Unbound 1.7.0rc1 pre-release

Hi,

Unbound 1.7.0rc1 maintainers prerelease is available:
https://www.unbound.net/downloads/unbound-1.7.0rc1.tar.gz
sha256 eb9e57e44f7bb6e68879c8672c9a9b15273cece250d1ed85964b9620e736521a
pgp https://www.unbound.net/downloads/unbound-1.7.0rc1.tar.gz.asc

This release adds authority zones, for a local copy of the root zone,
and also aggressive NSEC processing, for denial of nxdomain floods.

Features
- auth-zone provides a way to configure RFC7706 from unbound.conf,
  e.g. with auth-zone: name: "." for-downstream: no for-upstream: yes
  fallback-enabled: yes and masters or a zonefile with data.
- Aggressive use of NSEC implementation. Use cached NSEC records to
  generate NXDOMAIN, NODATA and positive wildcard answers.
- Accept tls-upstream in unbound.conf, the ssl-upstream keyword is
  also recognized and means the same. Also for tls-port,
  tls-service-key, tls-service-pem, stub-tls-upstream and
  forward-tls-upstream.
- [dnscrypt] introduce dnscrypt-provider-cert-rotated option,
  from Manu Bretelle.
  This option allows handling multiple cert/key pairs while only
  distributing some of them.
  In order to reliably match a client magic with a given key without
  strong assumption as to how those were generated, we need both key and
  cert. Likewise, in order to know which ES version should be used.
  On the other hand, when rotating a cert, it can be desirable to only
  serve the new cert but still be able to handle clients that are still
  using the old cert's public key.
  The `dnscrypt-provider-cert-rotated` allow to instruct unbound to not
  publish the cert as part of the DNS's provider_name's TXT answer.
- Update B root ipv4 address.
- make ip-transparent option work on OpenBSD.
- Fix #2801: Install libunbound.pc.
- ltrace.conf file for libunbound in contrib.

Bug Fixes
- Fix #1749: With harden-referral-path: performance drops, due to
  circular dependency in NS and DS lookups.
- [dnscrypt] prevent dnscrypt-secret-key, dnscrypt-provider-cert
  duplicates
- Better documentation for cache-max-negative-ttl.
- Fixed libunbound manual typo.
- Fix #1949: [dnscrypt] make provider name mismatch more obvious.
- Fix #2031: Double included headers
- Document that errno is left informative on libunbound config read
  fail.
- iana port update.
- Fix #1913: ub_ctx_config is under circumstances thread-safe.
- Fix #2362: TLS1.3/openssl-1.1.1 not working.
- Fix #2034 - Autoconf and -flto.
- Fix #2141 - for libsodium detect lack of entropy in chroot, print
  a message and exit.
- Fix #2492: Documentation libunbound.
- Fix #2882: Unbound behaviour changes (wrong) when domain-insecure is
  set for stub zone. It no longer searches for DNSSEC information.
- Fix #3299 - forward CNAME daisy chain is not working
- Fix link failure on OmniOS.
- Check whether --with-libunbound-only is set when using --with-nettle
  or --with-nss.
- Fix qname-minimisation documentation (A QTYPE, not NS)
- Fix that DS queries with referral replies are answered straight
  away, without a repeat query picking the DS from cache.
  The correct reply should have been an answer, the reply is fixed
  by the scrubber to have the answer in the answer section.
- Fix that expiration date checks don't fail with clang -O2.
- Fix queries being leaked above stub when refetching glue.
- Copy query and correctly set flags on REFUSED answers when cache
  snooping is not allowed.
- make depend: code dependencies updated in Makefile.
- Fix #3397: Fix that cachedb could return a partial CNAME chain.
- Fix #3397: Fix that when the cache contains an unsigned DNAME in
  the middle of a cname chain, a result without the DNAME could
  be returned.
- Fix that unbound-checkconf -f flag works with auto-trust-anchor-file
  for startup scripts to get the full pathname(s) of anchor file(s).
- Print fatal errors about remote control setup before log init,
  so that it is printed to console.
- Use NSEC with longest ce to prove wildcard absence.
- Only use *.ce to prove wildcard absence, no longer names.
- Fix unfreed locks in log and arc4random at exit of unbound.
- Fix lock race condition in dns cache dname synthesis.
- Fix #3451: dnstap not building when you have a separate build dir.
  And removed protoc warning, set dnstap.proto syntax to proto2.
- Added tests with wildcard expanded NSEC records (CVE-2017-15105 test)
- Unit test for auth zone https url download.
- tls-cert-bundle option in unbound.conf enables TLS authentication.
- Fixes for clang static analyzer, the missing ; in
  edns-subnet/addrtree.c after the assert made clang analyzer
  produce a failure to analyze it.
- Fix #3505: Documentation for default local zones references
  wrong RFC.
- Fix #3494: local-zone noview can be used to break out of the view
  to the global local zone contents, for queries for that zone.
- Fix for more maintainable code in localzone.
- more robust cachedump rrset routine.
- Save wildcard RRset from answer with original owner for use in
  aggressive NSEC.
- Fixup contrib/fastrpz.patch so that it applies.
- Fix compile without threads, and remove unused variable.
- Fix compile with staticexe and python module.
- Fix nettle compile.
- Fix to check define of DSA for when openssl is without deprecated.
- iana port update.
- Fix #3582: Squelch address already in use log when reuseaddr option
  causes same port to be used twice for tcp connections.
- Reverted fix for #3512, this may not be the best way forward;
  although it could be changed at a later time, to stay similar to
  other implementations.
- Fix for windows compile.

Best regards, Wouter
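
An unbound.conf fragment that wires together the rc1 features listed above (the RFC 7706 local root copy via auth-zone, aggressive-nsec, and the renamed tls-* server options). This is an added example, not configuration shipped with Unbound or posted in the thread. The master addresses are those published for the root servers (B root with its 2017 IPv4 change, as the changelog notes) and should be verified against root-servers.org before use; the url:, file paths and the @853 interface are assumptions for illustration.

```conf
server:
    # Use cached, validated NSEC records to synthesize NXDOMAIN, NODATA and
    # wildcard answers from the cache (RFC 8198). Default in 1.7.0 is no.
    aggressive-nsec: yes

    # CA bundle used to authenticate outgoing TLS connections, including the
    # https url: download below (path assumed; use your distribution's).
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

    # Offer DNS over TLS to clients on port 853 using the new tls-* names;
    # the older ssl-port/ssl-service-key/ssl-service-pem spellings still work.
    # Certificate and key paths are assumed.
    interface: 0.0.0.0@853
    tls-port: 853
    tls-service-key: "/etc/unbound/tls/resolver.key"
    tls-service-pem: "/etc/unbound/tls/resolver.pem"

# RFC 7706: keep a local copy of the root zone and use it for upstream
# resolution only (for-downstream: no means it is not served as
# authoritative to clients). If the transfer fails or the file is missing,
# fallback-enabled: yes lets Unbound query the root servers as usual.
auth-zone:
    name: "."
    for-downstream: no
    for-upstream: yes
    fallback-enabled: yes
    # AXFR sources: root server letters that allow zone transfer.
    # Verify these addresses before deploying.
    master: 199.9.14.201
    master: 192.33.4.12
    master: 192.5.5.241
    master: 192.112.36.4
    master: 193.0.14.129
    # https download as an alternative to AXFR (assumed URL).
    url: "https://www.internic.net/domain/root.zone"
    # Local copy, relative to the directory: (or chroot) setting.
    zonefile: "root.zone"
```

Run unbound-checkconf on the result before restarting: with fallback-enabled: yes a broken transfer degrades to normal root queries, so the only visible symptom of a misconfigured auth-zone is a log line, not a resolution failure.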

Hello Wouter,

the feature list sounds promising!
3 points:

1.
contrib/fastrpz.patch applies, but not without additional help from patch.
I have a "fixed" version that applies without warnings. -> attached

Also, I received 2 warnings from quilt, the tool used to manage patch stacks in Debian,
while preparing this fastrpz.patch:
Warning: trailing whitespace in line 1390 of daemon/worker.c
Warning: trailing whitespace in line 879 of services/cache/dns.c

2.
For some months I have been using a patch that logs the keytag queries generated by unbound to support trust anchor signaling.
It's a simple change, but it helped us a lot to identify hosts not using the new KSK-2017.
-> log_trust-anchor-signaling.patch

(I wish, NSD could log such queries, too)

3.
Debian lintian warns that "allow to" should be written as "allow one to"
-> spelling-error-in-manpage.patch

That's only from packaging; tomorrow I'll /install/ the new version...

Andreas

(attachments)

fastrpz.patch (108 KB)
log_trust-anchor-signaling.patch (693 Bytes)
spelling-error-in-manpage.patch (993 Bytes)
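
The keytag queries that the logging patch above records are RFC 8145 trust anchor signals: a query whose first label is `_ta` followed by the hex key tags of the DNSKEYs the validator trusts. Decoding them is how one tells which validators still trust only KSK-2010 (tag 19036, 0x4a5c) and not KSK-2017 (tag 20326, 0x4f66). The following is an added example, not A. Schulze's patch or Unbound code; the log format (timestamp, client IP, qname, qtype) and the log lines themselves are constructed for illustration and must be adapted to the real log.

```python
"""Decode RFC 8145 trust anchor key tag signalling names from a query log
and report clients that never signalled the KSK-2017 key tag.

Added example for illustration; not Unbound code. Assumes a constructed log
format "<timestamp> <client-ip> <qname> <qtype>"."""
import re
from collections import defaultdict

KSK_2010 = 19036   # 0x4a5c
KSK_2017 = 20326   # 0x4f66

# RFC 8145 section 5.1: first label is "_ta" followed by one or more "-XXXX"
# groups, each the 4-hex-digit key tag of a DNSKEY the validator trusts.
TA_LABEL = re.compile(r"^_ta(?:-[0-9a-fA-F]{4})+$")


def parse_keytags(qname):
    """Key tags signalled in qname, or None if it is not a signalling name."""
    first = qname.rstrip(".").split(".")[0]
    if not TA_LABEL.match(first):
        return None
    return [int(h, 16) for h in first[4:].split("-")]


def stale_signalers(log_text, required=KSK_2017):
    """Map client IP -> set of signalled key tags, restricted to clients that
    sent at least one signal but never included `required`. Those are the
    validators that would fail after the KSK rollover."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue                      # not a query line in the assumed format
        tags = parse_keytags(fields[2])
        if tags is not None:
            seen[fields[1]].update(tags)
    return {ip: tags for ip, tags in seen.items() if required not in tags}


# Constructed sample log, not real traffic.
SAMPLE_LOG = """\
2018-03-01T10:00:01 192.0.2.10 _ta-4a5c.example. A
2018-03-01T10:00:02 192.0.2.11 _ta-4f66-4a5c.example. A
2018-03-01T10:00:03 192.0.2.12 www.example. A
2018-03-01T10:00:04 192.0.2.13 _ta-4f66.example. A
2018-03-01T10:00:05 192.0.2.10 _ta-4a5c.example. A
"""

if __name__ == "__main__":
    for ip, tags in sorted(stale_signalers(SAMPLE_LOG).items()):
        print(ip, "signals only", sorted(tags))
```

A validator that signals only 19036 is not necessarily broken yet (the old key still validates until the revocation), but it is exactly the host to chase before the rollover completes.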

Hi Andreas,

Thanks for the patches, and real fast too! I have applied them, all three.

For fastrpz, I removed the trailing whitespace, both from the source and
from the patch file. The patch already applied for me, before your fix.
With the fix it applies without offsets. The fix uses -p1, not -p0.

Also, I don't agree that the spelling is improved by lintian. But to
remove the warning, the patch is applied.

Best regards, Wouter

Hi,

Unbound 1.7.0rc2 maintainers prerelease is available:
https://www.unbound.net/downloads/unbound-1.7.0rc2.tar.gz
sha256 ed5e4529af6b1e70abaa8999935ec667db2a8b47ae479563b5f3b25b7a034eed
pgp https://www.unbound.net/downloads/unbound-1.7.0rc2.tar.gz.asc

It was updated from rc1 because the patch for fastrpz did not work for
some, there is a new patch in rc2.

Changes:
- Fixed contrib/fastrpz.patch, even though this already applied
  cleanly for me, now also for others.
- patch to log created keytag queries, from A. Schulze.
- patch suggested by Debian lintian: allow to -> allow one to, from
  A. Schulze.
- Attempt to remove warning about trailing whitespace.

Best regards, Wouter

Wouter,

this release looks fine!
It builds without warnings¹) on Debian.

- the auth-zone feature works as expected.
- Aggressive use of NSEC is not so transparent to me.
  unsure, what I really may expect here. Under which conditions is this active?

Andreas

¹)
marginal:
./util/configparser.y:2412:3: warning: ignoring return value of 'asprintf', declared with attribute warn_unused_result [-Wunused-result]
   asprintf(&new_cstr, "%s\nzone %s", old_cstr?old_cstr:"", $2);
   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
./util/configparser.y:2425:3: warning: ignoring return value of 'asprintf', declared with attribute warn_unused_result [-Wunused-result]
   asprintf(&new_cstr, "%s\n%s", old_cstr ? old_cstr : "", $2);
   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Hi Andreas,

From: Ralph Dolmans via Unbound-users <unbound-users@unbound.net>

- Aggressive use of NSEC is not so transparent to me.
  unsure, what I really may expect here. Under which conditions is this active?

When this option is enabled Unbound will try to use cached NSEC records
to generate an NXDOMAIN, NODATA or wildcard answer. See RFC8198.

Thanks very much for implementing RFC 8198.

One comment is that there is no documentation about "aggressive-nsec: yes"
in server section. (default no)

# I read it from util/config_file.c .

Please add documentation about aggressive-nsec.
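
To make the "under which conditions is this active" question concrete, here is the decision logic of RFC 8198 in working form: given cached, DNSSEC-validated NSEC records, it decides whether a query can be answered as NXDOMAIN, NODATA or a wildcard expansion from the cache, or must be recursed as before. This is an added example written for this page, not Unbound's implementation; the NSEC cache is a constructed slice of a made-up signed zone, RRSIGs and TTLs are omitted, and the function names are illustrative. It also encodes the two wildcard fixes from the changelog (prove wildcard absence only at *.closest-encloser, never at a longer name) and the RFC 6840 rule that an NSEC at a delegation point cannot deny names in the child zone.

```python
"""Aggressive use of NSEC (RFC 8198): answer from cached NSEC records.

Added example, not Unbound code. Cache entries are constructed
(owner, next, types) tuples of validated NSEC records."""


def canon_key(name):
    """RFC 4034 section 6.1 canonical ordering key: labels compared from the
    root, case-insensitively; a name sorts before its own descendants."""
    labels = [l.lower().encode() for l in name.strip(".").split(".") if l]
    return tuple(reversed(labels))


def covers(owner, nxt, qname):
    """True if the NSEC owner..next proves that qname does not exist."""
    o, n, q = canon_key(owner), canon_key(nxt), canon_key(qname)
    if o < n:
        return o < q < n
    return q > o or q < n      # last NSEC of the zone wraps to the apex


def is_ancestor(anc, name):
    a, n = canon_key(anc), canon_key(name)
    return len(a) <= len(n) and n[:len(a)] == a


def closest_encloser(owner, nxt, qname):
    """Longest existing ancestor of qname, inferred from the covering NSEC
    as the longer common suffix with its owner or next name."""
    q = canon_key(qname)
    best = ()
    for other in (canon_key(owner), canon_key(nxt)):
        i = 0
        while i < min(len(q), len(other)) and q[i] == other[i]:
            i += 1
        best = q[:i] if i > len(best) else best
    return ".".join(l.decode() for l in reversed(best)) + "."


def find_owner(cache, name):
    key = canon_key(name)
    return next((r for r in cache if canon_key(r[0]) == key), None)


def find_covering(cache, name):
    return next((r for r in cache if covers(r[0], r[1], name)), None)


def synthesize(cache, qname, qtype):
    """Return ("NXDOMAIN", None), ("NODATA", None or wildcard owner),
    ("WILDCARD", wildcard owner), or None when the cache holds no proof
    and a normal recursion is needed."""
    hit = find_owner(cache, qname)
    if hit:                                     # name exists; bitmap decides
        if "CNAME" in hit[2] or qtype in hit[2]:
            return None                         # positive data is not NSEC's job
        return ("NODATA", None)
    cov = find_covering(cache, qname)
    if cov is None:
        return None
    owner, nxt, types = cov
    # An NSEC at a delegation point above qname says nothing about the child
    # zone (RFC 6840 section 4.4): the parent cannot deny names below the cut.
    if "NS" in types and "SOA" not in types and is_ancestor(owner, qname):
        return None
    # qname is proven absent. Only the wildcard at the closest encloser can
    # still match, so look exactly at *.ce and never at a longer name.
    ce = closest_encloser(owner, nxt, qname)
    wc = "*." if ce == "." else "*." + ce
    wc_hit = find_owner(cache, wc)
    if wc_hit:
        # Wildcard exists: expand the cached wildcard RRset if it has the
        # type, otherwise the answer is NODATA.
        return ("WILDCARD", wc) if qtype in wc_hit[2] else ("NODATA", wc)
    if find_covering(cache, wc):
        return ("NXDOMAIN", None)
    return None                                 # no proof for *.ce cached


# Constructed slice of a signed zone "example.": a wildcard under
# mail.example. and a delegation at sub.example. (not real data).
NSEC_CACHE = [
    ("example.",        "a.example.",      {"SOA", "NS", "MX", "DNSKEY", "RRSIG", "NSEC"}),
    ("a.example.",      "mail.example.",   {"A", "RRSIG", "NSEC"}),
    ("mail.example.",   "*.mail.example.", {"A", "RRSIG", "NSEC"}),
    ("*.mail.example.", "sub.example.",    {"MX", "RRSIG", "NSEC"}),
    ("sub.example.",    "z.example.",      {"NS", "DS", "RRSIG", "NSEC"}),
    ("z.example.",      "example.",        {"AAAA", "RRSIG", "NSEC"}),
]

if __name__ == "__main__":
    for q, t in [("nosuch.example.", "A"), ("a.example.", "AAAA"),
                 ("foo.mail.example.", "MX"), ("www.sub.example.", "A")]:
        print(q, t, "->", synthesize(NSEC_CACHE, q, t))
```

So the feature is active only when a validated NSEC covering the name (and one covering or matching *.closest-encloser) is already in the cache; every other query still goes upstream, which is why a freshly started resolver shows no change until it has absorbed some negative answers.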

Hi,

Did that for the upcoming rc3 of 1.7.0, thank you for noting it,

Best regards, Wouter

Hi,

Unbound 1.7.0rc3 maintainers prerelease is available:
https://www.unbound.net/downloads/unbound-1.7.0rc3.tar.gz
sha256 209e94c1da10c839f52e04b79ab4ea8b6fc3d88bbe544d9053b96d330538170c
pgp https://www.unbound.net/downloads/unbound-1.7.0rc3.tar.gz.asc

It was updated from rc3, because some people patch configure.ac, but
autoconf in older versions refuses to create correct output for this
version's configure.ac, and to solve that there is an added option to
the configure script, --disable-swig-version-check.

Changes:
- Fix #3598: Fix swig build issue on rhel6 based system.
  configure --disable-swig-version-check stops the swig version check.
- Added documentation for aggressive-nsec: yes.

Best regards, Wouter

CCed list again - my fault

I'd still like unbound-control reverse_add support, since we cannot do
forward_add on reverse zones :-)

Paul, doomed to rely on VPN provided reverse records for kerberos

typo: nonexistant -> nonexistent

Andreas

I also suggest to say "Default is no" instead of "Default is off"

Andreas

Hi Andreas,

Changes:
- Added documentation for aggressive-nsec: yes.

I also suggest to say "Default is no" instead of "Default is off"

Sure, made those edits. (These fixes are scheduled for the next
release, I want to get 1.7.0 out the door).

Best regards, Wouter

Hi,

Unbound 1.7.0 is available:
https://www.unbound.net/downloads/unbound-1.7.0.tar.gz
sha256 94dd9071fb13d8ccd122a3ac67c4524a3324d0e771fc7a8a7c49af8abfb926a2
pgp https://www.unbound.net/downloads/unbound-1.7.0.tar.gz.asc

This release adds authority zones, for a local copy of the root zone,
and also aggressive NSEC processing, for denial of nxdomain floods.

It was updated from rc1 because the patch for fastrpz did not work for
some, there is a new patch in rc2. It was updated to rc3, because some
people patch configure.ac, but autoconf in older versions refuses to
create correct output for this version's configure.ac, and to solve that
there is an added option to the configure script,
--disable-swig-version-check.

Features
- auth-zone provides a way to configure RFC7706 from unbound.conf,
  e.g. with auth-zone: name: "." for-downstream: no for-upstream: yes
  fallback-enabled: yes and masters or a zonefile with data.
- Aggressive use of NSEC implementation. Use cached NSEC records to
  generate NXDOMAIN, NODATA and positive wildcard answers.
- Accept tls-upstream in unbound.conf, the ssl-upstream keyword is
  also recognized and means the same. Also for tls-port,
  tls-service-key, tls-service-pem, stub-tls-upstream and
  forward-tls-upstream.
- [dnscrypt] introduce dnscrypt-provider-cert-rotated option,
  from Manu Bretelle.
  This option allows handling multiple cert/key pairs while only
  distributing some of them.
  In order to reliably match a client magic with a given key without
  strong assumption as to how those were generated, we need both key and
  cert. Likewise, in order to know which ES version should be used.
  On the other hand, when rotating a cert, it can be desirable to only
  serve the new cert but still be able to handle clients that are still
  using the old cert's public key.
  The `dnscrypt-provider-cert-rotated` allow to instruct unbound to not
  publish the cert as part of the DNS's provider_name's TXT answer.
- Update B root ipv4 address.
- make ip-transparent option work on OpenBSD.
- Fix #2801: Install libunbound.pc.
- ltrace.conf file for libunbound in contrib.
- Fix #3598: Fix swig build issue on rhel6 based system.
  configure --disable-swig-version-check stops the swig version check.

Bug Fixes
- Fix #1749: With harden-referral-path: performance drops, due to
  circular dependency in NS and DS lookups.
- [dnscrypt] prevent dnscrypt-secret-key, dnscrypt-provider-cert
  duplicates
- Better documentation for cache-max-negative-ttl.
- Fixed libunbound manual typo.
- Fix #1949: [dnscrypt] make provider name mismatch more obvious.
- Fix #2031: Double included headers
- Document that errno is left informative on libunbound config read
  fail.
- iana port update.
- Fix #1913: ub_ctx_config is under circumstances thread-safe.
- Fix #2362: TLS1.3/openssl-1.1.1 not working.
- Fix #2034 - Autoconf and -flto.
- Fix #2141 - for libsodium detect lack of entropy in chroot, print
  a message and exit.
- Fix #2492: Documentation libunbound.
- Fix #2882: Unbound behaviour changes (wrong) when domain-insecure is
  set for stub zone. It no longer searches for DNSSEC information.
- Fix #3299 - forward CNAME daisy chain is not working
- Fix link failure on OmniOS.
- Check whether --with-libunbound-only is set when using --with-nettle
  or --with-nss.
- Fix qname-minimisation documentation (A QTYPE, not NS)
- Fix that DS queries with referral replies are answered straight
  away, without a repeat query picking the DS from cache.
  The correct reply should have been an answer, the reply is fixed
  by the scrubber to have the answer in the answer section.
- Fix that expiration date checks don't fail with clang -O2.
- Fix queries being leaked above stub when refetching glue.
- Copy query and correctly set flags on REFUSED answers when cache
  snooping is not allowed.
- make depend: code dependencies updated in Makefile.
- Fix #3397: Fix that cachedb could return a partial CNAME chain.
- Fix #3397: Fix that when the cache contains an unsigned DNAME in
  the middle of a cname chain, a result without the DNAME could
  be returned.
- Fix that unbound-checkconf -f flag works with auto-trust-anchor-file
  for startup scripts to get the full pathname(s) of anchor file(s).
- Print fatal errors about remote control setup before log init,
  so that it is printed to console.
- Use NSEC with longest ce to prove wildcard absence.
- Only use *.ce to prove wildcard absence, no longer names.
- Fix unfreed locks in log and arc4random at exit of unbound.
- Fix lock race condition in dns cache dname synthesis.
- Fix #3451: dnstap not building when you have a separate build dir.
  And removed protoc warning, set dnstap.proto syntax to proto2.
- Added tests with wildcard expanded NSEC records (CVE-2017-15105 test)
- Unit test for auth zone https url download.
- tls-cert-bundle option in unbound.conf enables TLS authentication.
- Fixes for clang static analyzer, the missing ; in
  edns-subnet/addrtree.c after the assert made clang analyzer
  produce a failure to analyze it.
- Fix #3505: Documentation for default local zones references
  wrong RFC.
- Fix #3494: local-zone noview can be used to break out of the view
  to the global local zone contents, for queries for that zone.
- Fix for more maintainable code in localzone.
- more robust cachedump rrset routine.
- Save wildcard RRset from answer with original owner for use in
  aggressive NSEC.
- Fixup contrib/fastrpz.patch so that it applies.
- Fix compile without threads, and remove unused variable.
- Fix compile with staticexe and python module.
- Fix nettle compile.
- Fix to check define of DSA for when openssl is without deprecated.
- iana port update.
- Fix #3582: Squelch address already in use log when reuseaddr option
  causes same port to be used twice for tcp connections.
- Reverted fix for #3512, this may not be the best way forward;
  although it could be changed at a later time, to stay similar to
  other implementations.
- Fix for windows compile.
- Fixed contrib/fastrpz.patch, even though this already applied
  cleanly for me, now also for others.
- patch to log created keytag queries, from A. Schulze.
- patch suggested by Debian lintian: allow to -> allow one to, from
  A. Schulze.
- Attempt to remove warning about trailing whitespace.
- Added documentation for aggressive-nsec: yes.

Best regards, Wouter