries that have been ratelimited by domain
recursion.
- Patch to show DNSCrypt status in help output, from Carsten
Strotmann.
- Fix #1407: Add ECS options check to unbound-checkconf.
- Fix #1415: [dnscrypt] shared secret cache, patch from
Manu Bretelle.
Bug Fixes:
- fixup of dnscrypt_cert_chacha test (from Manu Bretelle).
- First fix for zero b64 and hex text zone format in sldns.
- Better fixup of dnscrypt_cert_chacha test for different escapes.
- Fix that infra cache host hash does not change after reconfig.
- Fix python example0 return module wait instead of error for pass.
- enhancement for hardened-tls for DNS over TLS. Removed duplicated
security settings.
- Fix for unbound-checkconf, check ipsecmod-hook if ipsecmod is turned
on.
- Fix #1331: libunbound segfault in threaded mode when context is
deleted.
- Fix pythonmod link line option flag.
- Fix openssl 1.1.0 load of ssl error strings from ssl init.
- Fix 1332: Bump verbosity of failed chown'ing of the control socket.
- Redirect all localhost names to localhost address for RFC6761.
- Fix #1350: make cachedb backend configurable (from JINMEI Tatuya).
- Fix tests to use .tdir (from Manu Bretelle) instead of .tpkg.
- upgrade aclocal(pkg.m4 0.29.1), config.guess(2016-10-02),
config.sub(2016-09-05).
- annotate case statement fallthrough for gcc 7.1.1.
- flex output from flex 2.6.1.
- snprintf of thread number does not warn about truncated string.
- squelch TCP fast open error on FreeBSD when kernel has it disabled,
unless verbosity is high.
- remove warning from windows compile.
- Fix compile with libnettle
- Fix DSA configure switch (--disable dsa) for libnettle and libnss.
- Fix #1365: Add Ed25519 support using libnettle.
- Fix #1394: mix of serve-expired and response-ip could cause a crash.
- Remove unused iter_env member (ip6arpa_dname)
- Do not reset rrset.bogus stats when called using stats_noreset.
- Do not add rrset_bogus and query ratelimiting stats per thread, these
module stats are global.
- Fix #1397: Recursive DS lookups for AS112 zones names should recurse.
- Fix #1398: make cachedb secret configurable.
- Remove spaces from Makefile.
- Fix issue on macOX 10.10 where TCP fast open is detected but not
implemented causing TCP to fail. The fix allows fallback to regular
TCP in this case and is also more robust for cases where connectx()
fails for some reason.
- Fix #1402: squelch invalid argument error for fd_set_block on windows.
- Fix to reclaim tcp handler when it is closed due to dnscrypt buffer
allocation failure.
- Fix #1415: patch to free dnscrypt environment on reload.
- iana portlist update
- Small fixes for the shared secret cache patch.
- Fix WKS records on kvm autobuild host, with default protobyname
entries for udp and tcp.
- Fix #1414: fix segfault on parse failure and log_replies.
- zero qinfo in handle_request, this zeroes local_alias and also the
qname member.
- new keys and certs for dnscrypt tests.
- fixup WKS test on buildhost without servicebyname.
- updated contrib/fastrpz.patch to apply with configparser changes.
- Fix 1416: qname-minimisation breaks TLSA lookups with CNAMEs.
- Fix #1424: cachedb:testframe is not thread safe.
- Fix #1417: [dnscrypt] shared secret cache counters, and works when
dnscrypt is not enabled. And cache size configuration option.
- Fix #1418: [ip ratelimit] initialize slabhash using
ip-ratelimit-slabs.
- Recommend 1472 buffer size in unbound.conf
- Fix #1412: QNAME minimisation strict mode not honored
- Fix #1434: Fix windows openssl 1.1.0 linking.
- Add dns64 for client-subnet in unbound-checkconf.
Bug Fixes:
- Redirect all localhost names to localhost address for RFC6761.
Hello,
I've a setup that monitor a running resolver on regular base.
To avoid the log is fooded with queries for "localhost" I found it meaningful to monitor a more 'speaking' label:
I monitor "monitoring_app_test_if_unbound_is_alive.localhost." and expect a A Record 127.0.0.1
For that I've in unbound.conf:
server:
local-data: 'monitoring_app_test_if_unbound_is_alive.localhost. A 127.0.0.1'
local-data: 'monitoring_app_test_if_unbound_is_alive.localhost. TXT "some description"
After upgrading to 1.6.6 I now get errors
[1505895425] unbound-checkconf[2825:0] error: local-data in redirect zone must reside at top of zone, not at monitoring_app_test_if_unbound_is_alive.localhost. A 127.0.0.1
[1505895425] unbound-checkconf[2825:0] fatal error: failed local-zone, local-data configuration
OK, I now could remove the "local-data: A Record" at all. But I like to understand the feature a little more.
Could anyone explain the error message a bit more verbose?
The default local-zone type for "localhost." changed from static to
redirect, so that the default local-data applies to both localzone. and
its subdomains.
You can change your local-data domain to localhost., then it will still
be available under monitoring_app_test_if_unbound_is_alive.localhost,
but also for localhost itself.
You can also add a local-zone for
monitoring_app_test_if_unbound_is_alive.localhost with the static type:
