Unbound 1.24.0
This release features increased defaults, num.valops statistic, unbound-control cache_lookup, and bug fixes.
The default value increase for num-queries-per-thread is to make saturation of the task queue more resource intensive and less practical. Thanks to Shiming Liu, Network and Information Security Lab, Tsinghua University for the report.
The default value increase for so-sndbuf is to mitigate a cross-layer issue where the UDP socket send buffers are exhausted waiting for ARP/NDP resolution. Thanks to Reflyable for the report.
To help the server start more easily, the setsockopt call for the sndbuf buffer size now prints a warning instead of failing to start the server when it cannot set the buffer size.
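The send-buffer behaviour described above, and the so-sndbuf default change in the Features list, as an added example that is not Unbound's own code. It sets SO_SNDBUF on a UDP socket, warns rather than aborts when setsockopt fails, and then reads the value back, because on Linux a request above net.core.wmem_max is silently clamped rather than rejected, and getsockopt reports twice the accepted value, so the read-back is the only way to see what the socket actually got. The function names and the 4m request value are the example's own choices.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Outcome of a send-buffer request (names are this example's own). */
enum sndbuf_result { SNDBUF_OK = 0, SNDBUF_CLAMPED = 1, SNDBUF_FAILED = -1 };

/* Pure check, kept separate so it can be tested without a socket:
 * is the buffer the kernel reports back at least what we asked for?
 * Linux reports twice the accepted value (it counts bookkeeping
 * overhead), the BSDs report the value itself; in both cases
 * "effective < requested" means the request was silently clamped by a
 * limit such as net.core.wmem_max. */
enum sndbuf_result classify_sndbuf(int requested, int effective)
{
    return effective >= requested ? SNDBUF_OK : SNDBUF_CLAMPED;
}

/* Try to set SO_SNDBUF on fd, warn rather than abort on failure, and
 * read back what the kernel actually granted into *effective. */
enum sndbuf_result try_set_sndbuf(int fd, int requested, int *effective)
{
    socklen_t len = sizeof(*effective);

    if (setsockopt(fd, SOL_SOCKET, SO_SNDBUF, &requested,
                   sizeof(requested)) < 0) {
        /* Same policy as the release note: warn and keep going with
         * whatever buffer the socket already has. */
        fprintf(stderr, "warning: setsockopt(SO_SNDBUF, %d) failed: %s; "
                "continuing with the kernel default\n",
                requested, strerror(errno));
    }
    if (getsockopt(fd, SOL_SOCKET, SO_SNDBUF, effective, &len) < 0) {
        fprintf(stderr, "error: getsockopt(SO_SNDBUF) failed: %s\n",
                strerror(errno));
        return SNDBUF_FAILED;
    }
    if (classify_sndbuf(requested, *effective) == SNDBUF_CLAMPED) {
        fprintf(stderr, "warning: SO_SNDBUF clamped to %d (requested %d); "
                "raise net.core.wmem_max (Linux) or kern.ipc.maxsockbuf "
                "(FreeBSD)\n", *effective, requested);
        return SNDBUF_CLAMPED;
    }
    return SNDBUF_OK;
}

int main(void)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    int effective = 0;
    int requested = 4 * 1024 * 1024;   /* the new so-sndbuf default, 4m */
    enum sndbuf_result r;

    if (fd < 0) {
        perror("socket");
        return 1;
    }
    r = try_set_sndbuf(fd, requested, &effective);
    printf("requested=%d effective=%d result=%d\n",
           requested, effective, (int)r);
    close(fd);
    return r == SNDBUF_FAILED ? 1 : 0;
}
```

On a stock Linux host this typically prints the clamp warning, since the default net.core.wmem_max is far below 4m; raising that sysctl (or running with the privilege that lets SO_SNDBUFFORCE bypass it, which Unbound tries first) is what makes the new default take effect.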
Various cache '-slabs' options are auto-configured when they are not specified in the config file, using a power of two close to the number of threads. When the option is specified in the config file, that value is used instead.
An extra statistic is added to track the number of signature validation operations by the validator, num.valops.
The unbound-control cache_lookup command prints cache information for names in the given domain. The output is similar to dump_cache, but limited to names under the specified zone(s). Because of that it locks the caches for a much shorter time, which is good for server responsiveness.
The sock-queue-timeout option is adapted to work on FreeBSD as well as Linux.
Features
- Increase default num-queries-per-thread to 2048 when unbound is compiled with libevent. It makes saturation of the task queue more resource intensive and less practical. Thanks to Shiming Liu, Network and Information Security Lab, Tsinghua University for the report.
- Merge #1276: Auto-configure '-slabs' values.
- Change default for so-sndbuf to 1m, to mitigate a cross-layer issue where the UDP socket send buffers are exhausted waiting for ARP/NDP resolution. Thanks to Reflyable for the report.
- Adjusted so-sndbuf default to 4m.
- Merge #1289 from Roland van Rijswijk-Deij: Add extra statistic to track the number of signature validation operations. Adds 'num.valops' to extended statistics.
- Fix #1303: [FR] Disable TLSv1.2.
- unbound-control cache_lookup prints the cached rrsets and messages for those.
- unbound-control cache_lookup +t allows tld and root names. And subnet cache contents are printed.
- Fix #1319: [FR] zone status for Unbound auth-zones.
Bug Fixes
- Fix #1272: assertion failure testcode/unitverify.c:202.
- Merge #1275: Use macros for the fr_check_changed* functions.
- Fix for parallel build of dnstap protoc-c output.
- Fix dnstap to use protoc.
- Sync unbound and unbound-checkconf log output for unknown modules.
- Fix #1281: forward-zone "name: ." conflicts with auth-zone "name: ." in 1.23.0, but worked in 1.22.0.
- Fix #1283: Unsafe usage of atoi() while parsing the configuration file.
- Merge #1280: Fix auth nsec3 code. Fixes NSEC3 code to not break on broken auth zones that include unsigned out of zone (above apex) data. Could lead to hang while trying to prove a wildcard answer.
- Fix #1284: NULL pointer deref in az_find_nsec_cover() (latent bug) by adding a log_assert() to safeguard future development.
- Fix #1282: log-destaddr fail on long ipv6 addresses.
- Fix config of slab values when there is no config file.
- Fix for cname chain length with qtype ANY and qname minimisation. Thanks to Jim Greenwood from Nominet for the report.
- Merge #1285: RST man pages. It introduces restructuredText man pages to sync the online and source code man page documentation. The templated man pages (*.in) are still part of the repo but generated with docutils from their .rst counterpart. Documentation on how to generate those (mainly for core developers) is in README.man.
- Add more checks about respip in unbound-checkconf. Also fixes #310: unbound-checkconf not reporting RPZ configuration error.
- Fix #1288: [FR] Improve fuzzing of unbound by adapting the netbound program.
- Small manpage corrections for the 'disable-dnssec-lame-check' option.
- Fix unbound-anchor certificate file read for line ends and end of file.
- Fix comment for the dname_remove_label_limit_len function.
- iana portlist updated.
- Fix bitwise operators in conditional expressions with parentheses.
- Fix conditional expressions with parentheses for bitwise and.
- Fix header return value description for skip_pkt_rrs and parse_edns_from_query_pkt.
- Fix to check control-interface addresses in unbound-checkconf.
- Fix #1295: Windows 32-bit binaries download seems to be missing dll dependency.
- Fix for consistent use of local zone CNAME alias for configured auth zones. Now it also applies to downstream configured auth zones.
- Fix #1296: DNS over QUIC depends on a very outdated version of ngtcp2. Fixed so it works with ngtcp2 1.13.0 and OpenSSL 3.5.0.
- Merge #1297: edns-subnet: fix NULL_AFTER_DEREF on subnetmod.
- Fix rrset cache create allocation failure case.
- Fix #1293: EDE 6 is attached to insecure cached answers when client sends the CD bit.